Professional Documents
Culture Documents
A Cryptographic Compendium
This site contains a brief outline of the various types of cipher systems
that have been used historically, and tries to relate them to each other
while avoiding a lot of mathematics.
1. Introduction
2. Paper and Pencil Systems
3. Electrical and Mechanical Cipher Machines
4. Telecipher Machines
5. The Computer Era
6. Public-Key Cryptography
7. Miscellaneous Topics
Thus, although this page is about cryptography, it does not fall into
certain categories of worthwhile and helpful pages about cryptography
that are more common; it is neither:
There are links to some of the pages in these categories in the Links
section of this site.
In only one section do I discuss, and very briefly, codes, in which words or
phrases rather than letters, bits, or digits are the unit of encipherment.
However, the word code is used legitimately in mathematics to refer to
substitutions which are non-linguistic (and hence, in cryptology, would be
called ciphers) from Morse code to Hamming code (used for error-
correction) and Huffman code (used for data compression). I have,
therefore, been unable to be rigorous about the use of the word "code" in
these pages.
[Next]
[Next] [Up/Previous/Index]
Introduction
This page is about codes and ciphers, which people use to communicate
with each other in ways that other parties cannot (it is hoped) understand.
Although secrecy in communication can precede literacy, for example by
the use of obscure allusions, a spoken language that is different from the
one commonly spoken, a jargon or cant of terms with special or secondary
meanings, or a conventionalized way of speaking such as Pig Latin, the
efflorescence of many and sophisticated methods of secret
communications waited for the development of alphabetic writing, which
allows any thought to be represented by a small number of easily
manipulated characters.
Only when both conditions exist: when the contents of a message must be
kept secret, and yet the message is so urgent that the risk must be taken of
sending it by a means that may allow others to read it, would people take
the time and effort to put a message into cipher, and take the risk involved
in relying on cipher to maintain its secrecy.
Of course, today computers carry out the steps involved in enormously
complicated cipher schemes at the push of a button, so neither the effort
nor the risk looms as large as it did during most of the history of the
subject.
This site contains a brief outline of the various types of cipher systems
that have been used historically, and tries to relate them to each other
while avoiding a lot of mathematics.
The Codebreakers, David Kahn, Macmillan (1st ed.) Simon and Schuster
(2nd ed.). This book is a fascinating history of cryptography, dealing with
the role it has played in many historical events. There are also some
nuggets of technical information not seen in other books aimed at the
general public, and there is historical information about subjects related
to secret codes, such as cable codes (which do not involve secrecy, and
were for saving money on sending telegrams).
Applied Cryptography, Bruce Schneier; John Wiley and Sons. This book
is aimed at the computer professional who needs to implement secure
systems involving cryptography. As it describes a wide selection of
algorithms and protocols, it will be of interest to anyone concerned with
cryptography in the computer era. This book is one of the most widely
available books covering the subject matter, and it is frequently cited as a
source and as an authority on the USENET newsgroup sci.crypt. The 2nd
edition is considerably expanded, with fascinating detail on a much larger
number of cipher systems.
[Next] [Up/Previous/Index]
which turns
Please send me some money
into
This is called substitution, and ciphers based on this principle date back to
ancient times.
Atbash:
A B C D E F G H I J K L M
-------------------------
Z Y X W V U T S R Q P O N
Albam:
A B C D E F G H I J K L M
-------------------------
N O P Q R S T U V W X Y Z
Atbah:
A B C D J K L M E S T U V
------- ------- - -------
I H G F R Q P O N Z Y X W
Note that all three of these are reciprocal, in
that if one letter becomes another letter, then
that other letter becomes the original letter in
turn.
The illustration also contains other information. The numerical value of each
letter is given below the name of the letter, and the original Hebrew form of the
name of the letter is also shown to the right. Also, Cryptic Script B, an alphabet
used in the writing of part of the Dead Sea Scrolls is shown (albeit imperfectly;
the symbol for Shin is only known to be used for one of the two values of that
letter, as indicated by dots, and an additional special-purpose character is not
shown.)
The other method of concealing a message is called transposition, which was also
used in ancient times, at least by the Spartans with the scytale, a baton around
which a leather belt could be wound, so that a message could be written on the
belt, crossing from one loop to the next, so that it could only be read while the
belt was so wound.
❍ Polyalphabetic Substitution
● Code Books
● Fun With Playing Cards
● Conclusions
[Next] [Up/Index] [Previous]
There are several types of cipher machine that we will examine in this section;
and a few more that belong to another section, since they hint at the computer age
to follow.
❍ The Reihenscheiber
❍ Sweden's HC-9
❍ LACIDA
❍ Child's Play
Telecipher Devices
This section looks at cipher machines that worked with teletypewriters.
Just as today's computers represent printed characters as 8-bit bytes using the ASCII code,
teletypewriters used a similar code for communications purposes. However, they used only
five bits per character, which conserved bandwidth, although it meant that shifting between
letters and other characters such as numbers and punctuation marks required sending
characters that indicated a shift was taking place.
Thus, we have a family of cipher machines that, before the computer age, was already
working in binary code.
Two early American attempts at a telecipher machine were not used in practice, since they
were found to be insecure. One was designed by Gilbert S. Vernam for A. T. & T., the two-
tape machine, where two punched tape loops of unequal size each provided a current
character to be XORed with the plaintext character. The other was devised by Col. Parker
Hitt, who was one of America's foremost cryptologists of the World War I era, for ITT, and
involved ten cams with 96, 97, 98, 99, 100, 101, 102, 103, 104, and 105 positions, two of
which supplied the bits to be XORed with one bit of the current plaintext character.
The XOR or exclusive-or logical operation is the simplest possible way to apply a key to a
plaintext to conceal it. This operation is also modulo-2 addition, with the very small table:
| 0 1
---+-------
0 | 0 1
1 | 1 0
If we view 0 as standing for "False", and 1 as standing for "True", then A exclusive-or B is
true if either A is true exclusively (that is, A is true and B is false), or if B is true exclusively
(B is true and A is false).
However, the machine devised by Vernam was modified to a form which was secure, and
many countries have used similar devices. Instead of increasing the number of punched tape
loops used to XOR with the plaintext, the number of key inputs was reduced from two to just
one: and that one took a key tape consisting of completely random bits, used only once.
This, the one-time tape, is again the perfect case of polyalphabeticity, which was previously
noted as the one-time pad under pencil-and-paper methods.
If anyone is unfamiliar with the alphabet used for 5-level teletypewriters, which is called the
Baudot code (although, more accurately, it is in fact derived, with slight modifications, from
the Murray code, a later 5-unit printing telegraph code, just as the code for transmitting chess
moves by telegraph is called the Uedemann code, for the first person to invent such a code,
even though the code actually used is a later one, properly known as Gringmuth notation;
also, the International Morse Code, though it has several characters in common with the code
of dots and dashes originally devised by Samuel Findley Breese Morse, is actually a revision
of his code devised by one Frederick Gerke from Austria, as I have recently learned thanks to
Terry Ritter) a table of it is given here.
(In the interests of making complete information handy, the table included is one with some
additional information from one of my USENET posts.)
International Telegraph Alphabet No. 1 was a version of Emile Baudot's original 5-unit code,
the one that included a 'letters space' and a 'figures space'. (I've seen a web site that
incorrectly claims that International Morse, formerly Continental Morse, was ITA 1.)
International Telegraph Alphabet No. 2 is what is most commonly called Baudot; it is the 5-
level code derived from the Murray code.
ITA 3 and ITA 4 are obscure, but they are both derived from ITA 2, as are a couple of other
codes.
The final code, ten bits long, is AUTOSPEC. All the codes, except for CCIR 476, are shown
in order of transmission; CCIR 476 is shown the other way around, being assumed to be sent
LSB first as is ASCII.
Unlike ITA 3, CCIR 476 has a pattern that relates it to ITA 2: except for the letters B and U,
whose natural codes are used for alpha and beta, those ITA 2 characters which have 4, 3, or 2
one bits set are represented by 0x0, 0x1, and 1x1 respectively, where x is the five bits of the
ITA 2 character; and 1nnnnn0 represents the characters that don't fit into this range, with
again exactly 3 of the n bits set. Note that ITA 3 is a 3 of 7 code, while CCIR 476 is a 4 of 7
code.
Perhaps this is why the newer CCIR 476 is the one US radio amateurs are permitted to use,
and do use for AMTOR, while the older ITA 3 was used for ARQ purposes originally. But
it's odd to see a new code developed to fill exactly the same purpose as an older code already
accepted as an international standard.
ITA 3 was known as, or derived from, the Moore ARQ code, also known as the RCA code. It
appears to have been the first code used for ARQ (automatic repeat request) purposes, and to
have been invented in or prior to 1946 by H. C. A. van Duuren. ITA 3 was adopted as an
international standard in 1956, according to the source which first brought him to my
attention.
AUTOSPEC repeats the five-bit character twice, but if the character is one with odd parity,
the repetition is inverted. Thus, the parity bit is transmitted with high reliability, and every
other bit of the character is effectively repeated twice. It can be thought of the result of
applying an error-correcting code with the matrix:
1 0 0 0 0 0 1 1 1 1
0 1 0 0 0 1 0 1 1 1
0 0 1 0 0 1 1 0 1 1
0 0 0 1 0 1 1 1 0 1
0 0 0 0 1 1 1 1 1 0
to 5-level characters.
The entries
F % ! and
V = ;
mean that, for F, no figures shift character is defined by ITA 2; however, the % sign is uses as
a national-use figures shift character for Britain. The U.S. figures shift character is !. For V,
however, the = sign is defined as the official figures shift character. The U.S. 5-unit
teletypewriter code, which is nonconformant to ITA 2, defines ; as the figures shift character
for V instead.
After the code bits, there are four more columns of characters, giving the characters used by
ASCII over AMTOR. The all-zeroes character is used to toggle between the ordinary
character set in the first two columns, and the auxilliary one in the second two. The ordinary
character set is that of the international version of the 5-level code, rather than the U.S.
version, but the figures shift of J, instead of being the bell, is the asterisk.
Note that there is also an official standard of very recent vintage for using lowercase with 5-
level code, which works on a different principle: a LTRS code while already in letters case is
used to toggle between upper and lower case.
This standard does not include ASCII graphics characters, but it was designed to be
compatible with the use of the all-zeroes code for supplementary alphabetic characters; these
characters could have their lower case available using their shift character in the same fashion
as LTRS is used.
This new standard works as follows: FIGS LTRS operates as a reset into upper-case mode. In
normal upper-case mode, when returning to letters case from figures case, one is returning to
upper-case letters.
When in letters case, a superfluous LTRS code switches into lower-case. This is true even
when reset into upper-case mode; but then it also clears lower-case mode, so that, whether
one is printing upper-case or lower-case, when one returns from printing figures characters to
print letters, one begins with lower-case letters.
ABC [FIGS] 1234 [LTRS] DEF [LTRS] ghi [FIGS] 1234 [LTRS] jkl
[LTRS] MNOPQ [FIGS] 1234 [LTRS] rst [FIGS][LTRS] UVW
[FIGS] 1234 [LTRS] XYZ
Essentially, toggling between upper and lower case with a superfluous LTRS is always on.
FIGS LTRS resets (to upper-case, or capitals) only the default letters case that a normal
LTRS, used for exiting figures printing, returns to. And that default flips back to lower case
the first time lower case is accessed with an (otherwise) superflous LTRS.
The superfluous LTRS now switches one into lower-case mode, as well as immediately
switching to printing lower-case letters. The FIGS shift still takes you to normal figures case,
and a LTRS shift returns you to lower-case letters.
A superfluous LTRS shift changes you to printing upper-case characters, but the mode
remains lower-case mode. Thus, FIGS takes you to printing digits, and LTRS takes you to
printing in the default case for the current mode, which is lower case.
A superfluous LTRS toggles between printing upper-case and lower-case, but only moves
you from upper-case mode to lower-case mode. To change mode in the reverse direction, the
combination FIGS LTRS is required. Once that combination is used, not only do you print in
upper-case, but a LTRS shift used after printing figures will return you to the new default
case, which is again upper case.
The bits are numbered from 1 to 5, in the order in which they are transmitted. They are
normally preceded by one start bit (0) and followed by one and a half stop bits - that is, a 1
level on the wire for one and a half times the time used for transmitting a data bit. In ASCII,
the bits of a character are transmitted least significant bit first; since the 5-level code bits
don't represent codes in any kind of numerical order, sometimes bit 5 and sometimes bit 1 is
taken as the most significant bit, although the tendency has been to treat bit 5 as the MSB
because of the use of the same UART chips for ASCII and 5-level code.
And here is a graphical version, showing the standard, U.S., financial, and weather character
sets:
The top two lines show the original Murray code, from which the modern 5-level code is
derived. (The original Baudot code was completely different.) It too, like the original Baudot,
used a letters space and a figures space. I'm not sure about the functions of the line feed and
carriage return characters: one of them could be a newline, and the other might have had a
different control function. Also, in my reference, the space for the figures shift of A was left
blank. My guess is that that should have been a comma.
Incidentally, the reason that this code is not so organized that when the letters are in
alphabetical order, their codes are in binary numerical order, as is the case for ASCII, is
because the codes were chosen so that the most common letters would have codes that would
cause less wear and tear on the moving parts of teleprinters. The following chart shows the
scheme by which the codes were assigned:
lsc lf
EfprT AINO UCM KV SRH DL FG TP BW QX tiYZ
1 * * * * * * * * ** ** ****
2 * ** ** ** * * * ** * * **
.........................................
3 * ** *** ** * * * * ** * *
4 * ** ** ** * * ** * * * **
5 * * * * * * * * ** ** ****
There are rumors that the secret cipher machines of the 1960s and beyond
involved the use of shift registers, and, more specifically, that they used nonlinear
shift registers, since it is known that a linear feedback shift register produces a
sequence which, while it has a long period and an appearance of randomness, is
not itself a secure additive key for a cipher. Since it is very difficult to guarantee
that a shift register whose feedback is nonlinear will always have a reasonably
long period, I think I will continue to doubt these rumors until the facts finally
become declassified. (However, since the mathematical theory does exist by
which the conditions for maximum period of the quadratic congruential
generator are known, I definitely could be wrong.)
However, some published papers use the term "nonlinear shift register" to
describe a stream cipher system which has a linear feedback shift register at its
heart, but which has as its output a nonlinear function of the shift register's state.
Since it is trivially possible to produce any output sequence with the same period
as the underlying LFSR in this way, (Proof: use the outputs from all the cells in
the LFSR as inputs to the address lines of a one-bit wide ROM programmed, in a
suitable order, with the desired sequence) I have no problem accepting the
existence of nonlinear shift register designs in this sense.
Publicly known designs based on shift registers instead use linear shift registers,
but do such things as combining the output from several, controlling the stepping
of one shift register with another, as was done with the pinwheels in some of the
more secure telecipher designs of the last chapter, or using one shift register to
select between the outputs of two other shift registers.
But the main thrust of the computer era has been in the development of block
ciphers, starting with the LUCIFER project at IBM, which was the direct
ancestor of DES, the Data Encryption Standard.
● LUCIFER
● The Data Encryption Standard
❍ Details of DES
❍ Variations of DES
❍ Key Enrichment
❍ Quadibloc II
❍ Quadibloc III
❍ Quadibloc IV
❍ Quadibloc V
❍ Quadibloc VI
❍ Quadibloc S
❍ Quadibloc VII
❍ Quadibloc VIII
❍ Quadibloc IX
❍ Quadibloc X
❍ Twofish (finalist)
❍ SERPENT (finalist)
❍ RC6 (finalist)
❍ DEAL
❍ MARS (finalist)
❍ SAFER+
❍ FROG
❍ LOKI-97
❍ CAST-256
❍ Magenta
❍ DFC
● Stream Ciphers
❍ Shift-Register Stream Ciphers
■ An Illustrative Example
■ Other Constructions
■ Panama
● Conclusions
❍ Modified Panama
❍ Mishmash
Public-key Cryptography
Public-key cryptography is a very novel form of cryptography that first became
known to the public during the decade of the 1970s. Not only is it novel, its very
name seems paradoxical and confusing.
And if a message is secret, that means that the key to unlock it must be a secret,
or else anyone could decipher it. That is still just as true for public-key
cryptography as it is for the regular kind.
If that's the case, what does the word "public" in public-key cryptography mean?
Normally, with a conventional cryptographic system, if you know both the key
for sending a secret message, and the method of encryption in which that key is
used, then you also know everything you need to know to decipher secret
messages sent with that key and in that system. A few conventional encryption
systems are reciprocal, so that exactly the same key and procedure serves for
encryption and decryption; but in those that are not reciprocal, the key and
procedure for decryption are both still easily derived from those for encryption,
and in most cases, only one of the two differs.
A public-key cryptosystem is one where a key, useful for sending messages, can
be made public without revealing the still-secret key that allows those messages
to be read.
A two-part codebook is one where the code groups don't have the same order as
the plaintext words and phrases they represent. If you publish only the
enciphering half of such a codebook, keeping the deciphering part to yourself,
then it is easier to send coded messages to you than it is to read them.
Of course, that doesn't really provide genuine security. But it hints as to how
PKC can be possible.
Another example, one of the first PKC concepts expressed in the open literature,
goes as follows:
and so on.
The keys for each key number are chosen genuinely at random.
The person who wants to send you a message picks any one of your large number
of encrypted messages, and breaks it. Then, using the key found inside, he
encrypts his message to you, and the precedes it with a note saying: "I am using
key number 2126 to encrypt this message".
He only had to decrypt one of the encrypted key messages to send you a
message, but anyone who wanted to read it would have to keep decrypting all the
messages until he found the right one.
So, the principle of PKC is to find some trick that works one way without
revealing how to reverse the process. And one good place to look for tricks like
that is in higher mathematics, and each of the public-key methods we will look at
in the remainder of this section will have had a basis that came from that source.
If PKC did not exist, however, credit-card companies could instead have issued
secret passwords to credit-card holders. If a merchant verified a password by
comparing a one-way hash of the password and the user's account number to a
coded number on the credit card, knowing the one-way hash of the password
wouldn't enable him to create a new password to decieve other merchants. Thus,
even without public-key methods, it would be possible to avoid the requirement
that every transaction would have to be directly verified with the credit-card
company. But precautions would be needed to ensure that a hash code could not
be used in place of a password, by being inserted into a stage of the verification
process which comes after the password being converted to its hash. Including
the account number in the hash prevents making forged credit cards for someone
else's account with a different password, if the hash also involves a secret key.
But there are other ways to send a message from one place to another without
prior exchange of a secret key.
● Modulus Arithmetic
● The Rivest-Shamir-Adleman (RSA) method
❍ Looking for Primes
❍ Finding d from e
❍ Factoring
● Other Methods
● The Uses of Public-key Cryptography
● Conclusions
Next Chapter
Table of Contents
Main Screen
Home Page
[Next] [Up/Index] [Previous]
Miscellaneous Items
Computer programs that handle data encryption, such as the well-known program
PGP (Pretty Good Privacy) involve other functions besides encryption itself.
While that would be silly, transmitting an encrypted series of bits in the form of
printable ASCII characters only might make good sense, by making it easier to
transmit your data without problems over a network where control characters
have special meanings. Although TCP/IP was specifically designed to permit all
256 possible byte values to be transmitted transparently (the only control
character with special meaning is DLE, Data Link Escape, and two DLEs in a
row always represent a real DLE that is part of user data) binary data is usually
transmitted over the Internet in "base-64" format, where 64 printable ASCII
characters, specifically chosen not to be different in the versions of ASCII used
for different languages, and to be also present in EBCDIC, are used.
Even the case of a simple pencil and paper cipher does, in a rudimentary form,
illustrate these two additional phases of encryption.
Changing
to
WGRXT RTRVU IPQRI PVRE
First,
is changed to
PLEASESENDMOREMONEY
Then,
PLEASESENDMOREMONEY
is changed to
WGRXTRTRVUIPQRIPVRE
Finally,
WGRXTRTRVUIPQRIPVRE
is changed to
for ease of reading and transmission, which illustrates the process of applying
armor to the output of an encryption process.
Finally, digital signatures need one-way hash functions. Ordinary checksums
aren't adequate, since it is possible to construct a message with a different
meaning having the same checksum as the one someone intended to sign. One-
way hash functions are similar to block ciphers in some ways, but different in
others.
Hash functions can also be used as a way of producing encryption keys from pass
phrases or from random input of imperfect quality.
● Data Compression
❍ The Representation of Speech
❍ Semi-Arithmetic Coding
❍ Character Codes
● Error-Correcting Codes
● Armor, Message Termination, and Base Conversion
❍ From 47 bits to 10 letters
❍ Armor-Related Fractionation
❍ Message Blocking
● Steganography
● One-way Hash Functions
❍ Description of SHA
● Hardware Security
❍ When Somebody's Looking Over Your Shoulder
● Key Management
❍ The IBM Key Management Scheme for DES
❍ Kerberos
❍ Key Escrow
Table of Contents
Main Screen
[Up]
A Cryptographic Compendium
Contents
Introduction
❍ Methods of Transposition
❍ Improving Substitution
Checkerboard
■ Fractionated Morse, and Other Oddities
■ Polyalphabetic Substitution
❍ Code Books
❍ Conclusions
■ The Reihenschieber
■ Isomorphs
machine
❍ Miscellaneous Machine Ciphers
■ Sweden's HC-9
■ LACIDA
■ Child's Play
3. Telecipher Machines
❍ The Lorenz Schlusselzusatz
❍ An American patent
❍ Converter M-228
■ Details of DES
■ Variations of DES
■ Key Augmentation
■ Quadibloc II
■ Quadibloc III
■ Quadibloc IV
■ Quadibloc V
■ Quadibloc VI
■ Quadibloc S
■ Quadibloc VII
■ Quadibloc VIII
■ Quadibloc IX
■ Quadibloc X
■ Twofish (finalist)
■ SERPENT (finalist)
■ RC6 (finalist)
■ DEAL
■ MARS (finalist)
■ SAFER+
■ FROG
■ LOKI-97
■ CAST-256
■ Magenta
■ DFC
❍ Stream Ciphers
■ An Illustrative Example
■ Other Constructions
■ Panama
■ Modified Panama
■ Mishmash
5. Public-Key Cryptography
❍ Modulus Arithmetic
■ Finding d from e
■ Factoring
■ El Gamal
❍ Other Methods
6. Miscellaneous Topics
❍ Data Compression
■ Semi-Arithmetic Coding
■ Character Codes
❍ Error-Correcting Codes
❍ Armor, Message Termination, and Base Conversion
■ From 47 bits to 10 letters
■ Armor-Related Fractionation
■ Message Blocking
❍ Steganography
❍ One-way Hash Functions
■ Description of SHA
❍ Hardware Security
■ When Somebody's Looking Over Your Shoulder
❍ Key Management
■ The IBM Key Management Scheme for DES
■ Kerberos
■ Key Escrow
■ Quantum Cryptography
❍ Cryptanalysis
■ The Limits of Cryptanalysis
Morse code uses variable-length symbols made up of dots and dashes, but unlike a straddling checkerboard, the
length of a symbol is not determined by the dots and dashes within it. Instead, spaces are also needed to mark off
the symbols from each other.
But fractionation is still possible using Morse code as a basis. Elementary Cryptanalysis, by H. F. Gaines, gives a
cipher devised by M. E. Ohaver, the author of an early series of magazine columns on cryptanalysis which was
of value to her in the writing of that book, called a "mutilation" cipher, that works like this:
Split the message in Morse code into two parts; the string of dots and dashes, and a series of numbers giving the
number of dots or dashes in the representation of each letter. Then, take the numbers, divide them into groups of
n, and reverse the order of the numbers in each group. Using the now transposed numbers as a guide, turn the
string of dots and dashes back into letters.
A table of Morse code follows (and, while I'm at it, I may as well include Japanese Morse, having the data
available from one of my old USENET posts):
5 ..... 5 6 -.... 6
4 ....- 4 = -...- D2 me
(5) ...-. / -..-. D3 mo
3 ...-- 3 -..-- D5 yu
(6) ..-.. C4 to (c) -.-.. B7 ki
Inter ..-.- D0 mi Start -.-.- BB sa
..--. DF [B] ( -.--. D9 ru
2 ..--- 2 -.--- B4 e
Wait .-... B5 o 7 --... 7
(9) .-..- yi (e) --..- CB hi
+ .-.-. DD n --.-. BC shi
.-.-- C3 te (f) --.-- B1 a
.--.. ye 8 ---.. 8
(a) .--.- B0 - ---.- BD su
(b) .---. BE se 9 ----. 9
1 .---- 1 0 ----- 0
(1) u umlaut (2) a umlaut, cedilla (3) o umlaut or other accent (4) ch, s cedilla (5) s hat (6) e primary accent
(usually acute, grave in Italian) (9) e accent grave (a) a accent (b) j hat (c) c cedilla or accent (e) z accent grave
(f) n tilde
To remove ambiguities, the Japanese syllables are preceded by the hex code, in the version of 8-bit ASCII that
includes kana, of the kana symbol represented. The symbols whose phonetic values I give as yi and ye have the
appearance, respectively:
* ********
******* *
* * *
* * * *
* * *
******* *
* *******
Since this system requires that the ciphertext letters must be able to represent all combinations of from one to
four dots or dashes, four extra symbols, used in Morse for accented letters in some languages other than English,
need to be included in the cipher alphabet.
While the original system, having only the group length as a key, may not have been all that secure, the basic
concept is clever and original. The character lengths could as easily have been transposed by means of a double
columnar transposition, and the dots and dashes could be translated to 0s and 1s, and enciphered by any
applicable method, even DES.
While I consider Ohaver's "mutilation" cipher very interesting, for the principle which it illustrates, the term
Fractionated Morse is normally used for a less elegant, but more secure, system, in which possible combinations
of three symbols from the set of dot, dash, and x, the latter standing for the space between letters, are represented
by letters. Note that combinations with two consecutive "x"s are not required, so the ciphertext uses a 22-letter
alphabet.
The letters will vary in frequency, and since two adjacent letters that would produce two consecutive "x"s do not
occur, redundancy still remains in subtle forms as well.
● 25 times 27 is one less than 26 times 26, so one could encipher bigrams (except 1 that is ignored) into
objects consisting of two symbols from a five-character alphabet and three symbols from a three-character
alphabet, and then seriate the two kinds of symbols separately, also using two tables, one 125 entries long,
and one 81 entries long, for substitution on them;
● 32 equals 27 plus 5, and 128 equals 125 plus 3, so there are two different ways to encipher a binary
bitstream as a mix of symbols from a three-character and a five-character alphabet;
● 26 to the 10th power is very slightly larger than 2 to the 47th power; this is noted in a section in the last
chapter dealing with ways of preparing a binary message for transmission as text (known as "armor"), but
even this could be made use of in an elaborate fractionation scheme.
Because there are convenient ways to convert both letters and bits to a mix of symbols from a 3-element set and
from a 5-element set, as well as an efficient way to convert from bits to letters, intriguing possibilities suggest
themselves. An elaborate fractionation scheme combining the threads mentioned here together is described later.
Enciphering Digits
One interesting way to produce a mixed fractionation scheme comes from the fact that the square of any
triangular number is the same as the sum of the cubes of the consecutive numbers which, when added, produced
that triangular number!
Making use of that fact, and since 10 is a triangular number, one can construct a table like this:
0 1 2 3 4 5 6 7 8 9
0 AAA AAB AAC * -+- -++ aca acb acc acd
1 ABA ABB ABC --- +-- +-+ ada adb adc add
2 ACA ACB ACC --+ ++- +++ baa bab bac bad
3 BAA BAB BAC CAA CAB CAC bba bbb bbc bbd
4 BBA BBB BBC CBA CBB CBC bca bcb bcc bcd
5 BCA BCB BCC CCA CCB CCC bda bdb bdc bdd
6 aaa aba daa dab dac dad caa cab cac cad
7 aab abb dba dbb dbc dbd cba cbb cbc cbd
8 aac abc dca dcb dcc dcd cca ccb ccc ccd
9 aad abd dda ddb ddc ddd cda cdb cdc cdd
As 1 cubed is just 1, and 2 cubed is 8, these symbols make up only a very small part of the square table above,
and thus this part of the table is seldom used. One way to deal with that is to change the table, so that those 9
spaces are instead filled by two symbols from the ABC set of symbols.
0 1 2 3 4 5 6 7 8 9
0 AAA AAB AAC AA AB AC aca acb acc acd
1 ABA ABB ABC BA BB BC ada adb adc add
2 ACA ACB ACC CA CB CC baa bab bac bad
3 BAA BAB BAC CAA CAB CAC bba bbb bbc bbd
4 BBA BBB BBC CBA CBB CBC bca bcb bcc bcd
5 BCA BCB BCC CCA CCB CCC bda bdb bdc bdd
6 aaa aba daa dab dac dad caa cab cac cad
7 aab abb dba dbb dbc dbd cba cbb cbc cbd
8 aac abc dca dcb dcc dcd cca ccb ccc ccd
9 aad abd dda ddb ddc ddd cda cdb cdc cdd
9 8 2 7 0 1 6 4 3 5
-------------------
A T O N E S I R
2 B C D F G H J K L M
6 P Q U V W X Y Z . /
we can encipher a sample message in this scheme, just seriating across the whole message for simplicity (in
practice, one would want to do other things):
For this example, I won't worry about enciphering the last digit of the message. Padding, or another
encipherment step might take care of that.
Now, I seriate the symbols from the ABC and the abcd sets independently, retaining the type of each pair of
digits, and thus the symbols are rearranged as follows, leading to enciphered digits:
d A B B c a c B d C a c d B C d b a c d d A a a a seriation
a B C B d d b A d A c b c B A b b b d a c A a b d
a C A A a c d c C d c a A B b c c c d c B b b b
621250409618791394350978824034733881986584017071170 reconversion
One could also leave all the "d" symbols in their place, and seriate only the "abc" and "ABC" symbols as though
case did not matter - but then convert either to capital or small letters so that the type of each two digit group is
kept the same. (Some care, of course, must be taken when developing a variation so that decipherment remains
possible.) That would produce the following result:
d C A A b b b C d B c d d A B c a c d b d A c c b seriation
a A A B d d a A d A b d c B A a d c a d a C c d b
b B A C a d b a A c c c A A b b b c c c C b b b
633400125659272392307894841030671787645864228797370 reconversion
and this method has its strengths, but also its weaknesses (mainly because the "d"s remain fixed).
Giant Playfair
Another technique I once described involved first using the straddling checkerboard to encipher a message as
digits, and then to use Playfair to encipher it. But instead of using the Playfair technique over a 5 by 5 square of
letters, one uses a 10 by 10 square containing digit pairs, like the following:
68 71 07 49 76 42 54 77 21 82
02 09 98 65 70 55 17 01 50 91
33 35 30 08 62 22 97 44 06 57
64 18 78 58 96 34 11 56 52 38
95 26 86 20 27 37 93 05 14 85
63 29 39 61 87 10 88 32 00 80
31 81 16 83 24 99 67 72 13 53
89 94 47 40 25 73 04 59 84 19
03 75 28 60 12 41 43 48 66 74
79 46 36 45 51 69 23 15 92 70
Thus, the four digits 2076 would encipher to 2749 with this square.
Next
Chapter Start
Skip to Next Section
Table of Contents
Main page
Home page
[Next] [Up] [Previous] [Index]
Armor
A number of methods are possible for converting binary bits to printable characters.
One of the simplest is to take five or six bits of binary data to select one of 32 or 64
characters. Other, more complicated schemes are possible, though.
If 85 characters can be used, then five characters are enough to represent four bytes of
random data. If 86 characters can be used, a simplified scheme can achieve the same
result, since 86 times 3 is 258, which is larger than 256. Assign not more than three of
the 256 possible values for a byte to each of the 86 allowed characters. Then, after
representing four bytes by one of those characters, one character from a set of 81 (3
times 3 times 3 times 3) can resolve which of the 256 byte values, or which of up to 3
values for the character given, is valid for each of the four bytes.
The problem of converting messages to text form for transmission over the Internet is,
of course, closely tied to the ASCII representation of characters. Here is a chart
showing the printable characters in ASCII in graphical form:
and here is an ASCII chart in text form, first just the control characters:
0 0
0 0
0 1
0000 NUL Null DLE Data Link Escape
0001 SOH Start of Header DC1 Device Control 1
0010 STX Start of Text DC2 Device Control 2
0011 ETX End of Text DC3 Device Control 3
0100 EOT End of Transmission DC4 Device Control 4
0101 ENQ Enquiry NAK Negative Acknowledge
0110 ACK Acknowledge SYN Synchronization
0111 BEL Bell ETB End of Transmission Block
1000 BS Backspace CAN Cancel
1001 HT Horizontal Tab EM End of Medium
1010 LF Line Feed SUB Substitute
1011 VT Vertical Tab ESC Escape
1100 FF Form Feed FS Field Separator
1101 CR Carriage Return GS Group Separator
1110 SO Shift Out RS Record Separator
1111 SI Shift In US Unit Separator
and now the entire 7-bit ASCII code, with only the abbreviations of the first 32 control
characters:
0 0 0 0 1 1 1 1
0 0 1 1 0 0 1 1
0 1 0 1 0 1 0 1
0000 NUL DLE 0 @ P ` p
0001 SOH DC1 ! 1 A Q a q
0010 STX DC2 " 2 B R b r
0011 ETX DC3 # 3 C S c s
0100 EOT DC4 $ 4 D T d t
0101 ENQ NAK % 5 E U e u
0110 ACK SYN & 6 F V f v
0111 BEL ETB ' 7 G W g w
1000 BS CAN ( 8 H X h x
1001 HT EM ) 9 I Y i y
1010 LF SUB * : J Z j z
1011 VT ESC + ; K [ k {
1100 FF FS , < L \ l |
1101 CR GS - = M ] m }
1110 SO RS . > N ^ n ~
1111 SI US / ? O _ o DEL Delete
The problem of transmitting data in ASCII text characters over the Internet is
complicated by the fact that some of the characters in ASCII do not have counterparts
in other data transmission codes used by some computers, such as the original version
of EBCDIC. Also, some character positions in 7-bit ASCII are used to represent
different characters in other countries. Thus, the characters in the same columns as the
letters are often used to represent accented letters; the symbol # is replaced in the
United Kingdom by the British pound sign.
In some transmissions over the Internet, a line beginning with a minus sign or hyphen
(-) runs the risk of being interpreted as a header line, indicating the MIME type of a
section of a document.
Of course, if one wishes to send a text by Morse Code, or over a 5-unit teletypewriter
link, the best way to do it would be to convert the binary data to letters from the 26-
letter alphabet, using no other characters.
I have worked out an elaborate and efficient scheme for doing this.
This scheme could also serve other purposes. Since a great many historical encryption
algorithms are aimed at the 26-letter alphabet, one could apply them to a text already
encrypted by modern methods in binary after such a conversion.
And there is an easy way to send a text composed only of uppercase letters over the
Internet efficiently, if a 78-character character set is possible. Take four letters: the first
can be encoded as three symbols from 1 to 3. Combine one such symbol with each
remaining letter to determine which character to use from a character set with 3 times
26 characters, which is 78 characters.
A section is also included here about the question of how to perform the special
processing required to end a message efficiently and securely when the length of the
original plaintext message isn't an integer number of blocks in size, whether those are
blocks used by a block cipher or blocks for the conversion process used to produce
armor for transmission. Also, since base conversion is discussed here, this spot seemed
as good as any to place a discussion of base conversion as it applies to random or
pseudorandom keystreams.
Here is a short message, enciphered only by replacing each of its letters by a different letter on a
consistent basis:
The first step that would occur to many people would be to make use of the fact that some letters
are more common than others in English. E is the most common letter, and letters like J, Q, X,
and Z are quite rare.
And so, we count the letters in our message. This produces the following table of frequencies:
A E F G H I J L M N O P Q R S T U V W X Y
1 2 9 4 1 2 7 5 10 2 5 5 4 6 18 9 1 6 3 4 8
18: S 7: J 3: W
10: M 6: R V 2: E I N
9: F T 5: L O P 1: A H U
8: Y 4: G Q X
Cipher: S M Y J W
---------
Plain: e t n i f
Here, it looks like we've been luckier than we have a right to expect. With frequencies of 6.94
and 6.92 for N and I respectively, it isn't hard to imagine that I might be more common than N,
instead of N being more common than I, in the text of a particular message.
The combination t-e occurs three times from MGS, and once each from MQS and MLS, so it
seems reasonable to think that G stands for h. e-ent might be event, and -ffi-e might be office,
although it is actually hard to take seriously that W necessarily stands for f.
To make a good start on breaking a simple substitution, however, single-letter frequencies are
not enough. They might work for picking out the letters E and T in most cases, but more
information is available that can serve as a better guide.
We've seen that N and I have frequencies of 6.94 and 6.92 respectively. This is a very small
difference. But one is a consonant, and the other is a vowel. So we might expect them to behave
differently. And they do.
Next
Skip to Next Chapter
Table of Contents
Main page
[Next] [Up] [Previous] [Index]
Methods of Transposition
After looking at ciphers which can replace the letters of one's message by completely
different letters, a cipher that can't change any letters at all seems weak.
And, if your message might mention, or might not mention, someone with, say, a Q or
an X in his name, then a transposition cipher will indeed give that away, although one
could solve that by adding some garbage to the end of your message before encrypting
it. But transposition ciphers can be secure in themselves, and as well, transposition
methods are useful to know, since they can be mixed with substitution methods for a
more secure cipher.
The best known method of transposition, simple columnar transposition, works like
this:
Using a key word or phrase, such as CONVENIENCE, assign a number to each letter
in the word using this rule: the numbers are assigned starting with 1, and they are
assigned first by alphabetical order, and second, where the same letter appears twice,
by position in the word.
Then, write in the message under the keyword, writing across - but take out columns, in
numerical order, reading down. Thus:
C O N V E N I E N C E
1 10 7 11 3 8 6 4 9 2 5
---------------------------------
H E R E I S A S E C R
E T M E S S A G E E N
C I P H E R E D B Y T
R A N S P O S I T I O
N
produces
Of course, it wouldn't be left with the spaces showing the columns that were used.
Decoding is harder - to read a message scrambled this way, you first have to count the
letters to determine, in this case, that there are 45 letters, and so the first column will
have five letters in it, and the other ones four, so that you know when to stop when
filling the letters in vertically to read them out horizontally.
Since the text being transposed is split into nearly regular divisions of almost equal
length, even double columnar transposition can be broken without recourse to multiple
anagramming: the use of several messages of the same length, enciphered in the same
key, to recover the transposition by matching together columns of letters that form
reasonable letter pairs.
C O N V E N I E N C E
1 10 7 11 3 8 6 4 9 2 5
---------------------------------
H
E R E I S A S E C R
E T M E S
S A G E E N C I
P H E R E D B Y T R A
N S P O S I T
I O N
produces
Here, the first row is filled in only up to the column with the key number 1; the second
row is filled in only up to the column with the key number 2; and so on. Of course, one
still stops when one runs out of plaintext, so the eighth row stops short of the key
number 8 in this example. This method has the advantage of dividing the text being
transposed in a more irregular fashion than ordinary columnar transposition.
For example, during World War I, the French army used a transposition in which
diagonal lines of letters were read off before the rest of the diagram. Also, several
countries have used columnar transpositions in which several positions in the grid were
blanked out and not used.
2 4 3 1 5
-----------
a b c d e
f g h i U
j k l V W
m n X Y Z
o p q r s
t
A square grille, divided into a grid of squares, one-quarter of which are punched with
holes, is placed over a sheet of paper. The message is written on the paper through the
holes, and then the grille is rotated by 90 degrees, and then the message continues to be
written, as the grille is turned through all four possible positions.
The trick to designing such a grille is to divide the grille into quarters, numbering the
squares in each quarter so that as the grille is rotated, corresponding squares have the
same number. Then, choose one square with each number for punching.
In World War I, the Germans used turning grilles with an odd number of holes on each
side as well as with an even number; to do this, they marked the square in the centre,
which was always punched, with a black border to indicate it was only to be used in
one of the grille's positions.
Grid numbering:
1 2 3 4 5 16 11 6 1
6 7 8 9 10 17 12 7 2
11 12 13 14 15 18 13 8 3
16 17 18 19 20 19 14 9 4
5 10 15 20 X 20 15 10 5
4 9 14 19 20 19 18 17 16
3 8 13 18 15 14 13 12 11
2 7 12 17 10 9 8 7 6
1 6 11 16 5 4 3 2 1
Layout:
O - - O - O - - - 1 4 16
- - O - - - - - O 8 2
- O - - - - O - - 12 13
- - O - O - - O - 18 20 9
- - - - X - O - O X 15 5
- - - O - - - O - 19 17
O - - - - O - - - 3 14
- O - - O - - - O 7 10 6
- - O - - - - - - 11
Filling-in:
first position
T H I O - - O - O - - -
S I - - O - - - - - O
S A - O - - - - O - -
M E S - - O - O - - O -
S A G - - - - O - O - O
E T - - - O - - - O -
H A O - - - - O - - -
T I A - O - - O - - - O
M - - O - - - - - -
(this is a message that I am)
second position
t E h N i C - O - - O - - O -
s R Y i - - - O - O - - -
s P T a - - O - O - - - -
I m e N s O - - - - - O - -
G s a W g - - - O . - - O -
I e T t O - - - - O - - -
h H A a T - O - O - - - - O
t U i R a - - O - - - - O -
N m I O - - - - - O - -
(encrypting with a turni)
third position
t e h n i N c - - - - - - O - -
G s r G y R i O - - - O - - O -
s p I t a L - - - O - - - - O
i L m e E n s - O - - - O - - -
T O g s a w g O - O - . - - - -
i P e R t O t - O - - O - O - -
h h V a a I t - - O - - - - O -
D t u i E r a O - - - - - O - -
n m T H i I - - - O - O - - O
(ng grille to provide thi)
fourth position
t e S h n i n c I - - O - - - - - O
g L s r g y L r i - O - - - - O - -
U s p i t S a T l O - - - - O - O -
i l m R e e n s A - - - O - - - - O
t T o g s I a w g - O - - . O - - -
i p V e r t o t E - - O - - - - - O
h h v a E a X i t - - - - O - O - -
d t i A i M e r a - - - O - O - - -
n P m t L h i E i - O - - O - - O -
(s illustrative example)
Transposition can be used to generate a scrambled order of the letters in the alphabet
for use as a substitution alphabet.
Transposition forms part of a fractionation cipher, where letters are divided into parts,
then the parts are put back together in a different order, belonging to different letters.
Next
Table of Contents
Main Page
Home Page
[Next] [Up] [Previous] [Index]
Improving Substitution
A cipher based on the use of a secret alphabet is not very secure; such ciphers are
presented as puzzles in crossword puzzle magazines. To achieve security it is
required to do something better.
If a letter can be broken up into smaller pieces for purposes of signalling, those
smaller pieces can also be used in a cipher. For example, one can take the letters
of a message apart into smaller pieces, transpose the smaller pieces, and then put
the pieces back together again into letters.
This is called fractionation, and is closely related to polygraphic substitution for
two reasons; one is that both deal with different sized units - parts of letters and
letters, or letters and pairs of letters - and the other is that fractionation is
sometimes used as a method of polygraphic substitution.
● Polyalphabetic Substitution
Next
Skip to Next Section
Chapter Start
Table of Contents
Main Page
Home Page
[Next] [Up/Previous] [Index]
Some of the early nomenclators were fairly unsophisticated; the substitutes for the letter B might
be the letter M or the digit 4, written in several distinctive styles - and then the substitutes for C
might be the letter N or the digit 5, again written in distinctive styles. Thus, a cryptanalyst
willing to try a simple guess would only need to solve a Caesar cipher - a simple substitution
where the alphabet is merely displaced instead of being thoroughly scrambled - instead of facing
the full problem of finding substitutes for the full set of symbols individually.
One ingenious modern method of producing a homophonic cipher, called the Grandpré cipher,
involves choosing ten ten-letter words, which can be ordered so that their first letters form an
eleventh ten-letter word, and which collectively include all 26 letters of the alphabet.
For example:
0 1 2 3 4 5 6 7 8 9
0 S T R A T I F I E D
1 U N D E R S T O O D
2 B A R K E N T I N E
3 M A J O R I T I E S
4 A S T R O L O G E R
5 R E E X A M I N E D
6 I N V E S T M E N T
7 N E G A T I V E L Y
8 E F F E R V E S C E
9 S Q U E E Z I N G S
The advantage it has, over a more routine type of homophonic table, for example:
0,3,8 4,7 9 1 5 2 6
1,2,7,8 E T A O I N S
0,4,5 H R D L U B C
3,9 M F G J K P Q
6 V W X Y Z
is that the multiple substitutes for each letter are not closely related.
The book The American Black Chamber, by Herbert Osborn Yardley, illustrated a cipher wheel
used by the Mexican Army which could be set up to produce a homophonic cipher with a key
that could be easily changed.
having four movable disks, one containing the two-digit pairs from 01 to 26, the second the
pairs from 27 to 52, the third the pairs from 53 to 78, the fourth the pairs from 79 to 99,
followed by 00 and four blank, unused spaces. The key consisted of the four two-digit pairs
aligned under the letter A, and the possible substitutes for any letter were the four (or possibly
three) two-digit pairs aligned under it. Obviously, the system would have been more secure had
the alphabet and the sequence of digit pairs been mixed.
The most important weakness of a homophonic system is that the person using it can become
lazy, and use the same substitute for a letter over and over, or use the substitutes in rotation,
rather than using them randomly.
Also, as many homophonic systems are devised by amateurs, they can have defects of one kind
or another. Helen Fouché Gaines in Elementary Cryptanalysis notes that Givierge, author of the
Cours de Cryptographie, described a homophonic system of the following kind:
E J G F D
O K M H S
P R W
---------
IT |a b c d e
AL |f g h i j
BQ |k l m n o
CN |p q r s t
u v x y z
---------
V X Y Z U
This is a type of straddling checkerboard, and we will meet a more elegant form of it later in the
section on fractionation. The word straddling refers to the fact that while most letters have a
two-letter group as their substitute, consisting of the letters indicating their row and column
(which may, incidentally, be taken in either order, as the alphabet has been split in half for this
purpose), five less-frequent letters represent each other. Thus, the presence of occasional one-
letter symbols is intended to complicate the problem for the cryptanalyst, making it difficult for
him to find out where the letter pairs that make up most of the message begin and end.
Although this cipher has many nice features, it does have a number of defects. Since the letters
that have only one letter as their substitute are, essentially, in a separate table, why use only a 25-
letter alphabet? Of course, in French, the letter W is so little used as almost not to be part of the
alphabet. But there are other defects.
● Although a group can begin with a letter from either half of the alphabet, the second letter
always has to be from the other half.
● Also, the second letter of a two-letter group can't be one of the five letters that represent
themselves, although since the first letter already indicates that there is a two-letter group,
that would not cause confusion.
Hence, this cipher omits a large number of two-letter substitutes which it could be making use
of. An improved design could be the following:
E J G F D b|M
O K U H S f|T
V W g|N
--------- p|R
IZ |r q l m x| DFOQTX v|P
AL |e u w h n| CJLNPWY y|Q
BY |c i k z a| AEGKUV
CX |o j t s d| BHIMRSZ
---------
E A C F G
I B H J L
P D O K M
Q T R N V
S U Z X W
Y
Here, six mid-frequency letters have single-letter substitutes, but these substitutes are drawn
from other letters in the alphabet.
The rest of the alphabet is divided into two halves, but once a letter is chosen to indicate either a
row or a column, the other co-ordinate of the plaintext letter is chosen from a set made from the
entire alphabet. Hence, if a letter on the left begins a two-letter group, it is ended with a letter
below; if a letter on the top begins a two-letter group, it is ended with a letter on the right.
Thus, the plaintext letter R can become ED, EO, OO, IQ, ZQ, or II.
As noted previously, the basic concepts of cryptography were slow to emerge. David Kahn's
book The Codebreakers illustrates the earliest known example of a cipher with homophones,
from the year 1401. It looked like this:
a b c d e f g h i k l m n o p q r s t u x y z
---------------------------------------------
Z y x D t s r q p o n l m k j h g f e d c b a
2 4 8 F
3 H 9 T
+ J L ~
where the capital letters stand for various special symbols (Z indicates a reverse script lowercase
z, F indicates an ff ligature, and J indicates the astrological symbol for Jupiter, for example).
To modern eyes, what is particularly striking about this cipher is that, even though the step of
improving on simple substitution by using multiple equivalents was taken, the basic cipher
alphabet itself is not thoroughly mixed, but instead varies only slightly from a simple reversed
alphabet.
Incidentally, the British publisher Hodder and Stoughton has an extensive series of books on
various subjects in a series called "Teach Yourself Books": particularly noteworthy in this series
are the instructional books for foreign languages, which the case of some languages are the only
readily available introductory book in print in English. (These are the books that used to have
yellow covers, but which changed to light blue covers some years back.) The book Codes and
Ciphers by Frank Higenbottam in this series, while a general introduction to the subject, is
distinguished by its uniquely extensive coverage of the topic of breaking messages enciphered
using nomenclators.
Next
Chapter Start
Skip to Next Section
Table of Contents
Home page
[Next] [Up] [Previous] [Index]
Of course, one could just use a random list of all 676 possible combinations of two
letters, and this would give the maximum possible security for a system that handles
two letters at a time.
Or, one could even follow the lead of Giovanni Battista della Porta, and use a table
giving different symbols for every pair of letters:
This is a redrafting of the table of 400 symbols for the digraphs of a 20-character
alphabet given by Porta in his De Furtivis Literatum Notis. In the original, there are a
few typographical errors, leading to some duplicate symbols:
Naturally, since Porta was expressing the idea of a digraphic cipher in print for the first
time, he did so in a way that seems unsophisticated by modern standards.
The columns in Porta's diagram all contain characters related in shape. This makes it
easier to look up a symbol, but also gives away information. One way to retain the
advantage of easily finding a symbol, but without giving away information to the
cryptanalyst, is illustrated in the diagram above: have similar symbols arranged along
the diagonals of the diagram, and use mixed alphabets along the edges. While a
digraphic symbol cipher is something that isn't too practical, similar techniques have
been used for small code charts to make them practical and secure.
Systematic methods of enciphering several letters at once, without simply using a very
large table, will be outlined in what follows. Fractionation lends itself to many
complicated and bizarre developments, a few of which will be illustrated there.
Hopefully, all the examples that will be contained in the following pages will prove a
starting point from which you can let your imagination run wild.
Representing letters by five symbols from a set of two, or three symbols from a set of
three, has tended to be used mostly for steganography, as proposed by Bacon and
Trithemius. (That is, in the former case, if one does not count the use of the 5-level
code for teletypewriters.)
The Hagelin B-21 and its relatives also involved fractionation, combined with
polyalphabeticity but without transposition.
Next
Chapter Start
Skip to Next Section
Table of Contents
Main page
Home page
[Next] [Up/Previous] [Index]
Playfair
The most famous polygraphic system is, of course, the Playfair cipher, which works as
follows: given a 5 by 5 square, containing a jumbled alphabet, such as:
T X V H R
L K M U P
N Z O J E
C G W Y A
F B S D I
doing without one letter by some rule: i.e. if Q is omitted, as here, use KW to stand for
QU; or treat I and J, or U and V, as one letter.
Then, a pair of letters is converted to a ciphertext pair using one of three possible rules,
whichever one applies:
if the two letters are neither in the same row or the same column, replace each letter by
the one that is in its own row, but in the column of the other plaintext letter. Examples:
TI becomes RF, TW becomes VC, KA becomes PG, UB becomes KD, WX becomes
GV
T------>R T-->V H R
| K M U | | K | U P
| Z O J | | Z | J E
| G W Y | C<--W Y A
F<------I F B S D I
if the two letters are both in the same column, replace each one by the one below it,
wrapping around if necessary. Examples: VW becomes MS, TN becomes LC, TL
becomes LN, TF becomes LT, KB becomes ZX
T X V H R
L K M U P
N Z | J E
C G W Y A
F B S D I
it the two letters are both in the same row, replace each one by the one to the right of it,
wrapping around if necessary. Examples: TH becomes XR, KP becomes ML, NZ
becomes ZO.
T X---H R
L K M U P
N Z O J E
C G W Y A
F B S D I
Double letters aren't allowed within a single digraph, and must be split up by inserting
a letter used as a null (for example, an X) between them.
If the Playfair cipher is used on a computer, perhaps in combination with other ciphers,
it might be more convenient to make a rule for double letters, such as using the letter
that is both below and to the right of the plaintext letter, and also doubling it. Then, EE
would become CC.
Playfair has inspired some related bigraphic ciphers that, on the one hand, improve
security by involving multiple, unrelated alphabets, but on the other hand, are simpler
in that they use fewer rules than Playfair.
In the Four-Square cipher, two squares are used to find the two plaintext letters, and
two others are used to find the two ciphertext letters:
D W X Y M | E P T O L D W X Y M | E P T O L
R J E K I | C V I Y Z R J E K I | C V I Y Z
U V H P S | R M A G B U V H---------->M A G B
A L B Z N | F W J H S A L | Z N | F | J H S
G C O F T | U N D X K G C | F T | U | D X K
-----------|----------- ----|------|----|------
J T B U E | V I M A G J T | U E | V | M A G
Z H N D X | S W P O H Z H N<----------W P O H
L A F R G | U T Z K E L A F R G | U T Z K E
P M I Y C | N R D X Y P M I Y C | N R D X Y
V S K W O | B J L C F V S K W O | B J L C F
and the only rule for finding the substitute for a digraph is similar to the first rule given
for Playfair: the first letter is replaced by the letter in its row, and the second letter's
column, and so on. Thus, as the diagram above illustrates, HW becomes MN.
With only two squares, the first plaintext letter and the second ciphertext letter are
found in the square on the left, and if both plaintext letters are in the same row, each
one is replaced by the other letter. (Other rules are possible, as long as the result is a
pair of letters, the first from the square on the right, the second from the square on the
left, in the same row. For example, each letter could be replaced by the letter to the
right of, or below, the other letter in the other letter's own square.)
During World War II, several digraphic ciphers were used by the German armed
forces. All had the common feature that text was broken up by seriation before being
enciphered: that is, the message MORE TROOPS NEEDED HERE would be broken
up like this:
MORET NEEDE
ROOPS DHERE
While the seriation step is an essential part of some fractionation ciphers we will see
below, using it with a digraphic cipher has been questioned, since it allows the
cryptanalyst to pretend he is dealing with simple substitution with 26 homophones for
each letter, and therefore may make solution easier instead of harder.
Jim Gillogly has noted that declassified NSA documents refer to another cipher of this
type, in which the digraphs were enciphered twice by means of the two-square cipher.
Since each letter enciphered the first time was then found in the square on the other
side for the second encipherment, the relation between plain and cipher digraphs was
much more complicated than in regular Playfair.
Next
Chapter Start
Skip to Next Section
Table of Contents
Main page
Home page
[Next] [Up] [Previous] [Index]
The first of the three rules for Playfair encipherment changes one two-letter group, or digraph, to
another by exchanging column co-ordinates. This suggests using row and column co-ordinates in a
more general fashion. Let's take the 5 by 5 square above, but number the rows and the columns, like
this:
1 2 3 4 5
---------
1) T X V H R
2) L K M U P
3) N Z O J E
4) C G W Y A
5) F B S D I
Then, another method of encipherment would be as follows: Divide a message into groups of letters of
a fixed length, say five letters, and write the row and then the column co-ordinate of each letter
beneath it, like this:
and then, going across within each group, read the numbers in order, and turn them, in pairs, into
letters: that is, read 11555 14535 52453 33435... and turn them into the letters corresponding to 11, 55,
51, 45, 35, 52, and so on.
This is the Bifid cipher of Delastelle, and the general principle of this form of cipher is called
seriation. This is one of the most secure pencil-and-paper ciphers that is still used by hobbyists as a
puzzle. It isn't hard to make this kind of cipher just a little bit more complicated, and thereby obtain
one that is genuinely secure. It belongs to the class of cipher methods known as fractionation, where
letters are divided into smaller pieces, or "fractions". Just as two symbols from 1 to 5 give 25 letters,
three symbols from 1 to 3 give 27 letters; and five binary bits provide a 32-character alphabet.
The Trifid, also due to Delastelle, is the analogous cipher using a 27-letter alphabet represented by
three symbols from 1 to 3:
which again is read off horizontally after being written in vertically, yielding a cipher message like
this:
Representing the letters as combinations of two groups of from one to five signal fires was originally
proposed by Polybius in his Histories, as being a general method of communications, unlike ones he
noted as being previously used that depended on a small list of pre-arranged messages. It looked like
this:
with the letters of the Greek alphabet placed on five numbered tablets, and each letter being numbered
on each tablet.
Other forms of dividing a character into smaller pieces, such as ASCII or Baudot, or Morse Code (to
be seen below) were also developed to allow communications over various types of channel, as were
the signal flags used by ships, to use an example of a different type.
Some ciphers actually used by Soviet spies used a square like this:
9 8 2 7 0 1 6 4 3 5
-------------------
A T O N E S I R
2 B C D F G H J K L M
6 P Q U V W X Y Z . /
Eight of the most common letters are translated to a single digit. The two digits not used in this way
begin two-digit combinations that stand for the remaining letters. This is an example of a variable
length code with the prefix property. When it is possible to tell, from the digits one has already seen of
a symbol, whether or not one needs to include the next digit in the symbol, then spaces between the
digits of a symbol are not needed, and this is what is known as the prefix property.
At one time, telephone numbers in North America had this property, because the middle digit of an
area code was always 0 or 1, and the first three digits of a regular telephone number, also known as
the exchange, never had 0 or 1 as the middle digit. Therefore, it was possible to dial 1 plus the seven-
digit number to make a long-distance call within one's own area code, since the first three digits could
not possibly be an area code. However, the increased need for more telephone numbers made it
necessary to abandon this rule, in January 1995 and therefore when dialing a long-distance call within
one's own area code, it is now still necessary to dial the area code. This method of dealing with the
increased demand for telephone numbers had the advantage that the number of digits in a telephone
number did not have to be increased, and this avoided problems with computer data-processing
systems that allocated the fixed minimum amount of space for a telephone number, as well as limiting
the amount of alteration needed for older telephone equipment.
In Britain, on the other hand, it was necessary to lengthen every telephone number by one digit, and
this was done by inserting the digit 1 in every number in the second position on a day called "phONE
day", April 16, 1995, although permissive dialing remained in effect until April 22, 2000. A number
of other countries also modified their systems of telephone numbers during roughly the same period;
Australia began in 1996, and Finland changed over its phone system on October 12, 1996.
Since in Morse code, a dot is the letter E, and a dash is the letter T, but other Morse code symbols also
begin with a dot or a dash, Morse code is a variable-length code that does not have the prefix property,
and so spaces are required between letters in Morse code.
Of course, the second digit of a two-digit combination could also have stood, by itself, for another
letter; but because when you start from the beginning and move forwards, there is no chance of
confusion, this is a workable and usable system.
Thus, the message SENDMONEY would become 4 1 0 22 25 7 0 1 66, or, rather, 41022 25701 66
because spaces to show where the letters begin are not needed; the first digit representing a letter
determines if its substitute is one or two digits long.
More complicated codes that work this way, using only the two binary digits 0 and 1, are used as a
form of data compression. The most famous variable-length prefix-property binary codes are the
Huffman codes; but this term only applies to such a code when symbols were assigned in it by a
specific algorithm, which has been proven to be optimal, within the limitations of only considering
single-symbol frequencies, and only using this kind of code: arithmetic coding, which doesn't work in
whole bits, can be more efficient. Before Huffman's proof, codes of that nature assigned in a different
fashion, which are known as Shannon-Fano codes, were the best known.
In one case, the VIC cipher used by Reino Hayhanen (the message in that cipher on microfilm, inside
a hollow nickel, was the background to the page introducing this section) the digits produced by a
straddling checkerboard were then subjected to a form of columnar transposition which was varied by
selecting triangular areas to be filled with plaintext last.
In other cases, after the message was converted to digits, encipherment similar to the Vigenère to be
described in the next section was performed. Since Vigenère is a form of addition, doing addition on
digits is easier for most people, without special equipment, than doing it on letters.
Next
Chapter Start
Skip to Next Section
Table of Contents
Main page
Home page
[Next] [Up] [Previous] [Index]
David Kahn described that cipher briefly in an article in Scientific American, and in full
detail in a talk at the 1960 annual convention of the American Cryptogram Association
which was later reprinted in his book Kahn on Codes.
The VIC cipher, which I will demonstrate here adapted to the sending of English-
language messages, begins with an involved procedure to produce ten pseudorandom
digits. The agent must have memorized six digits (which were in the form of a date), and
the first 20 letters of a key phrase (which was the beginning of a popular song) and must
think of five random digits for use as a message indicator.
Let the date be July 4, 1776, to give the digits 741776. (Actually, the Russians used their
customary form of dates, with the month second.) And let the random indicator group be
77651.
The first step is to perform digit by digit subtraction (without carries) of the first five
digits of the date from the indicator group:
77651
(-) 74177
---------
03584
The second step is to take the 20-letter keyphrase, and turn it into 20 digits by dividing it
into two halves, and within each half, assigning 1 to the letter earliest in the alphabet,
and so on, treating 0 as the last number, and assigning digits in order to identical letters.
Thus, if our keyphrase is "I dream of Jeannie with t", that step proceeds:
I D R E A M O F J E A N N I E W I T H T
6 2 0 3 1 8 9 5 7 4 1 6 7 4 2 0 5 8 3 9
The result of the first step is then expanded to ten digits through a process called chain
addition. This is a decimal analog of the way a linear-feedback shift register works:
starting with a group of a certain number of digits (in this case five, and later we will do
the same thing with a group of ten digits), add the first two digits in the group together,
take only the last digit of the result and append it to the end of the group, then ignore the
first digit, and repeat the process.
The 10 digit result is then added, digit by digit, ignoring carries, to the first 10 digits
produced from the keyphrase to produce a ten-digit result, as follows:
6 2 0 3 1 8 9 5 7 4
(+) 0 3 5 8 4 3 8 3 2 7
-----------------------
6 5 5 1 5 1 7 8 9 1
And these 10 digits are then encoded by encoding 1 as the first of the 10 digits produced
from the second half of the keyphrase, 2 as the second, up to 0 as the tenth.
using code: 1 2 3 4 5 6 7 8 9 0
1 6 7 4 2 0 5 8 3 9
6 5 5 1 5 1 7 8 9 1
becomes 0 2 2 1 2 1 5 8 3 1
This ten digit number is used by chain addition to generate 50 pseudorandom digits for
use in encipherment:
0 2 2 1 2 1 5 8 3 1
---------------------
2 4 3 3 3 6 3 1 4 3
6 7 6 6 9 9 4 5 7 9
3 3 2 5 8 3 9 2 6 2
6 5 7 3 1 2 1 8 8 8
1 2 0 4 3 3 9 6 6 9
The last row of these digits (which will still be used again) is used like the letters in a
keyword for transposition to produce a permutation of the digits 1 through 9 (with 0 last
again):
1 2 0 4 3 3 9 6 6 9
---------------------
1 2 0 5 3 4 8 6 7 9
and those digits are used as the top row of numbers for a straddling checkerboard:
1 2 0 5 3 4 8 6 7 9
-------------------
A T O N E S I R
-------------------
0 B C D F G H J K L M
8 P Q U V W X Y Z . /
One detail omitted is that the checkerboard actually used had the letters in the bottom
part written in vertical columns with some columns left until the end. That doesn't work
as well in an English example, as there are only two left-over spaces after the alphabet.
We are pleased to hear of your success in establishing your false identity. You will be
sent some money to cover expenses within a month.
For the sake of our example, we will give our agent a small personal number of 8. This
number is used to work out the widths of the two transposition tableaux used to
transpose the numbers obtained above. The last two unequal digits, which in this case are
the last two digits (6 and 9) of the last row of the 50 numbers generated above, are added
to the personal number with the result that the two transpositions will involve 8+6, or 14,
and 8+9, or 17, columns respectively.
The keys for those two transpositions are taken by reading out the 50 numbers by
columns, using the 10 digits used to generate them as a transposition key. Again, 0 is
last, so given the table above:
0 2 2 1 2 1 5 8 3 1
---------------------
2 4 3 3 3 6 3 1 4 3
6 7 6 6 9 9 4 5 7 9
3 3 2 5 8 3 9 2 6 2
6 5 7 3 1 2 1 8 8 8
1 2 0 4 3 3 9 6 6 9
Our first transposition uses the first 14 digits as the key of a conventional simple
columnar transposition:
36534693233928
--------------
83419481074164
00250441950588
58096800202466
73462101077604
73038858090510
76470043272888
85808370707014
64326509409534
88250258549484
81436468372047
3109532049
Since our message consisted of ten rows of 14 digits, plus one extra row of 9 digits, it is
149 digits long. At this initial stage, one null digit is appended to the message, making it
150 digits long, so that it will fill a whole number of 5-digit groups.
Thus, with the null digit added, it gives us the intermediate form of the message:
The fact that our message is 150 digits long was important to note, since the next step in
the encipherment, although it is also a columnar transposition, includes an extra
complexity to make the transposition irregular, and so it is necessary to lay out in
advance the space that will be used in that transposition.
The remaining 17 digits of the 31 we read out above, 9 47352 36270 39813 4, are the
key for this second transposition. The numbers, in addition to indicating the order in
which the columns are to be read out, indicate where triangular areas start which will be
filled in last.
The first triangular area starts at the top of the column which will be read out first, and
extends to the end of the first row. It continues in the next row, starting one column later,
and so on until it includes only the digit in the last column. Then, after one space, the
second triangular area starts, this time in the column which will be read out second.
Since we know that our message is 150 digits long, we know that it will fill 8 rows of 17
digits, with 14 digits in the final row. This lets us fill in the transposition block, first
avoiding the triangular areas:
94735236270398134
-----------------
09200274534686
018138480577786
8831596370253911
01830988075079700
47940
270279
9290628
08606542
040483240
94735236270398134
-----------------
09200274534686308
01813848057778633
88315963702539116
01830988075079700
47940548114481803
27027952434864084
92906284478400547
08606542056215465
04048324080540
36178 05428 99592 53507 01440 00113 42004 74684 58426 75048
42503 10084 69181 77284 83603 47503 50076 68483 88242 42838
90960 35071 37586 89914 05000 77651 80429 00873 78601 44725
44860
Next
Chapter Start
Skip to Next Section
Table of Contents
Main page
Home page
[Next] [Up] [Previous] [Index]
Based on the Playfair cipher, I once thought of a way to make a cipher that worked on groups of three
letters.
T X V H R
L K M U P
N Z O J E
C G W Y A
F B S D I
● If all three letters are the same, replace them by three repetitions of the letter diagonally below
and to the right of that letter. Thus: MMM becomes JJJ in the square above. Below, and to the
right, are always interpreted cyclically, so DDD becomes RRR, and PPP becomes NNN, and
even III becomes TTT.
● If two of the letters are the same, encipher the two letters as if they were part of a digraph to be
enciphered with Playfair.
❍ If the two letters are in the same row, replace each one with the letter to its right. Thus:
with the letter that is in its own row, but in the column of the other letter. Thus: BOO
becomes SZZ, MIM becomes PSP.
● When all three letters are different, follow these rules:
❍ If all three letters are in the same row, replace each one with the letter to its right. Thus,
third letter, replace the letter that is in the same row as one other letter and the same
column as the other other letter with the letter that is in the same column as the letter
with which it shares a row, and in the same row as the letter with which it shares a
column. Replace the two other letters by each other. Thus, YUK becomes KGY, WVY
becomes HYV, POE becomes OPM, GAP becomes PKG.
❍ If two letters are in the same column, but the third letter is neither in that column nor in
the same row as either of those two letters, replace each letter by the letter which is in
its own row, but in the other column used by the three letters. Thus, TCO becomes
VWN, TAN becomes RCE, HUG becomes XKY.
❍ If two letters are in the same row, but the third letter is neither in that row nor in the
same column as either of those two letters, replace each letter by the letter which is in
its own column, but in the other one of the two rows used by the letters. Thus, NED
becomes FIJ, GAS becomes BIW, LOP becomes NME.
❍ If no two letters share either a row or column, each letter is replaced by the letter in its
own row, but in the column of the next letter of the trigram, the first letter being the
'next letter' for the last one. Thus, TOY becomes VJC, LOB becomes MZF, GET
becomes ANX.
Note that since a trigram with repeated letters always enciphers to a trigram with repeated letters, one
could use a separate square for each of the three possibilities, or even just use an arbitrary substitution
alphabet for the case of three identical letters.
If one uses a substitution where each letter of a 27-letter alphabet is replaced by three digits from 1 to
3, then the obvious method of constructing a trigraphic cipher from this is to write the equivalents of
the three letters in by columns and take them out by rows; thus, with the alphabet
T H E
3 1 2 X
2 3 1 L
1 3 2 Y
For 26 Letters
Let's imagine that we want to have a method that doesn't require, as the original Playfair did, inserting
a letter like X into the plaintext when a double letter occurs; we want something that can be applied
mechanically to any arbitrary input text. This would make it suitable for use as a step in encryption
performed by a computer.
For the cipher derived from Playfair, the structure of the rules provides a clue. When the extra letter
turns up, ignore it for encryption, but place it in the ciphertext without alteration, and treat two
remaining letters, if they are different, as in regular Playfair, and a single remaining letter (or two
identical remaining letters) as if they were three identical letters.
How, though, can we possibly make the cipher which requires a 27-letter alphabet work with only 26
letters?
First, choose a substitution table such that the unused letter, &, is represented by the code 333.
L O G S & G
2 1 3 S 2 3 3 L
3 3 3 & 1 3 3 O
3 3 1 G 3 3 1 G
That appears to be a trivial consequence of the fact that this cipher is reciprocal.
Since an ampersand is represented by the code 333, however, that means that whether or not a square
produces an ampersand depends only on the positions of the 3s in that square; the other two digits, 1
and 2, are irrelevant. Thus, we can do better than leaving trigrams which encipher to combinations
including an ampersand unenciphered.
Between the two encipherments, we can apply a substitution to the letters of the first result, as long as
that substitution leaves the 3s unchanged. Since this substitution operates perpendicular to the
plaintext and the ciphertext, the cipher still mixes the letters of the trigram together in this case.
111 212 113 123 131 232 311 321 133 233
112 122 123 223 132 231 312 311 233 133
121 211 213 113 231 131 321 322 313 313
122 221 223 213 232 132 322 312 323 323
211 121 331 332
212 222 332 331
221 111
222 112 333 333
L O G H & V
2 1 3 S 213 -> 113 (H) 1 3 3 O
3 3 3 & 333 -> 333 (&) 1 3 3 O
3 3 1 G 331 -> 332 (V) 3 3 2 V
Heptagraphic encryption
Having now obtained two trigraphic ciphers which both operate on trigrams of the 26-alphabet, but
which operate on different principles, one is immediately tempted to combine them to create a cipher
which will be much stronger than either one alone.
One way to do this is simply to apply both in sequence. However, inspired by recently encountering
the polymorphic block ciphers of Kostadin Bajalcaliev, I have thought of a more elaborate way of
doing this.
Let us encipher a block of seven letters at a time. Three letters are enciphered trigraphically by one of
the two systems given above, and the next three are enciphered using the other system. The seventh
letter is used to indicate which system is used.
from 1 2 3 4 5 6 7
to 4 7 1 2 3 5 6
Since it seems wasteful to leave a letter unenciphered just to use it as the source of one bit of
information, that letter could also be used to choose between twelve possibilities: there could be three
different sets of tables for one of the block ciphers, and four different sets of tables for the other. For
the one based on Playfair, it is not even necessary that the omitted letter be the same for each set of
tables.
Nonagraphic Encryption
Of course, with two different trigraphic ciphers, performing some sort of transposition between
applying them is another way to produce a very strong cipher.
Just as the trigraphic cipher based on a 27-character alphabet places digits in a square by columns, and
takes them out by rows, one could encrypt nine letters at a time by placing them in a square array, and
encrypting first the columns by one cipher, and then the rows by the other. One could even do that
twice, inspired by Square, the predecessor of Rijndael, the new Advanced Encryption Standard.
Next
Chapter Start
Skip to Next Section
Table of Contents
Main page
Home page
[Next] [Up] [Previous] [Index]
Polyalphabetic Substitution
The idea of using substitution ciphers that change during the course of a message was a very important step forwards in
cryptography. David Kahn's book, The Codebreakers, gives a full account of the origins of this idea during the Italian
Renaissance.
The earliest form of polyalphabetic cipher was developed by Leon Battista Alberti by 1467. His system involved writing the
ciphertext in small letters, and using capital letters as symbols, called indicators, to indicate when the substitution changes,
now and then through a message. The plaintext alphabet on his cipher disk was in order, and included the digits 1 through 4
for forming codewords from a small vocabulary.
Subsequently, more modern forms were devised, which change the substitution for each letter:
● A progressive-key system, where keys are used one after the other in normal order. This was first published
posthumously, in a book by Johannes Trithemius that appeared in 1518. The key ABCD...Z was used with regular
alphabets in the form depicted therein.
● A keyword indicating the alphabets to use in turn. Although this system is what is called the Vigenère, it originated
with Giovan Batista Belaso in 1553. In 1563, Giovanni Battista Porta added the use of mixed alphabets to this system.
● The autokey system, where a key starts the choice of alphabet, but the message itself determines the alphabets to use
for later parts of the message. Although an unusable form of this was first proposed by Girolamo Cardano, it was
Blaise de Vigenère who proposed the modern form of the autokey cipher in 1585.
The following compact table provides 26 alphabets, each labelled with a letter of the alphabet:
B C D E F ZABCDEFGHIJKLMNOPQRSTUVWXY
G H I J K UVWXYZABCDEFGHIJKLMNOPQRST
L M N O P PQRSTUVWXYZABCDEFGHIJKLMNO
Q R S T U KLMNOPQRSTUVWXYZABCDEFGHIJ
V W X Y Z FGHIJKLMNOPQRSTUVWXYZABCDE
B G L Q V ABCDEFGHIJKLMNOPQRSTUVWXYZ
C H M R W BCDEFGHIJKLMNOPQRSTUVWXYZA
D I N S X CDEFGHIJKLMNOPQRSTUVWXYZAB
E J O T Y DEFGHIJKLMNOPQRSTUVWXYZABC
F K P U Z EFGHIJKLMNOPQRSTUVWXYZABCD
The A alphabet isn't shown, since in that alphabet, every letter stands for itself, and so, if nothing is done, nothing need be
looked up in the table. For any other alphabet, use the letter indicating the alphabet to find a row among the top five, and a
row among the bottom five; using those two rows, the upper row stands for plaintext, the lower for cipher.
Thus, for alphabet Q, the top row begins KLMNO... and the bottom row begins ABCDE..., and so K becomes A, Q becomes
G, and A becomes Q in that alphabet.
If you think of A as standing for zero, B for 1, up to Z for 25, this particular set of alphabets is nothing more than the modulo
26 addition of the plaintext and the key to obtain the ciphertext. Circular disks or sliding scales can be used to carry out the
addition. This, perhaps, can be more easily seen if we exhibit the Vigenère tableau in full, accompanied by the table for
modulo-26 addition:
|ABCDEFGHIJKLMNOPQRSTUVWXYZ | 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
19 20 21 22 23 24 25
-+-------------------------- --
+-----------------------------------------------------------------------------
A|ABCDEFGHIJKLMNOPQRSTUVWXYZ 0| 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
19 20 21 22 23 24 25
B|BCDEFGHIJKLMNOPQRSTUVWXYZA 1| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19
20 21 22 23 24 25 0
C|CDEFGHIJKLMNOPQRSTUVWXYZAB 2| 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
21 22 23 24 25 0 1
D|DEFGHIJKLMNOPQRSTUVWXYZABC 3| 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21
22 23 24 25 0 1 2
E|EFGHIJKLMNOPQRSTUVWXYZABCD 4| 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22
23 24 25 0 1 2 3
F|FGHIJKLMNOPQRSTUVWXYZABCDE 5| 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
24 25 0 1 2 3 4
G|GHIJKLMNOPQRSTUVWXYZABCDEF 6| 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
25 0 1 2 3 4 5
H|HIJKLMNOPQRSTUVWXYZABCDEFG 7| 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
0 1 2 3 4 5 6
I|IJKLMNOPQRSTUVWXYZABCDEFGH 8| 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 0
1 2 3 4 5 6 7
J|JKLMNOPQRSTUVWXYZABCDEFGHI 9| 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 0 1
2 3 4 5 6 7 8
K|KLMNOPQRSTUVWXYZABCDEFGHIJ 10|10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 0 1 2
3 4 5 6 7 8 9
L|LMNOPQRSTUVWXYZABCDEFGHIJK 11|11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 0 1 2 3
4 5 6 7 8 9 10
M|MNOPQRSTUVWXYZABCDEFGHIJKL 12|12 13 14 15 16 17 18 19 20 21 22 23 24 25 0 1 2 3 4
5 6 7 8 9 10 11
N|NOPQRSTUVWXYZABCDEFGHIJKLM 13|13 14 15 16 17 18 19 20 21 22 23 24 25 0 1 2 3 4 5
6 7 8 9 10 11 12
O|OPQRSTUVWXYZABCDEFGHIJKLMN 14|14 15 16 17 18 19 20 21 22 23 24 25 0 1 2 3 4 5 6
7 8 9 10 11 12 13
P|PQRSTUVWXYZABCDEFGHIJKLMNO 15|15 16 17 18 19 20 21 22 23 24 25 0 1 2 3 4 5 6 7
8 9 10 11 12 13 14
Q|QRSTUVWXYZABCDEFGHIJKLMNOP 16|16 17 18 19 20 21 22 23 24 25 0 1 2 3 4 5 6 7 8
9 10 11 12 13 14 15
R|RSTUVWXYZABCDEFGHIJKLMNOPQ 17|17 18 19 20 21 22 23 24 25 0 1 2 3 4 5 6 7 8 9
10 11 12 13 14 15 16
S|STUVWXYZABCDEFGHIJKLMNOPQR 18|18 19 20 21 22 23 24 25 0 1 2 3 4 5 6 7 8 9 10
11 12 13 14 15 16 17
T|TUVWXYZABCDEFGHIJKLMNOPQRS 19|19 20 21 22 23 24 25 0 1 2 3 4 5 6 7 8 9 10 11
12 13 14 15 16 17 18
U|UVWXYZABCDEFGHIJKLMNOPQRST 20|20 21 22 23 24 25 0 1 2 3 4 5 6 7 8 9 10 11 12
13 14 15 16 17 18 19
V|VWXYZABCDEFGHIJKLMNOPQRSTU 21|21 22 23 24 25 0 1 2 3 4 5 6 7 8 9 10 11 12 13
14 15 16 17 18 19 20
W|WXYZABCDEFGHIJKLMNOPQRSTUV 22|22 23 24 25 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14
15 16 17 18 19 20 21
X|XYZABCDEFGHIJKLMNOPQRSTUVW 23|23 24 25 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
16 17 18 19 20 21 22
Y|YZABCDEFGHIJKLMNOPQRSTUVWX 24|24 25 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
17 18 19 20 21 22 23
Z|ZABCDEFGHIJKLMNOPQRSTUVWXY 25|25 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
18 19 20 21 22 23 24
And, of course, instead of the modulo-26 addition table for our 26-letter alphabet, a Vigenere
table can be constructed for any alphabet. Thus, modulo-24 addition would be used for the
Greek alphabet, modulo-32 addition for the Russian alphabet, or, as shown in the picture at
left, modulo-22 addition for the Hebrew alphabet. Here, the table is written from right to left, in
the same direction as normally used for Hebrew writing.
The message "Wish you were here" can be encrypted by the three possible methods, using SIAMESE as the keyword:
Straight keyword:
Message: WISHYOUWEREHERE
Key: SIAMESESIAMESES
Cipher: OQSTCGYOMRQLWVW
Progressive key:
Message: WISHYOUWEREHERE
Key: SIAMESETJBNFTFU
Cipher: OQSTCGYPNSRMXWY
Autokey:
Message: WISHYOUWEREHERE
Key: SIAMESEWISHYOUW
Cipher: OQSTCGYSMJLFSLA
For the progressive key, the keyword, followed by the keyword advanced one position at a time through the alphabet, is
used. Just using ABCDEF... as the key would not have been unique enough to serve as a real cipher.
The table shown here can be thought of as a table for the addition of letters, which is equivalent to addition modulo 26,
where A stands for 0, B stands for 1, continuing on to Z, which would stand for 25.
The plain keyword system can be solved by the Kasiski method; look for repeated sequences of letters in a message, and
count the number of letters between them. From this, it is easy to spot common factors, and determine the length of the
keyword used. This lets one sort the letters into the ones enciphered with the same alphabet. If normal alphabets are used,
looking at the profile of the frequency count makes solution trivial.
For the other two methods, elementary cryptanalysis only allows solution for normal (or at least known) alphabets. The
progressive key case can be made to yield its period if one looks not for repeated letters, but for repeated distances in the
alphabet between adjacent letters; this subtracts out the slow movement of the keyword through the alphabet. The autokey
can basically be solved by brute-force trial on the length of its starting keyword. Of course, these systems can still be solved
with mixed alphabets, but more advanced methods are needed, involving statistics or multiple messages with the same key.
In addition to using mixed alphabets for greater security, there are other systems of historical importance.
The Gronsfeld, which added a numeric key to the plaintext, meant that there were only ten possible equivalents for each
letter, but was easier to do by hand without a table or slide or disk. The Porta system used a smaller table; the first half of the
alphabet was stationary while the second half moved, and equivalents for letters in each half of the alphabet were found in
the other half.
The table for the Porta system (converted to the modern 26-letter alphabet) is as follows:
ABCDEFGHIJKLM
-------------
AB |NOPQRSTUVWXYZ
CD |OPQRSTUVWXYZN
EF |PQRSTUVWXYZNO
GH |QRSTUVWXYZNOP
IJ |RSTUVWXYZNOPQ
K KL |STUVWXYZNOPQR
e MN |TUVWXYZNOPQRS
y OP |UVWXYZNOPQRST
QR |VWXYZNOPQRSTU
ST |WXYZNOPQRSTUV
UV |XYZNOPQRSTUVW
WX |YZNOPQRSTUVWX
YZ |ZNOPQRSTUVWXY
The Gronsfeld, and, even more easily, the Porta, because they only allow some letters, but not others, as equivalents for any
given plaintext letter, can be attacked through this weakness.
In attempting to devise a cipher that, like the Gronsfeld, lends itself to mental arithmetic, I used (for the English alphabet)
the method of representing numbers as letters that was used by the ancient Hebrews and the ancient Greeks:
A 1 J 10 S 100
B 2 K 20 T 200
C 3 L 30 U 300
D 4 M 40 V 400
E 5 N 50 W 500
F 6 O 60 X 600
G 7 P 70 Y 700
H 8 Q 80 Z 800
I 9 R 90
a) If the plaintext and key letters are in the same column, they are added:
b) If the plaintext and key letters are in two different columns, their nonzero digits are added, and the letter in the third
column which contains neither key nor plaintext containing the sum is taken:
If we had a 27-letter alphabet, we would only have to add that when the sum is greater than 9, subtract 9 (in the appropriate
digit place):
For the 26-letter alphabet, it's easy to modify rule (a): if the two letters are in the third column, subtract 800 instead of 900.
Rule (b) is modified in this way: always subtract 9; if the cipher letter and the key letter produce 900 as the result, use
instead the letter that would be produced by enciphering a letter with the value 900 with the key letter. Since there is no letter
with that value, when one is produced by deciphering, decipher 900 with the key to get the true plaintext letter.
Plaintext
ABCDEFGHI JKLMNOPQR STUVWXYZ
----------------------------
A|BCDEFGHIA TUVWXYZJS KLMNOPQR
B|CDEFGHIAB UVWXYZKST LMNOPQRJ
C|DEFGHIABC VWXYZLSTU MNOPQRJK
D|EFGHIABCD WXYZMSTUV NOPQRJKL
E|FGHIABCDE XYZNSTUVW OPQRJKLM
F|GHIABCDEF YZOSTUVWX PQRJKLMN
G|HIABCDEFG ZPSTUVWXY QRJKLMNO
H|IABCDEFGH QSTUVWXYZ RJKLMNOP
I|ABCDEFGHI STUVWXYZR JKLMNOPQ
This table is slightly imperfect. For each of the first eighteen letters in the alphabet, when they occur in the plaintext, there is
one letter that no key letter will cause to be its ciphertext equivalent, and there is another letter that will be that plaintext
letter's ciphertext equivalent for two different key letters. However, although imperfect, it is less so than the Gronsfeld
cipher, and so the system might be of some use (although just converting to digits with a straddling checkerboard achieves
the same goal, of simplifying applying a key, without any imperfections, and considerably more simply).
It is, however, more important to recognize the names of two other systems. If Vigenère can be thought of as plaintext + key
= cipher, Beaufort amounts to key - plaintext = cipher. Since cipher = key + plaintext, Beaufort, like Porta, is reciprocal: the
same steps exactly will both encipher and decipher. Variant Beaufort is plaintext - key = cipher, and is the same as
deciphering for Vigenère.
Slides and disks are often used for the Vigenère and other polyalphabetic ciphers, particularly mixed-alphabet Vigenère.
Helen Fouché Gaines' Elementary Cryptanalysis gives a classification of mixed alphabet slides into four types:
A slide of type 0a produces a reciprocal cipher, and can be used for Beaufort. The mechanical equivalent of such a slide is an
element of a Hagelin machine.
The Type 1 slide is more easily cryptanalyzed than the Type 2 or above slides since once the different alphabets have been
determined by discovering the period of the cipher by the Kasiski method (looking for repeated digrams, trigrams and above,
noting the distance between them, and looking for a common factor to most of the distances, giving greater weight to longer
repetitions) the frequency counts can be lined up, since they are displaced along the cipher slide, which in this case has the
known regular alphabet along it.
Even in the mixed-alphabet case, once the period is found, letter frequencies and bigram frequencies can be used to read the
message. For a frequent letter, whether only a few letters, or a wide variety of letters, appear before or after that letter helps
to identify whether the letter is a vowel or a consonant, or to determine exactly which letter it is.
When some alphabets are partly reconstructed, if you know that the alphabets have been produced by a slide, even one with
two mixed alphabets, there are certain logical inferences that you may be able to make that will obtain the values of
additional letters. This technique is known as symmetry of position.
Let us suppose that we know that the plaintext letters E and N become, in one alphabet, the ciphertext letters P and Q, and in
another alphabet the ciphertext letters K and V.
Since the distance between the letters E and N on the slide with the scrambled plaintext alphabet does not change, even
though it is unknown, we know from this that the letters P and Q are the same distance apart on the ciphertext slide as the
letters K and V are.
And since one goes from one alphabet generated by a slide to another by moving one of the alphabets a certain distance, one
also knows that the two equivalents for E, the letters P and K on the ciphertext slide, are the same distance apart as Q and V.
Of course, these two facts are really consequences of one another: since P-Q = K-V, then it must also be true that P-K = Q-
V, where P, Q, K, and V are now standing for unknowns in modulo-26 arithmetic.
In any event, if we then find that in a third alphabet, the plaintext letters R and T become the ciphertext letters P and K,
respectively, and if we are fortunate enough to have an alphabet in which R becomes Q, we can then conclude that T will
become V in that alphabet.
Later, when at least two alphabets are almost completely reconstructed, it may be possible to work out what alphabets were
present on the slide that generated them. This can help in continuing the solution, or in reading future messages.
QWERTYUIOPASDFGHJKLZXCVBNM abcdefghijklmnopqrstuvwxyz
BOXWITHFVEDZNLQURJGSPACKMY dkanxlqufrjgymvebwzihcopts
QWERTYUIOPASDFGHJKLZXCVBNM abcdefghijklmnopqrstuvwxyz
OXWITHFVEDZNLQURJGSPACKMYB zmclwqurvjgsbyedointfkxahp
On the left is the way the slide looks, and on the right are the alphabets as they appear to the cryptanalyst, who does not yet
know what alphabets are on the slides. Consecutive alphabets are shown; the method works for any odd shift between
alphabets except 13 (not because it's unlucky, but because it is exactly half of 26, the number of letters in the alphabet); for
an even shift, partial information about the slide is obtained: two separate 13-letter pieces.
The slides can be reconstructed because of the information the alphabets above give about them: D and Z are the equivalents
for A in the two alphabets. So, the distance between D and Z on the bottom slide must be the amount by which the slide must
be moved to get from one alphabet to the other. But that is also true of K and M, the two equivalents for B, and A and C, the
two equivalents for C, and so on.
So, we start with the letter D. The letter Z is our displacement ahead of it: here, it happens that the displacement is one, so
we'll get the exact alphabet on the slide, instead of simply an equivalent alphabet. To move another displacement forward,
we find Z as the equivalent for S in the first alphabet, and N as its equivalent in the second.
a s d f g h j k l z x c v
DZ ZN NL LQ QU UR RJ JG GS SP PA AC CK
b n m q w e r t y u i o p
KM MY YB BO OX XW WI IT TH HF FV VE ED
If the shift were three instead of one, then the alphabets would be subjected to decimation, so that instead of DZNLQ... the
first few letters after D would be in positions D..Z..N..L..Q..., but the slides would still generate the same cipher alphabets,
only after different shifts.
It is particularly because the Kasiski method of attacking the simple keyword form of the Vigenere is so powerful that other
methods, such as key progression and the autokey were originated to avoid it.
The Lanaki Classical Cryptography Course, available at The Crypto Drop Box, notes two other methods sometimes tried.
One is to repeat the letters of one's keyword an increasing number of times, with a period different from the length of the
keyword: thus, the keyword SIAMESE might be repeated with the pattern 12345, so that one's key would begin
SIIAAAMMMMEEEEESEESSSIIIIAAAAAMEESSSEEE...
and an idea suggested by W. F. Friedman is then noted, where instead of using a simple sequence like 12345, one uses the
lengths of the Morse Code symbols for the letters in a keyword to control the pattern of repetitions.
These methods don't make a truly aperiodic cipher the way the autokey does, but like the progressive-key method, they
provide a longer period. However, the presence of stretches of plaintext enciphered with the same keyletter at least seems
like a weakness.
Of course, one could take Friedman's idea, and make it more complicated (and therefore impractical for actual use!) in a
number of ways.
Let us use a Morse Code keyword of BAKER, which is, in dots and dashes,
and use two other keywords, ORANGE and CHOCOLATE, for Vigenere use.
A dot selects a letter from the first keyword, a dash selects a letter from the second keyword. And let both keywords also
experience key progression.
While this will still lead to a sequence with a finite period, the period will be a long one, and will start like this:
ORAN GE PSB O HFQ TCPI GR UDQ J HSV ERKI TW FSL J UXG TMKV YH UNL W ZIV
CHOC OL ATE D IPD PMBU FE JQE Q NCV GFKR FR ODW H GLS GSPE XI HMT H TQF
-... .- --. . .-. -... .- --. . .-. -... .- --. . .-. -... .- --. . .-.
CRAN GL ATB O HPQ PCPI GE JQQ J HCV GRKI TR ODL J ULG GMKV YI HML W ZQV
alternatively, the ends of each letter in the Morse keyword could control key progression for the first keyword, and the end
of each occurence of the whole keyword could control key progression for the second keyword, like this:
ORAN HF QTC Q KIS WFSL KU YHU O NXA KXQO ZC MZS R CFO CVTD HQ EXV G KTG
CHOC OL ATE C HOC PMBU FD IPD P MBU GEJQ EQ NCV G EJQ FROD WH FKR F ROD
-... .- --. . .-. -... .- --. . .-. -... .- --. . .-. -... .- --. . .-.
CRAN HL ATC Q KOS PFSL KD IPU O NBA GXQO ZQ NCS R CJO FVTD HH FKV G KOG
thus making use of more of the information in the Morse keyword, but, since such things are clearly impractical by hand, we
shall instead let such devices as rotor machines and the Hagelin lug and pin machine introduce complicated polyalphabetic
ciphers, as it was with such devices that such ciphers finally became usable.
Cipher disks are harder to make than slides, but they do look prettier. One type of cipher disk I invented independently looks
like this:
This disk was the best of my attempts to devise something which would be easy to use, but involve something more than just
sliding one alphabet against another. My intention was to approach the power of a rotor machine.
Essentially, the wheel is constructed from four disks, one of which has half of its outer portion removed.
On the bottom is a disk with the mixed plaintext alphabet, shown as item 1 in the diagram.
Above it is item 2, a disk with the numbers 1 through 13 repeated twice, against a backround of one color (shown here as
purple).
Then comes item 3, a disk of the same diameter, but with half of its perimeter removed to expose thirteen of the spaces on
the disk below. The half remaining has a background of a color contrasting with that disk (shown here as green), and a
mixed sequence of the numbers 1 through 13.
Finally, there is the smallest disk on the top, item 4, with the mixed cipher alphabet.
How the disks are stacked one on top of the other is illustrated by item 5 in the drawing, a view of the four disks one on top
of the other, but slightly offset to allow the perspective to be visible.
In use, one looks up a letter in the plaintext alphabet, and proceeds to the number in the next inner band. Then, starting from
the same number, against the background of the opposite color, also in that band (but on the other of the two middle disks)
one proceeds to the cipher letter on the innermost circle with the cipher alphabet. This is illustrated by item 6 in the picture.
One idea I had for making this type of device useful, by making it easier to move the disks with each letter enciphered, was
to add to each disk a rim (presumably with 26 notches or bumps around the outside, not shown for simplicity) so that the
four disks could be advanced like thumbwheels.
Versions of the disks using latticework to hold the outside rim in place, while allowing all the letters and numbers in lower
disks to be visible, are shown as items 7, 8, 9, and 10 in the diagram. Item 11 shows an oblique view of the disks stacked,
item 12 a face-on view.
One way to make use of this construction would be to have layers of cardboard between the disks, so that each rim is
individually exposed for a short distance. The 26 possible key letters would be allocated so that seven of them are used to
indicate that the lowest disk is to turn counterclockwise from 1 to 7 spaces, another 7 turn the smallest disk clockwise 1 to 7
spaces, and 6 indicate the disk shown with a purple rim is to turn counterclockwise from 1 to 6 spaces, and 6 indicate the
disk with half its periphery cut away is to turn clockwise from 1 to 6 spaces.
For use with text as a key, the letters would be allocated so that the frequent letters represented odd displacements, and were
distributed evenly among the four disks.
A version of the same device as a slide instead of a disk would look like this:
-----------------------------------------------------
F S H G Y M L Q K X O N E R Z A D I V C U T P W J B
-------------------------
------| 1 1 1 1 |--------------------
|7 4 1 6 3 5 0 1 9 2 3 2 8| 1 1 1 1
3 4 5| |6 7 8 9 0 1 2 3 1 2
------ --------------------
-----------------------------------------------------
X V I D U J C G M E Z A F T W O S H K Y P B R N Q L
-----------------------------------------------------
The Byrne Chaocipher, which was mentioned in David Kahn's The Codebreakers, was subsequently the subject of a
Cryptologia article, which indicated that the principle of this wheel may have been used before in that cipher.
Another device I designed myself in trying to produce a convenient cardboard approximation to a rotor machine is the
following slide:
The slide has a frame with an approximately rectangular pattern of holes, but with two corners clipped. Behind the frame,
there are two slides; one with slots in it that moves vertically, and a solid one that moves horizontally behind it.
The letters on the vertical slide are arranged so that as it moves up or down one position, the letters that become concealed
are rearranged and fill the spaces on the slide that now become visible, like this:
P E H S C A p e h s c a
L V F O K R Z l V F O K R Z
I B Q Y G W N I B Q Y G W N
X T M J D U X T M J D U E
C H L S P A
The same principle applies to the horizontal slide. However, since space is required for the vertical sliding alphabets, and the
spaces between the open rectangles, instead of being filled with merely one set of alphabets, it contains three interlaced
alphabets, which independently change in this way.
9 8 2 7 0 1 6 4 3 5
-------------------
A T O N E S I R
2 B C D F G H J K L M
6 P Q U V W X Y Z . /
could be used to convert letters to digits. Since it takes account of letter frequencies, the conversion is an efficient one.
This type of conversion makes the various types of polyalphabetic encipherment more convenient by hand, since the
Vigenere encryption is now simply addition (on a digit-by-digit basis, ignoring carries).
|0123456789
-+----------
0|0123456789
1|1234567890
2|2345678901
3|3456789012
4|4567890123
5|5678901234
6|6789012345
7|7890123456
8|8901234567
9|9012345678
and, as this is the table for addition modulo 10, it is not surprising that it resembles the table above for addition modulo 26,
or the equivalent Vigenère table.
So, using this conversion from letters to numbers to perform the equivalent of the examples above:
Repeating key:
W ISH Y OU W EREH ERE
603421667626015121151
439251414392514143925
---------------------
032672071918529264076
Progressive key:
W ISH Y OU W EREH ERE
603421667626015121151
439251415403625265147
---------------------
032672072029630386298
Autokey:
W ISH Y OU W EREH ERE
603421667626015121151
439251416034216676260
---------------------
032672073650221797311
so the same methods are as applicable to digits as they are to letters. However, the ease of doing addition on digits as
opposed to letters also means that the equivalent of the use of mixed alphabets is not found often with digits.
As noted in the previous section, Soviet spies using a straddling checkerboard for converting letters to digits have then often
encrypted these digits using a polyalphabetic substitution of the Vigenere type.
However, the attempt was made to use a perfect form of Vigenere encryption. (As the declassified information concerning
VENONA reveals, the attempt wasn't made quite well enough: supposed "one-time pads" were used at least twice on many
separate occasions.)
If, ahead of sending a message, you and your correspondent have arranged to share a key consisting of:
then there is no way to "break" your messages by cryptanalysis. (Of course, the length and timing of messages may still give
information away.)
Why is there no way to break messages in such a case? Because, if the key is random, and if it is never used anywhere else
but with just one message, so there is no other way to get information about that key, then that key could be anything.
So any possible message having the same length as the intercepted message remains possible, because there is no way to
exclude the key that would give rise to any hypothetical message. If the key were not random, but generated by some rule,
then perhaps the key that would transform some possible plaintexts into the ciphertext actually intercepted could not have
been generated by that rule, thereby ruling out those plaintexts. If the key were used another time, then one possible text for
the first message could be ruled out because the other message would not make sense. But without either of these
opportunities, one speculative plaintext is only as good a guess as any other, and no better.
This survey of cryptographic algorithms has not gone very far, still being in its first chapter, and already we have found
perfection. But not only is quite a bit of key required, but more importantly, when that key is used up, no more secure
communications are possible using this method. And since the key is bulky, and impossible to memorize, this is only useful
where the messages are easy to intercept but the key is safe, for example, in communications, but not in protecting files on
your hard disk. Also, it can't complement public-key cryptography, since it doesn't provide a way by which encrypting a
small session key by a slow method with some useful special properties (making it possible to start communicating securely
without any advance secret exchange of a key) can protect a large message.
The one-time pad is perfect, and it is relatively easy to understand why it is impregnable. In general, it is not suitable for
everyday use, since computers make it very easy to carry out conventional encryption with methods of enormous
complexity. Such enormous complexity that there seems to be no rational reason to doubt their security. But just as there is a
tendency in some quarters to advocate the use of methods that aren't quite complex enough (for example, DES with its 56-bit
key, or other block ciphers that are only a step or two better), there is a tendency in other quarters to say that the "experts"
should not be trusted, and only the one-time system, in one of its various forms, is any good.
Incidentally, for the polyalphabetic encryption of a stream of message digits by a stream of key digits, it is not strictly
necessary to use only addition without carries. Just as either addition modulo 10 or addition modulo 26 are equally valid,
depending on whether the message is made up of digits or letters, addition modulo 100,000 is also equally valid. That is, five
message digits could be added to five key digits to produce five cipher digits using normal addition with the propagation of
carries within the five-digit group.
The one carry, though, that must be discarded is the one out of the five digits, if it is not propagated to the preceding five-
digit group. Sending the sum of 53478 and 88412 as 141890 instead of 41890 is a serious mistake, as it proves that both the
plain and key groups at that position must be larger than 41889, as neither of those five-digit groups can be larger than 99999.
One method of polyalphabetic encipherment that suffered from this error is any cipher of the Nihilist type.
A five-by-five square like that illustrated below was used to convert both a message and a key (repeatedly used, as in Porta's
cipher commonly known as the Vigenère) into a stream of digits:
1 P Z R M T
2 Y A V F I
3 O H K W N
4 G D X B U
5 S J C E L
1 2 3 4 5
However, when the stream of key digits was added to the stream of cipher digits, instead of using a modified modulo-5
tableau such as:
| 1 2 3 4 5
-------------
1 | 2 3 4 5 1
2 | 3 4 5 1 2
3 | 4 5 1 2 3
4 | 5 1 2 3 4
5 | 1 2 3 4 5
the digits were simply added by normal decimal addition without carries. Hence, while each digit which was added belonged
to a family of only five digits, the sum as transmitted could have any of nine values, (a sum of 1 could not occur) and only
one of those values, the digit 6, did not place some constraint on both the key digit and the message digit, as can be seen
from the table of that operation:
| 1 2 3 4 5
-------------
1 | 2 3 4 5 6
2 | 3 4 5 6 7
3 | 4 5 6 7 8
4 | 5 6 7 8 9
5 | 6 7 8 9 0
The actual Nihilist cipher, as described in Gaines, was even worse than this: the letters in the checkerboard square were in
their normal order, and the addition was performed with carries, to the extent that messages were sent in two-digit groups,
and three digit sums (such as 45 + 55, or 52 + 51) were sent in three digit form, preserving the carry out of the group.
However, the Russian language, before the Russian Revolution, had a thirty-six letter alphabet, and the use of a full 6 by 6
square would have improved things slightly.
Since the most natural way to apply a stream of key letters to a stream of plaintext letters is the Vigenère, and the most
natural way to apply a stream of key digits to a stream of plaintext digits is modulo-10 addition, when applying a stream of
key bits to a stream of plaintext bits, the very simple operation of modulo-2 addition, or exclusive-OR (XOR) is often used,
with the very short table:
| 0 1
-------
0 | 0 1
1 | 1 0
| 0 1 2 3 4 5 6 7 | 0 1 2 3 4 5 6 7
------------------- -------------------
0 | 0 1 2 3 4 5 6 7 0 | 0 1 2 3 4 5 6 7
1 | 1 2 3 4 5 6 7 0 1 | 1 0 3 2 5 4 7 6
2 | 2 3 4 5 6 7 0 1 2 | 2 3 0 1 6 7 4 5
3 | 3 4 5 6 7 0 1 2 3 | 3 2 1 0 7 6 5 4
4 | 4 5 6 7 0 1 2 3 4 | 4 5 6 7 0 1 2 3
5 | 5 6 7 0 1 2 3 4 5 | 5 4 7 6 1 0 3 2
6 | 6 7 0 1 2 3 4 5 6 | 6 7 4 5 2 3 0 1
7 | 7 0 1 2 3 4 5 6 7 | 7 6 5 4 3 2 1 0
the first for modulo-8 addition, and the second for an independent exclusive-OR of each of the three bits of an octal digit,
shows how these two operations differ in their algebraic structure; thus, some modern computer ciphers alternate between
XOR and addition modulo 256 or modulo 65,536 within a complicated sequence of operations to make the cryptanalyst's
path a more tangled one.
| 0 1 2 3 4 5 6 7 | 0 1 2 3 4 5 6 7
------------------- -------------------
0 | 0 1 2 3 4 5 6 7 0 | 0 1 2 3 4 5 6 7
1 | 1 2 3 0 5 6 7 4 1 | 1 2 0 4 5 6 7 3
2 | 2 3 0 1 6 7 4 5 2 | 2 0 1 5 6 7 3 4
3 | 3 0 1 2 7 4 5 6 3 | 3 4 5 6 7 0 1 2
4 | 4 5 6 7 0 1 2 3 4 | 4 5 6 7 1 3 2 0
5 | 5 6 7 4 1 2 3 0 5 | 5 6 7 2 3 4 0 1
6 | 6 7 4 5 2 3 0 1 6 | 6 7 3 0 2 1 4 5
7 | 7 4 5 6 3 0 1 2 7 | 7 3 4 1 0 2 5 6
illustrate two ways of obtaining tables that are different algebraically from either of the previous two. The first is a table of
the operation of adding the last two bits of a three-bit octal digit with modulo-4 addition, and XORing the first bit
independently. The second results from deliberately constructing a table which must be algebraically distinct from anything
like this, by beginning with a subtable for modulo-3 addition, which could not occur in a table built from exclusive-OR and
addition modulo a power of two, and then using displacements of the other five digits in the shadow of that subtable. Finally,
the remaining five by five square is filled; at first, some diagonals are filled systematically, and then the rest is filled through
trial and error, with some backtracking.
Next
Chapter Start
Table of Contents
Main page
Home page
[Next] [Up] [Previous] [Index]
Code Books
Before it became possible to build complex electrical and mechanical cipher machines,
cipher systems requiring many complex manipulations would have been impractical
and error prone.
A code book, with its long list of equivalents for thousands of words and phrases, as
opposed to the 26 letters of the alphabet, offers a degree of security without requiring a
large number of operations for each word encoded.
Codes have also been used for sending messages by telegraph at lower prices, by
representing common phrases used in business with single codegroups. Such
codebooks are arranged so that both the codegroups and their meanings are in easy-to-
find alphabetical order. A codebook arranged this way is called a one-part code.
Most (but not all) secret codebooks are called two-part codes; the codegroups are
assigned in a random order to the words encoded, and there is both an encoding
section, with the words in alphabetical order, and a decoding section, with the
codegroups in alphabetical (or numerical) order.
Thus, the decoding section of a codebook might look like this imaginary example that I
also used as the background to this page:
EZNLJ Shanghai
EZNKL OUGH
EZNLM 270 degrees
EZNMN Ship may not be
EZNNO Docking facilities
EZNOP Diesel fuel
EZNRS France
EZNST Repair-s-ed-ing
EZNTU Ship has
EZNUV Cancun
EZNVW 43 degrees
EZNYZ 500
EZNZA 23 knots
EZOAA Maintenance urgently required
EZOBB Perth
EZOCC 15 metres
EZODD Captain will be
EZOEE 23 3/4
The rationale behind the sequence of 5-letter groups shown is explained in the section
on Error-Correcting Codes.
Some codebooks assign both numeric codegroups and alphabetic codegroups to words;
the alphabetic codegroups are easier to actually transmit by Morse code, but the
numerical codegroups are easier to manipulate.
To increase security, secret codebooks often included nulls, that is, codegroups which
were to be ignored upon decipherment. Also, many codebooks included more than one
substitute for the most common words or phrases.
David Kahn's book The Codebreakers is illustrated with actual pages from once-secret
codebooks, such as the British and Allied Merchant Ship code, and the Hudson code of
the American Expeditionary Force.
Another codebook illustrated was Cypher SA, the codebook of the British Navy in the
last months of World War I. Another illustration of a different part of this codebook
also appeared in David Kahn's article in the July 1966 issue of Scientific American.
This codebook was perhaps unique, in that it used a stripped-down form of the autokey
principle.
It used a considerable number of nulls, and every message had to start with a null,
because many of the most common words and phrases in the code could not begin a
message.
Each five-digit codegroup in the code was followed by one of the three letters A, B, or
C. Many of the more common words and phrases had three different substitutes,
preceded by A, B, and C in order, and the one to be used was determined by which
letter had followed the previous codegroup.
Since what we have is essentially three different codes, A, B, and C, although these
codes are the same in part, determined for each group by the codegroup enciphered
before, Cypher SA is properly classed as a form of autokey.
With many codes, a form of polyalphabetic substitution is used. In addition to the two-
part codebook, with numerical equivalents for the words or phrases to be sent, a second
book, filled with random numbers, is required. This second book's contents are called
the additive. A random starting point in the book is chosen for each message, and that
starting point is sent at the beginning of the message. Then, the numbers in the book
are added to the codegroups from the codebook before transmission. Always, carries
past the start of a codegroup are discarded; almost always, all carries are ignored, the
individual digits being added in isolation. This is the decimal equivalent of doing an
XOR instead of addition.
When a long running key is used for Vigenere encryption, but that key is re-used,
Kerchoffs superimposition can be used to align different messages encrypted with the
same key. The messages are slid against each other, and positions that provide a high
number of coincidences, particularly those involving groups of consecutive characters,
are chosen.
For breaking codes used with additives, Kerchoffs superimposition is usually used in a
more sensitive form, as improved by W. F. Friedman. The kappa test compares the
proportion of coincidences that would be found, in the Vigenere case, between two
sequences of random letters, which would be exactly 1/26, and between two normal
plain-language texts. That is higher, because the letters are not all equal in frequency.
That figure equals the sum of the squares of the probabilities of all the plaintext
symbols; the chance of an A in the first message times the chance of an A in the second
message, plus the chance of a B in the first message times the chance of a B in the
second, and so on. The same applies to two strings of random groups of five digits,
which would have one group in 100,000 matching by chance, and two coded messages
without an additive applied. If two messages are aligned so that their additives
coincide, as far as coincidences between them at that position are concerned, it is as if
no additive was applied.
The following illustates why the random kappa is always smaller than the plaintext
kappa:
--------------------- ----------------------
|----| | |---------| |
|----| | |---------| |
|---------- | |---------| |
| |----| | |---------| |
| |----| | |--------------- |
| ----------- | | |----| |
| |----| | | |----| |
| |----| | | --------- |
| ----------| | |--| |
| |----| | ------|
| |----| | |--|
--------------------- ----------------------
The square of a number gains size from both of its factors, so taking size from a
smaller number squared and giving it to a larger one causes that size to be placed more
advantageously; therefore making all the numbers equal minimizes the sum of the
squares.
Next
Skip to Next Chapter
Table of Contents
Home page
[Next] [Up] [Previous] [Index]
This has been an inspiration to both myself and others; for example, Paul Crowley has
developed another cipher using playing cards called Mirdek.
Step 1: From the prepared deck (the order of the cards in it is the key), turn up, and
deal out face up in a row, successive cards until the total of the cards (A=1, J=11,
Q=12, K=13) is 8 or more.
Step 2: If the last card dealt out in Step 1 is a J, Q, or K, take its value, otherwise take
the total of the values of the cards dealt out in Step 1. (This gives a number from 8 to
17.) In the next row, deal out that many cards from the top of the deck.
Step 3: Deal out the rest of the deck under that row, in successive rows that begin on
the left, and end under the lowest card in the top row, the next lowest card in the top
row, and so on, in rotation. A red card is lower than a black card of the same
denomination, and when there are two cards of the same color and denomination, the
first one in the row is considered lower.
These first three steps may lead to a layout which looks like this:
7S QH
3D 6S 3C 2D QD 4S 8S JS JD 10H QC 8H
5H AC 6D KS
10C
QS 9D 5D
2H 3S KD JH 2S 9C
9H 6H
8C 2C 7H JC 4C 8D 3H KC 7D 6C AH 4H
5C 10D 10S 7C 9S KH 4D
AD 5S AS
Step 4: Take the cards dealt out in Step 3, and pick them up by columns, starting with
those under the lowest card in the row dealt out in Step 2. The top card in the column is
to be on the bottom of a pile of face up cards, and the first column picked up is to be on
the bottom of the re-assembled deck.
Step 5: Place the cards dealt out in Step 2 (the last one on the bottom) in face-up form
on top of the re-assembled deck, and then the cards dealt out in Step 1, again, the last
one on the bottom of a face up pile put on top of the re-assembled deck.
Step 6: Turn the deck of cards over to face-down position to repeat Step 1.
Thus, these steps would cause the following new order of the deck to result from the
layout above:
KS JH JC 7C 5H 10C QS 2H 9H 8C 5C AD 6D
5D KD 7H 10S AS 9C 8D KH AC 9D 3S 6H 2C
10D 5S 4H 3H 4D 6C 7D KC 2S 4C 9S AH 8H
QC 10H JD JS 8S 4S QD 2D 3C 6S 3D QH 7S
And the cards that were at the beginning of the deck, and thus controlled the
transposition, are now at the end of the deck, and will be subject to the next
transposition instead of controlling it.
Looking at the cards from the top of the deck, ignore all J, Q, and K cards; take the first
other card, from A to 10, and count down that many cards to find a card from A to 10.
Do the same from the bottom of the deck. The last digit of the sum of the values of
those two cards is the keystream digit.
Applying this to the scrambled deck obtained above (which is cheating a bit, since in
practice the transposition has to be done three times), it works this way:
KS JH JC 7C 5H 10C QS 2H 9H 8C 5C AD 6D
(7) 1 2 3 4 5 6 7*
5D KD 7H 10S AS 9C 8D KH AC 9D 3S 6H 2C
10D 5S 4H 3H 4D 6C 7D KC 2S 4C 9S AH 8H
QC 10H JD JS 8S 4S QD 2D 3C 6S 3D QH 7S
7* 6 5 4 3 2 1 (7)
the two selected cards are the ace of diamonds and the ten of hearts, so the keystream
digit is a 1.
This way, people don't have to memorize a bridge ordering of the suits, and they use a
straddling checkerboard to allow false addition to apply the key, instead of trying to do
Vigenere or modulo-26 arithmetic in their heads.
By limiting the mental arithmetic required, I'm trying to make my method simpler.
However, the way in which the cards are rearranged is more complex; the cards are
dealt out in a layout, not merely manipulated in a straight line, and thus the result looks
somewhat more like a game of solitare. In the novel, the cipher Solitare was based on a
computer stream cipher; my method for using playing cards is instead based on an old
pencil-and-paper cipher.
The method of transposition used is the one given by General Luigi Sacco, that breaks
up a block into uneven units, and which perhaps has some advantages over ordinary
columnar transposition.
Of course, some of the rules used mean that there are biases in the transposition; if
every card had a distinct value, the order of the columns would be slightly more
random, and the rule intended to limit the row size to 17 instead of 21 makes 11, 12,
and 13 more likely row lengths. Note that Step 4 is set up to make the scrambling
invertible, so I did accept some good advice from Bruce Schneier's Solitare. The well-
known reason for this is noted elsewhere on this site: a non-invertible transformation
risks shrinking the state space of the thing transformed. That is: the fact that the
transformation is invertible is no guarantee of a long or maximal period. But if every
possible ordering of the deck is possible at the start, then every possible ordering of the
deck remains possible after 20, 30, or 2000 iterations of an invertible transformation. If
two orderings of the deck both transformed to the same ordering of the deck, then the
transformation would not be invertible. On the other hand, with a non-invertible
transformation, the number of possible orderings can continue to shrink as the
transformation is repeated.
Divide the keyphrase into parts that are eight or more letters in length as follows: first,
use all the words that are eight or more letters long in the phrase, then, go through the
phrase, and, using only the shorter words, take as many words as needed at a time to
reach eight or more letters. When the last part is formed, and there are less than eight
unused letters in the key phrase, include them in the last part.
Then, take these parts of the keyphrase, and use them in pairs.
First, for each part, imagine the word as standing above the columns of cards, and then
perform Step 3 and Step 4 of the normal cycle, but on the entire deck.
Example:
Phrase: THE QUICK BROWN FOX JUMPED OVER THE LAZY DOG
THEQUICK
BROWNFOX
JUMPEDOVER
THELAZYDOG
So, the first two parts lead to the deck being scrambled as follows:
T H E Q U I C K
7 4 2 6 8 3 1 5
AS 2S 3S 4S 5S 6S 7S
8S 9S 10S
JS QS KS AH 2H 3H
4H 5H
6H 7H 8H 9H 10H JH QH KH
AD 2D 3D 4D
5D
6D 7D 8D 9D 10D
JD QD KD AC 2C 3C 4C
5C 6C 7C
8C 9C 10C JC QC KC
Since the first card of a column is placed on the bottom when the cards are face up, and
the first column picked up is at the bottom of the cards when they are face up, they will
be on the top when the deck is in normal face-down order, and so this step leads to the
cards being in the order:
7S QH 4C 3S 10S KS 8H 3D 8D KD 7C 10C 6S
3H JH 3C KC 2S 9S QS 5H 7H 2D 7D QD 6C
9C KH 4S AH 9H 4D 9D AC JC AS 8S JS 4H
6H AD 5D 6D JD 5C 8C 5S 2H 10H 10D 2C QC
Now, the deck is then laid out like this for the second part:
B R O W N F O X
1 6 4 7 3 2 5 8
7S
QH 4C 3S 10S KS 8H
3D 8D KD 7C 10C
6S 3H JH
3C KC 2S 9S QS 5H 7H
2D 7D
QD 6C 9C KH
4S AH 9H 4D 9D AC JC AS
8S
JS 4H 6H AD 5D 6D
JD 5C 8C 5S 2H
10H 10D 2C
QC
7S QH 3D 6S 3C 2D QD 4S 8S JS JD 10H QC
8H 5H AC 6D KS 10C QS 9D 5D 2H 3S KD JH
2S 9C 9H 6H 8C 2C 7H JC 4C 8D 3H KC 7D
6C AH 4H 5C 10D 10S 7C 9S KH 4D AD 5S AS
Then, each of the two parts is used to scramble half of the deck again; the
transpositions above depended on the order of letters in each part, but this step will
instead depend on which letters are present.
Go through the alphabet, from A through Z, as you take cards from the top of the deck.
When you reach a letter that is part of the current part of the keyphrase, that card
completes the current pile you are making. The next card starts a new pile. Z always
completes the last pile, even if it is not present.
Then put the piles back together, but in the reverse order in which they were obtained.
Thus, the first part, THEQUICK, divides the first half of the deck like this:
A B C
7S QH 3D
D E
6S 3C
F G H I
2D QD 4S 8S
J K
JS KD
L M N O P Q
10H QC 8H 5H AC 6D
R S T
KS 10C QS
U
9D
V W X Y Z
5D 2H 3S KD JH
5D 2H 3S KD JH 9D KS 10C QS 10H QC 8H 5H
AC 6D JS KD 2D QD 4S 8S 6S 3C 7S QH 3D
Then, the second half, BROWNFOX, is applied to the second half of the deck.
When there is an odd part of the key phrase, then the deck is transposed with that part,
and only its first half is mixed again.
Once the entire keyphrase is applied to the deck of cards, the deck is then subjected to a
non-invertible triple cut, as follows:
From each end of the deck, a card with a value from A to 10 is located, by the
procedure used to find the keystream numbers in normal encipherment. Then, starting
from the top of the deck when it is face down, which we will assume is placed on the
left, additional cards are counted from that card according to its value: one more card if
it is an ace, two more if it is a deuce, and so on, but this time, face cards are not ignored.
The procedure is repeated from the other keystream card, again counting inwards. If
cards are left, these stay in the middle, and those from the bottom of the deck to the end
of the count are placed on the left-hand side.
Using the previous example of obtaining a keystream digit to illustrate how this works:
KS JH JC AH 5H 10C QS 2H 9H 8C//KC AD 6D
(1) 1* 1 2 3 4 5
5D KD 7H 6C AS 9C 8D 5C AC 9D 3S 6H 2C
7D 5S 3H 10D 4D 9S 10S//2S 4C 4H KH 7C 8H
7 6 5 4 3 2
QC 10H JD JS 8S 4S QD 2D 3C 6S 3D QH 7S
1 7* 6 5 4 3 2 1 (7)
the pairs of slashes indicate the points at which the deck will be cut, ending up in the
order 2S...7S, KC...10S, KS...8C from the order above.
Finally, the cards are laid out according to the word spacing of the keyphrase:
T H E
2S 4C 4H
Q U I C K
KH 7C 8H QC 10H
B R O W N
JD JS 8S 4S QD
F O X
2D 3C 6S
J U M P E D
3D QH 7S KC AD 6D
O V E R
5D KD 7H 6C
T H E
AS 9C 8D
L A Z Y
5C AC 9D 3S
D O G
6H 2C 7D
T H E
5S 3H 10D
Q U I C K
4D 9S 10S KS JH
B R O W N
JC AH 5H 10C QS
F O X
2H 9H 8C
repeated until the deck is all laid out, and then they are picked up in face up form with
the last column, and its top card, on the bottom.
In the example, that leads to the cards ending up in this order when turned face down:
6D 10H QD AD JH QS QC 4S KC 6C 3S KS 10C
4H 8H 8S 6S 7S 7H 8D 9D 7D 10D 10S 5H 8C
4C 7C JS 3C QH KD 9C AC 2C 3H 9S AH 9H
2S KH JD 2D 3D 5D AS 5C 6H 5S 4D JC 2H
Next
Table of Contents
Main page
[Next] [Up] [Previous] [Index]
Its treatment of them has been brief, almost to the point of being perfunctory.
Encyclopedia articles and inexpensive books cover this territory fairly well. The more
recent methods of encryption are covered in more specialized publications; that, and a
fascination with their intricacies, has led me to cover them in more detail.
Because most methods of substitution require some sort of chart or table (the Gronsfeld
was specifically designed to avoid this problem), or a slide or disk for polyalphabetics,
transposition ciphers were quite popular with armies as field ciphers.
During World War I, for a short time Germany used Vigenere encipherment with key
ABC (and, later, with key ABCD - but only for deceptive transmissions and not
important messages) followed by a simple columnar transposition.
For puzzle-solving purposes, the "Nicodemus" cipher breaks a message into complete
rectangular blocks, which are transposed by exactly the same keyword as was
previously used to encipher them in Vigenere. Thus, the enciphered message consists
of groups of plaintext letters encrypted in Vigenere with the same key, which can, of
course, be exploited by the cryptanalyst.
Claude Shannon, the father of information theory, who also contributed to the theory of
chess-playing computers, wrote a paper in The Bell System Technical Journal the title
of which was The Communications Theory of Secrecy Systems in which he noted that
the two basic elements of a cipher system are confusion and diffusion.
This has influenced the design of some cipher systems. A preliminary sketch of the
design of IBM's LUCIFER block cipher, appearing in Scientific American embodied
these elements in almost a pure form. (The actual LUCIFER cipher as implemented
was quite different, although it also embodied those elements, but in a less
straightforward way.)
Generally, confusion is understood as substitution, and diffusion is understood as
transposition.
These terms are, however, general and inclusive. Based on the specific methods of
attaining security found in the actual pencil-and-paper systems we've met so far, I feel
it is warranted to take the dangerous step of moving to a more specific and concrete
division of the operations within a cipher system.
The danger is that it could limit the imagination of cipher designers by being more
concrete. But since the terms 'confusion' and 'diffusion' are tending to be identified with
the simplest forms of substitution and transposition, it seems to me that more detail
might instead stimulate cipher designers to consider more options.
Confusion
replacing symbols by other symbols.
Diffusion
moving of plaintext symbols to other positions within the ciphertext.
Convolution
the achievement of diffusion by means of confusion; the effect of performing
diffusion on a finer scale than confusion. This refers to what happens in
polygraphic and fractionation systems.
Alternation
changing, from one portion of the ciphertext to the next, of the rules for
confusion and/or diffusion.
Indirection
placing elements in a cipher 'behind' other elements so that their effects are
harder to analyze.
With this division, more of the methods actually used suggest themselves. Also, a
measure of quality can perhaps be noted. For confusion and diffusion, bigger seems to
be better. For alternation, the complexity of the scheme of alternation, its
unpredictability, is the measure of quality.
Associated with these goals are specific means, such as substitution for confusion.
If we view a message as an array of symbols, where P(n) is the n-th element of the
plaintext message P, and C is the ciphertext message, one can illustrate the various
techniques by formulas.
Substitution (Confusion)
Transforming a message by replacing the values of its elements according to
some rule; for example, C(i)=S(P(i)) over all i in the message, where S is a
substitution table indexed over the elements of the alphabet used.
Transposition (Diffusion)
Transforming a message by placing its elements in different locations within the
message; for example, C(T(i))=P(i) over all i in the message, where T is a
transposition table indexed over all the character positions in the message.
Fractionation (Convolution)
Transforming a message from being expressed in a number of symbols of one
alphabet to a different number of symbols in an alphabet of a different size,
combined with transpositions and substitutions on those alphabets. Such a
transformation might have a form such as C(i/2) = S(P(i)*N+P(i-1)) where i
starts as 2 and goes over all the even-numbered characters of the original
message, and N is the number of characters in the original alphabet. Its inverse
would be P(2i) = SL(C(i)) and P(2i-1) = SR(C(i)), where SL and SR are
substitutions such that mapping the characters c of the original alphabet to pairs
( SL(c), SR(c) ) is bijective; that is, different inputs become different outputs in
both directions. This is most useful when substitutions are applied to the
message with the larger alphabet size and fewer characters, and transpositions
are applied to the message with the smaller alphabet size and more characters.
Polyalphabeticity (Variation)
Applying a different substitution rule to different characters of the message.
Thus, C(i)=S(P(i),i) where the output of the substitution is a function of the
character's position in the message as well as the particular character.
Indirection involves preparing things like substitution tables in ways that are ciphers in
their own right; hence, it isn't found very much in simple paper-and-pencil ciphers,
where the amount of work to be done must be kept limited. The methods used for
forming substitution alphabets from a keyword by means of a transposition block, such
as the Ohaver method, noted previously, involve indirection in a sense, but only once
during a message. So there is no basic pencil-and-paper technique which is an effective
example of indirection. However, later on we will see the rotor machine SIGABA,
which may be considered the classic illustration of indirection.
[Next] [Up] [Previous] [Index]
Next
Table of Contents
Main page
[Next] [Up/Previous] [Index]
Next Section
Chapter Start
Skip to Next Chapter
Table of Contents
Home Page
[Next] [Up/Previous] [Index]
About 20 or 30 disks, each with a different scrambled alphabet on the edge, and with a
hole in the centre so they can all be stacked on a common axle, make up the device. The
disks can be numbered on one side, and the order in which they are stacked can be used
as a key that can easily be changed.
To encipher a message, rotate the disks so that its letters line up in one row, and take the
letters in any other row as the encrypted message. Decipherment is possible, because it is
easy to pick out one row of plaintext among 24 others of gibberish that are possible.
This is quite a secure cipher device, especially considering that it doesn't involve a lot of
fancy technology. Since every letter in a block is displaced through a different alphabet,
and every block has a different displacement, it is even possible to mistakenly assume
that it is unbreakable.
However, it isn't unbreakable. Like the Enigma, which we will meet later, no letter can
represent itself. This allows probable plaintext to be positioned against intercepted
messages.
The main attack against this type of cipher is the de Viaris method. If the alphabets on
the cylinder are poorly chosen, it may be that the fifth letter clockwise from E, for
example, can never be some letters, and is one particular letter several times. Thus, an
opponent who has a copy of the cylinder itself and some plaintext may be able to
identify the displacement for a block - and, with that, then determine the order of the
disks.
The alphabets on the M-94, a version of the Bazeries cylinder made from aluminum, and
used by the U.S. during the Second World War, were chosen to be part of a Latin square
to be more resistant to a de Viaris attack. A Latin square is an N by N square containing
the numbers from 1 to N, each N times, so that no number occurs twice in either the
same row or the same column. For example,
1 2 3 4 5
3 1 4 5 2
2 5 1 3 4
5 4 2 1 3
4 3 5 2 1
1 2 3 4 5
2 3 4 5 1
3 4 5 1 2
4 5 1 2 3
5 1 2 3 4
is also a Latin square, and is obviously not a good type of sequence for a cylinder cipher,
as every cylinder has the same alphabet, only shifted by one, there is more to choosing a
good set of alphabets for a cylinder than simply using a Latin square.
Ideally, if one were using 25 cylinders for a 26-character alphabet, one would like a
sequence such that, if one aligns any one letter to form a solid row of that letter, then the
remaining 25 letters on the 25 cylinders are, in each case, a Latin square. Then, for each
displacement, and each letter, all substitutes would be equally possible. I do not know
whether or not it is possible to fulfill this condition.
Even when the de Viaris attack is not possible, cylinder ciphers can be broken. During
World War II, the U.S. used an improved version of the cylinder cipher. Strips instead of
disks were used (which, of course, makes no difference in itself), and there were 100 of
them to choose from. The cipher procedure involved choosing 30 strips, but breaking up
the message into blocks of only 15 letters long.
Despite all this, and the fact that they did not have a captured specimen of the device to
work with, cryptanalysts in Nazi Germany were able to break messages enciphered with
the M-138-A.
If one does not have a copy of the device, and in any case the strips or disks used have
been made resistant to the de Viaris attack, it is still possible to attack a Bazeries cylinder
if one has several hundred messages, all sent with the same key.
Using the kappa test (the fact that two unrelated plaintexts will have more identical
characters in corresponding positions than two sequences of random letters, which will
have one coincidence for every 26 letters), one can group together messages with the
same displacement from the row with the plaintext message.
Once this is done, and if one had enough messages to work with, frequency counts can
be used for each position.
After the war, a further improvement was made to the strip cipher. In addition to a daily
order for the strips, keylists also gave a table with a column number (or a blank) under
each of the 26 letters. A random set of five letters was chosen for each message; the
column numbers in the frame corresponding to these letters were not used to encipher
that message. These were called "Channel Elimination Numbers", and the numbers
where the numbers of positions in the frame, not strips. (Since which strip went in which
column was also part of the same daily key, this was important operationally - for ease of
sending different messages, each with its own indicator, during the one day, not
cryptographically.)
As this essentially varied the key for every message, it prevented the statistical attack
outlined above.
The Bazeries cylinder relies on the input plaintext being plaintext, with some
redundancy, so that it can be found. Of course, if one allows expanding the text with an
extra letter, or using a pre-arranged scheme to pick the ciphertext row, variations of the
cipher method can be designed without this limitation, and therefore useful for the
subsequent encipherment of ciphertext.
The following diagram, showing a different kind of strip used for this type of
encipherment:
retains the limitation, while reducing it somewhat. The plaintext SEND MONEY is
being enciphered to the numerical ciphertext 345589628759, and its redundancy is being
reduced in the process by the same amount as a straddling checkerboard would do so.
The principle involved is that a plaintext letter, if found on the right side of the strip, is
represented by that single strip; otherwise, two strips, the first with the symbol > or >>
on the right-hand side, and the second with the plaintext letter in the first, or second,
column on the left-hand side are aligned to represent that letter.
Such a method, though, is only practical if, at least with practice, the row containing
plaintext "leaps out" at the eye of the decipherer.
In the diagram above, the first row contains the nonsense string OGOSRIERH, while the
second one contains the desired plaintext SENDMONEY, and the third contains
YORNEPCF, but that does seem to take some effort to see.
Next
Chapter Start
Skip to Next Section
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]
An earlier model used a fixed gear, which caused the following movements, in order:
7 6 7 5 6 7 6 8 6 10 5 6 5 7 6 5 9
Next
Chapter Start
Skip to Next Section
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]
2x + y = a
x - y = b
and you want to find out what x and y are in terms of a and b.
That last step may seem trivial, but it is included for completeness.
You can make a chart to save you copying the letters x, y, a, and b every time you
perform a step:
x y a b
-------------
2 1 | 1 0
1 -1 | 0 1
and the rows of this chart can be treated like the equations were. In this case, one might
proceed as follows:
x y a b
-------------
2 1 | 1 0 2x + y = a
1 -1 | 0 1 x - y = b
3 0 | 1 1 3x = a + b
1 -1 | 0 1 x - y = b
3 0 | 1 1 3x = a + b
-3 3 | 0 -3 -3x + 3y = -3b
3 0 | 1 1 3x = a + b
0 3 | 1 -2 3y = a - 2b
Of course, the last step of multiplying each row by 1/3rd (or, equivalently, dividing
each row by 3) is still to be taken. I've avoided it here, to omit dealing with fractions.
If one works with numbers in modular arithmetic, particularly if the modulus is not a
prime number, the rules change slightly.
If you add or subtract a multiple of one of the equations from another, you can still use
any multiple, since a multiple of zero is the same as doing nothing, and so since that
does not destroy information, neither will using a number that is not relatively prime to
the modulus.
When multiplying a single row by a number, however, you cannot use a number unless
it is relatively prime to the modulus. The Hill Cipher deals with modulo-26 arithmetic,
and so in addition to zero, 13 and all the even numbers are disallowed for this
manipulation.
Enciphering in the Hill Cipher is the same as finding a and b given x and y, where x
and y are numbers from 0 to 25 substituted for two letters of a digraph being
enciphered, and deciphering is solving for x and y given a and b.
Note that not all systems of linear equations can be solved, and you must choose one
that has an inverse. One way to do this is by performing the manipulations allowed for
finding an inverse on a square with zeroes everywhere except along the diagonal, since
this will always result in a square that can be brought to that form by these same
manipulations.
Also, the square formed by the coefficients of this kind of equation is called a matrix.
The act of finding a and b for x and y, using the original form of the equations which
directly give a and b as functions of x and y, thought of as an operation using the
square of numbers we began with in the x and y columns (called a matrix) is called
multiplying the vector (x,y) by the matrix to get the vector (a,b). The square
representing x, y, and z or a, b, and c on one side of a set of equations, with a 1 at the
start of the first row, in the second place in the second row, and so on, with zeroes
everywhere else, is called the identity matrix, since if a=x, b=y, c=z, then finding a, b,
and c for x, y, and z gives you the same numbers.
The linearity in the Hill cipher is its weak point. So a scrambled alphabet for
converting letters to numbers needs to be used, and it is important to remember that
that scrambled alphabet is a very important part of the key.
Next
Chapter Start
Skip to Next Section
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]
A rotor which had 26 contacts in a circle on one side, and a spindle with 26 contact
strips on the other side, is always sure, when it moves, to take each letter to a different
substitute. Such a rotor is called a half-rotor, and the Hagelin B-211, which we will
meet later, uses such rotors as well.
The Japanese cipher machine which was codenamed RED by American codebreakers
behaved as if it consisted of two half-rotors, one with 20 contacts for 20 consonants,
and one with 6 contacts for 6 vowels, counting Y as a vowel. This property allowed
encrypted text to be pronounceable, thus allowing use of the commercial telegraph
system.
This division of the alphabet was perpetuated in the PURPLE machine, which was a
weakness of that machine, although it at least had a plugboard so that the six letters
handled by themselves could be any six letters.
Also, while American codebreakers built their own RED work-alikes that really did
have two half-rotors, the actual machine used by the Japanese had only one half-rotor;
the spindle had all 26 strips, and the wheel face had two sets of 60 contacts, one wired
with the same scramble of 20 characters repeatedly, and the other wired with the same
scramble of the other 6 characters repeatedly.
The 60-contact wheel usually moved one step for each character enciphered, but not
always. Its motion was controlled by a 47-position gear or pinwheel. Only eleven of the
teeth could be disabled, including four adjacent pairs of teeth.
When an enabled tooth is active, the rotor advances one position for the letter currently
enciphered.
When a disabled tooth is encountered, the rotor also advances one position, but the 47-
position gear continues to advance for the current letter. Thus, occasionally the rotor
will move two or even three positions when a letter is enciphered, but it will always
move exactly 47 positions for each cycle of the 47-position gear. That cycle will take
less than 47 letters, one less for every disabled tooth.
[Next] [Up] [Previous] [Index]
Next
Chapter Start
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]
Reihenschieber
This device really belongs among the paper-and-pencil systems. But it is placed here in consideration of the fact
that, briefly, from 1958 to 1960, it was considered adequate to safeguard even top secret material.
The Reihenschieber resembled a slide rule in shape. Ten square sticks, taken from a set of 26, were placed in it, and
a grille slid along the device.
The 26 sticks that came with the device were each labelled with a letter of the alphabet. Which ten sticks to use in
the device was determined by the daily key, a sequence of ten different letters. Each stick had ten dimples on each
of its four sides, which allowed it to be placed between the Reihenschieber's rails in ten positions. These were
determined by another daily key, this time of ten digits. The ten digits (with the last one repeated to make an
eleventh digit) were used to encipher a five letter area indicator, which was sent with the message, repeated twice
using the same method that the digits the Reihenscheiber generates are used to encipher messages: each digit
indicates the column in a table containing the enciphering alphabet, and in addition the following digit, depending
on whether it is low (0-4) or high (5-9), selects one of two tables.
The sticks were printed with random sequences of digits, interspersed with the odd dot. The dots were ignored when
encountered, being present to make the sequence of digits produced by the device irregular. To the left of these
digits, there was an expanse with some letters and blank spaces; this expanse contained each of the 26 letters once
in an area 10 characters long on the four sides of the stick. The ten letters, generated from the ten digit key called
the "message key", were placed in a line, and thus these 10 letters specified both the horizontal placement and the
side which was to be uppermost, for each stick.
A frame that held grilles on the front and back (the strips were also printed with digits on the back) slid along the
device like the cursor on a slide rule. With each month's supply of key material, three sets of grilles were supplied,
each for use for a period of 10 or 11 days. As the strips ran along the device, going from left to right, the numbers
the device produced were those read out from the grille vertically, first from top to bottom, and then from the
leftmost column to the rightmost column. After reading out the digits shown at one slide position, the slide was
flipped over to read the numbers showing on the back as well before the slide was advanced along the ruler for the
next group of numbers. The grilles had 10 columns; the article which is my source claims they had 25 holes, but
gave an example with 26.
The grille could be slid through 52 positions, labelled first with the lowercase alphabet and then the uppercase
alphabet. The first position used was the one with the lowercase letter corresponding to the last letter of the
enciphered area indicator as used to slide and rotate the ten sticks.
____________ ______________
______| |___________________________|
/ | | |_
| | | abcdefghijklmnopq| ----------
---------------| |---------------------------| | - -|
|X u ae l pr| | 1701.5433.626.90512.3| | |7| |4|
---------------| |---------------------------| |- - - -|
|E i qj| |ooo 849.216.55.1034.2| |6| |.| |
-------------| |---------------------------| |-- -- - |
|G m uwi o| |o 65.20473.12.9.14516| ||4| |.||3||
-------------| |---------------------------| | - - - -- |
|P a| |ooooooo 9.250.3961490| | |0| |7| |
------------| |---------------------------| |- - - - -|
|V oi u xm| |oo 131.6150492.747318| |9| |2| |5|
--------------| |---------------------------| |-- - --|
|A py x q r| | 24619.43.529.6565.34| ||.| |5||.||
--------------| |---------------------------| | -- - -- |
|W hwm z| |oooo 5.1693.40453.112| | |.| |3| |
------------| |---------------------------| |- - - - |
|C i eqrl| |oo 87.21295.306172.91| |4| |3| |
------------| |---------------------------| |- - -- -|
|T c| |oooooooo .40541.331.6| | |1||.||8|
-----------| |---------------------------| | - -- - --|
|J u mtnw| |oooo 259.10129.6542.3| ||8||4| |1||
-----------| |---------------------------|_ | - - - |
| | | abcdefghijklmnopq| ----------
\______| |___________________________|
|____________| |______________
and in the position shown, the encipherer would read off the digits 6944870142537331458 for use in enciphering.
The slide continues on like this:
_____
|_____________________________________
| \
-- |IJKLMNOPQRSTUVWXYZ |
-| |----------------------------------------
|4| |802.1221607.435549.2076.24391462 EF|
-| |--------------------------------------------
| |.4335.20623.49.17029.33406.415.3307. EF|
- | |--------------------------------------------
Also, the four sides of one of its sticks would have looked something like this:
---------------------------------------------------------------------------
|A py x q r oooooooooo 24619.43.529.6565.3471.52.403569.19382.1
---------------------------------------------------------------------------
|A u mvjo zt oooooooooo .95190.317.45602.12995.138.440.27061.630
---------------------------------------------------------------------------
|A ek lbd c s oooooooooo 437.1512.44691.703977.69.405631.29331.95
---------------------------------------------------------------------------
|A nh gfi aw oooooooooo 2026.19.5113.4072.6198.20541.35622.9271.
---------------------------------------------------------------------------
The A at the left end indicated which square stick it was; on the other end, a code of two capital letters indicated
which set of sticks a stick belonged to. There are 52 usable positions for the grille; as the grille is 10 columns wide,
and there are 10 possible horizontal positions for the slide, the area of numbers and dots is 52 + 9 + 9 or 70
characters long.
Thus, the Reihenschieber did not encipher text directly. It simply was used to generate a stream of digits, which was
used as a key.
The digits were used to encipher text using a table of twenty alphabets, organized as two tables of ten alphabets.
One digit was used per letter to be enciphered; the digit picked one of the alphabets from a table; which table was
decided by whether the next digit (which will later be used to encipher another letter) was high (5-9) or low (0-4). A
new set of tables was provided each month.
My source for the information in this section is an article from the April 1996 issue of Cryptologia. The author,
Michael van der Meulen, had also done a few previous articles on German paper-and-pencil systems.
But the Reihenschieber as described here seems to have some flaws that reduce its potential security.
● The grille has more than 10 holes. Although the dots on the sticks help, this still means that digits will repeat
at almost regular intervals.
● Of the forty possible positions for each stick, only 26 are ever used. This would not be a problem if the sticks
were frequently replaced, but they are part of the "hardware" of the device.
● The "area key" is the only thing that varies the keying of one day's messages using the same key list. There
is no indicator that varies randomly with each message.
● There is no reason for the message key not to consist of eleven digits, even if the last one need only be either
0 or 5. Or, for that matter, why not twelve digits, so that the starting position of the grille can be derived
separately.
If one is ambitious, one might even advocate using a monthly table with 100 alphabets, and using two digits to
encipher every letter, rather than using 20 alphabets (a number less than 26, and therefore also dangerous).
Next
Chapter Start
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]
A drum, containing 29 mixed cipher alphabets, advanced two positions each time the
machine was used to encipher a letter.
An alphabet in normal order contained the plaintext letters. A window high enough to
expose two of the alphabets on the drum was present on the device. The plaintext
alphabet was moved in an irregular sequence to cover either the top or the bottom
alphabet of the two on the drum that were behind the window, but whether the normal
alphabet was the high one or the low one, it was always the one used for plaintext.
Thus, the movement of the bar with the plaintext alphabet simply controlled which of
two of the 29 cipher alphabets would be used at each step.
The irregular movement of this bar was controlled in two steps. First, a 25-pin
pinwheel advanced with each letter enciphered. Active pins on this pinwheel advanced
a chain with a variable number of links; some of those links were shaped to call for the
plaintext alphabet bar to be in its lower position, some were shaped to call for it to be
in its higher position.
Unfortunately, the cipher produced by this machine as described so far is quite weak; if
one knows that an A-22 has been used, one simply divides the encrypted message into
groups of 29 letters. Then, for each column of letters at that spacing, only two
alphabets are used, and this fact diminishes the benefit of the elaborate mechanism
devoted to alternating between those two. Instructions provided with the machine,
however, suggested advancing it two or three steps after enciphering some letters;
those who went to this extra effort would have obtained a greater degree of security.
Next
Chapter Start
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]
The basic principle of a Hagelin lug and pin machine is easy enough to describe. In the
C-38, used by the U.S. Army as the M-209, six pinwheels, with 17, 19, 21, 23, 25, and
26 positions on them, can be set by the user with an arbitrary series of pins that are
active. For every letter enciphered, all the pinwheels rotate one space.
The combination of active and inactive pins is presented to a cage with 27 sliding bars.
Each bar has two sliding lugs on it, which can be placed either in a position where it is
inactive, or in a position corresponding to any of the pinwheels, so that it will slide the
bar to the left, if the pin currently presented by that pinwheel is active.
The number of lugs sticking out rotates the cipher alphabet against the plaintext
alphabet. The two alphabets used are just the regular alphabet, and the alphabet in
reverse order, from Z back to A. This meant that encipherment was reciprocal,
although the machine still had a switch to select encipherment or decipherment: this
determined if the machine printed its output in five letter groups, or if it translated one
letter, chosen by the user, to a space.
The C-52, a postwar version of the Hagelin lug and pin machine, added an extra five
sliding bars to the cage that, instead of moving the cipher alphabet, caused the stepping
of the pinwheels to be irregular. The first pinwheel always moved, but the remaining
five pinwheels only moved when their corresponding bars were slid to the left. The six
pinwheels were labelled A, B, C, D, E, and F from left to right; bar 1 controlled
pinwheel B, bar 2 pinwheel C, and so on.
Also, on the C-52 the lugs could be moved from bar to bar, and the six pinwheels were
chosen from a set with lengths 25, 26, 29, 31, 34, 37, 38, 41, 42, 43, 46, and 47. Using
the pinwheels with lengths 34, 38, 42, 46, 25, and 26 allowed one to achieve
compatibility with the C-36: provided one also turned off the irregular pinwheel
stepping feature.
The alphabet always started from its normal position, instead of the position last used,
before being rotated by the projecting slide bars. This was perhaps the machine's main
weakness, as it made attacks based on frequency counts of displacements possible, but
it was perhaps unavoidable, since there was always a slight possibility of occasional
mechanical errors. Particularly as the machines were often used on battlefields.
In setting the lugs on the sliding bars, it was important to put many lugs for some
pinwheels, and few lugs for others, so as to get an even distribution of displacements:
basically, although some bars with two lugs active were desirable for irregularity, the
arrangement needs to approximate a binary coding of the active pins - that is, one
pinwheel might have only one lug facing it, another two, another four, and another
about eight, and another about thirteen or so.
For the C-52, in setting up lugs on the first five bars, it was important to ensure
frequent movement of the pinwheels.
Next
Chapter Start
Skip to Next Section
Table of Contents
Home Page
[Next] [Up/Previous] [Index]
The basic principle of a Hagelin lug and pin machine is easy enough to describe. In the
C-38, used by the U.S. Army as the M-209, six pinwheels, with 17, 19, 21, 23, 25, and
26 positions on them, can be set by the user with an arbitrary series of pins that are
active. For every letter enciphered, all the pinwheels rotate one space.
The combination of active and inactive pins is presented to a cage with 27 sliding bars.
Each bar has two sliding lugs on it, which can be placed either in a position where it is
inactive, or in a position corresponding to any of the pinwheels, so that it will slide the
bar to the left, if the pin currently presented by that pinwheel is active.
In this section, we will examine how messages sent on the original C-38 machine could
be cryptanalyzed, in the simplest case. That is, I will assume that a large number of
intercepts for a given day (or whatever period intervenes between key changes) are
available, and that the message indicator, giving the initial positions of the pinwheels,
is not encrypted (or, which is the same thing in practice, any method of encryption used
for the pinwheel position has been revealed to the cryptanalyst by some other method
of intelligence).
The first thing to do is to find a pair of messages that have pinwheel settings that
overlap. To find overlaps, the first step is to convert a pinwheel setting into a number in
the sequence of pinwheel positions that the machine experiences. (Note that when the
machine was improved to have an irregular pinwheel motion, this approach could not
be used; overlaps could still be found, but then one would have to perform kappa tests
on every pair of messages, a tedious process requiring automated assistance.)
Such conversion relies on the Chinese Remainder Theorem: given a series of integers,
such as a, b, and c, which are all relatively prime to one another, the remainder of a
number after division by a, b, and c is sufficient to uniquely identify that number if it is
known to be within a range of length a times b times c.
Thus, for example, the numbers 1 through 15 have different remainders modulo 3 and
modulo 5:
1 | 1 1 6 | 0 1 11 | 2 1
2 | 2 2 7 | 1 2 12 | 0 2
3 | 0 3 8 | 2 3 13 | 1 3
4 | 1 4 9 | 0 4 14 | 2 4
5 | 2 0 10 | 1 0 15 | 3 0
How can we quickly convert a pair of remainders to the number it is associated with,
without performing a table lookup? Basically, we can take one remainder as is; the
remainder modulo 5 tells us something we will need to know to find the number. But
we then want to use the other remainder, the one modulo 3, to tell us how many times a
whole 5 needs to be added to this remainder.
How might we do this? Looking at the way the groups of five numbers start, it seems
that the difference between the two numbers might be considered. That difference is:
1 | 1 1 0 6 | 0 1 -1 11 | 2 1 1
2 | 2 2 0 7 | 1 2 -1 12 | 0 2 -2
3 | 0 3 -3 8 | 2 3 -1 13 | 1 3 -2
4 | 1 4 -3 9 | 0 4 -4 14 | 2 4 -2
5 | 2 0 2 10 | 1 0 1 15 | 3 0 3
From this, it can be seen that if we take the difference modulo 3, it nicely separates the
numbers into three groups of five, but we have to shift to starting with 0, as is only to
be expected, since the remainders modulo 15 run from 0 to 15.
Thus, the rule, which can be applied repeatedly to convert a group of several
remainders to a remainder modulo their product, is:
Given two prime numbers, A and B, where A is less than B, and the remainders
modulo those primes, a and b, of an unknown number, the remainder of that number
modulo AB is determined as follows:
Once we have found two overlapping messages, the second step is to solve for the
plaintext of those messages over the extent of the overlap. Because the machine
produces successive shifts of a known alphabet, we know that the distance between two
ciphertext letters at a given position corresponds to the distance between the two
plaintext letters they represent, so for each position, we have only 26 out of 676
possibilities to consider for two letters. (Remember, the plaintext alphabet and the
cipher alphabet are the normal alphabet and the reversed alphabet, and the distances
between letters must be considered in their own alphabets.) Eliminating pairs which
have an uncommon letter in either position narrows down the possibilities for each
letter in each message.
For a machine like the Sigaba, which produces a different alphabet for each letter, an
attack at a "depth of two" is probably impossible without much additional information.
Having some plaintext and corresponding ciphertext, we can derive from that the series
of displacements generated by the operation of the lugs and pins over the part of the
sequence of pinwheel positions in question.
At this stage, one can apply sophisticated techniques, which have been described
elsewhere, to attempt to reconstruct the lug and pin settings of the machine. In order
that different combinations of active and inactive pins will tend to produce different
numbers of shifted lugs (different displacements of the alphabet), the lugs need to be
distributed among the positions corresponding to pinwheels in a manner that assigns
different weightings to the different pinwheels, resembling, but not identical to, the
weighting of binary numbers (16, 8, 4, 2, 1). Thus, if one looks for large displacements
and how they alternate with small ones, one may find a pattern that indicates where the
lugs are on at least one pinwheel.
The third step is to find messages which have an almost overlap. A list of all the
pinwheel positions in the overlap will help with this; it can be compared to the start and
end pinwheel positions of other messages (and middle positions, if the other messages
are long enough, and the overlap is short enough). An almost overlap is a span of
letters in a message where the positions of five of the six pinwheels have matching
positions to the pinwheels enciphering the (full) overlap sequence with which it is
being compared.
Since each pinwheel contributes only a single bit of input to the cage which determines
the displacements (note that for a computer version of this type of cipher, which
XORed together whole bytes in lists of differing length as input to an S-box, this would
not work), half the time, the displacement would match that of the displacement in the
message with which the almost overlap exists. So, a trial decipherment can be made
using those displacements, and it should not be hard to pick out the half of the letters
that are right. This gives information on whether a pin in one position on a pinwheel
has the same active or inactive state as a pin somewhere else.
Multiple almost overlaps involving the same odd pinwheel allow reconstruction of the
pinwheel; so does the fact that an extra active pin results in an increased displacement
(although there are exceptions to that rule once the cage has more than 25 lugs in it).
Constructing a table with 64 entries (corresponding to the combinations of active and
inactive pins) giving displacements is sufficient to read messages, although it is
doubtless possible to reconstruct the lug settings from the displacement table.
Next
Chapter Start
Skip to Next Section
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]
Here's a very crude artistic impression (in ASCII-Art, yet!) of what this beautifully-
made machine looked like:
___
___ '-.
_ ___ '-. \
_ o\_____ ___ '-. \ |______
_ \ | ___ '-. \ | _/\
_ o\ | ___ '-. \ | _/ _ |
/ \ ___ '-. \ | _/ _/o\ \
| O | ___ '-. \ | _/ _/o | |
_/| |.-' '-. \ | _/ _/o o \ \
_/ / \ | _/ _/o o o | |
/_______| |_____ _/ _/o o o _/ _/ === ===
| .-. | /o o o _/ _/ === === ===
| /-. )_________ \ \ o o _/ _/ === === ===|
| ( )________ \ | | o _/ _/ === === ===| |
| \_________ \ ) \ \o _/ _/|=== === ===| |_|
| | ( ) | |/ _/|__|| || || |_|
| .-. | |'-' \ _/|____||__||__||_|
| ( ) _|____|_ | | | |___|
| '-' \ / | |_____|---
| \_____======O===========O/
|________________________________|/
The Japanese cipher machine the American solvers of which called it PURPLE didn't
have any rotors in it, but instead used telephone stepping switches. However, in some
ways, it was still closely related to a rotor machine, and so it will be discussed here as
well.
While the term code as distinct from cipher sometimes refers to a substitution on words
and phrases as distinct from one on letters or digraphs, and sometimes (as in "Morse
code", "Hamming code", or "Huffman code") seems to be applicable to any fixed
substitution, forcing me to employ it somewhat loosely, I have been fastidious in
restricting the use of the term "rotor machine" to cipher machines with wired rotors,
which operate by changing a substitution produced by wires inside the rotor to its
contacts when the rotor is rotated. Other cipher machines, operating on different
principles, but with rotating parts (such as the Hagelin lug and pin machines, or the
Lorenz SZ-40) which operate on entirely different principles, have occasionally been
referred to in print as "rotor machines". I wish to disparage this trend, as it would make
the term "rotor machine" much less useful, by causing it no longer to refer to a family
of cipher machines which all are based on a common cryptographic principle.
Chapter Start
Skip to Next Section
Next Chapter
Table of Contents
Home Page
[Next] [Up/Previous] [Index]
In Hebern machines, the contacts on the rotors were simply flat circles of metal; the machine
had ball contacts on springs to make contact with them. This allowed the rotors to be put in
upside down, for more possible keys. The Enigma, on the other hand, was built more cheaply;
the rotors had plain metal contacts on one side, and spring contacts on the other. This almost
halved the number of contacts needed, provided you didn't decide to use a new set of rotors.
A rotor provided a changing scrambled alphabet, by (you guessed it!) rotating. A rotor with 26
contacts on each side, each corresponding to a letter of the alphabet, that changed E to M before
rotating would now change D to L (or F to N, depending on the direction in which it rotated),
while E could become any other letter, depending on the way the different wire went that was
now brought into position to encipher it.
Note that the example given had the rotor moving "backwards" by default. If the rotors are
labelled with letters going in the same direction as the use of the input contacts, and they
advance so that the next letter in the alphabet becomes visible at a fixed position, the result will
be to move the contacts on the rotor to the input contacts corresponding to the previous letter
from the ones to which they were previously connected.
The five rotors on a Hebern machine came close to moving like the wheels of an odometer.
However, they did not move precisely in this way. There were fast rotors, which moved once for
every letter enciphered, medium rotors, which moved once for every 26 letters, after a carry
from the fast rotors, and there were slow rotors, which moved once after 650 (rather than 676)
letters were enciphered. And there could also be rotors that didn't move at all, except that they
could be set by hand before encipherment began. Some versions of the five-rotor Hebern
machine had control levers, which determined which rotors moved each way.
The 'carries' between rotors were handled by ratchet gears that were at the two ends of the shaft
carrying the rotors. The reason for the slow rotors moving after every 650 letters was because
the machine was designed to avoid having the slow rotor moving at exactly the same time as the
medium rotor, since having all the rotors move together seemed like a weakness.
A good picture of a Hebern rotor machine appears in the July, 1966 issue of Scientific American,
which has an article on cryptology by David Kahn.
The following diagram may illustrate a little about how a rotor machine works:
In the first section, we see the keyboard connected to a set of contacts, arranged in a circle,
forming the input to the first rotor. Often, the contacts are arranged so that the contacts on the
circle are in alphabetical order; the early commercial Enigmas were wired so that the contacts
matched the keyboard arrangement instead.
In the second section, I attempt to illustrate that the contacts on both sides of a rotor are
connected so that each contact on one side is connected to one contact on the other side, but in a
scrambled way.
In the third section, I follow the fate of the letter E through three rotors, before and after the one
in the middle advances one step. The path of electricity through the first rotor stays the same;
but the movement of the second rotor has brought a second wire into contact with the electricity;
the wire formerly used is shown as a dotted line in its new position. The third rotor has not
moved, but since the electrical current has left the second rotor from a different contact, a
different wire in that rotor is used also, the old one also shown as a dotted line, but this time in
the same position.
One late rotor machine design that has become known to the public is that of the Hagelin HX-
63, which was offered for sale in the early 1960s, but was quickly phased out by electronic
cipher devices.
It had nine rotors, each with 41 contacts. As it enciphered a 26-letter alphabet, wires looped 15
of the rotor bank's output contacts back to its input.
There were two plugboards with the machine; one scrambled the 26 plaintext letters on input,
and another scrambled the 15 loopback connections. (It is somewhat surprising that a plugboard
scrambling the plaintext on input was chosen over one scrambling the ciphertext on output: it
would seem the latter would provide better protection against cryptanalysis, for the same reason
that a Type II slide is to be preferred over a Type I slide.)
The following diagram illustrates the wiring of an HX-63, showing the wires that are looped
back and the plugboards:
It is described as having a "very irregular" motion of the rotors, and each rotor had a set of 41
switches the setting of which would vary the effective wiring of that rotor.
Although I do not know what wiring scheme was chosen for those switches, one possibility
might be something like this:
Friedman Squares and Symmetry of Position for Rotors
The alphabets produced by a single rotor in its various positions can be shown in a tableau
similar to those used for Vigenere; such a table would look like this:
Rotor
position Plaintext
| A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
-----------|-----------------------------------------------------
A | L N K Y U W Z J X H E I A O G S P V C T D R B Q F M
B | M J X T V Y I W G D H Z N F R O U B S C Q A P E L K
C | I W S U X H V F C G Y M E Q N T A R B P Z O D K J L
D | V R T W G U E B F X L D P M S Z Q A O Y N C J I K H
E | Q S V F T D A E W K C O L R Y P Z N X M B I H J G U
F | R U E S C Z D V J B N K Q X O Y M W L A H G I F T P
G | T D R B Y C U I A M J P W N X L V K Z G F H E S O Q
H | C Q A X B T H Z L I O V M W K U J Y F E G D R N P S
I | P Z W A S G Y K H N U L V J T I X E D F C Q M O R B
J | Y V Z R F X J G M T K U I S H W D C E B P L N Q A O
K | U Y Q E W I F L S J T H R G V C B D A O K M P Z N X
L | X P D V H E K R I S G Q F U B A C Z N J L O Y M W T
M | O C U G D J Q H R F P E T A Z B Y M I K N X L V S W
N | B T F C I P G Q E O D S Z Y A X L H J M W K U R V N
O | S E B H O F P D N C R Y X Z W K G I L V J T Q U M A
P | D A G N E O C M B Q X W Y V J F H K U I S P T L Z R
Q | Z F M D N B L A P W V X U I E G J T H R O S K Y Q C
R | E L C M A K Z O V U W T H D F I S G Q N R J X P B Y
S | K B L Z J Y N U T V S G C E H R F P M Q I W O A X D
T | A K Y I X M T S U R F B D G Q E O L P H V N Z W C J
U | J X H W L S R T Q E A C F P D N K O G U M Y V B I Z
V | W G V K R Q S P D Z B E O C M J N F T L X U A H Y I
W | F U J Q P R O C Y A D N B L I M E S K W T Z G X H V
X | T I P O Q N B X Z C M A K H L D R J V S Y F W G U E
Y | H O N P M A W Y B L Z J G K C Q I U R X E V F T D S
Z | N M O L Z V X A K Y I F J B P H T Q W D U E S C R G
Just as a Vigenere table has a regularity, in that it shows the same alphabet in its rows (and
columns) repeatedly, only shifted, here a regularity is visible as well, but it is subtler: the
diagonals of this square are shifted regular alphabets.
In a mixed-alphabet Vigenere, if the letters A and B become Q and V in one alphabet, and T and
R in another, then Q and V are separated by the same distance as T and R in the cipher alphabet.
In a rotor machine where the entry rotor is the fast rotor, the principle is the same, except now if
the fast rotor has moved one position between the two alphabets, the comparison would be
between A and B becoming Q and V in one position, and Z and A becoming T and R in the
other position.
So in this case, the two mixed alphabets being considered are the one provided by the fast rotor,
and the one provided by the other rotors. The shifts of the fast rotor need to be compensated for
in the input. Similarly, if the output rotor were the fast rotor, the shifts would be adjusted for in
the ciphertext letters.
What about the case when the input and output permutations to a rotor are both unknown? For
example, when the fast rotor is in the middle of a stack of five rotors. At first, it might seem
hopeless to apply symmetry of position to that case, because there seems no way to tell when an
input or output in one case involves the same wire in the moving rotor or not as in another case.
But there is a way to apply symmetry of position in this case, given enough text with
overlapping key settings. Incidentally, if the entry and exit alphabets of the rotor machine as a
whole are known, in the case we are considering, where rotor 3 is the fast rotor, positions where
rotors 1, 2, 4, and 5 are all displaced by the same amount, the known plaintext, known
ciphertext, and fast rotor position can all be translated to permit including known plaintext from
such a key setting for comparison.
One thing is assumed to be known, the position of the rotor being examined, which advances
one step each time while the other rotors do not move.
With nearly complete alphabets, some progress can definitely be made in this case.
Another possibility does not produce certain results, only probable relationships.
Suppose that in position 1 of the rotor under study, plaintext A becomes ciphertext B; in position
7 of the rotor under study, plaintext C becomes ciphertext B; in position 11 of the rotor under
study, plaintext C becomes ciphertext D; and in position 14 of the rotor under study, plaintext A
becomes ciphertext D.
This creates a closed cycle of equivalents, separated by a given pattern of rotor displacements.
If we also knew that in position 2 of the rotor under study, plaintext W became ciphertext X; in
position 8 of the rotor under study, plaintext Y became ciphertext X; in position 12 of the rotor
under study, plaintext Y became ciphertext Z; and in position 15 of the rotor under study,
plaintext W became ciphertext Z, then we might think it likely that the two structures
correspond, and the same rotor wires are involved in corresponding steps of the two cases.
If so, then W precedes A, and Y precedes C, on the input side of the rotor, and X precedes B,
and Z precedes D, on the output side of the rotor, by exactly one position in each case.
Since all our elementary facts about the rotors are of the form perm(e-7)=R-7, that is, a
relationship between one plaintext letter and its equivalent for one particular rotor position, there
is no way to directly amass equations that can be used to solve for any direct facts about the
structure of the rotor as an unknown; instead, differences and patterns have to be relied upon.
Symmetry of Position is a technique that is used to reconstruct rotor wirings when a large
amount of information is available about the alphabets produced by a rotor. But how does one
get started attacking ciphertext produced by a rotor machine?
Let us assume the simplest case, where one knows the initial positions of the rotors for each
message, and where the fast rotor is the exit rotor. However, we can allow an unknown
assignment of the exit contacts from the rotor bank to the display or printer of the rotor machine,
and we will assume that only ciphertext is available.
With the exit rotor the fast rotor, one has stretches, 26 letters long, where the fast rotor, in its
different positions, is the only thing enciphering monalphabetically enciphered text. But each
stretch deals with text enciphered in a different monalphabetic cipher, so how can that help us?
The chance that two texts, enciphered independently, will have the same letter at any given
position, is 1/26. Two plain-language texts, or two texts enciphered in an identical manner by
means of a polyalphabetic cipher, will have a greater number of coincidences; aligning
messages on the basis of single letter coincidences is called the kappa test. But let us assume we
do not have any overlapping rotor settings to help us. How can the principle of the kappa test
help us?
Monalphabetically enciphered texts, even if they are not enciphered by the same monalphabetic
cipher, still have one thing in common: they have an uneven frequency distribution. In English,
the letter E makes up 12% of an average text, and the letter T makes up 9%. Twelve percent of
26 is just over three.
Thus, one can take our stretches of 26 enciphered letters, and compare them with each other.
When we find coincidences, it is likely that the monalphabetic substitutions which provided the
inputs to the fast rotor in both cases used the same letter or letters as substitutes for one or more
high-frequency plaintext letters.
Thus, in the ideal case, by coincidences we might find a number of stretches with many
coincidences with each other, and in each of the 26 positions in a stretch, the letter involved in
the most coincidences would be the substitute provided by the fast rotor for the particular letter
that, for most of those stretches, was the substitute for plaintext E produced by the rest of the
rotor machine.
Since there are several high-frequency letters in English, the result is not likely to be that easily
obtained; instead, there will be many possibilities, and the technique of symmetry of position,
above, will be one of the things used to narrow down the possibilities.
Edward Hebern originated this method himself; this perhaps is less surprising than it seems (one would, perhaps, have
expected the master cryptologist W. F. Friedman to come up with it, for example) when one considers that his first rotor
machine, made for use by users in the commercial world, only had one rotor in it.
Finding an interval method rotor sequence is related to solving the Eight Queens problem, except in this case the problem
involves a chessboard that allows one to move off any edge and then back on on the opposite edge, and the "queens" can
only move and capture along one diagonal, the same diagonal for all of them. A perfect solution is possible only on a board
of odd order; seven queens on a 7x7 board, nine queens on a 9x9 board, but for this modified problem, there is no solution
for eight pieces.
A simple proof of this fact depends on properties of triangular numbers. The nth triangular number is (n^2+n)/2. If n is an
odd number, this is a multiple of n, but if it is an even number, this is an odd multiple of n/2.
On both sides of a rotor, one wire is connected to each contact. So, if the wires are connected to each contact on the
opposite side, the sum of the displacements must be equal to zero, modulo the size of the rotor, since the wires are still
connected to contacts with the same numbers, contact 1 through contact n. If one tries to use all possible displacements
from 1 to n, (or from 0 to n-1, if you prefer) then for even n, the sum will be wrong.
From: 1 2 3 4 5 6 7 8 9
To: 5 4 3 2 1 9 8 7 6
(Difference: 4 2 0 7 5 3 1 8 6)
An interval method wiring for an even number of contacts will have exactly one possible difference omitted, and one
repeated twice. Fortunately, while the above example of an interval method sequence is highly symmetrical, there are many
possible arrangements that satisfy the interval criterion, and most appear almost random.
Here is another example of an interval method wiring, this time for a 26-contact rotor:
From: A B C D E F G H I J K L M N O P Q R S T U V W
X Y Z
To: L N K Y U W Z J X H E I A O G S P V C T D R B
Q F M
(Difference: 11 12 8 21 16 17 19 2 15 24 20 23 14 1 18 3 25 4 10 0 9 22 5
19 7 13)
Here, only the difference of 6 is omitted, and only the difference of 19 occurs twice.
Note that it is the alphabet used for constructing an example of a Friedman square on the previous page.
1-contact rotors: - 1 1
2-contact rotors: 1 2 2
3-contact rotors: - 1 3
4-contact rotors: 1 4 16
5-contact rotors: - 3 15
6-contact rotors: 4 24 144
7-contact rotors: - 19 133
8-contact rotors: 32 256 2,048
9-contact rotors: - 225 2,025
10-contact rotors: 464 4,640 46,400
11-contact rotors: - 3,441 37,851
12-contact rotors: 8,768 105,216 1,262,592
13-contact rotors: - 79,259 1,030,367
14-contact rotors: 227,008 3,178,112 44,493,568
15-contact rotors: - 2,424,195 36,362,925
16-contact rotors: 7,814,144 125,026,304 2,000,420,864
17-contact rotors: - 94,471,089 1,606,008,513
where the number of odd-contact rotors in the third column is from integer sequence A006717 in the Handbook of Integer
Sequences, while the number of even-contact rotors is calculated by my own computer program. Note that, in the case of 2-
contact rotors, one does not multiply by n (which is 2) going from the second to the third column, because in that case the
arrangements are symmetric.
The same type of backtracking algorithm as is used to solve the Eight Queens problem was used in my program to generate
the numbers for even-contact rotors, but instead of trying various permutations of the output contact numbers from 1 to n, I
instead tried permutations of the set of intervals I was using. This let me exploit a symmetry (instead of considering all
possibilities for the duplicated and omitted intervals, I only needed to work with one), and divide the number of
arrangements I generated by n, as well as reducing the number of levels the program went through to build an arrangement
by one, since the two duplicate intervals of zero were fixed by an outer loop.
Next
Chapter Start
Skip to Next Section
Table of Contents
Return to Home Page
[Next] [Up] [Previous] [Index]
Isomorphs
It is possible to break even the complicated cipher produced by a rotor machine.
Especially when only one rotor moves with every letter enciphered, that rotor is at
either the input or output end of the rotor machine, and no other rotor moves more
often than once every 26 letters.
Of course, having some cribs, that is, plaintext for a number of cipher messages, will
be helpful. As will cracking the 'indicator system', that is, the method by which the
sender notifies the recipient of the starting positions of the rotors for each message.
When only one rotor moves, and the rest of the machine stands still, and the moving
rotor is on the outside, then the only difference between the cipher applied for one such
period of 26 letters and any other is a monalphabetic substitution.
With enough overlapping cribs, one may be able to reconstruct little pieces of the fast
rotor relative to more than one of the monalphabetic substitutions produced by the
others, and it may even be possible to link these pieces together. As soon as it becomes
possible to nullify the effect of the fast rotor, messages become almost trivial to solve.
If you know the wiring of all the rotors, and you have some known plaintext, and the
fast rotor is on the outside, the procedure is to try each rotor, in all 26 rotational
positions as the fast rotor (this amounts to 130 trials for a machine with five rotors)
until you find one that produces a monalphabetic result. If the fast rotor is on the output
side, you use it to decipher the ciphertext. If it is on the input side, you use it to
encipher the plaintext. Either way, if the plaintext and ciphertext are made to match, so
that repeated letters in both match up, you have found an isomorph.
Note that while frequent or complicated rotor movement can make it impossible to
mount an isomorph attack, having the fast rotor in the middle of the rotor stack makes
such an attack more difficult, since one has mixed alphabets to deal with, and these will
not be the same in all messages, it does not make attacks based on this principle
completely impossible.
Next
Chapter Start
Skip to Next Section
Table of Contents
Return to Home Page
[Next] [Up] [Previous] [Index]
All three machines were built from common telephone stepping switches. These
switches had six input wires. Each wire was connected to a wiper, and each wiper
could make contact with one of twenty-five terminals. All six wipers moved together,
and each one had its own set of 25 terminals to contact.
A solenoid controlled the movement of the wipers. When a current pulse was fed to it,
the wipers advanced one position, except that, if the wipers were already at position 25,
a spring caused the wipers to go back to the first position. Thus, although the 25
terminals were arranged in a semicircle, the switch acted as though they formed a full
circle, with stepping in only one direction.
In CORAL, a stack of five stepping switches did the same job as a rotor would do in a
Hebern rotor machine. 26 input wires carried current to 26 outputs, in 25 different
ways. The alphabets for each of the 25 wiper positions, unlike the alphabets for the
different positions of a rotor, were completely independent and unrelated.
JADE was just about the same as CORAL, except that it was used to encipher
messages written with the Japanese katakana syllabary, which has 48 symbols. Thus, it
added a shift key to the keyboard. The shifts weren't enciphered; only a 25-symbol
alphabet was, giving equivalents to the 48 kana and the two diacritical marks used with
katakana.
PURPLE, the earliest of the three machines, had a somewhat stranger structure. A
plugboard selected 20 letters of the alphabet to be enciphered through banks of four
stepping switches. The other six letters were enciphered by means of only one stepping
switch. This division of the alphabet was easily detected through frequency counts, and
was perhaps the most serious weakness of the machine. (Another very serious
weakness, and also a strong contender for the title of "most serious", was the fact that
the stepping switch banks were, for obvious reasons, not removable, so one could never
perform the operation equivalent to changing the rotor order.)
Next
Chapter Start
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]
The Enigma
In 1974, the British government permitted the disclosure of the story of the
decipherment of the German Enigma cipher machine in World War II. That the Enigma
had been broken by the Allies in World War II, however, was not in fact secret up until
that time; the account of the capture of the German U-505 submarine in David Kahn's
book The Codebreakers from 1967 notes not only that a German cipher machine was
captured along with its monthly keys, but that messages on machines of this type were
already being read, "with the help of a mass of machinery that filled two buildings".
Also, the book "The Broken Seal" by Ladislas Farago referred to a meeting between
British and U.S. representatives to discuss a swap of American information on
PURPLE for British information on the Enigma (the Americans were generous, but
went away empty-handed at the time, but Britain very shortly thereafter relented, as
later revealed). But only after 1974 did the details of this cryptanalytic feat emerge.
Despite some continued secrecy, it can fairly be said that the cryptanalysis of the
Enigma is the only case in which not merely the story of an isolated cryptanalytic
success, but instead the ongoing saga of coping with changes in a cipher system, has
become public.
Because of the intense concern in the United States about whether or not the Japanese
bombing of Pearl Harbor could somehow have been prevented, it was officially
revealed quite shortly after the war that cryptanalysts working for the U. S.
Government and Armed Forces had solved both Japanese codes and Japanese ciphers,
including the cipher produced by the so-called "PURPLE machine".
Had this not been the case, perhaps this would have been kept secret for the same
amount of time as the British success in cracking the cipher of the Enigma machine, as
a result of the normal reticence of nations concerning matters relating to an activity of
such high sensitivity.
As well, given the role of Polish nationals in the early part of the Enigma story, a
genuine concern to avoid any of them still residing in Poland being summoned for, at
the least, debriefing, may well have been a consideration. As to the sale of used
Engimas, I would think that the rule of caveat emptor, rather than any imputation of
fraud, would be applicable.
Starting with the commercial Enigma C, the Enigma differed from other rotor
machines (although, later, the British Typex and a commercial machine from Ottico
Maccina Italiana were based on it) in that the electrical signal for a plaintext letter did
not just go in one end of the rotor stack and out the other, but also was sent back to go
through the rotors the other way by a reflecting rotor.
This strengthened the cipher in some ways, but also gave it important weaknesses. And
it also meant that quite a number of unique cryptanalytic techniques were developed
for the Enigma which were specific to it. In comparison, CORAL, although a more
difficult target, would still be approached with almost the same techniques as would be
used against a Hebern rotor machine, with the exception that the unrelated nature of the
alphabets provided by a stepping switch increased the amount of text required for
applying those techniques.
There was a mechanical difference: the rotors had plain contacts on one side, and spring-loaded contacts on
the other. A Hebern machine had only plain contacts on its rotors, and the machine itself therefore needed
twice as many spring-loaded contacts as a permanent part of the machine. This cut total costs for an Enigma,
but it meant that rotors were more expensive, and indeed during the war, the German forces kept on using
their old rotors, only gradually adding the odd new one to the set.
In addition to the contacts and the wires between them, a rotor often has two other parts of significance to
the cipher it will generate which are often overlooked. Like the wheels in an odometer or a mechanical
adding machine, rotors in some rotor machines include what is essentially a gear with one tooth to cause the
next rotor to move one position forwards at one point in its own rotation. Some rotor machines, of course,
use completely different principles to move the rotors; the Hebern machine did use this principle, but still
kept that part of the gearing physically separate from the rotor itself. Also, the rotor has to be labelled, so
that there is some way of recording and communicating the starting position in which the rotors of a rotor
machine are to be set. Otherwise, the two parties to a communication will be unable to set up their machines
the same way. On the Hebern machine, the rotor itself was marked.
In the Enigma, a movable alphabet ring was labelled with the letters identifying rotor positions. The rotor
itself, of course, was marked so that alphabet ring settings could be written down too. The ratchet wheel,
which determined when one rotor would cause the next slower one to advance, was attached to the alphabet
ring. This is quite important to note, as it determined how methods of exploiting the Enigma's indicator
method would work, and how the Bombe had to be designed.
But the main distinguishing feature of the Enigma was its reflecting rotor. Instead of plaintext going in one
end with ciphertext coming out the other, the reflecting rotor, with the 26 contacts on one side connected to
each other in a scrambled fashion, caused the electrical signal to go through the rotors a second time in the
opposite direction, coming out on the same side it came in, but at a different contact.
This meant two contacts on the entrance side of the rotor stack were "live". Instead, therefore, of the switch
operated by a typewriter key on the Enigma merely connecting the battery to the proper contact of the
outermost rotor, it instead took the contact of that rotor, and disconnected it from the lamp under the same
letter as well as connecting it to the battery.
As an extra security feature, the Enigmas used by German forces during World War II included a plugboard.
The wires leading from the lamps and keyboard to the rotors were all cut, and then wired to a socket that
acted like the socket for a phone plug. If nothing was plugged in, the two wires to the plug were connected
together. If a plug was inserted, the two wires were not connected to each other, instead, each one was
connected to one of the two contact points in the plug.
Although a commercial Enigma, modified by Polish cryptanalysts to match a military Enigma, used phone
plugs, the plugs in the plugboard of the actual Enigma had two prongs, but they still functioned electrically
in the same way as phone plugs.
So, think of 26 phone plug sockets, and a set of ten wires, with a phone plug at each end, with the tip at one
end wired to the shaft at the other end, and you will have an accurate electrical picture of the plugboard of
the Enigma.
| | |
----- ----------| ----------| ----------|
| --||- -----||----------||- -|------
| / || \ / || || \ / | |
| | -||--\- ---||- ----||- \ --/--|----- |
| | / || \ / || \ / || \ \| / | ||
| || -||- ------||----- ---||--\-\- _-|---- ||
| ||| || \ / || \ / || _-\|\-- | |||
| ---||---- ---||------ -||- \ ----|--- |||
| || || \ / || \ / || |\ | ||||
| | -||------ _-||--_ ----||--_ | ----|-- ||||
| | || _--\-- || ---/-_ || -|--_ | |||||
| --||-- ----||------ -||---- --|- |||||
----- ----------| ----------| ----------| ||||||
Slow | Medium | Fast | ||||||
||||||
---------------------------- ||||||
| | | | | | | ||||||
- | | | | | | ||||||
--- ( ) (*) ( ) ( ) ( ) ( ) Lamps ||||||
- | | | | | | ||||||
--- | | | | | | ||||||
| | | | | | | ||||||
--------|---|---|---|---|---|- ||||||
| | | | | | | | | | | | ||||||
I I / I I I Keyboard ||||||
| | | | | | ||||||
| | | | | | ||||||
|_ _| | | | | ||||||
_X_ I I I I Plugboard ||||||
| | | | | | ||||||
| | | | | ------------- |||||
| | | | ------------------ ||||
| | | ----------------------- |||
| | ---------------------------- ||
| --------------------------------- |
--------------------------------------
The Germans themselves broke messages transmitted by Republican forces during the Spanish Civil War on
conventional Enigma machines without plugboards. And it was the plugboard, more than anything else, that
convinced them that the Enigma was unbreakable.
The rotor wirings of the Naval Enigma, most of which were also used by the Wehrmacht, were:
The first five regular rotors, and the two reflecting rotors above were used in both the Wehrmacht and the
Navy. Only the Navy used the last three regular rotors, numbers 6 through 8, and two thin rotors, one
reflecting, to replace the reflecting rotor. The rotors only used in the Naval Enigma are marked with an
asterisk.
Each rotor, other than the reflecting rotor, is described this way: the line at the top with the letters in order
from A to Z indicates the contact which is on the side of the rotor facing the wires from the keyboard and
lamps, and the table entry indicates the contact on the side facing the reflecting rotor connected to that
contact, when the alphabet ring is in the A position, and A is the letter showing through the window at the
top of the machine.
While this form of the Enigma was used by the Wehrmacht, and by the Navy with improvements, other
forms of the Enigma were used during the war by other military and governmental organizations within
Nazi Germany.
One of the most famous is the Abwehr Enigma, which used rotors with 11, 15, or 17 notches, but which had
no plugboard. Its keyboard had numerals and punctuation marks on the keys above the letters. The Mil Amt,
which succeeded the Abwehr, used a machine with a set of six rotors, all with nine notches.
The Railway Enigma was an Enigma with a typewriter keyboard entrance permutation, like the commercial
Enigma C and Enigma D.
Although the Army and Navy continued to use their original rotors throughout the war, each of the other
groups using Enigmas used their own rotor wirings. This was a natural security precaution. Probably the
reason that other Enigma machines used did not have plugboards is also because security kept groups using
Enigma machines from knowing about the Enigmas used by other groups: it may well be that the different
Enigmas were made in separate factories. However, the Mil Amt seems to have learned the same lesson as
was used in the Naval Enigma, by switching to rotors all having the same notches.
Next
Chapter Start
Skip to Next Section
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]
By using the cords coming out of the Uhr box instead, it became convenient to change
the plugboard setting more often, because it could be changed just by turning the knob
on top of the Uhr box. The knob had forty settings, numbered from 0 to 39. These
settings were indicated by a two letter code, given by a sticker on the lid of the Uhr box.
When set to setting 0, the Uhr box acted like a set of ordinary patch cords. Of the
twenty plugs coming out of the Uhr box, ten were painted white, and ten were painted
red. The plugs in the two groups were numbered from 1 to 10, and the pairs of one red
plug and one white plug both bearing the same number each behaved like a patch cord
in setting 0.
Even in other settings, although the connections between the input of one plug and the
output of another plug were now scrambled, it was still true that the input of any red
plug was always connected to the output of a white plug, and the input of any white
plug was always connected to the output of a red plug.
Because patch cords always connected their input and output to the output and input on
the other end, they produced a reciprocal permutation of the alphabet. The Uhr box
allowed this to be avoided. This didn't change the fact that the Enigma's cipher was
reciprocal, since the permutations of the Enigma's individual rotors weren't reciprocal
either, but the cipher of the Enigma as a whole was still reciprocal, since the reflecting
rotor caused the electrical signal from the keyboard to the glowlamps to go through
each rotor twice, first one way, and then the other. The same thing was true of the Uhr
box.
But the fact that ordinary patch cords produced a permutation which was reciprocal on,
as it were, a second level did prove helpful to British cryptanalysts. For one thing, it
permitted an adjunct to the Bombe called the 'diagonal board' which allowed it to be
both more versatile and more effective.
Based on these facts concerning the Uhr box, I had suspected that it may have been
wired as follows:
The knob on the Uhr box would have turned what was, essentially, a reflecting rotor
with 40 contacts.
The contacts marked A would all have wires connecting them to the contacts marked
C, but in scrambled order. Similarly, the contacts marked B would all be connected to
the contacts marked D, again in a scrambled order.
The contacts in the box which connected to this movable reflecting rotor would also be
divided into four groups, which we can also think of as being labelled
ABCDABCDABCD... and so on.
The input contacts from the red plugs would be connected to the contacts marked A,
and since these were always to be connected to the output contacts of the white plugs,
those would be connected to the contacts marked C.
Similarly, the input contacts from the white plugs could go to the contacts marked B,
and the output contacts from the red plugs to the contacts marked D.
The order in which the plugs were connected to the contacts would match the
scrambled wiring in the 40-contact reflecting rotor, so that when it was set to position
0, the desired objective of emulating plain patch cords would be achieved.
It would be possible, although unnecessary, for all the input contacts, for example,
from the patch cord plugs to be wired in numerical order around the circle.
The following diagram may make the description of my tentative reconstruction of the
Uhr box clearer:
However, a paper in the July 1999 issue of Cryptologia has now explained the actual
workings of the Uhr box, and it differed somewhat from my tentative reconstruction.
Instead of having 40 contacts, the reflecting rotor that was the heart of the Uhr box had
80 contacts, of which only 40 were used at any one time.
The contacts on the reflecting rotor were in two consecutive rings of 40 contacts, and
either the even or odd ones were used in any position. Thus, the contacts on the Uhr
box were in two rings of 20.
The outer ring was wired to the red plugs, and the inner ring was wired to the white
plugs. In both rings, the even-numbered contacts of the Uhr box were wired to the thick
pin of the two pins on the plugs. The wires from the red plugs were wired to these
contacts in order, but those from the white plugs were wired in a scrambled fashion.
Essentially, therefore, the Uhr box worked somewhat like my hypothetical
reconstruction, except that it had two sets of scrambled wirings, each one of which
could be rotated to only half as many positions.
However, there was another peculiarity of the wiring of the Uhr box that led to a
weakness.
Although the wires from the white plugs were not wired to the Uhr box contacts in
order, they were wired to those contacts in pairs. This meant that of the two wirings in
the reflecting rotor, one, in order to allow the zero setting to emulate ordinary
plugboard wires, had to take pairs of contacts (with a contact in between belonging to
the other wiring) to pairs of contacts in the other ring, reversing the two elements in the
pair (so as to take a large pin from a red plug to a small pin on a white plug and vice
versa). This meant that every fourth setting of the Uhr box behaved like a set of
conventional plugboard wires.
A diagram of the actual Uhr box may help to make its design clearer:
in this diagram, only the wires in the rotor are shown that are in the set used in the zero
position, which reflect the flaw in the device that makes every fourth setting (every
second setting using that set of wires) reciprocal. The Uhr box is shown here set in the
zero position. Because of the extra complexity of inner and outer contacts, a more
schematic diagram, rather than one showing the rotor contacts in a circle, is given.
While the Uhr box did not do much by itself, only providing a fixed substitution that
did not change during a message, this kind of design illustrates how one could, for
example, build an interesting type of rotor machine for a 26-letter alphabet using
especially-wired 52-contact rotors. The idea of wiring a rotor with a number of contacts
that is a multiple of the size of the alphabet used, so that it acts like two different rotors
that are used alternately, also will surface in the Hagelin B-21, which we will meet
later.
Another enhancement used on some Enigmas late in the war was a reflecting rotor that
could be completely rewired by the user based on a daily key.
Next
Chapter Start
Skip to Next Section
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]
Also, they both looked like very large typewriters, and printed their output rather than
merely indicating letters with glowlamps. The Enigma B used the normal 26-letter
alphabet, while the Enigma A had a 28-letter alphabet, including three accented letters
for the German language, but omitting one letter of the alphabet not often used in
German.
Instead, they had four rotors, used once in normal fashion, controlled by four cams,
with 11, 15, 17, and 19 positions. These cams all moved one position with every letter
enciphered, and a raised tooth on any one cam caused the rotor corresponding to that
cam to advance one step.
Occasionally, none of the four rotors would advance between letters, and this probably
made the machine appear weak. However, this kind of irregular rotor movement does
eliminate the isomorph method of attack, and therefore this kind of design appears to
be quite promising. Since, however, it was cams and not user-settable pinwheels that
were used, an adversary knowing the sequence of raised teeth on each cam would no
doubt have been able to develop alternative methods of attack on this system.
Had the machine had five rotors instead of four, then the thirty-two possible rotor
motions would have exceeded the number of letters in the alphabet. With four rotors,
there were at most only sixteen possible alphabets the machine could present at each
step, and this could also be exploited.
A machine with ten pinwheels, all of different sizes, with the XOR from two pinwheels
controlling each of five rotors? Such a machine might well have been very strong.
However, the search for the ultimate in irregular rotor movements was pursued in a
different direction by the Americans, resulting in an even stronger machine, the
SIGABA, which we will meet later.
Another variation of the Enigma was the one used by the Abwehr. It was an Enigma
without a plugboard, but the rotors had a large number of notches, so that the slower
rotors still moved fairly often.
It may also be noted that the Abwehr Enigma's reflecting rotor moved as the slowest
rotor during encipherment. Also, like the commercial pre-war Enigma C and D, in
addition to not having a plugboard, the keyboard and lamps were connected to the
rotors following the layout of the typewriter keyboard rather than in alphabetical order;
thus, an Abwehr Enigma had the rotating reflecting rotor, and the multiple notches on
the rotors, as its only changes from the commercial model Enigma. With one other
minor, but interesting, addition: this version of the Enigma also had digits and
punctuation marks printed above the letters on both the keyboard and the lampboard.
Next
Chapter Start
Skip to Next Section
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]
W. F. Friedman devised Converter M-325. It was similar to the Enigma, except that the rotor nearest
the reflecting rotor, rather than the rotor farthest from it, was the fast rotor. This produced a machine
that did not need a plugboard to be reasonably secure.
The British cipher machine during World War II was the Typex. Its rotors were notched several times
for frequent and irregular motion. Three rotors moved, and the farthest of them from the reflecting
rotor was still the fast rotor. But there were two other rotors beyond the fast rotor, and they acted as a
plugboard replacement.
Some models of the Typex had two concentric sets of 26 contacts. According to those who have had
the opportunity to examine surviving specimens of this machine, they were not used for the obvious
purpose of providing a return path for electrical current, thus allowing the unique weaknesses of the
Enigma design to be avoided.
Despite this, I still wonder; there is a simple way, using dummy rotors connected by cables, to turn a
SIGABA into a plain Hebern machine. As the SIGABA and the Typex were made to interoperate by
means of accessories which turned them into the "Combined Cipher Machine", it makes sense to
conclude that the second set of contacts was used as a return path on the Typex, since then suitably
wired rotors with some sets of contacts wired without scrambling could allow Hebern type operation
of such a machine as well, thus facilitating this particular method of interoperation. Although the fact
that the fast rotor is on the entrance side (like an Enigma, unlike an M-325) makes it more difficult to
turn a Typex into a Hebern machine with the fast rotor in the middle, it is not impossible: an
auxilliary wiring harness, with dummy rotors, is also required as with the SIGABA, and the reflecting
rotor is one of those that has to be replaced. The following diagram shows a principle that may have
been used:
As the details of the actual CCM are available, no doubt I will soon be hearing if my reconstruction is
near the mark or not. As only three rotors aren't much, the actual CCM may have been somewhat
more complicated, for example by including entry and exit plugboards to replace the two stators in a
real Hebern five-rotor machine.
As the Typex is said to have very closely resembled the Enigma, I had assumed that it had a "650
break" as well, and this would have further complicated interoperation with the SIGABA. However,
since the Typex used heavily multinotched wheels, such a gearing arrangement would have shortened
its period considerably, so perhaps that problem did not arise. (It's even possible there was a lever
somewhere to choose with!)
On some later models of the Typex, the two entrance rotors also moved. This is merely a speculation
on my part, but one simple way in which they could have been caused to move is this: the entrance
rotor would be the slow rotor, the next one the medium, and the same notches in the wheels that
caused the regular carry would also cause movement of the wheels on the entrance side, but the
ratchet wheels would be displaced. So, if the positions B, G, J, M, O, R, T, V, and X caused the
original medium wheel to move when the fast wheel reached them, and the original slow wheel to
move when the medium wheel reached them, then perhaps the positions Z, E, H, K, M, P, R, T, and
V, each two positions earlier, would cause movement on the other side of the fast rotor. Or another
row of notches could be present on the wheels, and the number of notches in that row could very well
be even, since the ordinary rotor motion would already be providing the maximum period. No such
motion, however, unlike the original motion with those two rotors as stators, or better yet a motion
resembling that of the Converter M-325, would allow easy interoperation with a SIGABA using
dummy rotors by emulating a Hebern machine, basically the lowest common denominator of the two
machine types.
Some time after World War II, Switzerland, which had been using a version of the Enigma for its
own communications, designed its own significantly improved cipher machine based on the Enigma,
the NEMA (for Neue Maschine, not National Electrical Manufacturers Association). Recently, a
computer program simulating its operation, accompanied by a description of the machine, became
available. One of the program's authors, Frode Weierud, has a forthcoming article in Cryptologia
about the machine.
It used lamps to indicate the letters it produced as output, and physically it looked like a metal box
with a sloped front in which a typewriter keyboard was sunk. Recently, examples have become
available on the open market, at prices considerably below those of World War II Enigmas.
The device had four rotors, plus a reflecting rotor, all of which (including the reflecting rotor) moved
during encipherment. However, it had the appearance of having ten (rather thin) rotors. This was
because each rotor was manually adjusted by means of a flange on its left with 26 segments labelled
with the letters of the alphabet, and bore on its right a ring of appearance similar to that flange, but
which contained a notched gear. Each rotor's movement was controlled by the ring to its right; when a
notch on the ring came into position, its corresponding rotor did not advance for the current letter
being enciphered. In addition, the ring on the entrance rotor, towards the right of the rotor bank, was
distinctively colored (it was red) and had a second notched gear on it. This gear, when a notch on it
came into position, prevented the second and fourth rotors, and their corresponding rings, from
moving. Usually, all the rings would move with every character enciphered.
Thus, the NEMA had a period of 17,576 letters, each ring-rotor pair having a period of 676. If the red
ring had stopped only two other rings, and not their corresponding rotors as well, the period could
have been 26 times longer. In any case, it has a large number of initial settings, and a very irregular
rotor movement, bettered only by that of the SIGABA (although the Enigma A and Enigma B also
had a rotor movement that is more irregular than usual). Note that the diagram, for simplicity, shows
the mechanics of the rotor movement by lines which may suggest electrical wires; actually, the result
was achieved mechanically. Also note that the wheels with notched gears, although concentric on the
same shaft as the rotors, are shown in the diagram in a row below the rotors, using the usual diagram
symbol for pinwheels.
And, during the sixties, an Italian firm, O.M.I., offered a version of the Enigma with seven rotors. But
it embodied an ingenious idea for providing security in a machine sold openly without requiring
customers to rewire their rotors. The rotors came in two pieces, both with scrambled wiring, that the
customer could interchange and rotate to form the rotor set to use.
It would be a little harder to do this with rotors of the Hebern type, if one wished to take full
advantage of the fact that both sides of these rotors are identical, but it could still be done using
androgynous connectors positioned in alignment with the centers of the contacts, as shown below:
An interesting web site in Germany, which no longer exists, described several cipher machines from
behind the Iron Curtain. Three of them were described in enough detail (which I tried to make out as
best I could, not understanding German) that I found their mention of interest.
The T217, or ELBRUS, is an electronic cipher machine, having at least a superficial external
resemblance to the early electronic cipher machines used by the United States (as those machines are,
as far as I know, still classified, I have no knowledge of whether the resemblance is more than
superficial). A linear-feedback shift-register generator feeds a longer shift register, and bits from that
are selected under the control a key cassette to go into combinatorial logic to produce bits for stream
cipher use.
The M105 uses a principle I don't quite understand yet: 5-level code characters are converted to a 12-
bit form, then XORed with a key tape, then converted back down to 5-bit form. It isn't quite clear to
me how transformations more involved than an XOR can actually be accomplished by this principle,
particularly when decoding is also performed by precisely the same method. However, such a
machine could work by cheating; for example, the 5-bit character
abcde
could be converted to
abcde0000000
to be enciphered, and then the 12-bit result of being XORed with the key tape could be converted to 5
bits by taking the first 5 bits, performing a nonlinear operation controlled by the last 2 bits, and then
XORing with the second 5 bits. To decipher using the same key tape, the 5-bit ciphertext character
pqrst
00000pqrst00
before the XOR with the key tape. Even something like that, particularly if a plugboard can be used to
scramble the 12 bits from the key tape, might not be entirely silly. Also, if the nonlinear transform
controlled by the last 2 bits leaves something invariant, that, rather than 0, could be put in the last 2
bits. For example, if the last 2 bits are used to choose between different ways of transposing the 5 bits
of a character, for encryption the parity of the plaintext character could be placed in one, or both, of
those bits before the XOR, affecting which bit transpose is used.
For decryption, the parity of the ciphertext character after being XORed with the five bits for that
purpose on the tape, XORed with the parity of the five bits that will later be XORed to form the
plaintext character, will produce the parity of the plaintext character before the bit transpose (affected
by that parity) is known.
And, finally, the M125, or the Fialka, is described on his site, which is why I am mentioning his site
on this page: it is a variation of the Enigma.
It enciphers a 31-character alphabet. A punched card is used to perform the function of the Enigma
plugboard, but for only of 30 of the 31 symbols enciphered. The punched card has been described to
me as square, with two centering holes, and with the regular punched holes only below a diagonal on
the card. This suggests to me that each hole position controls a double-pole double-throw (DPDT)
switch, determining if two lines in a folded crossbar pattern are crossed.
There are 10 highly multinotched rotors, and they have fixed contacts on one side and spring-loaded
contacts on the other, like those of the Enigma.
Now, these 10 rotors all have 31 contacts on each side. There is also a reflecting rotor, but how can a
reflecting rotor with an odd number of contacts work?
One contact of the reflecting rotor, instead of being connected to another contact, is connected to a
circuit that causes the machine to encipher the input letter as itself. Note, however, that the machine's
cipher is fully reciprocal.
Like the Typex, we have an Enigma with both multinotched rotors and a plugboard; British
cryptanalysts working on the Abwehr Enigma on the one hand, and the Army and Navy Enigmas on
the other saw that to be an effective combination. This may not be terribly surprising, as there was
Soviet penetration of the British Ultra effort during World War II. The patch panel, like the Uhr Box,
avoids the problem of the plugboard substitution being reciprocal in itself.
Although the machine is connected to 5-level tape equipment, instead of enciphering normal 5-level
code (leaving, perhaps, the all-zeroes character unenciphered) the German-language version of this
device omits the letters W, X, and Y, and uses J to represent the space (thus printing a space when
deciphering, and a J when enciphering), leaving room for the digits from 2 through 9 in the character
set. As Russian has a 32-letter alphabet, presumably the original Russian-language version did not
include digits in its character set.
My initial attempt to reconstruct the Fialka from the information I had found resulted in a somewhat
different machine, with its own features of interest.
In the a block diagram I saw, there were three signals going from the reflecting rotor to a transistor
symbol. I thought that perhaps this meant that three contacts were wired in a loop, with diodes going
from one to the next, in rotation. As a DC current is used to go from the keyboard to the rotors and
back to the output mechanism, this can mean that A becomes B, B becomes C, and C becomes A.
(However, there is nothing to prevent the current from going through two diodes in a row. This can be
avoided by the use of resistors or multiple diodes, and a suitable choice of voltage threshold, or by a
simple transistor circuit.)
That would mean the cipher of the machine as a whole would not be quite reciprocal, but no letter
could represent itself. The easiest way to reverse the action of such a circuit during decipherment
would be simply to reverse the polarity of DC current through the machine.
The fact that the punched-card "plugboard" affected only 30 of the machine's 31 characters was
baffling to me, and implied some sort of external constraint. As I assumed a simple crossbar
arrangement for card sensing, to minimize parts count, the fact that a standard 80-column card has
over 900 holes in it meant that it could indeed control a 30 by 30 crossbar patch panel. (One needs
961 hole positions for a 31 by 31 crossbar patch panel!) The diagram shows a possible arrangement
for the crossbar circuitry that uses the first 75 columns of the card, and which, by taking into account
the zone and digit positions of the card, allows key cards to be produced with conventional punched
card equipment, using only &, -, /, and the digits and the upper-case letters.
Perhaps the construction I reached through speculation will be helpful to amateur builders intending
to build a replica of the Fialka at home, but with the use of more standard parts, even if it departs
from the historical reality.
The following diagram is provided for those who aren't familiar with the code used on the 80-column
punched card:
Obviously, the simplest method to avoid this problem with the Enigma would be to revert to sending
the signal through the rotors in only one direction, as with the Enigma A and Enigma B, or as with the
original Hebern machine. But if one wanted to avoid having to switch a large number of wires when
changing from encipherment to decipherment, or if one felt it useful to have the signal going through
the rotors twice instead of just once, how would an Enigma not having this problem be designed?
One can begin by merely changing the labels which are over the indicating light bulbs. If the light
bulb that is on the circuit with the Q key is now labelled B instead of Q, then it is B that the letter Q
will not be enciphered as.
But then one would have to have one wiring for encipherment, and a different wiring, either selected
by a large and complex switch, or by constructing enciphering Enigmas and deciphering Enigmas.
One way to avoid the problem would be to replace the plugboard of the Enigma with two
switchboards, one connecting the keys to the machine, and one connecting the lamps to the machine.
Then one could select any wiring configuration for encipherment, and its counterpart, with lamp and
key wirings exchanged, for decipherment.
Could a suitable choice of new labels for the light bulbs allow a simpler solution, one that involved a
lesser change to the way the Enigma worked? One possibility would be, given the keys are connected
to the rotor contacts in alphabetical order, to label the light bulb connnected to the A key with N, the
light bulb connected to the B key with O, and so on. Then, if the setting rings are labelled with two
alphabets similarly displaced, in contrasting colors, and the gear teeth by which one ring advances the
next are so arranged that if a tooth is at one position, there is also a tooth at the position diametrically
opposite (shortening the period, because all the rotors must now have an even number of teeth), one
could indeed have a machine that behaved almost exactly like the Enigma.
However, the fact that the letter A can now never be represented by N, instead of never by A, is just a
fixed substitution that would soon be discovered, and then it would cause no real difficulties for the
cryptanalyst. A normal Enigma plugboard would not change this: and the sockets on it would also
have to be labelled in two colors, as the plugboard wiring would have to be displaced 13 positions to
decipher.
Another thought would be, instead of having two switchboard-type plugboards, where a set of 26
sockets is matched by 26 plugs from within the Enigma, to have a second plugboard of the regular
Enigma type in a single Enigma. In addition to the one between the rotors and the lamps and keys
both, the additional plugboard would be between the lamps and the keys. The reciprocal nature of the
plugboard substitution would not be a problem, and would in fact allow the same wiring to serve for
encryption and decryption. This arrangement is illustrated below:
However, it wouldn't quite work as illustrated. Although the rotor substitution and the plugboard
substitution are both reciprocal, that does not mean that they commute. But a more complicated
wiring based on this principle would be possible, such as placing the rotors on the lamp side for
decipherment; this would require a bank of 26 relays to simulate the effect of the switches in the
keyboard.
One simple way to make this work, with some limitations, is this: for encipherment, use only the
plugboard between the lamps and keyboard. For decipherment, also use the regular plugboard, and
wire it in the same way as the plugboard between the lamps and keyboard. This works because
plugboard wirings are reciprocal.
The basic problem of this sort of arrangement is that the rotors are connected to the keyboard and not
the lamps in an Enigma, hence a permutation between the keyboard and lamps disrupts the
relationship between the rotor contacts and the lamps and keys that makes decipherment possible
when it is reversed for decipherment. Could an Enigma be modified so that the rotors were connected
to the lamps? Yes, if each lamp were shorted with a diode:
This diagram shows the flow of electricity in an Enigma. On the left, a simplified diagram of the
Enigma is shown. Wires at a positive potential are red, wires at a negative potential are blue, and
wires carrying current are shown thicker with yellow symbols indicating the direction of current.
On the right, the arrangement involving diodes needed to allow the rotors to be connected to the lamp
side of a modified Enigma is illustrated. Current that pressing a key allows to flow goes first through
the shorting diode belonging to the lamp with the same letter, then through the rotors, and on its
return trip lights the correct lamp, since it is going the other way, and cannot be shorted by that lamp's
diode.
Suitable switching circuitry, allowing either arrangement to be selected, and reversing other
connections, would allow a two-plugboard Enigma of the type shown above to even have an Uhr box
connected at either or both plugboards.
Next
Chapter Start
Skip to Next Section
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]
The cryptanalytical methods used are sorted by type in the following sections, and thus
a more chronological summary may help to make the story more understandable.
Initially, the Enigma was without a plugboard. The method of "cliques on the rods"
was used against it at this stage; this was a version of the isomorph attack against a
Hebern machine, modified as required for the Enigma.
Next, a plugboard was used, but only three cords were plugged into it, affecting only
six of the twenty-six letters. A common ground setting was used to encipher the
starting setting which operators were supposed to choose at random; this setting was
enciphered twice. Here, the tables generated by the cyclometer were used: the doubly-
enciphered indicator meant that if one message had A as its first letter and Q as its
fourth, A as the first letter of the message always implied Q as the fourth. Thus, the
relation between the first and fourth letters of a day's intercepts defined an alphabet,
and the same was true of the second and fifth letters and the third and sixth. The
characteristics of these alphabets allowed those tables to pinpoint the day's ground
setting.
Then, instead of a ground setting, a setting picked also at random, and sent in the clear,
was used. This nine-letter indicator was attacked on the basis of watching for cases
where corresponding letters in the doubly-enciphered indicator, now the fourth and
seventh, fifth and eighth, and sixth and ninth letters of the message, were the same. The
original Polish Bombe, and also the perforated sheets, were used at this stage.
When the number of rotors in the rotor set was increased to five from three, the British
took over from the Poles, and relied mainly on the perforated sheets.
When the rotor starting position for an individual message was enciphered only once,
the Turing Bombe, soon augmented by the diagonal board, allowed decrypting Enigma
messages to continue.
On the Naval Enigma, eight rotors as well as a split reflecting rotor were used. This
was dealt with by aligning messages to find key overlaps; from this, and a study of the
indicators, constraints on the possible rotor orders were found, allowing the Bombe to
still be used.
Near the end of the war, the Uhr box and a rewirable reflecting rotor were used in some
places. The Uhr box merely required giving up the diagonal board. The reflecting rotor
required a major redesign of the Bombe, but decoding continued.
Next Section
Chapter Start
Table of Contents
Home Page
[Next] [Up/Previous] [Index]
Both the probable plaintext and the ciphertext had to be put through the fast rotor, and
it was the two results that had to match, that is, be monalphabetic encipherments of one
another, having repeated letters in the same places.
Since a rotor can be in 26 different positions, changing both the input and output
letters, one needs 26 different strips. Each strip shows, for one particular input letter,
the possible output letters for each position of the rotor.
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
E K M F L G D Q V Z N T O W Y H X U S P A I B R C J
E J K C H...
and the strip for the letter B would contain the sequence
K L D I...
since in the A position of the rotor, A becomes E, the A strip begins with E. When the
B contact, that takes B to K in the A position, is moved back to the A position, then it
will take A to the letter before K, or J. Similarly, when the C contact is moved two
positions back, its destination, the M contact, is moved two places back to K. Of
course, the strips might also be prepared for the rotor moving the other way, with the
letters in reverse order.
The strips will have their sequences of letters repeated twice; one chooses the strips
which correspond to plaintext and ciphertext, and puts them next to one another, but
staggered, because the fast rotor is always moving one step for every letter. Then, the
rows across, between the strips, show the possible encipherments of the plaintext or
ciphertext letters for every starting position of the fast rotor.
Strips with the rotor outputs on them were aligned to produce the results, and thus the
method was called "La Méthode des Bâtons" in French, and in Britain the strips were
called rods, with the repeated letters that matched up called cliques.
The sequence of 26 letters that a rotor would produce from a given letter in different
positions cannot be a scrambled alphabet, with no letter repeated, for reasons seen in
the previous section on the interval method. In the colorful terminology of Bletchley
Park, the duplicated letter on a rod resulting from two wires producing the same
displacement was called a "beetle", and the result of two wires having exactly opposite
displacements was called a "starfish", as recently revealed in papers by C. H. O'D.
Alexander available on Frode Weierud's web page. These papers note, among other
things, that the rods were sometimes used against Enigmas with plugboards as well, in
cases where the indicators could not be interpreted. (Two of the papers, about
something called JNA-20, appear to be about PURPLE or CORAL, even though they
still use the term "Stecker" in reference to its plugboard.)
Next
Chapter Start
Skip to Next Section
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]
First, they started the Enigma, for a given day, with a fixed secret setting, called the
ground setting or Grundstellung. At this setting, the actual starting rotor setting was
repeated twice and enciphered.
Then, still before the war started, while only the Poles were breaking the Enigma, a
change was made. Instead of a secret ground setting, a starting point was picked by the
user at random, and started the message in the clear. Then the starting rotor setting used
for the message itself was again repeated twice and enciphered.
In both cases, the relationship between the two repetitions of the rotor start position
gave too much away.
In the first case, since one had many messages for a given day, all with the same
ground setting, one could look at the alphabet formed by combining that produced by
the machine at the ground setting with that produced three letters later. This alphabet
was visible in the clear: if a message began VBT RSQ, then V became R in that
compound alphabet.
Essentially, tables could be made of the distinguishing features of the alphabets created
at each starting position. And alphabets had such features, even after the plugboard was
used. These were visible when an alphabet was reduced to 'cycle form': if V becomes
R, then what does R become, and how many steps does it take to get back to V? Any
scrambled alphabet basically divides the alphabet into pieces of various sizes, and
those sizes aren't changed by the plugboard. The cyclometer, used to create these
tables, will be described along with the Bombes in the next section.
The three alphabets derived from a day's intercepts (or three months' intercepts,
actually) had, when reduced to cycle form, some very special properties. Although they
were formed by comparing two encipherments at positions separated by 3, they could
also be thought of, since decipherment and encipherment were the same, as the results
of applying the encipherments at those two positions, one after the other.
This has the following curious result:
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
U V T X R W M I H Z Q P G S Y L K E N C A B F D O J
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
G K R P S Y A J M H B Q I U W D L C E V N T O Z F X
In the pair of reciprocal alphabets shown above, A becomes U, and then U becomes N.
So, in the compound alphabet, A becomes N. Note that U also becomes A in the first
alphabet, and N becomes U in the second, but these don't connect, so the compound
alphabet is not reciprocal.
(a n e c v k l d z h m)
What happens if we follow the fate of the letter U, which becomes A in the first
alphabet, just as A became U?
(u g i j x p q b t r s)
Because this sequence consists of the middle letters, taken in reverse order, of the
previous cycle, the individual substitutions can be found at one of the positions these
two sequences have when slid against each other after one is reversed:
A N E C V K L D Z H M
U S R T B Q P X J I G
A N E C V K L D Z H M
G U S R T B Q P X J I
Because at that stage poorly chosen rotor starting positions, both consisting of adjacent
letters on the keyboard, and also consisting of the same letter repeated three times,
were common, it was possible to eliminate ambiguity in aligning the cycles and
determine the rotor starting positions, without as yet knowing either the alphabet ring
settings, the rotor order, or even the wiring of any rotors.
Knowing the letters visible in the little windows on the enemy's Enigma was an
accomplishment, but by itself it did not let you read any messages. The Poles did know
the rotor wirings of the Enigma, though. They had not captured a machine, and doing
so in peacetime would have made it obvious that one was missing. Instead, a spy had
given the French, and the French had given them, keys for a period and some matching
plain and enciphered messages, from which they laboriously reconstructed the rotor
wirings and internal connections of the Enigma.
In addition to knowing the initial rotor settings, applying the pencil-and-paper method
noted above provides you with six successive alphabets produced by the Enigma. At
this stage, only a limited number of letters are modified by the plugboard, and the
Enigma had only three rotors to insert in any of six different orders.
If, for the encipherment of the first six letters after the ground setting, the medium rotor
did not move, these alphabets are produced from an inner alphabet, produced by the
medium, slow, and reflecting rotors, at six consecutive positions of the fast rotor.
The grille or slotted sheet method involved sheets with the successive alphabets
produced by one rotor printed on them, which were slid over a piece of paper on which
these six alphabets were written.
If it weren't for the plugboard, negating the fast rotor would produce six identical
alphabets: even with the plugboard, the right position produced six alphabets with
many letters in common, and from the similarities and differences, both the plugboard
settings and the inner permutation could be determined.
The initial rotor settings are known in terms of where the alphabet rings are; now the
ground setting is known in terms of the positions of the rotors themselves. Still more
work needs to be done to read messages: the original Polish Bombe automated that
next step.
Arbitrary Ground Settings
Since the ratchet that allowed one rotor to move the next slower rotor and the alphabet
ring which was used to refer to rotor positions were fixed together, in the second
system it was often possible to determine, since the Enigma's original five rotors all
had their one carry in different positions, which rotor was the fast rotor.
Among the many indicators for a day, there would be some with repeated letters. And
there would be some with the starting positions given in the clear possibly adjacent to
each other. Which positions are adjacent depends on when carries occur. And if the
same letter becomes first N and then V three letters later, and then fails to change from
N to V when it is apparently in the same two positions, then one is mistaken about
when the medium rotor moved.
Combinations where the same letter becomes the same letter in the same message, in
two positions three places different could not always occur, and these indicators, called
"females", eliminated possible indicator settings.
Also useful to Bletchley Park at this stage were "Herivel tips", which were the result of
Enigma operators choosing, after setting up their machine for the day, to use as their
first setting the position of the rotors as they stood, or possibly moving them only a few
places, from the position after setup which meant the rotors were near their initial
positions, and the setting sent in the clear would give away the alphabet ring settings
(either by itself, or in combination with the arbitrary ground settings of other operators
making the same mistake).
The perforated sheets were one set of 26 square sheets, with punched holes, for each
possible rotor order. They were used when the ground setting was sent in the clear,
followed by two encipherments of the current setting. Each sheet corresponded to the
position of one of the wired rotors (in Poland, apparently the slow one) and the rows
and columns on the sheets corresponded to the positions of the other two rotors. The
rows and columns, except the first one, were repeated twice. A hole was punched in a
sheet whenever a letter would be enciphered to itself by an Enigma with that position
of the three rotors plus an Enigma with the fast rotor three places further ahead.
Since a rotor order is assumed by one's choice of perforated sheet set to use, one can
exclude all indicators in which the medium rotor moved. This is because the ratchet
wheel and the alphabet ring are attached to each other. In practice, unless there is other
information available, one needs to try all 60 rotor orders. And, yes, one also needs to
try 26 stacks of sheets for each rotor order. However, 1560 trials is not an
unmanageable brute-force search, even by manual methods.
One finds numerous indicators with repeated letters in the same position, and places,
one on top of each other, alphabet sheets so staggered as to match the relative
displacements of the ground settings for the different messages. Then, a hole through
the stack of alphabet sheets indicates which position of the wired rotors corresponds to
each of the ground settings.
During the war, the double encipherment of the indicator was eventually abolished.
This increased the reliance of cryptanalysts on a large piece of electrical machinery, the
Bombe. But for a period of time before it became available messages were still
deciphered, as the result of the continuation of the practice of choosing adjacent
keyboard letters, then called "cillies" by the British, (well, they were silly) even if
settings consisting of three identical letters were by then suppressed.
With the Naval Enigma, instead of switching to a single encipherment of the initial
rotor position, the use of a common ground setting was revived; however, the
indicators recieved an additional layer of encryption; the two repeated encipherments
of the initial rotor setting were enciphered by means of a table of digraphs.
If the enciphered starting setting was ABC DEF, then the digraphs that would be
enciphered in the table would be AY BD CE XF where X and Y represent two
additional letters chosen by the encipherer at random; that is, the starting setting was
staggered like this:
A B C X
Y D E F
This would have made the indicators useless for cryptanalysts, except that the digraph
table was not itself part of the daily key. Instead, for one period, a set of nine digraph
tables were used, and only which one was to be used was part of the key that changed
each day. As copies of the digraph tables (which were, for convenience, reciprocal)
were captured, the result was merely that all nine possibilities had to be checked. With
a common ground setting, as noted above if letter 1 was A and letter 4 was D once,
then letter 4 had to be D whenever letter 1 was A, and so one would normally be able,
with 27 messages, to swiftly determine the right table to use.
Had this method been used with the later indicator method used by the other services,
an arbitrary ground setting and a single encipherment, considerably more work would
have been multiplied by a factor of nine, even using the digraph tables that had been
captured. Had the digraph tables been changed more often, that too would have
diminished the usefulness of the indicators, but by then the advanced Bombes in use
eliminated the need to break the indicator system; it would have meant more work, but
their Engima messages would not have become inviolate.
Next
Chapter Start
Skip to Next Section
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]
The Bombe
The Bombe, in its various forms, was a device containing multiple sets of Enigma
rotors that rotated quickly to try all possible positions of the rotors.
Because the Enigma had a plugboard, and because no simple relay circuit would
recognize valid German-language text, even having a device of that nature did not
make it trivial to crack the Enigma machine's cipher. Thus, the Bombe came in
different forms during the life of the cryptanalytic effort against the Enigma.
The Cyclometer
The cyclometer was the first modified Enigma mechanism used in cracking Enigma
ciphers, but it was used to prepare tables in advance, rather than working on
information from a specific day's intercepts.
It consisted of two sets of Enigma rotors connected so as to face one another, and
positioned so that the fast rotor was three positions different in the two sets, the other
rotors being in the same position. A keyboard and lights was also connected to the 26
wires between the rotor sets. A key did not disconnect the light corresponding to it.
The rotors were manually stepped. For each position, one depressed a key, and noted
how many lights lit up, and then depressed a key corresponding to a light that hadn't
yet lit up for that position, until all the letters were divided into groups of different size.
The table thus generated was useful when the indicators of the Enigma were
enciphered twice according to a common ground setting for the entire day.
From the messages intercepted, one could form alphabets based on the indicators.
Since the ground setting was always the same, if the first letter of the starting setting
chosen by the operator was A, the same two alphabets would be applied to it at the
ground setting position and the position three letters later, and so if the indicator was
X-- Q-- for one message, it would be in the form X-- Q-- for every message where A
was the first letter of the starting setting.
The pattern of that alphabet which would survive changes in the plugboard settings was
its cycle decomposition. That is, an alphabet might be made up of three letters that
stayed the same, two pairs of letters swapped with each other, one group of three letters
in which each letter was replaced by the next one, and so on.
The characteristics of the three alphabets produced from a days indicators would match
three consecutive alphabets in the table produced by the cyclometer, unless the ground
setting was chosen so that the medium rotor moved during the first six letters.
The original form of the Bombe was designed back when the Enigma only had a set of
three rotors to interchange, and when only three wires were connected to the
plugboard, affecting only six out of 26 letters.
It was used against the doubly-enciphered indicator system of the Enigma during the
period when ground settings were chosen at random by the operator, and sent in the
clear with each message.
If one has two "females", indicators where one letter is repeated in the two
encipherments of the actual rotor starting position, and furthermore, they result in the
same letter and are in different positions, which was a common enough occurence
given the volumes of traffic in use, one could proceed as follows:
Connect a voltage to that contact on four rotor sets. Take these in two pairs, each pair
with positions offset by three, and if both pairs, at the same time, produce the same
output letter (that is, both sets in each pair produce the same letter, but the two pairs
may produce a different one) then one has found the right starting position.
This won't work, however, if the letter found in the ciphertext was changed by the
plugboard. The actual machine had six rotor sets, and could take advantage of finding
the same letter in all three possible positions.
The Turing Bombe exploited the fact that messages sent by the Enigma often included
long stretches of probable plain text, particularly the titles, spelled out in full, of
military officers. Since the Enigma never enciphered a letter to itself, it was possible to
find possible exact alignments for such likely phrases, or "cribs".
Let us suppose that, comparing some probable plaintext to matching ciphertext, we find
the following:
The 4th letter of the crib was a plaintext E that was enciphered to N.
The 8th letter of the crib was a plaintext E that was enciphered to X.
The 19th letter of the crib was a plaintext N that was enciphered to X.
These encipherments form a loop. For some position of the rotors, N becomes E at that
position, and then for the position four steps later, E becomes X, and a further 11
positions later, X goes back to E.
Since the Enigma has a plugboard, instead of N, E, and X, one can only say with
certainty that "some letter" becomes "some other letter", which then becomes "yet
another letter", which then goes back to "the first letter".
So, a Turing Bombe worked this way: the three rotors plus the reflecting rotor of an
Enigma were replaced by seven rotors, with a conventional rotor imitating the
reflecting rotor in the middle. For the loop in the example, one would have three such
sets (machines would be working in parallel for every possible rotor order, so as to
avoid taking time to re-order rotors: in fact, one complete set of all 60 orders
constituted a single Bombe at this point) positioned so that when one set was at the
position it was in for the 4th letter of the crib, the next was in the position 4 steps later,
and the next was in the position 15 steps later.
Each set of rotors was connected to the next set by 26 wires in parallel. A voltage was
applied to one of the wires at one point. That wire was chosen to be the wire for the
actual letter found in the crib, so that if that letter was not changed by the plugboard,
the actual closed loop in the crib would be the only part of the circuit reached by the
voltage, and so each of the 26-wire links would have only one live wire.
Otherwise, when the correct position was reached, even if all 25 other wires in each
link were reached by voltage, the actual closed loop would, being closed, be isolated,
and not get voltage.
So a relay circuit checked the 26 wires at one point in the loop, and halted the Bombe
whenever not all 26 wires had voltage (presumably ignoring the times when the rotors
were between positions).
If the notches that caused one wheel to move the next slower wheel had been fixed to
the rotor body, the Turing Bombe would have been simpler to understand, and would
always have worked, since then for any position of the wired rotors, the position of the
rotors a certain number of steps later would be known.
Since the notches were in fact fixed to the alphabet wheel, what was done instead was
to perform the carry from the fast wheel to the medium wheel, and one from the
medium wheel to the slow wheel, at only one position in the apparatus, with
corresponding wheels in all rotor sets linked together. If only the fast wheel was
displaced between rotor sets, the machine worked if the medium wheel did not move
anywhere inside the crib.
One could also displace the medium wheel by one place in some rotor sets to try
different assumptions about where the medium wheel moved.
It might be noted that, since we don't care which letter our test letter was taken to by
the plugboard, a relative displacement of the whole rotor set would make no difference.
Since the reflecting rotor could not even be moved to alternate positions by hand,
however, different rotor positions were absolute, not relative. But if the reflecting rotor
had been settable, the Bombe would not have had to run 26 times longer.
In the example, only a single closed loop was taken from a crib. In fact, a single closed
loop would have stopped the Turing Bombe with too many false alarms, and thus this
Bombe had more than three rotor sets, and was used with cribs that gave more than one
loop, with the loops connected to each other.
The Turing Bombe, as noted, simply looked for cases where some letter became some
other letter, and so on. But the cribs also included information about which letter
became which other letter. Despite the plugboard, there was a way to make use of this
information, and that way was the diagonal board.
Let us begin with the simple 3-letter loop used as an example above: N becomes E
becomes X becomes N.
Let us suppose that E was not modified by the plugboard, for ease of understanding,
and so we apply our voltage to the wire corresponding to E at the point corresponding
to where we encountered E in the plaintext and ciphertext.
On the other hand, X might have been affected by the plugboard. If so, E will become
some other letter, which will become either N or some other letter, which becomes E
again.
This means that X and N were switched by the plugboard, and so this N had better
become an X at the point N is expected. Otherwise, an impossible plugboard
arrangement is required, and so the apparent successful hit is a false alarm.
The diagonal board was used to cover all the possibilities of an inconsistency like this.
It was a square matrix of sockets, wired so that column P in the Q row was wired to
row P in the Q column, for every two different letters in addition to P and Q.
The 26 wires for any position in a crib were also connected to the row of the diagonal
board corresponding to the plaintext and/or ciphertext letter that was seen at that
position of the crib. Current going through the wire for that actual letter was not
connected anywhere, but current for a different letter was connected to the row for that
different letter being seen, at the position where the original letter would be actually
encountered.
This provided additional connections. Yet, if the voltage entered the setup at the correct
position, the closed circuit was not extended to other wires; so, if the voltage entered at
another position, the closed circuit still recieved no voltage.
Thus, the Bombe still worked as before, except that it automatically ignored many of
the false alarms for which it had previously stopped.
An additional device attached to the Turing Bombe to eliminate additional false alarms
performed the following function:
When not all the wires were live, if all the wires but one were live, the voltage was
redirected to that one wire.
Then, all the different letters of the crib were scanned, to ensure that no two letters in
the crib (including both its plaintext and ciphertext forms) which were different would
have had to have been brought to the same letter, instead of to different letters, by the
plugboard for the current bombe position to be valid.
Autoscritcher
For this device, a crib is required where, at several positions, the same plaintext letter
has become the same ciphertext letter.
A Bombe with sets of the three regular rotors only is used to find positions consistent
with this. As the letters can be displaced by the plugboard, all possible pairs of
plaintext and ciphertext letters are tried by external circuitry for each position of the
fast rotor. However, a very good crib is needed for there to be enough detectable
inconsistencies for such an approach to be useful; the article itself notes that the
description must still be incomplete.
Incidentally, I recently found that this page has a very good description of how the
Bombe worked as well.
Next
Chapter Start
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]
This machine was originally called the ECM Mark II within the predecessor of the
NSA that developed it. The ECM Mark I was a machine developed by Edward Hebern,
and the ECM Mark III was a machine that, like the Mark II, had irregular rotor
movement, but which achieved it by a simpler system. Edward Hebern was involved
with the development of both the ECM Mark I and the ECM Mark III, while the ECM
Mark II, our present subject, was developed entirely within the U.S. Government. Its
basic principles were originiated within the Army Security Agency, but its the ECM
Mark II itself, in its specific form, was developed within the U.S. Navy.
The basic principle of the SIGABA that made it so strong is the use of additional
rotors, rather than gears, to control the movement of the rotors used to encrypt a
message.
As this excellent design has, very recently, been declassified in its entirety, it has
become possible for you and I to examine and admire it.
The SIGABA contains fifteen rotors, ten of which are conventional 26-contact rotors,
and five of which are smaller rotors with only 10 contacts on each side. These rotors
are divided into three groups.
Five 26-contact rotors, called cipher rotors, encipher or decipher the message being
transmitted in the same way as the rotors in a regular Hebern rotor machine. Any of
them can move after a letter is enciphered; their motion is controlled by electrical
signals.
Another five 26-contact rotors are called control rotors. On the input side, the four
contacts (corresponding to the letters F, G, H, and I) get electricity. On the output side,
the contacts are wired together in nine bunches of various sizes, as follows:
1 B 4 FGH 7 PQRST
2 C 5 IJK 8 UVWXYZ
3 DE 6 LMNO 9 A
The five 10-contact rotors are called the index rotors. They are only set by hand before
starting to use the machine. Nine of their ten inputs are connected to the nine bunches
of contacts which take the output of the control rotors, and the numbers of the bunches
in the table above show which contact recieves the signal from that bunch. Their ten
outputs are connected together in five pairs, each of which supplies the signal which
controls the advance of the cipher rotors.
When using the machine, the ten 26-contact rotors were first set to their starting
positions, which were the ones marked by the letter O instead of the ones marked with
the letter A that one might expect, usually with the aid of an automatic feature in the
machine. It could also be done by hand, but if the user was not careful, one of the
control rotors, particularly one of the two on the outside, could be left in a halfway
position, preventing the cipher rotors from ever moving.
The index rotors, however, were set by hand. Setting them was in a sense easier, or at
least less problematical, and for each day there were three different settings for them,
for three different levels of security classification of the message being sent. The order
of the index rotors apparently was at one time changed each day, but during World War
II the procedure was changed to always leave these rotors in order.
The wiring of the index rotors (or at least a wiring used at one time with the index
rotors) is known, and is as follows:
Input
0 1 2 3 4 5 6 7 8 9
Rotor -------------------
1 7 5 9 1 4 8 2 6 3 0
2 3 8 1 0 5 9 2 7 6 4
3 4 0 8 6 1 5 3 2 9 7
4 3 9 8 0 5 2 6 1 7 4
5 6 4 9 7 1 3 5 2 8 0
These rotors are all wired by the interval method. In addition, it is always the interval -
3 that is duplicated (and therefore the interval +2 that is omitted). And furthermore, the
two wires with interval -3 both always start from two contacts which have exactly one
contact between them.
This means that they all belong to one class of the classes into which a program I wrote
to count the number of interval method wirings for rotors of even size divided the
possible wirings into. As it turns out, rotor wirings recorded for the 26-contact rotors of
machines Edward Hebern made for the U.S. Navy to test had the same structure, which
has led me to suspect that this may also have been true of the 26-contact rotors of the
SIGABA, no actual specimens of which (the wirings, not the rotors) have been
preserved. However, the actual wirings of two rotors for SIGCUM, a telecipher
machine, which were recovered by Frank Rowlett during tests of its security have
survived, and have recently been disclosed, and these rotors were not wired according
to the interval method. Since SIGCUM was manufactured by the same contractor as
SIGABA, and it was also contemporary with the later period of the use of SIGABA,
this seems to be more conclusive.
The keyboard on the SIGABA had a row of digits like the keyboard on a regular
typewriter. While the SIGABA didn't encipher messages containing digits, the keys for
the digits 1 through 5 were used, when the machine was switched to a setup mode, to
advance the control rotors. When sending a message, the operator first picked five
letters at random, which were sent with the message as an indicator. Then, starting
from the OOOOO position, using the 1 to 5 keys, the control rotors were moved to
spell out the five letter indicator, starting with the first control rotor (which the 1 key
moved). Although the mechanical gears that usually moved the control rotors were not
active during this setup mode, each time a number key was pressed, the cipher rotors
moved based on the electrical signal travelling through the control and index rotors in
the same way as during normal encipherment. Thus, the indicator specified a position
for the cipher rotors as well as for the control rotors, but the starting position of the
cipher rotors was, in effect, well encrypted.
When messages were enciphered, the space bar could be used on the keyboard, and
caused the letter Z to be enciphered; on the other hand, the Z key as well as the X key
both caused the letter X to be enciphered. Also, the machine inserted a space after
every five letters enciphered for ease of reading for transmission. For decryption, Z
printed as space, thus restoring the spaces in the original message.
In the postwar period, the CSP-889, as the SIGABA was known in the Navy, was
replaced by a modified version, the CSP-2900. This had some interesting differences.
Six, rather than four, inputs to the control rotors were live. These corresponded to the
letters D, E, F, G, H, and I. Since this meant that all five cipher rotors could move at
the same time, cipher rotors 2 and 4 were changed to move backwards when they
moved, so that if all the rotors moved, they still wouldn't all move in step.
The outputs of the control rotors were now gathered in ten bunches instead of nine, and
the largest connected together only four contacts, not six. Also, three control rotor
outputs were left unused, instead of none, as before. Since the number of discarded
outputs was less than six, it was still true that at least one rotor would always move.
0 UV 4 FGH 8 WXYZ
1 B 5 IJK 9 A
2 C 6 LMNO
3 DE 7 ST not connected: PQR
This diagram is modified to illustrate the newer form of the ECM Mark II:
Machines of the ECM Mark II type used for a communications link between the
President of the U.S. and the Prime Minister of the U.K., which was called "POTUS-
PRIME", were operated in a fashion that produced additional security. The five cipher
rotors were set by hand, and apparently so were the control rotors, and the settings for
the cipher and control rotors were taken from a list of thirty five-letter groups for use as
either of cipher rotor settings and control rotor settings, with a three-letter codeword
which was pronounceable and had error-correction properties, for each one. (The two
three-letter codewords were combined into a single six-letter group for transmission.)
Thus, the idea of increasing the SIGABA key length by using a ten-letter indicator was
indeed considered, and it was used, along with the other possible way of achieving
ultimate rotor security, a codebook for message indicators, where circumstances
warranted the extra effort.
This link was used during World War II, and the British were not allowed access to the
American cipher machines at their end at that time.
The SIGABA, or the Electric Code Machine Mark II, was developed before World
War II by people from both the U.S. Army and the U.S. Navy. The story of its
development is a somewhat complicated one. The basic idea of electrically-controlled
rotors was originated by W. F. Friedman, who implemented it in the original M-134
machine, which had five rotors that enciphered text, the motion of which was
controlled by a paper tape. A plugboard was included to vary which channel of the
paper tape controlled which rotor. Frank Rowlett then came up with what could be
considered the core concept of the SIGABA: the idea of using rotors to control the
rotors that enciphered text.
At the time, the U.S. Army had limited funding for the development of new cipher
machines, and thus Friedman and Rowlett embodied this new principle in an add-on
device, called the M-229 or SIGGOO, that connected to the M-134. The M-229 had
three rotors. A six-position switch controlled how these rotors moved (shown as a
plugboard with three plugs and sockets in the diagram). Five inputs to these three
rotors, having the role of the control rotors in the SIGABA, were live. The outputs
were connected together in two groups of five and three groups of four. Here is a
diagram of the combined M-134 and M-229:
Meanwhile, this new idea was conveyed to the cryptological department of the U.S.
Navy as well. Laurence F. Safford and Donald J. Seiler developed the Electric Code
Machine Mark II (Mark I was the Hebern rotor machine) which was essentially the
SIGABA in its final form there. For a period during this development, Army-Navy
collaboration was disrupted by other factors, but when channels were reopened, the
Army group recognized that the ECM Mark II was a superior embodiment of their
ideas, and were happy to accept it as a cipher machine for use by both services.
The source for most of the information on this page is the U.S.S. Pampanito web site,
which has an entry in my Links section.
Next
Chapter Start
Skip to Next Section
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]
Next
Skip to Next Section
Skip to Next Chapter
Chapter Start
Table of Contents
Home Page
[Next] [Up/Previous] [Index]
For enciphering, co-ordinate signals entered on the spindle side of a half-rotor with ten
positions. Essentially, it worked like two separate half-rotors with five inputs and
outputs: the odd contacts were wired one way to the five contact strips on the output
side, and the even contacts were wired another way.
shows how such a half rotor works: the five contact strips on the spindle side are shown
in yellow. Five wires in blue proceed to the rotor side; then these five wires are
connected in a random order to one group of five rotor contacts by green wires, and to
another group by purple wires.
The B-21 had pinwheels of sizes 17, 19, 21, and 23. These advanced one step for each
letter enciphered. An OR (not an XOR), between two pinwheels caused each half rotor
to move one step if the result was a 1.
The B-211, in addition to printing its output on a strip of paper, had two plugboards
with five plugs and five sockets to scramble the five outputs taken from the half rotors.
The arrangement of the B-211 is illustrated below:
The French military used a variation of the B-21 which had a second pair of half rotors.
The extra pair of half-rotors had fifteen rather than ten positions.
Next
Chapter Start
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]
The HC-9
The HC-9 is a handheld mechanical cipher machine used by the Swedish armed forces
during the postwar era.
It behaves as if it contained five pinwheels, of sizes 29, 31, 33, 34, and 35. Each
"pinwheel" advances one space for every letter enciphered, and their outputs are used
to select one of sixteen cipher alphabets as follows: four bits are formed from the five
bits presented by the five sequences by taking the XOR of each pair of adjacent bits.
This result is treated as a four-bit number. Thus, the XOR of the bits from the 29-bit
and 31-bit sequences controls displacing the list of alphabets by eight places.
But instead of pinwheels, the sequences are supplied by a punched card, which sits in
the device and whose large round holes are sensed by little metal fingers inside the
device.
Another replaceable card inside the device gives the sixteen alphabets in use. These
alphabets were all chosen to be reciprocal in practice for ease of use.
Next
Skip to Next Chapter
Chapter Start
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]
LACIDA
LACIDA, a rotor machine developed in Poland, uses conventional rotors, like a Hebern
machine. However, it is unusual in that its moving rotors come in three different sizes;
with 24, 31, and 35 contacts.
These rotors each move one step with every character enciphered, thus providing a
period of 24*31*35, or characters.
The input alphabet consists of the alphabet with the letters Q and V omitted; the output
alphabet uses all the letters, and all the digits except zero.
The conversion between 24 contacts and 31 contacts, and the conversion between 31
contacts and 35 contacts, are claimed, in the accounts I have read, to be accomplished
by stators: rotors that don't move during encipherment, but which can be set initially to
any position. (The rotors and stators are marked with the alphabet from A to Z, and at
most 26 initial positions are used with any rotor.) In addition, an extra 35 contact rotor
is used as a stator on exit. Originally, I thought that rather odd, as it seemed to require
rotors made of rubber, but because mechanically, the rotors are similar to those of the
Enigma, in that they contain one set of spring-loaded contacts, and a flange that serves
as a gear, upon further reflection I realized that the conversion stators were possible,
and would probably be achieved by placing the teeth on their gear flange at somewhat
irregular positions.
Next
Skip to Next Chapter
Chapter Start
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]
The Hill Cipher and the Bazeries Cylinder are the unusual members of this group in that they deal with several
characters at once.
Putting them aside, the other designs reflect the relative difficulty of incorporating any kind of memory in a simple
electrical or mechanical device.
Rotor machine usage illustrates an elaboration of the concept of a key to a cipher system. In addition to a general
method of enciphering, cipher systems require a key that is easily changed. This allows many messages to be sent in
a given system, while the number of messages enciphered in exactly the same way is kept limited by varying the key.
In the case of rotor machines, the key is split up into three parts, which are treated differently.
There are the rotor wirings. These are difficult to change, but they are worth keeping secret, and do need to be varied
periodically.
The order of rotors in the machine, and other settings depending on the type of the machine (index rotor settings in
the SIGABA, plugboard and alphabet ring settings in the Enigma) are changed perhaps each day, on the basis of a list
of daily keys which is distributed once a month.
The initial setting of rotors for a given message is also a part of the key. This part, however, is sent with the message,
perhaps in some way encrypted, as it is chosen randomly for each message by the operator of the rotor machine. (It is
often termed a message indicator, which is prefixed to a message along with a system indicator which identifies the
particular type of cipher used or the particular family of keys used.)
This same kind of multi-level key structure can be found in modern block ciphers, despite the fact that they operate
on very different principles. The contents of S-boxes can be thought of as at least potentially subject to change, and
therefore as corresponding to rotor wirings. The key proper is secret, and must be somehow distributed like a rotor
order. For many block cipher modes, an initialization vector is required, which functions like a message indicator.
Thus, rotor ciphers illustrate how care must be taken, for a system that will be used widely, to limit the number of
messages that will be sent with the same key, and to vary as much of the key as often as is feasible. So, the parts of
the key that are harder to vary are varied less often.
The different strengths of the different types of rotor cipher also teach us something about good cipher design.
The fact that the SIGABA stands head and shoulders above the other devices here illustrates the importance of
allowing elements in a cipher design to have the power to scramble the plaintext, and yet having these elements do so
in an indirect way, so that even with matching plaintext and ciphertext, their values are hard to determine.
The Enigma and the Bazeries cylinder shared a very serious weakness; since no letter can represent itself, it is easy to
align probable plaintext with enciphered messages. One apparently simple way to eliminate this weakness would be
to use columnar transposition on the ciphertext produced by such a device.
While that would create a very strong cipher, since the ciphertext produced by a Bazeries cylinder, let alone an
Enigma, is so scrambled that it would seem there would be little in the way of clues for breaking the transposition
cipher, such methods do not tend to be often used. That is because a pencil and paper transposition cipher is tedious
to perform, thus negating the advantage of using a machine for cryptography in making encryption quick and
efficient. Also, encrypted messages are often sent over the radio in Morse code. The problems caused by garbled
letters are magnified by a cipher of this type. However, as long as cipher letters are transmitted in five-letter groups,
and the total number of letters in a message is sent with every message, a garbled letter in the ciphertext would still
imply only one garbled letter in the plaintext, so such a method is not completely impractical.
For two of the systems covered in this chapter, an interesting question arises for the first time. For the Bazeries
cylinder, instead of a random arrangement of letters on the disks, a Latin square is used to improve resistance to the
de Viaris attack. For rotor machines, rotors wired according to the interval method may be used, to maximize the
variety in the alphabets produced by each rotor as it rotates.
The question arises: is good better than random? One way to look at it is to view any constraints on permutations as
part of the system of a cipher, part of what is needed for it to work properly; and to compare the cipher in that form to
one without the constraint, to evaluate whether a larger choice of keys, or the possibility of a design weakness
without the constraint, is a more serious problem.
While these examples seem to be ones in which the use of an optimum sequence is justified, there can be cases where
the reverse is true.
Sometimes, fairly poor sequences are used for paper-and-pencil digraph encipherment tables. Instead of an
arrangement of all 676 digraphs, one winds up performing an encipherment which is equivalent to reversing every
pair of letters, and then alternating between two cipher alphabets.
Obviously, a random table of digraphs is much better than this. One might not be sacrificing much if one used a table
that was reciprocal, since otherwise one would need two tables, one for enciphering and one for deciphering.
The advantage of a random table is that changing one cipher letter almost always changes both cipher letters.
It is possible to use a special form of table where changing one cipher letter is guaranteed to change both cipher
letters:
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
A aa xe bq wx hn qs my cm jn td zc yr di sl vw nz gu ck ep lo fj kf pb ut rg iv
B qc bb xf cr ax io rt ny dn ko ue zd ys ej tm wa oz hv dl fq mp gk lg vu sh jw
C mh rd cc xg ds bx jp su oy eo lp vf ze yt fk un ab pz iw em gr nq hl wv ti ka
D im ni se dd xh et cx kq tv py fp mq wg zf yu gl vo bc qz ja fn hs or aw uj lb
E ps jn oj tf ee xi fu dx lr uw qy gq nr ah zg yv hm wp cd rz kb go it ba vk mc
F ju qt ko pk ug ff xj gv ex ms va ry hr os bi zh yw in aq de sz lc hp cb wl nd
G iq kv ru lp ql vh gg xk hw fx nt wb sy is pt cj zi ya jo br ef tz md dc am oe
H ne jr lw sv mq rm wi hh xl ia gx ou ac ty jt qu dk zj yb kp cs fg uz ed bn pf
I vz of ks ma tw nr sn aj ii xm jb hx pv bd uy ku rv el zk yc lq dt gh fe co qg
J hi wz pg lt nb ua os to bk jj xn kc ix qw ce vy lv sw fm zl yd mr eu gf dp rh
K fv ij az qh mu oc vb pt up cl kk xo ld jx ra df wy mw ta gn zm ye ns hg eq si
L ot gw jk bz ri nv pd wc qu vq dm ll xp me kx sb eg ay na ub ho zn yf ih fr tj
M yg pu ha kl cz sj ow qe ad rv wr en mm xq nf lx tc fh by ob vc ip zo ji gs uk
N zp yh qv ib lm dz tk pa rf be sw as fo nn xr og mx ud gi cy pc wd jq kj ht vl
O kr zq yi rw jc mn ez ul qb sg cf ta bt gp oo xs ph nx ve hj dy qd ae lk iu wm
P bf ls zr yj sa kd no fz vm rc th dg ub cu hq pp xt qi ox wf ik ey re ml jv an
Q sf cg mt zs yk tb le op gz wn sd ui eh vc dv ir qq xu rj px ag jl fy nm kw bo
R gy tg dh nu zt yl uc mf pq hz ao te vj fi wd ew js rr xv sk qx bh km on la cp
S ln hy uh ei ov zu ym vd ng qr iz bp uf wk gj ae fa kt ss xw tl rx ci po mb dq
T dj mo iy vi fj pw zv yn we oh rs jz cq vg al hk bf gb lu tt xa um sx qp nc er
U tx ek np jy wj gk qa zw yo af pi st kz dr wh bm il cg hc mv uu xb vn rq od fs
V wo ux fl oq ky ak hl rb za yp bg qj tu lz es ai cn jm dh id nw vv xc sr pe gt
W xd ap vx gm pr ly bl im sc zb yq ch rk uv mz ft bj do kn ei je oa ww ts qf hu
X eb fc gd he if jg kh li mj nk ol pm qn ro sp tq ur vs wt au bv cw da xx yy zz
Y rl sm tn uo vp wq ar bs ct du ev fw ga hb ic jd ke lf mg nh oi pj qk yz zx xy
Z ck dl em fn go hp iq jr ks lt mu nv ow pa qb rc sd te uf vg wh ai bj zy xz yx
The digraphs in this table form a Graeco-Latin square of order 26. Something that Euler conjectured was impossible.
A Graeco-Latin square of order 6 is impossible. For larger numbers of the form 4n+2 for some integer n, a special
construction is required to create Graeco-Latin squares, which was only discovered in 1960. The square shown above
is, of course, constructed according to the method given in the original paper by Bose, Shirikande, and Parker.
While the Graeco-Latin square above could be dressed up to make it look more random, by applying a simple letter
substitution to its contents (three letters are special, but they don't have to be x, y, and z) and rearranging rows and
columns, it would seem that choosing such a square, instead of a random one, for a digraphic substitution would not
be a sensible idea.
However, as a mixing step, perhaps even an unkeyed mixing step, inside a block cipher with a long key in other
areas, Graeco-Latin squares may still be useful. This, in fact, is the subject of a patent for a technique called Balanced
Block Mixing, held by Terry Ritter. Also note that odd order, or order 4n, both allow a much larger number of
Graeco-Latin squares than order 4n+2.
Next, we can look at some elaborate rotor machine designs that combine the principles and original ideas of the rotor
machine designs we have examined in this chapter.
Next
Chapter Start
Table of Contents
Main Page
[Next] [Up/Previous] [Index]
The heart of this device is two pairs of two half rotors, each pair with one with five inputs and ten outputs and
one with five inputs and fifteen outputs, as in the improved French version of the B-211.
The coordinates for each letter of the alphabet are varied by preceding and following that part of the device by
three conventional rotors. Almost conventional, that is, since these rotors all have two duplicate concentric sets
of wiring, so that each letter is connected to its home in both row and column. Note that since these rotors have
26 positions, one letter bypasses the B-21 -like part of the device.
And to top it all off, these six rotors are advanced by means of a SIGABA-like setup. Obviously too bulky and
expensive to build out of real electromagnetic components, and yet fascinating.
Here is an example of an interesting rotor machine design using some of the ideas suggested by the design of the
Uhr Box:
The arrangement for rotor motion is of interest. With each letter enciphered, a pinwheel is used to select whether
rotor 2 or rotor 4 moves. Rotor 3 moves whenever a notch on either of those rotors is advanced, and then it
advances rotor 5, which advances rotor 1, normally. Given multinotched rotors, this produces a fairly irregular
movement with only one pinwheel.
However, the main unusual feature of the design is the way the rotors are wired.
As may not be readily apparent from the diagram, unless you are familiar with the conventions I've used in
previous diagrams in this chapter, the rotors have two concentric rings of 26 contacts on each side.
● The 26 contacts in the outer ring on one side are connected in a jumbled fashion to the 26 contacts in the
outer ring on the other side.
● The 26 contacts in the inner rings are divided into 13 odd contacts and 13 even contacts. The 13 odd
contacts in the inner ring on one side are connected in a jumbled fashion to the 13 odd contacts in the
inner ring on the other side, and the same applies to the 13 even contacts on both sides.
The middle rotor connects the 26 contacts in the outer ring on one side to the 13 odd contacts of the inner rings
on both sides, and the 26 contacts in the outer ring on the other side to the 13 even contacts of the inner rings on
both sides.
Plaintext enters through the contacts on the outer ring on the left side of the rotor stack, and ciphertext leaves
through the contacts on the outer ring on the right side.
On each side of the rotor stack, a plugboard controls the reflection of the odd contacts of the inner ring to the
even contacts of the inner ring.
When a letter is enciphered, its signal first passes through the outer rings of rotors 1 and 2 in a normal rotor
machine fashion.
Then, rotor 3 sends the signal through the inner rings, either of rotors 2 and 1 or of rotors 4 and 5, through their
odd (or even) contacts, to be reflected back through the even (or odd) contacts of rotors 1 and 2 or rotors 5 and 4.
And then rotor 3 takes the reflected signal, and sends it through the outer rings of rotors 4 and 5 to continue in a
normal rotor machine fashion.
There is some potential for additional flexibility in the design; for example, it would still work if the two
plugboards were cross-wired (but not if they were merged into one), and the specially-wired rotor used as rotor 3
does not absolutely have to be in the central position.
In the section on the Enigma, I noted that if one shorted the indicator lights with diodes, it would be possible to
attach the rotors to the lamps instead of the keys. This would allow one to design an Enigma in which the rotors
could be switched from being connected to the keys or the lamps, so that a plugboard could be placed between
the keys and the lamps. In this way, enciphering and deciphering would both be possible, but a letter could
represent itself.
This diagram illustrates how this principle could be taken to its ultimate conclusion. On the left hand side of the
keyboard and lampboard, a letter is being shown as being enciphered, and on the right hand side a letter is shown
as being deciphered. Note how the polarity needs to be taken into account in enciphering mode, so that the
diodes across the lamps do not prevent normal Enigma-like operation.
Here are a couple of other attempts to construct elaborate rotor machines combining principles we've seen in
previous examples. The first also uses rotors with two concentric rings of 26 contacts, but this time the two sets
of contacts are wired differently, not in parallel.
The cipher rotors act a bit like those in the Enigma; the plaintext letter causes electricity to go from left to right,
and then the signal returns, going right to left, to produce the ciphertext letter. However, the returning signal uses
the second set of contacts, and so the cipher is not reciprocal.
The general structure of the machine is like the SIGABA; but the extra set of contacts in the control rotors is
used to provide an ever-changing "reflecting rotor" for the cipher rotors.
The following (originally done for use as a background, with different colors) illustrates a double-sized
SIGABA. However, five of the signals controlling the ten cipher rotors are created somewhat differently, using a
method from a rotor-based telecipher machine, the SIGCUM, which we will encounter later.
The five new control signals have some poor properties, but they nicely complement the SIGABA-type ones,
since they have an exact 50% probability of being active.
Changing the wiring a bit (and making more rotors electrically controlled) gives us this:
While it has the drawback that the SIGABA-style superior control rotors may occasionally remain immobile,
because only the SIGCUM-style ones have unused output contacts, this design causes five of the ten cipher
rotors to be controlled by a set of control rotors (the SIGABA-style ones) that are themselves controlled by
control rotors (the SIGCUM-style ones) also used to directly control the other five cipher rotors. Not explicit in
the diagram is a timing issue requiring a more basic redesign; in the original SIGABA, the cipher rotors move in
response to the control rotor position at one time, and the control rotors advance at another time, requiring two
clock phases; as the SIGABA-style control rotors can't move simultaneously with either the SIGCUM-style
control rotors or with the cipher rotors, we now need three clock phases.
which is simply how I, and perhaps others, imagined the SIGABA might have worked after reading a brief
description of it by David Kahn from about 1980, and seeing the first pictures of it that were released some years
later. Since the actual design didn't involve the five ten-contact rotors moving, this design would have been even
more expensive to build.
Next
Chapter Start
Skip to Next Chapter
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]
Child's Play
The M-134 and the M-229, as described in the section on the SIGABA rotor machine,
have suggested to me the idea of a very flexible style of rotor machine, one which
could even be used, if made from plastic, as an educational children's toy!
As a toy, the heart of it would be three rotor machines of the type diagrammmed below.
These machines consist of a bank of five rotors. At each end, there is a plugboard like
that of the Enigma, but using standard phono plugs. Beyond the plugboard, on each
side, there is a 26-contact connector used to connect a keyboard and a lampboard, only
one of each being included in the set. The keyboard would also have a 26-contact
connector; plugging the lampboard into that connector would allow the Enigma to be
simulated.
The machine would use rotors that have plastic slip rings on the outside with bumps to
control rotor motion, signalling a carry from one rotor to the other. The rotors and the
rings would both be reversible.
All the slip rings would have only one bump on one side. They would have multiple
bumps on the other side, and there they would differ.
● Five identical slip rings, with three bumps on the other side. (yellow)
● Five slip rings, with five bumps on the other side, each one having a different
arrangement, and numbered from 1 to 5. (green)
● Five identical slip rings, with seven bumps on the other side. (blue)
As noted, the plugboards on the device use phono plugs, and work like that on the
Enigma, so that straight-through wiring is the default when no plugs are inserted.
The cables provided with the machine will have the forms illustrated in this diagram:
Although it may not be obvious, the first cable crosses over the two parts of the
contact. The complement of cables would be:
● 52 cables with phono plugs at both ends, with crossover wiring like those of the
Enigma. (grey)
● 52 cables with phono plugs at both ends, and parallel wiring. These will
primarily be used when connecting different machines together. (red)
● 93 cables with a phono plug at one end, accompanied by a socket for a banana
plug, and a stackable banana plug (like the ones on cables made by Pomona
Electronics) on the other end. These allow arbitrary permutations to be set up.
93 is 78 plus 18, so that one set is provided for each machine, plus six extra for
the wheel advance section, with its smaller plugboard using the same connector.
The kit would include plans for many projects, starting with a Hebern rotor machine,
going on to an Engima, and then the SIGABA, and even a small Turing bombe for use
against a two-rotor Enigma. (Maybe that would require some additional pieces not
mentioned here. And, of course, I'd have to come up with a way to manufacture an
economical diagonal board.)
U. S. Patent 6097812 has recently been granted on the design used in the M-138 (and
M-138-T2 and M-138-A) cipher machine, and this design combines the M-138 with
the M-228 and M-229, and hence is likely to be affected by this patent.
Next
Skip to Next Chapter
Chapter Start
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]
The SIGABA achieved very irregular rotor movement by a uniquely strong method, using the changing jumbled
maze of wires in a part equivalent to a complete conventional rotor machine to supply electrical signals
controlling the seemingly random stepping of rotors in what amounted to a second conventional rotor machine for
enciphering the letters of the text.
The Swiss NEMA cipher machine achieved irregular rotor movement by accompanying each rotor with an
adjacent rotating ring, which had notches on it that inhibited that rotor's movement. The rings always moved,
except for two rings that were sometimes prevented from moving by a second set of notches on the first rotor's
ring.
Also, U. S. Patent 4,143,978, filed on May 4, 1938, but only issued on March 13, 1979, with inventors Bern
Anderson and Donald J. Seiler, describes a machine which made use of five pinwheels with 25 positions to control
the five rotors with 26 positions. This patent appears to be for the ECM Mark I, which was the design which
preceded the ECM Mark II, also known as the SIGABA.
And, of course, the Enigma A and Enigma B had a very irregular rotor movement at the dawn of the rotor era, by
having each rotor controlled by its own cam, and each cam having a number of positions relatively prime to all the
others. Had the cams been resettable pinwheels, the design would have been quite impressive indeed.
Descriptions of a later rotor machine imply that it achieved irregular rotor stepping based on a principle we will
see later in the descriptions of the Siemens T-52d and T-52e Geheimschreiber telecipher machines:
Given three or more pinwheels or cams, each of which produces a sequence of binary bits as it rotates, bits from
each pinwheel (perhaps sensed at a different position on the cam than the bits used for the purpose of
encipherment) could be used to control the movement of other pinwheels.
Although this seems like a compromise of the potential security of a rotor machine, using the rotors to step
themselves instead of having a separate set of pinwheels or cams to control stepping has the major advantage of
making it simpler to set up the machine for an encipherment.
But if one tries to do this in the simplest way, just using one pinwheel to cause another to step, what is there to
prevent all the pinwheels from coming to a position where they are producing a zero value for their stepping
output, so that they will all stay in one position thereafter?
The Siemens Gehemschreiber prevented this by a scheme that looked something like this, illustrated with five
cams labelled A, B, C, D, and E:
A steps if D or (not E)
B steps if E or (not A)
C steps if A or (not B)
D steps if B or (not C)
E steps if C or (not D)
In this illustration, the output from each cam forces the stepping of one other cam, and the complement of that
output forces the stepping of a third cam. This ensures that some stepping will always take place.
In this case, as the bits from the cams are also used to encipher a binary signal by being XORed with it, active and
inactive positions on the cams need to be close to equal in number. Since each cam steps based on the OR of two
inputs, this means that the cams step about 3/4 of the time.
Since outputs from those cams are used for encipherment as well, they should step almost all the time. While
occasional failures to step can make the bit sequence irregular, bits that do not change also allow plaintext patterns
to be visible.
The Lorenz Schlusselzusatz, which used two sets of five pinwheels, one which always moved, and another set
which moved, or remained still, in unison, half the time either way, based on a more conventional scheme
involving control from two other pinwheels, was cryptanalyzed with the aid of the early electronic calculating
device COLOSSUS partly because the patterns of the constantly moving pinwheels were visible when the other
ones did not move. (The fact that 5-level teleprinter code is designed so that 0 bits strongly outnumber 1 bits, to
prevent mechanical wear and tear and to make paper tape less fragile, also was an important factor.)
In a rotor machine, however, moving even one rotor completely scrambles the cipher alphabet it provides. If each
rotor moved with probability 1/2, then each new alphabet would be from the largest and most uncertain possible
set of alternatives.
Could the principle used in the T-52 be modified to produce movement with probability 1/2, and yet still ensure
continual movement which will not cease to involve any of the rotors?
The first scheme I came up with to do this is illustrated by the following diagram:
It may be easier to understand with the diagram shown below and to the right:
Using seven rotors in this example, I first start with four live inputs,
which are turned into eight outputs having a 50-50 chance of being
live by being redirected by the active teeth on four of the rotors.
This is shown in the diagrams above and to the right by a red wire,
carrying a live input from the power supply, being switched to four of
eight wires by four switches, each controlled by a rotor. In the
diagram to the right, this is the first layer of the circuit, shown in the
leftmost column.
Then, six of these eight signals, in pairs from different rotors, are
swapped (or not) under the control of three other rotors.
The seven output signals then control the stepping of the rotors.
Again, as the colors help to make visible, each signal is directed to a
rotor that had no part in its creation, in either the first or the second
layers.
Dark Blue: Two signals controlled by rotors 3 and 4 are then swapped
under the control of rotor 5. The two resulting signals control the
movement of rotors 1 and 6.
Purple: Two signals controlled by rotors 1 and 3 are then swapped under the control of rotor 7. The two resulting
signals control the movement of rotors 2 and 5.
Gray: Two signals controlled by rotors 2 and 4 then have one signal selected from them under the control of rotor
1. The resulting signal controls the movement of rotor 3.
This basic principle, with little change, would work with any odd number of rotors, starting with five.
The specific arrangement in the diagrams shown above was selected to minimize wire crossings in the original
(horizontal) diagram, so that it would be as legible as possible, and, with the rotors labelled in order from left to
right as A, B, C, D, E, F, and G is:
where the control signal different from the others is the one stepping rotor C.
Since we start with eight signals, four of which are active, and swap them in pairs, only in one case selecting only
one of two signals to use, half the time four rotors will advance, and the other half of the time three rotors will
advance.
With an even number of rotors, of course, the same principle could be applied even more simply, without the need
for one control signal to be different from the others.
But many other arrangements are also possible. An arrangement based on a slightly different principle is shown
here:
Here, each rotor is controlled by the OR of the AND of two independent inputs, so, based on each rotor having
half of its teeth present and half of them absent, causing each signal and its complement to be active half the time,
the chance of any one rotor moving on average is 7/16 rather than 1/2.
We start by creating seven signals. To ensure that at least one rotor will always move, two of them are the signal
from one rotor and its complement; the other five are the signals from five other rotors.
Then, we change these seven signals into fourteen signals, by switching them to one of two destinations, and the
output from each of the seven rotors is used to perform one such switch.
Finally, the wired-OR of two of these signals controls one rotor that had no direct part in creating it.
Here, from one to six rotors will always move, creating more possibilities for the next rotor position. However, as
we will see at the start of the following chapter, a 3 out of 7 code contains 35 entries, so with seven rotors rather
than five, having only 3 or 4 rotors move each time already creates more than twice as many possibilities as are
needed.
The actual arrangement in the diagram shown, again chosen for clarity, with the rotors labelled as A, B, C, D, E,
F, and G from left to right, is:
While these arrangements will certainly produce rotor movements that seem jumbled and unpredictable, it is not
immediately clear how long the period of such rotor motions might be; it might be only a few times larger than the
number of positions on a rotor.
Here is an example of a slightly more complicated setup, based on the same general principles.
Essentially, the wiring is the same as the first example, (although the ordering of the connections has been
changed slightly, as indicated by the reversal of the colors green and blue in one portion of the diagram) but in
addition, one signal is created using the scheme in the second example, and a switch controlled by rotor 4
determines whether that signal, shown in dark green, or the normal signal following the pattern of the first
example, shown in purple, is fed to rotor 5.
The first three sections show the switches which operate as in the first example.
Section 1 shows the four switches which, given the live signal as input, produce eight outputs, four of which are
active.
Section 2 shows six switches, wired so as to swap three pairs (shown by blue, green, and purple wires) of signals
from the first four switches.
Section 3 shows one switch, which selects between the two remaining signals from the first four switches to
provide the seventh output signal.
The next two sections show the new wiring which creates an alternate signal that can be used to step rotor 5,
following the principle shown in the second example.
Section 4 shows two switches, fed the live input, which produce two outputs, each of which may be active or not.
Section 5 shows two switches, fed those two outputs, producing two outputs which are only have as likely to be
active, and which are then joined by a wired-OR.
Section 6 shows one switch, which selects between the output from section 5 or one of the outputs from section 2.
Again, labelling the rotors from left to right as the letters A through G, the logic of the wiring in the diagram is
equivalent to:
Note that the signal controlling the stepping of rotor E is a function of whether an active or inactive tooth position
is found on all six other rotors.
One could even use, with a suitable rearrangement of rotor assignments in one case, the complete wiring
arrangements of both the first and second examples, with their outputs connected together in a wired-OR, and a
single switch controlling whether the live input goes to the first or second circuit. However, even if the first or
second examples would prove too simple, such a drastic remedy should not be required. Instead, the example
above should be sufficiently complex to correct the problem, because although only the stepping of rotor 5 (or E)
is made more complex in this example, it in turn affects the stepping of all the other rotors.
Other arrangements, based on the more conventional scheme of moving rotors like the wheels on an odometer,
which guarantees the maximum possible period, could be produced which also result in a fairly irregular
movement of the rotors.
Incidentally, before proceeding, it is very important to clarify the difference between the situation which I have
denoted in my schematic diagrams by and the situation which I denote by in a diagram. In the first
case, a tooth on one rotor causes another rotor to move only once, when the first rotor moves into the position
distinguished by that tooth. In the second case, a tooth on one pinwheel, or cam, or even a rotor, causes the next
one to move with the encipherment of each letter for as long as the first pinwheel remains in the position
associated with that tooth.
While the first type of movement is usually accomplished mechanically, the control rotors of the SIGABA and the
rotors of the M-228 and M-229 moved this way under electrical control. The second type of movement seems like
an obvious consequence of electrical control: a wheel that is in different positions turns a switch on and off
depending on what position it is in. So how can the first type of movement also be electrical?
This diagram illustrates the difference between the arrangements required for the two types of motion. The large
teeth shown in green correspond to the 26 normal positions of the rotor, where a tooth may be either present or
absent. The small teeth shown in red are located between rotor positions, so that a tooth, if present, will move
across the sensing position as the rotor advances from one position to the next.
For the first type of motion, pulses occur when the rotor that is their source is moving, and so it is reasonable that
another rotor would move when a pulse of electricity is switched on. Making a rotor move only one step per pulse
seems like only a small mechanical detail.
For the second type of motion, instead of an elaborate approach involving storing the
signals sensed from the rotors in a buffer, what is necessary is, first of all, that the
live inputs to the circuit are actually timing pulses, and, so that the rotors will not
move while their positions are being sensed, rotors should move just after the
trailing edge of a pulse. This can be achieved by having the pulse go through a
solenoid, pulling a lever back which is then restored to its original position by a
spring after the pulse ends, with a rachet mechanism causing the lever to advance the
rotor it controls only on its return journey: this is a very common and standard
mechanical arrangement, illustrated in the diagram at left. Since the device also
supplies a gentle push to the sawtooth gear when moving in the "wrong" direction, a
conventional ratchet mechanism, which is not shown in the illustration, is also
required to keep that gear moving only one way (although in some cases, friction
may be sufficient).
For the other case, the same mechanical arrangement could be used, although in that case, having the rotor
advance on the leading edge of the pulse would be appropriate, as it would avoid unnecessary delay. This would
involve reversing the positions of the electromagnet and the spring in the diagram above, and in that case, the
spring would not have to be as strong, since it would only return the mechanism to position instead of also having
to push on the gear. A similar mechanism, rather than a small motor, is likely to be found in those quartz clocks
and quartz watches that have hands instead of a numeric display.
Now that this is clarified, let us examine a more complicated design based on the first type of rotor motion.
Instead of having just one notch or tooth on a rotor, any number of teeth that is relatively prime to the number of
positions on the rotor, if used in an odometer-style arrangement, would still produce a maximal period, since when
one rotor returns to its original position, the rotor it advances will be in a spot from which it will only return to its
original position at the same time that the rotor preceding it returns to its original position after being advanced 26
times if it is a 26-position rotor, even if it has also passed through its original positions at different times several
times before then.
Another thing that would not interfere with a maximum period would be for a rotor participating in such an
arrangement to also be advanced any number of times for each revolution of a rotor which preceded the rotor
directly controlling it. All such advances would ultimately cancel out, being a multiple of 26 or other rotor size,
over a full revolution of the rotor immediately preceding the rotor.
One important thing, to avoid problems with a mechanical version of this design, and to ensure that maximum
period is achieved, is that the teeth used to advance a later rotor must never be in the same position as the teeth
used to advance the next rotor.
Of course, to achieve both a guaranteed long period, and a more irregular sequence of motions, one could combine
both types of rotor motion, the first type, or transition-driven advance, and the second type, or state-driven
advance, in a single design.
Thus, we might have two groups of rotors, ABCDE and GHIJK, which are connected for state-driven advance,
and in addition, rotor E might drive rotor F, and rotor F might drive rotor G, using transition-driven advance.
Is it possible to combine a guarantee of long period with irregular rotor movement from the same source?
Obviously, one could use five cams to produce an irregular motion, and another five cams to produce motion with
a period equal to the product of their lengths. But can things be arranged so that the period is guaranteed to reflect
all the items used, and yet the motion is irregular as well? Already, we've seen in my example of a transition-
driven design with extra further forward carries one way to do this, but while the period is guaranteed, the motion
is only irregular to a limited extent.
Would the SIGABA have a guaranteed period of 26 to the tenth power if it were modified as shown in this
diagram:
Here, all ten of the rotors are shown as being advanced by a conventional rotor mechanism, in addition to the
cipher rotors being advanced by the unique control signals of the SIGABA. Instead of showing an OR gate
controlling input to the rotor stepping mechanism, two separate symbols for rotor advance are shown, one behind
the other. This indicates that, to ensure maximum period, I think it would be necessary to use different clock
phases for the two types of rotor advance, so that it would be possible, if both systems of rotor advance would
cause a rotor to advance, for that rotor to step twice. However, when one rotor advances due to a control signal, it
would also have to cause conventional carries. But this separation of phases would then occur without (a certain
kind of) special effort, since the control rotors cannot be moving when the cipher rotors are moving in response to
the control signals which have passed through their wiring.
One way that it seems obvious it is safe to combine transition-driven and state-driven rotor advance would be
through something like this:
Here, superimposed on a conventional transition-driven odometer-like rotor advance, earlier rotors are also
driving later rotors, further down the chain, but based on their state, not on transitions. Again, it seems that over a
full cycle of transition-driven advances, the extra state-driven advances should cancel out, not affecting the overall
period, even if they provide additional movement in the interim.
Next
Chapter Start
Table of Contents
Main Page
This page is about a dark and mysterious subject. (Or, more
accurately, and for fairness' sake, a subject with a dark and mysterious
reputation.) A subject that is fascinating both for the air of mystery
that has surrounded it, and because of the complexities and intricacies
which are unavoidably part of its subject matter.
A Cryptographic Compendium
This series of pages has information about a large number of cipher systems. So far, the
coverage of cryptanalysis is quite limited, though.
This site now contains a very useful table of powers of integers that uses frames.
Although there is no space for an archived version of the entire site, there is one, which
may not be fully up to date at any given time, at this location.
I have many interests, such as old science-fiction TV shows, and easy listening music
from Tin Pan Alley.
Items covering a number of other topics as well are at the following location:
http://members.xoom.com/quadibloc/index.html
At that site are charts for some methods of storing Chinese characters. Here in this site,
you can find a space habitat design, a discussion about going to Mars, a tall building
design, a page about signal flag systems as used by ships, a map projection, several
topics concerning mathematics: (an explanation of the mathematical notion of infinity,
a discussion of Gödel's proof and the halting problem, an explanation of two famous
equations, a diagram of the rotations of a dodecahedron, a page about pentagonal
tilings, a page about Archimedian solids, a little page about the fourth dimension), an
attempt to explain the Einstein-Podolsky-Rosen experiments, and a discussion of the
Eldredge-Gould theory of punctuated equilibria some color charts, an example of a
computer architecture, a discussion of the musical scale, a couple of comments about
chess, and three pages about calendars: (perpetual calendars for the Gregorian calendar
which show not only the day of the week, but also the position of the day in the
Chinese sexagesimal cycle of days, a luni-solar calendar, and a simplified calendar
proposal), and, finally, a page containing some handy unit conversions.
Links to Other Sites Other Topics
Needless to say, any trademarks referenced are the property of their respective owners,
and are used here only for purposes of identification.
As this series of web pages contains some ideas and speculations about how to design
and implement ciphers, readers are notified that I am not engaging in providing
professional advice in these pages, and are advised to seek the direct advice of a
competent professional before embarking on projects using cryptography.
It had twelve pinwheels, all of which could have all their pins set by the user. Ten of
these pinwheels formed two groups of five, and one wheel from each group inverted its
corresponding plaintext bit when a pin was active on it.
The wheels of the first group had sizes 41, 31, 29, 26, and 23. Those of the second
group had sizes 43, 47, 51, 53, and 59.
Two additional wheels were of size 37 and 61. The wheels of the first group, and the
wheel with 61 positions, advanced one position with every letter enciphered. When the
current pin on the 61-position wheel was active, the wheel with 37 positions advanced
one space. When the current pin on the 37-position wheel was active, then the wheels
of the second group advanced one space.
Although the SZ-40 appears to be a simple design, and a very similar design proposed
by Col. Parker Hitt, but without the feature that the stepping of five wheels was
irregular, was shown to be insecure, the British found breaking SZ-40 messages to be a
more difficult problem than breaking Enigma messages. Some cribs were available that
helped them to break into the system; part of the difficulty seems to have come from
the limited availability of resources, and another part from the lack of captured
equipment and tables: for example, the list giving numbers representing wheel settings
was never captured, while the bigram tables for the Enigma were.
HEATH ROBINSON, named after a British cartoonist who, like Rube Goldberg in the
U.S., was famous for his drawings of elaborate contraptions (although the styles of the
two artists were very different), worked by comparing the holes punched in two paper
tapes, one containing an intercepted message, and one containing a reproduction of part
of the sequence of bits the pinwheels of an SZ-40 might be expected to generate. The
tapes were padded with nulls to make them of relatively-prime length, and HEATH
ROBINSON indicated at what point in the motions of both tapes a correlation between
the two was found. This required the two tapes to move synchronously, and so the
sprocket holes had to be used, which limited the speed at which the tapes could move.
The paper by Carter sheds considerable light on the cryptanalytic principles behind
COLOSSUS. The 5-level code used for teletypewriters was designed to minimize
mechanical wear and tear; hence, the codes for the most frequent letters E and T, as
well as the code for the space, consisted of a single 1 bit and four zeroes. This meant
that zeroes predominated in the plaintext, and in addition, it meant that for any two
characters in succession, corresponding bits in them were more likely than not to be the
same. (Of course, this characteristic of the plaintext was weaker than the higher
frequency of zeroes.)
Since one set of pinwheels in the SZ-40 did not advance with every character
enciphered, this meant that when two succeeding cipher characters had a corresponding
bit that changed, then it was likelier than not that the fast pinwheel for that bit was at a
point where two adjacent pins were in different positions, and when two succeeding
cipher characters had a corresponding bit that stayed the same, then the probability that
the fast pinwheel had two similar pins was also increased. (Since the slow pinwheels
did move half the time, this correlation was again weakened, but it still existed.)
Because the pin settings for the fast pinwheel were chosen so that like and unlike pairs
of pins were as close to being equally likely as possible, it was not possible in practice
to correlate a single pinwheel at a time, but correlations involving pairs of pinwheels
were easier. (At first, this appears odd, since, the fast wheels all having relatively prime
periods, they are independent. However, since all the slow pinwheels either move or
not at the same time, a search for correlations in two wheels at once could improve its
effectiveness by giving more weight to an observation in one wheel which takes place
when another wheel is in the more common change or no-change state for its part of
the period of that fast wheel.) An abbreviated notation was used to specify types of
tests to be run with COLOSSUS: one test was a simple correlation on two particularly
favored pinwheels; other tests searched for common pairs of characters, such as space-
figures shift, or figures shift-period. In some messages, doubled letters were quite
common, and there was a test that looked for them as well.
There is also a paper by W. T. Tutte, one of the cryptanalysts who worked on messages
enciphered by the Schlusselzusatz at Bletchley Park, now available on the site of Frode
Weierud that details the early days of the cryptanalysis of the Schlusselzusatz,
codenamed Tunny by the British. That source notes the following:
Originally, the machine was used with a 12-letter indicator, which contained initial
positions for all twelve pinwheels without encryption (e.g. under a "ground setting").
Each letter stood for an initial position, and the wheels had only 25 positions which a
letter could indicate, except, of course, for the wheel with only 23 positions.
The initial analysis which allowed the British to determine the basic principles of the
Sclusselzusatz was aided by the reciept of some pairs of messages enciphered with the
same starting positions, including one re-encipherment of a long message with changes
in word spacing and punctuation with exactly the same indicator.
In 1943, the Germans switched to using a number as an indicator, which was assumed
to signify a 12-letter combination from a list. Later, they switched from changing
pinwheel settings once a month to changing them each day, and they also modified the
machine so that the wheels in the second group, instead of having their irregular
motion controlled only by the 37 and 61 pinwheels, had that motion depend on a
function of the pinwheels that moved with each character, or on the previous plain text
(thus employing the autokey principle). However, the five wheels that stepped with
every character continued to do so, and although the five slow wheels were controlled
differently, they still either all moved or all stayed still, so the existing cryptanalytic
approaches remained valid.
Next
Chapter Start
Skip to Next Section
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]
Error-Correcting Codes
After text has been compressed, and even more so after it has been encrypted, the resulting output is random in appearance.
This makes it easy to make mistakes in handling it, and hard to see errors if they are introduced through electrical noise on a
communications link or any similar cause.
Thus, even if redundancy is removed as far as is possible before encryption by means of data compression, after encryption is
complete, it becomes desirable to put redundancy back in, to give resistance to errors.
There are mathematical techniques, given an arbitrary text, to add more symbols to it in a way that gives resistance to a
specific number of errors. Since they depend only on the input text, if the ciphertext is used as input, this kind of added
redundancy does not help the cryptanalyst, except by giving both him and the legitimate recipient a copy of the ciphertext that
is more likely to be accurate.
Thus, telegraph codes were designed so that an error in a single letter of a codeword, or switching two adjacent letters in a
codeword, would not result in another valid codeword, by the use of tables such as this:
AA AB AC AD AE AF AG AH AI AJ AK AL AM AN AO AP AQ AR AS AT AU AV AW AX AY AZ A&
BB BC BD BE BF BG BH BI BJ BK BL BM BN BO BP BQ BR BS BT BU BV BW BX BY BZ B& BA
CC CD CE CF CG CH CI CJ CK CL CM CN CO CP CQ CR CS CT CU CV CW CX CY CZ C& CA CB
DD DE DF DG DH DI DJ DK DL DM DN DO DP DQ DR DS DT DU DV DW DX DY DZ D& DA DB DC
EE EF EG EH EI EJ EK EL EM EN EO EP EQ ER ES ET EU EV EW EX EY EZ E& EA EB EC ED
FF FG FH FI FJ FK FL FM FN FO FP FQ FR FS FT FU FV FW FX FY FZ F& FA FB FC FD FE
GG GH GI GJ GK GL GM GN GO GP GQ GR GS GT GU GV GW GX GY GZ G& GA GB GC GD GE GF
HH HI HJ HK HL HM HN HO HP HQ HR HS HT HU HV HW HX HY HZ H& HA HB HC HD HE HF HG
II IJ IK IL IM IN IO IP IQ IR IS IT IU IV IW IX IY IZ I& IA IB IC ID IE IF IG IH
JJ JK JL JM JN JO JP JQ JR JS JT JU JV JW JX JY JZ J& JA JB JC JD JE JF JG JH JI
KK KL KM KN KO KP KQ KR KS KT KU KV KW KX KY KZ K& KA KB KC KD KE KF KG KH KI KJ
LL LM LN LO LP LQ LR LS LT LU LV LW LX LY LZ L& LA LB LC LD LE LF LG LH LI LJ LK
MM MN MO MP MQ MR MS MT MU MV MW MX MY MZ M& MA MB MC MD ME MF MG MH MI MJ MK ML
NN NO NP NQ NR NS NT NU NV NW NX NY NZ N& NA NB NC ND NE NF NG NH NI NJ NK NL NM
OO OP OQ OR OS OT OU OV OW OX OY OZ O& OA OB OC OD OE OF OG OH OI OJ OK OL OM ON
PP PQ PR PS PT PU PV PW PX PY PZ P& PA PB PC PD PE PF PG PH PI PJ PK PL PM PN PO
QQ QR QS QT QU QV QW QX QY QZ Q& QA QB QC QD QE QF QG QH QI QJ QK QL QM QN QO QP
RR RS RT RU RV RW RX RY RZ R& RA RB RC RD RE RF RG RH RI RJ RK RL RM RN RO RP RQ
SS ST SU SV SW SX SY SZ S& SA SB SC SD SE SF SG SH SI SJ SK SL SM SN SO SP SQ SR
TT TU TV TW TX TY TZ T& TA TB TC TD TE TF TG TH TI TJ TK TL TM TN TO TP TQ TR TS
UU UV UW UX UY UZ U& UA UB UC UD UE UF UG UH UI UJ UK UL UM UN UO UP UQ UR US UT
VV VW VX VY VZ V& VA VB VC VD VE VF VG VH VI VJ VK VL VM VN VO VP VQ VR VS VT VU
WW WX WY WZ W& WA WB WC WD WE WF WG WH WI WJ WK WL WM WN WO WP WQ WR WS WT WU WV
XX XY XZ X& XA XB XC XD XE XF XG XH XI XJ XK XL XM XN XO XP XQ XR XS XT XU XV XW
YY YZ Y& YA YB YC YD YE YF YG YH YI YJ YK YL YM YN YO YP YQ YR YS YT YU YV YW YX
ZZ Z& ZA ZB ZC ZD ZE ZF ZG ZH ZI ZJ ZK ZL ZM ZN ZO ZP ZQ ZR ZS ZT ZU ZV ZW ZX ZY
M N O P Q R S T U V W X Y Z & A B C D E F G H I J K L AA BB CC
DD EE FF GG HH II JJ KK LL MM NN OO PP QQ RR SS TT UU VV WW XX YY ZZ
N O P Q R S T U V W X Y Z & A B C D E F G H I J K L M A& BA CB
DC ED FE GF HG IH JI KJ LK ML NM ON PO QP RQ SR TS UT VU WV XW YX ZY
O P Q R S T U V W X Y Z & A B C D E F G H I J K L M N AZ B& CA
DB EC FD GE HF IG JH KI LJ MK NL OM PN QO RP SQ TR US VT WU XV YW ZX
P Q R S T U V W X Y Z & A B C D E F G H I J K L M N O AY BZ C&
DA EB FC GD HE IF JG KH LI MJ NK OL PM QN RO SP TQ UR VS WT XU YV ZW
Q R S T U V W X Y Z & A B C D E F G H I J K L M N O P AX BY CZ
D& EA FB GC HD IE JF KG LH MI NJ OK PL QM RN SO TP UQ VR WS XT YU ZV
R S T U V W X Y Z & A B C D E F G H I J K L M N O P Q AW BX CY
DZ E& FA GB HC ID JE KF LG MH NI OJ PK QL RM SN TO UP VQ WR XS YT ZU
S T U V W X Y Z & A B C D E F G H I J K L M N O P Q R AV BW CX
DY EZ F& GA HB IC JD KE LF MG NH OI PJ QK RL SM TN UO VP WQ XR YS ZT
T U V W X Y Z & A B C D E F G H I J K L M N O P Q R S AU BV CW
DX EY FZ G& HA IB JC KD LE MF NG OH PI QJ RK SL TM UN VO WP XQ YR ZS
U V W X Y Z & A B C D E F G H I J K L M N O P Q R S T AT BU CV
DW EX FY GZ H& IA JB KC LD ME NF OG PH QI RJ SK TL UM VN WO XP YQ ZR
V W X Y Z & A B C D E F G H I J K L M N O P Q R S T U AS BT CU
DV EW FX GY HZ I& JA KB LC MD NE OF PG QH RI SJ TK UL VM WN XO YP ZQ
W X Y Z & A B C D E F G H I J K L M N O P Q R S T U V AR BS CT
DU EV FW GX HY IZ J& KA LB MC ND OE PF QG RH SI TJ UK VL WM XN YO ZP
X Y Z & A B C D E F G H I J K L M N O P Q R S T U V W AQ BR CS
DT EU FV GW HX IY JZ K& LA MB NC OD PE QF RG SH TI UJ VK WL XM YN ZO
Y Z & A B C D E F G H I J K L M N O P Q R S T U V W X AP BQ CR
DS ET FU GV HW IX JY KZ L& MA NB OC PD QE RF SG TH UI VJ WK XL YM ZN
Z & A B C D E F G H I J K L M N O P Q R S T U V W X Y AO BP CQ
DR ES FT GU HV IW JX KY LZ M& NA OB PC QD RE SF TG UH VI WJ XK YL ZM
& A B C D E F G H I J K L M N O P Q R S T U V W X Y Z AN BO CP
DQ ER FS GT HU IV JW KX LY MZ N& OA PB QC RD SE TF UG VH WI XJ YK ZL
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z & AM BN CO
DP EQ FR GS HT IU JV KW LX MY NZ O& PA QB RC SD TE UF VG WH XI YJ ZK
B C D E F G H I J K L M N O P Q R S T U V W X Y Z & A AL BM CN
DO EP FQ GR HS IT JU KV LW MX NY OZ P& QA RB SC TD UE VF WG XH YI ZJ
C D E F G H I J K L M N O P Q R S T U V W X Y Z & A B AK BL CM
DN EO FP GQ HR IS JT KU LV MW NX OY PZ Q& RA SB TC UD VE WF XG YH ZI
D E F G H I J K L M N O P Q R S T U V W X Y Z & A B C AJ BK CL
DM EN FO GP HQ IR JS KT LU MV NW OX PY QZ R& SA TB UC VD WE XF YG ZH
E F G H I J K L M N O P Q R S T U V W X Y Z & A B C D AI BJ CK
DL EM FN GO HP IQ JR KS LT MU NV OW PX QY RZ S& TA UB VC WD XE YF ZG
F G H I J K L M N O P Q R S T U V W X Y Z & A B C D E AH BI CJ
DK EL FM GN HO IP JQ KR LS MT NU OV PW QX RY SZ T& UA VB WC XD YE ZF
G H I J K L M N O P Q R S T U V W X Y Z & A B C D E F AG BH CI
DJ EK FL GM HN IO JP KQ LR MS NT OU PV QW RX SY TZ U& VA WB XC YD ZE
H I J K L M N O P Q R S T U V W X Y Z & A B C D E F G AF BG CH
DI EJ FK GL HM IN JO KP LQ MR NS OT PU QV RW SX TY UZ V& WA XB YC ZD
I J K L M N O P Q R S T U V W X Y Z & A B C D E F G H AE BF CG
DH EI FJ GK HL IM JN KO LP MQ NR OS PT QU RV SW TX UY VZ W& XA YB ZC
J K L M N O P Q R S T U V W X Y Z & A B C D E F G H I AD BE CF
DG EH FI GJ HK IL JM KN LO MP NQ OR PS QT RU SV TW UX VY WZ X& YA ZB
K L M N O P Q R S T U V W X Y Z & A B C D E F G H I J AC BD CE
DF EG FH GI HJ IK JL KM LN MO NP OQ PR QS RT SU TV UW VX WY XZ Y& ZA
L M N O P Q R S T U V W X Y Z & A B C D E F G H I J K AB BC CD
DE EF FG GH HI IJ JK KL LM MN NO OP PQ QR RS ST TU UV VW WX XY YZ Z&
A miniature version of such a code construction table is shown in The Codebreakers by David Kahn, but here I've put the last
two letters of the codeword in alphabetical order in the rows of the square on the lower right, since a code compiler would
want to generate codewords in alphabetical order. The row of the top square, and the column of the square on the lower right,
which contain digraphs beginning with &, are omitted, since those are unused if codewords from a 26-letter alphabet are
wanted.
Valid codewords consist of two letters from the top, a letter from the lower left, and two letters on the lower right, such that
the single letter shares the same column as the pair of letters from the top and the same row as the pair of letters from the
lower right. The use of an extra dummy letter & is required to avoid codewords differing only by a swap of two adjacent
letters. The middle square can start with any letter; here it is started with M to indicate that this feature can be used to produce
codewords different from those in someone else's code.
For example, given a string of bits, a single bit which contains the parity of that string of bits can be appended to it. In that
case, if the result is transmitted, and exactly one bit is in error in what is recieved, the parity will be wrong, and the fact that an
error has taken place will be detected.
Another simple example would be to transmit one's message three times. For every group of three corresponding bits from the
three copies of the message, if exactly one error takes place in communications, that error can be corrected, because of the
three recieved copies of that bit, two will be correct, and only one will be wrong.
These are the two trivial examples of perfect codes: adding a parity bit, and repeating each bit a certain number of times.
If we confine ourselves to the even parity form of a parity bit, both these codes can be represented by matrices:
A parity bit:
1 0 0 0 0 0 0 0 1
0 1 0 0 0 0 0 0 1
0 0 1 0 0 0 0 0 1
0 0 0 1 0 0 0 0 1
0 0 0 0 1 0 0 0 1
0 0 0 0 0 1 0 0 1
0 0 0 0 0 0 1 0 1
0 0 0 0 0 0 0 1 1
Triple repetition:
1 1 1
In general, matrix multiplication works like this: introduce the numbers which are the elements of the vector being multiplied
from the left, starting with the first one on the top; for each bit in that row, calculate the product of the number introduced
from the side with the number in the matrix; then, after all the products have been calculated, total them down the columns to
obtain the output.
For error-correcting codes illustrated by matrices, it is the bits of the message that are introduced from the left. Then, an AND
is performed (rather than a multiplication) between them and the bits of the matrix, and the results are accumulated by an
XOR going down the columns (rather than addition).
1 0 0 0 1
1 --> 1 0 0 0 1
0 1 0 0 1
0 --> 0 0 0 0 0
0 0 1 0 1
1 --> 0 0 1 0 1
0 0 0 1 1
1 --> 0 0 0 1 1
-------------------
1 0 1 1 1
As this is a code applied to a binary signal, all arithmetic is done modulo 2 (hence, 1+1+1 = 1 instead of 3).
Just using parity bits can allow correcting errors. One way to do this is to have both a parity bit for each byte of data, and a
parity byte that results from the XOR of all the data bytes. If there is one error, the byte it is in is indicated by the parity bit for
that byte, and the bit it is in is indicated by which byte of the final parity byte shows the wrong parity.
A simple way to obtain row and column parity for a sequence of characters on a computer would be to add three parity
characters to a line of 49 7-bit characters on this basis:
❍ XOR the character to the second accumulator, and rotate it left one bit.
❍ XOR the character to the third accumulator, and after every seven characters, rotate it right one bit.
This would allow one single-bit error in a line to be found and therfore corrected, as follows:
33333X3-----*------*------*------*------*------*- ==?
----2-13333*3*----2-1----2-1----2-1----2-1----2-1 ===
1--2---1--2---*33*3331--2---1--2---1--2---1--2--- ?==
-12-----12-----12----3**3333-12-----12-----12---- ===
-21-----21-----21-----21----3**3333-21-----21---- ===
2--1---2--1---2--1---2--1---2--1---*33*3332--1--- =?=
----1-2----1-2----1------1-2----1-2----1-23333*3* ===
The X is at the only point where the three lines of bits marked by 1, 2, and 3 all coincide. Note that the asterisks mark points
where two of them cross. Assuming the shifts after a byte is XORed in even take place after the last byte, the question marks
indicate where the three parity characters would show the wrong parity if there was an error at the point marked by the X.
It is easier to do this for 7-bit characters because 7 is an odd number, but it can also be done for 8-bit bytes, simply by rotating
only one accumulator by one bit for each byte, and not rotating one accumulator at all, as follows:
33313333---1-------1-------1-------1-------1-------1-------1---- ==?
----1---3333*333----1-------1-------1-------1-------1-------1--- ===
22222*2222222*22*****X**22222*2222222*2222222*2222222*2222222*22 =?=
------1-------1-------1-333333*3------1-------1-------1-------1- ===
-------1-------1-------1-------13333333*-------1-------1-------1 ===
1-------1-------1-------1-------1-------*33333331-------1------- ?==
-1-------1-------1-------1-------1-------1------3*333333-1------ ===
--1-------1-------1-------1-------1-------1-------1-----33*33333 ===
However, approaches based only on using parity bits are unsophisticated, and more efficient ways of correcting and detecting
multiple errors can be found if more sophisticated codes are used.
Another class of error-correcting codes are called Hamming codes. No longer trivial, these codes are also perfect, which
means they add exactly enough redundancy to a group of input bits to detect and correct a certain number of errors.
Note that this perfection applies to one particular situation, where errors occur randomly among bits. Where there is a
tendency for bits close together in a message to be in error together, this being called a burst error, other strategies are needed.
One common way of dealing with this is simply to apply conventional error-correcting codes to widely-separated bits at equal
intervals in a message. This, or the strategy of applying the error-correcting code first, and then spreading out the bits of each
output group, is called interleaving.
In a Hamming code, after the group of bits being encoded, the extra parity bits are formed by allocating every combination of
those bits with two or more of them equal to 1 to each bit position in the input. Hence, changing one bit in the input always
changes at least three bits in the word with error-correction added. Since no two rows in the error-checking part of the matrix
are identical, changing two bits in the input still results in a three-bit change at least; thus, the number of bits difference (or the
Hamming distance) between possible outputs (valid codewords) is a minimum of three.
A parity bit can be added to a Hamming code; the result is another perfect code, this time with a four-bit change resulting
from any change in the input.
The Hamming distance between valid codewords tells us how much error-checking we have. If there is no error-checking
added, each different input still gives a different output, for a distance of 1. If the distance is 2, one error can be detected, as is
the case for the code that just adds one parity bit. If the distance is 3, as for repeating a bit three times, or the basic Hamming
code without a parity bit added, one error can be corrected.
The error-correcting capabilities of an error-correcting code are given by the Hamming distance between codewords, but it is
possible to choose how to make use of them. For example, if we repeat every bit three times, we can either choose to accept
011 as standing for 1, hence correcting one error when it occurs, but being fooled if two errors happen, or we can choose to
discard it, accepting only 000 and 111. Thus, a Hamming distance of 3 can be used either to correct one error, or to detect two
errors. A distance of 4, such as obtained by a Hamming code with a parity bit, or by repeating a bit four times, allows
correcting one error and detecting two errors, or detecting up to three errors.
1 0 0 0 0 1 1
0 1 0 0 1 0 1
0 0 1 0 1 1 0
0 0 0 1 1 1 1
1 0 0 0 0 0 0 0 0 0 0 0 0 1 1
0 1 0 0 0 0 0 0 0 0 0 0 1 0 1
0 0 1 0 0 0 0 0 0 0 0 0 1 1 0
0 0 0 1 0 0 0 0 0 0 0 1 0 0 1
0 0 0 0 1 0 0 0 0 0 0 1 0 1 0
0 0 0 0 0 1 0 0 0 0 0 1 1 0 0
0 0 0 0 0 0 1 0 0 0 0 0 1 1 1
0 0 0 0 0 0 0 1 0 0 0 1 0 1 1
0 0 0 0 0 0 0 0 1 0 0 1 1 0 1
0 0 0 0 0 0 0 0 0 1 0 1 1 1 0
0 0 0 0 0 0 0 0 0 0 1 1 1 1 1
1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1
0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 1
0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0
0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 1
0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 1 0
0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0
0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 1
0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 1 0
0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 1 0 0
0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0
0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1
0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 1 1
0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 1
0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 1 0 0 1 1
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 1 0 1 0 1
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 1 0 1 1 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 1 1 0 0 1
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 1 1 0 1 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 1 1 1 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 1 1 1 1
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 1 0 1 1 1
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 1 1 0 1 1
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 1 1 1 0 1
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 1 1 1 1 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1
Since a Hamming code, as shown, can only correct one error, decoding is simple:
● Take the data portion of the recieved codeword (the portion that should just contain the unmodified input data), and
place it through the Hamming code again. If there is a perfect match between the error-checking part of the recieved
block and the error-checking part of the one now generated, or if there is no more than one bit difference, the data as
recieved is assumed to be correct.
● If there are two or more bits of difference, find the row in the matrix where those bits are 1 bits in the error checking
part. The data bit which is passed through by a 1 on the diagonal in the data part of the matrix is the one in error.
This, of course, assumes that the transmitted block actually was subjected to no more than one error. When a parity bit is
added to the Hamming code, decoding is modified slightly:
● If parity is correct, decode the first part of the block, but accept the result only if no errors are found. (In this case, the
block is assumed to have been recieved correctly.)
● If parity is wrong, decode the first part of the block, and accept the result if either no errors are found (here, the error is
assumed to be in the parity bit itself), or if one error is found (and therefore corrected).
These are just one particular form for each of the three Hamming codes shown. Rearranging the rows or columns, or certain
other modifications, will not change the ability of the code to be used to detect or correct errors. Replacing one row of the
matrix by the XOR of itself and another row is allowed, because that will result in the matrix generating exactly the same set
of codewords, but they will be generated in some cases for different inputs.
There are a number of other codes used for error detection and correction. Examples of codes used in the same kind of form as
used with Hamming codes include Hadamard codes and Reed-Muller codes. These codes all add slightly more redundancy
than is required for the error-checking they seek to attain.
1 1 1 1 1 1 1 1 0 0 0 0 0 0 0 0
1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1
1 1 0 0 1 1 0 0 0 0 1 1 0 0 1 1
1 0 0 1 1 0 0 1 0 1 1 0 0 1 1 0
1 1 1 1 0 0 0 0 0 0 0 0 1 1 1 1
1 0 1 0 0 1 0 1 0 1 0 1 1 0 1 0
1 1 0 0 0 0 1 1 0 0 1 1 1 1 0 0
1 0 0 1 0 1 1 0 0 1 1 0 1 0 0 1
These codes are obtained by a procedure similar to that used to create fractal designs:
1 1 1 1
1 1 1 0 1 0
1 0 - becomes -->
1 1 0 0
1 0 0 1
applied as many times as desired, and then the result has its complement appended to it. Mariner 9 used the code of this type
that occupies a 32 by 64 matrix. This method only generates Hadamard codes of orders which are powers of 2. Hadamard
codes and matrices of many other orders which are multiples of 4 are also known, and it is conjectured, but not yet proven,
that one exists for every such order. These Hadamard codes are obtained by other, more difficult methods.
Only one other perfect code for binary signals is known, the binary Golay code. It takes a 12-bit input, and adds 11 error-
checking bits to it. Like the Hamming codes, an extra parity-check bit can be added, and the code remains perfect.
A modified form of the Golay code with parity bit added, so that the parity bit is no longer explicitly visible, is shown in a
book by two of the three co-authors of the Handbook of Applied Cryptography, and an equivalent form, modified by some
rearrangement of rows and columns (to obtain a shifting of the cyclic 11 by 11 portion of the error-checking matrix, and to put
the row and column of 1 bits in a more conventional position) is shown here:
1 0 0 0 0 0 0 0 0 0 0 0 1 0 1 1 0 1 1 1 0 0 0 1
0 1 0 0 0 0 0 0 0 0 0 0 0 1 1 0 1 1 1 0 0 0 1 1
0 0 1 0 0 0 0 0 0 0 0 0 1 1 0 1 1 1 0 0 0 1 0 1
0 0 0 1 0 0 0 0 0 0 0 0 1 0 1 1 1 0 0 0 1 0 1 1
0 0 0 0 1 0 0 0 0 0 0 0 0 1 1 1 0 0 0 1 0 1 1 1
0 0 0 0 0 1 0 0 0 0 0 0 1 1 1 0 0 0 1 0 1 1 0 1
0 0 0 0 0 0 1 0 0 0 0 0 1 1 0 0 0 1 0 1 1 0 1 1
0 0 0 0 0 0 0 1 0 0 0 0 1 0 0 0 1 0 1 1 0 1 1 1
0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 1 0 1 1 0 1 1 1 1
0 0 0 0 0 0 0 0 0 1 0 0 0 0 1 0 1 1 0 1 1 1 0 1
0 0 0 0 0 0 0 0 0 0 1 0 0 1 0 1 1 0 1 1 1 0 0 1
0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 0
In this code, the minimum Hamming distance between valid codewords is eight; without the parity bit, it would be seven.
A distance of seven allows either correcting three errors, correcting two errors and detecting four errors, correcting one error
and detecting five errors, or detecting six errors.
A distance of eight allows either correcting three errors and detecting four errors, correcting two errors and detecting five
errors, correcting one error and detecting six errors, or detecting seven errors.
Examine the error-checking portion, the second square half, of the matrix for the Golay code shown above. The right and
bottom edges consist of all ones except for a zero where they meet.
The remaining 11 by 11 square consists of the sequence 10110111000 repeated in every row, but shifted one space to the left
in each row. This sequence contains exactly six one bits, an even number.
The matrix is symmetric, hence unchanged when flipped around the diagonal running from the top left to the bottom right.
Hence, the fact that every row contains an odd number of 1 bits, the last row ANDed with any other row produces a row with
six one bits, and any two of the first 11 rows, when combined by an AND, produces a rotated version of one of the following
strings:
10110111000 and 01101110001 = 00100110000 (3 bits)
10110111000 and 11011100010 = 10010100000 (3 bits)
10110111000 and 10111000101 = 10110000000 (3 bits)
10110111000 and 01110001011 = 00110001000 (3 bits)
10110111000 and 11100010110 = 10100010000 (3 bits)
10110111000 and 11000101101 = 10000101000 (3 bits)
10110111000 and 10001011011 = 10000011000 (3 bits)
10110111000 and 00010110111 = 00010110000 (3 bits)
10110111000 and 00101101110 = 00100101000 (3 bits)
10110111000 and 01011011100 = 00010011000 (3 bits)
preceded by a single 1 bit, means that, using modulo 2 arithmetic, the error-checking matrix in the code as represented here is
its own inverse. (If it weren't for that extra zero, a different decoding matrix would be required, and a slightly more
complicated version of the decoding procedure given below would be required.) Because of the symmetry around the
diagonal, this is true both in the usual convention for matrix multiplication (numbers go in from the top, and come out on the
right) and the one used for error-correcting codes (numbers go in from the left, and come out on the bottom). For more
information on matrix multiplication, see the section concerning the Hill Cipher.
This helps to make it practical to check a codeword formed by this code, and then transmitted, for errors. The following
procedure will find the correct original 12-bit input if there were three or fewer errors in the transmitted 24-bit block, or it will
fail if there were four errors. (With more than four errors, of course, it can be fooled.)
● First, take the first half, and put it through the code, to see what the codeword would have looked like, if the first half
containing the actual data happens to be perfectly without error. Since we are able to correct up to three errors, if the
error-checking part of this result differs by no more than three bits from what was recieved, all the errors (if any)
happened in the error-checking part, so the data as recieved can be accepted.
● Second, take the second half, and put it through the code. Since the error-checking part of the matrix is its own inverse,
the error-checking half of the result will be what the data was supposed to have been, if the error-checking half of the
block was recieved perfectly without error. If that result differs by no more than three bits from what was recieved in
the data portion of the block, then the data as recovered from the error-checking part can be accepted.
● Third, consider the possibility that there were errors in both the data and error-checking part of the block. With three
errors it is possible that there could be one error in one of the two parts of the block, and two errors in the other part.
So, decoding continues by a limited amount of trial and error. Here, we will assume that exactly one bit in the data
portion of the block is in error. Thus, we will take the data portion of the block, and for each of the 12 bits of it in turn,
we will invert that bit, put the result through the code, and compare the error-checking portion of the result with that
recieved. If the result is two or fewer errors in the error-checking portion then the right bit has been found, and the data
portion with the bit you flipped is correct.
● Fourth, assume that exactly one bit in the error-checking portion of the block is in error, and for each of the 12 bits in
the error-checking portion, invert that bit, apply the code to the result, and compare the error-checking portion of the
output to the data portion of the recieved block. If two or fewer errors are found, then the data calculated from the error-
checking portion with one flipped bit contains the correct data.
Another perspective on the binary Golay Code, which I also found understandable, is contained in this thesis. In the form of
the Golay Code given above, eleven rows are cyclic, and one special, in the error-checking matrix; in the form discussed in
that thesis, all twelve rows are equivalent, but as they relate to the faces of a dodecahedron, there is no way to put them in a
cyclic order.
1 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 1 1 1 1 1 1
0 1 0 0 0 0 0 0 0 0 0 0 0 1 0 1 1 0 0 0 1 1 1 1
0 0 1 0 0 0 0 0 0 0 0 0 0 0 1 0 1 1 1 0 0 1 1 1
0 0 0 1 0 0 0 0 0 0 0 0 0 1 0 1 0 1 1 1 0 0 1 1
0 0 0 0 1 0 0 0 0 0 0 0 0 1 1 0 1 0 1 1 1 0 0 1
0 0 0 0 0 1 0 0 0 0 0 0 0 0 1 1 0 1 0 1 1 1 0 1
0 0 0 0 0 0 1 0 0 0 0 0 1 0 1 1 1 0 1 0 1 1 0 0
0 0 0 0 0 0 0 1 0 0 0 0 1 0 0 1 1 1 0 1 0 1 1 0
0 0 0 0 0 0 0 0 1 0 0 0 1 1 0 0 1 1 1 0 1 0 1 0
0 0 0 0 0 0 0 0 0 1 0 0 1 1 1 0 0 1 1 1 0 1 0 0
0 0 0 0 0 0 0 0 0 0 1 0 1 1 1 1 0 0 0 1 1 0 1 0
0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 0 0 0 0 0 1
Each of the twelve rows and columns of the error-checking part of the matrix corresponds to a face of the dodecahedron, and
it contains a zero for every pair of faces that are next to one another. (A face is not considered to be next to itself.) This is still
a Golay code, with the same error-correcting property of a Hamming distance of 8 between codewords, and not only is the
error-checking matrix symmetric, but once again it is its own inverse as shown here. Because of the dodecahedral symmetry,
once again, it is only necessary to AND one row of the matrix with the eleven other rows to establish that. For example, row 1
shares four bits with rows 2 to 11, and two bits with row 12.
But being self-dual is not a necessary property of a Golay code; either example of a Golay code given here would still be a
Golay code if the error-checking matrix were reflected left to right, since the error-checking properties would be identical, but
then that matrix would not be its own inverse.
This site contains a link to a paper in DVI format giving eight different constructions of the binary Golay code.
(Unfortunately, you may have difficulty in viewing documents in DVI format on your system.)
And here is an example of a form of the Golay code, again one that generates 24-bit output, with the parity bit concealed, that
may have actually been used in the transmission of information; it is part of an unofficial draft standard for automatically
establishing radio links, and thus it may have been taken from previous actual practice or standards:
1 0 0 0 0 0 0 0 0 0 0 0 1 0 1 0 1 1 1 0 0 0 1 1
0 1 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 0 0 1 0 0 1 0
0 0 1 0 0 0 0 0 0 0 0 0 1 1 0 1 0 0 1 0 1 0 1 1
0 0 0 1 0 0 0 0 0 0 0 0 1 1 0 0 0 1 1 1 0 1 1 0
0 0 0 0 1 0 0 0 0 0 0 0 1 1 0 0 1 1 0 1 1 0 0 1
0 0 0 0 0 1 0 0 0 0 0 0 0 1 1 0 0 1 1 0 1 1 0 1
0 0 0 0 0 0 1 0 0 0 0 0 0 0 1 1 0 0 1 1 0 1 1 1
0 0 0 0 0 0 0 1 0 0 0 0 1 0 1 1 0 1 1 1 1 0 0 0
0 0 0 0 0 0 0 0 1 0 0 0 0 1 0 1 1 0 1 1 1 1 0 0
0 0 0 0 0 0 0 0 0 1 0 0 0 0 1 0 1 1 0 1 1 1 1 0
0 0 0 0 0 0 0 0 0 0 1 0 1 0 1 1 1 0 0 0 1 1 0 1
0 0 0 0 0 0 0 0 0 0 0 1 0 1 0 1 1 1 0 0 0 1 1 1
The error-checking part of the matrix is not symmetric along the main (upper left to lower right) diagonal, and its transpose is
shown as being used in decoding. Also, it is said to have been generated from the polynomial
11 9 7 6 5
x +x +x +x +x +x+1
Each column has seven ones in it, so when multiplied by its transpose, there will be a 1 in every position on the diagonal in
the result. Any two distinct columns have either four or two ones in common, (as I had to verify by brute force with a short
BASIC program) and so the transpose of the error-checking part of the matrix is indeed also the inverse of that part.
Despite the fact that each column and row contains seven ones, the error matrix can't be produced simply by rearranging rows
and columns of the one produced from the dodecahedron. This can be shown because the columns corresponding to opposite
faces can be identified (no zeroes in the same row), and two non-opposite faces must be adjacent to two other faces, and those
two faces must be adjacent to three other (than the first two: those two faces may be adjacent to each other if the two non-
opposite faces were not adjacent) faces each, two from each group of which are opposite to two from the other group (which
is the point at which it breaks down if you start with the first two columns).
Error-checking in this case involves the use of the inverse of the error-checking part of the matrix, but otherwise the algorithm
is the same as the one given above.
The field of error-correcting codes, like the field of data compression, is still a very active one, with new research being done
and patents being issued on new methods.
In the 1970s, a set of error-correcting codes called "Fire codes" were developed. One of the simplest of these could be used as
a direct replacement for a parity bit, used with each character in many existing systems, providing error correction instead of
just the detection of erroneous characters.
Data * - - - - - - - * * - - * - - - - * - - *
bits - * - - - - - - * - * - - * - - - * - - *
- - * - - - - - * - - * - - * - - * - - *
- - - * - - - - * - - - * - - * - * - - *
- - - - * - - - * - - - - * - - * * - - *
- - - - - * - - * - - - - - * - - X - - *
- - - - - - * - * - - - - - - * - * * - *
- - - - - - - * * - - - - - - - * * - * *
Parity = = = = = = = = P = = = = = = = = ! = = !
Each parity bit is the XOR of parity for the data byte with which it is associated and parity for staggered bits from the eight
previous bytes. Essentially, it is a clever way to obtain the same results as are provided by the use of row and column parity
bits. (After the last byte of data, one extra byte, with the extra parity bit, is needed to provide parity for all the remaining
diagonals.)
More complicated forms involved XORing these parity bits with the parity of another group of eight bits, staggered by being
from bytes separated by a larger distance.
A very recent exciting development in error-correcting codes is the class of codes known as "Turbo Codes". These codes are
based on the principle of applying two error-correcting codes to the data bits, but with different interleaving. Just as
interleaving by itself turns a burst error into scattered individual-bit errors, which error-correcting codes can deal with more
easily, using two different interleaving schemes on the data being transmitted reduces to a very small value the chance that
any bit will be unrecoverable due to an excessive number of random errors in both of the error-correcting code blocks in
which it is found. (The same principle can also be applied to continuous error-correcting codes as well as block codes.)
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]
The British never achieved a regular penetration of T-52 messages. It now appears that,
at least during the war, that the only T-52 messages they deciphered were messages
that belonged to pairs sent with the same key, but they were able to determine how the
T-52 worked from those messages.
One part of the reason for this is that many messages encrypted by the T-52 were sent
over land lines, which the Swedes, but not the British, had the opportunity to intercept.
But another reason was that the T-52 was used to encrypt high-level strategic traffic for
the Luftwaffe, which also sent similar messages using Enigmas. Thus, attacking the T-
52 was lower in priority than attacking the Lorenz Schlusselzusatz, which was used to
encrypt high-level strategic traffic for the German Army, or Heer, which, although it
did use Enigmas for tactical messages, did not generally use them for messages with
information of strategic importance.
It may also be noted that the final version of the machine, the T-52e, which included
two improvements which previously appeared separately in the T-52c and T-52d,
seems to be a very secure design, although the use of cams instead of resettable
pinwheels was a serious flaw.
Ten wheels, in this machine cams whose pattern of 0 and 1 positions could not be
modified, of sizes 73, 71, 69, 67, 65, 64, 61, 59, 53, and 47, which were called A, B, C,
D, E, F, G, H, and K respectively, provided the raw material for this machine's cipher.
In additon to having their states sensed at the primary tap point, producing the output
that was XORed with the plaintext characters or controlled their shuffling, they were
also sensed at a point 25, 24, 23, 23, 22, 22, 20, 20, 18, and 16 positions earlier,
respectively.
This additional position controlled the movement of the wheels, so that they stepped in
an irregular fashion.
The way in which the wheels stepped can best be explained by an oversimplified form
of that motion. Each wheel moved unless both of two possible conditions was met, in
which case it was prevented from moving: In the simplified model:
Note that the twenty conditions involved both the extra tap on each wheel and its
inverse, and no wheel controlled itself. Since every wheel had to be either 1 or 0, and
the condition was OR for movement, at least five of the ten wheels had to move with
this arrangement, so although the wheels controlled each other, they could not get stuck
in a state where they never stepped.
Mechanically, this worked as follows: both the plus and minus connections to an
electromagnet were controlled by relays, so the electromagnet was energized only if
the relays at both ends allowed current to flow. The magnets were interposer magnets:
if active, they prevented the cam they controlled from moving.
From the main sensing position on the cams A through K, ten signals were derived,
labelled 1, 3, 5, 7, 9, and I, II, III, IV, and V, that performed the actual operation of
modifying the plaintext to produce the ciphertext.
I through V were XORed with bits 1 through 5 of the plaintext character. Then bits in
the character were swapped: 1 caused (if its value was 1 instead of 0) bits 1 and 5 to be
swapped; signals 3, 5, 7, and 9 swapped bits 4 and 5, 3 and 4, 2 and 3, and finally 1 and
2.
First, bits A through K were exchanged, by a simple plugboard on the T52a, T52b, and
T52d, and by a set of switches that performed the same function as a plugboard on the
T52e, and by an elaborate set of five switches with eight positions on the T52c. Then,
in the T52c and the T52e, the ten signals went into a bank of relays, so that each of the
signals, 1 through 9 and I through V, that performed the actual encipherment was the
XOR of several cam outputs.
The T52e, shown here, included all the features that this telecipher acquired over its
development. The extra features, over and above a simple set of ten cams controlling
XORs and swaps of plaintext bits, are divided into two groups; one group was also
present only on the T52c, and the other group was also present only on the T52d.
The relay bank was also present in the T52c, but it was wired differently. The T52c
also had a means of altering the order in which cam outputs went to the relay bank, but
instead of a plugboard, it was a set of five eight-position switches, each one controlling
three swaps of the cam signals.
The T52d did not have those features, but it did have cam stepping logic; again, that
logic was somewhat different from that of the T52e.
3 6 9 12 15
2 5 8 11 14
1 4 7 10 13
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
-----------------------------------------------------
P 0 0 0 0 1 0 0 0 1 1 0 1 1 1 1
S 0 1 0 1 0 0 0 1 1 1 1 0 0 0 0
T 1 0 0 0 0 1 1 0 1 1 1 1 0 1 0
U 0 0 1 0 1 1 1 1 0 0 0 0 1 0 0
W 0 1 1 1 0 1 1 1 1 0 1 0 0 0 1
X 1 0 1 1 1 0 0 0 0 1 0 0 0 1 1
Y 1 1 0 1 1 1 0 1 0 0 0 1 1 0 1
Z 1 1 1 0 0 0 1 0 0 0 1 1 1 1 0
The T52d and T52e are shown here in the "ohne Klartextfunktion" mode. They also
had a feature where the third bit of a plaintext character, after a delay, was introduced
into the cam stepping logic, which was also changed in that mode. This limited
autokey, or "clear text function", caused serious problems of garbling in practice, and
was therefore little used.
However, that does not prevent me from including diagrams of the T52d and T52e in
this mode, particularly as the stepping logic is somewhat more symmetrical in this
mode in both cases.
Next
Chapter Start
Skip to Next Section
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]
The device has two sets of five pinwheels, of lengths 19, 21, 23, 25, and 26. ( Toby's
Cryptopage, now available again after a hiatus, also discusses the TA-1, a later version
with larger pinwheels of lengths 26, 29, 31, 33, and 35.) The pins are pushed in or
pulled out by the user, and the five bits of each plaintext character are modified by
being subjected to an exclusive-OR operation with the current pin of the corresponding
pinwheel from each of the two sets.
The first set of pinwheels steps one position for every character enciphered. An
additional position on the pinwheels, besides the one used to XOR the plaintext, is
sensed (two positions earlier). That alternate output, from all five pinwheels, is XORed
together, creating a single bit; if 0, the second set of pinwheels steps only once; if 1,
they step twice.
The second set of pinwheels is also sensed at the same alternate position, and the
output from all of them is combined by XOR. This time, the result, if 1, causes the
entire output ciphertext character to be inverted.
This design allows two identical modules to be used in the device, thus making
manufacture more economical. It achieves irregular stepping, but only ten, not twelve,
pinwheels are required.
The source for the information on this page is the home page of Torbjörn Andersson,
entitled Toby's Cryptopage, which has an entry in my Links section. It is well worth a
visit, and includes original photos of many of the machines discussed here; not just the
SA-1, but also the T-52 and the B-211.
Next
Chapter Start
Skip to Next Section
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]
An American Patent
U. S. Patent 4157453 is one of the few patents that were secretly issued to people
working for the NSA or one of its predecessor agencies that has now been publicly
issued in normal fashion, many years later.
It was filed on October 10th, 1944, but issued on June 5th, 1979. The inventor was Leo
Rosen, known to history as the one who had the inspiration to realize that the Japanese
cipher machine codenamed PURPLE used telephone stepping switches.
This patent refers only to scrambling the order of bits in a teletypewriter signal, without
inverting any bits. However, in addition to shuffling the bits within a single character,
as the T-52 did, this device moved bits between characters.
Originally, I was only able to see the claims of this patent, but the text of it has since
become available. It turns out that it referred to buffering two or four 5-level-code
characters, recieved serially, in banks of relays, transposing the stored bits, and then
transmitting the result. Given the technology of the time, commutator switches were
used to access relays serially; today, a designer thinking of how to perform such an
operation would no doubt think of shift registers.
Having just seen a brief description of the purpose of the invention, I had supposed that
this patent could have been for a system that was actually applied to a combined time
and frequency division voice scrambler, with its application disguised for security.
However, as a telecipher device, one of the simplest ways in which to accomplish this
kind of scrambling would be to do the following: use pinwheels to scramble the bits
within a character; then, subject these bits to a fixed pattern of delays, so that they are
distributed among two to five different characters; then, perform a second pinwheel-
controlled scramble of the bits within each character.
To decipher, one first inverts the second scramble. Then, one delays the bits in a
complementary fashion to that used for enciphering: if bits 1 to 5 are subject to delays
0 1 0 1 0 on enciphering, then use delays 1 0 1 0 1 on deciphering, for a net delay of
every bit by 1 character; if bits 1 to 5 are subject to delays 0 1 2 3 4 on enciphering, use
delays 4 3 2 1 0 for deciphering, for a net delay of 4 characters. Then, invert the first
scramble, with the pinwheels controlling it offset so that their scramble is delayed to
match the net delay of the enciphering delay stage and its deciphering complement.
[Next] [Up] [Previous] [Index]
Next
Skip to Next Chapter
Chapter Start
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]
The original version supplied thirteen live inputs to the input rotor. Five outputs from
the other end were XORed to the five bits of a teletypewriter character. The rotors
advanced conventionally for each character enciphered, and had only one carry
position. Like the SIGABA, the letter O, and not A, indicated the zero position of the
rotors. The five rotors included one that moved for every letter enciphered, and one that
moved only when that first rotor completed a full rotation and so on, like an odometer,
but with one difference: which rotor moved with which frequency could be chosen
arbitrarily. The original Hebern machine had three classes of rotor movement, and it
too allowed the selection of how the individual rotors moved, but in a less
straightforwards manner.
This simple design was found to be insecure, after being put into use, for a particular
case of operator error. A considerably revised version served for some time, and its
description is as follows:
In the revised version, there were only five live inputs to the input rotor. Fifteen
outputs from the other end were wired together in five groups of three to provide the
five output bits. This gave each bit a probability of about 48.846%, or exactly 381/780,
of being a one.
In the original design, all five rotors moved in the conventional manner of wheels on an
odometer, except that the position of the rotor that moved with every character
enciphered, and the position of each rotor that moved when another rotor completed a
full circle, could be set arbitrarily. In the revised design, three rotors moved in that
way, and two other rotors had movements called fast bump and slow bump that
depended on the bits the rotors generated.
If bit 1, bit 3, and bit 5 of the generated bits (to be XORed with the plaintext to create
ciphertext) were all ones, the slow bump rotor would advance for the next character. If
bit 2 and bit 4 were both 1, the fast bump rotor would advance. In addition, the slow
bump rotor skipped an extra position when it reached O, as well as stepping the slow
rotor (if the slow rotor was also at O; this may have been a misprint for 'slow bump',
since that won't happen very often).
An issue of Cryptologia some years previous to the issue in which SIGCUM or the M-
228 was described, quoted a government memo which referred to the M-294. This
machine was very similar to the SIGABA, except that the five "cipher rotors" supplied
a bitstream to encipher a teletypewriter message; presumably using an arrangement
similar to that seen here. Such a device would certainly provide a method of
encipherment for teletypewriter messages of impressive security. SIGNIN was an
alternative designation for the M-294. The M-138 and M-138-A, indirect predecessors
of the SIGABA, were rotor machines, of the Hebern type, acting upon the 26 letters of
the alphabet, but with the motions of their five rotors controlled by a paper tape; in a
way, these machines were the exact inverse or complement of SIGCUM.
Frank B. Rowlett passed away on June 29, 1998, at the age of 90.
Next
Chapter Start
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]
The M-228 is an exception to both halves of this generalization; it is secure, but it isn't
entirely new, being largely based on a rotor mechanism.
Of course, it is true that I could have described the T-52 in more detail (at least in
words, for those who cannot recieve the schematic diagrams included in that section,
which do accurately describe it). It is certainly very complex. But the complexity and
expense of the machine are beyond those of the SIGABA, while the security may well
be less even than that of the Enigma. (Yes, it was broken less often than the Enigma;
but there were fewer intercepts, and the more restricted distribution of the machine
makes it likely that it was more carefully used.) Had the routing of signals to the
various inversion and swapping relays changed with every character, instead of merely
being a static part of the key, the system might have been significantly more secure. Of
course, even more important would be the change to pinwheels instead of cams.
It is interesting that one wire in the Swedish SA-1 seems to hold the key to the security
of that machine. That wire is the one from the first pinwheel bank which controls the
stepping of the second pinwheel bank. But can something that contains only a single bit
of information per five-bit character really provide security?
The M-228 is interesting, and as noted in the section on it, apparently a newer machine
existed that was like a SIGABA, except that the cipher rotors were used to encipher
teletypewriter signals in the fashion of the M-228.
This appears to strengthen the machine, since bits from two essentially independent
sources are XORed with the plaintext. Can we be sure that the bits from the cipher
rotors completely mask those from the control rotors, though, or could this design have
a weakness, by offering a "window" to the control rotors?
Next
Chapter Start
Table of Contents
Main Page
[Next] [Up/Previous] [Index]
Like DES, LUCIFER was an iterative block cipher, using Feistel rounds. That is,
LUCIFER scrambled a block of data by performing an encipherment step on that
block several times, and the step used involved taking the key for that step and
half of that block to calculate an output which was then applied by exclusive-OR
to the other half of the block. Then, the halves of the block were swapped, so that
both halves of the block would be modified an equal number of times.
Subkey generation
Each round uses a 72-bit subkey. The subkey for the first round consists of the
first byte of the key repeated twice, followed by the next seven bytes of the key.
Rotate the key left by seven bytes, then generate the subkey for the next round.
The f-function
XOR the right half of the block with the last eight bytes of the subkey for the
round.
Based on the bits of the first byte of the subkey for that round, swap nibbles in
the eight bytes of that result for those bytes which correspond to a 1 bit.
Use S-box 0 for the most significant nibble of each of these eight bytes, and S-
box 1 for the least significant nibble of each byte:
Input: 0 1 2 3 4 5 6 7
S-box 0 output: 12 15 7 10 14 13 11 0
S-box 1 output: 7 2 14 9 3 11 0 4
Input: 8 9 10 11 12 13 14 15
S-box 0 output: 2 6 3 1 9 4 5 8
S-box 1 output: 12 13 1 10 6 15 8 5
Permute the 64 bits of the result, numbered from 0 (for the most significant bit)
to 63 (for the least significant bit), by the following permutation:
10 21 52 56 27 1 47 38 18 29 60 0 35 9 55 46
26 37 4 8 43 17 63 54 34 45 12 16 51 25 7 62
42 53 20 24 59 33 15 6 50 61 28 32 3 41 23 14
58 5 36 40 11 49 31 22 2 13 44 48 19 57 39 30
After every round except the last one, the right and left halves of the block are
swapped.
Comments
Although LUCIFER has a larger block and key size than DES, it is considerably
more vulnerable to attacks from differential cryptanalysis, and is also weak due
to the regular nature of its key schedule.
However, this does not mean that the LUCIFER algorithm is useless. If a
reasonably good stream cipher is used both before and after LUCIFER, its
weaknesses essentially become irrelevant, and its strengths are still present. It
might indeed be argued that this kind of precaution ought to be used with DES as
well.
[Next] [Up/Previous] [Index]
Next
Chapter Start
Skip to Next Section
Table of Contents
Main Page Home Page
[Next] [Up] [Previous] [Index]
We know now for sure that the key was much too short. (Since that was written,
we learned that it was really much too short, thanks to this project.)
It's clear that the secret the NSA asked IBM not to reveal was the method of
differential cryptanalysis. Since the S-boxes were not optimized against linear
cryptanalysis, this proves that IBM didn't know about that attack back then.
Although the fact that the NSA did certify the design as secure might suggest that
the NSA didn't have that technique either, the inference is not really warranted:
the NSA is, after all, an agency noted for its reticence.
And there is also a result showing that DES with all sixteen subkeys specified
independently is not much stronger than a cipher with a 65-bit key.
DES is designed for implementation in hardware, and even includes some steps
which do not appear to strengthen the cipher at all but which are hard to perform
in software. If, however, DES had been a secret algorithm, these extra steps
would have helped to make it harder to determine the algorithm by analysis.
Details of DES
Variations of DES
Next Section
Chapter Start
Skip to Next Chapter
Table of Contents
Main Page
Home Page
[Next] [Up/Previous] [Index]
First, for no particularly good reason (except, just possibly, to group together the
most and least significant bits of uncompressed text characters) the bits of the
block are transposed according to the following permutation:
58 50 42 34 26 18 10 2 60 52 44 36 28 20 12 4
62 54 46 38 30 22 14 6 64 56 48 40 32 24 16 8
57 49 41 33 25 17 9 1 59 51 43 35 27 19 11 3
61 53 45 37 29 21 13 5 63 55 47 39 31 23 15 7
For 16 rounds, the left half, or the first 32 bits, is modified by being XORed with
a 32 bit result calculated from the right half of the block in its current state and
the subkey for that round. After each of the first 15 rounds, the halves are then
swapped.
The f-function
This calculation, known as the f-function, proceeds as follows:
The 32-bit right half of the block is expanded to 48 bits by means of this, the
expansion permutation:
32 1 2 3 4 5 4 5 6 7 8 9 8 9 10 11 12 13
12 13 14 15 16 17 16 17 18 19 20 21 20 21 22 23 24 25
24 25 26 27 28 29 28 29 30 31 32 1
The eight groups of four bits in the right half are each made the middle four bits
of a group of six bits in the result, and they are joined, on each side, by the bits
that were adjacent to them originally. Those two outer bits are, in a way,
supplementary to the four bits in the middle, since the S-box tables contain four
encodings of the middle bits, in which every different value has a different result,
selected by the two outer bits.
32 5 1 2 3 4 4 9 5 6 7 8
to allow the S-boxes to be laid out more simply, provided that one generated and
stored the subkeys with the same change in the order of their bits.)
After the right half of the block has been expanded to 48 bits, it is XORed with
the current round's 48-bit subkey. The result is then used as the input to eight
lookup tables, with a six bit input and a four bit output.
Then, the 32 bit result formed by the output of the eight S-boxes above in turn is
subjected to the following permutation, P:
16 7 20 21 29 12 28 17 1 15 23 26 5 18 31 10
2 8 24 14 32 27 3 9 19 13 30 6 22 11 4 25
One round of DES, with the f-function shown in detail, is illustrated by the
following diagram, accompanied by another diagram giving an overview of the
whole block cipher:
Round:
Overview:
After the sixteen rounds of DES are complete, the left and right halves of the
block together, not swapped in the last round, are then subjected to the inverse of
the initial permutation, which takes the bits from 1 to 64 of the block, and puts
them in the final result in this order:
40 8 48 16 56 24 64 32 39 7 47 15 55 23 63 31
38 6 46 14 54 22 62 30 37 5 45 13 53 21 61 29
36 4 44 12 52 20 60 28 35 3 43 11 51 19 59 27
34 2 42 10 50 18 58 26 33 1 41 9 49 17 57 25
Subkey generation
The 56-bit key used by DES is, when in standard format, stored in eight bytes, in
which the least significant bit of each byte is used for parity! Thus, the
permutation, called Permuted Choice 1, which divides the 56-bit key into two 28-
bit halves, acts on bits 1 through 7, 9 through 15, 17 through 23, and so on.
First half:
57 49 41 33 25 17 9 1 58 50 42 34 26 18
10 2 59 51 43 35 27 19 11 3 60 52 44 36
Second half:
63 55 47 39 31 23 15 7 62 54 46 38 30 22
14 6 61 53 45 37 29 21 13 5 28 20 12 4
Like the initial permutation and inverse initial permutation, permuted choice 1 is
irrelevant to the strength of DES, except insofar as it makes things awkward for
general-purpose computers. On the other hand, the permutation P is vitally
necessary to the cryptographic strength of DES.
The two 28-bit quantities are then subjected to successive circular left shifts of
different sizes before the subkey for each round is determined from them. These
circular left shifts, one of which is applied before the first subkey is taken, are in
order of the following sizes:
1 1 2 2 2 2 2 2 1 2 2 2 2 2 2 1
Note also that to decrypt, the only alteration in the DES algorithm is that the
subkeys are used in reverse order.
The 48-bit subkey for each round is extracted from the two 28-bit quantities, the
first consisting of bits 1 to 28, and the second of bits 29 to 56, by the following
permutation, Permuted Choice 2:
14 17 11 24 1 5 3 28 15 6 21 10
23 19 12 4 26 8 16 7 27 20 13 2
41 52 31 37 47 55 30 40 51 45 33 48
44 49 39 56 34 53 46 42 50 36 29 32
Note that, since only 48 bits are produced, some numbers from 1 through 56 are
absent. This permutation is important to the strength of DES. (Also, if the
implementation is modified to simplify the arrangement of the S-boxes, as noted
in the preceding parenthetical note, then this permutation is the one that must be
changed correspondingly, to 14 5 17 11 24 1, 3 10 28 15 6 21, and so on. Also,
likely the subkeys would be stored in 8-byte spaces, with each byte containing
only six bits of the subkey.)
Next
Chapter Start
Skip to Next Section
Table of Contents
Main Page Home Page
[Next] [Up] [Previous] [Index]
Variations of DES
DES, being the best known of a whole class of ciphers, has inspired many
suggestions for variations of it.
The initial permutation and inverse initial permutation, and perhaps also
permuted choice 1, could be removed, to obtain a cipher of equivalent intrinsic
strength, but simpler to perform on a computer.
The sixteen subkeys could be supplied directly as a key, instead of being derived
from a short 56-bit key. However, a result reported in Bruce Schneier's book
Applied Cryptography shows that the strength of that is only a slight
improvement on that of regular DES, essentially equivalent to using a 65-bit key.
If the eight S-boxes are moved, from their regular positions so that the order in
which they are applied to the successive six-bit groups of their input is 2, 4, 6, 7,
3, 1, 5, and 8, without altering the permutation P, DES remains highly resistant to
differential cryptanalysis, but becomes resistant to linear cryptanalysis as well.
(Any re-ordering of the S-boxes in which S-boxes 1, 7, and 4 are consecutive and
in that order can make DES very weak against differential cryptanalysis, as noted
in Biham and Shamir's original paper on differential cryptanalysis.)
RSA Data Security has recommended DESX, which is simply DES strengthened
by performing an XOR against additional key bits at the beginning and at the end
of encipherment.
One way in which DES might be strengthened by a simple modification that has
occurred to me is this: retain the initial and inverse initial permutations, but
perform them after rounds 4 and 12 of the cipher respectively. This way, they are
contributing something to its strength. Perhaps it would even be possible to use a
112-bit key, as follows: for the first 56 bits, generate the regular key schedule,
and use it during rounds 1 through 4 and 13 through 16. For the last 56 bits, use
the decrypting key schedule from those bits during rounds 5 through 12. Unlike
DESX, though, this kind of modification is only applicable if one is performing
DES encryption in software, not when using existing DES hardware.
Another possible way of using a 112-bit key would be by enhancing DES with an
idea I use in QUADIBLOC: use 32 subkeys, by applying the f-function twice,
first to the right half of the block, then to the first f-function output, before
XORing the result to the right half. This propagates changes in the block more
quickly.
Also, it would seem to me that one could obtain a very strong cipher by
alternating pairs of rounds of DES with rounds of SAFER, a block cipher based
on very different principles.
A more economical way to realize increased strength would be, perhaps, to take
the variation suggested above, with IP after round 4, and IIP after round 12, and
apply, before and after each of these permutations a user-supplied substitution,
part of the key, acting on the eight bytes of the block. The inverse of this
substitution would be used on deciphering. Since differential cryptanalysis
depends on substitutions being known, this would seem to improve the strength
of the cipher against that kind of attack; and, since a random substitution on the
possible byte values from 0 to 255 takes quite a bit more than 56 bits to describe
it, key size is also increased. Applying the substitution at the beginning and end
of the block cipher would probably be advisable as well; this would increase the
amount of this extra key that is actually used, and it would protect all sixteen,
rather than just the middle eight, rounds of the block cipher from outside scrutiny.
Next
Chapter Start
Table of Contents
Main Page Home Page
[Next] [Up] [Previous] [Index]
Description of SAFER
SAFER uses eight rounds. The first step for a round is to apply the first subkey
for the round to the eight bytes of the block. The operation by which each byte of
the subkey is applied to each byte of the block depends on which byte is used: the
sequence is
Then, the S-box is used. Those bytes to which the subkey was applied by an
XOR go through the regular S-box; those bytes to which it was applied by
addition go through the inverse S-box.
The S-boxes:
The regular box represents 45 raised to successive powers modulo 257 (with the
modulo 257 result then squeezed into a byte by being taken modulo 256):
64 53 72 156 81 47 59 85
227 192 159 216 211 243 141 177
255 167 62 220 134 119 215 166
17 251 244 186 146 145 100 131
Since the second S-box is the inverse of the first, it can be thought of as
containing logarithms base 45 modulo 257, although, given the intractability of
the discrete logarithm problem, it is not calculated that way directly, but is
instead just the inverse of the preceding one:
208 80 89 63 77 98 52 10
72 136 181 86 76 46 107 158
210 61 60 3 19 251 151 81
117 74 145 113 35 190 118 42
95 249 212 85 11 220 55 49
22 116 215 119 167 230 7 219
164 47 70 243 97 69 103 227
12 162 59 28 133 24 4 29
Then the second subkey for the round is applied to the block. This time, the
sequence of operations complements that used previously:
Then, the different bytes are mixed together without using a bit transpose.
Instead, arithmetic is used.
The first byte is replaced by twice the old first byte plus the old second byte. The
second byte is replaced by the old first byte plus the second byte. Only the last
eight bits of the sums are kept, of course.
This same method of combining the bytes is applied to the third and fourth bytes,
the fifth and sixth bytes, and the seventh and eighth bytes.
Then the bytes are interchanged; after the interchange, the order of the bytes
becomes
1 3 5 7 2 4 6 8
The mixing is performed on pairs of bytes again, and then the interchange, and
then the mixing.
After the eighth round, an extra subkey is applied in the same way as the first
subkey of each round.
The reverse of the method of mixing pairs of bytes is this: to get the old first
byte, subtract the new second byte from the new first byte. The old second byte is
the new second byte minus the old first byte, which is the same as twice the new
second byte minus the new first byte.
Subkey generation
In the original version of SAFER, the first 64-bit subkey was the key itself. To
generate successive subkeys, the individual bytes of the key were given a circular
left shift of 3 bits between the rounds, and the current result is then XORed with
a fixed constant for each round.
The first several constants are given, enough for up to 10 rounds. Originally, six
rounds were proposed for SAFER, but this was increased to 8. The constants are
also derived mathematically.
SAFER SK
A new version of SAFER, SAFER SK, has a more secure key schedule.
The 64-bit key is expanded by one byte, that byte being the XOR of all the
previous bytes. For generating the first subkey, that byte is ignored; for the
second, where the key would have been used, one instead takes the eight bytes
starting with the second byte of the nine-byte expanded key; for the second, start
with the third, and after the ninth go back to the first; and so on.
SAFER SK-40
A 40-bit version of SAFER-SK also exists, with the starting nine-byte expanded
key beginning with bytes 1 to 5 being the 40-bit key, and the remaining bytes
being, in order:
Next
Chapter Start
Skip to Next Section
Table of Contents
Main Page Home Page
[Next] [Up] [Previous] [Index]
The IDEA algorithm is interesting in its own right. It includes some steps which, at
first, make it appear that it might be a non-invertible hash function instead of a block
cipher. Also, it is interesting in that it entirely avoids the use of any lookup tables or S-
boxes.
IDEA uses 52 subkeys, each 16 bits long. Two are used during each round proper, and
four are used before every round and after the last round. It has eight rounds.
The plaintext block in IDEA is divided into four quarters, each 16 bits long. Three
operations are used in IDEA to combine two 16 bit values to produce a 16 bit result,
addition, XOR, and multiplication. Addition is normal addition with carries, modulo
65,536. Multiplication, as used in IDEA, requires some explanation.
The number 65,537, which is 2^16+1, is a prime number. (Incidentally, 2^8+1, or 257,
is also prime, and so is 2^4+1, or 17, but 2^32+1 is not prime, so IDEA cannot be
trivially scaled up to a 128-bit block size.) Thus, if one forms a multiplication table for
the numbers from 1 through 65,536, each row and column will contain every number
once only, forming a Latin square, and providing an invertible operation. The numbers
that 16 bits normally represent are from 0 to 65,535 (or, perhaps even more commonly,
from -32,768 to 32,767). In IDEA, for purposes of multiplication, a 16 bit word
containing all zeroes is considered to represent the number 65,536; other numbers are
represented in conventional unsigned notation, and multiplication is modulo the prime
number 65,537.
Description of IDEA
Let the four quarters of the plaintext be called A, B, C, and D, and the 52 subkeys
called K(1) through K(52).
Multiply the new value of F by K(6). Add the result, which is also the new value of F,
to E.
Change both A and C by XORing the current value of F with each of them; change
both B and D by XORing the current value of E with each of them.
Swap B and C.
Repeat all of this eight times, or seven more times, using K(7) through K(12) the
second time, up to K(43) through K(48) the eighth time. Note that the swap of B and C
is not performed after round 8.
The intricacies of IDEA encryption may be made somewhat clearer by examining the
following diagrams:
Details: Overview:
Decryption
How can the round in IDEA be reversed, since all four quarters of the block are
changed at the same time, based on a function of all four of their old values? Well, the
trick to that is that A xor C isn't changed when both A and C are XORed by the same
value, that value cancels out, no matter what that value might be. And the same applies
to B xor D. And since the values used are functions of (A xor C) and (B xor D), they
are still available.
This cross-footed round, rather than a Feistel round, is the most striking distinguishing
factor of IDEA, although its use of multiplication, addition, and XOR to avoid the use
of S-boxes is also important.
Those that are added are replaced by their two's complement. Those that are multiplied
in are replaced by their multiplicative inverse, modulo 65,537, in IDEA notation when
used to change blocks directly, but those used to calculate the cross-footed F-functions
are not changed. Keys XORed in would not need to be changed, but there aren't any
such keys in IDEA. Due to the placement of the swap, the first four keys for decryption
are moved somewhat differently than the other keys used for the same operation
between rounds.
KD(1) = 1/K(49)
KD(2) = -K(50)
KD(3) = -K(51)
KD(4) = 1/K(52)
and they do not quite follow the same pattern as the remaining subkeys which follow.
The following is repeated eight times, adding 6 to every decryption key's index and
subtracting 6 from every encryption key's index:
KD(5) = K(47)
KD(6) = K(48)
KD(7) = 1/K(43)
KD(8) = -K(45)
KD(9) = -K(44)
KD(10) = 1/K(46)
Subkey generation
The 128-bit key of IDEA is taken as the first eight subkeys, K(1) through K(8). The
next eight subkeys are obtained the same way, after a 25-bit circular left shift, and this
is repeated until all encryption subkeys are derived.
This method of subkey generation is regular, and this may be a weakness. However,
IDEA is considered to be highly secure, having stood up to all forms of attack so far
tried by the academic community.
Next
Chapter Start
Skip to Next Section
Table of Contents
Main Page
Home Page
[Next] [Up] [Previous] [Index]
Skipjack
Skipjack, the originally secret algorithm associated with the infamous Clipper chip, was
declassified on Tuesday, June 23, 1998, and appeared as a .PDF document at the NIST web
site the following morning.
The basic round type of Skipjack forms another alternative, alongside those offered by SAFER
and IDEA, to the Feistel round structure seen in DES, LUCIFER and Blowfish, among other
block ciphers. In each round, one of four quarters of the block is subjected to four Feistel
rounds on a small scale, and one other quarter is modified by being XORed with the round
number and the quarter that went through the mini-Feistel cipher, either before or after that
step. No bit transposes are required in Skipjack, making it efficient to implement on a general-
purpose computer.
Skipjack has 32 rounds. These rounds are of two types, A and B. A type A round proceeds as
follows:
The first quarter of the block (called W1) is enciphered by the "G permutation", which is
actually a four-round Feistel cipher. The result, and the round number (where round numbers
go from 1 through 32), are XORed with the fourth quarter of the block (W4). Then each
quarter of the block is moved to the next position; W1 to W2, W2 to W3, W3 to W4, and W4
back to W1.
The second quarter of the block (W2) is XORed with the round number and the first quarter of
the block (W1). Then the first quarter of the block is enciphered by the "G permutation".
Again, each quarter of the block is moved to the next position; W1 to W2, W2 to W3, W3 to
W4, and W4 back to W1.
The rotation of quarters of the block is not omitted after the last round. The 32 rounds of
Skipjack consists of eight type A rounds, eight type B rounds, eight type A rounds, and eight
type B rounds. Note that by having a type A round first, and a type B round last, the form of
the first quarter on the "inside" is XORed with one of the other quarters in the first and last
rounds.
Permutation G is a four-round Feistel cipher, involving dividing its 16-bit input into two 8-bit
halves. Like DES, the left half of the block is not changed in each round, but acts as input to
the f-function, the output of which is XORed to the right half. Unlike DES, the two halves are
swapped after the last round (as the algorithm has only four rounds, all four iterations of the f-
function can be illustrated, going alternately from right to left, and then from left to right; in
that form, no swaps at all are required).
The f-function of the G permutation is as simple as one might expect for an f-function only 8
bits wide: the input is first XORed with the current round's subkey, and then the result is
substituted according to a lookup table, called F.
The subkeys for G, each one byte long, are simply four consecutive bytes of the 80-bit key.
The first four bytes are used in the first round, the next four bytes in the second, the last two
bytes followed by the first two bytes in the third, and so on.
which illustrates the first 12 rounds of Skipjack. The first round, of type A, is shown with the
G function illustrated in full. The next seven rounds, also of type A, are shown with the G
function indicated by a box marked with a G. Then the last four of the twelve rounds shown, of
type B, are showed the same way. There are dotted lines dividing the rounds in the diagram.
Instead of rotating the quarters of the block, the functions move between columns; since the
last rotation is not skipped, this illustration will show, if continued to include all 32 rounds, the
quarters ending up in their proper places without any final rotation being required.
The S-box of Skipjack, called F, which is the heart of the f-function of the Feistel mini-cipher
that is the G permutation, is as follows:
a3 d7 09 83 f8 48 f6 f4 b3 21 15 78 99 b1 af f9
e7 2d 4d 8a ce 4c ca 2e 52 95 d9 1e 4e 38 44 28
0a df 02 a0 17 f1 60 68 12 b7 7a c3 e9 fa 3d 53
96 84 6b ba f2 63 9a 19 7c ae e5 f5 f7 16 6a a2
39 b6 7b 0f c1 93 81 1b ee b4 1a ea d0 91 2f b8
55 b9 da 85 3f 41 bf e0 5a 58 80 5f 66 0b d8 90
35 d5 c0 a7 33 06 65 69 45 00 94 56 6d 98 9b 76
97 fc b2 c2 b0 fe db 20 e1 eb d6 e4 dd 47 4a 1d
42 ed 9e 6e 49 3c cd 43 27 d2 07 d4 de c7 67 18
89 cb 30 1f 8d c6 8f aa c8 74 dc c9 5d 5c 31 a4
70 88 61 2c 9f 0d 2b 87 50 82 54 64 26 7d 03 40
34 4b 1c 73 d1 c4 fd 3b cc fb 7f ab e6 3e 5b a5
ad 04 23 9c 14 51 22 f0 29 79 71 7e ff 8c 0e e2
0c ef bc 72 75 6f 37 a1 ec d3 8e 62 8b 86 10 e8
08 77 11 be 92 4f 24 c5 32 36 9d cf f3 a6 bb ac
5e 6c a9 13 57 25 b5 e3 bd a8 3a 01 05 59 2a 46
163 215 9 131 248 72 246 244 179 33 21 120 153 177 175 249
231 45 77 138 206 76 202 46 82 149 217 30 78 56 68 40
10 223 2 160 23 241 96 104 18 183 122 195 233 250 61 83
150 132 107 186 242 99 154 25 124 174 229 245 247 22 106 162
57 182 123 15 193 147 129 27 238 180 26 234 208 145 47 184
85 185 218 133 63 65 191 224 90 88 128 95 102 11 216 144
53 213 192 167 51 6 101 105 69 0 148 86 109 152 155 118
151 252 178 194 176 254 219 32 225 235 214 228 221 71 74 29
66 237 158 110 73 60 205 67 39 210 7 212 222 199 103 24
137 203 48 31 141 198 143 170 200 116 220 201 93 92 49 164
112 136 97 44 159 13 43 135 80 130 84 100 38 125 3 64
52 75 28 115 209 196 253 59 204 251 127 171 230 62 91 165
173 4 35 156 20 81 34 240 41 121 113 126 255 140 14 226
12 239 188 114 117 111 55 161 236 211 142 98 139 134 16 232
8 119 17 190 146 79 36 197 50 54 157 207 243 166 187 172
94 108 169 19 87 37 181 227 189 168 58 1 5 89 42 70
This was double-checked by looking at the inverse of this S-box generated by the same
program that converted what I typed from hexadecimal to decimal, as the S-box is a straight
permutation of the numbers from 0 to 255. In the original document in its electronic form,
lowercase c and e are sometimes difficult to distinguish.
For decipherment, each round is replaced by a corresponding deciphering round, and these
rounds are, of course, executed in the reverse of the enciphering order.
The first quarter, W1, is XORed with W2 and the round number (rounds now counting down
from 32 to 1). Then the second quarter, W2, is subjected to the inverse of the G permutation.
Then, each quarter is moved to the position of the preceding one; W1 to W4, W2 to W1, W3 to
W2, and W4 to W3.
The second quarter, W2, is subjected to the inverse of the G permutation. The third quarter,
W3, is then XORed with the round number and the changed value of W2. Again, each quarter
is moved to the position of the preceding one; W1 to W4, W2 to W1, W3 to W2, and W4 to
W3.
The deciphering equivalent of the G permutation involves using the four subkeys in reverse
order - and reversing the roles of the right and left halves of the 16-bit quarter block.
Comments
However, I have noted that the inconsistency involved may be more apparent than real.
Between the statements cited, and the declassification of SKIPJACK, a paper was published by
an academic researcher noting that Feistel ciphers of a particular type, specifically those in
which the f-function was itself a series of Feistel rounds, could be proven to be immune to
differential cryptanalysis.
SKIPJACK, although not precisely of that type, is closely related: one of the four subblocks
undergoes Feistel rounds, but in addition to the result being used, as an f-function output, on
another subblock, the subblock is also retained in its modified state.
Also, note that SKIPJACK consists of eight type A rounds, followed by eight type B rounds
twice, instead of sixteen type A rounds and then sixteen type B rounds. Since the type A
rounds are appropriate for the beginning of the cipher, and the type B rounds are appropriate
for its end, it might seem at first that this weakened the cipher. However, the boomerang
attack, which was discovered after the declassification of SKIPJACK, allows differential
cryptanalysis to be done independently on the first and last half of a block cipher; thus, if
SKIPJACK were composed of two halves, each with one type of round, it could have been
attacked as if it consisted of only a single type of round.
It may also be noted that a recent book, Top Secret Intranet, reveals that SKIPJACK was
considered adequate to safeguard information classified SECRET but not information
classified TOP SECRET. This appears to refer to early 1999, and may still be the case as of
this writing (May 1999). Also, note that SKIPJACK has an 80-bit key, the key-length limit for
exportable ciphers is 40 bits, and some suppliers of encryption equipment to the U.S.
government have advertised their equipment provides a 120-bit key or a 160-bit key. This may
be because 40 is a multiple of both 8 and 10, and 2^10 equals 1024, which is just over 1000.
Thus every 40 bits in a key can have just over a trillion possible values, making it easy to
express the number of possible keys in decimal terms.
One notes that the key consists of 10 bytes, which is a number of the form 4n+2. While it
might not increase the security of SKIPJACK to do so, if there are no subtle traps in the
structure of SKIPJACK, which appears to have a simple and uniform structure, it might be
possible to use a key composed of the next such number of bytes with it: 14 bytes. That is an
interesting possibility, because such a key would be a 112-bit key, exactly twice as long as the
key used in DES.
Next
Chapter Start
Skip to Next Section
Table of Contents
Main Page
Home Page
[Next] [Up] [Previous] [Index]
Blowfish
The Blowfish program was developed by author and computer security and
cryptography consultant Bruce Schneier. Blowfish is a cipher based on Feistel
rounds, and the design of the f-function used amounts to a simplification of the
principles used in DES to provide the same security with greater speed and
efficiency in software. The block ciphers Khafre and CAST have somewhat
similar rounds.
The main claim to fame of Blowfish, however, is in its method of key scheduling.
The round keys, and the entire contents of all the S-boxes, are created by multiple
iterations of the block cipher. This enhances the security of the block cipher,
since it makes exhaustive search of the keyspace very difficult, even for short
keys.
Description of Blowfish
Unlike DES, Blowfish applies the f-function to the left half of the block,
obtaining a result XORed to the right half of the block. Originally, I had said that
this departure from convention may cause confusion in reading the description of
Blowfish. However, upon further reflection, I think that it is really DES that is
creating confusion; the time sequence of events should move from left to right
(particularly in a design that is otherwise big-endian); this is generally what
happens in more recent designs, such as the AES candidates, and particularly in
ciphers with unbalanced Feistel rounds.
Blowfish consists of sixteen rounds. For each round, first XOR the left half of the
block with the subkey for that round. Then apply the f-function to the left half of
the block, and XOR the right half of the block with the result. Finally, after all
but the last round, swap the halves of the block. There is only one subkey for
each round; the f-function consumes no subkeys, but uses S-boxes which are key
dependent.
After the last round, XOR the right half with subkey 17, and the left half with
subkey 18.
The f-function
Blowfish uses four S-boxes. Each one has 256 entries, and each of the entries are
32 bits long.
To calculate the f-function: use the first byte of the 32 bits of input to find an
entry in the first S-box, the second byte to find an entry in the second S-box, and
so on. The value of the f-function is ((S1(B1) + S2(B2)) XOR S3(B3)) + S4(B4)
where addition is performed modulo 2^32.
Decryption
Decryption is the same as encryption, with the 18 subkeys used in reverse order.
At first, this seems unbelievable (although not quite as bad as understanding
decryption of IDEA), because there are two XOR operations following the last
use of the f-function, and only one preceding the first use of the f-function.
However, if you modify the algorithm so that use of subkeys 2 through 17 takes
place before the output of the f-function is XORed to the right half of the block,
and is done to the same data before that XOR, although that means it is now on
the right half of the block, since the XOR of the subkey has been moved before a
swap of the halves of the block, you have not actually changed anything since the
same information is XORed to the left half of the block between each time it is
used as input to the f-function. In fact, you can even move the XOR still earlier,
before the preceding swap of block halves. Once you do that, you have the exact
reverse of the decryption sequence.
Subkey generation
Begin by initializing subkeys 1 through 18, followed by elements zero through
255 of the first S box, then elements zero through 255 of the second S box, all the
way to element 255 of the fourth S box, with the fractional part of pi. The most
significant bit of the fractional part of pi becomes the most significant bit of the
first subkey.
Then, take the key, which may be of any length up to 72 bytes, and, repeating it
as often as necessary to span the entire array of 18 subkeys, XOR it with the
subkey array contents.
Then execute the Blowfish algorithm repeatedly, with an initial input of a 64-byte
block of all zeroes as plaintext input. After each execution, replace part of the
subkeys or S boxes with the successive outputs of Blowfish, in the same order as
the digits of pi in binary (or hexadecimal) form were placed in them; after the
first iteration, replace subkeys 1 and 2; after the tenth iteration, replace the first
two entries (0 and 1) in S-box 1; and so on.
For each iteration of Blowfish in key generation, also use the output of the
preceding iteration as input. (The original description of Blowfish in the April
1994 issue of Dr. Dobb's Journal could be interpreted to imply that zero should
be used as input for every iteration. As the later iterations only change individual
S-box entries, this could lead to large stretches of identical data in the S-boxes,
and is thus a misreading of the directions, not a slightly different original form of
the algorithm.)
Thus, loading Blowfish with a new key takes as much time as encrypting 521
blocks ((256*4+18)/2) in Blowfish. This gives Blowfish an extra 9 bits of
security against a brute force search for keys shorter than maximum length,
which makes the 32-bit, instead of 40-bit limit for export versions of Blowfish
reported by one individual just about exactly right. (Seems you just can't fool the
NSA.)
Next
Chapter Start
Skip to Next Section
Table of Contents
Main Page
Home Page
[Next] [Up] [Previous] [Index]
● Description of QUADIBLOC
❍ Euler's Constant and the QUADIBLOC S-boxes
● Quadibloc IX
● Quadibloc X
Next Chapter
Chapter Start
Table of Contents
Main Page
Home Page
[Next] [Up/Previous] [Index]
Description of QUADIBLOC
The intent of the following proposed block cipher is to provide a cipher which is at
least as secure as DES, and possibly somewhat more secure, which is reasonably
efficient when implemented in software, and is furthermore easy to implement.
Changes required for QUADIBLOC 99, which corrects known weaknesses in the
original QUADIBLOC (QUADIBLOC 96), are indicated in highlighted boxes.
Two S-boxes, taking 8 binary inputs uniquely to 8 binary outputs, are used, as well as
the inverse of the second S-box. The S-boxes are constructed from Euler's constant
(.57721...) as follows:
start with an array, A, such that A(0) is 0, A(1) is 1, up to A(255) which is 255. Place
Euler's constant to sufficient precision in ACC. Number of choices starts at 256, and is
decreased by 1 for each iteration; element to choose starts at 0, and increases by 1 for
each iteration. The iteration where Number of choices is 2 is the last iteration.
During each iteration, multiply ACC by Number of choices. Leave the fractional part
of the result in ACC; swap
A( Number of choices )
and
This generates S-box 1; repeat the procedure with the contents remaining in ACC to
obtain S-box 2. (ACC must be long enough to hold Euler's constant to sufficient
precision to support both applications of the procedure.)
The S-boxes are given on the page entitled Euler's Constant and the Quadibloc S-boxes.
In QUADIBLOC 99, a third S-box, generated by continuing the process, is also used.
In addition, the following 4 of 8 code for the numbers 0 to 63 is used during subkey
generation:
given the 6 bits abcdef, in the output word, let c stand for 01 if the bit c is 0, or 10 if the
bit c is 1, and let DD stand for 0011 if the bit d is 0, or 1100 if the bit d is 1, then
55 56 59 5A 65 66 69 6A 95 96 99 9A A5 A6 A9 AA
35 36 39 3A C5 C6 C9 CA 53 5C 63 6C 93 9C A3 AC
4D 4E 71 72 8D 8E B1 B2 17 1B 27 2B D4 D8 E4 E8
1D 1E 2D 2E D1 D2 E1 E2 47 4B 74 78 87 8B B4 B8
The cipher is an iterative block cipher, with 16 rounds and 48 subkeys, and uses Feistel
rounds: half the block is used to encipher the other half in each round. It operates on a
64-bit block, and has a 160-bit key.
Initially, the first 4 bytes of data to encrypt are taken as the left half, and the last 4
bytes are taken as the right half.
A copy of the right half, which will actually be unchanged by this round, is taken.
The copy is XORed with the round's first subkey (subkey 1 for round 1, subkey 4 for
round 2, to subkey 46 for round 16).
In QUADIBLOC 99, the fourth byte is instead replaced by its substitute in S-box 2.
The bits of the result, considered to be numbered from 1 (most significant bit of the
first, leftmost byte) to 32 (least significant bit of the last, rightmost byte) following the
pattern in DES, are to be transposed to lie in the following positions:
1 2 27 28 21 22 15 16
9 10 3 4 29 30 23 24
17 18 11 12 5 6 31 32
25 26 19 20 13 14 7 8
Note that this arrangement posesses a great deal of symmetry: only ONE version of S-
box 1, with 256 32-bit entries is needed to perform both the S-box substitution, and the
subsequent permutation, in a single step for efficiency on a computer without hardware
instructions for bit transposition. And, since no bits change their position within a byte,
a slower implementation, using S-box 1 with single byte entries, and doing the
transposition using masking, is also possible.
In QUADIBLOC 99, the symmetry of the bit transposition remains, but one expanded
version of S-box S2 is also required.
The 32 transposed bits are now XORed with the round's second subkey.
In QUADIBLOC 99, the value generated at this point is also retained, and is called
the intermediate result of the f-function.
Each byte of the result is again replaced by its substitute in S-box 1, and the bits of the
result are transposed as before.
In QUADIBLOC 99, in the second part of the f-function, the second and third bytes
are instead replaced by their substitutes in S-box 2.
The result is XORed with the round's third subkey. This produces the output of the f-
function.
Applying the f-function output to alter the left half of the block:
In a QUADIBLOC 99 type A round, the first (leftmost) half of the intermediate result
of the f-function is used to control an ICE-style swap of bits between the halves of the
left half of the block at this time: each bit in that 16-bit quantity which is 1 indicates
that corresponding bits in the two halves of the 32-bit left half of the block are to be
swapped.
In a QUADIBLOC 99 type B round, the first (leftmost) half of the intermediate result
of the f-function is used to control an ICE-style swap of bits between the halves of the
left half of the block at this time: each bit in that 16-bit quantity which is 1 indicates
that corresponding bits in the two halves of the 32-bit left half of the block are to be
swapped.
The result is XORed with the result of the f-function applied to the right half.
In a QUADIBLOC 99 type B round, first the second and third bytes of the left half of
the block are swapped, and then the second (rightmostmost) half of the intermediate
result of the f-function is now used to control another ICE-style swap of bits between
the halves of the left half of the block: each bit in that 16-bit quantity which is 1
indicates that corresponding bits in the two halves of the 32-bit left half of the block
are to be swapped.
In a QUADIBLOC 99 type A round, first the second and third bytes of the left half of
the block are swapped, and then the second (rightmostmost) half of the intermediate
result of the f-function is now used to control another ICE-style swap of bits between
the halves of the left half of the block: each bit in that 16-bit quantity which is 1
indicates that corresponding bits in the two halves of the 32-bit left half of the block
are to be swapped.
Round: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
Type: A A B B A A B B B B A A B B A A
Except for the four middle rounds, this ensures that the ICE-style bit transpositions
alternate with the byte substitutions using S-box 3.
The swap:
the right half for the next round is the modified left half, after the XOR and the two
substitutions, subjected to a circular left shift of 8 bits (which can be carried out by
moving whole bytes, of course).
In QUADIBLOC 99, the swap is performed in all rounds except round 16 only. The
bit transpose after round 8 is removed as not having as much effectiveness as was
hoped for, and instead the ICE-style bit swap is added to every round. The circular left
shift of 8 bits is no longer part of the swap, and is replaced by the exchange of two
bytes preceding the last bit swap.
After round 8:
Subject the bits of the block, numbered from 1 to 64, from left to right, to the following
(reciprocal) bit transpose:
1 34 11 44 21 54 31 64 9 42 3 36 29 62 23 56
17 50 27 60 5 38 15 48 25 58 19 52 13 46 7 40
33 2 43 12 53 22 63 32 41 10 35 4 61 30 55 24
49 18 59 28 32 6 47 16 57 26 51 20 45 14 39 8
Each byte of the right half of the result is replaced by its substitute in S-box 2.
Nothing happens: the result at that point, without further swapping, is the output of the
cipher.
a) every bit of the f-function output depends on every bit of the right half of the block,
thus making propagation very rapid, and
b) the first half of the f-function can be thought of as substituting for the absence of an
expansion permutation and auxilliary S-box inputs as found in DES.
b) after every round except rounds 8 and 16, the modified left half from one round
becomes the right half for the next, and the unmodified right half receives a right
circular shift of 8 bits before becoming the left half for the next round, and
In QUADIBLOC 99, the swap of the second and third bytes in the left half of the
block is changed to take place after the first ICE-style swap and before the first use of
S-box 3. Also, now the ICE-style swap that occurs first uses the second (rightmost)
half of the intermediate result of the f-function as input, and the ICE-style swap that
occurs second uses the first (leftmost) half of the intermediate result of the f-function
as input.
c) the 16 groups of three subkeys for the 16 rounds are used in reverse order, but the
three subkeys within each group are still used in the same order.
The bit transpose with partial substitution between rounds 8 and 9 is intended to create
a 'wall' between the first 8 and the last 8 rounds that will make the cipher much harder
to analyze and solve.
The bit transpose has been removed since the boomerang attack has cast some doubts
on its efficacy.
Subkey generation:
The 160-bit key shall be expanded to 176 bits by applying the 4 of 8 bit code specified
above to each group of 6 bits in the last 48 bits of the key, thus expanding these 48 bits
to 64 bits. (This is done to prevent weak keys.)
In QUADIBLOC 99, the last 64 bits of the 160-bit key shall be used, reduced to 48
bits by ignoring the most significant two bits of each byte, as input to the 4 of 8 bit
code. This avoids having to perform unnecessary shift operations. Then, the 160-bit
key will be expanded to the following: the first 96 bits of the original 160-bit key, the
64 bits generated from the 4 of 8 code, and the last 64 bits of the original 160-bit key
XOR the first 64 bits of the original 160-bit key (so that the expanded key does not
contain both the original form, and the 4 of 8 encoding, of the same bits) to produce
an expanded key that is 224 bits long.
The first 128 bits of the result shall be divided into four 32-bit blocks, which shall be
called, from left to right, P, Q, R, and S.
P, Q, and R will be taken as the three subkeys for the current round, subject to an XOR
to be subsequently described.
Then, P, Q, and R shall be shifted left n bits, and S shall be shifted left 3n bits, with the
first n bits of P, then the first n bits of Q, then the first n bits of R being shifted into S,
while the bits shifted out of S into P, Q, and R will alternate, one bit at a time, into
these three registers/locations.
Before:
P) P1 P2 ... P32
Q) Q1 Q2 ... Q32
R) R1 R2 ... R32
S) S1 S2 ... S32
and after:
5, 6, 5, 5,
7, 7, 7, 7,
7, 8, 7, 7,
5, 6, 5, 5.
Each of the 48 subkeys thus generated will now be XORed with the leftmost 32 bits of
T, where T begins as the last 48 bits of the expanded key, and is given a right circular
shift of 17 bits after each use.
In QUADIBLOC 99, a right circular shift of 11 bits will be used after generating all
but the last of the 27 subkeys used by the first nine rounds, and then a right circular
shift of 17 bits will be used afterwards. Since the expanded key is 224 bits long, rather
than 176 bits long, T will be 96 bits long and will initially contain the last 96 bits of
the expanded key.
Euler's constant is defined as the limit, as n tends to infinity, of the sum of 1 + 1/2 + 1/3
+ ... up to 1/n, minus the natural logarithm of n, normally written:
n
/ ____ \
| \ 1 |
lim | > --- | - ln(n)
n -> infinity | /___ i |
\ i=1 /
Since
_n
/
| 1
| ---, dx = ln(n)
| x
_/
1
that is, the integral from 1 to n of 1/x with respect to x is the natural logarithm of n, the
following diagram illustrates what Euler's constant is in graphical form:
Allowing the graph to continue on indefinitely to the right, the boxes shown which are
divided into green and gray areas have a total overall area of 1. (Note that the vertical
scale in the graph is exaggerated compared to the horizontal scale for clarity.) Euler's
constant, .57721 56649... is the total of the areas of the gray parts of the boxes.
Because only scaling makes the shape of the graph of 1/x from 1 to 2 different from the
graph of 1/x from 2 to 4, or the graph of 1/x from 4 to 8, the following diagram:
illustrates a way in which it is possible to derive a formula for Euler's constant that would
only involve calculating the natural logarithm of 2.
(i+1)
infinity 2
____ ____
\ \ 1 1
gamma = (1 - ln(2)) + > (1 - ln(2)) - > --- - ---
/___ /___ i j
i = 1 i 2
j = 2 +1
By superimposing the areas from 1 to 2, from 2 to 4, and 4 to 8 after adjusting them to fit,
one sees that another series for Euler's constant, not involving any logarithms, is possible,
as it is (1/2 - 1/3) + 2 * ((1/4 - 1/5) + (1/6 - 1/7)) + 3 * ((1/8 - 1/9) + (1/10 - 1/11) + (1/12 -
1/13) + (1/14 - 1/15)) + ..., or, in other words:
(i+1)
infinity 2 - 1
____ ____
\ \ (j-1) 1
gamma = > i * > (-1) * ---
/___ /___ j
i = 1 i
j = 2
Euler's constant is more difficult to calculate than the square root of 2, e, or pi, and it is
less well understood. Mathematicians have not yet proven which of rational, algebraic, or
transcendental it is.
The S-boxes constructed from Euler's constant (.57721 56649...) for use in the Quadibloc
series of block ciphers are derived as follows:
start with an array, A, such that A(0) is 0, A(1) is 1, up to A(255) which is 255. Place
Euler's constant to sufficient precision in ACC. Number of choices starts at 256, and is
decreased by 1 for each iteration; element to choose starts at 0, and increases by 1 for each
iteration. The iteration where Number of choices is 2 is the last iteration.
During each iteration, multiply ACC by Number of choices. Leave the fractional part of
the result in ACC; swap
A( Number of choices )
and
This generates S-box 1; repeat the procedure with the contents remaining in ACC to
obtain S-box 2. (ACC must be long enough to hold Euler's constant to sufficient precision
to support both applications of the procedure.)
A BASIC program to generate these S-boxes is given here. And this BASIC program
produced the DATA statements it required from a file containing the value of Euler's
constant.
Here are the S-boxes thus produced. S-boxes from 1 through 4 are used in several of the
ciphers in the Quadibloc series. S-boxes 5 and 6 are combined into one S-box with 512
entries, called S5, in Quadibloc II and III, and similarly S-boxes 7 and 8 become S6 and S-
boxes 9 and 10 become S7. S-box 11 is used under the name S9 in Quadibloc III.
S-box 1 is:
S-box 2 is:
187 91 192 149 175 80 48 231
19 23 210 35 104 31 72 111
180 20 79 100 45 173 240 113
63 236 201 69 118 181 248 185
115 62 29 166 253 67 60 41
247 124 101 24 135 87 221 144
197 188 93 65 123 142 207 195
105 53 163 145 190 18 130 76
233 251 146 161 193 211 10 235
83 14 174 96 27 151 126 112
43 34 117 157 56 5 219 22
155 4 213 186 245 66 214 196
246 64 49 147 71 61 133 37
12 227 121 17 68 143 165 176
191 232 8 116 238 59 184 102
224 138 170 11 39 205 36 244
183 140 217 228 237 209 212 42
177 77 208 78 25 242 15 50
114 81 97 0 154 13 216 2
119 152 250 88 220 171 127 103
1 21 74 70 252 200 92 156
73 32 226 95 150 99 167 122
182 84 47 136 3 162 125 139
98 153 158 134 172 239 168 178
85 194 249 51 128 33 38 223
107 254 141 241 148 46 120 198
137 75 132 108 58 243 225 204
89 129 131 16 203 255 44 86
160 189 230 106 215 55 222 229
94 164 82 202 26 179 6 7
199 90 30 54 57 40 109 28
206 9 110 52 218 234 169 159
S-box 3 is:
S-box 4 is:
S-box 5 is:
S-box 7 is:
S-box 8 is:
S-box 9 is:
S-box 10 is:
S-box 11 is:
Next
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]
Variations of QUADIBLOC
QUADIBLOC-80
Using QUADIBLOC with the initial key formed by concatenating the 80-bit key with
its inverse (one's complement, bitwise negation), encipher the following:
1) Expand the first 18 bits of the key to 24 bits using the 4 of 8 bit code in
QUADIBLOC; repeat these as often as required to XOR with the last 64 bits of the
key. (Yes, 2 bits are used twice.)
2) Take the first 64 bits of the key; XOR with the 24 bits formed by expanding the last
18 bits of the key, repeated starting from the right.
3) Form a 48-bit string by XORing the first 40 bits + 00000000 with 00000000 + the
last 40 bits; convert that to 64 bits using the 4 of 8 bit code on all of it.
Using the 192 bits which result from these three block encryptions, convert to a 160-bit
key as follows:
concatenate the 64 bits of 1) enciphered with the 64 bits of 2) enciphered and the first
(leftmost, most significant) 32 bits of 3) enciphered,
and XOR these 160 bits with the last 32 bits of 3) enciphered, repeated five times.
QUADIBLOC-64
Expand a 64-bit key to an 80-bit key by converting the first 48 bits of the key to 64
bits, using the 4 of 8 bit code. This, concatenated with the last 16 bits, makes 80 bits.
Then XOR the 64 bit key with that, repeated 2 and 1/2 times. (The last one-half uses
the first 32 bits.)
QUADIBLOC-40
Expand the 40-bit key to an 80-bit key by concatenating it with its inverse.
Produce a 160-bit key from this as outlined for QUADIBLOC-80.
Expand the 40-bit key to 52 bits by converting the first 36 bits to 48 bits using the 4 of
8 bit code. XOR the 52 bit result (48 expanded bits + 4 original bits) starting with a
whole block on the left repeatedly with the 160-bit result to get the 160-bit key to use.
QUADIBLOC-320
The first half is used to generate subkeys normally, and so is the second half. First-half
subkeys are used in rounds 1, 2, 5, 6, 9, 10, 13, and 14; second-half subkeys are used in
rounds 3, 4, 7, 8, 11, 12, 15, and 16.
QUADIBLOC-640
The key is divided into four quarters, each of which is used to generate subkeys
normally, and the subkeys generated from the first quarter are used in rounds 1, 2, 9,
and 10; from the second in 3, 4, 11, and 12; from the third in 5, 6, 13, and 14; and from
the fourth in 7, 8, 15, and 16.
Enhanced QUADIBLOC
S-box 2, in QUADIBLOC, is used only when enciphering, and its inverse is used when
deciphering. Since this S-box gets changed anyways, Enhanced QUADIBLOC is
QUADIBLOC changed in that S-box 2 is part of the key, and supplied by the user,
instead of being the fixed value shown in the definition of QUADIBLOC.
Next
Chapter Start
Skip to Next Section
Table of Contents
Main Page
Home Page
[Next] [Up] [Previous] [Index]
- Ease of implementation,
- Security, and
QUADIBLOC-640 can have its effective key size shortened by from 32 to 64 bits
through a meet-in-the-middle attack.
Since Quadibloc uses one S-box all the way across in the F-function, if Quadibloc had
weak keys (which, fortunately, it doesn't) it would have a rotational symmetry for all
rotations of a multiple of 8 bits applied to the two halves of the block together. The
permutation after round 8 also limits the damage this would do.
It probably has much worse ones than that, but I don't have the prestige to get Eli
Biham et al to do my work for me... .
Does doing an XOR after the substitution and P-permutation in the F-function leak key
bits?
Should an odd value, instead of 8 bits, be used for the circular shift done along with the
swap of halves?
The F-function is more complicated than that of DES in some ways, but unlike that of
DES, it isn't a one-way hash; it's invertible.
The P-permutation, and the "wall" permutation used after round 8, are both regular.
Additional notes:
The use of a single S-box all the way across in the f-function also means that if
characteristics are found for applying differential cryptanalysis, it is easier to use them
in successive rounds. However, the fact that the S-box has 256 entries, the fact that the
f-function is doubled, and the use of S-box 2 on the left half, all make a differential
attack unlikely.
The use of a permutation after round 8 is not as total an obstacle to analysis as I had
originally thought. It is no hindrance whatever to the boomerang attack, discussed in
the section on differential cryptanalysis. However, in addition to a permutation, I also
put the right half of the block through S2 both before and after (the left half goes
through S2 anyways). Thus, it does not appear at this time that the boomerang attack
requires immediate alterations to the QUADIBLOC design.
I can think of two obvious improvements that I avoided for the sake of ease of
implementation.
- Replace the swap plus circular shift with a straight swap, but in ALL 16 rounds, after
the XOR, and before the second use of S-box 2, do a right circular shift of 12 bits on
the left half of the block.
DES could be made TOTALLY insecure by stripping just TWO elements from it:
- remove the expansion permutation, changing all the S-boxes to have 4 inputs as well
as 4 outputs;
Quadibloc relies on the fact that it uses a simple S-box followed by a regular P
permutation, and repeats that process twice. The first application substitutes for the
expansion permutation, as well as providing some security of its own.
In addition, after round 8, a non-keyed scramble that makes every bit of the block
depend on every other bit is applied, in hopes of frustrating analysis. S-box 2 gets extra
use here, but the bit transpose differs from the rest of the cipher.
The key is expanded slightly, from 160 bits to 176 bits, using a 4 of 8 code. The 4 of 8
code is not intended to have any security properties, since it would not contribute to the
security of the cipher if it were more random. What it DOES do is eliminate weak keys,
like all zeroes or all ones.
Also, by XORing key material before AND after the use of S box 1, complementation
properties are eliminated.
DES has a 56 bit key, 48 bits of which are used in each round.
Quadibloc has a key of 160 bits. This is expanded to 176 bits; then, 128 bits are used in
each round to generate an effective round subkey which is 96 bits in length.
DES uses engineered S-boxes with auxiliary inputs from adjacent nibbles for
heightened nonlinearity, and an irregular bit transpose P. The S-boxes are based on
multiple permutations of (0..15). The key material is applied by an XOR prior to using
the S-boxes.
DES simply XORs the f-function output with the left half.
Quadibloc uses a second S-box before and after the XOR with the f-function output.
Thus, plaintext actually goes through an S-box, which seems intuitively more
satisfying.
How should I know? After all, it is secret, and I have had no access to
the secret.
Quadibloc was designed in one weekend by one person with neither any
particularly relevant academic credentials nor relevant cryptanalytic
experience (hey, I do have an M.Sc. in Nuclear Physics!). Skipjack was
designed by the top cryptographers and cryptanalysts in the U.S.,
entrusted with guarding the nation's security.
You and I don't get to make use of Skipjack without key escrow,
Quadibloc doesn't have this problem.
(Note that, since this was written, Fortezza PCMCIA cards without key
escrow were made available to the public in the U. S., which was an
interesting, and perhaps even amusing, development in the ongoing
Clipper Chip saga.)
At present, I no longer have the excuse I began that section with, as Skipjack has now
been declassified. (I write these words as part of the update of these pages to include its
description!)
Skipjack has a regular key schedule, which would seem to open up the possibility of
related-key attacks; Quadibloc has an irregular one, based on that of DES.
Quadibloc's f-function has two stages to it, which was an apparent innovation at the
time. However, Skipjack's G permutation is actually a four-round miniature block
cipher with a 16-bit block.
The natural key size of Quadibloc is only 160 bits, while Blowfish makes full use of a
key up to 384 bits in length.
On the other hand, the added complexity of the F-function may be to the credit of
Quadibloc. On balance, though, it may be fair to say that the advantages of Blowfish
over Quadibloc in security are of a sort likely to have real- world value, while the
advantages of Quadibloc are of a more theoretical nature.
Very little.
Possible results:
Not worried. Saddam Hussein has already heard of IDEA, Triple-DES, Blowfish...if
the NSA thinks I have endangered U.S. national security, then they've done so, by
choosing to live in a fool's paradise.
Probability slightly lower than that of one of the primes in your RSA modulus actually
being a Carmichael number.
The intent of boring the world with yet another block cipher should, however, be stated.
Due to restrictions on source code export, (which may not apply to us lucky Canadians)
I have chosen to lead the way in showing that a secure algorithm can be designed to be
so simple to implement that coding it is trivial, and does not depend on giant S-boxes
or difficult mathematics which requires access to a reference source code
implementation.
Also, Quadibloc illustrates techniques that could be applied to other ciphers. Doubling
the F-function is possible in Blowfish quite simply (you will need more pi); and it
could even be done in DES, with more violence to the key schedule. (In fact, it is
probably one of the more secure ways to create a 112-bit key DES variant.)
Next
Start of Section
Skip to Next Section
Table of Contents
Main Page
Home Page
[Next] [Up] [Previous] [Index]
Key Augmentation
The key schedule of QUADIBLOC, while designed to avoid weak keys, and resist
related-key attacks, is still something of an afterthought compared to the rest of the
cipher.
A procedure to add 64 bits to the key of any variant of QUADIBLOC, and improve its
key schedule (which may be applied repeatedly, even to the extent of modifying the
key for every block enciphered, causing QUADIBLOC to act as sort of a stream
cipher) is described here.
First, the key to be augmented is to be used normally to generate the 48 32-bit long
subkeys used by QUADIBLOC.
The second subkey for each round is to be replaced by the previous value of the first
subkey for the previous round. The second subkey for round 1 is to be replaced by the
previous value of the first subkey of round 16.
The third subkey for each round is to be replaced by the previous value of the second
subkey that round.
The first subkey for each round is to be replaced by the previous value of the third
subkey for that round.
Then, the saved f-function values are to be applied by being XORed with subkeys (the
result replacing the former value of the subkey) in the following sequence:
The f-function for round:
9 7 11 5 13 3 15 1 16 2 14 4 12 6 10 8
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
The left half of the result of the QUADIBLOC encryption is to be XORed with the
second subkey for the first round.
The right half of the result of the QUADIBLOC encryption is to be XORed with the
third subkey for the ninth round.
Three key augmentations will ensure that every subkey is XORed with one f-function
output; twenty-four key augmentations will ensure that every subkey is XORed with
one of the halves of an encryption result.
55330FAACCF05533
Key Extension
In addition to key augmentation, the use of a longer key can be permitted by the use of
the following operation, intended to be applied after key augmentation has been
applied to a previous set of subkeys.
In key extension, a new 160-bit key is used to generate subkeys in the normal fashion,
but the resulting subkeys are then XORed to the existing subkeys instead of replacing
them.
Thus, an alternative variant of QUADIBLOC with a 320-bit key can be achieved by:
● Using the first 160 bits as a key to generate an initial set of subkeys.
● Performing closed key augmentation.
● Performing key extension with the remaining 160 bits of the key.
● Performing closed key augmentation.
Next
Start of Section
Table of Contents
Main Page
Home Page
[Next] [Up] [Previous] [Index]
Quadibloc II
Although this expanded version of Quadibloc is a cipher with a 128 bit block size, I am not trying to detract from
the importance of the candidate ciphers for the AES process. Prior to the deadline for a submission, I had
considered a few designs, but I had nothing that I was quite satisfied with. Precisely because the other designs
were now available to examine, I was able to find the "missing pieces" needed to complete a design.
This design allows key lengths of 128, 192, or 256 bytes, and in fact also allows keys of any length in the
sequence starting 128, 144, 160, 176... provided that the key is not longer than 36 bytes times the number of
rounds. The number of rounds can be 8, 12, 16, 20, 24, 28, 32, 36..., any multiple of 4 greater than or equal to 8.
One round of Quadibloc II takes perhaps 7 1/2 times as long as a round of DES, although a more optimistic
estimate might be 3 3/4 times as long. Thus, 8-round Quadibloc II might manage to take less than 6 times as long
as DES even with the initial estimate, and that would make Quadibloc II more efficient than Triple-DES. (The
estimate is based on the fact that a round of DES requires eight fetches of a 32-bit quantity from a table; a round
of Quadibloc II requires 24 fetches of a 32-bit quantity, and 24 fetches of an 8-bit quantity.)
This design also begins life with an unfair advantage: it partly results from the inspiration provided by the
various AES candidates, and has, in fact, swiped good ideas from two or three of them at least. In any case, this
design is proposed not as something that would have been a potential candidate were it not too late, but instead,
particularly in its 32-round form, as something for those people who want a very secure block cipher without
concern for efficiency.
Instead of two S-boxes, this design uses ten S-boxes generated from Euler's constant, by repeating the following
process, the same one as used in the original QUADIBLOC:
● Load Euler's constant into a very long multi-precision register which is simulated by an array.
● Repeat the following for each S-box to be created.
● Load an array with the numbers from 0 to 255 in order. A pointer to an element of the array is set to point
to the first element in the array, and is called TARGET.
● Repeat the following for each of the integers from 256 down to 2; call the current integer SIZE.
● Multiply the contents of the multi-precision register by SIZE. Leave the fractional part of the result in the
multi-precision register; call the integer part of the result CHOICE. (CHOICE will be an integer from 0 to
SIZE minus one.)
● Swap the elements TARGET and TARGET + CHOICE in the 256-element array. (If CHOICE is zero, do
nothing for this step.)
● Proceed to the next number from 256 down to 2.
● The 256-element array now contains a complete S-box. Save or print out its contents.
● Proceed to the next S-box to be generated.
As previously noted, I chose Euler's constant instead of, say, pi, because the mathematical theory behind Euler's
constant is more complicated than that behind pi, which in turn is somewhat more complicated than e, the base of
the natural logarithms.
The first four of these S-boxes are likely to be stored as arrays of 256 32-bit words, with the bits spread out
reflecting the P permutation, which is again the same one as used in QUADIBLOC, and is as follows:
The bits
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32
become
1 2 27 28 21 22 15 16 9 10 3 4 29 30 23 24
17 18 11 12 5 6 31 32 25 26 21 22 13 14 7 8
and this permutation is to be interpreted according to the following convention: the numbers in the bottom
sequence identify the source of each bit in the permuted result in order.
The round structure of Quadibloc II uses essentially the same f-function as was used in QUADIBLOC, with one
addition: after the second substitution/permutation layer, and the third XOR of subkey material, the 32-bit
subblock then goes through a key-dependent S-box. No permutation follows this S-box.
Three out of four 32-bit subblocks are used as input to f-functions. The f-function of the first subblock is used to
supply additional inputs both to the other two f-functions and to the application of their outputs to the fourth
subblock, which they modify.
There are other things going on in the round, and there are some minor changes to the f-function as well. The
following diagram shows how the main part of a round proceeds:
The dotted lines show a part of the round which is required if less than 32 rounds are used, but which, involving
as it does use of intermediate results from the f-function might produce some theoretical advantages if omitted.
Before the regular rounds of Quadibloc II begin, and after they end, there is an additional phase of extra
manipulations the purpose of which is to make life more difficult for the cryptanalyst. This phase is shown in the
following diagram which gives an overview of Quadibloc II:
The wide boxes are the key-dependent byte permutations; the fixed permutations that take place between regular
rounds are shown as wire crossings.
Initially, the block is divided into 16-bit units, which undergo substitution by means of a miniature block cipher
of four Feistel rounds with the key-dependent S-box S8 as the f-function. First the leftmost byte in each pair of
bytes is used to index into S8, finding the byte to XOR with the rightmost byte, and then it is done in the reverse
direction, and so on, alternating for four rounds.
Then, each half of the block undergoes two rounds of Feistel encryption with a simplified f-function having only
one S/P (substitution/permutation) layer. For faster diffusion, each f-function output is, in two of the rounds,
XORed with the two subblocks in the other half of the block, and in the other two used to control swapping bits
bitween those two subblocks, in the fashion pioneered by ICE. This operation is illustrated below:
The f-function consists of:
Four rounds are performed. In each round, the f-function of one subblock is XORed to the other subblock in the
same half of the block. In the outer two rounds, that output is also XORed to the two subblocks in the other half;
in the inner two rounds, it is used to control the swapping of bits between those two subblocks, a 1 bit
corresponding to a bit position where swapping occurs, as was done in the block cipher ICE. The four subblocks
are chosen in order, from left to right, as the input to the f-function.
Then, the bytes of the block are again rearranged according to a key-dependent permutation. A similar
transformation takes place at the end. (MARS, of course, uses a different round structure before and after the
main part of the cipher, but here the main idea swiped, but placed in a new form, is the idea of FROG. Instead of
making the targets of XORs key-dependent, a key-dependent rearrangement of the bytes before a series of XORs
achieves the same thing with a simpler key setup.)
The changes required to decipher in Quadibloc II are hinted at by the following diagram:
The initial and final miniature Feistel rounds need not be changed. The degenerate rounds with a short f-function
have to operate on the four subblocks in reverse order, as well as using the subkeys in reverse order. The regular
round experiences these changes: the steps changing the fourth subblock need to be reversed as well as being
done in reverse order: thus, the substitution layers use the inverses of S7, S6, and S5; and the XOR/plus stages
take the f-function of the third subblock first, then that of the second; also, more subtly, the order in which the
two intermediate results of the f-function of the first subblock are XORed to the second and third subblocks are
reversed.
The first four S-boxes generated above are called S1 through S4, and function as S-boxes with 8 inputs and 8
outputs in the first f-function. But in the next two f-functions, they are combined in pairs to form S-boxes with 9
inputs and 8 outputs. This is shown on the diagram: S1/S3 is an S-box that acts like S1 when the extra input is
zero, and like S3 when the extra, most significant or leftmost, input is one.
S-boxes S1, S2, S3, and S4 are as given in the page on Euler's Constant and the Quadibloc S-boxes.
The Rounds
In detail, the round proceeds in this manner; and hopefully the diagram above will enable you to follow the
lengthy description below:
● The first subblock is used as input to the first f-function, calculated as follows:
❍ The first subkey for the round is XORed to it.
❍ The four bytes of the current value are substituted using S1, S1, S2, and S2, from left to right.
(Note that this method of avoiding cyclic symmetry, with a bare minimum of S-boxes, comes from
LOKI 97.)
❍ The result is permuted by the QUADIBLOC permutation P. (This permutation is simple and
uniform, to minimize storage needed to hold the S-box outputs after permutation for a common
optimized implementation of ciphers like this and like DES: this is one way in which I am
specifically differing from LOKI 97.)
❍ The current subblock value is the first intermediate value from the first f-function, and is used
later.
❍ The second subkey for the round is XORed in.
❍ The current value's four bytes are substituted in S-boxes S3, S4, S3, and S4 from left to right.
❍ This result is now the second intermediate value from the first f-function.
❍ The four bytes of the result are substituted by means of the key-dependent S-box, S8.
❍ The result is the output of the first f-function. Its bits are considered to be numbered from 1 to 32
from left (MSB of first byte) to right (LSB of last byte), and they will be used individually in
groups of four in what follows.
● The first subblock remains unchanged going into the next round, although an f-function was calculated
from it.
● The second subblock is modified: its new value will be itself XORed with the XOR of the two
intermediate results from the first f-function. The third subblock is also modified in this same way.
However, the input to the second f-function is the second subblock XORed with the first intermediate
result only, and the input to the third f-function is the third subblock XORed with the second intermediate
result only. This can be achieved as follows:
❍ XOR the second subblock with the first intermediate result.
❍ XOR the third subblock with the first intermediate result. (Note that this method of applying the
intermediate results to the middle subblocks is similar to the ingenious technique of applying key
material in LOKI 97. Here, the intent is twofold: to conceal the f-function input, and to minimize
the risk of attack created by the additional use of intermediate f-function results in the round.)
● The second f-function is calculated using its input and the fourth, fifth, and sixth subkeys for the round. It
differs from the first f-function in these particulars:
❍ The intermediate results are not saved.
❍ The first S-box stage consists of placing all four bytes of the current result into the compound S-
box S1/S3. For each byte, the corresponding bit from bits 1 to 4 of the first f-function output
indicate whether that S-box acts like S-box S1 for that byte or like S-box S3.
❍ The second S-box stage consists of placing all four bytes of the current result into the compound S-
box S2/S4. For each byte, the corresponding bit from bits 5 to 8 of the first f-function output
indicate whether that S-box acts like S-box S2 for that byte or like S-box S4.
● The third f-function is calculated using its input and the seventh, eighth, and ninth subkeys for the round.
It is very similar to the second f-function, but the S-boxes are again slightly different, as follows:
❍ As with the second f-function, the intermediate results are not saved.
❍ The first S-box stage consists of placing all four bytes of the current result into the compound S-
box S1/S4. For each byte, the corresponding bit from bits 9 to 12 of the first f-function output
indicate whether that S-box acts like S-box S1 for that byte or like S-box S4.
❍ The second S-box stage consists of placing all four bytes of the current result into the compound S-
box S2/S3. For each byte, the corresponding bit from bits 13 to 16 of the first f-function output
indicate whether that S-box acts like S-box S2 for that byte or like S-box S3.
● The fourth subblock is the one that undergoes the most thorough modification, the change that is the point
of the round. (The changes to the second and third subblocks were an afterthought that may create the risk
of a weakness in the cipher, but which were necessary to make it possible that the cipher could be secure
after only eight rounds, instead of thirty-two, as might be needed if only one subblock were modified in
each round.) This modification proceeds as follows:
❍ The four bytes of the subblock are substituted for using S-box S5, with bits 17 through 20 of the
first f-function output used as the most significant bit of the S-box input for each byte (that
switches between two different permutations of the numbers 0 through 255).
❍ The output of the second f-function is applied to the result. Bits 29 through 32 of the first f-
function output determine if each byte of the second f-function output is XORed (0) or added (1).
❍ The four bytes of the subblock are substituted using S-box S6, with bits 21 through 24 of the first f-
function output supplying the most significant bit of S-box input associated with each byte.
❍ The output of the third f-function is applied to the result. Bits 29 through 32 of the first f-function
output determine if each byte of the second f-function output is added (0) or XORed (1). (This use
of an addition or an XOR followed by its opposite is, of course, reminiscent of SAFER.)
❍ The four bytes of the subblock are now substituted using S-box S7, with the most significant bit of
each S-box input coming from bits 25 through 28 of the first f-function output.
This involved procedure constitutes the round. After each round except the last, a step corresponding to the swap
of left and right halves of the block in DES is performed. Here, however, the movement of individual bytes is
involved.
Bytes
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
become
15 16 8 11 13 1 9 10 2 14 5 6 7 4 3 12
5 10 15 16 9 14 3 12 13 6 7 4 1 2 11 8
if that is not the case (but the number of rounds must still be a multiple of 4, and must be at least 8). Both byte
permutations are presented as a series of 16 numbers giving the number of the source byte for each byte in the
result in order.
It might be noted that some time before I designed Quadibloc II, the idea of using different operations in a block
cipher, based on a data-dependent result in the cipher, played an important role in the block cipher "Anigma"
designed by Kostadin Bajalcaliev.
Key Generation
Each round of Quadibloc II requires nine 32-bit subkeys. In addition, the extra scrambling phases at the
beginning and end of the cipher require four subkeys each. Thus, 8-round Quadibloc II uses 80 subkeys, from K1
to K80, requiring 320 bytes of RAM.
The key for Quadibloc II must be at least eight bytes, or 64 bits, long, and may be any whole number of bytes up
to twice the length of the total size of the subkeys plus sixteen bytes, or 128 bits. Many maximum-length keys
will lead to duplicate internal key states of the cipher, of course; this maximum is an absolute maximum, beyond
which some bits of the key will simply be ignored in the keying process.
As well, S8, the key-dependent S-box, is subkey material, and requires an additional 256 bytes of RAM. This
total requirement of 576 bytes of RAM is the amount of storage needed for a key after key generation, which
may have to be non-volatile in some applications; additional RAM is of course also needed for scratchpad
storage in calculations, particularly during key generation.
Note: the bytes of S8 are stored as single bytes; they do not need to be expanded to four-byte entries to speed up
a permutation, as is true of the fixed S-boxes S1 through S4, and the inverse of S8 is not required for
deciphering, unlike S-boxes S5 through S7; the S-box requiring the least storage was chosen as the key-
dependent one. (Having a key-dependent S-box, of course, is a way to achieve a high degree of resistance to
differential and linear cryptanalysis.)
K1 K2 K3 K4
K5 K8 K11 K6 K9 K12 K7 K10 K13
K14 K17 K20 K15 K18 K21 K16 K19 K22
K23 K26 K29 K24 K27 K30 K25 K28 K31
...
K68 K71 K74 K69 K72 K75 K70 K73 K76
K77 K78 K79 K80
and so on; thus the subkeys are filled for one round before going on to the next, but the first subkey for each f-
function is filled before the second subkey for each f-function, and so on.
The subkeys for the degenerate rounds are just filled in numerical order, the first four at the start, and the last
four at the end.
First, the actual key is placed directly into the subkeys. It must consist of a whole number of bytes, and be at
least eight bytes long, for the rest of the procedure to work.
Fill A1, A2, A3, and B1, B2, B3, B4, and B5 with the first eight bytes of the key in order. Initialize the variable
Q to be zero.
Split the key into two pieces as follows, where L is the number of bytes in the key:
● If L is odd, the first piece consists of the first (L+1)/2 bytes of the key, the second piece is the remaining
bytes of the key. Then increase each piece in length by one byte by appending the one's complement of
the first byte in the piece to it.
● If L is an even number of the form 4n, the first piece consists of the first (L/2)+1 bytes of the key, the
second piece is the remaining bytes of the key. Then increase each piece in length by two bytes by
appending the one's complement of the first two bytes in the piece to it.
● If L is an even number of the form 4n+2, the first piece consists of the first (L/2)+2 bytes of the key, and
the second piece is the remaining bytes of the key. Then increase each piece in length by two bytes by
appending the one's complement of the first two bytes in the piece to it.
In the first case, the lengths of the two pieces of the key are two consecutive numbers, one even, and one odd. In
the second case, the lengths of the two pieces of the key are two odd numbers, differing by two. In the third case,
the lengths of the two pieces of the key are two odd numbers, differing by four. In all three cases, the lengths of
the two pieces of the key are relatively prime, and uniquely identify the length of the original key.
Each group of bytes is then used as the initial contents of a shift register, which operates as follows:
The sum of the first and third bytes in the shift register is XORed with the second-last byte in the shift register.
The result is used as the output of the shift register, and is also used as the new last byte in the shift register, all
other bytes being moved to the next earlier place, the first byte being discarded.
For each byte generated by XORing the outputs from the two shift registers, that byte is then transformed by
carrying out the following instructions:
For each of the numbers 0 to 4, do the following:
Modify the variables B1 through B5 by adding the results of this process for the numbers 0 to 4, respectively, to
them. (This is a permanent change; for each byte generated, new values are added to them, and the totals are
cumulative.)
Now, generate a byte from the two shift registers containing the two unequal pieces of the key as outlined above.
Add Q to that byte. Put that byte through the following process:
The result of this process is the output byte, to be placed in the subkeys. The output byte is also stored in the
variable Q.
One more step, however, remains in the process; the variables A1, A2, and A3 are changed (just as B1 through
B5 have already been changed) as follows: increment A2. If A2 wraps around, being incremented from 255 to
zero, increment A1. If A1 wraps around, increment A3.
● Generate three permutations of the numbers from 0 to 255 from the subkeys by the following procedure:
❍ Use successive bytes from the subkeys, starting with the leftmost (most significant) byte of subkey
K1, and going through the subkeys in numerical order, that is, K1, K2, K3, K4..., and then starting
where one has left off for subsequent permutations.
❍ Each permutation is generated by the use of either 512, or, under some rare circumstances, only
256, bytes. Note that 8-round Quadibloc II only has 320 bytes of subkey; (4 bytes times 9 subkeys
times 8 rounds, plus 8 additional subkeys for the start and finish); and therefore additional bytes
need to be generated for this version of Quadibloc II and other versions without a sufficiently large
number of rounds. The SIGABA-like procedure used initially to extend the key is used for this, but
with some modifications. In this case, A1 through B5 are filled with the last eight subkey bytes
(the first eight contain the first eight bytes of the key, which were previously used to fill A1
through B5, which would cause the generation process here to partially repeat the operations of the
earlier generation process), and the input byte to the process is obtained from a single shift register,
similar in form to each of the two shift registers using pieces of the original key, which initially
contains all of the subkeys, including the last eight bytes.
❍ A permutation is generated as follows:
■ Begin with three arrays of 256 numbers, the first of which is filled with the numbers from 0
to 255 in order. The arrays must also be able to hold the value -1. The second and third
arrays are filled with -1.
■ For each byte used: let the value of the byte be called N, and let I be a counter which starts
at 0 for the first byte, incrementing with each byte used, and ending at 255.
■ Then, for each byte:
■ If element N of the first array is not -1, set element N of the first array to -1, and set
third array.
■ Once this has been done, if the third array contains any numbers other than -1, proceed as
follows:
■ If there is only one filled (not equal to -1) element in the third array, then there is only one
remaining element in the first array, and one element of the second array equal to -1, so fill
the second array with the one available byte, and finish.
■ If there are only two filled elements in the third array, take the least significant bit of the
first filled element. If it is zero, fill the -1 elements of the second array with the remaining
elements of the first array in order; if it is one, do so in reverse order, and finish.
■ If there are less than 256 filled elements in the third array, repeat them over and over to fill
the array. Then, take an additional 256 input bytes (thus, 512 bytes are used except when
the first 256 bytes contain two or fewer duplicate bytes) and XOR them with the bytes of
the third array.
■ Now, use the third array to complete the second array by doing the following for II from 0
to 255:
■ Let the value of element II of the third array be XX.
■ Then, scan through the second array. When an element of the second array is -1, fill it with
the corresponding element of the first array (if it is not also -1) and set that element of the
first array to -1.
■ If there are any -1 elements left in the second array, fill them with the elements of the first
❍ Set A to be element N of the first permutation; set B to be element N of the second permutation,
The key-dependent byte transpositions used at the beginning and end of the cipher are derived from the key-
dependent S-box S8 as follows: the first permutation consists in taking bytes 0, 1, ... 16 to the bytes indicated by
the least significant nibbles of the S-box entries in S8 of the form 0x in hexadecimal, taken in the order they are
found. Note that this builds up the permutation in "dispatch" form, while all the fixed permutations in this
description of Quadibloc II are given in "fetch" form. The second permutation is built up from the bytes of the
form 1x in hexadecimal. The third one, which takes place after the rounds are completed, is the inverse of the one
built up from the bytes of the form 9x in hexadecimal, and the fourth one is the inverse of the one built up from
the bytes of the form 8x in hexadecimal.
Then, the actual key sequence used for encipherment is generated by the following procedure:
Using the last 128-bits of the key, if the key is 128 bits long or more, or the key repeated as many times as
required to fill a 128-bit block otherwise (starting from the beginning, not the end and working backwards) as the
plaintext block, encipher it using the initial key schedule generated above, but with the following modifications.
The intermediate results of all three f-functions are saved. The following nine 32-bit words are produced from
each round of the encipherment process:
● The first intermediate result of the first f-function XOR the final value of the fourth subblock
● The second intermediate result of the first f-function
● The first f-function output
● The first intermediate result of the second f-function XOR the initial value of the fourth subblock
● The second intermediate result of the second f-function
● The second f-function output
● The first intermediate result of the third f-function
● The second intermediate result of the third f-function
● The third f-function output
Also, the degenerate rounds produce their f-function outputs as well, so exactly one 32-bit output is produced for
every subkey.
After each round of the encipherment process which is used to generate the final subkeys, the nine words above
are XORed to nine subkeys. The four f-function outputs of the degenerate rounds are also used, so the number of
words used equals the number of subkeys; each set of four degenerate rounds is treated as a single round in that
the four results are not applied to the subkeys until the set of four rounds has been performed completely. The
sequence of subkeys to which they are applied is as follows (reading across):
thus, first the last subkey of each round is modified, then the second-last subkey of each round, and so on. The
subkeys are modified before the encipherment is completed, but only after each round is completed. The subkeys
used in the degenerate rounds are placed in the sequence as well as possible. The intermediate values applied are
taken from those generated by the subkeys in their numerical order.
Once the subkeys have been modified in this manner, if the size of the key was greater than the total size of the
subkeys, any remaining bytes in the key are to be XORed with the subkeys that are now present, using the same
order as was used for initially filling the subkey space,
K1 K2 K3 K4
K5 K8 K11 K6 K9 K12 K7 K10 K13
...
et cetera.
Allowing the key to be larger than the total size of the subkeys, of course, doesn't make sense after a point; but if
the excess is small, the main result is to make it possible for the same set of subkeys to be accompanied by
different values of the key-dependent S-box S8.
Then, the same procedure used to generate the initial value of S8 from the initial subkeys is applied to the final
subkeys. Since the subkeys may not have enough bytes in them to supply the permutation-generating process, the
SIGABA-like procedure of generating additional bytes is used again, as done previously for generating the initial
value of S8. Once again, A1 through B5 are filled from the last eight subkey bytes, and the earlier subkey bytes
are divided into two almost equal parts as was done with the key previously.
The generated result, however, is not used as the final value of S8. Instead, each element of S8 is replaced by the
value it points to in this result; that is, for N from 0 to 255, S8(N) becomes R(S8(N)). (Thus, S8 depends on both
the old and new subkeys, and doesn't relate to the current subkeys in a simple way.)
The new value of S8 is also used as the old value was above to provide the four key-dependent byte
transpositions which begin and end the cipher.
One may, if one wishes, see the view of the subkeys (other than those of the degenerate rounds) as belonging to a
rectangular prism of 32-bit words, accessed in three different directions, as evocative of Rijndael.
If you have time to encipher your data with 40 rounds of Quadibloc II, I have a variation for you. A diagram
giving an overview of this variation is provided.
First, the tiny Feistel rounds, the key-dependent byte permutation (derived from
the 0x bytes), the initial degenerate four-subkey series of rounds, and another
key-dependent byte permutation (derived from the 1x bytes), then a second layer
of tiny Feistel rounds, another key-dependent byte permutation (derived from
the 4x bytes), another series of four degenerate rounds, and another key-
dependent byte permutation (derived from the 5x bytes).
Then, four rounds of Quadibloc II, with the byte interchange after the first three
rounds following the pattern for a multiple of four rounds that is not a multiple
of 16 rounds.
Now, the whitening sequence is repeated, again first with a series of miniature
Feistel rounds.
Then, another key dependent byte permutation, derived from the elements of S8
in the form 2x.
Thirty-two rounds of Quadibloc II, but with the additional XORs of the second
and third subblocks with the two intermediate values from the f-function of the
first subblock omitted. Byte interchange after the first 31 of these rounds is as
for a multiple of 16 rounds.
Key-dependent byte permutation, the inverse of the one derived from the
elements of S8 of the form Fx.
Key-dependent byte permutation, the inverse of the one derived from the elements of S8 of the form Bx.
The final three-step whitening sequence, plus the tiny Feistel rounds, and byte transpositions, all repeated twice.
Byte transpositions are the inverses of those derived from the elements of S8 in the forms Dx, Cx, 9x, and 8x.
By restricting the perhaps dangerous - but diffusion-enhancing - XOR of intermediate results to the outer eight
Quadibloc rounds, one has a diffusing outer part and a secure core. This, of course, comes even closer to the
design of MARS.
Note that for this variation, when the keys are initially filled, the thirty-two subkeys for the four sets of
degenerate rounds stand outside the sequence; sixteen at the start, and sixteen at the end, and when the keys are
modified, the subkeys for the first four degenerate rounds are at the left of the top four rows, those for the last
four at the right of the bottom two rows.
K1 K2 K3 K4
K5 K6 K7 K8
K9 K12 K15 K10 K13 K16 K11 K14 K17
K18 K21 K24 K19 K22 K25 K20 K23 K26
K27 K30 K33 K28 K31 K34 K29 K32 K35
K28 K39 K42 K37 K40 K43 K38 K41 K44
K45 K46 K47 K48
K49 K50 K51 K52
K53 K56 K59 K54 K57 K60 K55 K58 K61
...
K332 K335 K338 K333 K336 K339 K334 K337 K340
K341 K342 K343 K344
K345 K346 K347 K348
K349 K352 K355 K350 K353 K356 K351 K354 K357
...
K376 K379 K382 K377 K380 K383 K378 K381 K384
K385 K386 K387 K388
K389 K390 K391 K392
and the order for adjusting the keys from f-function outputs and intermediate results is:
K392 K388 K348 K344 K384 K375 K366 K357 K340 ... K26 K17
K391 K387 K347 K343 K383 K374 K365 K356 K339 ... K25 K16
K390 K386 K346 K342 K382 K373 K364 K355 K338 ... K24 K15
K389 K385 K345 K341 K381 K372 K363 K354 K337 ... K23 K14
K380 K371 K362 K353 K336 ... K22 K13
K379 K370 K361 K352 K335 ... K21 K12 K52 K48 K8 K4
K378 K369 K360 K351 K334 ... K20 K11 K51 K47 K7 K3
K377 K368 K359 K350 K333 ... K19 K10 K50 K46 K6 K2
K376 K367 K358 K349 K332 ... K18 K9 K49 K45 K5 K1
Instead of using S-boxes S5 through S7 singly, they are used in pairs on the fourth subblock, and so the extra
nonlinearity bits required here are doubled as well. An additional 32 nonlinearity control bits are created from the
XOR of one intermediate result from the f-function of the second subblock and the other intermediate result from
the f-function of the third subblock. As switching between addition and XOR for applying the f-function outputs
directly to the fourth subblock requires only one bit per byte, the remaining four bits are used to switch the
addition operation to a subtraction operation.
The other major modification in this extended variant of the basic round is to use S8 in the same method as used
in the initial whitening phase to promote diffusion within the fourth subblock.
However, I find the following variation on the basic Quadibloc II round even more interesting:
Here, two other intermediate values in the f-function of the first subblock are used to form a 32-bit value used for
an ICE-style interchange between the f-functions of the second and third subblocks. The interchange takes place
just before S8 is applied, thus ensuring it significantly alters the f-function outputs applied to the fourth subblock.
As well, a micro-Feistel layer is used, as in the doubled nonlinearity variant, but this time to modify the first
subblock, so that all four subblocks are changed, and changed in a key-dependent way by every round (the
changes to the first three subblocks depend on the first subblock as well as the key, while those to the fourth
subblock depend on all of the first three subblocks).
Also added is an interaction, taken from the block cipher 3-Way, between three of the subblocks. This places a
very small (3 bits input and output) nonlinear S-box in the cipher that operates on corresponding bits in the three
subblocks. Since it either operates on all but the first subblock, or all but the fourth subblock, two round types
were required to make the cipher equally secure against attacks from either direction. (The deciphering form of
the round could also be used, but that of course creates the slim possibility of some rounds partly undoing the
work of other rounds.)
Since each bit of the output is the bit of the input XOR a function of the other two bits that is 1 most of the time,
the identities of the bits are in a sense preserved; thus, it does not appear that the apparent danger of information
leaking past the involved transformation of the fourth subblock is a genuine concern. In addition, the type A
rounds are used at the beginning, and the type B rounds at the end, so that any leakage is towards the inside of
the block cipher rather than towards the outside.
Since the first subblock is aloof from the values and changes in the other three subblocks, the interaction between
the last three subblocks does not prevent the round from being invertible, even though it happens after the XOR
of intermediate results from the f-function of the first subblock. The interaction between the first three subblocks
does not prevent the round from being invertible, because the operations taking place before it are all self-
contained.
In analyzing Quadibloc II, it may be interesting to examine how it could be attacked if part of the internal key is
known. If S8 is known, Quadibloc II becomes a more conventional block cipher. Is the conventional part of it
still reasonably strong? If the conventional subkeys, but not S8, are known, but not the intermediate subkey
values, can part of the generation of S8 still be retraced? With only a small part of the internal operations of the
cipher controlled by the secret part of the key, can cryptanalysis trace enough to obtain information about S8?
Next
Start of Section
Skip to Next Chapter
Skip to Next Section
Table of Contents
Main Page
Home Page
[Next] [Up] [Previous] [Index]
Quadibloc III
Quadibloc III is an extension of Quadibloc II which uses a different type of block cipher as its inner core. It too
uses a 128-bit block size. Unlike Quadibloc II, which, at least with only eight full rounds, is not too much slower
than a typical AES candidate (although it isn't fully clear to me if eight rounds is enough for security), Quadibloc
III, while secure, is clearly too slow and complicated to be useful for practical purposes. Its value is that it
illustrates a number of concepts which may be useful in ciphers of a more practical size.
Here is a diagram giving an overview of the structure of Quadibloc III, to accompany a description of its rounds:
❍ The four S9 outputs produce a 32-bit result whose first 16 bits are the first four bits of each of their
outputs, and whose last 16 bits are the last four bits of each of their outputs.
❍ This result is then enciphered by means of four Feistel rounds, where the f-function consists of first
XORing in a 16-bit half of a subkey, then using the two bytes of the result to index into two key-
dependent S-boxes, S10 and S11, which each take an 8-bit input and give a 16-bit output. The sum
of the two outputs is XORed with the other half of the 32-bit block.
❍ The 32-bit result of this process is used as a 32-bit subkey was used initially to encipher a further
16 bits of the block, and this continues until the entire 128-bit block has been enciphered in 16-bit
pieces.
These sixteen rounds each use fifteen subkeys; the first one uses subkey K125 to supply the four bytes
used for enciphering the first 16-bit subblock, and then subkeys K126 through K139, two at a time, for
enciphering the 32-bit intermediate results from enciphering one subblock to produce the 32-bit input to
use to encipher the next one, and the last one uses subkeys K350 through K364.
● Then, the preceding steps are done in reverse order, with the key-dependent byte permutations now being
the inverses of the ones derived from the Bx, Ax, 9x, and 8x elements of S8, and with the two Mishmash
rounds using subkeys K365 through K412, the eight normal Quadibloc II rounds using subkeys K413
through K484, and the set of four degenerate rounds using subkeys K485 through K488.
The following diagram illustrates the method used for the middle 16 rounds of Quadibloc III:
Using four eight-bit subkeys (derived from a single 32-bit subkey, to remain within the overall structure derived
from Quadibloc II), four Feistel rounds are used to encipher a 16-bit subblock; in the first round, the right half is
XORed with the first subkey, then replaced through S8, then added to the left half. The direction of the f-function
alternates from right to left to left to right, and in the two outer rounds, the subkey is XORed and the f-function
output added, and in the two inner rounds, the subkey is added and the f-function output XORed.
The four intermediate results of the f-functions, derived before S8 substitution, are used to index into the fixed S-
box S9. The S-box outputs are used to form a 32-bit word consisting of the first nibbles of the four substituted
results in order, then the second nibbles. (Since, looking sideways, the bottom, rather than the top, of the
previous four rounds are to the left, the diagram shows that the order needs to be reversed when drawing a left-to-
right round of this cipher, by means of a twist upon entry and exit from the horizontal Feistel rounds.)
The resulting 32-bit word is then itself enciphered by four Feistel rounds of a cipher which, like Blowfish, uses
wide key-dependent S-boxes in the f-function. Here, four 16-bit subkeys are used, and so they are derived from
two 32-bit regular subkeys.
The final interchange is not omitted, or the rounds can be thought of, as they are drawn, in in-place format, and
the first round goes from right to left (or, in the diagram, top to bottom).
If the first set of four Feistel rounds operating on a 16-bit subblock is denoted by 1, the second by 2, and angle
brackets are used to show how one round provides the subkey input for the next, the pattern of rounds used in
this phase is as follows:
The S-box S9 is fixed, and is generated by continuing the process used for generating S-boxes 1 through 7 from
Euler's constant to generate one more permutation of the numbers 0 through 255, therefore this S-box is the one
designated S11 on the page entitled Euler's Constant and the Quadibloc S-Boxes.
The concept of a cipher called Mishmash is noted in the conclusions section of this chapter, to which reference
may be required.
The left half of the block (in the second round, the right half) is enciphered using four rounds of Quadibloc. The
intermediate results, after XORing in the second of the three subkeys, of each of the four f-function outputs are
then subjected to the Quadibloc f-function again, with another twelve subkeys, and the four 32-bit outputs are
XORed together.
The 32-bit result controls the encipherment of the right half of the block. The right half of the block is enciphered
by cipher steps 1 through 5. The first 25 bits of the 32-bit result is divided into five 5-bit values, indicating for
each of the five cipher steps, in order of their numeric labels, which of 32 sets of subkey material is used for
them.
The last 7 bits of the 32-bit result indicates the order in which the five cipher steps take place. Values 0 through
119 of these seven bits give the 120 permutations of the numbers from 1 through 5 in numerical order, as shown
in the following table:
and the remaining values give the following eight preferred orders once again:
120 31425
121 32415
122 51423
123 52413
124 31524
125 32514
126 41523
127 42513
Only one pool of 32 subkey values is used by all four Mishmash rounds in the cipher (which is different from the
Mishmash concept described in the conclusions section), despite the danger that a subkey may be used more than
once.
1. Two rounds of DES. Two 48-bit subkeys are the subkey material this uses.
2. Two rounds of Quadibloc. Six 32-bit subkeys are the subkey material this uses.
3. Four rounds of SKIPJACK. Sixteen 8-bit subkeys are the subkey material this uses.
4. One round of SAFER. Two 64-bit subkeys are the subkey material this uses.
5. Two rounds of GoodStuff. This consists of two rounds, similar to the middle rounds of this cipher, but
acting on only four 16-bit subblocks each. The ordering of the operations is 1234 followed by 4321 (not
3214). This uses fourteen 32-bit subkeys as subkey material.
In the Mishmash rounds, the final interchange is not omitted after the DES and Quadibloc rounds, since they are
part of an ongoing block cipher. This is true also of the Mishmash concept, as can be seen from the diagrams,
which show the ciphers in in-place form.
The four Skipjack rounds are type A in the first two Mishmash rounds in the cipher, and type B in the last two. In
addition, the SAFER rounds in the last two Mishmash rounds are rounds of SAFER decryption instead of
SAFER encryption, for the same reason.
Subkey Generation
Subkey generation for Quadibloc III follows the same general scheme as for Quadibloc II; initial subkeys are
generated using a method similar to the one used in Quadibloc II, but somewhat more elaborate.
Fill A1, A2, and A3; B1, B2, B3, B4, and B5; and C1, C2, C3, C4, and C5 with the first thirteen bytes of the key
in order. Initialize the variable Q to be zero.
Split the key into two pieces as follows, where L is the number of bytes in the key:
● If L is odd, the first piece consists of the first (L+1)/2 bytes of the key, the second piece is the remaining
bytes of the key. Then increase each piece in length by one byte by appending the one's complement of
the first byte in the piece to it.
● If L is an even number of the form 4n, the first piece consists of the first (L/2)+1 bytes of the key, the
second piece is the remaining bytes of the key. Then increase each piece in length by two bytes by
appending the one's complement of the first two bytes in the piece to it.
● If L is an even number of the form 4n+2, the first piece consists of the first (L/2)+2 bytes of the key, and
the second piece is the remaining bytes of the key. Then increase each piece in length by two bytes by
appending the one's complement of the first two bytes in the piece to it.
In the first case, the lengths of the two pieces of the key are two consecutive numbers, one even, and one odd. In
the second case, the lengths of the two pieces of the key are two odd numbers, differing by two. In the third case,
the lengths of the two pieces of the key are two odd numbers, differing by four. In all three cases, the lengths of
the two pieces of the key are relatively prime, and uniquely identify the length of the original key.
Each group of bytes is then used as the initial contents of a shift register, which operates as follows:
The sum of the first and third bytes in the shift register is XORed with the second-last byte in the shift register.
The result is used as the output of the shift register, and is also used as the new last byte in the shift register, all
other bytes being moved to the next earlier place, the first byte being discarded.
For each byte generated by XORing the outputs from the two shift registers, that byte is then transformed by
carrying out the following instructions:
Modify the variables B1 through B5 by adding the results of this process for the numbers 0 to 4, respectively, to
them. (This is a permanent change; for each byte generated, new values are added to them, and the totals are
cumulative.)
Once that has been done, using the modified values of B1 through B5, we once again use the numbers 0 to 4 in
order as inputs as we do the following:
Modify the variables C1 through C5 by adding the results of this process for the numbers 0 to 4, respectively, to
them. (This is a permanent change; for each byte generated, new values are added to them, and the totals are
cumulative.)
Now, generate a byte from the two shift registers containing the two unequal pieces of the key as outlined above.
Add Q to that byte. Put that byte through the following process:
The result of this process is the output byte, to be placed in the subkeys. The output byte is also stored in the
variable Q.
One more step, however, remains in the process; the variables A1, A2, and A3 are changed (just as B1 through
B5 have already been changed) as follows: replace A1 with the former contents of A2; replace A2 with the
former contents of A3; and replace A3 with the former contents of A3 XOR the current output byte (also stored
in Q).
After generating the first 440 regular 32-bit subkeys, initial values of the remaining subkey material is generated
in the following order:
● first, initial subkeys K441 through K488 (which will later be used for subkeys with different numbers),
(192 bytes)
● then the contents of key-dependent S-box S8, (from 1536 to 2304 bytes are used to produce this, since it
is generated from three permutations which require either 512 or 768 bytes to produce)
● then the 256 16-bit entries for each of S10 and S11; (1024 bytes)
● then the Mishmash subkeys; 32 sets of two 48-bit subkeys for the DES rounds, (384 bytes)
● 32 sets of six 32-bit subkeys for the Quadibloc rounds, (768 bytes)
● 32 sets of sixteen 8-bit subkeys for the Skipjack rounds, (512 bytes)
● 32 sets of two 64-bit subkeys for the SAFER rounds, (512 bytes)
● 32 sets of fourteen 32-bit subkeys for the GoodStuff rounds. (1792 bytes)
● An additional 2304 bytes of subkey material to be used later. (2304 bytes)
All the subkey material thus generated, except the material used to produce S-box S8, is retained in order in an
array for later modification.
● Generate three permutations of the numbers from 0 to 255 from the subkeys by the following procedure:
❍ Use successive bytes from the subkeys, starting with the leftmost (most significant) byte of subkey
K1, and going through the subkeys in numerical order, that is, K1, K2, K3, K4..., and then starting
where one has left off for subsequent permutations.
❍ Each permutation is generated by the use of either 512, or, under some rare circumstances, only
256, bytes.
❍ A permutation is generated as follows:
■ Begin with three arrays of 256 numbers, the first of which is filled with the numbers from 0
to 255 in order. The arrays must also be able to hold the value -1. The second and third
arrays are filled with -1.
■ For each byte used: let the value of the byte be called N, and let I be a counter which starts
at 0 for the first byte, incrementing with each byte used, and ending at 255.
■ Then, for each byte:
■ If element N of the first array is not -1, set element N of the first array to -1, and set
element I of the second array to N.
■ Otherwise, store N in the first unused position (the first position containing -1) in the
third array.
■ Once this has been done, if the third array contains any numbers other than -1, proceed as
follows:
■ If there is only one filled (not equal to -1) element in the third array, then there is only one
remaining element in the first array, and one element of the second array equal to -1, so fill
the second array with the one available byte, and finish.
■ If there are only two filled elements in the third array, take the least significant bit of the
first filled element. If it is zero, fill the -1 elements of the second array with the remaining
elements of the first array in order; if it is one, do so in reverse order, and finish.
■ If there are less than 256 filled elements in the third array, repeat them over and over to fill
the array. Then, take an additional 256 input bytes (thus, 512 bytes are used except when
the first 256 bytes contain two or fewer duplicate bytes) and XOR them with the bytes of
the third array.
■ Now, use the third array to complete the second array by doing the following for II from 0
to 255:
■ Let the value of element II of the third array be XX.
■ Then, scan through the second array. When an element of the second array is -1, fill it with
the corresponding element of the first array (if it is not also -1) and set that element of the
first array to -1.
■ If there are any -1 elements left in the second array, fill them with the elements of the first
❍ Set A to be element N of the first permutation; set B to be element N of the second permutation,
Only the first 440 subkeys, each 32-bits long, which are the first subkey material generated by this method, are
modified by the key augmentation technique of performing an initial encipherment, and XORing subkeys with
intermediate results. Because some of the rounds do not produce intermediate results suitable for this use, the key
augmentation step undergoes an important change. Instead of modifying the 440 subkeys by performing a normal
Quadibloc III encipherment, and using its intermediate results, a modified encipherment, using only normal
rounds found in Quadibloc II is used.
The modified encipherment consists of one group of four degenerate rounds, forty-eight normal Quadibloc II
rounds, and one more group of four degenerate rounds. This arrangement uses exactly 440 subkeys. Four key-
dependent byte permutations are used, from 0x, 1x, and inverse 9x and 8x; only one unkeyed whitening step,
followed by the 0x permutation, begins the cipher; the 1x permutation follows the first group of four degenerate
rounds, preceding the first conventional Quadibloc II round.
The subkeys are initially filled in the following order, consistent with Quadibloc II practice:
K1 K2 K3 K4
K5 K8 K11 K6 K9 K12 K7 K10 K13
K14 K17 K20 K15 K18 K21 K16 K19 K22
...
K428 K431 K434 K429 K432 K435 K430 K433 K436
K437 K438 K439 K440
and are modified during key enrichment in the following order (although the subkeys are aligned in columns to
illustrate their pattern, the order used is that found by reading across):
Bytes for use in the 48 additional subkeys, S10 and S11, and in Mishmash, are generated during the initial part of
subkey generation, even though these parts of the cipher aren't used in key-enrichment; then, during the key-
enrichment phase, nine bytes of output from the same shift register process as was used to fill all the subkey
material with its initial values, but modified in an analogous fashion to that used for Quadibloc II (the last 13
bytes of the 440 regular subkeys are used to fill A1 through C5, and one shift register, rather than two, is used,
consisting of the rest of the subkey material), are used to modify eight bytes in this additional subkey material.
This is done as follows: the first byte determines the use of the next eight bytes; if its most significant bit is a 1,
the next byte is XORed to the previously generated byte, if its most significant bit is a 0, the next byte replaces
the corresponding previously generated byte, and so on through the bits of the first byte and the bytes following.
The additional subkey material being modified in this step consists of 7488 bytes. For the purpose of an
additional operation to be performed concurrently with the XOR or replacement of these bytes in groups of eight
using generated bytes in groups of nine, these bytes are to be considered as 20 blocks of 256 bytes each, plus 64
extra bytes.
The additional manipulation to be performed consists of two steps. Only during the processing of the second
through the 19th of the 20 complete blocks are both steps done; one is done during the processing of the first
block.
For each of the first 256 generated bytes of the 288 generated bytes required to modify the 256 bytes of the
current block, the next block is modified as follows:
Letting c be a counter, 0 for the first generated byte, and incremented by one as we change to use each additional
generated byte, and letting n be the value of the current generated byte, we swap byte c and byte n of the next
block.
This only requires the existence of a following block, and is therefore done when the current block is any block
from the first through the nineteenth.
For each of the last 256 generated bytes of the 288 generated bytes we use in modifying the 256-byte current
block, immediately following the use of that same byte for modifying the next block during the period when both
operations overlap, we modify the preceding block as follows:
Letting c be a counter, 0 for the first generated byte used by this step, the 33rd of the 288 generated bytes for the
current block, and letting n be the value of the current generated byte, we let p be the value of byte c of the next
block, and let q be the value of byte n of the previous block.
We then swap bytes p and q of the previous block. Letting k be the XOR of the values of the two bytes so
swapped, byte n of the previous block is then modified by being XORed with byte k of the next block.
This requires both a preceding and a following block, and is done for the second block through the nineteenth.
Performing these transposition steps on the subkey material helps to destroy any pattern it might contain.
As many of the last 2304 bytes of subkey material as required are used to generate a permutation following the
steps used for generating the initial value of S8. The generated result, however, is not used as the final value of
S8. Instead, each element of S8 is replaced by the value it points to in this result; that is, for N from 0 to 255, S8
(N) becomes R(S8(N)). (Thus, S8 depends on both the old and new subkeys, and doesn't relate to the current
subkeys in a simple way.)
Then, the 488 subkeys required for Quadibloc III are produced from the 440 subkeys generated normally and the
48 additional ones by using the 48 additional subkeys in order as the ones for the f-functions that are used to
modify the f-function results before being XORed together in the Mishmash rounds.
Hence,
Note that implementations need not actually move the subkeys around, but merely need to ensure that each
encipherment step uses the correct subkeys from those stored in memory.
Specific named variations of Quadibloc III are provided here to broaden its range of applicability.
The first variation is Quadibloc III SC (Short Cycle). This version retains the complexity of Quadibloc III, but
eliminates the large number of rounds of the GoodStuff kind in the middle of the cipher. Instead, only two such
rounds are retained, with the following arrangement:
This, by reducing the amount of required subkey material from 488 subkeys to 278, and hence the key
augmentation phase of key generation is modified as follows: eight regular Quadibloc II rounds are used, the first
10 words of S10 are also modified, and there is no shifting of subkeys out of numerical order, as was required to
exclude a particular 48 subkeys from key augmentation in the normal version. The unkeyed whitening step, and
the initial and final byte transposes (0x and 8x) are also retained in the modified encipherment.
The next variation is Quadibloc III MD (Maximum Dispersion). This version adds eight 64-bit words of subkey
material to what is used by the cipher. They are not used during the modified encipherment cycle performed for
key augmentation, but they are generated initially, like other parts of the subkey material not then used. They are
generated immediately after the 32 extra normal subkeys which are modified after, instead of during, key
augmentation, and immediately before calculating S-box S8. Otherwise, since the key schedule is only
lengthened, key augmentation is not otherwise modified for this variation.
These 64-bit words are used to perform an ICE-style interchange of the left and right halves of the block,
immediately after the first four key-dependent byte interchanges derived from S-box S8 and immediately before
the last four such byte interchanges. A 1 bit corresponds to a bit to be interchanged, and the words are used in
order during encipherment.
Finally, Quadibloc III SD (Short/Dispersive) combines the modifications in Quadibloc III SC and Quadibloc III
MD. As it has 294 32-bit words of normal subkey, the key augmentation phase of its key generation is based on a
modified encipherment involving a byte transpose based on the 0x row of S8, an unkeyed whitening step, a set of
four degenerate rounds, a byte transpose based on the 1x row of S8, eight normal Quadibloc II rounds, the 9x
transpose, four degenerate rounds, inverse whitening, and the 8x transpose. The first two words of S10 are also
included in the key augmentation for this variation.
A variation in the round structure, like those illustrated for Quadibloc II, will also be illustrated here, but in this
case it is for the Mishmash portion of the cipher.
This diagram gives an overview of the Mishmash rounds as modified. Instead of placing the intermediate results
of the four QUADIBLOC 96 rounds on the left side through an additional QUADIBLOC f-function, these results
are used to produce a 32-bit result by means of the 32-bit Feistel structure used within the GoodStuff portion of
the cipher. This reduces the number of additional subkeys required for this part of the cipher to 8 from 48, but the
strength of the modified cipher appears fully satisfactory.
Another variation on Quadibloc III uses the modified Mishmash rounds described above, but in addition changes
the order of the rounds in line with insights that have come out of looking at how some differential attacks,
including the boomerang attack work. The idea is that parts of the cipher that are analytically simple are put on
the outside, and parts that are harder to analyze, but possibly leaving room for new probing attacks, are put in the
center. A diagram giving an overview of the variation, accompanied by its description, are below:
The 268 subkeys required, plus the first 20 32-bit words of the S-box S11, are modified after initial subkey
generation by key augmentation through 32 normal Quadibloc II rounds with no degenerate rounds, (and two
byte transposes, based on the 0x and 8x rows, instead of four, and two unkeyed whitening steps, as for the
regular cipher) and there is no shifting of subkeys out of numerical order, as was required to exclude a particular
48 subkeys from key augmentation in the normal version.
Next
Start of Section
Skip to Next Chapter
Table of Contents
Main Page Home Page
[Next] [Up] [Previous] [Index]
Quadibloc IV
Quadibloc IV is a block cipher with a 128-bit blocksize with a simpler design than that
of either Quadibloc III or even Quadibloc II. It has 32 rounds, numbered from 1 to 32,
each using three 32-bit subkeys.
It uses the S-boxes S1, S2, and S3 (S3 is only used during key generation) derived
from Euler's constant, as listed in the description of Quadibloc II.
It attempts - despite the fact that A xor B and B xor A are the same thing - to use a
strategy derived from hash functions to produce a secure f-function; the quantity
XORed to the first subblock in each round is the XOR of two f-functions, one which
uses a subblock as input, and two subkeys as keys, and one which uses a subkey as
input, and two subblocks as keys.
The Rounds
The 128-bit block is considered to be divided into four 32-bit subblocks, B1 through
B4. The leftmost subblock, B1, is the only one modified in a round. It has two
quantities XORed to it:
● An f-function, using B2 as input, with the first two subkeys for the round as
keys, using S1 as the S-box.
● An f-function, using the third subkey for the round as input, with B3 and B4 as
keys, using S2 as the S-box.
The f-function is essentially the basic Quadibloc f-function: XOR the input and the first
key, substitute the bytes in the S-box, and then perform the following regular
permutation of the bits:
1 2 27 28 21 22 15 16 9 10 3 4 29 30 23 24
17 18 11 12 5 6 31 32 25 26 19 20 13 14 7 8
Then, XOR the input and the second key and again perform the S and P steps. In
Quadibloc IV, no third key is used.
3 4 2 1
After round 4 and after round 28, the bytes of the 128-bit block are interchanged in the
following order:
1 14 11 8 5 2 15 12 9 6 3 16 13 10 7 4
After round 16, the four subblocks are interchanged in this order:
3 2 1 4
After the other rounds whose numbers are divisible by 4, the four subblocks are
interchanged in this order:
3 1 4 2
Hence, if one numbers the subblocks on entry to round 5 as 1, 2, 3, and 4, the orders in
which they appear from round 5 to round 28 are as follows:
1 2 3 4 3 4 2 1 2 1 4 3 4 3 1 2
1 4 2 3 2 3 4 1 4 1 3 2 3 2 1 4
1 3 4 2 4 2 3 1 3 1 2 4 2 4 1 3
1 4 3 2 3 2 4 1 4 1 2 3 2 3 1 4
1 2 4 3 4 3 2 1 2 1 3 4 3 4 1 2
1 3 2 4 2 4 3 1 3 1 4 2 4 2 1 3
Because of the byte interchange after rounds 4 and 28, the first and last four rounds
function as a whitening phase of the block cipher.
Key Generation
Two shift registers, one 64 bytes in length and one 65 bytes in length, are used to
generate subkeys, and are loaded with the key, which can be from 2 to 63 bytes in
length, as follows:
order, followed by the one's complement of the key (in normal order),
followed by as many repetitions of the key as are needed to fill its first
64 bytes, followed by the one's complement of the first byte of the key.
● If the key is from 33 to 63 bytes in length:
❍ The 64-byte shift register is loaded with the first half of the key
(including one more byte than the second half, if the number of key bytes
is odd), followed by the one's complement of the first half of the key and
as many repetitions of the first half of the key as are needed to fill it.
❍ The 65-byte shift register is loaded with the second half of the key,
followed by the one's complement of the second half of the key, and as
many repetitions of the second half as are needed to fill its first 64 bytes,
followed by the one's complement of the first byte of the second half of
the key.
Initial values of subkey bytes are generated from these two shift registers as follows:
Take the 49th byte, add the 33rd byte, and XOR the 64th byte. Find the substitute for
the result in S-box S3. XOR the 3rd byte, and add the 1st byte.
The result will be the new first byte of the shift register, the other bytes being advanced
one place, and the old 64th byte being discarded.
Take the 23rd byte, add the 65th byte, and XOR the 11th byte. Find the substitute for
the result in S-box S3. Add the 50th byte, and XOR the 1st byte.
The result will be the new 65th byte of the shift register, the other bytes being moved to
the next earlier place, and the old 1st byte being discarded.
The byte of the subkey generated from this step is the generated new first byte of the
first shift register, replaced with its substitute from S-box S3, XORed with the
generated new 65th byte of the second shift register.
Once all 96 subkeys have been filled with their initial values, key augmentation takes
place. A normal encipherment cycle is performed, enciphering the 128-bit block
A5 C3 E1 2D B4 87 96 F0 0F 69 78 4B D2 1E 3C 5A
but after each round, the four intermediate values generated in the round are applied as
follows:
1. The output of the SP operation following the use of the first subkey for the
round;
2. The output of the SP operation following the use of the second subkey for the
round;
3. The output of the SP operation following the use of the third subblock;
4. The output of the SP operation following the use of the fourth subblock;
Intermediate values 1, 2, and 4 of each round are XORed to the subkeys after the round
is over, and the order in which the subkeys is modified is:
and then, intermediate value 3 from the round is added, using byte-wide addition (as
well as creating no endian confusion, this is sure to be implementable, even on systems
that support only 16-bit arithmetic with no way to disable integer overflow exceptions)
to the following subkeys in this order:
As this block cipher was designed using design principles from hash functions, it
seemed appropriate to specify a mode in which it could be used to generate a hash of a
file. However, only the simplest mode is specified here, generating a 128-bit hash,
which is not considered adequately long to obtain collision resistance.
One iteration of the cipher will be used to hash a block consisting of 32 32-bit words,
or 128 bytes. The string of bits to be hashed will be converted to a whole number of
blocks by having a 1 appended to it, and then the result will be filled out with zeroes to
fill the last block.
A5 C3 E1 2D B4 87 96 F0 0F 69 78 4B D2 1E 3C 5A
The subkeys for the encipherment will be supplied by the block to be hashed as follows:
Both subkeys
and subkeys
will be supplied from the bytes of the block, taken in groups of four, in order. (The first
byte is the leftmost byte of the word.)
Subkeys
which are the hexadecimal digits in the fractional portion of pi (also used as the starting
value of the S-boxes and subkeys in Blowfish, although it uses 784 of them, not just 32
of them).
After each block is hashed, the input to the encryption cycle is XORed with the output
to produce the current value of the hash, which will be the input to the next encryption
cycle.
A Variation of Quadibloc IV
Next
Start of Section
Skip to Next Chapter
Skip to Next Section
Table of Contents
Main Page Home Page
[Next] [Up] [Previous] [Index]
Quadibloc V
Quadibloc V is a straightforward and simple member of the Quadibloc family of ciphers. It operates on a 128-bit
block, and has a key which must consist of number of bytes that is a multiple of four and which is equal or
greater than 8. It uses S-box S1 derived from Euler's constant, as used in other ciphers of the Quadibloc series,
and it uses one key-dependent S-box, called S2, which has 16 entries, each 64 bits long.
It has four rounds, and each round uses 72 bytes of subkey material. The halves of the block are swapped after
each of the first three rounds.
As encipherment and decipherment are different, and as the f-function only diffuses half of the information in the
left half of the block, it might seem that there are opportunities for cryptanalysis. But what happens to the right
half of the block, and the use of a key-dependent S-box, even if only a minimal one, appears to close any such
opportunities. Also, the key schedule seems to be secure, although it too is greatly simplified over that of
Quadibloc II or III.
The Rounds
One copy of the second byte in the pair is XORed with a byte of subkey material; the next copy has the next byte
of subkey material added to it. Then both copies are replaced by their corresponding entries in S-box S1. The
first byte in the pair first has the first copy of the other byte, as modified, added to it. This intermediate result is
retained for later use. Then it is replaced by the entry it now selects in S-box S1. Finally, the second copy of the
other byte, as modified, is XORed to it.
The first and second nybbles of this resulting byte are used to index to two elements of S-box S2. The entry
chosen by the second nybble of a byte then has its halves swapped. The intermediate result saved for later use is
also split into two nybbles, each used to index an element from S-box S2. The one chosen by the first nybble is
rotated 16 bits left, and the one chosen by the second nybble is rotated 16 bits right.
These elements of S-box S2 are XORed with the right half of the block at various times.
This portion of the cipher uses the first eight subkey bytes for the round.
First, the bytes in the right half of the block are modified by going through tiny Feistel rounds, similar to
permutation G of SKIPJACK, but here using S-box S1 as the f-function. First, each pair of bytes goes through
two rounds of this, first the left-hand byte modifying the right-hand byte, then the right-hand byte modifying the
left-hand byte. Two subkeys are used to perform these two rounds for one pair of bytes, then the next two
subkeys are used for two rounds for the next pair of bytes, as is visible from the numbering in the diagram.
● the one from the first nybble of the byte generated from the first pair of bytes in the left half of the block
● the one (with its halves swapped) from the last nybble of the byte generated from the last pair of bytes in
the left half of the block
● the one (rotated 16 bits to the left) from the first nybble of the intermediate result generated from the
second pair of bytes in the left half of the block
● the one (rotated 16 bits to the right) from the second nybble of the intermediate result generated from the
third pair of bytes in the left half of the block
Then, two more tiny Feistel rounds are applied to each pair of bytes in the right half, and then the bytes are
interchanged as follows:
1 4 3 6 5 8 7 2
and then another two tiny Feistel rounds are applied. Note that this interchange, applied three times, ensures that
each even byte is paired with each odd byte for four tiny Feistel rounds during this process.
● the one from the first nybble of the byte generated from the second pair of bytes in the left half of the
block
● the one (with its halves swapped) from the last nybble of the byte generated from the third pair of bytes in
the left half of the block
● the one (rotated 16 bits to the left) from the first nybble of the intermediate result generated from the first
pair of bytes in the left half of the block
● the one (rotated 16 bits to the right) from the second nybble of the intermediate result generated from the
last pair of bytes in the left half of the block
are XORed to the right half of the block in its present state.
Then, another four tiny Feistel rounds with a byte interchange in the middle.
● the one from the first nybble of the byte generated from the third pair of bytes in the left half of the block
● the one (with its halves swapped) from the last nybble of the byte generated from the second pair of bytes
in the left half of the block
● the one (rotated 16 bits to the left) from the first nybble of the intermediate result generated from the last
pair of bytes in the left half of the block
● the one (rotated 16 bits to the right) from the second nybble of the intermediate result generated from the
first pair of bytes in the left half of the block
Then, another four tiny Feistel rounds with a byte interchange in the middle.
● the one from the first nybble of the byte generated from the last pair of bytes in the left half of the block
● the one (with its halves swapped) from the last nybble of the byte generated from the first pair of bytes in
the left half of the block
● the one (rotated 16 bits to the left) from the first nybble of the intermediate result generated from the third
pair of bytes in the left half of the block
● the one (rotated 16 bits to the right) from the second nybble of the intermediate result generated from the
second pair of bytes in the left half of the block
And now, two tiny Feistel rounds are applied to each pair of bytes in the right half of the block. Finally, the bytes
are interchanged as follows:
1 3 5 7 2 4 6 8
This final interchange sorts the odd and even bytes into groups, so that pairs will later be made on a different
basis.
The key material used during encipherment consists of a 512 byte key-dependent S-box S2, and 288 bytes of
subkey material.
● The key is split into two parts, the first having one byte less than half the bytes in the key, and the second
having the remaining bytes.
● Bytes of subkey material are alternately filled from each half of the key.
● Each time one returns to the first byte of a part of the key, after using the last byte previously, one adds 1
to a constant (initially zero) which is added to each byte as it is taken.
Using this initial subkey material, a block is enciphered consisting of the first sixteen bytes of the key, or, if the
key is shorter than sixteen bytes, the key followed by the key with each byte XORed with 1, followed by the key
XORed with 2 if necessary, all the bytes then replaced with their substitutes in S-box S1.
Each round of encipherment produces eight 64-bit intermediate results: an intermediate result is obtained by
taking the current value of the right half of the block after each pair of tiny Feistel rounds, except that in the case
of those rounds followed by XORing in S-box S2 entries, the intermediate value is taken after that XOR.
After each round is completed, and five rounds are performed, rather than the four used for normal encipherment,
the fifth using the same subkeys as the first, the intermediate results are used to modify the subkeys.
The first 36 of the 40 intermediate results generated are XORed with the subkey material, in the following order:
1 K1 K2 ... K8
2 K73 K74 ... K80
3 K145 K146 ... K152
4 K217 K218 ... K224
5 K9 K10 ... K16
6 K81 K82 ... K88
...
36 K281 K282 ... K288
In addition, each byte of all but the first eight intermediate results (leaving the last 32 intermediate results, which
amount to 256 bytes) is used to modify the 512-byte S-box S2, as follows:
● The S-box S2 is to be considered as consisting of two halves, each 256 bytes in length, called H0 and H1.
H0(n) is the (n+1)th byte of H0; that is, H0(0) is the first byte of H0.
● Let the byte being used to modify the S-box have the value X.
● Let a counter, initially equal to 0, and increasing by 1 each time be noted by N. This counter will run from
0 to 255 as the process below takes place.
● Let W=N xor X.
● Let P=H0(W) xor X and Q=H1(W) xor X
● In all cases, first modify H1(P) by XORing it with H0(P) and with X, then modify H0(Q) by XORing it
with H1(Q) and with X.
● Modify H0(X) by XORing it with Q and with W, and modify H1(X) by XORing it with P and with W.
● If N and X are not equal, swap H0(N), H0(X), H1(N), and H1(X) as follows: H0(N) is replaced by H0(X),
which is replaced by H1(N), which is replaced by H1(X), which is replaced by the former value of H0(N).
Variations
If one wishes to use Quadibloc V with eight rounds, then the key augmentation step of the key schedule is
modified as follows:
The encipherment step used to generate intermediate results now runs for nine rounds. All intermediate results
are used to XOR with subkey bytes, and the order is similar to that for the four-round version: first, an XOR is
done to the first eight bytes in each of the eight rounds, then the next eight bytes in each of the eight rounds. The
ninth round uses the subkeys for the first round.
The last 512 bytes so generated, which involve all but the first eight intermediate results, are used to carry out the
modification of the S-box S2, but this time twice.
With sixteen rounds, the key augmentation step will involve encipherment with eighteen rounds, the last two
using the subkeys of the first two rounds. Again, all intermediate results are used to XOR with subkey bytes. The
last 1024 bytes generated, which exclude the first sixteen intermediate results (or those from the first two rounds)
are used to modify S-box S2 four times.
Next
Start of Section
Skip to Next Chapter
Table of Contents
Main Page
Home Page
[Next] [Up] [Previous] [Index]
Quadibloc VI
Quadibloc VI attempts to achieve the attractive characteristics of Quadibloc III, but with fewer rounds. The main intention in the design of Quadibloc VI is to
make a block cipher that has the advantages of a stream cipher.
A typical block cipher subjects each block of data it enciphers to a series of manipulations, with the only variation in these manipulations due to the variable and
secret key being that the data, while being manipulated, occasionally has subkey material XORed to it. Perhaps addition will also be used.
A stream cipher can resist analysis by applying different key material to the encipherment of each byte or block it encounters.
Thus, the Mishmash encipherment method used within Quadibloc III imitates a stream cipher, by choosing subkeys from a pool to encipher one half of a block, the
choice being determined by the other half of the block. This principle is employed here as well, but with a simpler structure.
Quadibloc VI uses the same fixed S-boxes S1 and S2 derived from Euler's constant as QUADIBLOC and other ciphers in the Quadibloc series, whose contents
have been listed in previous sections.
Description of Mixing/Whitening
The first step in encipherment, when a 128-bit block is submitted to Quadibloc VI, is to ensure that every bit in the block affects, or potentially affects, every bit in
every other block, through a short series of mixing and whitening transformations, as shown in the diagram below:
First, the bytes, by pairs, go through four mini-Feistel rounds, using the key-dependent S-box S8 as the f-function.
Then, using 64-bit subkey LK1, the two halves of the block have selected corresponding bits swapped, in the manner originated by the block cipher ICE.
Then, to bring bytes that have not yet influenced each other into contact, the bytes are transposed so that after transposition, the bytes in order came from the
following positions, from 1 to 16, as indicated by the numbers below:
1 13 2 14 3 15 4 16 5 9 6 10 7 11 8 12
Once this is done, another four mini-Feistel rounds with the key-dependent S-box S8 used as the f-function are performed on adjacent pairs of bytes.
Then, once again bytes are moved to bring bytes that had not affected one another into contact. As a possible transposition to do so here is the one used previously,
it is applied once again.
Then, a completely unkeyed step is used for the final merging of bytes, a set of Pseudo-Hadamard Transforms applied to pairs of bytes.
Finally, the bytes in the block are transposed according to a key-dependent byte transposition derived from the contents of key-dependent S-box S8.
In a regular round of Quadibloc VI, the leftmost six bytes of the block are enciphered by means of two rounds of the GoodStuff method, which proceeds as follows:
Using four eight-bit subkeys (derived from a single 32-bit subkey), four Feistel rounds are used to encipher a 16-bit subblock; in the first round, the right half is
XORed with the first subkey, then replaced through S8, then added to the left half. The direction of the f-function alternates from right to left to left to right, and in
the two outer rounds, the subkey is XORed and the f-function output added, and in the two inner rounds, the subkey is added and the f-function output XORed.
The four intermediate results of the f-functions, derived before S8 substitution, are used to index into the fixed S-box S2. The S-box outputs are used to form a 32-
bit word consisting of the first nibbles of the four substituted results in order, then the second nibbles. (Since, looking sideways, the bottom, rather than the top, of
the previous four rounds are to the left, the diagram shows that the order needs to be reversed when drawing a left-to-right round of this cipher, by means of a twist
upon entry and exit from the horizontal Feistel rounds.)
The resulting 32-bit word is then itself enciphered by four Feistel rounds of a cipher which, like Blowfish, uses wide key-dependent S-boxes in the f-function.
Here, four 16-bit subkeys are used, and so they are derived from two 32-bit regular subkeys.
The final interchange is not omitted, or the rounds can be thought of, as they are drawn, in in-place format, and the first round goes from right to left (or, in the
diagram, top to bottom).
The following diagram illustrates the operations that take place during a regular round of Quadibloc VI upon the leftmost eight bytes of the block:
The first six bytes are subjected to encipherment according to the GoodStuff algorithm, first in one direction, and then in another.
The final f-function outputs in the Feistel rounds applied to the 32 bit quantity that serves as subkeys for the 16-bit Feistel rounds in each of the GoodStuff
encipherments are XORed to the last two of the first eight bytes. Before, between, and after these XORs, those two bytes are modified using the same type of mini-
Feistel round as was used in the initial mixing/whitening phase.
Note that the first and last f-function (or S-box S8) outputs are XORed together to produce one byte of output.
This byte is used to control the encipherment of the other half of the block, which is enciphered using the modification of the original QUADIBLOC round used in
Quadibloc S, to be described in the next section. A Quadibloc S round is illustrated below:
The single byte of output has 256 possible values. 7 times 6 times 5 is 210, which is less than 256, therefore this byte can be used to choose three distinct subkeys
from a pool of seven subkeys to be used as the three subkeys for the Quadibloc S round.
After the first three regular Quadibloc IV rounds in a group of four, the bytes are interchanged according to the following pattern, where each number denotes the
position of a byte in the source to the permutation, the numbers being in the order of the bytes upon] output:
3 4 5 6 7 8 1 2 13 14 15 16 9 10 11 12
The intent of this is to have the two bytes in the first half which are enciphered differently take on four different values, while the halves of the second half are
swapped each time.
After every group of four regular Quadibloc IV rounds except the last four, the halves of the block are swapped.
It is assumed that a mere eight rounds of Quadibloc IV will suffice. At least sixteen rounds, however, would be absolutely required were it not for the initial
mixing and whitening rounds. This is because four rounds are, in a sense, really only one round.
Finally, using 64-bit subkey LK2, the operations of the mixing/whitening rounds are performed in reverse order. The Pseudo-Hadamard Transform is replaced by
its inverse, and so are the two fixed byte permutations. But the groups of four mini-Feistel rounds stay the same (instead of being inversed by having left and right
bytes switched), and the ICE-style swap is its own inverse.
The steps involved in the final mixing/whitening step may be made clearer by this diagram:
Although, when compared with the method for generating the key schedule for Quadibloc II and Quadibloc III, many shortcuts are taken in the method used for
Quadibloc VI, it will be seen that key generation for Quadibloc VI is still long and complicated.
Quadibloc VI with eight regular rounds uses the following subkey material:
● Eighty 32-bit subkeys, designated K1 through K80, ten of which are used for each regular round which contains two rounds of GoodStuff encipherment;
● Eight banks of seven 32-bit subkeys used in the Quadibloc S type rounds which are applied to the right half of the block, which may be designated V1
through V56;
● The key-dependent S-boxes S10 and S11, each of which contains 256 random 16-bit entries;
● Two 64-bit subkeys, LK1 and LK2;
● The key-dependent S-box S8, which contains the bytes 0 to 255 in random order;
● A key-dependent table with 256 entries, each entry being a triple of three distinct integers from 1 to 7, which will contain all 210 possible arrangements
once, and 46 of those arrangements twice, for use in selecting subkeys from the subkey pool for the Quadibloc S type rounds applied to the right half of the
block.
For what follows, the first three items in the list above are to be considered to be stored in order contiguously in memory.
that is, repeat the key, following it each time by a series of bytes with successive values that is one byte longer.
Then generate initial values for subkeys K1 through K80, pooled subkeys V1 through V56, and the contents of key-dependent S-box S10 (as well as an initial
value for key-dependent S-box S8) by generating 1056 bytes
through the following procedure: take a copy of the key, and appended to that copy, after its last byte, is a byte equal to the inverse, the bitwise negation, or one's
complement, of the XOR of all the bytes of the original key. This ensures the key as expanded does not consist entirely of zeroes.
Bytes are then generated from the key by chain addition. This means that a byte is generated as follows: the sum, modulo 256, of the first two bytes of the key is
the generated result; and it is also appended to the end of the key, whose first byte is then removed. (Note that the cipher itself uses XOR only, and not addition
modulo 256.)
The method of producing subkey bytes is a degenerate form of the MacLaren-Marsaglia generator. An array with 256 byte positions, called A(0) to A(255), is
filled by generating 256 bytes by means of chain addition.
The initial value for the key-dependent S-box S8 is generated concurrently with subkey generation by means of the use of two additional arrays, B(0) to B(255)
and C(0) to C(255).
These two arrays are initialized so that B(0) contains 0, B(1) contains 1, and so on, and C also contains the 255 byte values in order as well.
Then, each time a value is stored in a location of A, both the 256 initial values, and the value stored in A(q) each time a subkey byte is generated, the following
procedure is performed:
Let p be the value being stored in the array A, and let q be the index in A of where it is being stored.
Otherwise:
Swap element q and element C(p) of array B. (Element C(p) of array B will equal p.)
Store q in C(p) (since B(q) now has p stored in it), and store w in C(v) (since our swap placed v, the former value of B(q), in B(w) which originally contained p).
Once all the subkeys are generated, starting from the first (most significant) byte of subkey 1, and ending with the last (least significant) byte of subkey 12, the
contents of the array B are used as the key-dependent S-box.
Once these portions of the required subkey material have inital values assigned to them (LK1 and LK2, as well as the table used to choose subkey pool values for
the Quadibloc S part of a round are still empty), we will encipher the contents of S-box S11 as follows:
Four entries in S-box S11, or eight bytes, will be enciphered at a time. Using the initial values of S8 and S10, and the value of S11 upon entry to the encipherment
of four more entries in it, the encipherment of the right half of the block during a regular Quadibloc VI round will be performed, with the following subkeys:
After the first encipherment, the entries in S11 to be enciphered will first be XORed with the result of the previous encipherment, after that result has been rotated
left by two bytes.
Then, the first 80 (16-bit) entries in S11 are swapped with the first 40 (32-bit) subkeys for GoodStuff encipherment.
Starting with the first byte in K41, and continuing to the last byte in S11(255), each byte in this contiguous array of subkey material except for the first 40
GoodStuff subkeys is now modified as follows:
Once again, after the first encipherment in this group of encipherments, the entries in S11 to be enciphered will first be XORed with the result of the previous
encipherment, after that result has been rotated left by two bytes.
Then, the last 112 entries in S11, S11(144) through S11(255), are enciphered by the same method, and are afterwards swapped with V1 through V56. This time,
the subkey material used will extend into the start of S11, as illustrated by the table below:
And again, after the first encipherment in this final group of encipherments, the entries in S11 to be enciphered will first be XORed with the result of the previous
encipherment, after that result has been rotated left by two bytes.
Starting with the first byte in S10(0), and continuing to the last byte in S11(255), the bytes in the array of subkey material are modified, possibly repeatedly, by the
formula:
where the values n-542 and n-544 begin, on the first pass, as pointing into K1 to K80, and then V1 to V56, but afterwards are confined to the area from the start of
S10 to the end of S11. As this process is performed when the final value of S8 is produced, the fixed S-box S2 is now used.
The old value of Byte(n) is made available to other subkey generation processes, specifically the generation of the control table for Quadibloc S-type subkeys and
of the final value of S8, and this process is repeated only as many times as these processes require input.
First, an array is filled with the first 46 numbers from 0 to 219 in the initial value of S8, followed by the numbers 0 to 219 in order.
Then, a permutation is produced from several blocks of 256 values generated as old Byte(n) values from the shift-register process above applied to the area from
V1 to S11(255), utilizing the following procedure (as seen in Quadibloc II and Quadibloc III):
● Each permutation is generated by the use of either 512, or, under some rare circumstances, only 256, bytes.
● A permutation is generated as follows:
❍ Begin with three arrays of 256 numbers, the first of which is filled with the numbers from 0 to 255 in order. The arrays must also be able to hold the
value -1. The second and third arrays are filled with -1.
❍ For each byte used: let the value of the byte be called N, and let I be a counter which starts at 0 for the first byte, incrementing with each byte used,
■ If element N of the first array is not -1, set element N of the first array to -1, and set element I of the second array to N.
■ Otherwise, store N in the first unused position (the first position containing -1) in the third array.
❍ Once this has been done, if the third array contains any numbers other than -1, proceed as follows:
❍ If there is only one filled (not equal to -1) element in the third array, then there is only one remaining element in the first array, and one element of
the second array equal to -1, so fill the second array with the one available byte, and finish.
❍ If there are only two filled elements in the third array, take the least significant bit of the first filled element. If it is zero, fill the -1 elements of the
second array with the remaining elements of the first array in order; if it is one, do so in reverse order, and finish.
❍ If there are less than 256 filled elements in the third array, repeat them over and over to fill the array. Then, take an additional 256 input bytes (thus,
512 bytes are used except when the first 256 bytes contain two or fewer duplicate bytes) and XOR them with the bytes of the third array.
❍ Now, use the third array to complete the second array by doing the following for II from 0 to 255:
■Let the value of element II of the third array be XX.
■Swap elements II and XX of the first array.
❍ Then, scan through the second array. When an element of the second array is -1, fill it with the corresponding element of the first array (if it is not
also -1) and set that element of the first array to -1.
❍ If there are any -1 elements left in the second array, fill them with the elements of the first array that are not -1 in order.
● When this procedure is completed, the contents of the second array are the desired permutation.
Once the permutation is generated, replace every element in it as follows: if the value of that element is N, replace it with element N of the array filled, based on
the initial value of S8, with numbers from 0 to 209, 46 of them twice.
These numbers from 0 to 209 then need to be converted to triples used for selecting subkeys from a group of seven subkeys in the V1 to V56 group. The numbers
from 0 to 34 will be considered to represent triples of distinct numbers in ascending order in numerical order:
0 1 2 3 7 1 3 6 14 1 6 7 21 2 4 7 28 3 5 6
1 1 2 4 8 1 3 7 15 2 3 4 22 2 5 6 29 3 5 7
2 1 2 5 9 1 4 5 16 2 3 5 23 2 5 7 30 3 6 7
3 1 2 6 10 1 4 6 17 2 3 6 24 2 6 7 31 4 5 6
4 1 2 7 11 1 4 7 18 2 3 7 25 3 4 5 32 4 5 7
5 1 3 4 12 1 5 6 19 2 4 5 26 3 4 6 33 4 6 7
6 1 3 5 13 1 5 7 20 2 4 6 27 3 4 7 34 5 6 7
and then this sequence is repeated but with the three elements in each of the other five of the six possible orders to make all 210 combinations:
0 1 2 3 1 1 2 4 ... 34 5 6 7
35 1 3 2 36 1 4 2 ... 69 5 7 6
70 2 1 3 71 2 1 4 ... 104 6 5 7
105 2 3 1 106 2 4 1 ... 139 6 7 5
140 3 1 2 141 4 1 2 ... 174 7 5 6
175 3 2 1 176 4 2 1 ... 209 7 6 5
Now, generate another permutation by the method above. Then, the final value of S8 is produced as follows: for i from 0 to 255, let N equal element i of the old
value of S8, and set element N of the final value of S8 (stored in another array) to be element i of this permutation.
Finally, using our shift register method as applied to V1 through S11(255), acquire sixteen more bytes by replacing their old values with new ones; the old values
taken will be LK1 and LK2.
The key-dependent byte permutations used between the mixing/whitening rounds and the regular rounds are generated as follows:
The one performed after the first mixing/whitening round is obtained by taking the bytes in the final form of S-box S8 of the form 0x, and using their least
significant nibbles to indicate which position each byte of the block will be moved to. This is the dispatch form of the permutation, which is the opposite of the one
used to describe bit and byte transpositions in the description of the Quadibloc ciphers. The one performed after the regular rounds is generated from the bytes of
the form 8x, but is in fetch form, the least significant nibble of each of these bytes indicating the source from which each byte of the result is obtained.
Variations of Quadibloc VI
Although Quadibloc VI would absolutely need sixteen rounds if the mixing/whitening stages were absent, that does not mean that sixteen rounds are not a good
idea in any case. With sixteen rounds, the required key material consists of:
● One hundred and sixty 32-bit subkeys, designated K1 through K160, ten of which are used for each regular round which contains two rounds of GoodStuff
encipherment;
● Sixteen banks of seven 32-bit subkeys used in the Quadibloc S type rounds which are applied to the right half of the block, which may be designated V1
through V112;
● The key-dependent S-boxes S10 and S11, each of which contains 256 random 16-bit entries;
● Two 64-bit subkeys, LK1 and LK2;
● The key-dependent S-box S8, which contains the bytes 0 to 255 in random order;
● A key-dependent table with 256 entries, each entry being a triple of three distinct integers from 1 to 7, which will contain all 210 possible arrangements
once, and 46 of those arrangements twice, for use in selecting subkeys from the subkey pool for the Quadibloc S type rounds applied to the right half of the
block.
The key generation process closely parallels that for eight rounds, with small changes as follows:
that is, repeat the key, following it each time by a series of bytes with successive values that is one byte longer.
Then generate initial values for subkeys K1 through K160, pooled subkeys V1 through V112, and the contents of key-dependent S-box S10 (as well as an initial
value for key-dependent S-box S8) by generating 1376 bytes
through the degenerate MacLaren-Marsaglia procedure from Quadibloc S, and the permutation generated as its side effect is the initial value for S-box S8.
Once these portions of the required subkey material have inital values assigned to them (LK1 and LK2, as well as the table used to choose subkey pool values for
the Quadibloc S part of a round are still empty), we will encipher the contents of S-box S11 as follows:
Four entries in S-box S11, or eight bytes, will be enciphered at a time. Using the initial values of S8 and S10, and the value of S11 upon entry to the encipherment
of four more entries in it, the encipherment of the right half of the block during a regular Quadibloc VI round will be performed, with the following subkeys:
After the first encipherment, the entries in S11 to be enciphered will first be XORed with the result of the previous encipherment, after that result has been rotated
left by two bytes.
Then, the first 160 (16-bit) entries in S11 are swapped with the first 80 (32-bit) subkeys for GoodStuff encipherment.
Starting with the first byte in K81, and continuing to the last byte in S11(255), each byte in this contiguous array of subkey material except for the first 80
GoodStuff subkeys is now modified as follows:
Next, entries S11(80) through S11(240) in S11 are enciphered, two at a time, using the left half of a regular Quadibloc VI round as above, once again using the
subkeys in the order above for the encipherment, starting with subkeys K1 through K10, and are swapped after encipherment with the second group of 80 subkeys
for GoodStuff encipherment.
Once again, after the first encipherment in this group of encipherments, the entries in S11 to be enciphered will first be XORed with the result of the previous
encipherment, after that result has been rotated left by two bytes.
Then, the last 224 entries in S11, S11(32) through S11(255), are enciphered by the same method, and are afterwards swapped with V1 through V112. This time,
the subkey material used will extend into the start of S11, as illustrated by the table below:
At this point, the subkey material required has caught up with the bytes we are attempting to encipher, and so we return to the beginning of the available subkey
material, as follows:
And again, after the first encipherment in this final group of encipherments, the entries in S11 to be enciphered will first be XORed with the result of the previous
encipherment, after that result has been rotated left by two bytes.
Starting with the first byte in S10(0), and continuing to the last byte in S11(255), the bytes in the array of subkey material are modified, possibly repeatedly, by the
formula:
where the values n-862 and n-864 begin, on the first pass, as pointing into K1 to K160, and then V1 to V112, but afterwards are confined to the area from the start
of S10 to the end of S11. As this process is performed when the final value of S8 is produced, the fixed S-box S2 is now used.
The old value of Byte(n) is made available to other subkey generation processes, specifically the generation of the control table for Quadibloc S-type subkeys and
of the final value of S8, and this process is repeated only as many times as these processes require input.
First, an array is filled with the first 46 numbers from 0 to 219 in the initial value of S8, followed by the numbers 0 to 219 in order.
Then, a permutation is produced from several blocks of 256 values generated as old Byte(n) values from the shift-register process above applied to the area from
V1 to S11(255), utilizing the procedure for generating permutations from Quadibloc II and Quadibloc III.
Once the permutation is generated, replace every element in it as follows: if the value of that element is N, replace it with element N of the array filled, based on
the initial value of S8, with numbers from 0 to 209, 46 of them twice.
These numbers from 0 to 209 then need to be converted to triples used for selecting subkeys from a group of seven subkeys in the V1 to V56 group.
Now, generate another permutation by the method above. Then, the final value of S8 is produced as follows: for i from 0 to 255, let N equal element i of the old
value of S8, and set element N of the final value of S8 (stored in another array) to be element i of this permutation.
Finally, using our shift register method as applied to V1 through S11(255), acquire sixteen more bytes by replacing their old values with new ones; the old values
taken will be LK1 and LK2.
And hence ends key generation for Quadibloc VI with sixteen rounds.
Next
Start of Section
Skip to Next Chapter
Table of Contents
Main Page
Home Page
[Next] [Up] [Previous] [Index]
Quadibloc S
Quadibloc S is a block cipher with a 64-bit block, based on the original QUADIBLOC, but
including in its f-function one feature from Quadibloc II, while omitting the use of S-box S2
on the half of the block being modified.
The version with four rounds is being specifically proposed here. Since each f-function
involves three table lookups, even this could be considered to be comparable, at least in the
time taken, to 12-round DES. That means that six rounds (comparable to 18) would be
acceptably fast: but the four round version is being considered specifically to examine what
sort of cryptanalytic attacks are possible.
It may be that Quadibloc S with eight rounds, except for the fact of a 64-bit block size, would
be secure enough for actual use. Certainly, it should be secure with sixteen rounds, being
comparable to original QUADIBLOC. Also, a key schedule is used that should be more secure
than that of the original QUADIBLOC, but much less complicated than that of Quadibloc II.
The Rounds
A copy of the right half, which will actually be unchanged by this round, is taken.
The copy is XORed with the round's first subkey (subkey 1 for round 1, subkey 4 for round 2,
to subkey 10 for round 4).
Then, each byte is replaced by its substitute in S-box 1, whose contents are given in the section
on Euler's Constant and the Quadibloc S-Boxes.
The bits of the result, considered to be numbered from 1 (most significant bit of the first,
leftmost byte) to 32 (least significant bit of the last, rightmost byte) following the pattern in
DES, are to be transposed so that these bits are then in the order below, still labelled with their
previous positions:
1 2 27 28 21 22 15 16
9 10 3 4 29 30 23 24
17 18 11 12 5 6 31 32
25 26 19 20 13 14 7 8
The result is then XORed with the second subkey for the round. Then, S-box S1 and the bit
transposition are applied again, and the result of that is XORed with the third subkey for the
round.
Then, the four bytes of the result are replaced with their substitutes in a key-dependent S-box.
This produces the final result, which is XORed with the left half of the block. This change to
the value of the block is the end product of the round. Finally, in all rounds but the last one, the
two halves of the block are swapped.
The first step of key generation is this: appended to the key, after its last byte, is a byte equal to
the inverse, the bitwise negation, or one's complement, of the XOR of all the bytes of the
original key. This ensures the key as expanded does not consist entirely of zeroes.
Bytes are then generated from the key by chain addition. This means that a byte is generated as
follows: the sum, modulo 256, of the first two bytes of the key is the generated result; and it is
also appended to the end of the key, whose first byte is then removed. (Note that the cipher
itself uses XOR only, and not addition modulo 256.)
The method of producing subkey bytes is a degenerate form of the MacLaren-Marsaglia
generator. An array with 256 byte positions, called A(0) to A(255), is filled by generating 256
bytes by means of chain addition.
The key-dependent S-box is generated concurrently with subkey generation. Two additional
arrays, B(0) to B(255) and C(0) to C(255), are used in this process.
These two arrays are initialized so that B(0) contains 0, B(1) contains 1, and so on, and C also
contains the 255 byte values in order as well.
Then, each time a value is stored in a location of A, both the 256 initial values, and the value
stored in A(q) each time a subkey byte is generated, the following procedure is performed:
Let p be the value being stored in the array A, and let q be the index in A of where it is being
stored.
Otherwise:
Swap element q and element C(p) of array B. (Element C(p) of array B will equal p.)
Store q in C(p) (since B(q) now has p stored in it), and store w in C(v) (since our swap placed
v, the former value of B(q), in B(w) which originally contained p).
Once all the subkeys are generated, starting from the first (most significant) byte of subkey 1,
and ending with the last (least significant) byte of subkey 12, the contents of the array B are
used as the key-dependent S-box.
Test Vectors
The following is output from a short BASIC program which implements four-round Quadibloc
S.
Keys and the block are shown as sequences of bytes, from first to last, represented as decimal
numbers from 0 to 255, for simplicity in programming.
Next
Start of Section
Skip to Next Section
Skip to Next Chapter
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]
Quadibloc VII
Quadibloc VII is an attempt to embody the principles found in the Large-Key
Brainstorm within the compass of a block cipher.
● Two S-boxes, each containing 256 entries, each entry being 16 bits in length;
(1024 bytes)
● Thirty-two subkeys, four for each of eight rounds, each 16 bits in length; (64
bytes)
● Ninety-six subkey pools, each one containing 16 subkeys, each subkey being 16
bits in length, (3072 bytes)
The Rounds
The XOR of the two halves of the first 32-bit quarter after two Feistel rounds is used to
control, for each of the four Feistel rounds performed on the next quarter, which of
sixteen possible subkeys are used.
After every odd-numbered round, the eight 16-bit subblocks are permuted to the
following order (expressed in terms of a list of the sources of the subblocks after the
permutation):
7 6 1 8 3 2 5 4
thus, the left halves move to the next later quarter, and the right halves move to the
corresponding position in the other half of the entire block.
After every even-numbered round except the last, the eight 16-bit subblocks are
permuted to the following order (expressed in terms of a list of the sources of the
subblocks after the permutation):
7 4 1 6 3 8 5 2
thus, the left halves move to the next later quarter, and the right halves move to the
next earlier quarter.
This diagram illustrates, by color-coding, how the pieces of the block move during the
8 rounds of Quadibloc VII:
(1) [2] 3 4 5 6 7 8
7 6 (1) 8 3 [2] 5 4
5 8 7 [2] (1) 4 3 6
3 4 5 6 7 8 (1) [2]
(1) 6 3 8 5 [2] 7 4
7 2 (1) 4 3 6 5 8
5 4 7 6 (1) 8 3 [2]
3 8 5 [2] 7 4 (1) 6
The paths of the first left half and the first right half are indicated by brackets. Note that
the first left half, 1, is enciphered:
thus ensuring that the blocks affect the other blocks by being enciphered with them in
the small Feistel rounds, in addition to affecting them by modifying their encipherment
through the use of the subkey pools.
The f-function is merely the XOR of the value in S10 indexed by the leftmost half of
the input with the value in S11 indexed by the rightmost half of the input.
While the round structure of Quadibloc VII is impressive, as is to be expected given the
large amount of subkey material it consumes, as there are only two S-boxes in the
cipher, both of them key-dependent, the cipher is still only as good as its key schedule.
Initially, the subkeys will be filled in the following order: first the 96 subkey pools,
then the two S-boxes (first S10, then S11, from entry 0 to entry 255 each), then the 32
fixed subkeys. And they will be initially filled by means of almost the same key
generation method as used in Quadibloc S:
The key is expanded to prevent a key that is long and of all zeroes in whole or in part
from causing poor results as follows: a key of n bytes is expanded to one of 3n+1
bytes, the last byte of which is a byte equal to the inverse, the bitwise negation, or one's
complement, of the XOR of all the bytes of the original n byte key. The first 3n bytes
of the key alternate between a byte from each of the following sources:
● The n bytes of the original key, in order.
● One of the possible byte values, starting from 127, and incrementing by one
each time.
● The bytes of the original key, in reverse order, inverted, and with 1, 2, 3, and so
on added to them.
Thus, if the original key is 0 128 255, after expansion the key becomes 0 127 1 128 128
129 255 129 2 128.
Bytes are then generated from the key by chain addition. This means that a byte is
generated as follows: the sum, modulo 256, of the first two bytes of the key is the
generated result; and it is also appended to the end of the key, whose first byte is then
removed. (Note that the cipher itself uses XOR only, and not addition modulo 256.)
Once all the subkeys have been filled by this method, the quantity
01F253A435C607F859AA3BCC0DFE5FA0 is to be enciphered with the temporary
subkeys thus calculated, for the first four rounds of a normal Quadibloc VII
encipherment.
This output is now used as the key from which bytes are generated by chain addition. It
is expanded, but not in the same fashion as the original key: it is only doubled in
length, and the bytes of the key alternate with the bytes of the key in reverse order,
inverted (but without anything added to them). Since 32 is not a number of the form 3n
+1 (unlike 16, which is such a number), both keys are ensured to be different in length.
Quadibloc VIII
Quadibloc VIII is a design reminiscent of Quadibloc II and Quadibloc III. With a
simple and uniform round structure, it still attempts to make the algorithm itself, not
just the subkeys applied, variable.
Because of the variability in the algorithm, it is not suited to smart card applications, as
it is not resistant to attacks based on timing or power consumption. Also, there could be
weak keys, both because some keys might cause short sequences in the shift registers
used for producing subkeys, and because some keys might lead to duplicate entries in
S10 and S11. The byte interchange between rounds might be questioned. However, I
am of the opinion that the same factors which seem to contribute these weaknesses also
contribute more in strength than they remove, and that the design prevents potential
weaknesses such as these from being exploitable.
It may be noted that this design has drawn inspiration from many quarters. It uses the
bit swap under mask of ICE, and the XOR with subkeys of the left-hand quarter of
each half was inspired by LOKI-97, as was the manner of minimally alternating
between two S-boxes in the f-function in the left half to avoid a rotational symmetry.
The concept of having initial and final mixing and whitening phases, even though the
phases themselves may not much resemble those of MARS, is due to that cipher, and
the notion of placing the algorithm under the control of the key owes something to
FROG. Using the initial mixing and whitening phases to vary where each bit goes in
the algorithm is somewhat similar to the method used in FROG to achieve algorithmic
variability. The basic regular round structure consists of two Feistel rounds, each one
operating between two quarters of the block within one half of the block; RC6 has a
similar basic round structure, but with one important difference: in RC6, the block,
viewed as LRLR, modifies each R portion based on a function involving both its own
L portion and the other one, so that each R portion depends on both L portions. In
Quadibloc VIII, although the block also has an LRLR form, and the first L portion is
transformed in an invertible manner that depends only on the key (instead of being left
alone as in the original Feistel structure), the first R portion depends only on the first L
portion, while the second R portion depends on both L portions, and even the second L
portion is transformed in a way that depends on the first L portion.
Quadibloc VIII consists of sixteen rounds, with a brief whitening and mixing phase at
the beginning and end of the cipher.
For the purpose of a round, a block is divided into two halves, each half being further
subdivided into two quarters. In each half, the left quarter is used as the input to an f-
function, basically the f-function from Quadibloc S and Quadibloc II and others, and
the output is XORed with the right quarter.
Before and after being used as the input to the f-function, the left quarter is put through
one of two keyed transformations. The same is done with the right quarter before and
after being XORed with the output from the f-function.
The left quarter only, at the beginning and end of the round, is XORed with subkey
material.
For the left half only, an extra output is derived from the calculation of the f-function.
This extra output supplies bits which have a nonlinear effect on transformations applied
to the right quarter of the left half, and to both quarters of the right half.
Next
Start of Section
Skip to Next Chapter
Table of Contents
Main Page
[Next] [Up/Previous] [Index]
The left quarter of the left half of the block is first modified by being XORed with a 32-bit subkey (in the case of
the first round, this is subkey 49, and the number is advanced by 2 with each round). Then it is subjected to one
of two possible transformations: either it is divided into four bytes, and each pair of bytes is enciphered through a
two small-scale Feistel rounds, using key-dependent S-box S8 as the f-function, or it is divided into two 16-bit
portions which are enciphered by two Feistel rounds.
Then, the other of the two possible transformations is performed on the left quarter of the left half of the block,
and finally another 32-bit subkey is XORed with it (subkey 50 in the first round, advanced by 2 for each
succeeding round).
The two small transformations of a 32-bit quarter of the block are, in detail, as follows:
In the first transformation, numbering the bytes from 1 to 4 from left to right, first byte 2 of the block is
changed by being XORed with the byte of S8 indicated by byte 1 of the block XORed with byte 1 of the subkey,
and at the same time byte 4 of the block is changed by being XORed with the byte of S8 indicated by byte 3 of
the block XORed with byte 2 of the subkey. (These XORs, and those in the next paragraph, may be changed to
modulo-256 addition, under circumstances to be noted below.)
Subsequently, byte 1 of the block is changed by being XORed with the byte of S8 indicated by byte 2 of the
block (in its current modified state) XORed with subkey byte 3, and at the same time byte 3 of the block is
changed by being XORed with the byte of S8 indicated by byte 4 of the block (in its current modified state)
XORed with subkey byte 4.
Thus, the block is divided into two halves; each half is subjected to two Feistel rounds in place, and the input to
the f-function comes first from the byte on the left, and then in the second round from the byte on the right. The
key-dependent S-box provides the f-function.
In the second transformation, the 32-bit block is split into two 16-bit halves. Two Feistel rounds take place,
with the left half initially supplying the input to the f-function. The f-function begins with the input being
XORed to 16 bits of subkey (the left half in the first round, the right half in the second, of a 32-bit subkey); then,
the left half of the result is used to index into key-dependent S-box S10, and the right half of the result is used to
index into key-dependent S-box S11. The two items found are then added (with the left byte being the most
significant), and the result is the f-function output. The round is completed by modifying the target half of the
block by XORing it with the f-function output.
Considering 32-bit subkey 721 as being composed of bits numbered from 1 to 32 from left to right, bit 1, if it is a
1, changes all the XORs in the first transformation when it is applied to the left quarter of the left half of the 128-
bit block in the first round to additions, both those where the subkey is XORed to the index into S8, and where
the output from S8 is XORed to a byte of the block.
Bit 17, if it is a 1, causes the second of the two transformations, the one which acts on 16-bit halves of the 32-bit
quarter, to take place first, in the first round. Bits 18 through 32 do this for rounds 2 through 16.
The f-function
The f-function used in Quadibloc VIII is essentially the same f-function as seen in Quadibloc II and Quadibloc S,
except with the use of different S-boxes and, in the case of the left half, an intermediate result is taken, which is
not the same as the one taken in Quadibloc III, which also uses an otherwise similar f-function.
The f-function consists of three general types of phase: S, for substitution, P, for bit-permutation, and X, for the
XOR of subkey material. The f-function used here is of the type XSPXSPXS. By having two full SP layers,
changing a single bit of the input always affects the entire f-function output, and therefore the avalanche property
of Quadibloc S is considerably stronger than that of DES; in return for a slower f-function, a single bit change in
the input block propagates to the whole block after only four rounds instead of eight.
The first S phase uses S-boxes 1, 1, 1, and 2 in order from left to right, and the second uses S-boxes 1, 2, 2, and 2
from left to right. S1 and S2 are as described in the description of previous ciphers in the Quadibloc series,
having been generated from Euler's constant.
The bit permutation used is a straightforwards one, where the first (leftmost) two bits of each byte remain in
position, the next two bits are rotated one byte to the right, the third pair of bits rotated 16 bits, and the last
(rightmost) two bits of each byte are rotated one byte to the left. Again, this is given in the description of the
original Quadibloc cipher.
The third S-phase replaces all the bytes with their substitutes in key-dependent S-box S8.
The subkeys XORed with the f-function input are subkeys 1, 2, and 3 in the first round, and the subkey numbers
are offset by 3 with each succeding round (thus, subkeys 4, 5, and 6 are used in round 2).
An auxilliary result is also produced from the f-function for the left half of the block. This result is the XOR of
the current values in the f-function after, of the complete f-function, in the form XSPXSPXS, the parts from the
beginning labelled XSP and the parts XSPXSP have been done.
For the remaining three quarters of the block, the auxilliary result will be used to control the order of the two
transformations applied to a single quarter, and whether, for the transformation of the first kind (which may be
done first or second) XORs or single-byte additions are used, in the fashion that subkey 721 controlled this for
the first quarter. Other bits of the auxilliary result will be used to select subkeys for use in subsequent
encipherment from a set of four possible values, and to select S-boxes from two possibilities for the f-function
used in the right half of the block.
First, the right quarter of the left half is subjected to one of the two available transformations. If the bits of the
auxilliary output of the f-function are numbered from 1 to 32 from left to right, bit 28, if it is 0, indicates that the
transformation of the first type, using S8 as the f-function, is done first; if it is 1, it indicates that the
transformation with a 16-bit wide f-function is done first. Bit 27 indicates, if it is a 1, that the XORs in the
transformation of the first type uses bytewise additions instead of XORs.
Bits 9 and 10 indicate, as a two bit number, bit 9 being more significant, which of the subkeys 145, 289, 433, or
577 is used for the transformation of the first type (whether it is done first or second), and bits 11 and 12
similarly indicate whether subkey 146, 290, 434, or 578 is used for the transformation of the second type. (In the
next round, and each time one progresses from one round to the next, the number of each subkey in each of these
groups of four subkeys is advanced by 9.)
After the first transformation is performed, the f-function output is XORed with the right quarter of the left half
of the block. Then, the second transformation is performed.
As can be seen from comparing the two diagrams, the operations that take place on the right half of the block are
very similar to those which apply to the left half of the block. The main difference is that the 32-bit auxilliary f-
function output came from the left half, and it is used extensively in modifying the encipherment of the right half
(only six of its 32 bits were used to affect the transformations which applied to the right quarter of the left half).
Here, subkey 113 is first XORed with this quarter. This subkey number advances by 1 with each round, not by 2
as for the left half. Bit 30 of the auxilliary f-function output from the left half controls whether the transformation
of the first type (if 0) or of the second type (if 1) is done first, and bit 29, if 1, selects the use of bytewise addition
in the transformation of the first type.
Again, as before, the value between the two transformations is used as the f-function input. Bits 13 and 14 of the
auxilliary f-function output select the subkey (from 147, 291, 435, and 579) to use for the transformation of the
first type, and bits 15 and 16 select the subkey (from 148, 292, 436, and 580) to use for the transformation of the
second type.
The f-function
Again, the same XSPXSPXS structure is used. For the first two S stages, S-boxes 3 and 4 in the sequence
generated from Euler's constant are used. Bits 1 through 8 of the auxilliary f-function output from the left half
determine (0=S-box 3, 1=S-box 4) which S-box is used, for the four bytes of the f-function input in order from
left to right, first in the first stage and then in the second. The third S phase again just substitutes bytes from S-
box S8.
The three subkeys used are selected (in the first round, and advanced by 9 for each succeeding round as
previously noted) from subkeys 149, 293, 437, and 581 for the first XOR, guided by bits 21 and 22 of the
auxilliary f-function output; from subkeys 150, 294, 438, and 582 (in the first round) for the second XOR by bits
23 and 24; from subkeys 151, 295, 439, and 583 (in the first round) for the third XOR by bits 25 and 26.
Again, here we have two transformations, with the XOR of the f-function output in the middle. Bit 32 controls
which transformation comes first, and bit 30 controls whether XOR or addition is used in the transformation of
the first type. The transformation of the first type uses, in the first round, a subkey from subkeys 152, 296, 440,
and 584, as selected by bits 17 and 18 of the auxilliary output of the f-function in the left half, and the
transformation of the second type uses a subkey from subkeys 153, 297, 441, and 585, as selected by bits 19 and
20 of the auxilliary output of the f-function from the left half.
Byte Interchange
After each round of Quadibloc VIII, except round 16, the 16 bytes of the block are rearranged from being in the
order
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
16 8 5 6 12 10 3 1 13 15 7 14 4 2 11 9
Next
Start of Section
Skip to Next Chapter
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]
Since mixing consists of Feistel round operations on pairs of bytes, ICE-style bit
swapping is first applied to move half the bits from the left to the right side of that
operation (and vice versa).
Then, after two rounds of mixing, an ICE-style swap moves half the bits from the left
half of the block to the right half of the block (and vice versa), making it uncertain
whether any bit is in the left-hand side simple Feistel round or in the right-hand side
controlled Feistel round to begin with.
Finally, after two more rounds of mixing, and ICE-style swap moves bits between the
left and right quarters of each half, randomizing what side of the f-function they start
out on.
On exit from the cipher, the masks M4, M5, and M6 are applied in order, and the
Feistel rounds applied to pairs of bytes still use the left byte as input to the f-function
first, as illustrated below:
Next
Start of Section
Skip to Next Chapter
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]
● Six 64-bit swap masks, M1 through M6, each produced from 48 bits of normal subkey
material (specifically, the least significant 6 bits of each byte of 64 bits of normal
subkey material) by the use of a 4 of 8 code;
● One key-dependent S-box, S8, consisting of a permutation of the numbers from 0 to
255;
● Two key-dependent S-boxes, S10 and S11, each consisting of 256 16-bit values;
● Seven hundred and twenty-one 32-bit subkeys, organized as follows:
❍ 48 subkeys, from K1 through K48, used with the f-function in the left half;
❍ 32 subkeys, from K49 through K80, used to XOR with the left quarter of the
left half of the block at the beginning and end of each round;
❍ 16 subkeys, from K81 through K96, used as input to the transformation of the
first type applied to the left quarter of the left half of the block;
❍ 16 subkeys, from K97 through K112, used as input to the transformation of the
second type applied to the left quarter of the left half of the block;
❍ 16 subkeys, from K113 through K128, used to XOR with the left quarter of the
of XOR or byte-wide addition in the transformation of the first kind, for the
left quarter of the left half of the block in each round.
The key, which must be a multiple of 32 bits in length, is expanded into four different strings
of bytes as follows:
1. The first string consists of the key, with the one's complement of the modulo 256 sum
of all the bytes in the key appended.
2. The second string consists of the bytes in the key in normal order, alternating with the
one's complement of the bytes of the key in reverse order.
3. The third string consists of the bytes of the key in normal order, alternating with
consecutive numbers starting with 1, and with the bytes of the key in reverse order,
except that the last byte this would produce (a copy of the first byte of the key) is
omitted.
4. The fourth string consists of the bytes of the first half of the key, alternating with the
one's complement of the bytes of the second half of the key, alternating with
consecutive numbers starting with 128, alternating with the one's complement of the
bytes in the first half of the key in reverse order, but with the last byte this would
produce omitted.
Thus, four strings of different length are produced, and the bytes of the key are distributed
through these strings with different spacings. Also, no string can be all zeroes.
For example, given a key consisting of eight bytes with the values 1 2 3 4 5 6 7 8, the four
strings will be
1 2 3 4 5 6 7 8 219
1 1 8 2 2 7 3 3 6 4 4 5
5 5 4 6 6 3 7 7 2 8 8
1 251 128 250 2 252 129 249 3 253 130 248 4 254 131
Each of these four strings is used to produce bytes by chain addition. A cycle of chain
addition proceeds as follows: The modulo-256 sum of the first two bytes of the string is
calculated. This value is the current output from the process. The string is modified by having
its first byte removed, and the calculated sum appended to the end of the string.
● 256 bytes are produced by chain addition from the first string. These fill 256-byte
buffer 1. 256 bytes are produced by chain addition from the second string. These fill
256-byte buffer 2.
● When bytes are produced, the four strings, from first to fourth, will be rotated between
the designations of string A, B, C, and D in the following pattern, which repeats for
each four bytes generated:
❍ A: first, B: second, C: third, D: fourth
● To produce a byte of subkey material, string B is subjected to chain addition, and the
value it produces is used as an index into buffer 1. The value in buffer 1 at that point
is removed, and called output X. String A is subjected to chain addition, and the value
it produces replaces the value removed from buffer 1. (This is, of course, the classic
MacLaren-Marsaglia technique.) Similarly, string D is subjected to chain addition,
and the value it produces is used as an index into buffer 2. The value at this point is
removed, and becomes output Y, and is replaced by the output from subjecting string
C to chain addition.
● The XOR of outputs X and Y is used as the desired byte of subkey material.
At this point, the bytes of subkey material are subjected to a further operation during key
revision, to be described below.
The required subkey material is produced from this byte generator as follows:
● 1024 bytes are generated, to form the contents of S10 and S11.
● A permutation of the bytes from 0 to 255 is produced from generator output, in a
fashion to be described below, and this permutation will be called P.
● 2884 bytes are generated, forming the 721 32-bit subkeys.
● Another permutation of the byte values from 0 to 255 is produced. This permutation is
called Q. The S-box S8 can now be calculated, and satisfies the equation Q(S8(x)) = P
(x). Thus, it is produced by applying the inverse of Q to P.
● Six groups of eight bytes are calculated. The first two bits of these bytes are ignored;
the last six bits are used to index into the 4 of 8 code used with Quadibloc, and thus
the masks M1 through M6 are formed. (The original bytes used as input to the 4 of 8
code must be retained if a subsequent key revision phase is to be performed.)
The first byte generated is always used to fill the leftmost byte of a multi-byte subkey.
55 56 59 5A 65 66 69 6A 95 96 99 9A A5 A6 A9 AA
35 36 39 3A C5 C6 C9 CA 53 5C 63 6C 93 9C A3 AC
4D 4E 71 72 8D 8E B1 B2 17 1B 27 2B D4 D8 E4 E8
1D 1E 2D 2E D1 D2 E1 E2 47 4B 74 78 87 8B B4 B8
The basic procedure for generating a permutation, used to produce permutations P and Q
from generator output, is, as used with Quadibloc II, the following:
● Begin with three arrays of 256 numbers, the first of which is filled with the numbers
from 0 to 255 in order. The arrays must also be able to hold the value -1. The second
and third arrays are filled with -1.
● For each of 256 bytes produced by the generator: let the value of the byte be called N,
and let I be a counter which starts at 0 for the first byte, incrementing with each byte
used, and ending at 255.
● Then, for each byte:
❍ If element N of the first array is not -1, set element N of the first array to -1,
● Then, scan through the second array. When an element of the second array is -1, fill it
with the corresponding element of the first array (if it is not also -1) and set that
element of the first array to -1.
● If there are any -1 elements left in the second array, fill them with the elements of the
first array that are not -1 in order.
Whether the procedure finishes after 256 bytes, or after 512 bytes, from the generator are
used, the contents of the second array when the procedure is concluded are the permutation
produced.
Key Augmentation
There are ten intermediate results within a round that can be used for key augmentation.
These are:
1. The left quarter of the left half of the block, after being subjected to the first of the two
possible alternate operations, and as serves as the input to the f-function;
2. The intermediate result of the left half f-function after the first S-P layer, and before
the XOR of the second subkey input to the f-function;
3. The intermediate result of the left half f-function after the second S-P layer, and
before the XOR of the thirs subkey input to the f-function;
4. The left half f-function output;
5. The right quarter of the left half of the block, after being subjected to the first of the
two possible alternate operations, and before being XORed with the f-function output;
6. The left quarter of the right half of the block, after being subjected to the first of the
two possible alternate operations, and as serves as the input to the f-function;
7. The intermediate result of the right half f-function after the first S-P layer, and before
the XOR of the second subkey input to the f-function;
8. The intermediate result of the right half f-function after the second S-P layer, and
before the XOR of the thirs subkey input to the f-function;
9. The right half f-function output;
10. The right quarter of the right half of the block, after being subjected to the first of the
two possible alternate operations, and before being XORed with the f-function output;
After a key is set up using the key schedule as previously described, the 721 32-bit subkeys
can be modified through key augmentation steps.
00FF0F0F333355550123456789ABCDEF
using Quadibloc VIII, normally, but during each round retain the ten intermediate results
listed above. After the round is concluded, XOR the ten intermediate results, in the order
given, with ten successive subkeys, starting with subkey K145 in the first round. Thus, the
ten intermediate results from the first round are XORed with subkeys K145 through K154,
the ten intermediate results from the second round are XORed with subkeys K155 through
K164, and so on.
After the block encryption is complete, move the subkeys backwards 160 positions in the list
of subkeys. Thus, the former subkeys K1 through K160 become subkeys K562 through
K721; the former subkeys K161 through K721 become subkeys K1 through K561.
Although five key augmentation steps are required to modify all the subkeys, a single key
augmentation step ensures that subkeys K1 through K144, as well as K721, are among the
160 subkeys modified by being XORed with intermediate results, these subkeys being the
most critical, as they are the ones not contained in a group of four subkeys, any one of which
may be used in a given encipherment.
Quadibloc VIII with one key augmentation step is to be called Quadibloc VIII A1, and with
five key augmentations steps, the other standard number, Quadibloc VIII A5.
With 721 regular subkeys, including the 1024 bytes contained in the two key-dependent S-
boxes S10 and S11, which are the equivalent of 256 additional subkeys, in what is modified
by key augmentation is not, in fact, impractical.
A modified key augmentation step proceeds exactly as a regular key augmentation step,
except that the buffer moved backwards by 160 subkeys now consists of the 721 subkeys K1
through K721 followed by the 256 entries in S-box S10, where each consecutive pair of
entries forms a subkey, the earliest entry being leftmost, followed by the 256 entries in S-box
S11 in the same form.
Seven key augmentation steps are now required to modify all the subkey material now
exposed to change, and this leads to the variant of Quadibloc VIII to be called Quadibloc
VIII M7. (Alternating regular and modified key augmentation rounds is possible; any pattern
of the form aMMaaaaa where M is a modified key augmentation round, and a is either
regular or modified key augmentation, will result in all the subkey material being fully
modified.)
Also, Quadibloc VIII M3 is sufficient to modify the fixed subkeys K1 through K144, the
subkey K721, and all of S10 and S11. (Again, Quadibloc VII A M2 would suffice for this as
well.)
Key Revision
Because modifying the other portions of subkey material is not simple enough to be done
during a process such as key augmentation, a further process of subkey modification is
provided, called key revision. A key revision step, which is optional, may only be performed
immediately following a key augmentation step. The 128-bit output from the block
encipherment performed to provide a key, which is then used as input to a slightly modified
version of the normal initial key generation process for Quadibloc VIII.
The key used as input for the modified key generation process is the following:
● For the first key revision step, the key is the 160-bit quantity consisting of the 128-bit
block cipher output from the immediately preceding key augmentation step, followed
by its first (leftmost) 32 bits repeated, unless the original key was 160 bits long, in
which case the 128-bit block cipher output is used without being lengthened;
● For the second key revision step, the key is the 192-bit quantity consisting of the 128-
bit block cipher output from the immediately preceding key augmentation step,
followed by its first (leftmost) 64 bits repeated, unless the original key was 192 bits
long, in which case the 128-bit block cipher output is used without being lengthened;
● For the third key revision step, the key is the 224-bit quantity consisting of the 128-bit
block cipher output from the immediately preceding key augmentation step, followed
by its first (leftmost) 96 bits repeated, unless the original key was 224 bits long, in
which case the 128-bit block cipher output is used without being lengthened;
● For the fourth key revision step, the key is the 256-bit quantity consisting of two
repetitions of the 128-bit block cipher output from the immediately preceding key
augmentation step, unless the original key was 256 bits long, in which case the 128-bit
block cipher output is used without being lengthened;
● For the fifth key revision step, the key is the 288-bit quantity consisting of two
repetitions of the 128-bit block cipher output from the immediately preceding key
augmentation step, followed by its first (leftmost) 32 bits repeated, unless the original
key was 288 bits long, in which case the 128-bit block cipher output is used without
being lengthened;
and so on. This ensures that, if multiple key revision steps are performed, each key revision
step uses a key which is different in length both from the original key and from the key used
in all other key revision steps.
With this key, the procedure for initial Quadibloc VIII is followed, except for these changes:
Since a value for the S-box S8 now exists, the bytes generated by the subkey byte generator
are additionally subjected to the following encipherment step before being used, and the
bytes being used begin with that corresponding to the third byte of output from the original
subkey byte generator:
For each byte of output from the original subkey byte generator, the preceding two bytes of
output are enciphered using a two-round Feistel cipher which uses S8 as the f-function. First,
a counter, initialized at 1 and incrementing by 1 is is XORed with the eldest byte, the result
being used to index into S8, and the value found in S8 is XORed with the immediately
preceding byte, modifying it. Then, a counter, initialized at 0 and incrementing by 1, except
that the value 255 is skipped, is XORed with the immediately preceding byte, as modified,
and the result is used to index into S8, and the value found in S8 is XORed with the eldest
byte, modifying it.
The current byte is then used to produce the byte to be used in subkey generation as follows:
Thus, the keystream is enciphered in essentially a simple form of CFB mode, except that the
block cipher used is really a stream cipher, since its subkeys are continually changing.
The subkey bytes thus generated are used to modify the existing key schedule, instead of to
replace it, as follows:
● The first 1024 bytes generated are XORed with the contents of S10 and S11.
● A permutation called P is again produced from generator output.
● The next 2884 bytes generated are XORed with the bytes of the 721 32-bit subkeys.
● A permutation called Q is again produced from generator output.
● Six groups of eight bytes are calculated. These are XORed with the raw mask value,
before 4 of 8 coding, left by either the original key schedule or by the previous key
revision step, and then subjected to 4 of 8 coding to provide the six 64-bit mask values
M1 through M6.
● The permutations P and Q are then used to produce the new S8 permutation, S8'(x),
from the previous one, S8(x), such that the following equation is true: S8'(Q(x))=S8(P
(x)). This can be done as follows: for each byte x from 0 to 255, use x as an index into
P; use the result as an index into S8; store the result in the location within S8' found
by using x as an index into Q.
Quadibloc VIII with one key augmentation step, followed by one key revision step, is to be
called Quadibloc VIII A1 R; Quadibloc VIII with seven modified key augmentation steps,
the last of which is followed by a key revision step, is to be called Quadibloc VIII M7 R;
Quadibloc VIII with seven modified key augmentation steps, each of which is followed by a
key revision step, is to be called Quadibloc VIII MR7. Quadibloc VIII with five key
augmentation steps, the last of which is followed by a key revision step, is to be called
Quadibloc VIII A5 R; Quadibloc VIII with five key augmentation steps, each of which is
followed by a key revision step, is to be called Quadibloc VIII AR5.
The key schedule of Quadibloc VIII A1 R should be entirely satisfactory; the more lengthy
variants should not be required for security, although Quadibloc VIII M7 R has, at least, the
argument in its favor that its key schedule tends towards that of Blowfish (which, of course,
however, used only the result of a complete encipherment to modify subkeys, rather than
intermediate results within each round).
Next
Start of Section
Skip to Next Chapter
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]
Design Rationale
Quadibloc VIII was designed to be a strong cipher not only against attacks which are
currently understood, but also to be likely to be resistant against attacks which might be
discovered in the future. It has been designed very conservatively; a full 16 rounds
have been used, despite the fact that each round is considerably more elaborate than a
single round in more conventional block ciphers: thus, its security does not depend on
the merit of the somewhat unconventional measures I have included in the algorithm in
hopes of achieving a very high level of security.
Such things as medical records, or other information related to the personal privacy of
individuals, may be required to remain confidential for 50 or even 100 years. Because
the speed and power of computers has been increasing at a fast pace for some time, it is
very difficult to make a firm prediction of how powerful computers might be at such a
distant time.
Although some fundamental physical limits, as well as physical laws which even limit
the performance of quantum computers, do appear to imply that one can specify a key
size that will leave one's messages forever immune to brute-force searching, it is even
harder to predict what new and surprising discoveries may be made in the field of
mathematics or in cryptanalysis that may allow attacks taking less time than a brute-
force search (trying every possible key).
Hence, I felt that it was justified to attempt to design a cipher which, while remaining
constrained to some extent to operate within limits at least comparable with those of
more conventional designs, was still aimed at providing a very high level of security
without attempting to justify the security aimed at as necessary. As with all the ciphers
in the Quadibloc series, ease of implementation is another important consideration, and
it is execution speed which has taken a back seat.
The most important step taken in the design of Quadibloc VIII to achieve the apparent
potential for very high security was to, in every round, subject the 32-bit quarters of the
block to two different transformations, making it variable which of those two
transformations occurred first. As well, in one of those transformations, whether XOR
or modulo-256 addition is used is variable.
This does create vulnerability to attacks based on monitoring the power consumption of
a device carrying out this algorithm. Simultaneously (in hardware) or in a fixed order
(in software) carrying out both possible operations, the one used and the one not used,
is a measure that could be used to avoid this.
To achieve greater resistance to differential and linear cryptanalysis, key-dependent S-
boxes are used. With the contents of the S-boxes unknown, characteristics cannot be
found for the f-function in the normal manner used for simple differential
cryptanalysis. This increases the amount of memory required to carry out the
algorithm, again limiting its usefulness. The multi-stage nature of the f-function, in
addition to giving this cipher a strong avalanche characteristic, also improves resistance
to differential and linear cryptanalysis.
There are three basic possible ways in which weak keys could occur in the algorithm:
● A key could cause one or more of the four chain addition sequences used to
generate subkey material to have a short period;
● The key-dependent S-box S8, or either of the key-dependent S-boxes S10 and
S11, might, by accident, consist of bytes in an ordering that is, or that
approaches, a linear or affine function of its input;
● The key-dependent boxes S10 and S11 might contain duplicate entries.
But I tend to view the threat from at least the second and third of these as negligible.
With 16 rounds, and an f-function that has not one, but two SP stages based on fixed S-
boxes, as well as the fact that there are two different groups of key-dependent S-boxes,
both of which act on the entire block in every round, it should not be possible for an
attacker to effectively exploit, or detect, a weakness in any one key-dependent S-box
should it occur.
Some of the individual steps in the algorithm can also be further examined:
Algorithmic Variability
In each round, the algorithm can take one of 16 shapes by the interchange of two
transformations applied to the 32-bit quarters of the block. In addition, there are 16
possibilities of using either XOR or bytewise addition in one of those transformations.
These 256 possibilities in each round are the product of four possibilities for the
leftmost quarter of the block, which are key-dependent, and 64 possibilities for the
remaining three quarters of the block, which are data-dependent.
It might be suggested that more of the variability in the algorithm ought to be key-
dependent, since in this way, it could be said that only 2^32 different algorithms are
used, and this number is susceptible to brute-force search, if there were some rapid way
to solve the rest of the cipher.
If one ignores the choice between four subkeys in various portions of the round, and
the extra algorithmic variation caused by switching between addition or XOR, and only
counts the sixteen possibilities in each round, for each of the four quarters of the block,
of doing either of two 32-bit transformations first, then the key-dependent part of that
involves only 2^16 possibilities. While it might be possible to simply ignore them, by
trying an attack based each possibility, as there are 2^48 possibilities for the data-
dependent part of that, it would seem that a conventional differential attack (actually,
that is a misnomer, as other aspects of the design would require some extension to the
original techniques of differential cryptanalysis) would require one to compare known
plaintext-ciphertext pairs where the same one of the 2^48 possible algorithms was used.
Byte Interchange
As noted in the description of the algorithm, after each round of Quadibloc VIII, except
round 16, the 16 bytes of the block are rearranged from being in the order
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
16 8 5 6 12 10 3 1 13 15 7 14 4 2 11 9
This particular rearrangement was carefully designed. It has the following properties:
● It is a cyclic permutation of the numbers from 1 to 16; hence, each byte of the
block will be moved to each of the possible positions during the 16 rounds of
the cipher.
● Each byte continuously alternates between being in the left and the right
quarters of either half. That is, if a byte is in the left quarter of one half in one
round, it will be in the right quarter of either the same half, or the other half, in
the next round.
● The alternation between halves, if only odd numbered rounds or only even
numbered rounds are considered, (or if only rounds where the byte is in the left
quarter of its half, or only rounds where the byte is in the right quarter of its half
are considered, which is equivalent from the preceding property) follows the
pattern R L L R L R R L or a cyclic permutation thereof.
Since the main feature of the cipher is a Feistel round within each half of the block,
parts of the block alternate regularly between being on the left and right sides of the f-
function as in any normal Feistel cipher.
An irregular pattern of alternation between left and right halves of the block is used, so
that for each round, bytes will be brought together in different combinations.
Thus, let us consider byte 5, and where it appears in odd-numbered rounds only, when
it is on the right quarter in its half, and thus on the recieving end of the f-function. Let
us depict, with the bytes identified by their positions in round 1, the input and output of
the f-function, but rotating both by corresponding amounts so that byte 5 appears first
on the right quarter, so we see what it looks like from the viewpoint of byte 5.
While this only brings the bytes together in four distinct possible configurations,
although in different orders in each of the two times, that is still about as irregular as is
possible given that the only device available in this uniform and consistent permutation
between rounds to bring different bytes together is dispatching them to the other half of
the block for differing periods of time.
These are the positions of the bytes in the 16 rounds of Quadibloc VIII:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
16 8 5 6 12 10 3 1 13 15 7 14 4 2 11 9
9 1 12 10 14 15 5 16 4 11 3 2 6 8 7 13
13 16 14 15 2 11 12 9 6 7 5 8 10 1 3 4
4 9 2 11 8 7 14 13 10 3 12 1 15 16 5 6
6 13 8 7 1 3 2 4 15 5 14 16 11 9 12 10
10 4 1 3 16 5 8 6 11 12 2 9 7 13 14 15
15 6 16 5 9 12 1 10 7 14 8 13 3 4 2 11
11 10 9 12 13 14 16 15 3 2 1 4 5 6 8 7
7 15 13 14 4 2 9 11 5 8 16 6 12 10 1 3
3 11 4 2 6 8 13 7 12 1 9 10 14 15 16 5
5 7 6 8 10 1 4 3 14 16 13 15 2 11 9 12
12 3 10 1 15 16 6 5 2 9 4 11 8 7 13 14
14 5 15 16 11 9 10 12 8 13 6 7 1 3 4 2
2 12 11 9 7 13 15 14 1 4 10 3 16 5 6 8
8 14 7 13 3 4 11 2 16 6 15 5 9 12 10 1
But does this provide blanket protection against differential and linear cryptanalysis?
No, I cannot claim that. But because differential and linear cryptanalysis attacks are
often only small improvements on brute-force cryptanalysis, even making them only
slightly more difficult is worthwhile.
The example given in David Kahn's book The Codebreakers of an amateur cipher that
might be wrongly claimed unbreakable may indicate the danger here: it was a form of
fractionation, where letters were translated to pairs of digits from 1 to 5 by a Polybius
square, and then back to letters after a single digit of padding is added to the beginning.
It might be thought impregnable, because nothing is left for the cryptanalyst to grasp.
Yet, a Playfair cipher in its most common case consists of switching the column
coordinates of a pair of letters, so it can be seen that this cipher is actually similar in
difficulty.
If we consider a block cipher with a strong differential characteristic, and then precede
and follow it by ICE-style bit swaps, but without the small-scale Feistel rounds also
used in Quadibloc VIII, a differential cryptanalysis attack can still be mounted.
If blocks that are identical, except for bit 21 being inverted, on input lead to a particular
difference between output blocks that is more likely, then with bit swaps before and
after, simply use pairs of blocks that differ only in one bit, but with all possible bits that
could be swapped to position 21. The output result would also be jumbled, but the fact
that a difference between pairs of output blocks would be the same, even if its shape
could not be predicted, would show that the fact about the key indicated by the
characteristic was likely to be true.
And, of course, the way in which the characteristic was jumbled would give
information about the swap used, which gives additional information about the subkeys.
After the first bit swap and mini-Feistel layer, the 16 bytes of the block can be thought
of as divided into the following eight independent groups:
1 1 2 2 3 3 4 4 5 5 6 6 7 7 8 8
After the second bit swap and mini-Feistel layer, the number of groups decreases to
four:
1 1 2 2 3 3 4 4 1 1 2 2 3 3 4 4
1 1 2 2 1 1 2 2 1 1 2 2 1 1 2 2
so two groups of 64 bits go through this phase without in any way affecting each other.
Since the normal rounds deal with the block in four quarters, the last two bit swaps are
sufficient to place an input bit in any part of the normal round; the first bit swap creates
a corresponding uncertainty for the mini-Feistel rounds in the mixing and whitening
phase itself.
Because I aimed at a high level of security for Quadibloc VIII, I tried to ensure that the
key schedule was strong. Yet, I still wanted to keep the process of key generation
relatively simple.
Thus, from the key, I first produced initial values for four simple shift registers of
different lengths. Although there is no guarantee that chain addition will produce a
maximal period, the amount of subkey material to be generated, while large, is still
limited.
As can be seen from the description of the key schedule, measures were taken to ensure
that even with an all-zero key, no shift register would start out with all-zero contents,
or contents uniform in other ways.
However, the key augmentation and key revision phases were added to provide a key
schedule that should be completely safe.
Next
Start of Section
Skip to Next Chapter
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]
Quadibloc IX
Quadibloc IX is a block cipher that obtains its security through the principle of indirection. It has only four
rounds. However, each round involves performing a form of the basic Quadibloc f-function ten times. Hence, the
f-function is represented in a schematic form:
a box, bearing on it the numbers of the two S-boxes used within it, from the standard Quadibloc set (note that
they are used so to avoid a symmetry involving rotating each 32-bit subblock by an integer number of bytes), has
an input and an output, and in addition, three subkeys as input, and two intermediate results as output. Note also
that the key-dependent S-box is noted here as S9, since the first eight of the standard Quadibloc S-boxes are used.
This compact schematic notation allows the Quadibloc IX round to be illustrated in a compact fashion:
❍ as shown in a light blue color in the diagram above, so that the principal part of the round is more
clearly visible, additional intermediate results from the encipherment which produced that
encipherment's subkeys as well as intermediate results from the previous encipherment, combined
by XOR;
❍ one of two fixed subkeys.
After each round except the last, the 64-bit halves of the block are swapped.
Since each round contains two Feistel rounds for each half of the block, four such rounds involve only eight
Feistel rounds, but the F-function is of the SPSPS type instead of the SP type.
The number of rounds, therefore, might be barely enough to provide a degree of security even without
considering the cipher's main feature. Because the intermediate results from the left half are first enciphered, and
then used as subkeys for encipherment, it is difficult to work backwards from known plaintext and ciphertext for
a single round to determine the subkeys for the round. The use of a key-dependent S-box further frustrates
differential cryptanalysis and related techniques.
The key material used in this cipher consists of 88 subkeys, each 32 bits long, and one S-box containing the 256
bytes from 0 to 255 in a scrambled order.
In the detailed description of the cipher which follows, should there be any appearance of ambibuity, please
remember that I consistently use big-endian conventions; that is, the most significant bit or byte of a word is
always the first one, the leftmost one, and the one with the lowest number.
The f-function
● First, the 32-bit input is XORed with the first 32-bit subkey.
● Then, the first three bytes of the result are replaced by their equivalents in the first of the two S-boxes
selected for this f-function from among those described in the section Euler's Constant and the Quadibloc
S-Boxes which, for this cipher, may be either S-box 1, 3, 5, or 7, and the fourth byte of the result is
replaced by its equivalent in the subsequent S-box from that selection.
● Then, the bits of the result of the substitution are transposed, from the order 1, 2, 3,... 32 to the order
1 2 27 28 21 22 15 16
9 10 3 4 29 30 23 24
17 18 11 12 5 6 31 32
25 26 19 20 13 14 7 8
● The current value constitutes the first intermediate result generated by the f-function.
● Now, the 32-bit value is XORed with the second 32-bit subkey.
● The four bytes of the result are replaced by their equivalents in the S-boxes used before, but this time only
the first byte is replaced by its equivalent in the first of those S-boxes, and the last three bytes are replaced
by their equivalents in the second S-box.
● The bits undergo the same transposition as before.
● The current result is now the second intermediate result availible from this f-function.
● The 32-bit value is now XORed with the third 32-bit subkey used with this f-function.
● The four bytes of the result are replaced by their equivalents in the key-dependent S-box, which for
Quadibloc IX is designated S-box 9.
● The result is now the output from the f-function.
● The first quarter of the block is used as input to an f-function using S-boxes 1 and 2, with subkeys which
are subkeys 1, 5, and 9 in the first round, and which increase in number by 1 in each subsequent round (as
do all subkeys used in a round of Quadibloc IX). The two intermediate results produced shall be
designated D and C. The output of the f-function is XORed to the second quarter of the block,
permanently modifying it.
● The second quarter of the block is used as input to an f-function using S-boxes 1 and 2, with subkeys
which are subkeys 13, 17, and 21 in the first round, and so on. The two intermediate results produced
shall be designated B and A. The output of the f-function is XORed to the first quarter of the block,
permanently modifying it.
● Intermediate results B and C shall form one 64-bit block, and intermediate results D and A shall form a
second 64-bit block, each of which shall be enciphered by means of two Feistel rounds, proceeding as
follows:
❍ B is used as input to an f-function using S-boxes 3 and 4, with subkeys 37, 41, and 45 in the first
round. The two intermediate results produced will be designated E and U. The output of the f-
function is XORed to C, permanently modifying it.
❍ C is used as input to an f-function using S-boxes 3 and 4, with subkeys 61, 65, and 69 in the first
round. The two intermediate results produced will be designated G and W. The output of the f-
function is XORed to B, permanently modifying it.
❍ The following two Feistel rounds proceed independently from the two previously described.
❍ D is used as input to an f-function using S-boxes 3 and 4, with subkeys 25, 29, and 33 in the first
round. The two intermediate results produced will be designated F and V. The output of the f-
function is XORed to A, permanently modifying it.
❍ A is used as input to an f-function using S-boxes 3 and 4, with subkeys 49, 53, and 57 in the first
round. The two intermediate results produced will be designated H and X. The output of the f-
function is XORed to D, permanently modifying it.
● Two subkeys, subkeys 73 and 77 in the first round, shall form one 64-bit block, and this block will be
enciphered by means of two Feistel rounds, as follows:
❍ The left half of the block formed by the two subkeys shall be used as input to an f-function using S-
boxes 5 and 6. The subkeys used as input to this f-function shall be, in order:
■ A, as modified by the preceding step in which A, B, C, and D were enciphered;
❍ The two intermediate results produced will be designated P and R. The output of the f-function
will be XORed to the right half of the block formed by the two subkeys, permanently modifying it.
(That is, the right half of the block is permanently modified for the remainder of the round
computation in which it is used. The subkey itself is not modified for subsequent encipherments, as
this is a block cipher, containing no state which is preserved between encipherments, other than
that which is wholly dependent on the key alone.)
❍ The right half of the block formed by the two subkeys shall be used as input to an f-function using
S-boxes 5 and 6. The subkeys used as input to this f-function shall be, in order:
■ D, as modified by the preceding step;
❍ The two intermediate results produced will be designated Q and S. The output of the f-function
will be XORed to the left half of the block formed by the two subkeys, permanently modifying it.
● The third quarter of the block is used as input to an f-function using S-boxes 7 and 8. The subkeys used as
input to this f-function shall be, in order:
❍ The right half of the block formed from subkeys 73 and 77 as enciphered by the preceding step;
❍ The XOR of the following four intermediate results from the preceding step and the step which
preceded it: X, U, P, S.
● The intermediate results are not used. The output of the f-function is XORed to the fourth quarter of the
block, permanently modifying it.
● The fourth quarter of the block is used as input to an f-function using S-boxes 7 and 8. The subkeys used
as input to this f-function shall be, in order:
❍ The left half of the block formed from subkeys 73 and 77 as enciphered by the preceding step;
❍ The XOR of the following four intermediate results from the preceding step and the step which
preceded it: W, V, Q, R.
● The intermediate results are not used. The output of the f-function is XORed to the third quarter of the
block, permanently modifying it.
After each round, the halves of the block, the first half being composed of the first and second 32-bit quarters of
the block, and the second half being composed of the third and fourth 32-bit quarters of the block, are swapped.
As noted, this block cipher uses 88 subkeys, each one 32 bits long, numbered from 1 to 88, and one 256-byte key
dependent S-box designated S9.
If the length of the key is a multiple of 32 bits in length, then let that multiple be N, where the key is 4*N bytes
in length. In that case, the first string shall be 14*N-1 bytes in length, and the second string shall be 14*N+1
bytes in length.
If the length of the key is an odd multiple of 16 bits in length, then let that multiple be M, where the key is 2*M
bytes in length. In that case, the first string shall be 7*M-2 bytes in length, and the second string will be 7*M
bytes in length.
In other words, the second string shall be initially three and one half times as long as the key, and the first string
shall be initially one byte shorter than the second string, and if the number of bytes in the first string is even, it
shall be shortened by one byte, but if instead the number of bytes in the second string is even, it shall be
lengthened by one byte.
The first string shall be filled with repetitions of the following material, up to its length: the key itself, followed
by a single byte containing the one's complement of the XOR of all the bytes of the key together.
The second string shall be filled with repetitions of the following material, up to its length: the one's complement
of the key, followed by the bytes of the key in reverse order.
The 88 subkeys, each one four bytes in length, shall be formed in order, one byte at a time, starting with the most
significant and leftmost byte of the first subkey.
Each string will be called upon to produce output bytes by the process of chain addition. A chain addition step
consists of calculating the sum, modulo 256, of the last two bytes in the string. This sum shall be the output byte
from the step. The string will then be modified as follows: the last byte of the string shall be removed, and the
output byte shall be appended to the string before the first byte, with the result that the bytes in the string shall
advance one position.
Each string has associated with it a 256-byte buffer. Before beginning to generate subkey material, each string
shall generate 256 bytes, and these bytes will be placed in the cells of this buffer, beginning with cell 0 and
ending with cell 255.
An additional 256 bytes of subkey material shall be generated after all the required subkeys are generated. This
subkey material, along with the buffers associated with the two strings, shall be used to generate the key-
dependent S-box S9 as follows:
● Let the extra 256 bytes of subkey material be kept in an array designated P, and the 256-byte buffers
associated with the first and second strings be designated Q and R respectively. In addition, initialize a
256-byte buffer S with zeroes. A buffer designated T will also be used, which may contain the value -1 in
its cells in addition to the numbers from 0 to 255. As well, there will be two buffers of unsigned 16-bit
quantities, called QQ and RR.
● For each number from 0 to 255 in order, called c (for counter): consider the element of P indicated by that
number, and call it x; that is, set x to be P(c). If S(x) is zero, set S(x) to be 1, and set T(c) to be x. If S(x) is
not zero, set T(c) to be -1.
● Count the elements of S that are equal to zero. If none are, then skip the next step. If one is, then exactly
one element of T(c) will be -1; set that element to the index of the zero element of S, and skip the next
step. Otherwise, continue.
● Scan the arrays S and T from beginning to end, independently. Look for zero elements in S, and the value -
1 in T. When one of these is found in one array, wait for the corresponding item in the other array. Then
replace the value -1 in T by the index of the zero element in S. Once this step is complete, the array T will
contain one copy of every value from 0 to 255.
● Fill the array QQ with 16-bit quantities consisting of the element of the array Q at the same index times
256, plus the index. Fill the array RR with 16-bit quantities consisting of the element R at the same index
times 256, plus the index.
● Sort arrays QQ and RR.
● AND each element of QQ and RR with 255, masking out all but the least significant byte of each element.
● For each number from 0 to 255 in order, called c, perform the following calculation: set element RR(c) of
P to element QQ(c) of T; that is, P(RR(c))=T(QQ(c)).
● The contents of array P are to be used as S-box S9.
Decipherment
To decipher a block encrypted in Quadibloc IX, it is necessary to modify the round, as well as to perform the
four rounds in reverse order. The modified round for decryption involves performing the two Feistel rounds
acting on the first and second quarters of the block, and the two Feistel rounds acting on the third and fourth
quarters of the block, in reverse order in each case, while retaining all designations of subkeys used and
intermediate values output.
[Next] [Up] [Previous] [Index]
Next
Start of Section
Skip to Next Section
Skip to Next Chapter
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]
Quadibloc X
The block cipher Quadibloc X operates on a 128-bit block divided into four 32-bit subblocks. All four subblocks
are modified in each round, and three different types of cipher step are used to modify the various subblocks.
The leftmost subblock is modified directly in one piece, using a method somewhat reminiscent of SAFER. Two
subrounds of this method are applied to it during each round of Quadibloc X. The intermediate value of that
subblock between the two subrounds is used as a master nonlinear control input for the cipher steps applied to
the remaining subblocks. Because the number of these rounds is even, an interchange of the two middle bytes of
the subblock in a round does not interfere with the swap of 16-bit subblock segments between Quadibloc X
rounds.
The two middle subblocks are modified by means of Feistel rounds using the Quadibloc f-function. Three Feistel
rounds are applied. Because the number of these rounds is odd, the swap of 16-bit subblock segments between
Quadibloc X rounds is simplified, since each Quadibloc X round can be treated as a single Feistel round.
The rightmost subblock is modified through both XOR and addition of intermediate results of the Feistel rounds
applied to the middle two subblocks. Between each application of an intermediate result, a substitution is
performed of a type that leads to this modification of the subblock approximating decorellation. Four
intermediate results are used, and the operations are, in order, XOR, bytewise addition modulo 256, bytewise
addition modulo 256, and XOR.
Between each pair of Quadibloc X rounds, the 128-bit block is considered to be divided into eight 16-bit
subblock segments, and these are permuted from the order
1 2 3 4 5 6 7 8
to the order
7 4 1 6 3 8 5 2
so that the left halves of each subblock move to the next rightmost subblock between rounds, and the right halves
of each subblock move to the next leftmost subblock between rounds.
The subround applied to the leftmost subblock twice in a Quadibloc X round is illustrated below:
● First, in the modification step, the subblock is XORed with a 32-bit subkey.
● Then, in a substitution step, the bytes of the subblock are replaced with their equivalents in either S-box
S5 from the set generated from Euler's constant and used with other Quadibloc ciphers or S-box S10, to
be described in the section concerning the transformation applied to the rightmost subblock, and chosen to
produce decorrelation. The S-boxes are used in the order S5, S10, S5, S10.
● Third, in another modification step, the individual bytes of another 32-bit subkey are added to the
individual bytes of the subblock modulo 256.
● Then, the four bytes of the block operate on each other in the unification step.
❍ First, each two bytes enter into two mini-Feistel rounds, using the key-dependent S-box S8 as the f-
function. The left byte is used as the index into S8, and the result is added to the right byte modulo
256. Then, the right byte is used as the index into S8, and the result is XORed with the left byte.
❍ Then, of the four bytes, the two middle ones are swapped.
❍ Third, each pair of bytes again goes through two mini-Feistel rounds; this time, the operations used
Two such subrounds are performed on the leftmost subblock in each round of Quadibloc X, and the value of the
leftmost subblock between those two subrounds is used as the nonlinear control word for the remaining part of
the round.
The Feistel subround which operates on the central two 32-bit subblocks of the 128-bit block is illustrated below.
On the left is shown one byte from the 32-bit nonlinear control word derived from the encipherment of the
leftmost subblock. For the three Feistel subrounds performed in a Quadibloc X rounds, the first, second, and
third bytes, from the left of that word, are used for the three rounds in order.
The Feistel round is then completed when the F-function output is XORed with the third subblock.
Of the three subrounds performed, the the first intermediate result of each round will be known as IR5, IR6, and
IR7, respectively, and the second intermediate result of each round will be known as IR1, IR2, and IR3,
respectively. These intermediate results will be used in the modification of the rightmost subblock.
After the first two of the three Feistel subrounds performed in a Quadibloc X round, the second and third
subblocks of the 128-bit block will be swapped, these being the right and left halves of the block on which those
Feistel subrounds operate.
Four quantities, derived from the intermediate results produced from the three Feistel rounds applied to the
middle two subblocks, are applied to the rightmost subblock.
The assignment of intermediate results from the Feistel rounds to the four inputs to this modification step is
determined by the last four bits of the last byte of the nonlinear control word according to the following table,
which uses 16 of the 24 possible arrangements, when each intermediate result is only used once, and IR4B,
created by addition, is always used as input to an XOR step, and IR4A, created by XOR, is always used as input
to an additon step:
The S-boxes S10, S11, S6, and S7 used in this step are ones specifically designed to produce decorrelation. Since
only addition modulo 256 is used, the decorellation is only approximate.
The S-box S11 contains successive powers of 3, under Galois Field multiplication using the polynomial x^8 +
x^6 + x^5 + x^3 + 1 (cancellation binary string 101101001) as used with Twofish, except that the last entry in
the S-box is 0. The S-box S10 is the inverse of an S-box containing successive powers of 3, under Galois Field
multiplication using the polynomial x^8 + x^4 + x^3 + x + 1 (cancellation binary string 100011011) as used with
Rijndael, except that the last entry in the S-box being inverted is 0.
Thus, these S-boxes (and their inverses, as required for deciphering) are as follows:
S-box S11:
1 3 5 15 17 51 85 255
104 184 161 138 247 112 144 217
2 6 10 30 34 102 170 151
208 25 43 125 135 224 73 219
4 12 20 60 68 204 61 71
201 50 86 250 103 169 146 223
8 24 40 120 136 241 122 142
251 100 172 157 206 59 77 215
16 48 80 240 121 139 244 117
159 200 49 83 245 118 154 199
32 96 160 137 242 127 129 234
87 249 98 166 131 236 93 231
64 192 41 123 141 254 107 189
174 155 196 37 111 177 186 167
128 233 82 246 115 149 214 19
53 95 225 74 222 11 29 39
105 187 164 133 230 67 197 38
106 190 171 148 213 22 58 78
210 31 33 99 165 134 227 76
212 21 63 65 195 44 116 156
205 62 66 198 35 101 175 152
193 42 126 130 239 88 232 81
243 124 132 229 70 202 55 89
235 84 252 109 183 176 185 162
143 248 97 163 140 253 110 178
191 168 145 218 7 9 27 45
119 153 194 47 113 147 220 13
23 57 75 221 14 18 54 90
238 91 237 94 226 79 209 26
46 114 150 211 28 36 108 180
181 182 179 188 173 158 203 52
92 228 69 207 56 72 216 0
S-box S10:
255 0 25 1 50 2 26 198
75 199 27 104 51 238 223 3
100 4 224 14 52 141 129 239
76 113 8 200 248 105 28 193
125 194 29 181 249 185 39 106
77 228 166 114 154 201 9 120
101 47 138 5 33 15 225 36
18 240 130 69 53 147 218 142
150 143 219 189 54 208 206 148
19 92 210 241 64 70 131 56
102 221 253 48 191 6 139 98
179 37 226 152 34 136 145 16
126 110 72 195 163 182 30 66
58 107 40 84 250 133 61 186
43 121 10 21 155 159 94 202
78 212 172 229 243 115 167 87
175 88 168 80 244 234 214 116
79 174 233 213 231 230 173 232
44 215 117 122 235 22 11 245
89 203 95 176 156 169 81 160
127 12 246 111 23 196 73 236
216 67 31 45 164 118 123 183
204 187 62 90 251 96 177 134
59 82 161 108 170 85 41 157
151 178 135 144 97 190 220 252
188 149 207 205 55 63 91 209
83 57 132 60 65 162 109 71
20 42 158 93 86 242 211 171
68 17 146 217 35 32 46 137
180 124 184 38 119 153 227 165
103 74 237 222 197 49 254 24
13 99 140 128 192 247 112 7
The S-box S6 contains successive powers of 19 in multiplication modulo 257, except that 256, when it occurs, is
replaced with zero, and the S-box S7 is the inverse of S6. Hence, the contents of these S-boxes are as follows:
S-box S6:
1 19 104 177 22 161 232 39
227 201 221 87 111 53 236 115
129 138 52 217 11 209 116 148
242 229 239 172 184 155 118 186
193 69 26 237 134 233 58 74
121 243 248 86 92 206 59 93
225 163 13 247 67 245 29 37
189 250 124 43 46 103 158 175
241 210 135 252 162 251 143 147
223 125 62 150 23 180 79 216
249 105 196 126 81 254 200 202
240 191 31 75 140 90 168 108
253 181 98 63 169 127 100 101
120 224 144 166 70 45 84 54
255 219 49 160 213 192 50 179
60 112 72 83 35 151 42 27
0 238 153 80 235 96 25 218
30 56 36 170 146 204 21 142
128 119 205 40 246 48 141 109
15 28 18 85 73 102 139 71
64 188 231 20 123 24 199 183
136 14 9 171 165 51 198 164
32 94 244 10 190 12 228 220
68 7 133 214 211 154 99 82
16 47 122 5 95 6 114 110
34 132 195 107 234 77 178 41
8 152 61 131 176 3 57 55
17 66 226 182 117 167 89 149
4 76 159 194 88 130 157 156
137 33 113 91 187 212 173 203
2 38 208 97 44 65 207 78
197 145 185 174 222 106 215 230
S-box S7:
128 0 240 213 224 195 197 185
208 170 179 20 181 50 169 152
192 216 154 1 163 142 4 76
165 134 34 127 153 54 136 90
176 233 200 124 138 55 241 7
147 207 126 59 244 109 60 193
149 114 118 173 18 13 111 215
137 214 38 46 120 210 74 99
160 245 217 52 184 33 108 159
122 156 39 91 225 205 247 78
131 84 191 123 110 155 43 11
228 222 93 235 44 47 177 196
133 243 98 190 102 103 157 61
2 81 253 203 95 151 199 12
121 234 198 15 22 220 30 145
104 40 194 164 58 73 83 101
144 16 229 211 201 186 36 66
168 232 17 158 92 150 143 70
106 249 140 71 23 223 75 125
209 130 189 29 231 230 62 226
115 5 68 49 175 172 107 221
94 100 139 171 27 238 251 63
212 3 206 119 77 97 219 167
28 250 31 236 161 56 180 89
117 32 227 202 82 248 174 166
86 9 87 239 141 146 45 246
242 21 65 188 237 116 187 254
79 19 135 113 183 10 252 72
105 48 218 8 182 25 255 162
6 37 204 132 14 35 129 26
88 64 24 41 178 53 148 51
42 80 57 69 67 96 85 112
1 2 3 4 5 6 7 8
to the order
7 4 1 6 3 8 5 2
Normally, ar least 8 rounds of Quadibloc X are used for encryption. Ideally, 12 or 16 rounds would be preferable.
32 rounds allow the four bits per round that alter the algorithm fundamentally (by changing the order in which
the intermediate results of the three Feistel rounds are applied decorellatively to the fourth subblock) to total to
128 bits, thus the algorithm can no longer be brute-force searched; this allows Quadibloc X to realize its full
potential.
One round is definitely insecure, since the first 32-bit subblock is essentially subjected to a block cipher with a
32-bit block size. Two rounds are already an interesting problem for the cryptanalyst, and four rounds might
possibly be secure, but cannot be recommended.
Quadibloc X uses the following key material: 17 subkeys, each 32 bits long, per round, and one key-dependent S-
box, S8, containing the bytes from 0 to 255 in a shuffled order. The subkeys used by the first round are K1
through K17, as shown in the diagram, and those used by the second round are K18 through K34, and so on.
Initialization
Three strings of bytes of different length are produced from the key.
The first string consists of the key, followed by one byte containing the one's complement of the XOR of all the
bytes of the key.
The second string consists of the one's complements of the bytes of the key in reverse order, with three bytes
appended containing the following three quantities:
● The sum, modulo 255, of the bytes of the key, incremented by one by normal addition. (Thus, this
produces a number from 1 to 255.)
● The XOR of all the bytes at odd numbered positions in the key, where the first byte in the key is
considered to be byte 1, and odd.
● The one's complement of the XOR of all the bytes at even numbered positions in the key.
The third string consists of alternating bytes, taken from the bytes of the key in reverse order, and then from the
bytes of the one's complement of the key, and then that string is followed by the one's complements of the first
four bytes of the key.
128 64 32 16 8 4 2 1 1 2 3 4 5 6 7 8
First string:
128 64 32 16 8 4 2 1
1 2 3 4 5 6 7 8
8
Second string:
247 248 249 250 251 252 253 254
254 253 251 247 239 223 191 127
37 170 93
Third string:
8 127 7 191 6 223 5 239
4 247 3 251 2 253 1 254
1 254 2 253 4 252 8 251
16 250 32 249 64 248 128 247
127 191 223 239
Given that the length of the key is 4n, the lengths of the three strings are 4n+1, 4n+3, and 8n+4, and hence all
three are relatively prime, since both 4n+1 and 4n+3 are odd, and 8n+4 is two times 4n+2.
Two buffers are filled by generating bytes from the first and second strings by chain addition.
The sum, modulo 256, of the last two bytes in the string is calculated. This sum is the output of the chain
addition step. Also, the last byte of the string is removed, and the sum is appended to the beginning of the string.
Both buffers contain 256 bytes. The first buffer, called buffer A, is filled with 256 successive bytes generated
from the second string by chain addition. The second buffer, called buffer B, is filled with 256 successive bytes
generated from the first string by chain addition.
Once the setup is complete, subkey material is generated one byte at a time, the first byte generated being the
leftmost byte of subkey K1, and so on.
Note that this procedure, since it exercises the two strings used to select bytes, rather than the string used to
generate values, results in a small change in the key resulting in large changes in the subkeys from the very
beginning.
Permutation Generation
Once all the required 32-bit subkey words are generated, the key-dependent S-box S8 must be generated. This is
done as follows:
● 256 bytes are generated following the same procedure as for subkey byte generation, and these bytes are
placed in a 256-byte buffer called buffer C.
● A 256-byte buffer called buffer D is filled with the numbers from 0 to 255 in order.
● For every i from 0 to 255, if element i of buffer C (hereinafter called C(i)) is not equal to i, swap elements
i and C(i) of buffer D.
● For every i from 0 to 255, if B(i) is not equal to i, swap elements i and B(i) of buffer D.
● For every i from 0 to 255, if A(i) is not equal to i, swap elements i and A(i) of buffer D.
The resulting contents of buffer D are used as S-box S8. Note that this is a much more straightforwards
procedure than used previously to produce S8 in other ciphers in this series.
With the complexity of the Quadibloc X round, its two kinds of subkeys, and the lack of unused intermediate
values, it would be difficult to propose a key augmentation procedure for this cipher as used with some other
block ciphers in the Quadibloc series. Instead, a different method of providing an improved key schedule, which
makes use of the existing logic of Quadibloc X encipherment, is proposed.
Two keys are required, a primary key and a secondary key. The primary key is used to create a key schedule,
including a key-dependent S-box S8, for single-round Quadibloc X encipherment. Then, using buffers A and B
as they stand (generating S8 does not change them), additional key bytes are generated by the same process as
used for the subkeys to produce two more values: a 96-bit seed value, and a 96-bit initial counter value.
Then the secondary key is used to generate the bytes to be used in the key schedule for the actual Quadibloc X
encipherment desired. However, after each four bytes are generated, they are enciphered in an unusual stream
cipher mode of single-round Quadibloc X, as illustrated below.
The first four bytes are enciphered as follows:
The 128 bit value composed of the 96-bit seed value and the 32-bit group of four bytes generated by the
MacLaren-Marsaglia-based technique used for subkey generation are encrypted in single-round Quadibloc X,
using the key schedule derived from the primary key.
The rightmost 32 bits of the result are the encrypted four keystream bytes.
Successive groups of four bytes are encrypted by following these additional steps:
The first 96 bits of the result are divided into six 16-bit subblock halves, and they are permuted from:
1 2 3 4 5 6
to:
5 4 1 6 3 2
After being permuted, the counter value is added to them, and the result of that addition will be used as the new
seed value for input along with the next 32 bits to be encrypted.
Note that when the final step of creating the key-dependent S-box S8 is taken, the contents of buffer C, being
ordinary output, will have gone through this encryption step, but the contents of buffers A and B will not have.
Deciphering
In deciphering, it is necessary to replace S-boxes S10, S11, and S5 by their inverses, switch addition and
subtraction modulo 256 as appropriate, and perform the steps within the round in reverse order as appropriate,
leaving steps within f-functions unaffected.
Next
Start of Section
Skip to Next Chapter
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]
Although some branches of the Government of the United States, including its Chief
Executive, have been pursuing policies such as export restrictions and the "Clipper
chip" initiative, based on perceived dangers of the spread of strong encryption, the
National Institute of Standards and Technology, another branch of the U. S.
Government, has sought public submissions of an improved block cipher which would
serve the specific purpose of protecting the unclassified communications of the U. S.
Government, but which would also, no doubt, serve the public sector as well.
The block cipher that is accepted will be called the AES, for Advanced Encryption
Standard.
An idea that might occur upon first hearing about the AES effort: could a simple
construction like the following, operating at speeds only slightly slower than those of
single DES, provide adequate strength:
|
XOR <---
_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _
|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|
| |
|-------------> +
+ <-------------|
| |
----------- -----------
| DES | | DES |
----------- -----------
| |
|-------------> +
+ <-------------|
| |
_ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _
|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|
|
XOR <---
|
Also, it should be noted that this illustration of how DES could be used as the basis of a
128-bit block cipher is not terribly original with me; whitening has been proposed
many times before, and the use of some sort of mixing before and after using DES to
increase the block size is part of Terry Ritter's Fenced DES design.
This design is not perfect: since the expression for one of the outputs of a PHT has a
factor of two in it, one can, using chosen plaintexts where only the least significant
byte of one particular half is varied, uncover some facts about the S-boxes used, for
example. This, among other weaknesses, was noted by Bryan G. Olson. Since keeping
one block the same still changes the complete output, because the other DES
encipherment is different, not 256 chosen plaintexts, but a larger number, are required,
but an attack is still possible.
All the AES candidate algorithms have been disclosed. I have written up descriptions
of some of them in my own words, with diagrams, that may be helpful to some in
understanding the algorithms. In some cases, my descriptions are not complete; for
example, in several cases I omit a description of the key schedule. It may also be noted
that links to the descriptions of the algorithms are available at the Block Cipher Lounge
as well as at the official AES site.
Since this page was originally developed, on August 9, 1999, five algorithms were
announced as those chosen for consideration in Round 2 of the AES selection process.
All five of those algorithms are among those described here, and they are indicated in
the list below:
Next
Chapter Start
Skip to Next Section
Skip to Next Chapter
Table of Contents
Main Page
[Next] [Up/Previous] [Index]
The Rounds
Note that 63 in hexadecimal is 3 plus 6*16, or 36+60 or 96, and that is 99, as begins the table.
Next is the Shift Row step. Considering the block to be made up of bytes 1 to 16, these bytes are
arranged in a rectangle, and shifted as follows:
from to
1 5 9 13 1 5 9 13
2 6 10 14 6 10 14 2
3 7 11 15 11 15 3 7
4 8 12 16 16 4 8 12
Blocks that are 192 and 256 bits long are shifted like this:
from to
1 5 9 13 17 21 1 5 9 13 17 21
2 6 10 14 18 22 6 10 14 18 22 2
3 7 11 15 19 23 11 15 19 23 3 7
4 8 12 16 20 24 16 20 24 4 8 12
and
from to
1 5 9 13 17 21 25 29 1 5 9 13 17 21 25 29
2 6 10 14 18 22 26 30 6 10 14 18 22 26 30 2
3 7 11 15 19 23 27 31 15 19 23 27 31 3 7 11
4 8 12 16 20 24 28 32 20 24 28 32 4 8 12 16
Note that in the 256 bit case, the rows are shifted 1, 3, and 4 places to the left, instead of 1, 2, and 3
places as for the other two block sizes.
Next comes the Mix Column step. Matrix multiplication is performed: each column, in the arrangement
we have seen above, is multiplied by the matrix:
2 3 1 1
1 2 3 1
1 1 2 3
3 1 1 2
However, this multiplication is done over GF(2^8). This means that the bytes being multiplied are treated
as polynomials rather than numbers. Thus, a byte "muliplied" by 3 is that byte XORed with that byte
shifted one bit left.
If the result has more than 8 bits, the extra bits are not simply discarded: instead, they're cancelled out by
XORing the binary 9-bit string 100011011 with the result (shifted right if necessary). This string stands
for the generating polynomial of the particular version of GF(2^8) used; a similar technique is used in
cyclic redundancy checks.
The final step is Add Round Key. This simply XORs in the subkey for the current round.
Although a three-dimensional color diagram of the round has already appeared at the beginning of the
page, the Rijndael round can also be illustrated in a more conventional manner:
The extra final round omits the Mix Column step, but is otherwise the same as a regular round.
ARK
BSB
SR
MC
ARK
BSB
SR
MC
ARK
...
BSB
SR
MC
ARK
BSB
SR
ARK
Because it begins and ends with an ARK (Add Round Key) step, there is no wasted unkeyed step at the
beginning or end. The sequence of operations is important for facilitating decipherment, as well.
Although the sequence is not symmetrical, the order of some of the steps in Rijndael could be changed
without affecting the cipher. The Byte Sub step could just as easily be done after the Shift Row step as
before it.
That would change
to
If, on the other hand, we reversed the original sequence, we would get
Although these look similar, except for the different positions of the spaces, which just mark what are
termed "rounds" in the algorithm, wherever the sequence "MA" appears in the modified, but equivalent,
algorithm, the sequence "AM" appears in the reverse sequence, required for decryption.
Of course, the steps also need to be reversed as well: ARK is an XOR, so that is its own inverse, but the
matrix in the Mix Column step needs to be replaced with its inverse, and the S-box in the Byte Sub step
needs to be replaced with its inverse for decryption as well.
What about the switch between "MA" and "AM", though? Do we need to change the order of operations
for decryption?
No; with matrix multiplication, the distributive property also applies, so the round keys involved in such
a reversal merely need to be multiplied by the (inverse) Mix Column matrix, and then they can be
XORed in at the same time (of course, in reverse order) as was used for encryption. (XOR corresponds to
addition in GF(2^8), which is where the multiplications are performed.)
14 11 13 9
9 14 11 13
13 9 14 11
11 13 9 14
as can quickly be verified by making use of its symmetry, and once the answer is known:
1 2 4 8 16 32 64 128
27 54 108 216 171 77 154 47
94 188 99 198 151 53 106 212
179 125 250 239 197 145 57 114
228 211 189 97...
the successive powers of 2 in the representation of GF(2^8) used. Successive powers of 3, unlike 2,
include all the values from 1 to 255, and thus several implementations of Rijndael use tables of the
powers of 3, and the inverse table giving the discrete logarithm in that field, to facilitate calculations, but
the round constants are still the powers of 2. (I'm not entirely sure why one needs log and antilog tables
when all one is doing is muliplying by 2 and by 3, but doubtless there is a nonobvious way to implement
Rijndael with greater efficiency that makes use of them. The inverse of the matrix used in the Mix
Column step has the values 9, 11, 13, and 14 as its coefficients, however, so this could simply serve to
limit the number of tables needed for both enciphering and deciphering, replacing six tables by two.)
For keys 256 bits in length, in addition, the S-box from the Byte Sub step alone is applied to the word
from the preceding stretch for the fifth word in a stretch in addition.
Attacks on Rijndael
The possibility of this attack was first noted by the developers of Square and Rijndael themselves, and
was noted in the paper that initially described Square.
Comments
The availability of different block sizes with Rijndael permits a cute variant of the "bricklaying" mode
proposed for Triple-DES to be used with it:
Here, each vertical line represents 32 bits, and the three layers use the 128, 192, and 256 bit block sizes in
order.
Despite the fact that Rijndael has a very different structure from that of DES, and in some ways could be
said to more closely resemble SAFER, because the Byte Sub step directly alters the bytes to be
encrypted, and the Mix Column step causes every byte in a column to affect every other byte there,
somewhat as the PHT stage in SAFER involves the whole block, it is still possible to relate the
fundamental steps in Rijndael to parts of DES based on the function they perform in contributing to the
step of the overall cipher.
The Add Round Key step clearly corresponds to the XOR of subkey material with the input to the f-
function.
The Mix Column step is where the different bytes interact with each other, so it corresponds to the XOR
of the f-function output with the left half of the block in DES.
The Byte Sub step contributes the nonlinearity in Rijndael, and so it corresponds to the f-function itself.
The Shift Row step ensures that the different bytes of each row do not only interact with the
corresponding byte in other rows. Thus, it corresponds to permutation P within DES.
In drawing an analogy between Rijndael and DES, it is very easy, based on a superficial glance at
Rijndael, and the appearance of the Shift Row step, to view it as corresponding to the swapping of halves
of the block within DES. In fact, Rijndael does not require a step with this function, because the Mix
Column step in Rijndael causes every byte in a column to alter every other byte in the column, so no step
is needed that swaps rows.
This subtle point is actually quite important. The number of regular rounds in Rijndael is always an odd
number; without a Mix Column step, the last round involves no interaction between bytes, so it makes
sense not to count it as a "real" round. Thus, it is not a multiple of the number of columns, which is 4, 6,
or 8, depending on the size of the block.
Differential cryptanalysis attacks on DES become quite a bit easier for variants of DES with an odd
number of rounds. Thus, if the Shift Row step in Rijndael had corresponded to swapping halves of the
block, this would have possibly been an important weakness in Rijndael. It may still be a slight flaw, but
existing cryptanalytic results against Rijndael do not seem to exhibit a pattern indicating this.
The key schedule for Rijndael can be carried out equally well with keys that are 160 or 224 bits long,
since it only requires that the key size be a multiple of 32 bits. Even block sizes of 160 and 224 bits are
possible as well. A revised version of the Rijndael specification includes these as extensions, and the rule
for the number of rounds to use is based on the larger of the block size and the key size, with 10 regular
rounds (11 rounds in total) corresponding to 160 bits, and 12 regular rounds (13 rounds in total)
corresponding to 224 bits.
Thus, one can obtain 12 regular rounds, which I view as desirable for the 128-bit and 192-bit block sizes,
by specifying a key of 224 bits. As a nice bonus, the number of 32-bit words in 224 bits is seven, which
is relatively prime to either four or six, which appears, at least from a naïve point of view, as if it might
improve the key schedule at least slightly as well.
This chart, showing the number of rounds for different block sizes and key sizes, also indicates when
these apparently desirable properties are obtained:
Key Block
128 160 192 224 256
128 10 11 12 13 14 10 is a multiple of 5
+ * + 4 is relatively prime to 5 and 7
160 11 11 12 13 14 10 is a multiple of 5
+ * + + + 5 is relatively prime to 4, 6, 7, and 8
192 12 12 12 13 14
+ + 6 is relatively prime to 5 and 7
288 15 15 15 15 15 14 is a multiple of 7
+ + + * + 9 is relatively prime to 4, 5, 7, and 8
320 16 16 16 16 16 15 is a multiple of 5
* + 10 is relatively prime to 7
Thus, there is at least one "ideal" key size for every possible block size:
Block
size Ideal key sizes
128 224 352
160 128
192 224
224 288
256 352
once again, I reiterate, this is only significant if these essentially minor concerns, as seen from a naïve
point of view, have any validity.
Incidentally, for a block size of 224 bits, the Shift Row step is again altered, but not in quite the same
way as for a 256-bit block. Only the last row, not the last two rows, is shifted by an extra byte position.
Also, the additional Byte Sub step noted for 256-bit keys is added to the key schedule for all key sizes
greater than 192 bits, so it applies to the 224-bit key as well as to all key sizes greater than 256 bits.
That the design of the S-box involves the same GF(2^8) as the Mix Column step might also appear to be
a concern. However, the Rijndael S-box is nearly ideal in resistance to differential cryptanalysis, and is
also excellent in avoiding any approximations in GF(2^8) usable in the GF(2^8) equivalent of linear
cryptanalysis.
The choice of Rijndael over the other finalist algorithms, also believed to be highly secure, was based
primarily on its efficiency and low memory requirements; this, coupled with the fact that existing
cryptanalyses of Rijndael are based on reduced-round variants somewhat close to the actual cipher
(although the results close to the actual number of rounds are quite impractical to exploit) means that
some controversy, even if not the intense controversy surrounding DES, may haunt the new AES as well.
Rijndael was preceded by the block cipher Square, which was somewhat similar. However, instead of a
Shift Row step, a transpose of the square matrix of bytes was used; in effect, this meant that diffusion
over the whole block was obtained by alternating Mix Column steps with Mix Row steps. Specific
attacks were found against Square, against which Rijndael was strengthened.
Finally, I will propose a minor variation to Rijndael that might make cryptanalysis more difficult.
Instead of subjecting all the columns of the block to the same operation in the Mix Column step, every
second column, instead of being subjected to a matrix multiplication, could instead be subjected to a
scaled-down version of the PHT stage in SAFER. Since only four bytes are involved, this would mean
two stages of PHT operations, and the bytes in the second and third rows would be swapped between the
stages. To avoid major changes to the shift row step, the pattern of operations should be MPMP for two
rounds, and then PMPM for two rounds; also, the bytes in the second and third rows should be swapped
back after the second PHT stage (or the PHT operations would be performed "in place", which is
equivalent). By using two completely unrelated operations, but both of which completely mix all the
bytes in a column, resistance to analysis should be improved.
However, although this is a different form of mixing, and will thus block the Square attack, it is also a
weaker form of mixing, and thus would need to be combined with an increase in the number of rounds.
Next
Chapter Start
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]
Twofish
Developed by Bruce Schneier as a successor to his 64-bit Blowfish block cipher, the Twofish specification has
been released, and is available at http://www.counterpane.com//twofish.html in both Adobe Postscript format and
Adobe Acrobat .PDF format.
Twofish uses 40 32-bit subkeys. The first eight are used for whitening, four at the beginning and four at the end
are XORed with the entire block. Each round uses two of the remaining 32 subkeys, and so Twofish has sixteen
rounds.
The division of the 128-bit block into four 32-bit quarters is done using the "little-endian" convention, which
presumably means the leftmost quarter is the earliest one, but the least significant numerically. I will denote the
quarters as Q0 through Q3.
Q0, and Q1 rotated left 8 bits, are each submitted to four key-dependent S-boxes with 8-bit inputs and outputs.
These key-dependent S-boxes are equivalent to the use of fixed S-boxes with 8-bit inputs and outputs alternating
with the XOR of subkey material, and the fixed S-boxes are themselves constructed from smaller S-boxes with
four-bit inputs and outputs.
Then, the bytes in each are combined by means of matrix multiplication with the following matrix (called the
MDS matrix):
01 EF 5B 5B
5B EF EF 01
EF 5B 01 EF
EF 01 EF 5B
(needless to say, the entries are in hexadecimal notation) over the Galois Field of 2^8 with the modular
polynomial x^8 + x^6 + x^5 + x^3 + 1.
This means that when a byte is multiplied by an element of the matrix, instead of actual multiplication being
performed, which can be thought of as shifting the input byte, and adding it to the total whenever its last bit is over
a 1 bit of the number in the matrix, a similar operation is performed, but an XOR instead of addition is performed.
Thus, in effect, one is multiplying polynomials (one cannot carry, since one doesn't know what x is) with
coefficients that are either 0 and 1, handled according to modulo-2 arithmetic.
The result of this "multiplication" is a 16-bit number. It is then reduced to an 8-bit number as follows: the modular
polynomial, considered to be the binary string 101101001, is shifted left until its first bit coincides with the first 1
bit of the result. It is then XORed with the number, and shifted right until its first bit coincides with the first
remaining 1 bit, and this is repeated until the number is 8 bits long or less.
Finally, the two resulting 32-bit quantities are mixed with each other through a Pseudo-Hadamard Transform; the
one formed from Q1 is added to the one formed from Q0, then the one formed from Q0 is added to the one formed
from Q1.
Then, the first subkey for the round is added to the one formed from Q0, and the result is XORed to Q2. The
second subkey for the round is added to the one formed from Q1, and the result is XORed to Q3.
Finally, Q2 is rotated one bit right, and the two halves of the block are swapped (Q0 is swapped with Q2, and Q1
is swapped with Q3).
As in DES, the halves are not swapped after the last round.
Note that the matrix multiplication, since it involves an XOR (rather than addition) of the individual products, can
be precomputed, making the S-box entries 32 bits wide rather than 8.
This description of the key schedule is not quite detailed enough to permit implementation at this time, but it
outlines all the required steps, and should help in understanding the original documentation.
Key generation begins by deriving three key vectors each half the length of the original key.
The first two are formed by splitting the key into 32-bit parts. Numbering these parts starting from zero, the even-
numbered ones become M(e), and the odd-numbered ones become M(o).
The third one is formed by dividing the key into 64-bit parts, and producing one 32-bit part of the key vector by
multiplying each 64-bit part by this matrix (called the RS matrix):
01 A4 55 87 5A 58 DB 9E
A4 56 82 F3 1E C6 68 E5
02 A1 FC C1 47 AE 3D 19
A4 55 87 5A 58 DB 9E 03
over the Galois Field GF(2^8) with the modular polynomial x^8 + x^6 + x^3 + x^2 + 1, which means that after an
XOR-multiplication the bit pattern 101001101 is used to fit the result back into eight bits this time.
The reason that both fields are referred to simply as "GF(2^8)" is because, except that the same roles will now be
performed by different numbers from 0 to 255, no matter which modular polynomial is used, there is really only
one Galois Field for any prime power. Changing the modular polynomial changes which number does what,
which is an isomorphism, but it does not change the underlying mathematical structure of the field. However, that
doesn't mean that changing the modular polynomial serves no purpose here: it is essentially a way to get an S-box
for free.
The resulting 32-bit words are then placed in reverse order into the key vector called S.
The fixed S-boxes with eight bit inputs and outputs, called q(0) and q(1), are each constructed from four S-boxes
with four bit inputs and outputs. For q(0), the S-boxes are:
Input 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
------------------------------------------------
T0 8 1 7 13 6 15 3 2 0 11 5 9 14 12 10 4
T1 14 12 11 8 1 2 3 5 15 4 10 6 7 0 9 13
T2 11 10 5 14 6 13 9 0 12 8 15 3 2 4 7 1
T3 13 7 15 4 1 2 6 14 9 11 3 0 8 5 12 10
And, for q(1), the S-boxes, again given the same designations, are:
Input 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
------------------------------------------------
T0 2 8 11 13 15 7 6 14 3 1 9 4 0 10 12 5
T1 1 14 2 11 4 12 3 7 6 13 10 5 15 9 0 8
T2 4 12 7 5 1 6 9 10 0 14 13 8 2 11 3 15
T3 11 9 5 1 12 3 13 14 6 4 7 15 2 0 8 10
● The input byte is split into its most significant and least significant halves, A and B.
● The new value of A is the XOR of the old values of A and B.
● The new value of B is the XOR of the old value of A, B rotated right one bit, and 8 if the old value of A
was odd.
● A and B are then replaced by their substitutes in the 16-bit S-boxes T0 and T1 respectively.
● The new value of A is the XOR of the old values of A and B.
● The new value of B is the XOR of the old value of A, B rotated right one bit, and 8 if the old value of A
was odd.
● A and B are then replaced by their substitutes in the 16-bit S-boxes T2 and T3 respectively.
● A and B are then combined in reverse order to form the result byte.
The four key-dependent S-boxes are formed from the 32-bit elements of the key vector S as follows:
If the key is 256 bits long, the key vector S has four 32-bit elements, S(0), S(1), S(2), and S(3). In that case, the
four key-dependent S-boxes are equivalent to performing the operations:
output = q(0)(S(0,0) xor q(1)(S(1,0) xor q(1)(S(2,0) xor q(0)(S(3,0) xor q(1)
(input))))
output = q(1)(S(0,1) xor q(1)(S(1,1) xor q(0)(S(2,1) xor q(0)(S(3,1) xor q(0)
(input))))
output = q(0)(S(0,2) xor q(0)(S(1,2) xor q(1)(S(2,2) xor q(1)(S(3,2) xor q(0)
(input))))
output = q(1)(S(0,3) xor q(0)(S(1,3) xor q(0)(S(2,3) xor q(1)(S(3,3) xor q(1)
(input))))
When the key is 192 bits long, the S-box definitions are simplified to:
and when the key is only 128 bits long, the S-box definitions are simplified to:
The subkeys which are actually added to the function outputs before they are XORed to another quarter of the
block are produced by a process very similar to a Twofish round, but with key-dependent S-boxes derived from
the key vectors M(e) and M(o) instead of from the key vector S. The inputs are the round number times 2, plus 1
on one side, in all four bytes of a word, and the rotate left step takes place after the function instead of before: an 8-
bit rotate left before the PHT, and a 9-bit rotate left after.
[Next] [Up] [Previous] [Index]
Next
Chapter Start
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]
SERPENT
Developed by Eli Biham, the originator of differential cryptanalysis, SERPENT is a block-cipher
algorithm which, like SAFER, is a "straight-through" algorithm, rather than using Feistel rounds.
The original form of its description is available at http://www.cs.technion.ac.il/~biham/Reports/
Serpent/. It is simple in appearance, using plain 4-bit-wide S-boxes without additional inputs (like
GOST) and standard computer logic operations. It also includes an initial permutation and an
inverse initial permutation, so that the S-boxes can be implemented with logic operations instead of
table lookups; this is possible because the eight S-boxes used by the algorithm are used in sequence
rather than in parallel.
Considering the 128 bit block as consisting of bits 0 to 127, from left to right, but with bit 0 the
least significant, the first operation performed is the initial permutation. The sources of the bits
resulting from that permutation are, in order, as follows:
0 4 8 12 16 ... 124
1 5 9 13 17 ... 125
2 6 10 14 18 ... 126
3 7 11 15 19 ... 127
SERPENT has 32 rounds. The last one has a slightly different sequence of operations than the other
rounds.
In a normal round, the first step is to XOR the current round's subkey with the 128-bit-wide block.
Then, the entire block is transformed, nybble by nybble, according to the current S-box for the
round. The S-boxes are numbered from S0 to S8, and are used in order repeatedly; S0 for rounds 1,
9, 17, and 25; S1 for rounds 2, 10, 18, and 26; and so on.
Then, the block goes through a series of mixing operations so that the different nybbles of the block
interact. The process consists of ten steps, which can be thought of as being organized into five
phases.
This process proceeds, in bitslice mode, as follows; for the normal mode described here, this series
of steps must be preceded by the inverse of the initial permutation and followed by the initial
permutation to be correct:
Considering the block as being divided into four 32-bit quarters, Q0, Q1, Q2, and Q3, from left to
right, the operations are:
Modify Q1 by XORing Q0 and Q2 to it. Modify Q3 by XORing Q0 shifted left 3 bits, and Q2 (left
alone) to it.
Rotate Q1 1 bit left, and rotate Q3 7 bits left.
Modify Q0 by XORing Q1 and Q3 to it. Modify Q2 by XORing Q1 shifted left 7 bits, and Q3 (left
alone) to it.
After the 32nd round, the bits are subjected to what is called in SERPENT the final permutation,
which is the inverse of the initial permutation, and the sources of the bits resulting from it are as
follows:
0 32 64 96 1 33 65 97 2 34 66 98 3 35 67 99
4 36 68 100 5 37 69 101 6 38 70 102 7 39 71 103
8 40 72 104 9 41 73 105 10 42 74 106 11 43 75 107
12 44 76 108 13 45 77 109 14 46 78 110 15 47 79 111
...
28 60 92 124 29 61 93 125 30 62 94 126 31 63 95 127
The following diagram may be of some help in understanding Serpent, although it doesn't show
either the full width of the cipher or all its details.
The Key Schedule
128 and 192 bit keys are first transformed to 256 bit keys. All short keys are padded to 256 bits by
having 000...001 appended to them at the most significant end, which is apparently on the right as
things are defined here.
A 256 bit key is handled as follows: it is divided into eight 32-bit words. The first one is considered
the oldest, and new words are generated as follows:
where the first generated word is considered to be word zero - so the 256 bit key consists of words -
8 through -1.
128 words are generated. Then, these words are taken in groups of four to produce the round
subkeys, by being put through the S-boxes. A different S-box is used, though, than the one which
will be used during that round; the S-boxes are used in the sequence S3, S2, S1, S0, S7, S6, S5, S4,
repeated four times.
[Next] [Up] [Previous] [Index]
Next
Chapter Start
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]
RC6
Devised by Dr. Ronald C. Rivest, of RSA fame, RC6 is based on Feistel rounds; but
not Feistel rounds operating between the two halves of the block. Instead, the Feistel
rounds operate between pairs of quarters of the block, and they are interlocked by the
exchange of some data. Circular shifts the extent of which is controlled by data, and a
quadratic function applied to 32-bit integers are the nonlinear elements which provide
the security of this block cipher.
The design of the block cipher is such that the number of rounds, the size of the key,
and the size of the block, are all flexible. It is based on the previous RC5 block cipher,
which is patented by RSA Laboratories, but instead of being RC5 expanded to a larger
block size, it is designed to limit the width of registers required to handle large blocks.
It will be described here only with the specific number of rounds and blocksize
proposed for the AES, and I am not yet including a description of the key schedule.
RC6 uses 44 subkeys, numbered S0 to S43, each one 32 bits long. The block to be
enciphered is divided into four 32-bit integers, A, B, C, and D. The first four bytes
enciphered form A, and the convention is little-endian; the first byte enciphered
becomes the least significant byte of A.
RC6 begins with an initial whitening step; B is XORed with S0, and D is XORed with
S1.
Each round of RC6 uses two subkeys; the first one uses S2 and S3, and successive
rounds use successive subkeys.
The least significant 5 bits of the quantity XORed to A (function f of B circular left
shifted 5 bits) specifies the extent to which C is circular left shifted.
The least significant 5 bits of the quantity XORed to C (function f of D circular left
shifted 5 bits) specifies the extent to which A is circular left shifted.
Then the first subkey for the round is XORed to A, and the second subkey for the
round is XORed to C.
Then, the four quarters of the block are rotated as follows: the value of A is placed in
D, the value of B is placed in A, the value of C is placed in B, and the (original) value
of D is placed in C.
After the 20th round is complete, an additional whitening step takes place: A is XORed
with S42, and C is XORed with S43.
Next
Chapter Start
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]
DEAL
Designed by Richard Outerbridge, who developed a construction for using a block
cipher with one block size to create a new one with a larger block size, DEAL is a
Feistel round cipher with a small number of rounds that uses DES as its f-function. Its
description is available at http://www.ii.uib.no/~larsr/newblock.html
The block is divided into two 64-bit halves. In each round, the right half of the block is
XORed with the left half of the block after encryption under DES with the current 64-
bit round key with parity bits (the least significant bit of each byte) ignored as the key.
Eight rounds are recommended for use with a 256-bit key; with a 128-bit key or a 192-
bit key, six rounds are used, which gives DEAL essentially exactly the same speed as
Triple-DES.
The halves of the block are swapped after every round, including the last one.
For all key generation, the encryption or convolution step used is encryption with DES,
using the constant key X'0123456789ABCDEF'.
The 128-bit key is considered to consist of two 64-bit blocks, K1 and K2.
The second round key is (K2 xor the first round key), encrypted.
The third round key is (K1 xor the second round key xor X'8000000000000000'),
encrypted.
The fourth round key is (K2 xor the third round key xor X'4000000000000000'),
encrypted.
The fifth round key is (K1 xor the fourth round key xor X'1000000000000000'),
encrypted.
The sixth round key is (K2 xor the fifth round key xor X'0100000000000000'),
encrypted.
The second round key is (K2 xor the first round key), encrypted.
The third round key is (K3 xor the second round key), encrypted.
The fourth round key is (K1 xor the third round key xor X'8000000000000000'),
encrypted.
The fifth round key is (K2 xor the fourth round key xor X'4000000000000000'),
encrypted.
The sixth round key is (K3 xor the fifth round key xor X'1000000000000000'),
encrypted.
The second round key is (K2 xor the first round key), encrypted.
The third round key is (K3 xor the second round key), encrypted.
The fourth round key is (K4 xor the third round key), encrypted.
The fifth round key is (K1 xor the fourth round key xor X'8000000000000000'),
encrypted.
The sixth round key is (K2 xor the fifth round key xor X'4000000000000000'),
encrypted.
The seventh round key is (K3 xor the sixth round key xor X'1000000000000000'),
encrypted.
The eighth round key is (K4 xor the seventh round key xor X'0100000000000000'),
encrypted.
[Next] [Up] [Previous] [Index]
Next
Skip to Next Section
Chapter Start
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]
MARS
MARS is the IBM's entrant into the AES competition. As IBM is the company that designed DES, this
alone makes this entry of particular interest. Note, incidentally, that as the AES process only requires
companies to allow free use of the proposed algorithm if it is selected as the successful candidate, some
AES candidates are protected by patents, both to retain control of the cipher itself if it is not selected, and
to control the basic technology on which the cipher is based, so that licensing would still be required for
larger variants of the cipher, for example. Among the entrants I have examined so far, this applies to RC6
and it had also applied to MARS, but IBM later made MARS available for licensing free of charge.
As the little-endian case is difficult to describe, I am going to use big-endian conventions consistently in
my description of MARS. Essentially, this means that the very first thing one does when starting MARS as
I describe it is divide the 128-bit block of plaintext into four words of four bytes, and reverse the order of
the four bytes in each word. The same has to be done on exit.
Overview
Then, there are sixteen rounds (the last eight are called
"reverse" rounds, with a rationale somewhat like the one seen
in Skipjack) which constitute the "cryptographic core" of the
cipher. One 32-bit word is used to modify the other three, by
being split into three copies of itself, and subjected to various
manipulations, including one multiplication by key material,
one S-box lookup, and two data-dependent rotations.
The diagrams I will use here show the words of the block with
the first word on the left, and with the most significant byte of
each word on the left. Thus, before starting, and after finishing,
the bytes of the block being enciphered must be transposed to
the following order, if considered as numbered from 0 to 15:
3 2 1 0 7 6 5 4 11 10 9 8 15
14 13 12
The four bytes of the first word in the block, W0, are used as
inputs to the two fixed S-boxes used by this cipher with eight
bits of input and 32 bits of output. The second word is XORed
with the word in S0 chosen by the least significant byte of the
first word and then the word in S1 chosen by the third, or
second least significant, byte of the first word is added to it.
The word in S0 chosen by the second byte of the first word is
added to the third word. The fourth word is XORed with the
word in S1 chosen by the first byte of the first word.
In the first and fifth round of this, the fourth word is added to
the first word, and in the second and sixth round of this, the
second word is added to the first word. This additional
complication is intended to protect against differential
cryptanalysis.
Then the words are rotated, so that the old first word becomes
the new fourth word, and the other words are moved to the
position immediately preceding their old position.
Also on this diagram are the next sixteen rounds, which constitute the "cryptographic core" of MARS. The
E function produces three 32-bit outputs from the first word of the block and two 32-bit subkeys. The 13-
bit circular left shift shown as being applied to the first word would be duplicated inside the E-function if it
really recieved only one input; that oversimplication is avoided in the following diagram,
which shows one of the forward core rounds (which I have chosen to label as type D in the first diagram
for ease of reference) in detail.
The final eight rounds of MARS are the inverse, in the sense of the operations performed, of the first eight
rounds of unkeyed mixing; subtraction replaces each addition, and the rounds are performed in reverse
order. However, the direction in which the four words are rotated after each round is not reversed, so these
rounds are not an exact inverse of the first four rounds in an overall sense.
S(0,1) in the diagram stands for an S-box with nine input bits and 32 output bits which is merely the
concatenation of S0 and S1.
The S-boxes in MARS are as follows (no, I didn't type them in myself; I must gratefully acknowledge the
C implementation of MARS by Brian Gladman as my source):
S-box 0:
S-box 1:
The key for MARS may be from 4 to 39 words in length. These words are considered to be little-endian in
format, so the first byte of the key is the least significant byte of the first word.
To generate the key, we use an array of words which is considered to have subscripts ranging from -7 to
39. The first seven words of this array, numbered from -7 to -1, are filled with the first seven words in the
S-box (or the first seven words in S-box zero).
Then, words 0 to 38 of the array are initialized in order with the following quantity:
Word 39 of the array is loaded with the number of words in the external key.
At this point, we forget words -7 through -1 of the array, and treat the array as containing only words 0
through 39.
Then, seven times over, starting from word 1 of the array, add to each word of the array the S-box entry
indicated by the most significant nine bytes of the preceding element of the array. Note that word 39 is
considered as preceding word 0, the last word to be modified by this loop.
Finally, word i of this temporary array, for i from 0 to 39, becomes subkey (7 * i) modulo 40.
A proposed change to the definition of MARS is to replace this key generation procedure, which
generates 40 subkey words in one step, with four instances of the following, each of which generates 10
subkey words:
To generate the key, we use an array of words which is considered to have subscripts ranging from 0 to
14. The key is placed in the array starting with word 0, the word in the array immediately following the
last word of the key is filled with the number of words in the key, and the remainder of the array is filled
with zeroes.
What follows is done four times, each time producing 10 words of subkey.
Then, words 0 to 14 of the array are initialized in order with the following quantity:
Then, four times over, starting from word 1 of the array, add to each word of the array the S-box entry
indicated by the most significant nine bits of the preceding element of the array. Note that word 14 is
considered as preceding word 0, the last word to be modified by this loop.
Finally, word (4 * i) modulo 15 of this temporary array, for i from 0 to 9, becomes subkey i plus 10 times
the iteration number (in the first iteration, considered iteration number zero, we generate subkeys 0
through 9, in the second iteration we generate subkeys 10 through 19, and so on).
Subkeys 5, 7, 9, 11, ... to 35 are used to multiply the first word of the block within the E function. These
subkey values are modified if necessary to ensure that they are good values for multiplication.
The method of correcting these subkeys is somewhat involved, and goes as follows:
Let SM be SR or 3.
Let IX be SR and 3.
Create MA such that only those bits in MA corresponding to a run of ten or more bits in SM are ones,
excluding the first and last bit of each run. (If MA is zero, SR does not need to be altered, so you can quit.)
Originally, the reference code implementing this procedure left the first bit of MA equal to one if the first
bit of SM was zero. A proposed modification to MARS is to change this to conform to the written
description.
Let MA be MA and FFFFFFFC - that is, set its last two bits to zero.
Use IX to select an element from this array (containing four values from the S-boxes):
0: A4A8D57B
1: 5B5D193B
2: C8A8309B
3: 73F9A978
then rotate the value right by the amount indicated by the element three places ahead
The proposed modification changes this to one place back. (Since only odd-numbered subkey words are
modified, this will always lead to a word in the same group of 10 words as the one being modified.)
in the array of words of internal key, and then modify the current key word by XORing it with that result
ANDed with MA.
Comments
As noted above, the unkeyed mixing rounds of MARS seemed to me to be somewhat wasteful. However, I
was one of what seemed to be only a few people who liked MARS, thinking it one of the likeliest
candidates to remain secure for a considerable time to come. Originally, I could not think of a good way to
modify the key schedule to produce keys for the mixing rounds. Once the key schedule was modified,
however, I saw a natural way to do this, which I described in a comment to Round 2 of the AES process.
However, a second comment in which I made a correction to that proposal got garbled.
Using the new key schedule, after generating subkeys 30 to 39, the process that is applied to the array of
15 words to generate a batch of 10 subkeys is to be performed once again. Once this is done, the contents
of that array, the elements of which are known as T[0] through T[14], are to be modified as follows:
The intent of this is to cause the contents of the array T to be a non-invertible function of the key. This is
done by XORing the contents of T after an iteration of the invertible transformation function with values
generated from it previous to that iteration.
The values chosen are all values used as subkey values, so that additional memory is not required to retain
other information to be used for this purpose. For that reason, the subkeys that were modified in order to
be used for the multiplication portion of the E function in the cryptographic core rounds of MARS are also
avoided.
Then, two additional iterations of the process previously used to generate a set of 10 subkey words are
performed, but from each of them only eight subkeys are now taken. Each subkey is used to provide four
bytes to XOR to the values used to index into the MARS S-boxes in one of the mixing rounds.
Because there are now seven, rather than four, instances of the procedure to modify the contents of the
array T, the number of the array word being calculated, when XORed with the contents of that word,
should be shifted three bits left instead of two bits left.
In my proposal, I did not specify how to take eight subkeys from each of the last two key generation
phases. I now suggest that, instead of choosing the subkeys based on (7 * i) mod 15, for each of these last
two phases, the eight subkeys taken should simply be from words T[8], T[9], ... T[14], T[0], thus always
using the last ones modified, and being different from the scheme used for the rest of MARS. However, if
the subkeys used for the first group of mixing rounds are subkeys 40 to 47 in order, and for the second
group 48 to 55 in order, the words taken from these rounds should be allocated to the subkeys as follows:
Next
Chapter Start
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]
SAFER+
SAFER+ is the proposal of Cylink Corporation for the Advanced Encryption Standard,
and its description is available at http://www.cylink.com/internet/library.nsf/pages/
SAFER/. It is very similar to the original 64-bit block cipher SAFER.
it uses the same S-boxes as SAFER in the same way. Instead of the regular "butterfly"
formation of Pseudo-Hadamard Transforms used in the original SAFER, a slightly
irregular arrangement is used, so that the net result of the operations, given in the
document as the matrix M (it stated that that matrix could be realized by a four-layer
PHT network similar to the three-layer one in SAFER, but did not give the network;
thus this diagram rectifies the omission) has certain desirable properties.
One other improvement in SAFER+ over SAFER is that after matrix M is applied in
the last round, one extra subkey is applied to the block, using the same sequence of
alternating XORs and additions as is used for the first subkey in a round. This means
that the final application of matrix M is not a waste of time in terms of cryptographic
security.
For a key length of 128 bits, 8 rounds are used; for 192 bits, 12 rounds; and for a 256-
bit key, SAFER+ has 16 rounds.
The key schedule of SAFER+ is quite simple. The key, whatever its length, has one
byte appended to it, equal to the XOR of all the bytes in the key.
The first subkey consists of the first 16 bytes of the key. For each remaining subkey,
first rotate the expanded key left 11 bits, then take the first 16 bytes of the result, and
use them after XORing them with a constant. I am not reproducing the constants here;
the paper describing SAFER+ gives them, but in decimal form.
Next
Chapter Start
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]
FROG
FROG is another block cipher which is based on whole-byte operations. In structure, it
has a slight resemblance to NewDES. The original description of it is available at http://
www.tecapro.com/aesfrog.htm.
A weakness has been uncovered in it, but a minor modification would correct that: of
its eight rounds, the last four could be performed in deciphering mode. (An appropriate
rearrangement of bytes between the first four rounds and the last four would ensure
against the possibility of a key existing that would cause the last four rounds to undo
the work of the first four.)
Each round consists of sixteen steps, one for each byte of the block. Each round has the
following subkey material:
LOKI97
Designed by Dr. Lawrie Brown, of the Australian Defence Force Academy with assistance
from Dr. Josef Pieprzyk (who designed the S-boxes) and Dr. Jeniffer Seberry, and named after
the Norse god of trickery and cunning, LOKI97 is a successor to the 64-bit block ciphers
LOKI89 and LOKI91. (Fittingly enough, Dr. Brown spent part of the sabbatical year during
which he designed it at a University in Norway!)
http://www.adfa.oz.au/~lpb/research/loki97/
but a full description is also presented here, for the convenience of those without a convenient
means to view or print items in Postscript form.
In each round, two 64-bit subkeys are added (yes, using normal 64-bit addition including
carries) to the right half of the 128-bit block. Its value, after the first subkey is added, but
before the second subkey is added, is used as the input to the f-function for that round. This is
a nicely symmetrical way of both modifying the input to the f-function and modifying the right
half of the block as well.
A third 64-bit subkey is used as an input to the f-function; it is not directly added or XORed to
the right half of the block or a transformed version of it, but instead controls the f-function's
nonlinearity. For purposes of the key schedule, this 64-bit subkey is the second one; the two
added to the right half are the first and third, respectively. The output of the f-function is, as in
DES, XORed to the left half of the block.
The f-function
Unlike the f-function in DES, which includes the step of XORing the 48-bit subkey with the
right half of the block after the expansion permutation, the addition of subkeys to the right half
of the block is, in LOKI97, performed outside the f-function, as we have seen.
The first step in the f-function involves applying the least significant and rightmost (numbered
from 31 to 0 in the convention used in the paper describing LOKI97) 32 bits of the subkey
input (the entire 64-bit subkey input is called input B to the f-function) to the current value of
the right half of the block (after one of the two additions, as noted above, and which is called
input A to the f-function) as follows: a 1 bit in the 32 bits of subkey input used indicates that
corresponding bits of the two halves of the right half of the block are to be swapped. A bit
swap of this nature can be easily implemented by means of AND and OR instructions, and was
earlier used in the ICE block cipher.
LOKI has two distinct S-boxes; S1 contains 8192 values from 0 to 255, and S2 contains 2048
values from 0 to 255. After the expansion permutation which is the next step, these S-boxes
will be used in the order:
So the expansion permutation will produce groups of 13, 11, 13, 11, 11, 13, 11, and 13 bits
corresponding to each byte output from the bit-swapping step.
This is done by appending to the beginning of each byte either 5 or 3 bits, as needed, from the
least significant part of the preceding byte (going around the circle to append the least
significant 5 bits of the last byte to the front of the first one). This is simpler than the
expansion permutation of DES, which augmented each nybble of the input with one bit taken
from each of the two adjacent nybbles.
The output of the S-boxes, considered as consisting of bits 63 to 56 from the first S-box, bits
55 to 48 from the second S-box, and so on, is then permuted by the following permutation P:
7, 15, 23, 31, 39, 47, 55, 63, 6, 14, 22, 30, 38, 46, 54, 62,
5, 13, 21, 29, 37, 45, 53, 61, 4, 12, 20, 28, 36, 44, 52, 60,
3, 11, 20, 27, 35, 43, 51, 59, 2, 10, 18, 26, 34, 42, 50, 58,
1, 9, 18, 25, 33, 41, 49, 57, 0, 8, 16, 24, 32, 40, 48, 56
where this listing is of the output bits, each number showing from which input bit that output
was obtained. (Remember, the input bits are numbered from 63 down to 0 here.)
Finally, the 32-bit result is again submitted to the S-boxes, but this time in the following order:
with the additional five or three more significant bits of input required for each S-box supplied
by the leftmost or most significant half of the subkey input to the f-function. (One starts from
the left, and takes the leftmost bits of the subkey input for this purpose.)
Each entry in the two S-boxes is equal to the cube of the one's complement of that entry's
position, modulo a polynomial in the Galois fields GF(2^13) for S1 and GF(2^11) for S2.This
technique is more familiar from calculating cyclic redundancy checks; a binary number, such
as 1101, is considered to be a polynomial:
1 * x^3 + 1 * x^2 + 0 * x + 1
in this case, the coefficients of which are modulo 2 numbers that can only be either 0 or 1.
For S1, the polynomial is 10100100010001, and for S2 the polynomial is 101010100111. In
each case, the polynomial is one bit wider than the S-box inputs, so it can be used, shifted to
the right if necessary, to XOR away every bit by which the cube extends past the width of the
S-box input. After that is done, only the last 8 bits of the result are used as the S-box entry, but
the reduction from either 13 or 11 bits to 8 is done by simple chopping.
Subkey generation
Subkeys for LOKI97 are generated by a modified version of the cipher itself.
The input to the subkey is considered to be composed of four 64-bit pieces, called K4, K3,K2,
and K1. When a 256-bit key is used, its first 64 bits become K4, its second K3, and so on.
A 192-bit key is converted to a 256 bit key as follows: the given key becomes the first 192 bits
of the 256-bit key to be used, and the last 64 bits are calculated by using the LOKI97 f-
function, with the first 64 bits acting as input A (the "righthalf" input) and the second 64 bits
acting as input B (the "subkey" input).
A 128-bit key is converted to a 256 bit key as follows: the given key becomes the first 128 bits
of the 256-bit key to be used, the third group of 64 bits (K2) is the f-function of the second 64
bits submitted as input A and the first 64 bits submitted as input B, and the fourth group of 64
bits (K1) is the f-function calculated with the first 64 bits submitted as input A and the second
64 bits as input B, exactly as in the 192-bit case.
Once the input key is in 256-bit form, as K4, K3, K2, and K1, the 48 subkeys used are
calculated as follows:
The LOKI97 f-function is calculated with the following inputs: the A input is K1 plus K3 plus
the hexadecimal constant 9E3779B97F4A7C15 multiplied by the number of the subkey
generation round (from 1 to 48), and the B input is K2.
K4 is XORed with this result, and the result of this XOR is the subkey generated as well.
Then, before the next f-function calculation, the subkeys are rearranged: the old K1 value
becomes the new K2 value, K2 goes to K3, K3 goes to K4, and K4, after the XOR (the same
as the subkey value) goes to K1.
For round 1, subkey 1 is what is first added to the right half of the block; subkey 2 is the B
input to the f-function, and subkey 3 is what is added secondly to the right half of the block.
This pattern continues with the remaining subkeys for theremaining rounds.
For decryption, subkey 1 becomes the additive inverse of subkey 48, subkey 2 becomes
subkey 47, subkey 3 becomes the additive inverse of subkey 46, and this repeats for each
group of three subkeys.
Analysis
LOKI97 was the first submission to the Advanced Encryption Standard process to be publicly
disclosed by its authors. Unfortunately, it was also the first one to be found to have flaws.
The fixed S-boxes, which took 11 or 13 bits of input, consisting of three or five supplemental
bits "borrowed" from the previous byte, plus the eight bits of the byte for which they provided
a substitute, simply consisted of apparently random bits. While their contents were designed to
have some good properties, the fact that the S-boxes did not contain eight or thirty-two
successive permutations of the numbers from 0 to 255 meant that the S-box output was biased.
An attack was found by Vincent Rijmen and Lars Knudsen that exploited this. (Note that a key-
dependent S-box, like that of Blowfish, does not need to be composed of bijections. Wide
fixed S-boxes, as used in CAST-128 and MARS, also don't appear to face that constraint.)
The structure of the S-boxes was only a problem because in the second S-box stage, the extra
bits of input to the S-boxes came only from the subkeys, so the biases in the S-boxes would
tend to leak those subkey bits.
In DES, additional efficiency can be gained by storing a table of the S-box values after they
have gone through permutation P. Here, the same S-box goes into the one fixed permutation,
after the first S-box stage, at different places, and then the second S-box stage is not followed
by a permutation. This complicates implementation, and loses the additional diffusion an extra
permutation layer (which would be available "for free", if identical) would provide.
Next
Chapter Start
Skip to Next Section
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]
CAST-256
CAST-256 is the Canadian entry in the competition for the new Advanced Encryption
Standard. It takes its name from the original CAST cipher, designed by Carlisle Adams
and Stafford Tavares; they and others worked on the design of CAST-256. The original
paper describing the cipher is at this location:
http://www.entrust.com/resources/pdf/cast-256.pdf
Unless it is chosen as the AES, licensing is likely to be required to use this submission
as well as some others.
It uses an f-function that produces a 32-bit output from a 32-bit input, and each round
consists of modifying one 32-bit quarter of the block by XORing it with the f-function
of another 32-bit quarter of the block. There are 48 rounds in CAST-256.
The rounds are organized in groups of four, called quadrounds. CAST-256 begins with
six forwards quadrounds, and then continues with six reversed quadrounds, which are
reversed exactly as would be required for decipherment. Thus, to perform CAST-256
decipherment, it is only necessary to change the order in which the subkeys are used.
Each round uses two subkeys, a "mashing" subkey 32 bits in length, and a rotation
subkey 5 bits in length. A reverse quadround is reversed to the extent that the four
rounds within it actually use their subkeys in reverse order; thus, the rounds of CAST-
256 use their subkeys in this order:
0 1 2 3 ... 22 23
27 26 25 24 31 30 29 28 35 34 33 32
39 38 37 36 43 42 41 40 47 46 45 44
The f-function in CAST-256 comes in three different flavors, with the positions in
which the operations of addition, XOR, and subtraction are used changed. In the first
type of f-function, the input first has the current mashing key added to it. Then, the
result is given a circular left shift the extent of which is given by the current rotation
key. Then, each of the four bytes of the result are used to select entries from one of the
four S-boxes. The entries in the S-boxes are 32 bits wide. The entry in S1, selected by
the first byte, first has the S2 entry selected by the second byte XORed to it, then the
S3 entry selected by the third byte subtracted from it, then the S4 entry selected by the
fourth byte added to it.
In the f2 function, the mashing key is XORed, the S2 entry is subtracted, the S3 entry
is added, and the S4 entry is XORed.
In the f3 function, the mashing key is subtracted, the S2 entry is added, the S3 entry is
XORed, and the S4 entry is subtracted.
CAST-256 may have a key that is 128, 160, 192, 224 or 256 bits long, providing two
additional key lengths besides those required for an AES candidate. The 256-bit input
to the first octave consists of the key padded with zero 32-bit words in the rightwards,
later positions.
The subkeys used for the octaves are as follows: the first mashing subkey is 5A827999
in hexadecimal, and the first rotation subkey is 19 in hexadecimal.
Subsequent subkeys are formed by adding 6ED9EBA1 to the previous round's mashing
subkey, and adding 17 (again, hexadecimal) to the previous round's rotation subkey.
Needless to say, the two additions are modulo 2^32 and 2^5, respectively.
The value of the block after each octave supplies enough subkey material for one
quadround of the cipher. The eight 32-bit segments of the 256-bit block supply KR0,
KM3, KR1, KM2, KR2, KM1, KR3, and KM0 in order: that is, the first segment
supplies the first rotation key for the quadround (all but the last five bits are ignored),
the second segment supplies the last mashing key for the quadround, and one proceeds
onwards, forwards through the rotation keys and backwards through the mashing keys.
Next
Chapter Start
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]
Magenta
Magenta is a block cipher with a complex and deeply nested design. However, the S-
box has a simple structure, and there are also weaknesses in the key schedule. This led
to cryptanalytic results being obtained against it shortly after it was disclosed.
Although it has been claimed that there are other weaknesses in the design, it still
seems to me that the design contains some useful principles.
1 2 4 8 16 32 64 128 101
202 241 135 107 214 201 247 139 115
230 169 55 110 220 221 223 219 211
195 227 163 35 70 140 125 250 145
71 142 121 242 129 103 206 249 151
75 150 73 146 65 130 97 194 225
167 43 86 172 61 122 244 141 127
254 153 87 174 57 114 228 173 63
126 252 157 95 190 25 50 100 200
245 143 123 246 137 119 238 185 23
46 92 184 21 42 84 168 53 106
212 205 255 155 83 166 41 82 164
45 90 180 13 26 52 104 208 197
239 187 19 38 76 152 85 170 49
98 196 237 191 27 54 108 216 213
207 251 147 67 134 105 210 193 231
171 51 102 204 253 159 91 182 9
18 36 72 144 69 138 113 226 161
39 78 156 93 186 17 34 68 136
117 234 177 7 14 28 56 112 224
165 47 94 188 29 58 116 232 181
15 30 60 120 240 133 111 222 217
215 203 243 131 99 198 233 183 11
22 44 88 176 5 10 20 40 80
160 37 74 148 77 154 81 162 33
66 132 109 218 209 199 235 179 3
6 12 24 48 96 192 229 175 59
118 236 189 31 62 124 248 149 79
158 89 178 0
Start with 1, and shift one position left to obtain the next entry: when 1 is shifted out,
XOR the contents with 101. This obtains the first 255 entries of the table; use 0 as the
last entry.
In the Magenta documentation, f(x) is defined as entry x in this S-box. On that basis,
other functions are defined in a step by step manner:
To help keep track of where we are so far, this diagram illustrates how pi(X) operates
on a 16-byte bit string:
S(x(0),x(1),x(2),...x(15)) = (x(0),x(2),x(4),...x(14),x(1),x(3),x(5),...x(15))
Our last preparatory definition is that of C(n,w), where n is a number, and w a 16-bit
vector, as the following:
C(1,w) = T(w)
Note that n is not a piece of the key or of the block being encrypted; it is a parameter
giving the depth of recursion used.
● for a 128-bit key, the key is divided into parts, K1, K2, and the subkeys for the
six rounds in order are K1, K1, K2, K2, K1, K1.
● for a 192-bit key, K1, K2, K3, K3, K2, K1.
● for a 256-bit key, K1, K2, K3, K4, K4, K3, K2, K1.
It appears that, except for swapping halves, Magenta is reciprocal. The first paper
giving a cryptanalysis of Magenta incorrectly gave the key schedule as K1 K2 K1 K1
K2 K1, it appears.
Originally, the F function was going to be the first eight bytes of S(C(7,(X(2),SK(n)))),
but the number of rounds inside the f-function was reduced because of a possible
weakness. Even so, Magenta is deeply nested with complexity.
Next
Chapter Start
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]
The original version of its specification is available on its designer Serge Vaudenay's
web site.
The arrangement of the Feistel rounds is like that of DES, with halves swapped after all
rounds but the last one.
First, two 64-bit subkeys (considered as two halves of a single 128-bit round subkey)
are applied to the right half of the block by multiplication and addition, modulo 2^64
+13. Then the last 64 bits of the result are used.
Then, the right and left halves of the 64-bit result are swapped. The new left half has an
S-box entry, chosen by the rightmost 6 bits of the new right half, XORed to it. The new
right half is only XORed with a constant.
Although this description is short and simple, using multiplication with an odd
modulus in the f-function ensures that every bit of the f-function output depends on
every bit of its input.
More importantly, the use of both multiplication and addition has an important
property, which explains the meaning of the word 'decorrelation' in the name of this
cipher, and which also is connected with the use of Galois field multiplication in some
other ciphers in this section, such as Rijndael and Twofish.
Because of the distributive property involving both multiplication and addition, that
a*x + a*y = a*(x+y), thus multiplication distributes over addition, the following is true:
Let us suppose the input p produces the output q, and r produces the output s, after
being first multiplied by a and then having b added to it. If you change a, and then
change b so that p still produces q, r can produce anything, because the difference
between q and s is proportional to the multiplier a.
This also works when Galois field multiplication is used, with XOR taking on the role
of addition. This subject is more extensively discussed in a section entitled A Note on
the Importance of the Galois Field.
Next
Chapter Start
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]
The obvious way of using DES is simply to apply it directly to plaintext, transforming each 64-bit block of
plaintext. This is called ECB, or Electronic CodeBook mode.
There are two reasons this mode might not be found satisfactory. If the same message is sent twice, with the same
key, its enciphered form will also be identical. Also, one needs to have eight bytes of plaintext available before
performing encipherment. Thus, other ways of using DES were proposed. None of them strengthened the basic
cipher, or added to the size of the key.
CBC, for Cipher Block Chaining, is one of the most popular modes. It addresses the first of the two problems with
ECB mode. Each plaintext block, before being encrypted normally by DES (as in ECB mode) is XORed with the
previous ciphertext block. The first plaintext block is XORed with a random 64-bit block, called the initialization
vector, which is transmitted in the clear. This mode looks like this:
Plaintext
| |
--->XOR -------->XOR
| | |
----------- | -----------
| DES | | | DES |
----------- | -----------
| | |
| | |
|--------- |-----
| |
| |
Ciphertext
The useful properties of CBC mode can be illustrated by means of the following short demonstration:
Let's imagine a block cipher that operates on three-letter groups, and uses Vigenere instead of XOR...
Now, if we change the message at the beginning, everything changes all the way through, because information
indeed keeps getting propagated:
But if, instead, it is the original message that is sent, and a transmission error takes place, so that instead of
recieving
then only two blocks are destroyed. Since each ciphertext block was a function of the plaintext block and the
previous ciphertext block, each plaintext block is a function of the ciphertext block and the previous ciphertext
block. As long as those two ciphertext blocks are right, the rest of the message is irrelevant.
In this decipherment example, the first plaintext block is totally garbled, because the erroneous ciphertext block is
the input into the block cipher; the second plaintext block only has an error which matches that of the plaintext
block, because the erroneous block is used in a Vigenere calculation after the block cipher.
Thus, someone could even note that ...EDSMONEY is probably NEEDSMONEY, and work out that LPE should
become LNE. That would allow MKM to be corrected to MNM, and the message recovered.
A mode somewhat similar to CBC, called PCBC, for Propagating Cipher Block Chaining, XORs each plaintext
block, before being encrypted normally by DES, with both the previous ciphertext block and the previous
plaintext block. Since on decipherment, the DES decryption is done first with both XORs taking place afterwards,
if two ciphertext blocks are swapped, while they will decrypt incorrectly, succeeding blocks will again decrypt
normally. As this mode was intended to take the place of the use of a checksum for guaranteeing message
integrity, this characteristic was considered a flaw, and led to this mode's being abandoned in favor of ordinary
CBC when Kerberos, the one well-known place where it was used, went from version 4 to version 5.
OFB, for Output FeedBack, addresses both the first and second problems noted earlier that exist with ECB mode.
An initialization vector is again sent in the clear. It is repeatedly encrypted by DES, and the result of doing so is
XORed with the successive blocks of the plaintext.
This mode has two problems of its own. The plaintext itself is only subjected to an XOR. This means that if the
plaintext is known, another plaintext can be substituted by inverting the same bits of the ciphertext as one would
need to invert of the plaintext to do so. This is called a bit-flipping attack. And there is always the possibility,
admittedly a slim one, that one might choose a key and an initialization vector such that the successive blocks
generated might repeat in a short loop.
Plaintext
| |
| |
--->XOR |---| -------->XOR
| | | | |
| | D | | |
|-----| E |---- |-----
| | S | |
| | | |
| |---| |
Ciphertext
A bit-flipping attack will garble subsequent blocks, and so if one takes care that messages have checksums,
straddle more than one block, and so on, that is prevented despite the fact that the plaintext is only subjected to an
XOR at the time of being enciphered. Since the plaintext modifies what is used to XOR later parts, there is no
problem of a generator falling into a short loop.
This mode limits the propagation of transmission errors to the same extent as CBC mode. Once again, this can be
illustrated using an alphabetic cipher as an example. To simplify matters, the same block cipher key and the same
plaintext are used as in the previous example, and this will show that these two modes are very closely related.
Now, if we change the message at the beginning, everything changes all the way through, because information
indeed keeps getting propagated:
But if, instead, it is the original message that is sent, and a transmission error takes place, so that instead of
recieving
then only two blocks are destroyed. Since each ciphertext block was a function of the plaintext block and the
previous ciphertext block, each plaintext block is a function of the ciphertext block and the previous ciphertext
block. As long as those two ciphertext blocks are right, the rest of the message is irrelevant.
In this decipherment example, the first plaintext block only has an error which matches that of the plaintext block,
but the second block is totally garbled, because the erroneous ciphertext block went through the block cipher
before being applied to the plaintext.
This mode has variants that involve performing DES encryptions more often, such as once for each bit or byte.
Some problems have been claimed with these variants, and they require more computation without increasing
security.
Triple-DES
A common way to increase the security of DES is to apply DES to a block three times. Using DES twice is
avoided, because of the possibility of an attack which reduces the security of double-DES almost to the level of
single-DES; this attack, called the meet-in-the-middle attack, requires a very large quantity of memory.
Usually, Triple-DES is done by encrypting with one key, decrypting with another, and then encrypting again with
either the first key or a third one. This way, if all three phases are done with the same key, interoperability with
regular single DES is possible. This is called EDE mode, for Encrypt-Decrypt-Encrypt.
If one is going to use DES three times, one can be more elaborate.
If one is going to use Triple-DES, one can also increase the effective block size of DES through something called
an Outerbridge construction. The image below illustrates a generalization of that construction to quadruple, rather
than merely double, the block size, and to increase the effective key size as well. The 64-bit blocks are considered
to be divided into four 16-bit parts, which are distributed between DES operations.
If only the keys for the four middle operations were different, a meet-in-the-middle attack could reduce the
security of this to that of ordinary Triple-DES, but varying the keys on the outside genuinely lengthens the key.
(However, varying them on the inside may be a good idea too, as there may be other types of attack possible.)
Another suggestion for modifying Triple-DES to encipher a large block of text was made by Carl Ellison. What
was suggested was the following: in addition to enciphering an input text by means of ECB mode three times,
twice, between each pair of DES encryptions, the bytes of the entire message would be transposed. The
transposition would not depend on any secret key, but instead the number of times each possible byte value from 0
to 255 occured in the text being transposed (which, of course, is not changed by transposition) would provide the
"key" for the transposition.
The attack works like this: encipher a message consisting of the same block repeated over and over.
After the first DES encryption, the result will also consist of a single block repeated over and over. So, after the
first unkeyed transposition, the result will be a message consisting of at most eight different byte values in
scrambled order.
If the message is long enough, it will be very likely that the result of the first unkeyed transposition will include
two identical blocks, while this would still be very unlikely in any other case. This will result in two identical
blocks being found in the output of the second DES encryption.
Now, it becomes possible, using the actual ciphertext produced by encrypting the chosen plaintext, to perform a
brute-force search on the key of the third DES encryption stage only. After decrypting the ciphertext by a trial
key, one can then reverse the second unkeyed transposition stage. This obtains a possible intermediate text which
will, or will not, include a repeated block in it.
By using more than one chosen plaintext of repeated identical blocks, one can check if such a possible key is
correct.
Then, a brute-force search on the key for the first DES stage is possible, because different keys would, by
producing different inputs to the first unkeyed transposition stage, result in repeated blocks at different locations
in the message. Finally, with both the first and third DES keys known, the inputs and outputs to the second DES
stage are known, and so that key can be searched for independently.
Clearly, it is easy to frustrate this specific attack. The second DES stage could use a chaining mode of encryption,
which would completely conceal any repeated blocks which it recieved as input.
As well, if a system using such a cipher were vulnerable to a chosen-plaintext attack, it could be constructed so as
to use a separate session key for each message, with only the random session key being enciphered by a
permanent key that could be used to read other messages.
If the transposition stages used a large secret key, in addition to being varied by the byte frequencies, then the
search for the key for the third DES stage would become much more difficult, although it is possible that
transposed bytes of a message with repeated blocks would still be distinguishable, particularly if a sufficiently
large number of chosen plaintexts is used.
However, this result is still relevant, because it illustrates how easily a measure which one might think would
make triple-DES more secure, by mixing the bytes of a message together in an unknown way, would actually
reduce security by allowing the keys of the three DES layers to be searched for independently of one another.
Other Modes
Also, another way in which to get more mileage out of a block cipher would be to use it as the heart of a sort of
nonlinear shift-register. Instead of using a shift register whose cells contain bits, however, the cells of the shift
register would contain entire 64-bit (or larger) blocks.
An example of what such a mode might be like is shown in the diagram below:
Plaintext
|
-------
| DES |
-------
|
XOR<---------ADD<----ADD<---
| | | |
------- | | |
| DES | | | |
------- -------------------
| | | | | | | | | | |
|-------->| | | | | | | | | |
| | | | | | | | | | |
------- -------------------
| DES |
-------
|
Ciphertext
Three layers of DES are shown; the first and the last are in ECB mode, and serve to keep the contents of the shift
register hidden.
The middle layer of DES is the one operating in an unusual mode. Its output is saved in a shift register. The output
blocks produced 2, 4, and 7 blocks previously are added together (with normal arithmetic addition, including
carries, so that the shift register actually contains 64-bit quantities, instead of merely being effectively 64 single-
bit wide shift registers in parallel), and the result is XORed with the input to the middle DES operation. This is
essentially a variation on cipher block chaining (CBC) mode.
Plaintext
| |
--->XOR -------->XOR
| | |
----------- | -----------
| DES 1 | | | DES 1 |
----------- | -----------
| | |
--->XOR |---| |-------->XOR
| | D | | |
| | E | | |
|-----| S |---- |-----
| | | |
| | 2 | |
| |---| |
Ciphertext
based on a different mode devised by Matt Blaze of AT&T, illustrates how additional security may be achieved by
using DES twice for each block encrypted. (Unlike Matt Blaze, though, I got things at least slightly wrong: with
2^32 known plaintexts, which may be hard to obtain under many circumstances, a birthday attack can provide the
necessary information for permitting a meet-in-the-middle attack on the mode shown here.)
Just encrypting each block twice in a row is usually not done; instead, if that type of mode is desired, encryption is
performed three times in a row.
This is because, with a stretch of both plaintext and ciphertext known, it is possible to try each possible key on the
plaintext and ciphertext separately, and then look for matches. This approach, called the meet-in-the-middle attack,
does require a large amount of memory. However, even if that attack is more theoretical than real, the fact that one
theoretical weakness exists indicates the possibility of other, more exploitable, weaknesses that may also exist
even if they are not known at present.
Ron Rivest, one of the inventors of the RSA public-key algorithm, noted that because of the desirable properties
of DES, it is possible to obtain a genuine increase in its key size simply by XORing the input to DES, and the
output from DES, each by an additional 64 bits of key material. This form of enhanced DES is called DESX.
Other enciphering modes that provide a genuine improvement in the security of DES are possible. For example,
here is a single-DES mode with variable whitening:
Plaintext
| | |
---SS1-->XOR ---SS1-->XOR ---SS1-->XOR
| | | | | |
| --------------- | --------------- | ---------------
|->| | | | | | | | | |->| | | | | | | | | |->| | | | | | | | |
| --------------- | --------------- | ---------------
| | --| | --| |
|---SS2-->XOR | |---SS2-->XOR | |---SS2-->XOR
| | | | | | | |
---------->XOR --------------->XOR --------------->XOR
| | | | | | | | | |
| |---------->XOR | |---------->XOR | |-----
| --------- | | | --------- | | | ---------
| | DES | | | | | DES | | | | | DES |
| --------- | | | --------- | | | ---------
| --------------------- | --------------------- | --------------
| | | | | | | | | | |
--- |----------------- |----------------- |-----
| | | | | |
|---SS3-->XOR |---SS3-->XOR |---SS3-->XOR
| | | | | |
| --------------- | --------------- | ---------------
|->| | | | | | | | | |->| | | | | | | | | |->| | | | | | | | |
| --------------- | --------------- | ---------------
| | | | | |
|---SS4-->XOR |---SS4-->XOR |---SS4-->XOR
| | |
Ciphertext
The DES layer in the middle uses CBC mode, so as to provide an additional source of random variation.
Before and after DES encryption, a 64-bit value is used to choose one of four whitening quantities to XOR with
the message, four times, and is used twice to choose one of eight invertible substitutions for each byte of the
block. Thus, this consumes 4+24+4+4+24+4 bits. Since each side is "guarded" by only a 32 bit unknown quantity,
the XOR of the input to DES for the previous block and the output from DES for the block before is used.
This 64 bit quantity could also be the output of another DES encryption, perhaps one operating in OFB or counter
mode, or the DES encryption of the previous ciphertext block as in CFB.
Next
Chapter Start
Skip to Next Chapter
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]
Many block ciphers appear to meet this condition. Two cryptanalytic methods that can
do slightly better with some of the earlier block ciphers, such as DES and LUCIFER,
are differential cryptanalysis and linear cryptanalysis.
Other techniques, which are of interest against weaker ciphers, and which partially
account for the fact that DES has sixteen rounds, instead of eight, such as hill-climbing
techniques and genetic algorithms, are discussed in the next section.
In the book The Hut Six Story, Gordon Welchman first revealed one of the innovations
used with the Bombe in connection with the cryptanalysis of the German Enigma. He
also noted that it embodied a general principle which made present-day ciphers weaker
than they might be expected to be.
Next
Chapter Start
Skip to Next Chapter
Table of Contents
Home Page
[Next] [Up/Previous] [Index]
Differential Cryptanalysis
After two rounds of DES, knowing both the input and output, it is trivial to determine
the two subkeys used, since the outputs of both f-functions are known. For each S-box,
there are four possible inputs to produce the known output. Since each subkey is 48 bits
long, but the key is only 56 bits long, finding which of the four possibilities is true for
each group of six bits in the subkeys is a bit like solving a crossword puzzle.
Once the number of rounds increases to four, the problem becomes much harder.
However, it is still true that the output depends on the input and the key. For a limited
number of rounds, it is inevitable, without the need for any flaws in the S-boxes, that
there will be some cases where a bit or a combination of bits in the output will have
some correlation with a simple combination of some input bits and some key bits.
Ideally, that correlation should be absolute with respect to the key bits, since there is
only one key to solve for, but it can be probabilistic with respect to the input and output
bits, since there need to be many pairs to test.
Instead of saying "if this bit is 1 in the input, then that bit will be 0 (or 1) in the output",
we say "changing this bit in the input changes (or does not change) that bit in the
output".
In fact, however, a complete pattern of which bits change and do not change in the
input and in the output is the subject of differential cryptanalysis. The basic principle of
differential cryptanalysis, in its classic form, is this: the cipher being attacked has a
'characteristic' if there exists a constant X such that given many pairs of plaintexts A,
B, such that B = A xor X, if a certain statement is true about the key, E(B,k) = E(A,k)
xor Y for some constant Y will be true with a probability somewhat above that given
by random chance.
Linear Cryptanalysis
For a great many plaintext-ciphertext pairs, the key that would produce that pair from
the simplified cipher is found, and key bits which tend to be favored are likely to have
the value of the corresponding bit of the key for the real cipher. The principle is a bit
like the summation of many one-dimensional scans to produce a two-dimensional slice
through an object in computer-assisted tomography.
Next
Chapter Start
Skip to Next Chapter
Table of Contents
Main Page
[Next] [Up/Previous] [Index]
Truncated differentials
It is of course possible that some of the bits of E(A,k) xor E(B,k) will be more likely to
match those of Y than others. If one can, in addition, ignore some of the bits of A and
B, one has a truncated differential for the cipher being attacked, and this technique, due
to Lars R. Knudsen, has been found to be very powerful. (Being able to ignore some
bits of A and B may allow two or more truncated differentials to be used together, and
this is why it is important.)
Higher-order Differentials
A differential characteristic of the type described above, where for a large number of
different values of A, B equals A xor X, and the encrypted versions of A and B for a
given key, k, are expected to have the relation E(A,k) = E(B,k) xor Y, if a target
statement about the key k is true, can be made analogous to a derivative in calculus,
and then it is termed that Y is the first derivative of the cipher E at the point X.
A second-order derivative would then be one involving a second quantity, W, such that
E(A,k) xor E(B,k) = E(C,k) xor E(D,k) xor Z is expected to be true more often than
would be true due to chance, where not only is B = A xor X, but C = A xor W and D =
B xor W. In that case, Z is the second derivative of the cipher E at the point X,W. Since
xor performs the function of addition and subtraction, the four items encrypted for any
A are just lumped together in this case, but if differential cryptanalysis were being
performed over another field where the distinction is significant, then Y=E(A+X,k)-E
(A,k) and Z=(E(A+X+W,k)-E(A+W,k))-(E(A+X,k)-E(A,k)) would be the appropriate
equations to use. This technique is important because a second order derivative can
exist at a point for the first coordinate of which no first order derivative exists, or is
probable enough to be useful.
And similarly, a third order derivative is derived from the difference of two second
order derivatives, based on another constant difference, and so on.
Next
Chapter Start
Skip to Next Chapter
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]
This diagram shows how the attack might work if everything goes perfectly for a
particular initial block. The numbered points in the diagram show the steps involved in
the attack.
1. Start with a random block of plaintext. Based on the characteristic known for
the first half of the cipher, if we XOR a certain vector with it, called d1 (equal
to 00100000 in the diagram), the result after half-enciphering the two plaintext
blocks, before and after the XOR, will differ by c1 (equal to 00110110 in the
diagram), if what we wish to learn about the key happens to be true.
2. Since the characteristic applies only to the first half of the cipher, the results
after the whole block cipher won't be related. Take those two results, and XOR
each one with d2 (equal to 01001011 in the diagram), which is the vector
corresponding to the characteristic for the second half of the cipher. In each
case, XORing d2 with a ciphertext block is expected to change the result after
deciphering halfway by c2 (equal to 00010000 in the diagram), again, if
something is true of the key.
3. With two intermediate results that differ by c1, if each one has c2 XORed to it,
the two results of the XOR will still differ by c1. Since this difference now
relates to the first half characteristic, it can be seen in the final output, thus
indicating the truth or otherwise of two hypotheses about the key.
This increases the potential effectiveness of differential cryptanalysis, because one can
make use of characteristics that do not propagate through the complete cipher. Also,
certain kinds of added complexities, such as a bit transpose in the middle of the cipher,
do not serve as a barrier to this method, since two values differing by an XOR with
some value merely differ by an XOR with some other value after a bit transpose.
However, it has its limitations. It only produces a result if both characteristics are
present; it does not allow testing for each characteristic independently. Even so, it
seems to double the number of rounds a cipher needs to be considered secure.
Since at one end of a sequence of rounds, the precise difference between blocks that is
required for the characteristic must be input, it isn't possible directly to cascade this
method to break a block cipher into four or more pieces.
Note that any single Feistel round has a large family of "characteristics" that is 100%
probable, but which tells nothing about the key, since any pattern that involves leaving
the half that is input to the F-function unchanged, but involves an XOR to the half that
is XORed with the output of the F-function applies, so one of the things this method
can do is allow the use of attacks against the first or last 15 rounds of DES against 16-
round DES. Hence, if by some other trick a block cipher with 16 rounds could be
broken into 16 pieces like this, one could test for an informative characteristic which
applied to any single round.
A technique called the boomerang amplifier attack works like this: instead of
considering the pairs of inputs, differing by the XOR required for the characteristic of
the first few rounds, as completely independent, one could note that it would be quite
likely that somehow, taking two such pairs at a time, one could obtain any desired
XOR difference between two such pairs by the birthday paradox. This allows a
boomerang attack to be mounted with only chosen plaintext, instead of adaptive chosen
ciphertext as well.
I wondered if one could use the boomerang amplifier technique noted above to allow
breaking a block cipher up into three pieces instead of two.
First, you start by enciphering a large number of chosen plaintext pairs, differing by the
XOR amount required for the characteristic of the first piece. By the birthday paradox,
there will be a good chance of some pair of two of those pairs, somewhere among that
number, which differ by the right amount to engage the differential characteristic of the
middle piece.
I then take all the outputs of this process, and XOR them by the quantity required to
engage, upon decipherment, the characteristic of the third piece.
Doing so ensures that the corresponding two pairs of blocks also has the XOR amount
for the characteristic of the middle piece, this time in the reverse direction, as can be
seen more clearly when we look at the following diagram of the upwards journey by
itself.
Unfortunately, though, the thing about a differential characteristic is that it only refers
to the XOR between two blocks, and not the values of the blocks.
If a characteristic implies that A xor B equals X xor Y, and equals the characteristic,
then it is true that A xor X and B xor Y are equal, but the value to which both of them
are equal could have any value. Hence, we have not preserved any structure that
implies that we will have the correct differential for the first piece, during
decipherment.
Well, we can still apply the differential for the first piece, and then continue in the
reverse order again.
But we run into the same problem; we have no characteristic preserved on output. So it
appears that breaking a block cipher into three parts is hopeless. But then we notice
that, by iterating in this fashion over our large number of input pairs, we can
indefinitely preserve the characteristic in the middle.
This would only work if the characteristics involved had probability one, or very nearly
one. Assuming that somehow this could be overcome, though, since one has produced
a large number of pairs, in the same spot within our large number of pairs, that have the
middle differential activated, if one of the elements of each of two pairs differs from
the same element in another cycle by the right amount for the top differential, then the
one connected with it by the middle differential will also match, not the other member
of the same pair, and this is how the two pairs involved with the middle differential can
finally be distinguished.
But because the birthday paradox just says that, to find two matching values for a block
having N values, you only need a number of blocks proportional to the square root of
N. Using the birthday paradox twice means that the complexity of this attack is
proportional to the square root of N times itself, in other words, to N, and so this attack,
even if it were possible, has a complexity equivalent to that of the codebook attack: just
use as chosen plaintext every possible input block, and record the result.
Next
Chapter Start
Skip to Next Chapter
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]
Neither of these techniques is adequate to deal with many cipher systems, particularly
modern ones. A well-designed cipher will not offer a simple opportunity to try different
possibilities to find partial information about the key, and will have a key large enough
to make trying every possible key hopeless. Nor is ordinary statistical information
about the frequencies and contacts of bytes in the ciphertext likely to be much use.
Thus, approaches taken from the field of AI (artificial intelligence) have been tried. In
these approaches, it is attempted to combine the speed of the computer with steps that
at least slightly move towards the skill and judgement of a human cryptanalyst.
Hill-climbing
Because the individual bits of the subkeys in DES are actual bits taken from the 56-bit
DES key, an approach like the following to recover a DES key must have occurred to
many people.
Given a block of known plaintext, and its corresponding ciphertext, starting with a
random 56-bit possible key, do the following:
● Encipher the known plaintext with that key, and with every one of the 56 other
keys obtained by inverting one bit of that key.
● Compare the resulting ciphertext to the actual ciphertext.
● In those of the 56 cases where the flipped bit results in the ciphertext produced
differing in fewer bits from the actual ciphertext than that produced by the
original trial key, invert that bit of the trial key to obtain the next trial key.
It would, however, never work against DES. That is because of the avalanche property
of DES; changing a single bit in a DES key results in every bit of the block being
enciphered being changed randomly after only a few rounds.
Thus, even attempting to improve the hill climbing algorithm above by, for each trial,
enciphering the known plaintext for eight rounds with the trial key, and deciphering the
actual ciphertext for eight rounds with the trial key, and then determining the number
of bits by which these two results differed would not be enough to help.
Another idea would be to choose two rounds of DES, and by determining the input to
those rounds by enciphering the known plaintext by the previous rounds, and the
required output from those rounds by deciphering the actual ciphertext by the following
rounds, examine the two 48-bit subkeys for the rounds, and, by examining the four
possibilities for each group of 6 bits in those subkeys to produce the required change in
each half of the block, find those which are consistent with the origin of those two
subkeys from the original 56-bit key, and then try the resulting new 56-bit key or keys
on the basis that it or they might be improvements over the preceding trial key.
Genetic Programming
Programs or answers must be in the form of a chain of discrete elements, such that
there is at least a reasonable likelihood that a chain formed by taking one chain, and
replacing a span of elements within it by the corresponding elements from another
chain, will "make sense". (This may be noted as the second major use of sex for the
purpose of obtaining the codes of foreign powers.)
Random mutations are also usually used, although genetic crossover has been found to
be much more important.
Starting with a random selection of solutions, those that work best are retained, and
used as the parents of the next generation of solutions to be tried. Often, this retention
is also randomized, so that better solutions have a higher probability of being retained.
One type of mutation that happens in real life has not, to my knowledge, been used for
genetic programming yet. Occasionally, plants and animals will increase the size of
their genetic inheritance by duplicating part of it. Thus, a finite state machine could
mutate by becoming a machine with twice as many states. It might be useful to make
provision for this where a problem might be more complex to solve than initially
realized.
Next
Chapter Start
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]
The number of balls in the first container, which initially contained all of them, would
typically decline in a fashion that resembled exponential decay to containing only half
of the balls. This modelled the physical process of allowing two chambers, containing a
gas at different levels of pressure, previously separated, to be connected.
This illustrated the basic feature of a Markov process. It involves probability. But in
addition to a random event, the final result, in this case the number of balls in the first
container, also depended on the 'memory' of the system.
This particular example, however, involves a system with a large number of states,
although all the states with the same number of balls in the first container can be
considered equivalent due to symmetry. In the formulation of hidden Markov models,
each state is referred to individually, and thus illustrative examples of these models
have a small number of states.
In a hidden Markov model, then, a system has a number of states, S(1) to S(n). The
probability that the system, if it was in state i on one turn, will be in state j in the next
turn, is called P(i,j). The states of the system are not known, but the system does have
one observable value on output, which has m possible values from 1 to m. For the
system in state i, the probability that output value v will be produced is called O(i,v).
Note that the transition probabilities depend only on the state, not the output.
Someone with two dice, one red and one blue, the red die marked with H on two faces,
and T on the other four, and the blue die marked with H on four faces, and T on the
other two, is providing you with a sequence of H and T produced by the dice, based on
the rule that whenever H comes up, the red die is thrown next time, and whenever T
comes up, the blue die is thrown next time.
This produces a sequence of heads and tails that has each output equally often, but
which favors alternations over repetitions.
Such models can be transformed into models which depend only on the state by
including the previous output in the following state. This example, though, can't form
part of a hidden Markov model, since the previous output completely specifies the
following state.
where the lowercase letters indicate circled uppercase letters on the faces of the dice, as
illustrated below:
and the exact rules for using these dice will be given below.
But it will be easier to understand those rules if we think of this set of dice having been
gradually built up starting from just the red and blue dice, using simpler rules.
The red die favors T, and the blue die favors H. One way to produce a sequence of H
and T with the dice would be to always throw a die that favors the symbol opposite to
the one previously thrown.
Then we add a second set of dice, orange and purple. As with the red and blue dice, the
orange die favors T, and the purple die favors H. But with this pair of dice, the
favoritism is stronger.
So, now, we add some rules. When throwing the red or the blue die, if we get the result
that is not favored, thus throwing a second H or T in a row, we switch on the next turn
to the pair of dice with stronger favoritism. When throwing the orange or the purple
die, if we get the result that is favored, we relax, and switch to the less biased red and
blue dice. With the additional dice, a throw of H always implies we use one of the dice
that favor T, but now either the red die or the orange die is possible, and similarly for
the blue and purple dice and a throw of T.
Then we extend the model to bring in a green die, that is 'below' the red and blue dice
in the same way that the orange and purple dice are 'above' the red and blue dice. Now,
a favored result with the red and blue dice moves down to the green die. Results on the
green die are always treated as if they were not favored, resulting in a move to
increased bias with the red and blue dice.
But to allow some variation in how the model moves from state to state, even given the
previous state as well as whether an H or a T was thrown, I then added the circled H
and T, which cause one to stay with the dice having the current level of bias.
● On each turn, one die is thrown. The output from that turn will be either H, if H
or h is thrown, or T, if T or t is thrown.
● When H (or h) is thrown, the die thrown next turn will be one of (orange, red,
green); when T (or t) is thrown, the die thrown next turn will be one of (purple,
blue, green).
● When either h or t is thrown, the die used on the next throw will belong to the
same rank as the die used on the previous throw, where the ranks are (orange,
purple), (red, blue), and (green).
● When the less probable value, for the particular die thrown, of H or T is the
result (not h or t: the consequences of those results has already been dealt with,
and is not described in what follows) of a throw of the (red, blue) die, the next
throw will be of (orange, purple).
● When the only available value, for the particular die thrown, among the two
alternatives of H or T is the result of a throw of (orange, purple) dice, (red, blue)
dice will be used on the next turn.
● When the more probable value, for among the two alternatives of H or T is the
result of a throw of the (red, blue) die, the green die will be used on the next
turn.
● If either H or T (not h or t) thrown with the green die, the next throw will be of
(red, blue).
This does not have the proper form for a hidden Markov model as it stands, because the
next state depends on the output from a state as well as the previous state. If we take
the probability of the next state, interpreted as the color of the die being thrown, and
the probability of the two outputs H and T from each state, these probabilities are not
independent.
In order to consider this situation with a hidden Markov model, we need to do two
things. The first thing is to shift the outputs in time: to consider that the output from
throwing the red die is always H, based on the face that turned up in the previous throw
of the dice. This lets the random event of the die throw show up once only, in the state
transition, and not in two separate places where it is not independent.
The second thing is to divide the state of throwing the green die into two states, HG
and TG, indicating whether H (or h) or T (or t) was face up on the previous throw, so
that this forwards assignment of the output can work.
The numbers in the state transition matrix are chances out of six.
Knowing the details of the model, we can ask the question of how it will behave. This
is essentially a trivial question, because it can be solved by what is almost simple
arithmetic, and what is standard algebra.
One must find a set of probabilities for the states such that, when these probabilities are
fed into the state transition matrix, the same probabilities will come out. Since
probabilities must add up to 1, this problem is equivalent to finding the eigenvectors of
a matrix (vectors, that when multiplied by a matrix, produce the same vector, possibly
multiplied by a constant).
Here, it is obvious that each of O, R, and HG will have the same probability as its
counterpart P, B, and TG, and we can just consider the scaled-down matrix
OP RB G
OP 2 4
RB 1 2 3
G 4 2
in which we can promptly replace a', b', and c' by a, b, and c. (If a is the probability of
OP at time t, a' stands for its probability at time t+1, but we are looking for solutions
where the probability is constant.)
2/3 a = 1/6 b
2/3 b = 2/3 a + 2/3 c
2/3 c = 1/2 b
and the first and third equations are enough to tell us that
4a = b
4c = 3b
so a, b, and c are in the proportions 1:4:3, making the equilibrium probabilities that
each color of die will be used:
orange 1/16
purple 1/16
red 1/4
blue 1/4
green 3/8
Incidentally, without circled letters, except that the lone H on the orange die, and the
lone T on the purple die would still behave as if circled, the steady state probabilities
would instead work out to:
orange 3/31
purple 3/31
red 15/62
blue 15/62
green 10/31
OP RB G
OP 1 5
RB 2 4
G 6
Calculating the probability of an individual sequence of outputs from such a model can
be performed by straightforward arithmetic. Knowing the initial state, let us say that we
began by throwing the green die, what is the probability of throwing HTH?
On the second throw, our chance of using the green die again (having thrown h) is 1/3,
and the chance of throwing T or t with it is 1/2. Our chance of using the red die (having
thrown H) is 2/3, and our chance of throwing T or t with it is 2/3. So our total chance of
throwing T or t is 1/6 + 4/9, or 11/18.
On the third throw, our chance of using the green die is equal to the sum of 1/3 (our
chance of having used the green die on the last turn) times 1/3 (our chance of throwing
t with it, given that we threw T or t) and 2/3 (our chance of having used the red die on
the last turn) times 3/4 (our chance of throwing T with it, given that we threw T or t).
Using the green die, our chance of throwing H or h is 1/2.
Our chance of using the blue die, similarly, is equal to the sum of 1/3 times 2/3 and 2/3
times 1/4. Using the blue die, our chance of throwing H or h is 2/3.
The method used for solving this problem is called the Viterbi algorithm. (You may
have already heard this name in connection with the patented technique of Viterbi
decoding applied to error-correcting codes.)
We could assume that the color of die used for the first throw is selected according to
the equilibrium probabilities calculated above; but a Markov process does not need to
start at equilibrium, as our other example showed. So let us assume that the first throw
is of the green die.
In this example, though, each state produces a specific output with probability 1.
Having circled letters on the dice does mean at least that the (following) output and the
state do not together strictly determine the following state.
Because of this, to allow the Viterbi algorithm to be more properly illustrated, I will
complicate the model slightly more, by adding a white die with five blank faces, and
one marked with an X. If the face marked with an X turns up, the output will be
inverted, so that it will be H in the next turn when either T or t turns up in the current
turn, and T in the next turn when either H or h is thrown on the die.
H T H H T T H T H T H H T T
TG R TG R O B P R TG R TG R O B
is assumed as the sequence of states, the weighting for that particular sequence of states
would be calculated like this:
Given state TG, the probability of state R on the next turn is 1/3 overall, but given that
we know we will have an output of H, the weight of this particular sequence is 1/3 *
5/6, the overall probability of state R times the probability it will be associated with an
output of H in our more complicated model.
Note that when the white die is thrown doesn't really matter, again, in a sense we're
throwing it a turn early.
Then, given state R, the overall probability of state TG on the next turn is 1/2. The
probability that this state will be associated with an output of T is once again 5/6.
It is clear that for any sequence of outputs and states, a weighting can be calculated.
But for a given long sequence of outputs, there is an immense number of possible
sequences of states to choose from in order to find the most probable. This is what the
Viterbi algorithm helps to deal with.
If we consider the possibilities for the first n states, we retain not just the set of states
with the highest weight, but also the set of states with the highest weight for all other
possibilities for the state at time n in addition to the one in the set of states with overall
highest weight.
Then, to obtain the set of states with overall highest weight for the first n+1 states, and
also the set of states with highest weight for any possible state at time n+1, we only
need to consider possibilities involving the sets of states from time 1 to time n that we
previously retained.
This is the most complicated of the problems. Here, we assume that the model has one
or more variable parameters in its description, and we are looking for the values of
those parameters which would make an observed sequence of outputs the most likely.
Two major methods are used. One, the segmental K-means method is used for
obtaining an initial approximation to the model, and involves assuming that a particular
set of states accompanies the known outputs. The Baum-Welch estimation algorithm is
then used to obtain the best fit of the model to the output sequence considering all
possible sequences of states that could have produced the known output.
One of the statistical concepts used in carrying out these methods is the Kullback-
Leibler distance measure, used to compare two probability distributions. And yes, that
is Solomon Kullback, from among the team of cryptanalysts who solved PURPLE.
Next
Chapter Start
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]
Stream Ciphers
Two methods of generating pseudo-random bits, both in themselves very weak from a
cryptographic point of view, because they are based on recurrence relations of a linear
nature, are still at the root of most stream ciphers. The same simple mathematical
properties that make them vulnerable to cryptanalysis at least ensure that they will
generate sequences with a long period.
One is the linear feedback shift register, most often used in hardware designs.
The first section following will deal with stream ciphers based strictly on single-bit
shift registers; the second section will deal not only with linear congruential
pseudorandom number generators, but with other techniques, including a byte-wide
shift register.
Although one usually thinks of pseudo-random number or bit generation when one
thinks of stream ciphers, the cipher produced by a rotor machine, which is a changing
substitution (as opposed to a changing displacement, as produced by a Hagelin lug and
pin machine) is still classed as a stream cipher. Also, even if the plaintext is modified
by a simple XOR, the value used, instead of being generated by a process that feeds
back only on itself, or which produces a function of a counter value, could be produced
by a function of the last few bytes of plaintext or ciphertext, thus giving a cipher of the
autokey type.
The Cipher Feedback (CFB) mode of DES is an example of this class of cipher,
although in that case one would need to know the boundary between 8-byte blocks to
recover.
in which the preceding eight bytes of ciphertext are fed back into DES encryption, and
then the eight output bytes from the DES encryption are XORed to the plaintext byte,
between eight byte-substitution stages (each one using a key-dependent permutation of
the 256 values from 0 to 255).
This produces a highly secure cipher, but takes eight times as long as conventional
DES encryption.
❍ Other Constructions
Next
Chapter Start
Skip to Next Section
Skip to Next Chapter
Table of Contents
Home Page
[Next] [Up/Previous] [Index]
x^10 + x^6 + 1
---------------------------------------------------------------------
| | | | | | | | | | |
-->| x | x^2 | x^3 | x^4 | x^5 | x^6 | x^7 | x^8 | x^9 | x^10 |
| | | | | | | | | | | |
| ---------------------------------------------------------------------
| | |
----------------------------------------XOR--------------------------
The x^10 and x^6 terms in the polynomial correspond to the two tapped cells in the shift register shown; the 1 in
the polynomial does not correspond to a tap. If the polynomial to which an LFSR corresponds is primitive, which
means that in addition to being irreducible (a property similar to the property of being prime for an integer) it
satisfies some additional mathematical conditions, the LFSR will have its maximum possible period, which is
(2^n)-1 where n is the length of the shift register in cells. Because an LFSR works by taking the XOR of selected
bits in its internal state, any LFSR containing all zero bits will never move to any other state, and so that one
possible state must be excluded from any cycle of more than one state.
An LFSR with maximum period always has an even number of taps. Also, the cell with the oldest bit in the shift
register is always tapped. This rule is very general, and applies even to nonlinear shift registers, for a simple
reason that can be seen in the following diagram:
the sequence produced from a shift register whose last few cells are not tapped is identical to that produced by a
shift register otherwise identical from which those cells are omitted, except for a delay.
(Note that some popular references on cryptography erroneously show the x^n term in an LFSR's characteristic
polynomial, which is always present, as corresponding to the cell with the newest bits, and show the x term,
which is not always present, as corresponding to the cell with the oldest bits, which in fact must always be
tapped. This is a result of diagrams that show the bits in the LFSR as moving in the wrong way.)
It should be noted, however, that primitive polynomials have a reversal property that does allow an alternative
way of matching the terms in a polynomial to the possible taps in a shift register, as illustrated below:
but in the reverse case, the cell with the oldest bits corresponds to the always-present 1 term (thus, the
equivalents only go up to x^(n-1), and x^n does not correspond to a possible tap), not to the x term, which need
not be present in the polynomial.
is also primitive.
Well-known Polynomials
Incidentally, just as it is unwise to use a very well-known word or phrase as a key, some primitive polynomials
modulo 2 are also "well-known", since they have been used in common systems.
12 11 3
CRC-12: x +x +x +x+1
16 15 2
CRC-16: x +x +x +1
16 12 5
CCITT: x +x +x +1
32 26 23 22 16 12 11 10 8 7 5 4 2
AUTODIN II: x +x +x +x +x +x +x +x +x +x +x +x +x +x+1
Permitted (under regulations which are now out of date) for use in generating spread-spectrum sequences by
radio amateurs:
7
7-bit: x +x+1
13 4 3
13-bit: x +x +x +x+1
19 5 2
19-bit: x +x +x +x+1
19 5 2
x +x +x +x+1
22 9 5
x +x +x +x+1
23 4 3
x +x +x +x+1
Actually used in the A5 cellular telephone algorithm, according to more recent information:
19 5 2
x +x +x +x+1
22
x +x+1
23 15 2
x +x +x +x+1
17 5
x +x +1
10 3
x +x +1
10 9 8 6 3 2
x +x +x +x +x +x +1
Note that the A5 polynomials (in the older version, at least) are used with the x^n-1 to 1 convention, and
feedback is concentrated on the older bits in the shift register. (This, and not the x^n to x convention, going the
other way, may well be the usual one.)
Also, while all LFSRs, used directly, are insecure, LFSRs with many taps (not having "sparse" feedback
polynomials) produce a sequence that seems more random, and when used in a system that combines several
LFSRs, combined in a way that achieves cryptosecurity, they are better. Presumably, that feature is also useful
when LFSRs are used in performing CRCs; note especially the AUTODIN II (AUTODIN is a U.S. military
communications system) polynomial above.
In addition to the conventional configuration, where each new bit input to the shift register is the XOR of several
bits in the register, a shift register may also be implemented in Galois configuration, where the single bit shifted
out of the register is XORed with several bits in the shift register.
The following diagram illustrates the relation between the conventional configuration and the Galois
configuration of a shift register:
In the conventional configuration, the bits moving through the shift register are also bits in the sequence it
generates as output. Hence, each new bit entered into the register is the XOR of several previous bits in the
sequence.
In the Galois configuration, generated bits are also the XOR of previous bits in the sequence, but in this case as
the oldest bit included in that XOR moves through the shift register, it is XORed one at a time with the other bits
as it reaches the appropriate positions in the shift register.
Speaking of Evariste Galois, the reason that primitive polynomials modulo 2 are important is that by using them
as the modular polynomial in polynomial multiplication, one can create a Galois Field of order 2^n with a
polynomial beginning with x^n.
A field is an algebra with both addition and multiplication, the elements of which form a group under the
addition operation, and in which the multiplication operation, over all the elements of the field except zero, also
creates a group. Thus, addition and multiplication modulo a prime create a finite field.
The term Galois Field is used to refer to finite fields, because Galois proved that the only finite fields were either
those whose order was a prime, and were of the type described above, or those whose order was a power of a
prime, and whose elements were treated as polynomials, the coefficients of which were modulo that prime, the
polynomials themselves being modulo a modular polynomial which was not merely irreducible (not factorable
into smaller polynomials) but also primitive; the kind of polynomial that can produce a shift register.
+ 0 1 2 3 4 5 6 7 * 0 1 2 3 4 5 6 7
---------------- ----------------
0 | 0 1 2 3 4 5 6 7 0 | 0 0 0 0 0 0 0 0
1 | 1 0 3 2 5 4 7 6 1 | 0 1 2 3 4 5 6 7
2 | 2 3 0 1 6 7 4 5 2 | 0 2 4 6 3 1 7 5
3 | 3 2 1 0 7 6 5 4 3 | 0 3 6 5 7 4 1 2
4 | 4 5 6 7 0 1 2 3 4 | 0 4 3 7 6 2 5 1
5 | 5 4 7 6 1 0 3 2 5 | 0 5 1 4 2 7 3 6
6 | 6 7 4 5 2 3 0 1 6 | 0 6 7 1 5 3 2 4
7 | 7 6 5 4 3 2 1 0 7 | 0 7 5 2 1 6 4 3
This particular representation of that field is the one which uses x^3+x+1 as the modular polynomial. Thus, the
bits in the binary representation of the numbers in these tables are treated as the coefficients of polynomials.
Since polynomial addition deals with each coefficient independently, and it is done here modulo 2, the addition
table should look familiar: it is the table for the bitwise XOR operation.
The field illustrated can be denoted as GF(2^3) or GF(8). The group which multiplication, exclusive of zero,
forms is isomorphic to addition modulo 7; that is, it is the cyclic group of order 7. In general, this is true for any
Galois field; for GF(n), the multiplicative group is the cyclic group of order n-1. While the table looks different,
this means that it can be made identical to that for addition modulo 7 by replacing each of the numbers from 1 to
7 by another number from 0 to 6.
There is further discussion of Galois Fields in the description of the Decorrelated Fast Cipher, the description of
Rijndael, and on a page specifically about that topic.
We have seen above how to construct a shift register from its corresponding polynomial. And it is noted that the
polynomial must be primitive for the shift register to have maximum period.
One way is to construct arbitrary polynomials which correspond to the properties of the shift register sought, in
length and in number of taps, and test them. This, at least, can be done fairly simply.
If the polynomial is of the form x^n + ... + 1, that is, of degree n, then (for a polynomial whose coefficients are
modulo 2) the condition that must be met is that x^(2^n-1) must be equal to 1 modulo the polynomial, but x^
(2^n-1)/p for any prime p which divides 2^n-1 must not be equal to 1 modulo the polynomial.
If the coefficients of the polynomial were modulo 3, we would use 3^n-1, and so on.
Let us take the polynomial x^7+x+1. This corresponds to the binary string 10000011. 2^7-1 is 127, and is the
maximum period of a shift register built from a polynomial of degree 7. x^127 modulo x^7+x+1 is what the
binary string consisting of a 1 followed by 127 zeroes would become, after being XORed with 10000011 shifted
as far left as necessary to zero out its first digit, repeated until one obtains a 7-bit string. Doing that is exactly
equivalent to running the shift register in the Galois configuration, and so the reason for the condition is now
obvious: if the shift register has maximum period, the 0000001 state will recur at the end of that period; and if it
does so recur, this recurrence mustn't be a repeated occurrence. The only possibilities to eliminate to exclude that
are the periods of which the maximum period is a multiple, and dividing the maximum period by its prime
factors alone eliminates them all: the state 0000001 might recur more often, but it won't miss having one of those
numbers as a multiple of the period.
Of course, applying 10000011 to 1 followed by 127 zeroes would be somewhat slow, and for a much longer shift
register, 2^n-1 would be an enormous number. However, finding x^n by polynomial multiplication can be done
by repeated squaring, just as that technique can be used to speed up taking numbers to powers, it can be used for
exponentiation in other domains as well.
When n is composite, 2^n-1 has some obvious factors. That's because 111111 is equal to 111 times 1001, and it's
also equal to 11 times 10101. That's as true in binary notation as in decimal notation. This doesn't mean that
there aren't other factors of 2^n-1, though. Thus, when n is prime, 2^n-1 is not always prime. Sometimes it is,
though, and then 2^n-1 is called a Mersenne prime. If the degree of the polynomial to be tested is a value of n for
which 2^n-1 is a Mersenne prime, it is simpler to test if the shift register polynomial is primitive. However,
doing the extra tests is not too great a problem; it's factoring 2^n-1 which, in general, might be the difficult step.
The output from an LFSR is often strengthened by using another LFSR to control how often it is stepped. This
technique can be applied in the same ways that were used with pinwheels in the chapter on telecipher devices.
Another technique, the Geffe generator, uses three LFSRs with different periods. One is used to choose which of
the two other ones has its output used. Although a simple Geffe generator is still not secure, more elaborate
constructions using that principle may be effective.
--------
|LFSR 1|----------------------------
-------- |
|
-------- |
|LFSR 2|---------------------- |
-------- | |
| |
-------- | |
|LFSR 3|---------------- | |
-------- | | |
| | |
-------- | | |
|LFSR 4|---------- | | |
-------- | | | |
--- --- | |
-------- \ \ / / | |
|LFSR 5|-------->| | | |
-------- / / \ \ | |
--- --- --- ---
| | \ \ / /
| ----->| |
| / / \ \
| --- ---
| |
| |
--------------->(XOR)
|
--- output
The generator pictured uses five LFSRs. One is used to choose which of two other LFSRs is used for two
purposes (each one is used for one of those purposes, the bit only swaps them):
● choosing which of two other LFSRs is used to contribute to the output, and
● being XORed with the output of the chosen LFSR.
If only four shift registers are used, so that we XOR the output of one shift register with the output of a Geffe
generator, then we still have the same weakness that the Geffe generator alone had. That is because the XOR of
two LFSRs, by itself, is a linear construct, and thus is as vulnerable to attack as an LFSR of the length of the two
combined. So, since the one Geffe generator means that the first LFSR is XORed to one of two others, we have
two alternating possibilities, both weak, which the output bitstream matches 75% of the time.
The design as given, however, provides the XOR of two shift registers, both of which can be either of two
possibilities. So would the XOR of the outputs of two Geffe generators.
The design above has the advantage of requiring one fewer input. Is it secure? As noted above, the XOR of two
LFSRs is no more secure than the output of a single longer LFSR. The output of this construct will agree with
the XOR of LFSR 1 and LFSR 4, for example, 75% of 75% of the time, which is 56.25%: for each of the two
inputs to the final XOR, as for a Geffe generator, 50% of the time the correct LFSR is used, and 25% of the time,
the wrong LFSR agrees with the right one. So there is still an output bit stream which is biased towards matching
an easily solved bit stream, but at least the bias is fairly weak.
As a nonlinear function of the bits in an LFSR can produce any series of output bits produced by any other
device with the same period (proof: use all the bits in the LFSR's state as an address to find a bit in a ROM
containing the desired sequence in a suitable order), and an LFSR has a maximum period of 2^n-1, which is only
one less than that of any other device with n bits of internal state, it seems it is not necessary to pursue
developing the theory of nonlinear feedback shift registers with known period.
Thus, one way of using a shift register to create a series of pseudorandom bits is to take some of its bits, and use
circuitry to produce a nonlinear function of them, as illustrated at right.
● An Illustrative Example
● Other Constructions
● More Realistic Examples
Next
Chapter Start
Skip to Next Chapter
Table of Contents
Main Page
[Next] [Up/Previous] [Index]
An Illustrative Example
The following diagram:
Symbols used:
illustrates various ways in which shift registers can be used to produce pseudorandom
bits, combining them in an elaborate construction.
The device is based primarily on the Kinetic Protection Device, a stream cipher device
produced by a defense contractor which has been openly described. But I have
modified it significantly; in some ways to improve security, in others to reduce the
number of components to fit into a reasonably sized diagram. And I have added
sections illustrating other stream cipher principles, one based on a claimed cellular
telephone cipher algorithm.
The output bitstream of the main portion of the device is XORed to a bitstream
produced by a combination of two different constructs.
The first of these, illustrated in section E of the diagram, is based mainly on the A5
cellular telephone algorithm, but made simpler to draw by replacing its self-clocking
principle by that of the T-52. The second, in section F illustrates the use of J-K flip-
flops to combine shift registers nonlinearly.
The Kinetic Protection Device generated an 8-bit output each time the shift register in
it was clocked. A shift register of 61 stages was used, and the feedback polynomial
applied was selected from a set of 1024 such polynomials stored in ROM. Eight
different nonlinear functions, each taking six bits of input from six stages of the shift
register, were used to produce the eight bits of output.
The design pictured here uses a 44 stage shift register, with a ROM having only 256
feedback polynomials in it. The main part of this circuit is section A of the diagram.
The modified Geffe generator, here found in section D, shown earlier on this page in
ASCII graphics, takes five inputs from five stages of the shift register; the newest bit in
the shift register is then XORed to the result. While there is only one nonlinear
function, the five inputs to the modified Geffe generator can each be chosen from eight
sources in the shift register, and this is determined by bits from three other shift
registers in section C. The output of these three shift registers is XORed with signals
produced in other parts of the device for some extra difficulty in analyzing its output.
Thus, the design produces only one bit of output, not eight bits, each time the shift
registers in it are stepped.
Instead of the feedback polynomial of the main shift register being set once as part of
the key, it varies during encipherment. The eight-bit input to the feedback polynomial
ROM is produced by selected bits from two shift registers moving in opposite
directions, XORed together in section B. These shift registers are clocked by the AND
of three bits from a third shift register, so that the feedback polynomial only changes at
intervals. Since all the feedback polynomials in the ROM are maximal period ones, as
long as the initial state of the LFSR stages is nonzero, it will remain nonzero.
That arrangement does have the weakness that all eight output bits are parts of the
same sequence of bits, although at widely separated intervals: the bits produced by
XORing the output of the two shift registers with different periods. (That may not be
strictly true if the periods of the two generators is not relatively prime.) This weakness
is reduced by using the OR of two other bits of the clocking shift register to AND one
of the clock signals, so that the two main shift registers will not be perfectly in step.
The result is, however, still the same sequence of bits being produced on each line, but
a different sequence with a longer period is appearing there, at least. This shows the
merit of the original Kinetic Protection Device design, since, unlike my efforts here, it
does avoid that; however, this circuit is at an earlier position. Thus, we can choose to
stop at any point, as otherwise we get infinite regress, or what one book on computer
graphic displays has called the "wheel of reincarnation".
This output is XORed with the output of a J-K flip-flop, which has as inputs the
bitstreams produced in sections E and F of the diagram. A J-K flip-flop is a good way
to combine two bitstreams for reasons which are explained below, in the description of
the section of the device which illustrates their use.
The first bitstream used is produced by three shift registers which clock each other, in
section E of the diagram. Each one is clocked by the OR of two bits (one inverted)
from each of the other two shift registers. Since each shift register supplies one bit and
the negation of that same bit to the clocks of the two other shift registers, it is never
possible for all three shift registers to stop moving at the same time. Just as the main
part of the schematic is inspired by the Kinetic Protection Device, this part is inspired
by the A5 algorithm used with GSM cellular telephones.
The second bitstream comes from a circuit which includes one element that is very
likely to have been part of the electronic cipher machines of the early 1970s, the J-K
flip-flop. This is section F of the diagram. In the book Basic Methods of Cryptography,
by Jan C. A. van der Lubbe is noted something I really should have recalled from
learning about digital circuitry as an undergraduate: a J-K flip-flop, in addition to being
set if a signal is sent on J alone when it is clocked, or being reset by K alone, is
unaffected if neither is present, and is toggled when both are present. This makes it as
unbiased as an XOR for combining two bitstreams, but its memory makes it nicely
nonlinear.
The circuit supplying the second bitstream consists of four shift registers. Two of them
are used as inputs to both a J-K flip-flop and an XOR gate. Then, the two output
bitstreams resulting are selected by the output of a third shift register. One is used as an
input to another J-K flip-flop, along with the output of a fourth shift register, and the
other output bitstream resulting from the first two shift registers is XORed with the
result.
The following table, showing for two inputs the outputs of a J-K flip-flop and an XOR
gate,
illustrates the property of the J-K flip-flop used here: not only is its output a random
stream if it has two random streams as input, but this output is uncorrelated with the
output of an XOR gate with the same two inputs. So, having a third input choose
between the two modes of combining the first two inputs produces an output hard to
relate to the raw outputs of any of the shift registers involved. The circuit used in
section F of the diagram, as we have seen, begins by using that principle.
In addition to the bits initially loaded into the shift registers of the device, another
possible keying element for such a device is the order in which the shift registers of
different lengths are connected to the different areas which take input from a shift
register. Only those shift registers that are used in a plain fashion, with no values taken
from within the shift register and with no special clocking are shown as being
switchable via plugboard terminals. In practice, a plugboard would not be used; some
circuit with switches would be used instead. The idea of continuously varying the
connections with a rotor machine hardly bears thinking about.
Note that I have generally neglected to show the clock pulses explicitly; essentially, all
the J-K flip flops and shift register stages are clocked by one master clock pulse, with
the exceptions of the shift register gating the clock for the two shift registers used to
address the feedback polynomial ROM, and of an implicit 1/2 clock pulse delay for the
signals by which the three shift registers in section E of the diagram clock each other.
Also, the reason for my use of nonstandard logic symbols here and in other diagrams is
to provide legibility in a small number of pixels (the standard symbols for AND and
OR, for example, look alike).
Next
Chapter Start
Skip to Next Chapter
Table of Contents
Main Page
[Next] [Previous] [Up] [Index]
Other Constructions
One construction suggested for making use of the properties of the J-K flip-flop is due to Pless: four pairs
of shift registers feed into four J-K flip-flops, and their outputs are used in rotation. This eliminates direct
information about the raw shift register sequences, which can be obtained from two consecutive bits of
their output some of the time.
While attacks on that device have been shown to exist, in practice it would be elaborated upon, and as a
starting point it is not a bad idea. The following diagram:
illustrates a possible elaboration. Instead of four groups of two shift registers, we have four groups of
seven shift registers. Five are grouped in the fashion we saw in the green-background area of the large
diagram above; two feed both a J-K flip-flop and an XOR gate, and these two outputs, together with the
outputs of three other shift registers, are applied to the extended Geffe generator circuit described earlier.
Two additional shift registers are used to control swapping of the outputs from two pairs of shift registers.
Instead of using the outputs of the four segments in sequence, two shift registers select a segment at
random; and that segment is omitted, the outputs of the other three being XORed to produce the final
result.
An interesting, secure, and simple shift-register based design is illustrated within the High-bandwidth
Digital Content Protection System specification developed by Intel:
The XOR of the outputs of four shift registers generate a sequence of bits with a long period. The XOR of
four other taps, one from each shift register, produce another part of that sequence of bits: since these taps
are not all at the same distance from the outputs, that XOR produces a distant part of the same sequence.
Another set of four taps from these shift registers controls four switchable delay or memory cells: each
cell stores two previous inputs, and the control signal determines which of those two values is output. The
new input replaces the value output, but the two values remaining are then also swapped.
Since what this does is buffer the sequence of bits from the four earlier taps, allowing them to be output
after an irregular number of cycles, it is similar to what the MacLaren-Marsaglia random number
generator does. Each bit input to these four cells can take many different numbers of cycles before being
output, and so there is no one sequence of bits similar to those of a shift register which is particularly
likely to match the actual output.
However, it is still true that there is an average amount of time that the bits from the delayed sequence
will take to go through the four delay cells, and so it has been claimed that this might be sufficient to
provide for a correlation attack, such as that used against the Geffe generator.
The first change is that between each pair of delay cells, another output from the shift registers is XORed
with the bits as they progress. This means that different cases of individual amounts of delay in the four
cells which add up to the same total delay are no longer equivalent.
The second change is that another shift register is used to store several successive outputs from this
generator, and the actual output used is the XOR of four of these outputs. Now, a bit of output will belong
to the 'most likely' case sought by a correlation attack only if the four output bits of the previous part of
the generator all belong to that case.
However, that last bit of the generator, while it does prevent a direct correlation attack, doesn't really add
any security, since the input to that stage can be derived from its output by a very simple process of
deconvolution. So it is not enough to use multiple bits of the output, they must be chosen unpredictably. A
valid design using this principle might look like this:
where three of the old bits are combined by a nonlinear function, and the other one goes through another
variable delay cell. Now, an actual, although modest, gain in security against a correlation attack is
obtained.
However, a simple idea allows the very large gain in security against a correlation attack aimed at by the
first of the extended versions of this design to be achieved. In the following diagram:
the outputs of the main generator are directed alternately to one of two shift registers. The one that
recieves the output is the one that is stepped, and the one from which the XOR of four bits is used. In this
way, the four outputs of the main generator which are used vary over a large number of possibilities.
Since the decorrelator circuit added at the end of the device seems to be so powerful, perhaps we could go
back to taking only the original number of taps from the shift registers:
but replace the variable delay cells of the original design with decorrelator circuits. In this way, the final
output is formed from any of a huge number of possible combinations of the shift register outputs.
Incidentally, it may have occurred to you from viewing the diagrams above that a decorrelator circuit
could as easily be built using the principle of selective recycling used in the delay cells in the original
design, as shown here:
as by using the principle of selective clocking. The XOR of other bits besides the one clocked out could
even include bits from the shift register row not used, as well.
Hence, even if the design shown is not considered perfect, minor changes can strengthen it considerably.
Next
Chapter Start
Skip to Next Chapter
Table of Contents
Main Page
[Next] [Previous] [Up] [Index]
Here, five Geffe generators produce five bits. But the five unused shift register outputs, instead of being discarded, are used to control
swapping the five Geffe generator outputs. Note that the unused bit from one Geffe generator is always used to swap the two outputs of two
other Geffe generators (at least if no preceding swaps take place).
Since electronic circuitry is much faster than the mechanical components of teletypewriters, however, a design like the above will not be
considered for long before the idea of running it five times faster, and producing a serial bitstream from its output, is considered:
Since the circuit that takes five bits of input, and produces one bit of output, involves some swaps of adjacent input bits, and the device
producing those five bits also swapped adjacent bits, the order of the bits has been shuffled before the last combining circuit, so that swaps of
bits not previously subject to exchange will take place instead.
When the signal from a teletypewriter is in serial form, it is accompanied by stop and start bits; the idea might occur to a cipher machine
designer to use this as an opportunity for an extra complication; another shift register could control whether, during the stop and start bits,
when the machine's output is not XORed with the communications signal, the device is clocked. Since the start and stop bits take as much
time as two and a half data bits, 0, 1, or 2 clock ticks could take place without any increase of speed. Double the speed of the device (and, of
course, a tenfold discrepancy between electronic and electromechanical devices is far from unreasonable), and the opportunity arrives to have
either 1 or 2 clock pulses between the data bits in a single character as well.
When this fairly simple stratagem of designing a cipher machine around the characteristics of 5-level code signals is illustrated by a timing
diagram,
along with a block diagram, illustrating the use of each of the timing signals,
(the box with three shift registers in it represents the apparatus with five Geffe generators whose output is combined to produce a single
output bit shown above) it looks quite complicated.
Other constructs, instead of Geffe generators, could be used to generate the bitstreams the device starts with, more than one extra clock pulse
for optional clocks could be used per baud, and, perhaps most important, instead of clocking, or not clocking, all fifteen shift registers in the
cipher assembly during an optional clock pulse, one could instead use more than one tap, or more than one shift register, to control the
clocking of the various shift registers independently during the extra time periods.
Various references have noted that the early electronic cipher machines were often of a self-synchronizing nature. Also, the SKIPJACK block
cipher design was described in the document revealing its design as a kind of shift register, suggesting how a shift register could be used for a
simplified form of block encipherment. Taking these ideas together, one arrives at the following illustrative diagram:
This diagram is scaled down. On the right, the basic characteristics of a self-synchronizing cipher are shown: a shift register without feedback
stores the last several ciphertext bits. A nonlinear function of these bits, which can be varied by a plugboard, is used as the keystream which
is XORed to the plaintext to become the ciphertext.
Such a design, in itself, would have to be made extremely elaborate, with a very large number of logic gates, to offer any security. On the
right half of the diagram is shown how, with a limited number of gates, using a shift register to do block encipherment, more security might
have been obtained.
The area enclosed by dotted lines is clocked differently from the rest of the diagram. It produces a bit to be XORed with the plaintext by a
process that has to be described; it can't be easily shown in the diagram. An attempt has been made, though, with arrows showing the order in
which the paths shown in the diagram are used. First, the bits of old ciphertext are loaded into the feedback shift register inside the dotted
lines; the entire register is filled from the outside. This takes place during cycle 1, as indicated by the first arrow. Then, the feedback shift
register is cycled several times through its entire length. This register is shown as being stepped 40 times, during cycles 2 to 41; since the
shift register contains 16 cells, the bits in it cycle more than twice through its whole length. The final state of the register is then used to
produce the output bit used to XOR with the plaintext, by means of another nonlinear function. This output is taken at the last, during cycle
42.
Note that the state transition function of the feedback shift register is invertible; the oldest bit of it is XORed to a nonlinear function of five
other bits before being recycled. This is invertible for the same reason that a Feistel round is invertible; the five inputs to that function are
only moved, not changed. This doesn't guarantee a long period, but it does mean that after any fixed number of cycles, each different initial
state will result in a different final state. This means that there is no possibility, despite the fact that the shift register has nonlinear feedback,
and therefore many of its properties are hard to understand, that after some large number of cycles a large number of different initial states
will lead to the generator winding up in the all-zero state (or some other degenerate condition) and getting stuck there.
In other words, the state space is incompressible under the state transition function provided by a nonlinear shift register with the property
that the eldest bit is not altered, and is XORed with the output in the last stage of calculating the output. (The usefulness of setting up a
nonlinear shift register in this way was in fact briefly noted in Applied Cryptography, where it is stated that the danger of its sequence dying
out to all zeroes can be "easily cured".)
The nonlinear function applied to the final state includes the newest bit in the shift register as one of its inputs, so that none of the cycles the
shift register went through to produce that state is wasted.
The arrangement of the two plugboards in the diagram is one part of the key; in practice, something less messy than plugboards would have
been used, but not worrying about such details leaves the diagram simple. Another place where key material is used may be during the
stepping of the fast feedback shift register, which may be fed one character of a 40-character key during that stepping.
With known plaintext, if the first shift register, the one without feedback that simply stores old ciphertext bits, is short, a codebook attack on
the cipher is possible as a direct consequence of its self-synchronizing nature. That is, one could make a table of the possible values of the
preceding N ciphertext bits, for increasing N until N reaches the length of that shift register, and find that for each entry, whether the current
plaintext bit is inverted or not is consistent.
It may be noted that this arrangement, although it is greatly simplified, is essentially a scaled down version of operating a block cipher in
Cipher Feed-Back mode, with the addition that the "block cipher" output is further condensed by a nonlinear function of several of its bits.
Although the correlation attack is primarily a problem for designs based on linear-feedback shift-register outputs, the decorrelation circuit
met on the previous page can be combined with this form of design as well. Thus, the block-cipher like stage can generate two bits of output,
one which is decorrelated, and one which controls the decorrelation. It should be noted, of course, that it takes a number of cycles for this
type of decorrelator to be filled with output bits, particularly as the random control of which shift register is filled can mean the time required
is variable. Special circuitry to enable an initial fill mode is possible, just as in the MacLaren-Marsaglia random number scheme, the buffer is
initially filled with a number of consecutive PRNG outputs.
More elaborate constructs are also possible, like the one below:
Here, 30 bits of previous ciphertext are cycled three times through one nonlinear shift register with an incompressible state space, and three
bits of output are produced. One bit is fed into a decorrelator, the second controls the decorrelation, and the third is used for another
decorrelator later in the circuit.
The decorrelated output is again fed into another block-cipher like nonlinear shift register, this time one which acts on a 16-bit block, as in the
previous example. The output of that stage is decorrelated under the control of the third bit used earlier. Here, however, instead of the
decorrelator simply XORing together multiple old output bits, a nonlinear function of old output bits is XORed with the one being shifted out
of the shift register being clocked, making this a nonlinear decorrelator. The five-input nonlinear circuit that I have used throughout these
examples is expanded by making one of its inputs the OR of two ANDs, and another the AND of two ORs; thus, the significance of the bit
that chooses between these two somewhat biased values is increased.
Also, in this diagram, it is necessary to make explicit the timing signals used; the following chart:
The leading edge of the phase 1 signal must occur at some time when the previous ciphertext bit is valid; after the trailing edge of the phase 8
signal, the output of the ciruit is valid, so the new ciphertext bit will be valid when the new plaintext bit is valid.
Until such time as the cipher machines of the 1970s become declassified, these imaginative reconstructions of mine may perhaps prove useful
to spy novelists wanting to insert authentic-looking cipher machine plans into their works.
When the real thing is revealed, of course, it will be far more secure than my careless effort. I think my first diagram, the one based on the
Kinetic Protection Device, is likely to be rather more elaborate and complicated than anything actually used, while the first of the two designs
shown on this page, showing five Geffe generators, is probably more straightforwards and simple than anything actually used. As the second
one is based on various public comments concerning the electronic cipher machines of the U.S. during that period, although it is scaled down,
it may illustrate a principle that had actually been used, or, of course, one that we are intended to think was used. In that case, the "real thing"
would have had longer shift registers, and more complicated nonlinear functions (and three different ones) than my simple improved Geffe
generator which I used three times in the diagram. Also, there may have been an attempt to encipher the five bits of a teleprinter character in
parallel. It should also be noted that, for purposes of the illustrative diagrams on these pages, I have not troubled to ensure that all the shift
register polynomials used are actually of maximal period, which would be required in practice.
Next
Chapter Start
Skip to Next Chapter
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]
The most common method used for strengthening a mixed congruential generator is to
use it as part of a MacLaren-Marsaglia random number generator.
Let us suppose that random binary bits are desired. Then, one uses one generator
modulo two to some power, so that one is starting with numbers with a uniform
distribution. Since the most significant bits of the output from such a generator have
the longest period, one might take only the 4 or 8 most significant bits of the output.
Again, a simple MacLaren-Marsaglia generator is still not secure, although the paper in
which one was cracked used one where all the bits of the binary MC generator were
used and none were discarded. If only the first few bits are used, and a long binary MC
generator, perhaps one requiring multi-precision arithmetic, is used, there is already a
greater level of security present. But more elaborate constructs are again possible.
But there are many other techniques that can be applied to bytes or words, rather than
bits, to produce a keystream to XOR with plaintext.
Gifford's cipher used only eight bytes of internal state, but produced a cipher that was
only shown to have weaknesses after some very involved analysis.
It actually was a kind of shift-register cipher, but with the shifting being done by byte.
The shift register was eight bytes long. Feedback involved taking three bytes from the
register, and obtaining the new byte by XORing together one of the bytes, the
arithmetic right shift of another byte, and the logical left shift of the third.
The output from the generator is produced by taking four bytes from the register,
forming two 16-bit integers from them, and taking the second least-significant byte of
their product. This output is what is XORed to the plaintext to produce ciphertext.
A stream cipher is any cipher which, like Vigenere, or that produced by a rotor
machine, changes how it behaves during a message. Thus, most block cipher modes,
other than Electronic Codebook Mode, produce stream ciphers.
A stream cipher which does produce pseudorandom bits to XOR with plaintext can be
improved merely by substituting new values for the bytes of the plaintext from a secret
table, both before and after the XOR.
Another way of using the output of a pseudorandom bit generator was developed by
Terry Ritter, which he called Dynamic Substitution.
The principle is very simple. A secret table, with a random sequence of the 256
possible byte values, is used.
A message byte is replaced by its substitute in that table in order to encrypt it.
Then, a byte from the pseudorandom bit generator is taken. The two table entries
corresponding to that byte, and the plaintext message byte, are swapped. In the event
both the plaintext byte and the psudorandom byte are the same, nothing is done.
This is a simple, but secure technique. Every time a table entry is used, it is relocated
somewhere else at random. So, since each table entry is used once and once only, no
useful information about the table seems to be made available.
If one knows some corresponding plaintext and ciphertext, it is true that since you
know that the table entry you encountered when one byte was enciphered was sent to
the byte the PRNG sent it to at that time, and may stay there for a while, if that same
byte turns up shortly after, you can conclude that the PRNG byte in the past is the same
as the plaintext byte when the byte value turned up again.
The main reason this technique may not become popular even after its patent expires is
because it is an autokey method; the encipherment of plaintext bytes depends in part on
the values of previous plaintext bytes. This is not good for error-propagation, which
need not be a consideration (since once text is encrypted, it can be sent along with
extensive error-correction; and encrypted texts are often compressed, which already
results in wide propagation of any errors) but it is usually considered to be a problem.
The idea of shuffling elements in a table of the 256 different byte values can also be
used to generate pseudorandom bytes.
One very popular stream cipher has been alleged to function as follows:
Using two variables that store one byte each, in addition to the table, generate bytes as
follows:
● Replace B with the sum of B and the A-th element of both tables.
● Increment A.
● Swap the A-th element and the B-th element of the table to be used later,
leaving the one containing the key alone.
● Panama
Next
Chapter Start
Skip to Next Chapter
Skip to Next Section
Table of Contents
Home Page
[Next] [Up/Previous] [Index]
Panama
Panama is billed as a "cryptographic primitive". Designed by Joan Daemen, also responsible for 3-Way, and one
of the collaborators in the design of Rijndael, Panama is essentially a stream cipher engine with a large state. It
is, however, equally usable as a hash function.
Panama contains two main elements. A shift register, with 32 cells, each containing a vector with eight 32-bit
words, and a recirculating mixing function, resembling the f-function in a block cipher, which operates on a
"state" consisting of seventeen 32-bit words. (While it has been noted that SHA-1 inspired Panama, I do not find
the resemblance obvious.)
● Panama is reset by setting both the 17-word state and the contents of the shift register to all zeroes.
● A vector of eight 32-bit words is fed to Panama through a Push operation. Operations unique to the Push
function are shown by the light dotted lines in the diagram. In a Push operation, the incoming vector is
used as one of the inputs to the state transition function (the other input is the contents of one of the cells
in the shift register), and is also used to XOR with the recirculating values in the shift register.
● A vector of eight 32-bit words is recieved from Panama by means of a Pull operation. The line of
alternating dots and dashes shows the operations unique to the Pull function in the diagram. In a Pull
operation, the 32-bit words numbered 9 through 16 in the state are used as the output, and words 1
through 8 are XORed with the recirculating values in the shift register. The inputs to the state transition
function both come from stages in the shift register, one not used for any special purpose in the Push
operation replacing the input, absent from a Pull operation.
When Panama is used as a stream cipher, first the key is input by one Push operation, and then an initialization
vector is input by a second Push operation. Then, 32 Pull operations are performed, discarding their output, to
allow the internal state of Panama to be fully mixed.
When Panama is used as a hash function, the message to be hashed, followed by a 1 bit and as many zeroes as
are needed to cause the message to occupy an integer number of 256-bit blocks, is input to Panama through a
series of Push operations. Then, after a number of Pull operations with their output discarded, so that the effects
of even the last block of the message are fully diffused, the output from a final Pull operation constitutes the hash.
The state transition function of Panama operates on 17 32-bit words, numbered 0 through 16. Its steps are visible
in the diagram, and are, in order:
● Nonlinearity: each word is XORed with the OR of the previous values of the next word and the
complement of the word after, going around the circle from word 0 to 16 and back to 0.
● Bit Dispersion: first, the words are transposed (by a simple decimation with interval 4), then the words
undergo circular left shifts of different sizes.
● Diffusion: each word is XORed with both the previous values of the next word and the word four
positions ahead, again going around the circle.
● Buffer Injection: Word 0 is XORed with 1; words 1 through 8 are XORed with the first input to the
function, and words 9 through 16 are XORed with the second input to the function.
The huge size of the internal state of Panama makes it look very impressive. Of course, one might want to add an
extra XOR here or there, such as using the state function output during Push cycles. But Panama has been
designed to be very efficient on internally parallel microprocessors, and thus throwing in extra operations would
interfere with that.
However, a closer look at first creates the impression that Panama might be weak instead of strong. The problem
for the cryptanalyst is to discover the internal state of the cipher, both the 17-word state and the shift register
contents. But the state is used as the output of the cipher, and the state transition function has only a single round.
Thus, knowing two successive 17-word states, one can easily discover the two 8-word inputs to the state
transition function.
The only thing that prevents this from happening is that only eight of the seventeen words of the state are used as
the output of Panama. At one point, having mistakenly thought that the first eight words of the state, words 0
through 7, were the output block, I worked out a simple way to find the value, with 75% probability, of one of
the words in the buffer, but Panama does not in fact allow such a simple attack. Thus, the cryptographic strength
of Panama seems to equal that of a two-round version of the state transition function, since just under half the
state is used.
However, that attack involves reconstructing the internal state of Panama from known plaintext, which means
that, knowing part of a message, one can find the rest of that message. What about attacking other messages with
the same key, but a different initialization vector?
Unfortunately, this too is possible. The nonlinearity stage of the state transition function of Panama, resembling
as it does the small S-Box of 3-Way, can be inverted (unlike the nonlinear part of the f-function of DES), so it is
possible to run Panama backwards if one had a full knowledge of its internal state, and obtain the original 8-word
key.
Tracing the path of information through the state transition function of Panama shows that a trivial application of
differential cryptanalysis principles does not suffice to obtain some bits of the buffer by means of a known
plaintext attack on Panama when used as a stream cipher. The following diagram illustrates what happens when
an attack is attempted:
With known plaintext, one knows the value of the output bits from Panama. If one has two successive output
blocks from Panama, tracing through the state transition function leads to the following results:
After the nonlinearity step, words 9 through 14 of the state are still known for certain. The bits of word 15 which
correspond to 1 bits in the former value of word 16 are known as well, but the other bits of word 6 are unknown.
The bits of word 16 are, with a probability of 75%, the inverses of their former values.
After the bit dispersion step, the words known with certainty are words 2, 4, 9, 11, 14, and 16, and the words
about which partial information is available are words 7 and 12. The right words in the right places are not
available to allow a known or partly known word to exit the diffusion step for comparison with a word known
from the current output block, by which means some buffer contents could be found.
Even so, the fact that it comes this close to solution makes one wary of the danger of a differential attack.
Panama is an impressive and promising design, but because of the superficial appearance that it is close to being
susceptible to a differential attack, I have taken the liberty of proposing variant with a few modifications (so
don't blame Joan Daemen if, instead of making it more secure, I've ruined it) which is illustrated in the
conclusions section of this chapter.
Next
Chapter Start
Skip to Next Chapter
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]
Looking at other cipher designs, and their effective use of more familiar operations,
such as addition, exclusive-OR, conventional and modular multiplication, and table
lookup in S-boxes, one might be forgiven for wondering if the use of such exotic and
advanced mathematics is really necessary in a symmetric-key cipher.
However, in attempting to answer a question about the simplest way to fully correct a
flaw in a particular type of stream cipher, one can see that Galois fields do have an
important property which is useful in cryptography.
In the former case, if one knows the exact plaintext of a message being sent, one could,
by inverting the same bits of the ciphertext as one wishes to invert of the plaintext, alter
a message in any way one likes without knowing any part of the keystream.
However, I still found it interesting to investigate the question of what would be the
minimal enhancement to the basic PRNG (pseudorandom number generator) with XOR
stream cipher to obtain a varying alphabet.
More specifically, I sought a combiner (which could be used alone as a variation on the
one-time-pad) with the following properties:
The addition table for a simple cipher with these properties, where N=3, is as follows:
Key
| A B C D E F
----------------
P 0 | 0 1 2 0 1 2
L 1 | 1 2 0 2 0 1
N 2 | 2 0 1 1 2 0
Cipher
Note that what is happening here is that the one-time-pad effect is produced by adding
0, 1, or 2 to the plaintext to produce the cipher output, while the resistance to the
equivalent of a bit-flipping attack is produced by previously multiplying the plaintext
either by 1 or -1 (equivalent to 2 in modulo-3 arithmetic).
This can also be done for binary data; the minimal way to do so would be to take two
bits at a time, as in the following table.
Key
A B C D E F G H I J K L
------------------------------------------
P 00 | 00 01 10 11 00 01 10 11 00 01 10 11
l 01 | 01 00 11 10 10 11 00 01 11 10 01 00
a 10 | 10 11 00 01 11 10 01 00 01 00 11 10
i 11 | 11 10 01 00 01 00 11 10 10 11 00 01
n Cipher
In the first four columns of the table, using one of keystream symbols {A,B,C,D} is
equivalent to performing an XOR of the plaintext symbol with the respective element
of {00, 01, 10, 11}.
It can be verified by inspection that this table does have the property I am looking for.
Note that keystream symbols {E,F,G,H} and {I,J,K,L} also perform XORs with the
plaintext symbols, after a substitution is performed on them, the substitutions being the
ones in the columns labelled E and I.
A E I
00 01 10 11
----------------
00 | 00 00 00 00
01 | 00 01 10 11
10 | 00 10 11 01
11 | 00 11 01 10
shows the three substitutions in use, along with an extra column to make the table
symmetric.
Since any operation involving 00 produces 00, this resembles a multiplication table.
And, indeed, it is the multiplication table for the representation of GF(2^2) with
modular polynomial x^2+x+1.
So, just as with base 3, we obtained the desired property by performing first a
multiplication and an addition, here we performed a Galois Field multiplication,
followed by an XOR, which is the operation corresponding to addition in such a Galois
Field. (Doing the XOR first and the multiplication afterwards, of course, would also
work.)
Is this a general method for obtaining a substitution which has this desired property?
Yes; this is a direct consequence of the distributive property. Multiplication over the
Galois Field, and XOR, behave like multiplication and addition do in ordinary
arithmetic, and thus they will be denoted by * and + respectively below.
Given that (p*B)+A=q and (p*B')+A'=q, if B is not equal to B', then for q' not equal to
q, we wish to prove that (p'*B)+A=q' and (p''*B')+A'=q' implies p' cannot equal p''.
This follows from the distributive property, and a few other basic properties of a field.
If p' did equal p'', but not p, then for p' not equal to p, the difference between (p'*B) and
(p'*B') cannot equal the difference between (p*B) and (p*B'), since the one is p'*(B
+B') and the other is p*(B+B'), and B is not equal to B'. (Here, + is equivalent to -,
because XOR performs both roles.) However, the difference between A and A' hasn't
changed, and so a contradiction results.
Thus, when two operations behave like addition and multiplication, they complement
each other as well as two operations can, and thus using them together provides a result
which, in the particular respect examined here, resembles the result of having a
completely indeterminate permutation.
And to obtain two such operations for symbols that are made up of two or more bits
each, the only choice is Galois Field multiplication along with XOR. If, instead, a set
of symbols with a prime number of elements is used, one can use ordinary modular
multiplication and addition. Thus, this property can be approximated by using, for
example, addition modulo 2^n and multiplication modulo (2^n)+1, with the advantage
that the inputs to both steps can have all 2^n possible values.
Twofish and Rijndael use two different representations of GF(2^8). For 5-level-code
characters, as used in telecipher devices, x^5+x^2+1 is a suitable modular polynomial.
Since GF(2^5) multiplication has the distributive property with respect to XOR, the
following abbreviated multiplication table is sufficient:
In the age before inexpensive computers, and ciphers like DES, and hash functions like
MD5, this is a technique, as it involves math that was known quite a long time ago, and
requires circuitry of moderate complexity even if discrete components are used, which
could have been used to protect secure teleprinter links years ago, by using one one-
time-tape in the conventional manner, but also using a second one-time-tape, not
including the all-zero code, for a multiplication operation. (Actually, of course, it
would make more sense to use a special 10-channel one-time-tape.) While it would not
have been as direct a solution as a hash function, but it would not have the failure mode
of a human in the link ignoring a bad checksum and accepting a fraudulent message.
It does not appear that this was used for the Moscow-Washington hot line, but it is not
impossible that it was at least considered.
Also, perhaps such a technique might have something to do with the Soviet cipher
device described as applying a 15-channel one-time-tape to 5-level-code characters.
Next
Chapter Start
Skip to Next Chapter
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]
In DES, the basic cipher operation is in essence a degenerate form of the autokey. Each
half of the block modifies the other half alternately with several repetitions.
Yet, the number of the repetitions alone at least seems to have the effect of concealing
the key.
Also, the standard modes proposed for using DES all seem to be designed to avoid
increasing its security, except for the removal of trivial vulnerabilities. It would seem
that combining DES with some form of stream cipher, even a fairly poor one, would
also remove those vulnerabilities at little cost, with additional benefits in security.
Also, it is time to note something about fashions in ciphers, adopted for reasons other
than security. Although the reasons are not really quite so whimsical as the term
fashion implies, as they are instead connected to the practicalities of using the ciphers
in the real world.
Stream ciphers are usually viewed as sources of bits which appear random to be
XORed with the plaintext. They are very poor relations to block ciphers at present.
Transposing the bytes of a message, perhaps between two encryptions in DES in ECB
mode, would probably produce a highly secure cipher, especially if the transposition is
both controlled by a secret key, and yet varies with each message. But this is an option
seldom considered.
Some of the techniques we have seen in this chapter will now be explored in a number
of conceptual designs, some of them perhaps a bit over-elaborate.
● Modified Panama
● Mishmash
● Combining Two Unrelated Block Ciphers
● A Base Conversion Block Cipher and Other Concepts
● The Large-Key Brainstorm
● The Inner Structure of the Feistel Round
Next Chapter
Chapter Start
Table of Contents
Home Page
[Next] [Up/Previous] [Index]
Modified Panama
Having noted that in the cryptographic primitive Panama, it looks as if a differential attack only just misses being
possible, I have taken the liberty of proposing variant with a few modifications (so don't blame Joan Daemen if,
instead of making it more secure, I've ruined it) which is illustrated below:
the first thing I propose to do is to XOR words 0 through 7 of the state with words 9 through 16 of the state. I
also use the least significant three bits of word 8 of the state to determine which of words 9 through 16 is XORed
with word 0 (the remaining ones proceed in succession) to produce what I call "deep nonlinearity".
in Push cycles only, the word of the state that was XORed with word 9 of the state is also XORed with word 8 of
the state. This makes the state transition function not invertible. This is not appropriate for Pull cycles, since it
may lead to short cycling of the state transition function; but Push cycles are limited in number. This prevents
recovery of the key from the state.
Then, one proceeds with the normal nonlinearity and bit dispersion steps.
An extra buffer injection step is added. This also makes it even more difficult to trace words through the state
transition function.
Then, the regular diffusion and buffer injection steps take place.
The output from the state transition function is modified. During Pull cycles, the first eight words of the state are
XORed into the buffer at the start, as before. During Push cycles, words 9 through 16 are also used; this does not
seem to be excessively revealing of the state, and increases the speed of diffusion in the buffer.
During Pull cycles, the output is now only one word, and that word is the XOR of two words in the state, chosen
by other bits of word 8. Limiting the output to one word changes the basic security of Panama from that of two
rounds of the state transition function to that of sixteen rounds. Outputing the XOR of two unknown words
further reduces the usefulness of the output for determining the internal state of the buffer.
Because of the enhanced diffusion and the noninvertibility of the Push cycle, instead of using 32 blank Pull
cycles, I propose replacing the blank Pull with a blank Push - where an all-zero block is Pushed into the system.
Next
Chapter Start
Skip to Next Chapter
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]
Mishmash
In thinking about ways to give a block cipher the kind of deep nonlinearity found in the
rotor machine SIGABA, one idea I had is the kind of block cipher one round of which
(for obvious reasons, I proposed only four rounds be used in it) is illustrated by the
diagram below, and which I chose (also for reasons to become obvious) to call
Mishmash:
The cipher operates on a 128-bit block, and has a Feistel-like structure of sorts. The
right half of the block is enciphered by four rounds of some block cipher with a 64-bit
block and Feistel rounds, perhaps DES. The four f-function outputs of that process are
also take, put through another f-function (otherwise, their XOR would be equivalent to
the XOR of the two inputs and the two outputs), and XORed together to produce a 32-
bit word that controls the encipherment of the left half of the block.
In a very schematic form, the left half of the diagram illustrates five operations to
which the left half of the block will be subjected:
Since IDEA is protected by patents, one will have to use both Blowfish and
QUADIBLOC, or some other cipher instead for now; IDEA is shown because it has a
unique basic structure.
Since 5! is 120, seven bits of the 32 bit word are sufficient to indicate the order in
which the five operations are to be applied. 25 bits remain; 5 of them can be assigned
to each of the 5 operations to choose one of 32 subkeys for each (there would be four
separate sets of 32 subkeys for each for each of the four rounds of this block cipher as a
whole).
Next
Next Chapter
Chapter Start
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]
Essentially, each round of encryption consists of applying four rounds of DES to the
left half of the block, and two rounds of SAFER to the right half of the block. Six
rounds of encryption are used, alternating with seven stages in which the left and right
halves of the block are combined. (Even four rounds of encryption may be adequate.)
These fencing stages consist of applying a key-dependent S-box (whose inverse will be
required for decryption) to the bytes of the block, and then swapping bits between
halves by using a mask to indicate which bits are to be swapped with their
corresponding bits in the other halves. This method was pioneered in the block cipher
ICE.
To ensure that each bit being encrypted is evenly divided between the two halves of the
block by each fencing stage, a 48-bit subkey, expanded by the use of a 4 of 8 code (as
seen in the definition of QUADIBLOC) is used, so that exactly four bits of each byte
are swapped.
An additional ICE-style swap is used at the beginning of the cipher, so that the use of
byte substitution for whitening is not reduced in effectiveness by the use of the S-box
at the start of the cipher. This swap uses a plain 64-bit subkey for maximum
randomness, since equal division between halves does not serve a purpose in that
position.
The intent of this design is, of course, that since two completely different ciphers are
intimately mixed, analysis to find a weakness is essentially impossible.
For generating the key schedule, both the 48-bit keys for the fencing stages and the 48-
bit DES subkeys are most easily generated in units six bits long; thus, if a source of
bytes is used to produce the subkeys, it might be quickest to take only the least
significant bits of eight bytes to form one of those 48-bit keys.
Next
Next Chapter
Chapter Start
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]
Another interesting idea for a block cipher happens to lead to one with an 80-bit block size,
which has the advantage of being a multiple of five bits as well as eight, for use with characters
in older systems using 5-level code.
Most block ciphers involve using S-boxes that operate on groups of bits, alternating with
transpositions of individual bits, and XORs of subkey material. Some involve other binary
operations.
But if one converts to other number bases from binary, one can shuffle around fractions of a bit,
thus adding another kind of complexity to the design.
The fact that 33 is both 3 times 11 and one more than 32 is used, along with the fact that 9 is
close to 8, and 121 is close to 128. Key-dependent S-boxes (since fixed ones would introduce
bias, which could be exploited) operating in both directions are used, for example, both one with
33 entries consisting of all 32 5-bit combinations plus one duplicate, and one with 32 entries
containing all but one of the 33 combinations of one 3-symbol and one 11-symbol.
The following are the steps that would comprise an f-function for a block cipher based on this
construct:
3) Using four key-dependent S-boxes that produce three output bits from two 3-symbols, and
another four key-dependent S-boxes that produce seven output bits from two 11-symbols, use
the following symbol pairs as input:
4) The binary result of the above step is to recieve an additional bit permutation, as follows:
11 22 33 14 25 36 7 18 29 40 21 32 3 24 35 6 17 28 39 10
31 2 13 34 5 16 27 38 9 20 1 12 23 4 15 26 37 8 19 30
5) Subkey K2 is XORed to the result.
6) Using key-dependent S-boxes that operate in the reverse direction, producing two 3-symbols
from three bits (thus having eight entries with one combination omitted) and two 11-symbols
from seven bits, produce
S' T' a' b' U' V' c' d' W' X' e' f' Y' Z' g' h'
7) Group the symbols into the following pairs to produce, from eight key-dependent S-boxes,
eight groups of five bits:
8) Apply the following bit permutation to the S-box outputs (numbers represent sources of bits,
and are in the positions of result bits, as in the DES standard):
6 17 23 29 40 11 22 28 34 5 16 27 33 39 10 21 32 38 4 15
26 37 3 9 20 31 2 8 14 25 36 7 13 19 30 1 12 18 24
35
In generating these S-boxes in this form, it would make sense to first select eight different
symbol pairs to omit in each of the eight permutations of 32 symbol pairs of which such a box
should be composed.
40 23 6 1 2 3 4 5 5 28 11 6 7 8 9 10
10 33 16 11 12 13 14 15 15 38 21 16 17 18 19 20
20 3 26 21 22 23 24 25 25 8 31 26 27 28 29 30
30 13 36 31 32 33 34 35 35 18 1 36 37 38 39 40
Fractal Feistel
Another bright idea I had toyed with I discarded as excessively inefficient and probably
insecure; but when the release of Skipjack indicated that the micro-Feistel rounds I used as the
basis of this might actually be secure, I drew the following diagram to illustrate it:
The basic idea behind this has been used before by others, for example in the MISTY block
cipher developed by Mitsuru Matsui of Mitsubishi, and in the block cipher DEAL proposed by
Richard Outerbridge as an AES candidate, that is: using a block cipher with Feistel rounds as the
f-function for a larger block cipher with twice the block size. However, the diagram illustrates
taking this to extremes.
The innermost function operates on a 16 bit block with four rounds, using a 256-byte lookup
table as the f-function; this is the same as the "G permutation" in Skipjack.
That function is used as the f-function for four rounds within a block cipher acting on 32 bit
blocks, which is, in turn, used for four rounds as the f-function of a block cipher operating on 64-
bit blocks.
The diagram only includes one instance of this cipher - acting as the f-function for the actual
block cipher, which operates on a 128-bit block.
Essentially, the Feistel round structure is replicated inside itself repeatedly, creating a block
cipher with a fractal structure.
This design may have serious security flaws, but it is at least interesting to look at.
Another Sketch
illustrates the rounds of a type of cipher that may well be secure even though it tries to be
efficient and though it is limited to operations that are efficient on general-purpose computers.
Feistel rounds using a key-dependent S-box (called "S8" in the diagram, due to Quadibloc II)
but no subkeys are combined with an ICE-style interchange between block halves and a fixed
interchange of bytes designed to cause diffusion different from that provided by the cipher's
other components to form four rounds, consisting of two batches of four mini-Feistel rounds and
one ICE-style interchange, with three fixed byte interchanges between them.
[Next] [Up] [Previous] [Index]
Next
Next Chapter
Chapter Start
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]
● Plaintext is encrypted, or ciphertext decrypted, using a block cipher with independent subkeys.
● A separate list of subkey values is used to supply each subkey.
● With each block enciphered, one advances through each of these lists - sometimes by one step, sometimes
by two, three, or four steps.
● Another block cipher with a fixed key, operating in a combination of output feedback and counter modes
(the output is fed back, but XORed with the value in a counter) supplies the bits which determine stepping
through the list of subkeys.
The diagram shows, however, a scaled-down version of the cipher. A more specific description rests on the
following principle: the number of bits used to control the stepping of all the lists must equal or exceed the
number of bits in a block. In this way, the stepping alone is enough, or at least nearly enough, to cause any
plaintext block to become any possible ciphertext block, making it hard to obtain information about the subkeys
in the lists. (In turn, the randomness and secrecy of the list contents make it hard to obtain information about the
stepping sequence.)
● DES, but with 32 rounds as well as with independent subkeys, is used as the main block cipher here. In
this way, there are 32 lists, the advance of each of which is controlled by two bits, thus meeting the
important criterion noted above.
● A block cipher with a 128-bit block is used to generate the stepping bits; it operates once for every two 64-
bit blocks enciphered, its output being used a half at a time. This ensures a very long period for the
stepping sequence. As that cipher is not exposed to view, even one with weaknesses with respect to
differential cryptanalysis could be used, such as the original LUCIFER cipher.
With a large key, key management is a problem. The key comes in four main parts:
● The bytes in all the lists of subkey values. Also, the lengths of these lists can be part of the key.
● The key for the block cipher used to generate stepping values.
● The initial value, and the counter value, for the generation of stepping bits.
● The starting positions within each of the lists of subkey values.
The last item on the list is only needed as part of the key if one is going to start up the encipherment operation
several times with the same lists of subkeys, but it is reasonable to do so, since that part of the key is very large
and difficult to set up.
The first two items can be regarded as semi-permanent, while the last two should be changed with every
message. However, the last two must be kept secret, not sent in the clear, otherwise attacks on the contents of the
lists of subkey values can become possible if there is enough traffic for the same values of the first two items in
the key.
With a key too large to send inside a public-key block, and such a high level of security as to be wasted by any
practical method of key distribution, perhaps I have only solved the problem of cryptanalysis for the case when
another solution to that problem already exists! However, one could use a one-time-pad to encipher the key
distribution keys, and use this cipher with those keys for key distribution. That would avoid too great a loss of
security.
The long-term portions of the key need to be couriered, of course, combined with encrypting them by some
other, weaker, method. Sending two different couriers, by two different routes, with an XOR-split key may be
appropriate here.
Although the design above already provides far more security than required for any practical purpose, against the
kind of computing power that exists today, the possibility that a practical quantum computer might be
constructed might be felt to be worthy of consideration. If the obstacles to constructing a quantum computer can
be overcome, such a computer could essentially try all the possible keys to a block cipher at once, in a circuit the
size of the conventional circuit used to apply a single key, and output the value of the key for the one case where
some known plaintext is matched.
To protect against a threat like that, one would like a design that requires an inordinate amount of known
plaintext before any facts about the key can be derived with certainty. A design like what we've just seen is
perhaps a step towards that kind of cipher. This design can certainly be elaborated further, with yet another level
of indirection, where a second block cipher produces the 64 bits that control the subkeys of the block cipher used
to encipher plaintext. Further on, a diagram will show that type of design, but instead of the final block cipher
enciphering plaintext, it will be used to encipher previous ciphertext to produce a 64-bit output used to encipher a
single byte of plaintext.
Perhaps the second block cipher might be 32-round Blowfish, or even a modified Blowfish changed to use 48-bit
subkeys and an expansion permutation along these lines:
23 32 9 18 1 2 3 4 5 6 7 8 31 8 17 26 9 10 11 12 13 14 15 16
7 16 25 2 17 18 19 20 21 22 23 24 15 24 1 10 25 26 27 28 29 30 31 32
so that the four S-boxes can each have 4,096 entries. To keep the time required to generate the S-boxes within
some semblance of reason, though, I propose to use just 4-round Blowfish, rather than 32-round or 16-round
Blowfish, for filling them.
Since I am going to extremes, instead of LUCIFER, let's let the 128-bit block cipher be the 40-round variation of
Quadibloc II, using one of the more complicated variant round types. The stream cipher can consist of the XOR
of the output of an expanded version of Gifford's cipher with the output of an elaborate MacLaren-Marsaglia
construct.
Another preventive measure would be to use an enciphered random initialization vector that modifies the key in
use for the next block of the message with message blocks that are always shorter than the size of the key, so that
there is never enough known plaintext to attack any one key. Of course, the relationship between different
message blocks and their initialization vectors can still be attacked; this device has been tried with simple ciphers
and has not made them invincible. Applied to a sufficiently complex cipher, the gain in difficulty by using that
trick, however, may, just possibly, be enough to provide some resistance to quantum computer attack.
This can be taken still further in the direction of wretched excess, in order to obtain increased security on the
principle of an elephant giving birth to a gnat, by making use of the cipher-feedback principle of stream cipher
design:
Here, we do not gain the advantages of limited error-propagation that a pure cipher-feedback design can offer; in
fact, we not only have a large internal state, but previous ciphertext even influences that state, for the messy
worst case of the autokey.
To encipher a single byte of the plaintext, we use the preceding twenty-four bytes of the ciphertext as input to the
process. Sixteen bytes are XORed to the output of the initial stream cipher, which might as well be something
elaborate, such as Panama or my modification of it; this is recirculated through a 128-bit block cipher.
Half of the result controls the subkeys for a 64-bit block cipher which enciphers the other half of the result.
The output of that cipher then controls the subkeys for another 64-bit block cipher which operates on the
remaining eight bytes of preceding ciphertext.
And finally, that eight-byte output is applied to the one byte of plaintext being enciphered, being alternately
added and XORed to it a byte at a time through eight layers of substitution.
Here we are: a truly secure symmetric-key cipher! And so it is, but it is outrageously excessive and wasteful. But
perhaps the schematic diagram above will brighten a cubicle at the NSA and give some of the people there a
chuckle.
Unless, of course, somebody actually implements this, and they would have liked to decrypt his traffic.
But, as noted, even the fact that this design is likely to produce (once the details are filled in) a genuinely secure
cipher is not, in itself sufficient to mean it is suitable for practical use: a rough estimate of the time enciphering a
message would take by this method is 64 times as long as it would take to encipher it with DES. Presumably,
genuine security can be obtained at a somewhat lesser cost in computational resources.
Although wildly impractical in the specific form shown, before abandoning this design completely, some things
should be noted:
● A scaled-down version of this type of design, not using full-scale block ciphers as its components, and not
involving the somewhat gratuitous use of previous ciphertext (sixteen bytes, in the diagram above) to
affect the very beginning of the encipherment process, and thus to affect large portions of the internal
state, with the attendant consequences for error propagation, not only could be practical, but may even
have been actually used.
● Also, assuming that a cipher of this kind did not evade the scrutiny of a quantum computer due to its sheer
size, it is true that trivially some initial states, and consequently some keys, would produce the same
ciphertext from the same plaintext, since some portions of the subkey pools for the various block cipher
stages might be unused. However, such trivial duplicate keys will not foil quantum computer attack, since
the program could be modified to say "don't think you're the right answer and collapse the wave function
unless all unused parts of the key are zero", hence restoring uniqueness. By enciphering only a single byte
at a time, however, some possibility of nontrivial duplicate keys is created. And certainly the difficulty of
obtaining analytical insights that allow a reduction of effort over that of a brute-force search is increased.
● Finally, it should also be noted that despite the complexity of this kind of cipher, one limitation was
retained. Although each block cipher stage is supplied with a subkey from a pool, at each step only four of
the elements in that pool can be used. Ideally, one would like to use any possible subkey, and to prevent
using the same one twice, use the principle behind the MacLaren-Marsaglia random number generator,
and produce a replacement for each subkey after it is used once. However, that means that if the final
block cipher has 16 rounds and 16 subkeys in each pool (each one, say, 32 bits wide) then the previous
stage, instead of producing 64 bits each time to support a 32-round block cipher, must produce 64 bits to
select subkeys, and 512 bits for use in replacement subkeys.
An article in Cryptologia entitled The Aryabharata Cipher discussed the following idea for a cipher:
To encipher a message, generate a random series of letters as long as the message. Encipher the message with
that series of letters by means of Vigenere.
Then, send the random series of letters in enciphered form, and also send the enciphered message, again
enciphered as well.
Since both the pad and the message are sent, the absolute security of the one-time-pad is not obtained. But the
pad and the message can each be enciphered in different ways, and because both are random, the cryptanalyst
can only make progress by working on both together.
Perhaps doing so would be more difficult than cracking a simple double encryption, using the two ciphers
applied to the two pieces of the message as expanded in sequence on the message instead. And perhaps not; it is
hard for me to say for certain.
But it does seem as though forcing the cryptanalyst to relate different messages to crack a cipher creates a
problem, although this happens anyways with modern ciphers of any difficulty. Thus, the scheme is of interest
even if there is some question about whether this is the method referred to in the Indian classic.
Thus, I came up with the following scheme, which prevents progress from being made through attacking a single
message in a different way, which also shows an alternate way of making effective use of a large key.
● Two parties wishing to communicate share a secret key which is 12,000 bytes long.
● When sending a message, they use a public-key block to establish 2,048 bits of key, which provides up to
four session keys of 512 bits each.
● Messages consist of message segments, which are limited to a maximum of 4,096 bytes in length.
● To encipher a message segment:
❍ First, one operates on the 12,000 byte secret key to obtain key material for use with that message
segment:
■ The 12,000 byte secret key is subjected to a transposition, governed by 128 bits of the
session key.
■ It is then enciphered in some fashion that results in propagation of the encryption, such as a
block cipher in CBC mode, using another 128 bits of the session key.
■ The last few bytes of the result could then be used as a key to perform additional
encryption. One possibility is another transposition; since quite a bit of key is potentially
available, one could even perform a transposition, then a propagating encryption, then
another transposition. Ending with a transposition seems to have nice properties. A specific
possibility is as follows:
■ The enciphered secret key is divided into two parts, 10,240 bytes to be further
scrambled, and 1,760 bytes to be used as the key for that scrambling.
■ First, all 10,240 bytes of the first part are transposed.
■ Then, the first 9,216 bytes of the first part are transposed, leaving the last 1,024
bytes not affected. (This will result in the keys used to encipher the 128-bit keys
used for plaintext encipherment including the most propagated part of the scrambled
secret key in the XOR that produced them.)
■ The output of that encryption is then divided into two halves, which are XORed together.
This ensures that it is difficult to derive any part of the long secret key from the bits to be
used later.
■ The result of the XOR is divided into a part that is 4,096 bits long, and two small parts that
■ Finally, the message segment is encrypted in CFB mode with a block cipher, using the
The specific possibility for the additional encryption noted in the steps above is shown explicitly in this
expanded version of the diagram:
and although it is based on a different principle, the same concept that it is more difficult for a cryptanalyst to
correlate multiple messages than to directly solve a single one is used as was used in the Aryabharata cipher. Of
course, the possibility of still performing such correlations is exactly what allows modern ciphers to be attacked,
through such things as differential cryptanalysis. As I propose using block ciphers currently considered secure in
this, I hope it at least compounds the problem they create.
Note, too, that the message segment itself is encrypted first in ECB mode, to ensure that it goes through the block
cipher, then by being XORed with bits that are a function of part of the session key and of the long secret key,
then in CFB mode. So good error-propagation characteristics are still retained for the message segment.
In addition to error-propagation, the modes used mean that, since the encryption of the large shared secret key
can be performed ahead of time, as long as a time lag between session keys and their use is present, and
sufficient processing power is available, this method is not limited to off-line uses such as E-mail, but could be
used on a continuous basis, even for a digital voice transmission or a similar application, since the plaintext need
only be delayed by the simple operations directly performed on it.
Some additional discussion of ideas suggested by the "Aryabharata" cipher is on this page.
This cipher could be developed further. Instead of performing a transposition based on the session key first,
before that, a simple stream cipher could be applied to the shared secret key. This way, a shared secret key with
repeated bytes in it would not be weaker.
Also, a larger shared secret key could be used, so that the result of the encipherment operations performed on it
could be used as input to a cipher like the large-key example which began this page.
If a one-time-pad is not available for transmitting session keys, perhaps something involving a large shared
secret key could be worked out for that. With some further thought, it might be possible to develop a cipher that,
while not posessing true information-theoretic security, might posess some degree of resistance even to attacks
from quantum computers.
Next
Skip to Next Chapter
Chapter Start
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]
The block of data to be enciphered is divided into two halves, and in a Feistel round, only one half is
changed, by being XORed with a function of the other half. Since the other half isn't changed, it is still
available after the round is over; thus, even if the function of that half used to XOR with the half that is
changed is not invertible, the round is still invertible.
Thus, one could make some horrible programming error in implementing the f-function in a Feistel
cipher, and the result would still "work" for sending and receiving messages, even if the resulting cipher
was not secure. This is not necessarily a good thing.
It also means that the direct data path from plaintext to cipher only includes XORs, instead of actually
going *through* an S-box whose inverse is then needed for decryption. Just on general principles, this
tended to make some people nervous, at least in the early days of DES.
For an extremely scaled-down version of a Feistel cipher, I have produced a complete table of what it
does for every possible key.
But first, let us examine for comparison the tableaux for some simpler operations.
0 1 2 3 4 5 6 7 8 9 A B C D E F
-------------------------------
0 | 0 1 2 3 4 5 6 7 8 9 A B C D E F
1 | 1 2 3 4 5 6 7 8 9 A B C D E F 0
2 | 2 3 4 5 6 7 8 9 A B C D E F 0 1
3 | 3 4 5 6 7 8 9 A B C D E F 0 1 2
4 | 4 5 6 7 8 9 A B C D E F 0 1 2 3
5 | 5 6 7 8 9 A B C D E F 0 1 2 3 4
6 | 6 7 8 9 A B C D E F 0 1 2 3 4 5
7 | 7 8 9 A B C D E F 0 1 2 3 4 5 6
8 | 8 9 A B C D E F 0 1 2 3 4 5 6 7
9 | 9 A B C D E F 0 1 2 3 4 5 6 7 8
A | A B C D E F 0 1 2 3 4 5 6 7 8 9
B | B C D E F 0 1 2 3 4 5 6 7 8 9 A
C | C D E F 0 1 2 3 4 5 6 7 8 9 A B
D | D E F 0 1 2 3 4 5 6 7 8 9 A B C
E | E F 0 1 2 3 4 5 6 7 8 9 A B C D
F | F 0 1 2 3 4 5 6 7 8 9 A B C D E
0 1 2 3 4 5 6 7 8 9 A B C D E F
-------------------------------
0 | 0 1 2 3 4 5 6 7 8 9 A B C D E F
1 | 1 0 3 2 5 4 7 6 9 8 B A D C F E
2 | 2 3 0 1 6 7 4 5 A B 8 9 E F C D
3 | 3 2 1 0 7 6 5 4 B A 9 8 F E D C
4 | 4 5 6 7 0 1 2 3 C D E F 8 9 A B
5 | 5 4 7 6 1 0 3 2 D C F E 9 8 B A
6 | 6 7 4 5 2 3 0 1 E F C D A B 8 9
7 | 7 6 5 4 3 2 1 0 F E D C B A 9 8
8 | 8 9 A B C D E F 0 1 2 3 4 5 6 7
9 | 9 8 B A D C F E 1 0 3 2 5 4 7 6
A | A B 8 9 E F C D 2 3 0 1 6 7 4 5
B | B A 9 8 F E D C 3 2 1 0 7 6 5 4
C | C D E F 8 9 A B 4 5 6 7 0 1 2 3
D | D C F E 9 8 B A 5 4 7 6 1 0 3 2
E | E F C D A B 8 9 6 7 4 5 2 3 0 1
F | F E D C B A 9 8 7 6 5 4 3 2 1 0
Here is the table for the permutations produced by the successive positions of a 16-contact rotor wired
by the interval method. As the rows represent the successive positions of the rotor, their number is first
subtracted from the input, then the rotor substitution is performed, and then that number is added to the
result. Hence, the diagonals running down from left to right show the normal sequence (0, 1, 2, 3, 4, ...
D, E, F) with some starting point.
0 1 2 3 4 5 6 7 8 9 A B C D E F
-------------------------------
0 | 1 C 7 F B 8 6 4 E 0 3 D A 5 2 9
1 | A 2 D 8 0 C 9 7 5 F 1 4 E B 6 3
2 | 4 B 3 E 9 1 D A 8 6 0 2 5 F C 7
3 | 8 5 C 4 F A 2 E B 9 7 1 3 6 0 D
4 | E 9 6 D 5 0 B 3 F C A 8 2 4 7 1
5 | 2 F A 7 E 6 1 C 4 0 D B 9 3 5 8
6 | 9 3 0 B 8 F 7 2 D 5 1 E C A 4 6
7 | 7 A 4 1 C 9 0 8 3 E 6 2 F D B 5
8 | 6 8 B 5 2 D A 1 9 4 F 7 3 0 E C
9 | D 7 9 C 6 3 E B 2 A 5 0 8 4 1 F
A | 0 E 8 A D 7 4 F C 3 B 6 1 9 5 2
B | 3 1 F 9 B E 8 5 0 D 4 C 7 2 A 6
C | 7 4 2 0 A C F 9 6 1 E 5 D 8 3 B
D | C 8 5 3 1 B D 0 A 7 2 F 6 E 9 4
E | 5 D 9 6 4 2 C E 1 B 8 3 0 7 F A
F | B 6 E A 7 5 3 D F 2 C 9 4 1 8 0
Such a tableau is referred to as a Friedman square. From the property of its diagonals, a method
analogous to symmetry of position can be derived for use in the late stages of cracking a rotor cipher.
Since the position, and value, of corresponding equivalents in different rows changes with each row,
however, this only works if one knows the displacement between the two alphabets being compared,
which is unlike the case for conventional symmetry of position. Since in rotor machines, rotors usually
move one step at a time, and in the same direction, this condition can be met.
And here is the tableau for a Feistel round, which, for this example, is two rounds of a cipher that
operates on four bit values with the S-box (3,1,0,2) as the f-function. In this table, the columns represent
the plaintext input, and the rows represent the four-bit value which is the concatenation of the two two-
bit subkeys for the two rounds (which are XORed with the input to the S-box, following DES). I am
using in-place Feistel rounds, and the first round uses the left half of the block as the input to the f-
function.
0 1 2 3 4 5 6 7 8 9 A B C D E F
-------------------------------
0 | B 2 5 C 1 8 F 6 4 D A 3 E 7 0 9
1 | 3 A D 4 9 0 7 E C 5 2 B 6 F 8 1
2 | 7 E 9 0 D 4 3 A 8 1 6 F 2 B C 5
3 | F 6 1 8 5 C B 2 0 9 E 7 A 3 4 D
4 | 5 C B 2 F 6 1 8 A 3 4 D 0 9 E 7
5 | D 4 3 A 7 E 9 0 2 B C 5 8 1 6 F
6 | 9 0 7 E 3 A D 4 6 F 8 1 C 5 2 B
7 | 1 8 F 6 B 2 5 C E 7 0 9 4 D A 3
8 | C 5 2 B 6 F 8 1 3 A D 4 9 0 7 E
9 | 4 D A 3 E 7 0 9 B 2 5 C 1 8 F 6
A | 0 9 E 7 A 3 4 D F 6 1 8 5 C B 2
B | 8 1 6 F 2 B C 5 7 E 9 0 D 4 3 A
C | 2 B C 5 8 1 6 F D 4 3 A 7 E 9 0
D | A 3 4 D 0 9 E 7 5 C B 2 F 6 1 8
E | E 7 0 9 4 D A 3 1 8 F 6 B 2 5 C
F | 6 F 8 1 C 5 2 B 9 0 7 E 3 A D 4
Because only two rounds are performed, the last two bits are only changed by being XORed, for any
key, with a fixed function of the first two bits, as they are on entry. The first two bits are changed by
being XORed, for any key, with a fixed function of the last two bits as they are on exit. This leads to
some of the patterns which are visible in the tableau above.
If, instead, we use the right half as the f-function input first, other patterns become visible (still using
the first part of the row number as the first subkey):
0 1 2 3 4 5 6 7 8 9 A B C D E F
-------------------------------
0 | E 4 1 B 8 2 7 D 5 F A 0 3 9 C 6
1 | C 6 3 9 A 0 5 F 7 D 8 2 1 B E 4
2 | D 7 2 8 B 1 4 E 6 C 9 3 0 A F 5
3 | F 5 0 A 9 3 6 C 4 E B 1 2 8 D 7
4 | 5 F A 0 3 9 C 6 E 4 1 B 8 2 7 D
5 | 7 D 8 2 1 B E 4 C 6 3 9 A 0 5 F
6 | 6 C 9 3 0 A F 5 D 7 2 8 B 1 4 E
7 | 4 E B 1 2 8 D 7 F 5 0 A 9 3 6 C
8 | 3 9 C 6 5 F A 0 8 2 7 D E 4 1 B
9 | 1 B E 4 7 D 8 2 A 0 5 F C 6 3 9
A | 0 A F 5 6 C 9 3 B 1 4 E D 7 2 8
B | 2 8 D 7 4 E B 1 9 3 6 C F 5 0 A
C | 8 2 7 D E 4 1 B 3 9 C 6 5 F A 0
D | A 0 5 F C 6 3 9 1 B E 4 7 D 8 2
E | B 1 4 E D 7 2 8 0 A F 5 6 C 9 3
F | 9 3 6 C F 5 0 A 2 8 D 7 4 E B 1
Note, interestingly, that the columns are also permutations of the hexadecimal digits from 0 to F. This is
a consequence of using an invertible f-function, one without an expansion permutation. It is well known
that DES with only two rounds would be easy to crack.
Could one throw a curve to a cryptanalyst by exchanging the roles of subkey and plaintext in a two-
round Feistel cipher such as this? In other words, can the subkey in this case be produced with a simple
formula?
Yes: if we note our S-box as f(x), and its inverse as F(x), and the two halves of the plaintext as p1 and
p2, the two halves of the ciphertext as c1 and c2, and the two subkeys as s1 and s2, a two round Feistel
cipher becomes:
c2 = p2 XOR f( p1 XOR s1 )
c1 = p1 XOR f( c2 XOR s2 )
To solve for s1 and s2, given both c and p, and having F(x), we first XOR both sides of the equations
with p2 and p1 respectively:
c2 XOR p2 = f( p1 XOR s1 )
c1 XOR p1 = f( c2 XOR s2 )
Then, invert f:
F( c2 XOR p2 ) = p1 XOR s1
F( c1 XOR p1 ) = c2 XOR s2
p1 XOR F( c2 XOR p2 ) = s1
c2 XOR F( c1 XOR p1 ) = s2
In other words, with a two-round Feistel cipher, the f-function output is always the plaintext XOR the
ciphertext, and so the subkey is found by inverting the f-function, and comparing the result to the input,
which is visible in the ciphertext for the second round, and visible in the plaintext for the first round.
With DES, one has four possibilities for the subkey for every nybble, because of the two extra bits due
to the expansion permutation. This can be overcome when one just has two rounds to solve.
QUADIBLOC, on the other hand, has an invertible f-function, but three subkeys, not just one, go into
the f-function.
What would be of concern in connection with the general security of block ciphers would be if one
could easily take two known plaintexts, and solve a four-round Feistel cipher by imposing the constraint
(essentially, on the result after the second round) that both sets of equations simultaneously have the
same subkeys.
Then, if the same process could be repeated and generalized, eight known plaintexts would be sufficient
to crack a cipher like DES but without an expansion permutation.
In this case, then, our equations would be (denoting our two plaintexts and ciphertexts by p and P and c
and C respectively, and using t and T for the intermediate two-round results, and S for the second set of
two subkeys):
s1 = p1 XOR F( t2 XOR p2 ) = P1 XOR F( T2 XOR P2 ) [1]
s2 = t2 XOR F( t1 XOR p1 ) = T2 XOR F( T1 XOR P1 ) [2]
S1 = t1 XOR F( c2 XOR t2 ) = T1 XOR F( C2 XOR T2 ) [3]
S2 = c2 XOR F( c1 XOR t1 ) = C2 XOR F( C1 XOR T1 ) [4]
The number of equations and the number of unknowns is correct for solution. I've labelled the four
equations with the numbers from 1 to 4 for the next step.
But while f is invertible, it is also, in the general case, nonlinear. In our reduced-scale example, because
we used only a four-element S-box, we can't produce a permutation that is neither linear nor affine, but
that ceases to be true as soon as we go to a wider S-box; even one with eight elements that is nonlinear
is possible, as used in the cipher 3-Way.
Does a nonlinear S-box prevent us from going further in solving these equations?
Note that with chosen plaintexts and ciphertexts, it should be possible to crack a four-round cipher if we
can crack a two-round one directly with a single known plaintext, by a variation of David Wagner's
boomerang method; but that method does not generalize to higher number of rounds, and we will
therefore not consider it at this stage. However, if we can get to eight rounds before the equations
become impractically complex, the boomerang attack would get us the rest of the way.
In the equations above, our problem is that t and T are unknown. What we have to overcome this is that
the same key, and hence the same subkeys, are used in both cases.
Does the fact that t1 and T1, and t2 and T2, are separated from each other by F and f prevent us from
going further, except by trial-and-error methods, which will become useless as more rounds are added,
or can a Feistel cipher fall to this type of analytic attack?
We can certainly substitute for t1 and t2, and also for T1 and T2, since we can reverse the roles of the
two known plaintexts and use the same equations, but that doesn't eliminate unknowns; thus, T1 can be
expressed as a function of known quantities and t1, but that identity is simply the inverse of the one
labelled "from 4" above.
If we apply this inversion to the equations marked "from 3" and "from 2", we do get a set of equations
that appears to fit together:
because now, by substituting, we can eliminate t1 and t2, and just obtain two equations in T1 and T2.
And it is at this stage that it appears that further simplification is indeed made impossible if f and F are
general S-boxes, and so it appears that Feistel ciphers are safe against a simple attack by algebra.
Next Chapter
Chapter Start
Table of Contents
Main Page
[Next] [Up/Previous] [Index]
+ | 0 1 2 3 4 5 6 * | 0 1 2 3 4 5 6
------------------- ------------------- ^ | 0 1 2 3 4 5 6
0 | 0 1 2 3 4 5 6 0 | 0 0 0 0 0 0 0 -------------------
1 | 1 2 3 4 5 6 0 1 | 0 1 2 3 4 5 6 1 | 1 1 1 1 1 1 1
2 | 2 3 4 5 6 0 1 2 | 0 2 4 6 1 3 5 2 | 1 2 4 1 2 4 1
3 | 3 4 5 6 0 1 2 3 | 0 3 6 2 5 1 4 3 | 1 3 2 6 4 5 1
4 | 4 5 6 0 1 2 3 4 | 0 4 1 5 2 6 3 4 | 1 4 2 1 4 2 1
5 | 5 6 0 1 2 3 4 5 | 0 5 3 1 6 4 2 5 | 1 5 4 6 2 3 1
6 | 6 0 1 2 3 4 5 6 | 0 6 5 4 3 2 1 6 | 1 6 1 6 1 6 1
If you remove the row and column from the multiplication table that are filled with zeroes, the six
numbers in each row and column are all different. And, because of that, for every number from 1 to 6,
some number from 1 to 6 will, when multiplied by that number, give 1. This is not always true in
modular arithmetic: it is true here because 7, the modulus, is a prime number.
The exponentiation table repeats when you get to 6 as an exponent. For exponentiation, if the base is a
number modulo 7, the exponent has to be thought of as being modulo 6!
This is true, in general, for all prime bases. What about a base that isn't prime?
If you know the remainder after a number is divided both by 5 and by 7, you can determine (because 5
and 7 are relatively prime, having no common factors) the remainder after that same number is
divided by 35. So the properties of arithmetic modulo 35 are in a way a combination of those of
arithmetic modulo 5 and modulo 7. Therefore, instead of the exponent being modulo 34, it is modulo
24: exponents for modulo 5 arithmetic are modulo 4, and exponents for modulo 7 arithmetic are
modulo 6, and so exponents for modulo 35 arithmetic are modulo 4 times 6, or 24.
This explains (well, okay, only a little bit) the role of the number (p-1)(q-1) in the RSA public-key
method.
^ | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21
---------------------------------------------------------------------
1 | 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
2 | 2 4 8 16 32 9 18 36 17 34 13 26 52 49 43 31 7 14 28 1 2
3 | 3 9 27 26 23 14 42 16 48 34 47 31 38 4 12 36 53 49 37 1 3
4 | 4 16 9 36 34 26 49 31 14 1 4 16 9 36 34 26 49 31 14 1 4
5 | 5 25 15 20 45 5 25 15 20 45 5 25 15 20 45 5 25 15 20 45 5
6 | 6 36 51 31 21 16 41 26 46 1 6 36 51 31 21 16 41 26 46 1 6
7 | 7 49 13 36 32 4 28 31 52 34 18 16 2 14 43 26 17 9 8 1 7
8 | 8 9 17 26 43 14 2 16 18 34 52 31 28 4 32 36 13 49 7 1 8
9 | 9 26 14 16 34 31 4 36 49 1 9 26 14 16 34 31 4 36 49 1 9
10 | 10 45 10 45 10 45 10 45 10 45 10 45 10 45 10 45 10 45 10 45 10
11 | 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11
12 | 12 34 23 1 12 34 23 1 12 34 23 1 12 34 23 1 12 34 23 1 12
13 | 13 4 52 16 43 9 7 36 28 34 2 26 8 49 32 31 18 14 17 1 13
14 | 14 31 49 26 34 36 9 16 4 1 14 31 49 26 34 36 9 16 4 1 14
15 | 15 5 20 25 45 15 5 20 25 45 15 5 20 25 45 15 5 20 25 45 15
16 | 16 36 26 31 1 16 36 26 31 1 16 36 26 31 1 16 36 26 31 1 16
17 | 17 14 18 31 32 49 8 26 2 34 28 36 7 9 43 16 52 4 13 1 17
18 | 18 49 2 36 43 4 17 31 8 34 7 16 13 14 32 26 28 9 52 1 18
19 | 19 31 39 26 54 36 24 16 29 1 19 31 39 26 54 36 24 16 29 1 19
20 | 20 15 25 5 45 20 15 25 5 45 20 15 25 5 45 20 15 25 5 45 20
21 | 21 1 21 1 21 1 21 1 21 1 21 1 21 1 21 1 21 1 21 1 21
22 | 22 44 33 11 22 44 33 11 22 44 33 11 22 44 33 11 22 44 33 11 22
23 | 23 34 12 1 23 34 12 1 23 34 12 1 23 34 12 1 23 34 12 1 23
24 | 24 26 19 16 54 31 29 36 39 1 24 26 19 16 54 31 29 36 39 1 24
25 | 25 20 5 15 45 25 20 5 15 45 25 20 5 15 45 25 20 5 15 45 25
26 | 26 16 31 36 1 26 16 31 36 1 26 16 31 36 1 26 16 31 36 1 26
27 | 27 14 48 31 12 49 3 26 42 34 38 36 37 9 23 16 47 4 53 1 27
28 | 28 14 7 31 43 49 52 26 13 34 17 36 18 9 32 16 8 4 2 1 28
29 | 29 16 24 36 54 26 39 31 19 1 29 16 24 36 54 26 39 31 19 1 29
30 | 30 20 50 15 10 25 35 5 40 45 30 20 50 15 10 25 35 5 40 45 30
31 | 31 26 36 16 1 31 26 36 16 1 31 26 36 16 1 31 26 36 16 1 31
32 | 32 34 43 1 32 34 43 1 32 34 43 1 32 34 43 1 32 34 43 1 32
33 | 33 44 22 11 33 44 22 11 33 44 22 11 33 44 22 11 33 44 22 11 33
34 | 34 1 34 1 34 1 34 1 34 1 34 1 34 1 34 1 34 1 34 1 34
35 | 35 15 30 5 10 20 40 25 50 45 35 15 30 5 10 20 40 25 50 45 35
36 | 36 31 16 26 1 36 31 16 26 1 36 31 16 26 1 36 31 16 26 1 36
37 | 37 49 53 36 12 4 38 31 47 34 48 16 42 14 23 26 27 9 3 1 37
38 | 38 14 37 31 23 49 47 26 53 34 27 36 48 9 12 16 3 4 42 1 38
39 | 39 36 29 31 54 16 19 26 24 1 39 36 29 31 54 16 19 26 24 1 39
40 | 40 5 35 25 10 15 50 20 30 45 40 5 35 25 10 15 50 20 30 45 40
41 | 41 31 6 26 21 36 46 16 51 1 41 31 6 26 21 36 46 16 51 1 41
42 | 42 4 3 16 12 9 48 36 27 34 53 26 47 49 23 31 37 14 38 1 42
43 | 43 34 32 1 43 34 32 1 43 34 32 1 43 34 32 1 43 34 32 1 43
44 | 44 11 44 11 44 11 44 11 44 11 44 11 44 11 44 11 44 11 44 11 44
45 | 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45
46 | 46 26 41 16 21 31 51 36 6 1 46 26 41 16 21 31 51 36 6 1 46
47 | 47 9 38 26 12 14 53 16 37 34 3 31 27 4 23 36 42 49 48 1 47
48 | 48 49 42 36 23 4 27 31 3 34 37 16 53 14 12 26 38 9 47 1 48
49 | 49 36 4 31 34 16 14 26 9 1 49 36 4 31 34 16 14 26 9 1 49
50 | 50 25 40 20 10 5 30 15 35 45 50 25 40 20 10 5 30 15 35 45 50
51 | 51 16 46 36 21 26 6 31 41 1 51 16 46 36 21 26 6 31 41 1 51
52 | 52 9 28 26 32 14 13 16 7 34 8 31 17 4 43 36 2 49 18 1 52
53 | 53 4 47 16 23 9 37 36 38 34 42 26 3 49 12 31 48 14 27 1 53
54 | 54 1 54 1 54 1 54 1 54 1 54 1 54 1 54 1 54 1 54 1 54
Since 55 isn't a prime number, it makes sense that the numbers divisible by 5 and by 11 cannot, by
repeated multiplication, yield anything not divisible by them, such as 1.
Only numbers relatively prime to (p-1)(q-1) can be used as enciphering and deciphering exponents in
RSA. This excludes, in this case, everything divisible by 2 or by 5.
And here we do have valid choices for e and d. 3 and 7 are inverses. So are 13 and 17.
Of course, the situation will improve as we move up to larger moduli. And RSA requires the use of
very large moduli to be secure in any case.
Next
Chapter Start
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]
Rivest-Shamir-Adleman
The RSA method, ever since the knapsack method was shown to be insecure, along
with some variants of it, is almost the only "true" public-key method, in that it directly
encrypts messages with the public key.
It was described to the public in August 1977, and was the invention of Ronald Rivest,
Adi Shamir, and Leonard Adleman. However, it was recently revealed that this method
was originally invented in 1973 within GCHQ by Clifford Cocks.
If you raise a number to a power (d), modulo a prime, you can get the original number
by raising the result to another power (e). And it can be easily determined, knowing the
prime modulus, and the one power, what the other power is.
If the modulus (M) is not a prime, there is still another power which reverses
exponentiation by any power. But finding it depends on knowing the factorization of
the modulus, or, which is equivalent, knowing something called the "Euler Totient
Function" of the modulus.
(Actually, although the name "Euler Totient Function" sounds pretty forbidding, it isn't
that bad. For a prime number p, the ETF of it is p-1. For the product of two prime
numbers, p and q, which is the sort of number used as a modulus in RSA, the ETF is p-
1 times q-1.)
Choose for e a number that is relatively prime to (p-1) and (q-1). Then, d is the
reciprocal of e modulo (p-1)(q-1). As long as neither p nor q is 2, (p-1)(q-1)/2 will also
work just as well, and if (p-1) and (q-1) have any other common factors, they too can
be divided out so that they will only appear only once. (The resulting number is called
the Carmichael function of pq. The book Decrypted Secrets from Springer-Verlag is
one of the few references noting this important fact about RSA.)
Actually using RSA, of course, requires more than the brief description of it that we
have already seen. Several questions need to be answered.
Next Section
Chapter Start
Table of Contents
Home Page
[Next] [Up/Previous] [Index]
Sometimes this will be true for some values of b even if n is not prime. There are even
some numbers, called Carmichael numbers, for which this is true for all values of b,
except those few values of b which are factors of n.
This is the Fermat test. There are two newer probabilistic primality tests which also
involve trying different values of a number which we can still call b to test if n is
prime. There are no values of n which are not prime that will nearly always fool these
tests the way Carmichael numbers pass the Fermat test. These tests are the Solovay-
Strassen and Miller-Rabin tests. The Miller-Rabin test is more complicated to
understand than the Solovay-Strassen test, but it is also somewhat quicker and indicates
the compositeness of some composite n for additional values of b, while never failing
to indicate the compositeness of a value of n that is composite for any b for which the
Solovay-Strassen test will show n to be composite, and is thus superior.
For the Solovay-Strassen algorithm, one chooses b within the range 1 to n-1. One tests
to see if b is relatively prime to n; if not, clearly n isn't prime; this needs to be tested
since the other half of the test will not work in this rare case. A function of b and n,
called J(b,n), must also equal b^((n-1)/2) modulo n.
J(b,n) is called the Jacobi symbol of b and n. For the values of b and n which we will
be using, where b is less than n, and b and n are relatively prime, J(b,n) will always be
either 1 or -1, and it can be calculated as follows:
One reference stated that this method for calculating J only worked when n was odd.
Since the third alternative in the recursion process sets n equal to b, and b doesn't have
to be odd, it would break down: instead, the condition that n must be odd needs to be
applied specifically to the second alternative (since n squared minus 1 won't be
divisible by 8 when n is even) where it belongs.
Otherwise, do the following for a maximum of s times, where s is the number of times
n-1 was divided by 2 to get m or until n either passes or fails, set the new value of t to
be t squared modulo n. If t becomes 1 as a result, n fails the test for b; if it becomes n-1
as a result, n passes the test for b, and if neither happens during the s attempts, n fails.
As I understand the references I used, one omits immediate failure when t becomes 1,
and another omits limiting the test to s trials. I have been informed via E-mail that the
limitation to s trials cannot be omitted, as t can loop indefinitely in a sequence
including neither 1 nor n-1.
Another issue to deal with in selecting prime numbers to use with RSA is to make sure
that one chooses them completely randomly; if one's method of search is not random, it
could make it easier for someone else to find the number you are using by some type of
search. (Of course, the numbers involved are so large that a brute-force search for
factors is not a real threat, but possibly knowing something about the primes used
might be used in conjunction with a better factoring algorithm.)
The simplest way to choose a prime at 'random' would be to choose a large number at
random, and then count upwards from it until you come to a prime number, of course
skipping the even numbers.
One can do a bit better than that, by skipping all numbers divisible by 2, 3, 5 and 7 in
blocks of 210 numbers, for example.
But then the chance of choosing a prime number is proportional to the distance
between it and the next lower prime number. This can be avoided as follows: choose a
large number, N, at random, and look for prime numbers of the form 210*N+k, where
the values of k are chosen from a table of the numbers from 0 to 209 that are not
divisible by 2, 3, 5, or 7, shuffled into a random order. One then continues by adding
one to N.
If one is looking for a prime number with special properties, or a very large prime
number, so that these primes are so rare there is less than one of them in every 210
numbers, one can go further yet. One can begin by choosing a random starting point
within the table for the values of k used. And before using a new value of N, one can
encipher its last 64 bits using DES. In that way, one will hop around an area of
numbers 210*(2^64) consecutive numbers in size in an order that is haphazard,
although not truly random. But the fact that one stays in blocks of 210 numbers does
not affect the fact that the first number in the area one is hopping around in that one
picks will be random.
Of course, one must start completely over before looking for the second prime. Also,
two primes very close together are easily factored by a simple method also due to
Fermat. Since (a+b) times (a-b) equals a squared minus b squared, the product of two
numbers close together is equal to a large square number minus a much smaller one.
The method based on this was the first one to be significantly faster than intelligently
applied trial division.
Next
Chapter Start
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]
Finding d from e
As we have seen, d can be the reciprocal of e, modulo (p-1)(q-1). Where p and q are
two large primes, neither one is equal to 2, and so p-1 and q-1 will have 2 as a common
factor. Thus, the reciprocal of e modulo (p-1)(q-1)/2 will also work. If p-1 and q-1 have
other common factors, then they too can be divided out before the reciprocal of e is
calculated; this, however, creates a risk that raising an encrypted plaintext to the e
power again a few times will yield the original plaintext. This is a reason to choose
'strong' primes even if the current fastest methods of factoring do not benefit from
having a prime that is not strong, since weak primes benefit other attacks on RSA.
A common choice for e (or d in the case of a signature key; for whichever exponent is
made public) is one of the following numbers: 3, 5, 17, 257, or 65537, to make
exponentiation (the procedure for which is discussed in the next section) particularly
speedy and convenient.
If p and q have been specifically chosen to both be of the form 2r+1, where r is another
large prime, then if e is any small prime (other than 2) there will be no problem with it
not being relatively prime to (p-1)(q-1)/2. Otherwise, that e and this modulus are
relatively prime will have to be checked. This can be done using Euclid's algorithm.
It turns out that when e is tested against a modulus using Euclid's algorithm, the
information needed to find d is generated. But d itself isn't produced unless extra steps
are taken to put that information to use. And so e will be tested against (p-1)(q-1)/2
even when it is known that they are relatively prime.
Euclid's algorithm for finding the greatest common divisor of two numbers works like
this:
First, let b be the larger of the two numbers, and s the smaller. (In this particular case,
(p-1)(q-1)/2 will be the starting value of b, and e will be the starting value of s.)
Divide b by s, and note the remainder, r. The new b will be the old s, and the new s will
be r. Repeat until r is zero; the value of r in the preceding step will be the greatest
common divisor. If r becomes one, you can stop early, knowing that the two numbers
had 1 as their greatest common divisor, since dividing any integer by 1 will produce a
remainder of zero, which means they were relatively prime.
If two numbers are successfully proven to be relatively prime, the reciprocal of the
original s modulo the original b can be obtained as follows from the intermediate
values encountered in performing Euclid's algorithm:
It is desired to find an equation of the form 1=s(0)*d-b(0)*n, where s(0)=e and b(0)=(p-
1)(q-1)/2, and n is an arbitrary integer.
If it is in step i that dividing b by s yields 1 as the remainder, then that means that b(i)-s
(i)*q(i)=1, where q(i) is the quotient of the division at step i. So, when we use Euclid's
algorithm to determine inverses, we will need to retain not just the values of b and s for
each step, but also the quotient at each step, in an array that we will treat like a stack.
From the outline of Euclid's algorithm above, s(i-1)=b(i); r(i-1)=s(i); and b(i-1)-s(i-1)*q
(i-1)=r(i-1). Therefore, s(i-1)-r(i-1)*q(i)=1, by substituting the previous names for the
values, and s(i-1)-(b(i-1)-s(i-1)*q(i-1))*q(i)=1 by substituting for r(i-1) from the
equation for the previous division step.
Next
Chapter Start
Skip to Next Section
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]
One can raise a number, preferably a suitably small one, such as 1.0001, to the 1024th
power on a pocket calculator fairly quickly. Just push the x squared button ten times.
Thus, the algorithm for fast exponentiation resembles a method of multiplication called
"Russian Peasant Multiplication", and proceeds as follows:
Let result=1.
Convert the desired exponent to binary notation, and note its length in bits. Let n be
this length, and store the bits of the exponent in an array, with the least significant bit
in a(1), up to the most significant bit in a(n).
How on Earth can such a thing work? How can arithmetic still be done with a number
after its digits have been subjected to so frightful an insult?
An old idea of a way to perform addition and multiplication very quickly on large
numbers is called radix arithmetic. If you have, for two numbers, their remainder
modulo a series of relatively prime numbers, then you have uniquely identified each
number modulo the product of all those relatively prime numbers.
And you can add, subtract, or multiply the separate residues independently, and get a
correct result within the range of representable numbers.
An old way of finding the value of a decimal number, modulo 9, is by adding all its
digits together.
The remainder when you divide a number by 11 can be found by subtracting the digits
in even positions (counting the last digit as digit 1) from the digits in odd positions.
Adding all the digits together is, in Fourier-transform terms, taking the DC component
of the digit string; taking the differences of alternating digits is, from that viewpoint,
taking the component with a wavelength of length two digits.
Thus, a number from 0 to 9999 can be uniquely identified by its remainders modulo 99
and modulo 101, which can be found by breaking the number into halves and adding
and subtracting the halves. 99 can be split into 9 and 11 in the same way; since 101 is
bigger than 99, and 10001 is bigger than 9999, the method becomes a little more
complicated than would be nice, but it can still be made to work.
Taking a number apart into its remainders modulo various numbers is easy enough. But
how does one put a number back together from this form?
For example, 1001 is 7 times 11 times 13. So one could identify any three-digit number
uniquely with its remainders after division by 7, 11, and 13.
These remainders are determined by division, but given the remainders, how does one
determine the number?
One uses a linear combination of the various moduli, modulo their product.
For the case where there are three moduli, a, b, and c, and x, y, and z are the
remainders of our number for each of these moduli respectively, the formula for the
original number is:
( ibcx + jacy + kabz ) modulo abc
ibc modulo a = 1
jac modulo b = 1
kab modulo c = 1
Thus, if we know the residues modulo 7, 11, and 13 of a number (say they are 1, 5, and
6) then the number must be
Since 143 is equal to 3 modulo 7, i must equal 5 (5*3=15, one more than 14=2*7);
since 91 is equal to 3 modulo 11, j must equal 4 (4*3=12, one more than 11); since 77
is equal to 12 modulo 13, k must equal 12 (12*12=144, one more than 143=11*13).
And, indeed, 71 is 1 modulo 7 (71 - 7*10 = 1), and 5 modulo 11 (71 - 6*11 = 5), and 6
modulo 13 (71 - 5*13 = 6).
Next
Chapter Start
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]
Factoring
Because d can be derived from e once (p-1)(q-1) is known, factoring M into its prime factors p and q is a way of cracking the
RSA cipher.
Factoring large numbers is difficult. There are ways to improve on dividing a number by every prime number that is smaller
than it is. The first is to note that one only needs to divide by the numbers smaller than the square root of the number to be
factored. But other improvements are possible.
One relatively easy-to-understand improved algorithm for factoring is called Fermat factorization. This makes use of the fact
that
2 2
(a+b)*(a-b) = a -b
So, if a number to be factored is the product of two numbers, both of which are odd, the difference between them will be an
even number, and so these two numbers can be expressed in the form a+b and a-b for two positive integers a and b.
The following diagrams illustrate how one might go about trying to factor the number 319 (which is 11 times 29) by Fermat
factorization:
This diagram shows the two changes we have made so far, and an
additional one; now, we have moved to a 20 by 20 square, as
shown by the 39 grey squares on the outside. Removing the same
number of squares on the inside this time produces an empty space
there of exactly 81 squares. So we have found our factors.
Looking at this diagram, one notes that four consecutive regions of different colors in the interior of the square are about two
rows thick. This suggests that it is possible to improve Fermat factorization, to allow one to skip several steps that one can
tell will not be able to produce the final answer.
Let us look at the steps shown in the diagram for factoring 321, to compare Fermat factorization with trial division.
Thus we see that after the first few tries, Fermat factorization has, in this case, lost its advantage over trial division.
However, that is because the regions involved are only two rows thick. For larger numbers, very many tries could still be
required even in all but the very last stages, when Fermat factorization still retains its advantage over trial division.
As noted, four times in a row, the region being shifted outwards was about two rows thick on the inside. This can be used to
speed up Fermat factorization because the differences between consecutive squares are the odd numbers. Thus, not only do
successive L-shaped regions one row thick differ by two in the number of squares they contain, successive regions two rows
thick differ by eight, successive regions three rows thick differ by eighteen, successive regions four rows thick differ by
thirty-two, and so on (each difference being twice the square of the number of rows).
What we see from this table gives us hope, but also shows that there is a problem. The number left over changes in a
predictable pattern, but that pattern is not linear, it is quadratic.
Extrapolation
How much can this speed up Fermat factorization? And what exactly are the steps involved? To try and see the answers to
these questions, here is a more realistic example. In the book Codebreaker in the Far East, Alan Stripp, who worked as a
British cryptanalyst during the Second World War, noted that his serial number in the Army was for a time 14429743, which
his father informed him was the product of two prime numbers. How fitting that was, of course, would not be known for
decades.
[3799^2] 14432401 - 14429743 = 2658 = [52^2] 2704 - 46 ; 3747 rows with 46 left
[3800^2] 14440000 - 14429743 = 10257 = [102^2] 10404 - 147 ; 3698 rows with 147 left
[3801^2] 14447601 - 14429743 = 17858 = [134^2] 17956 - 98 ; 3667 rows with 98 left
[3802^2] 14455204 - 14429743 = 25461 = [160^2] 25600 - 139 ; 3642 rows with 139 left
But this doesn't mean the optimization noted here is completely useless. The number of rows would change slowly if the
inner square is near to the outer square in size. For a larger square, this would happen before the difference in sizes of the
two squares involves only two rows, so the optimization would become useful while Fermat factorization remained more
powerful than trial division.
Looking at the steps in Fermat factorization, however, long before the number of rows becomes constant over long stretches,
it starts declining by exactly one for step after step. Hence:
Since the number of rows is changing at a constant rate, this can be handled by a formula as well.
The big square starts at 4359 squares on a side, at the beginning of the uniform stretch. Thus, it grows by 8719 squares, then
8721 squares, then 8723 squares, and so on, two more each time.
The little square starts at 2139 squares on a side, and grows by two rows each time. So it grows by 8560 squares, then 8568
squares, then 8576 squares, and so on, eight more each time.
The number of odd squares left over first changes from 4183 to 4024, for a decrease of 159 squares. Each succeeding time,
this decrease itself decreases (eventually changing to an increase) by six squares each time.
Thus, one has a quadratic equation for the number of squares left over. How do we use it to find out if that number becomes
zero, and to find out when the uniform stretch ends, and a new calculation is needed?
Finding where a quadratic equation yields zero is, of course, easy enough.
2
a x + b x + c = 0
when
________
2 /
-b ± \/ b - 4ac
x = ----------------
2a
as we learned in school.
The stretch ends when the number left over either becomes negative, or exceeds the size of the outermost row of the inner
empty square; the former case is indicated by the roots of the quadratic, and since the second case involves the intersection
of the quadratic with a straight line, subtracting the equation from the straight line from that of the quadratic yields another
quadratic.
This is but the beginning of the ways in which Fermat factorization may be accelerated by extrapolation.
Enlargement
Given that Fermat factorization works best when the factors are equal in size, if the two factors, p and q, of the number being
factored happen to be such that p is about three times as large as q, then trying to factor 3pq would first turn up p and 3q as
the factors.
Thus, one could first try to factor pq. When the L-shaped region has a large enough bite out of it as to indicate factorizations
into two components differing by a factor of three have been reached, one could switch to trying to factor 3pq. Then, when
the two components differ by a ration of 5/3, switch to trying to factor 5pq, and so on.
Where the little square is of side b, and the big square of side a, one is comparing the ratio between a+b and a-b, since those
are the candidates for p and q, to determine what ratio between p and q has been reached.
Since a+b and a-b differ by 2b, we have been only considering the case where p and q are both odd. But this would also
work if they were both even, so one could also, for example, try to factor 8pq; if p were about twice the size of q, twice p and
four times q would turn up early in the search for factors.
If we are now looking for cases where a squared minus b squared equals some multiple of pq, why not simply look for cases
where a squared and b squared are equal modulo pq?
Not all such cases, though, will really factor pq. After all, 107pq can be factored into 107 and pq.
The factor base method works like this: starting with the numbers just after the square root of pq, the number to be factored,
find those numbers which are the product only of numbers from a set of small prime numbers.
Once one has enough such numbers, one can find among them a set of numbers which, when multiplied together, produces a
result with only even powers of those prime numbers. The two products of any two pieces in which you split that set will be
the kind of number you are looking for. (In practice, the number -1 is included in addition to several small prime numbers;
this doubles the chance of dealing with a smaller number, which is more likely to be the product of small primes.)
Instead of looking at all the numbers after the square root of pq, numbers likely to be small modulo pq can be found by the
continued fraction method of factoring. A more complicated method of even more quickly finding numbers worth trying,
which requires a special choice of the small prime numbers, is called the quadratic sieve method. Even more advanced and
efficient methods of factoring now exist.
Next
Chapter Start
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]
Diffie-Hellman
This key-exchange algorithm was invented by Whitfield Diffie and Martin Hellman in
1976, and it too was previously invented within GCHQ in Britain, this time by
Malcolm Williamson in 1974.
The Diffie-Hellman method, like RSA, also uses modulus arithmetic, but here the
modulus is just a prime number, which we will call P. Exponentiation is involved as
well. But, while in RSA the encryption function applied to x is x to the d power, which
is inverted as x to the e power, in Diffie-Hellman the function applied is a hash
function, in effect, because it has no inverse: A to the x power, modulo P.
(Of course, with real number arithmetic, that has an inverse, the logarithm of x to the
base A. And the inverse of x to the e power is the e root of x as well. Note that this
does indicate one weakness of RSA: if e happens to be 3, and the encrypted message is
a perfect cube, then the conventional cube root, which is easy to find, is also the cube
root modulo M. This requires both a low exponent and a small number as the message,
and is therefore easily avoided in practice.)
So, in Diffie-Hellman, the two parties each think of a secret random number,
respectively x and y. Each transmits A to that power. So, one party knows x and A^y,
and the other party knows y and A^x. Each party can calculate A^(x*y), since that is
(A^y)^x and it is also (A^x)^y, but an eavesdropper, only knowing A^x and A^y,
cannot do this.
A potential danger when Diffie-Hellman is used is that one could, for some values of
the modulus P, choose values of A such that A^x has only a small number of possible
values, no matter what x is, which would make it easy to find for a value of x that was
equivalent to the original value of x. This can be defended against by using a modulus
P such that P-1 is equal to twice another prime number. This second, smaller prime
number is known as a Sophie Germain prime, after a noted mathematician who was
able to prove Fermat's Last Theorem for the case when the exponent was such a prime.
The Key Exchange Algorithm (KEA) which was used with SKIPJACK in the Clipper
chip, and which was declassified at the same time, uses Diffie-Hellman in an
interesting manner which highlights some of its properties. As in the Digital Signature
Algorithm, the prime modulus P is required to be one such that P-1 has a factor that is
160 bits long. Since P is 1024 bits long, (or 512 to 1024 bits long, in the case of the
Digital Signature Standard) this appears to be less secure than the use of a prime
derived from a Sophie Germain prime. Also, it is somewhat more cumbersome to use:
where f is the 160-bit long prime factor of P-1, A cannot simply be chosen at random;
instead, another number less than P-1, B, is chosen at random, and B^((P-1)/f) is used
as A as long as it is not equal to 0 or 1 (modulo P, of course) and it also requires that
each A^x used be tested to determine that A^(xf) is equal to 1 modulo P.
Although this may be less secure than the use of a Sophie Germain prime, it is certainly
more secure than simply choosing P at random, and making no effort to avoid the
problems that small factors of P-1 could cause.
The protocol involved in KEA is of more interest. The session key is derived by
hashing
(x1*y2) (x2*y1)
A + A
all calculated modulo P, where x1 and x2 came from the first party to the
communication, and y1 and y2 came from the second.
If doing Diffie-Hellman once isn't good enough, what is the point of doing it twice?
The important thing about KEA is the difference between where the x values and the y
values came from.
The first user retains x1 as a persistent private key, and when A^x1 is presented as his
public key, it is accompanied by a digital certificate. Similarly, the second user has a
digital certificate for A^y1 as a public key.
On the other hand, x2 and y2 were random numbers generated at the time of the
communication, and thus A^x2 and A^y2 do not have certificates corresponding to
them. Thus, by involving the four parameters, a persistent and a temporary key from
each user in the procedure, both users prove their identity with a digital certificate, but
the resulting session key is something that is different for every message.
Since the x2 and y2 values are not persistent (they are sometimes called nonces), an
attacker could only obtain them through access to the computers or other equipment of
the parties to the communication at about the same time as the message with which
they are associated is itself present in plaintext form on that equipment. Thus, unlike
persistent private keys, nonces do not contribute to the security burden of key storage.
This means that a passive attacker would need to compromise the persistent private
keys of both parties (if that attacker could not also obtain one of the nonces) to read a
message whose key was generated through KEA. This, however, was not likely to have
been a major design consideration, because additional security against passive attacks
could be gained by making the protocol more elaborate (for example, A^(x2*y2) could
be used in addition in the generation of the session key); but this by itself would not
increase security against an active attack. Although this technique could be combined
with other measures that do combat active attacks, an attacker who could also partially
compromise keys is not only likely to be able to mount an active attack of the "man-in-
the-middle" type, but may even be able to tamper with the encryption hardware or
software being used.
The technique for deriving an 80-bit key for SKIPJACK from the 1024-bit value A^
(x1*y2)+A^(x2*y1) mod P, which value I will call k1, included for completeness, is as
follows:
The 80 most significant bits of k1 are XORed with the 80-bit constant
X'72F1A87E92824198AB0B', and the result of this will be called k2.
The 80 next most significant bits of k1 are split into 64 more significant bits and 16
less significant bits. The 64 more significant bits are encrypted twice in SKIPJACK
with a key of k2. The 16 leftmost bits of the result of the first of these two encryptions
is XORed with the 16 less significant bits. The concatenation of the 64-bit result of the
double encryption with the 16-bit result of the XOR forms the 80 bit key that will
actually be used for the conventional encryption, with SKIPJACK, of the actual
message. The following diagram illustrates this process, and it is similar to a diagram
included in the document describing SKIPJACK and KEA on the occasion of their
declassification:
Since k1 is a number modulo P, where P is a prime that is 1024 bits long, its most
significant digit is somewhat more likely, depending on the choice of P, to be a zero
than a one, and this could be considered a slight weakness in choosing to use the most
significant bits of k1 instead of some other part of it. Note also that the value of the 80-
bit constant used, were it secret, as it was originally, would provide an additional layer
of protection to the actual key used from the values exchanged. Also note that I am
assuming that the convention for taking the 80 most significant bits and the 80 next
most significant bits of k1 and submitting them to SKIPJACK in the form of binary
bytes is a big-endian convention; anything else would be too confusing for me to
attempt to explain.
Also note that the technique used for converting the 80 next most significant bits of k1
to the 80-bit key actually used, while suitable to its purpose here, is not a secure
technique in general for increasing the block size of a block cipher.
● El Gamal
● Digital Signatures Based on Diffie-Hellman
Next
Chapter Start
Table of Contents
Home Page
[Next] [Up/Previous] [Index]
El Gamal
The Diffie-Hellman key exchange algorithm is usually described as an active exchange
of keys by two parties:
and then both parties communicate using A^xy mod P as their session key.
Nothing, however, prevents the second party placing A^y mod P on file as its public
key, allowing anyone else to send a message which the second party can read by
choosing an x, and sending A^x mod P along with the message, encrypted using A^xy
mod P as the key.
In El Gamal, to send a message to a party whose public key is A^y mod P, we send our
own public key, A^x mod P, and in addition the message is enciphered by multiplying
it by A^xy mod P, the multiplication also being modulo P.
Next
Chapter Start
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]
To execute a digital signature using the Diffie-Hellman key agreement algorithm as the
basis requires a different approach.
The basis of digital signature algorithms of this type is as follows: the person knowing
x produces a set of two or three numbers that have a relationship to each other such that
they can only be generated knowing x, but the presence of the relationship can be
verified by those who only know A^x.
Thus, one simplified attempt at a discrete log signature algorithm would be to take a
message m, and calculate s such that s = x * m, modulo Q, where P is a Sophie
Germain prime such that P-1 = 2Q. Then, someone knowing only A^x could see that
A^s = (A^x)^m. However, this wouldn't be effective, because a signed document
consists of s and m, and since Q is public, your secret key x could easily be obtained by
dividing s by m.
The signature methods actually used, therefore, involve additional parameters, so that
the signature s is masked in a way that prevents it from giving away the value of x.
Let us, to simplify matters, assume that the modulus P used for our Diffie-Hellman
operations is not only a Sophie Germain prime, and thus
P - 1 = 2 * Q
where Q is also a prime, but in addition, Q is a Sophie Germain prime as well, so that
Q - 1 = 2 * R
for some prime R.
Primes other than Sophie Germain primes can be used; in that case, Q is simply some
large prime factor of P-1. R is not used, but Q should also be a prime such that Q-1 has
at least one large prime factor, since Q is used as a modulus for carrying out Diffie-
Hellman operations as well in the type of algorithm described below.
This means that not only is P suitable as a modulus for securely carrying out Diffie-
Hellman key setup, but so is Q, although Q is smaller.
Someone wishing to sign a document, m, has a permanent secret key x, to which A^x
modulo Q (rather than A^x modulo P) is the corresponding public key. In addition, a
nonce secret key y is generated, for which A^y modulo P, this time, not A^y modulo Q,
is the corresponding public key.
Also, Y is calculated, where Y equals (A^y modulo P) modulo Q. The message and the
signature are both numbers modulo Q.
ax + by = c
modulo Q.
This shows why it's vitally important that a different y is chosen for every signature. a,
b, and c are all public information; so if you have two sets of a, b, and c for the same x
and y, you can solve for the secret keys x and y.
Given s, m, A^x modulo P, and A^y modulo P (in the DSA, only Y is disclosed, but
this makes verifying signatures more difficult; note also that Y can be calculated easily
from this value, and Y is used in signature verification), the relationship between a, b,
and c can be verified using the equation
The possible values for a, b, and c (following a different convention from the one I use
here) are given in Bruce Schneier's book Applied Cryptography as:
and the sign convention may be altered; any of a, b, or c may be replaced by its
additive inverse. (All possibilities, of course, can be reached by changing the signs of
only two of them.) The Schnorr signature scheme, subject of a patent which still has a
considerable time to run, is noted as being related to the fifth of these equations in
Applied Cryptography, although elsewhere it is noted that the systems El Gamal and
the Digital Signature Algorithm, based on the fourth of these equations, are special
cases of Schnorr. The first and second equations, which avoid the need for a division to
calculate s, are noted as being related to schemes described in various published papers.
Next
Chapter Start
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]
A proposal by Dr. Adi Shamir, called the Shamir three-pass protocol, requires ciphers
that can be applied to a message in either order to produce the same final enciphered
result; that is, ciphers that commute with each other.
A wishes to send a message to B. So, A takes the message, and enciphers it in cipher A,
sending the result to B.
A can still decipher in cipher A, and does so, leaving behind the message only
enciphered in cipher B. This is sent back to B.
It was hoped that this method might make public-key cryptography easier, in that it
might be more possible to design ciphers that commute and that are secure in this
protocol. Like public-key cryptography, it allows secure communications without prior
exchange of a shared secret key in a secure manner. However, there is no public "key"
in this protocol, and therefore it is considered to be distinct from public-key
cryptography by some authorities.
However, only the Massey-Omura cryptosystem (and perhaps other essentially similar
ones) is a secure method based on this protocol.
A, knowing the value of A, can easily find the corresponding decryption exponent that
takes the A-th root modulo M, and sends back the message, now only raised to the B-th
power.
Since the modulus is a prime, finding the decryption exponent from the encryption
exponent is easy for both parties; but the algorithm is secure because neither exponent
can be found from the messages, because the discrete logarithm problem is hard.
Thus, it appears for now that the Shamir three-pass protocol is only effective when
used with operations such as exponentiation, which are also suitable for use in public-
key ciphers of the conventional type.
A public-key system that has been found to be unsafe, and which is therefore of
primarily historical interest today, is the knapsack method. Unlike RSA and Diffie-
Hellman, this system was based on a mathematical problem which was known to be
NP-complete, and thus one that was tougher to crack than either factoring or the
discrete logarithm problem.
The knapsack problem is this: given a set of numbers, and another larger number which
may be the total of some of them, determine if it is such a total, and if so, of which of
the numbers in the set.
This problem is very hard in general. But if the set of numbers was such that every
number is greater than the sum of all the ones smaller than itself in the set, then solving
the knapsack problem becomes fundamentally no harder (it just requires a tiny bit of
extra arithmetic) than converting a number decimal notation to binary notation.
The knapsack cipher worked as follows: start with a superincreasing knapsack
composed of many large numbers. Then, disguise the knapsack by multiplying all the
numbers in it by some quantity, modulo a limit which must be larger than the sum of
all the numbers in the knapsack.
Then, a message can be sent to you in the form of the sum of selected elements of the
knapsack. (Note that a message needs to have a significant number of both 1 and 0 bits
in it to be secure.)
Because the knapsack cipher was based on disguising such a set of numbers, called a
superincreasing knapsack as an ordinary knapsack, although solving the general
knapsack problem had been proven to be an NP-complete problem, someone attacking
a knapsack cipher had one piece of information that someone trying to solve the
general knapsack problem did not: that the knapsack to be solved was a disguised
version of a superincreasing knapsack. Thus, the flaw was that the security of the
cipher depended not only on the difficulty of the knapsack problem, but on the security
of the disguise.
Of course, there are ways to improve the knapsack cipher, but they have been broken
too. A knapsack could be disguised twice, modulo two different primes; but the
iterated knapsack was broken too. Instead of starting with a true superincreasing
knapsack, one could start with one that was 'close' to superincreasing, one which
involved one small knapsack problem (or perhaps several) that had to be solved the
hard way; this wouldn't be too impractical, since it is only as an NP-complete problem
becomes large that the time required to solve it becomes excessive; and this would
presumably make an attack more difficult, because the properties of the knapsack
under the disguise would not be as straightforward. Doubtless, though, this too is not
secure.
Next
Chapter Start
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]
Publish your public key. People can send you messages that no one but you can read.
That's simple enough. But if other people don't really know who you are, why would they send you messages
that need to be encrypted?
A big corporation could put a one-way hash or checksum of its public key on its billboards or its magazine ads,
to make you feel safe about sending your credit card number to it over the Web with that public key. However,
things are usually done a bit differently.
Another use of some public key algorithms, particularly RSA, is digital signatures. Suppose you encrypt a
message using your private key. Then, anyone can decrypt it who knows your public key; but only you could
have encrypted it in the first place. Thus, you've proved that you saw that message, and chose to encrypt it.
So, one of the commonest uses of digital signatures is in key certificates. The company that wrote your web
browser includes, built right into the program, the public key of a company that certifies the ownership of other
public keys. When you visit a site where you want to make a credit card order, your browser can then check that
the public key you will use to encrypt your credit card number really belongs to the company you think you're
ordering from.
Certificates can also be used in a less hierarchial fashion. A program like PGP allows your friends to vouch for
the key of any new person you wish to use PGP to communicate with, and uses a system of weighting to consider
certificates from a friend of a friend; this system is called the 'web of trust'.
Just as a public key algorithm can be used to encrypt the key (for use with a conventional algorithm like DES) by
which a message is encrypted, rather than the whole message, to sign a message you can simply encrypt a good
one-way hash of that message rather than the message itself.
Some types of digital signature don't require public-key cryptography, only hash functions. To prove that you
knew something a year before you're willing to make it public, publish today a one-way hash of what you know,
and a year later, publish what you had hashed then. This technique was used hundreds of years ago; the discovery
that Venus has phases like the moon, and the discovery that Saturn has rings, were both claimed prior to
publication by the act of publishing phrases which were anagrams of the statements of the discoveries.
The Diffie-Lamport signature scheme is closely related to this idea of using a hash of a message to sign that
message in advance of sending it. To be able to sign a single message to be sent in the future, without knowing
its text in advance, generate a pair of DES keys for every bit in the message or a hash of the message. Publish a
plaintext/ciphertext pair of blocks for each of these keys, indicating which two pairs correspond to a given bit in
the message to be signed, and which one corresponds to that bit being a 0, and which one corresponds to that bit
being a 1.
Then, when the time comes to sign the message, release the keys which correspond to the actual values of the
bits in the message, and only those keys.
Note that the signature is 56 times as long as the message. This can be reduced to 7 times, by generating DES
keys in sets of 256, only one of which will be released, corresponding to the actual value of a byte in the message.
Note also that the plaintext/ciphertext pairs of blocks are functioning as a one-way hash of the key, so this
scheme could be implemented equally well if one generated a pair of random messages for each bit of the
message to later be sent and signed, and released their hashes in advance along with the bit values to which they
corresponded, and then released the actual messages corresponding to the actual bits of the message to be signed.
Because the only information released corresponds to the actual bits of the message being signed, it does not
allow other messages to be forged. Thus, the large ensemble of keys or messages that are randomly calculated
can only be used to sign one message.
If only authentication, rather than a signature, is desired, then a very much simplified procedure can be used.
First, make available a random plaintext block, and its encrypted form, again under conditions where that is
known to be authentic. Then, send the message to be authenticated, along with its hash, encrypted by the same
key. Finally, reveal the key. This proves to the recipient that you have sent the message, although it now reveals
enough data to forge messages. Thus, the reciept of the message to be acknowledged has to be securely
confirmed before the key is revealed.
Signing an individual message is one form of authentication; for a user to demonstrate his identity in response to
a challenge, with the assumption that the communications channel used at the time of the challenge will not be
later interrupted with a spurious message, is a less ambitious form of authentication that can more easily be
performed with only classical techniques.
is more usually used in the form of a disk, with the vertical window showing ten numbers in the diagram in the
form of ten individual holes staggered in a spiral.
In use, the holder of such a device would prove his posession of it by responding "536" to a challenge of VY2 or
CP2, for example.
Such devices have been used as a means of copy protection for computer games, where the letters may be
replaced with the names of items in the game, and the three-digit numbers by numbers of five or six digits.
Devices of a somewhat similar nature were used during World War II to authenticate unencrypted
communications, and apparently this was true of the conflicts in Korea and Vietnam as well.
Next
Chapter Start
Skip to Next Chapter
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]
Before, it was possible to achieve any desired level of security merely by piling
complication on top of complication.
Here, we are dealing with techniques that will not work at all for their intended purpose
unless left in their pristine simplicity.
The only way to increase security is to use larger-sized numbers as keys. And all the
security depends on the difficulty of a specific mathematical problem.
On top of that, these techniques seem only to offer a method of doing something that is
useless and dangerous. They let you encrypt a document, so that its secrets are
protected, which you are able now to send...to a complete stranger. Why else couldn't
you have exchanged a secret key?
It is mainly the slowness of these techniques, and not any security considerations, that
lead to them only being used when they are necessary. But there seem to be good
security reasons to only use public-key methods when all else fails as well.
In the next chapter, it will be noted that in a military environment, if the various parties
that will be communicating with each other are issued "black boxes" that generate
public and secret key pairs, but only divulge the public keys, keeping the secret keys
for internal use, then there are no keys available to betray. Thus, PKC has strengths that
complement those of other forms of encryption and other security measures (such as
tamper-resistant hardware). This will be discussed further in the section entitled
Military Key Management.
This does point to a real advantage of public-key cryptography, but the statement as
commonly encountered needs some amplification to make this clear.
If N people are actively communicating with each other, each one needs to keep on file
the keys of the other N-1 people. This is true whether they are agreed-upon secret keys,
or public keys. But without the use of public-key methods, each person needs to have
keys for communicating with everyone else at the start. With public-key methods, if
each site simply has its own key, plus a certificate with which to demonstrate the
authenticity of its public key, any two sites can later begin secure communications. If
one site acts as a key server, even using conventional secret key methods, each site
would only need initially a secret key to communicate with the key server; however, in
that case, any two sites not having previously communicated would be dependent on
the availability of the server to establish secure communications. It is in this that the
advantage of having fewer keys to contend with actually consists.
Note, therefore, that no significant practical disadvantage is incurred if two sites, after
establishing communications by public-key methods, generate a conventional key to be
used in all future communications, since, unless maintaining a key ring is entirely
avoided, and each site obtains the other site's public key for every transmission, a list of
sites with their keys is already being maintained. Maintaining such a secret key, in
addition to one's own private key, does pose a slight additional security risk, as its
compromise allows both, rather than one, side of communications between oneself and
other parties to be read.
This created understandable nervousness on the part of the British authorities, who
feared that a "magic screw" could be uncovered which, once turned, would cause the
whole system to fall apart, or, in other words, would vitiate the security of their
communications if they were to base them upon a public key method. Also, in the time
between the original discovery of those methods and their open discovery, while the
microprocessor revolution was in its early stages, the computing equipment required
for handling large-number arithmetic would still have been bulky and expensive.
Next
Chapter Start
Table of Contents
Home Page
[Next] [Up/Previous] [Index]
Data Compression
English-language text uses only a fraction of the possible strings of the 26 letters. For example, no one would mistake
xwllygrZPXll mRRtQzryWx
It is possible to make use of the fact that certain sequences of letters are more common than others to fit a text
document, or a data file of another type, into less than the usual amount of space.
Graphics and audio files can be compressed by specialized techniques. Often, they have long stretches where values
either do not change, which can be dealt with by run-length encoding, or stretches where changes are small, which
can be handled by, for example, replacing a 16-bit number by an 8-bit value showing the difference between the
current number and the previous one belonging to the same family (an image file might contain alternating R, G, and
B pixels, and the three values would be independent, so one compares an R value to the corresponding value in the
previous pixel, that is, the previous R value, not to, say, that pixel's B value), called delta modulation.
Other, more specialized techniques of compression for such files involve Fourier transforms. The most popular such
technique is the Discrete Cosine Transform, used to produce JPEG files. Wavelet compression is another related
technique.
A very popular data compression technique is Lempel-Ziv compression. This is used with general purpose file
compression programs on computers. Its basic principle is that, as a file is read, the part of the file that has already
been processed is used as a dictionary of sequences of bytes likely to occur in that file. When a repeated sequence of
bytes is long enough, a pointer back to the earlier part of the file is shorter than repeating the bytes. While the original
concept of this kind of file compression is not patented, patents cover Lempel-Ziv-Welch compression, and many
other variants which are more practical or efficient than the original form.
Huffman coding is the other major data compression technique applicable to text files.
In the chapter on paper-and-pencil methods of encryption, we met the straddling checkerboard method of converting
letters to digits for easier manipulation:
A T O N E S I R
-------------------
0 1 2 3 4 5 6 7 8 9
-------------------
2 B C D F G H J K L M
6 P Q U V W X Y Z
in which the eight most common letters are represented by only a single digit, and the left over two digits begin two-
digit codes for all the other less common letters.
A Huffman code is also a code with variable length equivalents that can be distinguished unambiguously from the
front (which is known as having the prefix property). However, the term 'Huffman code' has a specific technical
meaning that goes beyond this. Even if some effort is made to assign the shorter codes to the more frequent symbols,
one does not necessarily have a Huffman code.
The distinguishing feature of a Huffman code is how the binary codes are assigned to the symbols being encoded. Let
us say that one wishes to encode the 26 letters of the alphabet. Then, one takes the least frequent two letters of the
alphabet, which happen to be Q and Z, and combine them into a single symbol for the next step, recording that the
code for Q will be that symbol's code plus a 0 tacked on the end, and the code for Z will be that symbol's code plus a
1 tacked on the end, thus distinguishing Q from Z.
Repeat that process until the alphabet is reduced to a single symbol, which needs no code, and you have produced a
Huffman code. One might wish to change the binary codes around without changing their length so as to have all the
symbols with four bit codes in alphabetical order, and one still can call the code a Huffman code.
Working from a set of letter frequencies due to Jim Gillogly, based on a famous body of literary work, which are as
follows:
we can link the first few letters together with no uncertainties, since the symbol totalled together from all the previous
letters is either the one with the lowest or the second-lowest frequency remaining:
V 1.02 - 2.21
K 0.80 - 1.19 -
X 0.15 - 0.39 -
J 0.10 - 0.24 -
Q 0.09 - 0.14 -
Z 0.05 -
Then the frequencies stop changing so rapidly, and we make some independent compounds:
P 1.56 - 3.01
B 1.45 -
F 2.09 - 3.91
G 1.82 -
Y 2.11 - 4.32
... 2.21 -
W 2.64 - 5.12
C 2.48 -
M 2.77 - 5.78
P 1.56 - 3.01 -
B 1.45 -
U 3.04 - 6.95
F 2.09 - 3.91 -
G 1.82 -
R 5.72 - 11.50
M 2.77 - 5.78 -
P 1.56 - 3.01 -
B 1.45 -
N 6.62 - 12.90
S 6.28 -
I 6.89 - 13.57
H 6.68 -
O 7.81 - 14.76
U 3.04 - 6.95 -
F 2.09 - 3.91 -
G 1.82 -
A 8.17 - 16.45
D 4.31 - 8.28 -
L 3.97 -
T 9.05 - 18.49
Y 2.11 - 4.32 --- 9.44 -
... 2.21 - |
|
W 2.64 - 5.12 -
C 2.48 -
and finally, the most frequent letter of the alphabet, E, joins up with a chain:
E 12.32 - 23.82
R 5.72 - 11.50
M 2.77 - 5.78 -
P 1.56 - 3.01 -
B 1.45 -
At this point, we now have only compound symbols in the running, and our compound symbols have the following
probabilities:
23.82
18.49
16.45
14.76
13.57
12.90
which total to 99.99%, due to rounding error in calculating the individual letter frequencies independently. So, we
haven't forgotten any letters!
Applying the Huffman code rule to these six pseudo-symbols ends up with the following result:
and that means we can now put our trees of letters together, and arrive at our Huffman code for the alphabet in the
English language. Here is the complete tree:
I
6.89 - 13.57 --- 26.47 --- 57.68 ---
H
6.68 - | | |
| | |
N 6.62 - 12.90 - | |
S 6.28 - | |
| |
A 8.17 - 16.45 --- 31.21 - |
D 4.31 - 8.28 - | |
L 3.97 - | |
| |
O 7.81 - 14.76 - |
U 3.04 - 6.95 - |
F 2.09 - 3.91 - |
G 1.82 - |
|
E 12.32 - 23.82 --- 42.31 -
R 5.72 - 11.50 |
M 2.77 - 5.78 - |
P 1.56 - 3.01 - |
B 1.45 - |
|
T 9.05 - 18.49 -
Y 2.11 - 4.32 --- 9.44 -
V 1.02 - 2.21 |
K 0.80 - 1.19 - |
X 0.15 - 0.39 - |
J 0.10 - 0.24 - |
Q 0.09 - 0.14 - |
Z 0.05 - |
|
W 2.64 - 5.12 -
C 2.48 -
and we make a code from it by using the two bits 0 and 1 to distinguish between the two branches coming from every
fork on the tree, and so we get our Huffman code as follows:
Of course, only the length of the symbols is important, so we can re-assign the codes as we like, as long as we keep
the same length. To ensure that every letter can be assigned a code, this is done by assigning codes to the letters with
the shortest codes first, and then converting all the unused codes to longer codes by appending both a 0 and a 1 to
each one, creating two codes for each code that was present before, and then assigning these codes to the letters
whose code is one bit longer. This method can even be used in a computer program to create randomized Huffman
codes.
● Have available a prepared list of information, giving for each required code length in bits that length and the
number of symbols with that length of code, in order from shorter to longer.
● Start with the shortest length in the list, and call it N.
● Fill a buffer with all possible combinations of N bits.
● For the number of characters that have N bit codes, select for each one an element from the list at random, then
remove that element from the list, making it shorter.
● For each of the remaining code lengths in that list, do the following, starting from the second shortest length
and ending with the longest:
❍ Call the length currently being considered M.
❍ Make 2 to the (M minus N) power copies of each element in the list, and append each of the possible
random, then remove that element from the list, making it shorter.
❍ Change the value of N by placing the current value of M in it.
This has been proven to be the way to produce the most effective possible binary code for symbols, if you are not
making use of any information except the frequencies of the symbols in isolation. An earlier code of this type, the
Shannon-Fano type of code, worked from the top down instead of the bottom up. This led to some letters starting out
placed with other letters whose frequencies were too far away, leading to slightly clumsy code assignments.
Often, in practice, a Huffman code for one kind of symbol will be mixed with other binary codes that are assigned
based on guesses instead of actual frequencies. Sometimes this is hard to avoid. A Huffman code for the 26 letters of
the alphabet is (well, almost) the best one can do to compress text, after it has been encrypted using a transposition
cipher. Unencrypted text, though, still has other properties besides letter frequencies to exploit.
Fax machines use a clever modification of the Huffman principle. One Huffman code is used to represent stretches of
black on the paper. Usually, these stretches are very short, the width of a line within a printed or typed character.
Another code represents stretches of white. Their lengths vary more widely, and so a different code represents them.
With text, a multi-state code is useful also. Digraph frequencies can be exploited by preparing a separate Huffman
code for the alphabet based on every possible value of the preceding letter in the message. Or one could make things
simpler, by just having a code for letters after vowels, another for letters after consonants, and (if spaces are also
represented somehow) another for letters at the beginning of words.
If text with spaces and punctuation marks is being reproduced, one could add these symbols to a Huffman code. But
more efficiency would be obtained, and more security would be obtained as well, by eliminating the frequent
repetition at almost regular intervals of the code for a space character, by prefixing each word, encoded with a
Huffman code for letters only, with an indicator of the word's length, also Huffman-coded based on the frequency of
words of different lengths.
With this kind of an arrangement, the provision for punctuation marks and digits will probably be ad hoc rather than
based on exact frequency counts. Presumably, the codes for words of different lengths would be accompanied by a
code for switching to punctuation, and the common case of just one punctuation mark followed by a return to normal
text would have a relatively short code.
One can do slightly better than a Huffman code if one uses arithmetic coding. This allows symbols to be assigned a
fractional number of bits, to better fit the frequencies of symbols. There are patents affecting this technique as well,
and it involves quite a bit of extra trouble for a very small improvement.
The principle behind arithmetic coding is illustrated by this example: supposing we have five symbols, with the
following probabilities:
A 1/4 C 1/6
B 1/4 D 1/6
E 1/6
While representing A by 00 and B by 01 would be optimal, one would like to switch, when representing C, D, and E,
from starting with the base-2 digit 1 to a base-3 digit. This could be done, since if one's message were thought of as a
number, then the rule might be:
0 - 0.24999... multiply by 4,
discarding the integer part,
and write A.
This is obviously optimal for this particular alphabet. There are algorithms to allow arithmetic coding to be performed
without having to perform arithmetic on one's entire compressed message for every symbol being added to it.
A nomenclator might give two or three digit codes to every item it encodes, whether a single uncommon letter like Z,
or a common three-letter sequence like ENT or ING. This idea, using the unequal probabilities of a source stream to
map variable-length chunks of the source to fixed-length (and therefore convenient to handle) codes was explored in a
thesis by B. T. Tunstall, in which he showed that the following simple algorithm:
is optimal if only individual symbol probabilities are taken into account. When other probabilities are taken into
account, by using bigram and trigram frequencies, one has a more accurate value for the probability of each code; but
one also can see that it makes no sense to assign a code to THZ just because one wishes to assign a code to THE:
thus, the proper way of assigning codes is more complicated. (If one has assigned codes for all common cases of a
letter following TH, should one retain a code for TH, or just retain codes for T and H?) The problem of performing
this type of coding optimally for sources with memory is still a current subject of research.
Next
Skip to Next Section
Table of Contents
Home Page
[Next] [Up/Previous] [Index]
A Compact Disc stores stereo musical recordings in the form of two digital audio
channels, each one containing 44,100 16-bit signed integers for every second of sound.
This leads to a total data rate of 176,400 bytes per second.
For transmitting a telephone conversation digitally, the same level of fidelity is not
required. Only a single audio channel is used, and only frequencies of up to 3000
cycles per second (or 3000 Hertz) are required, which requires (because of a
mathematical law called the Nyquist theorem) 6000 samples of the level of the audio
signal (after it has been bandlimited to the range of frequencies to be reproduced,
otherwise aliasing may result) to be taken each second.
For many communications applications, samples of audio waveforms are one byte in
length, and they are represented by a type of floating-point notation to allow one byte
to represent an adequate range of levels.
Simple floating-point notation, for an eight-bit byte, might look like this:
S EE MMMMM
0 11 11111 1111.1
0 11 10000 1000.0
0 10 11111 111.11
0 10 10000 100.00
0 01 11111 11.111
0 01 10000 10.000
0 00 11111 1.1111
0 00 10000 1.0000
The sign bit is always shown as 0, which indicates a positive number. Negative
numbers are often indicated in floating-point notation by making the sign bit a 1
without changing any other part of the number, although other conventions are used as
well. For comparison purposes, the floating-point notations shown have all been scaled
so that 1 represents the smallest nonzero number that can be indicated.
One way the range of values that can be represented can be extended is by allowing
gradual underflow, where an unnormalized mantissa is permitted for the smallest
exponent value.
S EE MMMMM
0 11 11111 11111000
0 11 10000 10000000
0 10 11111 1111100
0 10 10000 1000000
0 01 11111 111110
0 01 10000 100000
0 00 11111 11111
0 00 10000 10000
0 00 01111 1111
0 00 01000 1000
0 00 00111 111
0 00 00100 100
0 00 00011 11
0 00 00010 10
0 00 00001 1
S EEE MMMM
0 111 aaaa 1aaaa000
0 110 aaaa 1aaaa00
0 101 aaaa 1aaaa0
0 100 aaaa 1aaaa
0 011 aaaa 1aaa.a
0 010 aaaa 1aa.aa
0 001 aaaa 1a.aaa
0 000 aaaa 1.aaaa
Here, the variable bits of the mantissa are noted by aaaa, instead of being represented
as all ones in one line, and all zeroes in a following line, for both compactness and
clarity.
Today's personal computers use a standard floating-point format that combines gradual
underflow with suppressing the first one bit in the mantissa. This is achieved by
reserving a special exponent value, the lowest one, to behave differently from the
others. That exponent value is required to multiply the mantissa by the same amount as
the next higher exponent value (instead of a power of the radix that is one less), and the
mantissa, for that exponent value, does not have its first one bit suppressed.
S EE MMMMM S M EE MMMM
0 11 1aaaa 1aaaa000000000000000 0 1 11 aaaa
0 10 1aaaa 1aaaa00000000000000 0 1 10 aaaa
0 01 1aaaa 1aaaa0000000000000 0 1 01 aaaa
0 00 1aaaa 1aaaa000000000000 0 1 00 aaaa
S MM EE MMM
0 11 01aaa 1aaa000000000000 0 01 11 aaa
0 10 01aaa 1aaa00000000000 0 01 10 aaa
0 01 01aaa 1aaa0000000000 0 01 01 aaa
0 00 01aaa 1aaa000000000 0 01 00 aaa
S MMM EE MM
0 11 001aa 1aa000000000 0 001 11 aa
0 10 001aa 1aa00000000 0 001 10 aa
0 01 001aa 1aa0000000 0 001 01 aa
0 00 001aa 1aa000000 0 001 00 aa
S MMMM EE M
0 11 0001a 1a000000 0 0001 11 a
0 10 0001a 1a00000 0 0001 10 a
0 01 0001a 1a0000 0 0001 01 a
0 00 0001a 1a000 0 0001 00 a
S MMMMM EE
0 11 00001 1000 0 00001 11
0 10 00001 100 0 00001 10
0 01 00001 10 0 00001 01
0 00 00001 1 0 00001 00
Although usually a negative number is indicated simply by setting the sign bit to 1,
another possibility is to also invert all the other bits in the number. In this way, for
some of the simpler floating-point formats, an integer comparison instruction can also
be used to test if one floating-point number is larger than another.
This definitely will not work for the complicated extremely gradual underflow format
as it is shown here. However, that format can be coded so as to allow this to work, as
follows: the exponent field can be made movable, and it can be placed after the first 1
bit in the mantissa field. This is the format shown in the third column above.
When this is done, for very small numbers the idea of allowing the exponent field to
shrink suggests itself.
S EE MMMMM S MMMMM EE
0 11 00001 1000 0 00001 11
0 10 00001 100 0 00001 10
0 01 00001 10 0 00001 01
0 00 00001 1 0 00001 00
S MMMMMM E
N/A 0.1 0 000001 1
N/A 0.01 0 000001 0
S MMMMMMM
N/A 0.001 0 0000001
Something very similar is used to represent sound signals in 8-bit form using the A-
law, which is the standard for European microwave telephone transmission, and which
is also sometimes used for satellite audio transmissions. However, the convention for
representing the sign of numbers is different.
Also, if this method, with a two-bit exponent, were used for encoding audio signals
with 16 bits per sample, the result, for the loudest signals, would have the same
precision as a 14-bit signed integer, 13 bits of mantissa. Many early digital audio
systems used 14 bits per sample rather than 16 bits. But the dynamic range, the
difference between the softest and loudest signals possible, would be that of a 56-bit
integer.
One problem with using floating-point representations of signals for digital high-
fidelity audio - although this particular format seems precise enough to largely make
that problem minor - is that the human ear can still hear relatively faint sounds while
another sound is present, if the two sounds are in different parts of the frequency
spectrum. This is why some methods of music compression, such as those used with
Sony's MiniDisc format, Philips' DCC (Digital Compact Cassette), and today's popular
MP3 audio format, work by dividing the audio spectrum up into "critical bands", which
are to some extent processed separately.
Transmitting 6000 bytes per second is an improvement over 176,400 bytes per second,
but it is still a fairly high data rate, requiring a transmission rate of 48,000 baud.
Other techniques of compressing audio waveforms include delta modulation, where the
difference between consecutive samples, rather than the samples themselves, are
transmitted. A technique called ADPCM, adaptive pulse code modulation, works by
such methods as extrapolating the previous two samples in a straight line, and
assigning the available codes for levels for the current sample symmetrically around
the extrapolated point.
The term LPC, which means linear predictive coding, does not, as it might seem, refer
to this kind of technique, but instead to a method that can very effectively reduce the
amount of data required to transmit a speech signal, because it is based on the way the
human vocal tract forms speech sounds.
In the latter part of World War II, the United States developed a highly secure speech
scrambling system which used the vocoder principle to convert speech to a digital
format. This format was then enciphered by means of a one-time-pad, and the result
was transmitted using the spread-spectrum technique.
The one-time-pad was in the form of a phonograph record, containing a signal which
had six distinct levels. The records used by the two stations communicating were kept
synchronized by the use of quartz crystal oscillators where the quartz crystals were
kept at a controlled temperature. The system was called SIGSALY, and an article by
David Kahn in the September, 1984 issue of Spectrum described it.
The loudness of the portion of the sound in each of ten frequency bands, on average
280 Hz in width (ranging from 150 Hz to 2950 Hz), was determined for periods of one
fiftieth of a second. This loudness was represented by one of six levels.
The fundamental frequency of the speaking voice was represented by 35 codes; a 36th
code indicated that a white noise source should be used instead in reconstructing the
voice. This was also sampled fifty times a second.
The intensities of sound in the bands indicated both the loudness of the fundamental
signal, and the resonance of the vocal tract with respect to those harmonics of the
fundamental signal that fell within the band. Either a waveform with the frequency of
the fundamental, and a full set of harmonics, or white noise, was used as the source of
the reconstructed sound in the reciever, and it was then filtered in the ten bands to
match the observed intensities in these bands.
Since 6 to the 12th power is 2,176,782,336, which is just over 2^31, which is
2,147,483,648, this roughly corresponds to transmitting 200 bytes a second. This uses
only two-thirds of the capacity of a 2,400-baud modem, and is quite a moderate data
rate.
The sound quality this provided, however, was mediocre. A standard for linear
predictive coding, known as CELP, comes in two versions which convert the human
voice to a 2,400-baud signal or to a 4,800-baud signal.
Next
Skip to Next Section
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]
Semi-Arithmetic Coding
It was noted that a method of compression called arithmetic coding allows an
additional amount of compression to be achieved over and above that provided by
Huffman coding, since the effective length of the symbols used may now be in
arbitrary fractions of a bit.
For example, one could design a coding tree such that at each level, either two or three
alternatives existed, so that only base-2 or base-3 digits are used. An example of such a
tree for the 26 letters of the English alphabet might be, based on the letter frequencies
used previously as given by Jim Gillogly, without making any claim for optimality:
This code, as it is patterned after arithmetic coding, has the additional prefix property
that at any stage one knows whether the next symbol is a two-way branch (0 or 1) or a
three-way branch (A, B, or C).
As 3 to the 5th power is 243, a simple way of encoding five base-3 digits in 8 bits can
be used, following this scheme:
Let us designate our five base-3 digits as pqrst. Then, in the resulting binary code, we
can use QQ, RR, SS, and TT to represent the last four digits, as coded by the scheme:
A 00
B 01
C 10
Then, we might code groups of five base-3 digits to groups of eight bits as follows:
Aqrst QQRRSSTT
BArst 11RRSSTT
BBrst RR11SSTT
BCrst RRSS11TT
CArst RRSSTT11
CBAst 1111SSTT
CBBst 11SS11TT
CBCst 11SSTT11
CCAst SS1111TT
CCBst SS11TT11
CCCst SSTT1111
Thus, the positions of the inadmissible 11 value are used to encode first the first base-3
digit, and then others for which no room is left to directly code. The later section From
47 bits to 10 letters discusses the principle behind this form of coding, and notes that it
was originated by IBM as an efficient way of storing decimal digits on a binary
medium.
Here we are, now: we have a code to convert a sequence of letters into base-2 and base-
3 digits; the codes always begin with a base-2 digit, and we always know what kind of
digit is to come next, and we have a reasonably efficient way of converting base-3
digits into bits.
becomes
1CC01C01AC1CB1AB0011CA0000011CB01AB000
which, when separated into bit and base-3 digit streams, becomes
10101110011000001101000 and
CCCACCBABCACBAB
where the x indicates a bit to be filled with padding, which, for this example, will be
assumed to be zero, and the base-3 digits, which are converted to bytes which start
from the end of the message, convert to bytes as follows:
CCCAC 00101111
CBABC 11110110
ACBAB 10010001
Next
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]
Character Codes
As noted in the page on data compression, text can be represented more efficiently using Huffman coding. Since text is
composed of words having lengths in a relatively narrow range, separated from each other by single spaces, a multi-state
Huffman code, with one set of symbols for word lengths, and another set of symbols for letters, can be used, and it has the
added attraction of obscuring this aspect of the structure of a text document.
Even when it is not intended to perform explicit compression, codes representing characters for transmission can be
designed for efficiency.
ITA 2, 5-level code, or the Murray code, generally known as Baudot, as it is based on his principle, even if it does not
resemble his original code,
uses only five bits to represent a character, but sometimes extra characters are needed to shift between cases.
ASCII requires seven bits per character, and is simpler to use, since no shifts are required:
0 0 0 0 1 1 1 1
0 0 1 1 0 0 1 1
0 1 0 1 0 1 0 1
0000 NUL DLE 0 @ P ` p
0001 SOH DC1 ! 1 A Q a q
0010 STX DC2 " 2 B R b r
0011 ETX DC3 # 3 C S c s
0100 EOT DC4 $ 4 D T d t
0101 ENQ NAK % 5 E U e u
0110 ACK SYN & 6 F V f v
0111 BEL ETB ' 7 G W g w
1000 BS CAN ( 8 H X h x
1001 HT EM ) 9 I Y i y
1010 LF SUB * : J Z j z
1011 VT ESC + ; K [ k {
1100 FF FS , < L \ l |
1101 CR GS - = M ] m }
1110 SO RS . > N ^ n ~
1111 SI US / ? O _ o DEL Delete
But with seven bits per character, the temptation is strong to use a whole 8-bit byte for a character.
Originally, there were many versions of 8-bit ASCII in use, providing extra characters on a number of computer systems.
One common 8-bit ASCII character set found on printers was the one which supported the Japanese katakana syllabary; the
IBM PC, the Macintosh, and the Atari ST all had their own 8-bit character sets. Today, there is a standard; the Amiga was
one of the first computers to use it, but it is also used in most fonts in Microsoft Windows. In this standard, the extra
characters consist of 32 additional control characters, followed by 95 printable characters, most of which are accented
letters for the major European languages. Characters commonly found on typewriters, including a superscript 2 and 3, but
not a complete set of superscripts, for use in typing measurements, are found. Where the OE ligature was originally placed,
the arithmetic symbols for multiplication and division were put in the middle of the accented letters, rather than with the
new graphic symbols (this part of the standard was still undecided when the Amiga was designed, so those two characters
were omitted from its character set; some printers have the original version as a "Unix character set").
Various languages have their own variants of ASCII. Many of them are described and illustrated here, on Roman
Czyborra's web page.
While printers often have their own escape code sequences to switch between some of these character sets, today there are
ambitious proposals to create a single code to encompass nearly all the world's languages.
There is the 16-bit Unicode character set, and the larger 31-bit ISO 10646 character set which includes it.
For transmitting such characters, an elegant (if somewhat inefficient) scheme which represents all 7-bit ASCII characters in
a single byte known as UTF-8 is the current standard.
Character: Representation:
0000000 00000000 00000000 0abcdefg : 0abcdefg
0000000 00000000 00000ABC Defghijk : 110ABCDe 10fghijk
0000000 00000000 ABCDEfgh ijklmnop : 1110ABCD 10Efghij 10klmnop
0000000 000ABCDE fghijklm nopqrstu : 11110ABC 10DEfghi 10jklmno 10pqrstu
00000AB CDEfghij klmnopqr stuvwxyz : 111110AB 10CDEfgh 10ijklmn 10opqrst 10uvwxyz
ABCDEfg hijklmno pqrstuvw xyzabcde : 1111110A 10BCDEfg 10hijklm 10nopqrs 10tuvwxy
10zabcde
The capital letters denote bits that must not all be zero. These bits are showed by areas peppered with dots in the diagram
below:
This coding has many desirable properties, one of which is that is unambiguous which transmitted bytes begin a character,
and which merely continue one. Also, there are no shifted states in the code. This coding also does not affect mechanical
sort order of strings.
However, it allows only 2,048 characters to be encoded in two bytes; yet, many existing codes allow over 8,000 Chinese
characters to have two-byte codes. Also, this means that every letter in a Greek or Hebrew language document will take up
two bytes, and every symbol in a Thai-language document will take three bytes. Being able to shift into a character set
appropriate to the language to be used would seem to be an important property for an efficient coding.
If one is prepared to surrender the desirable properties of this coding, there is sufficient room within it that an efficient
coding could be created that is compatible with it.
and so on. Having the second-last byte, instead of the last byte, of the form 01xxxxxx would indicate shifting into a mode
where two bytes of the form 1xxxxxxx xxxxxxxx indicate a character contained in the same 32,768 character expanse as
the character whose code was thus modified.
Leaving any of these modes would require the use of a control character, perhaps SO (shift out).
And this would still leave room for an additional set of more efficient codes for characters:
10xxxxxx 0xxxxxxx
10xxxxxx 1xxxxxxx 0xxxxxxx
10xxxxxx 1xxxxxxx 1xxxxxxx 0xxxxxxx
and so on.
Next
Table of Contents
Home Page
[Next] [Up/Previous] [Index]
Base-26 Armor
Since
ten letters can represent 47 bits with fairly good efficiency. In fact, the information content of 10
letters from a 26-character alphabet amounts to 47.00439718 bits, less than 1/227th of a bit extra.
However, one would like to avoid performing 48-bit multiplications to do the conversion.
A method devised by IBM for representing three decimal digits in 10 binary bits can illustrate a way
in which to do this.
Let ooo (or ppp, qqq) represent a digit from 0 to 7 represented by the following code:
000 0
001 1
010 2
011 3
100 4
101 5
110 6
111 7
0 8
1 9
then, any three decimal digits can be represented within 10 bits as follows:
It may or may not already be obvious, but the table illustrating the decimal to binary code is based on
ooo, ppp, and qqq representing the first, second, and third digits respectively (if they are from 0 to 7)
and on d, e, and f representing the first, second, and third digits respectively if they are instead either 8
or 9. This same notational convention will be used within the description of the coding that takes 47
bits to ten letters.
Here, we have some binary values left over, so we can go from decimal to binary, but we cannot use
this code to represent arbitrary binary data as decimal digits without some modification.
With the lengths that I am choosing, it will be the other way around for letters; we will use all possible
binary combinations, and still have a few alphabetic combinations left over.
Because the conversion from 47 bits to 10 letters is very efficient, a direct coding, since it would use a
large number of possible codes, would be very complicated. Instead, to derive a coding the description
of which would be reasonable in length, I have chosen to describe a method that has a two-layer
structure.
aaaa (or bbbb, cccc) will represent a letter from the code:
iii (or jjj, kkk) will represent a letter from the code:
0 Y 1 Z
Then, a coding generating three letters from 14 bits looks like the following:
This shorter coding of 14 bits as three letters is not quite as efficient as the overall coding of 47 bits to
ten letters we will construct using it as a component. 3 times 14 is 42, and so there are five bits left,
which don't quite fit in one letter. If the first five bits represent a number from 0 to 25, then they can
represent a letter, using the codings shown above, in one of the forms 0aaaa, 10iii, or 1100m.
Otherwise, codings which use the combinations of three letters which are not used by the above
coding of fourteen bits to three letters are used. These codings don't encode fourteen bits, since only a
small fraction of the possible combinations of three letters are left.
Some more codings, using the unused letter combinations, are now constructed for use in producing a
coding of 47 bits into ten letters that is manageable to describe, since a direct coding is very long and
complicated.
There are still some possible arrangements of three letters left over, although the number is now rather
small. 10 bits can still be encoded in those which remain, as follows:
iiino
and 3 bits:
mno
To encode 47 bits as ten letters, we now proceed as follows, using the codings that we've constructed
so far.
aaaa, iii, or m represent the first of the 10 letters.
The remaining letters are divided into three groups of three, coded using the method above.
For the first group of three, the 14, 10, 7, and 5 bit codings are represented by AAAAAAAAAA,
FFFFFF, PPP, and X respectively; for the second, BBBBBBBBBB, GGGGGG, QQQ, and Y; for the
third, CCCCCCCCCC, HHHHHH, RRR, and Z. The 3 bit coding is not required. Note that the length
of the strings is equal to the length of the coding in bits minus 4, so that the length of the symbols used
here are constant.
Attempting to produce a direct coding, using the aaaa/iii/m symbols for individual letters, produces a
very long list of codes. This nested approach is considerably more manageable.
11100011100011100011100011100011100011100011100
Next
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]
125, which is 5^3, is very close to 128, which is 2^7. And the difference between the
two numbers is 3. On the other hand, 32, which is 2^5, minus 27, or 3^3, is 5. So, if a
string of binary bits is broken into groups of seven and five bits, one can produce base-
3 and base-5 symbols from it; the seven-bit chunks will favor base-5 symbols, and the
five-bit chunks will favor, less strongly, base-3 symbols.
On the other hand, 25 is 5^2, and 27 is 3^3, and they bracket 26 on either side. These
modified alphabets have long been used in manual fractionation systems. An
interesting possibility for a computerized system would be to use the fact that 25*27 is
675, one less than 676, or 26 squared. Except, therefore, for choosing one digraph to be
ignored, a string of letters could be converted into strings of base-5 and base-3 digits.
We have just seen an efficient coding which allows 47 binary bits to be represented as
10 letters. Since both bits and letters can be converted to symbols from an alphabet of 3
and from an alphabet of 5 for fractionation, one could divide a binary message into
blocks of 47 bits, and convert half of them before fractionation and half after based on
a pseudorandom sequence of bits.
The blocks of 47 bits which are still in binary form would be grouped for fractionation
in a number of ways, from 5+5+5+5+5+5+5+5+7 to 7+7+7+7+7+7+5. (Unfortunately,
more equal divisions are not available. However, this can be dealt with by considering
the binary blocks in pairs whenever possible, even if they are not contiguous. A pair
could then be handled as nine groups of five bits and seven groups of seven bits.) As
noted above, the groups of seven bits usually become three base-5 digits, but
occasionally become one base-3 digit, and the groups of five bits usually become three
base-3 digits, but occasionally become one base-5 digit.
The blocks that are in alphabetic form are divided into pairs of letters, and all but one
value would become two base-5 digits and three base-3 digits.
10110100110001001110100101000101111010101111011
00000111010001011111010011010111010111011101101
0aaaa(14 bits/3 lt)(14 bits/3 lt)(14 bits/3 lt)
A11101aaaabbbbo1010iiijjjcccc1011iiibbbbkkk
B HZ T S O V N V
10110001111010001101101110011000001111010111011
Then, we take the message in its mixed form, and convert it to base-3 and base-5
symbols, using the different appropriate methods for its binary and alphabetic parts.
AB HZ TS OV NV
24CBC 13AAB 42CCA 51BAC 12ACB
The base-3 and base-5 components of the message are then separated out, and
enciphered independently. One effective method for doing so is to transpose, substitute,
and then transpose again. The substitution can be done from a table; perhaps one with
625 entries for enciphering base-5 symbols, and one with 243 entries for enciphering
base-3 symbols.
Base 3:
CONTINENTAL
-----------
CBABAAACBCA
CAACCBCAABC
CABACACBACC
BBBACC
CBC CCCB ACC ACCC ACC AABB ABAC CAB BAAB BCAA BAA
CBCCC CBACC ACCCA CCAAB BABAC CABBA ABBCA ABAA
ABACB BACCA CBACB ABACC CABAB ACBAC BABAC ABAA
IMPERIAL
--------
ABACBBAC
CACBACBA
BACCCABA
BACBACBA
BACABAA
Base 5:
DELUXE
------
312423
153241
342511
245153
451225
53
PROPINQUITY
-----------
12113154221
33512413321
3311453421
324 232 145 151 133 111 513 233 221 434 11
Finally, we convert the remaining binary blocks to alphabetic, thus completing the
armoring step of converting an initially all-binary message to an all-alphabetic form for
transmission. Such a method should truly blur the boundaries between bits and letters.
Next
Skip to Next Section
Chapter Start
Table of Contents
Home page
[Next] [Up] [Previous] [Index]
If every message were an exact multiple of 47 bytes in length, it would be very easy to apply the complicated
fractionation methods outlined in the preceding sections to encryption.
Then, breaking the message up into 47-byte chunks, for each chunk generate six pseudorandom bits. Convert that
into eight bits which include four 1s and four 0s, using a 4-of-8 code.
Four 47-bit segments of the chunk are immediately converted to ten letters each, and four remain unconverted.
The letters are converted to base-3 and base-5 digits in pairs. The bits are converted in groups of 5 bits and groups
of 7 bits, eighteen groups of 5 bits and fourteen groups of 7 bits.
The base-3 and base-5 digits thus produced are independently enciphered independently of each other, then
reconstituted to form bits and letters once again. Then the binary chunks are converted to ten letters each.
At this point, 47 bytes of the original binary compressed plaintext (and this is indeed where the problem comes in:
Huffman compression produces messages that are an arbitrary number of bits in length, not in whole bytes, never
mind exact multiples of 47 bytes) have become 80 letters.
And this number is a multiple of four, so the next step works out evenly as well. Using the following code for the
first letter of a group of four:
and using the three digits thus produced to modify the remaining three letters in that group as follows:
ABCDEFGHIJKLMNOPQRSTUVWXYZ
----------------------------
1 %&'()*+,./0123456789:;<=>?
2 ABCDEFGHIJKLMNOPQRSTUVWXYZ
3 abcdefghijklmnopqrstuvwxyz
we now produce a line of 60 characters from an alphabet of 78 characters, suitable for efficient transmission as a
text string. While trying to have a simple ASCII coding, the first set of equivalents is made slightly more
complicated to avoid using the dollar sign ($), which is different in some national versions of ASCII, and to avoid
using the minus sign (-) which has a special meaning at the start of a line for some Internet messages.
Then, an error-correcting code can be applied to the line of 60 7-bit characters. One might produce 28 bits of error-
checking information from four 7-bit accumulators, rotated according to different schemes (one rotated only after
every 49 characters added to the three illustrated in the diagram, so that a single-bit error in the line can be
uniquely located, and with the result that 28 rather than 21 bits of error-checking information are produced).
To keep a correspondence between the bits of the error-checking characters and the bits they encode (so that
single-bit errors in transmission don't propagate in the error-checking part of the code in a way the code was not
designed to handle), and yet use only acceptable characters, the following code which places five bits in a
character might be used:
0 0 1 1
-------
000|P H p h
001|Q I q i
010|R J r j
011|S K s k
100|T L t l
101|U M u m
110|V N v n
111|W O w o
and thus a line might consist of 60 characters from the 78-character alphabet, a space, and six error-checking
characters from this 32-character alphabet, one of which would only take on eight possible values.
But as noted, this is all well and good if the message consists entirely of exact chunks of 47 bytes. What happens
if the last chunk falls short, how can we deal with this?
At the beginning of binary encipherment, just after the message has been compressed, it is reasonable to at least
pad the message to a whole number of bytes, so that the entire encipherment process does not have to
continuously account for an odd number of bits.
For a hash function, a common method of padding is this: append a single 1 bit to the end of the message, and
then append as many 0 bits as required to make the message come out to an even number of blocks.
This is not very suitable for encipherment, as it creates a likelihood that the message will end in a sequence of
zeroes. Here is a method that lets each individual bit of the end of the message be equally likely to be a 1 or a 0.
Consider only the last 6 through 13 bits of the message. (Since this includes eight consecutive values, one of these
values can always be chosen to make the preceding part of the message consist entirely of whole bytes.)
These will be encoded into two bytes which contain the following three fields (the last one may have zero length)
in order:
● Three bits will contain a number from 0 to 7, indicating how many bits of random padding have been
added to the message.
● The 6 through 13 remaining bits of the message.
● From 7 down to 0 bits of random padding.
Terminating Compression
Although this kind of padding does ensure that each bit is equally likely to be a 0 or a 1, it does not complicate a
brute-force search by ensuring that any random bit sequence, after being unpadded, will be one that decompresses
by the compression method used, to a whole number of symbols. This problem can be dealt with by applying
some form of encryption before padding, such as choosing the codes for Huffman coding in a random order.
However, it is possible to address this without introducing bias into the compressed form of the message. The key
insight is that Morse code is an example of a method of encoding binary strings that also takes advantage of length
information, and so if we encode the last symbol in a code similar to Morse code we can ensure that wherever the
message ends, it can decompress to something. However, to avoid ambiguity, we must exclude symbols that start
with one of our Huffman symbols.
For example, for a message composed only of letters, we might try to use the following Huffman and pseudo-
Morse codes:
where, for the last symbol in the compressed ciphertext, column (1) normally applies, but column (2) applies after
Z, ZQ, ZQQ, ZQQQ, and so on.
This is because we have run into trouble. We have run out of available Pseudo-Morse codes before having found
an equivalent for the least frequent letter, Z.
The number of Morse code symbols with four or fewer dots and dashes is 30, and considering the null string, we
obtain 31 symbols, one less than 32, the number of five-bit strings. Since these two different cases of a Morse
code avoiding the symbols in another prefix-property code both have the property that the Morse code has exactly
one symbol less, it becomes interesting to ask if this is always the case.
The minimal case of a pseudo-Morse code and its corresponding Huffman code is:
In this case, there is one more Huffman code symbol than there are pseudo-Morse symbols.
Any Huffman code can be obtained from the minimal Huffman code by successive transformations of the
following form: replace one symbol in the Huffman code by both itself followed by 0 and itself followed by 1.
Then, the pseudo-Morse code is also modified: the old symbol in the Huffman code that was replaced is added to
it.
Since both codes have exactly one element added to them by this operation, it is still true that the Huffman code
has exactly one more symbol in it than its corresponding pseudo-Morse code. This is therefore always true, by
mathematical induction.
There are a number of ways to deal with this problem, but now that we know that we will always have the
problem, and it will always only involve the least frequent symbol, it becomes easier to see which of them are
most appropriate.
● We could exclude the null string as a possible pseudo-Morse symbol. Then, all the strings which exactly
match a Huffman string would be usable as symbols, so we would always have more Pseudo-Morse bit
strings than Huffman bit strings.
● Or, we could use the Pseudo-Morse symbol for Q to stand for <nothing> and if our message ended in a Q
or Z, we simply end by using its Huffman code followed by the Pseudo-Morse code for <nothing>. In that
case, though, we have two rare symbols following one another.
● This can be improved by having two versions of the Pseudo-Morse code. One is used to follow the
Huffman symbol for any character other than Q or Z, and does not include a symbol for <nothing>, and
therefore does include a symbol for Q (but not Z). The other, following the Huffman symbols for Q and Z,
has a code for <nothing> but not for either Q or Z. In this case, since J is more common than Q and Z
combined, the symbol for <nothing> would still be the longest in the code, but in cases where the tail of the
frequency distribution is flatter, the symbol for <nothing> might move upwards in the code.
● Or, when <nothing> ends a message, assign the shortest Huffman codes to the characters that need to be
followed by it, so that E<nothing> stands for Q, and T<nothing> stands for Z.
● Finally, as actually recommended above, following Z or in a string of "Q"s of any length preceded by Z,
use a second version of the Pseudo-Morse code in which there is no code for Q or Z, but the code for
<nothing> is the shortest character; following anything else, use the normal version of the Pseudo-Morse
code in which there is a code for every letter except Z.
However, the first four methods, of which the fourth is the most efficient, all involve backtracking. Thus, the fifth
method, which is both efficient and which can be implemented without backtracking in either encoding or
decoding, is the most suitable.
Ignoring this detail for the moment, we can illustrate how well this scheme works by an example:
Let our message, using the convention given above, be nnn01010 10101010, where nnn takes on all possible
values from 0 to 7. Does the message have a valid decoding for each value of nnn?
Message: Decoding:
000 01010 10101010 0101 A 0101 A 0101 A 0 T
001 01010 1010101x 0101 A 0101 A 0101 A <null string> E
010 01010 101010xx 0101 A 0101 A 010 S
011 01010 10101xxx 0101 A 0101 A 01 I
100 01010 1010xxxx 0101 A 0101 A 0 T
101 01010 101xxxxx 0101 A 0101 A <null string> E
110 01010 10xxxxxx 0101 A 010 S
111 01010 1xxxxxxx 0101 A 01 I
The basic idea shown here is based on a description by David A. Scott of ideas used in his encryption programs,
but he is not responsible for the details of my proposal/example. Although I believe that this idea has probably
been thought of before, perhaps very early in the development of binary prefix-property codes, I suspect it is
entirely possible that Mr. Scott may well be the originator of the concept of generalizing this principle to
arithmetic coding.
There is even available an encryption program by Matt Timmermans which makes use of his compression
principle as well.
At this point, we now have a binary message that is a whole number of bytes in length. Such a message is
convenient for encrypting by a large number of techniques. Among one of the techniques we are likely to apply to
a binary message would be a block cipher, such as DES (which is still the best-known one, even if its key is too
short by today's standards).
But we've only ensured that our message is made up of a whole number of bytes, not a whole number of eight-
byte (or sixteen-byte, if we're using one of the AES candidates) blocks!
This is not a problem. We can encipher a message with the "wrong" number of bytes in it as follows:
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
| 1| 2| 3| 4| 5| 6| 7| 8| 9|10|11|12|13|14|15|16|17|18|19|
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
| | | | | | | | | | | | | | | | | | |
---------------------- ---------------------- | | |
| DES || DES | | | |
---------------------- ---------------------- | | |
| | | | | | | | | | | | | | | | | | |
| | | | | | | | | | | ----------------------
| | | | | | | | | | | | DES |
| | | | | | | | | | | ----------------------
| | | | | | | | | | | | | | | | | | |
that is, after enciphering as much of the message as possible in whole eight-byte blocks, if there are between one
and seven left-over bytes, then encipher the last eight bytes of the message again, thus including the left-over
bytes with some bytes that have already been enciphered to make a whole block.
Bruce Schneier's justly famed book Applied Cryptography illustrates a somewhat modified technique for
accomplishing this purpose, called ciphertext stealing.
It differs from what is shown in the diagram above by making the extra block, which still contains the three left-
over bytes and the last five already-encrypted bytes, out of the three left-over bytes first, and then the five already-
encrypted bytes afterwards.
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
| 1| 2| 3| 4| 5| 6| 7| 8| 9|10|11|12|13|14|15|16|17|18|19|
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
| | | | | | | | | | | | | | | | | | |
---------------------- ---------------------- | | |
| DES || DES | | | |
---------------------- ---------------------- | | |
| | | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | -----------------------
| | | | | | | | | | | | | | ----------------------- |
| | | | | | | | | | | | | ----------------------- | |
| | | | | | | | | | | | ---------------------- | | |
| | | | | | | | | | | ----------------------- | | | |
| | | | | | | | | | | | | | | | | | |
| | | | | | | | | | | ----------------------
| | | | | | | | | | | | DES |
| | | | | | | | | | | ----------------------
| | | | | | | | | | | | | | | | | | |
| | | | | | | | | | | ----------------------- | | | |
| | | | | | | | | | | | ---------------------- | | |
| | | | | | | | | | | | | ----------------------- | |
| | | | | | | | | | | | | | ----------------------- |
| | | | | | | | | | | | | | | -----------------------
| | | | | | | | | | | | | | | | | | |
This maintains the alignment of all the bytes of the unencrypted message relative to the blocks in which they are
first enciphered. This seems like a cumbersome method of dealing with some rather strange and obscure
weaknesses some block ciphers might have. (Thanks to the initial permutation, DES certainly does not have any
weakness of the kind this might address.)
However, if we hadn't already padded our message out to a whole number of bytes, or if we were using a block
cipher that was very fast, and consisted of operations on whole 32-bit words in our computer, the alignment-
preserving property of ciphertext stealing could be useful to save computer time.
If only alignment to the byte of a message that is an odd number of bits is desired, one could mix the simple
technique I've outlined with ciphertext stealing, by enciphering, as our extra block, some whole bytes that have
already been enciphered, the whole left-over bytes, and one byte composed of the left-over bits plus the last few
bits of the already-enciphered byte immediately preceding the ones we've already used.
Once binary encryption is finished, there is the matter of converting the message, in groups of 47 bits at a time, to
a message consisting of letters.
There is some good news with respect to the elaborate fractionation scheme discussed in the previous section. Any
group of more than 35 bits can be represented by some combination of groups of 5 bits and 7 bits. Thus, as long as
the message is sufficiently long, there will be no problem in converting it entirely to base-3 and base-5 digits for
fractionation. However, particularly if after the last chunk of 47 bytes, there are less than five bytes left, and on
general principles in any case (since transposition and fractionation over too small a block is less secure), the odd
part of the message should be fractionated together with the last whole chunk of the message.
But how will we deal with converting a leftover part of the message, less than 47 bits in length, to letters? Again,
some padding will be required.
In addition to the full conversion of 47 bits to 10 letters, the component coding which converted 14 bits to three
letters:
is a reasonably efficient method of converting bits into letters. As well, since two to the ninth power is 512, which
is under 676, we can convert nine bits into two letters as follows:
These charts are, of course, interpreted with the single-letter codings noted in the section on the 47-bit to 10-letter
coding:
aaaa (or bbbb, cccc) will represent a letter from the code:
iii (or jjj, kkk) will represent a letter from the code:
0 Y 1 Z
Using these smaller encodings, the amount of random padding required to convert an arbitrary number of bits to
letters can be reduced.
The amount of padding needed for various numbers of bits can be seen in the following table:
The coding [9][9] is allowed at the end because it produces a number of letters of the form 3n+1, which cannot be
confused with a number of the form 3n, involving only the use of [14] blocks, or a number of the form 3n+2,
resulting from the use of a single [9] block. Thus, the number of letters present uniquely identifies how to convert
the letters to bits, but the bits must then contain information on how many bits of padding are to be ignored (or
this information must be available from somewhere else).
Using the single letter coding [aaaa] once, for the smallest number of remaining bits, allows the maximum
required number of padding bits to be reduced to 4 from 8. This means that only three bits need to be added to the
message to indicate how many bits of random padding are used.
Here, it will be easiest to find the three bits giving the amount of padding if they are the very last three bits
converted, with any padding being between them and the message.
Unfortunately, representing a number of padding bits from 0 to 4 by a three-bit number means that the first bit of
that number has a high probability of being 0. The probability is not a full 80%, as some of the possible lengths
require only from 3 to 0 bits of padding, but it is still a significant source of bias.
One way of solving the problem is to put the information about how much padding is used outside the message,
without encrypting it, since usually the length of the message need not be secret. The only disadvantage of this is
that it complicates the format of messages. In any case, this small quantity of added redundancy should not be a
problem if the alphabetic form of the message is now well-encrypted, and if that encryption includes a
transposition cipher, so that the location of the slight extra redundancy is itself secret.
Once we have finished encrypting the message while it is in alphabetic form, for more efficient transmission, an
armoring of the message was shown above where groups of four letters from the 26-letter alphabet were combined
to form three symbols from a set of 78.
Since no letter as the first letter of a four-letter group coded to 333, a simple way to handle three or fewer leftover
letters is simply by printing the leftover letters all in lowercase. This would permit no confusion to arise.
Note that if one or two letters are left, it is not necessary to print them both in lowercase to remove ambiguity.
They could be printed in any of the three possible encodings, chosen at random. However, that is only useful if
further encryption is performed, and the scheme of 78-character armor was designed to be simple. The absence of
the code 333 during the message introduces bias, and thus if the key for the last encryption step were connected to
the key previously used, a potential weakness is introduced.
Next
Chapter Start
Table of Contents
Home page
[Next] [Up] [Previous] [Index]
Decimal Armor
Since
The method devised by IBM for representing three decimal digits in 10 binary bits which we
saw previously will serve as part of the basis for doing this.
Let ooo (or ppp, qqq) represent a digit from 0 to 7 represented by the following code:
000 0
001 1
010 2
011 3
100 4
101 5
110 6
111 7
0 8
1 9
then, any three decimal digits can be represented within 10 bits as follows:
Since 2^10 is 1,024, slightly greater than a power of 10, this method cannot serve directly for
storing binary bits in decimal digits; it is instead useful for performing the reverse task of
storing decimal digits in binary bits.
oAAABBBCCCDDDEEEFFFGGGHHHIII
Here, o represents a digit from 0 to 7, representing the first three bits of the 93 bits to be
represented. AAA through III each represent three digits, from 000 to 999, representing 10 bits
of the 93 bits to be represented, provided that each group of 10 bits belongs to one of the 1,000
codes out of 1,024 that can be so represented.
nnn0BBBCCCDDDEEEFFFGGGHHHIII
nnn1AAACCCDDDEEEFFFGGGHHHIII
nnn2AAABBBDDDEEEFFFGGGHHHIII
nnn3AAABBBCCCEEEFFFGGGHHHIII
nnn4AAABBBCCCDDDFFFGGGHHHIII
nnn5AAABBBCCCDDDEEEGGGHHHIII
nnn6AAABBBCCCDDDEEEFFFHHHIII
nnn7AAABBBCCCDDDEEEFFFGGGIII
nnn8AAABBBCCCDDDEEEFFFGGGHHH
Here, nnn is a series of three digits from 800 to 999. This involves 200 possible values, 192 of
which are used, to represent the 8 possible values of the first three bits of the 93 to be encoded,
times 24 possible values for one of the groups of 10 bits in the remaining 90 bits. The value
will be generated by the formula 800 + 24 * a + b, where a is the value of the first three bits
from 0 to 7, and b is a number from 0 to 23 representing each of the 10 bit codes, which did
not correspond to three digits in the coding of three digits to ten bits given above, in the
numerical order of these codes, as shown in the table below:
0 1111101000
7 1111101111
8 1111110000
15 1111110111
16 1111111000
23 1111111111
Thus, these codes cover the case where exactly one of those groups has one of the 24 values
which is not covered by the first encoding. Once we cover all possible cases where any
combination of those groups, even all of them, can have such a value, we will have our
complete encoding of 93-bit values into decimal digits. Note that the eight nnn values of 992
through 999 are not used so far.
Here, nnn represents the first 3 bits, and the additional combination from the set of 24 from the
first of the two groups of 10 bits that are of that form. pp, a series of two digits from 00 to 99,
has 100 possible values, 96 of which are used to represent the combination from the set of 24
from the second of the two groups of 10 bits, and which of the 4 arrangements of which groups
of 10 bits have these additional codes allocated to the current numeric code is present. The
numbers in parentheses after the first set of four arrangements show the displacements to be
added in the pp field to the number from 0 to 23 containing the information about the second
group with an auxilliary value.
Now we are dealing with the case where three of the nine groups of ten bits have a
representation from the additional 24 combinations. Together, pp and qq mean that sixteen
different arrangements of these three groups can be indicated. The displacements added to pp
and qq are noted in the parentheses after the first group of 16 combinations. One additional
digit lets us cope with 160 possibilities, but in fact we only need to worry about 84 possibilities.
Here, four of the nine groups of ten bits use one of the additional codes. This involves 126
possibilities. pp, qq, and rr together allow sixty-four combinations to be indicated, so the
additional digit need only be either 0 or 1.
nnn99990ppqqrrssFFFGGGHHHIII
nnn999990ppqqrrssttGGGHHHIII
nnn9999990ppqqrrssttuuHHHIII
nnn99999990ppqqrrssttuuvvIII
nnn999999990ppqqrrssttuuvvww
And there is no problem continuing the encoding, without needing to go back and use the eight
unused nnn values, since we are now dealing with 126, 84, 36, 9, and 1 combinations again,
which we have already seen comfortably fits in the space available, and we now have even
more space with more two-digit fields, each of which contributes a factor of four.
Next
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]
People working with simulation problems on computers have developed techniques for
base conversion that are simplified because they do not need to take this constraint into
account.
One could have a standard pseudorandom number generation routine, and it might
produce numbers from 0 to 32,767 each time it is run. And for a particular problem,
one needs uniformly distributed integers from 0 to 922.
The simplest way of doing this is to note that 15 times 923 is 32,305. So, when you
generate a pseudorandom number, if it is from 0 to 32,304, take the remainder when it
is divided by 923 as your number from 0 to 922, otherwise, discard the result.
This isn't invertible, as more than one sequence of numbers from 0 to 32,768 will lead
to the same sequence of numbers from 0 to 922, but that is not a concern for such an
application. But because it throws away information, it is somewhat wasteful:
particularly worrying is the chance of a long run of pseudorandom numbers from
32,305 to 32,767, which could cause delays.
Let's say you want to convert a stream of random bits into uniformly distributed
numbers from 0 to 999.
Then, you start by taking the bits 10 at a time to give you a number from 0 to 1023. If
that number is less than 1000, you've got a number. (Note that here one does not have a
multiple of 1000, so there is nothing to save when a number is generated. In general,
this will always be true if we start from a stream of bits which we can use in groups of
any size, since if we are using enough bits to give us a number twice as large as the
desired number, we are using one bit too many.)
Otherwise, subtract 1000 from the number, to give you a number from 0 to 23. Treat
that as a base-24 digit, and introduce it into another accumulator (acc = acc*24 +
new_digit) that holds numbers up to 24^3, or 13824.
When this has happened three times, if the number in the accumulator is from 0 to
12999, take the last three digits as your number.
If you want, you can now repeat the process by taking the first few digits, as a number
from 0 to 12, and therefore a base-13 digit, and save them in an accumulator; and, if
you get a result you can't use, a number from 13000 to 13824, you can subtract 13000
and save that result as a base-824 digit.
The process for that case follows the same scheme as the direct process for producing
numbers from 0 to 999, but because the omitted powers of two change the size of the
numbers involved, an exact analogy between the digit sizes involved breaks down at
later steps.
Take seven bits from the keystream, giving a number from 0 to 127. If that number is
from 0 to 124, it is the result. Otherwise, subtract 125 from the number, giving a
number from 0 to 2. Introduce this base-3 digit into an accumulator that holds numbers
up to 3^5, or 243.
When that accumulator has 5 digits in it, it contains a random number from 0 to 242. If
it is from 0 to 124, accept it as the result. Otherwise, subtract 125, and put the resulting
number, from 0 to 117, in another accumulator, and so on.
Where you want to stop, and just throw away unusable results, depends on how
efficiently you want to convert the random bit stream to a random digit stream.
This can certainly be used in cryptography to allow a binary stream cipher to encipher
a plaintext composed of digits into a ciphertext also composed of digits.
If one is enciphering binary plaintext to binary ciphertext, one could use two keystream
generators, for example, one designed to produce pseudorandom base-7 digits from 0
to 6, and another designed to produce pseudorandom base-23 digits from 0 to 22,
independently converting the outputs of each to, say, base 256 using the technique
given above, and using the XOR of the two converted keystreams on the plaintext. The
use of two different bases to produce binary bits, which are then combined in the
binary world, would make many forms of analysis much more complicated. However,
this type of cryptography is vulnerable to timing attacks and related techniques such as
monitoring the power consumption of a chip, because sometimes extra steps are
required to produce the output in a new base.
Next
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]
Message Blocking
Messages sent by rotor machines were often divided into segments of perhaps 300
letters, each segment being enciphered separately, with its own randomly chosen initial
rotor position.
If one is writing a simple encryption program in a language like BASIC, there is a clear
advantage to doing something like this as well; it allows one to keep an entire block of
the message in an array in memory, instead of doing multiple passes of encryption over
a disk file. It is also particularly useful when transposition ciphers are being used
among the steps in the process. Avoiding saving intermediate results on disk has speed
advantages, and there are security advantages as well, although a discussion of dealing
with swap files (in Microsoft Windows, IBM OS/2, and Linux) is beyond the scope of
this discussion.
With computer encryption, the possibility occurs of turning message blocking into an
additional factor contributing to the difficulty of cryptanalysis. The beginnings and
endings of blocks could be concealed.
These rules are reproducible at the other end. The last rule, though, introduces some
bias into the length of the last two blocks that a more complicated rule could avoid (the
message should be divided into two parts, where the first part and the last part both
have a minimum possible length of 128). One could, if one has the length of the entire
message available initially, first calculate a division of the message into blocks, and
then transpose the block lengths.
A more complicated program could use a different division of the messages into blocks
for each phase of a multi-step encryption. One would simply need a pair of 383-byte
buffers between each stage of encryption. And one might only divide the message into
blocks for transposition phases, since such a division isn't needed for encrypting a
message with a block cipher like DES or with a stream cipher as urgently as it is for
transposition (and fractionation) stages.
Next
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]
A reason for having messages armored as letters only would be to allow them to be
transmitted using Morse code. The characters of Morse code are different in length, and the
shorter symbols stand for the more common letters of the alphabet.
One could use a Huffman code for the English language to convert bits into letters; the
result then would have a frequency distribution that somewhat resembled English text. But
given that we know the bandwith cost of each Morse symbol, can we devise an optimal
coding into letters that minimizes transmission time of a message in Morse format?
Given that a dot takes one unit of time, a dash three units, and the spaces between dots and
dashes in letters take one unit, the time each letter takes can be calculated. However, since
one consideration in coding is how many letters are produced (if one wants to produce
fewer letters, one would use the ones with longer codes more often), one must also consider
overhead costs; the space between letters takes three units, and spaces between words take
five units. This last, if we are sending our message in five-letter groups, is convenient, since
it lets us avoid fractions, so 4 units of overhead are included in the bandwith cost of each
letter.
A 9 E 5 I 7 M 11 Q 17 U 11 Y 17
B 13 F 13 J 17 N 9 R 11 V 13 Z 15
C 15 G 13 K 13 O 15 S 9 W 13
D 11 H 11 L 13 P 15 T 7 X 15
One way to approach the problem of optimized coding into Morse is to ask this question:
for what set of probabilities p(letter) is Morse an optimal coding? Knowing these
probabilities, one can then construct a Huffman code for such a source of letters, and use
that in reverse to convert bits into letters, approximating, as closely as possible if we restrict
ourselves to such a simple technique instead of something better, such as arithmetic coding,
those probabilities in our stream of letters.
Huffman codes have different lengths; it is immediately obvious that a Huffman code is
optimal if the symbol with a 3-bit code has probability 1/8th, a symbol with a 5-bit code has
probability 1/32nd, and so on. But a variable length coding into digits would give symbols
with the same ratio of lengths probabilities of 1/1000 and 1/100000, which have a different
ratio to each other. Since working out a Huffman code involves adding probabilities, this
would make a difference. So we need to work out the "worth" of one unit of bandwidth cost
in Morse code to do this, for a reason that resembles our need to count the overhead in the
cost of each letter.
Thus, given that there is one symbol (E) with bandwidth cost 5, two symbols (I, T) with
bandwidth cost 7, and so on, we need to solve the equation:
in x. This equation is not linear (although, as a polynomial in 1/x, doubtless it can be solved
analytically with the aid of elliptic integrals), but it can be solved using a binary search
method to obtain an approximate value of x. The solution that can be obtained in this
fashion indicates that we should consider each bandwith unit to be a symbol with
1.35999638070642 possible values; in other words, each bandwidth unit contains about
0.4436028 bits of information. Note that this only applies when the transmitted message
consists only of letters, since it derives from that particular set of symbols; the value would
be higher if, for example, we allowed ourselves to send digits by Morse code as well.
5 E 0.214937 2 bits
7 I T 0.116208 3 bits
9 A N S 0.062829 4 bits
11 D H M R U 0.033969 5 bits
13 B F G K L V W 0.018366 6 bits
15 C O P X Z 0.009930 Four 7-bit codes, one 8-bit code
17 J Q Y 0.005369 8 bits
and when we work out a Huffman code on this basis, it comes out very nicely, with only
one case where we must assign different-length codes to symbols with the same probability.
which is the one that results from the tree used to determine the Huffman code; a more
direct one, based on the lengths in the table above, would of course be:
00 E 10110 D 110111 F 1111010 C 11111110 Q
010 I 10111 H 111000 G 1111011 O 11111111 Y
011 T 11000 M 111001 K 1111100 P
1000 A 11001 R 111010 L 1111101 X
1001 N 11010 U 111011 V 11111100 Z
1010 S 110110 B 111100 W 11111101 J
which just assigns symbols in order to the letters in the various length groups.
This particular coding sends an average of 968 bits in 2190 bandwidth units, for an average
of 0.4420091 bits per bandwidth unit, just under the theoretically possible maximum of
0.4436028 bits per bandwidth unit given above.
Next
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]
Steganography
The preceding section described a way of preparing the output from encipherment for transmission. There, the
purpose was simply to allow the text to be transmitted properly.
Another form of ciphertext preparation, which can be considered an encipherment method in itself, is designed to
conceal another secret: that there even is an encrypted message being stored or transmitted.
● A message could be concealed in the second letter of every word in a cover message, or in the third letter
in the first word of each sentence. ("Accepted your overture. Next Friday, about eleven, come away
anywhere." = Cover blown.)
● One could use a jargon code, where words related to a sensitive topic are replaced by equivalent words
about an innocuous topic. ("Uncle Bill is leaving on Tuesday" = The Saratoga sets sail on Tuesday; "Joe is
in the hospital" = Joe is being held by the police.)
● A series of lists of alternative phrases from which a paragraph can be built can be used, where each choice
of a phrase from a list conceals one letter of a message. This method was published in 1518 in the
Polygraphiae by Johannes Trithemius, but was also still used during World War II, as noted in the recent
book From Silk to Cyanide.
The first method listed above can lead to a stilted cover message that obviously has something wrong with it.
Thus, improved forms of this method that involve concealing something subtler than a letter of the message in
each word of the cover message have been devised.
As we saw in the section on fractionation, one can encode the letters of the alphabet as follows:
and so convert a message composed of letters into one composed only of the digits 1 through 3. Then, a word of 1
or 4 or 7 syllables could stand for 1, a word of 2 or 5 syllables for 2, a word of 3 or 6 syllables for 3. This system,
among others, is discussed in Helen Fouché Gaines' [Elementary] Cryptanalysis, which begins by discussing such
systems, continues with transposition ciphers, and only afterwards introduces substitution ciphers. This is, in a
way, a logical order for introducing the subject, since with each step the letters of the original message become
less accessible. (But on the other hand, the case of simple substitution, because it is so familiar, is one that is
attractive to discuss first.)
And, of course, a letter can also be converted into five digits which are all either 0 or 1. Long before Èmile
Baudot, using a and b as his two symbols, Sir Francis Bacon discussed such a representation of the alphabet
specifically for the purpose of steganography.
If we're discussing binary coding, we may as well address the computer era.
The fact that images can be usefully subjected to lossy compression methods has suggested that extra information
could be concealed in them.
One popular format for storing pictures on a computer involves first determining 256 colors, each one expressed
as three one-byte values for each of its Red, Green, and Blue components, which are optimal for rendering the
image with as little change as possible, and then providing first a table of the 256 colors used, and then the image
with one byte indicating the color from that table to be used for each pixel. The image in that form is compressed
using a form of lossless compression.
A popular steganography program conceals a bit in every pixel by ordering the 256 colors so that similar colors
are adjacent to each other in the table, and then modifying each pixel so that the least significant bit of the color
code for that pixel has the right value.
For other forms of image encoding, one might wish to place one's message more directly in the image itself. One
way of doing this might be as follows:
Compress the image using a lossy technique such as JPEG. Then, modify the original image so that the differences
between it and the compressed image, on a pixel-by-pixel basis, contain the message.
Since the idea will be to send only the modified image, it will be necessary to check that the modified image,
when compressed by the same technique, produces a compressed form which has the same differences from the
modified image as the compressed form of the original image did. This requires a coding which does not disturb
the compressed image excessively, and it requires a coding which is flexible, so that different ways of
representing the hidden message are possible.
An example of the kind of coding that might work is noted below. 0 represents an unchanged pixel, + one that is
made brighter, - one that is made less bright.
The table is not complete. First, one can choose to leave all pixels undisturbed if necessary, and in that case one
skips that group of eight pixels without encoding any data. If one can alter two pixels, and only combinations
where the net alteration balances out are shown, then there are 56 possibilities, so five bits can be coded. If one
can alter four pixels without altering the compressed form of the image, then there are 420 possibilities, so eight
bits can be coded.
If JPEG compression does not work well to form a baseline image, one can simplify calculations by using a very
simple lossy compression algorithm: averaging adjacent pixels in pairs.
Of the RGB components of an image, the Green component contributes the most to the brightness, and the Blue
component the least, so using the blue part of the pixel to encode information makes sense.
Note that, due to the current interest in watermarking images, it is entirely likely that the technique described
above may be covered by someone's patent at this time.
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]
Since some block ciphers, including DES, are very secure against someone
determining the key even when the plaintext as well as the ciphertext is known, using a
document somehow as the key to a block cipher like DES rather than as the plaintext
input might allow the ciphertext output to function as a secure hash.
This kind of approach, but used with specially constructed block algorithms which
operate on larger blocks, and with the text being hashed used as a source of subkeys
rather than keys from which keys for multiple rounds are derived, is the common
method of performing secure hash functions. Only one such method, the Secure Hash
Algorithm, an NSA design which is similar to, and based upon, MD4 from RSA
Laboratories (and also similar to MD5 from RSA Laboratories, also an MD4
descendant) will be described here.
In general terms, SHA-1 and MD5 look like a block cipher, operating on a fixed initial
value, with the message being hashed providing the subkeys for the block cipher's
operation. However, they do somewhat more than that, and they must do so, because it
is trivial with DES, for example, to produce any desired value for the final output by
varying the last two subkeys; thus, collisions could be produced essentially at will for a
hash function which operated in that way.
SHA-1, which we will examine in full detail in the next section, expands 16 32-bit
words of message text to 80 32-bit subkey words with a shift-register technique. And,
after 80 rounds of the hash function are applied to the 160-bit value, the original value
and the result value are combined together (using 32-bit addition with no carries
between words) to make the hash operation noninvertible.
Thus, SHA-1 heeds the lessons of work done on using DES or similar block ciphers to
hash messages. The following diagram illustrates the two basic methods of doing that
involving a single encryption for a message block which are believed to be secure, plus
a method using two encryptions per block:
The first method uses the same principle as found in SHA-1: the message block is used
as the key for encrypting the previous hash value, and then both the previous hash
value and the encrypted version are XORed together.
Seeing these methods had inspired me to think of the third structure shown in the
diagram, where the results of encrypting the previous hash value with the message
block as the key and of encrypting the message block with the previous hash value as
the key are XORed together to produce the new hash value.
While that would be an unnecessary complication for a hash using actual block ciphers,
with their complicated key schedules and large number of rounds, this might well be a
useful structure on which to base the design of a new hash function.
But although this method has greater security in some ways, it has one flaw: one can
produce a zero hash result with a message block that equals the preceding hash value,
because it is symmetrical. There might be a way to exploit this to cause hash collisions.
● Description of SHA
Table of Contents
Main Page
[Next] [Up/Previous] [Index]
Description of SHA-1
Expand each block of 512, when it becomes time to use it, into a source of 80 32-bit subkeys as follows:
the first 16 subkeys are the block itself. All remaining subkeys are generated as follows: subkey N is the
exclusive OR of subkeys N-3, N-8, N-14, and N-16, subjected to a circular left shift of one place. (This is
the mysterious circular left shift added after the original version of SHA was released.)
as input for the processing of the first 512-bit block of the modified message,
Encipher the starting value using the 80 subkeys for the current message block.
Add each of the 32-bit pieces of the ciphertext result to the starting value, modulo 2^32, of course, and
use that result as the starting value for handling the next message block.
The starting value created at the end of handling the last block is the hash value, which is 160 bits long.
The main calculation in SHA enciphers a 160-bit block using 80 32-bit subkeys in 80 rounds. This
calculation is somewhat similar to a series of Feistel rounds, except that instead of dividing the block into
two halves, it is divided into five pieces. An F-function is calculated from four of the five pieces,
although it is really the XOR of a function of three of the pieces and a circular left shift of a fourth, and
XORed with one piece, which is also modified by being XORed with the current round's subkey and a
constant. The same constant is used over each group of 20 rounds. One of the other blocks is also altered
by undergoing a circular left shift, and then the (160-bit) blocks are rotated.
Calling the five pieces of the 160-bit block being "encrypted" a, b, c, d, and e, the rounds of the SHA
"block cipher" component proceed as follows:
● Change a by adding the current constant to it. The constants are, in hexadecimal:
❍ For rounds 1 to 20: 5A827999
❍ For rounds 21 to 40: 6ED9EBA1
❍ For rounds 41 to 60: 8F1BBCDC
● Change d by giving it a circular right shift of 2 positions (or, for consistency, a circular left shift
of 30 places).
● Then swap pieces, by moving each piece to the next earlier one, except that the old a value is
moved to e.
New algorithms were announced shortly after the selection of Rijndael as the Advanced Encryption
Standard, SHA-256, SHA-384, and SHA-512. The SHA-384 algorithm is essentially the same as the
SHA-512 algorithm, but with a different starting value, and with the final result truncated to 384 bits.
Although full specifications for the three new algorithms are available here, I thought I might explain
them here as well. (Although I have a description of RIPE-MD available, it was rather too complicated to
easily describe in full.)
Description of SHA-256
The SHA-256 algorithm is very similar in structure to SHA-1, but not only does it use eight, rather than
five, 32-bit subblocks, but there are other ways in which it is not analogous.
For SHA-256, the message is padded, and divided into 512-bit blocks, in the same way as for SHA-1.
From each block, considered as 16 32-bit words, 64 (rather than 80) 32-bit words are produced, the first
16 being the block itself, and the remaining words being the sum, modulo 2^32, of the following
quantities:
One round of the part of SHA-256 that looks like a round of a block cipher is performed for each of these
64 words. For the first block, the initial input values to SHA-256 are:
which are the beginnings, in hexadecimal, of the fractional parts of the square roots of 2, 3, 5, 7, 11, 13,
17, and 19.
● a word consisting of those bits in the sixth word of the block which correspond to bits of the fifth
word of the block that are ones, and those bits in the seventh word of the block that correspond to
bits of the fifth word of the block that are zeroes;
● the current one of the 64 words to which the 16 word block is expanded;
● the current one of 64 constants introduced into this phase.
The eighth word of the block is modified by having this intermediate result added to it modulo 2^32.
The resulting incompletely modified new value of the eighth word in the block is then added to the fourth
word in the block modulo 2^32.
Then, two additional quantities are added to the eighth word in the block modulo 2^32:
● A word whose bits are 1 if and only if two of the corresponding three bits taken from each of the
first, second, and third words in the block are 1;
● The XOR of the following three quantities:
❍ The first word in the block rotated right 2 bits,
Finally, each of the eight words of the block that will ultimately become the hash is moved to the position
of the next word in the block, with the first word in the block being replaced by the modified eighth word
in the block.
The 64 constant words, added to each word in the expanded block, are:
After this has been done 64 times, the final result is the sum, by individual words modulo 2^32, of the
result of this transformation and the original eight-word input.
Thus, one important difference between SHA-256 and SHA-1 is that the nonlinear functions do not
change during the hashing of a block, but instead of having only four constants, each of which is used for
20 words, there are now 64 constants, each used for only one word.
Description of SHA-512
SHA-512 is very similar to SHA-256, but not in the way that SHA-256 is similar to SHA-1. SHA-256
and SHA-1 both operate on 32-bit words, although the former operates on a block of eight of them, and
the latter operates on a block of five of them. On the other hand, SHA-512 operates on eight 64-bit
words, but the procedure it applies to them closely resembles that of SHA-256.
From each block, considered as 16 64-bit words, 80 64-bit words are produced, the first 16 being the
block itself, and the remaining words being the sum, modulo 2^64, of the following quantities:
One round of the part of SHA-512 that looks like a round of a block cipher is performed for each of these
80 words. For the first block, the initial input values to SHA-512 are:
6A09E66713BCC908 BB67AE8584CAA73B
3C6EF372FE94F82B A54FF53A5F1D36F1
510E527FADE682D1 9B05688C2B3E6C1F
1F83D9ABFB41BD6B 5BE0CD19137E2179
which are the beginnings, in hexadecimal, of the fractional parts of the square roots of 2, 3, 5, 7, 11, 13,
17, and 19.
● a word consisting of those bits in the sixth word of the block which correspond to bits of the fifth
word of the block that are ones, and those bits in the seventh word of the block that correspond to
bits of the fifth word of the block that are zeroes;
● the current one of the 80 words to which the 16 word block is expanded;
● the current one of 80 constants introduced into this phase.
The eighth word of the block is modified by having this intermediate result added to it modulo 2^64.
The resulting incompletely modified new value of the eighth word in the block is then added to the fourth
word in the block modulo 2^64, and this is the permanent modification of that word for the round.
Then, two additional quantities are also added to the eighth word in the block modulo 2^64:
● A word whose bits are 1 if and only if two of the corresponding three bits taken from each of the
first, second, and third words in the block are 1;
● The XOR of the following three quantities:
❍ The first word in the block rotated right 28 bits,
Finally, each of the eight words of the block that will ultimately become the hash is moved to the position
of the next word in the block, with the first word in the block being replaced by the modified eighth word
in the block.
The 80 constant words used in SHA-512, derived from the fractional parts of the cube roots of the first
eighty primes, are:
After this has been done 80 times, the final result is the sum, by individual words modulo 2^64, of the
result of this transformation and the original eight-word input.
Description of SHA-384
As noted above, SHA-384 is identical to SHA-512, except that only the first 384 bits of the hash value
are used, and the starting value to the portion that manipulates an eight-word block is different.
It is:
CBBB9D5DC1059ED8
629A292A367CD507
9159015A3070DD17
152FECD8F70E5939
67332667FFC00B31
8EB44A8768581511
DB0C2E0D64F98FA7
47B5481DBEFA4FA4
Next
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]
Hardware Security
Originally, encryption was carried out using pencil and paper. Some cipher machines,
such as the Enigma and the desktop Hagelin lug and pin machines, had lockable
cabinets. This meant that the machines could be operated by someone who, not having
the key, could not directly access either the rotor wirings or the alphabet ring settings
of the Enigma, or the lug and pin settings of a Hagelin machine.
Among the measures it is possible to take with dedicated cryptographic hardware are
the following:
● Opening the box can cut power to internal RAM, in which keys are stored.
● If keys are stored in non-volatile memory, these keys can be encrypted. The
decrypted versions would only be put in RAM, and the master key used to
decrypt them would not be placed in non-volatile memory, but would instead be
entered whenever the device is turned on, and then stored in RAM.
● The device must allow the input of keys, but need not allow their output.
● The device may allow output of keys in encrypted form only, for backup
external storage.
● And at the time of input, a key could be labeled as being for test purposes,
rather than for actual encryption. Such a test key, in addition to being allowed to
be output in plain form, would also allow the output of intermediate results in
the encryption process, for test and validation of the encryption device.
● The device can ask for passwords, allowing only authorized people to set keys
(so that an attacker could not set the device to use a key that he knew), or
perform diagnostic tests, or encipher or decipher with the device. Also, the
device could store several keys, with different users able to use only certain of
these keys, and perhaps for enciphering or deciphering but not both.
● Other measures, such as sealing the device with special labels, or covering
circuitry with a potting compound, can be used to protect the hardware against
tampering, such as attatching bugging devices, or altering the internal programs
to bypass some security features.
Another advantage of special-purpose hardware is that one element missing from the
desktop PC can be added; a hardware source of true random numbers.
Normally, when a home PC is used for encryption, the result of the encryption process
is a disk file, which is transmitted later, so any electronic leakage is in the form of
unwanted radiation from the computer at the time of encryption. If one is dealing with
special-purpose encryption hardware, however, the output may be an actual electrical
signal which is fed to a radio transmitter or a telephone line. In that case, it is necessary
to be concerned with electrical leakage within the device from wires carrying the signal
containing the plaintext to wires carrying the signal containing the ciphertext.
To prevent this, precautions are taken which are sometimes termed "red/black
separation". The portion of a device that handles the plaintext is termed red, and the
portion that contains only signals which may be sent to the outside world is termed
black. This is accomplished through separating functions on different circuit boards,
using shielding within the device to isolate its separate parts.
When a high level of security is required, since at least when the ciphertext is first
generated, it is generated inside a chip that gets plaintext as input, the possibly
contaminated ciphertext signal can be routed to a shielded area containing a circuit that
re-generates the plaintext waveform, with its own clean clock signal and so on.
Analogous techniques are used to separate the digital and analog areas of high-quality
CD players.
I have recently heard of an idea called "software TEMPEST". The paper by Markus
Kuhn and Ross Anderson deals with this topic in a sophisticated fashion, but I present
here a much more simplistic scheme that may also already be offered for use by
someone out there. While the simplistic scheme allows small characters and the use of
a limited number of colors, it is not something I take too seriously. While measures of
this sort cannot completely prevent electromagnetic eavesdropping, as they do weaken
the easiest method of exploiting such leakage, they might still be as effective as any
simple measure that ordinary computer users are likely to take.
Given that the typical PC uses a monitor with independent signals for Red, Green, and
Blue, rather than a monitor recieving a composite signal for CGA, it is difficult for an
eavesdropper to distinguish between the three colors. However, visually, green is much
brighter than blue, and red, although slightly brighter than blue, is also not as bright as
green.
This diagram illustrates both what this scheme is supposed to achieve, and how it may
fall short: the Red, Green, and Blue signals are shown as waveforms, and their sum,
although it is a square wave varying between one signal and two, and even spikes due
to signals crossing with slight time discrepancies are avoided, would still betray the
text on the screen because of real-world variations between the three electron guns in a
CRT. This is shown in the diagram in a very simplified form; a stray inductance causes
ringing in the blue signal, while too much capacitance to ground smears the green
signal.
A truly determined eavesdropper has the options to listen to other signals from your
computer, as well as finding small differences in timing or level between the three
color signals, or even exploiting the fact that the three electron guns in a CRT are
physically displaced from one another.
To avoid leaking any useful information at all, subject to the assumption that the
eavesdropper cannot distinguish between the Red, Green, and Blue signals these rules
are followed in producing text like this:
● In background areas, odd pixels are always purple; even pixels may be red or
blue.
● In foreground areas, odd pixels may be blue-green or yellow; even pixels are
always green.
● A transition between background and foreground only takes place where the
foreground pixel is odd and the background pixel is even. In such a transition,
either the background pixel is red and the foreground pixel is yellow, or the
background pixel is blue, and the foreground pixel is blue-green.
This requires that the text characters always begin and end on an odd pixel; this can
even be done with a 5 by 7 font, provided one allows it to have a chunky, squarish
appearance.
The intent of these rules is to ensure that, between any two pixels, there is always
exactly one of the three additive primaries, Red, Green, or Blue, that changes between
on and off, and furthermore, that the change always alternates between on and off, two
being on for every odd pixel, and one being on for every even pixel.
And, since web pages are viewed at higher resolutions than is consistent with the
normal use of a 5 by 7 font, here is the same illustration at double size:
which gives a more accurate illustration of how such text might appear in actual use, on
the type of low-resolution eight-color display to which it is suited.
The "software TEMPEST" technology and fonts of Kuhn and Anderson, for which
they hold a patent, involves fonts that are far less bizarre, perhaps looking somewhat
like this:
Their paper also notes that an early proposal for something similar took advantage of
the fact that early video displays needed to return to black after each pixel to prevent
blooming, and so I suppose that would have allowed one to get away with using a font
that looked .
Incidentally, my design for a strange font can be used to provide a fairly transparent
security against another form of interception with a small change: if one exchanges the
roles of the red and green components of the image, the text is no longer readable
normally, but becomes quite legible when viewed with a red filter:
and, of course, techniques for producing altered text with this property are quite old,
having been used in merchandising contests, children's games, and even for
programmed instruction.
It might also be noted while this variant would also provide the same limited protection
against RF interception from a CRT as my original variation, neither would be useful
for that purpose on a laptop, where the second version is most useful against casual
eavesdropping, since laptop displays go through the colors in sequence instead of
simultaneously. The principle of Kuhn and Anderson, on the other hand, can be used
with laptops, but the font needs to be designed for the particular ordering of red, green,
and blue stripes used in a given laptop. The principle required for a laptop, or other
LCD display, is illustrated below:
Can anything be done in the extreme case when this is absolutely not possible, and one
knows one's adversary can see everything you type, and everything that appears on
your computer screen?
This system, too complicated, I fear, for practical use, and not actually that highly
secure when an eavesdropper is present (the amount of time that one spends looking at
a particular screen is important side information) I at least think might be suited to the
purposes of a spy novelist who wants to write an exciting story involving a struggle to
decode a message.
Let us say that the individual trying to encode a message uses a computer program
which, using a key and a fancy algorithm, generates random numbers then used to
produce screens like these:
0 YEJTLUNSWRHPFKCQDAMOXBVGIZ
1 KGYQULXIAHZOCBJSTDNFWERVPM
2 ZGUXMLHQPOBYAIFDNJETRSCVKW
3 AVNUYLPSGXORIQFCBZKWTJDHEM
4 PJGAWRUCBLZQKYNSETIDMVXFOH
5 QRTNXSKLWUGBJHEZYOFMVCAPDI
6 ISJQBPAXGTYRWOLNHCMKUFZEDV
7 ZHJMRQCNKTWLXPYEOUBDAVGIFS
8 UNYQKLVAOPFTISRJMEXCHWGBDZ
9 LRCUOWIVGTEYASFPDXBJMQNZKH
0123456789
----------
0 9498261073
1 5032717568
2 3187503914
3 4270134132
4 6915325341
5 1766098250
6 7301650687
7 8523972825
8 0649849409
9 2854486796
To make use of these screens, our spy or diplomat or whatever has memorized a secret
number: 563. Also, the acronym PCB, standing for Plaintext/Cipher/Both (instead of
polychlorinated biphenyl) is part of the system.
The first step in enciphering a message letter is to look for the leftmost 3, 5, or 6 (the
three digits of one's current secret number, of course) in a column within the two rows
of digits under the set of alphabets. If none is found, or if both digits in the first column
with one are from that set, the screen is skipped. Also, if a blank rather than a digit
shares the column with our first digit from the set, we skip the screen.
Here, we find a 3 with a 7 above it in the first column. The two digits after the 3 are 12.
(If the two digits after the number found were the same, we would again skip the
screen.)
Since 3 is the third digit of our secret number, "Both" applies: which of the three digits
of the secret number is the one found alone in the two rows of digits determines
whether a Caesar shift of 1 is applied mentally to the plaintext letter, the cipher letter,
or both letters.
Our plaintext letter is T. We bump it ahead in the alphabet (Both includes plaintext) to
U, and look for U in alphabet 1.
X is found before it - we alternate from left to right as we go through our message (as
part of the 'system' and not the 'key', this sort of thing would provide no security, but
other agents could use a different rule) - in alphabet 2. It's changed to Y, since "Both"
includes ciphertext.
Meanwhile, after the 7, the next three digits are 428. These are used to derive the three-
digit secret number used for enciphering the next letter in the message.
On the next screen, we put the digits 428 in at the side, and our secret number 563 is
the key, used at the top. So our new secret number is 239. We only look for a new
secret number if we had not skipped the immediately preceding screen with rows of
letters.
Next
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]
Key Management
In the simplest case, when two individuals wish to communicate secretly, all that is
needed is that they prearrange a key which only they share. If each one generates a
public key, keeping secret the corresponding private key, then only authentication of
the public key, not secrecy, is required to allow the two to correspond securely.
Already, though, we have met one case where things become more complicated than
that. In the conclusions to Chapter 2, it was observed that if two correspondents, or a
larger pool of trusted correspondents, wish to exchange securely a large number of
messages, in a cipher with a limited resistance to cryptanalysis, it is necessary to
change the key that is used on a frequent basis.
The general practice for this has been to divide the key into three parts. One small part
is changed with each message, and may be sent in the clear or encrypted somewhat as
required. Another part is kept secret, and changed each day, from prepared lists issued
monthly. A third part involves secret elements of the cipher system, such as rotor
wirings, that are not practical to change rapidly, but which still can be altered from
time to time.
This illustrates how key management becomes more complicated in order to solve the
problem of limiting the amount of text transmitted with the same key.
We will be examining in this section key management measures intended to solve other
problems.
Looking at the IBM key management scheme outlined in their Journal of Systems and
Development shortly after the announcement of DES, we will see a system designed to
solve the problem of secure communications in a computer system where the operating
system is not fully trusted, and even legitimate users of the same computer system are
not trusted with each others' communications. Hardware with a very limited capacity to
store keys is used to provide the required security.
Kerberos is oriented towards a case where users, rather than terminals, have keys, and
deals with the problem of the initial identification and set-up of a user, in a system
where communication links can be tapped, but some computer systems are trusted to
some extent, and encryption may be performed in software.
The section on military key management discloses no secrets (I don't know anything
secret; if I did, I would not be writing so chatty a web page on so sensitive a topic as
cryptography) but it examines the problem of maintaining the security of
communications in a wide communications network, in the face of compromise of
some of its parts.
The section on "Red Thread" resistance discusses how computer (object) programs and
cryptographic hardware can be rigged, and ways to avoid that danger.
The section on Key Escrow deals with a subject that has aroused controversy; how to
provide supervisory access to encrypted communications without (otherwise)
compromising their security.
The functions provided by the terminal cryptographic facility were simple enough, and
besides being easy to understand, will make apparent the general thrust of this system.
An authorized person can set up a terminal with a "terminal master key". This is called
the WMK (Write Master Key) operation.
Regular users will, in normal operation, be supplied with session keys by the host
system which will be encrypted with their terminal's master key. Loading such a key
into the terminal cryptographic facility means that it will decrypt that key, using the
terminal master key, and will then store the result as the current working key. This
operation is called DECK (Decipher Key).
Once a working key is loaded into the facility, it can be used to encipher and decipher
via the ENC (Encipher) and DEC (Decipher) operations.
One can use an LKD operation, or even a DECK operation, to load the device with an
invalid key to clear the key after one is finished.
The Host Cryptographic Facility
The cryptographic facility at the host is, like that at the terminal, assumed to have only
limited storage for keys. However, it has to communicate with a number of terminals
which is not to be strictly limited. Also, the host is assumed to be a time-shared
computer system. Therefore, the cryptographic facility only retains master keys within
itself, and must be supplied, each time it is used for decryption or encryption, with any
session or terminal key (which may itself be encrypted) to be used for that operation.
(It is noted, however, that an encrypt or decrypt operation may be extended to encrypt
or decrypt multiple blocks for one decryption of the key.)
Like the terminal facility, there is an operation which can only be performed by
authorized personnel, SMK (Set Master Key) which initializes the device by loading
it with its master key. Later, we will see that there are some operations which need, for
security, to be done with master keys differing from each other. However, the
descriptions of this design note that it is possible, without destroying security, to use
variants, obtained by a known method, of the secret master key for those purposes -
even as trivial as the master key XOR 0101010101... in one case, and the master key
XOR 110011001100... in another.
The normal data encrypting and decrypting operations are ECPH (Encipher Data) and
DCPH (Decipher Data). These use the master key to decrypt a submitted session key
in external form, and then use that key to either encrypt or decrypt, respectively, one's
data.
Also available is EMK (Encipher Under Master Key), which enciphers data under
the host master key. This instruction is used to prepare keys for later use with the
ECPH and DCPH instructions.
With the instructions we have seen so far, it is clear how secure communications could
be set up with multiple terminals. Initially, at some time when the computer is secured
from other uses, the terminal master keys of all the terminals are randomly generated.
These keys are then entered into the terminals, using their WMK instructions.
Meanwhile, the host system applies the EMK instruction to all the terminal master
keys, retaining only the encrypted versions.
Later, when communications are to be set up with a terminal, one can proceed as
follows:
The host system will generate randomly a session key. Using the encrypted version of
the terminal's master key in storage, the host system can, using an ECPH instruction,
encipher the session key under the terminal's master key. This encrypted session key
will be sent to the terminal. The terminal can then use a DECK operation to load in the
encrypted session key. Meanwhile, the host computer must also apply an EMK
instruction to the randomly-generated session key to produce a copy of the session key
encrypted with the host master key. Now, when the terminal executes ENC and DEC
instructions with the key it has loaded in, and the host executes ECPH and DCPH
instructions with the encrypted session key, both will be performing DES encryption
and decryption with the original session key, and thus the terminal and host can
communicate.
This does, however, require that the session key be created, and temporarily be stored,
on the host system in clear form. Initially, the terminal master keys were on the host
system in clear form, which is even worse, but this need only be done once, when no
other users are allowed on the system. Additional instructions are present in the host
facility to allow this danger to be avoided.
Also, the session key is sent to the terminal enciphered under the terminal master key.
This can't be changed, but in the present set-up, it's unacceptably dangerous, because
the clear session keys are enciphered under that key using an ECPH instruction. Having
the terminal keys on the host system, enciphered under its master key, means that
someone could intercept the session key in transmission, find the encrypted terminal
master key in storage, and use it to decrypt the session key.
So we wish to keep the terminal master keys on the host system in a safer form, that
can only be used to encrypt session keys, not decrypt them. And we want to avoid
having to have session keys existing in the clear outside the cryptographic facilities at
both ends.
Initially, to create the copies of the terminal master key enciphered under the auxilliary
key, one can use a copy of KM1 enciphered with itself as the first input to an RFMK
instruction; as the second input, a copy of the terminal master key, encrypted under
KM0 as produced by the EMK instruction is used. The copy of KM1 enciphered under
itself is not left available afterwards, so as to avoid giving users the ability to encrypt
arbitrary values under KM1 - with this ability, they could take any quantity enciphered
under the host master key, and translate it to be enciphered under any key of their
choosing, essentially inverting the EMK instruction, and therefore being able to read
any session keys stored for use on the host system.
The other problem, of generating session keys in the clear, is avoided simply: since we
can now start from a session key enciphered under the host master key, and proceed
directly from it to a session key enciphered under a terminal master key, instead of
using the EMK instruction, when we generate a key as a 64-bit random number, we
consider that to be the session key after encryption under the host master key. (Note
that this means that, when we decipher encrypted keys for use with DES, we have to
ignore the parity bits that are usually used to validate DES keys.)
If instead we were to consider it to be the session key after encryption under the
terminal master key, we could instead use an instruction that deciphers under a terminal
master key and subsequently enciphers under the host master key. Such an instruction
might seem less dangerous, since it doesn't threaten to invert the EMK instruction.
Such an instruction will be examined shortly, for use in maintaining encrypted files.
Since the RFMK instruction is already present, and having an inverse of it available
would be dangerous, a second auxilliary key, KM2, is used with this new instruction.
But using such an instruction for communications security would allow people to take
an intercepted session key (enciphered under the terminal master key, from a
transmission) and make it more useful, by converting it to a form enciphered under the
host master key, with which the DCPH instruction allows them to decode the
transmission.
However, when we examine this objection, we also note that the session key encrypted
with the host master key is retained in the host computer's memory in the former case
as well. If we assume that the operating system on the host computer is not secure, then
plaintext going in to or coming out of the host cryptographic facility can always be
intercepted. Some additional assumptions, regarding how some areas of computer
memory are more secure than others, or that long-term security cannot be guaranteed,
but short-term security is assumed, are required to provide genuine effectiveness.
Possibly the RFMK instruction should be replaced by a variant of the ECPH and
DCPH instructions that takes as input, besides the data to be encrypted or decrypted,
the terminal key encrypted under KM1 and the session key encrypted under the
terminal key, so that the session key encrypted under KM0 need never be visible.
The instruction RTMK (Re-encipher to Master Key) takes as its two inputs a key
(generally, a secondary file key) enciphered under KM2, and another key (generally, a
file key) enciphered under the secondary file key (in its original, unencrypted form),
and produces the file key enciphered under KM0 (in which form, it is available for use
with the ECPH and DCPH instructions).
This allows the enciphered file key to be stored with the file. The secondary file key
unlocks the file, so it appears that this key must be kept secret. Instead, since it does
need to be kept in the computer's memory for later use, the RTMK instruction is made
a privileged instruction. While the SMK instruction may require a physical key to
enable it, the RTMK instruction is privileged in the sense that only the operating
system may use it. The RFMK instruction, since its use is in key management, is
restricted in this way as well.
Other master key variants are later discussed in connection with this protocol: KM3,
for handling communications between hosts; KM4 for random number generation; and
KM5 for authentication. These, however, are not stored in the cryptographic facility,
but are protected by the use of the RTMK and RFMK instructions.
Next
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]
Kerberos
The Kerberos protocol, developed at the Massachussets Institute of Technology as part
of Project Athena, is used to allow users to log in securely to computers which belong
to a network.
This protocol assumes a network of computers, with one trusted computer or several
verifying the identity of users to the computers to which they wish to log in, and
supplying session keys so that the communications between the user and that computer
can be encrypted.
Beginning a session with another computer under Kerberos requires the exchange of
five messages:
● First, a message is sent in the clear to the master security server (also called
Kerberos), consisting of the user's login ID and the identity of the security
server (called a ticket-granting server) from which the user is requesting
authentication to open a session with a computer on the network.
● Second, the security server generates a random session key and sends that to the
user, encrypted with the user's secret key. (The user's secret key is a hash of the
user's password.) It also sends the user, encrypted with its own permanent key, a
"ticket", which includes a timestamp, the user's identity, the random session key
divulged to the user previously within this message, and the service the user is
requesting (of the security server).
● Third, the user sends an authenticator to the security server, which consists of
the user's name and a timestamp, encrypted with the user's secret key. This
authenticator is then encrypted with the session key before sending. The ticket,
which identifies the user as authorized to request a ticket for a session with
another computer, is sent back as well, and it is intended that the security server
may safely rely on reading the ticket to find out what the session key is. Also,
the name of the other computer the user wants to communicate with is sent.
● Fourth, the security server responds with another random session key, this one
intended to be used with the requested computer, encrypted with the current
session key for use between itself and the user. And it sends the user another
"ticket"; this one includes a timestamp, the user's identity, the random session
key for use with the requested computer, and the service requested of the
requested computer. This ticket is enciphered with the permanent secret key of
the requested computer.
● Fifth, the user, now having a "ticket" for use with the requested computer,
generates another authenticator, consisting of the user's name and a timestamp,
encrypted with the session key for use with that computer, and also sends the
"ticket", from which the requested computer can verify the user's identity, and
discover what session key is to be used.
It should be noted that while the timestamp on a ticket is intended to prevent replay
attacks, it is valid for a somewhat extended period of time; the timestamp on an
authenticator is only valid for a very brief amount of time, as authenticators are
intended to be only used once.
In Kerberos version 4, when a ticket is sent to a user, it is also encrypted under the key
known to the user at that stage: by the user's secret key in the second message, and by
the session key for use with the security server in the fourth message. In version 5, this
encipherment, not being seen as necessary for security, is omitted to save computer
time. In version 4, the PCBC mode of DES is used for encryption; in version 5, CBC
mode is used, and there is provision for use of block ciphers other than DES.
Incidentally, PCBC mode was used without the transmission of an initialization vector:
instead, the DES key, known to both parties, served as the initialization vector without
being transmitted.
Also, in Version 5, the user's secret key is derived not only from the user's password,
but from "salt", consisting of the user's location on the system and a timestamp added
to the first message. This makes dictionary attacks on passwords somewhat more
difficult, but they are still possible. For this reason, and because there might be
applications where security is desired, but there is no secure initial contact for
communicating a password secretly to the user or the server, there are several proposals
to improve and extend Kerberos by adding steps involving the use of public-key
cryptography to it.
The Kerberos server knows the permanent secret keys of all the users, shown by a red
key beside it for the current user, and the permanent secret keys of all the ticket-
granting servers, shown by a blue key beside it for the ticket-granting server requested.
It responds by providing the user with a session key for communicating with the ticket-
granting server, shown as a purple key. This key was generated by the Kerberos server
at random, so it knows that key also, shown by a purple key popping out of thin air
beside the server. The purple key is in a red box, which means that it is encrypted with
the user's secret key. The user also recieves a ticket, which is shown as another purple
key, plus a red N, in a blue box: the red/blue session key, and the name of the user,
encrypted in the ticket-granting server's key.
The user then presents the ticket to the ticket-granting server, along with an
authenticator - a copy of its own name, and a timestamp, encrypted in the session key.
As well, it sends a green N to the ticket-granting server, to identify the computer for
which it wants a ticket. The ticket-granting server can unwrap the ticket, since the blue
key is its own secret key, and finding the session key it can verify the authenticator. As
well as knowing a secret key of its own, it knows the secret keys of the ordinary
computers it serves, shown by a green key, the secret key of the computer requested in
the example session.
The ticket-granting server then follows in the footsteps of the Kerberos server,
generating a session key (this time shown as brown) for communications between the
user and the computer the user had originally set out to use. This session key is given
to the user enciphered in the purple session key given to the ticket-granting server and
the user by the Kerberos server; it is also enclosed, with the user's name, in a ticket,
which this time is in a green box, that is, enciphered in the permanent secret key of the
computer the user wanted to use.
Finally, the user presents the ticket, and an authenticator, to the computational server,
thus providing it with the brown key which will protect their productive interactive
session.
Note that in the diagrams, the ticket is shown before the authenticator, since the
recieving server needs to unwrap the ticket before it can verify the authenticator. Also,
it might be noted that the use of a timestamp in the authenticator is what distinguishes
and simplifies Kerberos; a more traditional protocol might have the server generate a
random number, send it to the user, and the user then sends it back encrypted with the
session key inside the ticket for authentication. The server can be requested to
authenticate itself; in Kerberos, this is done by sending the timestamp plus one in the
session key.
Next
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]
It had one important limitation: if a user chooses a poor password, that is, not one so
poor that it could be guessed in a few tries at a computer terminal for attempts to
directly log on to the actual system, but merely one poor enough that an attacker trying
thousands of passwords from a list on a computer of his own could find the password
on that list, that user's security can be compromised.
Note that the IBM system examined in the section before it did not have this weakness;
it, however, depended on tamper-proof hardware being present on the user terminals.
With this proviso, it is possible to do anything public-key methods can achieve, and
more. Kerberos, however, did not even use any public-key techniques.
This technique, a dictionary attack, had also been used against password files on
classic Unix systems: two countermeasures were employed to block this attack there:
one was salt, a random value which is hashed with the user's password (this prevents
the attacker from precomputing a dictionary of hashed common passwords, but a
dictionary attack remains possible, just somewhat slower, as the dictionary must be
hashed for each user under attack) and another was a shadow password file (in Unix,
unlike in most other timesharing operating systems, the file with user IDs and the
hashes of their passwords was actually readable by all normal users of the computer),
which meant that the attacker could not read the file with the hashes of user passwords.
Specifically, the second message, from the Kerberos server to the user, contains a copy
of the session key for the dialogue between the user and the ticket-granting server. This
session key is then used by the user to encipher an authenticator which is sent to the
ticket-granting server in the third message. That authenticator contains the current time
and the user's name, and since these two values are public information, a correct value
for the session key, which a correct guess at the password would yield, can be seen to
be correct when these two values emerge.
If the Kerberos server had a public key, and the first message from the user to the
Kerberos server were enciphered in that key, and included a random value which
would be combined with the user's permanent secret key to encrypt the first session
key, an eavesdropper would not have the information available to mount a dictionary
attack.
An attacker who impersonated the user would recieve a copy of the first session key,
encrypted by means of a known function of the user's permanent secret key. But since
the first session key is only a sequence of random bits, the encrypted first session key
would be of no use for a dictionary attack.
If the first message included an authenticator for the user's permanent secret key (the
user's name and the current time enciphered with it), that would further guarantee the
user was genuine, and encrypted it would not be available for a dictionary attack.
If, however, the user only sent the authenticator, encrypted with the server's public key,
and no random padding was used in the public-key encrypted block, then a brute-force
search would still be possible, by noting the time, and creating an authenticator, and
then encrypting it with the server's public key, for every password tried.
Privacy Amplification
Several related techniques have been developed for making use of a small shared secret
such as a password for achieving a high security of communications between two
parties. These techniques have been developed recently, and some of them are
protected by patents.
The simplest of these techniques to understand, and the one that most obviously
provides privacy amplification, is EKE, or Encrypted Key Exchange.
Instead of the parties having permanent public keys, they generate a new public/private
key pair for each session, but each party sends its "public" key to the other party
encrypted, using the small shared secret as the key.
In order for this to work, brute-force search on the small shared secret must be
impossible, hence the portion of the public key that is encrypted with it must have the
form of a string of random bits. Hence, this technique cannot be used by enciphering
the modulus for RSA.
Privacy amplification is obtained, because to read a message, if the encryption
techniques used are effective, one has to do a brute-force search on the conventional
encryption key, and then solve for the private key from a public key for each value
tried in the search.
In SPEKE, the common base, A, is derived from the shared secret. Also, x and y are
equal to twice random integers produced by each party.
Another technique is SNAKE. In this case, the modulus P is a function of the shared
secret. However, instead of just one modulus, a function is provided to create different
moduli based on other inputs in addition to the shared secret.
Thus, both users create a family of secret random numbers; the first one creates x1, x2,
x3 and so on, the second y1, y2, y3. Each user also creates a family of public random
numbers, the first a1, a2, a3... and the second b1, b2, b3 and so on.
P1 is a function of a1 and the shared secret; P2 is a function of a2 and the shared secret,
and so on. (The function is also varied each time, so that if a1=a2, it is not the case that
P1=P2.)
The first user calculates and discloses b1^x1 mod P1, b2^x2 mod P2, b3^x3 mod P3
and so on; the second user calculates and discloses b1^y2 mod P1, b2^y2 mod P2,
b3^y3 mod P3 and so on. So, as in Diffie-Hellman, both users can calculate b1^
(x1*y1) mod P1 and so on.
Finally, in SNAKE, the agreed-upon secret key depends on these secret values, but is a
hash of all the public information exchanged followed by the secret values obtained by
the Diffie-Hellman method.
Both the user and the host know what z is, so subtracting off A^z is not a problem for
the user, but it would be for the eavesdropper.
Thus, the user knows x, A^y, and z, and the host knows A^x, y, and z. The Diffie-
Hellman method is now modified so that what the user and host both know is (A^y)^(x
+z) which equals (A^x*A^z)^y. The user in this method is proving twice to the host
that it knows z. A hash of this calculated quantity is used as the session key.
Other Protocols
One interesting thing that can be done using only a hash function, is bit-commitment or
coin-flipping.
Given a one-way hash function, two people can proceed as follows: each one generates
a random number, and then transmits the hash of that random number to the other
person.
After both have done this, they can then transmit the original random numbers to each
other, and both can be sure that neither party altered his random number based on
finding out what the other person's random number was. Hence, the XOR of those two
random numbers can be treated as if it was a genuine random number by the two
parties (but not necessarily by anyone else) for basically the same game-theoretic
reasons that make playing randomly the best strategy for scissors-paper-stone.
It involves tamper-proof cards and machines into which the cards are inserted; both
customers and merchants have cards, but of two different types.
A customer card contains the customer's ID and two secret keys which are functions of
the customer's ID, and it is able to carry out two secret hash functions. A merchant card
is able to carry out the secret algorithm to produce a customer's two secret keys from
the customer's ID. Both cards can derive a 56-bit DES key from an encrypted message.
● The merchant card transmits the merchant's ID to the customer in the clear.
● The customer card transmits the customer's ID in the clear, and encrypts using
both secret customer keys in turn and sends a message consisting of the
customer's ID, the merchant's ID, and random padding.
● The merchant card decrypts and verifies the message recieved from the
customer. It then uses the encrypted message from the customer, as encrypted
with only one of the customer's secret keys instead of with both, (the
intermediate result in the original encryption is used) to produce a session key.
The merchant card then encrypts using first the session key, and then the other
one of the customer's secret keys, a message consisting of the merchant's ID, the
customer's ID, and random padding.
● The customer's card also generates the session key, and uses that as well as the
appropriate one of its own secret keys to decrypt and verify the message
recieved from the merchant. The merchant's message, encrypted with only the
session key, is used to produce a second session key. The second session key is
used to encrypt the transaction, which consists of the IDs of both parties, the
amount and type of the transaction, and the two secret hash functions of that
information. One secret hash function is for the use of the bank, and the other is
for the use of the clearing center. (Since the customer cards can carry out those
hashes, presumably the merchant cards can also safely be allowed to do so, so
that they can be verified as well.)
Next
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]
In the UNIX operating system, it was decided to put the list of user IDs and passwords
in a text file that was generally available to programs on the system to read, but not to
alter. This allowed programs on the system to make themselves available only to
certain users. To prevent revealing everyone's password, the list didn't contain actual
passwords, but instead a hash function of the password.
This was seen as such a good idea that other operating systems, which already made
the password file inaccessible (as UNIX and related operating systems later did with
"shadow password files") adopted it as well.
However, it still had its limitations. One could not calculate backwards from a hash to
obtain a password. But one could try a list of passwords, hashing each one, until one
matches the hash that is seen. This becomes easier for a computer to do when people
use passwords that are easy to remember; it is called a "dictionary attack", and is the
reason people are advised not to use a single word as a password, but to use special
characters and unconventional capitalization in passwords. Many systems limit
passwords to 8 characters in length, which increases the need to do this, and which
makes it considerably harder to construct a password which is both secure and easy to
remember.
One step that did not make this attack impossible, but which made it a bit less trivial,
was to include "salt" in password files. In this case, the list of passwords contained
hashes of the password plus a random value (which is what was called the "salt"), and
the hash and the random value both appeared in the list. This meant at least that an
attacker had to, based on the random value for a specific user, perform the hash of the
possible passwords in his dictionary once just to attack that user's password. Without
"salt", a dictionary containing precomputed hashes could be used directly against an
entire password file.
Another fundamental problem was harder to solve, since it required that the user's
terminal have local processing abilities: when the user types his password at a terminal,
an eavesdropper could discover the password.
Today, of course, people don't buy terminals, they use their PCs as terminals. So it is
possible for the link between a remote user and a computer to be encrypted.
We have seen in the preceding section that a short shared secret, such as a password,
can be very powerful in combination with public-key cryptography, using methods like
Encrypted Key Exchange.
A number of protocols have been proposed that address the problem of setting up a
highly secure connection between a user and a computer with the help of a password,
as well as addressing the question of security if an attacker can also read the password
file stored on the central computer.
To prevent an eavesdropper from finding information that can be used for a later
fraudulent logon, one can use a challenge-response protocol. In its simplest form, the
user provides his logon ID along with a hash of his password plus a random number
with which he was provided by the computer to which he seeks to log in.
To verify the hash, though, the computer needs a copy of the original password. Of
course, one could keep H(password) on the computer, and make H(H(password)
+random number) the response to the challenge-response protocol. But then H
(password) would be all the information needed to log in fraudulently.
This problem, though, was also addressed by Kerberos. While the password list needed
now to be kept secure, it was kept on a central computer used to maintain security.
Once a user's identity was verified, the user was given a coded credential to use to
prove his identity to the computer that he - and other users - were allowed to use. That
computer didn't have a copy of the password file, and so the fact that people could use
it for their own computations, and possibly compromise its security, didn't put user's
passwords at risk.
Now we will examine various proposals to address this problem which make use of
public-key cryptography as well to gain greater security.
SRP
Note that a dictionary attack on the password (the Diffie-Hellman base and modulus
used have to be available to all users of the system) is possible if an attacker reads
these two items, although the need to perform a public-key computation for each trial
does slow it down somewhat.
PAK-R
PAK-R also proceeds by masking a Diffie-Hellman key exchange. The host computer
retains the user's actual password, or at least the same quantity as is used in the user's
computations, so if the password file is compromised, it is directly insecure, without
even the need for a dictionary attack.
Again, this is not a fatal objection, since one can expect that SRP and PAK might be
carried out on a security server similar to the one in Kerberos.
For PAK-R, Diffie-Hellman calculations are performed on a prime P of the form uv+1,
where u is not a multiple of v. This facilitates masking the Diffie-Hellman exchange.
● The user generates a nonce Diffie-Hellman key pair (x, X=A^x), and calculates
a masked version of his or her public key by calculating a random value r, and
multiplying the public key by r^v and also by h, the hash of the user's password.
This value, X'=(A^x)*(r^v)*h, is transmitted to the host computer.
● The host computer generates a nonce Diffie-Hellman key pair (y, Y=A^y), and
transmits the public key portion of it to the user.
● The user calculates the session key in the normal Diffie-Hellman fashion, by
calculating Y^x, and the host computer determines X^y, also the session key, by
calculating (((X'/h)^u)^y)^U where U is the multiplicative inverse of u, modulo
v.
Again, I omit further steps where this common session key is hashed, and further
hashes are used to verify its joint posession.
Augmented EKE
Let a hash of the user's password (h) be used as the private key for a Diffie-Hellman
key pair, of which the public key is H=A^h.
Use H also as the conventional encryption key for EKE as described in the previous
section in the normal manner. The host computer has a copy of H, so, once again,
dictionary attacks are possible, but this isn't a problem if the host is a security computer
and not the ultimate computational host.
Then, using the session key established by EKE, the host computer generates a nonce
public/private key pair for Diffie-Hellman (y and Y=A^y), and the user's computer
proves that it knows h by successfully establishing communications using the normal
common session key Y^h=H^y additionally protected by the other session key.
Kaliski-Ford
The Kaliski-Ford protocol finally does address the question of dictionary attacks
directly. It does so by distributing the information needed for such an attack over a
network of computers which are peers, rather than having a hierachical system with a
security server. A scheme designed for such an environment is, of course, appropriate
for existing networks in many offices.
A given user has a certain set of servers with which he completes preliminary
authentication. Preliminary authentication produces a credential, or "hardened
password", for the user from each server as follows:
● The user's computer calculates a hash of the user's password. This hash is in the
appropriate range for being used as a private key for Diffie-Hellman with p=2q
+1 where q and 2q+1 are prime (hence, q is a Sophie Germain prime) as the
modulus. The public/private key pair is produced, h the hash and the private
key, and H=A^h the public key.
● The user's computer chooses a random blinding exponent k, and sends H^k to
the server from which a hardened password is desired.
● The server returns (H^k)^e, where e is a hardening exponent for the particular
user on that particular server.
● The user, knowing k, calculates 1/k modulo q, and by raising (H^k)^e which
equals H^(ke) to that power, obtains H^e, the hardened password.
After having obtained a complete set of hardened passwords from the required set of
computers, some sort of hash is taken of all these hardened passwords, and this result is
used as a Diffie-Hellman private key; the corresponding public key is kept on the
computer one wishes to use. So that the same set of hardened passwords can be used
for logging on to more than one computer, the target computer's ID is included in the
hash.
Conclusions
Before hearing of Kaliski-Ford, but because I noted that SRP and PAK were (in their
original versions as discussed here) susceptible to dictionary attacks, instead of simply
accepting that a security server could carry them out, I made the concept of a security
server explicit, and came up with a fairly complicated protocol. Originally, I was going
to use EKE to make the communications between the user and the security server as
secure as possible; but since the computational host can retain no long-term secrets, I
could not ultimately retain the increased security that would provide, so I was able,
without loss, to avoid the use of this patented algorithm.
The main thing that I attempted to add was allowing the actual computational host
computer, which could retain no secrets, to verify for itself that the user was authentic.
This could also have been done simply by having it retain a copy of the security
server's public key, to verify signed messages from it, but I went ahead and did things
the hard way.
The computational host computer is the resource access to which is being controlled.
Since it is a resource that users use directly, though, it cannot keep long-term secrets on
its hard drives, but it is assumed that it can keep short-term secrets in its memory.
Therefore, it is trusted, but not secure. The security server, on the other hand, only
performs the single task of verifying users, and can't be used directly. So the
information on its hard drives is secure. But because the host computer isn't secure, an
attacker might be able to mount an active attack on the connection between the host
computer and the security server, so while the security server itself is trusted, the host
computer does not trust messages recieved from it.
1. The user types his ID (UID) and password (UPASS) on the keyboard of his
computer.
2. The user's computer generates a random number (UR1).
3. The user's computer transmits the following to the computational host
computer:
❍ The user's ID (UID), and
❍ encrypted using the public key of the security server (SPUB), a message
(UR1)), and
■ A hash of this hash, encrypted conventionally with a hash of the
❍ The encrypted message from the user's computer intended for the
8. The host computer retains a copy of this message for future reference.
9. The host computer passes it on to the user's computer.
10. The user's computer thought of the user's random value, UR1, and was given the
user's password, UPASS, and so it knows the hashes of both of them, and can
decrypt message M, obtaining USALT, HR, SR, and HPUB from it. It then
calculates UVERIFY, a hash of H(UPASS) encrypted with USALT as the key.
(That is, UVERIFY = H(E(H(UPASS),USALT)).)
11. The user's computer transmits a message to the host computer encrypted with
the host computer's public key HPUB, consisting of:
❍ The user's random value, UR1,
Instead, it is HR that proves the identity of the user; HR was only transmitted originally
to the security server encrypted with its public key, so only the real security server
could have read it. And the real security server then sends HR to the user's computer
encrypted with H(UPASS) as a key; this value is kept secret by the security server, and
only the user's computer, with UPASS, can decode it.
The following is an extended version of the protocol that brings a modified version of
UVERIFY into the protocol more centrally, using the idea, from Augmented EKE
above, that one can prove knowledge of a quantity by using it as a Diffie-Hellman
private key to decrypt something sent to you by the posessor of the corresponding
Diffie-Hellman public key.
1. The user types his ID (UID) and password (UPASS) on the keyboard of his
computer.
2. The user's computer generates a random number (UR).
3. The user's computer transmits the following to the computational host
computer:
❍ The user's ID (UID), and
❍ encrypted using the public key of the security server (SPUB), a message
(UR)), and
■ A hash of this hash, encrypted conventionally with a hash of the
❍ The encrypted message from the user's computer intended for the
( HR2, UVPUB ).
Thus, the message transmitted is: UID + EPK(H(UR1) + E(H(H(UR)), H
(UPASS)), SPUB) + EPK(HR1 + HPUB, SPUB) + EPK(HR2, UVPUB)
6. The security computer generates a random value of its own (SR). As it knows
its own private key (SPRV) corresponding to SPUB, it can decode the first two
parts of the message transmitted to it. It also has a copy of H(UPASS) for each
user, and therefore it can verify that E(H(H(UR)), H(UPASS)) and H(UR)
correspond. In addition, it has a copy of USALT, a random salt value for the
user as well. This salt value, not stored on the user's computer or the
computational host, is used to calculate the private key corresponding to
UVERIFY. Because the security computer has a copy of H(UPASS), it knows at
this stage that the user is authentic, except for the possibility of a replay attack.
(If the user is not valid, the protocol is halted here.) Now, the task of the
protocol is to convince the computational host computer, which does not
contain any secrets, of that fact, and this will be done so as to eliminate the
possibility of a replay attack. Since information prepared at this stage for
transmission to the user's computer will be encrypted using both H(UR) and H
(UPASS), a replay attacker would not be able to read it.
7. Now the security computer sends a message to the host computer. It consists of:
❍ A copy of the following, encrypted first with H(UPASS) and then with H
12. The host computer has its own password file, which contains a copy of UVPUB
for the user, but not USALT or UPASS or even H(UPASS); since it also knows
HPRV and HR1, it can decode the message, and verify that the user correctly
decoded HR2, which nicely authenticates the user.
Using HR2 as an encryption key, and returning HR1 to the host computer, instead of
the other way around, as I mistakenly did originally in this modified protocol, prevents
an attacker impersonating the host computer from mounting attacks aimed at
discovering the value of UVPRV by transmitting chosen values not encrypted with
UVPUB in place of EPK( HR2, UVPUB ) to the user's computer. (Actually, this isn't
really a problem unless one were to use RSA encryption, instead of conventional
encryption with a key derived from Diffie-Hellman key agreement, but I think it's
appropriate to have a protocol that can be used in a flexible fashion.)
Next
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]
That person may be provided with the public keys of other participants in the network,
and asked to generate a public and private key for his own node.
If public keys are distributed directly to other network members in the same manner
that secret keys are distributed, the problem of authentication is avoided. However,
there is the limitation that a mathematical breakthrough might make it possible
someday to derive secret keys from public keys, because of the restricted number of
public-key algorithms.
That person may be provided with one or more secret keys for conventional encryption.
In that case, these keys are open to compromise by the participants in the network.
That person may be provided with a tamper-resistant hardware module containing key
material which performs encryption functions internally.
Here, no person is provided with key material that can be betrayed; the module can use
symmetric-key algorithms of arbitrary complexity and yet function as a physical
"public key" since it can refuse to perform some possible functions with the key
material it guards within it. However, tamper-resistance is not perfect, and physical
objects can always end up being left behind on a field of battle.
For a military system, it is possible to use all three of these methods of key
distribution, in such a way that the system will remain secure unless all three methods
are compromised.
For each communications session, the session key could be formed from three
components, combined so that no two of them would provide a useful clue to the actual
key.
One component would be transmitted enciphered under the recipient's public key.
Since only the recipient has a copy of his own secret key, unless the recipient's own
terminal is captured, messages to it cannot be read.
Another component would be enciphered under a key manually entered on the device
by the users at both ends. (This key could be enciphered under a user ID, so that while
both users would in effect be entering the same key, they would not know what any
other user would have to enter.) The manually entered key would be retained only in
volatile storage, and would have to be re-entered each time the device was used again
after being unplugged. Unless the keys are compromised in distribution, a person
would have to reveal a key, since it would not be transmitted, nor would it be still
present in the hardware if it were taken for inspection. Another way to provide a
manual component to security would simply be for other data, internally stored in non-
volatile memory, to be encrypted by a user password.
And the third component would be enciphered under key material hidden within
tamper-proof hardware. This would not be transmitted, nor would it be known to any
individuals.
Each of the three components of the system would be adequate to allow session keys to
be communicated securely, unless they were compromised. Since these three
components are vulnerable to compromise through different attacks: either overcoming
the mathematical basis of the public-key system used, or compromising individuals
using the system, or capturing hardware and defeating its tamper-resistance, a setup
that requires all three to be compromised before it will fail has a greater likelihood of
defeating the best efforts of a determined adversary.
In practice, it appears that the U.S. military is able to obtain the benefits of the second
leg of this triad while avoiding its weaknesses, by physically loading encryption
devices with key material from a modified handheld computer (the DTD, or AN/CYZ-
10), probably similar to those gadgets with barcode readers you may see in
advertisements in the back pages of computer magazines. This also allows keeping an
audit trail of the distribution of key material.
Apparently, the job of generating a public/private key pair is not done by some
cryptographic devices that use public-key cryptography, but is instead handled on, of
all things, a desktop PC. At least they're running SCO Unix on the machines used for
this function, rather than DOS. This information comes from a publicly accessible web
site, operated by the U.S. Navy (at least access to their FTP server requires
authorization), a link to which I found on a site with a somewhat out-of-date link on it
to my page as well; the site also noted that at least as recently as 1992, eight years after
the arrests of Walker and Whitworth, the Navy was still using some systems with paper
keylists. This may not be as bad as it sounds, since it is not unreasonable for units to
require an ability to communicate securely even when the power fails. (Said U.S. Navy
site has a link to the "INFOSEC Tip of the Day" which uses a <BLINK> tag. However,
it isn't a header or in large type.)
While I originally thought that external generation of public keys was an unfortunate
concession to technical or cost limitations, I have since realized that my neat and tidy
model of a triad of security features does have one flaw. While there is no
mathematical flaw known in public-key encryption methods that would permit a
passive attack, if a terminal simply thought up its own key pairs for use with a public-
key system, then if the other components of the cryptographic system in use were
compromised, a man-in-the-middle attack could be performed. Thus, a key for a simple
public-key system is not able to make a real contribution to system security unless it is
certified. And it is precisely a connection to an external hierarchy that allows this.
However, the Key Exchange Algorithm illustrates how uncertified key pairs, generated
for each message, can still contribute to security when used in concert with key pairs
for the public component of which a certificate exists.
The ideal, though, would be for a secure communications device to generate its own
private and public key pairs, and submit only the public key to an external authority for
certification through a trusted channel.
As I have noted elsewhere, while a cryptographic program like PGP creates a new
session key for each message, and exchanges it using public-key techniques, one could
obtain greater efficiency by only using public-key techniques infrequently, to exchange
a conventional key used to encipher each message's session key. Such a key, as noted
in the section on the IBM key management system, is called a key-exchange key, or
KEK.
If we consider an encryption device which does not use public-key technology, the
following hierarchy of keys is possible:
● KEKEK: built into the hardware of the device, and not subject to change
● KEK: encrypted with the KEKEK, it is loaded into the device by direct physical
contact
● K: encrypted with the KEK, the key used to encrypt messages is transmitted
along with each message
Building a key into the hardware of a cipher machine, and not allowing it to be
changed, is a weakness. So why is the KEKEK treated this way?
Because one could omit the KEKEK entirely, and simply load the KEK into the device
directly. But this creates the problem that the KEK is carried around in unencrypted
form. If the KEKEK could be changed, with no key "above" it, then it would be the key
carried around unencrypted.
Thus, placing a permanent key on the top does provide some real benefit: the topmost
key loaded into the device is encrypted, even if the key used for that purpose might be
compromised. Continuing the hierarchy upwards, on the other hand, simply begs the
question of how keys are to be protected from compromise.
If public-key techniques are used, however, it becomes possible to usefully extend the
hierarchy upwards by one step:
Since the public key of the device is only used to encrypt a key that is loaded into the
device by physical contact, the problem of key certification is simplified. (It may not be
entirely eliminated, if a key encrypted at one point is carried over a long distance,
along which it is vulnerable to compromise, causing a key to be enciphered using a
public key one has generated may be a useful attack.)
Next
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]
As an example, let us take a program like PGP. How could a malicious programmer
use the available source to produce a modified version of the program that would
appear to operate normally in every way?
When performing conventional encryption, opportunities for mischief are few; but a
modified program could hide an encrypted version of the key used, and the name of the
file it was used on, somewhere on the user's hard disk.
When used for communications with both RSA and IDEA, however, there are many
opportunities for mischief. (Of course, the current version of PGP uses Diffie-Hellman
and Triple-DES instead, but I will avoid confusing complications.)
For example, the session key could be generated from the IV. Having only 2^64
possibilities for the 128-bit session key, out of 2^128, would be hard to detect.
Of course, that only lets the adversary read messages from the person who has the
modified program. What about the messages to him?
The method used to protect users of PGP against this is simple enough: the official
version of the PGP executable was itself signed using PGP.
As a Canadian, able to distribute source code under more favorable restrictions than U.
S. citizens, but still limited by U.S. law for executables I produce on compilers that
come from the U.S., I have considered the question of whether I could make a program
similar to PGP but which would have inherent resistance to tampering, by changing the
protocol used, so that people using such a program, despite my having no control over
the executables, would have some chance of safety.
I have recently learned that the technique which the following paragraphs describe may
be covered under one or more U.S. patents, including patent number 5,673,319, owned
by IBM, covering inventions by Mihir Bellare.
If one uses RSA as the public-key component of such a cipher (at the rate I'm going,
the patent [on RSA, that is. The Bellare patent dates from 1997.] will expire before I
write any code) one can save bandwith as well as improve security by the following
expedient: instead of padding the session key with "random" bits to create a block for
encipherment under RSA, encipher the following under RSA: the session key, the IV,
and as much of the message as will fit. Then, the remainder of the message is
enciphered using a conventional cipher system outside the RSA block.
A malicious programmer could still have the program choose several different values
for the IV and session key, encrypt each one under RSA, and choose to use the one that
had the desired value for a small number of bits to be leaked in the RSA block. This
would be very slow; but one could instead choose different values so as to leak
information in the conventionally-encrypted portion of the message, and the trials for
this would be much faster. Also, even if no information is leaked, if the number of
possible session keys were limited to some small value, say 2^40 or less, then (the
conventionally-encrypted portion of) messages could be read without any leaked
information.
So, I've taken this idea, which seems to help matters, and advanced another step with it.
I propose to allow a program which, like RIPEM or PGP, encrypts messages with a
combination of public and private key methods, to function without generating any
random numbers whatever.
Of course, random numbers are still used to set up an initial choice of RSA keys, and
so a modified program could be designed to choose primes from a set with only 2^40
members. So, 100% security is still not obtained.
What I would do is this: Given the message to be transmitted, I would divide it into
two parts: the first 160 bits, and all the rest. Then, I would obtain a 160-bit hash of the
rest of the message, using SHA. This hash would then be XORed to the first 160 bits of
the message. The result would be used as the session key and IV. (If 160 bits aren't
enough, I would simply take the remainder of the message, and repeat the process,
dividing it into a first 160 bits and all the rest.) Then, the rest of the message (whether
or not it will be later part of the RSA block; this will make chosen-plaintext attacke
more difficult) is encrypted conventionally. Finally, as much of the message as
possible, including of course the entire session key and IV, are encrypted in a block
using RSA.
If the user needs to encrypt multiple copies of the same message, the user can manually
add some random text to the message to prevent the multiple copies from enciphering
identically.
Suppose one is supplied with a chip (or a program) that merely carries out an unknown
encryption algorithm. Obviously, there is the hazard that this algorithm might be
poorly designed, and therefore weak. But there is a way to maliciously design an
algorithm that would appear and be strong, except against attacks by those who set it
up.
Next
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]
Key Escrow
The previous page examined illicit methods of transmitting key information to
someone who has tampered with an encryption program or device. This section looks
at methods where key information is overtly provided to supervisory personnel or
retained for future recovery use. The most well-known real-world proposal will be very
briefly examined here. There are more sophisticated approaches based on extending
public-key encrypton concepts as well.
Some of the systems examined here are intended to allow the government access to
keys for law-enforcement purposes. This is, of course, a highly controversial subject;
questions of the politics of cryptography will be examined in the next section.
Clipper
A secured voice conversation is set up with an 80-bit session key, possibly by the use
of public-key techniques. (If the Clipper chip can not execute any cryptographic
algorithm other than the Skipjack algorithm, which is, like DES, a block cipher acting
on 64-bit blocks, but with an 80-bit key, then the chip designers will necessarily have
at least the potential of eavesdropping on all Clipper-protected messages without use of
the LEAF.)
The Clipper chip encrypts only voice, not data. According to Applied Cryptography by
Bruce Schneier it does so by means of output-feedback (OFB) mode. This is noted as a
potential threat to the evidentiary value of wiretapped conversations, due to the
possibility of a bit-flipping attack. The Clipper Chip, however, performs the conversion
of speech to a bitstream internally; if the apparatus for carrying out authorized wiretaps
also does not provide the decrypted bitstream, but only the spoken conversation, this
criticism is mitigated.
The precise makeup of that field is secret, but it is made up of the following: the 80-bit
session key, a 32-bit unit ID, and a 16-bit checksum. The 16-bit checksum and the 32-
bit unit ID are only encrypted using a "Family key" which all Clipper chips in a
particular network, thus capable of interoperation, share. Thus, the recieving Clipper
chip checks the checksum for validity to enforce the presence of the LEAF.
The 80-bit session key is additionally encrypted by a secret "Unit key". The 32-bit unit
ID indicates which unit key is used.
Two separate government agencies, such as the FBI and the Department of Justice, are
each issued lists of 80-bit quantities associated with each 32-bit unit ID. One list is a
one-time-pad, the other the keys encrypted by that one-time-pad, so that neither list
alone is enough to intercept communications.
When a request for an authorized wiretap is made and accepted, however, the unit key
for the telephone to be tapped is not given out directly, but only as part of an encrypted
authorization message which also includes information about the period of time for
which the wiretap is authorized. (Since a wiretap may involve incoming calls to a
telephone, note that the recieving telephone also must transmit a LEAF of its own
when a connection is made.) Then, special tamper-proof devices would use these
authorization messages on behalf of police departments. Presumably, the two lists of
unit key "halves" are also protected by additional encryption, despite the fact that each
one is composed solely of useless random numbers, to prevent a unit key from being
obtained by simple collusion.
If the validity of the LEAF is determined solely by the 16-bit checksum, then there is a
one chance in 2^64 probability of establishing a connection even with a scrambled
LEAF; this was verified experimentally by Matt Blaze. A simple cure would be
obtaining authorization to wiretap the other telephone, as scrambling both LEAFs
would square the difficulty of obtaining a connection. However, the Clipper design
could have included a precaution to avoid this danger: after the normal key-exchange
method leads to agreement on an 80-bit key, and that key is included in the LEAFs
from both units, the actual 80-bit key used to encrypt the telephone conversation could
have been the XOR of the following three quantities: the 80-bit agreed key, the 80-bit
agreed key enciphered using the unit key of the first telephone, and the 80-bit agreed
key enciphered using the unit key of the second telephone. This would ensure that both
LEAF fields would have to be intact, since a modified LEAF field with a valid 16-bit
checksum would still not have its correct 80-bit contribution to the actual session key.
For recieving a message from a party belonging to an escrow agent, x is the current
date, encrypted by a key. This key is the recieving user's ID, encrypted by a key shared
between the two escrow agents involved.
The session key produced by Diffie-Hellman is only used by the parties to encrypt the
real session key; this way, messages can be broadcast to several parties while only
having their entire text encrypted once.
The escrow agents communicate these shared keys between themselves using the same
method, if they have an escrow agent above them. Thus, the number of escrow agents,
and the number of keys each one must handle, merely grows logarithmically as the
number of users increases. (This seems to answer another objection made to the
proposal.) This method allows international communications, since only escrow agents
directly above the two parties in a communication can decode it.
A third objection to this proposal was that, since the keys are known to the escrow
agents, why are public-key methods used; Kerberos was noted as an alternative.
However, an advantage is either gained or at least is hoped for from the existing
proposal: the escrow authorities do not have to be directly involved in every encrypted
communication, only a fraction of them.
Fair Cryptosystems
If, instead, a party generates several separate random numbers, and uses the sum of
them as x, then for each random number r, he can disclose to an escrow agent both r
and A^r. The escrow agents keep r private unless an escrowed key is to be used, but
A^r is public from the beginning.
Each escrow agent can verify that the number r is correct, since they can calculate A^r
themselves. Every escrow agent can verify that the A^r values must be correct, since
their product must equal the public A^x.
Next
Skip to Next Section
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]
But that keyspace still has over a trillion (a million million, or a British and Continental
billion) possibilities in it. Isaac Asimov once wrote a book with the title Only a
Trillion; that perhaps qualifies him as a prophet of cryptography.
The fact that 2^40 or 10^12 different keys is a hopelessly inadequate number in this
part computer age at first hardly seems troubling. There are many ciphers around with
128-bit keys, and it is fairly trivial to design one with an even longer key. Of course, it
isn't trivial to design a cipher well enough that there is no attack against it possible that
is more effective than a brute-force search over all those keys.
But there is another problem: how to come up with a random key of the required length.
For many paper-and-pencil ciphers, the key is a single word from the dictionary, like
"CONTINENTAL" or "INVIGORATING". There are thousands of words in the
dictionary, but not millions, and certainly not trillions.
Some computer operating systems only allow passwords that are 8 characters long.
Even if a password were composed of random letters, 26^8 is only 208,827,064,576 or
just over a fifth of a trillion.
A pass phrase is much better. But it is important that the pass phrase not be a well-
known phrase, a famous literary quotation, or the like, because that again limits the
possibilities severely.
Some people find it useful to compose a pronounceable pass phrase from nonsense
syllables chosen at random, or from random words in the dictionary, and there are tools
available to assist in this, such as Diceware.
One way to protect a key is to memorize it, and give it only to whoever you are
communicating with. However, public-key cryptography allows keys to be protected
without having to be carried from place to place. So your computer just thinks of a
random 128-bit key, enciphers it in RSA, and there is no problem?
Unfortunately, however, most computers today don't come equipped with special
hardware to generate random numbers. A typical method for obtaining a genuinely
random starting point for input to a pseudorandom number generator, so that, for
example, a game contains elements that vary each time it is played, is to use the current
date and time.
If one's computer provides the current time in thousandths of a second, and someone
trying to break your enciphered messages can guess when you've enciphered them to
within a week (often, messages are enciphered only minutes before they are sent, so
this is an optimistic assumption), then, given that there are 86,400 seconds in a day, we
are dealing with only 604.8 million possible keys; less than a billion.
In addition to the time, there are a few other sources of randomness in a computer, such
as the position of the hard disk in its spin, and some register contents, but they are quite
limited.
Counterpane Systems, the company of Bruce Schneier, author of the justly famed book
Applied Cryptography, has made available the program Yarrow, which is a well-
designed program for the purpose of obtaining randomness from a personal computer,
to address these difficulties. (The name of the program is, no doubt, a reference to the
traditional method of consulting the I Ching, or Book of Changes.)
At this point, it should not be hard to see why the earlier versions of PGP required the
user, prior to the generation of keys for RSA encryption, to type characters on the
keyboard for a time. The timing of those characters, not which characters were typed,
were used as a source of randomness. A program for creating encrypted virtual disk
drives obtains randomness by asking the user to move the mouse at random for a time.
The digits of pi look random, and for some purposes they are. But there is only one pi,
and it is well known, and it is an easy thing to guess. Good cryptographic algorithms
produce output that looks random. But a cipher is only as good as its key; a genuinely
unpredictable and unguessable starting point, big enough to be a good key, is required
for secure encryption. And obtaining such a key is harder than it may seem at first, and
it is something that is often and easily forgotten.
Next
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]
But if one does not have any direct contact with the other party, there is the possibility
of the man-in-the-middle attack. An active eavesdropper could arrange for you to see
his public key in place of the public key of the party you actually want to send a
message to, then take your message when you send it, decode it and read it, then
encipher it again, this time in the other party's real public key, and send it on.
One method of dealing with this is through the use of key certificates. A trusted central
authority, having had direct contact with the intended recipient of your message, uses
public key methods to digitally sign a message that states what the public key of your
intended recipient actually is.
Another type of method has also been proposed to combat the man-in-the-middle
attack. These methods, by themselves, don't prove the identity of the party with whom
you are communicating: but they do prevent a man-in-the-middle from passing on
messages in both directions between two other parties at the same time. Thus, if these
methods are coupled with some other form of identity check, they can be useful.
The original interlock protocol, as devised by Ron Rivest and Adi Shamir, worked like
this: after both parties exchanged public keys, then each sent, in turn, the first half of an
encrypted message, and then each sent, in turn, the second half of his or her own
message.
This required that the messages were encrypted in such a way that only a whole
message, not half of one, could be decrypted with the key. This protocol works well
with RSA, since it enciphers data in large blocks, numbers modulo M, the product of
two large primes, and nothing can be done with half of the digits of a block.
With a public-key system like Diffie-Hellman, a similar result can be obtained by first
sending messages enciphered in a symmetric key system, and then afterwards sending
that symmetric key as a message enciphered using the normal Diffie-Hellman session
key.
Since an interlock protocol is only usable when two parties are communicating in real
time, it can't be used for E-mail. Could it be useful with a secure telephone?
Next
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]
Quantum Mechanics so far has been found to relate to cryptography in two different
ways.
A quantum computer might be able to operate like the ultimate parallel computer: it
might be able to solve a problem for every possible set of initial conditions at once!
However, it could only give us one of the solutions when it finishes.
Quantum cryptography is the public-key cryptography answer to invisible ink; one can
send two particles out from a central location to two communicating parties, allowing
both parties to co-operate in generating a random one-time pad common to both of
them that no one else could have intercepted.
● Quantum Computing
● Quantum Cryptography
Quantum Computing
The site http://www.openqubit.org/ is co-ordinating a project to develop an open source
computer program to simulate a quantum computer, to help increase familiarity with
this new frontier in computation. The site also contains some papers describing how a
quantum computer may work.
The type of quantum computer discussed there incorporates another new computer
idea: reversible computation. I was very skeptical when I first heard of this idea: that
computations which do not destroy information can be made to run without using
energy. But while that would be difficult to do on a conventional scale, that it could be
achieved in a quantum system makes more sense. If a quantum computer is to perform
an extensive computation, since it must be isolated from the environment during the
entire calculation, avoiding any heat dissipation is essential.
This may be oversimplified, but here is a set of possible instructions for a quantum
computer:
Incidentally, these operations have some resemblance to the operations allowed when
one is inverting a matrix by pivoting. And they can be generalized to allow more
elaborate invertible operations, thus making programs easier to write:
The program counter can operate invertibly if it is set up as a ring counter, but that may
not be needed; incrementing a counter normally is also invertible.
The main distinguishing feature of this kind of computer is that some common
operations will use up memory space initialized to zero. Sometimes, after copying the
result to some blank memory, a computation can be run in reverse to clean up the mess
made by intermediate results.
Another important fact about a quantum computer is that since it is started, and
maintained externally in a superposition of equally probable states, the one "right"
state, where the computation has started out trying the right possible key, and found it
to be correct, even if it executes an instruction that tells it to signal the outside world
and thereby break up the computer's isolation, that doesn't guarantee that anything will
happen.
Thus, the program used has to be changed, so that if the wrong key is tried, the
program continues by trying the next key.
The good news is that since a quantum system does behave as if it is in all of its
superposed states, it doesn't just choose one of them and stay in that state. So the
"right" state has more than one opportunity to be randomly selected. As the other states
gradually find the right key, and decide in turn to do something noticeable, we have
that the number of states that have the right answer grows proportionally to the time,
and the number of chances each state has to be noticed if it is right also grows
proportionally to the time.
The probability of us recieving the answer is a fraction of the total number of states,
which equals the total number of possible keys. Hence, instead of giving us the answer
in the time taken to try one key, as would have been hoped for from the initial
oversimplified picture of a quantum computer, or in the time taken to try all (or half, on
average) the keys, like a conventional computer, the time required (which can vary
randomly) is actually proportional to the square root of the number of keys. A recent
paper has been published with a proof a quantum computer cannot do better than this
on problems of searching.
Next
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]
Quantum Cryptography
What is commonly called "Quantum Cryptography" is a method that exploits the EPR
(Einstein-Podolsky-Rosen) paradox to distribute a one-time-pad to two locations. It is
secure against undetectable eavesdropping, but although an active attack could be
detected, it could still lead to the attacker reading a message.
In quantum mechanics, a particle, instead of actually being a point object that can be in
only one place at a time, is really a wave function that is spread over a larger or smaller
area. The act of observing where a particle is consists of changing the shape of its wave
function to one with a sharp spike at one location.
If a particle's wave function spans a large area, and quick measurements of position are
made at the same time at two widely separated points in that area, the wave function,
whose amplitude determines the particle's probability of being located at each point,
controls two independent chances of the particle being where it is looked for, because
nothing can travel faster than light. So you have a chance of looking to see where a
particle is, and finding two of them. This led to the theoretical prediction of the
existence of antimatter; in this way, an extra particle can be created, and there is no
problem, because to make two position measurements so precisely and so quickly
actually takes enough energy to create an extra particle, and its antiparticle as well
(required to conserve various physical quantities).
But for some physical properties, one of which is angular momentum, this doesn't
happen. It's possible to measure angular momentum without contributing any angular
momentum to the system being measured. And it is possible for two particles to be
created under conditions that cause them to be heading off in two opposite directions,
with equal and opposite angular momentum.
When this happens, since the measurement can't contribute the missing angular
momentum to account for a discrepancy, it seemed, from the formulas for quantum
mechanics, that conservation of angular momentum and quantum mechanics would
have to take precedence over relativity: that, when measured at a large distance, two
such particles would have to always measure as having exactly equal and opposite
spins.
This was first noted in a paper by Einstein, Podolsky, and Rosen. It was advanced by
them as a paradox; a result indicated by quantum mechanics that could not possibly be
true, which therefore indicated that something was wrong with quantum mechanics.
If each of the two particles carried with it a set of instructions for what to do under
every possible condition of measurement, then angular momentum could be conserved
without apparent faster-than-light communications (or "nonlocality"; the faster-than-
light communications are internal to Nature, and not directly exploitable, so there are
those who object to the use of terms implying we know something to exist that we
cannot directly touch). This is known as a "hidden variables theory". Bell's Inequality
notes that if that were the case, but the spin on both sides was measured not for being
up and down relative to the same direction, but relative to a slightly tilted axis on one
side, the chance of the spins being opposite would be proportional to the angle of tilt.
But given the way a particle with a spin normally responds to measurement, the chance
of the spins being opposite should be much smaller, and proportional to the square of
the angle.
In any event, the experiment was finally actually performed, and J. B. S. Haldane
recieved partial vindication: the Universe was proved to be strange enough to cause us
trouble in imagining it. A pair of particles having opposing angular momenta, as a
result of the method of their creation, whose angular momenta were in no way
observed on the way to the separated detectors, thus leaving them in a pristine quantum
state of entanglement, really did behave as quantum mechanics predicted: always
having the same angular momentum when checked for angular momentum in the same
direction, and with the chance of a difference being proportional to the square of the
angle of tilt between the two detectors otherwise.
This can be used for forming a one time pad made up of ones and zeroes as follows:
After a particle is detected by one party, that party then randomly chooses again which
type of angular momentum to measure.
Then, the two parties can communicate, over an open channel, the times at which they
detected particles, and what kind of angular momentum they were measuring for at the
time of the event detected.
Finally, ignoring all events except those detected at the same time by both parties, and
additionally only counting those where both parties were measuring for the same type
of spin polarization, a one-time-pad can be generated by taking Up to be 1 and Down
to be 0, and Left to be 0 and Right to be 1, for example.
If an attacker sends particles with a known spin out, then if it happens both sides are
measuring for horizontal polarization when he sent the particles out with a fixed
vertical polarization, for example, the two parties may have mismatched digits in their
one-time-pads, thus encountering a garble and therefore detecting tampering. An
attempt to find the polarization of one of the particles, and replace it with one of the
same polarization, will also fail if the wrong direction is chosen in the same way.
Next
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]
Cryptanalysis
In previous sections of this work, I have briefly touched upon methods of
cryptanalyzing a few of the specific cipher systems presented.
Next
Table of Contents
Main Page
[Next] [Up/Previous] [Index]
Kinds of Attack
This is an interesting question, even if, in practice, any answer is likely to be deceptive.
An attacker seeking to eavesdrop on someone else's communications is not limited to
gentlemanly rules or to expected attacks. As we have seen in the section on block
ciphers, resistance to a ciphertext-only attack is not considered enough: a block cipher
is held to be weak even if it is only possible to deduce the key by enciphering vast
quantities of chosen plaintext on the equipment of the person whose communications
are to be read. From the viewpoint of the original military applications of
cryptography, it would seem that, if one has such access, why not just plant a bug?
But if a cipher is secure against such attacks, then it can be used for other applications:
for example, encryption can be provided as a kind of public utility, protecting terminal
to computer communications in a time-sharing environment. Also, using a block cipher
as a component in a hash function may be safer.
The one-time pad is an example of a cipher system that can be seen to be unbreakable.
This is because a key, having the same length as the message, is used only once, on that
message, in such a way that, because the key is random, any other message having the
same length as the message seen is entirely possible as far as someone not knowing the
key can possibly determine.
The requirements for this are:
● The key must be truly random. It cannot be generated by any algorithm that
takes as input a shorter key. And it must be without bias: the probabilities of all
symbols must be equal.
● The key must be the same length as the message. Not only must the key and the
message have the same number of characters, but the characters must come
from alphabets of equal size. A key consisting of 100 digits applied to a
message of 100 letters is actually shorter than the message, by a factor of log
(10)/log(26), representing the amount of bits (or digits, letters, or other symbols)
required to encode the key and the message respectively.
● The key must be applied to the message in such a way that, given that the key is
random and unbiased, for a given plaintext symbol, all ciphertext symbols are
equally probable, and conversely, for a given ciphertext symbol, all plaintext
symbols are equally likely.
● Except for its use in enciphering one message, the key is never used for any
other purpose, or otherwise exposed to interception in whole or in part,
permitting (for example) two uses of the same key to be worked against each
other to obtain information about the key.
When the message is longer than the key, some information about the message is still
gained, because the possibilities will be narrowed.
In practice, with normal text messages, that kind of compression is not possible. The
messages decoded by trying wrong keys might come close to making sense, but they
could not all be perfectly reasonable, and in fact it's highly unlikely that any doubt
about the correct message could really exist. But if the message consisted only of
random numbers to begin with, for example, a session key transmitted under a key-
exchange key, this does point out a case in which a conventional cipher becomes
resistant to attack.
Let us encipher a message by applying a sequence of random data to it after the manner
of a one-time-pad. The result of this is cipher message A, which, without knowing the
random data, is unbreakable.
Let us then also transmit cipher message B, consisting of the text of the one-time-pad,
enciphered in some fashion.
This system was once proposed in the pages of the journal Cryptologia, in an article
that claimed it was a simplified or modernized version of the Aryabharata cipher of
ancient India.
Sending both a message enciphered by a random OTP and the random OTP itself is,
essentially, a way of splitting a message into two parts, each of which are random in
themselves. The next step above the relatively weak system just discussed would be to
encipher message A by some system as well. While no theoretical immunity to
cryptanalysis is gained, it may well be true that cryptanalysis by establishing
correlations between two messages, each enciphered in a different way, is more
difficult than solving a message that has simply been enciphered twice, by the use of
each system in turn.
For example, if the two methods used are the Playfair cipher and simple columnar
transposition, if transposition is used first, the Playfair cipher can still be attacked,
because it takes each input letter to a limited number of substitutes; if the Playfair
cipher is used first, multiple anagramming, although now much more difficult, is still
possible because a text enciphered by Playfair still has digraph frequencies marked
well enough to allow a correct match to be detected.
Since the enciphered OTP, being transmitted, is known, one might, however, consider
the following arrangement, which involves sending only one message, to be equivalent:
take a fixed random sequence of letters (perhaps derived from the digits of pi; since
we're using Playfair, we need a 25-letter alphabet anyways), then encipher (or, to be
strictly equivalent, decipher) it using the current key by simple columnar transposition,
apply the result by Vigenere to the plaintext, then encipher the result with Playfair.
The main difference between that and double encryption is the presence of a fixed
random sequence. Thus, it would seem that message splitting only provides additional
strength by hiding statistical properties of the plaintext, whch is only of benefit against
weak or poorly designed ciphers.
Even so, a still more elaborate form of message splitting suggests itself. A base station
could send, to a remote station, a thousand pads of random data, each one accompanied
by an identification number, protected by one form of encryption.
Then, the remote station could, to send a message back to the base station, select two of
those pads to use (and then discard), sending a message, also encrypted by a different
key and cipher method, consisting of the numbers of the two pads chosen, the starting
points within them, and then the message with the two pads applied.
The messages sent in both directions are enciphered random data, impossible to break
individually, but now it is also not possible for the cryptanalyst to determine which
three messages to attempt to correlate with one another, or at what starting points. This
still isn't unbreakable in theory, but it certainly does seem like it would make things
considerably more difficult for an attacker. Although such a method, as it increases the
amount of bandwidth required for sending a message by a factor of three, as well as
requiring a lengthy amount of transmission in advance, would seem to be impractical,
it may be noted that some military communications systems transmit encrypted data
continuously, even though the actual message traffic being sent is much smaller, in
order to prevent an eavesdropper from gaining information on how much is being
communicated and to whom. Attempts to gain this kind of information, falling short of
actual message contents, through eavesdropping, are known as traffic analysis. In such
a case, instead of leaving the extra capacity of the channel entirely unused, it could be
used to send random superencipherment pads during the time when no messages are
being sent. Such a channel might work as shown in the diagram below:
While the idea of sending superencipherment pads during otherwise idle time may not
have been used, it is likely that encrypted channels resembling what is shown in the
diagram in part may have been used in practice.
To allow the reciever to keep track of where packets begin and end, a counter field is
shown. A special synchronization signal, not corresponding to any binary data value,
might also be used, as it may not be necessary to label each packet uniquely. In any
case, as the counter contains no information, but is a fixed sequence, it is shown as not
encrypted.
Beneath that layer, only the addressee is not otherwise encrypted. Different groups of
addressees may use even different encryption algorithms in addition to using different
keys.
Encryption layer 2 is unique to each addressee; each one has a unique key, and
different addressees may even use different algorithms in some cases. Some addressee
codes, however, may correspond to messages intended for more than one recipient, in
which case all those recipients would share the necessary key.
At this point, the information which identifies a block as either an encrypted message
or a pad of random data is in the clear.
Encryption layer 3 consists of the two different algorithms used by each recipient, one
for the superencipherment pads, and a completely unrelated one for messages. Using
unrelated algorithms is an important step in allowing the random data to be used to
make cryptanalysis more difficult.
Finally, the actual pads, labelled with their identifying numbers, are visible in
unencrypted form. The plaintext messages are still encrypted, but only by addition of
two pads, the identification numbers of which, and the starting points used in which,
appear at this stage in the clear without further encryption accompanying the plaintext
message.
However, the scheme as illustrated above is not quite practical. Three layers of
encryption are not really necessary, and sending each of possibly 65,536 addressees
their very own set of 4,096 superencipherment pads is rather excessive. A modified
version of this scheme more suitable to actual implementation is illustrated below:
Here, removing the first layer of encryption, common to the whole network,
immediately reveals whether a block is a keypad or a message. The identification
number of each keypad and the addressee of each message is also revealed; note that
keypads do not have addressees.
The second layer of encryption is unique to each addressee, at least in that each
addressee has a unique key. Different classes of addressee may also use different
algorithms. Also, once again, each addressee uses one algorithm to decrypt keypads,
and a completely different one to decrypt messages.
In this fashion, the hub of the network only requires one set of 4,096 keypads, but the
keypads are "decrypted" in a different way by each addressee (and by the hub for
communicating with that addressee).
Note that the displacement and pad number within a message must be random, and so
keypads must be exactly 256 elements long in the format shown. If an element were a
hexadecimal digit, or nybble, instead of a byte, we could say from the diagrams that in
the first format the message text field would be 249 nybbles long, and in the second it
would be 245 nybbles long. In an actual format, however, keypads would probably fill
more than one block, and the number of blocks in a message would be variable. If there
were fifteen allowed message lengths in blocks, this would work out nicely in using a
single hexadecimal digit to indicate the start of either a keypad or a message, and in the
case of a message, also its length.
It should be noted, though, that, if it is assumed that the first layer of encryption, since
it is shared among all the nodes in the network, can be compromised, then the fact that
the keypad numbers are not further concealed does weaken this system: for each value
tried in a brute-force search of the key for a message block, the related keypad is
immediately identifiable. One still doesn't know which one is the right one, but one of
the points of uncertainty is lost.
If the whole keypad, including the keypad number, was encrypted by most reasonably
secure methods, then there would be no assurance that a complete set of keypads was
recieved by any node. One way of solving this would be to give each node its own
codebook with 4,096 entries for interpreting the keypad numbers in its own way.
One could also do this: usually just send out random bits for keypads, which will be
treated by each recieving node as an encrypted keypad including an identification
number which is also covered by the encryption, but also decrypt these keypads that
are sent out for storage (as would be required anyways) using the keys of each node.
Then, monitor if for any node, any of the keypad numbers is excessively stale: if so,
using that keypad number, followed by random bits, create a keypad block by
enciphering it using the key for that particular node which needs a fresh keypad of that
number.
Another idea, which I feel is related to the form of message splitting examined above,
has recently been suggested by Douglas A. Gwyn in the sci.crypt newsgroup.
In many cryptosystems, a higher-security cipher with a longer key is used for the
occasional exchange of new keys used for the cipher system that is used for the actual
protection of plaintext.
What was suggested was that keys be exchanged much more frequently; instead of
taking into account how difficult the cipher being used is to break, use new keys so
frequently that if the keys were safe from attack, no unambiguous decryption of the
text encrypted under only one key would be possible. If the plaintext was well
compressed, this could be achieved while transmitting somewhat less key material than
plaintext.
A later extension of this proposal involved adding message splitting to the system by
sending a random mask as the first plaintext block, and then performing an XOR
between it and the plaintext of each succeeding block as the first step in that plaintext's
encipherment.
This, like message splitting, does force the cryptanalyst to work on two separately
keyed blocks at once, and thus it has some value, but I am not sure of exactly how
much value. Unlike message splitting, though, this does not double bandwidth
consumption, and unlike double encryption, it does not require twice as much work to
encrypt a message.
I found it sufficiently interesting to propose the following elaboration of it, which does
require as much time to encrypt a message as does double encryption, though:
Use the key that comes with each message block, and encrypt it with three different
keys to obtain three keys used for different purposes.
A changing key encryption key, followed by a second encryption with one of the three
fixed keys, obtains the key for encrypting the next block.
The second fixed key obtains the key encryption key for the next block.
The third fixed key obtains the key used to encrypt the mask, as used with the previous
block, to use with this block.
In this way, the keys for encrypting blocks aren't sent encrypted in exactly the same
way as the plaintext, but are protected by an extra layer of encryption. In addition,
having the mask constantly changing increases its effectiveness.
Initial keys:
First block:
E(P1, KA1), where the first plaintext message P1 is composed of R, random data 896
bits long, and K2, a 128-bit random vector.
Set:
● M1 = R
● KA2 = D( D( K2, KB1), Ka )
● KB2 = D( K2, Kb )
E(P2, KA2), where P2 is composed of 896 bits of plaintext sent in this block, XOR
M2, and K3, a 128-bit random vector.
Set:
Thus: each block consists of 896 bits of plaintext and a 128-bit random vector which is
used as a source of keys.
This obtains the plaintext XORed with the current mask (M2), and it obtains the key
source value.
● The regular key for the next block (KA3) is obtained by decrypting the key
source value (K3) first with the current key decrypting key (KB2), then with the
permanent key to block encryption key transformation key (Ka).
● The key decrypting key for the next block (KB3) is obtained by decrypting the
key source value (K3) with the permanent key to key encryption key
transformation key (Kb).
● Then, a key used to encrypt the mask value for use with the next block (KC2) is
obtained by decrypting the key source value (K3) with the permanent key to
mask encryption key transformation key (Kc).
Public-key Cryptography
However, the limitation to cryptanalysis discussed above, that if a plaintext has no non-
random distinguishing characteristics, there is no way to determine if a decryption key
being tried is really correct, does not apply to public key systems. There is no
conventional secret key in a system like RSA. There is a private key, which is very
difficult to deduce from the public key: but it is still a fact that, if one had enough
computer power available, the public key strictly determines what the private key must
be. Thus, knowing the public key means that there is only one way to decode a
message sent with it.
However, that perspective is not the whole story. The other half of cryptographic
security, called the "work factor", by Claude Shannon, refers to the difficulty of either
trying all possible keys, or of doing something better, to read a message. But in this
area, it is no longer possible to set definite limits to cryptanalysis, since no one knows,
for example, what new methods of factoring large numbers might be discovered
tomorrow.
Relying on the "work factor", rather than on the information-theoretic absolute limits,
lets one have the convenience of a short key that one can change at leisure (with
conventional encryption), or the additional convenience offered by public-key systems.
But it has a price: one no longer has a way of proving how truly secure one's messages
are.
Next
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]
In the conclusions section of this chapter, I attempt to classify the cipher systems
themselves, based on the different constructions they use.
One basic technique involves trying every possible key until one has found the right
one. Sometimes, this technique is usable, for example, in cracking DES, or in
attempting to crack a route transposition.
The kappa test allows one to align parts of messages enciphered with the same part of a
keystream, which allows them to be read without any knowledge of the actual key
which may have been used to generate the keystream. This combines collecting
information, and switching from trying possibilities for the key itself to looking at the
key in a transformed form or at consequences of the key.
But to my mind the most common and fundamental cryptanalytic technique is to find
ways to replace a brute-force search on the key as a whole with brute-force searches on
parts of the key.
Thus, in breaking a monalphabetic substitution cipher, one can test the possibility that a
certain letter stands for E separately from all the possibilities of what the other letters
may stand for. The Bombe tested different rotor positions, and all the rotor orders also
had to be tried, but it was designed so that the plugboard settings could be found
separately. Differential cryptanalysis, when applied to DES, tests for the consequences
of individual bits of the key; when applied to a cipher with a fancier key schedule, it
tests for portions of the subkeys.
Next
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]
As noted in the previous section, the cipher system known as the one time pad, if
employed correctly, makes reading your messages as difficult as guessing next week's
winning lottery numbers.
The one-time pad system is not totally impractical. It requires a bit of advance effort
before communications can begin. But even a floppy disk contains over a megabyte of
data, which corresponds in size to the contents of an entire book. And the price of CD-
R recorders has been coming down recently.
However, many people choose to employ other types of cipher systems to protect their
correspondence, for reasons of convenience which are outlined below:
● The one-time pad requires the previous exchange of an amount of key that
corresponds exactly to the quantity of messages to be transmitted.
● A conventional, or symmetric-key, cipher can protect a large volume of
messages with one small key, without a clear boundary beyond which further
messages become insecure.
● Public-key techniques can allow two parties to communicate securely without
any previous contact for the exchange of key material.
The one-time pad comes with a mathematical proof of security, and no other cipher
system has that. In fact, there is a good reason for believing that no other cipher system
can have a mathematical proof of its security.
One way is to look for corroborating evidence of security, however incomplete it may
be. For example:
Another way is to take as many precautions as one can in the use of any algorithm:
(I am particularly indebted to Terry Ritter for the third of these precautions, which I
have stated here in considerably shortened and simplified form.)
Some of these precautions directly conflict with being able to obtain corroborating
evidence of security. If you design your own algorithm and keep it secret, then unlike
DES it won't have recieved the cryptanalytic attention of the noted researchers in the
field.
But using multiple algorithms allows one to have the best of both worlds: one can use a
well-respected algorithm and then also use an unknown algorithm.
In order to ensure, however, that multiple algorithms do indeed provide added strength,
they have to be used properly. One algorithm can't be implemented in a way that adds
redundancy to the text to be enciphered by the next algorithm. The keys used by the
different algorithms have to be effectively independent, so that breaking a weak
algorithm won't provide a clue to the key used by a stronger algorithm, enabling the
stronger algorithm to be reversed without having to break it.
One way to make multiple keys effectively independent is to use a good one-way hash
function applied to an input key to generate the key for each algorithm; the input key
would be slightly modified each time it is to be hashed. However, unlike having truly
independent keys, this does mean that the security of the hash function limits the
security of the whole cipher system.
Next
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]
These six desiderata, as they are phrased, are directly applicable to pencil-and-paper
ciphers. Some of the concerns they raise do not seem as important today, when the
ubiquitous personal computer stands ready to assist the cryptographer.
It may be noted that I have rather heavily paraphrased Kerckhoffs in my listing of his
six dicta above. The second dictum originally stated that "compromise of the system
should not inconvenience the participants". While my paraphrase makes explicit the
usual way in which this dictum is understood, there is at least one other way in which
the users of a cryptosystem could be inconvenienced by compromise of the algorithm
used.
During the Second World War, the highly-secure American cipher machine SIGABA
was handled with extreme physical security. One of the reasons for this was that it was
so secure that if an enemy had discovered how it worked, although that probably would
not allow that adversary to begin cryptanalyzing messages encrypted on the SIGABA,
it would enable the adversary to copy the principle, and thus deprive the Allies of the
intelligence they had been able to obtain from solving even the highest-level German
and Japanese cipher systems.
Hence, satisfying the first dictum too well caused it to fail the second dictum in a less
usual manner.
In any case, as amended for the computer era, Kerckhoff's desiderata might look like
this:
Thus, I claim that all six of Kerckhoffs' desiderata, not just those whose relevance is
most often acknowledged at the present time, still retain at least some degree of
importance, when correctly understood. But it is true that the ones regarded as obsolete
have retained less of their importance as stated, although the reasons behind them
remain valid in a different form.
Next
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]
Since these things can't be used while in an encrypted form, however, works protected
in this fashion still need to be accompanied, either as they are distributed, or in the
device on which they will be legitimately played or used, by all the information needed
to decrypt them. Thus, it appears that someone attempting to overcome such protection
will always have an alternative to cryptanalysis as a means of attack: prying the key out
of wherever it is hidden.
However, if a key is hidden inside the circuitry of a microchip, prying it out of there
requires specialized equipment; that, in itself, would be more reassuring if many
hackers weren't college students, but the military also uses various techniques to make
that more difficult, such as painting chips with chemicals that will catch fire if exposed
to the air. Because this limitation does mean that no content protection method can be
technically perfect, it is not surprising, whether or not one approves of it, that industries
relying on copyright have asked for (and have recieved in many cases, such as the
Digital Millenium Copyright Act in the United States) specific legal protection of
content protection schemes, to make it illegal to attempt to defeat them, and to reveal
the hidden keys to others once they are found.
I remember that, some years ago, there was a news story about a new microprocessor
that had, built into it, the capability of running programs that were encrypted. Actually,
two chips had this feature; they were the NEC V25 Software Guard and the NEC V35
Software Guard. These chips were 8086-compatible chips; the V35 (which also existed
in a plain form without this feature), in addition, had features that allowed it to address
16 Megabytes of RAM with a 24-bit address, but in a simpler fashion than that which
later became the standard with Intel's 80286 chip.
The encryption provided was, however, somewhat limited. Customers could specify a
256-byte translation table, and when the chip was executing encrypted software, this
table was used to decrypt the first opcode byte of instructions.
Since the address portion of an instruction usually appears in the clear on the address
bus in a later cycle, it made sense not to encrypt that, and thereby provide a window
into the translation table for anyone who could monitor the computer's bus.
One could imagine slightly enhancing this kind of encryption, while keeping its time
requirements comparable to those involved in address calculation:
Here, bytes being fetched by the CPU go through two translation tables or S-boxes, and
in between are XORed with a quantity calculated from the least significant two bytes of
the address from which they were fetched.
Four different S-boxes are present in each position. Another table, not shown in the
diagram, would determine which S-box is to be used for various types of memory
access, and it might look something like this:
00000 First opcode byte 00 00 00 00
00001 Other opcode bytes 01 01 01 01
00010 8-bit displacement X
00011 Address field X
00100 (not used) X
00101 one-byte data 10 10 10 10
00110 16-bit data, first byte 11 11 11 11
00111 16-bit data, second byte 00 01 10 11
01000 32-bit integer, first byte 01 10 11 00
01001 32-bit integer, second byte 10 11 00 01
01010 32-bit integer, third byte 11 00 01 10
01011 32-bit integer, fourth byte 11 10 01 00
01100 32-bit floating, first byte 10 01 00 11
01101 32-bit floating, second byte 01 00 11 10
01110 32-bit floating, third byte 00 11 10 01
01111 32-bit floating, fourth byte 00 11 00 11
so there would be nine bits for each entry, one turning off encryption, the other eight
specifying the four S-boxes to use. One could add another two bits, so that the two
XOR steps shown in the diagram could individually be switched to addition.
To allow a standard part to be used, the chip could contain the ability to do public-key
cryptography, so that it could load in the contents for all these tables from the outside.
But even with the additional complications shown, it seems like quite a mismatch to
start off by using something as powerful as public-key cryptography, and then protect
software with such an elementary type of cryptography.
So, instead of (or in addition to) using the chipmaker's public key to encrypt S-boxes
for use in this elementary fashion, it ought to be used to allow decryption of executable
code, which, in decrypted form, would be kept in memory on the chip itself, and not
allowed to leave there.
The program so decrypted could be a small program, including a key, which would
serve to conventionally decrypt by any algorithm additional program code to also be
placed in this internal memory. This would reduce the amount of dedicated encryption
hardware needed on the chip, but might create problems in connection with what I
propose below.
Decrypting a program by a secure algorithm, and only storing the result inside the
microprocessor chip for use, would be quite secure.
Do we allow every software maker to protect its own software in this fashion? Or will
making use of the mechanism be restricted to large, respected companies, that the
chipmaker will trust to abide by a non-disclosure agreement?
Using public-key cryptography would mean that the chipmaker could disclose the
public key corresponding to the private key built into every chip without compromising
the security. But what happens when writers of viruses and trojan-horse programs use it
to protect their efforts? Of course, the chipmaker would use its knowledge of its private
key to assist efforts to combat viruses, but this would still allow such code to be far
more damaging, and harder to detect.
In a USENET post, I proposed a scheme that would allow a facility of this nature to be
made openly available and yet have additional protection against misuse.
Hence, the only way that a program containing encrypted parts could successfully
execute on a user's computer would be if that user activated the program by using a
utility to superencrypt that program's encrypted parts with his own personal key.
This would be a fair approach to content protection, as it would provide a level playing
field for software writers, and it would also provide the user with control over his
computer, by being able to decide what programs he will trust to execute in encrypted
form on that computer.
Note that this proposal requires on-chip symmetric encryption capability, to handle the
user's key. Programs to be loaded into protected memory using this encryption might
also be required to be superencrypted with the user's key, in addition to requiring this
for the block encrypted with public-key techniques.
(There is no need to require this for programs which aren't decrypted once, and loaded
into chip-internal memory, but executed in regular memory using the simple scheme
illustrated in the diagram above, where the block containing the S-boxes for the
program has been activated. Although much less secure, it might be thought useful to
include this kind of ability on a chip that runs secured software, so as to allow all the
program to be protected somewhat, providing an additional nuisance to hackers, in
addition to protecting the small pieces of the program loaded into the internal memory
of the chip with more advanced encryption. Possibly also useful would be a secondary
user key, used to activate programs which are only allowed to use the multiple S-box
method of external protection, but which are not loaded in part into the chip's internal
memory.)
But even this would not be a foolproof way of preventing a protected program from
accepting other programs as protected in a fashion that bypasses the requirement of
explicit user activation, since a program could always be loaded in the form of P-code
into an on-chip data area, as a program which is to be hidden needs the ability to work
with data in private as well. This is particularly likely to be a problem if the computer's
operating system makes use of this protection, but if the operating system were
activated with the type of secondary user key proposed above, so that it was only
protected using the simple scheme in the illustration, it would have no direct access to
the internal memory. But that wouldn't stop it from accepting programs written in
encrypted P-code for execution, of course.
Also note that a protected program, using either type of protection, would have to be
treated like an interrupt service routine by the computer, so that it could only be called
at the entry points explicitly specified when it was loaded. However, that does not
mean that such programs should be privileged; limiting those externally protected to
being user-mode programs, and further limiting those executing on-chip to access to a
fixed area of memory, so that they can only serve as computational subroutines, is
another way to combat misuse of the security feature, although, again, it is not
foolproof.
Next
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]
0000 0000
0001 0001
0010 0
0011 1
0100 00
0101 01
0110 10
0111 11
1000 000
1001 001
1010 010
1011 011
1100 100
1101 101
1110 110
1111 111
The table in this example is ordered to show what is going on. The 0 and 1
combinations are not compressed; all other combinations are replaced by the bits
following the first 1 bit.
If one were to compress each byte of a file in this fashion, the effect would be that of
converting a file from 5-level code to Morse code; and no actual compression would
take place, because recording the length of each symbol, or the breaks between
symbols, would lengthen the file enough to cancel out any gains. At least if the file
were composed of random bits: using real Morse code on a real text file, since the most
common letters have the shortest symbols, would provide real compression, but no
more compression than could be achieved by a Huffman code.
Some people have even had the bright idea of applying this method of compression
repeatedly:
0000 0000 000 000 00 00
0001 0001 001 001 01 01
0010 0 010 0 10 0
0011 1 011 1 11 1
0100 00 100 00
0101 01 101 01
0110 10 110 10
0111 11 111 11
1000 000
1001 001
1010 010
1011 011
1100 100
1101 101
1110 110
1111 111
If one records the particular path that compression took, then one has recorded enough
information to cause this scheme to no longer involve any compression.
0123456789
0 A IOSW
1 T IT A S
2 EEGT TS M
3 MEE HS BW
4 TR ETSO
5 IS HS
6 T E TAI T
7 IO S H
8 WFO E T T
9 WA H W I
3.14 15 92 65 35 89 79 32 38 46
I T W A S T H E B E
26 43 38 32 79 50 28 84 19 71
S T B E H I M E S I
o f t
69 39 93 75 10 58 20 97 49 44
T W A S T H E W O R
59 23 07 81 64 06 28 62 08 99
S T O F T I M E S I
86 28 03 48 25 34 21 17 06 79
T M A S T H E A I H
w g e
82 14 80 86 51 32 82 30 66 47
O I W T S E O M I T
f i d
09 38 44 60 95 50 58 22 31 72
W B R T H I H G E O
a s e a
Hmm, those errors just keep accumulating. Perhaps pi isn't really A Tale of Two Cities
in code after all.
3.14 15 92 65 35 89 79 32 38 46
I N T H E S E C O N
26 43 38 32 79 50 28 84 19 71
D C O C E U R Y O F
e n t
69 39 93 75 10 58 20 97 49 44
T H E C H R I S T I
59 23 07 81 64 06 28 62 08 99
A N E R A T H E E M
86 28 03 48 25 34 21 17 06 79
P H R E O F R O T E
i m
No, I guess it isn't Gibbons' Decline and Fall of the Roman Empire either.
Of course, I've only scratched the surface of the possibilities. Perhaps I need to apply a
fancier encryption technique to the digits of pi before trying a homophonic substitution.
If I used three digits, rather than two, at a time, I would get better results (simply
because it would take longer before a sequence of three digits would repeat). Perhaps I
need to start somewhere else in the decimal expansion of pi, rather than at the
beginning.
The answer is no, since if we take a random sequence of five digits, on average one
would have to go through the first 50,000 digits of pi to find a match for it.
Thus, the description of where something is hidden in pi is, almost always, as long as
the thing itself.
Next
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]
On the other hand, the use of any form of encryption over mobile radio links, such as
Amateur Radio or Citizens Band radio, has long been banned; and this does not seem
unreasonable, both because the use of the airwaves is regulated in many ways, and the
use of radios to co-ordinate a bank robbery or outside assistance to a prison escape is
an obvious possibility. Thus, while the idea of putting a Clipper chip on every
telephone in the U.S. (this assuming every home in the U.S. had an ISDN line to hook
up a digital telephone to) naturally raised many eyebrows, using that same technology
in the limited province of cellular telephones doesn't seem unreasonable. This would
even have been a good place to start for a government with an agenda to put that chip
in other places; a claim the chip was for mandatory use in one specific area, highly
subject to regulation in any case, would be believable. A claim that it was for voluntary
use (what good is it to be able to tap the phones only of people who don't mind) was
simply not credible, and steered the whole thing into a sufficiently deep quagmire of
public objections that I must confess to being unsure that the U.S. government was ever
really serious about Clipper.
Since even an old 8-bit computer, such as a VIC-20, can be used to encrypt text
securely, using algorithms considerably more complex than those used by the cipher
machines of World War II, and since basic knowledge about cryptography is widely
available (unlike programs that implement DES, even the export control regime of the
U.S., which goes beyond the Wassenar agreements in several respects, does not restrict
the export of descriptions of DES or similar algorithms), and since how to program a
computer is a basic skill that is also very common, it is difficult to see how a
compelling national security need is met by placing restrictions on the export of
encryption software, particularly in source code form.
However, encryption hardware, not only offering additional security features, but also
being ruggedized for use under adverse battlefield conditions, is obviously military in
nature, and requires advanced technology to produce.
I cannot, therefore, deny that it is militarily useful, even if it is in the category of a dual-
use technology. Export controls impose costs, by on the one hand denying sales to the
commercial software industry, and on the other hand restricting the availability of
freeware and shareware software to consumers containing encryption, since this kind of
software is distributed in ways which make preventing export difficult to do.
Next
Table of Contents
Home Page
[Up] [Previous] [Index]
Conclusions
This chapter deals with ancilliary functions, rather than encryption itself.
However, the idea of converting text from binary form to letters of the alphabet does
suggest a way to complicate any attempt to analyze a cipher system. Since such a
conversion unavoidably adds a small degree of redundancy to the message being
encrypted, as a safety precaution the key used for encryption before conversion and the
key used for encryption after conversion should be unrelated.
The various forms of encryption we have seen here can be organized into groups based
on common properties: I once essayed to classify the ciphers of the first four chapters,
ciphers other than public-key systems, by the following scheme, based on the kind of
operations performed on the plaintext:
❍ Polygraphic ciphers
■ Fractionation
This form of classification only, however, addresses one dimension in which ciphers
vary. Another classification has been mentioned in a previous section in the current
chapter, which does include public-key systems:
● The one-time pad requires the previous exchange of an amount of key that
corresponds exactly to the quantity of messages to be transmitted.
● A conventional, or symmetric-key, cipher can protect a large volume of
messages with one small key, without a clear boundary beyond which further
messages become insecure.
● A public-key cipher can allow two parties to communicate securely without
any previous contact for the exchange of key material.
Also, the first classification is based on what happens to the plaintext. But when stream
ciphers are classified, while the classification takes into account what changes as
successive letters or bits or blocks are enciphered, how the changes are determined was
ignored. A classification of stream ciphers based on this dimension might look like this:
however, this classification is little more than a listing of methods commonly in use.
Another way of looking at the deficiency in the first classification that this one attempts
to remedy is that the first classification is based on the operation performed directly on
the plaintext to produce ciphertext.
But that operation may not be the principal difficulty in cracking a cipher.
I originally composed the classification of ciphers which appears first on this page to
illustrate my own view of how cipher systems should be categorized, as a response to
the classification entitled "A Cipher Taxonomy", by Terry Ritter. That illustrates
another approach to the classification of different types of cipher.
Table of Contents
Home Page
Left: [2] [3] [5] [6] [7] [11] [12] [13] [14] [15] [17] [18] [19] [21] [22] [23] [24] [26] [28] [29] [31] [33] [34] [35] [37] [38] [39]
Right: [2] [3] [5] [6] [7] [11] [12] [13] [14] [15] [17] [18] [19] [21] [22] [23] [24] [26] [28] [29] [31] [33] [34] [35] [37] [38] [39]
Back to Fractionation page Back to Armor page Back to Armor-Related Fractionation page
These tables show the powers of all the prime numbers less than forty, but also many composite numbers. The criterion for excluding a composite number from
this table is that numbers which were a power of another number were excluded, since those numbers could be seen in an earlier part of the table, and all multiples
of ten were excluded.
Powers of two
2 4
3 8
4 16 Powers of twenty-six
5 32 2
6 64 676
7 128 3
8 256 17576
9 512 4
10 1024 456976
11 2048 5
12 4096 11881376
13 8192 6
14 16384 308915776
15 32768 7
16 65536 8031810176
17 131072 8 20
18 262144 8827064576
19 524288 9 542
20 1048576 9503678976
21 2097152 10 14116
22 4194304 7095653376
23 8388608 11 367034
24 16777216
25 33554432
26 67108864
27 134217728
28 268435456
29 536870912 4486987776
30 1073741824 12 9542895
31 2147483648 6661682176
32 4294967296 13 248115287
33 8589934592 3203736576
34 1 7179869184 14 6450997470
35 3 4359738368 3297150976
36 6 8719476736 15 16 7725934228
37 13 7438953472 5725925376
38 27 4877906944 16 436 0874289942
39 54 9755813888 8874059776
40 109 9511627776 17 11338 2731538515
41 219 9023255552 0725554176
42 439 8046511104 18 294795 1020001391
43 879 6093022208 8864408576
44 1759 2186044416 19 7664672 6520036189
45 3518 4372088832 0474622976
46 7036 8744177664 20 199281488 9520940915
47 14073 7488355328 2340197376
48 28147 4976710656 21 5181318712 7544463796
49 56294 9953421312 0845131776
50 112589 9906842624 22 13 4714286531 6156058698
51 225179 9813685248 1973426176
52 450359 9627370496 23 350 2571449822 0057526153
53 900719 9254740992 1309080576
54 1801439 8509481984 24 9106 6857695372 1495679981
55 3602879 7018963968 4036094976
56 7205759 4037927936 25 236773 8300079675 8887679516
57 14411518 8075855872 4938469376
58 28823037 6151711744 26 6156119 5802071573 1079667428
59 57646075 2303423488 8400203776
60 115292150 4606846976 27 160059109 0853860900 8071353149
61 230584300 9213693952 8405298176
62 461168601 8427387904
63 922337203 6854775808
64 1844674407 3709551616
65 3689348814 7419103232
66 7378697629 4838206464
67 1 4757395258 9676412928 28 4161536836 2200383420 9855181895
68 2 9514790517 9352825856 8537752576
69 5 9029581035 8705651712
70 11 8059162071 7411303424
71 23 6118324143 4822606848
72 47 2236648286 9645213696
73 94 4473296573 9290427392
74 188 8946593147 8580854784
75 377 7893186295 7161709568
76 755 5786372591 4323419136
77 1511 1572745182 8646838272
78 3022 3145490365 7293676544
79 6044 6290980731 4587353088
80 12089 2581961462 9174706176
81 24178 5163922925 8349412352
82 48357 0327845851 6698824704
83 96714 0655691703 3397649408
84 193428 1311383406 6795298816
85 386856 2622766813 3590597632
86 773712 5245533626 7181195264
87 1547425 0491067253 4362390528
88 3094850 0982134506 8724781056
89 6189700 1964269013 7449562112
90 12379400 3928538027 4899124224
91 24758800 7857076054 9798248448
92 49517601 5714152109 9596496896
93 99035203 1428304219 9192993792
94 198070406 2856608439 8385987584
95 396140812 5713216879 6771975168
96 792281625 1426433759 3543950336
97 1584563250 2852867518 7087900672
98 3169126500 5705735037 4175801344
99 6338253001 1411470074 8351602688
100 1 2676506002 2822940149 6703205376
101 2 5353012004 5645880299 3406410752
102 5 0706024009 1291760598 6812821504
103 10 1412048018 2583521197 3625643008
104 20 2824096036 5167042394 7251286016
105 40 5648192073 0334084789 4502572032
106 81 1296384146 0668169578 9005144064
107 162 2592768292 1336339157 8010288128
108 324 5185536584 2672678315 6020576256
109 649 0371073168 5345356631 2041152512
110 1298 0742146337 0690713262 4082305024
111 2596 1484292674 1381426524 8164610048
112 5192 2968585348 2762853049 6329220096
113 10384 5937170696 5525706099 2658440192
114 20769 1874341393 1051412198 5316880384
115 41538 3748682786 2102824397 0633760768
116 83076 7497365572 4205648794 1267521536
117 166153 4994731144 8411297588 2535043072
118 332306 9989462289 6822595176 5070086144
119 664613 9978924579 3645190353 0140172288
120 1329227 9957849158 7290380706 0280344576
121 2658455 9915698317 4580761412 0560689152
122 5316911 9831396634 9161522824 1121378304
123 10633823 9662793269 8323045648 2242756608
124 21267647 9325586539 6646091296 4485513216
125 42535295 8651173079 3292182592 8971026432
126 85070591 7302346158 6584365185 7942052864
127 170141183 4604692317 3168730371 5884105728
128 340282366 9209384634 6337460743 1768211456
129 680564733 8418769269 2674921486 3536422912
130 1361129467 6837538538 5349842972 7072845824
131 2722258935 3675077077 0699685945 4145691648
132 5444517870 7350154154 1399371890 8291383296
REM Copyright (C) 2000 John J. G. Savard
IF ca% = 0 THEN 90
pt% = 256 - ch%
ta% = pt% + ca%
t% = s%(pt%)
s%(pt%) = s%(ta%)
s%(ta%) = t%
90 REM
NEXT ch%
NEXT bx%
DATA 5772, 1566, 4901, 5328, 6060, 6512, 900, 8240, 2431, 421
DATA 5933, 5939, 9235, 9880, 5767, 2348, 8486, 7726, 7776, 6467
DATA 936, 9470, 6329, 1746, 7495, 1463, 1447, 2498, 708, 2480
DATA 9605, 401, 4486, 5428, 3622, 4173, 9976, 4492, 3536, 2535
DATA 33, 3742, 9373, 3773, 7673, 9427, 9259, 5258, 2470, 9491
DATA 6008, 7352, 394, 8165, 6708, 5323, 3151, 7766, 1152, 8621
DATA 1995, 150, 7984, 7937, 4508, 5705, 7400, 2992, 1354, 7861
DATA 4669, 4029, 6043, 2542, 1519, 587, 7553, 5267, 3313, 9925
DATA 4012, 9674, 2051, 3754, 1395, 4911, 1685, 1028, 798, 4234
DATA 8775, 8720, 5038, 4310, 9399, 7361, 3725, 5306, 889, 3312
DATA 6760, 172, 4795, 3783, 6759, 2713, 5157, 7226, 1027, 3492
DATA 9139, 4079, 8430, 1034, 1777, 1778, 881, 5495, 7066, 1075
DATA 101, 6191, 6633, 4015, 2278, 9358, 6796, 5497, 2520, 3621
DATA 2879, 2265, 5595, 3669, 6281, 7638, 8792, 7268, 132, 4310
DATA 1047, 6505, 9637, 394, 7394, 9576, 3890, 6572, 9679, 2960
DATA 1009, 151, 2519, 5950, 9222, 4350, 1409, 3498, 7122, 8247
DATA 9497, 4719, 5646, 9763, 1850, 6676, 1290, 6381, 1051, 8241
DATA 9744, 4867, 8363, 8086, 1749, 4551, 6989, 2792, 3018, 7739
DATA 1072, 9457, 8155, 4316, 50, 218, 2844, 960, 5377, 2434
DATA 2032, 8547, 8367, 151, 7739, 4398, 7003, 237, 339, 5183
DATA 2869, 1, 5581, 9398, 8042, 7074, 1154, 2227, 8197, 1652
DATA 3011, 735, 6583, 3967, 3487, 1765, 491, 9418, 1230, 40
DATA 6546, 9314, 2999, 2977, 7956, 9303, 1005, 308, 6303, 4185
DATA 6980, 3231, 836, 9164, 25, 8929, 7089, 985, 4868, 2577
DATA 7364, 2882, 5395, 4925, 8736, 2959, 6133, 2985, 7473, 9302
DATA 3734, 3884, 7070, 3702, 8441, 2920, 1664, 1785, 248, 7333
DATA 7908, 562, 7549, 9843, 4590, 7616, 4316, 7103, 1467, 1072
DATA 2370, 218, 1074, 5044, 4186, 6475, 9134, 8036, 6902, 5532
DATA 4586, 2544, 2225, 3451, 8138, 7912, 4345, 7350, 1361, 2977
DATA 8227, 8288, 1489, 4590, 9863, 8460, 629, 3169, 4718, 8714
DATA 9587, 5254, 9236, 6493, 5204, 7324, 3641, 972, 6827, 6160
DATA 8775, 9508, 8095, 1262, 840, 4544, 4779, 9229, 9157, 2482
DATA 9251, 6251, 2784, 2765, 9657, 832, 1461, 298, 2146, 1795
DATA 1957, 9590, 9592, 2704, 2089, 8962, 7971, 2553, 6321, 7948
DATA 8737, 6421, 660, 6070, 6598, 2561, 9901, 288, 756, 1251
DATA 9913, 7511, 6782, 1764, 3619, 570, 5844, 783, 5735, 158
DATA 56, 774, 5793, 4213, 1449, 8850, 786, 4151, 7161, 5194
DATA 5657, 617, 432, 4507, 5008, 1687, 523, 789, 937, 461
DATA 4306, 6848, 1791, 6496, 8425, 4915, 496, 7243, 1218, 3783
DATA 8753, 5648, 9495, 868, 4541, 234, 601, 6225, 851, 5583
DATA 8672, 3494, 4187, 8804, 4094, 770, 1068, 8379, 5111, 3078
DATA 7202, 3426, 3952, 2692, 971, 6088, 5690, 8382, 5113, 7871
DATA 2836, 8204, 9117, 8925, 9447, 8486, 1991, 1852, 9391, 293
DATA 990, 5925, 5266, 9172, 7446, 8920, 4438, 6971, 1147, 1745
DATA 7157, 4573, 2039, 3520, 9122, 3160, 8508, 6827, 5588, 9010
DATA 9451, 6811, 8101, 6874, 9754, 7096, 9366, 6712, 1020, 6304
DATA 8271, 6589, 5049, 3273, 1486, 874, 9402, 700, 6742, 5909
DATA 1824, 8759, 6213, 7384, 2311, 4426, 5313, 5029, 2303, 1751
DATA 7225, 7221, 6283, 2488, 3811, 2458, 9574, 3862, 3987, 375
DATA 7662, 8551, 3033, 1439, 2999, 5401, 8531, 3414, 1586, 2127
DATA 8864, 8076, 1100, 3015, 2119, 6578, 68, 1177, 7376, 3501
DATA 6818, 3897, 3389, 6639, 8689, 5793, 2991, 4563, 8864, 4310
DATA 3706, 807, 8174, 4899, 5795, 8324, 5794, 1896, 2026, 498
DATA 4104, 3922, 5078, 6046, 362, 5277, 2602, 2919, 6829, 9586
DATA 988, 3390, 1378, 7171, 4226, 9178, 8381, 9529, 8445, 6079
DATA 1605, 1972, 7973, 6047, 5910, 2510, 9957, 7913, 3515, 7917
DATA 7225, 1502, 5492, 9324, 6325, 287, 4767, 7948, 4215, 8405
DATA 759, 9290, 4018, 5576, 4599, 186, 2692, 6776, 4372, 6605
DATA 7117, 6813, 3655, 9088, 1554, 8107, 4700, 62, 3363, 7252
DATA 8894, 9554, 6369, 7143, 3012, 79, 1308, 5552, 6395, 9549
DATA 7823, 231, 4403, 9149, 7404, 9474, 6825, 9473, 2084, 6185
DATA 2460, 5877, 6694, 8828, 7953, 104, 634, 9172, 2921, 8580
DATA 870, 6770, 6904, 2792, 6743, 2844, 4696, 8514, 9718, 2567
DATA 8095, 8416, 5449, 1851, 4575, 3319, 6406, 3311, 9937, 3821
DATA 5734, 5087, 4988, 3255, 6088, 8873, 5280, 1901, 9155, 896
DATA 8855, 4682, 5924, 5444, 5277, 2817, 3057, 3010, 8060, 6177
DATA 113, 6377, 3182, 4629, 2466, 81, 2771, 6210, 1867, 7446
DATA 8495, 9514, 2817, 9014, 5111, 9489, 3422, 8834, 4825, 3075
DATA 3118, 7018, 6097, 6122, 4623, 1767, 4977, 5564, 1246, 1983
DATA 8564, 148, 4123, 5871, 7724, 9554, 2248, 2016, 1517, 6579
DATA 9408, 629, 6834, 2428, 9057, 2594, 7392, 6963, 8633, 8387
DATA 4380, 5471, 3196, 7642, 9268, 3724, 9076, 875, 737, 8528
DATA 3702, 3046, 8650, 3490, 5120, 3422, 7217, 4366, 8979, 2848
DATA 6297, 2908, 8926, 7897, 7703, 2624, 6239, 1226, 1888, 7653
DATA 57, 7862, 7436, 609, 4443, 6039, 2809, 7708, 1338, 3693
DATA 4235, 5085, 8394, 1126, 7092, 1873, 4414, 5121, 8780, 3276
DATA 1505, 947, 8055, 4663, 58, 6845, 5631, 5245, 4605, 3151
DATA 1325, 2818, 8910, 7923, 1491, 3110, 3234, 4302, 4509, 3345
DATA 3, 765, 5864, 8742, 2297, 1770, 331, 7845, 3915, 566
DATA 9401, 5998, 8492, 9160, 9114, 29, 4869, 208, 8485, 3816
DATA 9700, 9551, 5663, 4705, 5445, 2217, 6403, 5862, 9398, 2865
DATA 8131, 2387, 132, 5358, 8006, 2568, 6626, 9269, 9776, 7737
DATA 7306, 8322, 6900, 9160, 8510, 4515, 22, 6107, 1802, 5546
DATA 5928, 4938, 9492, 7759, 5897, 5407, 6155, 9933, 7826, 4824
DATA 1979, 5064, 1868, 1437, 8817, 1850, 8854, 803, 6799, 6314
DATA 2395, 4009, 1964, 3887, 5007, 8900, 6, 2799, 7942, 8098
DATA 8637, 2992, 5919, 7776, 5040, 4099, 2203, 7940, 4276, 1681
DATA 7837, 1566, 8653, 669, 3983, 916, 5243, 2270, 5955, 3041
DATA 7667, 3664, 116, 7929, 5901, 2930, 5374, 4971, 8308, 42
DATA 7584, 8635, 838, 804, 2466, 7350, 9355, 9832, 3241, 1696
DATA 9214, 8606, 4989, 2763, 6244, 3295, 8854, 8737, 8970, 1489
DATA 7133, 4353, 8448, 28, 9046, 6650, 9028, 4537, 6896, 2239
DATA 8304, 8814, 627, 3054, 879, 5911, 8967, 574, 9385, 4432
DATA 4786, 9148, 853, 3770, 2640, 6775, 8081, 2754, 5873, 1117
DATA 6364, 7878, 7430, 7392, 664, 2011, 2513, 5272, 7499, 6175
DATA 4505, 3085, 5823, 5668, 3068, 3229, 1767, 6677, 410, 3523
DATA 1535, 325, 1012, 4656, 3861, 5670, 6449, 8471, 3269, 5969
DATA 3301, 6786, 6138, 3333, 3344, 1657, 9006, 586, 7497, 1036
DATA 4689, 5174, 5695, 9718, 1553, 7640, 7837, 7650, 1842, 7834
DATA 5991, 8420, 1599, 5431, 4490, 4772, 5552, 3061, 4767, 165
DATA 9934, 1639, 660, 9120, 5400, 5322, 1589, 209, 1340, 8027
DATA 8225, 1533, 8528, 9951, 1665, 4522, 4586, 9185, 9936, 7122
DATA 132, 1501, 4480, 1424, 2309, 8625, 4604, 4886, 7256, 9343
DATA 1488, 7049, 1593, 446, 4018, 9164, 5020, 2240, 5495, 3862
DATA 9184, 7586, 2930, 7788, 9350, 6437, 7159, 6606, 9096, 468
DATA 1243, 7023, 546, 5703, 1606, 7999, 2587, 1666, 7524, 7219
DATA 4097, 7798, 186, 3626, 2563, 3582, 5262, 7942, 2393, 2548
DATA 6013, 2693, 5307, 138, 8937, 4369, 2384, 2878, 9385, 1276
DATA 4740, 8565, 4865, 281, 5630, 6774, 442, 2030, 6440, 3756
DATA 8263, 910, 2917, 5145, 7223, 4441, 503, 6931, 7711, 4521
DATA 7088, 8907, 4464, 1604, 8688, 7010, 8386, 2311, 4261, 2844
DATA 1425, 9609, 5637, 400, 6192, 57, 9335, 341, 5524, 2624
DATA 262, 646, 5693, 5430, 6125, 8526, 5834, 5219, 2121, 4977
DATA 7187, 8069, 5866, 851, 6334, 9221, 483, 6737, 9945, 9259
DATA 4340, 3795, 6000, 2192, 7854, 1837, 9417, 7602, 336, 5594
DATA 6730, 7887, 9838, 848, 1631, 4678, 2414, 9235, 4649, 1488
DATA 7668, 3368, 4074, 9289, 3865, 2818, 6304, 8589, 8203, 5481
DATA 8624, 3838, 4817, 5997, 6358, 4907, 5180, 7914, 8063, 4943
DATA 9162, 8470, 5482, 2007, 5494, 5348, 9861, 3382, 7235, 7309
DATA 2219, 30, 7400, 9680, 337, 6668, 4493, 2505, 5676, 5493
DATA 7530, 3181, 1251, 6410, 5524, 9238, 4077, 6451, 4984, 2395
DATA 7620, 1278, 1552, 3229, 4492, 8854, 5578, 5382, 248, 9189
DATA 4244, 1857, 959, 1955, 8208, 1000, 7157, 8384, 396, 2747
DATA 9985, 8178, 8088, 8865, 7168, 3069, 9436, 607, 3599, 421
DATA 685, 1142, 7913, 1696, 9959, 6792, 3008, 2898, 8156, 975
DATA 3833, 8059, 1093, 6034, 1252, 9986, 5679, 389, 5687, 9567
DATA 3455, 833, 6290, 7823, 8626, 3856, 3490, 7473, 1927, 5278
DATA 7401, 6655, 7531, 1901, 1154, 3470, 181, 8625, 6971, 2611
DATA 2012, 6852, 9231, 2993, 7161, 4039, 696, 5112, 2248, 1661
DATA 5082, 3536, 4398, 2396, 6205, 3263, 3322, 2485, 519, 1593
DATA 6826, 9071, 5004, 3155, 8987, 1802, 7833, 5384, 5448, 3091
DATA 724, 9498, 578, 8096, 1717, 9963, 3716, 7036, 5541, 8004
DATA 1464, 6675, 3871, 9586, 9484, 8333, 1543, 5833, 3064, 1935
DATA 9294, 8742, 951, 4788, 3234, 7748, 4814, 1814, 9776, 8716
DATA 9441, 3640, 566, 4515, 6936, 1165, 2416, 1555, 7341, 4193
DATA 5424, 7213, 7306, 7468, 3338, 4905, 4426, 6260, 3837, 2788
DATA 2175, 5270, 9930, 9581, 4102, 6136, 9795, 78, 6465, 8767
DATA 7160, 8630, 8044, 6074, 9802, 8015, 7696, 2675, 9138, 9779
DATA 4772, 2143, 3751, 5470, 8293, 4587, 9123, 8984, 3305, 5067
DATA 2234, 7496, 9984, 9424, 8670, 6721, 5025, 6927, 3529, 5850
DATA 6586, 9588, 9974, 8653, 5562, 1869, 5804, 3997, 1251, 6897
DATA 6654, 1698, 6265, 3862, 8919, 7754, 2187, 7219, 3960, 5817
DATA 11, 423, 6414, 1587, 8081, 386, 1721, 155, 7551, 9237
DATA 1116, 49, 8806, 8229, 1618, 977, 3242, 1958, 3289, 7486
DATA 9227, 1839, 7919, 467, 7165, 4266, 8138, 8933, 7929, 6036
DATA 8154, 5793, 9611, 3396, 2192, 2245, 4301, 5158, 631, 7437
DATA 840, 5608, 5364, 1603, 1384, 9829, 6951, 8566, 9526, 1282
DATA 2123, 7169, 3936, 8130, 3212, 9656, 1939, 7187, 1020, 7098
DATA 79, 4883, 3910, 1975, 3510, 4307, 4418, 2344, 8833, 3317
DATA 9697, 8277, 3320, 9114, 3324, 5143, 508, 6573, 4575, 68
DATA 7391, 4754, 7077, 7577, 5599, 1846, 7118, 3085, 8366, 159
DATA 4371, 9371, 8449, 390, 6177, 232, 5365, 6797, 7596, 7444
DATA 7574, 7511, 5841, 9574, 6700, 9973, 4500, 2454, 4284, 658
DATA 5024, 5085, 8564, 6392, 7912, 4611, 9879, 936, 9307, 2019
DATA 8040, 2930, 3603, 7388, 3843, 742, 1628, 2120, 1635, 3864
DATA 6622, 6097, 1989, 5843, 6799, 4305, 7203, 149, 6380, 5083
DATA 2232, 3658, 2555, 7724, 5342, 3718, 7737, 4398, 1833, 3306
DATA 4546, 6290, 6993, 3111, 2597, 3721, 9502, 7464, 6899, 654
DATA 5715, 5440, 3039, 1783, 5419, 7564, 3431, 5739, 348, 8386
DATA 6750, 5427, 4216, 1831, 500, 6055, 464, 2235, 4570, 8427
DATA 3935, 4935, 9051, 7627, 1747, 9299, 4723, 9890, 8632, 9701
DATA 190, 5610, 1077, 4269, 926, 4752, 3574, 304, 6301, 5924
DATA 3442, 4649, 83, 4188, 6308, 5932, 685, 5225, 779, 910
DATA 1958, 5889, 5314, 3287, 9981, 7570, 9819, 1682, 9315, 9404
DATA 5300, 5632, 5433, 1448, 8517, 3573, 269, 8256, 9372, 5346
DATA 9964, 134, 4087, 1580, 1081, 4528, 7865, 7904, 866, 3637
DATA 9450, 7110, 8505, 1042, 4179, 7691, 9112, 9261, 5132, 103
DATA 1636, 3498, 866, 694, 8624, 4078, 66, 8400, 6716, 9622
DATA 1463, 7181, 1477, 7268, 3418, 4664, 6364, 2427, 3405, 3003
DATA 1380, 7734, 9611, 9981, 4686, 1768, 5854, 6312, 816, 3164
DATA 7989, 3796, 4263, 7383, 5661, 8938, 3137, 1098, 3289, 5649
DATA 521, 1488, 1340, 2974, 2388, 8686, 3154, 3132, 9787, 6579
DATA 9125, 4542, 4333, 8563, 4720, 268, 1290, 4899, 4955, 426
DATA 9808, 8213, 267, 2635, 8153, 2480, 6753, 8790, 3230, 5742
DATA 1040, 3301, 4978, 8786, 7523, 7786, 705, 4688, 6147, 2100
DATA 9926, 3294, 2510, 8878, 197, 284, 1179, 2240, 2591, 914
DATA 6658, 4809, 2578, 5719, 2786, 2821, 4766, 7074, 878, 6351
DATA 9714, 2562, 9242, 7867, 284, 770, 3241, 4375, 6993, 1883
DATA 2433, 3155, 9002, 4333, 476, 9111, 92, 4797, 9118, 62
DATA 8620, 2213, 7078, 62, 1725, 7329, 473, 5994, 3988, 8313
DATA 9279, 9279, 6939, 7063, 5676, 2811, 6694, 541, 2885, 9081
DATA 9820, 2383, 8277, 354, 8349, 6879, 7340, 4888, 8293, 167
DATA 3677, 941, 5846, 5440, 954, 8624, 6514, 6101, 3539, 1349
DATA 6855, 9120, 4023, 6361, 8721, 5099, 2980, 6519, 586, 1682
DATA 8153, 287, 5042, 7545, 2586, 533, 1963, 4325, 9577, 7478
DATA 8134, 3723, 9394, 9912, 4380, 6143, 7544, 9859, 686, 751
DATA 8563, 1427, 2552, 5564, 2593, 9670, 1498, 414, 2598, 1823
DATA 7852, 5768, 2943, 6395, 9656, 2438, 8520, 6565, 4807, 1038
DATA 8454, 6394, 4537, 7019, 1784, 5718, 7410, 1186, 2232, 2780
DATA 2525, 1943, 6265, 7438, 2422, 5609, 3567, 6925, 8238, 7749
DATA 1160, 7377, 5945, 1401, 4470, 3190, 2241, 5355, 9112, 5061
DATA 3817, 8297, 4212, 6498, 2641, 6187, 2460, 6313, 3408, 9192
DATA 6702, 3597, 9580, 2365, 8416, 3175, 5679, 2335, 6621, 123
DATA 1335, 8454, 9459, 590, 699, 8420, 672, 2602, 5116, 7743
DATA 8473, 6482, 4385, 7154, 714, 6265, 9456, 4239, 1127, 1707
DATA 8030, 6371, 4169, 2638, 6440, 1005, 7131, 958, 9606, 3264
DATA 9637, 5529, 5676, 9364, 6894, 1051, 7952, 6, 1645, 2021
DATA 8843, 5340, 4730, 1824, 3930, 5148, 8198, 4593, 762, 9640
DATA 4445, 6877, 6241, 6528, 7162, 727, 6731, 8606, 3254, 801
DATA 4288, 7457, 1198, 6573, 747, 1701, 8866, 368, 7970, 3647
DATA 7085, 4852, 8716, 7000, 3622, 9285, 2883, 7468, 2466, 588
DATA 1411, 7540, 4744, 6061, 6763, 5430, 3739, 9237, 5659, 6593
DATA 6967, 879, 2316, 7744, 6856, 9310, 8382, 1078, 3048, 3159
DATA 1964, 3002, 1441, 2597, 228, 9063, 2031, 7410, 1149, 3664
DATA 8095, 2903, 117, 1633, 4531, 9179, 2293, 9242, 4287, 7283
DATA 7872, 3495, 6992, 9232, 1360, 9223, 4947, 2264, 5824, 3755
DATA 945, 1533, 5520, 1176, 1289, 7517, 3395, 1371, 7829, 3328
DATA 7158, 6094, 3866, 2701, 1791, 8415, 5458, 7264, 8982, 5139
DATA 2555, 9437, 9519, 7317, 8674, 4876, 9925, 3261, 7942, 3381
DATA 2999, 4127, 9398, 6026, 4424, 5196, 60, 5436, 8186, 6467
DATA 986, 5944, 3659, 3015, 4376, 2914, 8697, 9597, 6949, 9653
DATA 3527, 2100, 2002, 967, 9104, 3948, 2547, 2441, 1334, 2244
DATA 8700, 5463, 7656, 8408, 6676, 2153, 3736, 2746, 1591, 2054
DATA 7008, 6290, 5716, 9825, 7353, 7052, 3976, 1231, 2384, 1256
DATA 4349, 4117, 8949, 8615, 8285, 9702, 971, 970, 3919, 6352
DATA 1681, 2258, 2247, 5627, 1951, 9382, 7282, 8520, 9147, 1823
DATA 7534, 3655, 2540, 2074, 6203, 667, 3047, 6952, 4700, 9441
DATA 3814, 5617, 8282, 6663, 1961, 3967, 3593, 6725, 7264, 6033
DATA 8849, 4642, 4894, 7244, 8978, 4815, 9671, 5306, 1538, 4671
DATA 2236, 9871, 2823, 1978, 4769, 3110, 5716, 6236, 3732, 6207
DATA 5959, 7118, 401, 5143, 8962, 3170, 6019, 5857, 982, 3813
DATA 9246, 6613, 5279, 1369, 5637, 6559, 486, 1676, 2051, 2974
DATA 998, 3149, 6559, 7860, 2534, 1012, 9454, 3998, 6728, 8300
DATA 6244, 844, 186, 1815, 1175, 687, 887, 6467, 1609, 7992
DATA 9201, 7769, 6249, 6330, 1575, 8292, 5961, 8849, 4858, 7200
DATA 2292, 2480, 6062, 8812, 1778, 7338, 3145, 8825, 5129, 3953
DATA 6510, 8819, 1865, 1200, 4492, 3154, 9839, 4773, 1473, 5786
DATA 8897, 3142, 473, 1094, 5381, 4648, 2263, 2102, 3310, 7943
DATA 9597, 4628, 5235, 4129, 5751, 9106, 3558, 7923, 19, 5618
DATA 1312, 9461, 2030, 1575, 7634, 159, 7856, 8175, 1749, 8423
DATA 7788, 2447, 3753, 9824, 7457, 5996, 8677, 740, 8545, 5743
DATA 2942, 4026, 7819, 3848, 2203, 5409, 6210, 6060, 7219, 2499
DATA 825, 1048, 5400, 3184, 9631, 9986, 3221, 5690, 8909, 7614
DATA 531, 716, 5113, 1293, 2685, 3498, 5244, 286, 4482, 9347
DATA 591, 6085, 8699, 5981, 9889, 395, 9955, 9181, 1076, 4134
DATA 4665, 8814, 5254, 2565, 8815, 3545, 288, 8473, 9975, 3243
DATA 2780, 9021, 5225, 6952, 1844, 1452, 9865, 835, 5129, 8398
DATA 226, 2382, 6497, 4881, 8115, 8152, 5034, 5997, 4991, 5966
DATA 4009, 8320, 1452, 70, 4803, 5556, 8589, 9730, 9981, 5031
DATA 419, 2238, 5089, 7453, 7327, 6129, 4717, 1268, 1653, 886
DATA 7005, 4728, 8657, 7922, 4670, 1782, 6594, 8272, 6097, 2290
DATA 3471, 5741, 4031, 6697, 3107, 505, 782, 9610, 8260, 7287
DATA 429, 1260, 8231, 1974, 1510, 1473, 5784, 7810, 1072, 7971
DATA 1242, 7976, 284, 8141, 1516, 3388, 6896, 9078, 6717, 5772
DATA 5938, 1524, 7961, 2378, 9999, 366, 6175, 6035, 8821, 8132
DATA 5467, 5634, 4830, 9148, 7296, 2669, 3721, 9885, 270, 188
DATA 2981, 7301, 7024, 9442, 1406, 3172, 6519, 7139, 5062, 2108
DATA 2764, 5071, 8166, 3910, 4366, 8329, 5663, 8073, 719, 4543
DATA 2112, 5505, 3620, 8967, 8323, 310, 8517, 1481, 1492, 8588
DATA 9936, 2870, 6488, 7558, 4389, 1300, 4718, 6846, 7985, 8165
DATA 5521, 5901, 3925, 6032, 613, 7642, 7156, 2801, 1897, 1096
DATA 1140, 239, 1303, 9340, 6061, 7784, 8211, 221, 7165, 9926
DATA 5959, 6829, 5889, 544, 9896, 4857, 4041, 2204, 7497, 3542
DATA 5646, 7184, 236, 5046, 7905, 8274, 8590, 6950, 4735, 5535
DATA 3118, 3835, 8089, 6528, 8615, 8894, 1744, 1621, 9886, 8042
DATA 3034, 9243, 8958, 1497, 3672, 2274, 9518, 1127, 1453, 4386
DATA 9749, 9243, 2421, 3868, 4148, 4837, 5770, 3310, 8761, 7671
DATA 3319, 9442, 6349, 8806, 7216, 6702, 9837, 1723, 571, 3049
DATA 7256, 3819, 8844, 3653, 9981, 9479, 7022, 3275, 4329, 1144
DATA 4433, 4632, 5211, 4793, 1884, 6497, 3594, 6944, 8480, 9517
DATA 3477, 940, 7261, 914, 9351, 518, 5504, 3188, 8516, 3801
DATA 8002, 4268, 1763, 1726, 4589, 5778, 8146, 5894, 7316, 2199
DATA 1354, 2179, 7069, 6392, 9591, 2560, 3838, 485, 8583, 1567
DATA 2725, 4184, 6146, 9966, 351, 9007, 6701, 1178, 2305, 2799
DATA 9831, 3186, 9807, 2478, 2168, 1733, 8984, 6912, 4905, 5791
DATA 867, 654, 3025, 6293, 8081, 948, 2360, 9111, 8296, 668
DATA 9497, 3819, 7631, 5105, 1538, 4935, 1755, 2397, 1928, 5356
DATA 7163, 9294, 2133, 6526, 9580, 4910, 3950, 3518, 4024, 2187
DATA 1935, 4618, 1447, 7959, 7003, 349, 8159, 5797, 2043, 677
DATA 7594, 9449, 172, 3142, 3798, 5974, 7626, 7707, 8008, 9801
DATA 1891, 8522, 2292, 9262, 3297, 2928, 631, 4764, 8100, 1191
DATA 7099, 9353, 1769, 7308, 9422, 6374, 201, 70, 9335, 666
DATA 2278, 5533, 7722, 1764, 9569, 4295, 1334, 2217, 561, 681
DATA 8127, 5696, 1404, 4749, 5829, 392, 8608, 5745, 7388, 2919
DATA 3650, 8052, 2428, 6122, 2127, 5463, 6351, 513, 6722, 1258
DATA 2245, 5750, 7710, 9355, 4824, 1864, 4081, 8218, 6806, 5780
DATA 8079, 9719, 5177, 947, 4197, 6777, 3212, 4823, 7146, 2384
DATA 3954, 8793, 7267, 5599, 9117, 281, 9706, 756, 3576, 6641
DATA 128, 1350, 990, 870, 5335, 6200, 5233, 6929, 6054, 2950
DATA 9254, 5419, 7352, 3808, 7726, 1644, 7265, 3722, 3075, 6826
DATA 5054, 8450, 9679, 7718, 9920, 854, 8913, 4740, 7396, 4160
DATA 4941, 2403, 5553, 2681, 5724, 6269, 238, 3938, 5187, 1880
DATA 2550, 6849, 2576, 6238, 7484, 587, 6020, 8515, 6822, 6963
DATA 7595, 9505, 1924, 7241, 5113, 3516, 3399, 7915, 7222, 4009
DATA 6108, 7839, 2752, 2588, 2213, 913, 7090, 3982, 5360, 2681
DATA 267, 1419, 2457, 6566, 1757, 7459, 7781, 4068, 7748, 392
DATA 7288, 1158, 3817, 5631, 1947, 7376, 5607, 6600, 5726, 4678
DATA 9529, 7998, 4580, 9862, 3666, 3728, 8604, 2022, 1081, 5746
DATA 2248, 753, 4447, 1068, 2668, 2453, 1314, 6783, 139, 7955
DATA 6546, 9446, 5699, 2479, 8847, 7387, 2509, 6467, 6238, 9036
DATA 7941, 5569, 2945, 8900, 7614, 5200, 7886, 8536, 3678, 5881
DATA 2639, 9189, 5915, 7620, 432, 1719, 9636, 7902, 6988, 2911
DATA 2413, 5380, 382, 6280, 3150, 4030, 397, 4901, 4353, 6007
DATA 2497, 1492, 2144, 7964, 3758, 8216, 4985, 2142, 9139, 1538
DATA 4273, 4092, 6605, 6541, 1078, 5900, 9804, 7548, 5015, 6339
DATA 6294, 1100, 6873, 2270, 8858, 389, 2093, 8666, 266, 9800
DATA 647, 3728, 2478, 2041, 2411, 9241, 7329, 6188, 7633, 8055
DATA 6482, 7656, 3436, 2806, 224, 3482, 6427, 5294, 4486, 6804
DATA 7095, 5821, 4825, 8986, 4430, 1688, 1299, 3853, 8646, 3056
DATA 323, 6099, 7731, 2396, 870, 2975, 4227, 948, 3861, 8748
REM Copyright (C) 2000 John J. G. Savard
REM Redistribution is only permitted if no charge is made
REM Use, including commercial use, is permitted
cc = 0
nc = 0
lc = 0
ac = 0
os$ = "data "