A Cryptographic Compendium
This site contains a brief outline of the various types of cipher systems that have been used historically, and tries to relate them to each other while avoiding a lot of mathematics. Its chapters are:

1. Introduction
2. Paper and Pencil Systems
3. Electrical and Mechanical Cipher Machines
4. Telecipher Machines
5. The Computer Era
6. Public-Key Cryptography
7. Miscellaneous Topics
You can also go directly to a complete table of contents. Thus, although this page is about cryptography, it does not fall into certain categories of worthwhile and helpful pages about cryptography that are more common; it is neither:

- a page introducing beginners to methods of solving different kinds of paper and pencil ciphers,
- a page explaining how you can obtain a copy of PGP, ScramDisk, or Private Idaho to start protecting your own communications, or
- a page devoted to the history of cipher machines, with photographs of various ones.
There are links to some of the pages in these categories in the Links section of this site. Occasionally, some methods of cryptanalysis are briefly touched upon here, but the details are very limited, compared to the excellent material available elsewhere.
This site has a great deal in common with sites of the third category, but alas, it doesn't include any photographs. What it does have are schematic diagrams (in my own, somewhat nonstandard symbolism, designed to be easy to recognize at small sizes) and descriptions of the operation of many historical cipher machines. The story of the Enigma's decryption, derived from a multitude of secondary sources, is, I hope, explained with both completeness and clarity here. It covers forms of cryptography ranging from the simple paper-and-pencil methods to the modern computer cipher systems, and attempts to point out the common features that link them.

One word of warning, however: I have indulged my own ego rather shamelessly here, and have described a series of block ciphers of my own design (under the name of "Quadibloc"; the first one was inspired by DES and Blowfish, although in a way it was the opposite of Blowfish, and the others are the result of appropriating various ideas found in the AES candidate ciphers), some paper-and-pencil fancies of mine, and a rather elaborate fractionation scheme for converting the binary output of modern encryption methods to letters for transmission by Morse, or base-78 armor (more efficient than base-64, if less efficient than base-85), or encryption by classical letter-based methods.

In only one section do I discuss, and very briefly, codes, in which words or phrases rather than letters, bits, or digits are the unit of encipherment. However, the word code is used legitimately in mathematics to refer to substitutions which are nonlinguistic (and hence, in cryptology, would be called ciphers), from Morse code to Hamming code (used for error correction) and Huffman code (used for data compression). I have, therefore, been unable to be rigorous about the use of the word "code" in these pages.
Copyright (c) 1998, 1999, 2000, John J. G. Savard
Introduction
This page is about codes and ciphers, which people use to communicate with each other in ways that other parties cannot (it is hoped) understand. Although secrecy in communication can precede literacy, for example by the use of obscure allusions, a spoken language that is different from the one commonly spoken, a jargon or cant of terms with special or secondary meanings, or a conventionalized way of speaking such as Pig Latin, the efflorescence of many and sophisticated methods of secret communications waited for the development of alphabetic writing, which allows any thought to be represented by a small number of easily manipulated characters. Even then, it took a conceptual breakthrough to realize that letters can be represented by other symbols; particularly in introductory books on the subject for children, this is often illustrated by various examples that are used today, such as Morse code, signal flags, Baudot, ASCII, or, as illustrated below, Braille and semaphore:
And, for another even more prosaic illustration, here is the color code used on resistors (as well as on the old mica capacitors) and the color code, if one can call it that, of pool balls:
One early and entertaining historical survey of the use of codes and ciphers was the book Secret and Urgent, by Fletcher Pratt, also the author of several novels. This book came out in the same year as Elementary Cryptanalysis, by Helen Fouché Gaines, which will be mentioned below. The title of this book is a particularly apt description of why methods of scrambling messages to keep them secret are used. Obviously, if a message contains nothing that is confidential, there is no need to bother putting it into code or cipher. But equally, if a message is not urgent, then even if it is secret, it can be communicated at some time when there is an opportunity to meet privately. Only when both conditions exist: when the contents of a message must be kept secret, and yet the message is so urgent that the risk must be taken of sending it by a means that may allow others to read it, would people take the time and effort to put a message into cipher, and take the risk involved in relying on cipher to maintain its secrecy.
Of course, today computers carry out the steps involved in enormously complicated cipher schemes at the push of a button, so neither the effort nor the risk looms as large as it did during most of the history of the subject. This site contains a brief outline of the various types of cipher systems that have been used historically, and tries to relate them to each other while avoiding a lot of mathematics.
Suggestions for Reading
The following books can be recommended for someone beginning to learn about the subject of secret writing:

The Codebreakers, David Kahn, Macmillan (1st ed.), Simon and Schuster (2nd ed.). This book is a fascinating history of cryptography, dealing with the role it has played in many historical events. There are also some nuggets of technical information not seen in other books aimed at the general public, and there is historical information about subjects related to secret codes, such as cable codes (which do not involve secrecy, and were for saving money on sending telegrams).

Elementary Cryptanalysis, Helen Fouché Gaines, Dover. Published under the title Cryptanalysis to avoid confusion with a book by Abraham Sinkov (also a good book), this book deals with pencil and paper ciphers, and is particularly aimed at people who solve such ciphers as a hobby. It describes a wide variety of ciphers and a multitude of solving methods.

And I will also mention two other books here:

Machine Cryptography and Modern Cryptanalysis, Cipher A. Deavours and Louis Kruh; Artech House. This book is a gold mine of information and was the source for much of what you will see in this web site about cipher machines of the rotor era. It is now out of print. Unfortunately, it was marred by a number of typographical errors. I had thought that regrettable, but felt that this was a common occurrence in books with a limited anticipated sale. An otherwise positive review in Cryptologia magazine (also a significant source, particularly for my account of the Siemens T52) did include the comment that one might expect better than that, and as a result my faulty memory led me to categorize the review as "scathing", for which I apologize to its author (himself a significant source of information for my section on the Enigma's Uhr box), Frode Weierud. A number of the illustrations from this book were reprinted (with full permission, of course) in the more recent book Decrypted Secrets from Springer-Verlag.

Applied Cryptography, Bruce Schneier; John Wiley and Sons. This book is aimed at the computer professional who needs to implement secure systems involving cryptography. As it describes a wide selection of algorithms and protocols, it will be of interest to anyone concerned with cryptography in the computer era. This book is one of the most widely available books covering the subject matter, and it is frequently cited as a source and as an authority on the USENET newsgroup sci.crypt. The 2nd edition is considerably expanded, with fascinating detail on a much larger number of cipher systems.
Pencil and Paper Systems
The most obvious way, perhaps, of taking text and concealing it from the prying eyes of those who don't know your secret is by replacing each letter by something else, like this:
ABCDE FGH IJKL MNO PQRST UVW XYZ
$7+Q@ ?)/ 2X3: !8J 9%6*& 15= (;4
which turns Please send me some money into
9:@$*@ *@8Q !@ *J!@ !J8@;
This is called substitution, and ciphers based on this principle date back to ancient times. For example, the diagram to the right illustrates several cipher alphabets used by the ancient Hebrews. Three of them are based on arrangements of the alphabet according to a definite pattern, and these patterns can be illustrated in terms of the 26-letter alphabet used by the English language by showing what the equivalent substitutions are in that alphabet:
Atbash:   A B C D E F G H I J K L M
          Z Y X W V U T S R Q P O N

Albam:    A B C D E F G H I J K L M
          N O P Q R S T U V W X Y Z

Atbah:    A B C D   J K L M   E   S T U V
          I H G F   R Q P O   N   Z Y X W
Note that all three of these are reciprocal, in that if one letter becomes another letter, then that other letter becomes the original letter in turn. The illustration also contains other information. The numerical value of each letter is given below the name of the letter, and the original Hebrew form of the name of the letter is also shown to the right. Also, Cryptic Script B, an alphabet used in the writing of part of the Dead Sea Scrolls, is shown (albeit imperfectly; the symbol for Shin is only known to be used for one of the two values of that letter, as indicated by dots, and an additional special-purpose character is not shown.)
The other method of concealing a message is called transposition, which was also used in ancient times, at least by the Spartans with the scytale, a baton around which a leather belt could be wound, so that a message could be written on the belt, crossing from one loop to the next, so that it could only be read while the belt was so wound. In transposition, instead of replacing letters with something else, the letters of a message are moved around, so that they aren't written down in order.
- Cryptanalyzing the Simple Substitution Cipher
- Methods of Transposition
- Improving Substitution
  - Homophones and Nomenclators
  - Polygraphic Ciphers and Fractionation
    - Playfair and its Relatives
    - The Bifid, the Trifid, and the Straddling Checkerboard
    - Fractionated Morse, and Other Oddities
    - The VIC Cipher
    - Two Trigraphic Ciphers, and a Heptagraphic One
  - Polyalphabetic Substitution
- Code Books
- Fun With Playing Cards
- Conclusions
Electrical and Mechanical Cipher Machines
Using machinery to automate encryption permitted ciphers to be much more complicated than those which can reasonably be applied by hand without too many mistakes. And this was true even though machines had to be reliable and inexpensive, and this meant they could only carry out fairly simple operations. (Today, of course, the microchip has changed everything immensely!) There are several types of cipher machine that we will examine in this section; and a few more that belong to another section, since they hint at the computer age to follow.
- Early Machine Ciphers
  - The Bazeries Cylinder
  - The Kryha Cryptograph
  - The Hill Cipher
  - The RED Machine
  - The Reihenscheiber
  - The A-22 Cryptograph
- The Hagelin lug and pin machines
  - Cryptanalysis of the Basic Lug and Pin Machine
- Rotor Machines and their PURPLE cousins
  - Rotor Machine Basics
  - The Interval Method
  - The Method of Isomorphs
  - PURPLE, CORAL, and JADE
- The Enigma: a unique rotor machine
  - Basic Principles of the Enigma
  - The Uhr Box
  - The Enigma A and Enigma B
  - Relatives of the Enigma
  - Cryptanalysis of the Enigma
    - Cliques on the Rods
    - Indicators and Jefferys Sheets
    - The Bombe and the Diagonal Board
- An American Achievement: the ultimate rotor machine
- Miscellaneous Machine Ciphers
  - The Hagelin B-211
  - Sweden's HC-9
  - LACIDA
- Conclusions for Chapter II
  - Fantastic Rotor Machines
  - Child's Play
  - Irregular Rotor Movement
Telecipher Devices
This section looks at cipher machines that worked with teletypewriters. Just as today's computers represent printed characters as 8-bit bytes using the ASCII code, teletypewriters used a similar code for communications purposes. However, they used only five bits per character, which conserved bandwidth, although it meant that shifting between letters and other characters such as numbers and punctuation marks required sending characters that indicated a shift was taking place. Thus, we have a family of cipher machines that, before the computer age, was already working in binary code.

Two early American attempts at a telecipher machine were not used in practice, since they were found to be insecure. One was designed by Gilbert S. Vernam for A. T. & T., the two-tape machine, where two punched tape loops of unequal size each provided a current character to be XORed with the plaintext character. The other was devised by Col. Parker Hitt, who was one of America's foremost cryptologists of the World War I era, for ITT, and involved ten cams with 96, 97, 98, 99, 100, 101, 102, 103, 104, and 105 positions, two of which supplied the bits to be XORed with one bit of the current plaintext character.

The XOR or exclusive-or logical operation is the simplest possible way to apply a key to a plaintext to conceal it. This operation is also modulo-2 addition, with the very small table:
  +   0   1
  0   0   1
  1   1   0
If we view 0 as standing for "False", and 1 as standing for "True", then A exclusive-or B is true if either A is true exclusively (that is, A is true and B is false), or if B is true exclusively (B is true and A is false).

However, the machine devised by Vernam was modified to a form which was secure, and many countries have used similar devices. Instead of increasing the number of punched tape loops used to XOR with the plaintext, the number of key inputs was reduced from two to just one: and that one took a key tape consisting of completely random bits, used only once. This, the one-time tape, is again the perfect case of polyalphabeticity, which was previously noted as the one-time pad under pencil-and-paper methods.

If anyone is unfamiliar with the alphabet used for 5-level teletypewriters, which is called the Baudot code (although, more accurately, it is in fact derived, with slight modifications, from the Murray code, a later 5-unit printing telegraph code, just as the code for transmitting chess moves by telegraph is called the Uedemann code, for the first person to invent such a code, even though the code actually used is a later one, properly known as Gringmuth notation; also, the International Morse Code, though it has several characters in common with the code of dots and dashes originally devised by Samuel Findley Breese Morse, is actually a revision of his code devised by one Frederick Gerke from Austria, as I have recently learned thanks to Terry Ritter), a table of it is given here.
(In the interests of making complete information handy, the table included is one with some additional information from one of my USENET posts.) International Telegraph Alphabet No. 5 is the international version of ASCII; International Telegraph Alphabet No. 1 was a version of Emile Baudot's original 5-unit code, the one that included a 'letters space' and a 'figures space'. (I've seen a web site that incorrectly claims that International Morse, formerly Continental Morse, was ITA 1.) International Telegraph Alphabet No. 2 is what is most commonly called Baudot; it is the 5-level code derived from the Murray code. ITA 3 and ITA 4 are obscure, but they are both derived from ITA 2, as are a couple of other codes. The final code, ten bits long, is AUTOSPEC. All the codes, except for CCIR 476, are shown in order of transmission; CCIR 476 is shown the other way around, being assumed to be sent LSB first as is ASCII.
Character      ITA 2 figures shift        ITA 2   ITA 4    ITA 3     CCIR 476   AUTOSPEC
               (national variants)
Character 32                              00000   100000   0000111   1101010    0000000000
Space                                     00100   000100   1101000   1011100    0010011011
Q              1                          11101   011101   0001101   0101110    1110111101
W              2                          11001   011001   0100101   0100111    1100100110
E              3                          10000   010000   0111000   1010110    1000001111
R              4                          01010   001010   1100100   1010101    0101001010
T              5                          00001   000001   1000101   1110100    0000111110
Y              6                          10101   010101   0010101   0101011    1010101010
U              7                          11100   011100   0110010   1001110    1110000011
I              8                          01100   001100   1110000   1001101    0110001100
O              9                          00011   000011   1000110   1110001    0001100011
P              0                          01101   001101   1001010   0101101    0110110010
A              -                          11000   011000   0011010   1000111    1100011000
S              '       (BEL)              10100   010100   0101010   1001011    1010010100
D              WRU     ($)                10010   010010   0011100   1010011    1001010010
F                      (% British, ! U.S.)10110   010110   0010011   0011011    1011001001
G                      (@, &)             01011   001011   1100001   0110101    0101110100
H                      (£, #, STOP)       00101   000101   1010010   1101001    0010100101
J              BEL     (')                11010   011010   0100011   0010111    1101000101
K              (                          11110   011110   0001011   0011110    1111011110
L              )                          01001   001001   1100010   1100101    0100101001
Z              +       (")                10001   010001   0110001   1100011    1000110001
X              /                          10111   010111   0010110   0111010    1011110111
C              :                          01110   001110   1001100   0011101    0111010001
V              =       (;)                01111   001111   1001001   0111100    0111101111
B              ?                          10011   010011   0011001   1110010    1001101100
N              ,                          00110   000110   1010100   1011001    0011000110
M              .                          00111   000111   1010001   0111001    0011111000
CR                                        00010   000010   1000011   1111000    0001011101
LF                                        01000   001000   1011000   1101100    0100010111
FIGS                                      11011   011011   0100110   0110110    1101111011
LTRS                                      11111   011111   0001110   1011010    1111100000

Control signals (alpha, beta, SYNC, repetition), as far as the original table gives them:
  ITA 3       0101001   0101100   0110100
  CCIR 476    0001111   0110011   1100110
  also given: (all 0) 000000, (all 1) 111111, 110011

ASCII over AMTOR (the four columns that follow the code bits in the original table):
  ordinary letters:    Q W E R T Y U I O P A S D F G H J K L Z X C V B N M
  ordinary figures:    1 2 3 4 5 6 7 8 9 0 ' % @ # * ( ) + / : = ? , .
  auxiliary letters:   q w e r t y u i o p a s d f g h j k l z x c v b n m
  auxiliary figures:   ! $ ^ & ~ _ " ` } { [ ] \ ; < >
Unlike ITA 3, CCIR 476 has a pattern that relates it to ITA 2: except for the letters B and U, whose natural codes are used for alpha and beta, those ITA 2 characters which have 4, 3, or 2 one bits set are represented by 0x0, 0x1, and 1x1 respectively, where x is the five bits of the ITA 2 character; and 1nnnnn0 represents the characters that don't fit into this range, with again exactly 3 of the n bits set. Note that ITA 3 is a 3 of 7 code, while CCIR 476 is a 4 of 7 code. Perhaps this is why the newer CCIR 476 is the one US radio amateurs are permitted to use, and do use for AMTOR, while the older ITA 3 was used for ARQ purposes originally. But it's odd to see a new code developed to fill exactly the same purpose as an older code already accepted as an international standard. ITA 3 was known as, or derived from, the Moore ARQ code, also known as the RCA code. It appears to have been the first code used for ARQ (automatic repeat request) purposes, and to have been invented in or prior to 1946 by H. C. A. van Duuren. ITA 3 was adopted as an international standard in 1956, according to the source which first brought him to my attention.
AUTOSPEC repeats the five-bit character twice, but if the character is one with odd parity, the repetition is inverted. Thus, the parity bit is transmitted with high reliability, and every other bit of the character is effectively repeated twice. It can be thought of as the result of applying an error-correcting code with the matrix:

1 0 0 0 0
0 1 0 0 0
0 0 1 0 0
0 0 0 1 0
0 0 0 0 1
0 1 1 1 1
1 0 1 1 1
1 1 0 1 1
1 1 1 0 1
1 1 1 1 0

to 5-level characters.
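To make the matrix concrete, here is an AUTOSPEC encoder and decoder (an added example, not code from the original page) that multiplies a 5-level character by the matrix above, checks that the result agrees with the repeat-and-invert rule, and uses the redundancy to correct any single corrupted bit and to reject a word with two corrupted bits. The decoder's correction logic is my own derivation from the structure of the code, not something the page states.

```python
# AUTOSPEC: a 5-level character is sent twice; the repetition is inverted
# when the character has odd parity.  G is the generator matrix from the
# text: rows 1-5 copy the character, rows 6-10 form each bit's repetition as
# the XOR of the other four bits (which equals the bit XOR the parity).
G = [
    [1, 0, 0, 0, 0], [0, 1, 0, 0, 0], [0, 0, 1, 0, 0], [0, 0, 0, 1, 0], [0, 0, 0, 0, 1],
    [0, 1, 1, 1, 1], [1, 0, 1, 1, 1], [1, 1, 0, 1, 1], [1, 1, 1, 0, 1], [1, 1, 1, 1, 0],
]


def bits(s):
    """'11101' -> [1, 1, 1, 0, 1] (bit 1, the first transmitted, first)."""
    return [int(c) for c in s]


def to_str(b):
    return "".join(str(x) for x in b)


def autospec_encode(char5):
    """Multiply the 5-bit character by G over GF(2): the 10-bit AUTOSPEC word."""
    return [sum(g & x for g, x in zip(row, char5)) & 1 for row in G]


def autospec_encode_by_rule(char5):
    """The same word from the verbal rule: repeat, inverting if parity is odd."""
    parity = sum(char5) & 1
    return list(char5) + [x ^ parity for x in char5]


def autospec_decode(word10):
    """Return (character, corrected), or (None, False) if uncorrectable.

    A valid word has its two halves either identical (even parity) or exactly
    complementary (odd parity), so any two codewords differ in at least four
    bits: one corrupted bit can be repaired from the other half plus the
    parity, and two corrupted bits are detected but not repaired.
    """
    first, second = list(word10[:5]), list(word10[5:])
    diff = [a ^ b for a, b in zip(first, second)]
    ndiff = sum(diff)
    if ndiff <= 1:                      # halves (nearly) identical: even parity
        want, bad = 0, diff.index(1) if ndiff == 1 else None
    elif ndiff >= 4:                    # halves (nearly) complementary: odd parity
        want, bad = 1, diff.index(0) if ndiff == 4 else None
    else:
        return None, False              # two or more errors: not correctable
    if (sum(first) & 1) != want:
        if bad is None:
            return None, False          # consistent halves, wrong parity: two errors
        first[bad] ^= 1                 # the odd bit was corrupted in the first copy
    # Otherwise the first copy already has the right parity, so any single
    # error lay in the repetition and the first copy is the character as sent.
    return first, bad is not None


if __name__ == "__main__":
    for name, code in [("Q", "11101"), ("W", "11001"), ("Space", "00100")]:
        word = autospec_encode(bits(code))
        print(name, code, "->", to_str(word), autospec_decode(word))
```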
The entries

F  %  !
V  =  ;

mean that, for F, no figures shift character is defined by ITA 2; however, the % sign is used as a national-use figures shift character for Britain. The U.S. figures shift character is !. For V, however, the = sign is defined as the official figures shift character. The U.S. 5-unit teletypewriter code, which is non-conformant to ITA 2, defines ; as the figures shift character for V instead.

After the code bits, there are four more columns of characters, giving the characters used by ASCII over AMTOR. The all-zeroes character is used to toggle between the ordinary character set in the first two columns, and the auxiliary one in the second two. The ordinary character set is that of the international version of the 5-level code, rather than the U.S. version, but the figures shift of J, instead of being the bell, is the asterisk.

Note that there is also an official standard of very recent vintage for using lowercase with 5-level code, which works on a different principle: a LTRS code while already in letters case is used to toggle between upper and lower case. This standard does not include ASCII graphics characters, but it was designed to be compatible with the use of the all-zeroes code for supplementary alphabetic characters; these characters could have their lower case available using their shift character in the same fashion as LTRS is used.

This new standard works as follows: FIGS LTRS operates as a reset into uppercase mode. In normal uppercase mode, when returning to letters case from figures case, one is returning to uppercase letters. When in letters case, a superfluous LTRS code switches into lowercase. This is true even when reset into uppercase mode; but then it also clears lowercase mode, so that, whether one is printing uppercase or lowercase, when one returns from printing figures characters to print letters, one begins with lowercase letters. This is a bit confusing, so I will illustrate it:
ABC [FIGS] 1234 [LTRS] DEF [LTRS] ghi [FIGS] 1234 [LTRS] jkl [LTRS] MNOPQ [FIGS] 1234 [LTRS] rst [FIGS][LTRS] UVW [FIGS] 1234 [LTRS] XYZ
Essentially, toggling between upper and lower case with a superfluous LTRS is always on. FIGS LTRS resets (to uppercase, or capitals) only the default letters case that a normal LTRS, used for exiting figures printing, returns to. And that default flips back to lower case the first time lower case is accessed with an (otherwise) superfluous LTRS. Thus, this example proceeds as follows:
ABC [FIGS] 1234 [LTRS] DEF
One begins by having only figures and uppercase letters available.
[LTRS] ghi [FIGS] 1234 [LTRS] jkl
The superfluous LTRS now switches one into lowercase mode, as well as immediately switching to printing lowercase letters. The FIGS shift still takes you to normal figures case, and a LTRS shift returns you to lowercase letters.
[LTRS] MNOPQ [FIGS] 1234 [LTRS] rst
A superfluous LTRS shift changes you to printing uppercase characters, but the mode remains lowercase mode. Thus, FIGS takes you to printing digits, and LTRS takes you to printing in the default case for the current mode, which is lower case.
[FIGS][LTRS] UVW [FIGS] 1234 [LTRS] XYZ
A superfluous LTRS toggles between printing uppercase and lowercase, but only moves you from uppercase mode to lowercase mode. To change mode in the reverse direction, the combination FIGS LTRS is required. Once that combination is used, not only do you print in uppercase, but a LTRS shift used after printing figures will return you to the new default case, which is again upper case.

The bits are numbered from 1 to 5, in the order in which they are transmitted. They are normally preceded by one start bit (0) and followed by one and a half stop bits, that is, a 1 level on the wire for one and a half times the time used for transmitting a data bit. In ASCII, the bits of a character are transmitted least significant bit first; since the 5-level code bits don't represent codes in any kind of numerical order, sometimes bit 5 and sometimes bit 1 is taken as the most significant bit, although the tendency has been to treat bit 5 as the MSB because of the use of the same UART chips for ASCII and 5-level code. And here is a graphical version, showing the standard, U.S., financial, and weather character sets:
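Before moving on to the Murray code, here is the lowercase convention described above worked through in code, as an added example that is not part of the original page. The decoder models the prose rules (FIGS selects figures; LTRS after figures returns to the default case of the current mode; FIGS immediately followed by LTRS is the reset combination; a superfluous LTRS toggles the printed case and can only move the mode from uppercase to lowercase); the bracket-notation parser and the reading of "FIGS LTRS" as FIGS directly followed by LTRS are my assumptions.

```python
# ITA 2 letters shift, bits 1-5 in order of transmission, from the table above.
ITA2_LETTERS = {
    "00000": "", "00100": " ", "11101": "Q", "11001": "W", "10000": "E",
    "01010": "R", "00001": "T", "10101": "Y", "11100": "U", "01100": "I",
    "00011": "O", "01101": "P", "11000": "A", "10100": "S", "10010": "D",
    "10110": "F", "01011": "G", "00101": "H", "11010": "J", "11110": "K",
    "01001": "L", "10001": "Z", "10111": "X", "01110": "C", "01111": "V",
    "10011": "B", "00110": "N", "00111": "M", "00010": "\r", "01000": "\n",
}
FIGS = "11011"
LTRS = "11111"

# International figures shift.  F, G and H have no figures character; the
# hyphen for A is the standard ITA 2 assignment (assumed here).
ITA2_FIGURES = {
    "Q": "1", "W": "2", "E": "3", "R": "4", "T": "5", "Y": "6", "U": "7",
    "I": "8", "O": "9", "P": "0", "A": "-", "S": "'", "D": "\x05",  # WRU
    "J": "\x07",  # BEL
    "K": "(", "L": ")", "Z": "+", "X": "/", "C": ":", "V": "=", "B": "?",
    "N": ",", "M": ".", " ": " ", "\r": "\r", "\n": "\n", "": "",
}
CODE_FOR_LETTER = {v: k for k, v in ITA2_LETTERS.items()}
LETTER_FOR_FIGURE = {v: k for k, v in ITA2_FIGURES.items() if k.isalpha()}


def decode(codes, lowercase_extension=True):
    """Print a stream of 5-bit codes (strings such as '11101').

    With lowercase_extension=False the printer behaves as a traditional
    ITA 2 machine: a superfluous LTRS does nothing, so old equipment prints
    the same stream entirely in capitals.
    """
    out = []
    in_figs = False
    upper_mode = True       # default case that a normal LTRS returns to
    upper_now = True        # case currently being printed
    prev_was_figs = False   # recognises the FIGS LTRS reset combination
    for code in codes:
        if code == FIGS:
            in_figs = True
            prev_was_figs = True
            continue
        if code == LTRS:
            if in_figs:
                in_figs = False
                if prev_was_figs and lowercase_extension:
                    upper_mode = True          # FIGS LTRS: reset to uppercase mode
                upper_now = upper_mode         # normal return to letters
            elif lowercase_extension:
                upper_now = not upper_now      # superfluous LTRS toggles the case
                upper_mode = False             # and can only lower the mode
            prev_was_figs = False
            continue
        prev_was_figs = False
        letter = ITA2_LETTERS[code]
        if in_figs:
            out.append(ITA2_FIGURES.get(letter, ""))
        else:
            out.append(letter if upper_now else letter.lower())
    return "".join(out)


def codes_from_notation(text):
    """Convert the bracket notation used above ('ABC [FIGS] 1234 [LTRS] def')
    into 5-bit codes: a letter gives its ITA 2 letter code whatever its case,
    a figure gives the code of the letter that carries it."""
    codes = []
    for token in text.replace("][", "] [").split():
        if token == "[FIGS]":
            codes.append(FIGS)
        elif token == "[LTRS]":
            codes.append(LTRS)
        else:
            for ch in token:
                letter = ch.upper() if ch.isalpha() else LETTER_FOR_FIGURE[ch]
                codes.append(CODE_FOR_LETTER[letter])
    return codes


# The illustration from the text.
EXAMPLE = ("ABC [FIGS] 1234 [LTRS] DEF [LTRS] ghi [FIGS] 1234 [LTRS] jkl "
           "[LTRS] MNOPQ [FIGS] 1234 [LTRS] rst [FIGS][LTRS] UVW [FIGS] 1234 "
           "[LTRS] XYZ")

if __name__ == "__main__":
    stream = codes_from_notation(EXAMPLE)
    print(decode(stream))                             # with the extension
    print(decode(stream, lowercase_extension=False))  # on an old printer
```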
The top two lines show the original Murray code, from which the modern 5-level code is derived. (The original Baudot code was completely different.) It too, like the original Baudot, used a letters space and a figures space. I'm not sure about the functions of the line feed and carriage return characters: one of them could be a newline, and the other might have had a different control function. Also, in my reference, the space for the figures shift of A was left blank. My guess is that that should have been a comma. Incidentally, the reason that this code is not so organized that when the letters are in alphabetical order, their codes are in binary numerical order, as is the case for ASCII, is because the codes were chosen so that the most common letters would have codes that would cause less wear and tear on the moving parts of teleprinters. The following chart shows the scheme by which the codes were assigned:
[Chart of the Murray code assignment scheme, grouping the letters (E and T; A I N O; U C M; K V; S R H; D L; F G; T P; B W; Q X; Y Z, together with letter space and line feed) by their marking impulses; the chart itself is not reproduced here.]
- The Lorenz Schlusselzusatz SZ40
- The Siemens Geheimschreiber T52
- The Swedish SA-1
- An American patent
- Converter M-228
- Conclusions
The Computer Era
The era of computers and electronics has meant an unprecedented freedom for cipher designers to use elaborate designs which would be far too prone to error if handled by pencil and paper, or far too expensive to implement in the form of an electromechanical cipher machine. There are rumors that the secret cipher machines of the 1960s and beyond involved the use of shift registers, and, more specifically, that they used nonlinear shift registers, since it is known that a linear feedback shift register produces a sequence which, while it has a long period and an appearance of randomness, is not itself a secure additive key for a cipher. Since it is very difficult to guarantee that a shift register whose feedback is nonlinear will always have a reasonably long period, I think I will continue to doubt these rumors until the facts finally become declassified. (However, since the mathematical theory does exist by which the conditions for maximum period of the quadratic congruential generator are known, I definitely could be wrong.)

However, some published papers use the term "nonlinear shift register" to describe a stream cipher system which has a linear feedback shift register at its heart, but which has as its output a nonlinear function of the shift register's state. Since it is trivially possible to produce any output sequence with the same period as the underlying LFSR in this way (proof: use the outputs from all the cells in the LFSR as inputs to the address lines of a one-bit wide ROM programmed, in a suitable order, with the desired sequence), I have no problem accepting the existence of nonlinear shift register designs in this sense.
Publicly known designs based on shift registers instead use linear shift registers, but do such things as combining the output from several, controlling the stepping of one shift register with another, as was done with the pinwheels in some of the more secure telecipher designs of the last chapter, or using one shift register to select between the outputs of two other shift registers. But the main thrust of the computer era has been in the development of block ciphers, starting with the LUCIFER project at IBM, which was the direct ancestor of DES, the Data Encryption Standard.
- LUCIFER
- The Data Encryption Standard
  - Details of DES
  - Variations of DES
- And Now For Something Completely Different: SAFER
- Something Not Quite As Different: IDEA
- Formerly Secret: SKIPJACK
- Blowfish
- My Own Humble Contribution: QUADIBLOC
  - Description of QUADIBLOC
    - Euler's Constant and the QUADIBLOC S-boxes
  - Variants with different key sizes
  - The QUADIBLOC FAQ
  - Key Enrichment
  - Quadibloc II
  - Quadibloc III
  - Quadibloc IV
  - Quadibloc V
  - Quadibloc VI
  - Quadibloc S
  - Quadibloc VII
  - Quadibloc VIII
    - The Standard Rounds
    - The Mixing and Whitening Phase
    - The Key Schedule
    - The Rationale of the Design
  - Quadibloc IX
  - Quadibloc X
- Towards the 128-bit era: AES Candidates
  - The Advanced Encryption Standard (Rijndael)
  - Twofish (finalist)
  - SERPENT (finalist)
  - RC6 (finalist)
  - DEAL
  - MARS (finalist)
  - SAFER+
  - FROG
  - LOKI97
  - CAST-256
  - Magenta
  - DFC
- Block Cipher Modes
- Cryptanalytic Methods for Modern Ciphers
  - Differential and Linear Cryptanalysis
    - Extensions of Differential Cryptanalysis
    - The Boomerang Attack
  - Cryptanalysis, Almost by Aimlessly Thrashing About
  - Hidden Markov Methods
- Stream Ciphers
  - Shift-Register Stream Ciphers
    - An Illustrative Example
    - Other Constructions
    - More Realistic Examples
  - Other Stream Ciphers
    - Panama
  - A Note on the Importance of Galois Fields
- Conclusions
  - Modified Panama
  - Mishmash
  - Combining Two Unrelated Block Ciphers
  - A Base Conversion Block Cipher and Other Concepts
  - The Large-Key Brainstorm
  - The Inner Structure of the Feistel Round
Publickey Cryptography
Public-key cryptography is a very novel form of cryptography that first became known to the public during the decade of the 1970s. Not only is it novel, its very name seems paradoxical and confusing. Although cryptographic techniques have other uses besides sending secret messages, such as authentication, and this is especially true of public-key cryptography, sending secret messages is still one of the things public-key cryptography can be used for. And if a message is secret, that means that the key to unlock it must be a secret, or else anyone could decipher it. That is still just as true for public-key cryptography as it is for the regular kind. If that's the case, what does the word "public" in public-key cryptography mean?

Normally, with a conventional cryptographic system, if you know both the key for sending a secret message, and the method of encryption in which that key is used, then you also know everything you need to know to decipher secret messages sent with that key and in that system. A few conventional encryption systems are reciprocal, so that exactly the same key and procedure serves for encryption and decryption; but in those that are not reciprocal, the key and procedure for decryption are both still easily derived from those for encryption, and in most cases, only one of the two differs. A public-key cryptosystem is one where a key, useful for sending messages, can be made public without revealing the still-secret key that allows those messages to be read.

How can this be possible? A two-part codebook is one where the code groups don't have the same order as the plaintext words and phrases they represent. If you publish only the enciphering half of such a codebook, keeping the deciphering part to yourself, then it is easier to send coded messages to you than it is to read them.
Of course, that doesn't provide genuine security: the published half is all an adversary needs, and the reading is only a search through it. But it hints at how PKC can be possible.

Another example, one of the first PKC concepts expressed in the open literature, goes as follows. Transmit a large number of encrypted messages to a correspondent. These messages are in a cipher that can be broken, but not without some work. The messages look something like this:

"Key number 2126 is EXVRRQM"
"Key number 1253 is PTXYZLE"

and so on. The key for each key number is chosen genuinely at random, and you keep a table of what every numbered key is. The person who wants to send you a message picks any one of your large number of encrypted messages and breaks it. Then, using the key found inside, he encrypts his message to you, and precedes it with a note saying: "I am using key number 2126 to encrypt this message". He only had to break one of the encrypted key messages to send you a message, but anyone else who wanted to read it would have to keep breaking the messages until he found the right one, on average half of them. The sender's work is the cost of breaking one message; the eavesdropper's is that cost multiplied by the number of messages.

So, the principle of PKC is to find some trick that works one way without revealing how to reverse the process. One good place to look for tricks like that is in higher mathematics, and each of the public-key methods we will look at in the remainder of this section has a basis that came from that source.

Public-key cryptography is certainly very different from conventional cryptography, and is of general mathematical interest. But it is also of very considerable practical importance. Without public-key cryptography, you could still send an encrypted e-mail to a friend who was away on vacation, if before he left you had given him a secret key to use. You could also encrypt your e-mails to someone you hadn't met, provided you sent him, or he sent you, a secret key by a more secure method, such as a letter by regular mail. (Of course, letters can be read too by a determined adversary, but exchanging keys even in this simple fashion would keep your communications out of reach of someone who has the opportunity to intercept your e-mail but not the contents of your mailbox.)

With public-key cryptography, however, no resort to an alternative, more secure channel of communications for prior setup is required. Instead, encrypted communications can be set up on an impromptu basis, entirely over an insecure medium such as the Internet. It is not an overstatement to claim that public-key cryptography is the factor which changed cryptography from something used only by people with either a strong need for secrecy or an interest in cryptography itself to something used routinely by many people for such practical purposes as making credit-card purchases over the Internet. (One caveat: setting up a key over an insecure medium defeats an eavesdropper, but an adversary who can alter traffic could substitute a public key of his own unless there is some way to verify whose public key one has; that is one of the jobs of the digital signatures discussed later in this chapter.)

If PKC did not exist, however, credit-card companies could instead have issued secret passwords to credit-card holders. If a merchant verified a password by comparing a one-way hash of the password and the user's account number to a coded number on the credit card, knowing the one-way hash of the password wouldn't enable him to create a new password to deceive other merchants. Thus, even without public-key methods, it would be possible to avoid the requirement that every transaction be directly verified with the credit-card company. But precautions would be needed to ensure that a hash code could not be used in place of a password, by being inserted into a stage of the verification process that comes after the password is converted to its hash.
Including the account number in the hash prevents making forged credit cards for someone else's account with a different password, provided the hash also involves a secret key.

The RSA public-key cryptosystem is a straightforward example of public-key cryptography: using the same operation (exponentiation modulo a number N), key E transforms plaintext to ciphertext and key D transforms ciphertext to plaintext, but no efficient way is known to find D knowing only E and N; the two prime factors of the modulus are required, and recovering them is the factoring problem.

But there are other ways to send a message from one place to another without prior exchange of a secret key. The Diffie-Hellman key exchange method relies on a one-way transformation from a private key x to a public key A^x (computed modulo a large prime), which has the property that two parties can exchange public keys and, using either private key together with the other party's public key, arrive at the same secret session key, which no one knowing only the two public keys can feasibly derive.

The Massey-Omura cryptosystem is based on Shamir's three-pass protocol, which uses an encryption method such that, after it is applied twice, the two encryptions need not be removed in the exact reverse of the order in which they were applied, but can be removed in either order. This allows one party to send an encrypted message; the recipient sends it back encrypted again; the first party then removes his own encryption and sends it back to the recipient as if only the recipient had encrypted it, and the recipient removes his. (While there are many encryption methods that are commutative, most, if used in this way, would provide no security whatever, because relationships between the three messages sent would reveal the secret keys used: with XOR against a fixed key, for instance, the XOR of the first two transmissions is the recipient's key.)
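The three mechanisms just described, as an added toy example (not code from the compendium): RSA with keys E and D, Diffie-Hellman with public keys A^x mod p, and a three-pass exchange in which the commuting operation is exponentiation modulo a prime, the Massey-Omura idea. The parameters are tiny and constructed for readability; a real system uses moduli of 2048 bits or more, and the three-pass variant here is only as strong as the discrete logarithm in the group chosen.

```python
"""Toy public-key arithmetic (added example, not the compendium's code).
Parameters are deliberately tiny; real systems use 2048-bit or larger moduli."""
from math import gcd

# --- RSA: one operation, key E forward and key D back; D needs the factors ---
def rsa_keygen(p, q, e=17):
    n = p * q
    phi = (p - 1) * (q - 1)           # knowing p and q is what makes d computable
    assert gcd(e, phi) == 1
    d = pow(e, -1, phi)               # modular inverse (Python 3.8+)
    return (n, e), (n, d)

def rsa_apply(key, m):
    n, exp = key
    return pow(m, exp, n)

# --- Diffie-Hellman: one-way map x -> A^x mod p; both sides reach A^(xy) ---
def dh_public(g, p, x):
    return pow(g, x, p)

def dh_shared(p, their_public, my_private):
    return pow(their_public, my_private, p)

# --- Three-pass protocol over Z_p^* (Massey-Omura idea): each party holds
# (e, d) with e*d = 1 mod (p-1); exponentiations commute, so the two "locks"
# can be removed in either order. ---
def mo_keypair(p, e):
    assert gcd(e, p - 1) == 1
    return e, pow(e, -1, p - 1)

def three_pass(p, m, alice, bob):
    ea, da = alice
    eb, db = bob
    pass1 = pow(m, ea, p)             # Alice -> Bob:   m^ea
    pass2 = pow(pass1, eb, p)         # Bob -> Alice:   m^(ea*eb)
    pass3 = pow(pass2, da, p)         # Alice -> Bob:   m^eb (her lock removed)
    return pow(pass3, db, p)          # Bob removes his lock and reads m

if __name__ == "__main__":
    pub, priv = rsa_keygen(61, 53)                  # n = 3233
    c = rsa_apply(pub, 65)
    print("RSA", c, rsa_apply(priv, c))
    p, g = 23, 5
    A, B = dh_public(g, p, 6), dh_public(g, p, 15)
    print("DH", dh_shared(p, B, 6), dh_shared(p, A, 15))
    print("3-pass", three_pass(1009, 123, mo_keypair(1009, 5), mo_keypair(1009, 11)))
```

Note what each side actually learns: in the three-pass exchange an eavesdropper sees m^ea, m^(ea*eb) and m^eb, and recovering m from those is a discrete-logarithm problem, which is exactly why the commuting operation has to be exponentiation and not something like XOR.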
Sections of this chapter:

- Modulus Arithmetic
- The Rivest-Shamir-Adleman (RSA) method
  - Looking for Primes
  - Finding d from e
  - Large Number Exponentiation
  - Factoring
- The Diffie-Hellman method
  - El Gamal
  - Digital Signatures Based on Diffie-Hellman
- Other Methods
- The Uses of Public-key Cryptography
- Conclusions
Miscellaneous Items
Computer programs that handle data encryption, such as the well-known program PGP (Pretty Good Privacy), involve other functions besides encryption itself.

The information to be encrypted is usually compressed first, because this squeezes out patterns in the plaintext that might be useful to a cryptanalyst. And, of course, it also saves bandwidth, and compression isn't going to be possible after encryption, because encrypted text looks random.

There is one oversimplification in that last statement. If an encrypted text consists of random binary bits, and these bits are transmitted in the form of bytes containing eight random bits each, no further compression is possible. On the other hand, if they were transmitted one bit to a byte, each byte containing either the ASCII character "0" or the ASCII character "1", then compression would be possible. While that would be silly, transmitting an encrypted series of bits in the form of printable ASCII characters only can make good sense, by making it easier to transmit your data without problems over a network where control characters have special meanings.

TCP/IP itself carries all 256 possible byte values transparently. (The convention that DLE, Data Link Escape, is the one control character with special meaning, two DLEs in a row standing for a real DLE in user data, belongs to older link-level protocols with DLE framing, not to TCP/IP.) The restriction that matters in practice is that Internet mail was originally limited to 7-bit text, so binary data is usually transmitted in "base64" format, using 64 printable ASCII characters specifically chosen to be the same in the national variants of ASCII and to be present in EBCDIC as well. One caveat on compressing before encrypting: it makes the length of the ciphertext depend on the content of the plaintext, which an observer who can see message lengths may be able to exploit.

Even the case of a simple pencil-and-paper cipher does, in a rudimentary form, illustrate these two additional phases of encryption. Changing
Please send more money.
to
WGRXT RTRVU IPQRI PVRE
actually involves three transformations of the plaintext to reach the ciphertext. First,
Please send more money.
is changed to
PLEASESENDMOREMONEY
to remove information that is harder to encipher securely and is not essential to the understanding of the text. This is a form of compression, even if it is not lossless, and works more by discarding information than by compressing it. Of course, we have already seen the straddling checkerboard, which uses the same basic principle (prefix-property variable-length coding) as Huffman codes, a serious method of compression. Then,
PLEASESENDMOREMONEY
is changed to
WGRXTRTRVUIPQRIPVRE
which is the actual encryption procedure, described in terms of the 26 letters of the alphabet, and nothing else. Finally,
WGRXTRTRVUIPQRIPVRE
is changed to
WGRXT RTRVU IPQRI PVRE
for ease of reading and transmission, which illustrates the process of applying armor to the output of an encryption process.
Finally, digital signatures need one-way hash functions. Ordinary checksums aren't adequate, since it is possible to construct a message with a different meaning having the same checksum as the one someone intended to sign; what a signature needs is a function for which finding any two messages with the same output is infeasible. One-way hash functions are similar to block ciphers in some ways, but different in others. Hash functions can also be used as a way of producing encryption keys from pass phrases or from random input of imperfect quality.
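Why a checksum cannot stand in for a hash, as an added example (not from the compendium): an additive checksum is unchanged by any rearrangement of the bytes, so a message with a different meaning can carry the same value, while a one-way hash such as SHA-256 changes. The two messages are constructed for the example.

```python
"""Added example: forging against an additive checksum versus a one-way hash."""
import hashlib

def additive_checksum(data: bytes, bits: int = 16) -> int:
    # Sum of all bytes modulo 2**bits: order-independent, hence trivially forgeable.
    return sum(data) % (1 << bits)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample: the same bytes, with the two amounts swapped so the
# payment changes but the multiset of bytes (and so the checksum) does not.
ORIGINAL = b"PAY 100 TO ALICE, 900 TO BOB"
FORGED   = b"PAY 900 TO ALICE, 100 TO BOB"

def same_checksum(a: bytes, b: bytes) -> bool:
    return additive_checksum(a) == additive_checksum(b)

def same_sha256(a: bytes, b: bytes) -> bool:
    return sha256_hex(a) == sha256_hex(b)

if __name__ == "__main__":
    print("checksum collides:", same_checksum(ORIGINAL, FORGED))
    print("sha256 collides:  ", same_sha256(ORIGINAL, FORGED))
```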
Sections of this chapter:

- Data Compression
  - The Representation of Speech
  - Semi-Arithmetic Coding
  - Character Codes
- Error-Correcting Codes
- Armor, Message Termination, and Base Conversion
  - From 47 bits to 10 letters
  - Armor-Related Fractionation
  - Tying up Loose Ends
  - From 93 bits to 28 digits
  - Keystream Base Conversion
  - Message Blocking
  - Optimized Morse Armor
- Steganography
- One-way Hash Functions
  - Description of SHA
- Hardware Security
  - When Somebody's Looking Over Your Shoulder
- Key Management
  - The IBM Key Management Scheme for DES
  - Kerberos
  - Protocols and Privacy Amplification
  - Passwords and Protocols
  - Military Key Management
  - Red Thread Resistance
  - Key Escrow
  - Pass Phrases and Randomness
  - The Interlock Protocol
- Quantum Mechanics and Cryptography
  - Quantum Computing
  - Quantum Cryptography
- Cryptanalysis
  - The Limits of Cryptanalysis
  - The Nature of Cryptanalysis
- Security Without Proof
- The Ideal Cipher
- Cryptography for Content Protection
- Fallacies of Cryptography and Compression
- The Politics of Cryptography
- Conclusions for Chapter VI
A Cryptographic Compendium

Contents

Introduction

1. Paper and Pencil Systems
   - Cryptanalyzing the Simple Substitution Cipher
   - Methods of Transposition
   - Improving Substitution
     - Homophones and Nomenclators
     - Polygraphic Ciphers and Fractionation
     - Playfair and its Relatives
     - The Bifid, the Trifid, and the Straddling Checkerboard
     - Fractionated Morse, and Other Oddities
     - The VIC Cipher
     - Two Trigraphic Ciphers, and a Heptagraphic One
     - Polyalphabetic Substitution
   - Code Books
   - Fun With Playing Cards
   - Conclusions

2. Electrical and Mechanical Cipher Machines
   - Early Machine Ciphers
     - The Bazeries Cylinder
     - The Kryha Cryptograph
     - The Hill Cipher
     - The RED Machine
     - The Reihenschieber
     - The A-22 Cryptograph
   - The Hagelin lug and pin machines
     - Simple Cryptanalysis of the Basic Lug and Pin Machine
   - Rotor Machines, and their PURPLE cousins
     - Rotor Machine Basics
     - The Interval Method
     - Isomorphs
     - PURPLE, CORAL, and JADE
   - The Enigma: a unique rotor machine
     - Basic Principles of the Enigma
     - The Uhr Box
     - The Enigma A and Enigma B
     - Relatives of the Enigma
     - Cryptanalysis of the Enigma
     - Cliques on the Rods
     - Indicators and Jefferys Sheets
     - The Bombe and the Diagonal Board
   - An American Achievement: SIGABA, the ultimate rotor machine
   - Miscellaneous Machine Ciphers
     - The Hagelin B-211
     - Sweden's HC-9
     - LACIDA
   - Conclusions for Chapter II
     - Fantastic Rotor Machines
     - Child's Play
     - Irregular Rotor Movement

3. Telecipher Machines
   - The Lorenz Schlusselzusatz
   - The Siemens Geheimschreiber T52
   - The Swedish SA-1
   - An American patent
   - Converter M-228
   - Conclusions for Chapter III

4. The Computer Era
   - LUCIFER
   - The Data Encryption Standard
     - Details of DES
     - Variations of DES
   - And Now For Something Completely Different: SAFER
   - Something Not Quite As Different: IDEA
   - Formerly Secret: SKIPJACK
   - Blowfish
   - My Own Humble Contribution: QUADIBLOC
     - Description of QUADIBLOC
     - Euler's Constant and the QUADIBLOC S-boxes
     - Variants with different key sizes
     - The QUADIBLOC FAQ
     - Key Augmentation
     - Quadibloc II
     - Quadibloc III
     - Quadibloc IV
     - Quadibloc V
     - Quadibloc VI
     - Quadibloc S
     - Quadibloc VII
     - Quadibloc VIII
     - The Standard Rounds
     - The Mixing and Whitening Phase
     - The Key Schedule
     - The Rationale of the Design
     - Quadibloc IX
     - Quadibloc X
   - Towards the 128-bit era: AES Candidates
     - The Advanced Encryption Standard (Rijndael)
     - Twofish (finalist)
     - SERPENT (finalist)
     - RC6 (finalist)
     - DEAL
     - MARS (finalist)
     - SAFER+
     - FROG
     - LOKI97
     - CAST-256
     - Magenta
     - DFC
   - Block Cipher Modes
   - Cryptanalytic Methods for Modern Ciphers
     - Differential and Linear Cryptanalysis
     - Extensions of Differential Cryptanalysis
     - The Boomerang Attack
     - Cryptanalysis, Almost by Aimlessly Thrashing About
     - Hidden Markov Methods
   - Stream Ciphers
     - Shift-Register Stream Ciphers
     - An Illustrative Example
     - Other Constructions
     - More Realistic Examples
     - Other Stream Ciphers
     - Panama
     - A Note on the Importance of Galois Fields
   - Conclusions for Chapter IV
     - Modified Panama
     - Mishmash
     - Combining Two Unrelated Block Ciphers
     - A Base-Conversion Block Cipher and Other Concepts
     - The Large-Key Brainstorm
     - The Inner Structure of the Feistel Round

5. Public-Key Cryptography
   - Modulus Arithmetic
   - The Rivest-Shamir-Adleman (RSA) method
     - Looking for Primes
     - Finding d from e
     - Large Number Exponentiation
     - Factoring
   - The Diffie-Hellman method
     - El Gamal
     - Digital Signatures Based on Diffie-Hellman
   - Other Methods
   - The Uses of Public-key Cryptography
   - Conclusions for Chapter V

6. Miscellaneous Topics
   - Data Compression
     - The Representation of Speech
     - Semi-Arithmetic Coding
     - Character Codes
   - Error-Correcting Codes
   - Armor, Message Termination, and Base Conversion
     - From 47 bits to 10 letters
     - Armor-Related Fractionation
     - Tying up Loose Ends
     - From 93 bits to 28 digits
     - Keystream Base Conversion
     - Message Blocking
     - Optimized Morse Armor
   - Steganography
   - One-way Hash Functions
     - Description of SHA
   - Hardware Security
     - When Somebody's Looking Over Your Shoulder
   - Key Management
     - The IBM Key Management Scheme for DES
     - Kerberos
     - Protocols and Privacy Amplification
     - Passwords and Protocols
     - Military Key Management
     - Red Thread Resistance
     - Key Escrow
     - Pass Phrases and Randomness
     - The Interlock Protocol
   - Quantum Mechanics and Cryptography
     - Quantum Computing
     - Quantum Cryptography
   - Cryptanalysis
     - The Limits of Cryptanalysis
     - The Nature of Cryptanalysis
   - Security Without Proof
   - The Ideal Cipher
   - Cryptography for Content Protection
   - Fallacies of Cryptography and Compression
   - The Politics of Cryptography
   - Conclusions for Chapter VI

Copyright (c) 1998, 1999 John J. G. Savard
Fractionated Morse, and Other Oddities
Fractionated Morse
Morse code uses variable-length symbols made up of dots and dashes, but unlike a straddling checkerboard, the length of a symbol is not determined by the dots and dashes within it. Instead, spaces are also needed to mark off the symbols from each other. But fractionation is still possible using Morse code as a basis.

Elementary Cryptanalysis, by H. F. Gaines, gives a cipher devised by M. E. Ohaver, the author of an early series of magazine columns on cryptanalysis which was of value to her in the writing of that book. Called a "mutilation" cipher, it works like this: split the message in Morse code into two parts, the string of dots and dashes, and a series of numbers giving the number of dots or dashes in the representation of each letter. Then take the numbers, divide them into groups of n, and reverse the order of the numbers in each group. Using the now transposed numbers as a guide, turn the string of dots and dashes back into letters.

A table of International Morse code follows. (The original page also tabulates Japanese Morse, each kana preceded by its hex code in the 8-bit ASCII variant that includes kana, together with a graphic of all the kana used in Japanese Morse; neither survived in this copy, and only the notes on them remain below.)

Letters:

  A .-      B -...    C -.-.    D -..     E .       F ..-.
  G --.     H ....    I ..      J .---    K -.-     L .-..
  M --      N -.      O ---     P .--.    Q --.-    R .-.
  S ...     T -       U ..-     V ...-    W .--     X -..-
  Y -.--    Z --..

Digits:

  1 .----   2 ..---   3 ...--   4 ....-   5 .....
  6 -....   7 --...   8 ---..   9 ----.   0 -----

Punctuation and procedural signs:

  .  .-.-.-    ,  --..--    ?  ..--..    /  -..-.    =  -...-    +  .-.-.
  (  -.--.     )  -.--.-    Start -.-.-  Wait .-...  End of work ...-.-
  Error ........

Accented letters (the keys (1) to (f) are those used in the original table):

  (1) u umlaut ..--
  (2) a umlaut, or a with cedilla .-.-
  (3) o umlaut, or other accented o ---.
  (4) ch, or s with cedilla ----
  (5) s hat ...-.
  (6) e with primary accent (usually acute, grave in Italian) ..-..
  (9) e with grave accent .-..-
  (a) a with accent .--.-
  (b) j hat .---.
  (c) c with cedilla or accent -.-..
  (e) z with grave accent --..-.
  (f) n tilde --.--

Two further notes refer to special marks in Japanese: [A] the double stroke following a kana (nigori), and [B] the small circle following a kana (hannigori). The symbols whose phonetic values the original table gives as "yi" and "ye" are obsolete kana which the page showed as pixel drawings; they are not reproduced here.
Since this system requires that the ciphertext letters be able to represent all combinations of from one to four dots or dashes, and there are 2 + 4 + 8 + 16 = 30 such combinations against 26 letters, four extra symbols, used in Morse for accented letters in some languages other than English (..--, .-.-, ---. and ----), need to be included in the cipher alphabet.

While the original system, having only the group length as a key, may not have been all that secure, the basic concept is clever and original. The character lengths could as easily have been transposed by means of a double columnar transposition, and the dots and dashes could be translated to 0s and 1s and enciphered by any applicable method, even DES.

While I consider Ohaver's "mutilation" cipher very interesting for the principle it illustrates, the term Fractionated Morse is normally used for a less elegant but more secure system, in which the possible combinations of three symbols from the set of dot, dash, and x, the latter standing for the space between letters, are represented by letters. With a single x between letters and no word spaces, two consecutive "x"s can never arise, so those combinations are not required and the ciphertext uses a 22-letter alphabet (22 of the 27 possible triples). The letters will vary in frequency, and since two adjacent letters that would produce two consecutive "x"s never occur, redundancy remains in subtle forms as well.
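Both systems, as an added example (not code from the compendium or from Gaines): Ohaver's "mutilation" cipher with the four extra symbols, and the 22-letter Fractionated Morse described in the last paragraph. Assumptions of mine: the four non-letter patterns are written as the digits 1 to 4, plaintext is A to Z with no word spaces, the 22 ciphertext letters are assigned in plain alphabetical order (a keyed order would be used in practice), and a null E or S is appended when the Morse string is not a multiple of three long.

```python
"""Added example: Ohaver's mutilation cipher and 22-letter Fractionated Morse."""

MORSE = {
    'A': '.-', 'B': '-...', 'C': '-.-.', 'D': '-..', 'E': '.', 'F': '..-.',
    'G': '--.', 'H': '....', 'I': '..', 'J': '.---', 'K': '-.-', 'L': '.-..',
    'M': '--', 'N': '-.', 'O': '---', 'P': '.--.', 'Q': '--.-', 'R': '.-.',
    'S': '...', 'T': '-', 'U': '..-', 'V': '...-', 'W': '.--', 'X': '-..-',
    'Y': '-.--', 'Z': '--..',
    '1': '..--', '2': '.-.-', '3': '---.', '4': '----',   # the four extra symbols (assumed names)
}
FROM_MORSE = {v: k for k, v in MORSE.items()}
assert len(FROM_MORSE) == 30           # every 1- to 4-element pattern is covered

def mutilation_encrypt(plain, n):
    """Keep the dot/dash string; reverse the symbol lengths in groups of n; re-split."""
    signs = ''.join(MORSE[c] for c in plain)
    lengths = [len(MORSE[c]) for c in plain]
    perm = []
    for i in range(0, len(lengths), n):
        perm.extend(reversed(lengths[i:i + n]))     # a short last group is reversed as it is
    out, pos = [], 0
    for L in perm:
        out.append(FROM_MORSE[signs[pos:pos + L]])
        pos += L
    return ''.join(out)

def mutilation_decrypt(cipher, n):
    # Reversing each group of lengths again restores the original split.
    return mutilation_encrypt(cipher, n)

# --- Fractionated Morse: triples over {., -, x} with no "xx", 22 of them ---
TRIPLES = [a + b + c for a in '.-x' for b in '.-x' for c in '.-x' if 'xx' not in a + b + c]
FM_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUV'
assert len(TRIPLES) == len(FM_ALPHABET) == 22
TO_LETTER = dict(zip(TRIPLES, FM_ALPHABET))
TO_TRIPLE = dict(zip(FM_ALPHABET, TRIPLES))

def fm_encrypt(plain):
    s = 'x'.join(MORSE[c] for c in plain) + 'x'
    # Pad with a null letter so the length is a multiple of 3 without creating "xx":
    # E (.x) adds 2, S (...x) adds 4.
    if len(s) % 3 == 1:
        s += MORSE['E'] + 'x'
    elif len(s) % 3 == 2:
        s += MORSE['S'] + 'x'
    return ''.join(TO_LETTER[s[i:i + 3]] for i in range(0, len(s), 3))

def fm_decrypt(cipher):
    s = ''.join(TO_TRIPLE[c] for c in cipher)
    return ''.join(FROM_MORSE[code] for code in s.split('x') if code)
```

The mutilation cipher is its own inverse because reversing each group of lengths twice restores them, which is also why its only key, the group length n, gives so little security.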
Mixed Fractionation for the Computer
Also, fractionation can be done in a mixed fashion:

- 25 times 27 is one less than 26 times 26, so one could encipher bigrams (except for one that is ignored) into objects consisting of two symbols from a five-character alphabet and three symbols from a three-character alphabet, and then seriate the two kinds of symbols separately, also using two tables, one 125 entries long and one 81 entries long, for substitution on them;
- 32 equals 27 plus 5, and 128 equals 125 plus 3, so there are two different ways to encipher a binary bitstream as a mix of symbols from a three-character and a five-character alphabet: a five-bit group becomes either three ternary symbols or one quinary symbol, and a seven-bit group becomes either three quinary symbols or one ternary symbol;
- 26 to the 10th power is very slightly larger than 2 to the 47th power; this is noted in a section in the last chapter dealing with ways of preparing a binary message for transmission as text (known as "armor"), but even this could be made use of in an elaborate fractionation scheme.

Because there are convenient ways to convert both letters and bits to a mix of symbols from a 3-element set and from a 5-element set, as well as an efficient way to convert from bits to letters, intriguing possibilities suggest themselves. An elaborate fractionation scheme combining the threads mentioned here is described later.
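The two bitstream conversions from the second point above, as an added example (not the compendium's code). The symbol names a, b, c for the three-character alphabet and 1 to 5 for the five-character one are my own choice. Decoding is unambiguous because the two alphabets are disjoint: in the 5-bit scheme a ternary symbol announces a run of three, a quinary symbol stands alone, and in the 7-bit scheme the roles are reversed. The bit string must be a multiple of 5 or 7 bits long; padding is left to the message-blocking step the page discusses later.

```python
"""Added example: a bitstream as a mix of 3-symbol and 5-symbol alphabet characters."""
TERN = 'abc'      # three-character alphabet (assumed names)
QUIN = '12345'    # five-character alphabet (assumed names)

def encode_mixed(bits, scheme):
    """scheme 5: 32 = 27 + 5 on 5-bit groups; scheme 7: 128 = 125 + 3 on 7-bit groups."""
    w = scheme
    if w not in (5, 7) or len(bits) % w:
        raise ValueError("scheme must be 5 or 7 and the bit string a multiple of it in length")
    out = []
    for i in range(0, len(bits), w):
        v = int(bits[i:i + w], 2)
        if w == 5:
            if v < 27:                       # three base-3 digits, most significant first
                out += [TERN[(v // 9) % 3], TERN[(v // 3) % 3], TERN[v % 3]]
            else:                            # the five values 27..31: one quinary symbol
                out.append(QUIN[v - 27])
        else:
            if v < 125:                      # three base-5 digits
                out += [QUIN[(v // 25) % 5], QUIN[(v // 5) % 5], QUIN[v % 5]]
            else:                            # the three values 125..127: one ternary symbol
                out.append(TERN[v - 125])
    return ''.join(out)

def decode_mixed(symbols, scheme):
    w = scheme
    bits, i = [], 0
    while i < len(symbols):
        s = symbols[i]
        if w == 5:
            if s in TERN:                    # a ternary symbol begins a run of three
                v = sum(TERN.index(symbols[i + k]) * 3 ** (2 - k) for k in range(3))
                i += 3
            else:
                v = 27 + QUIN.index(s)
                i += 1
        else:
            if s in QUIN:                    # a quinary symbol begins a run of three
                v = sum(QUIN.index(symbols[i + k]) * 5 ** (2 - k) for k in range(3))
                i += 3
            else:
                v = 125 + TERN.index(s)
                i += 1
        bits.append(format(v, '0%db' % w))
    return ''.join(bits)

if __name__ == "__main__":
    sample = format(0xDEADBEEF, '035b')      # 35 bits: a multiple of both 5 and 7
    for scheme in (5, 7):
        enc = encode_mixed(sample, scheme)
        print(scheme, enc, decode_mixed(enc, scheme) == sample)
```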
Enciphering Digits
One interesting way to produce a mixed fractionation scheme comes from the fact that the square of any triangular number is the sum of the cubes of the consecutive integers which, added together, produce that triangular number. Since 10 = 1 + 2 + 3 + 4 is a triangular number, 100 = 1^3 + 2^3 + 3^3 + 4^3, and the 100 two-digit groups can be split into one group represented by a single symbol, 8 groups represented by three symbols from a two-character alphabet, 27 groups represented by three symbols from the three-character alphabet ABC, and 64 groups represented by three symbols from the four-character alphabet abcd. In the table, the first digit of a pair selects the column and the second digit the row (this is the convention the example below follows):

      0   1   2   3   4   5   6   7   8   9
  0  AAA ABA ACA BAA BBA BCA aaa aab aac aad
  1  AAB ABB ACB BAB BBB BCB aba abb abc abd
  2  AAC ABC ACC BAC BBC BCC daa dba dca dda
  3   *   +   +  CAA CBA CCA dab dbb dcb ddb
  4   +   +   +  CAB CBB CCB dac dbc dcc ddc
  5   +   +   +  CAC CBC CCC dad dbd dcd ddd
  6  aca ada baa bba bca bda caa cba cca cda
  7  acb adb bab bbb bcb bdb cab cbb ccb cdb
  8  acc adc bac bbc bcc bdc cac cbc ccc cdc
  9  acd add bad bbd bcd bdd cad cbd ccd cdd

As 1 cubed is just 1, and 2 cubed is 8, the single-symbol cell (*) and the two-character-alphabet cells (+) make up only a very small part of the square table above, so that part of the table is seldom used. One way to deal with that is to change the table so that those 9 spaces are instead filled by two symbols from the ABC set:

      0   1   2   3   4   5   6   7   8   9
  0  AAA ABA ACA BAA BBA BCA aaa aab aac aad
  1  AAB ABB ACB BAB BBB BCB aba abb abc abd
  2  AAC ABC ACC BAC BBC BCC daa dba dca dda
  3  AA  BA  CA  CAA CBA CCA dab dbb dcb ddb
  4  AB  BB  CB  CAB CBB CCB dac dbc dcc ddc
  5  AC  BC  CC  CAC CBC CCC dad dbd dcd ddd
  6  aca ada baa bba bca bda caa cba cca cda
  7  acb adb bab bbb bcb bdb cab cbb ccb cdb
  8  acc adc bac bbc bcc bdc cac cbc ccc cdc
  9  acd add bad bbd bcd bdd cad cbd ccd cdd

Using the straddling checkerboard that we saw above,

     9 8 2 7 0 1 6 4 3 5
     A T   O N E   S I R
  2  B C D F G H J K L M
  6  P Q U V W X Y Z . /

we can encipher a sample message in this scheme, just seriating across the whole message for simplicity (in practice, one would want to do other things). Below are the message, its straddling-checkerboard digits, and the fractionation encoding of each digit pair, written vertically under the pair so that the three rows hold the first, second and third symbols of each group:

  message:      TH EREISAP AC K AG EW AITING F ORY OU ATTH ESTATION
  digits:       82 11 51 34 96 99 28 24 92 01 60 93 83 02 02 77 56 67 62 98 82 11 48 98 37 0
  encoding:     d  A  B  C  c  c  b  C  d  A  a  d  d  A  A  c  b  c  d  c  d  A  b  c  b
                c  B  C  A  d  d  a  B  d  A  a  d  c  A  A  b  d  a  a  d  c  B  c  d  b
                a  B  B  B  a  d  c     a  B  a  b  b  C  C  b  a  b  a  c  a  B  c  c  b

(The pair 24 falls in the two-symbol part of the table, so it has no third symbol.) For this example, I won't worry about enciphering the last digit of the message. Padding, or another encipherment step, might take care of that.

Now, I seriate the symbols from the ABC and the abcd sets independently, retaining the type of each pair of digits, and thus the symbols are rearranged as follows; reconversion through the table then gives a new string of digits:

  seriation:    d  A  B  B  c  a  c  B  d  C  a  c  d  B  C  d  b  a  c  d  d  A  a  a  a
                a  B  C  B  d  d  b  A  d  A  c  b  c  B  A  b  b  b  d  a  c  A  a  b  d
                a  C  A  A  a  c  d     c  C  d  c  a  A  B  b  c  c  c  d  c  B  b  b  b
  reconversion: 62 12 50 40 96 18 79 13 94 35 09 78 82 40 34 73 38 81 98 65 84 01 70 71 17 0

that is, 621250409618791394350978824034733881986584017071170.

One could also leave all the "d" symbols in their place, and seriate only the "abc" and "ABC" symbols as though case did not matter, but then convert each to a capital or a small letter so that the type of each two-digit group is kept the same. (Some care must be taken when developing a variation so that decipherment remains possible.) That would produce the following result:

  seriation:    d  C  A  A  b  b  b  C  d  B  c  d  d  A  B  c  a  c  d  b  d  A  c  c  b
                a  A  A  B  d  d  a  A  d  A  b  d  c  B  A  a  d  c  a  d  a  C  c  d  b
                b  B  A  C  a  d  b     a  A  c  c  c  A  A  b  b  b  c  c  c  C  b  b  b
  reconversion: 63 34 00 12 56 59 27 23 92 30 78 94 84 10 30 67 17 87 64 58 64 22 87 97 37 0

that is, 633400125659272392307894841030671787645864228797370. This method has its strengths, but also its weaknesses (mainly because the "d"s remain fixed).
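The table and the checkerboard above, as an added example (not the compendium's code): the 10 by 10 table is generated from the 1 + 8 + 27 + 64 decomposition rather than typed in, the page's message is turned into digits, and each digit pair is fractionated and reassembled. The seriation step is left out, since the page does not state the rule it used; the functions below give the symbol rows exactly as printed before seriation.

```python
"""Added example: the triangular-number fractionation table and straddling checkerboard."""

CB_COLS = '9827016435'
CB_ROWS = ['AT ONE SIR', 'BCDFGHJKLM', 'PQUVWXYZ./']   # blanks sit under the row digits 2 and 6
CB_ROW_DIGITS = ['', '2', '6']

def checkerboard_encode(text):
    out = []
    for ch in text:
        for prefix, row in zip(CB_ROW_DIGITS, CB_ROWS):
            if ch != ' ' and ch in row:
                out.append(prefix + CB_COLS[row.index(ch)])
                break
        else:
            raise ValueError("not in checkerboard: %r" % ch)
    return ''.join(out)

def cell(x, y):
    """Symbol group for digit pair xy: x selects the column, y the row."""
    ABC, abcd = 'ABC', 'abcd'
    if y < 3 and x < 6:                         # 18 of the 27 ABC triples
        return ('A' if x < 3 else 'B') + ABC[x % 3] + ABC[y]
    if 3 <= y < 6 and 3 <= x < 6:               # the other 9 ABC triples
        return 'C' + ABC[x - 3] + ABC[y - 3]
    if 3 <= y < 6 and x < 3:                    # the nine two-symbol cells (second table)
        return ABC[x] + ABC[y - 3]
    if y < 6:                                   # columns 6..9, rows 0..5: 24 abcd triples
        if y < 2:
            return 'a' + abcd[y] + abcd[x - 6]
        return 'd' + abcd[x - 6] + abcd[y - 2]
    if x < 2:                                   # rows 6..9: the remaining 40 abcd triples
        head = 'a' + abcd[x + 2]
    elif x < 6:
        head = 'b' + abcd[x - 2]
    else:
        head = 'c' + abcd[x - 6]
    return head + abcd[y - 6]

TABLE = {str(x) + str(y): cell(x, y) for x in range(10) for y in range(10)}
INVERSE = {v: k for k, v in TABLE.items()}

def fractionate(digits):
    """Symbol groups for successive digit pairs, plus any odd digit left over."""
    groups = [TABLE[digits[i:i + 2]] for i in range(0, len(digits) - 1, 2)]
    leftover = digits[-1] if len(digits) % 2 else ''
    return groups, leftover

def rows(groups):
    """Lay the groups out as the page does: first symbols, second symbols, third symbols."""
    return [''.join(g[k] for g in groups if len(g) > k) for k in range(3)]

def defractionate(groups, leftover=''):
    return ''.join(INVERSE[g] for g in groups) + leftover

if __name__ == "__main__":
    d = checkerboard_encode("THEREISAPACKAGEWAITINGFORYOUATTHESTATION")
    g, left = fractionate(d)
    print(d)
    for r in rows(g):
        print(r)
    print(defractionate(g, left) == d)
```

Because the two-symbol cells exist, a flat stream of symbols is not self-delimiting; decipherment relies on the receiver knowing the type of each digit pair, which is exactly what the page's seriation takes care to preserve.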
Giant Playfair
Another technique I once described involved first using the straddling checkerboard to encipher a message as digits, and then using Playfair to encipher the digits. But instead of using the Playfair technique over a 5 by 5 square of letters, one uses a 10 by 10 square containing digit pairs, like the following (laid out here in the orientation that makes the example below come out under the usual Playfair rules; note that as printed the square lists 70 twice and omits 90, so one of the two 70s must be read as 90):

  68 71 07 49 76 42 54 77 21 82
  02 09 98 65 70 55 17 01 50 91
  33 35 30 08 62 22 97 44 06 57
  64 18 78 58 96 34 11 56 52 38
  95 26 86 20 27 37 93 05 14 85
  63 29 39 61 87 10 88 32 00 80
  31 81 16 83 24 99 67 72 13 53
  89 94 47 40 25 73 04 59 84 19
  03 75 28 60 12 41 43 48 66 74
  79 46 36 45 51 69 23 15 92 70

Thus, the four digits 2076 would encipher to 2749 with this square: 20 and 76 lie at opposite corners of a rectangle, and each is replaced by the pair in its own row at the other's column.
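Giant Playfair on the square above, as an added example (not the compendium's code). Same-row and same-column pairs take the entry to the right or below with wrap-around, as in ordinary Playfair; the page does not say how a doubled pair such as 2020 is handled, so here it is simply enciphered by the same rule, whereas a real system would insert a null. The check function is the first thing to run on any hand-copied square, and it reports the duplicate 70 and missing 90 noted above.

```python
"""Added example: Playfair over a 10x10 square of digit pairs."""

SQUARE_TEXT = """
68 71 07 49 76 42 54 77 21 82
02 09 98 65 70 55 17 01 50 91
33 35 30 08 62 22 97 44 06 57
64 18 78 58 96 34 11 56 52 38
95 26 86 20 27 37 93 05 14 85
63 29 39 61 87 10 88 32 00 80
31 81 16 83 24 99 67 72 13 53
89 94 47 40 25 73 04 59 84 19
03 75 28 60 12 41 43 48 66 74
79 46 36 45 51 69 23 15 92 70
"""
SQUARE = [line.split() for line in SQUARE_TEXT.strip().splitlines()]

def square_check(square):
    """A usable key square holds each of 00..99 exactly once; report what is missing or repeated."""
    seen = [s for row in square for s in row]
    missing = sorted({'%02d' % i for i in range(100)} - set(seen))
    dup = sorted({s for s in seen if seen.count(s) > 1})
    return missing, dup

def positions(square):
    pos = {}
    for r, row in enumerate(square):
        for c, s in enumerate(row):
            pos.setdefault(s, (r, c))     # first occurrence wins if the square is defective
    return pos

def playfair_pair(square, pos, a, b, direction=1):
    ra, ca = pos[a]
    rb, cb = pos[b]
    n = len(square)
    if ra == rb:                                        # same row: step right (or left to decrypt)
        return square[ra][(ca + direction) % n] + square[rb][(cb + direction) % n]
    if ca == cb:                                        # same column: step down (or up)
        return square[(ra + direction) % n][ca] + square[(rb + direction) % n][cb]
    return square[ra][cb] + square[rb][ca]              # rectangle: swap columns

def giant_playfair(digits, square=SQUARE, decrypt=False):
    if len(digits) % 4:
        raise ValueError("need a whole number of digit-pair pairs (4 digits each)")
    pos = positions(square)
    step = -1 if decrypt else 1
    return ''.join(playfair_pair(square, pos, digits[i:i + 2], digits[i + 2:i + 4], step)
                   for i in range(0, len(digits), 4))

if __name__ == "__main__":
    print(square_check(SQUARE))          # (['90'], ['70']) for the square as printed
    print(giant_playfair("2076"))        # 2749
    print(giant_playfair("2749", decrypt=True))
```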
Armor
A number of methods are possible for converting binary bits to printable characters. One of the simplest is to take five or six bits of binary data to select one of 32 or 64 characters. Other, more complicated schemes are possible, though. If 85 characters can be used, then five characters are enough to represent four bytes of random data, since 85 to the fifth power exceeds 2 to the 32nd. If 86 characters can be used, a simplified scheme can achieve the same result, since 86 times 3 is 258, which is larger than 256: assign not more than three of the 256 possible values for a byte to each of the 86 allowed characters. Then, after representing each of four bytes by one of those characters, one character from a set of 81 (3 times 3 times 3 times 3) resolves which of the up to three byte values each of the four characters stands for.

The problem of converting messages to text form for transmission over the Internet is, of course, closely tied to the ASCII representation of characters. Here is a chart showing the printable characters in ASCII in graphical form (the graphic itself is not reproduced in this copy),
and here is an ASCII chart in text form, first just the control characters. The first sixteen (high bits 000):

  0000 NUL Null                  1000 BS  Backspace
  0001 SOH Start of Header       1001 HT  Horizontal Tab
  0010 STX Start of Text         1010 LF  Line Feed
  0011 ETX End of Text           1011 VT  Vertical Tab
  0100 EOT End of Transmission   1100 FF  Form Feed
  0101 ENQ Enquiry               1101 CR  Carriage Return
  0110 ACK Acknowledge           1110 SO  Shift Out
  0111 BEL Bell                  1111 SI  Shift In

and the next sixteen (high bits 001):

  0000 DLE Data Link Escape      1000 CAN Cancel
  0001 DC1 Device Control 1      1001 EM  End of Medium
  0010 DC2 Device Control 2      1010 SUB Substitute
  0011 DC3 Device Control 3      1011 ESC Escape
  0100 DC4 Device Control 4      1100 FS  File Separator
  0101 NAK Negative Acknowledge  1101 GS  Group Separator
  0110 SYN Synchronous Idle      1110 RS  Record Separator
  0111 ETB End of Transmission Block   1111 US  Unit Separator

and now the entire 7-bit ASCII code, with only the abbreviations of the first 32 control characters; the high three bits select the row and the low four bits the column:

       0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111
  000  NUL  SOH  STX  ETX  EOT  ENQ  ACK  BEL  BS   HT   LF   VT   FF   CR   SO   SI
  001  DLE  DC1  DC2  DC3  DC4  NAK  SYN  ETB  CAN  EM   SUB  ESC  FS   GS   RS   US
  010  SP   !    "    #    $    %    &    '    (    )    *    +    ,    -    .    /
  011  0    1    2    3    4    5    6    7    8    9    :    ;    <    =    >    ?
  100  @    A    B    C    D    E    F    G    H    I    J    K    L    M    N    O
  101  P    Q    R    S    T    U    V    W    X    Y    Z    [    \    ]    ^    _
  110  `    a    b    c    d    e    f    g    h    i    j    k    l    m    n    o
  111  p    q    r    s    t    u    v    w    x    y    z    {    |    }    ~    DEL

(SP is the space character and DEL, 1111111, is Delete.)
The problem of transmitting data in ASCII text characters over the Internet is complicated by the fact that some of the characters in ASCII do not have counterparts in other data transmission codes used by some computers, such as the original version of EBCDIC. Also, some character positions in 7-bit ASCII are used to represent different characters in other countries: the symbol positions in the same columns as the letters (the brackets and the like) are often used for accented letters, and the symbol # is replaced in the United Kingdom by the pound sign. In some transmissions over the Internet, a line beginning with a hyphen or minus sign (-) runs the risk of being interpreted as the boundary line that introduces a new section, with its own header lines giving its MIME type, of a multipart document.

Of course, if one wishes to send a text by Morse Code, or over a 5-unit teletypewriter link, the best way to do it would be to convert the binary data to letters from the 26-letter alphabet, using no other characters. I have worked out an elaborate and efficient scheme for doing this. This scheme could also serve other purposes. Since a great many historical encryption algorithms are aimed at the 26-letter alphabet, one could apply them to a text already encrypted by modern methods in binary after such a conversion.

And there is an easy way to send a text composed only of uppercase letters over the Internet efficiently, if a 78-character character set is possible. Take four letters: the first, being one of 26 values, can be encoded as three symbols each from 1 to 3, since 27 is greater than 26. Combine one such symbol with each of the remaining three letters to determine which character to use from a character set with 3 times 26 characters, which is 78 characters. Four letters thus become three characters.
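Two of the armor schemes on this page, as an added example (not the compendium's code): the 86-plus-81 character scheme for bytes and the 78-character scheme for 26-letter text. The page fixes only the sizes of the symbol sets; the particular symbols below, and the use of X as null padding when the letter count is not a multiple of four, are my own assumptions. Byte input is expected to be a multiple of four bytes, which is what the Message Blocking section is about.

```python
"""Added example: 86+81 armor for bytes and 78-character armor for letters."""

ALNUM = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
SET86 = ALNUM + '!#$%&()*+,-./:;=?@[]^_{}'      # 62 + 24 = 86 symbols (assumed choice)
SET81 = SET86[:81]
SET78 = SET86[:78]
assert len(SET86) == 86

def armor86(data: bytes) -> str:
    """Four bytes -> four characters from SET86 plus one from SET81 (5 characters)."""
    if len(data) % 4:
        raise ValueError("pad to a multiple of 4 bytes first")
    out = []
    for i in range(0, len(data), 4):
        rems = 0
        for v in data[i:i + 4]:
            out.append(SET86[v // 3])           # at most three byte values share a symbol
            rems = rems * 3 + v % 3             # which of the three: one base-3 digit
        out.append(SET81[rems])                 # 3^4 = 81 resolves all four bytes
    return ''.join(out)

def dearmor86(text: str) -> bytes:
    if len(text) % 5:
        raise ValueError("armored text comes in 5-character groups")
    out = bytearray()
    for i in range(0, len(text), 5):
        rems = SET81.index(text[i + 4])
        digits = [(rems // 27) % 3, (rems // 9) % 3, (rems // 3) % 3, rems % 3]
        for ch, r in zip(text[i:i + 4], digits):
            out.append(SET86.index(ch) * 3 + r)
    return bytes(out)

def armor78(letters: str) -> str:
    """Four A-Z letters -> three characters from a 78-symbol set (3 x 26)."""
    letters = letters.upper()
    while len(letters) % 4:
        letters += 'X'                          # null padding (assumption)
    out = []
    for i in range(0, len(letters), 4):
        first = ord(letters[i]) - 65            # 0..25 < 27: three base-3 digits
        trits = [(first // 9) % 3, (first // 3) % 3, first % 3]
        for t, ch in zip(trits, letters[i + 1:i + 4]):
            out.append(SET78[t * 26 + ord(ch) - 65])
    return ''.join(out)

def dearmor78(text: str) -> str:
    out = []
    for i in range(0, len(text), 3):
        idx = [SET78.index(c) for c in text[i:i + 3]]
        first = sum((k // 26) * 3 ** (2 - j) for j, k in enumerate(idx))
        out.append(chr(65 + first) + ''.join(chr(65 + k % 26) for k in idx))
    return ''.join(out)

if __name__ == "__main__":
    sample = bytes(range(0, 256, 17))           # constructed 16-byte input
    print(armor86(sample), dearmor86(armor86(sample)) == sample)
    print(armor78("ATTACKATDAWN"), dearmor78(armor78("ATTACKATDAWN")))
```

For comparison, base64 spends four characters on three bytes; this scheme spends five on four, and the 78-character scheme spends three characters on four letters of text, which is why the page calls the latter efficient.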
A section is also included here about the question of how to perform the special processing required to end a message efficiently and securely when the length of the original plaintext message isn't an integer number of blocks in size, whether those are blocks used by a block cipher or blocks for the conversion process used to produce armor for transmission. Also, since base conversion is discussed here, this spot seemed as good as any to place a discussion of base conversion as it applies to random or pseudorandom keystreams.
A Table of Powers, useful in finding ideas for ways to perform fractionation, is also provided.

Sections of this part:

- From 47 bits to 10 letters
- Armor-Related Fractionation
- Tying up Loose Ends
- From 93 bits to 28 digits
- Keystream Base Conversion
- Message Blocking
- Optimized Morse Armor
Cryptanalyzing the Simple Substitution Cipher
This page is not complete. It is placed here now to reserve space, to allow other changes to this section to take place.

Here is a short message, enciphered only by replacing each of its letters by a different letter on a consistent basis:

  MGSVR WWJXS VPTRY SSOEF YYTMQ SVSYM MTPTR XYMGS RVRFJ NFVGX TYFWF EIFUS
  AXJJQ SJSNM QPMGS TJOTF IMLSS TYSJO SLQSL LPLTF OYSHM MRSVO FP

How would one go about trying to read it? The first step that would occur to many people would be to make use of the fact that some letters are more common than others in English. E is the most common letter, and letters like J, Q, X, and Z are quite rare. And so, we count the letters in our message. This produces the following table of frequencies (112 letters in all; B, C, D, K and Z do not occur):

  A 1   E 2   F 9   G 4   H 1   I 2   J 7   L 5   M 10  N 2   O 5
  P 5   Q 4   R 6   S 18  T 9   U 1   V 6   W 3   X 4   Y 8

In comparison, a frequency count I had my computer perform on a sample of literary text produced these frequencies (count, then per cent):

  A 443747  8.03    H 331686  6.00    O 420966  7.62    V  54921  0.99
  B  88298  1.60    I 382552  6.92    P 102205  1.85    W 114048  2.06
  C 152187  2.75    J   7112  0.13    Q   5841  0.11    X  12081  0.22
  D 225040  4.07    K  33872  0.61    R 330126  5.97    Y  95514  1.73
  E 711756 12.88    L 220858  4.00    S 351389  6.36    Z   3519  0.06
  F 139985  2.53    M 141726  2.56    T 514613  9.31
  G 103279  1.87    N 383526  6.94    U 156536  2.83

Arranged in order of frequency, for clarity, they become:

  E 12.88  T 9.31  A 8.03  O 7.62  N 6.94  I 6.92  S 6.36  H 6.00  R 5.97
  D 4.07   L 4.00  U 2.83  C 2.75  M 2.56  F 2.53  W 2.06  G 1.87  P 1.85
  Y 1.73   B 1.60  V 0.99  K 0.61  X 0.22  J 0.13  Q 0.11  Z 0.06

Comparing these frequencies to those of the message:

  18: S    10: M    9: F T    8: Y    7: J    6: R V    5: L O P    4: G Q X
   3: W     2: E I N     1: A H U

it might be tempting to start by aligning like frequencies wherever possible:

  Cipher: S M Y J W
  Plain:  e t n i f

to begin deciphering the message like this (a dot marks a letter not yet assigned):

  MGSVR WWJXS VPTRY SSOEF YYTMQ SVSYM MTPTR XYMGS RVRFJ
  t.e.. ffi.e ....n ee... nn.t. e.ent t.... .nt.e ....i

  NFVGX TYFWF EIFUS AXJJQ SJSNM QPMGS TJOTF IMLSS TYSJO
  ..... .n.f. ....e ..ii. eie.t ..t.e .i... .t.ee .nei.

  SLQSL LPLTF OYSHM MRSVO FP
  e..e. ..... .ne.t t.e.. ..

Here, it looks like we've been luckier than we have a right to expect. With frequencies of 6.94 and 6.92 for N and I respectively, it isn't hard to imagine that I might be more common than N, instead of N being more common than I, in the text of a particular message. The combination "te" occurs three times from MGS, and once each from MQS and MLS, so it seems reasonable to think that G stands for h. "eent" might be "event", and "ffie" might be "office", although it is hard to take seriously that W necessarily stands for f.

To make a good start on breaking a simple substitution, however, single-letter frequencies are not enough. They might work for picking out the letters E and T in most cases, but more information is available that can serve as a better guide. We've seen that N and I have frequencies of 6.94 and 6.92 respectively. This is a very small difference. But one is a consonant, and the other is a vowel. So we might expect them to behave differently. And they do.
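The frequency step above run over the page's cryptogram, as an added example (not the compendium's code): it counts the letters, pairs cipher letters with English letters by rank, and prints the partial decipherment for the five substitutions the page tries. The last function counts how many different letters each cipher letter stands next to; that vowels and consonants differ in this respect is a standard refinement in the direction the page's closing sentence points, not a method the page itself gives.

```python
"""Added example: single-letter frequencies and a partial decipherment."""
from collections import Counter

CRYPTOGRAM = ("MGSVR WWJXS VPTRY SSOEF YYTMQ SVSYM MTPTR XYMGS RVRFJ NFVGX TYFWF EIFUS "
              "AXJJQ SJSNM QPMGS TJOTF IMLSS TYSJO SLQSL LPLTF OYSHM MRSVO FP")
ENGLISH_BY_RANK = "ETAONISHRDLUCMFWGPYBVKXJQZ"   # the order in the table above

def letter_counts(text):
    return Counter(c for c in text if c.isalpha())

def rank_alignment(text, depth=26):
    """Pair cipher letters, most frequent first (ties alphabetically), with English letters by rank."""
    counts = letter_counts(text)
    ordered = sorted(counts, key=lambda c: (-counts[c], c))
    return dict(zip(ordered[:depth], ENGLISH_BY_RANK.lower()))

def partial_decipher(text, mapping):
    """Apply a partial key; unassigned letters become dots, spacing is kept."""
    return ''.join(mapping.get(c, '.') if c.isalpha() else c for c in text)

# The page trusts only the first few ranks and tries exactly these five.
TRIAL = {'S': 'e', 'M': 't', 'Y': 'n', 'J': 'i', 'W': 'f'}

def distinct_contacts(text):
    """Number of different letters each cipher letter appears next to (vowels tend to score high)."""
    letters = [c for c in text if c.isalpha()]
    seen = {c: set() for c in letters}
    for a, b in zip(letters, letters[1:]):
        seen[a].add(b)
        seen[b].add(a)
    return {c: len(s) for c, s in seen.items()}

if __name__ == "__main__":
    counts = letter_counts(CRYPTOGRAM)
    print(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))
    print(partial_decipher(CRYPTOGRAM, TRIAL))
    contacts = distinct_contacts(CRYPTOGRAM)
    for c in sorted(counts, key=lambda c: -counts[c])[:8]:
        print(c, counts[c], contacts[c])
```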
Methods of Transposition
After looking at ciphers which can replace the letters of one's message by completely different letters, a cipher that can't change any letters at all seems weak. And if your message might or might not mention someone with, say, a Q or an X in his name, then a transposition cipher will indeed give that away, although one could address that by adding some garbage to the end of your message before encrypting it. But transposition ciphers can be secure in themselves, and transposition methods are useful to know, since they can be mixed with substitution methods for a more secure cipher.

The best known method of transposition, simple columnar transposition, works like this. Using a key word or phrase, such as CONVENIENCE, assign a number to each letter in the word using this rule: the numbers are assigned starting with 1, first by alphabetical order and second, where the same letter appears more than once, by position in the word. Then write the message under the keyword, writing across, but take out the columns in numerical order, reading down. Thus:

  C  O  N  V  E  N  I  E  N  C  E
  1 10  7 11  3  8  6  4  9  2  5
  H  E  R  E  I  S  A  S  E  C  R
  E  T  M  E  S  S  A  G  E  E  N
  C  I  P  H  E  R  E  D  B  Y  T
  R  A  N  S  P  O  S  I  T  I  O
  N

produces

  HECRN CEYI ISEP SGDI RNTO AAES RMPN SSRO EEBT ETIA EEHS

Of course, it wouldn't be left with the spaces showing the columns that were used. Decoding is harder: to read a message scrambled this way, you first have to count the letters to determine, in this case, that there are 45 letters, so that the first column has five letters in it and the other ten have four, so that you know when to stop when filling the letters in vertically to read them out horizontally.

Since the text being transposed is split into nearly regular divisions of almost equal length, even double columnar transposition can be broken without recourse to multiple anagramming (the use of several messages of the same length, enciphered in the same key, to recover the transposition by matching together columns of letters that form reasonable letter pairs).

Another method of transposition, which appeared in a book by General Luigi Sacco, is a variant of columnar transposition that produces a different cipher:

  C  O  N  V  E  N  I  E  N  C  E
  1 10  7 11  3  8  6  4  9  2  5
  H
  E  R  E  I  S  A  S  E  C  R
  E  T  M  E  S
  S  A  G  E  E  N  C  I
  P  H  E  R  E  D  B  Y  T  R  A
  N  S  P  O  S  I  T
  I  O  N

produces

  HEESPNI RR SSEES EIY A SCBT EMGEPN ANDI CT RTAHSO IEERO

Here, the first row is filled in only up to the column with the key number 1; the second row is filled in only up to the column with the key number 2; and so on. Of course, one still stops when one runs out of plaintext; in this example the 45 letters happen to fill the seventh row, which runs up to key number 7, exactly. This method has the advantage of dividing the text being transposed in a more irregular fashion than ordinary columnar transposition.

Various methods of modifying ordinary columnar transposition slightly to make it irregular have been used from time to time. For example, during World War I, the French army used a transposition in which diagonal lines of letters were read off before the rest of the diagram. Also, several countries have used columnar transpositions in which several positions in the grid were blanked out and not used.

The method of transposition used on the digits produced by a straddling checkerboard in the VIC cipher can be illustrated here with the alphabet. First, knowing the number of letters to be encrypted, the area to be filled is laid out, and then the triangular areas on the right, to be filled with plaintext last, are marked out:

  2 4 3 1 5
  a b c d e
  f g h i U
  j k l V W
  m n X Y Z
  o p q r s
  t

The letters a to t are written in first, the triangle U, V W, X Y Z afterwards, and the columns are taken out in key order; here the alphabet becomes DIVYR AFJMOT CHLXQ BGKNP EUWZS.

Another interesting form of transposition is the "turning grille", used by Germany during the First World War. A square grille, divided into a grid of squares, one quarter of which are punched with holes, is placed over a sheet of paper. The message is written on the paper through the holes; then the grille is rotated by 90 degrees and the message continues to be written, as the grille is turned through all four possible positions. The trick to designing such a grille is to divide the grille into quarters, numbering the squares in each quarter so that as the grille is rotated, corresponding squares have the same number. Then choose one square with each number for punching. In World War I, the Germans used turning grilles with an odd number of squares on each side as well as with an even number; to do this, they marked the square in the centre, which was always punched, with a black border to indicate that it was only to be used in one of the grille's positions.

Example of a turning grille and its use. Grid numbering, for a 9 by 9 grille (each number appears once in each of the four rotational positions, and X is the centre):

   1  2  3  4  5 16 11  6  1
   6  7  8  9 10 17 12  7  2
  11 12 13 14 15 18 13  8  3
  16 17 18 19 20 19 14  9  4
   5 10 15 20  X 20 15 10  5
   4  9 14 19 20 19 18 17 16
   3  8 13 18 15 14 13 12 11
   2  7 12 17 10  9  8  7  6
   1  6 11 16  5  4  3  2  1
Layout: O O O O O O O O O O X O O O O O O O O O O 1 8 12 18 19 3 7 11 10 14 6 20 X 13 9 15 17 5 4 16 2
Filling in: in the first position the letters written through the holes are "this is a message that I am"; in the second position, "encrypting with a turni"; in the third position, "ng grille to provide thi"; and in the fourth position, "s illustrative example". (The diagrams of the sheet and the holes at each of the four positions are not reproduced here.)
to produce the encrypted result: TESHN INCIG LSRGY LRIUS PITSA TLILM REENS AITOG SIAWG IPVER TOTEH HVAEA XITDT IAIME RANPM TLHIE I
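The turning grille just worked, as an added example rather than the page's own code: it builds the page's numbering grid, checks that a layout punches exactly one square per number, and enciphers and deciphers the page's 81-letter message. The hole layout it uses is constructed here (the page's own layout is not reproduced), so its ciphertext differs from the result above; function names are mine.

```python
# Turning grille of the kind described above (added example, not the page's
# own code).  The numbering reproduces the page's 9 by 9 grid; the hole
# layout used in the demo is constructed here and is not the page's, so the
# resulting ciphertext differs from the page's result.

def rotate(cell, n):
    """Where square `cell` of an n by n grille lands after a quarter turn clockwise."""
    r, c = cell
    return (c, n - 1 - r)

def grille_numbering(n):
    """Number the squares so that squares which coincide under rotation share a
    number: the top-left block (n//2 rows, n//2 + n%2 columns) is numbered
    1, 2, 3, ... row by row and the other quarters follow by rotation.  For an
    odd n the centre square is marked X, as on the page."""
    half = n // 2
    grid = [[0] * n for _ in range(n)]
    k = 0
    for r in range(half):
        for c in range(half + n % 2):
            k += 1
            cell = (r, c)
            for _ in range(4):
                grid[cell[0]][cell[1]] = k
                cell = rotate(cell, n)
    if n % 2:
        grid[half][half] = "X"
    return grid

def layout_is_valid(holes, n):
    """A usable grille punches exactly one square of each number (plus the
    centre when n is odd): then every square is uncovered exactly once."""
    grid = grille_numbering(n)
    punched = sorted((grid[r][c] for r, c in holes), key=str)
    wanted = list(range(1, n * n // 4 + 1)) + (["X"] if n % 2 else [])
    return punched == sorted(wanted, key=str)

def grille_encrypt(plaintext, n, holes):
    """Write the message through the holes in reading order, turn the grille
    four times, then read the sheet row by row."""
    if not layout_is_valid(holes, n) or len(plaintext) != n * n:
        raise ValueError("invalid grille or message does not fill the sheet")
    sheet = [[None] * n for _ in range(n)]
    letters = iter(plaintext)
    cells = list(holes)
    for _turn in range(4):
        for r, c in sorted(cells):
            if sheet[r][c] is None:        # the centre hole is used once only
                sheet[r][c] = next(letters)
        cells = [rotate(cell, n) for cell in cells]
    return "".join("".join(row) for row in sheet)

def grille_decrypt(ciphertext, n, holes):
    """Lay the grille on the ciphertext sheet and read through the holes."""
    if not layout_is_valid(holes, n) or len(ciphertext) != n * n:
        raise ValueError("invalid grille or ciphertext of the wrong length")
    sheet = [list(ciphertext[i * n:(i + 1) * n]) for i in range(n)]
    out, cells, seen = [], list(holes), set()
    for _turn in range(4):
        for cell in sorted(cells):
            if cell not in seen:           # the centre is read once only
                seen.add(cell)
                out.append(sheet[cell[0]][cell[1]])
        cells = [rotate(cell, n) for cell in cells]
    return "".join(out)

def example_holes(n):
    """A constructed layout (not the page's): for number k, take the copy of k
    that comes first in reading order and turn it k mod 4 quarter turns."""
    grid = grille_numbering(n)
    copies = {}
    for r in range(n):
        for c in range(n):
            copies.setdefault(grid[r][c], []).append((r, c))
    holes = set()
    for k, cells in copies.items():
        cell = min(cells)
        if k != "X":
            for _ in range(k % 4):
                cell = rotate(cell, n)
        holes.add(cell)
    return holes

# The page's 81-letter message.
PLAINTEXT = ("THISISAMESSAGETHATIAMENCRYPTINGWITHATURNINGGRILLE"
             "TOPROVIDETHISILLUSTRATIVEEXAMPLE")

if __name__ == "__main__":
    holes = example_holes(9)
    ct = grille_encrypt(PLAINTEXT, 9, holes)
    print(ct, grille_decrypt(ct, 9, holes) == PLAINTEXT)
```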
There are two important uses of transposition which are connected with substitution ciphers. Transposition can be used to generate a scrambled order of the letters in the alphabet for use as a substitution alphabet. Transposition forms part of a fractionation cipher, where letters are divided into parts, then the parts are put back together in a different order, belonging to different letters.
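Looking back to the start of this section, simple columnar transposition and Sacco's variant with the keyword-numbering rule, as an added example that is not the page's own code (function names are mine; for messages with more rows than key letters, the assumption that Sacco's row numbering starts over after the last key number is also mine):

```python
# Simple columnar transposition and Sacco's variant, using the keyword-numbering
# rule given at the start of this section (added example, not the page's code).

def key_numbers(keyword):
    """Number the key letters 1, 2, 3, ... alphabetically; a repeated letter
    is numbered left to right.  CONVENIENCE -> 1 10 7 11 3 8 6 4 9 2 5."""
    order = sorted(range(len(keyword)), key=lambda i: (keyword[i], i))
    nums = [0] * len(keyword)
    for n, i in enumerate(order, start=1):
        nums[i] = n
    return nums

def columnar_encrypt(text, keyword):
    """Write across under the keyword, take the columns out in numerical order."""
    nums, w = key_numbers(keyword), len(keyword)
    columns = {k: [] for k in nums}
    for i, ch in enumerate(text):
        columns[nums[i % w]].append(ch)
    return "".join("".join(columns[k]) for k in sorted(columns))

def columnar_decrypt(cipher, keyword):
    """Count the letters first: with n letters and w columns the first n % w
    positions hold one extra letter, which tells where each column ends."""
    nums, w, n = key_numbers(keyword), len(keyword), len(cipher)
    full, extra = divmod(n, w)
    length = {k: full + (1 if pos < extra else 0) for pos, k in enumerate(nums)}
    columns, at = {}, 0
    for k in sorted(length):
        columns[k] = cipher[at:at + length[k]]
        at += length[k]
    return "".join(columns[nums[i % w]][i // w] for i in range(n))

def sacco_widths(keyword, n):
    """Row r is filled only up to the column numbered r (assumption: the
    numbering starts over after the last key number, for long messages)."""
    nums, widths, total, r = key_numbers(keyword), [], 0, 0
    while total < n:
        width = min(nums.index(r % len(nums) + 1) + 1, n - total)
        widths.append(width)
        total += width
        r += 1
    return widths

def sacco_encrypt(text, keyword):
    nums = key_numbers(keyword)
    rows, at = [], 0
    for width in sacco_widths(keyword, len(text)):
        rows.append(text[at:at + width])
        at += width
    return "".join("".join(row[c] for row in rows if c < len(row))
                   for c in (nums.index(k) for k in sorted(nums)))

def sacco_decrypt(cipher, keyword):
    nums = key_numbers(keyword)
    rows = [[""] * width for width in sacco_widths(keyword, len(cipher))]
    at = 0
    for c in (nums.index(k) for k in sorted(nums)):    # refill column by column
        for row in rows:
            if c < len(row):
                row[c] = cipher[at]
                at += 1
    return "".join("".join(row) for row in rows)

MESSAGE = "HEREISASECRETMESSAGEENCIPHEREDBYTRANSPOSITION"   # the page's example

if __name__ == "__main__":
    for enc, dec in ((columnar_encrypt, columnar_decrypt), (sacco_encrypt, sacco_decrypt)):
        ct = enc(MESSAGE, "CONVENIENCE")
        print(ct, dec(ct, "CONVENIENCE") == MESSAGE)
```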
Improving Substitution
A cipher based on the use of a secret alphabet is not very secure; such ciphers are presented as puzzles in crossword puzzle magazines. To achieve security it is required to do something better. Today, even to people not acquainted with cryptography, a number of possibilities suggest themselves. Originally, though, the new ideas came one at a time, separated by hundreds or thousands of years. The basic ways to improve on simple substitution are the following:
- Instead of using just 26 substitutes, make the problem harder by using a bigger substitution. This is divided into several cases:
  - Use several substitutes for each letter (homophonic substitution)
  - Replace every two letters, or every three letters, by something else that stands for that combination of two letters or three letters (polygraphic substitution)
  - Replace common combinations of letters, or words, or phrases, by their own substitutes (nomenclators and codes)
- Instead of using the same set of substitutes all the time, change from one secret alphabet to another as you encipher a message (polyalphabetic substitution).
Another way of improving on simple substitution is less obvious. Today, text is often converted from the letters, punctuation marks, digits, and other symbols you find on a typewriter to the binary bits of ASCII. Before that, other representations of text were used to substitute for the printed word, such as Morse code. The ancient Greeks used the Polybius square for signalling, by means of which each letter was represented by two groups of from one to five signal fires. If a letter can be broken up into smaller pieces for purposes of signalling, those smaller pieces can also be used in a cipher. For example, one can take the letters of a message apart into smaller pieces, transpose the smaller pieces, and then put the pieces back together again into letters.
This is called fractionation, and is closely related to polygraphic substitution for two reasons: one is that both deal with units of different sizes (parts of letters and letters, or letters and pairs of letters), and the other is that fractionation is sometimes used as a method of polygraphic substitution.
- Homophones and Nomenclators
- Polygraphic Ciphers and Fractionation
  - Playfair and its Relatives
  - The Bifid, the Trifid, and the Straddling Checkerboard
  - Fractionated Morse, and Other Oddities
  - The VIC Cipher
  - Two Trigraphic Ciphers, and a Heptagraphic One
- Polyalphabetic Substitution
Homophones and Nomenclators
One of the earliest methods used to create ciphers stronger than simple substitution was to create cipher tables which had more than one substitute for each letter, and which had additional substitutes for names that would be commonly used. Because of the significance given to proper names, these systems were called nomenclators.

Some of the early nomenclators were fairly unsophisticated; the substitutes for the letter B might be the letter M or the digit 4, written in several distinctive styles, and then the substitutes for C might be the letter N or the digit 5, again written in distinctive styles. Thus, a cryptanalyst willing to try a simple guess would only need to solve a Caesar cipher (a simple substitution where the alphabet is merely displaced instead of being thoroughly scrambled) instead of facing the full problem of finding substitutes for the full set of symbols individually.

One ingenious modern method of producing a homophonic cipher, called the Grandpré cipher, involves choosing ten ten-letter words, which can be ordered so that their first letters form an eleventh ten-letter word, and which collectively include all 26 letters of the alphabet. For example:
     0 1 2 3 4 5 6 7 8 9
  0  S U B M A R I N E S
  1  T N A A S E N E F Q
  2  R D R J T E V G F U
  3  A E K O R X E A E E
  4  T R E R O A S T R E
  5  I S N I L M T I V Z
  6  F T T T O I M V E I
  7  I O I I G N E E S N
  8  E O N E E E N L C G
  9  D D E S R D T Y E S

(Read downwards, the ten columns are the words STRATIFIED, UNDERSTOOD, BARKENTINE, MAJORITIES, ASTROLOGER, REEXAMINED, INVESTMENT, NEGATIVELY, EFFERVESCE and SQUEEZINGS, and their first letters, across the top row, spell SUBMARINES. A letter is enciphered as the row and column digits of any cell that contains it.)
The advantage it has, over a more routine type of homophonic table, for example:
         1,2,7,8  0,4,5  3,9  6
 0,3,8      E       H     M   V
 4,7        T       R     F   W
 9          A       D     G   X
 1          O       L     J   Y
 5          I       U     K   Z
 2          N       B     P
 6          S       C     Q
is that the multiple substitutes for each letter are not closely related. The book The American Black Chamber, by Herbert Osborn Yardley, illustrated a cipher wheel used by the Mexican Army which could be set up to produce a homophonic cipher with a key that could be easily changed. Changed from a wheel to a slide, it would look like this:
A  15 43 61 92
B  16 44 62 93
C  17 45 63 94
D  18 46 64 95
E  19 47 65 96
F  20 48 66 97
G  21 49 67 98
H  22 50 68 99
I  23 51 69 00
J  24 52 70
K  25 27 71
L  26 28 72
M  01 29 73
N  02 30 74 79
O  03 31 75 80
P  04 32 76 81
Q  05 33 77 82
R  06 34 78 83
S  07 35 53 84
T  08 36 54 85
U  09 37 55 86
V  10 38 56 87
W  11 39 57 88
X  12 40 58 89
Y  13 41 59 90
Z  14 42 60 91
having four movable disks, one containing the two-digit pairs from 01 to 26, the second the pairs from 27 to 52, the third the pairs from 53 to 78, the fourth the pairs from 79 to 99, followed by 00 and four blank, unused spaces. The key consisted of the four two-digit pairs aligned under the letter A, and the possible substitutes for any letter were the four (or possibly three) two-digit pairs aligned under it. Obviously, the system would have been more secure had the alphabet and the sequence of digit pairs been mixed.

The most important weakness of a homophonic system is that the person using it can become lazy, and use the same substitute for a letter over and over, or use the substitutes in rotation, rather than using them randomly. Also, as many homophonic systems are devised by amateurs, they can have defects of one kind or another. Helen Fouché Gaines in Elementary Cryptanalysis notes that Givierge, author of the Cours de Cryptographie, described a homophonic system of the following kind:
E J G F D O K M H S P R W a b c d e f g h i j k l m n o p q r s t u v x y z V X Y Z U
IT AL BQ CN
This is a type of straddling checkerboard, and we will meet a more elegant form of it later in the section on fractionation. The word straddling refers to the fact that while most letters have a two-letter group as their substitute, consisting of the letters indicating their row and column (which may, incidentally, be taken in either order, as the alphabet has been split in half for this purpose), five less-frequent letters represent each other. Thus, the presence of occasional one-letter symbols is intended to complicate the problem for the cryptanalyst, making it difficult for him to find out where the letter pairs that make up most of the message begin and end.

Although this cipher has many nice features, it does have a number of defects. Since the letters that have only one letter as their substitute are, essentially, in a separate table, why use only a 25-letter alphabet? Of course, in French, the letter W is so little used as almost not to be part of the alphabet. But there are other defects.
- Although a group can begin with a letter from either half of the alphabet, the second letter always has to be from the other half.
- Also, the second letter of a two-letter group can't be one of the five letters that represent themselves, although since the first letter already indicates that there is a two-letter group, that would not cause confusion.
Hence, this cipher omits a large number of twoletter substitutes which it could be making use of. An improved design could be the following:
E J G F D O K U H S V W r q l m x e u w h n c i k z a o j t s d E A C F G I B H J L P D O K M Q T R N V S U Z X W Y bM fT gN pR vP yQ
IZ AL BY CX
DFOQTX CJLNPWY AEGKUV BHIMRSZ
Here, six mid-frequency letters have single-letter substitutes, but these substitutes are drawn from other letters in the alphabet. The rest of the alphabet is divided into two halves, but once a letter is chosen to indicate either a row or a column, the other coordinate of the plaintext letter is chosen from a set made from the entire alphabet. Hence, if a letter on the left begins a two-letter group, it is ended with a letter below; if a letter on the top begins a two-letter group, it is ended with a letter on the right. Thus, the plaintext letter R can become ED, EO, OO, IQ, ZQ, or II.

As noted previously, the basic concepts of cryptography were slow to emerge. David Kahn's book The Codebreakers illustrates the earliest known example of a cipher with homophones, from the year 1401. It looked like this:
a b c d e f g h i k l m n o p q r s t u x y z Z y x D t s r q p o n l m k j h g f e d c b a 2 4 8 F 3 H 9 T + J L ~
where the capital letters stand for various special symbols (Z indicates a reverse script lowercase z, F indicates an ff ligature, and J indicates the astrological symbol for Jupiter, for example). To modern eyes, what is particularly striking about this cipher is that, even though the step of improving on simple substitution by using multiple equivalents was taken, the basic cipher alphabet itself is not thoroughly mixed, but instead varies only slightly from a simple reversed alphabet.

Incidentally, the British publisher Hodder and Stoughton has an extensive series of books on various subjects in a series called "Teach Yourself Books": particularly noteworthy in this series are the instructional books for foreign languages, which in the case of some languages are the only readily available introductory book in print in English. (These are the books that used to have yellow covers, but which changed to light blue covers some years back.) The book Codes and Ciphers by Frank Higenbottam in this series, while a general introduction to the subject, is distinguished by its uniquely extensive coverage of the topic of breaking messages enciphered using nomenclators.
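The Mexican Army cipher slide described earlier on this page, as an added example that is not the page's own code: it turns the four disks so that the key pairs sit under A, derives the table of substitutes (three for the letters opposite the blanks of the fourth disk), and shows why the page calls the unmixed sequences a weakness. The disks are the page's; the function names and the key used for the check are mine (the latter is the setting of the page's table).

```python
# The Mexican Army cipher slide described above (added example, not the page's
# own code; the disks are the page's, the function names are assumptions).
import random
import string

ALPHABET = string.ascii_uppercase
DISKS = [
    ["%02d" % i for i in range(1, 27)],                          # 01 .. 26
    ["%02d" % i for i in range(27, 53)],                         # 27 .. 52
    ["%02d" % i for i in range(53, 79)],                         # 53 .. 78
    ["%02d" % i for i in range(79, 100)] + ["00"] + [None] * 4,  # 79 .. 99, 00, 4 blanks
]

def slide_table(key):
    """key: the four two-digit pairs set under A.  Each disk is turned so that
    its key pair sits under A; a letter's substitutes are whatever then falls
    under it (only three for the letters opposite the fourth disk's blanks)."""
    table = {ch: [] for ch in ALPHABET}
    for disk, pair in zip(DISKS, key):
        offset = disk.index(pair)
        for i, ch in enumerate(ALPHABET):
            value = disk[(offset + i) % 26]
            if value is not None:
                table[ch].append(value)
    return table

def encipher(text, table, rng=random):
    """Pick one of the letter's substitutes at random for each letter."""
    return " ".join(rng.choice(table[ch]) for ch in text.upper() if ch in table)

def decipher(groups, table):
    inverse = {v: ch for ch, values in table.items() for v in values}
    return "".join(inverse[g] for g in groups.split())

def key_pair_from_crib(disk_index, letter, value):
    """The weakness the page points out: because neither the alphabet nor the
    digit pairs are mixed, a single known letter/pair match on a disk gives
    away the pair that disk has under A, i.e. that quarter of the key."""
    disk = DISKS[disk_index]
    return disk[(disk.index(value) - ALPHABET.index(letter)) % 26]

PAGE_KEY = ["15", "43", "61", "92"]      # the setting shown in the page's table

if __name__ == "__main__":
    table = slide_table(PAGE_KEY)
    groups = encipher("YARDLEY", table)
    print(groups, decipher(groups, table))
```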
Polygraphic Ciphers and Fractionation
Instead of arbitrarily choosing a list of common words or syllables to give cipher equivalents for, one might be able to achieve the same increased security another way, by enciphering several letters at once using some simple system that handles all possible combinations of two letters, or three letters. Of course, one could just use a random list of all 676 possible combinations of two letters, and this would give the maximum possible security for a system that handles two letters at a time. Or, one could even follow the lead of Giovanni Battista della Porta, and use a table giving different symbols for every pair of letters:
This is a redrafting of the table of 400 symbols for the digraphs of a 20-character alphabet given by Porta in his De Furtivis Literatum Notis. In the original, there are a few typographical errors, leading to some duplicate symbols: ZI is a duplicate of ZO, VM is a duplicate of LL, NG is a duplicate of NB. The replacements for the first two were obvious, that for NG is somewhat arbitrary. Naturally, since Porta was expressing the idea of a digraphic cipher in print for the first time, he did so in a way that seems unsophisticated by modern standards.

The columns in Porta's diagram all contain characters related in shape. This makes it easier to look up a symbol, but also gives away information. One way to retain the advantage of easily finding a symbol, but without giving away information to the cryptanalyst, is illustrated in the diagram above: have similar symbols arranged along the diagonals of the diagram, and use mixed alphabets along the edges. While a digraphic symbol cipher is something that isn't too practical, similar techniques have been used for small code charts to make them practical and secure.

Systematic methods of enciphering several letters at once, without simply using a very large table, will be outlined in what follows. Fractionation lends itself to many complicated and bizarre developments, a few of which will be illustrated there. Hopefully, all the examples that will be contained in the following pages will prove a starting point from which you can let your imagination run wild.

Fractionation, although a powerful technique, has seldom been used in paper-and-pencil ciphers, because it is too complicated and prone to error. Two schemes that actually were used, the ADFGX or ADFGVX cipher used by Germany in the First World War, and the VIC cipher used by Reino Hayhanen while engaged in espionage in the United States, involved substituting multiple symbols for each letter, and transposing the letters or digits so obtained, but did not attempt to then reconstitute the symbols back into letters. Representing letters by five symbols from a set of two, or three symbols from a set of three, has tended to be used mostly for steganography, as proposed by Bacon and Trithemius. (That is, in the former case, if one does not count the use of the 5-level code for teletypewriters.) The Hagelin B-21 and its relatives also involved fractionation, combined with polyalphabeticity but without transposition.
- Playfair and its Relatives
- The Bifid, the Trifid, and the Straddling Checkerboard
- Fractionated Morse, and Other Oddities
- The VIC Cipher
- Two Trigraphic Ciphers, and a Heptagraphic One
A Table of Powers, useful in finding ideas or opportunities to perform fractionation.
Playfair and its Relatives
Since 26 by 26 tables are awkward and bulky, and certainly impossible to memorize, various systematic methods were developed to encipher more than one letter at a time.
Playfair
The most famous polygraphic system is, of course, the Playfair cipher, which works as follows: given a 5 by 5 square, containing a jumbled alphabet, such as:

 T L N C F
 X K Z G B
 V M O W S
 H U J Y D
 R P E A I

doing without one letter by some rule: i.e. if Q is omitted, as here, use KW to stand for QU; or treat I and J, or U and V, as one letter. Then, a pair of letters is converted to a ciphertext pair using one of three possible rules, whichever one applies:

- if the two letters are neither in the same row nor the same column, replace each letter by the one that is in its own row, but in the column of the other plaintext letter. Examples: TI becomes RF, TW becomes VC, KA becomes PG, UB becomes KD, WX becomes GV.
- if the two letters are both in the same column, replace each one by the one below it, wrapping around if necessary. Examples: VW becomes MS, TN becomes LC, TL becomes LN, TF becomes LT, KB becomes ZX.
- if the two letters are both in the same row, replace each one by the one to the right of it, wrapping around if necessary. Examples: TH becomes XR, KP becomes ML, NZ becomes ZO.
Double letters aren't allowed within a single digraph, and must be split up by inserting a letter used as a null (for example, an X) between them. If the Playfair cipher is used on a computer, perhaps in combination with other ciphers, it might be more convenient to make a rule for double letters, such as using the letter that is both below and to the right of the plaintext letter, and also doubling it. Then, EE would become CC.
The FourSquare and TwoSquare Ciphers
Playfair has inspired some related bigraphic ciphers that, on the one hand, improve security by involving multiple, unrelated alphabets, but on the other hand, are simpler in that they use fewer rules than Playfair. In the Four-Square cipher, two squares are used to find the two plaintext letters, and two others are used to find the two ciphertext letters:

 D W X Y M   E P T O L
 R J E K I   C V I Y Z
 U V H P S   R M A G B
 A L B Z N   F W J H S
 G C O F T   U N D X K

 J T B U E   V I M A G
 Z H N D X   S W P O H
 L A F R G   U T Z K E
 P M I Y C   N R D X Y
 V S K W O   B J L C F

(The plaintext letters are looked up in the top-left and bottom-right squares, and the ciphertext letters are taken from the top-right and bottom-left squares; the original diagram marks the letters H, W, M and N to show the example that follows.)
and the only rule for finding the substitute for a digraph is similar to the first rule given for Playfair: the first letter is replaced by the letter in its row, and the second letter's column, and so on. Thus, as the diagram above illustrates, HW becomes MN.

With only two squares, the first plaintext letter and the second ciphertext letter are found in the square on the left, and if both plaintext letters are in the same row, each one is replaced by the other letter. (Other rules are possible, as long as the result is a pair of letters, the first from the square on the right, the second from the square on the left, in the same row. For example, each letter could be replaced by the letter to the right of, or below, the other letter in the other letter's own square.)

During World War II, several digraphic ciphers were used by the German armed forces. All had the common feature that text was broken up by seriation before being enciphered: that is, the message MORE TROOPS NEEDED HERE would be broken up like this:

MORET NEEDE
ROOPS DHERE

and the digraphs to be enciphered would be MR OO RO EP TS ND EH EE DR EE. While the seriation step is an essential part of some fractionation ciphers we will see below, using it with a digraphic cipher has been questioned, since it allows the cryptanalyst to pretend he is dealing with simple substitution with 26 homophones for each letter, and therefore may make solution easier instead of harder.

According to the book Codebreakers, a collection of reminiscences by those who worked at Bletchley Park during the war, the German army used a cipher in which the digraphs were then enciphered using the two-square cipher. The German Navy used a reciprocal table of digraphs, again after a seriation step, in what was called the Dockyard cipher. Jim Gillogly has noted that declassified NSA documents refer to another cipher of this type, in which the digraphs were enciphered twice by means of the two-square cipher.
Since each letter enciphered the first time was then found in the square on the other side for the second encipherment, the relation between plain and cipher digraphs was much more complicated than in regular Playfair.
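Playfair and the four-square and two-square ciphers of this page, as an added example that is not the page's own code, on the squares shown above. The rectangle rule is written so as to reproduce the pairs listed with the Playfair rules (TI becomes RF, TW becomes VC, and so on). Assumptions of mine: an odd-length message is padded with X, QU is written KW as the page suggests and any other Q is dropped, and the two-square version uses the page's top-left and top-right squares as its left and right squares.

```python
# Playfair, four-square and two-square on the squares shown above (added
# example, not the page's own code; padding, QU handling and the choice of
# squares for two-square are assumptions).

def make_square(rows):
    """(grid, position-of-each-letter) for a 5 by 5 square given as five rows."""
    grid = [list(row) for row in rows]
    pos = {ch: (r, c) for r, row in enumerate(grid) for c, ch in enumerate(row)}
    return grid, pos

def prepare(text):
    text = text.upper().replace("QU", "KW")
    text = "".join(ch for ch in text if ch.isalpha() and ch != "Q")
    return text + "X" if len(text) % 2 else text

# The page's Playfair square (Q omitted).
PF_GRID, PF_POS = make_square(["TLNCF", "XKZGB", "VMOWS", "HUJYD", "RPEAI"])

def playfair_pair(a, b, decrypt=False):
    """The page's three rules, plus its computer-friendly rule for doubled letters."""
    step = -1 if decrypt else 1
    (ra, ca), (rb, cb) = PF_POS[a], PF_POS[b]
    if a == b:                 # letter below and to the right, doubled
        d = PF_GRID[(ra + step) % 5][(ca + step) % 5]
        return d + d
    if ra == rb:               # same row: the letter to the right (left to decrypt)
        return PF_GRID[ra][(ca + step) % 5] + PF_GRID[rb][(cb + step) % 5]
    if ca == cb:               # same column: the letter below (above to decrypt)
        return PF_GRID[(ra + step) % 5][ca] + PF_GRID[(rb + step) % 5][cb]
    # Rectangle, ordered as in the page's examples (TI -> RF, TW -> VC): first
    # the letter in a's column and b's row, then the one in b's column and a's
    # row.  Written this way the rule is its own inverse.
    return PF_GRID[rb][ca] + PF_GRID[ra][cb]

def playfair(text, decrypt=False):
    text = prepare(text)
    return "".join(playfair_pair(text[i], text[i + 1], decrypt)
                   for i in range(0, len(text), 2))

# The page's four squares: plaintext letters are found in the top-left and
# bottom-right squares, ciphertext letters in the top-right and bottom-left.
TL = make_square(["DWXYM", "RJEKI", "UVHPS", "ALBZN", "GCOFT"])
TR = make_square(["EPTOL", "CVIYZ", "RMAGB", "FWJHS", "UNDXK"])
BL = make_square(["JTBUE", "ZHNDX", "LAFRG", "PMIYC", "VSKWO"])
BR = make_square(["VIMAG", "SWPOH", "UTZKE", "NRDXY", "BJLCF"])

def rectangle(a, b, look1, look2, out1, out2):
    """Find a in look1 and b in look2; answer the letter of out1 in a's row and
    b's column followed by the letter of out2 in b's row and a's column."""
    (r1, c1), (r2, c2) = look1[1][a], look2[1][b]
    return out1[0][r1][c2] + out2[0][r2][c1]

def four_square(text, decrypt=False):
    text = prepare(text)
    squares = (TR, BL, TL, BR) if decrypt else (TL, BR, TR, BL)
    return "".join(rectangle(text[i], text[i + 1], *squares)
                   for i in range(0, len(text), 2))

def two_square(text, decrypt=False, left=TL, right=TR):
    """First letter in the left square, second in the right; letters in the
    same row simply change places (the page's rule)."""
    text = prepare(text)
    look1, look2 = (right, left) if decrypt else (left, right)
    out = []
    for i in range(0, len(text), 2):
        a, b = text[i], text[i + 1]
        if look1[1][a][0] == look2[1][b][0]:
            out.append(b + a)
        else:
            out.append(rectangle(a, b, look1, look2, look2, look1))
    return "".join(out)

if __name__ == "__main__":
    for pair in ("TI", "TW", "KA", "UB", "WX", "VW", "TN", "TL", "TF", "KB",
                 "TH", "KP", "NZ", "EE"):
        print(pair, "->", playfair(pair))
    print("HW ->", four_square("HW"), " HE ->", two_square("HE"))
```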
The Bifid, the Trifid, and the Straddling Checkerboard
The Bifid and Trifid ciphers
The first of the three rules for Playfair encipherment changes one two-letter group, or digraph, to another by exchanging column coordinates. This suggests using row and column coordinates in a more general fashion. Let's take the 5 by 5 square above, but number the rows and the columns, like this:

     1 2 3 4 5
 1)  T X V H R
 2)  L K M U P
 3)  N Z O J E
 4)  C G W Y A
 5)  F B S D I
Then, another method of encipherment would be as follows: Divide a message into groups of letters of a fixed length, say five letters, and write the row and then the column coordinate of each letter beneath it, like this:

THISI SMYSE CRETM ESSAG E
11555 52453 41312 35544 3
14535 33435 15513 53352 5

and then, going across within each group, read the numbers in order, and turn them, in pairs, into letters: that is, read 11555 14535 52453 33435... and turn them into the letters corresponding to 11, 55, 51, 45, 35, 52, and so on.

1155514535 5245333435 4131215513 3554453352 35
T I F A E  B A O J E  C N L I V  E D A O B  E

This is the Bifid cipher of Delastelle, and the general principle of this form of cipher is called seriation. This is one of the most secure pencil-and-paper ciphers that is still used by hobbyists as a puzzle. It isn't hard to make this kind of cipher just a little bit more complicated, and thereby obtain one that is genuinely secure. It belongs to the class of cipher methods known as fractionation, where letters are divided into smaller pieces, or "fractions".

Just as two symbols from 1 to 5 give 25 letters, three symbols from 1 to 3 give 27 letters; and five binary bits provide a 32-character alphabet. The Trifid, also due to Delastelle, is the analogous cipher using a 27-letter alphabet represented by three symbols from 1 to 3:

 W 111   N 211   C 311
 A 112   E 212   X 312
 K 113   Q 213   I 313
 M 121   O 221   T 321
 & 122   V 222   J 322
 B 123   R 223   F 323
 Z 131   L 231   U 331
 Y 132   P 232   G 332
 H 133   S 233   D 333
to encipher a message by seriation like this:

THISISM  YSECRET  MESSAGE
3132321  1223223  1222132
2313132  3311212  2133131
1333331  2321321  1233222

which again is read off horizontally after being written in vertically, yielding a cipher message like this:

313 232 123 131 321 333 331   122 322 333 112 122 321 321   122 213 221 331 311 233 222
 I   P   B   Z   T   D   U     &   J   D   A   &   T   T     &   Q   O   U   C   S   V

Representing the letters as combinations of two groups of from one to five signal fires was originally proposed by Polybius in his Histories, as being a general method of communications, unlike ones he noted as being previously used that depended on a small list of prearranged messages. It looked like this:
with the letters of the Greek alphabet placed on five numbered tablets, and each letter being numbered on each tablet. Other forms of dividing a character into smaller pieces, such as ASCII or Baudot, or Morse Code (to be seen below) were also developed to allow communications over various types of channel, as were the signal flags used by ships, to use an example of a different type.
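Bifid and Trifid written as one generic routine, as an added example that is not the page's own code: the square and the trifid table are the page's, and the same "write coordinates down, read across, regroup" step serves both, with the inverse for deciphering. Function names are mine.

```python
# Bifid and Trifid (Delastelle) as one generic "write the coordinates
# vertically, read them horizontally, regroup" routine (added example, not the
# page's own code; the square and the trifid table are the page's).

def coordinate_code(alphabet, base, dim):
    """Number the symbols with `dim` coordinates in 1..base in row-major order,
    as the page's 5 by 5 square (base 5, dim 2) and trifid table (base 3, dim 3)."""
    code = {}
    for index, ch in enumerate(alphabet):
        digits, i = [], index
        for _ in range(dim):
            digits.append(i % base + 1)
            i //= base
        code[ch] = tuple(reversed(digits))
    return code

BIFID = coordinate_code("TXVHRLKMUPNZOJECGWYAFBSDI", 5, 2)
TRIFID = coordinate_code("WAKM&BZYHNEQOVRLPSCXITJFUGD", 3, 3)

def fractionate(text, code, period, decrypt=False):
    """Seriation: within each group of `period` letters, write each letter's
    coordinates under it, read the rows off across, and turn the digit stream
    back into letters `dim` digits at a time.  Decryption spreads the
    ciphertext's digits back into the rows and reads them down again."""
    dim = len(next(iter(code.values())))
    decode = {v: k for k, v in code.items()}
    out = []
    for start in range(0, len(text), period):
        group = text[start:start + period]
        n = len(group)                      # the last group may be short
        if decrypt:
            stream = [d for ch in group for d in code[ch]]
            out.append("".join(decode[tuple(stream[k * n + j] for k in range(dim))]
                               for j in range(n)))
        else:
            stream = [code[ch][k] for k in range(dim) for ch in group]
            out.append("".join(decode[tuple(stream[m:m + dim])]
                               for m in range(0, len(stream), dim)))
    return "".join(out)

def clean(text, code):
    """Keep only the symbols the square or table knows."""
    return "".join(ch for ch in text.upper() if ch in code)

if __name__ == "__main__":
    msg = clean("THIS IS MY SECRET MESSAGE", BIFID)
    bifid_ct = fractionate(msg, BIFID, 5)
    trifid_ct = fractionate(msg, TRIFID, 7)
    print(bifid_ct, fractionate(bifid_ct, BIFID, 5, decrypt=True))
    print(trifid_ct, fractionate(trifid_ct, TRIFID, 7, decrypt=True))
```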
The Straddling Checkerboard
Some ciphers actually used by Soviet spies used a square like this:

   9 8 2 7 0 1 6 4 3 5
   A T   O N E   S I R
2  B C D F G H J K L M
6  P Q U V W X Y Z . /
Eight of the most common letters are translated to a single digit. The two digits not used in this way begin two-digit combinations that stand for the remaining letters. This is an example of a variable-length code with the prefix property. When it is possible to tell, from the digits one has already seen of a symbol, whether or not one needs to include the next digit in the symbol, then spaces between the digits of a symbol are not needed, and this is what is known as the prefix property.

At one time, telephone numbers in North America had this property, because the middle digit of an area code was always 0 or 1, and the first three digits of a regular telephone number, also known as the exchange, never had 0 or 1 as the middle digit. Therefore, it was possible to dial 1 plus the seven-digit number to make a long-distance call within one's own area code, since the first three digits could not possibly be an area code. However, the increased need for more telephone numbers made it necessary to abandon this rule, in January 1995, and therefore when dialing a long-distance call within one's own area code, it is now still necessary to dial the area code. This method of dealing with the increased demand for telephone numbers had the advantage that the number of digits in a telephone number did not have to be increased, and this avoided problems with computer data-processing systems that allocated the fixed minimum amount of space for a telephone number, as well as limiting the amount of alteration needed for older telephone equipment. In Britain, on the other hand, it was necessary to lengthen every telephone number by one digit, and this was done by inserting the digit 1 in every number in the second position on a day called "phONE day", April 16, 1995, although permissive dialing remained in effect until April 22, 2000. A number of other countries also modified their systems of telephone numbers during roughly the same period; Australia began in 1996, and Finland changed over its phone system on October 12, 1996.

Since in Morse code, a dot is the letter E, and a dash is the letter T, but other Morse code symbols also begin with a dot or a dash, Morse code is a variable-length code that does not have the prefix property, and so spaces are required between letters in Morse code.

Of course, the second digit of a two-digit combination could also have stood, by itself, for another letter; but because when you start from the beginning and move forwards, there is no chance of confusion, this is a workable and usable system. Thus, the message SENDMONEY would become 4 1 0 22 25 7 0 1 66, or, rather, 41022 25701 66 because spaces to show where the letters begin are not needed; the first digit representing a letter determines if its substitute is one or two digits long.

More complicated codes that work this way, using only the two binary digits 0 and 1, are used as a form of data compression. The most famous variable-length prefix-property binary codes are the Huffman codes; but this term only applies to such a code when symbols were assigned in it by a specific algorithm, which has been proven to be optimal, within the limitations of only considering single-symbol frequencies, and only using this kind of code: arithmetic coding, which doesn't work in whole bits, can be more efficient. Before Huffman's proof, codes of that nature assigned in a different fashion, which are known as Shannon-Fano codes, were the best known.

In one case, the VIC cipher used by Reino Hayhanen (the message in that cipher on microfilm, inside a hollow nickel, was the background to the page introducing this section) the digits produced by a straddling checkerboard were then subjected to a form of columnar transposition which was varied by selecting triangular areas to be filled with plaintext last. In other cases, after the message was converted to digits, encipherment similar to the Vigenère to be described in the next section was performed. Since Vigenère is a form of addition, doing addition on digits is easier for most people, without special equipment, than doing it on letters.
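The straddling checkerboard above, as an added example that is not the page's own code: the encoder runs the digits together, the decoder relies on the prefix property to find where each symbol ends, and a generic check confirms that no codeword is a prefix of another. It is parameterised on the top row of digits so that the same routine also reproduces the digits of the VIC checkerboard worked later on this page (top row 1 2 0 5 3 4 8 6 7 9, two-digit rows 0 and 8). Function names are mine.

```python
# Straddling checkerboard encoding and decoding (added example, not the
# page's own code; function names are assumptions).

def build_board(top_row, two_digit_rows):
    """top_row: the ten column digits in order; two_digit_rows: a list of
    (prefix_digit, ten_symbols).  The eight frequent letters A T O N E S I R
    take the columns whose digit is not a row prefix and get one digit each;
    every other symbol gets its row prefix followed by its column digit."""
    prefixes = [p for p, _ in two_digit_rows]
    single_cols = [d for d in top_row if d not in prefixes]
    enc = dict(zip("ATONESIR", single_cols))
    for prefix, symbols in two_digit_rows:
        for col, sym in zip(top_row, symbols):
            enc[sym] = prefix + col
    dec = {v: k for k, v in enc.items()}
    return enc, dec, prefixes

def has_prefix_property(codewords):
    """True if no codeword is a prefix of another, so codewords can be run
    together without separators (checking lexicographic neighbours suffices)."""
    words = sorted(codewords)
    return all(not b.startswith(a) for a, b in zip(words, words[1:]))

def encode(text, enc):
    return "".join(enc[ch] for ch in text.upper() if ch in enc)

def decode(digits, dec, prefixes):
    """Read left to right: a digit that is a row prefix announces a two-digit
    symbol, any other digit is a whole symbol by itself."""
    out, i = [], 0
    while i < len(digits):
        width = 2 if digits[i] in prefixes else 1
        group = digits[i:i + width]
        if group not in dec:            # truncated or corrupted message
            raise ValueError("no symbol for %r at position %d" % (group, i))
        out.append(dec[group])
        i += width
    return "".join(out)

# Board of the Soviet example above: top row 9 8 2 7 0 1 6 4 3 5, rows 2 and 6.
SOVIET_ENC, SOVIET_DEC, SOVIET_PREFIXES = build_board(
    "9827016435", [("2", "BCDFGHJKLM"), ("6", "PQUVWXYZ./")])

# Board of the VIC example later on this page: top row 1 2 0 5 3 4 8 6 7 9,
# rows 0 and 8.
VIC_ENC, VIC_DEC, VIC_PREFIXES = build_board(
    "1205348679", [("0", "BCDFGHJKLM"), ("8", "PQUVWXYZ./")])

if __name__ == "__main__":
    digits = encode("SENDMONEY", SOVIET_ENC)
    print(digits, decode(digits, SOVIET_DEC, SOVIET_PREFIXES),
          has_prefix_property(SOVIET_ENC.values()))
```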
The VIC Cipher
The VIC cipher is an intricate cipher issued by the Soviet Union to at least one of its spies. It is of interest because it seems highly secure, despite being a pencil-and-paper cipher. It was the cipher in which a message was written which was found on a piece of microfilm inside a hollowed-out nickel by a newspaper boy in 1953. The workings of this cipher were explained by Hayhanen to FBI agents shortly after his defection to the United States in 1957. David Kahn described that cipher briefly in an article in Scientific American, and in full detail in a talk at the 1960 annual convention of the American Cryptogram Association which was later reprinted in his book Kahn on Codes.

The VIC cipher, which I will demonstrate here adapted to the sending of English-language messages, begins with an involved procedure to produce ten pseudorandom digits. The agent must have memorized six digits (which were in the form of a date), and the first 20 letters of a key phrase (which was the beginning of a popular song) and must think of five random digits for use as a message indicator. Let the date be July 4, 1776, to give the digits 741776. (Actually, the Russians used their customary form of dates, with the month second.) And let the random indicator group be 77651.

The first step is to perform digit by digit subtraction (without carries) of the first five digits of the date from the indicator group:

    7 7 6 5 1
(-) 7 4 1 7 7
    0 3 5 8 4

The second step is to take the 20-letter keyphrase, and turn it into 20 digits by dividing it into two halves, and within each half, assigning 1 to the letter earliest in the alphabet, and so on, treating 0 as the last number, and assigning digits in order to identical letters. Thus, if our keyphrase is "I dream of Jeannie with t", that step proceeds:

I D R E A M O F J E
6 2 0 3 1 8 9 5 7 4

A N N I E W I T H T
1 6 7 4 2 0 5 8 3 9
The result of the first step is then expanded to ten digits through a process called chain addition. This is a decimal analog of the way a linear-feedback shift register works: starting with a group of a certain number of digits (in this case five; later we will do the same thing with a group of ten digits), add the first two digits in the group together, take only the last digit of the result and append it to the end of the group, then ignore the first digit, and repeat the process. The 10-digit result is then added, digit by digit, ignoring carries, to the first 10 digits produced from the key phrase to produce a ten-digit result, as follows:

    6 2 0 3 1 8 9 5 7 4
(+) 0 3 5 8 4 3 8 3 2 7
    -------------------
    6 5 5 1 5 1 7 8 9 1

And these 10 digits are then encoded by encoding 1 as the first of the 10 digits produced from the second half of the key phrase, 2 as the second, up to 0 as the tenth, using the code:

1 2 3 4 5 6 7 8 9 0
1 6 7 4 2 0 5 8 3 9

so that

6 5 5 1 5 1 7 8 9 1

becomes

0 2 2 1 2 1 5 8 3 1
This ten-digit number is used by chain addition to generate 50 pseudorandom digits for use in encipherment:

0 2 2 1 2 1 5 8 3 1

2 4 3 3 3 6 3 1 4 3
6 7 6 6 9 9 4 5 7 9
3 3 2 5 8 3 9 2 6 2
6 5 7 3 1 2 1 8 8 8
1 2 0 4 3 3 9 6 6 9

The last row of these digits (which will still be used again) is used like the letters in a keyword for transposition to produce a permutation of the digits 1 through 9 (with 0 last again):

1 2 0 4 3 3 9 6 6 9
1 2 0 5 3 4 8 6 7 9

and those digits are used as the top row of numbers for a straddling checkerboard:
    1 2 0 5 3 4 8 6 7 9
    A T   O N E   S I R
0   B C D F G H J K L M
8   P Q U V W X Y Z . /

One detail omitted is that the checkerboard actually used had the letters in the bottom part written in vertical columns with some columns left until the end. That doesn't work as well in an English example, as there are only two leftover spaces after the alphabet.

With the straddling checkerboard in place, we can begin enciphering a message. Let our message be:

We are pleased to hear of your success in establishing your false identity. You will be sent some money to cover expenses within a month.

Converting this to numbers, we proceed:

W  E A R E P  L  E A S E D  T O H  E A R O F  Y  O U  R S U  C  C  E S S I N E S T A B  L  I S H  I N G
83 4 1 9 4 81 07 4 1 6 4 00 2 5 04 4 1 9 5 05 88 5 80 9 6 80 02 02 4 6 6 7 3 4 6 2 1 01 07 7 6 04 7 3 03

Y  O U  R F  A L  S E I D  E N T I T Y  Y  O U  W  I L  L  B  E S E N T S O M  E M  O N E Y  T O C  O
88 5 80 9 05 1 07 6 4 7 00 4 3 2 7 2 88 88 5 80 83 7 07 07 01 4 6 4 3 2 6 5 09 4 09 5 3 4 88 2 5 02 5

V  E R E X  P  E N S E S W  I T H  I N A M  O N T H
85 4 9 4 84 81 4 3 6 4 6 83 7 2 04 7 3 1 09 5 3 2 04

For the sake of our example, we will give our agent a small personal number of 8. This number is used to work out the widths of the two transposition tableaux used to transpose the numbers obtained above. The last two unequal digits, which in this case are the last two digits (6 and 9) of the last row of the 50 numbers generated above, are added to the personal number, with the result that the two transpositions will involve 8+6, or 14, and 8+9, or 17, columns respectively.

The keys for those two transpositions are taken by reading out the 50 numbers by columns, using the 10 digits used to generate them as a transposition key. Again, 0 is last, so given the table above:

0 2 2 1 2 1 5 8 3 1

2 4 3 3 3 6 3 1 4 3
6 7 6 6 9 9 4 5 7 9
3 3 2 5 8 3 9 2 6 2
6 5 7 3 1 2 1 8 8 8
1 2 0 4 3 3 9 6 6 9

we read out the digits in order:

36534 69323 39289 47352 36270 39813 4

stopping when we have the 31 digits we need.

Our first transposition uses the first 14 digits as the key of a conventional simple columnar transposition:

36534693233928
--------------
83419481074164
00250441950588
58096800202466
73462101077604
73038858090510
76470043272888
85808370707014
64326509409534
88250258549484
81436468372047
3109532049

Since our message consisted of ten rows of 14 digits, plus one extra row of 9 digits, it is 149 digits long. At this initial stage, one null digit is appended to the message, making it 150 digits long, so that it will fill a whole number of 5-digit groups. Thus, with the null digit added, it gives us the intermediate form of the message:

09200274534 6860181384 80577786883 15963702539 11018309880 75079700479 4027027992 90628086065 42040483240 30833654811 44818035243 4864084447 84005470562 1546580540

The fact that our message is 150 digits long was important to note, since the next step in the encipherment, although it is also a columnar transposition, includes an extra complexity to make the transposition irregular, and so it is necessary to lay out in advance the space that will be used in that transposition.

The remaining 17 digits of the 31 we read out above, 9 47352 36270 39813 4, are the key for this second transposition. The numbers, in addition to indicating the order in which the columns are to be read out, indicate where triangular areas start which will be filled in last. The first triangular area starts at the top of the column which will be read out first, and extends to the end of the first row. It continues in the next row, starting one column later, and so on until it includes only the digit in the last column. Then, after one row has been left without a triangle, the second triangular area starts, this time in the column which will be read out second.

Since we know that our message is 150 digits long, we know that it will fill 8 rows of 17 digits, with 14 digits in the final row. This lets us fill in the transposition block, first avoiding the triangular areas:

94735236270398134
-----------------
09200274534686
018138480577786
8831596370253911
01830988075079700
47940
270279
9290628
08606542
040483240

and then with them filled in as well:

94735236270398134
-----------------
09200274534686308
01813848057778633
88315963702539116
01830988075079700
47940548114481803
27027952434864084
92906284478400547
08606542056215465
04048324080540

from which the fully encrypted message can be read out:

36178054 289959253 507014400 011342004 746845842 675048425 03100846 918177284 83603475 035007668 483882424 283890960 350713758 689914050 008042900 873786014 472544860
The last digit, 6, in the date shows that the indicator group is to be inserted in the final message as the sixth group from the end, so the message in the form in which it will be transmitted becomes:

36178 05428 99592 53507 01440 00113 42004 74684 58426 75048
42503 10084 69181 77284 83603 47503 50076 68483 88242 42838
90960 35071 37586 89914 05000 77651 80429 00873 78601 44725
44860
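The whole procedure above, from the date and key phrase to the transmitted groups, as an added Python example (not the page's own code; the inputs are the page's, while the function names and the choice of 9 as the null digit are this example's):

```python
# The VIC encipherment worked above. Added example, not the page's own code:
# the function names and the choice of 9 as the null digit are this example's.

def column_order(key):
    """Column indices in read-out order: ascending digit with 0 counted last,
    equal digits taken left to right (the page's keyword-numbering rule)."""
    return sorted(range(len(key)), key=lambda i: (key[i] == '0', key[i], i))

def rank(seq):
    """Number ten letters or digits 1, 2, ..., 9, 0 by that rule."""
    ranks = [''] * len(seq)
    for r, i in enumerate(column_order(seq), start=1):
        ranks[i] = str(r % 10)
    return ''.join(ranks)

def chain_add(seed, count):
    """Chain addition: each new digit is (d[i] + d[i+1]) mod 10, the stream
    running on into the digits it has itself produced; returns the new digits."""
    d = [int(c) for c in seed]
    for i in range(count):
        d.append((d[i] + d[i + 1]) % 10)
    return ''.join(str(x) for x in d[len(seed):])

def add_mod10(a, b):
    return ''.join(str((int(x) + int(y)) % 10) for x, y in zip(a, b))

def sub_mod10(a, b):
    return ''.join(str((int(x) - int(y)) % 10) for x, y in zip(a, b))

def encode_digits(digits, code):
    """Replace 1, 2, ..., 9, 0 by the 1st, 2nd, ..., 10th digit of `code`."""
    return ''.join(code[(int(c) - 1) % 10] for c in digits)

def build_checkerboard(top, row0, lower_rows):
    """Straddling checkerboard: the digits above the two blanks in row0
    become the prefixes of the two lower rows."""
    table = {c: d for c, d in zip(row0, top) if c != ' '}
    prefixes = [d for c, d in zip(row0, top) if c == ' ']
    for p, row in zip(prefixes, lower_rows):
        table.update({c: p + d for c, d in zip(row, top)})
    return table

def columnar(text, key):
    """Simple columnar transposition."""
    w = len(key)
    rows = [text[i:i + w] for i in range(0, len(text), w)]
    return ''.join(r[c] for c in column_order(key) for r in rows if c < len(r))

def disrupted(text, key):
    """Columnar transposition whose triangular areas are filled last: a triangle
    starts at the top of the column read out k-th, runs to the end of the row,
    shrinks by one column per row, and one untouched row precedes the next."""
    w, n = len(key), len(text)
    order = column_order(key)
    lengths = [min(w, n - i) for i in range(0, n, w)]
    late = [[False] * L for L in lengths]
    r = 0
    for col in order:
        while r < len(late) and col < w:
            for c in range(col, lengths[r]):
                late[r][c] = True
            r, col = r + 1, col + 1
        r += 1
        if r >= len(late):
            break
    grid = [[''] * L for L in lengths]
    it = iter(text)
    for phase in (False, True):             # ordinary cells first, triangles after
        for r, row in enumerate(grid):
            for c in range(lengths[r]):
                if late[r][c] == phase:
                    row[c] = next(it)
    return ''.join(grid[r][c] for c in order for r in range(len(grid)) if c < lengths[r])

def last_two_unequal(digits):
    last = digits[-1]
    prev = next(d for d in reversed(digits[:-1]) if d != last)
    return int(prev), int(last)

def vic_encipher(message, date, phrase, indicator, personal, null='9'):
    step1 = sub_mod10(indicator, date[:5])                      # 03584
    letters = [c for c in phrase.upper() if c.isalpha()][:20]
    first, second = rank(letters[:10]), rank(letters[10:])     # 6203189574, 1674205839
    ten = add_mod10(first, step1 + chain_add(step1, 5))         # 6551517891
    seed = encode_digits(ten, second)                           # 0221215831
    fifty = chain_add(seed, 50)
    table = build_checkerboard(rank(fifty[-10:]), "AT ONE SIR",
                               ["BCDFGHJKLM", "PQUVWXYZ./"])
    digits = ''.join(table[c] for c in message.upper() if c in table)
    while len(digits) % 5:                                      # fill the last group
        digits += null
    a, b = last_two_unequal(fifty)
    keys = columnar(fifty, seed)[:2 * personal + a + b]         # the 50 digits by columns
    out = disrupted(columnar(digits, keys[:personal + a]), keys[personal + a:])
    groups = [out[i:i + 5] for i in range(0, len(out), 5)]
    groups.insert(len(groups) - int(date[-1]) + 1, indicator)  # sixth group from the end
    return ' '.join(groups)

# Constructed from the page's example; its digit string leaves out the full stops.
MESSAGE = ("We are pleased to hear of your success in establishing your false "
           "identity You will be sent some money to cover expenses within a month")
```

Calling `vic_encipher(MESSAGE, "741776", "I dream of Jeannie with t", "77651", 8)` reproduces the transmitted groups above.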
Two Trigraphic Ciphers, and a Heptagraphic One
Playfair for Three
Based on the Playfair cipher, I once thought of a way to make a cipher that worked on groups of three letters. Using a square, as with Playfair:

T X V H R
L K M U P
N Z O J E
C G W Y A
F B S D I

encipher with the following rules:

- If all three letters are the same, replace them by three repetitions of the letter diagonally below and to the right of that letter. Thus: MMM becomes JJJ in the square above. Below, and to the right, are always interpreted cyclically, so DDD becomes RRR, and PPP becomes NNN, and even III becomes TTT.
- If two of the letters are the same, encipher the two distinct letters as if they were a digraph to be enciphered with Playfair, and give the repeated letter its new value wherever it occurs:
  - If the two letters are in the same row, replace each one with the letter to its right. Thus: PKK becomes LMM, NON becomes ZJZ.
  - If the two letters are in the same column, replace each one with the letter below it. Thus: HUH becomes UJU, ZZB becomes GGX.
  - If the two letters are neither in the same row nor the same column, replace each letter with the letter that is in its own row, but in the column of the other letter. Thus: BOO becomes SZZ, MIM becomes PSP.
- When all three letters are different, follow these rules:
  - If all three letters are in the same row, replace each one with the letter to its right. Thus, CYG becomes GAW, ZEN becomes ONZ.
  - If all three letters are in the same column, replace each one with the letter below it. Thus, MOW becomes OWS, KGB becomes ZBX.
  - If two letters are in the same row, and one of those two is in the same column as the third letter, take the letter that is in the same row as one other letter and the same column as the remaining letter, and replace it with the letter that is in the same column as the letter with which it shares a row, and in the same row as the letter with which it shares a column. Replace the two other letters by each other. Thus, YUK becomes KGY, WVY becomes HYV, POE becomes OPM, GAP becomes PKG.
  - If two letters are in the same column, but the third letter is neither in that column nor in the same row as either of those two letters, replace each letter by the letter which is in its own row, but in the other column used by the three letters. Thus, TCO becomes VWN, TAN becomes RCE, HUG becomes XKY.
  - If two letters are in the same row, but the third letter is neither in that row nor in the same column as either of those two letters, replace each letter by the letter which is in its own column, but in the other one of the two rows used by the letters. Thus, NED becomes FIJ, GAS becomes BIW, LOP becomes NME.
  - If no two letters share either a row or column, each letter is replaced by the letter in its own row, but in the column of the next letter of the trigram, the first letter being the 'next letter' for the last one. Thus, TOY becomes VJC, LOB becomes MZF, GET becomes ANX.
Note that since a trigram with repeated letters always enciphers to a trigram with repeated letters, one could use a separate square for each of the three possibilities, or even just use an arbitrary substitution alphabet for the case of three identical letters.
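The rules above as code, as an added example (not the page's own code; SQUARE is the page's square, the function names are this example's, and the exhaustive check at the end confirms the remark about repeated letters):

```python
# Playfair for Three, the rules above as code. Added example, not the page's own
# code; SQUARE is the page's square, the function names are this example's.
SQUARE = ["TXVHR", "LKMUP", "NZOJE", "CGWYA", "FBSDI"]
POS = {ch: (r, c) for r, row in enumerate(SQUARE) for c, ch in enumerate(row)}

def at(r, c):
    """Letter at row r, column c, both counted cyclically."""
    return SQUARE[r % 5][c % 5]

def playfair_pair(x, y):
    """Ordinary Playfair on two different letters."""
    (r1, c1), (r2, c2) = POS[x], POS[y]
    if r1 == r2:
        return at(r1, c1 + 1), at(r2, c2 + 1)
    if c1 == c2:
        return at(r1 + 1, c1), at(r2 + 1, c2)
    return at(r1, c2), at(r2, c1)

def encipher_trigram(t):
    rows = [POS[ch][0] for ch in t]
    cols = [POS[ch][1] for ch in t]
    if t[0] == t[1] == t[2]:                   # three identical letters
        return at(rows[0] + 1, cols[0] + 1) * 3
    if len(set(t)) == 2:                       # a doubled letter and one other
        x, y = max(t, key=t.count), min(t, key=t.count)
        sub = dict(zip((x, y), playfair_pair(x, y)))
        return ''.join(sub[ch] for ch in t)
    if len(set(rows)) == 1:                    # all in one row
        return ''.join(at(r, c + 1) for r, c in zip(rows, cols))
    if len(set(cols)) == 1:                    # all in one column
        return ''.join(at(r + 1, c) for r, c in zip(rows, cols))
    two_in_row, two_in_col = len(set(rows)) == 2, len(set(cols)) == 2
    if two_in_row and two_in_col:              # one letter shares a row with one, a column with the other
        i = next(i for i in range(3) if rows.count(rows[i]) == 2 and cols.count(cols[i]) == 2)
        j, k = [m for m in range(3) if m != i]
        rowmate, colmate = (j, k) if rows[j] == rows[i] else (k, j)
        out = list(t)
        out[i] = at(rows[colmate], cols[rowmate])
        out[j], out[k] = t[k], t[j]            # the other two change places
        return ''.join(out)
    if two_in_col:                             # own row, the other column in use
        return ''.join(at(r, next(x for x in cols if x != c)) for r, c in zip(rows, cols))
    if two_in_row:                             # own column, the other row in use
        return ''.join(at(next(x for x in rows if x != r), c) for r, c in zip(rows, cols))
    return ''.join(at(rows[i], cols[(i + 1) % 3]) for i in range(3))   # nothing shared

def encipher(text):
    """Encipher a text of square letters whose length is a multiple of three."""
    text = text.upper()
    if len(text) % 3 or any(ch not in POS for ch in text):
        raise ValueError("need square letters only, in whole trigrams")
    return ''.join(encipher_trigram(text[i:i + 3]) for i in range(0, len(text), 3))

def repeat_pattern_preserved():
    """The page's remark: a trigram's pattern of repeated letters survives encipherment."""
    letters = ''.join(SQUARE)
    return all(len(set(encipher_trigram(a + b + c))) == len(set(a + b + c))
               for a in letters for b in letters for c in letters)
```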
Trigraphic from Fractionation
If one uses a substitution where each letter of a 27-letter alphabet is replaced by three digits from 1 to 3, then the obvious method of constructing a trigraphic cipher from this is to write the equivalents of the three letters in by columns and take them out by rows; thus, with the alphabet

W 111   N 211   C 311
A 112   E 212   X 312
K 113   Q 213   I 313
M 121   O 221   T 321
& 122   V 222   J 322
B 123   R 223   F 323
Z 131   L 231   U 331
Y 132   P 232   G 332
H 133   S 233   D 333

we encipher like this:

T H E
3 1 2  X
2 3 1  L
1 3 2  Y

(the digits of T, H and E are written down the columns, and the rows 312, 231 and 132 are read off as X, L and Y).
For 26 Letters
But how can we adapt these two ciphers to a 26-letter alphabet? Let's imagine that we want to have a method that doesn't require, as the original Playfair did, inserting a letter like X into the plaintext when a double letter occurs; we want something that can be applied mechanically to any arbitrary input text. This would make it suitable for use as a step in encryption performed by a computer.

For the cipher derived from Playfair, the structure of the rules provides a clue. When the extra letter turns up, ignore it for encryption, but place it in the ciphertext without alteration, and treat the two remaining letters, if they are different, as in regular Playfair, and a single remaining letter (or two identical remaining letters) as if they were three identical letters.

How, though, can we possibly make the cipher which requires a 27-letter alphabet work with only 26 letters? First, choose a substitution table such that the unused letter, &, is represented by the code 333:

U 111   Q 211   B 311
X 112   C 212   Y 312
H 113   S 213   E 313
F 121   D 221   R 321
J 122   A 222   T 322
M 123   Z 223   N 323
P 131   W 231   G 331
I 132   K 232   V 332
O 133   L 233   & 333
Now then, any combination that does not contain an ampersand, but which produces a combination that does contain one, will have produced a combination that, when enciphered again, doesn't contain an ampersand:

L O G        S & G
2 1 3  S     2 3 3  L
3 3 3  &     1 3 3  O
3 3 1  G     3 3 1  G
That appears to be a trivial consequence of the fact that this cipher is reciprocal. Since an ampersand is represented by the code 333, however, that means that whether or not a square produces an ampersand depends only on the positions of the 3s in that square; the other two digits, 1 and 2, are irrelevant. Thus, we can do better than leaving trigrams which encipher to combinations including an ampersand unenciphered. Between the two encipherments, we can apply a substitution to the letters of the first result, as long as that substitution leaves the 3s unchanged. Since this substitution operates perpendicular to the plaintext and the ciphertext, the cipher still mixes the letters of the trigram together in this case. Such a substitution might look like this (each code in an upper row is replaced by the code below it):

111 112 121 122 211 212 221 222
212 122 211 221 121 222 111 112

113 123 213 223
123 223 113 213

131 132 231 232
232 231 131 132

311 312 321 322
321 311 322 312

133 233 313 323 331 332
233 133 313 323 332 331

333
333
With such a substitution, our encipherment would become:

L O G        H & V
2 1 3  S     1 3 3  O
3 3 3  &     1 3 3  O
3 3 1  G     3 3 2  V

where, between the two steps, the substitution changed the digits of the letters:

213 -> 113 (H)
333 -> 333 (&)
331 -> 332 (V)
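The two tables above, the reciprocal fractionation, and the 26-letter handling with the 3-preserving substitution, as an added Python example (not the page's own code; the function names are this example's, and the exhaustive check goes beyond the page by confirming that no trigram of the 26 letters ever enciphers to one containing &):

```python
# The trigraphic cipher from fractionation: the 27-letter table, the 26-letter
# table with & = 333, and the 3-preserving substitution used between two passes.
# Added example, not the page's own code; the function names are this example's.
from itertools import product

CODES = [''.join(d) for d in product("123", repeat=3)]        # 111, 112, ..., 333
TABLE27 = dict(zip("WAKM&BZYHNEQOVRLPSCXITJFUGD", CODES))      # the page's first table
TABLE26 = dict(zip("UXHFJMPIOQCSDAZWKLBYERTNGV&", CODES))      # the page's second table

# the page's substitution, upper row -> lower row; every 3 stays where it is
_ROWS = [("111 112 121 122 211 212 221 222", "212 122 211 221 121 222 111 112"),
         ("113 123 213 223", "123 223 113 213"),
         ("131 132 231 232", "232 231 131 132"),
         ("311 312 321 322", "321 311 322 312"),
         ("133 233 313 323 331 332", "233 133 313 323 332 331"),
         ("333", "333")]
SUB = {a: b for up, down in _ROWS for a, b in zip(up.split(), down.split())}
SUB_INV = {b: a for a, b in SUB.items()}

def fractionate(trigram, table):
    """Write each letter's digits down a column and read the rows back as
    letters; doing it twice gives the original trigram back."""
    inv = {code: ch for ch, code in table.items()}
    cols = [table[ch] for ch in trigram]
    return ''.join(inv[''.join(col[i] for col in cols)] for i in range(3))

def substitute(trigram, table, sub):
    inv = {code: ch for ch, code in table.items()}
    return ''.join(inv[sub[table[ch]]] for ch in trigram)

def encipher26(trigram):
    """One pass; if that contains an &, substitute and fractionate once more.
    The 3s are unchanged, so the second pass can contain no &."""
    out = fractionate(trigram, TABLE26)
    if '&' in out:
        out = fractionate(substitute(out, TABLE26, SUB), TABLE26)
    return out

def decipher26(trigram):
    out = fractionate(trigram, TABLE26)
    if '&' in out:          # only a twice-enciphered trigram comes back with an &
        out = fractionate(substitute(out, TABLE26, SUB_INV), TABLE26)
    return out

def check_all_trigrams():
    """Every trigram of the 26 letters enciphers to a distinct &-free trigram
    and deciphers back (the page's argument, checked exhaustively)."""
    letters = [ch for ch in TABLE26 if ch != '&']
    seen = set()
    for t in product(letters, repeat=3):
        p = ''.join(t)
        c = encipher26(p)
        if '&' in c or c in seen or decipher26(c) != p:
            return False
        seen.add(c)
    return True
```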
Heptagraphic encryption
Having now obtained two trigraphic ciphers which both operate on trigrams of the 26-letter alphabet, but which operate on different principles, one is immediately tempted to combine them to create a cipher which will be much stronger than either one alone. One way to do this is simply to apply both in sequence. However, inspired by recently encountering the polymorphic block ciphers of Kostadin Bajalcaliev, I have thought of a more elaborate way of doing this.

Let us encipher a block of seven letters at a time. Three letters are enciphered trigraphically by one of the two systems given above, and the next three are enciphered using the other system. The seventh letter is used to indicate which system is used. Then, the letters are rearranged according to the permutation from 1 2 3 4 5 6 7 to 4 7 1 2 3 5 6, and the process is repeated. Since it seems wasteful to leave a letter unenciphered just to use it as the source of one bit of information, that letter could also be used to choose between twelve possibilities: there could be three different sets of tables for one of the block ciphers, and four different sets of tables for the other. For the one based on Playfair, it is not even necessary that the omitted letter be the same for each set of tables.
Nonagraphic Encryption
Of course, with two different trigraphic ciphers, performing some sort of transposition between applying them is another way to produce a very strong cipher. Just as the trigraphic cipher based on a 27character alphabet places digits in a square by columns, and takes them out by rows, one could encrypt nine letters at a time by placing them in a square array, and encrypting first the columns by one cipher, and then the rows by the other. One could even do that twice, inspired by Square, the predecessor of Rijndael, the new Advanced Encryption Standard.
Polyalphabetic Substitution
The idea of using substitution ciphers that change during the course of a message was a very important step forwards in cryptography. David Kahn's book, The Codebreakers, gives a full account of the origins of this idea during the Italian Renaissance. The earliest form of polyalphabetic cipher was developed by Leon Battista Alberti by 1467. His system involved writing the ciphertext in small letters, and using capital letters as symbols, called indicators, to indicate when the substitution changes, now and then through a message. The plaintext alphabet on his cipher disk was in order, and included the digits 1 through 4 for forming codewords from a small vocabulary. Subsequently, more modern forms were devised, which change the substitution for each letter:
- A progressive-key system, where keys are used one after the other in normal order. This was first published posthumously, in a book by Johannes Trithemius that appeared in 1518. The key ABCD...Z was used with regular alphabets in the form depicted therein.
- A keyword indicating the alphabets to use in turn. Although this system is what is called the Vigenère, it originated with Giovan Batista Belaso in 1553. In 1563, Giovanni Battista Porta added the use of mixed alphabets to this system.
- The autokey system, where a key starts the choice of alphabet, but the message itself determines the alphabets to use for later parts of the message. Although an unusable form of this was first proposed by Girolamo Cardano, it was Blaise de Vigenère who proposed the modern form of the autokey cipher in 1585.
The following compact table provides 26 alphabets, each labelled with a letter of the alphabet:

B C D E F   ZABCDEFGHIJKLMNOPQRSTUVWXY
G H I J K   UVWXYZABCDEFGHIJKLMNOPQRST
L M N O P   PQRSTUVWXYZABCDEFGHIJKLMNO
Q R S T U   KLMNOPQRSTUVWXYZABCDEFGHIJ
V W X Y Z   FGHIJKLMNOPQRSTUVWXYZABCDE

B G L Q V   ABCDEFGHIJKLMNOPQRSTUVWXYZ
C H M R W   BCDEFGHIJKLMNOPQRSTUVWXYZA
D I N S X   CDEFGHIJKLMNOPQRSTUVWXYZAB
E J O T Y   DEFGHIJKLMNOPQRSTUVWXYZABC
F K P U Z   EFGHIJKLMNOPQRSTUVWXYZABCD
The A alphabet isn't shown, since in that alphabet every letter stands for itself, and so, if nothing is done, nothing need be looked up in the table. For any other alphabet, use the letter indicating the alphabet to find a row among the top five, and a row among the bottom five; using those two rows, the upper row stands for plaintext, the lower for cipher. Thus, for alphabet Q, the top row begins KLMNO... and the bottom row begins ABCDE..., and so K becomes A, Q becomes G, and A becomes Q in that alphabet. If you think of A as standing for zero, B for 1, up to Z for 25, this particular set of alphabets is nothing more than the modulo-26 addition of the plaintext and the key to obtain the ciphertext. Circular disks or sliding scales can be used to carry out the addition. This, perhaps, can be more easily seen if we exhibit the Vigenère tableau in full, accompanied by the table for modulo-26 addition:
Plaintext letters run across the top, key letters down the side:

   ABCDEFGHIJKLMNOPQRSTUVWXYZ
  +--------------------------
A |ABCDEFGHIJKLMNOPQRSTUVWXYZ
B |BCDEFGHIJKLMNOPQRSTUVWXYZA
C |CDEFGHIJKLMNOPQRSTUVWXYZAB
D |DEFGHIJKLMNOPQRSTUVWXYZABC
E |EFGHIJKLMNOPQRSTUVWXYZABCD
F |FGHIJKLMNOPQRSTUVWXYZABCDE
G |GHIJKLMNOPQRSTUVWXYZABCDEF
H |HIJKLMNOPQRSTUVWXYZABCDEFG
I |IJKLMNOPQRSTUVWXYZABCDEFGH
J |JKLMNOPQRSTUVWXYZABCDEFGHI
K |KLMNOPQRSTUVWXYZABCDEFGHIJ
L |LMNOPQRSTUVWXYZABCDEFGHIJK
M |MNOPQRSTUVWXYZABCDEFGHIJKL
N |NOPQRSTUVWXYZABCDEFGHIJKLM
O |OPQRSTUVWXYZABCDEFGHIJKLMN
P |PQRSTUVWXYZABCDEFGHIJKLMNO
Q |QRSTUVWXYZABCDEFGHIJKLMNOP
R |RSTUVWXYZABCDEFGHIJKLMNOPQ
S |STUVWXYZABCDEFGHIJKLMNOPQR
T |TUVWXYZABCDEFGHIJKLMNOPQRS
U |UVWXYZABCDEFGHIJKLMNOPQRST
V |VWXYZABCDEFGHIJKLMNOPQRSTU
W |WXYZABCDEFGHIJKLMNOPQRSTUV
X |XYZABCDEFGHIJKLMNOPQRSTUVW
Y |YZABCDEFGHIJKLMNOPQRSTUVWX
Z |ZABCDEFGHIJKLMNOPQRSTUVWXY

and the same table with each letter replaced by its number, which is simply addition modulo 26:

    0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
  +-----------------------------------------------------------------------------
 0| 0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
 1| 1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25  0
 2| 2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25  0  1
 3| 3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25  0  1  2
 4| 4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25  0  1  2  3
 5| 5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25  0  1  2  3  4
 6| 6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25  0  1  2  3  4  5
 7| 7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25  0  1  2  3  4  5  6
 8| 8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25  0  1  2  3  4  5  6  7
 9| 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25  0  1  2  3  4  5  6  7  8
10|10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25  0  1  2  3  4  5  6  7  8  9
11|11 12 13 14 15 16 17 18 19 20 21 22 23 24 25  0  1  2  3  4  5  6  7  8  9 10
12|12 13 14 15 16 17 18 19 20 21 22 23 24 25  0  1  2  3  4  5  6  7  8  9 10 11
13|13 14 15 16 17 18 19 20 21 22 23 24 25  0  1  2  3  4  5  6  7  8  9 10 11 12
14|14 15 16 17 18 19 20 21 22 23 24 25  0  1  2  3  4  5  6  7  8  9 10 11 12 13
15|15 16 17 18 19 20 21 22 23 24 25  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14
16|16 17 18 19 20 21 22 23 24 25  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
17|17 18 19 20 21 22 23 24 25  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
18|18 19 20 21 22 23 24 25  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17
19|19 20 21 22 23 24 25  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18
20|20 21 22 23 24 25  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19
21|21 22 23 24 25  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20
22|22 23 24 25  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21
23|23 24 25  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22
24|24 25  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
25|25  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
And, of course, instead of the modulo-26 addition table for our 26-letter alphabet, a Vigenère table can be constructed for any alphabet. Thus, modulo-24 addition would be used for the Greek alphabet, modulo-32 addition for the Russian alphabet, or, as shown in the picture at left, modulo-22 addition for the Hebrew alphabet. Here, the table is written from right to left, in the same direction as normally used for Hebrew writing.
The message "Wish you were here" can be encrypted by the three possible methods, using SIAMESE as the keyword:
Straight keyword:

Message: WISHYOUWEREHERE
Key:     SIAMESESIAMESES
Cipher:  OQSTCGYOMRQLWVW

Progressive key:

Message: WISHYOUWEREHERE
Key:     SIAMESETJBNFTFU
Cipher:  OQSTCGYPNSRMXWY

Autokey:

Message: WISHYOUWEREHERE
Key:     SIAMESEWISHYOUW
Cipher:  OQSTCGYSMJLFSLA

For the progressive key, the keyword, followed by the keyword advanced one position at a time through the alphabet, is used. Just using ABCDEF... as the key would not have been unique enough to serve as a real cipher. The table shown here can be thought of as a table for the addition of letters, which is equivalent to addition modulo 26, where A stands for 0, B stands for 1, continuing on to Z, which would stand for 25.

The plain keyword system can be solved by the Kasiski method: look for repeated sequences of letters in a message, and count the number of letters between them. From this, it is easy to spot common factors, and determine the length of the keyword used. This lets one sort the letters into the ones enciphered with the same alphabet. If normal alphabets are used, looking at the profile of the frequency count makes solution trivial.

For the other two methods, elementary cryptanalysis only allows solution for normal (or at least known) alphabets. The progressive-key case can be made to yield its period if one looks not for repeated letters, but for repeated distances in the alphabet between adjacent letters; this subtracts out the slow movement of the keyword through the alphabet. The autokey can basically be solved by brute-force trial on the length of its starting keyword. Of course, these systems can still be solved with mixed alphabets, but more advanced methods are needed, involving statistics or multiple messages with the same key.

In addition to using mixed alphabets for greater security, there are other systems of historical importance.
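Before turning to those other systems, the three keyings of the SIAMESE example in code, as an added example (not the page's own code; it also includes the Beaufort and variant Beaufort rules defined further down the page and a Kasiski repeat search; the function names and the ATTACKATDAWN text used to exercise the Kasiski search are this example's):

```python
# The three keyings of the SIAMESE example above, the Vigenère, Beaufort and
# variant Beaufort combining rules, and the Kasiski repeat search. Added example,
# not the page's own code; the ATTACKATDAWN text in the Kasiski check is constructed.
from math import gcd
from functools import reduce

def num(ch):
    return ord(ch) - ord('A')

def let(x):
    return chr(x % 26 + ord('A'))

def straight_key(keyword, length):
    """The keyword repeated as often as needed."""
    return ''.join(keyword[i % len(keyword)] for i in range(length))

def progressive_key(keyword, length):
    """Each repetition of the keyword is moved one more place through the alphabet."""
    n = len(keyword)
    return ''.join(let(num(keyword[i % n]) + i // n) for i in range(length))

def autokey(keyword, plaintext):
    """The keyword starts the key and the plaintext itself continues it."""
    return (keyword + plaintext)[:len(plaintext)]

def vigenere(plain, key):
    """cipher = plain + key (mod 26)."""
    return ''.join(let(num(p) + num(k)) for p, k in zip(plain, key))

def variant_beaufort(plain, key):
    """cipher = plain - key; the same operation deciphers Vigenère."""
    return ''.join(let(num(p) - num(k)) for p, k in zip(plain, key))

def beaufort(text, key):
    """cipher = key - plain; reciprocal, so it also deciphers itself."""
    return ''.join(let(num(k) - num(t)) for t, k in zip(text, key))

def autokey_decipher(cipher, keyword):
    """Each recovered plaintext letter is the key for a position len(keyword) later."""
    plain = ''
    for i, c in enumerate(cipher):
        k = keyword[i] if i < len(keyword) else plain[i - len(keyword)]
        plain += let(num(c) - num(k))
    return plain

def kasiski_distances(cipher, n=3):
    """Distances between repeated n-grams; the keyword length divides most of them."""
    first, distances = {}, []
    for i in range(len(cipher) - n + 1):
        g = cipher[i:i + n]
        if g in first:
            distances.append(i - first[g])
        else:
            first[g] = i
    return distances

def kasiski_period_guess(cipher, n=3):
    """Greatest common divisor of the repeat distances (0 if there are none);
    the keyword length is this number or one of its divisors."""
    return reduce(gcd, kasiski_distances(cipher, n), 0)
```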
The Gronsfeld, which added a numeric key to the plaintext, meant that there were only ten possible equivalents for each letter, but was easier to do by hand without a table or slide or disk. The Porta system used a smaller table; the first half of the alphabet was stationary while the second half moved, and equivalents for letters in each half of the alphabet were found in the other half. The table for the Porta system (converted to the modern 26-letter alphabet) is as follows:

Key     ABCDEFGHIJKLM
 AB     NOPQRSTUVWXYZ
 CD     OPQRSTUVWXYZN
 EF     PQRSTUVWXYZNO
 GH     QRSTUVWXYZNOP
 IJ     RSTUVWXYZNOPQ
 KL     STUVWXYZNOPQR
 MN     TUVWXYZNOPQRS
 OP     UVWXYZNOPQRST
 QR     VWXYZNOPQRSTU
 ST     WXYZNOPQRSTUV
 UV     XYZNOPQRSTUVW
 WX     YZNOPQRSTUVWX
 YZ     ZNOPQRSTUVWXY
The Gronsfeld, and, even more easily, the Porta, because they only allow some letters, but not others, as equivalents for any given plaintext letter, can be attacked through this weakness.

In attempting to devise a cipher that, like the Gronsfeld, lends itself to mental arithmetic, I used (for the English alphabet) the method of representing numbers as letters that was used by the ancient Hebrews and the ancient Greeks:

A B C D E F G H I
1 2 3 4 5 6 7 8 9

J  K  L  M  N  O  P  Q  R
10 20 30 40 50 60 70 80 90

S   T   U   V   W   X   Y   Z
100 200 300 400 500 600 700 800
Then, the rule for encipherment is this:

a) If the plaintext and key letters are in the same column, they are added:

B (2) + F (6) = H (8)
L (30) + J (10) = M (40)

b) If the plaintext and key letters are in two different columns, their nonzero digits are added, and the letter containing the sum in the third column, the one which contains neither key nor plaintext, is taken:

D (4) + L (30) = Y (700)
W (500) + K (20) = G (7)

If we had a 27-letter alphabet, we would only have to add that when the sum is greater than 9, we subtract 9 (in the appropriate digit place):

M (40) + Q (80) = L (30)

For the 26-letter alphabet, it's easy to modify rule (a): if the two letters are in the third column, subtract 800 instead of 900:

U (300) + Y (700) = T (200)

Rule (b) is modified in this way: always subtract 9 when the sum exceeds 9, even in the third column; if the plaintext letter and the key letter would produce 900 as the result, use instead the letter that would be produced by enciphering a letter with the value 900 with the key letter. Since there is no letter with that value, when 900 is produced by deciphering, decipher 900 with the key to get the true plaintext letter. This produces the table seen below:

          Plaintext
Key   ABCDEFGHI JKLMNOPQR STUVWXYZ
 A    BCDEFGHIA TUVWXYZJS KLMNOPQR
 B    CDEFGHIAB UVWXYZKST LMNOPQRJ
 C    DEFGHIABC VWXYZLSTU MNOPQRJK
 D    EFGHIABCD WXYZMSTUV NOPQRJKL
 E    FGHIABCDE XYZNSTUVW OPQRJKLM
 F    GHIABCDEF YZOSTUVWX PQRJKLMN
 G    HIABCDEFG ZPSTUVWXY QRJKLMNO
 H    IABCDEFGH QSTUVWXYZ RJKLMNOP
 I    ABCDEFGHI STUVWXYZR JKLMNOPQ
 J    TUVWXYZAS KLMNOPQRJ BCDEFGHI
 K    UVWXYZBST LMNOPQRJK CDEFGHIA
 L    VWXYZCSTU MNOPQRJKL DEFGHIAB
 M    WXYZDSTUV NOPQRJKLM EFGHIABC
 N    XYZESTUVW OPQRJKLMN FGHIABCD
 O    YZFSTUVWX PQRJKLMNO GHIABCDE
 P    ZGSTUVWXY QRJKLMNOP HIABCDEF
 Q    HSTUVWXYZ RJKLMNOPQ IABCDEFG
 R    STUVWXYZI JKLMNOPQR ABCDEFGH
 S    KLMNOPQRJ BCDEFGHIA TUVWXYZS
 T    LMNOPQRJK CDEFGHIAB UVWXYZST
 U    MNOPQRJKL DEFGHIABC VWXYZSTU
 V    NOPQRJKLM EFGHIABCD WXYZSTUV
 W    OPQRJKLMN FGHIABCDE XYZSTUVW
 X    PQRJKLMNO GHIABCDEF YZSTUVWX
 Y    QRJKLMNOP HIABCDEFG ZSTUVWXY
 Z    RJKLMNOPQ IABCDEFGH STUVWXYZ
This table is slightly imperfect. For each of the first eighteen letters in the alphabet, when they occur in the plaintext, there is one letter that no key letter will cause to be its ciphertext equivalent, and there is another letter that will be that plaintext letter's ciphertext equivalent for two different key letters. However, although imperfect, it is less so than the Gronsfeld cipher, and so the system might be of some use (although just converting to digits with a straddling checkerboard achieves the same goal, of simplifying applying a key, without any imperfections, and considerably more simply).

It is, however, more important to recognize the names of two other systems. If Vigenère can be thought of as plaintext + key = cipher, Beaufort amounts to key - plaintext = cipher. Since that equation also gives plaintext = key - cipher, Beaufort, like Porta, is reciprocal: the same steps exactly will both encipher and decipher. Variant Beaufort is plaintext - key = cipher, and is the same as deciphering for Vigenère.

Slides and disks are often used for the Vigenère and other polyalphabetic ciphers, particularly mixed-alphabet Vigenère. Helen Fouché Gaines' Elementary Cryptanalysis gives a classification of mixed alphabet slides into four types:
- Type 1: Mixed plaintext alphabet, plain cipher alphabet.
- Type 2: Plain plaintext alphabet, mixed cipher alphabet.
- Type 3: The same mixed alphabet for plain and cipher.
- Type 4: Different mixed plain and cipher alphabets.
I would like to extend this classification slightly to make it comprehensive:
- Type 0: Plain plaintext and cipher alphabet.
- Type 0a: Plain plaintext alphabet, reversed cipher alphabet.
- Type 1: Mixed plaintext alphabet, plain cipher alphabet.
- Type 2: Plain plaintext alphabet, mixed cipher alphabet.
- Type 3: The same mixed alphabet for plain and cipher.
- Type 3a: Mixed plaintext alphabet, the same alphabet in reverse for cipher.
- Type 4: Different mixed plain and cipher alphabets.
A slide of type 0a produces a reciprocal cipher, and can be used for Beaufort. The mechanical equivalent of such a slide is an element of a Hagelin machine. The Type 1 slide is more easily cryptanalyzed than the Type 2 or above slides, since once the different alphabets have been determined by discovering the period of the cipher by the Kasiski method (looking for repeated digrams, trigrams and above, noting the distance between them, and looking for a common factor to most of the distances, giving greater weight to longer repetitions), the frequency counts can be lined up, since they are displaced along the cipher slide, which in this case has the known regular alphabet along it. Even in the mixed-alphabet case, once the period is found, letter frequencies and bigram frequencies can be used to read the message. For a frequent letter, whether only a few letters, or a wide variety of letters, appear before or after that letter helps to identify whether the letter is a vowel or a consonant, or to determine exactly which letter it is. When some alphabets are partly reconstructed, if you know that the alphabets have been produced by a slide, even one with two mixed alphabets, there are certain logical inferences that you may be able to make that will obtain the values of additional letters. This technique is known as symmetry of position.
Let us suppose that we know that the plaintext letters E and N become, in one alphabet, the ciphertext letters P and Q, and in another alphabet the ciphertext letters K and V. Since the distance between the letters E and N on the slide with the scrambled plaintext alphabet does not change, even though it is unknown, we know from this that the letters P and Q are the same distance apart on the ciphertext slide as the letters K and V are. And since one goes from one alphabet generated by a slide to another by moving one of the alphabets a certain distance, one also knows that the two equivalents for E, the letters P and K on the ciphertext slide, are the same distance apart as Q and V. Of course, these two facts are really consequences of one another: since P - Q = K - V, then it must also be true that P - K = Q - V, where P, Q, K, and V are now standing for unknowns in modulo-26 arithmetic. In any event, if we then find that in a third alphabet, the plaintext letters R and T become the ciphertext letters P and K, respectively, and if we are fortunate enough to have an alphabet in which R becomes Q, we can then conclude that T will become V in that alphabet.

Later, when at least two alphabets are almost completely reconstructed, it may be possible to work out what alphabets were present on the slide that generated them. This can help in continuing the solution, or in reading future messages. For example, a slide in two consecutive positions generates these alphabets:

QWERTYUIOPASDFGHJKLZXCVBNM      abcdefghijklmnopqrstuvwxyz
BOX

WITHFVEDZNLQURJGSPACKMY      dkanxlqufrjgymvebwzihcopts

QWERTYUIOPASDFGHJKLZXCVBNM      abcdefghijklmnopqrstuvwxyz
OXWITHFVEDZNLQURJGSPACKMYB      zmclwqurvjgsbyedointfkxahp
On the left is the way the slide looks, and on the right are the alphabets as they appear to the cryptanalyst, who does not yet know what alphabets are on the slides. Consecutive alphabets are shown; the method works for any odd shift between alphabets except 13 (not because it's unlucky, but because it is exactly half of 26, the number of letters in the alphabet); for an even shift, partial information about the slide is obtained: two separate 13-letter pieces.

The slides can be reconstructed because of the information the alphabets above give about them: D and Z are the equivalents for A in the two alphabets. So, the distance between D and Z on the bottom slide must be the amount by which the slide must be moved to get from one alphabet to the other. But that is also true of K and M, the two equivalents for B, and A and C, the two equivalents for C, and so on. So, we start with the letter D. The letter Z is our displacement ahead of it: here, it happens that the displacement is one, so we'll get the exact alphabet on the slide, instead of simply an equivalent alphabet. To move another displacement forward, we find Z as the equivalent for S in the first alphabet, and N as its equivalent in the second. Thus, we reconstruct the alphabets like this:

a  s  d  f  g  h  j  k  l  z  x  c  v
DZ ZN NL LQ QU UR RJ JG GS SP PA AC CK

b  n  m  q  w  e  r  t  y  u  i  o  p
KM MY YB BO OX XW WI IT TH HF FV VE ED

If the shift were three instead of one, then the alphabets would be subjected to decimation, so that instead of DZNLQ... the first few letters after D would be in positions D..Z..N..L..Q..., but the slides would still generate the same cipher alphabets, only after different shifts.

It is particularly because the Kasiski method of attacking the simple keyword form of the Vigenère is so powerful that other methods, such as key progression and the autokey, were originated to avoid it. The Lanaki Classical Cryptography Course, available at The Crypto Drop Box, notes two other methods sometimes tried.
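Before the two other methods just mentioned, the slide reconstruction above in code, as an added example (not the page's own code; PLAIN_SLIDE and CIPHER_SLIDE are the page's slide, the function names are this example's, and the decimation check extends the page's remarks about other shifts):

```python
# Reconstructing the slide from two of the cipher alphabets it generates, as the
# page describes. Added example, not the page's own code; PLAIN_SLIDE and
# CIPHER_SLIDE are the page's, the function names are this example's.
from string import ascii_lowercase as PLAIN

PLAIN_SLIDE = "QWERTYUIOPASDFGHJKLZXCVBNM"
CIPHER_SLIDE = "BOXWITHFVEDZNLQURJGSPACKMY"

def slide_alphabet(plain_slide, cipher_slide, shift):
    """The cipher alphabet (images of a..z) with the cipher strip moved `shift` places."""
    pos = {ch: i for i, ch in enumerate(plain_slide)}
    return ''.join(cipher_slide[(pos[p.upper()] + shift) % 26].lower() for p in PLAIN)

def cycles(step, starts):
    """Follow `step` from each not-yet-visited letter; each closed chain is one piece."""
    seen, pieces = set(), []
    for s in starts:
        if s in seen:
            continue
        piece, x = [], s
        while x not in seen:
            seen.add(x)
            piece.append(x)
            x = step[x]
        pieces.append(''.join(piece))
    return pieces

def reconstruct(alpha1, alpha2):
    """Plaintext-side and cipher-side chains. On the cipher side the letter after
    c is the second-alphabet image of the plaintext letter whose first-alphabet
    image is c (D, then Z, then N ... on the page); the plaintext side runs the
    same idea the other way round (a, then s, then d ...)."""
    inv1 = {c: p for p, c in zip(PLAIN, alpha1)}
    to2 = dict(zip(PLAIN, alpha2))
    plain_step = {p: inv1[to2[p]] for p in PLAIN}
    cipher_step = {c: to2[inv1[c]] for c in alpha1}
    return cycles(plain_step, PLAIN), cycles(cipher_step, alpha1)

def decimation_step(piece, slide):
    """The k for which a full 26-letter `piece` is `slide` read every k-th place,
    or None; k is the shift between the two alphabets used."""
    i = slide.index(piece[0])
    for k in range(1, 26):
        if all(piece[j] == slide[(i + k * j) % 26] for j in range(len(piece))):
            return k
    return None
```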
One is to repeat the letters of one's keyword an increasing number of times, with a period different from the length of the keyword: thus, the keyword SIAMESE might be repeated with the pattern 12345, so that one's key would begin
SIIAAAMMMMEEEEESEESSSIIIIAAAAAMEESSSEEE...

and an idea suggested by W. F. Friedman is then noted, where instead of using a simple sequence like 12345, one uses the lengths of the Morse Code symbols for the letters in a keyword to control the pattern of repetitions. These methods don't make a truly aperiodic cipher the way the autokey does, but like the progressive-key method, they provide a longer period. However, the presence of stretches of plaintext enciphered with the same key letter at least seems like a weakness.

Of course, one could take Friedman's idea, and make it more complicated (and therefore impractical for actual use!) in a number of ways. Let us use a Morse Code keyword of BAKER, which is, in dots and dashes,

-... .- -.- . .-.

and use two other keywords, ORANGE and CHOCOLATE, for Vigenere use. A dot selects a letter from the first keyword, a dash selects a letter from the second keyword. And let both keywords also experience key progression. While this will still lead to a sequence with a finite period, the period will be a long one, and will start like this:

ORANGE  CHOCOLATE  Morse  Key
ORAN    CHOC       -...   CRAN
GE      OL         .-     GL
PSB     ATE        -.-    ATB
O       D          .      O
HFQ     IPD        .-.    HPQ
TCPI    PMBU       -...   PCPI
GR      FE         .-     GE
UDQ     JQE        -.-    JQQ
J       Q          .      J
HSV     NCV        .-.    HCV
ERKI    GFKR       -...   GRKI
TW      FR         .-     TR
FSL     ODW        -.-    ODL
J       H          .      J
UXG     GLS        .-.    ULG
TMKV    GSPE       -...   GMKV
YH      XI         .-     YI
UNL     HMT        -.-    HML
W       H          .      W
ZIV     TQF        .-.    ZQV
alternatively, the ends of each letter in the Morse keyword could control key progression for the first keyword, and the end of each occurrence of the whole keyword could control key progression for the second keyword, like this:

ORANGE  CHOCOLATE  Morse  Key
ORAN    CHOC       -...   CRAN
HF      OL         .-     HL
QTC     ATE        -.-    ATC
Q       C          .      Q
KIS     HOC        .-.    KOS
WFSL    PMBU       -...   PFSL
KU      FD         .-     KD
YHU     IPD        -.-    IPU
O       P          .      O
NXA     MBU        .-.    NBA
KXQO    GEJQ       -...   GXQO
ZC      EQ         .-     ZQ
MZS     NCV        -.-    NCS
R       G          .      R
CFO     EJQ        .-.    CJO
CVTD    FROD       -...   FVTD
HQ      WH         .-     HH
EXV     FKR        -.-    FKV
G       F          .      G
KTG     ROD        .-.    KOG
thus making use of more of the information in the Morse keyword, but, since such things are clearly impractical by hand, we shall instead let such devices as rotor machines and the Hagelin lug and pin machine introduce complicated polyalphabetic ciphers, as it was with such devices that such ciphers finally became usable. Cipher disks are harder to make than slides, but they do look prettier. One type of cipher disk I invented independently looks like this:
This disk was the best of my attempts to devise something which would be easy to use, but involve something more than just sliding one alphabet against another. My intention was to approach the power of a rotor machine. The wheel is built from four components, as illustrated below:
Essentially, the wheel is constructed from four disks, one of which has half of its outer portion removed. On the bottom is a disk with the mixed plaintext alphabet, shown as item 1 in the diagram. Above it is item 2, a disk with the numbers 1 through 13 repeated twice, against a background of one color (shown here as purple).
Then comes item 3, a disk of the same diameter, but with half of its perimeter removed to expose thirteen of the spaces on the disk below. The half remaining has a background of a color contrasting with that disk (shown here as green), and a mixed sequence of the numbers 1 through 13. Finally, there is the smallest disk on the top, item 4, with the mixed cipher alphabet. How the disks are stacked one on top of the other is illustrated by item 5 in the drawing, a view of the four disks one on top of the other, but slightly offset to allow the perspective to be visible.

In use, one looks up a letter in the plaintext alphabet, and proceeds to the number in the next inner band. Then, starting from the same number, against the background of the opposite color, also in that band (but on the other of the two middle disks) one proceeds to the cipher letter on the innermost circle with the cipher alphabet. This is illustrated by item 6 in the picture.

One idea I had for making this type of device useful, by making it easier to move the disks with each letter enciphered, was to add to each disk a rim (presumably with 26 notches or bumps around the outside, not shown for simplicity) so that the four disks could be advanced like thumbwheels. Versions of the disks using latticework to hold the outside rim in place, while allowing all the letters and numbers in lower disks to be visible, are shown as items 7, 8, 9, and 10 in the diagram. Item 11 shows an oblique view of the disks stacked, item 12 a face-on view. One way to make use of this construction would be to have layers of cardboard between the disks, so that each rim is individually exposed for a short distance.
The 26 possible key letters would be allocated so that seven of them are used to indicate that the lowest disk is to turn counterclockwise from 1 to 7 spaces, another 7 turn the smallest disk clockwise 1 to 7 spaces, and 6 indicate the disk shown with a purple rim is to turn counterclockwise from 1 to 6 spaces, and 6 indicate the disk with half its periphery cut away is to turn clockwise from 1 to 6 spaces. For use with text as a key, the letters would be allocated so that the frequent letters represented odd displacements, and were distributed evenly among the four disks.

A version of the same device as a slide instead of a disk would look like this:

F S H G Y M L Q K X O N E R Z A D I V C U T P W J B
1 1 1 1 7 4 1 6 3 5 0 1 9 2 3 2 8
1 1 1 1 3 4 5 6 7 8 9 0 1 2 3 1 2
X V I D U J C G M E Z A F T W O S H K Y P B R N Q L

The Byrne Chaocipher, which was mentioned in David Kahn's The Codebreakers, was subsequently the subject of a Cryptologia article, which indicated that the principle of this wheel may have been used before in that cipher.

Another device I designed myself in trying to produce a convenient cardboard approximation to a rotor machine is the following slide:
The slide has a frame with an approximately rectangular pattern of holes, but with two corners clipped. Behind the frame, there are two slides; one with slots in it that moves vertically, and a solid one that moves horizontally behind it. The letters on the vertical slide are arranged so that as it moves up or down one position, the letters that become concealed are rearranged and fill the spaces on the slide that now become visible, like this:

P E H L V F O I B Q Y X T M J S K G D C A R Z W N U
p V B T H
e F Q M L
h O Y J S
s K G D P
c R W U A
a Z N E
l I X C
The same principle applies to the horizontal slide. However, since space is required for the vertical sliding alphabets, and the spaces between the open rectangles, instead of being filled with merely one set of alphabets, it contains three interlaced alphabets, which independently change in this way.

In the previous section, we saw how a straddling checkerboard like this:

    9 8 2 7 0 1 6 4 3 5
    A T   O N E   S I R
2   B C D F G H J K L M
6   P Q U V W X Y Z . /

could be used to convert letters to digits. Since it takes account of letter frequencies, the conversion is an efficient one. This type of conversion makes the various types of polyalphabetic encipherment more convenient by hand, since the Vigenere encryption is now simply addition (on a digit-by-digit basis, ignoring carries). The table for this operation is, of course:

    0 1 2 3 4 5 6 7 8 9
0   0 1 2 3 4 5 6 7 8 9
1   1 2 3 4 5 6 7 8 9 0
2   2 3 4 5 6 7 8 9 0 1
3   3 4 5 6 7 8 9 0 1 2
4   4 5 6 7 8 9 0 1 2 3
5   5 6 7 8 9 0 1 2 3 4
6   6 7 8 9 0 1 2 3 4 5
7   7 8 9 0 1 2 3 4 5 6
8   8 9 0 1 2 3 4 5 6 7
9   9 0 1 2 3 4 5 6 7 8

and, as this is the table for addition modulo 10, it is not surprising that it resembles the table above for addition modulo 26, or the equivalent Vigenère table. So, using this conversion from letters to numbers to perform the equivalent of the examples above:
Repeating key:

W ISH Y OU W EREH ERE
603421667626015121151
439251414392514143925
032672071918529264076

Progressive key:

W ISH Y OU W EREH ERE
603421667626015121151
439251415403625265147
032672072029630386298

Autokey:

W ISH Y OU W EREH ERE
603421667626015121151
439251416034216676260
032672073650221797311

so the same methods are as applicable to digits as they are to letters. However, the ease of doing addition on digits as opposed to letters also means that the equivalent of the use of mixed alphabets is not found often with digits.

As noted in the previous section, Soviet spies using a straddling checkerboard for converting letters to digits have then often encrypted these digits using a polyalphabetic substitution of the Vigenere type. However, the attempt was made to use a perfect form of Vigenere encryption. (As the declassified information concerning VENONA reveals, the attempt wasn't made quite well enough: supposed "one-time pads" were used at least twice on many separate occasions.) If, ahead of sending a message, you and your correspondent have arranged to share a key consisting of:
- genuinely random digits,
- long enough to be used only once, that is, matching in length all the messages you will be sending
then there is no way to "break" your messages by cryptanalysis. (Of course, the length and timing of messages may still give information away.)

Why is there no way to break messages in such a case? Because, if the key is random, and if it is never used anywhere else but with just one message, so there is no other way to get information about that key, then that key could be anything. So any possible message having the same length as the intercepted message remains possible, because there is no way to exclude the key that would give rise to any hypothetical message. If the key were not random, but generated by some rule, then perhaps the key that would transform some possible plaintexts into the ciphertext actually intercepted could not have been generated by that rule, thereby ruling out those plaintexts. If the key were used another time, then one possible text for the first message could be ruled out because the other message would not make sense. But without either of these opportunities, one speculative plaintext is only as good a guess as any other, and no better.

This survey of cryptographic algorithms has not gone very far, still being in its first chapter, and already we have found perfection. But not only is quite a bit of key required, but more importantly, when that key is used up, no more secure communications are possible using this method. And since the key is bulky, and impossible to memorize, this is only useful where the messages are easy to intercept but the key is safe, for example, in communications, but not in protecting files on your hard disk. Also, it can't complement public-key cryptography, since it doesn't provide a way by which encrypting a small session key by a slow method with some useful special properties (making it possible to start communicating securely without any advance secret exchange of a key) can protect a large message. The one-time pad is perfect, and it is relatively easy to understand why it is impregnable.
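The straddling checkerboard and the three ways of applying a digit key shown above, together with the one-time key just described, as an added Python example (not code from the original page). The table layout, the plaintext WISH YOU WERE HERE and the keyword SIAMESE are the page's; the function names are mine.

```python
# Added example (not from the original page): the straddling checkerboard shown
# above, with the three digit-key methods from the page's examples and the
# one-time key of the last paragraph, all applied by carry-less addition.
import secrets

TOP_DIGITS = "9827016435"
# Row prefix -> the ten cells under the top digits; spaces mark the two gaps
# whose column digits (2 and 6) prefix the second and third rows.
ROWS = {"": "AT ONE SIR", "2": "BCDFGHJKLM", "6": "PQUVWXYZ./"}
PREFIXES = [p for p in ROWS if p]


def build_table():
    table = {}
    for prefix, cells in ROWS.items():
        for digit, ch in zip(TOP_DIGITS, cells):
            if ch != " ":
                table[ch] = prefix + digit
    return table


TABLE = build_table()           # letter -> "3" or "21"
INVERSE = {v: k for k, v in TABLE.items()}


def to_digits(text):
    """Letters (and . /) to digits; anything else, e.g. spaces, is dropped."""
    return "".join(TABLE[c] for c in text.upper() if c in TABLE)


def from_digits(digits):
    """Undo to_digits: a 2 or 6 starts a two-digit group."""
    out, i = [], 0
    while i < len(digits):
        width = 2 if digits[i] in PREFIXES else 1
        out.append(INVERSE[digits[i:i + width]])
        i += width
    return "".join(out)


def add_digits(a, b):
    """Digit-by-digit addition modulo 10: the digit Vigenere table."""
    return "".join(str((int(x) + int(y)) % 10) for x, y in zip(a, b))


def sub_digits(a, b):
    """Decipherment: digit-by-digit subtraction modulo 10."""
    return "".join(str((int(x) - int(y)) % 10) for x, y in zip(a, b))


def repeating_key(keyword, length):
    k = to_digits(keyword)
    return (k * (length // len(k) + 1))[:length]


def progressive_key(keyword, length):
    """Each repetition of the keyword has 1 added to every digit."""
    k, out, step = to_digits(keyword), "", 0
    while len(out) < length:
        out += "".join(str((int(d) + step) % 10) for d in k)
        step += 1
    return out[:length]


def autokey(keyword, plain_digits):
    """The keyword primes the key; the plaintext digits continue it."""
    return (to_digits(keyword) + plain_digits)[:len(plain_digits)]


def one_time_key(length):
    """Genuinely random digits, to be used once: the key of a one-time pad."""
    return "".join(str(secrets.randbelow(10)) for _ in range(length))


PLAINTEXT = "WISH YOU WERE HERE"     # the page's example
KEYWORD = "SIAMESE"
```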
In general, the one-time pad is not suitable for everyday use, since computers make it very easy to carry out conventional encryption with methods of enormous complexity, such enormous complexity that there seems to be no rational reason to doubt their security. But just as there is a tendency in some quarters to advocate the use of methods that aren't quite complex enough (for example, DES with its 56-bit key, or other block ciphers that are only a step or two better), there is a tendency in other quarters to say that the "experts" should not be trusted, and only the one-time system, in one of its various forms, is any good.

Incidentally, for the polyalphabetic encryption of a stream of message digits by a stream of key digits, it is not strictly necessary to use only addition without carries. Just as either addition modulo 10 or addition modulo 26 are equally valid, depending on whether the message is made up of digits or letters, addition modulo 100,000 is also equally valid. That is, five message digits could be added to five key digits to produce five cipher digits using normal addition with the propagation of carries within the five-digit group. The one carry, though, that must be discarded is the one out of the five digits, if it is not propagated to the preceding five-digit group. Sending the sum of 53478 and 88412 as 141890 instead of 41890 is a serious mistake, as it proves that both the plain and key groups at that position must be larger than 41889, as neither of those five-digit groups can be larger than 99999.

One method of polyalphabetic encipherment that suffered from this error is any cipher of the Nihilist type. A five-by-five square like that illustrated below was used to convert both a message and a key (repeatedly used, as in Porta's cipher commonly known as the Vigenère) into a stream of digits:

    1 2 3 4 5
1   P Y O G S
2   Z A H D J
3   R V K X C
4   M F W B E
5   T I N U L
However, when the stream of key digits was added to the stream of cipher digits, instead of using a modified modulo-5 tableau such as:

    1 2 3 4 5
1   2 3 4 5 1
2   3 4 5 1 2
3   4 5 1 2 3
4   5 1 2 3 4
5   1 2 3 4 5

the digits were simply added by normal decimal addition without carries. Hence, while each digit which was added belonged to a family of only five digits, the sum as transmitted could have any of nine values (a sum of 1 could not occur), and only one of those values, the digit 6, did not place some constraint on both the key digit and the message digit, as can be seen from the table of that operation:

    1 2 3 4 5
1   2 3 4 5 6
2   3 4 5 6 7
3   4 5 6 7 8
4   5 6 7 8 9
5   6 7 8 9 0

The actual Nihilist cipher, as described in Gaines, was even worse than this: the letters in the checkerboard square were in their normal order, and the addition was performed with carries, to the extent that messages were sent in two-digit groups, and three-digit sums (such as 45 + 55, or 52 + 51) were sent in three-digit form, preserving the carry out of the group. However, the Russian language, before the Russian Revolution, had a thirty-six letter alphabet, and the use of a full 6 by 6 square would have improved things slightly.

Since the most natural way to apply a stream of key letters to a stream of plaintext letters is the Vigenère, and the most natural way to apply a stream of key digits to a stream of plaintext digits is modulo-10 addition, when applying a stream of key bits to a stream of plaintext bits, the very simple operation of modulo-2 addition, or exclusive-OR (XOR) is often used, with the very short table:
    0 1
0   0 1
1   1 0

The following two tables:

    0 1 2 3 4 5 6 7
0   0 1 2 3 4 5 6 7
1   1 2 3 4 5 6 7 0
2   2 3 4 5 6 7 0 1
3   3 4 5 6 7 0 1 2
4   4 5 6 7 0 1 2 3
5   5 6 7 0 1 2 3 4
6   6 7 0 1 2 3 4 5
7   7 0 1 2 3 4 5 6

    0 1 2 3 4 5 6 7
0   0 1 2 3 4 5 6 7
1   1 0 3 2 5 4 7 6
2   2 3 0 1 6 7 4 5
3   3 2 1 0 7 6 5 4
4   4 5 6 7 0 1 2 3
5   5 4 7 6 1 0 3 2
6   6 7 4 5 2 3 0 1
7   7 6 5 4 3 2 1 0

the first for modulo-8 addition, and the second for an independent exclusive-OR of each of the three bits of an octal digit, show how these two operations differ in their algebraic structure; thus, some modern computer ciphers alternate between XOR and addition modulo 256 or modulo 65,536 within a complicated sequence of operations to make the cryptanalyst's path a more tangled one.

The following two tables:

    0 1 2 3 4 5 6 7
0   0 1 2 3 4 5 6 7
1   1 2 3 0 5 6 7 4
2   2 3 0 1 6 7 4 5
3   3 0 1 2 7 4 5 6
4   4 5 6 7 0 1 2 3
5   5 6 7 4 1 2 3 0
6   6 7 4 5 2 3 0 1
7   7 4 5 6 3 0 1 2

    0 1 2 3 4 5 6 7
0   0 1 2 3 4 5 6 7
1   1 2 0 4 5 6 7 3
2   2 0 1 5 6 7 3 4
3   3 4 5 6 7 0 1 2
4   4 5 6 7 1 3 2 0
5   5 6 7 2 3 4 0 1
6   6 7 3 0 2 1 4 5
7   7 3 4 1 0 2 5 6

illustrate two ways of obtaining tables that are different algebraically from either of the previous two. The first is a table of the operation of adding the last two bits of a three-bit octal digit with modulo-4 addition, and XORing the first bit independently. The second results from deliberately constructing a table which must be algebraically distinct from anything like this, by beginning with a subtable for modulo-3 addition, which could not occur in a table built from exclusive-OR and addition modulo a power of two, and then using displacements of the other five digits in the shadow of that subtable. Finally, the remaining five by five square is filled; at first, some diagonals are filled systematically, and then the rest is filled through trial and error, with some backtracking.
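The four 8x8 tables above as an added Python example (not code from the original page): the first three are generated from their rules, the fourth is copied from the page, and a few checks show in what sense their algebraic structures differ; the first three are the three abelian groups of order 8, while the fourth is a Latin square that is neither commutative nor associative.

```python
# Added example (not from the original page): the four 8x8 tables above as code,
# with the checks that tell their algebraic structures apart.
from itertools import product


def mod8(a, b):
    """First table: addition modulo 8."""
    return (a + b) % 8


def xor3(a, b):
    """Second table: exclusive-OR of each of the three bits independently."""
    return a ^ b


def mixed(a, b):
    """Third table: XOR the top bit, add the low two bits modulo 4."""
    return ((a ^ b) & 4) | ((a + b) & 3)


# Fourth table, copied from the page: built around a modulo-3 sub-table in the
# top-left corner, then completed by hand into a Latin square.
CONSTRUCTED = [
    [0, 1, 2, 3, 4, 5, 6, 7],
    [1, 2, 0, 4, 5, 6, 7, 3],
    [2, 0, 1, 5, 6, 7, 3, 4],
    [3, 4, 5, 6, 7, 0, 1, 2],
    [4, 5, 6, 7, 1, 3, 2, 0],
    [5, 6, 7, 2, 3, 4, 0, 1],
    [6, 7, 3, 0, 2, 1, 4, 5],
    [7, 3, 4, 1, 0, 2, 5, 6],
]


def table(op):
    return [[op(a, b) for b in range(8)] for a in range(8)]


def is_latin_square(t):
    """Every row and every column is a permutation: each key digit still maps
    a plaintext digit to exactly one cipher digit, and back."""
    full = list(range(len(t)))
    return (all(sorted(row) == full for row in t)
            and all(sorted(col) == full for col in zip(*t)))


def is_commutative(t):
    return all(t[a][b] == t[b][a] for a, b in product(range(8), repeat=2))


def is_associative(t):
    """Holds for any group table, so failing it rules out XOR/addition origins."""
    return all(t[t[a][b]][c] == t[a][t[b][c]]
               for a, b, c in product(range(8), repeat=3))


def self_inverse_count(t):
    """Number of x with x*x = 0: an isomorphism invariant, 2, 8 and 4 for the
    three group tables, so no relabelling turns one of them into another."""
    return sum(1 for x in range(8) if t[x][x] == 0)


TABLES = {"mod 8": table(mod8), "xor": table(xor3),
          "xor/mod 4": table(mixed), "constructed": CONSTRUCTED}
```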
Code Books
Before it became possible to build complex electrical and mechanical cipher machines, cipher systems requiring many complex manipulations would have been impractical and error-prone. A code book, with its long list of equivalents for thousands of words and phrases, as opposed to the 26 letters of the alphabet, offers a degree of security without requiring a large number of operations for each word encoded.

Codes have also been used for sending messages by telegraph at lower prices, by representing common phrases used in business with single codegroups. Such codebooks are arranged so that both the codegroups and their meanings are in easy-to-find alphabetical order. A codebook arranged this way is called a one-part code. Most (but not all) secret codebooks are called two-part codes; the codegroups are assigned in a random order to the words encoded, and there is both an encoding section, with the words in alphabetical order, and a decoding section, with the codegroups in alphabetical (or numerical) order.

Thus, the decoding section of a codebook might look like this imaginary example that I also used as the background to this page:

EZNLJ  Shanghai
EZNKL  OUGH
EZNLM  270 degrees
EZNMN  Ship may not be
EZNNO  Docking facilities
EZNOP  Diesel fuel
EZNRS  France
EZNST  Repairseding
EZNTU  Ship has
EZNUV  Cancun
EZNVW  43 degrees
EZNYZ  500
EZNZA  23 knots
EZOAA  Maintenance urgently required
EZOBB  Perth
EZOCC  15 metres
EZODD  Captain will be
EZOEE  23 3/4

The rationale behind the sequence of 5-letter groups shown is explained in the section on Error-Correcting Codes.

Some codebooks assign both numeric codegroups and alphabetic codegroups to words; the alphabetic codegroups are easier to actually transmit by Morse code, but the numerical codegroups are easier to manipulate. For secret codes, the manipulation might consist of superencipherment, the encipherment of a message that is already in code. But many non-secret cable codes also provided numeric codegroups. This allowed people in a specialized business to, by agreement, use the codegroups in one section of a large codebook, which contained words and phrases they did not use, to instead represent the words and phrases of another, shorter codebook or in a section of another codebook. All that was needed was to add or subtract an offset from the codegroups in the other codebook to fit them into the unused space.

To increase security, secret codebooks often included nulls, that is, codegroups which were to be ignored upon decipherment. Also, many codebooks included more than one substitute for the most common words or phrases.

David Kahn's book The Codebreakers is illustrated with actual pages from once-secret codebooks, such as the British and Allied Merchant Ship code, and the Hudson code of the American Expeditionary Force. Another codebook illustrated was Cypher SA, the codebook of the British Navy in the last months of World War I. Another illustration of a different part of this codebook also appeared in David Kahn's article in the July 1966 issue of Scientific American. This codebook was perhaps unique, in that it used a stripped-down form of the autokey principle. It used a considerable number of nulls, and every message had to start with a null, because many of the most common words and phrases in the code could not begin a message. Each five-digit codegroup in the code was followed by one of the three letters A, B, or C.
Many of the more common words and phrases had three different substitutes, preceded by A, B, and C in order, and the one to be used was determined by which letter had followed the previous codegroup. Naturally, only the numbers were transmitted in the enciphered message.
Some of the most common words and phrases were also homophones in the ordinary sense; instead of merely having one set of three substitutes, they might have had three sets of substitutes, so that for each letter ending the previous word, there would still be three arbitrary choices for the codegroup to use. Since what we have is essentially three different codes, A, B, and C, although these codes are the same in part, determined for each group by the codegroup enciphered before, Cypher SA is properly classed as a form of autokey.

With many codes, a form of polyalphabetic substitution is used. In addition to the two-part codebook, with numerical equivalents for the words or phrases to be sent, a second book, filled with random numbers, is required. This second book's contents are called the additive. A random starting point in the book is chosen for each message, and that starting point is sent at the beginning of the message. Then, the numbers in the book are added to the codegroups from the codebook before transmission. Always, carries past the start of a codegroup are discarded; almost always, all carries are ignored, the individual digits being added in isolation. This is the decimal equivalent of doing an XOR instead of addition.

Sometimes other methods of encrypting an already coded message, called superencryption, are used. For example, a short table giving substitutes for pairs of digits can be used, either on the codegroups, or just on the group which gives the starting point of the additive.

When a long running key is used for Vigenere encryption, but that key is reused, Kerckhoffs superimposition can be used to align different messages encrypted with the same key. The messages are slid against each other, and positions that provide a high number of coincidences, particularly those involving groups of consecutive characters, are chosen.
For breaking codes used with additives, Kerckhoffs superimposition is usually used in a more sensitive form, as improved by W. F. Friedman. The kappa test compares the proportion of coincidences that would be found, in the Vigenere case, between two sequences of random letters, which would be exactly 1/26, and between two normal plain-language texts. That is higher, because the letters are not all equal in frequency. That figure equals the sum of the squares of the probabilities of all the plaintext symbols; the chance of an A in the first message times the chance of an A in the second message, plus the chance of a B in the first message times the chance of a B in the second, and so on. The same applies to two strings of random groups of five digits, which would have one group in 100,000 matching by chance, and two coded messages without an additive applied. If two messages are aligned so that their additives coincide, as far as coincidences between them at that position are concerned, it is as if no additive was applied.
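The kappa test and the superimposition described above, as an added Python example (not code from the original page), run on two constructed messages enciphered with the same running key, the second message starting 17 places further along it. Letters are used here; the same functions serve for five-digit codegroups, since only the symbol counts matter. The plaintexts borrow phrases from the imaginary codebook above, and a seeded generator stands in for the random key.

```python
# Added example (not from the original page): the kappa test and Kerckhoffs
# superimposition on two constructed messages enciphered with the same running
# key, the second starting 17 places further along the key.  Plaintexts reuse
# phrases from the imaginary codebook above; the key comes from a seeded PRNG
# standing in for a random additive.
import random
from collections import Counter

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
SHARED = "MAINTENANCEURGENTLYREQUIREDDOCKINGFACILITIES"
P1 = "CAPTAINWILLBEATPERTHINFIFTEENDAYSTIME" + SHARED + "SENDESCORTDETAILS"
P2 = "SHIPHASDIESELFUELFOR" + SHARED + "ATSHANGHAIDOCKS"
KEY_START_2 = 17                 # where in the key the second message begins

_rng = random.Random(2024)
KEY = "".join(_rng.choice(ALPHABET) for _ in range(len(P1) + len(P2)))


def vigenere(plain, key):
    return "".join(ALPHABET[(ALPHABET.index(p) + ALPHABET.index(k)) % 26]
                   for p, k in zip(plain, key))


def expected_kappa(counts):
    """Sum of squared symbol probabilities: 1/26 for flat letter frequencies,
    higher for any skewed distribution."""
    total = sum(counts.values())
    return sum((n / total) ** 2 for n in counts.values())


def coincidences(a, b, offset):
    """Count equal symbols when b[j] is laid against a[j + offset]."""
    return sum(1 for j, ch in enumerate(b)
               if 0 <= j + offset < len(a) and a[j + offset] == ch)


def superimpose(a, b, min_overlap=40):
    """Slide b along a and report (offset, coincidences, overlap) for every
    alignment that overlaps at least min_overlap symbols."""
    results = []
    for offset in range(-(len(b) - min_overlap), len(a) - min_overlap + 1):
        overlap = min(len(a), len(b) + offset) - max(0, offset)
        results.append((offset, coincidences(a, b, offset), overlap))
    return results


def best_offset(a, b, min_overlap=40):
    """The alignment with the most coincidences: where the key is in step."""
    return max(superimpose(a, b, min_overlap), key=lambda r: r[1])[0]


# Same key, but message 2 begins 17 places along it.
C1 = vigenere(P1, KEY)
C2 = vigenere(P2, KEY[KEY_START_2:])
```

At the correct alignment the key cancels, so the coincidence count between the two ciphertexts equals that between the plaintexts, as the last paragraph states.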
The following illustrates why the random kappa is always smaller than the plaintext kappa: [figure]
The square of a number gains size from both of its factors, so taking size from a smaller number squared and giving it to a larger one causes that size to be placed more advantageously; therefore making all the numbers equal minimizes the sum of the squares.
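The same argument in symbols, as an added derivation that is not on the original page: let $p_i$ be the probability of the $i$-th of $n$ symbols ($n = 26$ for letters), so that $\sum_i p_i = 1$. Then

$$\sum_{i=1}^{n}\Bigl(p_i - \frac{1}{n}\Bigr)^2 = \sum_{i=1}^{n} p_i^2 - \frac{2}{n}\sum_{i=1}^{n} p_i + n\cdot\frac{1}{n^2} = \sum_{i=1}^{n} p_i^2 - \frac{1}{n},$$

so that

$$\kappa_{\text{plain}} = \sum_{i=1}^{n} p_i^2 = \frac{1}{n} + \sum_{i=1}^{n}\Bigl(p_i - \frac{1}{n}\Bigr)^2 \;\ge\; \frac{1}{n} = \kappa_{\text{random}},$$

with equality only when every $p_i$ equals $1/n$: any unevenness in the frequencies adds a positive square to the sum.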
Fun With Playing Cards
To accompany the recent novel Cryptonomicon, Bruce Schneier, author of Applied Cryptography, developed a cipher using the 52 playing cards and two jokers called Solitaire, which is described on the Counterpane web site. This has been an inspiration to both myself and others; for example, Paul Crowley has developed another cipher using playing cards called Mirdek.
My Playing Card Cipher
I, too, have now succumbed to the temptation to construct an alternative to Solitaire. The basic cycle that takes a deck that has already been scrambled to produce a keystream operates as follows:

Step 1: From the prepared deck (the order of the cards in it is the key), turn up, and deal out face up in a row, successive cards until the total of the cards (A=1, J=11, Q=12, K=13) is 8 or more.

Step 2: If the last card dealt out in Step 1 is a J, Q, or K, take its value, otherwise take the total of the values of the cards dealt out in Step 1. (This gives a number from 8 to 17.) In the next row, deal out that many cards from the top of the deck.

Step 3: Deal out the rest of the deck under that row, in successive rows that begin on the left, and end under the lowest card in the top row, the next lowest card in the top row, and so on, in rotation. A red card is lower than a black card of the same denomination, and when there are two cards of the same color and denomination, the first one in the row is considered lower.

These first three steps may lead to a layout which looks like this:

7S  3D
5H  10C QS  2H  9H  8C  QH  6S  AC  9D
3S  6H  2C  3C  6D  5D  KD  7H  2D
KS  QD  4S  8S
JS
JD  10H QC  8H  JH  JC  2S  4C
9C  8D  3H  KC  7D  6C
AH  4H  5C  10D 10S
AD  5S  AS  7C  9S  KH  4D
Step 4: Take the cards dealt out in Step 3, and pick them up by columns, starting with those under the lowest card in the row dealt out in Step 2. The top card in the column is to be on the bottom of a pile of face-up cards, and the first column picked up is to be on the bottom of the reassembled deck.

Step 5: Place the cards dealt out in Step 2 (the last one on the bottom) in face-up form on top of the reassembled deck, and then the cards dealt out in Step 1, again, the last one on the bottom of a face-up pile put on top of the reassembled deck.

Step 6: Turn the deck of cards over to face-down position to repeat Step 1.

Thus, these steps would cause the following new order of the deck to result from the layout above:

KS JH 5D KD 10D 5S QC 10H JC 7C 7H 10S 4H 3H JD JS 5H 10C AS 9C 4D 6C 8S 4S QS 8D 7D QD 2H KH KC 2D 9H AC 2S 3C 8C 9D 4C 6S 5C 3S 9S 3D AD 6H AH QH 6D 2C 8H 7S
And the cards that were at the beginning of the deck, and thus controlled the transposition, are now at the end of the deck, and will be subject to the next transposition instead of controlling it.

After doing this three times, obtain a keystream digit as follows: Looking at the cards from the top of the deck, ignore all J, Q, and K cards; take the first other card, from A to 10, and count down that many cards to find a card from A to 10. Do the same from the bottom of the deck. The last digit of the sum of the values of those two cards is the keystream digit.

Applying this to the scrambled deck obtained above (which is cheating a bit, since in practice the transposition has to be done three times), it works this way:

KS JH JC 7C (7) 7H 10S 4H 3H JD JS 5H 10C 1 2 AS 9C 4D 6C 8S 4S 6 5 QS 8D 7D QD 2H 3 KH KC 2D 4 9H 4 AC 2S 3C 3 8C 5 9D 4C 6S 2 5C 6 3S 9S 3D 1 AD 7* 6H AH QH 6D 2C 8H 7S (7)
5D KD 10D 5S QC 10H 7*
the two selected cards are the ace of diamonds and the ten of hearts, so the keystream digit is a 1.

This way, people don't have to memorize a bridge ordering of the suits, and they use a straddling checkerboard to allow false addition to apply the key, instead of trying to do Vigenere or modulo-26 arithmetic in their heads. By limiting the mental arithmetic required, I'm trying to make my method simpler. However, the way in which the cards are rearranged is more complex; the cards are dealt out in a layout, not merely manipulated in a straight line, and thus the result looks somewhat more like a game of solitaire.

In the novel, the cipher Solitaire was based on a computer stream cipher; my method for using playing cards is instead based on an old pencil-and-paper cipher. The method of transposition used is the one given by General Luigi Sacco, that breaks up a block into uneven units, and which perhaps has some advantages over ordinary columnar transposition. Of course, some of the rules used mean that there are biases in the transposition; if every card had a distinct value, the order of the columns would be slightly more random, and the rule intended to limit the row size to 17 instead of 21 makes 11, 12, and 13 more likely row lengths.

Note that Step 4 is set up to make the scrambling invertible, so I did accept some good advice from Bruce Schneier's Solitaire. The well-known reason for this is noted elsewhere on this site: a non-invertible transformation risks shrinking the state space of the thing transformed. That is: the fact that the transformation is invertible is no guarantee of a long or maximal period. But if every possible ordering of the deck is possible at the start, then every possible ordering of the deck remains possible after 20, 30, or 2000 iterations of an invertible transformation. If two orderings of the deck both transformed to the same ordering of the deck, then the transformation would not be invertible.
On the other hand, with a non-invertible transformation, the number of possible orderings can continue to shrink as the transformation is repeated.
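Steps 1 to 6 and the keystream rule as an added Python example (not the page's or Schneier's code), under my reading of the wording: in Step 4 the first card dealt in a column, and the first column gathered, end nearest the top of the face-down deck, and the count for the keystream digit skips court cards. The starting deck is the layout above read row by row, so Steps 1 to 3 can be checked against it.

```python
# Added example (not from the original page): one cycle of the playing-card
# transposition (Steps 1-6) and the keystream-digit rule, under my reading of
# the page's wording.  Cards are strings such as "7S", "10C", "QH".

RANKS = ["A"] + [str(n) for n in range(2, 11)] + ["J", "Q", "K"]

# The page's worked layout, read row by row, gives the starting deck order.
PAGE_DECK = ("7S 3D "
             "5H 10C QS 2H 9H 8C QH 6S AC 9D "
             "3S 6H 2C 3C 6D 5D KD 7H 2D "
             "KS QD 4S 8S "
             "JS "
             "JD 10H QC 8H JH JC 2S 4C "
             "9C 8D 3H KC 7D 6C "
             "AH 4H 5C 10D 10S "
             "AD 5S AS 7C 9S KH 4D").split()


def value(card):
    """A=1 ... 10=10, J=11, Q=12, K=13."""
    return RANKS.index(card[:-1]) + 1


def is_red(card):
    return card[-1] in "HD"


def step1(deck):
    """Deal cards until their values total 8 or more."""
    row, total = [], 0
    while total < 8:
        row.append(deck[len(row)])
        total += value(row[-1])
    return row


def row_length(first_row):
    """Step 2: a court card's own value, otherwise the total of Step 1 (8..17)."""
    last = value(first_row[-1])
    return last if last > 10 else sum(value(c) for c in first_row)


def column_order(row):
    """Step 3 ranking, lowest first: value, then red before black, then the
    earlier card in the row."""
    return sorted(range(len(row)),
                  key=lambda i: (value(row[i]), not is_red(row[i]), i))


def deal_rows(cards, order):
    """Step 3: rows start at the left and end under the lowest, next lowest,
    ... column in rotation until the cards run out."""
    rows, pos, k = [], 0, 0
    while pos < len(cards):
        width = order[k % len(order)] + 1
        rows.append(cards[pos:pos + width])
        pos, k = pos + width, k + 1
    return rows


def pick_up(rows, order):
    """Step 4: gather the columns in rank order, each from its top card down;
    the first column gathered ends nearest the top of the face-down deck."""
    return [row[col] for col in order for row in rows if col < len(row)]


def cycle(deck):
    """Steps 1-6 once.  The cards that controlled the transposition end up at
    the bottom, each group reversed, so the next cycle transposes them."""
    top = step1(deck)
    second = deck[len(top):len(top) + row_length(top)]
    rest = deck[len(top) + len(second):]
    order = column_order(second)
    return pick_up(deal_rows(rest, order), order) + second[::-1] + top[::-1]


def keystream_digit(deck):
    """From each end, skip court cards, take the first A..10 card and count that
    many further A..10 cards inward; the last digit of the two values' sum."""
    def pick(seq):
        spots = [c for c in seq if value(c) <= 10]
        return value(spots[value(spots[0])])
    return (pick(deck) + pick(deck[::-1])) % 10


def scramble(deck, rounds=3):
    """The page calls for three transpositions before each keystream digit."""
    for _ in range(rounds):
        deck = cycle(deck)
    return deck
```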
The Keying Procedure
Starting with a deck in a fixed order, say AS 2S ... KS AH 2H ... KH AD 2D ... KD AC 2C ... KC, the procedure to obtain a scrambled deck order from a keyphrase is as follows: Divide the keyphrase into parts that are eight or more letters in length as follows: first, use all the words that are eight or more letters long in the phrase, then, go through the phrase, and, using only the shorter words, take as many words as needed at a time to reach eight or more letters. When the last part is formed, and there are less than eight unused letters in the key phrase, include them in the last part.

Then, take these parts of the keyphrase, and use them in pairs. First, for each part, imagine the word as standing above the columns of cards, and then perform Step 3 and Step 4 of the normal cycle, but on the entire deck.

Example:

Phrase: THE QUICK BROWN FOX JUMPED OVER THE LAZY DOG

This phrase has the parts: THEQUICK BROWNFOX JUMPEDOVER THELAZYDOG

So, the first two parts lead to the deck being scrambled as follows: First, the deck is laid out like this:

T   H   E   Q   U   I   C   K
7   4   2   6   8   3   1   5
AS  2S  3S  4S  5S  6S  7S
8S  9S  10S
JS  QS  KS  AH  2H  3H
4H  5H
6H  7H  8H  9H  10H JH  QH  KH
AD  2D  3D  4D
5D
6D  7D  8D  9D  10D
JD  QD  KD  AC  2C  3C  4C
5C  6C  7C
8C  9C  10C JC  QC  KC
Since the first card of a column is placed on the bottom when the cards are face up, and the first column picked up is at the bottom of the cards when they are face up, they will be on the top when the deck is in normal face-down order, and so this step leads to the cards being in the order:

7S  QH  4C  3S  10S KS  8H  3D  8D  KD  7C  10C 6S
3H  JH  3C  KC  2S  9S  QS  5H  7H  2D  7D  QD  6C
9C  KH  4S  AH  9H  4D  9D  AC  JC  AS  8S  JS  4H
6H  AD  5D  6D  JD  5C  8C  5S  2H  10H 10D 2C  QC
Now, the deck is laid out like this for the second part:

B   R   O   W   N   F   O   X
1   6   4   7   3   2   5   8
7S
QH  4C  3S  10S KS  8H
3D  8D  KD  7C  10C
6S  3H  JH
3C  KC  2S  9S  QS  5H  7H
2D  7D
QD  6C  9C  KH
4S  AH  9H  4D  9D  AC  JC  AS
8S
JS  4H  6H  AD  5D  6D
JD  5C  8C  5S  2H
10H 10D 2C
QC

which, when picked up, places the deck in this order:

7S  QH  3D  6S  3C  2D  QD  4S  8S  JS  JD  10H QC
8H  5H  AC  6D  KS  10C QS  9D  5D  2H  3S  KD  JH
2S  9C  9H  6H  8C  2C  7H  JC  4C  8D  3H  KC  7D
6C  AH  4H  5C  10D 10S 7C  9S  KH  4D  AD  5S  AS
Then, each of the two parts is used to scramble half of the deck again; the transpositions above depended on the order of letters in each part, but this step will instead depend on which letters are present. Go through the alphabet, from A through Z, as you take cards from the top of the deck. When you reach a letter that is part of the current part of the keyphrase, that card completes the current pile you are making. The next card starts a new pile. Z always completes the last pile, even if it is not present. Then put the piles back together, but in the reverse order in which they were obtained.

Thus, the first part, THEQUICK, divides the first half of the deck like this:

A 7S   B QH   C 3D   D 6S   E 3C   F 2D   G QD   H 4S   I 8S   J JS   K KD   L 10H  M QC
N 8H   O 5H   P AC   Q 6D   R KS   S 10C  T QS   U 9D   V 5D   W 2H   X 3S   Y KD   Z JH

causing that half of the deck to be placed in the order:

5D  2H  3S  KD  JH  9D  KS  10C QS  10H QC  8H  5H
AC  6D  JS  KD  8S  2D  QD  4S  6S  3C  7S  QH  3D
Then, the second half, BROWNFOX, is applied to the second half of the deck. When there is an odd part of the key phrase, then the deck is transposed with that part, and only its first half is mixed again. Once the entire key phrase is applied to the deck of cards, the deck is then subjected to a non-invertible triple cut, as follows: From each end of the deck, a card with a value from A to 10 is located, by the procedure used to find the keystream numbers in normal encipherment. Then, starting from the top of the deck when it is face down, which we will assume is placed on the left, additional cards are counted from that card according to its value: one more card if it is an ace, two more if it is a deuce, and so on, but this time, face cards are not ignored. This part of the deck is then placed on the right-hand side. The procedure is repeated from the other keystream card, again counting inwards. If cards are left, these stay in the middle, and those from the bottom of the deck to the end of the count are placed on the left-hand side. Using the previous example of obtaining a keystream digit to illustrate how this works:

KS JH JC AH 5H 10C QS 2H 9H 8C//KC AD 6D
5D 7D
KD 5S
(1) 7H 6C 3H 10D JD JS
1* AS 4D 8S 6
QC 10H 1 7*
1 2 3 9C 8D 5C 9S 10S//2S 7 4S QD 2D 5 4
4 AC 4C 6 3C 3
5 9D 4H 5 6S 2
3S KH 4 3D 1
6H 7C 3 QH
2C 8H 2 7S (7)
the pairs of slashes indicate the points at which the deck will be cut, ending up in the order 2S...7S, KC...10S, KS...8C from the order above. Finally, the cards are laid out according to the word spacing of the keyphrase: T 2S Q KH B JD F 2D J 3D O 5D T AS L 5C D 6H T 5S Q 4D B JC F 2H H E 4C 4H U I C K 7C 8H QC 10H R O W N JS 8S 4S QD O X 3C 6S U M P E QH 7S KC AD V E R KD 7H 6C H E 9C 8D A Z Y AC 9D 3S O G 2C 7D H E 3H 10D U I C K 9S 10S KS JH R O W N AH 5H 10C QS O X 9H 8C
D 6D
repeated until the deck is all laid out, and then they are picked up in face up form with the last column, and its top card, on the bottom. In the example, that leads to the cards ending up in this order when turned face down:
6D 10H 4H 8H 4C 7C 2S KH
QD 8S JS JD
AD 6S 3C 2D
JH 7S QH 3D
QS 7H KD 5D
QC 8D 9C AS
4S 9D AC 5C
KC 6C 3S 7D 10D 10S 2C 3H 9S 6H 5S 4D
KS 10C 5H 8C AH 9H JC 2H
Conclusions for Chapter 1
This first chapter has touched on the major basic elements that apply to any form of encryption. Its treatment of them has been brief, almost to the point of being perfunctory. Encyclopedia articles and inexpensive books cover this territory fairly well. The more recent methods of encryption are covered in more specialized publications; that, and a fascination with their intricacies, has led me to cover them in more detail. Because most methods of substitution require some sort of chart or table (the Gronsfeld was specifically designed to avoid this problem), or a slide or disk for polyalphabetics, transposition ciphers were quite popular with armies as field ciphers. Although it is easy to create a cipher that is very difficult to solve by a sufficiently complicated combination of transposition and substitution, some simple ciphers combining both are breakable. During World War I, for a short time Germany used Vigenere encipherment with key ABC (and, later, with key ABCD, but only for deceptive transmissions and not important messages) followed by a simple columnar transposition. For puzzle-solving purposes, the "Nicodemus" cipher breaks a message into complete rectangular blocks, which are transposed by exactly the same keyword as was previously used to encipher them in Vigenere. Thus, the enciphered message consists of groups of plaintext letters encrypted in Vigenere with the same key, which can, of course, be exploited by the cryptanalyst. Claude Shannon, the father of information theory, who also contributed to the theory of chess-playing computers, wrote a paper in The Bell System Technical Journal, the title of which was The Communications Theory of Secrecy Systems, in which he noted that the two basic elements of a cipher system are confusion and diffusion. This has influenced the design of some cipher systems. A preliminary sketch of the design of IBM's LUCIFER block cipher, appearing in Scientific American, embodied these elements in almost a pure form.
(The actual LUCIFER cipher as implemented was quite different, although it also embodied those elements, but in a less straightforward way.)
Generally, confusion is understood as substitution, and diffusion is understood as transposition. These terms are, however, general and inclusive. Based on the specific methods of attaining security found in the actual pencil-and-paper systems we've met so far, I feel it is warranted to take the dangerous step of moving to a more specific and concrete division of the operations within a cipher system. The danger is that it could limit the imagination of cipher designers by being more concrete. But since the terms 'confusion' and 'diffusion' are tending to be identified with the simplest forms of substitution and transposition, it seems to me that more detail might instead stimulate cipher designers to consider more options. Thus, I propose the following set of basic elements in a cryptographic system:

Confusion: replacing symbols by other symbols.

Diffusion: moving plaintext symbols to other positions within the ciphertext.

Convolution: the achievement of diffusion by means of confusion; the effect of performing diffusion on a finer scale than confusion. This refers to what happens in polygraphic and fractionation systems.

Alternation: changing, from one portion of the ciphertext to the next, the rules for confusion and/or diffusion.

Indirection: placing elements in a cipher 'behind' other elements so that their effects are harder to analyze.

With this division, more of the methods actually used suggest themselves. Also, a measure of quality can perhaps be noted. For confusion and diffusion, bigger seems to be better. For alternation, the complexity of the scheme of alternation, its unpredictability, is the measure of quality. Associated with these goals are specific means, such as substitution for confusion. If we view a message as an array of symbols, where P(n) is the nth element of the plaintext message P, and C is the ciphertext message, one can illustrate the various techniques by formulas.
Substitution (Confusion): Transforming a message by replacing the values of its elements according to some rule; for example, C(i)=S(P(i)) over all i in the message, where S is a substitution table indexed over the elements of the alphabet used.

Transposition (Diffusion): Transforming a message by placing its elements in different locations within the message; for example, C(T(i))=P(i) over all i in the message, where T is a transposition table indexed over all the character positions in the message.

Fractionation (Convolution): Transforming a message from being expressed in a number of symbols of one alphabet to a different number of symbols in an alphabet of a different size, combined with transpositions and substitutions on those alphabets. Such a transformation might have a form such as C(i/2) = S(P(i)*N+P(i-1)), where i starts as 2 and goes over all the even-numbered characters of the original message, and N is the number of characters in the original alphabet. Its inverse would be P(2i) = SL(C(i)) and P(2i-1) = SR(C(i)), where SL and SR are substitutions such that mapping the characters c of the original alphabet to pairs ( SL(c), SR(c) ) is bijective; that is, different inputs become different outputs in both directions. This is most useful when substitutions are applied to the message with the larger alphabet size and fewer characters, and transpositions are applied to the message with the smaller alphabet size and more characters.

Polyalphabeticity (Variation): Applying a different substitution rule to different characters of the message. Thus, C(i)=S(P(i),i), where the output of the substitution is a function of the character's position in the message as well as the particular character.

Autokey (also Variation): Causing the rule of encipherment for a part of a message to depend on another part of the same message. C(i)=S(P(i)+P(i-1)) is a classic form of autokey, which requires adding a dummy P(0) character to the start of the message.
This results in encipherment differing from one message to another. Indirection involves preparing things like substitution tables in ways that are ciphers in their own right; hence, it isn't found very much in simple paper-and-pencil ciphers, where the amount of work to be done must be kept limited. The methods used for forming substitution alphabets from a keyword by means of a transposition block, such as the Ohaver method, noted previously, involve indirection in a sense, but only once during a message. So there is no basic pencil-and-paper technique which is an effective example of indirection. However, later on we will see the rotor machine SIGABA, which may be considered the classic illustration of indirection.
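As an added worked example (not code from the Compendium), here are the formulas above implemented over a 26-letter alphabet, each with its inverse; the tables S and T and the polyalphabetic period are constructed with a seeded shuffle and merely stand in for keyed tables:

```python
import random
import string

ALPHA = string.ascii_uppercase
N = len(ALPHA)   # N in the text: the number of characters in the original alphabet


def substitute(P, S):
    """Substitution: C(i) = S(P(i)), S a 26-letter table indexed by the alphabet."""
    return "".join(S[ALPHA.index(p)] for p in P)


def unsubstitute(C, S):
    return "".join(ALPHA[S.index(c)] for c in C)


def transpose(P, T):
    """Transposition: C(T(i)) = P(i), T a permutation of the positions 0..len(P)-1."""
    C = [None] * len(P)
    for i, p in enumerate(P):
        C[T[i]] = p
    return "".join(C)


def untranspose(C, T):
    return "".join(C[T[i]] for i in range(len(C)))


def fractionate(P, S):
    """Fractionation: C(i/2) = S(P(i)*N + P(i-1)) for even i (1-based, as in the
    text). Each letter pair becomes one symbol of a 676-symbol alphabet, to which
    the substitution S (a permutation of 0..675) is then applied."""
    assert len(P) % 2 == 0, "pairs need an even number of letters"
    C = []
    for i in range(1, len(P), 2):          # P[i] is the text's P(i), P[i-1] its P(i-1)
        C.append(S[ALPHA.index(P[i]) * N + ALPHA.index(P[i - 1])])
    return C


def defractionate(C, S):
    """Inverse: P(2i) = SL(C(i)) and P(2i-1) = SR(C(i)); the pair (SL, SR) is the
    inverse of S split back into its two letters, which is bijective."""
    inverse = {v: k for k, v in enumerate(S)}
    P = []
    for c in C:
        SL, SR = divmod(inverse[c], N)     # SL(c) is the later letter, SR(c) the earlier
        P.append(ALPHA[SR])
        P.append(ALPHA[SL])
    return "".join(P)


def polyalphabetic(P, tables):
    """Polyalphabeticity: C(i) = S(P(i), i); here S depends on i modulo the period."""
    return "".join(tables[i % len(tables)][ALPHA.index(p)] for i, p in enumerate(P))


def unpolyalphabetic(C, tables):
    return "".join(ALPHA[tables[i % len(tables)].index(c)] for i, c in enumerate(C))


def autokey(P, S, P0="A"):
    """Autokey: C(i) = S(P(i) + P(i-1)) with a dummy P(0); the sum is taken mod 26."""
    prev, C = ALPHA.index(P0), []
    for p in P:
        cur = ALPHA.index(p)
        C.append(S[(cur + prev) % N])
        prev = cur
    return "".join(C)


def unautokey(C, S, P0="A"):
    prev, P = ALPHA.index(P0), []
    for c in C:
        cur = (S.index(c) - prev) % N
        P.append(ALPHA[cur])
        prev = cur
    return "".join(P)


def scramble(items, seed):
    """Constructed key material: a seeded shuffle standing in for a keyed table."""
    items = list(items)
    random.Random(seed).shuffle(items)
    return items


SUB_TABLE = "".join(scramble(ALPHA, 1))                          # S for substitution and autokey
FRAC_TABLE = scramble(range(N * N), 2)                           # S over the 676-symbol alphabet
POLY_TABLES = ["".join(scramble(ALPHA, s)) for s in range(3, 8)]  # five alphabets, period 5
```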
Early Machine Ciphers
This section looks at some of the simpler ciphers involving mechanical aid to the cryptographer. Cipher disks or slides are left in the pencil-and-paper section, but the Wheatstone cryptograph (a set of geared cipher disks which achieved polyalphabeticity by using plain and cipher alphabets of different lengths) would go here if it were covered.
The Bazeries Cylinder
The Kryha Cryptograph
The Hill Cipher
The RED Machine
The Reihenschieber
The A-22 Cryptograph
The Bazeries Cylinder
Although originally invented much earlier, by Thomas Jefferson, this type of cipher machine became generally known after its later reinvention by Commandant Etienne Bazeries, who wrote a book about cryptology which recommended this device. About 20 or 30 disks, each with a different scrambled alphabet on the edge, and with a hole in the centre so they can all be stacked on a common axle, make up the device. The disks can be numbered on one side, and the order in which they are stacked can be used as a key that can easily be changed. To encipher a message, rotate the disks so that its letters line up in one row, and take the letters in any other row as the encrypted message. Decipherment is possible, because it is easy to pick out one row of plaintext among the 24 other, gibberish, rows that are possible. This is quite a secure cipher device, especially considering that it doesn't involve a lot of fancy technology. Since every letter in a block is displaced through a different alphabet, and every block has a different displacement, it is even possible to mistakenly assume that it is unbreakable. However, it isn't unbreakable. Like the Enigma, which we will meet later, no letter can represent itself. This allows probable plaintext to be positioned against intercepted messages. The main attack against this type of cipher is the de Viaris method. If the alphabets on the cylinder are poorly chosen, it may be that the fifth letter clockwise from E, for example, can never be some letters, and is one particular letter several times. Thus, an opponent who has a copy of the cylinder itself and some plaintext may be able to identify the displacement for a block, and, with that, then determine the order of the disks. The alphabets on the M-94, a version of the Bazeries cylinder made from aluminum, and used by the U.S. during the Second World War, were chosen to be part of a Latin square to be more resistant to a de Viaris attack.
A Latin square is an N by N square containing the numbers from 1 to N, each N times, so that no number occurs twice in either the same row or the same column. For example,

1 2 3 4 5
3 1 4 5 2
2 5 1 3 4
5 4 2 1 3
4 3 5 2 1

is an example of a Latin square. However, since

1 2 3 4 5
2 3 4 5 1
3 4 5 1 2
4 5 1 2 3
5 1 2 3 4

is also a Latin square, and is obviously not a good type of sequence for a cylinder cipher, as every cylinder has the same alphabet, only shifted by one, there is more to choosing a good set of alphabets for a cylinder than simply using a Latin square. Ideally, if one were using 25 cylinders for a 26-character alphabet, one would like a sequence such that, if one aligns any one letter to form a solid row of that letter, then the remaining 25 letters on the 25 cylinders are, in each case, a Latin square. Then, for each displacement, and each letter, all substitutes would be equally possible. I do not know whether or not it is possible to fulfill this condition. Even when the de Viaris attack is not possible, cylinder ciphers can be broken. During World War II, the U.S. used an improved version of the cylinder cipher. Strips instead of disks were used (which, of course, makes no difference in itself), and there were 100 of them to choose from. The cipher procedure involved choosing 30 strips, but breaking up the message into blocks only 15 letters long. Despite all this, and the fact that they did not have a captured specimen of the device to work with, cryptanalysts in Nazi Germany were able to break messages enciphered with the M-138-A. If one does not have a copy of the device, and in any case the strips or disks used have been made resistant to the de Viaris attack, it is still possible to attack a Bazeries cylinder if one has several hundred messages, all sent with the same key. Using the kappa test (the fact that two unrelated plaintexts will have more identical characters in corresponding positions than two sequences of random letters, which will have one coincidence for every 26 letters), one can group together messages with the same displacement from the row with the plaintext message. Once this is done, and if one had enough messages to work with, frequency counts can be used for each position.
After the war, a further improvement was made to the strip cipher. In addition to a daily order for the strips, key lists also gave a table with a column number (or a blank) under each of the 26 letters. A random set of five letters was chosen for each message; the column numbers in the frame corresponding to these letters were not used to encipher that message. These were called "Channel Elimination Numbers", and the numbers were the numbers of positions in the frame, not strips. (Since which strip went in which column was also part of the same daily key, this was important operationally, for ease of sending different messages, each with its own indicator, during the one day, not cryptographically.) As this essentially varied the key for every message, it prevented the statistical attack outlined above. The Bazeries cylinder relies on the input plaintext being plaintext, with some redundancy, so that it can be found. Of course, if one allows expanding the text with an extra letter, or using a prearranged scheme to pick the ciphertext row, variations of the cipher method can be designed without this limitation, and therefore useful for the subsequent encipherment of ciphertext. The following diagram, showing a different kind of strip used for this type of encipherment:

retains the limitation, while reducing it somewhat. The plaintext SEND MONEY is being enciphered to the numerical ciphertext 345589628759, and its redundancy is being reduced in the process by the same amount as a straddling checkerboard would do so. The principle involved is that a plaintext letter, if found on the right side of the strip, is represented by that single strip; otherwise, two strips, the first with the symbol > or >> on the right-hand side, and the second with the plaintext letter in the first, or second, column on the left-hand side, are aligned to represent that letter. Such a method, though, is only practical if, at least with practice, the row containing plaintext "leaps out" at the eye of the decipherer. In the diagram above, the first row contains the nonsense string OGOSRIERH, while the second one contains the desired plaintext SENDMONEY, and the third contains YORNEPCF, but that does seem to take some effort to see.
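An added example, not the Compendium's own code: a Bazeries-cylinder encipherment with a constructed set of 25 disks, together with the checks the section describes, that no letter represents itself, and how unevenly substitutes are distributed for a given displacement (the de Viaris exposure and the Latin-square ideal). The disks, their order and the sample block are constructed; no historical alphabets are used.

```python
import random
import string

ALPHA = string.ascii_uppercase


def make_disks(count, seed=2024):
    """Constructed disks: 'count' scrambled alphabets. A real cylinder's alphabets
    were fixed when it was made; the user's key is only the order of the disks."""
    rng = random.Random(seed)
    disks = []
    for _ in range(count):
        a = list(ALPHA)
        rng.shuffle(a)
        disks.append("".join(a))
    return disks


def encipher_block(block, disks, order, offset):
    """Stack the disks in 'order', turn each so its plaintext letter lies in one
    row, and read off the row 'offset' places further round (1..25)."""
    out = []
    for p, k in zip(block, order):
        d = disks[k]
        out.append(d[(d.index(p) + offset) % 26])
    return "".join(out)


def candidate_rows(block, disks, order):
    """Decipherment: align the ciphertext and read the other 25 rows; the row that
    is plaintext rather than gibberish is the message (row offset-1 in this list)."""
    return [encipher_block(block, disks, order, 26 - o) for o in range(1, 26)]


def substitute_counts(disks, letter, offset):
    """de Viaris exposure: how often each letter stands 'offset' places clockwise
    from 'letter' across the disks. One letter occurring several times, and others
    never, is exactly the weakness the text describes."""
    counts = {}
    for d in disks:
        s = d[(d.index(letter) + offset) % 26]
        counts[s] = counts.get(s, 0) + 1
    return counts


def worst_repeat(disks):
    """Largest repeat count over all letters and offsets (1 is the best possible)."""
    return max(max(substitute_counts(disks, x, o).values())
               for x in ALPHA for o in range(1, 26))


def latin_condition(disks):
    """The text's ideal for 25 disks: aligning any letter, the remaining letters form
    a Latin square. Rows (disks) are permutations by construction, so the square is
    Latin exactly when every column (offset) shows 25 distinct substitutes."""
    return len(disks) == 25 and worst_repeat(disks) == 1


DISKS = make_disks(25)
ORDER = list(range(24, -1, -1))                   # constructed key: disks stacked in reverse
SHIFTED = [ALPHA[k:] + ALPHA[:k] for k in range(25)]   # the text's bad Latin square
```

For SHIFTED every disk gives the same substitute at every displacement, so worst_repeat reports 25 and the Latin-square condition fails; a random set scores somewhere between.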
The Kryha Cryptograph
The Kryha cryptograph had a number of variations. It had two disks, each with a scrambled alphabet that could be changed by the user. One disk moved for each letter enciphered. The movement was controlled by a pinwheel; if there were, on the pinwheel at one place, five teeth out followed by one pushed in, then that caused the moving disk to move five places forwards for one letter. An earlier model used a fixed gear, which caused the following movements, in order: 7 6 7 5 6 7 6 8 6 10 5 6 5 7 6 5 9. Essentially, the cipher it produced was similar to a progressive-key encipherment with a keyword and mixed alphabets. Although it took W. F. Friedman only a few hours to solve a message enciphered on one of these machines, the principles required are already beyond those normally dealt with in books on cryptanalysis aimed at amateurs and beginners. Although the version of the machine solved by W. F. Friedman in "2 Hours, 41 Minutes" (the title of the chapter in Machine Cryptography and Modern Cryptanalysis by C. Deavours and L. Kruh discussing the Kryha machine) appears to have been the fixed-gear version, since Friedman was not given the machine to examine, he did not have the opportunity to solve its cipher even more quickly, as in that case, only 17 trials would have been needed to sort the letters of the test message into monoalphabetically enciphered groups.
The Hill Cipher
This cipher was once implemented in the form of a machine using gears and chains like those used with bicycles. That, and the fact that it is impractical for hand use, while it predates the computer age, has caused me to put it in this section, although the appropriateness of this choice is also doubtful. Supposing you are given the following problem to solve:

2x + y = a
x - y = b

and you want to find out what x and y are in terms of a and b. The steps you can take to find it are the following: You can add or subtract a multiple of one equation from another. You can multiply one of the equations by a number. You can change the order of the equations. That last step may seem trivial, but it is included for completeness. You can make a chart to save you copying the letters x, y, a, and b every time you perform a step:

x  y | a  b
2  1 | 1  0
1 -1 | 0  1

and the rows of this chart can be treated like the equations were. In this case, one might proceed as follows:

x  y | a  b
2  1 | 1  0      2x + y = a
1 -1 | 0  1      x - y = b

Adding the second row to the first:

3  0 | 1  1      3x = a + b
1 -1 | 0  1      x - y = b

Multiplying the second row by 3:

3  0 | 1  1      3x = a + b
3 -3 | 0  3      3x - 3y = 3b

Subtracting the second row from the first, and writing the result in the second row:

3  0 | 1  1      3x = a + b
0  3 | 1 -2      3y = a - 2b

Of course, the last step of multiplying each row by 1/3rd (or, equivalently, dividing each row by 3) is still to be taken. I've avoided it here, to omit dealing with fractions. If one works with numbers in modular arithmetic, particularly if the modulus is not a prime number, the rules change slightly. If you add or subtract a multiple of one of the equations from another, you can still use any multiple, since a multiple of zero is the same as doing nothing, and so since that does not destroy information, neither will using a number that is not relatively prime to the modulus. When multiplying a single row by a number, however, you cannot use a number unless it is relatively prime to the modulus. The Hill Cipher deals with modulo-26 arithmetic, and so in addition to zero, 13 and all the even numbers are disallowed for this manipulation. Enciphering in the Hill Cipher is the same as finding a and b given x and y, where x and y are numbers from 0 to 25 substituted for two letters of a digraph being enciphered, and deciphering is solving for x and y given a and b. Note that not all systems of linear equations can be solved, and you must choose one that has an inverse. One way to do this is by performing the manipulations allowed for finding an inverse on a square with zeroes everywhere except along the diagonal, since this will always result in a square that can be brought to that form by these same manipulations. Also, the square formed by the coefficients of this kind of equation is called a matrix. The act of finding a and b for x and y, using the original form of the equations which directly give a and b as functions of x and y, thought of as an operation using the square of numbers we began with in the x and y columns (called a matrix), is called multiplying the vector (x,y) by the matrix to get the vector (a,b).
The square representing x, y, and z or a, b, and c on one side of a set of equations, with a 1 at the start of the first row, in the second place in the second row, and so on, with zeroes everywhere else, is called the identity matrix, since if a=x, b=y, c=z, then finding a, b, and c for x, y, and z gives you the same numbers. The linearity in the Hill cipher is its weak point. So a scrambled alphabet for converting letters to numbers needs to be used, and it is important to remember that that scrambled alphabet is a very important part of the key.
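Added example (not the Compendium's code): the row operations described above, carried out mod 26 by a short program that inverts the matrix of the worked problem 2x + y = a, x - y = b and then enciphers digraphs through a scrambled alphabet. KEY_ALPHA is a constructed alphabet, and treating (x, y) as a column vector multiplied from the left is an assumption about layout only.

```python
from math import gcd

MOD = 26


def inverse_mod(n, m=MOD):
    """Multiplicative inverse of n mod m; it exists only when gcd(n, m) == 1."""
    return pow(n % m, -1, m)


def invert_matrix(M, m=MOD):
    """Gauss-Jordan elimination mod m on the chart [M | I], using only the moves
    the text allows: swapping rows, adding a multiple of one row to another (any
    multiple), and multiplying a row by a number relatively prime to m."""
    n = len(M)
    aug = [[M[r][c] % m for c in range(n)] + [int(r == c) for c in range(n)]
           for r in range(n)]
    for col in range(n):
        # A pivot must be relatively prime to m. If no single row offers one, the
        # sum of two rows will (mod 26: an odd entry plus one that is non-zero
        # mod 13), and adding rows is always permitted.
        piv = next((r for r in range(col, n) if gcd(aug[r][col], m) == 1), None)
        if piv is None:
            for r in range(col, n):
                for s in range(col, n):
                    if r != s and gcd((aug[r][col] + aug[s][col]) % m, m) == 1:
                        aug[r] = [(x + y) % m for x, y in zip(aug[r], aug[s])]
                        piv = r
                        break
                if piv is not None:
                    break
            if piv is None:
                raise ValueError("matrix has no inverse mod %d" % m)
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = inverse_mod(aug[col][col], m)
        aug[col] = [(x * inv) % m for x in aug[col]]          # scale the pivot row to 1
        for r in range(n):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(x - f * y) % m for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def apply(M, v, m=MOD):
    """Multiply the vector v by the matrix M: (a, b) = M (x, y) mod m."""
    return [sum(M[r][c] * v[c] for c in range(len(v))) % m for r in range(len(M))]


def hill(text, M, key_alpha):
    """Encipher digraphs (or decipher them, when given the inverse matrix).
    Letters become numbers through key_alpha, the scrambled alphabet the text
    calls a very important part of the key."""
    assert len(text) % len(M) == 0, "pad the text to whole blocks"
    nums = [key_alpha.index(ch) for ch in text]
    out = []
    for i in range(0, len(nums), len(M)):
        out.extend(apply(M, nums[i:i + len(M)]))
    return "".join(key_alpha[n] for n in out)


M = [[2, 1], [1, -1]]                        # 2x + y = a,  x - y = b
KEY_ALPHA = "QWERTYUIOPASDFGHJKLZXCVBNM"   # constructed scrambled alphabet
```

With x = (a + b)/3 and y = (a - 2b)/3 and 9 as the inverse of 3 mod 26, the inverse matrix comes out as [[9, 9], [9, 8]], matching the derivation above.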
The RED Machine
A rotor machine usually uses a disk with 26 contacts arranged in a circle on each side. When the rotor moves, the contacts on both sides of it advance. A rotor which had 26 contacts in a circle on one side, and a spindle with 26 contact strips on the other side, is always sure, when it moves, to take each letter to a different substitute. Such a rotor is called a half-rotor, and the Hagelin B-211, which we will meet later, uses such rotors as well. The Japanese cipher machine which was codenamed RED by American codebreakers behaved as if it consisted of two half-rotors, one with 20 contacts for 20 consonants, and one with 6 contacts for 6 vowels, counting Y as a vowel. This property allowed encrypted text to be pronounceable, thus allowing use of the commercial telegraph system. This division of the alphabet was perpetuated in the PURPLE machine, which was a weakness of that machine, although it at least had a plugboard so that the six letters handled by themselves could be any six letters. Also, while American codebreakers built their own RED workalikes that really did have two half-rotors, the actual machine used by the Japanese had only one half-rotor; the spindle had all 26 strips, and the wheel face had two sets of 60 contacts, one wired with the same scramble of 20 characters repeatedly, and the other wired with the same scramble of the other 6 characters repeatedly. The 60-contact wheel usually moved one step for each character enciphered, but not always. Its motion was controlled by a 47-position gear or pinwheel. Only eleven of the teeth could be disabled, including four adjacent pairs of teeth. When an enabled tooth is active, the rotor advances one position for the letter currently enciphered. When a disabled tooth is encountered, the rotor also advances one position, but the 47-position gear continues to advance for the current letter.
Thus, occasionally the rotor will move two or even three positions when a letter is enciphered, but it will always move exactly 47 positions for each cycle of the 47position gear. That cycle will take less than 47 letters, one less for every disabled tooth.
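Added example (not from the Compendium): a simulation of the stepping just described, checking that one revolution of the gear always moves the rotor 47 positions in fewer than 47 letters, plus a two-half-rotor model of the vowel/consonant split. The set of eleven disabled teeth, the two wirings, and stepping the rotor after each letter are constructed assumptions, not the historical settings.

```python
GEAR_POSITIONS = 47
VOWELS = "AEIOUY"                              # the six letters on the 6-contact side
CONSONANTS = "".join(c for c in "ABCDEFGHIJKLMNOPQRSTUVWXYZ" if c not in VOWELS)

# Constructed: eleven disabled teeth, including four adjacent pairs, as the text allows.
DISABLED = frozenset({3, 4, 10, 11, 20, 21, 33, 34, 15, 27, 41})


def advances(disabled, letters, gear=0):
    """Rotor advance for each enciphered letter. The gear moves one tooth per letter;
    if it lands on a disabled tooth it keeps going, taking the rotor with it, until
    it rests on an enabled one. 'gear' is the starting tooth (assumed enabled)."""
    out = []
    for _ in range(letters):
        moved = 0
        while True:
            gear = (gear + 1) % GEAR_POSITIONS
            moved += 1
            if gear not in disabled:
                break
        out.append(moved)
    return out


def letters_per_cycle(disabled):
    """The text's claim: a full revolution (47 rotor positions) takes fewer than 47
    letters, one fewer for every disabled tooth."""
    return GEAR_POSITIONS - len(disabled)


def half_rotor(letter, alphabet, wiring, position, decipher=False):
    """One half-rotor: a letter of the 6- or 20-letter class passes through the fixed
    scrambled wiring and comes out displaced by the rotor position, so it stays in
    its own class and the ciphertext remains pronounceable."""
    n = len(alphabet)
    if decipher:
        return wiring[(alphabet.index(letter) - position) % n]
    return alphabet[(wiring.index(letter) + position) % n]


def run(text, decipher=False, disabled=DISABLED,
        vowel_wiring="OYEUAI", consonant_wiring="TRXKMPBWCDZFGHJLNQSV"):
    """Encipher (or decipher) with both half-rotors driven by the same stepping;
    the rotor is assumed to step after each letter, starting from position 0.
    Both wirings are constructed permutations of their classes."""
    pos, out = 0, []
    for ch, step in zip(text, advances(disabled, len(text))):
        if ch in VOWELS:
            out.append(half_rotor(ch, VOWELS, vowel_wiring, pos, decipher))
        else:
            out.append(half_rotor(ch, CONSONANTS, consonant_wiring, pos, decipher))
        pos += step
    return "".join(out)
```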
Reihenschieber
This device really belongs among the paper-and-pencil systems. But it is placed here in consideration of the fact that, briefly, from 1958 to 1960, it was considered adequate to safeguard even top secret material. The Reihenschieber resembled a slide rule in shape. Ten square sticks, taken from a set of 26, were placed in it, and a grille slid along the device. The 26 sticks that came with the device were each labelled with a letter of the alphabet. Which ten sticks to use in the device was determined by the daily key, a sequence of ten different letters. Each stick had ten dimples on each of its four sides, which allowed it to be placed between the Reihenschieber's rails in ten positions. These were determined by another daily key, this time of ten digits. The ten digits (with the last one repeated to make an eleventh digit) were used to encipher a five-letter area indicator, which was sent with the message, repeated twice, using the same method by which the digits the Reihenschieber generates are used to encipher messages: each digit indicates the column in a table containing the enciphering alphabet, and in addition the following digit, depending on whether it is low (0-4) or high (5-9), selects one of two tables. The sticks were printed with random sequences of digits, interspersed with the odd dot. The dots were ignored when encountered, being present to make the sequence of digits produced by the device irregular. To the left of these digits, there was an expanse with some letters and blank spaces; this expanse contained each of the 26 letters once in an area 10 characters long on the four sides of the stick. The ten letters, generated from the ten-digit key called the "message key", were placed in a line, and thus these 10 letters specified both the horizontal placement and the side which was to be uppermost, for each stick.
A frame that held grilles on the front and back (the strips were also printed with digits on the back) slid along the device like the cursor on a slide rule. With each month's supply of key material, three sets of grilles were supplied, each for use for a period of 10 or 11 days. As the strips ran along the device, going from left to right, the numbers the device produced were those read out from the grille vertically, first from top to bottom, and then from the leftmost column to the rightmost column. After reading out the digits shown at one slide position, the slide was flipped over to read the numbers showing on the back as well before the slide was advanced along the ruler for the next group of numbers. The grilles had 10 columns; the article which is my source claims they had 25 holes, but gave an example with 26. The grille could be slid through 52 positions, labelled first with the lowercase alphabet and then the uppercase alphabet. The first position used was the one with the lowercase letter corresponding to the last letter of the enciphered area indicator as used to slide and rotate the ten sticks. Therefore, the Reihenschieber looked something like this:

[Diagram: the Reihenschieber, with the grille (columns labelled abcdefghijklmnopq) in one position over the ten sticks]

and in the position shown, the encipherer would read off the digits 6944870142537331458 for use in enciphering. The slide continues on like this:

[Diagram: the continuation of the slide, with the grille positions labelled IJKLMNOPQRSTUVWXYZ]
Also, the four sides of one of its sticks would have looked something like this:

A py x q r  oooooooooo 24619.43.529.6565.3471.52.403569.19382.1
A u mvjo zt oooooooooo .95190.317.45602.12995.138.440.27061.630
A ek lbd c s oooooooooo 437.1512.44691.703977.69.405631.29331.95
A nh gfi aw oooooooooo 2026.19.5113.4072.6198.20541.35622.9271.

The A at the left end indicated which square stick it was; on the other end, a code of two capital letters indicated which set of sticks a stick belonged to. There are 52 usable positions for the grille; as the grille is 10 columns wide, and there are 10 possible horizontal positions for the slide, the area of numbers and dots is 52 + 9 + 9 or 70 characters long. Thus, the Reihenschieber did not encipher text directly. It simply was used to generate a stream of digits, which was used as a key. The digits were used to encipher text using a table of twenty alphabets, organized as two tables of ten alphabets. One digit was used per letter to be enciphered; the digit picked one of the alphabets from a table; which table was decided by whether the next digit (which will later be used to encipher another letter) was high (5-9) or low (0-4). A new set of tables was provided each month. My source for the information in this section is an article from the April 1996 issue of Cryptologia. The author, Michael van der Meulen, had also done a few previous articles on German paper-and-pencil systems.
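Added example (not from the Compendium or the Cryptologia article): applying a Reihenschieber-style digit stream to a message with two tables of ten alphabets, the following digit choosing the table, and the repeated-last-digit rule used for the area indicator. The two tables are constructed as shifted alphabets so the result can be checked by hand; the real monthly tables held mixed alphabets.

```python
import string

ALPHA = string.ascii_uppercase


def make_tables():
    """Constructed tables: the 'low' table (used when the next digit is 0-4) holds
    the alphabet shifted by 0..9, the 'high' table (next digit 5-9) by 10..19."""
    low = [ALPHA[s:] + ALPHA[:s] for s in range(10)]
    high = [ALPHA[s:] + ALPHA[:s] for s in range(10, 20)]
    return low, high


def pad_digits(digits, letters):
    """Each letter needs its own digit and the one after it, so n letters need n+1
    digits; as with the area indicator, the last digit is repeated to make them up."""
    digits = [int(d) for d in digits]
    while len(digits) < letters + 1:
        digits.append(digits[-1])
    return digits


def pick_alphabet(tables, digit, next_digit):
    """The digit is the column in the table; the next digit selects the table."""
    low, high = tables
    return high[digit] if next_digit >= 5 else low[digit]


def encipher(text, digits, tables):
    digits = pad_digits(digits, len(text))
    out = []
    for i, p in enumerate(text):
        alphabet = pick_alphabet(tables, digits[i], digits[i + 1])
        out.append(alphabet[ALPHA.index(p)])
    return "".join(out)


def decipher(cipher, digits, tables):
    digits = pad_digits(digits, len(cipher))
    out = []
    for i, c in enumerate(cipher):
        alphabet = pick_alphabet(tables, digits[i], digits[i + 1])
        out.append(ALPHA[alphabet.index(c)])
    return "".join(out)


TABLES = make_tables()
```

Changing only the digit that follows a letter changes that letter's alphabet, which is why the stream of digits, not the message, has to carry the irregularity.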
Comments on the Reihenschieber
The Reihenschieber as described here is certainly an interesting and unusual type of device. It is possible that the old cipher device known as Ducros' Scotograph was somewhat similar to this, rather than being a variant of the Bazeries cylinder as usually thought. And a device of this type has the potential to be quite secure. But the Reihenschieber as described here seems to have some flaws that reduce its potential security.
The grille has more than 10 holes. Although the dots on the sticks help, this still means that digits will repeat at almost regular intervals.

Of the forty possible positions for each stick, only 26 are ever used. This would not be a problem if the sticks were frequently replaced, but they are part of the "hardware" of the device.

The "area key" is the only thing that varies the keying of one day's messages using the same key list. There is no indicator that varies randomly with each message.

There is no reason for the message key not to consist of eleven digits, even if the last one need only be either 0 or 5. Or, for that matter, why not twelve digits, so that the starting position of the grille can be derived separately.
If one is ambitious, one might even advocate using a monthly table with 100 alphabets, and using two digits to encipher every letter, rather than using 20 alphabets (a number less than 26, and therefore also dangerous).
The A-22 Cryptograph
This cipher machine was a simple one of purely mechanical construction, but it produced a cipher with a long period. A drum, containing 29 mixed cipher alphabets, advanced two positions each time the machine was used to encipher a letter. An alphabet in normal order contained the plaintext letters. A window high enough to expose two of the alphabets on the drum was present on the device. The plaintext alphabet was moved in an irregular sequence to cover either the top or the bottom alphabet of the two on the drum that were behind the window, but whether the normal alphabet was the high one or the low one, it was always the one used for plaintext. Thus, the movement of the bar with the plaintext alphabet simply controlled which of two of the 29 cipher alphabets would be used at each step. The irregular movement of this bar was controlled in two steps. First, a 25-pin pinwheel advanced with each letter enciphered. Active pins on this pinwheel advanced a chain with a variable number of links; some of those links were shaped to call for the plaintext alphabet bar to be in its lower position, some were shaped to call for it to be in its higher position. Unfortunately, the cipher produced by this machine as described so far is quite weak; if one knows that an A-22 has been used, one simply divides the encrypted message into groups of 29 letters. Then, for each column of letters at that spacing, only two alphabets are used, and this fact diminishes the benefit of the elaborate mechanism devoted to alternating between those two. Instructions provided with the machine, however, suggested advancing it two or three steps after enciphering some letters; those who went to this extra effort would have obtained a greater degree of security.
The Hagelin Machines
Although the Swiss firm founded by Boris Hagelin has manufactured, and continues to manufacture, many kinds of cipher machine, the words "Hagelin machine" will normally inspire thoughts of their unique lug and pin based machines. The basic principle of a Hagelin lug and pin machine is easy enough to describe.

In the C-38, used by the U.S. Army as the M-209, six pinwheels, with 17, 19, 21, 23, 25, and 26 positions on them, can be set by the user with an arbitrary series of pins that are active. For every letter enciphered, all the pinwheels rotate one space. The combination of active and inactive pins is presented to a cage with 27 sliding bars. Each bar has two sliding lugs on it, which can be placed either in a position where it is inactive, or in a position corresponding to any of the pinwheels, so that it will slide the bar to the left if the pin currently presented by that pinwheel is active. The number of bars that slide (a bar whose two lugs both face active pins still slides only once) rotates the cipher alphabet against the plaintext alphabet.

The two alphabets used are just the regular alphabet, and the alphabet in reverse order, from Z back to A. This meant that encipherment was reciprocal, although the machine still had a switch to select encipherment or decipherment: this determined whether the machine printed its output in five-letter groups, or whether it translated one letter, chosen by the user, to a space.

The C-52, a postwar version of the Hagelin lug and pin machine, added an extra five sliding bars to the cage that, instead of moving the cipher alphabet, caused the stepping of the pinwheels to be irregular. The first pinwheel always moved, but the remaining five pinwheels only moved when their corresponding bars were slid to the left. The six pinwheels were labelled A, B, C, D, E, and F from left to right; bar 1 controlled pinwheel B, bar 2 pinwheel C, and so on. Also, on the C-52 the lugs could be moved from bar to bar, and the six pinwheels were chosen from a set with lengths 25, 26, 29, 31, 34, 37, 38, 41, 42, 43, 46, and 47. Using the pinwheels with lengths 34, 38, 42, 46, 25, and 26 (each equal to, or twice, one of the C-38's wheel lengths 17, 19, 21, 23, 25, and 26) allowed one to achieve compatibility with the C-38, provided one also turned off the irregular pinwheel stepping feature.

The alphabet always started from its normal position, instead of the position last used, before being rotated by the projecting slide bars. This was perhaps the machine's main weakness, as it made attacks based on frequency counts of displacements possible, but it was perhaps unavoidable, since there was always a slight possibility of occasional mechanical errors, particularly as the machines were often used on battlefields.

In setting the lugs on the sliding bars, it was important to put many lugs for some pinwheels, and few lugs for others, so as to get an even distribution of displacements. Although some bars with two lugs active were desirable for irregularity, the arrangement basically needs to approximate a binary coding of the active pins; that is, one pinwheel might have only one lug facing it, another two, another four, another about eight, and another about thirteen or so. For the C-52, in setting up lugs on the first five bars, it was important to ensure frequent movement of the pinwheels.
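As an added illustration of the mechanism just described (this is not the page author's code, and the pin pattern and lug counts are constructed for the example rather than taken from any real key list), here is a small Python model of the C-38 / M-209 cage. It shows how the displacement is the number of bars that slide, why a bar with both lugs active counts only once, that the reversed cipher alphabet makes the machine its own inverse, and how the lug weighting affects the spread of displacements.

```python
# Added example (not the page author's code): a model of the C-38 / M-209
# lug-and-pin mechanism.  Pin settings and lug counts are constructed for
# illustration and are not any real key list.
import random
from collections import Counter

WHEEL_SIZES = (17, 19, 21, 23, 25, 26)   # the six C-38 / M-209 pinwheels
NUM_BARS = 27                            # bars in the cage, two lugs each
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def random_pins(seed=7):
    """One active/inactive flag for every pin on every wheel (constructed key)."""
    rng = random.Random(seed)
    return [[rng.random() < 0.5 for _ in range(n)] for n in WHEEL_SIZES]


def bars_from_counts(counts):
    """Place counts[w] lugs opposite wheel w on the 27 bars.  The first lug
    position of every bar is filled before any second position, so a bar never
    carries two lugs for the same wheel.  None marks an inactive lug."""
    slots = [w for w, n in enumerate(counts) for _ in range(n)]
    assert len(slots) <= 2 * NUM_BARS, "only 54 lug positions exist"
    bars = [[None, None] for _ in range(NUM_BARS)]
    for k, w in enumerate(slots):
        bars[k % NUM_BARS][k // NUM_BARS] = w
    assert all(a is None or a != b for a, b in bars)
    return [tuple(b) for b in bars]


def displacement(bars, active):
    """Number of bars pushed aside: a bar moves if either of its lugs faces an
    active pin; a bar with both lugs opposite active pins still moves only once,
    which is why 54 lugs can never give a displacement above 27."""
    return sum(1 for a, b in bars
               if (a is not None and active[a]) or (b is not None and active[b]))


def run(text, pins, bars, start=(0, 0, 0, 0, 0, 0)):
    """Encipher (or, identically, decipher) `text` from wheel positions
    `start`; all six wheels step once per letter.  Returns (output, displacements)."""
    pos = list(start)
    out, shifts = [], []
    for ch in text:
        active = [pins[w][pos[w]] for w in range(6)]
        d = displacement(bars, active)
        shifts.append(d)
        # Normal plaintext alphabet against a reversed cipher alphabet that has
        # been rotated d places: c = (d - p - 1) mod 26, which is its own inverse.
        out.append(ALPHABET[(d - ALPHABET.index(ch) - 1) % 26])
        pos = [(pos[w] + 1) % WHEEL_SIZES[w] for w in range(6)]
    return "".join(out), shifts


def displacement_spread(pins, bars, n=2000):
    """Histogram of the displacements produced over the first n letters; the
    lug weighting (binary-like versus evenly spread) decides how even it is."""
    return Counter(run("A" * n, pins, bars)[1])


if __name__ == "__main__":
    pins = random_pins()
    weighted = bars_from_counts((1, 2, 4, 8, 13, 13))   # binary-like weighting
    even = bars_from_counts((7, 7, 7, 7, 7, 6))         # same total, no weighting
    ct, _ = run("HAGELINMACHINE", pins, weighted)
    print(ct, run(ct, pins, weighted)[0])                # round trip
    print("weighted:", sorted(displacement_spread(pins, weighted).items()))
    print("even:    ", sorted(displacement_spread(pins, even).items()))
```

Running the two lug arrangements side by side shows the point made above: with binary-like weights the displacement takes many distinct values, whereas lugs spread evenly over the wheels give a narrower, lumpier distribution that leaks more about how many pins are active.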
Simple Cryptanalysis of the Basic Lug and Pin Machine
The basic mechanism of the C-38 (M-209) was described in the previous section: six pinwheels, with 17, 19, 21, 23, 25, and 26 positions, each set with an arbitrary pattern of active pins and all stepping one space for every letter enciphered; and a cage of 27 sliding bars, each carrying two lugs that can be set inactive or opposite any pinwheel, so that the bar slides to the left when the pin currently presented by that pinwheel is active.

In this section, we will examine how messages sent on the original C-38 machine could be cryptanalyzed, in the simplest case. That is, I will assume that a large number of intercepts for a given day (or whatever period intervenes between key changes) are available, and that the message indicator, giving the initial positions of the pinwheels, is not encrypted (or, which is the same thing in practice, any method of encryption used for the pinwheel position has been revealed to the cryptanalyst by some other method of intelligence).

The first thing to do is to find a pair of messages that have pinwheel settings that overlap. To find overlaps, the first step is to convert a pinwheel setting into a number in the sequence of pinwheel positions that the machine experiences. (Note that when the machine was improved to have an irregular pinwheel motion, this approach could not be used; overlaps could still be found, but then one would have to perform kappa tests on every pair of messages, a tedious process requiring automated assistance.)
Such conversion relies on the Chinese Remainder Theorem: given a series of integers, such as a, b, and c, which are all relatively prime to one another, the remainders of a number after division by a, b, and c are sufficient to identify that number uniquely if it is known to be within a range of length a times b times c. Thus, for example, the numbers 1 through 15 all have different pairs of remainders modulo 3 and modulo 5:

n          1  2  3  4  5     6  7  8  9 10    11 12 13 14 15
n mod 3    1  2  0  1  2     0  1  2  0  1     2  0  1  2  0
n mod 5    1  2  3  4  0     1  2  3  4  0     1  2  3  4  0
How can we quickly convert a pair of remainders to the number it is associated with, without performing a table lookup? Basically, we can take one remainder as is; the remainder modulo 5 tells us something we will need to know to find the number. But we then want to use the other remainder, the one modulo 3, to tell us how many times a whole 5 needs to be added to this remainder. How might we do this? Looking at the way the groups of five numbers start, it seems that the difference between the two remainders might be considered. That difference (the remainder modulo 3 minus the remainder modulo 5) is:

n                  1  2  3  4  5     6  7  8  9 10    11 12 13 14 15
n mod 3            1  2  0  1  2     0  1  2  0  1     2  0  1  2  0
n mod 5            1  2  3  4  0     1  2  3  4  0     1  2  3  4  0
difference         0  0 -3 -3  2    -1 -1 -1 -4  1     1 -2 -2 -2  0
difference mod 3   0  0  0  0  2     2  2  2  2  1     1  1  1  1  0

From this, it can be seen that if we take the difference modulo 3, it nicely separates the numbers into three groups of five (0 for 0 through 4, 2 for 5 through 9, 1 for 10 through 14), but we have to shift to starting with 0, as is only to be expected, since the remainders modulo 15 run from 0 to 14. Since 5 modulo 3 is 2, the difference increases by 2 for each group of 5. Thus, the rule, which can be applied repeatedly to convert a group of several remainders to a remainder modulo their product, is:

Given two relatively prime moduli, A and B (they need not be prime: the C-38's wheel sizes 21, 25, and 26 are not), and the remainders modulo them, a and b, of an unknown number, the remainder of that number modulo AB is determined as follows:

- Let k equal a minus b, modulo A.
- Divide k by the value of B modulo A, working modulo A (that is, multiply k by the inverse of B modulo A), and call the result m.
- The remainder of our number modulo AB is b plus m times B.

(For example, with A = 3 and B = 5, the number 13 has a = 1 and b = 3: k = (1 - 3) mod 3 = 1; B mod 3 = 2, whose inverse modulo 3 is 2, so m = 2; and 3 + 2 times 5 = 13.)
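The rule above, applied wheel by wheel over all six C-38 / M-209 pinwheels, as an added Python example (not the page author's code). The function combine is the three-step rule exactly as stated; sequence_number folds it over the wheels, and find_overlaps uses the resulting sequence numbers to pick out messages whose stretches of the wheel cycle intersect. The message list is constructed for illustration.

```python
# Added example (not the page author's code): the rule above, applied wheel
# by wheel, turns a C-38 / M-209 pinwheel setting into its index in the
# machine's cycle of wheel positions; a short overlap search then uses those
# indices.  The traffic list at the bottom is constructed for illustration.
from math import prod

WHEEL_SIZES = (17, 19, 21, 23, 25, 26)   # pairwise relatively prime
PERIOD = prod(WHEEL_SIZES)               # 101,405,850 positions before repeating


def combine(a, A, b, B):
    """Residue modulo A*B of the number that is a (mod A) and b (mod B).
    k = (a - b) mod A; m = k divided by (B mod A), working modulo A, i.e.
    k times the inverse of B mod A; answer = b + m*B."""
    k = (a - b) % A
    m = (k * pow(B % A, -1, A)) % A
    return b + m * B


def sequence_number(positions, sizes=WHEEL_SIZES):
    """Fold the two-modulus rule over all the wheels.  The result is the
    number of steps from the all-zero setting to `positions`."""
    x, mod = positions[0], sizes[0]
    for pos, size in zip(positions[1:], sizes[1:]):
        x, mod = combine(pos, size, x, mod), mod * size
    return x


def positions_at(n, sizes=WHEEL_SIZES):
    """Inverse of sequence_number: the wheel positions after n steps."""
    return tuple(n % s for s in sizes)


def find_overlaps(messages, sizes=WHEEL_SIZES):
    """messages: (name, start_positions, length) triples.  Returns
    (name1, name2, first, last+1) for every pair whose stretches of the
    wheel cycle intersect.  Wrap-around at PERIOD is ignored: a day's traffic
    is far shorter than the full cycle."""
    spans = [(name, sequence_number(start, sizes), length)
             for name, start, length in messages]
    found = []
    for i, (n1, s1, l1) in enumerate(spans):
        for n2, s2, l2 in spans[i + 1:]:
            lo, hi = max(s1, s2), min(s1 + l1, s2 + l2)
            if lo < hi:
                found.append((n1, n2, lo, hi))
    return found


if __name__ == "__main__":
    # The text's 3-and-5 example: remainders (1, 2) give 7, (1, 3) give 13.
    print(combine(1, 3, 2, 5), combine(1, 3, 3, 5))
    setting = (14, 12, 13, 11, 0, 12)            # the setting 1000 steps in
    print(sequence_number(setting))
    traffic = [("M1", positions_at(1000), 300),  # constructed indicators
               ("M2", positions_at(1200), 200),
               ("M3", positions_at(5000), 100)]
    print(find_overlaps(traffic))                # M1 and M2 share steps 1200..1299
```

The inverse modulo A exists precisely because the wheel sizes are pairwise relatively prime; if two wheels shared a factor the cycle would be shorter and a setting would no longer identify a unique point in it.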
Once we have found two overlapping messages, the second step is to solve for the plaintext of those messages over the extent of the overlap. Because the machine produces successive shifts of a known alphabet, we know that the distance between two ciphertext letters at a given position corresponds to the distance between the two plaintext letters they represent, so for each position we have only 26 out of 676 possibilities to consider for the two letters. (Remember that the plaintext alphabet and the cipher alphabet are the normal alphabet and the reversed alphabet, so the distances between letters must be measured in their own alphabets: one step forward in the plaintext is one step backward in the ciphertext.) Eliminating pairs which have an uncommon letter in either position narrows down the possibilities for each letter in each message. For a machine like the SIGABA, which produces a different alphabet for each letter, an attack at a "depth of two" is probably impossible without much additional information.

Having some plaintext and corresponding ciphertext, we can derive from it the series of displacements generated by the operation of the lugs and pins over the part of the sequence of pinwheel positions in question. At this stage, one can apply sophisticated techniques, which have been described elsewhere, to attempt to reconstruct the lug and pin settings of the machine. In order that different combinations of active and inactive pins will tend to produce different numbers of shifted bars (different displacements of the alphabet), the lugs need to be distributed among the positions corresponding to pinwheels in a manner that assigns different weightings to the different pinwheels, resembling, but not identical to, the weighting of binary numbers (16, 8, 4, 2, 1). Thus, if one looks for large displacements and how they alternate with small ones, one may find a pattern that indicates where the active pins are on at least one pinwheel.

The third step is to find messages which have an almost overlap. A list of all the pinwheel positions in the overlap will help with this; it can be compared to the start and end pinwheel positions of other messages (and middle positions, if the other messages are long enough, and the overlap is short enough).
An almost overlap is a span of letters in a message where five of the six pinwheels have positions matching those of the pinwheels enciphering the (full) overlap sequence with which it is being compared. Since each pinwheel contributes only a single bit of input to the cage which determines the displacements (note that for a computer version of this type of cipher, which XORed together whole bytes from lists of differing length as input to an S-box, this would not work), half the time the displacement would match that in the message with which the almost overlap exists. So a trial decipherment can be made using those displacements, and it should not be hard to pick out the half of the letters that are right. This gives information on whether a pin in one position on a pinwheel has the same active or inactive state as a pin somewhere else. Multiple almost overlaps involving the same odd pinwheel allow reconstruction of that pinwheel; so does the fact that an extra active pin results in an increased displacement (although there are exceptions to that rule once the cage has more than 25 lugs in it).

Constructing a table with 64 entries (one for each combination of active and inactive pins on the six wheels) giving displacements is sufficient to read messages, although it is doubtless possible to reconstruct the lug settings from the displacement table.
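The "depth of two" solution and the recovery of displacements from known plaintext, as an added Python example (not the page author's code). Only the alphabet relation c = (d - p - 1) mod 26 is used, so the example does not need the pinwheels at all; the displacement run, the two plaintexts and the letter-frequency table are constructed for the illustration.

```python
# Added example (not the page author's code): two M-209 messages in depth
# (enciphered with the same displacements) solved from the difference property
# above, after which the displacements are read back from the recovered
# plaintext.  The displacement sequence is drawn at random to stand in for any key.
import random

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
# English letter frequencies, per cent, A..Z (rounded public figures).
FREQ = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
        6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]


def m209_alphabet(text, shifts):
    """Reciprocal C-38 / M-209 substitution: c = (d - p - 1) mod 26."""
    return "".join(ALPHABET[(d - ALPHABET.index(ch) - 1) % 26]
                   for ch, d in zip(text, shifts))


def candidate_pairs(c1, c2):
    """The 26 (p1, p2) pairs consistent with two ciphertext letters in depth.
    From c = d - p - 1 for both messages, c1 - c2 = p2 - p1 (mod 26): one
    step forward in one plaintext is one step backward in the other's cipher,
    so choosing p1 fixes p2."""
    diff = (ALPHABET.index(c1) - ALPHABET.index(c2)) % 26
    return [(ALPHABET[p1], ALPHABET[(p1 + diff) % 26]) for p1 in range(26)]


def rank_pairs(c1, c2, top=5):
    """Order the candidates by the product of their letters' English
    frequencies: the 'eliminate uncommon letters' step of the text."""
    def weight(pq):
        return FREQ[ALPHABET.index(pq[0])] * FREQ[ALPHABET.index(pq[1])]
    return sorted(candidate_pairs(c1, c2), key=weight, reverse=True)[:top]


def solve_depth(ct1, ct2, crib1):
    """Given a crib for message 1 over the depth, message 2 follows at once,
    and so does the displacement at every position: d = (c + p + 1) mod 26.
    Only d mod 26 is recoverable: displacements of 26 and 27 look like 0 and 1."""
    pt2, shifts = [], []
    for c1, c2, p1 in zip(ct1, ct2, crib1):
        diff = (ALPHABET.index(c1) - ALPHABET.index(c2)) % 26
        pt2.append(ALPHABET[(ALPHABET.index(p1) + diff) % 26])
        shifts.append((ALPHABET.index(c1) + ALPHABET.index(p1) + 1) % 26)
    return "".join(pt2), shifts


def demo_depth(seed=3):
    """Constructed depth: two plaintexts under one random displacement run."""
    rng = random.Random(seed)
    m1, m2 = "ATTACKATDAWNONTHEHILL", "ENEMYTANKSARENEARTHEA"
    shifts = [rng.randrange(0, 28) for _ in m1]
    return m1, m2, shifts, m209_alphabet(m1, shifts), m209_alphabet(m2, shifts)


if __name__ == "__main__":
    m1, m2, shifts, c1, c2 = demo_depth()
    print(c1, c2)
    print(rank_pairs(c1[0], c2[0]))        # the true pair (A, E) should rank high
    print(solve_depth(c1, c2, m1))         # recovers m2 and the displacements mod 26
```

Because the substitution is reciprocal, the same relation that lets one read message 2 from a crib in message 1 also works in the other direction, and every crib letter yields one displacement value that can be fed to the lug-and-pin reconstruction discussed above.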
The Hebern Rotor Machine, and PURPLE
The rotor machine is what many people will think of when they think of a cipher machine. And the most straightforward type of rotor machine is the one invented by Edward Hebern, in the United States. [ASCII-art sketch of the Hebern rotor machine, not reproduced here.]

The Japanese cipher machine which its American solvers called PURPLE didn't have any rotors in it, but instead used telephone stepping switches. However, in some ways it was still closely related to a rotor machine, and so it will be discussed here as well.

While the term code as distinct from cipher sometimes refers to a substitution on words and phrases as distinct from one on letters or digraphs, and sometimes (as in "Morse code", "Hamming code", or "Huffman code") seems to be applicable to any fixed substitution, forcing me to employ it somewhat loosely, I have been fastidious in restricting the use of the term "rotor machine" to cipher machines with wired rotors, which operate by changing a substitution produced by wires inside the rotor to its contacts when the rotor is rotated. Other cipher machines with rotating parts but operating on entirely different principles (such as the Hagelin lug and pin machines, or the Lorenz SZ40) have occasionally been referred to in print as "rotor machines". I wish to disparage this trend, as it would make the term "rotor machine" much less useful, by causing it no longer to refer to a family of cipher machines which all are based on a common cryptographic principle.
- Rotor Machine Basics
- The Interval Method
- The Isomorph Attack
- PURPLE, CORAL, and JADE
Rotor Machine Basics
A rotor is a small disk of insulating material, with perhaps 26 equally-spaced electrical contacts in a circle on each side. The contacts on one side are connected to the contacts on the other side in a scrambled order. In Hebern machines, the contacts on the rotors were simply flat circles of metal; the machine had ball contacts on springs to make contact with them. This allowed the rotors to be put in upside down, for more possible keys. The Enigma, on the other hand, was built more cheaply; the rotors had plain metal contacts on one side, and spring contacts on the other. This almost halved the number of contacts needed, provided you didn't decide to use a new set of rotors.

A rotor provided a changing scrambled alphabet by (you guessed it!) rotating. A rotor with 26 contacts on each side, each corresponding to a letter of the alphabet, that changed E to M before rotating would now change D to L (or F to N, depending on the direction in which it rotated), while E could become any other letter, depending on where the different wire went that was now brought into position to encipher it. Note that the example given had the rotor moving "backwards" by default. If the rotors are labelled with letters going in the same direction as the use of the input contacts, and they advance so that the next letter in the alphabet becomes visible at a fixed position, the result will be to move the contacts on the rotor to the input contacts corresponding to the previous letter from the ones to which they were previously connected.

The five rotors on a Hebern machine came close to moving like the wheels of an odometer. However, they did not move precisely in this way. There were fast rotors, which moved once for every letter enciphered, medium rotors, which moved once for every 26 letters, after a carry from the fast rotors, and there were slow rotors, which moved once after 650 (rather than 676) letters were enciphered. And there could also be rotors that didn't move at all, except that they could be set by hand before encipherment began. Some versions of the five-rotor Hebern machine had control levers, which determined which rotors moved each way. The 'carries' between rotors were handled by ratchet gears that were at the two ends of the shaft carrying the rotors. The reason for the slow rotors moving after every 650 letters was that the machine was designed to avoid having the slow rotor move at exactly the same time as the medium rotor, since having all the rotors move together seemed like a weakness. A good picture of a Hebern rotor machine appears in the July, 1966 issue of Scientific American, which has an article on cryptology by David Kahn.

The following diagram (not reproduced here) may illustrate a little about how a rotor machine works. In the first section, we see the keyboard connected to a set of contacts, arranged in a circle, forming the input to the first rotor. Often, the contacts are arranged so that the contacts on the circle are in alphabetical order; the early commercial Enigmas were wired so that the contacts matched the keyboard arrangement instead. In the second section, I attempt to illustrate that the contacts on both sides of a rotor are connected so that each contact on one side is connected to one contact on the other side, but in a scrambled way. In the third section, I follow the fate of the letter E through three rotors, before and after the one in the middle advances one step. The path of electricity through the first rotor stays the same; but the movement of the second rotor has brought a second wire into contact with the electricity; the wire formerly used is shown as a dotted line in its new position. The third rotor has not moved, but since the electrical current has left the second rotor from a different contact, a different wire in that rotor is used also, the old one also shown as a dotted line, but this time in the same position.
The Hagelin HX63
One late rotor machine design that has become known to the public is that of the Hagelin HX-63, which was offered for sale in the early 1960s, but was quickly phased out by electronic cipher devices. It had nine rotors, each with 41 contacts. As it enciphered a 26-letter alphabet, wires looped 15 of the rotor bank's output contacts back to its input. There were two plugboards with the machine; one scrambled the 26 plaintext letters on input, and another scrambled the 15 loopback connections. (It is somewhat surprising that a plugboard scrambling the plaintext on input was chosen over one scrambling the ciphertext on output: it would seem the latter would provide better protection against cryptanalysis, for the same reason that a Type II slide is to be preferred over a Type I slide.) The following diagram (not reproduced here) illustrates the wiring of an HX-63, showing the wires that are looped back and the plugboards.

It is described as having a "very irregular" motion of the rotors, and each rotor had a set of 41 switches the setting of which would vary the effective wiring of that rotor. Although I do not know what wiring scheme was chosen for those switches, one possibility is shown in a diagram that followed here in the original (not reproduced).
Friedman Squares and Symmetry of Position for Rotors
The alphabets produced by a single rotor in its various positions can be shown in a tableau similar to those used for Vigenere; such a table would look like this:

                          Plaintext
Rotor      A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
position
   A       L N K Y U W Z J X H E I A O G S P V C T D R B Q F M
   B       M J X T V Y I W G D H Z N F R O U B S C Q A P E L K
   C       I W S U X H V F C G Y M E Q N T A R B P Z O D K J L
   D       V R T W G U E B F X L D P M S Z Q A O Y N C J I K H
   E       Q S V F T D A E W K C O L R Y P Z N X M B I H J G U
   F       R U E S C Z D V J B N K Q X O Y M W L A H G I F T P
   G       T D R B Y C U I A M J P W N X L V K Z G F H E S O Q
   H       C Q A X B T H Z L I O V M W K U J Y F E G D R N P S
   I       P Z W A S G Y K H N U L V J T I X E D F C Q M O R B
   J       Y V Z R F X J G M T K U I S H W D C E B P L N Q A O
   K       U Y Q E W I F L S J T H R G V C B D A O K M P Z N X
   L       X P D V H E K R I S G Q F U B A C Z N J L O Y M W T
   M       O C U G D J Q H R F P E T A Z B Y M I K N X L V S W
   N       B T F C I P G Q E O D S Z Y A X L H J M W K U R V N
   O       S E B H O F P D N C R Y X Z W K G I L V J T Q U M A
   P       D A G N E O C M B Q X W Y V J F H K U I S P T L Z R
   Q       Z F M D N B L A P W V X U I E G J T H R O S K Y Q C
   R       E L C M A K Z O V U W T H D F I S G Q N R J X P B Y
   S       K B L Z J Y N U T V S G C E H R F P M Q I W O A X D
   T       A K Y I X M T S U R F B D G Q E O L P H V N Z W C J
   U       J X H W L S R T Q E A C F P D N K O G U M Y V B I Z
   V       W G V K R Q S P D Z B E O C M J N F T L X U A H Y I
   W       F U J Q P R O C Y A D N B L I M E S K W T Z G X H V
   X       T I P O Q N B X Z C M A K H L D R J V S Y F W G U E
   Y       H O N P M A W Y B L Z J G K C Q I U R X E V F T D S
   Z       N M O L Z V X A K Y I F J B P H T Q W D U E S C R G

This kind of table, for a rotor, is called a Friedman square. Just as a Vigenere table has a regularity, in that it shows the same alphabet in its rows (and columns) repeatedly, only shifted, here a regularity is visible as well, but it is subtler: the diagonals of this square are shifted regular alphabets (reading down one row and left one column, each letter is one earlier in the alphabet than the one before it). A powerful technique, symmetry of position, is used with polyalphabetic ciphers produced by mixed-alphabet slides. Since this table also has regularities, the same technique can be adapted to its structure. In a mixed-alphabet Vigenere, if the letters A and B become Q and V in one alphabet, and T and R in another, then Q and V are separated by the same distance as T and R in the cipher alphabet.
In a rotor machine where the entry rotor is the fast rotor, the principle is the same, except that now, if the fast rotor has moved one position between the two alphabets, the comparison would be between A and B becoming Q and V in one position, and Z and A becoming T and R in the other position. So in this case, the two mixed alphabets being considered are the one provided by the fast rotor, and the one provided by the other rotors. The shifts of the fast rotor need to be compensated for in the input. Similarly, if the output rotor were the fast rotor, the shifts would be adjusted for in the ciphertext letters.

What about the case when the input and output permutations to a rotor are both unknown? For example, when the fast rotor is in the middle of a stack of five rotors. At first, it might seem hopeless to apply symmetry of position to that case, because there seems no way to tell when an input or output in one case involves the same wire in the moving rotor as in another case. But there is a way to apply symmetry of position in this case, given enough text with overlapping key settings. Incidentally, if the entry and exit alphabets of the rotor machine as a whole are known, in the case we are considering, where rotor 3 is the fast rotor, positions where rotors 1, 2, 4, and 5 are all displaced by the same amount can also be used: the known plaintext, known ciphertext, and fast rotor position can all be translated to permit including known plaintext from such a key setting for comparison. One thing is assumed to be known: the position of the rotor being examined, which advances one step each time while the other rotors do not move. With nearly complete alphabets, some progress can definitely be made in this case. Another possibility does not produce certain results, only probable relationships.

Suppose that in position 1 of the rotor under study, plaintext A becomes ciphertext B; in position 7 of the rotor under study, plaintext C becomes ciphertext B; in position 11 of the rotor under study, plaintext C becomes ciphertext D; and in position 14 of the rotor under study, plaintext A becomes ciphertext D. This creates a closed cycle of equivalents, separated by a given pattern of rotor displacements. If we also knew that in position 2 of the rotor under study, plaintext W became ciphertext X; in position 8 of the rotor under study, plaintext Y became ciphertext X; in position 12 of the rotor under study, plaintext Y became ciphertext Z; and in position 15 of the rotor under study, plaintext W became ciphertext Z, then we might think it likely that the two structures correspond, and the same rotor wires are involved in corresponding steps of the two cases. If so, then W precedes A, and Y precedes C, on the input side of the rotor, and X precedes B, and Z precedes D, on the output side of the rotor, by exactly one position in each case.

Since all our elementary facts about the rotors are of the form perm(e7)=R7, that is, a relationship between one plaintext letter and its equivalent for one particular rotor position, there is no way to directly amass equations that can be used to solve for any direct facts about the structure of the rotor as an unknown; instead, differences and patterns have to be relied upon.
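An added Python example (not the page author's code) covering the Friedman square tabulated above and the symmetry-of-position case with the fast rotor at the entry of the stack. It builds the square from the page's own example wiring, checks the diagonal regularity, and then, treating the rotor wiring and the alphabet presented by the stationary rotors as both unknown, recovers them from observed (rotor position, plaintext, ciphertext) triples by chaining neighbouring cipher letters; the stationary alphabet and the intercept coverage are constructed assumptions.

```python
# Added example (not the page author's code): the Friedman square of the
# rotor wiring tabulated above, a check of its diagonal regularity, and the
# symmetry-of-position reconstruction for a fast rotor at the entry of the
# stack.  The wiring is the page's example; the alphabet that the stationary
# rotors present to the fast rotor's output is constructed.
import random

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
WIRING = "LNKYUWZJXHEIAOGSPVCTDRBQFM"   # the page's example rotor


def rotor(wiring, pos, x):
    """Output contact for input contact x when the rotor has stepped pos times
    'backwards', the convention of the text: row B of the square is row A's
    wiring read one contact further on, lowered by one."""
    n = len(wiring)
    return (ALPHABET.index(wiring[(x + pos) % n]) - pos) % n


def friedman_square(wiring):
    return ["".join(ALPHABET[rotor(wiring, pos, x)] for x in range(26))
            for pos in range(26)]


def diagonals_are_shifted_alphabets(square):
    """Along each diagonal with x + pos constant the letters fall by one per row."""
    for s in range(26):
        diag = [ALPHABET.index(square[pos][(s - pos) % 26]) for pos in range(26)]
        if any((diag[i] - diag[i + 1]) % 26 != 1 for i in range(25)):
            return False
    return True


def observations(wiring, stationary, coverage=1.0, seed=5):
    """Constructed intercept material: (rotor position, plaintext, cipher) for
    a fraction `coverage` of the alphabet at each of the 26 positions of the
    fast entry rotor, the other rotors (substitution `stationary`) at rest."""
    rng = random.Random(seed)
    return [(i, x, stationary[rotor(wiring, i, x)])
            for i in range(26) for x in range(26) if rng.random() < coverage]


def recover(obs):
    """Symmetry of position, entry rotor fast and of unknown wiring.  Plaintext
    x at position i and plaintext x-1 at position i+1 leave the rotor on
    neighbouring contacts, so their cipher letters are neighbours in the unknown
    stationary alphabet.  Chain those neighbours into the whole alphabet, then
    read the rotor wiring off the recovered contact numbers.  Both come out up
    to one common rotation, which the observations cannot fix."""
    table = {(i, x): c for i, x, c in obs}
    next_of = {}
    for (i, x), c in table.items():
        c2 = table.get(((i + 1) % 26, (x - 1) % 26))
        if c2 is not None:
            next_of[c] = c2        # c2 sits one contact below c
    if len(next_of) < 26:
        return None
    chain, c = [], next(iter(next_of))
    for _ in range(26):
        chain.append(c)
        c = next_of[c]
    stationary = "".join(reversed(chain))          # ascending contact order
    wiring = [None] * 26
    for (i, x), c in table.items():
        wiring[(x + i) % 26] = ALPHABET[(stationary.index(c) + i) % 26]
    if None in wiring:
        return None
    return "".join(wiring), stationary


def consistent(wiring, stationary, obs):
    return all(stationary[rotor(wiring, i, x)] == c for i, x, c in obs)


if __name__ == "__main__":
    square = friedman_square(WIRING)
    print("\n".join(square[:3]), diagonals_are_shifted_alphabets(square))
    hidden = "QWERTYUIOPASDFGHJKLZXCVBNM"           # constructed, unknown to the attacker
    found = recover(observations(WIRING, hidden, coverage=0.8))
    print(found, consistent(*found, observations(WIRING, hidden)))
```

The recovered pair reproduces every observation, including those not seen during reconstruction, even though only about 80 per cent of each alphabet was available; what cannot be settled is the common rotation of the two unknowns, which is exactly the "differences and patterns, not direct facts" limitation noted in the text.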
Entry Into a Rotor System
Symmetry of Position is a technique that is used to reconstruct rotor wirings when a large amount of information is available about the alphabets produced by a rotor. But how does one get started attacking ciphertext produced by a rotor machine?

Let us assume the simplest case, where one knows the initial positions of the rotors for each message, and where the fast rotor is the exit rotor. However, we can allow an unknown assignment of the exit contacts from the rotor bank to the display or printer of the rotor machine, and we will assume that only ciphertext is available. With the exit rotor the fast rotor, one has stretches, 26 letters long, where the fast rotor, in its different positions, is the only thing enciphering monalphabetically enciphered text. But each stretch deals with text enciphered in a different monalphabetic cipher, so how can that help us?

The chance that two texts, enciphered independently, will have the same letter at any given position, is 1/26. Two plain-language texts, or two texts enciphered in an identical manner by means of a polyalphabetic cipher, will have a greater number of coincidences; aligning messages on the basis of single letter coincidences is called the kappa test. But let us assume we do not have any overlapping rotor settings to help us. How can the principle of the kappa test help us?

Monalphabetically enciphered texts, even if they are not enciphered by the same monalphabetic cipher, still have one thing in common: they have an uneven frequency distribution. In English, the letter E makes up 12% of an average text, and the letter T makes up 9%. Twelve percent of 26 is just over three. Thus, one can take our stretches of 26 enciphered letters, and compare them with each other. When we find coincidences, it is likely that the monalphabetic substitutions which provided the inputs to the fast rotor in both cases used the same letter or letters as substitutes for one or more high-frequency plaintext letters.

Thus, in the ideal case, by coincidences we might find a number of stretches with many coincidences with each other, and in each of the 26 positions in a stretch, the letter involved in the most coincidences would be the substitute provided by the fast rotor for the particular letter that, for most of those stretches, was the substitute for plaintext E produced by the rest of the rotor machine. Since there are several high-frequency letters in English, the result is not likely to be that easily obtained; instead, there will be many possibilities, and the technique of symmetry of position, above, will be one of the things used to narrow down the possibilities.
The Interval Method
If you could rotate only one side of a rotor, then you would be guaranteed that for each of the 26 possible positions, every input letter would be connected to a different output letter. A special kind of rotor, called a half-rotor, can do this, by having contacts in a circle on one side, and bands around an axle on the other side. But this kind of rotor is bulky and expensive compared to a normal rotor.

To ensure that moving a rotor through its possible positions will produce 26 alphabets that are as different as possible, a method called the interval method can be used in wiring rotors: the displacement from each input contact to the output contact it is wired to (counted around the rotor, modulo the number of contacts) is made different for as many wires as possible. Edward Hebern originated this method himself; this perhaps is less surprising than it seems (one would, perhaps, have expected the master cryptologist W. F. Friedman to come up with it, for example) when one considers that his first rotor machine, made for use by users in the commercial world, only had one rotor in it.

Finding an interval method rotor sequence is related to solving the Eight Queens problem, except in this case the problem involves a chessboard that allows one to move off any edge and then back on at the opposite edge, and the "queens" can only move and capture along one diagonal, the same diagonal for all of them. A perfect solution is possible only on a board of odd order: seven queens on a 7x7 board, nine queens on a 9x9 board, but for this modified problem there is no solution for eight pieces.

A simple proof of this fact depends on properties of triangular numbers. The nth triangular number is (n^2+n)/2. If n is an odd number, this is a multiple of n, but if n is even, it is an odd multiple of n/2, and so not a multiple of n. On both sides of a rotor, one wire is connected to each contact. So, since the wires still connect contacts numbered 1 through n on one side to contacts numbered 1 through n on the other, the sum of the displacements must be equal to zero, modulo the size of the rotor. If one tries to use all possible displacements from 1 to n (or from 0 to n-1, if you prefer), then for even n the sum will be wrong. Here is an example of an interval method wiring:

From:        1  2  3  4  5  6  7  8  9
To:          5  4  3  2  1  9  8  7  6
Difference:  4  2  0  7  5  3  1  8  6
An interval method wiring for an even number of contacts will have exactly one possible difference omitted, and one repeated twice. Fortunately, while the above example of an interval method sequence is highly symmetrical, there are many possible arrangements that satisfy the interval criterion, and most appear almost random. Here is another example of an interval method wiring, this time for a 26-contact rotor:

From:        A  B  C  D  E  F  G  H  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z
To:          L  N  K  Y  U  W  Z  J  X  H  E  I  A  O  G  S  P  V  C  T  D  R  B  Q  F  M
Difference: 11 12  8 21 16 17 19  2 15 24 20 23 14  1 18  3 25  4 10  0  9 22  5 19  7 13

Here, only the difference of 6 is omitted, and only the difference of 19 occurs twice. Note that it is the alphabet used for constructing the example of a Friedman square on the previous page.
Table of the number of interval method wirings

                    Ignoring rotations of   Ignoring rotations
                    the whole rotor and     of the whole rotor            All
                    of one side by itself
 1-contact rotors:                                      1                   1
 2-contact rotors:            1                         2                   2
 3-contact rotors:                                      1                   3
 4-contact rotors:            1                         4                  16
 5-contact rotors:                                      3                  15
 6-contact rotors:            4                        24                 144
 7-contact rotors:                                     19                 133
 8-contact rotors:           32                       256               2,048
 9-contact rotors:                                    225               2,025
10-contact rotors:          464                     4,640              46,400
11-contact rotors:                                  3,441              37,851
12-contact rotors:        8,768                   105,216           1,262,592
13-contact rotors:                                 79,259           1,030,367
14-contact rotors:      227,008                 3,178,112          44,493,568
15-contact rotors:                              2,424,195          36,362,925
16-contact rotors:    7,814,144               125,026,304       2,000,420,864
17-contact rotors:                             94,471,089       1,606,008,513

where the number of odd-contact rotors in the third column is from integer sequence A006717 in the Handbook of Integer Sequences, while the number of even-contact rotors is calculated by my own computer program. Note that, in the case of 2-contact rotors, one does not multiply by n (which is 2) going from the second to the third column, because in that case the arrangements are symmetric.

The same type of backtracking algorithm as is used to solve the Eight Queens problem was used in my program to generate the numbers for even-contact rotors, but instead of trying various permutations of the output contact numbers from 1 to n, I instead tried permutations of the set of intervals I was using. This let me exploit a symmetry (instead of considering all possibilities for the duplicated and omitted intervals, I only needed to work with one), and divide the number of arrangements I generated by n, as well as reducing the number of levels the program went through to build an arrangement by one, since the two duplicate intervals of zero were fixed by an outer loop.
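An added Python example (not the page author's program, which is described above but not reproduced) that checks a wiring against the interval criterion and counts interval wirings for small rotors by plain backtracking over output contacts. Its counts can be compared with the "All" column of the table; the two wirings it checks are the page's own 9-contact and 26-contact examples, renumbered from zero.

```python
# Added example (not the page author's code): checking a rotor wiring against
# the interval criterion and counting interval wirings of small rotors by
# backtracking, so that the figures in the table above can be verified.
# Contacts are numbered 0..n-1; a wiring lists, for each input contact, the
# output contact it is connected to.
from collections import Counter

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def intervals(wiring):
    """Displacement (output minus input, modulo n) of every wire."""
    n = len(wiring)
    return [(out - i) % n for i, out in enumerate(wiring)]


def is_interval_wiring(wiring):
    """Odd n: all n displacements distinct.  Even n: that is impossible (the
    triangular-number argument in the text), so exactly one displacement is
    used twice and exactly one is omitted."""
    n = len(wiring)
    counts = Counter(intervals(wiring))
    if n % 2:
        return len(counts) == n
    return len(counts) == n - 1 and max(counts.values()) == 2


def count_interval_wirings(n):
    """Number of interval wirings of an n-contact rotor (the "All" column):
    backtracking over output contacts, pruning as soon as a displacement
    would be used more often than the criterion allows."""
    used_out = [False] * n
    used_int = [0] * n

    def extend(i, dups_left):
        if i == n:
            return 1
        total = 0
        for out in range(n):
            if used_out[out]:
                continue
            d = (out - i) % n
            if used_int[d] == 0:
                left = dups_left
            elif used_int[d] == 1 and dups_left:
                left = dups_left - 1
            else:
                continue
            used_out[out] = True
            used_int[d] += 1
            total += extend(i + 1, left)
            used_out[out] = False
            used_int[d] -= 1
        return total

    return extend(0, 1 if n % 2 == 0 else 0)


def wiring_from_letters(s):
    """The page's letter notation ('A is wired to L', ...) as contact numbers."""
    return [ALPHABET.index(c) for c in s]


if __name__ == "__main__":
    page26 = wiring_from_letters("LNKYUWZJXHEIAOGSPVCTDRBQFM")
    print(is_interval_wiring(page26), sorted(Counter(intervals(page26)).items()))
    nine = [4, 3, 2, 1, 0, 8, 7, 6, 5]          # the 9-contact example, from 0
    print(is_interval_wiring(nine), intervals(nine))
    print([count_interval_wirings(n) for n in range(1, 9)])   # 1 2 3 16 15 144 133 2048
```

For the even sizes the search allows at most one duplicated displacement; since an all-distinct assignment cannot exist for even n, that is the same as demanding exactly one duplicate and one omission. The counts here are of all permutations, so they correspond to the "All" column; dividing by n (for n above 2) gives the middle column, as the text notes.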
Isomorphs
It is possible to break even the complicated cipher produced by a rotor machine. This is especially so when only one rotor moves with every letter enciphered, that rotor is at either the input or the output end of the rotor stack, and no other rotor moves more often than once every 26 letters. Having some cribs, that is, known plaintext for a number of cipher messages, will of course be helpful, as will cracking the 'indicator system', the method by which the sender tells the recipient the starting positions of the rotors for each message.

When only one rotor moves, the rest of the machine stands still, and the moving rotor is on the outside, the only difference between the cipher applied during one such period of 26 letters and that applied during any other is a monoalphabetic substitution. With enough overlapping cribs, one may be able to reconstruct little pieces of the fast rotor relative to more than one of the monoalphabetic substitutions produced by the other rotors, and it may even be possible to link these pieces together. As soon as it becomes possible to nullify the effect of the fast rotor, messages become almost trivial to solve.

If you know the wiring of all the rotors, you have some known plaintext, and the fast rotor is on the outside, the procedure is to try each rotor, in each of its 26 rotational positions, as the fast rotor (130 trials for a machine with five rotors) until you find one that produces a monoalphabetic result. If the fast rotor is on the output side, you use it to decipher the ciphertext; if it is on the input side, you use it to encipher the plaintext. Either way, if the plaintext and ciphertext can be made to match, so that repeated letters in both line up, you have found an isomorph.
Note that while frequent or complicated rotor movement can make it impossible to mount an isomorph attack, placing the fast rotor in the middle of the rotor stack only makes such an attack more difficult, since one then has mixed alphabets to deal with, and they will not be the same in all messages; it does not make attacks based on this principle completely impossible.
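The 130-trial search described above, as an added example that is not part of the original page. The model is deliberately the simple one the text assumes: within one 26-letter window only the fast rotor moves, one step per letter, and everything else in the machine is a single fixed substitution. The five rotor wirings, the fixed substitution and the crib are constructed here with a seeded generator; the rotor convention (contact x entering a rotor at position p leaves at w[x+p] - p, mod 26) is an assumption of this example.

```python
import random
import string

N = 26
ALPHA = string.ascii_uppercase

def rotor_forward(wiring, pos, x):
    """Signal entering contact x of a rotor turned to position pos."""
    return (wiring[(x + pos) % N] - pos) % N

def rotor_backward(wiring, pos, y):
    """Inverse path: which entry contact leaves at contact y."""
    return (wiring.index((y + pos) % N) - pos) % N

def random_rotor(rng):
    w = list(range(N))
    rng.shuffle(w)
    return w

def encipher_window(plain, fast, start, fixed, side):
    """One window of a machine in which only `fast` moves (one step per letter,
    starting at `start`); the rest of the machine is the fixed substitution `fixed`.
    side = "output": fast rotor nearest the lamps; "input": nearest the keyboard."""
    out = []
    for i, p in enumerate(plain):
        pos = (start + i) % N
        if side == "output":
            out.append(rotor_forward(fast, pos, fixed[p]))
        else:
            out.append(fixed[rotor_forward(fast, pos, p)])
    return out

def find_isomorphs(rotors, plain, cipher, side):
    """Try every rotor at every starting position as the fast rotor (5 x 26 = 130
    trials for five rotors).  Strip its effect and keep the hypotheses under which
    what remains is one consistent, one-to-one monoalphabetic substitution."""
    hits = []
    for r, w in enumerate(rotors):
        for start in range(N):
            fwd, rev = {}, {}
            consistent = True
            for i, (p, c) in enumerate(zip(plain, cipher)):
                pos = (start + i) % N
                if side == "output":
                    key, val = p, rotor_backward(w, pos, c)   # undo fast rotor on ciphertext
                else:
                    key, val = rotor_forward(w, pos, p), c    # apply fast rotor to plaintext
                if fwd.get(key, val) != val or rev.get(val, key) != key:
                    consistent = False
                    break
                fwd[key], rev[val] = val, key
            if consistent:
                hits.append((r, start))
    return hits

def to_idx(text):
    return [ALPHA.index(ch) for ch in text]

# Constructed setup: five rotors, an unknown fixed substitution, and a crib shorter
# than one 26-letter window (its repeated letters are what make the test decisive).
RNG = random.Random(2024)
ROTORS = [random_rotor(RNG) for _ in range(5)]
FIXED = random_rotor(RNG)
CRIB = to_idx("ATTACKATDAWNONTHEEASTERN")

def demo(side="output", rotor=2, start=17):
    """Encipher the crib with ROTORS[rotor] as the fast rotor at `start`, then run
    the isomorph search and return the (rotor, start) hypotheses that survive."""
    cipher = encipher_window(CRIB, ROTORS[rotor], start, FIXED, side)
    return find_isomorphs(ROTORS, CRIB, cipher, side)

if __name__ == "__main__":
    print(demo("output"), demo("input", rotor=4, start=3))
```

A wrong hypothesis survives only if every repeated crib letter happens to strip to the same value and distinct letters stay distinct, which with a crib of this length is vanishingly unlikely, so the search returns the true fast rotor and its position and nothing else.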
PURPLE, CORAL, and JADE
The Japanese cipher machine which the American cryptanalysts codenamed CORAL is perhaps the easiest to understand of the three. All three machines were built from common telephone stepping switches. These switches had six input wires. Each wire was connected to a wiper, and each wiper could make contact with one of twenty-five terminals. All six wipers moved together, and each one had its own set of 25 terminals to contact. A solenoid controlled the movement of the wipers. When a current pulse was fed to it, the wipers advanced one position, except that, if the wipers were already at position 25, a spring caused the wipers to go back to the first position. Thus, although the 25 terminals were arranged in a semicircle, the switch acted as though they formed a full circle, with stepping in only one direction.

In CORAL, a stack of five stepping switches (five switches of six wipers each give 30 paths, enough for 26 letters) did the same job as a rotor in a Hebern rotor machine: 26 input wires carried current to 26 outputs, in 25 different ways. The alphabets for each of the 25 wiper positions, unlike the alphabets for the different positions of a rotor, were completely independent and unrelated.

JADE was just about the same as CORAL, except that it was used to encipher messages written with the Japanese katakana syllabary, which has 48 symbols. Thus, it added a shift key to the keyboard. The shifts weren't enciphered; only a 25-symbol alphabet was, giving equivalents to the 48 kana and the two diacritical marks used with katakana.

PURPLE, the earliest of the three machines, had a somewhat stranger structure. A plugboard selected 20 letters of the alphabet to be enciphered through banks of four stepping switches. The other six letters were enciphered by means of only one stepping switch. This division of the alphabet was easily detected through frequency counts, and was perhaps the most serious weakness of the machine.
(Another very serious weakness, and also a strong contender for the title of "most serious", was the fact that the stepping switch banks were, for obvious reasons, not removable, so one could never perform the operation equivalent to changing the rotor order.)

The following diagram attempts, with many parts omitted, to illustrate how PURPLE worked. The plugboard reassigned letters for both input and output. The stepping switches are drawn with only fifteen tick marks around them, representing the 25 contacts each wiper actually has. For only one wiper position of each switch, or bank of ganged switches, is the scrambled arrangement in which its wires connect to the corresponding wires of the next stage shown. The 20 versus 6 division is nonetheless easily visible in the diagram, as is the general arrangement of the device.
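Two of the points made above can be shown in code; this is an added example, not a reconstruction of any of the three machines. First, a rotor's 26 alphabets are all the same wiring seen through a shift, so a stage that behaves like a rotor can be recognised from its sequence of alphabets, whereas a stepping-switch bank's 25 alphabets are unrelated. Second, PURPLE's structure means the six letters routed through the single switch can only ever produce six ciphertext letters, which is the partition that frequency counts revealed. The toy machine below copies only that structure; its wirings are random, and the odometer-style stepping it uses for the three twenties banks is an assumption of this example, not a description of the real machine.

```python
import random

N = 26

def rotor_alphabet(wiring, pos):
    """Alphabet a rotor presents at position pos (the wiring conjugated by a shift)."""
    return [(wiring[(x + pos) % N] - pos) % N for x in range(N)]

def is_rotor_like(alphabets):
    """Could this sequence of observed alphabets, one per step, have come from a
    single rotor?  Each must be the first alphabet conjugated by the step count."""
    first = alphabets[0]
    return all(a == rotor_alphabet(first, k) for k, a in enumerate(alphabets))

class SwitchBank:
    """A bank of ganged 25-point stepping switches used as one enciphering stage for
    `size` wires.  Each of the 25 wiper positions has its own alphabet, chosen
    independently of the others, unlike the alphabets of a rotor."""
    def __init__(self, rng, size):
        self.alphabets = []
        for _ in range(25):
            a = list(range(size))
            rng.shuffle(a)
            self.alphabets.append(a)
        self.pos = 0

    def alphabet(self):
        return self.alphabets[self.pos]

    def step(self):
        self.pos = (self.pos + 1) % 25   # from position 25 the spring returns it to 1

class ToyPurple:
    """Structure of PURPLE only: a plugboard sends six letters through one switch bank
    and the other twenty through three banks in series; a second plugboard assigns
    the output letters.  Odometer stepping of the twenties banks is assumed."""
    def __init__(self, rng, sixes):
        self.sixes = sorted(sixes)
        self.twenties = [c for c in range(N) if c not in self.sixes]
        self.six_bank = SwitchBank(rng, 6)
        self.twenty_banks = [SwitchBank(rng, 20) for _ in range(3)]
        self.out_plug = list(range(N))
        rng.shuffle(self.out_plug)

    def encipher_letter(self, p):
        if p in self.sixes:
            wire = self.six_bank.alphabet()[self.sixes.index(p)]
            c = self.out_plug[self.sixes[wire]]
        else:
            wire = self.twenties.index(p)
            for bank in self.twenty_banks:
                wire = bank.alphabet()[wire]
            c = self.out_plug[self.twenties[wire]]
        self.step()
        return c

    def step(self):
        self.six_bank.step()
        self.twenty_banks[0].step()
        if self.twenty_banks[0].pos == 0:
            self.twenty_banks[1].step()
            if self.twenty_banks[1].pos == 0:
                self.twenty_banks[2].step()

def image_set(machine, letters, rounds):
    """Every ciphertext letter the given plaintext letters produce over `rounds`
    passes.  For the sixes this is always the same six letters: the leak."""
    seen = set()
    for _ in range(rounds):
        for p in letters:
            seen.add(machine.encipher_letter(p))
    return seen

def demo(seed=7):
    rng = random.Random(seed)
    w = list(range(N))
    rng.shuffle(w)
    bank = SwitchBank(rng, N)
    m = ToyPurple(rng, sixes=[0, 4, 8, 14, 20, 24])      # A E I O U Y, constructed
    return {
        "rotor_like": is_rotor_like([rotor_alphabet(w, k) for k in range(N)]),
        "switch_like": is_rotor_like(bank.alphabets),
        "sixes_out": image_set(m, m.sixes, 100),
        "twenties_out": image_set(m, m.twenties, 100),
        "expected_sixes": {m.out_plug[s] for s in m.sixes},
    }

if __name__ == "__main__":
    d = demo()
    print(d["rotor_like"], d["switch_like"], sorted(d["sixes_out"]))
```

With real traffic the six ciphertext letters carry the combined frequency of the six plaintext letters behind them, which is how the partition is found without any known plaintext; the toy only shows that the partition is there to be found.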
The Enigma
In 1974, the British government permitted the disclosure of the story of the decipherment of the German Enigma cipher machine in World War II. That the Enigma had been broken by the Allies in World War II was not, however, actually secret up until that time: the account of the capture of the German submarine U-505 in David Kahn's book The Codebreakers, from 1967, notes not only that a German cipher machine was captured along with its monthly keys, but that messages on machines of this type were already being read, "with the help of a mass of machinery that filled two buildings". Also, the book The Broken Seal by Ladislas Farago referred to a meeting between British and U.S. representatives to discuss a swap of American information on PURPLE for British information on the Enigma (the Americans were generous, but went away empty-handed at the time; Britain very shortly thereafter relented, as was later revealed). But only after 1974 did the details of this cryptanalytic feat emerge.

Despite some continued secrecy, it can fairly be said that the cryptanalysis of the Enigma is the only case in which not merely the story of an isolated cryptanalytic success, but the ongoing saga of coping with changes in a cipher system, has become public. Because of the intense concern in the United States about whether or not the Japanese attack on Pearl Harbor could somehow have been prevented, it was officially revealed quite shortly after the war that cryptanalysts working for the U.S. Government and Armed Forces had solved both Japanese codes and Japanese ciphers, including the cipher produced by the so-called "PURPLE machine". Had this not been the case, perhaps this would have been kept secret for as long as the British success in cracking the cipher of the Enigma machine, as a result of the normal reticence of nations concerning matters relating to an activity of such high sensitivity.
As well, given the role of Polish nationals in the early part of the Enigma story, a genuine concern to avoid any of them still residing in Poland being summoned for, at the least, debriefing, may well have been a consideration. As to the sale of used Enigmas, I would think that the rule of caveat emptor, rather than any imputation of fraud, would be applicable.

Starting with the commercial Enigma C, the Enigma differed from other rotor machines (although, later, the British Typex and a commercial machine from Ottico Meccanica Italiana were based on it) in that the electrical signal for a plaintext letter did not just go in one end of the rotor stack and out the other, but was also sent back through the rotors the other way by a reflecting rotor. This strengthened the cipher in some ways, but also gave it important weaknesses. And it also meant that quite a number of unique cryptanalytic techniques were developed for the Enigma which were specific to it. In comparison, CORAL, although a more difficult target, would still be approached with almost the same techniques as would be used against a Hebern rotor machine, with the exception that the unrelated nature of the alphabets provided by a stepping switch increased the amount of text required for applying those techniques.
* Basic Principles of the Enigma
* The Uhr Box
* The Enigma A and Enigma B
* Relatives of the Enigma
* Cryptanalysis of the Enigma
  * Cliques on the Rods
  * Indicators and Jefferys Sheets
  * The Bombe and the Diagonal Board
Basic Principles of the Enigma
The Enigma had a stack of three or four normal rotors, not in principle unlike those in a Hebern machine. They had 26 contacts in a circle on each side, those on one side were connected in a scrambled order to those on the other, and the rotors moved to vary their effects on the alphabet. There was a mechanical difference: the rotors had plain contacts on one side, and spring-loaded contacts on the other. A Hebern machine had only plain contacts on its rotors, and the machine itself therefore needed twice as many spring-loaded contacts as a permanent part of the machine. This cut total costs for an Enigma, but it meant that rotors were more expensive, and indeed during the war the German forces kept on using their old rotors, only gradually adding the odd new one to the set.

In addition to the contacts and the wires between them, a rotor often has two other parts of significance to the cipher it will generate which are often overlooked. Like the wheels in an odometer or a mechanical adding machine, rotors in some rotor machines include what is essentially a gear with one tooth, to cause the next rotor to move one position forwards at one point in its own rotation. Some rotor machines, of course, use completely different principles to move the rotors; the Hebern machine did use this principle, but still kept that part of the gearing physically separate from the rotor itself. Also, the rotor has to be labelled, so that there is some way of recording and communicating the starting position in which the rotors of a rotor machine are to be set. Otherwise, the two parties to a communication will be unable to set up their machines the same way. On the Hebern machine, the rotor itself was marked. In the Enigma, a movable alphabet ring was labelled with the letters identifying rotor positions. The rotor itself, of course, was also marked, so that alphabet ring settings could be written down too.
The notch that determined when one rotor would cause the next slower one to advance was cut in the alphabet ring rather than in the rotor core. This is quite important to note, as it determined how methods of exploiting the Enigma's indicator method would work, and how the Bombe had to be designed.

But the main distinguishing feature of the Enigma was its reflecting rotor. Instead of plaintext going in one end and ciphertext coming out the other, the reflecting rotor, with the 26 contacts on its one side connected to each other in pairs in a scrambled fashion, caused the electrical signal to go through the rotors a second time in the opposite direction, coming out on the same side it came in, but at a different contact. This meant that two contacts on the entrance side of the rotor stack were "live" at once. Instead, therefore, of the switch operated by a typewriter key on the Enigma merely connecting the battery to the proper contact of the outermost rotor, it took the contact of that rotor, disconnected it from the lamp under the same letter, and connected it to the battery.

As an extra security feature, the Enigmas used by German forces during World War II included a plugboard. The wires leading from the lamps and keyboard to the rotors were all cut, and then wired to a socket that acted like the socket for a phone plug. If nothing was plugged in, the two wires to the socket were connected together. If a plug was inserted, the two wires were not connected to each other; instead, each one was connected to one of the two contact points in the plug. Although a commercial Enigma, modified by Polish cryptanalysts to match a military Enigma, used phone plugs, the plugs in the plugboard of the actual Enigma had two prongs, but they still functioned electrically in the same way as phone plugs. So, think of 26 phone plug sockets, and a set of ten cords with a phone plug at each end, with the tip at one end wired to the shaft at the other end, and you will have an accurate electrical picture of the plugboard of the Enigma.

[ASCII diagram of the Enigma not reproduced here: it showed the Slow, Medium and Fast rotors with the reflecting rotor, the lamps, the keyboard and the plugboard.] And here is a similar diagram in graphic form:
To make it simple to understand the principle which allows pressing a key on the Enigma to light the lamp to which the key is connected through the rotors, but not the lamp connected to the key itself, the wires in the diagram have been coloured red and blue, depending on whether they are at a positive or negative potential (I've chosen the battery orientation in the diagram arbitrarily for clarity, and do not claim it matches that of the actual Enigma); wires carrying current are shown in a lighter red or blue and, where convenient, thicker, with little yellow arrowheads showing the direction of current.

The Germans themselves broke messages transmitted by Republican forces during the Spanish Civil War on conventional Enigma machines without plugboards. And it was the plugboard, more than anything else, that convinced them that the Enigma was unbreakable.

The rotor wirings of the Naval Enigma, most of which were also used by the Wehrmacht, were as follows. Each line gives, for input contacts A to Z in order, the output contact each is wired to; the last column gives the letter showing in the window when the rotor carries the next rotor forward. Rotors used only in the Naval Enigma are marked with an asterisk.

  Input contact:   ABCDEFGHIJKLMNOPQRSTUVWXYZ   In window for "carry"

  Rotor I:         EKMFLGDQVZNTOWYHXUSPAIBRCJ   Q
  Rotor II:        AJDKSIRUXBLHWTMCQGZNPYFVOE   E
  Rotor III:       BDFHJLCPRTXVZNYEIWGAKMUSQO   V
  Rotor IV:        ESOVPZJAYQUIRHXLNFTGKDCMWB   J
  Rotor V:         VZBRGITYUPSDNHLXAWMJQOFECK   Z
* Rotor VI:        JPGVOUMFYQBENHZRDKASXLICTW   M, Z
* Rotor VII:       NZJHGR CXMYSWBOUFAIVLPEKQDT   M, Z
* Rotor VIII:      FKQHTLXOCBJSPDZRAMEWNIUYGV   M, Z

Thick reflecting rotors:

  B:               YRUHQSLDPXNGOKMIEBFZCWVJAT
  C:               FVPJIAOYEDRZXWGCTKUQSBNMHL

Extra ("Greek") rotors inserted before the thin reflecting rotors:

* Beta:            LEYJVCNIXWPBQMDRTAKZGFUHOS
* Gamma:           FSOKANUERHMBTIYCWLQPZXVGJD

Thin reflecting rotors:

* B:               ENKQAUYWJICOPBLMDXZVFTHRGS
* C:               RDOBJNTKVEHMLFCWZAXGYIPSUQ

The first five regular rotors and the two thick reflecting rotors were used by both the Wehrmacht and the Navy. Only the Navy used the last three regular rotors, numbers VI through VIII, and the pairs of thin rotors, a Greek rotor plus a thin reflecting rotor, which together replaced the ordinary reflecting rotor. Each rotor other than a reflecting rotor is described this way: the line at the top, with the letters in order from A to Z, identifies the contacts on the side of the rotor facing the wires from the keyboard and lamps, and the table entry is the contact on the side facing the reflecting rotor to which that contact is connected, when the alphabet ring is in the A position and A is the letter showing through the window at the top of the machine.

While this form of the Enigma was used by the Wehrmacht, and by the Navy with improvements, other forms of the Enigma were used during the war by other military and governmental organizations within Nazi Germany. One of the most famous is the Abwehr Enigma, which used rotors with 11, 15, or 17 notches, but which had no plugboard. Its keyboard had numerals and punctuation marks on the keys above the letters. The Mil Amt, which succeeded the Abwehr, used a machine with a set of six rotors, all with nine notches. The Railway Enigma was an Enigma with a typewriter-keyboard entrance permutation, like the commercial Enigma C and Enigma D. Although the Army and Navy continued to use their original rotors throughout the war, each of the other groups using Enigmas used its own rotor wirings. This was a natural security precaution.
Probably the reason the other Enigmas in use did not have plugboards is also that security kept the groups using Enigma machines from knowing about the Enigmas used by other groups: it may well be that the different Enigmas were made in separate factories. However, the Mil Amt seems to have learned the same lesson as was applied in the Naval Enigma, by switching to rotors all having the same notches.
The Uhr Box
The Uhr box was a replacement for the patch cords that were plugged into the Enigma's plugboard. Each day, the relationship between the alphabet and the contacts on the Enigma's rotors was changed in accordance with the daily key by plugging in the patch cords as it specified. I am indebted to some USENET posts, in reply to questions of my own concerning the Uhr box, by Frode Weierud from Switzerland in clearing up some of the details about how it worked. The facts he provided allowed me to propose a tentative reconstruction of how the Uhr box might have been wired internally.

By using the cords coming out of the Uhr box instead, it became convenient to change the plugboard setting more often, because it could be changed just by turning the knob on top of the Uhr box. The knob had forty settings, numbered from 0 to 39. These settings were indicated by a two-letter code, given by a sticker on the lid of the Uhr box. When set to setting 0, the Uhr box acted like a set of ordinary patch cords. Of the twenty plugs coming out of the Uhr box, ten were painted white, and ten were painted red. The plugs in the two groups were numbered from 1 to 10, and each pair of one red plug and one white plug bearing the same number behaved like a patch cord in setting 0. Even in other settings, although the connections between the input of one plug and the output of another plug were now scrambled, it was still true that the input of any red plug was always connected to the output of a white plug, and the input of any white plug was always connected to the output of a red plug.

Because patch cords always connected their input and output to the output and input on the other end, they produced a reciprocal permutation of the alphabet. The Uhr box allowed this to be avoided.
This didn't change the fact that the Enigma's cipher as a whole was reciprocal: the permutations of the Enigma's individual rotors weren't reciprocal either, yet the cipher of the machine as a whole was, since the reflecting rotor caused the electrical signal from the keyboard to the glow-lamps to go through each rotor twice, first one way and then the other. The same was true of the Uhr box. But the fact that ordinary patch cords produced a permutation which was reciprocal on, as it were, a second level did prove helpful to British cryptanalysts. For one thing, it permitted an adjunct to the Bombe called the 'diagonal board', which allowed it to be both more versatile and more effective.
Reconstruction of the Uhr box
Based on these facts concerning the Uhr box, I had suspected that it may have been wired as follows: The knob on the Uhr box would have turned what was, essentially, a reflecting rotor with 40 contacts. These 40 contacts could be thought of as being labeled with the letters ABCDABCDABCD... over and over again. The contacts marked A would all have wires connecting them to the contacts marked C, but in scrambled order. Similarly, the contacts marked B would all be connected to the contacts marked D, again in a scrambled order. The contacts in the box which connected to this movable reflecting rotor would also be divided into four groups, which we can also think of as being labelled ABCDABCDABCD... and so on. The input contacts from the red plugs would be connected to the contacts marked A, and since these were always to be connected to the output contacts of the white plugs, those would be connected to the contacts marked C. Similarly, the input contacts from the white plugs could go to the contacts marked B, and the output contacts from the red plugs to the contacts marked D. The order in which the plugs were connected to the contacts would match the scrambled wiring in the 40contact reflecting rotor, so that when it was set to position 0, the desired objective of emulating plain patch cords would be achieved. It would be possible, although unnecessary, for all the input contacts, for example, from the patch cord plugs to be wired in numerical order around the circle. The following diagram may make the description of my tentative reconstruction of the Uhr box clearer:
However, a paper in the July 1999 issue of Cryptologia has now explained the actual workings of the Uhr box, and it differed somewhat from my tentative reconstruction. Instead of having 40 contacts, the reflecting rotor that was the heart of the Uhr box had 80 contacts, of which only 40 were used at any one time. The contacts on the reflecting rotor were in two consecutive rings of 40 contacts, and either the even or odd ones were used in any position. Thus, the contacts on the Uhr box were in two rings of 20. The outer ring was wired to the red plugs, and the inner ring was wired to the white plugs. In both rings, the evennumbered contacts of the Uhr box were wired to the thick pin of the two pins on the plugs. The wires from the red plugs were wired to these contacts in order, but those from the white plugs were wired in a scrambled fashion.
Essentially, therefore, the Uhr box worked somewhat like my hypothetical reconstruction, except that it had two sets of scrambled wirings, each one of which could be rotated to only half as many positions. However, there was another peculiarity of the wiring of the Uhr box that led to a weakness. Although the wires from the white plugs were not wired to the Uhr box contacts in order, they were wired to those contacts in pairs. This meant that of the two wirings in the reflecting rotor, one, in order to allow the zero setting to emulate ordinary plugboard wires, had to take pairs of contacts (with a contact in between belonging to the other wiring) to pairs of contacts in the other ring, reversing the two elements in the pair (so as to take a large pin from a red plug to a small pin on a white plug and vice versa). This meant that every fourth setting of the Uhr box behaved like a set of conventional plugboard wires. A diagram of the actual Uhr box may help to make its design clearer:
In this diagram, only those wires in the rotor are shown that belong to the set used in the zero position; they reflect the flaw in the device that makes every fourth setting (every second setting using that set of wires) reciprocal. The Uhr box is shown set in the zero position. Because of the extra complexity of inner and outer contacts, a more schematic diagram, rather than one showing the rotor contacts in a circle, is given.
While the Uhr box did not do much by itself, only providing a fixed substitution that did not change during a message, this kind of design illustrates how one could, for example, build an interesting type of rotor machine for a 26letter alphabet using especiallywired 52contact rotors. The idea of wiring a rotor with a number of contacts that is a multiple of the size of the alphabet used, so that it acts like two different rotors that are used alternately, also will surface in the Hagelin B21, which we will meet later. Another enhancement used on some Enigmas late in the war was a reflecting rotor that could be completely rewired by the user based on a daily key.
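The following Python simulator is an added example, not the author's or any project's code, and it serves two passages: the wiring table and stepping description under "Basic Principles of the Enigma", and the point made above that the Uhr box's non-reciprocal plugboard substitution leaves the machine's cipher reciprocal. It uses the rotor and reflector wirings from that table, the standard double-stepping of the three moving rotors, and a plugboard that accepts any permutation. The `uhr_like` permutation is a constructed stand-in for the Uhr box's input/output discipline (red inputs to white outputs and vice versa), not its real wiring, and the plug colouring is made up; the check vector AAAAA -> BDZGO for rotors I, II, III with reflector B and all settings at A is the commonly quoted one.

```python
import string

ALPHA = string.ascii_uppercase
N = 26

# Wirings from the table under "Basic Principles of the Enigma": for input contacts
# A..Z, the output contact each is wired to, plus the window letter(s) at which the
# rotor carries the next one.  Beta and Gamma sit left of the moving rotors, never step.
ROTORS = {
    "I":     ("EKMFLGDQVZNTOWYHXUSPAIBRCJ", "Q"),
    "II":    ("AJDKSIRUXBLHWTMCQGZNPYFVOE", "E"),
    "III":   ("BDFHJLCPRTXVZNYEIWGAKMUSQO", "V"),
    "IV":    ("ESOVPZJAYQUIRHXLNFTGKDCMWB", "J"),
    "V":     ("VZBRGITYUPSDNHLXAWMJQOFECK", "Z"),
    "VI":    ("JPGVOUMFYQBENHZRDKASXLICTW", "MZ"),
    "VII":   ("NZJHGRCXMYSWBOUFAIVLPEKQDT", "MZ"),
    "VIII":  ("FKQHTLXOCBJSPDZRAMEWNIUYGV", "MZ"),
    "Beta":  ("LEYJVCNIXWPBQMDRTAKZGFUHOS", ""),
    "Gamma": ("FSOKANUERHMBTIYCWLQPZXVGJD", ""),
}
REFLECTORS = {"B": "YRUHQSLDPXNGOKMIEBFZCWVJAT", "C": "FVPJIAOYEDRZXWGCTKUQSBNMHL",
              "B-thin": "ENKQAUYWJICOPBLMDXZVFTHRGS", "C-thin": "RDOBJNTKVEHMLFCWZAXGYIPSUQ"}

class Enigma:
    def __init__(self, rotors, reflector, rings="AAA", positions="AAA", plugboard=None):
        """rotors: names left to right (three, or four with a Greek rotor first).
        plugboard: any permutation of A..Z as a string; patch cords give an
        involution, an Uhr box gives a permutation that is not one."""
        self.wirings = [[ALPHA.index(c) for c in ROTORS[r][0]] for r in rotors]
        self.notches = [{ALPHA.index(c) for c in ROTORS[r][1]} for r in rotors]
        self.reflector = [ALPHA.index(c) for c in REFLECTORS[reflector]]
        self.rings = [ALPHA.index(c) for c in rings]
        self.pos = [ALPHA.index(c) for c in positions]
        self.plug = [ALPHA.index(c) for c in (plugboard or ALPHA)]

    def window(self):
        return "".join(ALPHA[p] for p in self.pos)

    def step(self):
        # Only the three rightmost rotors move.  The middle rotor steps when the
        # right rotor shows its notch letter, and also steps itself (carrying the
        # left rotor) when it shows its own: the Enigma's double step.
        r, m, l = len(self.pos) - 1, len(self.pos) - 2, len(self.pos) - 3
        if self.pos[m] in self.notches[m]:
            self.pos[l] = (self.pos[l] + 1) % N
            self.pos[m] = (self.pos[m] + 1) % N
        elif self.pos[r] in self.notches[r]:
            self.pos[m] = (self.pos[m] + 1) % N
        self.pos[r] = (self.pos[r] + 1) % N

    def _rotor(self, k, x, forward):
        w = self.wirings[k]
        off = (self.pos[k] - self.rings[k]) % N    # the ring setting turns the core
        if forward:
            return (w[(x + off) % N] - off) % N
        return (w.index((x + off) % N) - off) % N

    def press(self, letter):
        """Step, then keyboard -> plugboard -> rotors right to left -> reflector ->
        rotors left to right -> back through the plugboard the other way -> lamp."""
        self.step()
        x = self.plug[ALPHA.index(letter)]
        for k in reversed(range(len(self.wirings))):
            x = self._rotor(k, x, True)
        x = self.reflector[x]
        for k in range(len(self.wirings)):
            x = self._rotor(k, x, False)
        return ALPHA[self.plug.index(x)]

    def encipher(self, text):
        return "".join(self.press(c) for c in text)

def stecker(pairs):
    """Plugboard permutation from patch cords, e.g. 'AB CD' (always an involution)."""
    p = list(ALPHA)
    for a, b in pairs.split():
        p[ALPHA.index(a)], p[ALPHA.index(b)] = b, a
    return "".join(p)

RED, WHITE = "BDFHJLNPRT", "ACEGIKMOQS"     # constructed plug colouring, ten of each

def uhr_like(red, white, setting):
    """Constructed stand-in for the Uhr box (not its real wiring): every red input
    goes to a white output and every white input to a red output, scrambled by the
    knob setting.  Setting 0 behaves like plain cords, and a few settings come out
    reciprocal anyway, as every fourth setting of the real box did."""
    p = list(ALPHA)
    for i in range(10):
        p[ALPHA.index(red[i])] = white[(i + setting) % 10]
        p[ALPHA.index(white[i])] = red[(i + setting) % 10]
    return "".join(p)

def is_involution(perm):
    return all(perm[ALPHA.index(perm[i])] == ALPHA[i] for i in range(N))

WEHRMACHT = dict(rotors=["I", "II", "III"], reflector="B")
NAVAL_M4 = dict(rotors=["Beta", "II", "IV", "I"], reflector="B-thin",
                rings="AAAA", positions="AAAA")

def is_reciprocal_cipher(config, text, plugboard=None):
    """Enciphering the ciphertext under the same settings must give back the
    plaintext, and no letter may encipher to itself, whatever the plugboard."""
    ct = Enigma(plugboard=plugboard, **config).encipher(text)
    back = Enigma(plugboard=plugboard, **config).encipher(ct)
    return back == text and all(a != b for a, b in zip(text, ct))

if __name__ == "__main__":
    print(Enigma(**WEHRMACHT).encipher("AAAAA"))     # BDZGO
    print(is_reciprocal_cipher(WEHRMACHT, "ATTACKATDAWN", uhr_like(RED, WHITE, 1)))
```

The reason the whole machine stays reciprocal with any plugboard permutation S is visible in `press`: the signal goes through S on the way in and through its inverse on the way out, so the cipher is S⁻¹ R S with R the reflector-and-rotors path, and R is an involution without fixed points.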
The Enigma A and Enigma B
The very first cipher machines sold under the Enigma trademark were rotor machines, but they did not have the reflecting rotor that made the Enigma so unique. Also, they both looked like very large typewriters, and printed their output rather than merely indicating letters with glow-lamps. The Enigma B used the normal 26-letter alphabet, while the Enigma A had a 28-letter alphabet, including three accented letters for the German language, but omitting one letter of the alphabet not often used in German.

Instead, they had four rotors, used once in normal fashion, controlled by four cams, with 11, 15, 17, and 19 positions. These cams all moved one position with every letter enciphered, and a raised tooth on any one cam caused the rotor corresponding to that cam to advance one step. Occasionally, none of the four rotors would advance between letters, and this probably made the machine appear weak. However, this kind of irregular rotor movement does eliminate the isomorph method of attack, and therefore this kind of design appears to be quite promising. Since, however, it was cams and not user-settable pinwheels that were used, an adversary knowing the sequence of raised teeth on each cam would no doubt have been able to develop alternative methods of attack on this system.

Had the machine had five rotors instead of four, then the thirty-two possible rotor motions would have exceeded the number of letters in the alphabet. With four rotors, there were at most only sixteen possible alphabets the machine could present at each step, and this could also be exploited. A machine with ten pinwheels, all of different sizes, with the XOR from two pinwheels controlling each of five rotors? Such a machine might well have been very strong. However, the search for the ultimate in irregular rotor movements was pursued in a different direction by the Americans, resulting in an even stronger machine, the SIGABA, which we will meet later.
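The cam-driven stepping just described, as an added example that is not part of the original page. Only the cam sizes (11, 15, 17 and 19 positions) come from the text; the tooth patterns below are constructed, since the real Enigma A and B patterns are not given here. The code shows the three consequences the text draws: letters at which no rotor advances, the bound of 2^4 = 16 distinct advance patterns, and a motion pattern whose period is the product of the four cam sizes.

```python
from math import lcm

# Constructed tooth patterns (1 = raised tooth that advances that cam's rotor) for
# cams of 11, 15, 17 and 19 positions.  Assumptions for this example only.
CAMS = ["10110100110", "110100101101001", "10011010110010101", "1101001011010010110"]

def motion(cams, steps):
    """Rotor-advance pattern at each letter: every cam turns one position per
    letter, and a raised tooth under its follower advances that cam's rotor."""
    return [tuple(int(c[t % len(c)]) for c in cams) for t in range(steps)]

def rotor_positions(cams, steps, size=26):
    """Positions of the four rotors after each letter, starting from all zero."""
    pos, history = [0] * len(cams), []
    for m in motion(cams, steps):
        pos = [(p + dp) % size for p, dp in zip(pos, m)]
        history.append(tuple(pos))
    return history

def idle_steps(cams):
    """Letters in one full period at which no rotor at all advances.  With cam
    sizes that are pairwise coprime this is the product of the tooth-free counts."""
    full = lcm(*(len(c) for c in cams))
    return sum(1 for m in motion(cams, full) if not any(m))

def distinct_motions(cams):
    """The page's bound: four cams give at most 2^4 = 16 different advance
    patterns, hence at most 16 alphabets the machine can present next."""
    full = lcm(*(len(c) for c in cams))
    return set(motion(cams, full))

def motion_period(cams):
    """Smallest t after which the whole advance pattern repeats."""
    full = lcm(*(len(c) for c in cams))
    seq = motion(cams, 2 * full)
    return next(t for t in range(1, full + 1)
                if full % t == 0 and seq[:full] == seq[t:t + full])

if __name__ == "__main__":
    print(motion_period(CAMS), idle_steps(CAMS), len(distinct_motions(CAMS)))
    print(rotor_positions(CAMS, 8))
```

The period of 11 x 15 x 17 x 19 = 53,295 letters holds only because each constructed pattern has no shorter internal period; a cam whose teeth repeat every few positions would shorten it, which is the kind of thing an adversary who knew the tooth sequences could exploit.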
Another variation of the Enigma was the one used by the Abwehr. It was an Enigma without a plugboard, but its rotors had a large number of notches, so that the slower rotors still moved fairly often. In the chapter of Codebreakers (not David Kahn's book, but a collection of contributions by former cryptanalysts at Bletchley Park, published by Oxford University Press) entitled "The Abwehr Enigma", it was observed that multi-notched rotors created a serious difficulty for the cryptanalyst, but not quite as serious as that created by the plugboard. It was seen as peculiar, but fortunate, that the Germans did not get the idea of putting both improvements on the same Enigma. Since by that time, thanks to the book Machine Cryptography and Modern Cryptanalysis by Cipher A. Deavours and Louis Kruh, it was already public knowledge that the British were doing exactly that (the Typex, which we will meet in the next section, used extra entrance rotors as a non-reciprocal plugboard, thus also gaining the advantages of the Uhr box, together with highly multi-notched rotors), this comment was worth a raised eyebrow when I first encountered it.

It may also be noted that the Abwehr Enigma's reflecting rotor moved, as the slowest rotor, during encipherment. Also, like the commercial prewar Enigma C and D, in addition to having no plugboard, it had its keyboard and lamps connected to the rotors following the layout of the typewriter keyboard rather than in alphabetical order; thus an Abwehr Enigma had the rotating reflecting rotor and the multiple notches on the rotors as its only changes from the commercial model Enigma, with one other minor but interesting addition: this version of the Enigma also had digits and punctuation marks printed above the letters on both the keyboard and the lampboard.
Relatives of the Enigma
Despite the fact that the Enigma never enciphered a letter as itself, thereby making it easy to align probable plaintext with an intercept, several other rotor machines were based on the Enigma.

W. F. Friedman devised Converter M-325. It was similar to the Enigma, except that the rotor nearest the reflecting rotor, rather than the rotor farthest from it, was the fast rotor. This produced a machine that did not need a plugboard to be reasonably secure.

The British cipher machine during World War II was the Typex. Its rotors were notched several times for frequent and irregular motion. Three rotors moved, and the farthest of them from the reflecting rotor was still the fast rotor. But there were two other rotors beyond the fast rotor, and they acted as a plugboard replacement. Some models of the Typex had two concentric sets of 26 contacts. According to those who have had the opportunity to examine surviving specimens of this machine, they were not used for the obvious purpose of providing a return path for electrical current, thus allowing the unique weaknesses of the Enigma design to be avoided. Despite this, I still wonder; there is a simple way, using dummy rotors connected by cables, to turn a SIGABA into a plain Hebern machine. As the SIGABA and the Typex were made to interoperate by means of accessories which turned them into the "Combined Cipher Machine", it makes sense to conclude that the second set of contacts was used as a return path on the Typex, since then suitably wired rotors with some sets of contacts wired without scrambling could allow Hebern-type operation of such a machine as well, thus facilitating this particular method of interoperation.
Although the fact that the fast rotor is on the entrance side (like an Enigma, unlike an M-325) makes it more difficult to turn a Typex into a Hebern machine with the fast rotor in the middle, it is not impossible: an auxiliary wiring harness, with dummy rotors, is also required, as with the SIGABA, and the reflecting rotor is one of those that has to be replaced. The following diagram shows a principle that may have been used:
As the details of the actual CCM are available, no doubt I will soon be hearing if my reconstruction is near the mark or not. As only three rotors aren't much, the actual CCM may have been somewhat more complicated, for example by including entry and exit plugboards to replace the two stators in a real Hebern fiverotor machine. As the Typex is said to have very closely resembled the Enigma, I had assumed that it had a "650 break" as well, and this would have further complicated interoperation with the SIGABA. However, since the Typex used heavily multinotched wheels, such a gearing arrangement would have shortened its period considerably, so perhaps that problem did not arise. (It's even possible there was a lever somewhere to choose with!) On some later models of the Typex, the two entrance rotors also moved. This is merely a speculation on my part, but one simple way in which they could have been caused to move is this: the entrance rotor would be the slow rotor, the next one the medium, and the same notches in the wheels that caused the regular carry would also cause movement of the wheels on the entrance side, but the ratchet wheels would be displaced. So, if the positions B, G, J, M, O, R, T, V, and X caused the original medium wheel to move when the fast wheel reached them, and the original slow wheel to move when the medium wheel reached them, then perhaps the positions Z, E, H, K, M, P, R, T, and V, each two positions earlier, would cause movement on the other side of the fast rotor. Or another row of notches could be present on the wheels, and the number of notches in that row could very well be even, since the ordinary rotor motion would already be providing the maximum period. 
No such motion, however, unlike the original motion with those two rotors as stators, or better yet a motion resembling that of the Converter M325, would allow easy interoperation with a SIGABA using dummy rotors by emulating a Hebern machine, basically the lowest common denominator of the two machine types.

Some time after World War II, Switzerland, which had been using a version of the Enigma for its own communications, designed its own significantly improved cipher machine based on the Enigma, the NEMA (for Neue Maschine, not National Electrical Manufacturers Association). Recently, a computer program simulating its operation, accompanied by a description of the machine, became available. One of the program's authors, Frode Weierud, has a forthcoming article in Cryptologia about the machine.
It used lamps to indicate the letters it produced as output, and physically it looked like a metal box with a sloped front in which a typewriter keyboard was sunk. Recently, examples have become available on the open market, at prices considerably below those of World War II Enigmas. The device had four rotors, plus a reflecting rotor, all of which (including the reflecting rotor) moved during encipherment. However, it had the appearance of having ten (rather thin) rotors. This was because each rotor was manually adjusted by means of a flange on its left with 26 segments labelled with the letters of the alphabet, and bore on its right a ring of appearance similar to that flange, but which contained a notched gear. Each rotor's movement was controlled by the ring to its right; when a notch on the ring came into position, its corresponding rotor did not advance for the current letter being enciphered. In addition, the ring on the entrance rotor, towards the right of the rotor bank, was distinctively colored (it was red) and had a second notched gear on it. This gear, when a notch on it came into position, prevented the second and fourth rotors, and their corresponding rings, from moving. Usually, all the rings would move with every character enciphered. Thus, the NEMA had a period of 17,576 letters, each ring-rotor pair having a period of 676. If the red ring had stopped only two other rings, and not their corresponding rotors as well, the period could have been 26 times longer. In any case, it has a large number of initial settings, and a very irregular rotor movement, bettered only by that of the SIGABA (although the Enigma A and Enigma B also had a rotor movement that is more irregular than usual). Note that the diagram, for simplicity, shows the mechanics of the rotor movement by lines which may suggest electrical wires; actually, the result was achieved mechanically.
Also note that the wheels with notched gears, although concentric on the same shaft as the rotors, are shown in the diagram in a row below the rotors, using the usual diagram symbol for pinwheels.

And, during the sixties, an Italian firm, O.M.I., offered a version of the Enigma with seven rotors. But it embodied an ingenious idea for providing security in a machine sold openly without requiring customers to rewire their rotors. The rotors came in two pieces, both with scrambled wiring, that the customer could interchange and rotate to form the rotor set to use. It would be a little harder to do this with rotors of the Hebern type, if one wished to take full advantage of the fact that both sides of these rotors are identical, but it could still be done using androgynous connectors positioned in alignment with the centers of the contacts, as shown below:
An interesting web site in Germany, which no longer exists, described several cipher machines from behind the Iron Curtain. Three of them were described in enough detail (which I tried to make out as best I could, not understanding German) that I found their mention of interest. The T217, or ELBRUS, is an electronic cipher machine, having at least a superficial external resemblance to the early electronic cipher machines used by the United States (as those machines are, as far as I know, still classified, I have no knowledge of whether the resemblance is more than superficial). A linear-feedback shift-register generator feeds a longer shift register, and bits from that are selected under the control of a key cassette to go into combinatorial logic to produce bits for stream cipher use. The M105 uses a principle I don't quite understand yet: 5-level code characters are converted to a 12-bit form, then XORed with a key tape, then converted back down to 5-bit form. It isn't quite clear to me how transformations more involved than an XOR can actually be accomplished by this principle, particularly when decoding is also performed by precisely the same method. However, such a machine could work by cheating; for example, the 5-bit character abcde could be converted to abcde0000000 to be enciphered, and then the 12-bit result of being XORed with the key tape could be converted to 5 bits by taking the first 5 bits, performing a nonlinear operation controlled by the last 2 bits, and then XORing with the second 5 bits. To decipher using the same key tape, the 5-bit ciphertext character pqrst would simply be converted to 00000pqrst00 before the XOR with the key tape. Even something like that, particularly if a plugboard can be used to scramble the 12 bits from the key tape, might not be entirely silly. Also, if the nonlinear transform controlled by the last 2 bits leaves something invariant, that, rather than 0, could be put in the last 2 bits. For example, if the last 2 bits are used to choose between different ways of transposing the 5 bits of a character, for encryption the parity of the plaintext character could be placed in one, or both, of those bits before the XOR, affecting which bit transpose is used. For decryption, the parity of the ciphertext character after being XORed with the five bits for that purpose on the tape, XORed with the parity of the five bits that will later be XORed to form the plaintext character, will produce the parity of the plaintext character before the bit transpose (affected by that parity) is known. And, finally, the M125, or the Fialka, is described on that site, which is why I am mentioning it on this page: it is a variation of the Enigma.
It enciphers a 31-character alphabet. A punched card is used to perform the function of the Enigma plugboard, but for only 30 of the 31 symbols enciphered. The punched card has been described to me as square, with two centering holes, and with the regular punched holes only below a diagonal on the card. This suggests to me that each hole position controls a double-pole double-throw (DPDT) switch, determining if two lines in a folded crossbar pattern are crossed.
There are 10 highly multi-notched rotors, and they have fixed contacts on one side and spring-loaded contacts on the other, like those of the Enigma. Now, these 10 rotors all have 31 contacts on each side. There is also a reflecting rotor, but how can a reflecting rotor with an odd number of contacts work? One contact of the reflecting rotor, instead of being connected to another contact, is connected to a circuit that causes the machine to encipher the input letter as itself. Note, however, that the machine's cipher is fully reciprocal. Like the Typex, we have an Enigma with both multi-notched rotors and a plugboard; British cryptanalysts working on the Abwehr Enigma on the one hand, and the Army and Navy Enigmas on the other saw that to be an effective combination. This may not be terribly surprising, as there was Soviet penetration of the British Ultra effort during World War II. The patch panel, like the Uhr Box, avoids the problem of the plugboard substitution being reciprocal in itself. Although the machine is connected to 5-level tape equipment, instead of enciphering normal 5-level code (leaving, perhaps, the all-zeroes character unenciphered) the German-language version of this device omits the letters W, X, and Y, and uses J to represent the space (thus printing a space when deciphering, and a J when enciphering), leaving room for the digits from 2 through 9 in the character set. As Russian has a 32-letter alphabet, presumably the original Russian-language version did not include digits in its character set. My initial attempt to reconstruct the Fialka from the information I had found resulted in a somewhat different machine, with its own features of interest.
In the block diagram I saw, there were three signals going from the reflecting rotor to a transistor symbol. I thought that perhaps this meant that three contacts were wired in a loop, with diodes going from one to the next, in rotation. As a DC current is used to go from the keyboard to the rotors and back to the output mechanism, this can mean that A becomes B, B becomes C, and C becomes A. (However, there is nothing to prevent the current from going through two diodes in a row. This can be avoided by the use of resistors or multiple diodes, and a suitable choice of voltage threshold, or by a simple transistor circuit.) That would mean the cipher of the machine as a whole would not be quite reciprocal, but no letter could represent itself. The easiest way to reverse the action of such a circuit during decipherment would be simply to reverse the polarity of DC current through the machine. The fact that the punched-card "plugboard" affected only 30 of the machine's 31 characters was baffling to me, and implied some sort of external constraint. As I assumed a simple crossbar arrangement for card sensing, to minimize parts count, the fact that a standard 80-column card has over 900 holes in it meant that it could indeed control a 30 by 30 crossbar patch panel. (One needs 961 hole positions for a 31 by 31 crossbar patch panel!) The diagram shows a possible arrangement for the crossbar circuitry that uses the first 75 columns of the card, and which, by taking into account the zone and digit positions of the card, allows key cards to be produced with conventional punched card equipment, using only &, -, /, and the digits and the uppercase letters. Perhaps the construction I reached through speculation will be helpful to amateur builders intending to build a replica of the Fialka at home, but with the use of more standard parts, even if it departs from the historical reality. The following diagram is provided for those who aren't familiar with the code used on the 80-column punched card:
or, if that diagram is difficult to understand, here is a more explicit one:
Gordon Welchman, the inventor of the diagonal board, has commented that it would have been possible, but difficult, to design an Enigma that did not have the feature of being unable to encipher a letter as itself. Obviously, the simplest method to avoid this problem with the Enigma would be to revert to sending the signal through the rotors in only one direction, as with the Enigma A and Enigma B, or as with the original Hebern machine. But if one wanted to avoid having to switch a large number of wires when changing from encipherment to decipherment, or if one felt it useful to have the signal going through the rotors twice instead of just once, how would an Enigma not having this problem be designed? One can begin by merely changing the labels which are over the indicating light bulbs. If the light bulb that is on the circuit with the Q key is now labelled B instead of Q, then it is B that the letter Q will not be enciphered as. But then one would have to have one wiring for encipherment, and a different wiring, either selected by a large and complex switch, or by constructing enciphering Enigmas and deciphering Enigmas. One way to avoid the problem would be to replace the plugboard of the Enigma with two switchboards, one connecting the keys to the machine, and one connecting the lamps to the machine. Then one could select any wiring configuration for encipherment, and its counterpart, with lamp and key wirings exchanged, for decipherment. Could a suitable choice of new labels for the light bulbs allow a simpler solution, one that involved a lesser change to the way the Enigma worked? One possibility would be, given the keys are connected to the rotor contacts in alphabetical order, to label the light bulb connected to the A key with N, the light bulb connected to the B key with O, and so on.
Then, if the setting rings are labelled with two alphabets similarly displaced, in contrasting colors, and the gear teeth by which one ring advances the next are so arranged that if a tooth is at one position, there is also a tooth at the position diametrically opposite (shortening the period, because all the rotors must now have an even number of teeth), one could indeed have a machine that behaved almost exactly like the Enigma. However, the fact that the letter A can now never be represented by N, instead of never by A, is just a fixed substitution that would soon be discovered, and then it would cause no real difficulties for the cryptanalyst. A normal Enigma plugboard would not change this: and the sockets on it would also have to be labelled in two colors, as the plugboard wiring would have to be displaced 13 positions to decipher. Another thought would be, instead of having two switchboard-type plugboards, where a set of 26 sockets is matched by 26 plugs from within the Enigma, to have a second plugboard of the regular Enigma type in a single Enigma. In addition to the one between the rotors and the lamps and keys both, the additional plugboard would be between the lamps and the keys. The reciprocal nature of the plugboard substitution would not be a problem, and would in fact allow the same wiring to serve for encryption and decryption. This arrangement is illustrated below:
However, it wouldn't quite work as illustrated. Although the rotor substitution and the plugboard substitution are both reciprocal, that does not mean that they commute. But a more complicated wiring based on this principle would be possible, such as placing the rotors on the lamp side for decipherment; this would require a bank of 26 relays to simulate the effect of the switches in the keyboard. One simple way to make this work, with some limitations, is this: for encipherment, use only the plugboard between the lamps and keyboard. For decipherment, also use the regular plugboard, and wire it in the same way as the plugboard between the lamps and keyboard. This works because plugboard wirings are reciprocal. The basic problem of this sort of arrangement is that the rotors are connected to the keyboard and not the lamps in an Enigma, hence a permutation between the keyboard and lamps disrupts the relationship between the rotor contacts and the lamps and keys on which decipherment depends when the machine is used in reverse. Could an Enigma be modified so that the rotors were connected to the lamps? Yes, if each lamp were shorted with a diode:
This diagram shows the flow of electricity in an Enigma. On the left, a simplified diagram of the Enigma is shown. Wires at a positive potential are red, wires at a negative potential are blue, and wires carrying current are shown thicker with yellow symbols indicating the direction of current. On the right, the arrangement involving diodes needed to allow the rotors to be connected to the lamp side of a modified Enigma is illustrated. Current that pressing a key allows to flow goes first through the shorting diode belonging to the lamp with the same letter, then through the rotors, and on its return trip lights the correct lamp, since it is going the other way, and cannot be shorted by that lamp's diode. Suitable switching circuitry, allowing either arrangement to be selected, and reversing other connections, would allow a two-plugboard Enigma of the type shown above to even have an Uhr box connected at either or both plugboards.
Cryptanalysis of the Enigma
The story of the cryptanalysis of the Enigma is perhaps the only story of military cryptanalysis ever recounted where a detailed view was given of that cryptanalysis on an ongoing basis, over multiple revisions and modifications of the cipher system under attack. The cryptanalytical methods used are sorted by type in the following sections, and thus a more chronological summary may help to make the story more understandable. Initially, the Enigma was without a plugboard. The method of "cliques on the rods" was used against it at this stage; this was a version of the isomorph attack against a Hebern machine, modified as required for the Enigma. Next, a plugboard was used, but only three cords were plugged into it, affecting only six of the twenty-six letters. A common ground setting was used to encipher the starting setting which operators were supposed to choose at random; this setting was enciphered twice. Here, the tables generated by the cyclometer were used: the doubly-enciphered indicator meant that if one message had A as its first letter and Q as its fourth, A as the first letter of the message always implied Q as the fourth. Thus, the relation between the first and fourth letters of a day's intercepts defined an alphabet, and the same was true of the second and fifth letters and the third and sixth. The characteristics of these alphabets allowed those tables to pinpoint the day's ground setting. Then, instead of a ground setting, a setting picked also at random, and sent in the clear, was used. This nine-letter indicator was attacked on the basis of watching for cases where corresponding letters in the doubly-enciphered indicator, now the fourth and seventh, fifth and eighth, and sixth and ninth letters of the message, were the same. The original Polish Bombe, and also the perforated sheets, were used at this stage.
When the number of rotors in the rotor set was increased to five from three, the British took over from the Poles, and relied mainly on the perforated sheets. When the rotor starting position for an individual message was enciphered only once, the Turing Bombe, soon augmented by the diagonal board, allowed decrypting Enigma messages to continue. On the Naval Enigma, eight rotors as well as a split reflecting rotor were used. This was dealt with by aligning messages to find key overlaps; from this, and a study of the indicators, constraints on the possible rotor orders were found, allowing the Bombe to still be used. Near the end of the war, the Uhr box and a rewirable reflecting rotor were used in some places. The Uhr box merely required giving up the diagonal board. The reflecting rotor required a major redesign of the Bombe, but decoding continued.
Cliques on the Rods
Indicators and Jefferys Sheets
The Bombe and the Diagonal Board
Cliques on the Rods
Before the plugboard was added to the Enigma, the fact that the fast rotor was on the side opposite the reflecting rotor meant that it was vulnerable to an isomorph attack. But the isomorph attack had to be modified from that used on a Hebern machine, in the obvious way. Both the probable plaintext and the ciphertext had to be put through the fast rotor, and it was the two results that had to match, that is, be monalphabetic encipherments of one another, having repeated letters in the same places. Since a rotor can be in 26 different positions, changing both the input and output letters, one needs 26 different strips. Each strip shows, for one particular input letter, the possible output letters for each position of the rotor. Thus, if a rotor is wired as follows:

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
E K M F L G D Q V Z N T O W Y H X U S P A I B R C J

the strip for the letter A would contain the sequence

E J K C H...

and the strip for the letter B would contain the sequence

K L D I...

since in the A position of the rotor, A becomes E, the A strip begins with E. When the B contact, that takes B to K in the A position, is moved back to the A position, then it will take A to the letter before K, or J. Similarly, when the C contact is moved two positions back, its destination, the M contact, is moved two places back to K. Of course, the strips might also be prepared for the rotor moving the other way, with the letters in reverse order. The strips will have their sequences of letters repeated twice; one chooses the strips which correspond to plaintext and ciphertext, and puts them next to one another, but staggered, because the fast rotor is always moving one step for every letter. Then, the rows across, between the strips, show the possible encipherments of the plaintext or ciphertext letters for every starting position of the fast rotor.

Strips with the rotor outputs on them were aligned to produce the results, and thus the method was called "La Méthode des Bâtons" in French, and in Britain the strips were called rods, with the repeated letters that matched up called cliques. The sequence of 26 letters that a rotor would produce from a given letter in different positions cannot be a scrambled alphabet, with no letter repeated, for reasons seen in the previous section on the interval method. In the colorful terminology of Bletchley Park, the duplicated letter on a rod resulting from two wires producing the same displacement was called a "beetle", and the result of two wires having exactly opposite displacements was called a "starfish", as recently revealed in papers by C. H. O'D. Alexander available on Frode Weierud's web page. These papers note, among other things, that the rods were sometimes used against Enigmas with plugboards as well, in cases where the indicators could not be interpreted. (Two of the papers, about something called JNA20, appear to be about PURPLE or CORAL, even though they still use the term "Stecker" in reference to its plugboard.)
Attacking the Indicators
As is recounted in the several books and articles recounting the story of the Enigma, the Germans used two very dangerous indicator systems with it. First, they started the Enigma, for a given day, with a fixed secret setting, called the ground setting or Grundstellung. At this setting, the actual starting rotor setting was repeated twice and enciphered. Then, still before the war started, while only the Poles were breaking the Enigma, a change was made. Instead of a secret ground setting, a starting point was picked by the user at random, and sent in the clear at the start of the message. Then the starting rotor setting used for the message itself was again repeated twice and enciphered. In both cases, the relationship between the two repetitions of the rotor start position gave too much away.
The Common Ground Setting
In the first case, since one had many messages for a given day, all with the same ground setting, one could look at the alphabet formed by combining that produced by the machine at the ground setting with that produced three letters later. This alphabet was visible in the clear: if a message began VBT RSQ, then V became R in that compound alphabet. Essentially, tables could be made of the distinguishing features of the alphabets created at each starting position. And alphabets had such features, even after the plugboard was used. These were visible when an alphabet was reduced to 'cycle form': if V becomes R, then what does R become, and how many steps does it take to get back to V? Any scrambled alphabet basically divides the alphabet into pieces of various sizes, and those sizes aren't changed by the plugboard. The cyclometer, used to create these tables, will be described along with the Bombes in the next section. The three alphabets derived from a day's intercepts (or three months' intercepts, actually) had, when reduced to cycle form, some very special properties. Although they were formed by comparing two encipherments at positions separated by 3, they could also be thought of, since decipherment and encipherment were the same, as the results of applying the encipherments at those two positions, one after the other.
This has the following curious result:

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
U V T X R W M I H Z Q P G S Y L K E N C A B F D O J

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
G K R P S Y A J M H B Q I U W D L C E V N T O Z F X

In the pair of reciprocal alphabets shown above, A becomes U, and then U becomes N. So, in the compound alphabet, A becomes N. Note that U also becomes A in the first alphabet, and N becomes U in the second, but these don't connect, so the compound alphabet is not reciprocal. As noted, in the compound alphabet, A becomes N. Then N becomes (S, then) E, E becomes (R, then) C, C becomes (T, then) V, V becomes (B, then) K, K becomes (Q, then) L, L becomes (P, then) D, D becomes (X, then) Z, Z becomes (J, then) H, H becomes (I, then) M, and M becomes (G, then) A. So, we have a cycle, involving the letters:

(a n e c v k l d z h m)

What happens if we follow the fate of the letter U, which becomes A in the first alphabet, just as A became U? U becomes A, which becomes G. G becomes M, which becomes I. I becomes H, which becomes J. In starting with the middle letter of each two-step substitution, we simply go through exactly the same cycle, but in reverse. So we have a second cycle of exactly the same length, with the letters:

(u g i j x p q b t r s)

Because this sequence consists of the middle letters, taken in reverse order, of the previous cycle, the individual substitutions can be found at one of the positions these two sequences have when slid against each other after one is reversed:

A N E C V K L D Z H M
U S R T B Q P X J I G

are all pairs in the first alphabet, and

A N E C V K L D Z H M
G U S R T B Q P X J I

are all pairs in the second. Because at that stage poorly chosen rotor starting positions, both consisting of adjacent letters on the keyboard, and also consisting of the same letter repeated three times, were common, it was possible to eliminate ambiguity in aligning the cycles and determine the rotor starting positions, without as yet knowing either the alphabet ring settings, the rotor order, or even the wiring of any rotors.
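The cycle bookkeeping just described, carried out in code as an added example (not code from the original page). It uses the two reciprocal alphabets printed above, checks that the cycle lengths of the compound alphabet come in equal pairs and survive a plugboard (the invariant the cyclometer tables of the next section tabulate), and lists the candidate alignments of the two cycles; the plugboard pairs in the usage are constructed for illustration.

```python
ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# The two reciprocal alphabets printed above: the one produced at the ground
# setting and the one produced three letters later (images of A..Z in order).
FIRST = "UVTXRWMIHZQPGSYLKENCABFDOJ"
SECOND = "GKRPSYAJMHBQIUWDLCEVNTOZFX"


def apply(alphabet, letter):
    return alphabet[ALPHA.index(letter)]


def is_reciprocal(alphabet):
    """True when the alphabet undoes itself, as every Enigma alphabet does."""
    return all(apply(alphabet, apply(alphabet, c)) == c for c in ALPHA)


def compose(first, second):
    """The compound alphabet seen in the indicators: apply first, then second
    (what letter 1 of the indicator tells you about letter 4)."""
    return "".join(apply(second, apply(first, c)) for c in ALPHA)


def cycles(alphabet):
    """Cycle form: each cycle starts at its earliest letter not yet visited."""
    seen, result = set(), []
    for start in ALPHA:
        if start in seen:
            continue
        cycle, c = "", start
        while c not in seen:
            seen.add(c)
            cycle += c
            c = apply(alphabet, c)
        result.append(cycle)
    return result


def cycle_lengths(alphabet):
    return sorted(len(c) for c in cycles(alphabet))


def plugboard(pairs):
    """A Stecker setting as a reciprocal alphabet, e.g. plugboard(["AB", "CD"])."""
    table = list(ALPHA)
    for a, b in pairs:
        table[ALPHA.index(a)], table[ALPHA.index(b)] = b, a
    return "".join(table)


def steckered(alphabet, plug):
    """The alphabet an observer sees with the plugboard in circuit: through the
    plugboard, through the rotors, and back through the plugboard."""
    return "".join(apply(plug, apply(alphabet, apply(plug, c))) for c in ALPHA)


def candidate_pairings(cycle_a, cycle_b):
    """Slide the reversed second cycle against the first: each of the len(cycle_a)
    rotations pairs every letter of the first cycle with a partner, and one of
    them is the true alphabet (the 'ambiguity in aligning the cycles' above)."""
    rev = cycle_b[::-1]
    return [dict(zip(cycle_a, rev[k:] + rev[:k])) for k in range(len(cycle_a))]


if __name__ == "__main__":
    compound = compose(FIRST, SECOND)
    print("cycles:", cycles(compound))            # lengths come in equal pairs
    plug = plugboard(["AB", "CD", "EF"])          # constructed Stecker pairs
    print("with plugboard:", cycle_lengths(compose(steckered(FIRST, plug),
                                                   steckered(SECOND, plug))))
    for cand in candidate_pairings("ANECVKLDZHM", "UGIJXPQBTRS"):
        print("".join(cand[c] for c in "ANECVKLDZHM"))
```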
The Slotted Sheets, or Grilles
Knowing the letters visible in the little windows on the enemy's Enigma was an accomplishment, but by itself it did not let you read any messages. The Poles did know the rotor wirings of the Enigma, though. They had not captured a machine, and doing so in peacetime would have made it obvious that one was missing. Instead, a spy had given the French, and the French had given them, keys for a period and some matching plain and enciphered messages, from which they laboriously reconstructed the rotor wirings and internal connections of the Enigma. In addition to knowing the initial rotor settings, applying the pencil-and-paper method noted above provides you with six successive alphabets produced by the Enigma. At this stage, only a limited number of letters are modified by the plugboard, and the Enigma had only three rotors to insert in any of six different orders. If, for the encipherment of the first six letters after the ground setting, the medium rotor did not move, these alphabets are produced from an inner alphabet, produced by the medium, slow, and reflecting rotors, at six consecutive positions of the fast rotor. The grille or slotted sheet method involved sheets with the successive alphabets produced by one rotor printed on them, which were slid over a piece of paper on which these six alphabets were written. If it weren't for the plugboard, negating the fast rotor would produce six identical alphabets: even with the plugboard, the right position produced six alphabets with many letters in common, and from the similarities and differences, both the plugboard settings and the inner permutation could be determined. The initial rotor settings are known in terms of where the alphabet rings are; now the ground setting is known in terms of the positions of the rotors themselves. Still more work needs to be done to read messages: the original Polish Bombe automated that next step.
Arbitrary Ground Settings
Since the ratchet that allowed one rotor to move the next slower rotor and the alphabet ring which was used to refer to rotor positions were fixed together, in the second system it was often possible to determine, since the Enigma's original five rotors all had their one carry in different positions, which rotor was the fast rotor. Among the many indicators for a day, there would be some with repeated letters. And there would be some with the starting positions given in the clear possibly adjacent to each other. Which positions are adjacent depends on when carries occur. And if the same letter becomes first N and then V three letters later, and then fails to change from N to V when it is apparently in the same two positions, then one is mistaken about when the medium rotor moved. Combinations where the same letter becomes the same letter in the same message, in two positions three places different could not always occur, and these indicators, called "females", eliminated possible indicator settings. Also useful to Bletchley Park at this stage were "Herivel tips", which were the result of Enigma operators choosing, after setting up their machine for the day, to use as their first setting the position of the rotors as they stood, or possibly moving them only a few places, from the position after setup which meant the rotors were near their initial positions, and the setting sent in the clear would give away the alphabet ring settings (either by itself, or in combination with the arbitrary ground settings of other operators making the same mistake).
The Perforated Sheets
The perforated sheets were one set of 26 square sheets, with punched holes, for each possible rotor order. They were used when the ground setting was sent in the clear, followed by two encipherments of the current setting. Each sheet corresponded to the position of one of the wired rotors (in Poland, apparently the slow one) and the rows and columns on the sheets corresponded to the positions of the other two rotors. The rows and columns, except the first one, were repeated twice. A hole was punched in a sheet whenever a letter would be enciphered to itself by an Enigma with that position of the three rotors plus an Enigma with the fast rotor three places further ahead. Since a rotor order is assumed by one's choice of perforated sheet set to use, one can exclude all indicators in which the medium rotor moved. This is because the ratchet wheel and the alphabet ring are attached to each other. In practice, unless there is other information available, one needs to try all 60 rotor orders. And, yes, one also needs to try 26 stacks of sheets for each rotor order. However, 1560 trials is not an unmanageable brute-force search, even by manual methods.
One finds numerous indicators with repeated letters in the same position, and places, one on top of each other, alphabet sheets so staggered as to match the relative displacements of the ground settings for the different messages. Then, a hole through the stack of alphabet sheets indicates which position of the wired rotors corresponds to each of the ground settings.
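As an added example, not code from the original page, the rod method of the "Cliques on the Rods" section and the "females" on which the perforated sheets depend, both run on a simplified plugboard-less Enigma in which only the fast rotor moves. The fast rotor is the wiring printed in that section; the medium rotor, slow rotor and reflector are the published Enigma I wirings of rotors II, III and reflector B, used here as assumed constants, and the crib is constructed.

```python
ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Fast-rotor wiring as printed in the "Cliques on the Rods" section above (it is
# the published wiring of Enigma I rotor I). The other three are the published
# wirings of Enigma I rotors II and III and of reflector B; they are constants
# chosen for this example, not anything the page states.
ROTOR_FAST = "EKMFLGDQVZNTOWYHXUSPAIBRCJ"
ROTOR_MEDIUM = "AJDKSIRUXBLHWTMCQGZNPYFVOE"
ROTOR_SLOW = "BDFHJLCPRTXVZNYEIWGAKMUSQO"
REFLECTOR = "YRUHQSLDPXNGOKMIEBFZCWVJAT"


def inverse(wiring):
    """The same rotor read from its other side (output contact -> input)."""
    inv = [""] * 26
    for i, c in enumerate(wiring):
        inv[ALPHA.index(c)] = ALPHA[i]
    return "".join(inv)


def through(wiring, letter, pos):
    """Pass a letter through a rotor advanced pos steps from its A position."""
    x = ALPHA.index(letter)
    y = ALPHA.index(wiring[(x + pos) % 26])
    return ALPHA[(y - pos) % 26]


def rod(wiring, letter):
    """The rod (strip) for one input letter: the letter the rotor turns it into
    at each of its 26 positions. For the rotor above, the A rod starts EJKCH."""
    return "".join(through(wiring, letter, pos) for pos in range(26))


def beetles(strip):
    """Letters repeated on a rod (two wires with the same displacement)."""
    return sorted({c for c in strip if strip.count(c) > 1})


_FAST_INV, _MED_INV, _SLOW_INV = map(inverse, (ROTOR_FAST, ROTOR_MEDIUM, ROTOR_SLOW))


def _inner(letter):
    """Medium rotor, slow rotor and reflector, all held still at position A."""
    c = ROTOR_MEDIUM[ALPHA.index(letter)]
    c = ROTOR_SLOW[ALPHA.index(c)]
    c = REFLECTOR[ALPHA.index(c)]
    c = _SLOW_INV[ALPHA.index(c)]
    return _MED_INV[ALPHA.index(c)]


# The inner alphabet: reciprocal, and no letter stands for itself.
INNER = "".join(_inner(c) for c in ALPHA)


def encipher(letter, pos):
    """One letter through a plugboard-less Enigma whose fast rotor stands at pos."""
    return through(_FAST_INV, INNER[ALPHA.index(through(ROTOR_FAST, letter, pos))], pos)


def encipher_text(text, start):
    """The fast rotor stands at start + i for the i-th letter; the medium rotor
    is assumed not to carry during the text (a simplification)."""
    return "".join(encipher(c, (start + i) % 26) for i, c in enumerate(text))


def rod_attack(crib, cipher):
    """Cliques on the rods: for each fast-rotor start, put both the crib and the
    ciphertext through the fast rotor and keep the starts at which the results
    pair up into a single consistent reciprocal alphabet (the inner alphabet)."""
    hits = []
    for start in range(26):
        pairs, consistent = {}, True
        for i, (p, c) in enumerate(zip(crib, cipher)):
            pos = (start + i) % 26
            a, b = through(ROTOR_FAST, p, pos), through(ROTOR_FAST, c, pos)
            # A reflector alphabet never maps a letter to itself, and each
            # letter has exactly one partner: any contradiction kills this start.
            if a == b or pairs.get(a, b) != b or pairs.get(b, a) != a:
                consistent = False
                break
            pairs[a], pairs[b] = b, a
        if consistent:
            hits.append(start)
    return hits


def female_positions(gap=3):
    """Fast-rotor positions at which some letter is enciphered to the same
    letter at that position and again gap places on: the 'females' of the
    doubly enciphered indicator, which the perforated sheets record as holes
    (here over the fast rotor only; the sheets cover all three rotors)."""
    return [pos for pos in range(26)
            if any(encipher(c, pos) == encipher(c, (pos + gap) % 26) for c in ALPHA)]


if __name__ == "__main__":
    print("rod A:", rod(ROTOR_FAST, "A"), "beetles:", beetles(rod(ROTOR_FAST, "A")))
    crib = "WETTERVORHERSAGE"  # constructed crib, not from the page
    cipher = encipher_text(crib, 7)
    print("consistent starts for the crib:", rod_attack(crib, cipher))
    print("female positions:", female_positions())
```

Every rod carries at least one beetle: the 26 displacements of a rotor sum to a multiple of 26, while 0 through 25 sum to 325, so they cannot all be distinct, which is the reason the text refers to.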
The Final Period
During the war, the double encipherment of the indicator was eventually abolished. This increased the reliance of cryptanalysts on a large piece of electrical machinery, the Bombe. But for a period of time before it became available messages were still deciphered, as the result of the continuation of the practice of choosing adjacent keyboard letters, then called "cillies" by the British, (well, they were silly) even if settings consisting of three identical letters were by then suppressed. With the Naval Enigma, instead of switching to a single encipherment of the initial rotor position, the use of a common ground setting was revived; however, the indicators received an additional layer of encryption; the two repeated encipherments of the initial rotor setting were enciphered by means of a table of digraphs. If the enciphered starting setting was ABC DEF, then the digraphs that would be enciphered in the table would be AY BD CE XF where X and Y represent two additional letters chosen by the encipherer at random; that is, the starting setting was staggered like this:

A B C X
Y D E F

and the digraphs were taken off by columns. This would have made the indicators useless for cryptanalysts, except that the digraph table was not itself part of the daily key. Instead, for one period, a set of nine digraph tables were used, and only which one was to be used was part of the key that changed each day. As copies of the digraph tables (which were, for convenience, reciprocal) were captured, the result was merely that all nine possibilities had to be checked. With a common ground setting, as noted above if letter 1 was A and letter 4 was D once, then letter 4 had to be D whenever letter 1 was A, and so one would normally be able, with 27 messages, to swiftly determine the right table to use.
Had this digraph method been used together with the indicator method later used by the other services, an arbitrary ground setting and a single encipherment, the work would have been multiplied by a factor of nine even with the captured digraph tables in hand. Had the digraph tables been changed more often, that too would have diminished the usefulness of the indicators; but by then the advanced Bombes in use eliminated the need to break the indicator system. It would have meant more work, but their Enigma messages would not have become inviolate.
The Bombe
The Bombe, in its various forms, was a device containing multiple sets of Enigma rotors that rotated quickly to try all possible positions of the rotors. Because the Enigma had a plugboard, and because no simple relay circuit would recognize valid German-language text, even having a device of that nature did not make it trivial to crack the Enigma machine's cipher. Thus, the Bombe came in different forms during the life of the cryptanalytic effort against the Enigma.
The Cyclometer
The cyclometer was the first modified Enigma mechanism used in cracking Enigma ciphers, but it was used to prepare tables in advance, rather than to work on information from a specific day's intercepts. It consisted of two sets of Enigma rotors connected so as to face one another, positioned so that the fast rotor was three positions different in the two sets, the other rotors being in the same position. A keyboard and lights were also connected to the 26 wires between the rotor sets; a key did not disconnect the light corresponding to it. The rotors were stepped manually. For each position, one depressed a key and noted how many lights lit up, then depressed a key corresponding to a light that had not yet lit up for that position, and so on, until all the letters were divided into groups of various sizes.

The table thus generated was useful when the indicators of the Enigma were enciphered twice according to a common ground setting for the entire day. From the messages intercepted, one could form alphabets based on the indicators. Since the ground setting was always the same, if the first letter of the starting setting chosen by the operator was A, the same two alphabets would be applied to it at the ground setting position and at the position three letters later; so if the indicator began with X and had Q in the fourth place for one message, it would have X and Q in those places for every message where A was the first letter of the starting setting. Thus, one could compile an alphabet in which X became Q, and so on. The feature of that alphabet which survives any change in the plugboard settings is its cycle decomposition: an alphabet might be made up of two letters that stayed the same, two pairs of letters swapped with each other, one group of three letters in which each letter was replaced by the next one, and so on. (A change of plugboard merely conjugates the alphabet by a fixed permutation, which relabels the letters in its cycles without changing their lengths.) The characteristics of the three alphabets produced from a day's indicators would match three consecutive alphabets in the table produced by the cyclometer, unless the ground setting was chosen so that the medium rotor moved during the first six letters.
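As an added illustration, not part of the original page, the following Python models the cycle-structure argument above. The six alphabets of a ground setting are stand-ins (random pairings of the 26 letters with no fixed point, which is what any single Enigma position produces) rather than real rotor wirings, and the cyclometer's catalogue is a dictionary keyed by the characteristic. The catalogue size, the numbering of ground settings and the day's message settings are all constructed for the example.

```python
# Added example, not code from the original page. The six alphabets of a ground
# setting are stand-ins (random fixed-point-free pairings, which is what any one
# Enigma position produces), not real rotor wirings.
import random
import string

ALPHABET = string.ascii_uppercase

def random_pairing(rng):
    """A fixed-point-free involution on the 26 letters: the alphabet of one rotor
    position, or a plugboard that pairs all letters (constructed stand-in)."""
    letters = list(ALPHABET)
    rng.shuffle(letters)
    perm = {}
    for a, b in zip(letters[0::2], letters[1::2]):
        perm[a], perm[b] = b, a
    return perm

def plugged(alphabet, plugboard):
    """The alphabet seen at the keys: plugboard, rotor alphabet, plugboard again."""
    return {x: plugboard[alphabet[plugboard[x]]] for x in ALPHABET}

def cycle_lengths(perm):
    """Cycle decomposition of a permutation, reported as sorted cycle lengths."""
    seen, lengths = set(), []
    for start in ALPHABET:
        if start in seen:
            continue
        x, n = start, 0
        while x not in seen:
            seen.add(x)
            x, n = perm[x], n + 1
        lengths.append(n)
    return tuple(sorted(lengths))

def characteristic_of(alphabets):
    """What the cyclometer tabulates for a ground setting: the cycle lengths of
    the products 'alphabet 1 then 4', '2 then 5' and '3 then 6'."""
    return tuple(cycle_lengths({x: alphabets[i + 3][alphabets[i][x]] for x in ALPHABET})
                 for i in range(3))

def indicator(message_setting, alphabets):
    """The pre-war procedure: the 3-letter message setting enciphered twice in a
    row at the ground setting, so each of alphabets 1..6 is used once."""
    return "".join(alphabets[i][message_setting[i % 3]] for i in range(6))

def characteristic_of_traffic(indicators):
    """Letters 1 and 4 of an indicator are the same plaintext letter under
    alphabets 1 and 4, so letter 1 -> letter 4 is 'alphabet 1 then 4'; likewise
    2 -> 5 and 3 -> 6. Needs every letter to occur in every position."""
    products = [{}, {}, {}]
    for ind in indicators:
        for i in range(3):
            products[i][ind[i]] = ind[i + 3]
    return tuple(cycle_lengths(p) for p in products)

def build_catalogue(rng, size):
    """The cyclometer's table: characteristic -> list of ground settings (numbered
    here; a real catalogue listed rotor order and positions)."""
    settings = [[random_pairing(rng) for _ in range(6)] for _ in range(size)]
    table = {}
    for k, alphabets in enumerate(settings):
        table.setdefault(characteristic_of(alphabets), []).append(k)
    return table, settings

def days_traffic(alphabets, plugboard, rng, extra=200):
    """Indicators as intercepted: operators' message settings doubly enciphered
    through the plugged alphabets. The first 26 settings are constructed so that
    every letter occurs in every position; the rest are random."""
    seen = [plugged(a, plugboard) for a in alphabets]
    settings = [ALPHABET[i] + ALPHABET[(3 * i + 5) % 26] + ALPHABET[(7 * i + 1) % 26]
                for i in range(26)]
    settings += ["".join(rng.choice(ALPHABET) for _ in range(3)) for _ in range(extra)]
    return [indicator(s, seen) for s in settings]

def demo(seed=1, catalogue_size=400, true_setting=123):
    """Look up a day's characteristic in the catalogue; the plugboard used for the
    day's traffic pairs all 26 letters, yet the characteristic is unchanged."""
    rng = random.Random(seed)
    table, settings = build_catalogue(rng, catalogue_size)
    plugboard = random_pairing(rng)
    key = characteristic_of_traffic(days_traffic(settings[true_setting], plugboard, rng))
    return key, table.get(key, [])

if __name__ == "__main__":
    key, candidates = demo()
    print("characteristic:", key)
    print("catalogue candidates:", candidates)
```

Two things the run shows that the prose only states: the true ground setting is always among the catalogue candidates even though the traffic went through a full 13-pair plugboard, and every cycle length occurs an even number of times, since each product is the composition of two fixed-point-free involutions.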
The Polish Bombe
The original form of the Bombe was designed back when the Enigma only had a set of three rotors to interchange, and when only three wires were connected to the plugboard, affecting only six out of 26 letters. It was used against the doubly-enciphered indicator system of the Enigma during the period when ground settings were chosen at random by the operator and sent in the clear with each message. If one has two "females" (indicators where one letter is repeated in the two encipherments of the actual rotor starting position) which, furthermore, involve the same letter and are in different positions, which was a common enough occurrence given the volume of traffic, one could proceed as follows. Connect a voltage to that contact on four rotor sets. Take these in two pairs, each pair with positions offset by three; if both pairs, at the same time, produce matching output letters (that is, both sets in each pair produce the same letter, though the two pairs may produce different ones), one has found the right starting position. This won't work, however, if the letter found in the ciphertext was changed by the plugboard. The actual machine had six rotor sets, and could take advantage of finding the same letter in all three possible positions.
The Turing Bombe
The Turing Bombe exploited the fact that messages sent by the Enigma often included long stretches of probable plaintext, particularly the titles, spelled out in full, of military officers. Since the Enigma never enciphered a letter to itself, it was possible to find possible exact alignments for such likely phrases, or "cribs". Let us suppose that, comparing some probable plaintext to matching ciphertext, we find the following:

The 4th letter of the crib was a plaintext E that was enciphered to N.
The 8th letter of the crib was a plaintext E that was enciphered to X.
The 19th letter of the crib was a plaintext N that was enciphered to X.

These encipherments form a loop. For some position of the rotors, N becomes E at that position (the Enigma's alphabets being reciprocal); then, at the position four steps later, E becomes X; and a further 11 positions later, X goes back to N. Since the Enigma has a plugboard, instead of N, E, and X one can only say with certainty that "some letter" becomes "some other letter", which then becomes "yet another letter", which then goes back to "the first letter".

So a Turing Bombe worked this way: the three rotors plus the reflecting rotor of an Enigma were replaced by seven rotors, with a conventional rotor imitating the reflecting rotor in the middle. For the loop in the example, one would have three such sets (machines would be working in parallel for every possible rotor order, so as to avoid taking time to reorder rotors: in fact, one complete set of all 60 orders constituted a single Bombe at this point) positioned so that when one set was at the position it was in for the 4th letter of the crib, the next was in the position 4 steps later, and the next in the position 15 steps later. Each set of rotors was connected to the next set by 26 wires in parallel. A voltage was applied to one of the wires at one point. That wire was chosen to be the wire for the actual letter found in the crib, so that if that letter was not changed by the plugboard, the actual closed loop in the crib would be the only part of the circuit reached by the voltage, and each of the 26-wire links would have only one live wire. Otherwise, when the correct position was reached, even if all 25 other wires in each link were reached by voltage, the actual closed loop would, being closed, be isolated, and not get voltage.
So a relay circuit checked the 26 wires at one point in the loop, and halted the Bombe whenever not all 26 wires had voltage (presumably ignoring the times when the rotors were between positions). If the notches that caused one wheel to move the next slower wheel had been fixed to the rotor body, the Turing Bombe would have been simpler to understand, and would always have worked, since then, for any position of the wired rotors, the position of the rotors a certain number of steps later would be known. Since the notches were in fact fixed to the alphabet ring, what was done instead was to perform the carry from the fast wheel to the medium wheel, and from the medium wheel to the slow wheel, at only one position in the apparatus, with corresponding wheels in all rotor sets linked together. If only the fast wheel was displaced between rotor sets, the machine worked provided the medium wheel did not move anywhere inside the crib. One could also displace the medium wheel by one place in some rotor sets to try different assumptions about where the medium wheel moved.

It might be noted that, since we don't care which letter our test letter was taken to by the plugboard, a relative displacement of the whole rotor set would make no difference. Since the reflecting rotor could not even be moved to alternate positions by hand, however, different rotor positions were absolute, not relative. But if the reflecting rotor had been settable, the Bombe would not have had to run 26 times longer. In the example, only a single closed loop was taken from a crib. In fact, a single closed loop would have stopped the Turing Bombe with too many false alarms, and thus this Bombe had more than three rotor sets, and was used with cribs that gave more than one loop, with the loops connected to each other.
The Diagonal Board
The Turing Bombe, as noted, simply looked for cases where some letter became some other letter, and so on. But the cribs also included information about which letter became which other letter. Despite the plugboard, there was a way to make use of this information, and that way was the diagonal board. Let us begin with the simple 3-letter loop used as an example above: N becomes E becomes X becomes N. Let us suppose, for ease of understanding, that E was not modified by the plugboard, and so we apply our voltage to the wire corresponding to E at the point where we encountered E in the plaintext and ciphertext. Then, E might become X at the point corresponding to X. On the other hand, X might have been affected by the plugboard. If so, E will become some other letter, which will become either N or some other letter, which becomes E again. Suppose E becomes N at the point where X was expected. This means that X and N were switched by the plugboard, and so this N had better become an X at the point where N is expected. Otherwise, an impossible plugboard arrangement is required, and the apparent successful hit is a false alarm.
The diagonal board was used to cover all the possibilities of an inconsistency like this. It was a square matrix of sockets, wired so that socket P of row Q was connected to socket Q of row P, for every pair of different letters P and Q; that is, it embodied the fact that if the plugboard takes Q to P, it also takes P to Q. The 26 wires for any position in a crib were also connected to the row of the diagonal board corresponding to the plaintext or ciphertext letter seen at that position of the crib. Current on the wire for that actual letter led nowhere new, but current on the wire for a different letter was connected to the row for that different letter, at the position where the original letter would actually be encountered. This provided additional connections. Yet, if the voltage entered the setup at the correct position, the closed circuit was not extended to other wires; and if the voltage entered at another position, the closed circuit still received no voltage. Thus, the Bombe still worked as before, except that it automatically ignored many of the false alarms for which it had previously stopped.
The "Machine Gun"
An additional device attached to the Turing Bombe to eliminate further false alarms performed the following function: when not all the wires were live, but all the wires except one were, the voltage was redirected to that one wire. Then all the different letters of the crib were scanned, to ensure that no two different letters in the crib (counting both its plaintext and ciphertext forms) would have had to be brought to the same letter, instead of to different letters, by the plugboard for the current Bombe position to be valid.
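The following Python is an added example, not code from the original page: a toy Enigma and the Bombe test described in the last three sections, with the diagonal board included and a one-by-one check of the dark wires standing in for the "machine gun". It assumes the historical wirings of rotors I, II and III and reflector B, ring settings all at A, no movement of the medium wheel inside the crib (the simplification the text attributes to the Bombe), and a known slow-rotor position, so that only the 676 middle/fast positions are searched. The crib, plugboard and key are constructed for the example.

```python
# Added example, not code from the original page: toy Enigma plus Bombe test.
import string
from collections import deque

ALPHABET = string.ascii_uppercase
ROTOR = {"I":   "EKMFLGDQVZNTOWYHXUSPAIBRCJ",   # historical wirings, ring at A
         "II":  "AJDKSIRUXBLHWTMCQGZNPYFVOE",
         "III": "BDFHJLCPRTXVZNYEIWGAKMUSQO"}
REFLECTOR_B = "YRUHQSLDPXNGOKMIEBFZCWVJAT"

def through(wiring, c, pos, forward=True):
    """Contact c (0..25) through one rotor turned to position pos."""
    if forward:
        return (ALPHABET.index(wiring[(c + pos) % 26]) - pos) % 26
    return (wiring.index(ALPHABET[(c + pos) % 26]) - pos) % 26

def scrambler(order, positions):
    """Rotors plus reflector, no plugboard, at absolute positions (slow, mid, fast):
    a fixed-point-free involution on 0..25, the alphabet of that position."""
    perm = []
    for c in range(26):
        for name, pos in zip(reversed(order), reversed(positions)):  # fast rotor first
            c = through(ROTOR[name], c, pos)
        c = ALPHABET.index(REFLECTOR_B[c])
        for name, pos in zip(order, positions):
            c = through(ROTOR[name], c, pos, forward=False)
        perm.append(c)
    return perm

def make_plugboard(pairs):
    """Stecker as letter -> letter; unsteckered letters map to themselves."""
    board = {x: x for x in ALPHABET}
    for a, b in pairs:
        board[a], board[b] = b, a
    return board

def encipher(order, positions, plugboard, text):
    """Toy Enigma: the fast rotor steps once before every letter; nothing else moves."""
    slow, mid, fast = positions
    out = []
    for ch in text:
        fast = (fast + 1) % 26
        s = scrambler(order, (slow, mid, fast))
        out.append(plugboard[ALPHABET[s[ALPHABET.index(plugboard[ch])]]])
    return "".join(out)

def propagate(scrs, adjacency, start, diagonal_board=True):
    """Voltage spreading through the menu from one wire (letter, stecker partner).
    Each crib position is a 26-wire link through that position's scrambler; the
    diagonal board adds wire (s, x) for every live wire (x, s). Returns the live
    wires and whether some letter was forced onto two different partners."""
    reached, partner, consistent = {start}, {start[0]: start[1]}, True
    queue = deque([start])
    while queue:
        x, s = queue.popleft()
        nxt = [(y, scrs[i][s]) for y, i in adjacency[x]]
        if diagonal_board:
            nxt.append((s, x))
        for y, t in nxt:
            if (y, t) in reached:
                continue
            if partner.setdefault(y, t) != t:
                consistent = False
            reached.add((y, t))
            queue.append((y, t))
    return reached, consistent

def run_bombe(order, slow, crib_plain, crib_cipher, diagonal_board=True):
    """Try all 676 middle/fast positions. A position 'stops' when the test register
    is not fully live; the dark wires (or the single live one) are then checked
    one by one for a contradiction-free stecker of the test letter."""
    plain = [ALPHABET.index(c) for c in crib_plain]
    cipher = [ALPHABET.index(c) for c in crib_cipher]
    adjacency = {x: [] for x in range(26)}
    for i, (p, c) in enumerate(zip(plain, cipher)):
        adjacency[p].append((c, i))
        adjacency[c].append((p, i))
    test = max(range(26), key=lambda x: len(adjacency[x]))  # most-connected letter
    cache, stops = {}, []
    for mid in range(26):
        for fast in range(26):
            scrs = []
            for i in range(len(plain)):
                key = (mid, (fast + i + 1) % 26)
                if key not in cache:
                    cache[key] = scrambler(order, (slow,) + key)
                scrs.append(cache[key])
            live, _ = propagate(scrs, adjacency, (test, 0), diagonal_board)
            at_test = {s for x, s in live if x == test}
            if len(at_test) == 26:
                continue
            candidates = at_test if len(at_test) == 1 else set(range(26)) - at_test
            good = [s for s in sorted(candidates)
                    if propagate(scrs, adjacency, (test, s), diagonal_board)[1]]
            if good:
                stops.append(((mid, fast), ALPHABET[test], "".join(ALPHABET[s] for s in good)))
    return stops

# Constructed key and crib for the example.
ORDER = ("I", "II", "III")
TRUE_POSITIONS = (0, 12, 16)                      # slow A, middle M, fast Q
PLUGBOARD = make_plugboard([("A", "M"), ("E", "K"), ("R", "T"), ("W", "X"), ("V", "Z")])
CRIB = "WETTERVORHERSAGE"

def demo(diagonal_board=True):
    ciphertext = encipher(ORDER, TRUE_POSITIONS, PLUGBOARD, CRIB)
    return ciphertext, run_bombe(ORDER, TRUE_POSITIONS[0], CRIB, ciphertext, diagonal_board)

if __name__ == "__main__":
    ciphertext, stops = demo()
    print(CRIB, "->", ciphertext)
    for pos, letter, steckers in stops:
        print("stop at middle %s fast %s: %s steckered to one of %s"
              % (ALPHABET[pos[0]], ALPHABET[pos[1]], letter, steckers))
```

The true position always stops, and its stecker for the test letter is always among the survivors, for the reason given in the text: a true hypothesis can only propagate to other true facts, so it never contradicts itself. Running with diagonal_board=False gives a superset of the stops, which is the point of the board.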
Autoscritcher
Thanks to a Cryptologia article by Cipher A. Deavours, and an earlier paper in the IEEE Annals of the History of Computing, the equipment used for dealing with the rewirable reflecting rotor has been unveiled as well, at least in part. For this device, a crib is required where, at several positions, the same plaintext letter has become the same ciphertext letter. A Bombe with sets of the three regular rotors only is used to find positions consistent with this. As the letters can be displaced by the plugboard, all possible pairs of plaintext and ciphertext letters are tried by external circuitry for each position of the fast rotor. However, a very good crib is needed for there to be enough detectable inconsistencies for such an approach to be useful; the article itself notes that its description must still be incomplete. Incidentally, I recently found that another page (linked from the original) has a very good description of how the Bombe worked as well.
The ECM Mark II, also known as SIGABA, M-134-C, and CSP-889
During World War II, the United States used a rotor machine which was so well designed that it appears to be immune to any kind of cryptanalysis other than a brute-force attack, offering security somewhat comparable to that which DES very much later made available in the civilian sector. (Since writing these words, I have noted that, if one had over a dozen messages enciphered at the same initial rotor setting, which would be unlikely in practice, it is possible to compare different alphabets produced by the machine and obtain at least some information about the rotor wirings. From there, the technique used by Frank Rowlett against the M-228 might allow further progress.)

This machine was originally called the ECM Mark II within the predecessor of the NSA that developed it. The ECM Mark I was a machine developed by Edward Hebern, and the ECM Mark III was a machine that, like the Mark II, had irregular rotor movement, but which achieved it by a simpler system. Edward Hebern was involved with the development of both the ECM Mark I and the ECM Mark III, while the ECM Mark II, our present subject, was developed entirely within the U.S. Government. Its basic principles originated within the Army Security Agency, but the ECM Mark II itself, in its specific form, was developed within the U.S. Navy.

The basic principle of the SIGABA that made it so strong is the use of additional rotors, rather than gears, to control the movement of the rotors used to encrypt a message. As this excellent design has, very recently, been declassified in its entirety, it has become possible for you and me to examine and admire it. The SIGABA contains fifteen rotors, ten of which are conventional 26-contact rotors, and five of which are smaller rotors with only 10 contacts on each side. These rotors are divided into three groups.
Five 26-contact rotors, called cipher rotors, encipher or decipher the message being transmitted in the same way as the rotors in a regular Hebern rotor machine. Any of them can move after a letter is enciphered; their motion is controlled by electrical signals.

Another five 26-contact rotors are called control rotors. On the input side, four contacts (corresponding to the letters F, G, H, and I) are live. On the output side, the contacts are wired together in nine bunches of various sizes, numbered here by the index-rotor input each bunch feeds:

1: B
2: C
3: D E
4: F G H
5: I J K
6: L M N O
7: P Q R S T
8: U V W X Y Z
9: A
These rotors move as if they were controlled by conventional gearing (actually, electromechanical means are also used to move them, for reasons of parts commonality or due to patent considerations): the middle one moves one space for every letter enciphered; the one after it (closer to the output side) moves once for every 26 letters, and the one before the middle rotor moves once for every 676 letters. A carry to the next slower rotor takes place when a rotor moves from the letter O to the letter N. The five 10-contact rotors are called the index rotors. They are only set by hand before starting to use the machine. Nine of their ten inputs are connected to the nine bunches of contacts which take the output of the control rotors, the numbers of the bunches in the table above showing which contact receives the signal from that bunch. Their ten outputs are connected together in five pairs, each of which supplies the signal that controls the advance of one of the cipher rotors. The following diagram illustrates the wiring of the SIGABA:
Because exactly four inputs to the control rotors received a live signal, at most four of the cipher rotors could step after any letter was enciphered. Since no signal was ever thrown away, although the number of distinct live signals could be reduced when two arrived at contacts wired together, at least one of the cipher rotors had to step each time. When using the machine, the ten 26-contact rotors were first set to their starting positions, which were the ones marked by the letter O rather than the ones marked with the letter A that one might expect, usually with the aid of an automatic feature in the machine. It could also be done by hand, but if the user was not careful, one of the control rotors, particularly one of the two on the outside, could be left in a halfway position, preventing the cipher rotors from ever moving.
The index rotors, however, were set by hand. Setting them was in a sense easier, or at least less problematical, and for each day there were three different settings for them, for three different levels of security classification of the message being sent. The order of the index rotors apparently was at one time changed each day, but during World War II the procedure was changed to always leave these rotors in order. The wiring of the index rotors (or at least a wiring used at one time with the index rotors) is known, and is as follows:

Input:    0 1 2 3 4 5 6 7 8 9
Rotor 1:  7 5 9 1 4 8 2 6 3 0
Rotor 2:  3 8 1 0 5 9 2 7 6 4
Rotor 3:  4 0 8 6 1 5 3 2 9 7
Rotor 4:  3 9 8 0 5 2 6 1 7 4
Rotor 5:  6 4 9 7 1 3 5 2 8 0

These rotors are all wired by the interval method. In addition, it is always the interval -3 (that is, +7 modulo 10) that is duplicated, and therefore the interval +2 that is omitted. And furthermore, the two wires with interval -3 always start from two contacts which have exactly one contact between them. This means that they all belong to one of the classes into which a program I wrote, to count the number of interval-method wirings for rotors of even size, divided the possible wirings. As it turns out, rotor wirings recorded for the 26-contact rotors of machines Edward Hebern made for the U.S. Navy to test had the same structure, which led me to suspect that this may also have been true of the 26-contact rotors of the SIGABA, no actual specimens of which (the wirings, not the rotors) have been preserved. However, the actual wirings of two rotors for SIGCUM, a telecipher machine, which were recovered by Frank Rowlett during tests of its security, have survived and have recently been disclosed, and these rotors were not wired according to the interval method. Since SIGCUM was manufactured by the same contractor as SIGABA, and was contemporary with the later period of the use of SIGABA, this seems to be more conclusive.
The keyboard on the SIGABA had a row of digits like the keyboard on a regular typewriter. While the SIGABA didn't encipher messages containing digits, the keys for the digits 1 through 5 were used, when the machine was switched to a setup mode, to advance the control rotors. When sending a message, the operator first picked five letters at random, which were sent with the message as an indicator. Then, starting from the OOOOO position, using the 1 to 5 keys, the control rotors were moved to spell out the five-letter indicator, starting with the first control rotor (which the 1 key moved). Although the mechanical gears that usually moved the control rotors were not active during this setup mode, each time a number key was pressed the cipher rotors moved, based on the electrical signal travelling through the control and index rotors, in the same way as during normal encipherment. Thus, the indicator specified a position for the cipher rotors as well as for the control rotors, but the starting position of the cipher rotors was, in effect, well encrypted.

When messages were enciphered, the space bar could be used on the keyboard, and caused the letter Z to be enciphered; on the other hand, the Z key and the X key both caused the letter X to be enciphered. Also, the machine inserted a space after every five letters enciphered, for ease of reading for transmission. For decryption, Z printed as a space, thus restoring the spaces in the original message.

In the postwar period, the CSP-889, as the SIGABA was known in the Navy, was replaced by a modified version, the CSP-2900. This had some interesting differences. Six, rather than four, inputs to the control rotors were live; these corresponded to the letters D, E, F, G, H, and I. Since this meant that all five cipher rotors could move at the same time, cipher rotors 2 and 4 were changed to move backwards when they moved, so that if all the rotors moved, they still wouldn't all move in step. The outputs of the control rotors were now gathered in ten bunches instead of nine, and the largest connected together only four contacts, not six. Also, three control-rotor outputs were left unused, instead of none as before. Since the number of discarded outputs was less than six, it was still true that at least one rotor would always move. The arrangement was:

0: U V
1: B
2: C
3: D E
4: F G H
5: I J K
6: L M N O
7: S T
8: W X Y Z
9: A
not connected: P Q R
This diagram is modified to illustrate the newer form of the ECM Mark II:
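As an added example, not from the original page, the following Python traces the stepping path described above: the live control-rotor inputs, the output bunching, the index rotors with the wirings given above, and the pairing of their outputs into cipher-rotor stepping signals, for both the CSP-889 and the CSP-2900 arrangement. Because the page does not give them, the control-rotor wirings are random permutations, the pairing of index outputs to cipher rotors (contacts 0-1, 2-3, ... 8-9 driving cipher rotors 1 to 5) is an assumption, and every rotor is taken as entering on one fixed side with no reversal. It also checks the interval-method structure of the index rotors noted above.

```python
# Added example, not code from the original page: SIGABA stepping path.
import random
import string

ALPHABET = string.ascii_uppercase
O = ALPHABET.index("O")

# Index-rotor wirings from the table above: output contact for each input 0..9.
INDEX_WIRING = [
    [7, 5, 9, 1, 4, 8, 2, 6, 3, 0],
    [3, 8, 1, 0, 5, 9, 2, 7, 6, 4],
    [4, 0, 8, 6, 1, 5, 3, 2, 9, 7],
    [3, 9, 8, 0, 5, 2, 6, 1, 7, 4],
    [6, 4, 9, 7, 1, 3, 5, 2, 8, 0],
]

# Control-rotor output bunching: output letters -> index-rotor input contact.
CSP889 = {"live": "FGHI", "reverse": (),
          "bunches": {"B": 1, "C": 2, "DE": 3, "FGH": 4, "IJK": 5, "LMNO": 6,
                      "PQRST": 7, "UVWXYZ": 8, "A": 9}}
CSP2900 = {"live": "DEFGHI", "reverse": (1, 3),   # cipher rotors 2 and 4 step backwards
           "bunches": {"UV": 0, "B": 1, "C": 2, "DE": 3, "FGH": 4, "IJK": 5,
                       "LMNO": 6, "ST": 7, "WXYZ": 8, "A": 9}}   # P, Q, R unconnected

def interval_structure(wiring):
    """(duplicated interval, omitted interval) of a wiring, the interval being
    output minus input modulo the rotor size; under the interval method exactly
    one interval occurs twice and one is missing."""
    n = len(wiring)
    counts = [0] * n
    for i, out in enumerate(wiring):
        counts[(out - i) % n] += 1
    return counts.index(2), counts.index(0)

def through(wiring, contact, position):
    """Contact enters a rotor turned to 'position'; returns the exit contact."""
    n = len(wiring)
    return (wiring[(contact + position) % n] - position) % n

class Sigaba:
    """Stepping logic only: which cipher rotors move after each letter."""

    def __init__(self, variant, control_wirings, index_positions):
        self.live = variant["live"]
        self.reverse = variant["reverse"]
        self.bunch = {ch: n for group, n in variant["bunches"].items() for ch in group}
        self.control = control_wirings           # five 26-entry permutations (hypothetical)
        self.control_pos = [O] * 5               # zeroised to OOOOO as described above
        self.index_pos = list(index_positions)   # hand-set, never move
        self.cipher_pos = [O] * 5

    def cipher_rotors_to_step(self):
        """Follow the live signals through control rotors, bunches and index rotors."""
        index_inputs = set()
        for ch in self.live:
            c = ALPHABET.index(ch)
            for wiring, pos in zip(self.control, self.control_pos):
                c = through(wiring, c, pos)
            if ALPHABET[c] in self.bunch:        # the CSP-2900 discards P, Q and R here
                index_inputs.add(self.bunch[ALPHABET[c]])
        outputs = set()
        for c in index_inputs:
            for wiring, pos in zip(INDEX_WIRING, self.index_pos):
                c = through(wiring, c, pos)
            outputs.add(c)
        return sorted({c // 2 for c in outputs})  # assumed pairing 0-1, 2-3, ... 8-9

    def step(self):
        """One letter: step the selected cipher rotors, then the control rotors
        (middle one every letter, carries to the 4th and then the 2nd at O -> N)."""
        moving = self.cipher_rotors_to_step()
        for r in moving:
            self.cipher_pos[r] = (self.cipher_pos[r] + (-1 if r in self.reverse else 1)) % 26
        for r in (2, 3, 1):
            old = self.control_pos[r]
            self.control_pos[r] = (old - 1) % 26
            if old != O:
                break
        return moving

def build(variant, seed=7, index_positions=(0, 0, 0, 0, 0)):
    """Machine with hypothetical control-rotor wirings (the real ones are not preserved)."""
    rng = random.Random(seed)
    wirings = [rng.sample(range(26), 26) for _ in range(5)]
    return Sigaba(variant, wirings, index_positions)

def stepping_counts(machine, letters):
    """How many cipher rotors moved at each of the next 'letters' steps."""
    return [len(machine.step()) for _ in range(letters)]

if __name__ == "__main__":
    for name, variant in (("CSP-889", CSP889), ("CSP-2900", CSP2900)):
        counts = stepping_counts(build(variant), 2000)
        print(name, "rotors stepping per letter: min %d max %d" % (min(counts), max(counts)))
    print("index rotor (duplicated, omitted) intervals:",
          [interval_structure(w) for w in INDEX_WIRING])
```

Whatever the unknown control-rotor wirings are, the bounds stated in the text hold by construction: between one and four cipher rotors step per letter on the CSP-889, and between one and five on the CSP-2900, since at most three of its six live signals can be discarded.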
Machines of the ECM Mark II type used for a communications link between the President of the U.S. and the Prime Minister of the U.K., which was called "POTUS-PRIME", were operated in a fashion that produced additional security. The five cipher rotors were set by hand, and apparently so were the control rotors, and the settings for the cipher and control rotors were taken from a list of thirty five-letter groups, usable as either cipher-rotor settings or control-rotor settings, with a three-letter codeword, pronounceable and with error-correction properties, for each one. (The two three-letter codewords were combined into a single six-letter group for transmission.) Thus, the idea of increasing the SIGABA key length by using a ten-letter indicator was indeed considered, and it was used, along with the other possible way of achieving ultimate rotor security, a codebook for message indicators, where circumstances warranted the extra effort.
This link was used during World War II, and the British were not allowed access to the American cipher machines at their end at that time. The SIGABA, or Electric Cipher Machine Mark II, was developed before World War II by people from both the U.S. Army and the U.S. Navy. The story of its development is a somewhat complicated one. The basic idea of electrically-controlled rotors was originated by W. F. Friedman, who implemented it in the original M-134 machine, which had five rotors that enciphered text, the motion of which was controlled by a paper tape. A plugboard was included to vary which channel of the paper tape controlled which rotor. Frank Rowlett then came up with what could be considered the core concept of the SIGABA: the idea of using rotors to control the rotors that enciphered text. At the time, the U.S. Army had limited funding for the development of new cipher machines, and thus Friedman and Rowlett embodied this new principle in an add-on device, called the M-229 or SIGGOO, that connected to the M-134. The M-229 had three rotors. A six-position switch controlled how these rotors moved (shown as a plugboard with three plugs and sockets in the diagram). Five inputs to these three rotors, which had the role of the control rotors in the SIGABA, were live. The outputs were connected together in two groups of five and three groups of four. Here is a diagram of the combined M-134 and M-229:
Meanwhile, this new idea was conveyed to the cryptological department of the U.S. Navy as well. There, Laurence F. Safford and Donald J. Seiler developed the Electric Cipher Machine Mark II (Mark I was the Hebern rotor machine), which was essentially the SIGABA in its final form. For a period during this development, Army-Navy collaboration was disrupted by other factors, but when channels were reopened, the Army group recognized that the ECM Mark II was a superior embodiment of their ideas, and were happy to accept it as a cipher machine for use by both services. The source for most of the information on this page is the U.S.S. Pampanito web site, which has an entry in my Links section.
Miscellaneous Machine Ciphers
This section looks at a number of cipher machines which are more secure than the relatively simple devices examined in the first section of this chapter, but which still can be dealt with in less space.
The Hagelin B-211
Sweden's HC-9
LACIDA
The Hagelin B-21 and B-211
The Hagelin B-21 makes an interesting use of half rotors for encipherment. It uses a 25-letter alphabet, and the row and column coordinates of each letter are enciphered separately. For enciphering, the coordinate signals entered on the spindle side of a half-rotor with ten positions. Essentially, it worked like two separate half-rotors with five inputs and five outputs each: the odd contacts were wired one way to the five contact strips on the output side, and the even contacts were wired another way. The following illustration:
shows how such a half rotor works: the five contact strips on the spindle side are shown in yellow. Five wires in blue proceed to the rotor side; then these five wires are connected in a random order to one group of five rotor contacts by green wires, and to another group by purple wires. The B-21 had pinwheels of sizes 17, 19, 21, and 23. These advanced one step for each letter enciphered. An OR (not an XOR) of the outputs of two pinwheels caused each half rotor to move one step when the result was 1. The B-211, in addition to printing its output on a strip of paper, had two plugboards with five plugs and five sockets to scramble the five outputs taken from the half rotors.
The arrangement of the B-211 is illustrated below:
The French military used a variation of the B-21 which had a second pair of half rotors. The extra pair of half-rotors had fifteen rather than ten positions.
The HC-9
The HC-9 is a hand-held mechanical cipher machine used by the Swedish armed forces during the postwar era. It is of some interest in that, although it operates by a completely different principle, it and the original version of the Hagelin lug-and-pin machine are the only secure modern cipher machines that are both very compact and of all-mechanical construction. It behaves as if it contained five pinwheels, of sizes 29, 31, 33, 34, and 35. Each "pinwheel" advances one space for every letter enciphered, and their outputs are used to select one of sixteen cipher alphabets as follows: four bits are formed from the five bits presented by the five sequences by taking the XOR of each pair of adjacent bits, and the result is treated as a four-bit number. Thus, the XOR of the bits from the 29-bit and 31-bit sequences controls displacing the list of alphabets by eight places. But instead of pinwheels, the sequences are supplied by a punched card, which sits in the device and whose large round holes are sensed by little metal fingers inside the device. Another replaceable card inside the device gives the sixteen alphabets in use. In practice these alphabets were all chosen to be reciprocal, for ease of use.
LACIDA
LACIDA, a rotor machine developed in Poland, uses conventional rotors, like a Hebern machine. However, it is unusual in that its moving rotors come in three different sizes, with 24, 31, and 35 contacts. These rotors each move one step with every character enciphered, thus providing a period of 24 × 31 × 35, or 26,040 characters. The input alphabet consists of the alphabet with the letters Q and V omitted; the output alphabet uses all the letters, and all the digits except zero. The conversion between 24 contacts and 31 contacts, and the conversion between 31 contacts and 35 contacts, are claimed, in the accounts I have read, to be accomplished by stators: rotors that don't move during encipherment, but which can be set initially to any position. (The rotors and stators are marked with the alphabet from A to Z, and at most 26 initial positions are used with any rotor.) In addition, an extra 35-contact rotor is used as a stator on exit. Originally, I thought that rather odd, as it seemed to require rotors made of rubber; but because, mechanically, the rotors are similar to those of the Enigma, in that they contain one set of spring-loaded contacts and a flange that serves as a gear, upon further reflection I realized that the conversion stators were possible, and would probably be achieved by placing the teeth on their gear flange at somewhat irregular positions.
Conclusions for Chapter 2
Here, we have met a series of cipher systems that are fascinating in their intricacy. Most of them, however, share many common features. The Hill Cipher and the Bazeries Cylinder are the unusual members of this group in that they deal with several characters at once. Putting them aside, the other designs reflect the relative difficulty of incorporating any kind of memory in a simple electrical or mechanical device. Rotor machine usage illustrates an elaboration of the concept of a key to a cipher system. In addition to a general method of enciphering, cipher systems require a key that is easily changed. This allows many messages to be sent in a given system, while the number of messages enciphered in exactly the same way is kept limited by varying the key. In the case of rotor machines, the key is split up into three parts, which are treated differently. There are the rotor wirings. These are difficult to change, but they are worth keeping secret, and do need to be varied periodically. The order of rotors in the machine, and other settings depending on the type of the machine (index rotor settings in the SIGABA, plugboard and alphabet ring settings in the Enigma) are changed perhaps each day, on the basis of a list of daily keys which is distributed once a month. The initial setting of rotors for a given message is also a part of the key. This part, however, is sent with the message, perhaps in some way encrypted, as it is chosen randomly for each message by the operator of the rotor machine. (It is often termed a message indicator, which is prefixed to a message along with a system indicator which identifies the particular type of cipher used or the particular family of keys used.) This same kind of multilevel key structure can be found in modern block ciphers, despite the fact that they operate on very different principles. The contents of Sboxes can be thought of as at least potentially subject to change, and therefore as corresponding to rotor wirings. 
The key proper is secret, and must be somehow distributed like a rotor order. For many block cipher modes, an initialization vector is required, which functions like a message indicator. Thus, rotor ciphers illustrate how care must be taken, for a system that will be used widely, to limit the number of messages that will be sent with the same key, and to vary as much of the key as often as is feasible. So, the parts of the key that are harder to vary are varied less often. The different strengths of the different types of rotor cipher also teach us something about good cipher design. The fact that the SIGABA stands head and shoulders above the other devices here illustrates the importance of allowing elements in a cipher design to have the power to scramble the plaintext, and yet having these elements do so in an indirect way, so that even with matching plaintext and ciphertext, their values are hard to determine. The Enigma and the Bazeries cylinder shared a very serious weakness; since no letter can represent itself, it is easy to align probable plaintext with enciphered messages. One apparently simple way to eliminate this weakness would be to use columnar transposition on the ciphertext produced by such a device. While that would create a very strong cipher, since the ciphertext produced by a Bazeries cylinder, let alone an Enigma, is so scrambled that it would seem there would be little in the way of clues for breaking the transposition cipher, such methods do not tend to be often used. That is because a pencil and paper transposition cipher is tedious to perform, thus negating the advantage of using a machine for cryptography in making encryption quick and efficient. Also, encrypted messages are often sent over the radio in Morse code. The problems caused by garbled
letters are magnified by a cipher of this type. However, as long as cipher letters are transmitted in five-letter groups, and the total number of letters in a message is sent with every message, a garbled letter in the ciphertext would still imply only one garbled letter in the plaintext, so such a method is not completely impractical.

For two of the systems covered in this chapter, an interesting question arises for the first time. For the Bazeries cylinder, instead of a random arrangement of letters on the disks, a Latin square is used to improve resistance to the de Viaris attack. For rotor machines, rotors wired according to the interval method may be used, to maximize the variety in the alphabets produced by each rotor as it rotates. The question arises: is good better than random? One way to look at it is to view any constraints on permutations as part of the system of a cipher, part of what is needed for it to work properly; and to compare the cipher in that form to one without the constraint, to evaluate whether a larger choice of keys, or the possibility of a design weakness without the constraint, is a more serious problem.

While these examples seem to be ones in which the use of an optimum sequence is justified, there can be cases where the reverse is true. Sometimes, fairly poor sequences are used for paper-and-pencil digraph encipherment tables. Instead of an arrangement of all 676 digraphs, one winds up performing an encipherment which is equivalent to reversing every pair of letters, and then alternating between two cipher alphabets. Obviously, a random table of digraphs is much better than this. One might not be sacrificing much if one used a table that was reciprocal, since otherwise one would need two tables, one for enciphering and one for deciphering. The advantage of a random table is that changing one plaintext letter almost always changes both cipher letters.
It is possible to use a special form of table where changing one plaintext letter is guaranteed to change both cipher letters. The row is selected by the first plaintext letter and the column by the second:

   A  B  C  D  E  F  G  H  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z
A  aa qc mh im ps ju iq ne vz hi fv ot yg zp kr bf sf gy ln dj tx wo xd eb rl ck
B  xe bb rd ni jn qt kv jr of wz ij gw pu yh zq ls cg tg hy mo ek ux ap fc sm dl
C  bq xf cc se oj ko ru lw ks pg az jk ha qv yi zr mt dh uh iy np fl vx gd tn em
D  wx cr xg dd tf pk lp sv ma lt qh bz kl ib rw yj zs nu ei vi jy oq gm he uo fn
E  hn ax ds xh ee ug ql mq tw nb mu ri cz lm jc sa yk zt ov fj wj ky pr if vp go
F  qs io bx et xi ff vh rm nr ua oc nv sj dz mn kd tb yl zu pw gk ak ly jg wq hp
G  my rt jp cx fu xj gg wi sn os vb pd ow tk ez no le uc ym zv qa hl bl kh ar iq
H  cm ny su kq dx gv xk hh aj to pt wc qe pa ul fz op mf vd yn zw rb im li bs jr
I  jn dn oy tv lr ex hw xl ii bk up qu ad rf qb vm gz pq ng we yo za sc mj ct ks
J  td ko eo py uw ms fx ia xm jj cl vq rv be sg rc wn hz qr oh af yp zb nk du lt
K  zc ue lp fp qy va nt gx jb xn kk dm wr sw cf th sd ao iz rs pi bg yq ol ev mu
L  yr zd vf mq gq ry wb ou hx kc xo ll en as ta dg ui te bp jz st qj ch pm fw nv
M  di ys ze wg nr hr sy ac pv ix ld xp mm fo bt ub eh vj uf cq kz tu rk qn ga ow
N  sl ej yt zf ah os is ty bd qw jx me xq nn gp cu vc fi wk vg dr lz uv ro hb pa
O  vw tm fk yu zg bi pt jt uy ce ra kx nf xr oo hq dv wd gj al wh es mz sp ic qb
P  nz wa un gl yv zh cj qu ku vy df sb lx og xs pp ir ew ae hk bm ai ft tq jd rc
Q  gu oz ab vo hm yw zi dk rv lv wy eg tc mx ph xt qq js fa bf il cn bj ur ke sd
R  ck hv pz bc wp in ya zj el sw mw ay fh ud nx qi xu rr kt gb cg jm do vs lf te
S  ep dl iw qz cd aq jo yb zk fm ta na by gi ve ox rj xv ss lu hc dh kn wt mg uf
T  lo fq em ja rz de br kp yc zl gn ub ob cy hj wf px sk xw tt mv id ei au nh vg
U  fj mp gr fn kb sz ef cs lq yd zm ho vc pc dy ik ag qx tl xa uu nw je bv oi wh
V  kf gk nq hs go lc tz fg dt mr ye zn ip wd qd ey jl bh rx um xb vv oa cw pj ai
W  pb lg hl or it hp md uz gh eu ns yf zo jq ae re fy km ci sx vn xc ww da qk bj
X  ut vu wv aw ba cb dc ed fe gf hg ih ji kj lk ml nm on po qp rq sr ts xx yz zy
Y  rg sh ti uj vk wl am bn co dp eq fr gs ht iu jv kw la mb nc od pe qf yy zx xz
Z  iv jw ka lb mc nd oe pf qg rh si tj uk vl wm an bo cp dq er fs gt hu zz xy yx
The digraphs in this table form a Graeco-Latin square of order 26, something that Euler conjectured was impossible.

A Graeco-Latin square of order 6 is impossible. For larger numbers of the form 4n+2 for some integer n, a special construction is required to create Graeco-Latin squares, which was only discovered in 1960. The square shown above is, of course, constructed according to the method given in the original paper by Bose, Shrikhande, and Parker.

While the Graeco-Latin square above could be dressed up to make it look more random, by applying a simple letter substitution to its contents (three letters are special, but they don't have to be x, y, and z) and rearranging rows and columns, it would seem that choosing such a square, instead of a random one, for a digraphic substitution would not be a sensible idea. However, as a mixing step, perhaps even an unkeyed mixing step, inside a block cipher with a long key in other areas, Graeco-Latin squares may still be useful. This, in fact, is the subject of a patent for a technique called Balanced Block Mixing, held by Terry Ritter. Also note that odd order, or order 4n, both allow a much larger number of Graeco-Latin squares than order 4n+2.

Next, we can look at some elaborate rotor machine designs that combine the principles and original ideas of the rotor machine designs we have examined in this chapter.
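As an added example (not the compendium's own code), here is the classical cyclic construction of an odd-order Graeco-Latin square used as a digraphic substitution table, with a check of the property described above: changing one plaintext letter always changes both cipher letters, whereas a random table of the same digraphs does not guarantee it. The order-26 Bose-Shrikhande-Parker construction is not reproduced; the nine-letter alphabet and the sample plaintext are constructed for the demonstration.

```python
"""Digraphic substitution from a Graeco-Latin square (added example)."""
import random
import string


def both_differ(d1, d2):
    """True if two digraphs differ in both their first and second letters."""
    return d1[0] != d2[0] and d1[1] != d2[1]


def graeco_latin_square(n):
    """Classical cyclic construction for odd n: cell (i, j) holds the digraph
    L[(i + j) mod n] + L[(i + 2j) mod n].  The first letters form a Latin
    square for any n; the second letters do so because 2 is invertible modulo
    an odd n; and no digraph repeats because the pair determines (i, j).
    Row i is the first plaintext letter, column j the second."""
    if n % 2 == 0 or not 3 <= n <= 26:
        raise ValueError("cyclic construction needs an odd order from 3 to 26")
    L = string.ascii_lowercase[:n]
    return [[L[(i + j) % n] + L[(i + 2 * j) % n] for j in range(n)]
            for i in range(n)]


def is_graeco_latin(square):
    """Every digraph unique, and in each row and each column both the first
    and the second letters run through all n values."""
    n = len(square)
    if len({cell for row in square for cell in row}) != n * n:
        return False
    for k in (0, 1):
        for i in range(n):
            if len({square[i][j][k] for j in range(n)}) != n:
                return False
            if len({square[j][i][k] for j in range(n)}) != n:
                return False
    return True


def both_letters_change_fraction(table):
    """Fraction of single-letter plaintext changes that alter both cipher
    letters.  A Graeco-Latin table scores exactly 1.0 (the guarantee the text
    describes); a random arrangement of the same digraphs scores less."""
    n = len(table)
    tried = hits = 0
    for i in range(n):
        for j in range(n):
            for i2 in range(n):
                if i2 != i:                  # change the first plaintext letter
                    tried += 1
                    hits += both_differ(table[i][j], table[i2][j])
            for j2 in range(n):
                if j2 != j:                  # change the second plaintext letter
                    tried += 1
                    hits += both_differ(table[i][j], table[i][j2])
    return hits / tried


def random_digraph_table(n, seed=0):
    """Constructed comparison table: the same n*n digraphs in random order."""
    L = string.ascii_lowercase[:n]
    cells = [a + b for a in L for b in L]
    random.Random(seed).shuffle(cells)
    return [cells[i * n:(i + 1) * n] for i in range(n)]


def encipher(table, plaintext):
    """Replace each plaintext pair by its table entry.  The plaintext must
    have even length and use only the first n letters of the alphabet."""
    n = len(table)
    L = string.ascii_lowercase[:n]
    if len(plaintext) % 2:
        raise ValueError("digraphic substitution needs an even-length text")
    return "".join(table[L.index(a)][L.index(b)]
                   for a, b in zip(plaintext[::2], plaintext[1::2]))


def decipher(table, ciphertext):
    """Invert the table (a second table is needed unless it is reciprocal)."""
    n = len(table)
    L = string.ascii_lowercase[:n]
    inverse = {table[i][j]: L[i] + L[j] for i in range(n) for j in range(n)}
    return "".join(inverse[ciphertext[k:k + 2]]
                   for k in range(0, len(ciphertext), 2))


if __name__ == "__main__":
    sq = graeco_latin_square(9)                      # alphabet a..i
    print(is_graeco_latin(sq), both_letters_change_fraction(sq))
    print(encipher(sq, "beachbag"), decipher(sq, encipher(sq, "beachbag")))
    print(both_letters_change_fraction(random_digraph_table(9)))
```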
Fantastic Rotor Machines
Of course, many different encryption principles have been seen in the devices covered in this chapter. One could imagine combining many of these techniques in a single elaborate device, such as the following:
The heart of this device is two pairs of two half rotors, each pair consisting of one with five inputs and ten outputs and one with five inputs and fifteen outputs, as in the improved French version of the B-211. The coordinates for each letter of the alphabet are varied by preceding and following that part of the device by three conventional rotors. Almost conventional, that is, since these rotors all have two duplicate concentric sets of wiring, so that each letter is connected to its home in both row and column. Note that since these rotors have 26 positions, one letter bypasses the B-21-like part of the device. And to top it all off, these six rotors are advanced by means of a SIGABA-like setup. Obviously too bulky and expensive to build out of real electromagnetic components, and yet fascinating.

Here is an example of an interesting rotor machine design using some of the ideas suggested by the design of the Uhr Box:
The arrangement for rotor motion is of interest. With each letter enciphered, a pinwheel is used to select whether rotor 2 or rotor 4 moves. Rotor 3 moves whenever a notch on either of those rotors is advanced, and then it advances rotor 5, which advances rotor 1, normally. Given multinotched rotors, this produces a fairly irregular movement with only one pinwheel. However, the main unusual feature of the design is the way the rotors are wired. As may not be readily apparent from the diagram, unless you are familiar with the conventions I've used in previous diagrams in this chapter, the rotors have two concentric rings of 26 contacts on each side. Rotors 1, 2, 4, and 5 are wired like this:
   * The 26 contacts in the outer ring on one side are connected in a jumbled fashion to the 26 contacts in the outer ring on the other side.
   * The 26 contacts in the inner rings are divided into 13 odd contacts and 13 even contacts. The 13 odd contacts in the inner ring on one side are connected in a jumbled fashion to the 13 odd contacts in the inner ring on the other side, and the same applies to the 13 even contacts on both sides.
The middle rotor connects the 26 contacts in the outer ring on one side to the 13 odd contacts of the inner rings on both sides, and the 26 contacts in the outer ring on the other side to the 13 even contacts of the inner rings on both sides.

Plaintext enters through the contacts on the outer ring on the left side of the rotor stack, and ciphertext leaves through the contacts on the outer ring on the right side. On each side of the rotor stack, a plugboard controls the reflection of the odd contacts of the inner ring to the even contacts of the inner ring.

When a letter is enciphered, its signal first passes through the outer rings of rotors 1 and 2 in a normal rotor machine fashion. Then, rotor 3 sends the signal through the inner rings, either of rotors 2 and 1 or of rotors 4 and 5, through their odd (or even) contacts, to be reflected back through the even (or odd) contacts of rotors 1 and 2 or rotors 5 and 4. And then rotor 3 takes the reflected signal, and sends it through the outer rings of rotors 4 and 5 to continue in a normal rotor machine fashion.

There is some potential for additional flexibility in the design; for example, it would still work if the two plugboards were cross-wired (but not if they were merged into one), and the specially-wired rotor used as rotor 3 does not absolutely have to be in the central position.
In the section on the Enigma, I noted that if one shorted the indicator lights with diodes, it would be possible to attach the rotors to the lamps instead of the keys. This would allow one to design an Enigma in which the rotors could be switched from being connected to the keys or the lamps, so that a plugboard could be placed between the keys and the lamps. In this way, enciphering and deciphering would both be possible, but a letter could represent itself.
This diagram illustrates how this principle could be taken to its ultimate conclusion. On the left hand side of the keyboard and lampboard, a letter is being shown as being enciphered, and on the right hand side a letter is shown as being deciphered. Note how the polarity needs to be taken into account in enciphering mode, so that the diodes across the lamps do not prevent normal Enigma-like operation.

Here are a couple of other attempts to construct elaborate rotor machines combining principles we've seen in previous examples. The first also uses rotors with two concentric rings of 26 contacts, but this time the two sets of contacts are wired differently, not in parallel.
The cipher rotors act a bit like those in the Enigma; the plaintext letter causes electricity to go from left to right, and then the signal returns, going right to left, to produce the ciphertext letter. However, the returning signal uses the second set of contacts, and so the cipher is not reciprocal. The general structure of the machine is like the SIGABA; but the extra set of contacts in the control rotors is used to provide an ever-changing "reflecting rotor" for the cipher rotors.

The following (originally done for use as a background, with different colors) illustrates a double-sized SIGABA. However, five of the signals controlling the ten cipher rotors are created somewhat differently, using a method from a rotor-based telecipher machine, the SIGCUM, which we will encounter later.
The five new control signals have some poor properties, but they nicely complement the SIGABA-type ones, since they have an exact 50% probability of being active. Changing the wiring a bit (and making more rotors electrically controlled) gives us this:
While it has the drawback that the SIGABA-style superior control rotors may occasionally remain immobile, because only the SIGCUM-style ones have unused output contacts, this design causes five of the ten cipher rotors to be controlled by a set of control rotors (the SIGABA-style ones) that are themselves controlled by control rotors (the SIGCUM-style ones) also used to directly control the other five cipher rotors. Not explicit in the diagram is a timing issue requiring a more basic redesign; in the original SIGABA, the cipher rotors move in response to the control rotor position at one time, and the control rotors advance at another time, requiring two clock phases; as the SIGABA-style control rotors can't move simultaneously with either the SIGCUM-style control rotors or with the cipher rotors, we now need three clock phases.

A simpler construct, based on the SIGABA, is illustrated below:
which is simply how I, and perhaps others, imagined the SIGABA might have worked after reading a brief description of it by David Kahn from about 1980, and seeing the first pictures of it that were released some years later. Since the actual design didn't involve the five ten-contact rotors moving, this design would have been even more expensive to build.
Child's Play
The M-134 and the M-229, as described in the section on the SIGABA rotor machine, have suggested to me the idea of a very flexible style of rotor machine, one which could even be used, if made from plastic, as an educational children's toy! As a toy, the heart of it would be three rotor machines of the type diagrammed below.
These machines consist of a bank of five rotors. At each end, there is a plugboard like that of the Enigma, but using standard phono plugs. Beyond the plugboard, on each side, there is a 26-contact connector used to connect a keyboard and a lampboard, only one of each being included in the set. The keyboard would also have a 26-contact connector; plugging the lampboard into that connector would allow the Enigma to be simulated. The machine would use rotors that have plastic slip rings on the outside with bumps to control rotor motion, signalling a carry from one rotor to the other. The rotors and the rings would both be reversible. The complement of rotors provided would be:
   * Four unnumbered dummy rotors, wired straight through. (white)
   * Six randomly wired rotors in two sets of three identical rotors, numbered from 1 to 2. (grey)
   * Six randomly wired rotors in three sets of two identical rotors, numbered from 3 to 5. (grey)
   * Ten randomly wired rotors, each of which is different, numbered from 6 to 15. (grey)
   * Five rotors wired by the interval method, each of which is different, numbered from 16 to 20. (red)
   * Three identical reflecting rotors, which have no contacts on one side, but which otherwise fit in the same space as a regular rotor. (green)
   * Three rotors with a symmetrical wiring that produces the same permutation going through the rotor as is provided by reflection in the reflecting rotor. (blue)
   * Six rotors in two sets of three identical rotors, wired so as to be mirror images of the grey rotors numbered 1 and 2, also numbered from 1 to 2. (purple)
All the slip rings would have only one bump on one side. They would have multiple bumps on the other side, and there they would differ.
   * Five identical slip rings, with three bumps on the other side. (yellow)
   * Five slip rings, with five bumps on the other side, each one having a different arrangement, and numbered from 1 to 5. (green)
   * Five identical slip rings, with seven bumps on the other side. (blue)
As noted, the plugboards on the device use phono plugs, and work like that on the Enigma, so that straight-through wiring is the default when no plugs are inserted. The cables provided with the machine will have the forms illustrated in this diagram:
Although it may not be obvious, the first cable crosses over the two parts of the contact. The complement of cables would be:
   * 52 cables with phono plugs at both ends, with crossover wiring like those of the Enigma. (grey)
   * 52 cables with phono plugs at both ends, and parallel wiring. These will primarily be used when connecting different machines together. (red)
   * 93 cables with a phono plug at one end, accompanied by a socket for a banana plug, and a stackable banana plug (like the ones on cables made by Pomona Electronics) on the other end. These allow arbitrary permutations to be set up. 93 is 78 plus 18, so that one set is provided for each machine, plus six extra for the wheel advance section, with its smaller plugboard using the same connector.
The kit would include plans for many projects, starting with a Hebern rotor machine, going on to an Enigma, and then the SIGABA, and even a small Turing bombe for use against a two-rotor Enigma. (Maybe that would require some additional pieces not mentioned here. And, of course, I'd have to come up with a way to manufacture an economical diagonal board.) U. S. Patent 6097812 has recently been granted on the design used in the M-138 (and M-138-T2 and M-138-A) cipher machine, and this design combines the M-138 with the M-228 and M-229, and hence is likely to be affected by this patent.
Irregular Rotor Movement
In this chapter, we have seen some examples of rotor machines with very irregular rotor movements. The SIGABA achieved very irregular rotor movement by a uniquely strong method, using the changing jumbled maze of wires in a part equivalent to a complete conventional rotor machine to supply electrical signals controlling the seemingly random stepping of rotors in what amounted to a second conventional rotor machine for enciphering the letters of the text. The Swiss NEMA cipher machine achieved irregular rotor movement by accompanying each rotor with an adjacent rotating ring, which had notches on it that inhibited that rotor's movement. The rings always moved, except for two rings that were sometimes prevented from moving by a second set of notches on the first rotor's ring. Also, U. S. Patent 4,143,978, filed on May 4, 1938, but only issued on March 13, 1979, with inventors Bern Anderson and Donald J. Seiler, describes a machine which made use of five pinwheels with 25 positions to control the five rotors with 26 positions. This patent appears to be for the ECM Mark I, which was the design which preceded the ECM Mark II, also known as the SIGABA. And, of course, the Enigma A and Enigma B had a very irregular rotor movement at the dawn of the rotor era, by having each rotor controlled by its own cam, and each cam having a number of positions relatively prime to all the others. Had the cams been resettable pinwheels, the design would have been quite impressive indeed. Descriptions of a later rotor machine imply that it achieved irregular rotor stepping based on a principle we will see later in the descriptions of the Siemens T52d and T52e Geheimschreiber telecipher machines: Given three or more pinwheels or cams, each of which produces a sequence of binary bits as it rotates, bits from each pinwheel (perhaps sensed at a different position on the cam than the bits used for the purpose of encipherment) could be used to control the movement of other pinwheels. 
Although this seems like a compromise of the potential security of a rotor machine, using the rotors to step themselves instead of having a separate set of pinwheels or cams to control stepping has the major advantage of making it simpler to set up the machine for an encipherment. But if one tries to do this in the simplest way, just using one pinwheel to cause another to step, what is there to prevent all the pinwheels from coming to a position where they are producing a zero value for their stepping output, so that they will all stay in one position thereafter? The Siemens Geheimschreiber prevented this by a scheme that looked something like this, illustrated with five cams labelled A, B, C, D, and E:

   A steps if D or (not E)
   B steps if E or (not A)
   C steps if A or (not B)
   D steps if B or (not C)
   E steps if C or (not D)
In this illustration, the output from each cam forces the stepping of one other cam, and the complement of that output forces the stepping of a third cam. This ensures that some stepping will always take place. In this case, as the bits from the cams are also used to encipher a binary signal by being XORed with it, active and inactive positions on the cams need to be close to equal in number. Since each cam steps based on the OR of two inputs, this means that the cams step about 3/4 of the time. Since outputs from those cams are used for encipherment as well, they should step almost all the time. While occasional failures to step can make the bit sequence irregular, bits that do not change also allow plaintext patterns to be visible.

The Lorenz Schlüsselzusatz, which used two sets of five pinwheels, one which always moved, and another set which moved, or remained still, in unison, half the time either way, based on a more conventional scheme involving control from two other pinwheels, was cryptanalyzed with the aid of the early electronic calculating device COLOSSUS partly because the patterns of the constantly moving pinwheels were visible when the other ones did not move. (The fact that 5-level teleprinter code is designed so that 0 bits strongly outnumber 1 bits, to prevent mechanical wear and tear and to make paper tape less fragile, also was an important factor.)

In a rotor machine, however, moving even one rotor completely scrambles the cipher alphabet it provides. If each rotor moved with probability 1/2, then each new alphabet would be from the largest and most uncertain possible set of alternatives. Could the principle used in the T52 be modified to produce movement with probability 1/2, and yet still ensure continual movement which will not cease to involve any of the rotors? The first scheme I came up with to do this is illustrated by the following diagram:
It may be easier to understand with the diagram shown below and to the right: Using seven rotors in this example, I first start with four live inputs, which are turned into eight outputs having a 50-50 chance of being live by being redirected by the active teeth on four of the rotors. This is shown in the diagrams above and to the right by a red wire, carrying a live input from the power supply, being switched to four of eight wires by four switches, each controlled by a rotor. In the diagram to the right, this is the first layer of the circuit, shown in the leftmost column. Then, six of these eight signals, in pairs from different rotors, are swapped (or not) under the control of three other rotors. One of the two remaining signals is selected by means of an extra pole in the switch under one of the first four rotors.
The swapping and the selection is always done under the control of a rotor which was not involved in determining if either signal used as input was live. The color scheme in the diagrams is chosen to make that clear. In the diagram to the right, this is the second layer of the circuit, shown in the middle column. The seven output signals then control the stepping of the rotors. Again, as the colors help to make visible, each signal is directed to a rotor that had no part in its creation, in either the first or the second layers. With reference to the color scheme in the diagrams:

   Green: Two signals controlled by rotors 1 and 2 are then swapped under the control of rotor 6. The two resulting signals control the movement of rotors 4 and 7.
   Dark Blue: Two signals controlled by rotors 3 and 4 are then swapped under the control of rotor 5. The two resulting signals control the movement of rotors 1 and 6.
   Purple: Two signals controlled by rotors 1 and 3 are then swapped under the control of rotor 7. The two resulting signals control the movement of rotors 2 and 5.
   Gray: Two signals controlled by rotors 2 and 4 then have one signal selected from them under the control of rotor 1. The resulting signal controls the movement of rotor 3.

This basic principle, with little change, would work with any odd number of rotors, starting with five.
The specific arrangement in the diagrams shown above was selected to minimize wire crossings in the original (horizontal) diagram, so that it would be as legible as possible, and, with the rotors labelled in order from left to right as A, B, C, D, E, F, and G, is:

   A steps if (D and E) or (C and (not E))
   B steps if ((not C) and G) or ((not A) and (not G))
   C steps if ((not D) and A) or ((not B) and (not A))
   D steps if (B and F) or (A and (not F))
   E steps if ((not C) and (not G)) or ((not A) and G)
   F steps if (D and (not E)) or (C and E)
   G steps if (B and (not F)) or (A and F)
where the control signal different from the others is the one stepping rotor C. Since we start with eight signals, four of which are active, and swap them in pairs, only in one case selecting only one of two signals to use, half the time four rotors will advance, and the other half of the time three rotors will advance. With an even number of rotors, of course, the same principle could be applied even more simply, without the need for one control signal to be different from the others. But many other arrangements are also possible. An arrangement based on a slightly different principle is shown here:
Here, each rotor is controlled by the OR of the AND of two independent inputs, so, based on each rotor having half of its teeth present and half of them absent, causing each signal and its complement to be active half the time, the chance of any one rotor moving on average is 7/16 rather than 1/2. We start by creating seven signals. To ensure that at least one rotor will always move, two of them are the signal from one rotor and its complement; the other five are the signals from five other rotors. Then, we change these seven signals into fourteen signals, by switching them to one of two destinations, and the output from each of the seven rotors is used to perform one such switch. Finally, the wired-OR of two of these signals controls one rotor that had no direct part in creating it. Here, from one to six rotors will always move, creating more possibilities for the next rotor position. However, as we will see at the start of the following chapter, a 3 out of 7 code contains 35 entries, so with seven rotors rather than five, having only 3 or 4 rotors move each time already creates more than twice as many possibilities as are needed. The actual arrangement in the diagram shown, again chosen for clarity, with the rotors labelled as A, B, C, D, E, F, and G from left to right, is:

   A steps if (B and D) or (E and (not G))
   B steps if (C and E) or (F and (not A))
   C steps if (D and F) or ((not A) and (not B))
   D steps if (E and G) or (A and (not C))
   E steps if (F and A) or (B and (not D))
   F steps if ((not A) and B) or (C and (not E))
   G steps if (A and C) or (D and (not F))
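As an added example (not the compendium's own code), the following simulator models the Geheimschreiber-style five-cam ring and the two seven-rotor schemes above as stepping rules over the rotors' tooth readings, with randomly constructed half-active tooth patterns, and checks the guarantees the text states: the ring never stalls, the first scheme moves exactly three or four rotors per letter, and the second moves between one and six. Rotor size, seeds and run length are assumptions chosen for the demonstration.

```python
"""Tooth-controlled rotor stepping: does the movement ever stop? (added example)

Motion here is of the kind where a rotor advances on every letter for which
its control signal is live: all positions are sensed first, then the selected
rotors step together.  Tooth patterns are constructed at random, half active.
"""
import random

ROTOR_SIZE = 26


def tooth_pattern(rng, n=ROTOR_SIZE):
    """Constructed pattern: n // 2 active teeth, the rest absent."""
    teeth = [True] * (n // 2) + [False] * (n - n // 2)
    rng.shuffle(teeth)
    return teeth


def t52_ring_rule(s):
    """Geheimschreiber-style ring of five cams: A steps if D or (not E),
    B if E or (not A), C if A or (not B), D if B or (not C), E if C or (not D).
    Whatever D reads, either A or E is forced to step, so the ring never stalls."""
    names = "ABCDE"
    return {r for i, r in enumerate(names)
            if s[names[(i + 3) % 5]] or not s[names[(i + 4) % 5]]}


def swap_scheme_rule(s):
    """First seven-rotor scheme: four live inputs become eight signals, three
    pairs are swapped and one pair is selected under other rotors' control.
    Exactly three or four of the seven outputs are live on every letter."""
    A, B, C, D, E, F, G = (s[k] for k in "ABCDEFG")
    live = {
        "A": (D and E) or (C and not E),
        "B": (not C and G) or (not A and not G),
        "C": (not D and A) or (not B and not A),
        "D": (B and F) or (A and not F),
        "E": (not C and not G) or (not A and G),
        "F": (D and not E) or (C and E),
        "G": (B and not F) or (A and F),
    }
    return {r for r, on in live.items() if on}


def wired_or_rule(s):
    """Second seven-rotor scheme: seven source signals (A, not A, and B..F)
    are each switched to one of two destinations, and every rotor steps on
    the wired-OR of two of the fourteen results (7/16 probability each).
    A and not A cannot both be live, so between one and six rotors move."""
    A, B, C, D, E, F, G = (s[k] for k in "ABCDEFG")
    live = {
        "A": (B and D) or (E and not G),
        "B": (C and E) or (F and not A),
        "C": (D and F) or (not A and not B),
        "D": (E and G) or (A and not C),
        "E": (F and A) or (B and not D),
        "F": (not A and B) or (C and not E),
        "G": (A and C) or (D and not F),
    }
    return {r for r, on in live.items() if on}


class RotorBank:
    """Named rotors whose stepping is decided by `rule`, a function from the
    current tooth readings (name -> bool) to the set of rotors that advance."""

    def __init__(self, names, rule, seed=1):
        rng = random.Random(seed)
        self.names, self.rule = names, rule
        self.teeth = {n: tooth_pattern(rng) for n in names}
        self.pos = {n: 0 for n in names}

    def sense(self):
        return {n: self.teeth[n][self.pos[n]] for n in self.names}

    def step(self):
        """One enciphered letter: sense every rotor, then advance the chosen ones."""
        moving = self.rule(self.sense())
        for n in moving:
            self.pos[n] = (self.pos[n] + 1) % ROTOR_SIZE
        return moving


def movement_profile(names, rule, letters=5000, seed=1):
    """(fewest, most, mean) rotors advancing per letter over a run."""
    bank = RotorBank(names, rule, seed)
    counts = [len(bank.step()) for _ in range(letters)]
    return min(counts), max(counts), sum(counts) / letters


if __name__ == "__main__":
    for label, names, rule in (("T52 ring", "ABCDE", t52_ring_rule),
                               ("swap scheme", "ABCDEFG", swap_scheme_rule),
                               ("wired-OR scheme", "ABCDEFG", wired_or_rule)):
        print(label, movement_profile(names, rule))
```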
While these arrangements will certainly produce rotor movements that seem jumbled and unpredictable, it is not immediately clear how long the period of such rotor motions might be; it might be only a few times larger than the number of positions on a rotor. Here is an example of a slightly more complicated setup, based on the same general principles.
Essentially, the wiring is the same as the first example (although the ordering of the connections has been changed slightly, as indicated by the reversal of the colors green and blue in one portion of the diagram), but in addition, one signal is created using the scheme in the second example, and a switch controlled by rotor 4 determines whether that signal, shown in dark green, or the normal signal following the pattern of the first example, shown in purple, is fed to rotor 5.

The sections of the diagram have been labelled. The first three sections show the switches which operate as in the first example. Section 1 shows the four switches which, given the live signal as input, produce eight outputs, four of which are active. Section 2 shows six switches, wired so as to swap three pairs (shown by blue, green, and purple wires) of signals from the first four switches. Section 3 shows one switch, which selects between the two remaining signals from the first four switches to provide the seventh output signal. The next two sections show the new wiring which creates an alternate signal that can be used to step rotor 5, following the principle shown in the second example. Section 4 shows two switches, fed the live input, which produce two outputs, each of which may be active or not. Section 5 shows two switches, fed those two outputs, producing two outputs which are only half as likely to be active, and which are then joined by a wired-OR. The final section selects the signal to use to advance rotor 5. Section 6 shows one switch, which selects between the output from section 5 or one of the outputs from section 2.

Again, labelling the rotors from left to right as the letters A through G, the logic of the wiring in the diagram is equivalent to:

   A steps if ((not D) and F) or ((not C) and (not F))
   B steps if (C and G) or (A and (not G))
   C steps if (B and (not A)) or (D and A)
   D steps if ((not B) and E) or ((not A) and (not E))
   E steps if (((C and (not G)) or (A and G)) and (not D))
              or ((((not F) and B) or (G and C)) and D)
   F steps if ((not B) and (not E)) or ((not A) and E)
   G steps if ((not D) and (not F)) or ((not C) and F)
Note that the signal controlling the stepping of rotor E is a function of whether an active or inactive tooth position is found on all six other rotors. One could even use, with a suitable rearrangement of rotor assignments in one case, the complete wiring arrangements of both the first and second examples, with their outputs connected together in a wired-OR, and a single switch controlling whether the live input goes to the first or second circuit. However, even if the first or second examples would prove too simple, such a drastic remedy should not be required. Instead, the example above should be sufficiently complex to correct the problem, because although only the stepping of rotor 5 (or E) is made more complex in this example, it in turn affects the stepping of all the other rotors. Other arrangements, based on the more conventional scheme of moving rotors like the wheels on an odometer, which guarantees the maximum possible period, could be produced which also result in a fairly irregular movement of the rotors.

Incidentally, before proceeding, it is very important to clarify the difference between the situation which I have denoted in my schematic diagrams by one symbol and the situation which I denote by another symbol in a diagram. In the first
case, a tooth on one rotor causes another rotor to move only once, when the first rotor moves into the position distinguished by that tooth. In the second case, a tooth on one pinwheel, or cam, or even a rotor, causes the next one to move with the encipherment of each letter for as long as the first pinwheel remains in the position associated with that tooth. While the first type of movement is usually accomplished mechanically, the control rotors of the SIGABA and the rotors of the M-228 and M-229 moved this way under electrical control. The second type of movement seems like an obvious consequence of electrical control: a wheel that is in different positions turns a switch on and off depending on what position it is in. So how can the first type of movement also be electrical?
This diagram illustrates the difference between the arrangements required for the two types of motion. The large teeth shown in green correspond to the 26 normal positions of the rotor, where a tooth may be either present or absent. The small teeth shown in red are located between rotor positions, so that a tooth, if present, will move across the sensing position as the rotor advances from one position to the next. For the first type of motion, pulses occur when the rotor that is their source is moving, and so it is reasonable that another rotor would move when a pulse of electricity is switched on. Making a rotor move only one step per pulse seems like only a small mechanical detail. For the second type of motion, instead of an elaborate approach involving storing the signals sensed from the rotors in a buffer, what is necessary is, first of all, that the live inputs to the circuit are actually timing pulses, and, so that the rotors will not move while their positions are being sensed, rotors should move just after the trailing edge of a pulse. This can be achieved by having the pulse go through a solenoid, pulling a lever back which is then restored to its original position by a spring after the pulse ends, with a ratchet mechanism causing the lever to advance the rotor it controls only on its return journey: this is a very common and standard mechanical arrangement, illustrated in the diagram at left. Since the device also supplies a gentle push to the sawtooth gear when moving in the "wrong" direction, a conventional ratchet mechanism, which is not shown in the illustration, is also required to keep that gear moving only one way (although in some cases, friction may be sufficient). For the other case, the same mechanical arrangement could be used, although in that case, having the rotor advance on the leading edge of the pulse would be appropriate, as it would avoid unnecessary delay. This would involve reversing the positions of the electromagnet and the spring in the diagram above, and in that case, the spring would not have to be as strong, since it would only return the mechanism to position instead of also having to push on the gear. A similar mechanism, rather than a small motor, is likely to be found in those quartz clocks and quartz watches that have hands instead of a numeric display.
Now that this is clarified, let us examine a more complicated design based on the first type of rotor motion. Instead of having just one notch or tooth on a rotor, any number of teeth that is relatively prime to the number of positions on the rotor, if used in an odometer-style arrangement, would still produce a maximal period: each revolution of one rotor advances the rotor it controls by that number of steps, so the controlled rotor returns to its starting position at the same moment as the controlling rotor only after the controlling rotor has made 26 full revolutions, for a 26-position rotor, even if the controlled rotor has also passed through its starting position at other moments before then. Another thing that would not interfere with a maximum period would be for a rotor participating in such an arrangement to also be advanced any number of times for each revolution of a rotor which preceded the rotor directly controlling it. All such advances would ultimately cancel out, being a multiple of 26 (or of whatever the rotor size is) over a full revolution of the rotor immediately preceding the rotor in question. I would diagram such an arrangement in this fashion:
One important thing, to avoid problems with a mechanical version of this design, and to ensure that maximum period is achieved, is that the teeth used to advance a later rotor must never be in the same position as the teeth used to advance the next rotor. Of course, to achieve both a guaranteed long period and a more irregular sequence of motions, one could combine both types of rotor motion, the first type, or transition-driven advance, and the second type, or state-driven advance, in a single design. Thus, we might have two groups of rotors, ABCDE and GHIJK, which are connected for state-driven advance, and in addition, rotor E might drive rotor F, and rotor F might drive rotor G, using transition-driven advance. Is it possible to combine a guarantee of long period with irregular rotor movement from the same source? Obviously, one could use five cams to produce an irregular motion, and another five cams to produce motion with a period equal to the product of their lengths. But can things be arranged so that the period is guaranteed to reflect all the items used, and yet the motion is irregular as well? Already, we've seen in my example of a transition-driven design with extra further-forward carries one way to do this, but while the period is guaranteed, the motion is only irregular to a limited extent. Would the SIGABA have a guaranteed period of 26 to the tenth power if it were modified as shown in this diagram:
Here, all ten of the rotors are shown as being advanced by a conventional rotor mechanism, in addition to the cipher rotors being advanced by the unique control signals of the SIGABA. Instead of showing an OR gate controlling input to the rotor stepping mechanism, two separate symbols for rotor advance are shown, one behind the other. This indicates that, to ensure maximum period, I think it would be necessary to use different clock phases for the two types of rotor advance, so that it would be possible, if both systems of rotor advance would cause a rotor to advance, for that rotor to step twice. However, when one rotor advances due to a control signal, it would also have to cause conventional carries. But this separation of phases would then occur without (a certain kind of) special effort, since the control rotors cannot be moving when the cipher rotors are moving in response to the control signals which have passed through their wiring. One way that it seems obvious it is safe to combine transition-driven and state-driven rotor advance would be through something like this:
Here, superimposed on a conventional transition-driven odometer-like rotor advance, earlier rotors are also driving later rotors, further down the chain, but based on their state, not on transitions. Again, it seems that over a full cycle of transition-driven advances, the extra state-driven advances should cancel out, not affecting the overall period, even if they provide additional movement in the interim.
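The period claims above can be checked by brute force. The following simulation is an added example, not code from the original page: three 26-position rotors, where the first carries into the second through its teeth, the second into the third through a single tooth, and the first also pushes the third (state-driven) from four of its positions; the tooth and pin positions are constructed values. It also shows the shortened period when the number of teeth shares a factor with 26.

```python
# Brute-force period check for rotor chains combining transition-driven
# carries with state-driven pushes, as discussed on this page.
# Added example; the tooth and pin positions are constructed values.


class Rotor:
    def __init__(self, size, teeth=(), state_feeds=None):
        self.size = size
        self.pos = 0
        # transition-driven: moving INTO one of these positions advances the
        # next rotor in the chain once (a tooth on this rotor)
        self.teeth = set(teeth)
        # state-driven: {index of a later rotor: positions}; while this rotor
        # rests in one of those positions, that later rotor advances with
        # every character (a tooth that stays in contact)
        self.state_feeds = state_feeds or {}


class RotorBank:
    def __init__(self, rotors):
        self.rotors = rotors

    def positions(self):
        return tuple(r.pos for r in self.rotors)

    def step(self):
        """Advance the bank by one character."""
        n = len(self.rotors)
        pending = [0] * n
        pending[0] += 1                      # the first rotor always moves
        # state-driven pushes are read from the positions at the start of the
        # step (targets must lie later in the chain than their source)
        for r in self.rotors:
            for target, pins in r.state_feeds.items():
                if r.pos in pins:
                    pending[target] += 1
        # apply the advances one notch at a time; every advance, whatever its
        # source, carries into the next rotor when it lands on a tooth
        for i, r in enumerate(self.rotors):
            while pending[i]:
                pending[i] -= 1
                r.pos = (r.pos + 1) % r.size
                if r.pos in r.teeth and i + 1 < n:
                    pending[i + 1] += 1


def period(bank):
    """Characters until every rotor is back at its starting position."""
    start = bank.positions()
    count = 0
    while True:
        bank.step()
        count += 1
        if bank.positions() == start:
            return count


def three_rotor_bank(teeth_on_first):
    """Rotors A, B, C of 26 positions each.  A carries into B through the
    given teeth, B carries into C through one tooth, and A also pushes C
    while A rests in any of four positions.  Over one full revolution of B
    (26 revolutions of A) the pushes add 26 * 4 steps to C, a multiple of
    26, so they never shorten the period."""
    a = Rotor(26, teeth=teeth_on_first, state_feeds={2: {2, 7, 11, 20}})
    b = Rotor(26, teeth={0})
    c = Rotor(26)
    return RotorBank([a, b, c])


if __name__ == "__main__":
    # three teeth: gcd(3, 26) == 1, so the full 26^3 = 17576 is reached
    print(period(three_rotor_bank({0, 9, 17})))
    # two teeth: gcd(2, 26) == 2, and B returns home after 13 turns of A,
    # so the period halves to 8788
    print(period(three_rotor_bank({0, 13})))
```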
This page is about a dark and mysterious subject. (Or, more accurately, and for fairness' sake, a subject with a dark and mysterious reputation.) A subject that is fascinating both for the air of mystery that has surrounded it, and because of the complexities and intricacies which are unavoidably part of its subject matter.
My little book about cryptography:
A Cryptographic Compendium
This series of pages has information about a large number of cipher systems. So far, the coverage of cryptanalysis is quite limited, though.
This page covers a wide range of topics. None of the things described on this page are, of course, secret today, although some were secret until fairly recently. It only mentions, here and there, a few things about breaking ciphers; it is mostly concerned with the various kinds of ciphers people have used. Except where unavoidable, the use of mathematics has been kept to a strict minimum. It begins with ciphers that only require pencil and paper to apply, and it continues with electrical and mechanical cipher machines of the type used during World War II, both the rotor machines and the machines used with teletypewriters. Then, it continues on into the computer age, with a discussion of block ciphers like DES, and then proceeds further, attempting to make understandable the advanced topic of public-key encryption, which has made the use of encryption practical under circumstances where it had never been practical before. Finally, it addresses other miscellaneous topics relating to cryptography, such as data compression and key management. This site now contains a very useful table of powers of integers that uses frames. Also, this page is still under construction. Although there is no space for an archived version of the entire site, there is one, which may not be fully up to date at any given time, at this location.
I have many interests, such as old science-fiction TV shows, and easy listening music from Tin Pan Alley. One interest, cryptography, is dealt with at length on this site. Items covering a number of other topics as well are at the following location: http://members.xoom.com/quadibloc/index.html At that site are charts for some methods of storing Chinese characters. Here in this site, you can find a space habitat design, a discussion about going to Mars, a tall building design, a page about signal flag systems as used by ships, a map projection, several topics concerning mathematics (an explanation of the mathematical notion of infinity, a discussion of Gödel's proof and the halting problem, an explanation of two famous equations, a diagram of the rotations of a dodecahedron, a page about pentagonal tilings, a page about Archimedean solids, a little page about the fourth dimension), an attempt to explain the Einstein-Podolsky-Rosen experiments, a discussion of the Eldredge-Gould theory of punctuated equilibria, some color charts, an example of a computer architecture, a discussion of the musical scale, a couple of comments about chess, three pages about calendars (perpetual calendars for the Gregorian calendar which show not only the day of the week, but also the position of the day in the Chinese sexagesimal cycle of days, a lunisolar calendar, and a simplified calendar proposal), and, finally, a page containing some handy unit conversions.
Needless to say, any trademarks referenced are the property of their respective owners, and are used here only for purposes of identification. As this series of web pages contains some ideas and speculations about how to design and implement ciphers, readers are notified that I am not engaging in providing professional advice in these pages, and are advised to seek the direct advice of a competent professional before embarking on projects using cryptography.
Copyright (c) 1998, 1999, 2000 John J. G. Savard
The Lorenz Schlusselzusatz
The Lorenz SZ40 and SZ42 cipher machines were widely used by German forces during World War II. It was primarily to break this machine's cipher that the British devised what is now considered the world's first electronic computing machine, the once-secret COLOSSUS. The machine had twelve pinwheels, all of which could have all their pins set by the user. Ten of these pinwheels formed two groups of five, and one wheel from each group inverted its corresponding plaintext bit when a pin was active on it. The wheels of the first group had sizes 41, 31, 29, 26, and 23. Those of the second group had sizes 43, 47, 51, 53, and 59. Two additional wheels were of size 37 and 61. The wheels of the first group, and the wheel with 61 positions, advanced one position with every letter enciphered. When the current pin on the 61-position wheel was active, the wheel with 37 positions advanced one space. When the current pin on the 37-position wheel was active, then the wheels of the second group advanced one space. The following diagram illustrates the workings of the Lorenz Schlusselzusatz:
Although the SZ40 appears to be a simple design, and a very similar design proposed by Col. Parker Hitt, lacking only the feature that the stepping of five of the wheels was irregular, was shown to be insecure, the British found breaking SZ40 messages to be a more difficult problem than breaking Enigma messages. Some cribs were available that helped them to break into the system; part of the difficulty seems to have come from the limited availability of resources, and another part from the lack of captured equipment and tables: for example, the list giving numbers representing wheel settings was never captured, while the bigram tables for the Enigma were. The machines used in cracking messages on the Lorenz Schlusselzusatz, known as HEATH ROBINSON and COLOSSUS, have been described to a limited extent in the open literature. A paper by F. L. Carter, in "Cryptography and Coding", the proceedings of the 6th IMA International Conference, from December, 1997, gave significant additional details of how COLOSSUS was used. HEATH ROBINSON, named after a British cartoonist who, like Rube Goldberg in the U.S., was famous for his drawings of elaborate contraptions (although the styles of the two artists were very different), worked by comparing the holes punched in two paper tapes, one containing an intercepted message, and one containing a reproduction of part of the sequence of bits the pinwheels of an SZ40 might be expected to generate. The tapes were padded with nulls to make them of relatively prime length, and HEATH ROBINSON indicated at what point in the motions of both tapes a correlation between the two was found. This required the two tapes to move synchronously, and so the sprocket holes had to be used, which limited the speed at which the tapes could move. COLOSSUS was built to improve on HEATH ROBINSON by generating the SZ40 stream cipher output, or the portion thereof used for testing (such as the output of the five always-moving wheels), electronically. This way, the tapes could be moved on pulleys, at very high speeds, without any problems.
A glass mask with lens-shaped patterns was used so that the light shining through the round holes on the paper tape would produce an approximation to a square wave. Thus, the paper tape, in addition to supplying input data, actually supplied the clock signal for COLOSSUS' internal logic. Apparently, in generating the pattern which a second paper tape provided on HEATH ROBINSON, COLOSSUS was capable of some sort of conditional branching, on which its claim (having been first installed in December 1943) to being the first electronic computer rests. The paper by Carter sheds considerable light on the cryptanalytic principles behind COLOSSUS. The 5-level code used for teletypewriters was designed to minimize mechanical wear and tear; hence, the codes for the most frequent letters E and T, as well as the code for the space, consisted of a single 1 bit and four zeroes. This meant that zeroes predominated in the plaintext, and in addition, it meant that for any two characters in succession, corresponding bits in them were more likely than not to be the same. (Of course, this characteristic of the plaintext was weaker than the higher frequency of zeroes.)
Since one set of pinwheels in the SZ40 did not advance with every character enciphered, this meant that when two succeeding cipher characters had a corresponding bit that changed, then it was likelier than not that the fast pinwheel for that bit was at a point where two adjacent pins were in different positions, and when two succeeding cipher characters had a corresponding bit that stayed the same, then the probability that the fast pinwheel had two similar pins was also increased. (Since the slow pinwheels did move half the time, this correlation was again weakened, but it still existed.) Because the pin settings for the fast pinwheel were chosen so that like and unlike pairs of pins were as close to being equally likely as possible, it was not possible in practice to correlate a single pinwheel at a time, but correlations involving pairs of pinwheels were easier. (At first, this appears odd, since, the fast wheels all having relatively prime periods, they are independent. However, since all the slow pinwheels either move or not at the same time, a search for correlations in two wheels at once could improve its effectiveness by giving more weight to an observation in one wheel which takes place when another wheel is in the more common change or no-change state for its part of the period of that fast wheel.) An abbreviated notation was used to specify types of tests to be run with COLOSSUS: one test was a simple correlation on two particularly favored pinwheels; other tests searched for common pairs of characters, such as space-figures shift, or figures shift-period. In some messages, doubled letters were quite common, and there was a test that looked for them as well. There is also a paper by W. T. Tutte, one of the cryptanalysts who worked on messages enciphered by the Schlusselzusatz at Bletchley Park, now available on the site of Frode Weierud, that details the early days of the cryptanalysis of the Schlusselzusatz, codenamed Tunny by the British.
That source notes the following: Originally, the machine was used with a 12-letter indicator, which contained initial positions for all twelve pinwheels without encryption (e.g. under a "ground setting"). Each letter stood for an initial position, and the wheels had only 25 positions which a letter could indicate, except, of course, for the wheel with only 23 positions. The initial analysis which allowed the British to determine the basic principles of the Schlusselzusatz was aided by the receipt of some pairs of messages enciphered with the same starting positions, including one re-encipherment of a long message with changes in word spacing and punctuation with exactly the same indicator. In 1943, the Germans switched to using a number as an indicator, which was assumed to signify a 12-letter combination from a list. Later, they switched from changing pinwheel settings once a month to changing them each day, and they also modified the machine so that the wheels in the second group, instead of having their irregular motion controlled only by the 37 and 61 pinwheels, had that motion depend on a function of the pinwheels that moved with each character, or on the previous plain text (thus employing the autokey principle). However, the five wheels that stepped with every character continued to do so, and although the five slow wheels were controlled differently, they still either all moved or all stayed still, so the existing cryptanalytic approaches remained valid.
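The wheel sizes and stepping rule above, and the "delta" statistic that COLOSSUS counted, can be put together in a short simulation. This is an added example, not code from the original page or a reproduction of the real machine's internals: the pin patterns and the sample traffic are constructed, and the ITA2 code table is my recollection of the standard table (an assumption; the bias only relies on E, T and space having a single 1 bit).

```python
# SZ40-style keystream generator with this page's wheel sizes and stepping
# rule, plus the delta statistic: once the always-moving (chi) wheels are
# stripped out, delta(cipher) XOR delta(chi) equals delta(plain) XOR
# delta(psi'), and both of those lean towards 0.
import random

CHI_SIZES = (41, 31, 29, 26, 23)   # first group: steps with every character
PSI_SIZES = (43, 47, 51, 53, 59)   # second group: steps only when the 37-wheel pin is active

# ITA2 letter-shift codes, five impulses each (assumed table, see lead-in).
ITA2 = {
    "A": "11000", "B": "10011", "C": "01110", "D": "10010", "E": "10000",
    "F": "10110", "G": "01011", "H": "00101", "I": "01100", "J": "11010",
    "K": "11110", "L": "01001", "M": "00111", "N": "00110", "O": "00011",
    "P": "01101", "Q": "11101", "R": "01010", "S": "10100", "T": "00001",
    "U": "11100", "V": "01111", "W": "11001", "X": "10111", "Y": "10101",
    "Z": "10001", " ": "00100",
}

# Constructed sample traffic, long enough for the statistic to settle.
SAMPLE_TEXT = ("THE LORENZ MACHINE ENCIPHERED TELEPRINTER TRAFFIC BY ADDING "
               "TWO PINWHEEL STREAMS TO EACH CHARACTER ") * 60


class Wheel:
    """A pinwheel: a ring of pins (0 or 1) and a current position."""

    def __init__(self, pins):
        self.pins = list(pins)
        self.pos = 0

    def pin(self):
        return self.pins[self.pos]

    def step(self):
        self.pos = (self.pos + 1) % len(self.pins)


class SZ40:
    """Keystream generator following the stepping rule given on the page."""

    def __init__(self, seed):
        rng = random.Random(seed)                 # constructed pin patterns
        pins = lambda n: [rng.randrange(2) for _ in range(n)]
        self.chi = [Wheel(pins(n)) for n in CHI_SIZES]
        self.psi = [Wheel(pins(n)) for n in PSI_SIZES]
        self.mu61, self.mu37 = Wheel(pins(61)), Wheel(pins(37))

    def next_key(self):
        """Return the (chi, psi) pins for this character, then advance."""
        chi = [w.pin() for w in self.chi]
        psi = [w.pin() for w in self.psi]
        psi_moves = self.mu37.pin() == 1     # 37-wheel pin active: second group steps
        mu37_moves = self.mu61.pin() == 1    # 61-wheel pin active: 37-wheel steps
        for w in self.chi:
            w.step()
        self.mu61.step()
        if mu37_moves:
            self.mu37.step()
        if psi_moves:
            for w in self.psi:
                w.step()
        return chi, psi


def encode(text):
    """Text to a list of five-bit lists (letters and spaces only)."""
    return [[int(b) for b in ITA2[c]] for c in text.upper() if c in ITA2]


def crypt(seed, chars):
    """Encipher (or, XOR being its own inverse, decipher) five-bit characters.
    Also returns the chi stream used, for the analysis below."""
    machine = SZ40(seed)
    out, chi_stream = [], []
    for ch in chars:
        chi, psi = machine.next_key()
        out.append([p ^ x ^ s for p, x, s in zip(ch, chi, psi)])
        chi_stream.append(chi)
    return out, chi_stream


def roundtrip(seed=7):
    plain = encode("WHEELS OF THE FIRST GROUP STEP WITH EVERY LETTER")
    cipher, _ = crypt(seed, plain)
    return crypt(seed, cipher)[0] == plain


def delta_agreement(seed=7, text=SAMPLE_TEXT):
    """Fraction of positions where delta(cipher) equals delta(chi) on the same
    impulse.  Clearly above 1/2 is the leak: delta(plain) is biased to 0
    because zeros predominate in the code, delta(psi') because the psi wheels
    stand still for part of the time."""
    plain = encode(text)
    cipher, chi = crypt(seed, plain)
    agree = total = 0
    for i in range(len(plain) - 1):
        for k in range(5):
            d_cipher = cipher[i][k] ^ cipher[i + 1][k]
            d_chi = chi[i][k] ^ chi[i + 1][k]
            agree += d_cipher == d_chi
            total += 1
    return agree / total
```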
Error-Correcting Codes
After text has been compressed, and even more so after it has been encrypted, the resulting output is random in appearance. This makes it easy to make mistakes in handling it, and hard to see errors if they are introduced through electrical noise on a communications link or any similar cause. Thus, even if redundancy is removed as far as is possible before encryption by means of data compression, after encryption is complete, it becomes desirable to put redundancy back in, to give resistance to errors. There are mathematical techniques, given an arbitrary text, to add more symbols to it in a way that gives resistance to a specific number of errors. Since they depend only on the input text, if the ciphertext is used as input, this kind of added redundancy does not help the cryptanalyst, except by giving both him and the legitimate recipient a copy of the ciphertext that is more likely to be accurate. Telegraph codes, for instance, were designed so that an error in a single letter of a codeword, or switching two adjacent letters in a codeword, would not result in another valid codeword, by the use of tables such as this:
[Code construction table: a square of digraphs at the top, a column of single letters at the lower left (starting with M), and a square of digraphs at the lower right, arranged as described below.]
A miniature version of such a code construction table is shown in The Codebreakers by David Kahn, but here I've put the last two letters of the codeword in alphabetical order in the rows of the square on the lower right, since a code compiler would want to generate codewords in alphabetical order. The row of the top square, and the column of the square on the lower right, which contain digraphs beginning with &, are omitted, since those are unused if codewords from a 26-letter alphabet are wanted. Valid codewords consist of two letters from the top, a letter from the lower left, and two letters on the lower right, such that the single letter shares the same column as the pair of letters from the top and the same row as the pair of letters from the lower right. The use of an extra dummy letter & is required to avoid codewords differing only by a swap of two adjacent letters. The middle square can start with any letter; here it is started with M to indicate that this feature can be used to produce codewords different from those in someone else's code.

For example, given a string of bits, a single bit which contains the parity of that string of bits can be appended to it. In that case, if the result is transmitted, and exactly one bit is in error in what is received, the parity will be wrong, and the fact that an error has taken place will be detected. Another simple example would be to transmit one's message three times. For every group of three corresponding bits from the three copies of the message, if exactly one error takes place in communications, that error can be corrected, because of the three received copies of that bit, two will be correct, and only one will be wrong. These are the two trivial examples of perfect codes: adding a parity bit, and repeating each bit a certain number of times. If we confine ourselves to the even parity form of a parity bit, both these codes can be represented by matrices:

A parity bit:

1 0 0 0 0 0 0 0 1
0 1 0 0 0 0 0 0 1
0 0 1 0 0 0 0 0 1
0 0 0 1 0 0 0 0 1
0 0 0 0 1 0 0 0 1
0 0 0 0 0 1 0 0 1
0 0 0 0 0 0 1 0 1
0 0 0 0 0 0 0 1 1

Triple repetition:

1 1 1

In general, matrix multiplication works like this: introduce the numbers which are the elements of the vector being multiplied from the left, starting with the first one on the top; for each bit in that row, calculate the product of the number introduced from the side with the number in the matrix; then, after all the products have been calculated, total them down the columns to obtain the output. For error-correcting codes illustrated by matrices, it is the bits of the message that are introduced from the left. Then, an AND is performed (rather than a multiplication) between them and the bits of the matrix, and the results are accumulated by an XOR going down the columns (rather than addition). Illustrating this in the case of a parity bit applied to a nybble, with the input 1 0 1 1:

1 >  1 0 0 0 1  ->  1 0 0 0 1
0 >  0 1 0 0 1  ->  0 0 0 0 0
1 >  0 0 1 0 1  ->  0 0 1 0 1
1 >  0 0 0 1 1  ->  0 0 0 1 1
                    ---------
                    1 0 1 1 1
As this is a code applied to a binary signal, all arithmetic is done modulo 2 (hence, 1+1+1 = 1 instead of 3). Just using parity bits can allow correcting errors. One way to do this is to have both a parity bit for each byte of data, and a parity byte that results from the XOR of all the data bytes. If there is one error, the byte it is in is indicated by the parity bit for that byte, and the bit it is in is indicated by which bit of the final parity byte shows the wrong parity. A simple way to obtain row and column parity for a sequence of characters on a computer would be to add three parity characters to a line of 49 7-bit characters on this basis:
- Start with three seven-bit accumulators, initialized to zero.
- With each character read, modify the three accumulators as follows:
  - XOR the character to the first accumulator, and rotate it right one bit.
  - XOR the character to the second accumulator, and rotate it left one bit.
  - XOR the character to the third accumulator, and after every seven characters, rotate it right one bit.
This would allow one single-bit error in a line to be found and therefore corrected, as follows:

[Diagram: the 7 by 49 grid of bits, showing the three lines of bits 1, 2 and 3 that pass through the error X; asterisks mark points where two of the lines cross, and the row beneath marks with ? which bit of each of the three parity characters shows the wrong parity.]

The X is at the only point where the three lines of bits marked by 1, 2, and 3 all coincide. Note that the asterisks mark points where two of them cross. Assuming the shifts after a byte is XORed in even take place after the last byte, the question marks indicate where the three parity characters would show the wrong parity if there was an error at the point marked by the X. It is easier to do this for 7-bit characters because 7 is an odd number, but it can also be done for 8-bit bytes, simply by rotating only one accumulator by one bit for each byte, and not rotating one accumulator at all, as follows:

[Diagram: the same construction for 8-bit bytes, where the three lines 1, 2 and 3 again meet only at the error X.]
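The three-accumulator scheme for 7-bit characters, carried through to locating and correcting the single-bit error, as an added example that is not code from the original page. The line of 49 characters is constructed; the error locator simply tabulates which parity pattern each of the 343 possible single-bit errors leaves, which is a concrete form of the page's remark that the three lines meet only at X.

```python
# Row-and-column parity for a line of 49 seven-bit characters, using the
# three rotating accumulators described on the page, with location and
# correction of a single-bit error.  Added example; the sample line is
# constructed.

LINE_LEN = 49          # characters per line, as on the page
WIDTH = 7              # bits per character
MASK = (1 << WIDTH) - 1


def rotr(x, n=1):
    return ((x >> n) | (x << (WIDTH - n))) & MASK


def rotl(x, n=1):
    return ((x << n) | (x >> (WIDTH - n))) & MASK


def parity_chars(chars):
    """The three parity characters for a line, computed as the page
    describes: XOR each character into all three accumulators, rotate the
    first right and the second left after every character, and rotate the
    third right after every seventh character."""
    a1 = a2 = a3 = 0
    for i, c in enumerate(chars):
        a1 = rotr(a1 ^ c)
        a2 = rotl(a2 ^ c)
        a3 ^= c
        if (i + 1) % 7 == 0:
            a3 = rotr(a3)
    return (a1, a2, a3)


def _syndrome_table():
    """Map each possible single-bit error to the parity pattern it leaves.
    XOR and rotation are linear, so the difference between received and
    recomputed parity for an error at (character e, bit b) is the parity of
    a line that is all zero except for that one bit.  The 343 patterns are
    distinct: the two diagonal accumulators give b+e and b-e (mod 7), which
    determine b because 2 is invertible modulo the odd number 7, and the
    staircase accumulator then gives the group of seven the error is in."""
    table = {}
    for e in range(LINE_LEN):
        for b in range(WIDTH):
            unit = [0] * LINE_LEN
            unit[e] = 1 << b
            table[parity_chars(unit)] = (e, b)
    return table


SYNDROMES = _syndrome_table()


def encode_line(chars):
    return list(chars) + list(parity_chars(chars))


def decode_line(received):
    """Return (data, note); corrects one single-bit error in the data."""
    data = list(received[:LINE_LEN])
    parity = tuple(received[LINE_LEN:])
    syndrome = tuple(p ^ q for p, q in zip(parity, parity_chars(data)))
    if syndrome == (0, 0, 0):
        return data, "no error"
    if syndrome in SYNDROMES:
        e, b = SYNDROMES[syndrome]
        data[e] ^= 1 << b
        return data, "corrected bit %d of character %d" % (b, e)
    # a single error in a parity character upsets only that accumulator
    wrong = [s for s in syndrome if s]
    if len(wrong) == 1 and wrong[0] & (wrong[0] - 1) == 0:
        return data, "error in a parity character; data intact"
    return data, "uncorrectable"


# constructed 49-character line (all values fit in seven bits)
SAMPLE_LINE = [ord(c) for c in "THE QUICK BROWN FOX JUMPS OVER THE LAZY DOG 01234"]
```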
However, approaches based only on using parity bits are unsophisticated, and more efficient ways of correcting and detecting multiple errors can be found if more sophisticated codes are used. Another class of error-correcting codes are called Hamming codes. No longer trivial, these codes are also perfect, which means they add exactly enough redundancy to a group of input bits to detect and correct a certain number of errors. Note that this perfection applies to one particular situation, where errors occur randomly among bits. Where there is a tendency for bits close together in a message to be in error together, this being called a burst error, other strategies are needed. One common way of dealing with this is simply to apply conventional error-correcting codes to widely-separated bits at equal intervals in a message. This, or the strategy of applying the error-correcting code first, and then spreading out the bits of each output group, is called interleaving. In a Hamming code, after the group of bits being encoded, the extra parity bits are formed by allocating every combination of those bits with two or more of them equal to 1 to each bit position in the input. Hence, changing one bit in the input always changes at least three bits in the word with error-correction added. Since no two rows in the error-checking part of the matrix are identical, changing two bits in the input still results in a three-bit change at least; thus, the number of bits difference (or the Hamming distance) between possible outputs (valid codewords) is a minimum of three. A parity bit can be added to a Hamming code; the result is another perfect code, this time with a four-bit change resulting from any change in the input. The Hamming distance between valid codewords tells us how much error-checking we have. If there is no error-checking added, each different input still gives a different output, for a distance of 1.
If the distance is 2, one error can be detected, as is the case for the code that just adds one parity bit. If the distance is 3, as for repeating a bit three times, or the basic Hamming code without a parity bit added, one error can be corrected. The error-correcting capabilities of an error-correcting code are given by the Hamming distance between codewords, but it is possible to choose how to make use of them. For example, if we repeat every bit three times, we can either choose to accept 011 as standing for 1, hence correcting one error when it occurs, but being fooled if two errors happen, or we can choose to discard it, accepting only 000 and 111. Thus, a Hamming distance of 3 can be used either to correct one error, or to detect two errors. A distance of 4, such as obtained by a Hamming code with a parity bit, or by repeating a bit four times, allows correcting one error and detecting two errors, or detecting up to three errors. Some Hamming codes are:

[Generator matrices of Hamming codes formed by the rule above, with three, four and five check bits (4, 11 and 26 data bits respectively); the rows of the matrices are not reproduced here.]
Since a Hamming code, as shown, can only correct one error, decoding is simple:
- Take the data portion of the received codeword (the portion that should just contain the unmodified input data), and put it through the Hamming code again. If there is a perfect match between the error-checking part of the received block and the error-checking part of the one now generated, or if there is no more than one bit of difference, the data as received is assumed to be correct.
- If there are two or more bits of difference, find the row in the matrix where those bits are 1 bits in the error-checking part. The data bit which is passed through by a 1 on the diagonal in the data part of the matrix is the one in error.
This, of course, assumes that the transmitted block actually was subjected to no more than one error. When a parity bit is added to the Hamming code, decoding is modified slightly:
- If parity is correct, decode the first part of the block, but accept the result only if no errors are found. (In this case, the block is assumed to have been received correctly.)
- If parity is wrong, decode the first part of the block, and accept the result if either no errors are found (here, the error is assumed to be in the parity bit itself), or if one error is found (and therefore corrected).
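As an added example, not code from this site, here is the Hamming code generator built exactly as described above together with the two decoding procedures just given, with and without the parity bit; the row order of the check patterns is my own choice, since the text leaves it open.

```python
from itertools import product


def hamming_generator(r):
    """Generator matrix of the Hamming code with r check bits, built the way
    the text describes: an identity block for the k = 2**r - r - 1 data bits,
    followed by a check block whose rows are the r-bit patterns with two or
    more 1 bits (their order, descending here, is an arbitrary choice)."""
    patterns = sorted((p for p in product((0, 1), repeat=r) if sum(p) >= 2),
                      reverse=True)
    k = len(patterns)
    return [[int(i == j) for j in range(k)] + list(patterns[i])
            for i in range(k)]


def encode(data, gen):
    """Codeword = XOR of the generator rows selected by the 1 bits of data."""
    word = [0] * len(gen[0])
    for bit, row in zip(data, gen):
        if bit:
            word = [w ^ g for w, g in zip(word, row)]
    return word


def decode(word, gen):
    """The page's procedure for the plain Hamming code.  Returns
    (data, n_diff, corrected): n_diff is how many check bits of the received
    block disagree with those recomputed from the received data, and
    corrected is the index of the data bit flipped, or None."""
    k = len(gen)
    data = list(word[:k])
    diff = [a ^ b for a, b in zip(word[k:], encode(data, gen)[k:])]
    n_diff = sum(diff)
    if n_diff <= 1:
        # no disagreement, or a single wrong check bit: data accepted as is
        return data, n_diff, None
    # two or more check bits disagree: the row whose check part equals the
    # difference names the data bit that is wrong (every pattern of weight
    # two or more is a row, so a match is always found)
    for i, row in enumerate(gen):
        if row[k:] == diff:
            data[i] ^= 1
            return data, n_diff, i
    raise ValueError("difference matches no row of the generator")


def encode_with_parity(data, gen):
    """Hamming codeword with an overall even-parity bit appended."""
    word = encode(data, gen)
    return word + [sum(word) % 2]


def decode_with_parity(word, gen):
    """The modified procedure for the code with the parity bit added.
    Returns the data, or None when two errors are detected."""
    parity_ok = sum(word) % 2 == 0
    data, n_diff, _ = decode(word[:-1], gen)
    if parity_ok:
        # an even number of errors: accept only if none at all were found
        return data if n_diff == 0 else None
    # an odd number, assumed to be one: in the parity bit (n_diff == 0),
    # in a check bit (n_diff == 1), or in a data bit (already corrected)
    return data


G7 = hamming_generator(3)   # the 4-data-bit, 3-check-bit code shown above
```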
These are just one particular form for each of the three Hamming codes shown. Rearranging the rows or columns, or certain other modifications, will not change the ability of the code to be used to detect or correct errors. Replacing one row of the matrix by the XOR of itself and another row is allowed, because that will result in the matrix generating exactly the same set of codewords, but they will be generated in some cases for different inputs.

There are a number of other codes used for error detection and correction. Examples of codes used in the same kind of form as used with Hamming codes include Hadamard codes and Reed-Muller codes. These codes all add slightly more redundancy than is required for the error-checking they seek to attain. An example of a Hadamard code looks like this:

1 1 1 1 1 1 1 1
1 0 1 0 1 0 1 0
1 1 0 0 1 1 0 0
1 0 0 1 1 0 0 1
1 1 1 1 0 0 0 0
1 0 1 0 0 1 0 1
1 1 0 0 0 0 1 1
1 0 0 1 0 1 1 0
0 0 0 0 0 0 0 0
0 1 0 1 0 1 0 1
0 0 1 1 0 0 1 1
0 1 1 0 0 1 1 0
0 0 0 0 1 1 1 1
0 1 0 1 1 0 1 0
0 0 1 1 1 1 0 0
0 1 1 0 1 0 0 1
These codes are obtained by a procedure similar to that used to create fractal designs:

1 1           1 1 1 1
1 0  becomes  1 0 1 0
              1 1 0 0
              1 0 0 1
applied as many times as desired, and then the result has its complement appended to it. Mariner 9 used the code of this type that occupies a 32 by 64 matrix. This method only generates Hadamard codes of orders which are powers of 2. Hadamard codes and matrices of many other orders which are multiples of 4 are also known, and it is conjectured, but not yet proven, that one exists for every such order. These Hadamard codes are obtained by other, more difficult methods.

Only one other perfect code for binary signals is known, the binary Golay code. It takes a 12-bit input, and adds 11 error-checking bits to it. Like the Hamming codes, an extra parity-check bit can be added, and the code remains perfect. A modified form of the Golay code with the parity bit added, so that the parity bit is no longer explicitly visible, is shown in a book by two of the three co-authors of the Handbook of Applied Cryptography, and an equivalent form, modified by some rearrangement of rows and columns (to obtain a shifting of the cyclic 11 by 11 portion of the error-checking matrix, and to put the row and column of 1 bits in a more conventional position), is shown here:

1 0 0 0 0 0 0 0 0 0 0 0  1 0 1 1 0 1 1 1 0 0 0 1
0 1 0 0 0 0 0 0 0 0 0 0  0 1 1 0 1 1 1 0 0 0 1 1
0 0 1 0 0 0 0 0 0 0 0 0  1 1 0 1 1 1 0 0 0 1 0 1
0 0 0 1 0 0 0 0 0 0 0 0  1 0 1 1 1 0 0 0 1 0 1 1
0 0 0 0 1 0 0 0 0 0 0 0  0 1 1 1 0 0 0 1 0 1 1 1
0 0 0 0 0 1 0 0 0 0 0 0  1 1 1 0 0 0 1 0 1 1 0 1
0 0 0 0 0 0 1 0 0 0 0 0  1 1 0 0 0 1 0 1 1 0 1 1
0 0 0 0 0 0 0 1 0 0 0 0  1 0 0 0 1 0 1 1 0 1 1 1
0 0 0 0 0 0 0 0 1 0 0 0  0 0 0 1 0 1 1 0 1 1 1 1
0 0 0 0 0 0 0 0 0 1 0 0  0 0 1 0 1 1 0 1 1 1 0 1
0 0 0 0 0 0 0 0 0 0 1 0  0 1 0 1 1 0 1 1 1 0 0 1
0 0 0 0 0 0 0 0 0 0 0 1  1 1 1 1 1 1 1 1 1 1 1 0
In this code, the minimum Hamming distance between valid codewords is eight; without the parity bit, it would be seven. A distance of seven allows either correcting three errors, correcting two errors and detecting four errors, correcting one error and detecting five errors, or detecting six errors. A distance of eight allows either correcting three errors and detecting four errors, correcting two errors and detecting five errors, correcting one error and detecting six errors, or detecting seven errors.

Examine the error-checking portion, the second square half, of the matrix for the Golay code shown above. The right and bottom edges consist of all ones except for a zero where they meet. The remaining 11 by 11 square consists of the sequence 10110111000 repeated in every row, but shifted one space to the left in each row. This sequence contains exactly six one bits, an even number. The matrix is symmetric, hence unchanged when flipped around the diagonal running from the top left to the bottom right. Now note three facts: every row contains an odd number of 1 bits; the last row ANDed with any other row produces a row with six one bits; and any two of the first 11 rows, when combined by an AND, produce a rotated version of one of the following strings:

10110111000 and 01101110001 = 00100110000 (3 bits)
10110111000 and 11011100010 = 10010100000 (3 bits)
10110111000 and 10111000101 = 10110000000 (3 bits)
10110111000 and 01110001011 = 00110001000 (3 bits)
10110111000 and 11100010110 = 10100010000 (3 bits)
10110111000 and 11000101101 = 10000101000 (3 bits)
10110111000 and 10001011011 = 10000011000 (3 bits)
10110111000 and 00010110111 = 00010110000 (3 bits)
10110111000 and 00101101110 = 00100101000 (3 bits)
10110111000 and 01011011100 = 00010011000 (3 bits)

each of these together with the single 1 bit from the right-hand column, for an even total of four. Taken together, these facts mean that, using modulo 2 arithmetic, the error-checking matrix in the code as represented here is its own inverse: each row has an odd number of 1 bits in common with itself, giving a 1 on the diagonal of the product, and an even number in common with every other row, giving 0 everywhere else. (If it weren't for that extra zero, a different decoding matrix would be required, and a slightly more complicated version of the decoding procedure given below would be required.) Because of the symmetry around the diagonal, this is true both in the usual convention for matrix multiplication (numbers go in from the top, and come out on the right) and the one used for error-correcting codes (numbers go in from the left, and come out on the bottom). For more information on matrix multiplication, see the section concerning the Hill Cipher.

This helps to make it practical to check a codeword formed by this code, and then transmitted, for errors. The following procedure will find the correct original 12-bit input if there were three or fewer errors in the transmitted 24-bit block, or it will fail if there were four errors. (With more than four errors, of course, it can be fooled.)
- First, take the first half, and put it through the code, to see what the codeword would have looked like, if the first half containing the actual data happens to be perfectly without error. Since we are able to correct up to three errors, if the error-checking part of this result differs by no more than three bits from what was received, all the errors (if any) happened in the error-checking part, so the data as received can be accepted.
- Second, take the second half, and put it through the code. Since the error-checking part of the matrix is its own inverse, the error-checking half of the result will be what the data was supposed to have been, if the error-checking half of the block was received perfectly without error. If that result differs by no more than three bits from what was received in the data portion of the block, then the data as recovered from the error-checking part can be accepted.
- Third, consider the possibility that there were errors in both the data and error-checking parts of the block. With three errors it is possible that there could be one error in one of the two parts of the block, and two errors in the other part. So, decoding continues by a limited amount of trial and error. Here, we will assume that exactly one bit in the data portion of the block is in error. Thus, we will take the data portion of the block, and for each of the 12 bits of it in turn, we will invert that bit, put the result through the code, and compare the error-checking portion of the result with that received. If the result is two or fewer errors in the error-checking portion, then the right bit has been found, and the data portion with the bit you flipped is correct.
- Fourth, assume that exactly one bit in the error-checking portion of the block is in error, and for each of the 12 bits in the error-checking portion, invert that bit, apply the code to the result, and compare the error-checking portion of the output to the data portion of the received block. If two or fewer errors are found, then the data calculated from the error-checking portion with one flipped bit contains the correct data.
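As an added example (my code, not the site's or the thesis's), here is the cyclic form of the Golay code above built from the 10110111000 row, a check that its error-checking block is its own inverse, a brute-force confirmation of the distance of 8, and the four-step decoder just described; the sample input is constructed.

```python
SEQ = "10110111000"   # the row the text cites; the 11x11 block is built from it


def golay_check_matrix():
    """The 12x12 error-checking block of the Golay code as shown above: row i
    (0..10) is SEQ shifted left i places with a 1 appended, and the last row
    is eleven 1s followed by the 0 where the right and bottom edges meet."""
    rows = [[int(c) for c in SEQ[i:] + SEQ[:i]] + [1] for i in range(11)]
    rows.append([1] * 11 + [0])
    return rows


def is_self_inverse(b):
    """B * B == I over GF(2).  Because B is symmetric this is the same as the
    AND-and-count argument above: each row has an odd number of 1s in common
    with itself and an even number with every other row."""
    n = len(b)
    return all(sum(x & y for x, y in zip(b[i], b[j])) % 2 == int(i == j)
               for i in range(n) for j in range(n))


def apply_check(bits, b):
    """Multiply a 12-bit vector by B over GF(2): XOR of the rows it selects."""
    out = [0] * 12
    for bit, row in zip(bits, b):
        if bit:
            out = [o ^ r for o, r in zip(out, row)]
    return out


def encode(data, b):
    """24-bit codeword: the 12 data bits followed by their 12 check bits."""
    return list(data) + apply_check(data, b)


def distance(u, v):
    return sum(x != y for x, y in zip(u, v))


def corrupt(word, positions):
    """Copy of word with the given bit positions flipped (simulated errors)."""
    out = list(word)
    for p in positions:
        out[p] ^= 1
    return out


def decode(word, b):
    """The four-step procedure from the text.  Returns the 12 data bits, or
    None when no codeword lies within three bits of the received block."""
    data, check = list(word[:12]), list(word[12:])
    # 1. suppose all errors are in the check half
    if distance(apply_check(data, b), check) <= 3:
        return data
    # 2. suppose all errors are in the data half: since B is its own inverse,
    #    passing the check half through the code recovers the data
    cand = apply_check(check, b)
    if distance(cand, data) <= 3:
        return cand
    # 3. exactly one wrong data bit and at most two wrong check bits
    for i in range(12):
        trial = corrupt(data, [i])
        if distance(apply_check(trial, b), check) <= 2:
            return trial
    # 4. exactly one wrong check bit and at most two wrong data bits
    for i in range(12):
        cand = apply_check(corrupt(check, [i]), b)
        if distance(cand, data) <= 2:
            return cand
    return None


def min_weight(b):
    """Fewest 1s in any nonzero codeword, which for a linear code is its
    minimum Hamming distance; the text says this form has distance 8."""
    return min(sum(encode([(n >> i) & 1 for i in range(12)], b))
               for n in range(1, 1 << 12))


B = golay_check_matrix()
SAMPLE = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0]   # constructed 12-bit input
```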
Another perspective on the binary Golay Code, which I also found understandable, is contained in this thesis. In the form of the Golay Code given above, eleven rows are cyclic, and one special, in the error-checking matrix; in the form discussed in that thesis, all twelve rows are equivalent, but as they relate to the faces of a dodecahedron, there is no way to put them in a cyclic order. The form of the Golay code discussed there is:

1 0 0 0 0 0 0 0 0 0 0 0  1 0 0 0 0 0 1 1 1 1 1 1
0 1 0 0 0 0 0 0 0 0 0 0  0 1 0 1 1 0 0 0 1 1 1 1
0 0 1 0 0 0 0 0 0 0 0 0  0 0 1 0 1 1 1 0 0 1 1 1
0 0 0 1 0 0 0 0 0 0 0 0  0 1 0 1 0 1 1 1 0 0 1 1
0 0 0 0 1 0 0 0 0 0 0 0  0 1 1 0 1 0 1 1 1 0 0 1
0 0 0 0 0 1 0 0 0 0 0 0  0 0 1 1 0 1 0 1 1 1 0 1
0 0 0 0 0 0 1 0 0 0 0 0  1 0 1 1 1 0 1 0 1 1 0 0
0 0 0 0 0 0 0 1 0 0 0 0  1 0 0 1 1 1 0 1 0 1 1 0
0 0 0 0 0 0 0 0 1 0 0 0  1 1 0 0 1 1 1 0 1 0 1 0
0 0 0 0 0 0 0 0 0 1 0 0  1 1 1 0 0 1 1 1 0 1 0 0
0 0 0 0 0 0 0 0 0 0 1 0  1 1 1 1 0 0 0 1 1 0 1 0
0 0 0 0 0 0 0 0 0 0 0 1  1 1 1 1 1 1 0 0 0 0 0 1
Each of the twelve rows and columns of the error-checking part of the matrix corresponds to a face of the dodecahedron, and it contains a zero for every pair of faces that are next to one another. (A face is not considered to be next to itself.) This is still a Golay code, with the same error-correcting property of a Hamming distance of 8 between codewords, and not only is the error-checking matrix symmetric, but once again it is its own inverse as shown here. Because of the dodecahedral symmetry, once again, it is only necessary to AND one row of the matrix with the eleven other rows to establish that. For example, row 1 shares four bits with rows 2 to 11, and two bits with row 12. But being self-dual is not a necessary property of a Golay code; either example of a Golay code given here would still be a Golay code if the error-checking matrix were reflected left to right, since the error-checking properties would be identical, but then that matrix would not be its own inverse. This site contains a link to a paper in DVI format giving eight different constructions of the binary Golay code. (Unfortunately, you may have difficulty in viewing documents in DVI format on your system.)
And here is an example of a form of the Golay code, again one that generates 24-bit output, with the parity bit concealed, that may have actually been used in the transmission of information; it is part of an unofficial draft standard for automatically establishing radio links, and thus it may have been taken from previous actual practice or standards:

1 0 0 0 0 0 0 0 0 0 0 0  1 1 1 1 1 0 0 1 0 0 1 0
0 1 0 0 0 0 0 0 0 0 0 0  0 1 1 1 1 1 0 0 1 0 0 1
0 0 1 0 0 0 0 0 0 0 0 0  1 1 0 0 0 1 1 1 0 1 1 0
0 0 0 1 0 0 0 0 0 0 0 0  0 1 1 0 0 0 1 1 1 0 1 1
0 0 0 0 1 0 0 0 0 0 0 0  1 1 0 0 1 0 0 0 1 1 1 1
0 0 0 0 0 1 0 0 0 0 0 0  1 0 0 1 1 1 0 1 0 1 0 1
0 0 0 0 0 0 1 0 0 0 0 0  1 0 1 1 0 1 1 1 1 0 0 0
0 0 0 0 0 0 0 1 0 0 0 0  0 1 0 1 1 0 1 1 1 1 0 0
0 0 0 0 0 0 0 0 1 0 0 0  0 0 1 0 1 1 0 1 1 1 1 0
0 0 0 0 0 0 0 0 0 1 0 0  0 0 0 1 0 1 1 0 1 1 1 1
0 0 0 0 0 0 0 0 0 0 1 0  1 1 1 1 0 0 1 0 0 1 0 1
0 0 0 0 0 0 0 0 0 0 0 1  1 0 1 0 1 1 1 0 0 0 1 1
The error-checking part of the matrix is not symmetric along the main (upper left to lower right) diagonal, and its transpose is shown as being used in decoding. Also, it is said to have been generated from the polynomial x^11 + x^9 + x^7 + x^6 + x^5 + x + 1.
Each column has seven ones in it, so when multiplied by its transpose, there will be a 1 in every position on the diagonal in the result. Any two distinct columns have either four or two ones in common (as I had to verify by brute force with a short BASIC program), and so the transpose of the error-checking part of the matrix is indeed also the inverse of that part.

Despite the fact that each column and row contains seven ones, the error matrix can't be produced simply by rearranging rows and columns of the one produced from the dodecahedron. This can be shown because the columns corresponding to opposite faces can be identified (no zeroes in the same row), and two non-opposite faces must be adjacent to two other faces, and those two faces must be adjacent to three other faces each (other than the first two: those two faces may be adjacent to each other if the two non-opposite faces were not adjacent), two from each group of which are opposite to two from the other group (which is the point at which it breaks down if you start with the first two columns). Error-checking in this case involves the use of the inverse of the error-checking part of the matrix, but otherwise the algorithm is the same as the one given above.

The field of error-correcting codes, like the field of data compression, is still a very active one, with new research being done and patents being issued on new methods. In the 1970s, a set of error-correcting codes called "Fire codes" were developed. One of the simplest of these could be used as a direct replacement for a parity bit, used with each character in many existing systems, providing error correction instead of just the detection of erroneous characters. It worked like this:

[Diagram not recoverable from the extracted text: it shows a column of data bytes, each with its parity bit P at the right, and the diagonal of staggered bits from the eight previous bytes that each parity bit also covers, ending with the extra byte of parity bits for the remaining diagonals.]
Each parity bit is the XOR of parity for the data byte with which it is associated and parity for staggered bits from the eight previous bytes. Essentially, it is a clever way to obtain the same results as are provided by the use of row and column parity bits. (After the last byte of data, one extra byte, with the extra parity bit, is needed to provide parity for all the remaining diagonals.) More complicated forms involved XORing these parity bits with the parity of another group of eight bits, staggered by being from bytes separated by a larger distance.

A very recent exciting development in error-correcting codes is the class of codes known as "Turbo Codes". These codes are based on the principle of applying two error-correcting codes to the data bits, but with different interleaving. Just as interleaving by itself turns a burst error into scattered individual-bit errors, which error-correcting codes can deal with more easily, using two different interleaving schemes on the data being transmitted reduces to a very small value the chance that any bit will be unrecoverable due to an excessive number of random errors in both of the error-correcting code blocks in which it is found. (The same principle can also be applied to continuous error-correcting codes as well as block codes.)
The Siemens and Halske Geheimschreiber T52
This teletypewriter enciphering machine was bulky, expensive and complicated. Swedish cryptanalysts under Arne Beurling cracked the cipher of the simplest variants of this machine, the T52a and T52b. The British never achieved a regular penetration of T52 messages. It now appears that, at least during the war, the only T52 messages they deciphered were messages that belonged to pairs sent with the same key, but they were able to determine how the T52 worked from those messages. One part of the reason for this is that many messages encrypted by the T52 were sent over land lines, which the Swedes, but not the British, had the opportunity to intercept. But another reason was that the T52 was used to encrypt high-level strategic traffic for the Luftwaffe, which also sent similar messages using Enigmas. Thus, attacking the T52 was lower in priority than attacking the Lorenz Schlusselzusatz, which was used to encrypt high-level strategic traffic for the German Army, or Heer, which, although it did use Enigmas for tactical messages, did not generally use them for messages with information of strategic importance.

It may also be noted that the final version of the machine, the T52e, which included two improvements which previously appeared separately in the T52c and T52d, seems to be a very secure design, although the use of cams instead of resettable pinwheels was a serious flaw.

Ten wheels, in this machine cams whose pattern of 0 and 1 positions could not be modified, of sizes 73, 71, 69, 67, 65, 64, 61, 59, 53, and 47, which were called A, B, C, D, E, F, G, H, J, and K respectively, provided the raw material for this machine's cipher. In addition to having their states sensed at the primary tap point, producing the output that was XORed with the plaintext characters or controlled their shuffling, they were also sensed at a point 25, 24, 23, 23, 22, 22, 20, 20, 18, and 16 positions earlier, respectively.
This additional position controlled the movement of the wheels, so that they stepped in an irregular fashion. The way in which the wheels stepped can best be explained by an oversimplified form of that motion. Each wheel moved unless both of two possible conditions were met, in which case it was prevented from moving. In the simplified model, these wheels remain still:

Wheel   if    and
  A     ~C    ~B
  B      C    ~D
  C     ~E     D
  D      E     F
  E      G    ~F
  F     ~G    ~H
  G      J     H
  H     ~J     K
  J      A    ~K
  K     ~A     B

(Here a letter means that the named wheel's extra tap reads 1, and ~ before the letter means it reads 0.)
Note that the twenty conditions involved both the extra tap on each wheel and its inverse, and no wheel controlled itself. Since every wheel had to be either 1 or 0, and the condition was OR for movement, at least five of the ten wheels had to move with this arrangement, so although the wheels controlled each other, they could not get stuck in a state where they never stepped. Mechanically, this worked as follows: both the plus and minus connections to an electromagnet were controlled by relays, so the electromagnet was energized only if the relays at both ends allowed current to flow. The magnets were interposer magnets: if active, they prevented the cam they controlled from moving. From the main sensing position on the cams A through K, ten signals were derived, labelled 1, 3, 5, 7, 9, and I, II, III, IV, and V, that performed the actual operation of modifying the plaintext to produce the ciphertext. I through V were XORed with bits 1 through 5 of the plaintext character. Then bits in the character were swapped: 1 caused (if its value was 1 instead of 0) bits 1 and 5 to be swapped; signals 3, 5, 7, and 9 swapped bits 4 and 5, 3 and 4, 2 and 3, and finally 1 and 2. First, bits A through K were exchanged, by a simple plugboard on the T52a, T52b, and T52d, and by a set of switches that performed the same function as a plugboard on the T52e, and by an elaborate set of five switches with eight positions on the T52c. Then, in the T52c and the T52e, the ten signals went into a bank of relays, so that each of the signals, 1 through 9 and I through V, that performed the actual encipherment was the XOR of several cam outputs. The following is a diagram of the T52e:
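As an added example (not the site's own code), the simplified stepping table above written out so that the claim that at least five wheels always move can be checked over all 1024 states of the extra taps:

```python
from itertools import product

WHEELS = "ABCDEFGHJK"

# The simplified stepping table above: a wheel stays still only when BOTH of
# its conditions hold; "~X" means wheel X's extra tap reads 0, "X" that it
# reads 1.
STILL_IF = {
    "A": ("~C", "~B"), "B": ("C", "~D"),  "C": ("~E", "D"), "D": ("E", "F"),
    "E": ("G", "~F"),  "F": ("~G", "~H"), "G": ("J", "H"),  "H": ("~J", "K"),
    "J": ("A", "~K"),  "K": ("~A", "B"),
}


def holds(cond, taps):
    """Evaluate one condition against the dict of extra-tap readings."""
    if cond.startswith("~"):
        return taps[cond[1]] == 0
    return taps[cond] == 1


def stationary_wheels(taps):
    """The wheels that do not step for the given extra-tap readings."""
    return [w for w in WHEELS if all(holds(c, taps) for c in STILL_IF[w])]


def fewest_moving_wheels():
    """Exhaustively check the claim that at least five wheels always move:
    try all 1024 tap states and report the smallest number of movers."""
    return min(len(WHEELS) - len(stationary_wheels(dict(zip(WHEELS, bits))))
               for bits in product((0, 1), repeat=len(WHEELS)))


def each_tap_used_both_ways():
    """Every wheel's extra tap appears exactly once plain and once inverted
    across the twenty conditions, and no wheel controls itself."""
    conds = [c for pair in STILL_IF.values() for c in pair]
    plain = sorted(c for c in conds if not c.startswith("~"))
    inverted = sorted(c[1] for c in conds if c.startswith("~"))
    no_self = all(w not in (c.lstrip("~") for c in pair)
                  for w, pair in STILL_IF.items())
    return plain == inverted == list(WHEELS) and no_self
```

The pairs (A,B), (C,D), (E,F), (G,H) and (J,K) each have contradictory first conditions, so at most one wheel of each pair can be held still, which is why the exhaustive check bottoms out at five movers.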
Circles, except when they are sockets or plugs for a plugboard, are XOR gates. The rectangles are AND gates. The black and white hourglasses are inverters. The wide white hourglasses swap the two inputs from the top to form the two outputs at the bottom depending on the input from the side. The logic being relay logic, wired-OR is present. The T52e, shown here, included all the features that this telecipher acquired over its development. The extra features, over and above a simple set of ten cams controlling XORs and swaps of plaintext bits, are divided into two groups; one group was also present only on the T52c, and the other group was also present only on the T52d. The relay bank was also present in the T52c, but it was wired differently. The T52c also had a means of altering the order in which cam outputs went to the relay bank, but instead of a plugboard, it was a set of five eight-position switches, each one controlling three swaps of the cam signals.
The T52d did not have those features, but it did have cam stepping logic; again, that logic was somewhat different from that of the T52e. Here is a diagram of the T52c:
In this diagram, the switch-controlled swaps should be considered to be positioned as follows:

3 2 1 4 6 5 9 12 15 8 11 14 7 10 13

and the five switches control the fifteen swaps as follows (one row for each of the eight switch positions P, S, T, U, W, X, Y and Z, one column for each swap):

      1 2 3  4 5 6  7 8 9  10 11 12  13 14 15
  P   0 0 0  0 1 0  0 0 1   1  0  1   1  1  1
  S   0 1 0  1 0 0  0 1 1   1  1  0   0  0  0
  T   1 0 0  0 0 1  1 0 1   1  1  1   0  1  0
  U   0 0 1  0 1 1  1 1 0   0  0  0   1  0  0
  W   0 1 1  1 0 1  1 1 1   0  1  0   0  0  1
  X   1 0 1  1 1 0  0 0 0   1  0  0   0  1  1
  Y   1 1 0  1 1 1  0 1 0   0  0  1   1  0  1
  Z   1 1 1  0 0 0  1 0 0   0  1  1   1  1  0
And here is one of the T52d:
The T52d and T52e are shown here in the "ohne Klartextfunktion" mode. They also had a feature where the third bit of a plaintext character, after a delay, was introduced into the cam stepping logic, which was also changed in that mode. This limited autokey, or "clear text function", caused serious problems of garbling in practice, and was therefore little used. However, that does not prevent me from including diagrams of the T52d and T52e in this mode, particularly as the stepping logic is somewhat more symmetrical in this mode in both cases. First, the T52e "mit Klartextfunktion":
then, the T52d "mit Klartextfunktion".
The Swedish SA1
This telecipher device combines some of the features of the SZ40 and T52, in a design that is secure yet economical. The device has two sets of five pinwheels, of lengths 19, 21, 23, 25, and 26. (Toby's Cryptopage, now available again after a hiatus, also discusses the TA1, a later version with larger pinwheels of lengths 26, 29, 31, 33, and 35.) The pins are pushed in or pulled out by the user, and the five bits of each plaintext character are modified by being subjected to an exclusive-OR operation with the current pin of the corresponding pinwheel from each of the two sets. The first set of pinwheels steps one position for every character enciphered. An additional position on the pinwheels, besides the one used to XOR the plaintext, is sensed (two positions earlier). That alternate output, from all five pinwheels, is XORed together, creating a single bit; if 0, the second set of pinwheels steps only once; if 1, they step twice. The second set of pinwheels is also sensed at the same alternate position, and the output from all of them is combined by XOR. This time, the result, if 1, causes the entire output ciphertext character to be inverted.

This design allows two identical modules to be used in the device, thus making manufacture more economical. It achieves irregular stepping, but only ten, not twelve, pinwheels are required. The source for the information on this page is the home page of Torbjörn Andersson, entitled Toby's Cryptopage, which has an entry in my Links section. It is well worth a visit, and includes original photos of many of the machines discussed here; not just the SA1, but also the T52 and the B211.
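As an added example, not code from this site or from Toby's Cryptopage, here is a simulation of the SA1 as described above; it assumes that the pins are sensed before the wheels step and that all wheels start at position 0, and the pin settings and message are constructed.

```python
import random

LENGTHS = (19, 21, 23, 25, 26)   # pinwheel sizes given in the text


class PinwheelBank:
    """Five pinwheels of the lengths above, each a list of 0/1 pins."""

    def __init__(self, pins):
        assert tuple(len(p) for p in pins) == LENGTHS
        self.pins = [list(p) for p in pins]
        self.pos = [0] * 5          # assumed starting position of every wheel

    def current(self):
        """Pins under the primary sensing point, one bit per wheel."""
        return [p[i] for p, i in zip(self.pins, self.pos)]

    def alternate(self):
        """Pins under the second sensing point, two positions earlier."""
        return [p[(i - 2) % len(p)] for p, i in zip(self.pins, self.pos)]

    def step(self, n):
        self.pos = [(i + n) % len(p) for p, i in zip(self.pins, self.pos)]


def parity(bits):
    return sum(bits) % 2


def sa1(chars, bank1_pins, bank2_pins):
    """Encipher a list of 5-bit characters (each a list of five 0/1 bits).
    Deciphering is the same call: XOR and inversion undo themselves, and the
    pin readings depend only on the wheel positions, not on the text."""
    bank1, bank2 = PinwheelBank(bank1_pins), PinwheelBank(bank2_pins)
    out = []
    for ch in chars:
        # both banks XORed onto the character, bit by bit
        c = [p ^ a ^ b for p, a, b in zip(ch, bank1.current(), bank2.current())]
        # the XOR of bank 2's alternate taps inverts the whole character
        if parity(bank2.alternate()):
            c = [1 - bit for bit in c]
        out.append(c)
        # the XOR of bank 1's alternate taps decides whether bank 2 steps
        # once or twice; bank 1 always steps once (sensing assumed to
        # happen before stepping)
        bank2.step(2 if parity(bank1.alternate()) else 1)
        bank1.step(1)
    return out


def random_pins(seed):
    """A constructed pin setting for each of the five wheels of one bank."""
    rng = random.Random(seed)
    return [[rng.randint(0, 1) for _ in range(n)] for n in LENGTHS]


# constructed message: eleven 5-bit characters
SAMPLE = [[(i >> k) & 1 for k in range(5)] for i in range(0, 32, 3)]
```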
An American Patent
U. S. Patent 4157453 is one of the few patents that were secretly issued to people working for the NSA or one of its predecessor agencies that has now been publicly issued in normal fashion, many years later. It was filed on October 10th, 1944, but issued on June 5th, 1979. The inventor was Leo Rosen, known to history as the one who had the inspiration to realize that the Japanese cipher machine codenamed PURPLE used telephone stepping switches. This patent refers only to scrambling the order of bits in a teletypewriter signal, without inverting any bits. However, in addition to shuffling the bits within a single character, as the T52 did, this device moved bits between characters.

Originally, I was only able to see the claims of this patent, but the text of it has since become available. It turns out that it referred to buffering two or four 5-level-code characters, received serially, in banks of relays, transposing the stored bits, and then transmitting the result. Given the technology of the time, commutator switches were used to access relays serially; today, a designer thinking of how to perform such an operation would no doubt think of shift registers. Having just seen a brief description of the purpose of the invention, I had supposed that this patent could have been for a system that was actually applied to a combined time and frequency division voice scrambler, with its application disguised for security.

However, as a telecipher device, one of the simplest ways in which to accomplish this kind of scrambling would be to do the following: use pinwheels to scramble the bits within a character; then, subject these bits to a fixed pattern of delays, so that they are distributed among two to five different characters; then, perform a second pinwheel-controlled scramble of the bits within each character. To decipher, one first inverts the second scramble.
Then, one delays the bits in a complementary fashion to that used for enciphering: if bits 1 to 5 are subject to delays 0 1 0 1 0 on enciphering, then use delays 1 0 1 0 1 on deciphering, for a net delay of every bit by 1 character; if bits 1 to 5 are subject to delays 0 1 2 3 4 on enciphering, use delays 4 3 2 1 0 for deciphering, for a net delay of 4 characters. Then, invert the first scramble, with the pinwheels controlling it offset so that their scramble is delayed to match the net delay of the enciphering delay stage and its deciphering complement.
Converter M228 or SIGCUM
This machine is described in an article in a recent issue of Cryptologia magazine, which also provides accompanying information of historical and human interest. It is a telecipher device built around a five-rotor machine. The original version supplied thirteen live inputs to the input rotor. Five outputs from the other end were XORed to the five bits of a teletypewriter character. The rotors advanced conventionally for each character enciphered, and had only one carry position. Like the SIGABA, the letter O, and not A, indicated the zero position of the rotors. The five rotors included one that moved for every letter enciphered, and one that moved only when that first rotor completed a full rotation, and so on, like an odometer, but with one difference: which rotor moved with which frequency could be chosen arbitrarily. The original Hebern machine had three classes of rotor movement, and it too allowed the selection of how the individual rotors moved, but in a less straightforward manner. Here is a diagram of the way the original SIGCUM was wired:
Since 13 inputs out of 26 were live, each bit of the five outputs had a 50-50 chance of being live, but not all 32 combinations of all five outputs were equally likely: five ones or five zeroes were the least likely, and 2 or 3 of each was the most likely. This simple design was found to be insecure, after being put into use, for a particular case of operator error. A considerably revised version served for some time, and its description is as follows:

In the revised version, there were only five live inputs to the input rotor. Fifteen outputs from the other end were wired together in five groups of three to provide the five output bits. This gave each bit a probability of about 48.846%, or exactly 381/780, of being a one. In the original design, all five rotors moved in the conventional manner of wheels on an odometer, except that the position of the rotor that moved with every character enciphered, and the position of each rotor that moved when another rotor completed a full circle, could be set arbitrarily. In the revised design, three rotors moved in that way, and two other rotors had movements called fast bump and slow bump that depended on the bits the rotors generated. If bit 1, bit 3, and bit 5 of the generated bits (to be XORed with the plaintext to create ciphertext) were all ones, the slow bump rotor would advance for the next character. If bit 2 and bit 4 were both 1, the fast bump rotor would advance. In addition, the slow bump rotor skipped an extra position when it reached O, as well as stepping the slow rotor (if the slow rotor was also at O; this may have been a misprint for 'slow bump', since that won't happen very often). Here is a diagram of the modified version of the SIGCUM:
The bump rotors meant that extra parts did have to be added to the machine to effect the conversion; it was not a simple case of rewiring. Even the early version of the machine appeared to be highly secure at first glance, which makes Frank Rowlett's feat of establishing its weaknesses impressive. An issue of Cryptologia some years previous to the issue in which SIGCUM or the M228 was described, quoted a government memo which referred to the M294. This machine was very similar to the SIGABA, except that the five "cipher rotors" supplied a bitstream to encipher a teletypewriter message; presumably using an arrangement similar to that seen here. Such a device would certainly provide a method of encipherment for teletypewriter messages of impressive security. SIGNIN was an alternative designation for the M294. The M138 and M138A, indirect predecessors of the SIGABA, were rotor machines, of the Hebern type, acting upon the 26 letters of the alphabet, but with the motions of their five rotors controlled by a paper tape; in a way, these machines were the exact inverse or complement of SIGCUM. Frank B. Rowlett passed away on June 29, 1998, at the age of 90.
Conclusions for Chapter 3
In some ways, the cipher systems outlined in this chapter are disappointing, compared to what we had seen in the previous chapter. This reflects the difficulty of manipulating binary signals with simple electromechanical devices, and it may also involve the psychological effect of overconfidence in the security of a system based on new and unfamiliar principles. The M-228 is an exception to both halves of this generalization; it is secure, but it isn't entirely new, being largely based on a rotor mechanism.

Of course, it is true that I could have described the T52 in more detail (at least in words, for those who cannot receive the schematic diagrams included in that section, which do accurately describe it). It is certainly very complex. But the complexity and expense of the machine are beyond those of the SIGABA, while the security may well be less even than that of the Enigma. (Yes, it was broken less often than the Enigma; but there were fewer intercepts, and the more restricted distribution of the machine makes it likely that it was more carefully used.) Had the routing of signals to the various inversion and swapping relays changed with every character, instead of merely being a static part of the key, the system might have been significantly more secure. Of course, even more important would be the change to pinwheels instead of cams.

It is interesting that one wire in the Swedish SA1 seems to hold the key to the security of that machine. That wire is the one from the first pinwheel bank which controls the stepping of the second pinwheel bank. But can something that contains only a single bit of information per five-bit character really provide security?

The M-228 is interesting, and as noted in the section on it, apparently a newer machine existed that was like a SIGABA, except that the cipher rotors were used to encipher teletypewriter signals in the fashion of the M-228. The following diagram:
illustrates an interesting idea for taking that concept even further. The cipher rotors work like the old M-228, in order to XOR the message with unbiased individual bits. The control rotors are also simplified, so that they can produce five extra signals, which are also XORed with the message. This appears to strengthen the machine, since bits from two essentially independent sources are XORed with the plaintext. Can we be sure that the bits from the cipher rotors completely mask those from the control rotors, though, or could this design have a weakness, by offering a "window" to the control rotors?
LUCIFER: the first block cipher
One could perhaps quarrel with the title of this section. What about Playfair, or the Hill cipher? But LUCIFER, part of an experimental cryptographic system designed by IBM, was the direct ancestor of DES, also designed by IBM.

Like DES, LUCIFER was an iterative block cipher, using Feistel rounds. That is, LUCIFER scrambled a block of data by performing an encipherment step on that block several times, and the step used involved taking the key for that step and half of that block to calculate an output which was then applied by exclusive-OR to the other half of the block. Then, the halves of the block were swapped, so that both halves of the block would be modified an equal number of times.

Incidentally, this page refers to LUCIFER as actually implemented, and described in an article in the journal Cryptologia by Arthur Sorkin. An article in Scientific American discussed plans for LUCIFER on a more general level, and described what was essentially a different kind of block cipher.

LUCIFER enciphered blocks of 128 bits, and it used a 128-bit key. The F-function in LUCIFER had a high degree of symmetry, and could be implemented in terms of operations on one byte of the right half of the message at a time. However, I will describe LUCIFER here in the same general fashion that DES is described.
Subkey generation
Each round uses a 72-bit subkey. The subkey for the first round consists of the first byte of the key repeated twice, followed by the next seven bytes of the key. Rotate the key left by seven bytes, then generate the subkey for the next round.
The f-function
XOR the right half of the block with the last eight bytes of the subkey for the round.
Based on the bits of the first byte of the subkey for that round, swap nibbles in the eight bytes of that result for those bytes which correspond to a 1 bit. Use S-box 0 for the most significant nibble of each of these eight bytes, and S-box 1 for the least significant nibble of each byte:
Input:           0  1  2  3  4  5  6  7
S-box 0 output: 12 15  7 10 14 13 11  0
S-box 1 output:  7  2 14  9  3 11  0  4

Input:           8  9 10 11 12 13 14 15
S-box 0 output:  2  6  3  1  9  4  5  8
S-box 1 output: 12 13  1 10  6 15  8  5
Permute the 64 bits of the result, numbered from 0 (for the most significant bit) to 63 (for the least significant bit), by the following permutation:
10 21 52 56 26 37  4  8
42 53 20 24 58  5 36 40
27  1 47 38 43 17 63 54
59 33 15  6 11 49 31 22
18 34 50  2 29 45 61 13
60  0 35  9 55 46 12 16
51 25  7 62 28 32  3 41
23 14 44 48 19 57 39 30
The General Structure
LUCIFER has sixteen rounds. In each round, the f-function is calculated using that round's subkey and the left half of the block. The result is then XORed to the right half of the block, which is the only part of the block altered for that round. After every round except the last one, the right and left halves of the block are swapped.
Comments
Although LUCIFER has a larger block and key size than DES, it is considerably more vulnerable to attacks from differential cryptanalysis, and is also weak due to the regular nature of its key schedule. However, this does not mean that the LUCIFER algorithm is useless. If a reasonably good stream cipher is used both before and after LUCIFER, its weaknesses essentially become irrelevant, and its strengths are still present. It might indeed be argued that this kind of precaution ought to be used with DES as well.
The Data Encryption Standard
You may remember that when the Data Encryption Standard was first presented, there was a great deal of controversy. Since then, much of the dust has settled. We know now for sure that the key was much too short. (Since that was written, we learned that it was really much too short, thanks to this project.) But we also know that enciphering whole messages by means of public-key systems is not a reasonable alternative. Instead, just encrypt the key that way, and use a conventional cryptosystem, but a better one than just plain DES, for the message.

It's clear that the secret the NSA asked IBM not to reveal was the method of differential cryptanalysis. Since the S-boxes were not optimized against linear cryptanalysis, this proves that IBM didn't know about that attack back then. Although the fact that the NSA did certify the design as secure might suggest that the NSA didn't have that technique either, the inference is not really warranted: the NSA is, after all, an agency noted for its reticence. And there is also a result showing that DES with all sixteen subkeys specified independently is not much stronger than a cipher with a 65-bit key.

DES is designed for implementation in hardware, and even includes some steps which do not appear to strengthen the cipher at all but which are hard to perform in software. If, however, DES had been a secret algorithm, these extra steps would have helped to make it harder to determine the algorithm by analysis.

As it is a Frequently Asked Question, I think I really can't skip giving the algorithm here, although it appears in many other sources; the official standard is even available from the NIST web server. DES closely resembles LUCIFER, since it is also a cipher based on sixteen Feistel rounds.
Details of the Data Encryption Standard
In my description of LUCIFER, I numbered bits from 0 to 127 or from 0 to 63; here, bits will be numbered from 1 to 64 or from 1 to 32. In both cases, the lowest-numbered bit is the MSB of the first character, and the highest-numbered bit is the LSB of the last character; that is, big-endian (68000-like and not 8086-like) conventions are observed throughout. First, for no particularly good reason (except, just possibly, to group together the most and least significant bits of uncompressed text characters) the bits of the block are transposed according to the following permutation:
58 50 42 34 26 18 10  2
60 52 44 36 28 20 12  4
62 54 46 38 30 22 14  6
64 56 48 40 32 24 16  8
57 49 41 33 25 17  9  1
59 51 43 35 27 19 11  3
61 53 45 37 29 21 13  5
63 55 47 39 31 23 15  7
As in the section on LUCIFER, all bit permutations are to be interpreted as follows: if the permutation begins 58 50 42..., that means that the first bit of the output came from bit 58 of the input, the second bit of the output came from bit 50 of the input, and so on. For 16 rounds, the left half, or the first 32 bits, is modified by being XORed with a 32-bit result calculated from the right half of the block in its current state and the subkey for that round. After each of the first 15 rounds, the halves are then swapped.
The f-function
This calculation, known as the f-function, proceeds as follows: The 32-bit right half of the block is expanded to 48 bits by means of this, the expansion permutation:
32  1  2  3  4  5
 4  5  6  7  8  9
 8  9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32  1
The eight groups of four bits in the right half are each made the middle four bits of a group of six bits in the result, and they are joined, on each side, by the bits that were adjacent to them originally. Those two outer bits are, in a way, supplementary to the four bits in the middle, since the S-box tables contain four encodings of the middle bits, in which every different value has a different result, selected by the two outer bits. (One could even implement DES with a permutation starting
32 5 1 2 3 4 4 9 5 6 7 8
to allow the S-boxes to be laid out more simply, provided that one generated and stored the subkeys with the same change in the order of their bits.)

After the right half of the block has been expanded to 48 bits, it is XORed with the current round's 48-bit subkey. The result is then used as the input to eight lookup tables, with a six-bit input and a four-bit output.
The DES S-boxes
S-box 1 (row selected by bits 1 and 6; column by the value bits 2, 3, 4, and 5 form):

Bit 1  Bit 6 |  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
  0      0   | 14  4 13  1  2 15 11  8  3 10  6 12  5  9  0  7
  0      1   |  0 15  7  4 14  2 13  1 10  6 12 11  9  5  3  8
  1      0   |  4  1 14  8 13  6  2 11 15 12  9  7  3 10  5  0
  1      1   | 15 12  8  2  4  9  1  7  5 11  3 14 10  0  6 13

S-box 2 (row selected by bits 7 and 12; column by bits 8, 9, 10, and 11):

Bit 7  Bit 12 |  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
  0      0    | 15  1  8 14  6 11  3  4  9  7  2 13 12  0  5 10
  0      1    |  3 13  4  7 15  2  8 14 12  0  1 10  6  9 11  5
  1      0    |  0 14  7 11 10  4 13  1  5  8 12  6  9  3  2 15
  1      1    | 13  8 10  1  3 15  4  2 11  6  7 12  0  5 14  9

S-box 3 (row selected by bits 13 and 18; column by bits 14, 15, 16, and 17):

Bit 13  Bit 18 |  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
  0       0    | 10  0  9 14  6  3 15  5  1 13 12  7 11  4  2  8
  0       1    | 13  7  0  9  3  4  6 10  2  8  5 14 12 11 15  1
  1       0    | 13  6  4  9  8 15  3  0 11  1  2 12  5 10 14  7
  1       1    |  1 10 13  0  6  9  8  7  4 15 14  3 11  5  2 12

S-box 4 (row selected by bits 19 and 24; column by bits 20, 21, 22, and 23):

Bit 19  Bit 24 |  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
  0       0    |  7 13 14  3  0  6  9 10  1  2  8  5 11 12  4 15
  0       1    | 13  8 11  5  6 15  0  3  4  7  2 12  1 10 14  9
  1       0    | 10  6  9  0 12 11  7 13 15  1  3 14  5  2  8  4
  1       1    |  3 15  0  6 10  1 13  8  9  4  5 11 12  7  2 14

S-box 5 (row selected by bits 25 and 30; column by bits 26, 27, 28, and 29):

Bit 25  Bit 30 |  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
  0       0    |  2 12  4  1  7 10 11  6  8  5  3 15 13  0 14  9
  0       1    | 14 11  2 12  4  7 13  1  5  0 15 10  3  9  8  6
  1       0    |  4  2  1 11 10 13  7  8 15  9 12  5  6  3  0 14
  1       1    | 11  8 12  7  1 14  2 13  6 15  0  9 10  4  5  3

S-box 6 (row selected by bits 31 and 36; column by bits 32, 33, 34, and 35):

Bit 31  Bit 36 |  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
  0       0    | 12  1 10 15  9  2  6  8  0 13  3  4 14  7  5 11
  0       1    | 10 15  4  2  7 12  9  5  6  1 13 14  0 11  3  8
  1       0    |  9 14 15  5  2  8 12  3  7  0  4 10  1 13 11  6
  1       1    |  4  3  2 12  9  5 15 10 11 14  1  7  6  0  8 13

S-box 7 (row selected by bits 37 and 42; column by bits 38, 39, 40, and 41):

Bit 37  Bit 42 |  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
  0       0    |  4 11  2 14 15  0  8 13  3 12  9  7  5 10  6  1
  0       1    | 13  0 11  7  4  9  1 10 14  3  5 12  2 15  8  6
  1       0    |  1  4 11 13 12  3  7 14 10 15  6  8  0  5  9  2
  1       1    |  6 11 13  8  1  4 10  7  9  5  0 15 14  2  3 12

S-box 8 (row selected by bits 43 and 48; column by bits 44, 45, 46, and 47):

Bit 43  Bit 48 |  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
  0       0    | 13  2  8  4  6 15 11  1 10  9  3 14  5  0 12  7
  0       1    |  1 15 13  8 10  3  7  4 12  5  6 11  0 14  9  2
  1       0    |  7 11  4  1  9 12 14  2  0  6 10 13 15  3  5  8
  1       1    |  2  1 14  7  4 10  8 13 15 12  9  0  3  5  6 11
Then, the 32-bit result formed by the output of the eight S-boxes above in turn is subjected to the following permutation, P:
16  7 20 21 29 12 28 17
 1 15 23 26  5 18 31 10
 2  8 24 14 32 27  3  9
19 13 30  6 22 11  4 25
One round of DES, with the f-function shown in detail, is illustrated by the following diagram, accompanied by another diagram giving an overview of the whole block cipher: Round:
Overview:
Since bit transposition is slow in software, software implementations of DES will normally use, for the S-boxes, a table with 32-bit entries showing each four-bit output as it looks after going through permutation P. After the sixteen rounds of DES are complete, the left and right halves of the block together, not swapped in the last round, are then subjected to the inverse of the initial permutation, which takes the bits from 1 to 64 of the block, and puts them in the final result in this order:
40  8 48 16 56 24 64 32
39  7 47 15 55 23 63 31
38  6 46 14 54 22 62 30
37  5 45 13 53 21 61 29
36  4 44 12 52 20 60 28
35  3 43 11 51 19 59 27
34  2 42 10 50 18 58 26
33  1 41  9 49 17 57 25
Subkey generation
The 56-bit key used by DES is, when in standard format, stored in eight bytes, in which the least significant bit of each byte is used for parity! Thus, the permutation, called Permuted Choice 1, which divides the 56-bit key into two 28-bit halves, acts on bits 1 through 7, 9 through 15, 17 through 23, and so on. Permuted Choice 1 is the following:

First half:
57 49 41 33 25 17  9
 1 58 50 42 34 26 18
10  2 59 51 43 35 27
19 11  3 60 52 44 36
Second half:
63 55 47 39 31 23 15
 7 62 54 46 38 30 22
14  6 61 53 45 37 29
21 13  5 28 20 12  4
Like the initial permutation and inverse initial permutation, Permuted Choice 1 is irrelevant to the strength of DES, except insofar as it makes things awkward for general-purpose computers. On the other hand, the permutation P is vitally necessary to the cryptographic strength of DES. The two 28-bit quantities are then subjected to successive circular left shifts of different sizes before the subkey for each round is determined from them. These circular left shifts, one of which is applied before the first subkey is taken, are in order of the following sizes:
1 1 2 2 2 2 2 2 1 2 2 2 2 2 2 1
Note also that to decrypt, the only alteration in the DES algorithm is that the subkeys are used in reverse order. The 48-bit subkey for each round is extracted from the two 28-bit quantities, the first consisting of bits 1 to 28, and the second of bits 29 to 56, by the following permutation, Permuted Choice 2:
14 17 11 24  1  5
 3 28 15  6 21 10
23 19 12  4 26  8
16  7 27 20 13  2
41 52 31 37 47 55
30 40 51 45 33 48
44 49 39 56 34 53
46 42 50 36 29 32
Note that, since only 48 bits are produced, some numbers from 1 through 56 are absent. This permutation is important to the strength of DES. (Also, if the implementation is modified to simplify the arrangement of the S-boxes, as noted in the preceding parenthetical note, then this permutation is the one that must be changed correspondingly, to 14 5 17 11 24 1, 3 10 28 15 6 21, and so on. Also, likely the subkeys would be stored in 8-byte spaces, with each byte containing only six bits of the subkey.)
Variations of DES
DES, being the best known of a whole class of ciphers, has inspired many suggestions for variations of it.

The initial permutation and inverse initial permutation, and perhaps also Permuted Choice 1, could be removed, to obtain a cipher of equivalent intrinsic strength, but simpler to perform on a computer.

The sixteen subkeys could be supplied directly as a key, instead of being derived from a short 56-bit key. However, a result reported in Bruce Schneier's book Applied Cryptography shows that the strength of that is only a slight improvement on that of regular DES, essentially equivalent to using a 65-bit key.

If the eight S-boxes are moved from their regular positions, so that the order in which they are applied to the successive six-bit groups of their input is 2, 4, 6, 7, 3, 1, 5, and 8, without altering the permutation P, DES remains highly resistant to differential cryptanalysis, but becomes resistant to linear cryptanalysis as well. (Any reordering of the S-boxes in which S-boxes 1, 7, and 4 are consecutive and in that order can make DES very weak against differential cryptanalysis, as noted in Biham and Shamir's original paper on differential cryptanalysis.)

RSA Data Security has recommended DESX, which is simply DES strengthened by performing an XOR against additional key bits at the beginning and at the end of encipherment.

One way in which DES might be strengthened by a simple modification that has occurred to me is this: retain the initial and inverse initial permutations, but perform them after rounds 4 and 12 of the cipher respectively. This way, they are contributing something to its strength. Perhaps it would even be possible to use a 112-bit key, as follows: for the first 56 bits, generate the regular key schedule, and use it during rounds 1 through 4 and 13 through 16. For the last 56 bits, use the decrypting key schedule from those bits during rounds 5 through 12.
Unlike DESX, though, this kind of modification is only applicable if one is performing DES encryption in software, not when using existing DES hardware.
Another possible way of using a 112-bit key would be by enhancing DES with an idea I use in QUADIBLOC: use 32 subkeys, by applying the f-function twice, first to the right half of the block, then to the first f-function output, before XORing the result to the right half. This propagates changes in the block more quickly.

Also, it would seem to me that one could obtain a very strong cipher by alternating pairs of rounds of DES with rounds of SAFER, a block cipher based on very different principles.

A more economical way to realize increased strength would be, perhaps, to take the variation suggested above, with IP after round 4, and IIP after round 12, and apply, before and after each of these permutations, a user-supplied substitution, part of the key, acting on the eight bytes of the block. The inverse of this substitution would be used on deciphering. Since differential cryptanalysis depends on substitutions being known, this would seem to improve the strength of the cipher against that kind of attack; and, since a random substitution on the possible byte values from 0 to 255 takes quite a bit more than 56 bits to describe it, key size is also increased. Applying the substitution at the beginning and end of the block cipher would probably be advisable as well; this would increase the amount of this extra key that is actually used, and it would protect all sixteen, rather than just the middle eight, rounds of the block cipher from outside scrutiny.
SAFER (Secure And Fast Encryption Routine)
This algorithm is of interest for several reasons. It is designed for use in software. Unlike DES, or even IDEA, it does not divide the block into parts of which some parts affect others; instead, the plaintext is directly changed by going through S-boxes, which are replaced by their inverses for decryption.
Description of SAFER
SAFER uses eight rounds. The first step for a round is to apply the first subkey for the round to the eight bytes of the block. The operation by which each byte of the subkey is applied to each byte of the block depends on which byte is used: the sequence is
XOR, add, add, XOR, XOR, add, add, XOR
Then, the Sbox is used. Those bytes to which the subkey was applied by an XOR go through the regular Sbox; those bytes to which it was applied by addition go through the inverse Sbox.
The Sboxes:
The regular box represents 45 raised to successive powers modulo 257 (with the modulo 257 result then squeezed into a byte by being taken modulo 256):
  1  45 226 147 190  69  21 174 120   3 135 164 184  56 207  63
  8 103   9 148 235  38 168 107 189  24  52  27 187 191 114 247
 64  53  72 156  81  47  59  85 227 192 159 216 211 243 141 177
255 167  62 220 134 119 215 166  17 251 244 186 146 145 100 131
241  51 239 218  44 181 178  43 136 209 153 203 140 132  29  20
129 151 113 202  95 163 139  87  60 130 196  82  92  28 232 160
  4 180 133  74 246  19  84 182 223  12  26 142 222 224  57 252
 32 155  36  78 169 152 158 171 242  96 208 108 234 250 199 217
  0 212  31 110  67 188 236  83 137 254 122  93  73 201  50 194
249 154 248 109  22 219  89 150  68 233 205 230  70  66 143  10
193 204 185 101 176 210 198 172  30  65  98  41  46  14 116  80
  2  90 195  37 123 138  42  91 240   6  13  71 111 112 157 126
 16 206  18  39 213  76  79 214 121  48 104  54 117 125 228 237
128 106 144  55 162  94 118 170 197 127  61 175 165 229  25  97
253  77 124 183  11 238 173  75  34 245 231 115  35  33 200   5
225 102 221 179  88 105  99  86  15 161  49 149  23   7  58  40
Since the second Sbox is the inverse of the first, it can be thought of as containing logarithms base 45 modulo 257, although, given the intractability of the discrete logarithm problem, it is not calculated that way directly, but is instead just the inverse of the preceding one:
128   0 176   9  96 239 185 253  16  18 159 228 105 186 173 248
192  56 194 101  79   6 148 252  25 222 106  27  93  78 168 130
112 237 232 236 114 179  21 195 255 171 182  71  68   1 172  37
201 250 142  65  26  33 203 211  13 110 254  38  88 218  50  15
 32 169 157 132 152   5 156 187  34 140  99 231 197 225 115 198
175  36  91 135 102  39 247  87 244 150 177 183  92 139 213  84
121 223 170 246  62 163 241  17 202 245 209  23 123 147 131 188
189  82  30 235 174 204 214  53   8 200 138 180 226 205 191 217
208  80  89  63  77  98  52  10  72 136 181  86  76  46 107 158
210  61  60   3  19 251 151  81 117  74 145 113  35 190 118  42
 95 249 212  85  11 220  55  49  22 116 215 119 167 230   7 219
164  47  70 243  97  69 103 227  12 162  59  28 133  24   4  29
 41 160 143 178  90 216 166 126 238 141  83  75 161 154 193  14
122  73 165  44 129 196 199  54  43 127  67 149  51 242 108 104
109 240   2  94 153 124 184  64 120 146 144 125  40 206 221 155
234  20 134 207 229  66  45  58 233 100  31  57 111 224 137  48
Then the second subkey for the round is applied to the block. This time, the sequence of operations complements that used previously:
add, XOR, XOR, add, add, XOR, XOR, add
Then, the different bytes are mixed together without using a bit transpose. Instead, arithmetic is used. The first byte is replaced by twice the old first byte plus the old second byte. The second byte is replaced by the old first byte plus the second byte. Only the last eight bits of the sums are kept, of course. This same method of combining the bytes is applied to the third and fourth bytes, the fifth and sixth bytes, and the seventh and eighth bytes. Then the bytes are interchanged; after the interchange, the order of the bytes becomes
1 3 5 7 2 4 6 8
in terms of which byte each byte was before. The mixing is performed on pairs of bytes again, and then the interchange, and then the mixing. After the eighth round, an extra subkey is applied in the same way as the first subkey of each round. The following diagram illustrates a round of SAFER:
Decryption
Unlike most other block algorithms, SAFER is inverted by doing the reverse of each step, in reverse order, without the possibility of achieving the same result merely by some alteration of the subkeys used. The reverse of the method of mixing pairs of bytes is this: to get the old first byte, subtract the new second byte from the new first byte. The old second byte is the new second byte minus the old first byte, which is the same as twice the new second byte minus the new first byte.
Subkey generation
In the original version of SAFER, the first 64-bit subkey was the key itself. To generate successive subkeys, the individual bytes of the key were given a circular left shift of 3 bits between the rounds, and the current result is then XORed with a fixed constant for each round. These constants are:
Subkey 1: 0 (the key itself is used)
Subkey 2: 16733B1E8E70BD86
Subkey 3: 477E2456F1778846
Subkey 4: B1BAA3B7100AC537
Subkey 5: C95A28AC64A5ECAB
Subkey 6: C66795580DF89AF6
Subkey 7: 66DC053DD38AC3D8
Subkey 8: 6AE9364943BFEBD4
Subkey 9: 9B68A0655D57921F
Subkey 10: 715CBB22C1BE7BBC
Subkey 11: 63945F2A61B83432
Subkey 12: FDFB1740E6511D41
Subkey 13: 8F29DD0480DEE731
Subkey 14: 7F01A2F739DA6F23
Subkey 15: FE3AD01CD1303E12
Subkey 16: CD0FE0A8AF82592C
Subkey 17: 7DADB2EFC287CE75
Subkey 18: 1302904F2E723385
Subkey 19: 8DCFA981E2C4272F
Subkey 20: 7A9F52E115382BFC
Subkey 21: 42C708E409555E8C
The first several constants are given, enough for up to 10 rounds. Originally, six rounds were proposed for SAFER, but this was increased to 8. The constants are also derived mathematically.
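As an added example (not code from the Compendium), here is the SAFER described above in Python, with the S-box and its inverse generated from 45^i mod 257 rather than transcribed, and the mixing of byte pairs and its inverse as given in the Decryption section. The constants are not transcribed either: byte j of the constant for subkey i is EXP[EXP[9i + j]], which reproduces the list above (the test checks subkeys 2, 3 and 21). The key schedule follows the text literally, including the XOR of the constant, so the block illustrates the structure described here rather than serving as a conformance-tested implementation; the key and block in the test are constructed.

```python
EXP = [0] * 256     # EXP[i] = 45**i mod 257, with the value 256 stored as 0
LOG = [0] * 256     # inverse table: LOG[0] = 128, since EXP[128] = 256 = 0 as a byte
v = 1
for i in range(256):
    EXP[i] = v & 0xFF
    LOG[v & 0xFF] = i
    v = (v * 45) % 257

XOR_POS = (0, 3, 4, 7)            # bytes where a first subkey is XORed in; the others are added
PERM = [0, 2, 4, 6, 1, 3, 5, 7]   # byte order after an interchange: 1 3 5 7 2 4 6 8
INV_PERM = [PERM.index(i) for i in range(8)]

def bias(i, j):
    """Byte j (1..8) of the constant for subkey i (i >= 2)."""
    return EXP[EXP[9 * i + j]]

def subkeys(key, rounds=8):
    """2r + 1 subkeys: the key, then rotate each byte left 3 bits and XOR the constant."""
    reg = list(key)
    ks = [list(reg)]
    for i in range(2, 2 * rounds + 2):
        reg = [((b << 3) | (b >> 5)) & 0xFF for b in reg]
        ks.append([reg[j] ^ bias(i, j + 1) for j in range(8)])
    return ks

def pht(a, b):
    """Mix a byte pair: (2a + b, a + b), keeping only the low eight bits."""
    return (2 * a + b) & 0xFF, (a + b) & 0xFF

def ipht(a, b):
    """Unmix: old first = new first - new second; old second = 2 * new second - new first."""
    return (a - b) & 0xFF, (2 * b - a) & 0xFF

def mix(x):
    """Mixing, interchange, mixing, interchange, mixing."""
    for layer in range(3):
        for j in range(0, 8, 2):
            x[j], x[j + 1] = pht(x[j], x[j + 1])
        if layer < 2:
            x = [x[p] for p in PERM]
    return x

def unmix(x):
    for layer in range(3):
        if layer > 0:
            x = [x[p] for p in INV_PERM]
        for j in range(0, 8, 2):
            x[j], x[j + 1] = ipht(x[j], x[j + 1])
    return x

def safer_encrypt(block, ks):
    x = list(block)
    for r in range((len(ks) - 1) // 2):
        k1, k2 = ks[2 * r], ks[2 * r + 1]
        for j in range(8):
            if j in XOR_POS:   # XOR, regular S-box, then add
                x[j] = (EXP[x[j] ^ k1[j]] + k2[j]) & 0xFF
            else:              # add, inverse S-box, then XOR
                x[j] = LOG[(x[j] + k1[j]) & 0xFF] ^ k2[j]
        x = mix(x)
    k = ks[-1]                 # the extra subkey, applied like a first subkey
    return bytes(x[j] ^ k[j] if j in XOR_POS else (x[j] + k[j]) & 0xFF for j in range(8))

def safer_decrypt(block, ks):
    """Each step undone in reverse order; the subkeys themselves are unchanged."""
    k = ks[-1]
    x = [block[j] ^ k[j] if j in XOR_POS else (block[j] - k[j]) & 0xFF for j in range(8)]
    for r in reversed(range((len(ks) - 1) // 2)):
        x = unmix(x)
        k1, k2 = ks[2 * r], ks[2 * r + 1]
        for j in range(8):
            if j in XOR_POS:
                x[j] = LOG[(x[j] - k2[j]) & 0xFF] ^ k1[j]
            else:
                x[j] = (EXP[x[j] ^ k2[j]] - k1[j]) & 0xFF
    return bytes(x)
```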
SAFER SK
A new version of SAFER, SAFER SK, has a more secure key schedule. The 64-bit key is expanded by one byte, that byte being the XOR of all the previous bytes. For generating the first subkey, that byte is ignored; for the second, where the key would have been used, one instead takes the eight bytes starting with the second byte of the nine-byte expanded key; for the third, start with the third byte, and after the ninth go back to the first; and so on.

SAFER SK-40

A 40-bit version of SAFER-SK also exists, with the starting nine-byte expanded key beginning with bytes 1 to 5 being the 40-bit key, and the remaining bytes being, in order:

byte 1 xor byte 3 xor 129
byte 1 xor byte 4 xor byte 5 xor 66
byte 2 xor byte 3 xor byte 5 xor 36
byte 2 xor byte 4 xor 24
SAFER-128, SAFER SK-128
The 128-bit key schedule, both for SAFER and SAFER-SK, consists of using the first subkey and the other odd subkeys from the sequence generated from the right half of the key, and the second and the other even subkeys from the sequence generated from the left half of the key.
IDEA (International Data Encryption Algorithm)
IDEA, unlike the other block cipher algorithms discussed in this section, is patented by the Swiss firm of Ascom. They have, however, been generous in allowing, with permission, free noncommercial use of their algorithm, with the result that IDEA is best known as the block cipher algorithm used within the popular encryption program PGP.

The IDEA algorithm is interesting in its own right. It includes some steps which, at first, make it appear that it might be a non-invertible hash function instead of a block cipher. Also, it is interesting in that it entirely avoids the use of any lookup tables or S-boxes.

IDEA uses 52 subkeys, each 16 bits long. Two are used during each round proper, and four are used before every round and after the last round. It has eight rounds. The plaintext block in IDEA is divided into four quarters, each 16 bits long.

Three operations are used in IDEA to combine two 16-bit values to produce a 16-bit result: addition, XOR, and multiplication. Addition is normal addition with carries, modulo 65,536. Multiplication, as used in IDEA, requires some explanation. Multiplication by zero always produces zero, and is not invertible. Multiplication modulo n is also not invertible whenever it is by a number which is not relatively prime to n. The way multiplication is used in IDEA, it is necessary that it be always invertible. This is true of multiplication IDEA style.

The number 65,537, which is 2^16+1, is a prime number. (Incidentally, 2^8+1, or 257, is also prime, and so is 2^4+1, or 17, but 2^32+1 is not prime, so IDEA cannot be trivially scaled up to a 128-bit block size.) Thus, if one forms a multiplication table for the numbers from 1 through 65,536, each row and column will contain every number once only, forming a Latin square, and providing an invertible operation. The numbers that 16 bits normally represent are from 0 to 65,535 (or, perhaps even more commonly, from -32,768 to 32,767). In IDEA, for purposes of multiplication, a 16-bit word containing all zeroes is considered to represent the number 65,536; other numbers are represented in conventional unsigned notation, and multiplication is modulo the prime number 65,537.
Description of IDEA
Let the four quarters of the plaintext be called A, B, C, and D, and the 52 subkeys be called K(1) through K(52).

Before round 1, or as the first part of it, the following is done:

Multiply A by K(1).
Add K(2) to B.
Add K(3) to C.
Multiply D by K(4).

Round 1 proper consists of the following:

Calculate A xor C (call it E) and B xor D (call it F).
Multiply E by K(5).
Add the new value of E to F.
Multiply the new value of F by K(6).
Add the result, which is also the new value of F, to E.
Change both A and C by XORing the current value of F with each of them; change both B and D by XORing the current value of E with each of them.
Swap B and C.

Repeat all of this eight times, or seven more times, using K(7) through K(12) the second time, up to K(43) through K(48) the eighth time. Note that the swap of B and C is not performed after round 8.

Then:

Multiply A by K(49).
Add K(50) to B.
Add K(51) to C.
Multiply D by K(52).

The intricacies of IDEA encryption may be made somewhat clearer by examining the following diagrams:
Details:
Overview:
Decryption
How can the round in IDEA be reversed, since all four quarters of the block are changed at the same time, based on a function of all four of their old values? Well, the trick to that is that A xor C isn't changed when both A and C are XORed by the same value; that value cancels out, no matter what it might be. And the same applies to B xor D. And since the values used are functions of (A xor C) and (B xor D), they are still available.

This cross-footed round, rather than a Feistel round, is the most striking distinguishing factor of IDEA, although its use of multiplication, addition, and XOR to avoid the use of S-boxes is also important.

For decryption, the subkeys are modified as follows. Those that are added are replaced by their two's complement. Those that are multiplied in are replaced by their multiplicative inverse, modulo 65,537, in IDEA notation, when used to change blocks directly, but those used to calculate the cross-footed F-functions are not changed. Keys XORed in would not need to be changed, but there aren't any such keys in IDEA.

Due to the placement of the swap, the first four keys for decryption are moved somewhat differently than the other keys used for the same operation between rounds. The decryption key schedule is as follows. The first four subkeys for decryption are:

KD(1) = 1/K(49)
KD(2) = -K(50)
KD(3) = -K(51)
KD(4) = 1/K(52)

and they do not quite follow the same pattern as the remaining subkeys. The following is repeated eight times, adding 6 to every decryption key's index and subtracting 6 from every encryption key's index:

KD(5) = K(47)
KD(6) = K(48)
KD(7) = 1/K(43)
KD(8) = -K(45)
KD(9) = -K(44)
KD(10) = 1/K(46)
Subkey generation
The 128-bit key of IDEA is taken as the first eight subkeys, K(1) through K(8). The next eight subkeys are obtained the same way, after a 25-bit circular left shift, and this is repeated until all encryption subkeys are derived. This method of subkey generation is regular, and this may be a weakness. However, IDEA is considered to be highly secure, having stood up to all forms of attack so far tried by the academic community.
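As an added example (not code from the Compendium), here is the whole of the above in Python: the three operations with the zero-means-65,536 convention, the cross-footed round exactly as the steps are listed, the 25-bit rotation key schedule, and the inverted key schedule. One caveat the pattern above does not spell out: the last four decryption subkeys, KD(49) through KD(52), are taken unswapped as 1/K(1), -K(2), -K(3), 1/K(4), because they undo the key mixing before round 1, which no swap precedes. The key and plaintext in the test are the standard published IDEA test vector, not values from this page.

```python
MASK = 0xFFFF
MOD = 0x10001        # 65,537, prime

def add(a, b):
    return (a + b) & MASK

def mul(a, b):
    """IDEA multiplication: a 16-bit zero stands for 65,536, so every input is invertible."""
    a, b = a or 0x10000, b or 0x10000
    return (a * b % MOD) & MASK      # a result of 65,536 is written back as 0

def mul_inv(a):
    """Inverse of mul (Fermat: a^(p-2) mod p); 0, standing for 65,536 = -1, is its own inverse."""
    return pow(a or 0x10000, MOD - 2, MOD) & MASK

def neg(a):
    """Two's complement: the inverse of add modulo 65,536."""
    return (-a) & MASK

def encrypt_subkeys(key):
    """K(1)..K(52): eight 16-bit words, then a 25-bit circular left shift of the 128-bit key."""
    keys, k = [], key
    while len(keys) < 52:
        keys += [(k >> (112 - 16 * i)) & MASK for i in range(8)]
        k = ((k << 25) | (k >> 103)) & ((1 << 128) - 1)
    return keys[:52]

def decrypt_subkeys(K):
    """KD(1)..KD(52) from the encryption subkeys (K is 0-based: K[i] is K(i+1))."""
    KD = [mul_inv(K[48]), neg(K[49]), neg(K[50]), mul_inv(K[51])]
    for r in range(8):
        t = 42 - 6 * r                               # 0-based index of K(43 - 6r)
        KD += [K[t + 4], K[t + 5]]                   # keys of the cross-footed step, unchanged
        if r < 7:                                    # middle two keys exchanged
            KD += [mul_inv(K[t]), neg(K[t + 2]), neg(K[t + 1]), mul_inv(K[t + 3])]
        else:                                        # undoes the mixing before round 1: no swap
            KD += [mul_inv(K[0]), neg(K[1]), neg(K[2]), mul_inv(K[3])]
    return KD

def idea_block(block, K):
    """Eight rounds plus the final key mixing; the same code serves both directions."""
    A, B, C, D = [(block >> s) & MASK for s in (48, 32, 16, 0)]
    for r in range(8):
        k = K[6 * r:6 * r + 6]
        A, B, C, D = mul(A, k[0]), add(B, k[1]), add(C, k[2]), mul(D, k[3])
        E = mul(A ^ C, k[4])                 # E = (A xor C) * K(5)
        F = mul(add(B ^ D, E), k[5])         # F = ((B xor D) + E) * K(6)
        E = add(E, F)                        # E = E + F
        A, C, B, D = A ^ F, C ^ F, B ^ E, D ^ E
        if r < 7:
            B, C = C, B                      # the swap is omitted after round 8
    A, B, C, D = mul(A, K[48]), add(B, K[49]), add(C, K[50]), mul(D, K[51])
    return (A << 48) | (B << 32) | (C << 16) | D

def idea_encrypt(block, key):
    return idea_block(block, encrypt_subkeys(key))

def idea_decrypt(block, key):
    return idea_block(block, decrypt_subkeys(encrypt_subkeys(key)))
```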
Skipjack
Skipjack, the originally secret algorithm associated with the infamous Clipper chip, was declassified on Tuesday, June 23, 1998, and appeared as a .PDF document at the NIST web site the following morning.

The basic round type of Skipjack forms another alternative, alongside those offered by SAFER and IDEA, to the Feistel round structure seen in DES, LUCIFER and Blowfish, among other block ciphers. In each round, one of the four quarters of the block is subjected to four Feistel rounds on a small scale, and one other quarter is modified by being XORed with the round number and the quarter that went through the mini-Feistel cipher, either before or after that step. No bit transposes are required in Skipjack, making it efficient to implement on a general-purpose computer.

Skipjack has 32 rounds. These rounds are of two types, A and B.

A type A round proceeds as follows: The first quarter of the block (called W1) is enciphered by the "G permutation", which is actually a four-round Feistel cipher. The result, and the round number (where round numbers go from 1 through 32), are XORed with the fourth quarter of the block (W4). Then each quarter of the block is moved to the next position; W1 to W2, W2 to W3, W3 to W4, and W4 back to W1.

A type B round proceeds as follows: The second quarter of the block (W2) is XORed with the round number and the first quarter of the block (W1). Then the first quarter of the block is enciphered by the "G permutation". Again, each quarter of the block is moved to the next position; W1 to W2, W2 to W3, W3 to W4, and W4 back to W1.

The rotation of quarters of the block is not omitted after the last round. The 32 rounds of Skipjack consist of eight type A rounds, eight type B rounds, eight type A rounds, and eight type B rounds. Note that by having a type A round first, and a type B round last, the form of the first quarter on the "inside" is XORed with one of the other quarters in the first and last rounds.
Permutation G is a four-round Feistel cipher, involving dividing its 16-bit input into two 8-bit halves. Like DES, the left half of the block is not changed in each round, but acts as input to the f-function, the output of which is XORed to the right half. Unlike DES, the two halves are swapped after the last round (as the algorithm has only four rounds, all four iterations of the f-function can be illustrated, going alternately from right to left, and then from left to right; in that form, no swaps at all are required).
The f-function of the G permutation is as simple as one might expect for an f-function only 8 bits wide: the input is first XORed with the current round's subkey, and then the result is substituted according to a lookup table, called F. The subkeys for G, each one byte long, are simply four consecutive bytes of the 80-bit key. The first four bytes are used in the first round, the next four bytes in the second, the last two bytes followed by the first two bytes in the third, and so on. The operation of Skipjack may be made clearer by the following diagram:
which illustrates the first 12 rounds of Skipjack. The first round, of type A, is shown with the G function illustrated in full. The next seven rounds, also of type A, are shown with the G function indicated by a box marked with a G. Then the last four of the twelve rounds shown, of type B, are shown the same way. There are dotted lines dividing the rounds in the diagram. Instead of rotating the quarters of the block, the functions move between columns; since the last rotation is not skipped, this illustration will show, if continued to include all 32 rounds, the quarters ending up in their proper places without any final rotation being required.

The S-box of Skipjack, called F, which is the heart of the f-function of the Feistel mini-cipher that is the G permutation, is as follows:

a3 e7 0a 96 39 55 35 97 42 89 70 34 ad 0c 08 5e
d7 2d df 84 b6 b9 d5 fc ed cb 88 4b 04 ef 77 6c
09 4d 02 6b 7b da c0 b2 9e 30 61 1c 23 bc 11 a9
83 8a a0 ba 0f 85 a7 c2 6e 1f 2c 73 9c 72 be 13
f8 ce 17 f2 c1 3f 33 b0 49 8d 9f d1 14 75 92 57
48 4c f1 63 93 41 06 fe 3c c6 0d c4 51 6f 4f 25
f6 ca 60 9a 81 bf 65 db cd 8f 2b fd 22 37 24 b5
f4 2e 68 19 1b e0 69 20 43 aa 87 3b f0 a1 c5 e3
b3 52 12 7c ee 5a 45 e1 27 c8 50 cc 29 ec 32 bd
21 95 b7 ae b4 58 00 eb d2 74 82 fb 79 d3 36 a8
15 d9 7a e5 1a 80 94 d6 07 dc 54 7f 71 8e 9d 3a
78 1e c3 f5 ea 5f 56 e4 d4 c9 64 ab 7e 62 cf 01
99 4e e9 f7 d0 66 6d dd de 5d 26 e6 ff 8b f3 05
b1 38 fa 16 91 0b 98 47 c7 5c 7d 3e 8c 86 a6 59
af 44 3d 6a 2f d8 9b 4a 67 31 03 5b 0e 10 bb 2a
f9 28 53 a2 b8 90 76 1d 18 a4 40 a5 e2 e8 ac 46
or, in decimal form,

163 231 10 150 57 85 53 151 66 137 112 52 173 12 8 94
215 45 223 132 182 185 213 252 237 203 136 75 4 239 119 108
9 77 2 107 123 218 192 178 158 48 97 28 35 188 17 169
131 138 160 186 15 133 167 194 110 31 44 115 156 114 190 19
248 206 23 242 193 63 51 176 73 141 159 209 20 117 146 87
72 76 241 99 147 65 6 254 60 198 13 196 81 111 79 37
246 202 96 154 129 191 101 219 205 143 43 253 34 55 36 181
244 46 104 25 27 224 105 32 67 170 135 59 240 161 197 227
179 82 18 124 238 90 69 225 39 200 80 204 41 236 50 189
33 149 183 174 180 88 0 235 210 116 130 251 121 211 54 168
21 217 122 229 26 128 148 214 7 220 84 127 113 142 157 58
120 30 195 245 234 95 86 228 212 201 100 171 126 98 207 1
153 78 233 247 208 102 109 221 222 93 38 230 255 139 243 5
177 56 250 22 145 11 152 71 199 92 125 62 140 134 166 89
175 68 61 106 47 216 155 74 103 49 3 91 14 16 187 42
249 40 83 162 184 144 118 29 24 164 64 165 226 232 172 70
This was double-checked by looking at the inverse of this S-box, generated by the same program that converted what I typed from hexadecimal to decimal, as the S-box is a straight permutation of the numbers from 0 to 255. In the original document in its electronic form, lowercase c and e are sometimes difficult to distinguish.
For decipherment, each round is replaced by a corresponding deciphering round, and these rounds are, of course, executed in the reverse of the enciphering order.

The deciphering equivalent of a type A round is as follows: The first quarter, W1, is XORed with W2 and the round number (rounds now counting down from 32 to 1). Then the second quarter, W2, is subjected to the inverse of the G permutation. Then, each quarter is moved to the position of the preceding one; W1 to W4, W2 to W1, W3 to W2, and W4 to W3.

The deciphering equivalent of a type B round is the following: The second quarter, W2, is subjected to the inverse of the G permutation. The third quarter, W3, is then XORed with the round number and the changed value of W2. Again, each quarter is moved to the position of the preceding one; W1 to W4, W2 to W1, W3 to W2, and W4 to W3.

The deciphering equivalent of the G permutation involves using the four subkeys in reverse order, and reversing the roles of the right and left halves of the 16-bit quarter block.
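The round structure, G permutation and deciphering rounds described above, as an added example (not the NIST reference code). The F table is transcribed in the order this page lists it, so no claim is made that this reproduces the published test vectors; what is checked is the page's own claim that F is a permutation of 0 to 255, that the inverse G undoes G, and that the deciphering rounds recover a constructed plaintext under a constructed key.

```python
# Skipjack as described above, as an added example (not the NIST reference
# code).  F is transcribed in the order this page lists it; the page's claim
# that it is a permutation of 0..255 is checked rather than assumed.
F = bytes.fromhex(
    "a3 e7 0a 96 39 55 35 97 42 89 70 34 ad 0c 08 5e "
    "d7 2d df 84 b6 b9 d5 fc ed cb 88 4b 04 ef 77 6c "
    "09 4d 02 6b 7b da c0 b2 9e 30 61 1c 23 bc 11 a9 "
    "83 8a a0 ba 0f 85 a7 c2 6e 1f 2c 73 9c 72 be 13 "
    "f8 ce 17 f2 c1 3f 33 b0 49 8d 9f d1 14 75 92 57 "
    "48 4c f1 63 93 41 06 fe 3c c6 0d c4 51 6f 4f 25 "
    "f6 ca 60 9a 81 bf 65 db cd 8f 2b fd 22 37 24 b5 "
    "f4 2e 68 19 1b e0 69 20 43 aa 87 3b f0 a1 c5 e3 "
    "b3 52 12 7c ee 5a 45 e1 27 c8 50 cc 29 ec 32 bd "
    "21 95 b7 ae b4 58 00 eb d2 74 82 fb 79 d3 36 a8 "
    "15 d9 7a e5 1a 80 94 d6 07 dc 54 7f 71 8e 9d 3a "
    "78 1e c3 f5 ea 5f 56 e4 d4 c9 64 ab 7e 62 cf 01 "
    "99 4e e9 f7 d0 66 6d dd de 5d 26 e6 ff 8b f3 05 "
    "b1 38 fa 16 91 0b 98 47 c7 5c 7d 3e 8c 86 a6 59 "
    "af 44 3d 6a 2f d8 9b 4a 67 31 03 5b 0e 10 bb 2a "
    "f9 28 53 a2 b8 90 76 1d 18 a4 40 a5 e2 e8 ac 46"
)

def g(w, key, step):
    """The G permutation: four 8-bit Feistel rounds on the 16-bit word w.
    Feistel round j uses key byte 4*step + j (mod 10), so Skipjack round 1
    uses key bytes 0-3, round 2 bytes 4-7, round 3 bytes 8, 9, 0, 1, and so on."""
    g1, g2 = w >> 8, w & 0xFF
    for j in range(4):
        g1, g2 = g2, F[g2 ^ key[(4 * step + j) % 10]] ^ g1
    return (g1 << 8) | g2

def g_inverse(w, key, step):
    """Inverse of g(): same subkeys in reverse order, roles of the halves swapped."""
    g1, g2 = w >> 8, w & 0xFF
    for j in (3, 2, 1, 0):
        g1, g2 = F[g1 ^ key[(4 * step + j) % 10]] ^ g2, g1
    return (g1 << 8) | g2

def is_type_a(r):
    """Rounds 1-8 and 17-24 are type A, rounds 9-16 and 25-32 type B."""
    return ((r - 1) // 8) % 2 == 0

def _words(block):
    return [int.from_bytes(block[i:i + 2], "big") for i in range(0, 8, 2)]

def _block(words):
    return b"".join(w.to_bytes(2, "big") for w in words)

def encrypt(block, key):
    """32 rounds; the round number r (1..32) is XORed in as described."""
    w1, w2, w3, w4 = _words(block)
    for r in range(1, 33):
        gw = g(w1, key, r - 1)
        if is_type_a(r):   # G(W1) and r into W4, then rotate W1->W2->W3->W4->W1
            w1, w2, w3, w4 = gw ^ w4 ^ r, gw, w2, w3
        else:              # W1 and r into W2, G on W1, then the same rotation
            w1, w2, w3, w4 = w4, gw, w1 ^ w2 ^ r, w3
    return _block((w1, w2, w3, w4))

def decrypt(block, key):
    """Deciphering rounds in reverse order, counting the round number down."""
    w1, w2, w3, w4 = _words(block)
    for r in range(32, 0, -1):
        gi = g_inverse(w2, key, r - 1)
        if is_type_a(r):   # W1 ^= W2 ^ r, inverse G on W2, rotate back
            w1, w2, w3, w4 = gi, w3, w4, w1 ^ w2 ^ r
        else:              # inverse G on W2, W3 ^= r ^ new W2, rotate back
            w1, w2, w3, w4 = gi, w3 ^ gi ^ r, w4, w1
    return _block((w1, w2, w3, w4))

if __name__ == "__main__":
    key = bytes(range(10))                    # constructed 80-bit key
    pt = bytes.fromhex("0123456789abcdef")    # constructed block
    assert decrypt(encrypt(pt, key), key) == pt
```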
Comments
SKIPJACK was declassified in order to facilitate finding private companies to manufacture devices using that algorithm for use by the U.S. Government. Some people have called attention to the fact that only a short time previously, government spokespersons were saying that the disclosure of that algorithm would harm national security. However, I have noted that the inconsistency involved may be more apparent than real. Between the statements cited, and the declassification of SKIPJACK, a paper was published by an academic researcher noting that Feistel ciphers of a particular type, specifically those in which the f-function was itself a series of Feistel rounds, could be proven to be immune to differential cryptanalysis. SKIPJACK, although not precisely of that type, is closely related: one of the four sub-blocks undergoes Feistel rounds, but in addition to the result being used, as an f-function output, on another sub-block, the sub-block is also retained in its modified state.

Also, note that SKIPJACK consists of eight type A rounds followed by eight type B rounds, twice, instead of sixteen type A rounds and then sixteen type B rounds. Since the type A rounds are appropriate for the beginning of the cipher, and the type B rounds are appropriate for its end, it might seem at first that this weakened the cipher. However, the boomerang attack, which was discovered after the declassification of SKIPJACK, allows differential cryptanalysis to be done independently on the first and last half of a block cipher; thus, if SKIPJACK were composed of two halves, each with one type of round, it could have been attacked as if it consisted of only a single type of round.

It may also be noted that a recent book, Top Secret Intranet, reveals that SKIPJACK was considered adequate to safeguard information classified SECRET but not information classified TOP SECRET. This appears to refer to early 1999, and may still be the case as of this writing (May 1999).

Also, note that SKIPJACK has an 80-bit key, the key-length limit for exportable ciphers is 40 bits, and some suppliers of encryption equipment to the U.S. government have advertised that their equipment provides a 120-bit key or a 160-bit key. This may be because 40 is a multiple of both 8 and 10, and 2^10 equals 1024, which is just over 1000. Thus every 40 bits in a key can have just over a trillion possible values, making it easy to express the number of possible keys in decimal terms. One notes that the key consists of 10 bytes, which is a number of the form 4n+2. While it might not increase the security of SKIPJACK to do so, if there are no subtle traps in the structure of SKIPJACK, which appears to have a simple and uniform structure, it might be possible to use a key composed of the next such number of bytes with it: 14 bytes. That is an interesting possibility, because such a key would be a 112-bit key, exactly twice as long as the key used in DES.
Blowfish
Blowfish was developed by author and computer security and cryptography consultant Bruce Schneier. Blowfish is a cipher based on Feistel rounds, and the design of the f-function used amounts to a simplification of the principles used in DES to provide the same security with greater speed and efficiency in software. The block ciphers Khafre and CAST have somewhat similar rounds. The main claim to fame of Blowfish, however, is in its method of key scheduling. The round keys, and the entire contents of all the S-boxes, are created by multiple iterations of the block cipher. This enhances the security of the block cipher, since it makes exhaustive search of the keyspace very difficult, even for short keys.
Description of Blowfish
Unlike DES, Blowfish applies the f-function to the left half of the block, obtaining a result XORed to the right half of the block. Originally, I had said that this departure from convention may cause confusion in reading the description of Blowfish. However, upon further reflection, I think that it is really DES that is creating confusion; the time sequence of events should move from left to right (particularly in a design that is otherwise big-endian); this is generally what happens in more recent designs, such as the AES candidates, and particularly in ciphers with unbalanced Feistel rounds.

Blowfish consists of sixteen rounds. For each round, first XOR the left half of the block with the subkey for that round. Then apply the f-function to the left half of the block, and XOR the right half of the block with the result. Finally, after all but the last round, swap the halves of the block. There is only one subkey for each round; the f-function consumes no subkeys, but uses S-boxes which are key dependent. After the last round, XOR the right half with subkey 17, and the left half with subkey 18.
The ffunction
Blowfish uses four S-boxes. Each one has 256 entries, and each entry is 32 bits long. To calculate the f-function: use the first byte of the 32 bits of input to find an entry in the first S-box, the second byte to find an entry in the second S-box, and so on. The value of the f-function is ((S1(B1) + S2(B2)) XOR S3(B3)) + S4(B4), where addition is performed modulo 2^32.
Decryption
Decryption is the same as encryption, with the 18 subkeys used in reverse order. At first, this seems unbelievable (although not quite as bad as understanding decryption of IDEA), because there are two XOR operations following the last use of the f-function, and only one preceding the first use of the f-function. However, consider modifying the algorithm so that the XOR of each of subkeys 2 through 17 takes place before the output of the f-function is XORed to the right half of the block in the preceding round. The subkey is still applied to the same data (which, since the XOR has been moved before a swap of the halves, is now on the right half of the block), so nothing has actually changed: the same information is XORed into the left half of the block between each of its uses as input to the f-function. In fact, you can even move the XOR still earlier, before the preceding swap of block halves. Once you do that, you have the exact reverse of the decryption sequence.
Subkey generation
Begin by initializing subkeys 1 through 18, followed by elements zero through 255 of the first S-box, then elements zero through 255 of the second S-box, all the way to element 255 of the fourth S-box, with the fractional part of pi. The most significant bit of the fractional part of pi becomes the most significant bit of the first subkey. Then, take the key, which may be of any length up to 72 bytes, and, repeating it as often as necessary to span the entire array of 18 subkeys, XOR it with the subkey array contents. Then execute the Blowfish algorithm repeatedly, with an initial input of a 64-bit block of all zeroes as plaintext input. After each execution, replace part of the subkeys or S-boxes with the successive outputs of Blowfish, in the same order as the digits of pi in binary (or hexadecimal) form were placed in them; after the first iteration, replace subkeys 1 and 2; after the tenth iteration, replace the first two entries (0 and 1) in S-box 1; and so on. For each iteration of Blowfish in key generation, also use the output of the preceding iteration as input. (The original description of Blowfish in the April 1994 issue of Dr. Dobb's Journal could be interpreted to imply that zero should be used as input for every iteration. As the later iterations only change individual S-box entries, this could lead to large stretches of identical data in the S-boxes, and is thus a misreading of the directions, not a slightly different original form of the algorithm.) Thus, loading Blowfish with a new key takes as much time as encrypting 521 blocks ((256*4+18)/2) in Blowfish. This gives Blowfish an extra 9 bits of security against a brute-force search for keys shorter than maximum length, which makes the 32-bit, instead of 40-bit, limit for export versions of Blowfish reported by one individual just about exactly right. (Seems you just can't fool the NSA.)
QUADIBLOC (QUick And Dirty Implementable BLOck Cipher)
QUADIBLOC is a little block cipher that I developed myself. It was designed to be very easy to implement, so that any obstacles to the distribution of program source would not be too great an inconvenience for people using it. It uses a modified Feistel round; when the left-hand half is modified by the f-function of the right-hand half, instead of merely performing an XOR, the left-hand half first goes through an S-box, then is XORed with the f-function output, and then goes through an S-box again. The main security feature of QUADIBLOC that is of interest is that the f-function is iterated twice, thus accelerating the propagation of changes in the plaintext block through the entire ciphertext block. I claim trademark rights to the terms QUADIBLOC, QUADIBLOC80, QUADIBLOC64, QUADIBLOC40, QUADIBLOC320, QUADIBLOC640, QUADIBLOC 96, QUADIBLOC 99, QUADIBLOC SE, QUADIBLOC320SE, Quadibloc II, Quadibloc III, Quadibloc III SC, Quadibloc III MD, Quadibloc III SD, Quadibloc IV, Quadibloc V, Quadibloc VI, Quadibloc VII, Quadibloc VIII, Quadibloc IX, Quadibloc X, and Quadibloc S, but except for requiring that these terms be used only to designate the block ciphers described here, as they are described, the QUADIBLOC block ciphers are freely available for anyone to use, although I do not warrant them as free from patent problems.
Description of QUADIBLOC
    Euler's Constant and the QUADIBLOC S-boxes
Variants with different key sizes
The QUADIBLOC FAQ (includes funny stuff)
Key Augmentation
Quadibloc II
Quadibloc III
Quadibloc IV
Quadibloc V
Quadibloc VI
Quadibloc S
Quadibloc VII
Quadibloc VIII
    The Standard Rounds
    The Mixing and Whitening Phase
    The Key Schedule
    The Rationale of the Design
Quadibloc IX
Quadibloc X
Description of QUADIBLOC
The intent of the following proposed block cipher is to provide a cipher which is at least as secure as DES, and possibly somewhat more secure, which is reasonably efficient when implemented in software, and is furthermore easy to implement. Changes required for QUADIBLOC 99, which corrects known weaknesses in the original QUADIBLOC (QUADIBLOC 96), are indicated in highlighted boxes (in the text below, these are the sentences beginning "In QUADIBLOC 99"). Two S-boxes, taking 8 binary inputs uniquely to 8 binary outputs, are used, as well as the inverse of the second S-box. The S-boxes are constructed from Euler's constant (.57721...) as follows: start with an array, A, such that A(0) is 0, A(1) is 1, up to A(255) which is 255. Place Euler's constant to sufficient precision in ACC. Number of choices starts at 256, and is decreased by 1 for each iteration; element to choose starts at 0, and increases by 1 for each iteration. The iteration where Number of choices is 2 is the last iteration. During each iteration, multiply ACC by Number of choices. Leave the fractional part of the result in ACC; swap A( Number of choices ) and A( Number of choices + the integer part of the result ). This generates S-box 1; repeat the procedure with the contents remaining in ACC to obtain S-box 2. (ACC must be long enough to hold Euler's constant to sufficient precision to support both applications of the procedure.) The S-boxes are given on the page entitled Euler's Constant and the Quadibloc S-boxes. In QUADIBLOC 99, a third S-box, generated by continuing the process, is also used.
In addition, the following 4 of 8 code for the numbers 0 to 63 is used during subkey generation: given the 6 bits abcdef, in the output word, let a lowercase letter such as c stand for 01 if the bit c is 0, or 10 if the bit c is 1, and let a doubled uppercase letter such as DD stand for 0011 if the bit d is 0, or 1100 if the bit d is 1 (where a doubled letter is written split, as in DefD, its two halves occupy the positions shown); then:

00cdef becomes cdef
010def becomes DDef
011def becomes deFF
100def becomes dEEf
101def becomes DefD
110def becomes DeDf
111def becomes dEfE
or, giving the 64 equivalents in hex (four to a line: each line holds the codes for n, n+16, n+32 and n+48, for n from 0 to 15):

55 35 4D 1D
56 36 4E 1E
59 39 71 2D
5A 3A 72 2E
65 C5 8D D1
66 C6 8E D2
69 C9 B1 E1
6A CA B2 E2
95 53 17 47
96 5C 1B 4B
99 63 27 74
9A 6C 2B 78
A5 93 D4 87
A6 9C D8 8B
A9 A3 E4 B4
AA AC E8 B8
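The 4 of 8 code as an added example (not the author's code), implementing the seven rules above and checking them against the page's own table of 64 codes; it also applies the code to a 48-bit value as the subkey generation does, giving a 64-bit value with exactly 32 one bits.

```python
# The 4-of-8 code used in QUADIBLOC subkey generation, as an added example
# (not the author's code).  Each 6-bit value becomes a byte with exactly four
# 1 bits; PAGE_TABLE is the page's own list of the 64 codes.
PAGE_TABLE = bytes.fromhex(
    "55 35 4D 1D 56 36 4E 1E 59 39 71 2D 5A 3A 72 2E "
    "65 C5 8D D1 66 C6 8E D2 69 C9 B1 E1 6A CA B2 E2 "
    "95 53 17 47 96 5C 1B 4B 99 63 27 74 9A 6C 2B 78 "
    "A5 93 D4 87 A6 9C D8 8B A9 A3 E4 B4 AA AC E8 B8"
)

def _two(bit):      # lowercase letter: 01 for a 0 bit, 10 for a 1 bit
    return 0b10 if bit else 0b01

def _four(bit):     # doubled uppercase letter: 0011 for a 0 bit, 1100 for a 1 bit
    return 0b1100 if bit else 0b0011

def _split(bit):    # a doubled letter written split: (00, 11) for 0, (11, 00) for 1
    return (0b11, 0b00) if bit else (0b00, 0b11)

def code_4of8(n):
    """Map the 6-bit value abcdef (n in 0..63) to its 8-bit code."""
    a, b, c, d, e, f = ((n >> s) & 1 for s in (5, 4, 3, 2, 1, 0))
    high = (a << 2) | (b << 1) | c
    d1, d2 = _split(d)
    e1, e2 = _split(e)
    if high in (0, 1):                                   # 00cdef -> cdef
        return (_two(c) << 6) | (_two(d) << 4) | (_two(e) << 2) | _two(f)
    if high == 2:                                        # 010def -> DDef
        return (_four(d) << 4) | (_two(e) << 2) | _two(f)
    if high == 3:                                        # 011def -> deFF
        return (_two(d) << 6) | (_two(e) << 4) | _four(f)
    if high == 4:                                        # 100def -> dEEf
        return (_two(d) << 6) | (_four(e) << 2) | _two(f)
    if high == 5:                                        # 101def -> DefD
        return (d1 << 6) | (_two(e) << 4) | (_two(f) << 2) | d2
    if high == 6:                                        # 110def -> DeDf
        return (d1 << 6) | (_two(e) << 4) | (d2 << 2) | _two(f)
    return (_two(d) << 6) | (e1 << 4) | (_two(f) << 2) | e2   # 111def -> dEfE

def table_lookup(n):
    """The page prints the codes four to a group: group n % 16 holds the codes
    for n, n + 16, n + 32 and n + 48, in that order."""
    return PAGE_TABLE[4 * (n % 16) + n // 16]

def expand_48_to_64(x48):
    """Apply the code to each of the eight 6-bit groups of a 48-bit value,
    most significant group first: the 64-bit result always has exactly 32 one
    bits, which is the page's stated purpose (preventing weak keys)."""
    out = 0
    for i in range(8):
        out = (out << 8) | code_4of8((x48 >> (42 - 6 * i)) & 0x3F)
    return out

if __name__ == "__main__":
    assert all(code_4of8(n) == table_lookup(n) for n in range(64))
    print(hex(expand_48_to_64(0x123456789ABC)))
```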
The cipher is an iterative block cipher, with 16 rounds and 48 subkeys, and uses Feistel rounds: half the block is used to encipher the other half in each round. It operates on a 64-bit block, and has a 160-bit key. Initially, the first 4 bytes of data to encrypt are taken as the left half, and the last 4 bytes are taken as the right half.
Each round proceeds as follows:
A copy of the right half, which will actually be unchanged by this round, is taken.
What follows describes the f-function:
The copy is XORed with the round's first subkey (subkey 1 for round 1, subkey 4 for round 2, and so on to subkey 46 for round 16). Then, each byte is replaced by its substitute in S-box 1. In QUADIBLOC 99, the fourth byte is instead replaced by its substitute in S-box 2. The bits of the result, considered to be numbered from 1 (most significant bit of the first, leftmost byte) to 32 (least significant bit of the last, rightmost byte) following the pattern in DES, are to be transposed to lie in the following positions:
1 2 27 28 21 22 15 16
9 10 3 4 29 30 23 24
17 18 11 12 5 6 31 32
25 26 19 20 13 14 7 8

Note that this arrangement possesses a great deal of symmetry: only ONE version of S-box 1, with 256 32-bit entries, is needed to perform both the S-box substitution and the subsequent permutation in a single step, for efficiency on a computer without hardware instructions for bit transposition. And, since no bits change their position within a byte, a slower implementation, using S-box 1 with single-byte entries and doing the transposition using masking, is also possible. In QUADIBLOC 99, the symmetry of the bit transposition remains, but one expanded version of S-box S2 is also required.

The 32 transposed bits are now XORed with the round's second subkey. In QUADIBLOC 99, the value generated at this point is also retained, and is called the intermediate result of the f-function. Each byte of the result is again replaced by its substitute in S-box 1, and the bits of the result are transposed as before. In QUADIBLOC 99, in the second part of the f-function, the second and third bytes are instead replaced by their substitutes in S-box 2. The result is XORed with the round's third subkey. This produces the output of the f-function.
Applying the f-function output to alter the left half of the block:
In a QUADIBLOC 99 type A round, the first (leftmost) half of the intermediate result of the f-function is used to control an ICE-style swap of bits between the halves of the left half of the block at this time: each bit in that 16-bit quantity which is 1 indicates that the corresponding bits in the two halves of the 32-bit left half of the block are to be swapped.

Each byte of the left half is replaced by its substitute in S-box 2. In QUADIBLOC 99, S-box 3 is used for this purpose.

In a QUADIBLOC 99 type B round, the first (leftmost) half of the intermediate result of the f-function is used to control an ICE-style swap of bits between the halves of the left half of the block at this time: each bit in that 16-bit quantity which is 1 indicates that the corresponding bits in the two halves of the 32-bit left half of the block are to be swapped.

The result is XORed with the result of the f-function applied to the right half.

In a QUADIBLOC 99 type B round, first the second and third bytes of the left half of the block are swapped, and then the second (rightmost) half of the intermediate result of the f-function is used to control another ICE-style swap of bits between the halves of the left half of the block: each bit in that 16-bit quantity which is 1 indicates that the corresponding bits in the two halves of the 32-bit left half of the block are to be swapped.

Each byte of the result is replaced by its substitute in S-box 2. In QUADIBLOC 99, S-box 3 is used for this purpose.

In a QUADIBLOC 99 type A round, first the second and third bytes of the left half of the block are swapped, and then the second (rightmost) half of the intermediate result of the f-function is used to control another ICE-style swap of bits between the halves of the left half of the block: each bit in that 16-bit quantity which is 1 indicates that the corresponding bits in the two halves of the 32-bit left half of the block are to be swapped.
The sequence of rounds:
In QUADIBLOC 99, the type A and type B rounds alternate as follows:

Round: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
Type:  A A B B A A B B B B  A  A  B  B  A  A
Except for the four middle rounds, this ensures that the ICE-style bit transpositions alternate with the byte substitutions using S-box 3.
The swap:
After every round except round 8 and round 16:
the left half for the next round is the unchanged right half from the previous round; the right half for the next round is the modified left half, after the XOR and the two substitutions, subjected to a circular left shift of 8 bits (which can be carried out by moving whole bytes, of course).

In QUADIBLOC 99, the swap is performed in all rounds except round 16 only. The bit transpose after round 8 is removed as not having as much effectiveness as was hoped for, and instead the ICE-style bit swap is added to every round. The circular left shift of 8 bits is no longer part of the swap, and is replaced by the exchange of two bytes preceding the last bit swap.

After round 8: Each byte of the right half is replaced by its substitute in S-box 2. Subject the bits of the block, numbered from 1 to 64, from left to right, to the following (reciprocal) bit transpose:

1 34 11 44 21 54 31 64
17 50 27 60 5 38 15 48
33 2 43 12 53 22 63 32
49 18 59 28 32 6 47 16
9 25 41 57 42 3 36 58
19 52 10 35 4 26 51 20
29 13 61 45 62 23 56 46
7 40 30 55 24 14 39 8
Each byte of the right half of the result is replaced by its substitute in S-box 2. As previously mentioned, this operation is completely omitted from QUADIBLOC 99, and a simple swapping of halves takes place instead.

After round 16: Nothing happens: the result at that point, without further swapping, is the output of the cipher.

The following diagram illustrates what happens during a normal round of QUADIBLOC 96 (from 1 to 7, or 9 to 15), to help make the description clearer:
And these are the corresponding diagrams for QUADIBLOC 99: For a type A round:
For a type B round:
Some comments at this stage:
Using a 'double' f-function means: a) every bit of the f-function output depends on every bit of the right half of the block, thus making propagation very rapid, and b) the first half of the f-function can be thought of as substituting for the absence of an expansion permutation and auxiliary S-box inputs as found in DES.

Decipherment is the same as encipherment, except:

a) S-box 2 is replaced by the inverse of S-box 2 (S-box 1 is unchanged). In QUADIBLOC 99, for decipherment, S-box 3 is replaced by its inverse, and S-boxes 1 and 2 are unchanged.

b) after every round except rounds 8 and 16, the modified left half from one round becomes the right half for the next, and the unmodified right half receives a right circular shift of 8 bits before becoming the left half for the next round. In QUADIBLOC 99, the swap of the second and third bytes in the left half of the block is changed to take place after the first ICE-style swap and before the first use of S-box 3. Also, now the ICE-style swap that occurs first uses the second (rightmost) half of the intermediate result of the f-function as input, and the ICE-style swap that occurs second uses the first (leftmost) half of the intermediate result of the f-function as input.

c) the 16 groups of three subkeys for the 16 rounds are used in reverse order, but the three subkeys within each group are still used in the same order.

The bit transpose with partial substitution between rounds 8 and 9 is intended to create a 'wall' between the first 8 and the last 8 rounds that will make the cipher much harder to analyze and solve. The bit transpose has been removed since the boomerang attack has cast some doubts on its efficacy.
Subkey generation:
The 160-bit key shall be expanded to 176 bits by applying the 4 of 8 bit code specified above to each group of 6 bits in the last 48 bits of the key, thus expanding these 48 bits to 64 bits. (This is done to prevent weak keys.) In QUADIBLOC 99, the last 64 bits of the 160-bit key shall be used, reduced to 48 bits by ignoring the most significant two bits of each byte, as input to the 4 of 8 bit code. This avoids having to perform unnecessary shift operations. Then, the 160-bit key will be expanded to the following: the first 96 bits of the original 160-bit key, the 64 bits generated from the 4 of 8 code, and the last 64 bits of the original 160-bit key XOR the first 64 bits of the original 160-bit key (so that the expanded key does not contain both the original form, and the 4 of 8 encoding, of the same bits), to produce an expanded key that is 224 bits long. The first 128 bits of the result shall be divided into four 32-bit blocks, which shall be called, from left to right, P, Q, R, and S. The subkeys shall be generated for the 16 encipherment rounds in order. P, Q, and R will be taken as the three subkeys for the current round, subject to an XOR to be subsequently described.
Then, P, Q, and R shall be shifted left n bits, and S shall be shifted left 3n bits, with the first n bits of P, then the first n bits of Q, then the first n bits of R being shifted into S, while the bits shifted out of S into P, Q, and R will alternate, one bit at a time, into these three registers/locations. Thus, when n is 6, we have:

Before:
P) P1 P2 ... P32
Q) Q1 Q2 ... Q32
R) R1 R2 ... R32
S) S1 S2 ... S32

and after:
P) P7 P8 ... P32 S1 S4 S7 S10 S13 S16
Q) Q7 Q8 ... Q32 S2 S5 S8 S11 S14 S17
R) R7 R8 ... R32 S3 S6 S9 S12 S15 S18
S) S19 S20 ... S32 P1 P2 ... P6 Q1 Q2 ... Q6 R1 R2 ... R6
The value of n to use for each round in turn shall be 5, 7, 7, 5, 6, 7, 8, 6, 5, 7, 7, 5, 5, 7, 7, 5.
Each of the 48 subkeys thus generated will now be XORed with the leftmost 32 bits of T, where T begins as the last 48 bits of the expanded key, and is given a right circular shift of 17 bits after each use. In QUADIBLOC 99, a right circular shift of 11 bits will be used after generating all but the last of the 27 subkeys used by the first nine rounds, and then a right circular shift of 17 bits will be used afterwards. Since the expanded key is 224 bits long, rather than 176 bits long, T will be 96 bits long and will initially contain the last 96 bits of the expanded key.
Euler's Constant and the Quadibloc SBoxes
The initial values of the subkeys and S-boxes in Blowfish are based on pi. To dispel worries about S-boxes with a designed-in weakness in my amateur designs, I have chosen a standard mathematical constant as their source. The constant I am using is Euler's constant, sometimes called the Euler-Mascheroni constant, also known as gamma. Its value is .57721 56649 01532 86060 65120 90082... Euler's constant is defined as the limit, as n tends to infinity, of the sum of 1 + 1/2 + 1/3 + ... up to 1/n, minus the natural logarithm of n, normally written:

$$\gamma = \lim_{n \to \infty} \left( \sum_{i=1}^{n} \frac{1}{i} - \ln(n) \right)$$

Since

$$\int_1^n \frac{1}{x}\,dx = \ln(n),$$

that is, the integral from 1 to n of 1/x with respect to x is the natural logarithm of n, the following diagram illustrates what Euler's constant is in graphical form:
Allowing the graph to continue on indefinitely to the right, the boxes shown which are divided into green and gray areas have a total overall area of 1. (Note that the vertical scale in the graph is exaggerated compared to the horizontal scale for clarity.) Euler's constant, .57721 56649... is the total of the areas of the gray parts of the boxes. Because only scaling makes the shape of the graph of 1/x from 1 to 2 different from the graph of 1/x from 2 to 4, or the graph of 1/x from 4 to 8, the following diagram:
illustrates a way in which it is possible to derive a formula for Euler's constant that would only involve calculating the natural logarithm of 2. Each interval from 2^i to 2^(i+1), scaled to fit over the interval from 1 to 2, contributes the gray area of that first interval, 1 - ln(2), less the staircase of differences between the box of height 1 and the boxes of height 2^i/j. This formula is:

$$\gamma = (1 - \ln 2) + \sum_{i=1}^{\infty} \left( (1 - \ln 2) - \sum_{j=2^i}^{2^{i+1}-1} \left( \frac{1}{2^i} - \frac{1}{j} \right) \right)$$

By superimposing the areas from 1 to 2, from 2 to 4, and 4 to 8 after adjusting them to fit, one sees that another series for Euler's constant, not involving any logarithms, is possible, as it is (1/2 - 1/3) + 2 * ((1/4 - 1/5) + (1/6 - 1/7)) + 3 * ((1/8 - 1/9) + (1/10 - 1/11) + (1/12 - 1/13) + (1/14 - 1/15)) + ..., or, in other words:

$$\gamma = \sum_{i=1}^{\infty} i \sum_{j=2^i}^{2^{i+1}-1} \frac{(-1)^{j}}{j}$$

Euler's constant is more difficult to calculate than the square root of 2, e, or pi, and it is less well understood. Mathematicians have not yet proven which of rational, algebraic, or transcendental it is.

The S-boxes constructed from Euler's constant (.57721 56649...) for use in the Quadibloc series of block ciphers are derived as follows: start with an array, A, such that A(0) is 0, A(1) is 1, up to A(255) which is 255. Place Euler's constant to sufficient precision in ACC. Number of choices starts at 256, and is decreased by 1 for each iteration; element to choose starts at 0, and increases by 1 for each iteration. The iteration where Number of choices is 2 is the last iteration. During each iteration, multiply ACC by Number of choices. Leave the fractional part of the result in ACC; swap A( Number of choices ) and A( Number of choices + the integer part of the result ). This generates S-box 1; repeat the procedure with the contents remaining in ACC to obtain S-box 2. (ACC must be long enough to hold Euler's constant to sufficient precision to support both applications of the procedure.)
A BASIC program to generate these S-boxes is given here. And this BASIC program produced the DATA statements it required from a file containing the value of Euler's constant. Here are the S-boxes thus produced. S-boxes 1 through 4 are used in several of the ciphers in the Quadibloc series. S-boxes 5 and 6 are combined into one S-box with 512 entries, called S5, in Quadibloc II and III, and similarly S-boxes 7 and 8 become S6 and S-boxes 9 and 10 become S7. S-box 11 is used under the name S9 in Quadibloc III.

S-box 1 is:

147 192 122 50 48 167 0 134 168 187 76 4 70 91 20 233
106 54 111 251 119 57 154 87 34 216 179 252 191 199 85 249
196 207 94 135 126 46 204 171 209 214 38 95 96 102 136 213
208 190 219 226 78 21 25 26 163 31 80 170 189 117 160 155
164 17 60 133 125 228 212 72 238 145 7 217 13 61 33 47
2 243 49 239 146 15 29 37 206 159 218 174 116 121 235 184
55 58 10 186 12 74 254 151 43 231 79 127 131 241 56 11
140 253 220 180 123 234 139 248 44 62 66 8 3 89 109 185
9 52 153 183 137 201 97 169 83 172 156 152 41 22 93 16
230 181 143 98 88 150 114 75 69 27 129 200 67 157 158 63
6 112 245 1 104 5 65 19 84 210 100 198 39 73 108 188
82 255 142 130 45 40 59 86 173 244 148 124 242 42 178 149
90 227 195 177 105 68 14 211 53 36 222 32 250 247 193 224
166 138 161 107 120 64 144 202 81 30 225 18 229 51 176 110
236 221 194 132 77 165 113 71 101 175 103 128 205 28 182 240
99 237 162 24 118 35 215 197 92 232 246 203 141 115 223 23
S-box 2 is:
187 19 180 63 115 247 197 105 233 83 43 155 246 12 191 224 183 177 114 119 1 73 182 98 85 107 137 89 160 94 199 206
91 23 20 236 62 124 188 53 251 14 34 4 64 227 232 138 140 77 81 152 21 32 84 153 194 254 75 129 189 164 90 9
192 210 79 201 29 101 93 163 146 174 117 213 49 121 8 170 217 208 97 250 74 226 47 158 249 141 132 131 230 82 30 110
149 35 100 69 166 24 65 145 161 96 157 186 147 17 116 11 228 78 0 88 70 95 136 134 51 241 108 16 106 202 54 52
175 104 45 118 253 135 123 190 193 27 56 245 71 68 238 39 237 25 154 220 252 150 3 172 128 148 58 203 215 26 57 218
80 31 173 181 67 87 142 18 211 151 5 66 61 143 59 205 209 242 13 171 200 99 162 239 33 46 243 255 55 179 40 234
48 72 240 248 60 221 207 130 10 126 219 214 133 165 184 36 212 15 216 127 92 167 125 168 38 120 225 44 222 6 109 169
231 111 113 185 41 144 195 76 235 112 22 196 37 176 102 244 42 50 2 103 156 122 139 178 223 198 204 86 229 7 28 159
Sbox 3 is: 169 85 53 195 255 230 212 89 73 179 101 233 11 60 18 106 217 26 7 123 98 210 150 127 78 40 147 187 86 107 166 135 105 143 132 175 74 115 24 49 37 201 141 165 251 153 240 38 82 194 253 79 198 42 159 20 174 220 16 154 215 5 219 64 213 81 171 51 164 204 99 239 234 121 245 23 97 249 250 94
66 180 35 247 145 61 185 59 120 57 128 244 27 225 48 229 152 34 129 224 15 236
118 167 114 19 246 33 63 243 226 9 146 190 139 72 109 133 2 173 149 39 71 241
231 29 186 103 148 13 69 75 21 168 163 130 44 88 206 14 92 214 182 238 111 181
183 119 197 6 12 58 178 235 155 30 205 17 62 3 218 110 176 170 196 208 237 140
22 46 138 31 156 36 228 202 93 116 95 242 50 232 126 100 199 223 45 124 76 91
113 96 191 102 144 216 172 221 32 252 157 87 4 104 112 162 207 77 200 70 131 108
192 117 52 227 189 41 125 80 25 56 222 161 54 136 43 158 1 184 160 137 0 55
188 28 122 254 8 68 142 151 209 203 177 83 65 10 90 211 84 67 47 193 248 134
Sbox 4 is: 56 177 64 120 93 12 47 9 189 74 24 206 15 71 244 111 50 89 180 116 130 185 84 103 53 26 209 70 125 40 145 39 124 121 201 126 162 139 248 221 28 66 51 61 34 118 146 236 135 99 188 179 222 168 163 92 58 183 154 166 112 5 192 63 1 164 204 133 245 158 31 90 132 134 142 187 113 214 199 94 157 235 8 42 131 228 4 127 72 247 79 16 210 14 38 211 161 128 208 140 174 82 25 2 13 246 251 0 100 195 149 230 136 159 20 19 171 97 153 250 175 68 115 182 229 86 69 219 106 27 240 32 76 77 21 55 232 249 215 181 186 110 207 160 169 176 73 102 60 17 231 202 212 223 147 48 243 119 36 203 167 226 213 11 98 194 88 59
225 178 242 238 253 198 41 104 165 62 141
7 255 33 67 152 148 227 49 91 46 81
52 143 129 101 3 200 6 239 150 144 23
18 218 122 137 123 75 254 196 184 170 156
57 114 155 138 217 10 252 45 44 117 224
205 95 35 216 190 233 83 65 173 78 241
234 29 80 108 96 30 43 172 107 151 54
237 109 191 85 197 37 220 105 22 87 193
Sbox 5 is: 218 90 93 249 94 117 100 86 103 18 200 116 186 155 154 131 183 48 3 179 79 215 133 239 190 38 137 193 73 247 67 241 16 43 145 74 105 7 91 2 244 58 42 146 175 255 21 166 125 216 163 187 121 51 84 214 227 25 80 49 64 15 95 37 5 170 46 254 128 83 34 98 177 68 78 8 47 1 243 196 197 52 219 115 171 181 62 29 168 4 246 250 89 61 54 248 224 153 135 149 206 169 6 147 27 198 176 164 194 28 92 111 220 85 99 110 108 53 113 119 189 63 232 120 124 158 228 172 122 221 10 192 114 31 223 77 184 138 20 88 195 24 70 173 126 242 33 56 208 199 157 231 76 71 174 101 44 235 0 130 22 213 72 45 162 143 240 204 112 251 234 32 141 217 212 123 136 132 211 14 50 167 226 97 11 237 202 96 238 19 87 55 160 140 229 225 23 109 30 188 191 253 150 222 127 252 139 118 69 35 236 66 60 201 40 81 107 182 134 75 148 156 17 104 207 178 102 245 233 230 210 106 9 12 144 59 41 165 205 209 26 36 39 142 13 180 159 57 185 151 203 152 65 129 161 82
Sbox 6 is: 237 94 217 75 204 32 20 92 10 232 49 42 246 218 45 184 133 227 84 236 76 186 172 78 230 123 149 166 173 231 178 199 205 5 63 234 60 176 249 71 129 153 121 200 67 59 24 14 111 35 126 100 252 183 171 228 254 65 212 240 225 242 188 88 82 244 119 37 195 165 83 108 91 247 79 250 17 68 28 51 120 16 56 44 54 11 48 141 113 175 221 191 98 66 177 174 124 127 245 167 34 197 31 214 8 159 138 137 248 70 25 85 43 30 150 206 145 6 13 39 4 109 201 136 131 161 80 112 69 104 61 134 151 38 46 253 160 12 64 47 142 224 202 1 128 122 211 182 125 15 185 213 95 93 57 241 101 189 29 106 99 115 72 19 229 152 117 144 207 36 219 62 135 97 251 239 215 238 26 158 155 9 164 194 168 196 181 179 33 58 220 89 132 192 222 243 116 41 103 190 157 163 53 107 139 233 169 255 96 193 50 162 156 3 105 90 55 7 148 170 187 198 235 114 0 77 118 210 130 180 87 102 223 27 203 23 154 81 74 21 2 40 146 18 73 140 143 209 147 110 216 52 208 86 22 226
Sbox 7 is: 182 47 142 74 79 107 161 42 195 39 188 242 168 205 57 244 111 228 51 237 73 164 190 227 36 251 41 83 222 61 189 224 239 130 48 211 213 55 162 75 105 175 19 33 88 219 134 118 253 245 201 8 97 123 148 143 54 221 225 70 139 160 30 66
45 174 231 109 136 241 223 16 87 80 91 191 99 122 96 177 32 10 62 34 250 120 135 38
63 159 12 65 131 217 108 102 11 90 100 68 95 176 158 71 78 85 215 5 192 50 204 156
0 220 125 56 101 184 194 113 154 64 238 26 206 144 72 60 82 89 246 128 59 53 240 140
29 178 170 209 197 7 216 104 183 146 126 145 165 13 127 167 203 196 248 149 199 43 150 37
103 92 49 6 233 163 166 27 214 185 243 52 173 17 28 232 25 202 93 110 124 234 94 81
67 236 255 181 15 116 114 14 218 119 226 9 4 46 208 249 24 152 210 200 20 84 2 129
252 22 155 235 230 31 187 86 106 151 172 23 207 1 18 58 21 147 44 193 138 141 3 171
247 132 169 198 117 153 112 229 40 254 77 179 137 98 35 133 69 157 212 76 115 180 121 186
Sbox 8 is: 170 48 107 4 36 183 84 29 94 114 177 14 33 151 236 66 21 83 245 12 41 68 159 119 189 72 202 212 31 227 232 198 228 255 199 77 218 157 142 50 54 108 150 184 249 144 55 224 179 208 217 88 92 235 49 99 176 79 44 175 242 110 11 30 90 160 149 181 34 219 167 86 154 197 186 128 20 67 28 23 168 239 243 241 38 103 165 18 22 132 253 112 233 220 240 169 166 133 207 201 45 158 80 32 97 216 52 121 251 3 248 139 185 178 211 237 190 130 156 60 81 135 164 210 252 57 147 63 100 102 6 254 10 194 62 214 136 85 140 42 111 122 174 82 71 43 78 188 53 105 91 75
0 120 19 76 234 65 124 118 231 161 2 47 59
129 123 250 141 205 215 56 195 229 17 61 113 171
155 182 27 244 246 172 152 115 134 9 1 222 146
24 143 126 221 58 40 26 203 163 25 137 104 74
238 191 73 35 95 16 46 223 125 87 70 209 193
7 116 39 15 173 69 93 225 98 230 13 200 5
117 8 162 37 206 109 145 64 226 138 89 96 180
51 196 247 204 187 192 148 131 213 153 106 101 127
Sbox 9 is: 143 15 253 136 145 62 94 128 1 144 70 20 126 247 248 84 55 160 66 251 85 190 37 51 139 110 114 79 178 3 174 68 219 229 239 46 95 104 99 175 170 181 255 193 250 134 129 47 156 11 98 207 185 188 21 162 155 223 220 43 59 182 154 197 103 226 209 64 194 60 167 107 249 234 206 127 39 35 183 153 221 10 100 27 205 54 113 202 38 184 186 65 42 161 168 91 87 81 180 14 237 36 52 67 133 49 165 216 101 230 233 61 28 131 88 45 203 115 130 112 83 146 135 4 235 173 86 198 0 176 215 41 214 33 102 243 138 148 76 90 241 73 118 13 29 159 140 53 172 105 80 189 164 224 245 77 246 236 240 25 142 92 150 210 163 244 117 195 71 211 6 187 16 169 141 111 75 177 192 12 63 179 74 120 152 22 8 78 125 31 149 72 40 242 199 96 32 218 24 158 69 157 56 17 231 48 208 30 119 212 121 18 196 238 93 109 122 26 204 222 254 166 7 50 2 132 82 225 124 200 227 123 106 9 108 232 97 217 171 57
58 201
19 151 89 252 213 228 116 44 34 147 191 5 137 23
Sbox 10 is: 18 40 48 231 188 35 243 34 19 170 106 60 111 215 125 92 167 203 219 193 156 166 41 108 37 71 157 102 62 213 12 133 230 51 105 8 209 134 10 162 253 196 104 54 159 59 250 242 224 241 74 214 124 2 189 17 175 235 93 149 147 38 151 139 126 68 33 154 76 164 158 205 207 42 24 110 240 128 195 163 30 208 26 249 72 98 113 180 228 75 246 1 107 197 220 36 161 43 16 168 64 222 239 84 218 155 177 185 47 65 138 77 153 152 200 95 236 237 194 184 130 29 23 176 142 58 122 25 150 192 118 181 27 244 15 90 0 212 140 50 160 112 245 141 252 114 14 67 169 172 136 69 4 81 187 198 87 21 129 174 80 3 6 97 131 145 121 9 178 143 255 91 70 204 247 146 190 52 101 89 56 57 226 44 127 100 86 232 88 82 31 254 132 233 227 223 210 206 171 234 115 119 144 78 22 186 5 55 46 85 20 135 183 217 248 66 53 109 79 165 225 201 202 251 11 179 28 221 13 199 238 99 137 148 120 191 39 216 96 83 103 32 117 94 123 61 63 116 49 211 45 73 182 229 7 173
Sbox 11 is: 45 216 52 146 179 234 195 38 199 56 32 25 229 72 190 163 2 12 221 242 154 188 113 0 233 173 251 207 243 231 107 6 16 184 91 50 162 94 51 230 205 30 165 210 187 74 129 232
178 235 70 220 175 98 24 126 136 80 82 102 141 236 48 211 63 254 92 194 41 42 81 18 46 227
150 14 212 73 79 169 75 19 255 151 171 241 101 131 87 166 122 60 112 248 225 140 104 68 170 226
177 90 64 110 15 33 61 182 159 121 186 124 9 53 147 29 69 200 222 8 100 116 144 172 219 76
105 203 247 62 238 17 117 193 138 20 164 249 99 103 223 28 4 208 239 142 176 250 137 135 108 168
22 59 180 27 40 167 115 31 96 246 114 26 174 88 152 36 217 95 1 157 23 133 125 3 158 185
156 85 120 39 78 228 35 11 89 143 57 5 84 58 123 13 197 54 204 44 97 106 65 21 244 55
213 183 218 245 86 181 66 47 160 155 119 71 77 118 132 237 201 7 67 34 93 128 83 214 209 153
215 139 240 49 111 253 224 109 10 206 161 192 145 127 252 202 148 130 191 189 198 196 37 43 134 149
Variations of QUADIBLOC
QUADIBLOC-80

Using QUADIBLOC with the initial key formed by concatenating the 80-bit key with its inverse (one's complement, bitwise negation), encipher the following:

1) Expand the first 18 bits of the key to 24 bits using the 4 of 8 bit code in QUADIBLOC; repeat these as often as required to XOR with the last 64 bits of the key. (Yes, 2 bits are used twice.)
2) Take the first 64 bits of the key; XOR with the 24 bits formed by expanding the last 18 bits of the key, repeated starting from the right.
3) Form a 48-bit string by XORing the first 40 bits + 00000000 with 00000000 + the last 40 bits; convert that to 64 bits using the 4 of 8 bit code on all of it.

Using the 192 bits which result from these three block encryptions, convert to a 160-bit key as follows: concatenate the 64 bits of 1) enciphered with the 64 bits of 2) enciphered and the first (leftmost, most significant) 32 bits of 3) enciphered, and XOR these 160 bits with the last 32 bits of 3) enciphered, repeated five times.

QUADIBLOC-64

Expand a 64-bit key to an 80-bit key by converting the first 48 bits of the key to 64 bits, using the 4 of 8 bit code. This, concatenated with the last 16 bits, makes 80 bits. Produce a 160-bit key from this as outlined for QUADIBLOC-80. Then XOR the 64-bit key with that, repeated 2 and 1/2 times. (The last one-half uses the first 32 bits.)

QUADIBLOC-40

Expand the 40-bit key to an 80-bit key by concatenating it with its inverse. Produce a 160-bit key from this as outlined for QUADIBLOC-80. Expand the 40-bit key to 52 bits by converting the first 36 bits to 48 bits using the 4 of 8 bit code. XOR the 52-bit result (48 expanded bits + 4 original bits), starting with a whole block on the left, repeatedly with the 160-bit result to get the 160-bit key to use.

QUADIBLOC-320

The first half is used to generate subkeys normally, and so is the second half. First-half subkeys are used in rounds 1, 2, 5, 6, 9, 10, 13, and 14; second-half subkeys are used in rounds 3, 4, 7, 8, 11, 12, 15, and 16.

QUADIBLOC-640

The key is divided into four quarters, each of which is used to generate subkeys normally, and the subkeys generated from the first quarter are used in rounds 1, 2, 9, and 10; from the second in 3, 4, 11, and 12; from the third in 5, 6, 13, and 14; and from the fourth in 7, 8, 15, and 16.

Enhanced QUADIBLOC

S-box 2, in QUADIBLOC, is used only when enciphering, and its inverse is used when deciphering. Since this S-box gets changed anyways, Enhanced QUADIBLOC is QUADIBLOC changed in that S-box 2 is part of the key, and supplied by the user, instead of being the fixed value shown in the definition of QUADIBLOC.
The QUADIBLOC FAQ
1) Why is this bozo cluttering up my computer with a 12K file?
2) What are the design goals of Quadibloc?
3) Where can I get source code?
4) What are the known weaknesses of Quadibloc?
5) How could it have been made stronger?
6) Where does Quadibloc get its security from?
7) How does Quadibloc compare to DES?
8) How does Quadibloc compare to Skipjack?
9) How does Quadibloc compare to Blowfish?
10) What is the likely impact of Quadibloc?
1. Why is this bozo cluttering up my computer with a 12K file?
Obviously a shameless attempt to obtain 15 minutes of fame by getting mentioned in the third edition of Schneier.
2. What are the design goals of Quadibloc?
There are three goals, in the following order:

- Ease of implementation,
- Security, and
- Efficiency in software and hardware.

The primary goal, ease of implementation, was addressed by keeping the size and number of S-boxes in the cipher to a minimum. Ease of implementation and efficiency were also promoted by keeping the few bit transposes in the cipher simple. Because of the order of the goals, security was obtained by performing part of the F-function twice, rather than relying on fancier S-boxes, and a full bit-transpose was included ONCE in the cipher.
3. Where can I get source code?
I haven't written any yet. Maybe in a couple of years. At least, in addition to distributing the source, I'll NEED to implement it at least once in order to generate test vectors. Which everyone else will probably want before they try their hands at it.
4. What are the known weaknesses of Quadibloc?
QUADIBLOC-640 can have its effective key size shortened by from 32 to 64 bits through a meet-in-the-middle attack. Since Quadibloc uses one S-box all the way across in the F-function, if Quadibloc had weak keys (which, fortunately, it doesn't) it would have a rotational symmetry for all rotations of a multiple of 8 bits applied to the two halves of the block together. The permutation after round 8 also limits the damage this would do. It probably has much worse ones than that, but I don't have the prestige to get Eli Biham et al. to do my work for me...

Other possible weaknesses: Does doing an XOR after the substitution and P-permutation in the F-function leak key bits? Should an odd value, instead of 8 bits, be used for the circular shift done along with the swap of halves? The F-function is more complicated than that of DES in some ways, but unlike that of DES, it isn't a one-way hash; it's invertible. The P-permutation, and the "wall" permutation used after round 8, are both regular.

Additional notes: The use of a single S-box all the way across in the f-function also means that if characteristics are found for applying differential cryptanalysis, it is easier to use them in successive rounds. However, the fact that the S-box has 256 entries, the fact that the f-function is doubled, and the use of S-box 2 on the left half, all make a differential attack unlikely. The use of a permutation after round 8 is not as total an obstacle to analysis as I had originally thought. It is no hindrance whatever to the boomerang attack, discussed in the section on differential cryptanalysis. However, in addition to a permutation, I also put the right half of the block through S2 both before and after (the left half goes through S2 anyways). Thus, it does not appear at this time that the boomerang attack requires immediate alterations to the QUADIBLOC design.
5. How could it have been made stronger?
I can think of two obvious improvements that I avoided for the sake of ease of implementation.

- Replace the swap plus circular shift with a straight swap, but in ALL 16 rounds, after the XOR, and before the second use of S-box 2, do a right circular shift of 12 bits on the left half of the block.
- Replace S-boxes 1 and 2 by two sets of 8 S-boxes.
6. Where does Quadibloc get its security from?
DES could be made TOTALLY insecure by stripping just TWO elements from it:

- remove the expansion permutation, changing all the S-boxes to have 4 inputs as well as 4 outputs;
- replace the permutation P with the identity permutation.

Then, DES would become a set of 8 ciphers applied to 8 blocks of 8 bits. Quadibloc relies on the fact that it uses a simple S-box followed by a regular P permutation, and repeats that process twice. The first application substitutes for the expansion permutation, as well as providing some security of its own. In addition, after round 8, a non-keyed scramble that makes every bit of the block depend on every other bit is applied, in hopes of frustrating analysis. S-box 2 gets extra use here, but the bit transpose differs from the rest of the cipher. The key is expanded slightly, from 160 bits to 176 bits, using a 4 of 8 code. The 4 of 8 code is not intended to have any security properties, since it would not contribute to the security of the cipher if it were more random. What it DOES do is eliminate weak keys, like all zeroes or all ones. Also, by XORing key material before AND after the use of S-box 1, complementation properties are eliminated.
7. How does Quadibloc compare with DES?
DES has a 56-bit key, 48 bits of which are used in each round. Quadibloc has a key of 160 bits. This is expanded to 176 bits; then, 128 bits are used in each round to generate an effective round subkey which is 96 bits in length. DES uses engineered S-boxes with auxiliary inputs from adjacent nibbles for heightened nonlinearity, and an irregular bit transpose P. The S-boxes are based on multiple permutations of (0..15). The key material is applied by an XOR prior to using the S-boxes. Quadibloc uses a random S-box containing a single permutation of (0..255) and a regular bit transpose. But this is applied twice, and key material is XORed three times, at the start, in the middle, and at the end. DES simply XORs the f-function output with the left half. Quadibloc uses a second S-box before and after the XOR with the f-function output. Thus, plaintext actually goes through an S-box, which seems intuitively more satisfying.
8. How does Quadibloc compare with Skipjack?
Originally, I wrote the following: How should I know? After all, it is secret, and I have had no access to the secret. However, some comparisons can be made on the basis of publicly available information. Quadibloc was deliberately designed to have two desirable properties claimed for Skipjack: no 'weak keys', and freedom from complementation properties.
Quadibloc has only 16 rounds, not 32 as for Skipjack. Quadibloc has a 160-bit key, which is longer than an 80-bit key. Quadibloc does not have a 48-bit internal structure. Quadibloc was designed to be easy to implement, and has S-boxes of minimal size. Quadibloc was designed in one weekend by one person with neither any particularly relevant academic credentials nor relevant cryptanalytic experience (hey, I do have an M.Sc. in Nuclear Physics!). Skipjack was designed by the top cryptographers and cryptanalysts in the U.S., entrusted with guarding the nation's security. You and I don't get to make use of Skipjack without key escrow; Quadibloc doesn't have this problem. (Note that, since this was written, Fortezza PCMCIA cards without key escrow were made available to the public in the U.S., which was an interesting, and perhaps even amusing, development in the ongoing Clipper Chip saga.) Quadibloc is available for open review. However, it is probably so insignificant that it will never receive any such review.

At present, I no longer have the excuse I began that section with, as Skipjack has now been declassified. (I write these words as part of the update of these pages to include its description!) Skipjack has a regular key schedule, which would seem to open up the possibility of related-key attacks; Quadibloc has an irregular one, based on that of DES. Quadibloc's f-function has two stages to it, which was an apparent innovation at the time. However, Skipjack's G permutation is actually a four-round miniature block cipher with a 16-bit block. Skipjack is both easier to implement than Quadibloc, and more efficient.
9. How does Quadibloc compare to Blowfish?
Quadibloc-40, Quadibloc-64, and Quadibloc-80 all have a relatively simple method of expanding the key size to 160 bits; they do not explode the work factor in the way Blowfish does to handicap attempts at brute-force searching. This was done deliberately, both for ease of implementation, and in hopes that Quadibloc-40 might be approved for export, thus giving U.S. software authors a royalty-free alternative. The natural key size of Quadibloc is only 160 bits, while Blowfish makes full use of a key up to 384 bits in length. On the other hand, the added complexity of the F-function may be to the credit of Quadibloc. On balance, though, it may be fair to say that the advantages of Blowfish over Quadibloc in security are of a sort likely to have real-world value, while the advantages of Quadibloc are of a more theoretical nature.
10. What is the likely impact of Quadibloc?
Very little. Possible results:

- Revealing Quadibloc to unevolved uninitiates may lead to burdening of my karma.
  Not worried. Saddam Hussein has already heard of IDEA, Triple-DES, Blowfish... if the NSA thinks I have endangered U.S. national security, then they've done so, by choosing to live in a fool's paradise.
- NSA releases Skipjack patent in order to prevent use of Quadibloc.
  Probability slightly lower than that of one of the primes in your RSA modulus actually being a Carmichael number.
- Complications of Quadibloc found illusory; new cryptanalytic method discovered that is an extension of differential/linear cryptanalysis.
  I can dream, can't I? That would be a noble way to have failed.

The intent of boring the world with yet another block cipher should, however, be stated. Due to restrictions on source code export (which may not apply to us lucky Canadians), I have chosen to lead the way in showing that a secure algorithm can be designed to be so simple to implement that coding it is trivial, and does not depend on giant S-boxes or difficult mathematics which requires access to a reference source code implementation. Also, Quadibloc illustrates techniques that could be applied to other ciphers. Doubling the F-function is possible in Blowfish quite simply (you will need more pi); and it could even be done in DES, with more violence to the key schedule. (In fact, it is probably one of the more secure ways to create a 112-bit key DES variant.)
Key Augmentation
The key schedule of QUADIBLOC, while designed to avoid weak keys and resist related-key attacks, is still something of an afterthought compared to the rest of the cipher. A procedure to add 64 bits to the key of any variant of QUADIBLOC, and improve its key schedule (which may be applied repeatedly, even to the extent of modifying the key for every block enciphered, causing QUADIBLOC to act as sort of a stream cipher), is described here.

First, the key to be augmented is to be used normally to generate the 48 32-bit subkeys used by QUADIBLOC. Then, the augmented schedule of subkeys is generated as follows:

The 64-bit supplementary key is to be encrypted normally by QUADIBLOC with the schedule of subkeys in place. (The encrypted result is to be made available externally by hardware implementations of QUADIBLOC, to allow iterated key augmentation with a single 64-bit key supplement.) However, both the encrypted result of the QUADIBLOC encipherment, and the 32-bit output of the f-function in each round of that encipherment, are to be retained (in internal storage). These results are to be applied to the subkeys of QUADIBLOC as follows:

The subkeys are to be moved as follows: The second subkey for each round is to be replaced by the previous value of the first subkey for the previous round. The second subkey for round 1 is to be replaced by the previous value of the first subkey of round 16. The third subkey for each round is to be replaced by the previous value of the second subkey for that round. The first subkey for each round is to be replaced by the previous value of the third subkey for that round.

Then, the saved f-function values are to be applied by being XORed with subkeys (the result replacing the former value of the subkey) in the following sequence:

The f-function output for round:                  9  7 11  5 13  3 15  1 16  2 14  4 12  6 10  8
is to be XORed with the first subkey for round:   1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16

The left half of the result of the QUADIBLOC encryption is to be XORed with the second subkey for the first round. The right half of the result of the QUADIBLOC encryption is to be XORed with the third subkey for the ninth round.

Three key augmentations will ensure that every subkey is XORed with one f-function output; twenty-four key augmentations will ensure that every subkey is XORed with one of the halves of an encryption result. Key augmentation is equally applicable to QUADIBLOC 96 and QUADIBLOC 99. In the plain form described here, key augmentation adds at least 64 bits to the length of the key.

Some block ciphers include a process like key augmentation, but with a fixed input value, as a standard step in the key generation process to improve the quality of the key schedule. To operate QUADIBLOC in this fashion, which will be referred to as closed key augmentation, after generating the initial key schedule from the 160-bit key, perform three iterated key augmentations, the latter two using as their input value the output value from the previous one, and the first one using the constant value 55330FAACCF05533 as the input value.
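The subkey rotation and XOR steps above as code, added here as an example (not the author's): the f-function outputs and the encryption result can only come from a QUADIBLOC implementation, which this does not include, so they are passed in by the caller, and a label-tracing mode checks the claim that three augmentations reach every subkey with exactly one f-function output.

```python
"""Key augmentation of the QUADIBLOC subkey schedule, as described above.

Added example, not the author's code.  The genuine procedure obtains the 16
f-function outputs and the 64-bit result by enciphering the supplementary
key with QUADIBLOC itself; that cipher is not implemented here, so the
caller supplies those values (demo() constructs sample ones).
"""
ROUNDS = 16

# F_SOURCE_ROUND[r] is the round whose saved f-function output is XORed into
# the first subkey of round r+1 (the table from the text, rounds 1..16).
F_SOURCE_ROUND = [9, 7, 11, 5, 13, 3, 15, 1, 16, 2, 14, 4, 12, 6, 10, 8]


def xor32(a, b):
    return (a ^ b) & 0xFFFFFFFF


def augment(subkeys, f_outputs, left, right, mix=xor32):
    """One key augmentation.

    subkeys[r][p] is subkey p+1 (first, second, third) of round r+1;
    f_outputs[r] is the f-function output saved from round r+1; left/right
    are the halves of the encryption result.  `mix` is XOR for real subkeys;
    trace_f_mixing() substitutes tuple concatenation to follow the inputs.
    """
    assert len(subkeys) == ROUNDS and len(f_outputs) == ROUNDS
    moved = [[None] * 3 for _ in range(ROUNDS)]
    for r in range(ROUNDS):
        moved[r][1] = subkeys[(r - 1) % ROUNDS][0]  # second[r] <- first[r-1]; second[1] <- first[16]
        moved[r][2] = subkeys[r][1]                 # third[r]  <- second[r]
        moved[r][0] = subkeys[r][2]                 # first[r]  <- third[r]
    for r in range(ROUNDS):
        moved[r][0] = mix(moved[r][0], f_outputs[F_SOURCE_ROUND[r] - 1])
    moved[0][1] = mix(moved[0][1], left)   # left half  -> second subkey of round 1
    moved[8][2] = mix(moved[8][2], right)  # right half -> third subkey of round 9
    return moved


def trace_f_mixing(n_augmentations):
    """How many f-function outputs have been XORed into each of the 48 subkeys
    after n augmentations, found by tracing labels instead of values."""
    sched = [[()] * 3 for _ in range(ROUNDS)]
    for _ in range(n_augmentations):
        sched = augment(sched, [("f",)] * ROUNDS, ("L",), ("R",),
                        mix=lambda a, b: a + b)
    return [cell.count("f") for rnd in sched for cell in rnd]


def every_subkey_mixed_once(n_augmentations):
    """The text's claim: three augmentations reach every subkey exactly once."""
    return all(c == 1 for c in trace_f_mixing(n_augmentations))


def demo():
    """Apply one augmentation to a constructed sample schedule with constructed
    f-function outputs and result halves (values chosen here, not real output)."""
    sched = [[(0x01000000 * (r + 1) + p) & 0xFFFFFFFF for p in range(3)]
             for r in range(ROUNDS)]
    f_out = [(0x9E3779B9 * (r + 1)) & 0xFFFFFFFF for r in range(ROUNDS)]
    return augment(sched, f_out, 0x12345678, 0x9ABCDEF0)
```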
Key Extension
In addition to key augmentation, the use of a longer key can be permitted by the use of the following operation, intended to be applied after key augmentation has been applied to a previous set of subkeys. In key extension, a new 160-bit key is used to generate subkeys in the normal fashion, but the resulting subkeys are then XORed to the existing subkeys instead of replacing them.

Thus, an alternative variant of QUADIBLOC with a 320-bit key can be achieved by:

- Using the first 160 bits as a key to generate an initial set of subkeys.
- Performing closed key augmentation.
- Performing key extension with the remaining 160 bits of the key.
- Performing closed key augmentation.

This variant shall be known as QUADIBLOC-320-SE (96 or 99), and QUADIBLOC with closed key augmentation will be known as QUADIBLOC SE (96 or 99).
Quadibloc II
Although this expanded version of Quadibloc is a cipher with a 128-bit block size, I am not trying to detract from the importance of the candidate ciphers for the AES process. Prior to the deadline for a submission, I had considered a few designs, but I had nothing that I was quite satisfied with. Precisely because the other designs were now available to examine, I was able to find the "missing pieces" needed to complete a design.

This design allows key lengths of 128, 192, or 256 bytes, and in fact also allows keys of any length in the sequence starting 128, 144, 160, 176..., provided that the key is not longer than 36 bytes times the number of rounds. The number of rounds can be 8, 12, 16, 20, 24, 28, 32, 36..., any multiple of 4 greater than or equal to 8.

One round of Quadibloc II takes perhaps 7 1/2 times as long as a round of DES, although a more optimistic estimate might be 3 3/4 times as long. Thus, 8-round Quadibloc II might manage to take less than 6 times as long as DES even with the initial estimate, and that would make Quadibloc II more efficient than Triple-DES. (The estimate is based on the fact that a round of DES requires eight fetches of a 32-bit quantity from a table; a round of Quadibloc II requires 24 fetches of a 32-bit quantity, and 24 fetches of an 8-bit quantity.)

This design also begins life with an unfair advantage: it partly results from the inspiration provided by the various AES candidates, and has, in fact, swiped good ideas from two or three of them at least. In any case, this design is proposed not as something that would have been a potential candidate were it not too late, but instead, particularly in its 32-round form, as something for those people who want a very secure block cipher without concern for efficiency.

Instead of two S-boxes, this design uses ten S-boxes generated from Euler's constant, by repeating the following process, the same one as used in the original QUADIBLOC:
- Load Euler's constant into a very long multiprecision register which is simulated by an array.
- Repeat the following for each S-box to be created:
  - Load an array with the numbers from 0 to 255 in order. A pointer to an element of the array is set to point to the first element in the array, and is called TARGET.
  - Repeat the following for each of the integers from 256 down to 2; call the current integer SIZE:
    - Multiply the contents of the multiprecision register by SIZE. Leave the fractional part of the result in the multiprecision register; call the integer part of the result CHOICE. (CHOICE will be an integer from 0 to SIZE minus one.)
    - Swap the elements TARGET and TARGET + CHOICE in the 256-element array. (If CHOICE is zero, do nothing for this step.)
    - Advance TARGET to the next element of the array, and proceed to the next number from 256 down to 2.
  - The 256-element array now contains a complete S-box. Save or print out its contents.
  - Proceed to the next S-box to be generated.
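The procedure just listed (and the equivalent description in the section on Euler's constant) in code, as an added example that is not the author's BASIC program. EULER_FRACTION_DIGITS holds only the first 50 decimal places of the constant, far short of what each S-box consumes (about log2(256!), roughly 1684 bits of the register), so the output is a permutation built the described way but does not reproduce the published tables; a longer digit string can be supplied in its place.

```python
"""S-box generation from the digits of Euler's constant: SIZE runs from 256
down to 2, CHOICE is the integer part of register * SIZE, element TARGET is
swapped with element TARGET + CHOICE, and TARGET advances by one each step.

Added example, not the author's BASIC program.  The constant below is Euler's
constant to 50 decimal places only; once 256 * 255 * ... exceeds 10**50
(after roughly twenty steps) the choices no longer reflect the true digits,
so this does NOT reproduce the page's published S-boxes.
"""
from fractions import Fraction

EULER_FRACTION_DIGITS = "57721566490153286060651209008240243104215933593992"


def register_from_digits(digits):
    """The multiprecision register as an exact rational in [0, 1)."""
    return Fraction(int(digits), 10 ** len(digits))


def next_sbox(register):
    """One pass of the procedure.  Returns (sbox, register) where the returned
    register holds the fractional part left over, which feeds the next S-box
    (the text generates S-box 2 from what remains after S-box 1)."""
    box = list(range(256))
    target = 0
    for size in range(256, 1, -1):
        register *= size
        choice = register.numerator // register.denominator  # integer part, 0 .. size-1
        register -= choice                                   # keep only the fractional part
        if choice:                                           # CHOICE = 0: nothing to do
            box[target], box[target + choice] = box[target + choice], box[target]
        target += 1
    return box, register


def generate_sboxes(digits, count):
    """Generate `count` S-boxes in sequence from a single register."""
    register = register_from_digits(digits)
    boxes = []
    for _ in range(count):
        box, register = next_sbox(register)
        boxes.append(box)
    return boxes


def invert_sbox(box):
    """Inverse permutation, as needed to decipher wherever an S-box was applied."""
    inverse = [0] * 256
    for index, value in enumerate(box):
        inverse[value] = index
    return inverse


def is_permutation(box):
    return sorted(box) == list(range(256))
```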
As previously noted, I chose Euler's constant instead of, say, pi, because the mathematical theory behind Euler's constant is more complicated than that behind pi, which in turn is somewhat more complicated than e, the base of the natural logarithms.

The first four of these S-boxes are likely to be stored as arrays of 256 32-bit words, with the bits spread out reflecting the P permutation, which is again the same one as used in QUADIBLOC, and is as follows:

The bits
 1  2  3  4  5  6  7  8   17 18 19 20 21 22 23 24    9 10 11 12 13 14 15 16   25 26 27 28 29 30 31 32
become
 1  2 27 28 21 22 15 16   17 18 11 12  5  6 31 32    9 10  3  4 29 30 23 24   25 26 19 20 13 14  7  8

and this permutation is to be interpreted according to the following convention: the numbers in the bottom sequence identify the source of each bit in the permuted result, in order.

The round structure of Quadibloc II uses essentially the same f-function as was used in QUADIBLOC, with one addition: after the second substitution/permutation layer, and the third XOR of subkey material, the 32-bit subblock then goes through a key-dependent S-box. No permutation follows this S-box. Three out of four 32-bit subblocks are used as input to f-functions. The f-function of the first subblock is used to supply additional inputs both to the other two f-functions and to the application of their outputs to the fourth subblock, which they modify. There are other things going on in the round, and there are some minor changes to the f-function as well. The following diagram shows how the main part of a round proceeds:
The dotted lines show a part of the round which is required if fewer than 32 rounds are used, but which, involving as it does the use of intermediate results from the f-function, might offer some theoretical advantages if omitted. Before the regular rounds of Quadibloc II begin, and after they end, there is an additional phase of extra manipulations, the purpose of which is to make life more difficult for the cryptanalyst. This phase is shown in the following diagram, which gives an overview of Quadibloc II:
The wide boxes are the key-dependent byte permutations; the fixed permutations that take place between regular rounds are shown as wire crossings. Initially, the block is divided into 16-bit units, each of which undergoes substitution by means of a miniature block cipher of four Feistel rounds with the key-dependent S-box S8 as the f-function. First the leftmost byte of each pair of bytes is used to index into S8, finding the byte to XOR with the rightmost byte; then the same is done in the reverse direction, and so on, alternating for four rounds. The 16 bytes of the block are then rearranged according to a key-dependent permutation. Then, each half of the block undergoes two rounds of Feistel encryption with a simplified f-function having only one S/P (substitution/permutation) layer. For faster diffusion, each f-function output is, in two of the rounds, XORed with the two subblocks in the other half of the block, and in the other two rounds used to control the swapping of bits between those two subblocks, in the fashion pioneered by ICE. This operation is illustrated below:
The f-function consists of:

- XOR one subkey with the current subblock.
- Use S-boxes S1, S2, S3, and S4, in order, to substitute for each of the bytes of the result.
- Use the QUADIBLOC P-permutation to transpose the bits.
Four rounds are performed. In each round, the f-function of one subblock is XORed to the other subblock in the same half of the block. In the outer two rounds, that output is also XORed to the two subblocks in the other half; in the inner two rounds, it is used to control the swapping of bits between those two subblocks, a 1 bit corresponding to a bit position where swapping occurs, as was done in the block cipher ICE. The four subblocks are chosen in order, from left to right, as the input to the f-function. Then, the bytes of the block are again rearranged according to a key-dependent permutation. A similar transformation takes place at the end. (MARS, of course, uses a different round structure before and after the main part of the cipher, but here the main idea swiped, and placed in a new form, is the idea of FROG. Instead of making the targets of XORs key-dependent, a key-dependent rearrangement of the bytes before a series of XORs achieves the same thing with a simpler key setup.) The changes required to decipher in Quadibloc II are hinted at by the following diagram:
The initial and final miniature Feistel rounds use the same S-box and the same four XOR steps when deciphering; since each step is its own inverse, they are undone simply by applying the four steps in the reverse order, that is, beginning with the rightmost byte of each pair as the index into S8. The degenerate rounds with a short f-function have to operate on the four subblocks in reverse order, as well as using the subkeys in reverse order. The regular round experiences these changes: the steps changing the fourth subblock need to be reversed as well as being done in reverse order; thus, the substitution layers use the inverses of S7, S6, and S5, and the XOR/plus stages take the f-function of the third subblock first, then that of the second. Also, more subtly, the order in which the two intermediate results of the f-function of the first subblock are XORed to the second and third subblocks is reversed. The first four S-boxes generated above are called S1 through S4, and function as S-boxes with 8 inputs and 8 outputs in the first f-function. But in the next two f-functions, they are combined in pairs to form S-boxes with 9 inputs and 8 outputs. This is shown on the diagram: S1/S3 is an S-box that acts like S1 when the extra input is zero, and like S3 when the extra, most significant or leftmost, input is one. S-boxes S1, S2, S3, and S4 are as given in the page on Euler's Constant and the Quadibloc S-boxes.
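To make the whitening layer and its inversion concrete, an added example in Python (mine, not the author's code). The S-box is a stand-in affine permutation, not the key-dependent S8, and the example covers only the 16-bit miniature Feistel rounds and the ICE-style bit interchange used in the degenerate rounds; the degenerate rounds' own f-function needs S1 to S4 and P, which are not repeated here. The inverse of the miniature cipher is the same four XOR steps in reverse order, beginning with the rightmost byte, and the interchange undoes itself.

```python
from typing import List, Tuple


def standin_sbox(mult: int, add: int) -> List[int]:
    """Stand-in 8x8 permutation (affine map with odd multiplier); NOT the real S8."""
    if mult % 2 == 0:
        raise ValueError("multiplier must be odd to get a permutation")
    return [(mult * x + add) & 0xFF for x in range(256)]


def mini_feistel_forward(unit: int, s8: List[int]) -> int:
    """Four rounds on one 16-bit unit: the left byte indexes S8 to mask the right
    byte, then the right byte indexes S8 to mask the left byte, alternating."""
    left, right = unit >> 8, unit & 0xFF
    for rnd in range(4):
        if rnd % 2 == 0:
            right ^= s8[left]
        else:
            left ^= s8[right]
    return (left << 8) | right


def mini_feistel_inverse(unit: int, s8: List[int]) -> int:
    """The same four XOR steps in reverse order: the right byte indexes first."""
    left, right = unit >> 8, unit & 0xFF
    for rnd in range(4):
        if rnd % 2 == 0:
            left ^= s8[right]
        else:
            right ^= s8[left]
    return (left << 8) | right


def whiten_block(block: bytes, s8: List[int], inverse: bool = False) -> bytes:
    """Apply the 16-bit miniature cipher to each of the eight byte pairs of a 128-bit block."""
    if len(block) != 16:
        raise ValueError("Quadibloc II blocks are 16 bytes")
    f = mini_feistel_inverse if inverse else mini_feistel_forward
    out = bytearray()
    for i in range(0, 16, 2):
        unit = f((block[i] << 8) | block[i + 1], s8)
        out += bytes((unit >> 8, unit & 0xFF))
    return bytes(out)


def ice_swap(a: int, b: int, mask: int) -> Tuple[int, int]:
    """ICE-style controlled interchange: the bits of a and b trade places
    wherever mask has a 1. It is an involution, so the same call undoes it."""
    t = (a ^ b) & mask
    return a ^ t, b ^ t
```

Running the miniature cipher forward twice does not return to the start (with the stand-in S-box, 0x0000 goes to 0xE37E and then to 0x76F3), which is why the deciphering direction must reverse the order of the steps.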
The Rounds
In detail, the round proceeds in this manner; and hopefully the diagram above will enable you to follow the lengthy description below:
- The first subblock is used as input to the first f-function, calculated as follows:
  - The first subkey for the round is XORed to it.
  - The four bytes of the current value are substituted using S1, S1, S2, and S2, from left to right. (Note that this method of avoiding cyclic symmetry, with a bare minimum of S-boxes, comes from LOKI 97.)
  - The result is permuted by the QUADIBLOC permutation P. (This permutation is simple and uniform, to minimize the storage needed to hold the S-box outputs after permutation in a common optimized implementation of ciphers like this one and like DES; this is one way in which I am specifically differing from LOKI 97.)
  - The current subblock value is the first intermediate value from the first f-function, and is used later.
  - The second subkey for the round is XORed in.
  - The four bytes of the current value are substituted in S-boxes S3, S4, S3, and S4 from left to right.
  - QUADIBLOC permutation P is applied.
  - This result is now the second intermediate value from the first f-function.
  - The third subkey for the round is XORed in.
  - The four bytes of the result are substituted by means of the key-dependent S-box, S8.
  - The result is the output of the first f-function. Its bits are considered to be numbered from 1 to 32 from left (MSB of first byte) to right (LSB of last byte), and they will be used individually, in groups of four, in what follows.
- The first subblock remains unchanged going into the next round, although an f-function was calculated from it.
- The second subblock is modified: its new value will be itself XORed with the XOR of the two intermediate results from the first f-function.
- The third subblock is also modified in this same way.
- However, the input to the second f-function is the second subblock XORed with the first intermediate result only, and the input to the third f-function is the third subblock XORed with the second intermediate result only. This can be achieved as follows:
  - XOR the second subblock with the first intermediate result.
  - Take the result as the input to the second f-function.
  - XOR the second subblock with the second intermediate result.
  - XOR the third subblock with the second intermediate result.
  - Take the result as the input to the third f-function.
  - XOR the third subblock with the first intermediate result.

  (Note that this method of applying the intermediate results to the middle subblocks is similar to the ingenious technique of applying key material in LOKI 97. Here, the intent is twofold: to conceal the f-function input, and to minimize the risk of attack created by the additional use of intermediate f-function results in the round.)
- The second f-function is calculated using its input and the fourth, fifth, and sixth subkeys for the round. It differs from the first f-function in these particulars:
  - The intermediate results are not saved.
  - The first S-box stage consists of placing all four bytes of the current result into the compound S-box S1/S3. For each byte, the corresponding bit from bits 1 to 4 of the first f-function output indicates whether that S-box acts like S1 or like S3 for that byte.
  - The second S-box stage consists of placing all four bytes of the current result into the compound S-box S2/S4. For each byte, the corresponding bit from bits 5 to 8 of the first f-function output indicates whether that S-box acts like S2 or like S4 for that byte.
- The third f-function is calculated using its input and the seventh, eighth, and ninth subkeys for the round. It is very similar to the second f-function, but the S-boxes are again slightly different, as follows:
  - As with the second f-function, the intermediate results are not saved.
  - The first S-box stage consists of placing all four bytes of the current result into the compound S-box S1/S4. For each byte, the corresponding bit from bits 9 to 12 of the first f-function output indicates whether that S-box acts like S1 or like S4 for that byte.
  - The second S-box stage consists of placing all four bytes of the current result into the compound S-box S2/S3. For each byte, the corresponding bit from bits 13 to 16 of the first f-function output indicates whether that S-box acts like S2 or like S3 for that byte.
- The fourth subblock is the one that undergoes the most thorough modification, the change that is the point of the round. (The changes to the second and third subblocks were an afterthought that may create the risk of a weakness in the cipher, but they were necessary to make it possible for the cipher to be secure after only eight rounds, instead of the thirty-two that might be needed if only one subblock were modified in each round.) This modification proceeds as follows:
  - The four bytes of the subblock are substituted using S-box S5, with bits 17 through 20 of the first f-function output used as the most significant bit of the S-box input for each byte (this switches between two different permutations of the numbers 0 through 255).
  - The output of the second f-function is applied to the result. Bits 29 through 32 of the first f-function output determine whether each byte of the second f-function output is XORed (0) or added (1).
  - The four bytes of the subblock are substituted using S-box S6, with bits 21 through 24 of the first f-function output supplying the most significant bit of the S-box input for each byte.
  - The output of the third f-function is applied to the result. The same bits 29 through 32 of the first f-function output determine whether each byte of the third f-function output is added (0) or XORed (1), so that each byte position receives one XOR and one addition. (This use of an addition or an XOR followed by its opposite is, of course, reminiscent of SAFER.)
  - The four bytes of the subblock are now substituted using S-box S7, with the most significant bit of each S-box input coming from bits 25 through 28 of the first f-function output.
This involved procedure constitutes the round. After each round except the last, a step corresponding to the swap of left and right halves of the block in DES is performed. Here, however, the movement of individual bytes is involved. Bytes

 1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16

become

15 16  8 11 13  1  9 10  2 14  5  6  7  4  3 12

if the number of rounds is a multiple of 16, and

 5 10 15 16  9 14  3 12 13  6  7  4  1  2 11  8

if that is not the case (but the number of rounds must still be a multiple of 4, and must be at least 8). Both byte permutations are presented as a series of 16 numbers giving the number of the source byte for each byte in the result, in order. It might be noted that some time before I designed Quadibloc II, the idea of using different operations in a block cipher, based on a data-dependent result in the cipher, played an important role in the block cipher "Anigma" designed by Kostadin Bajalcaliev.
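An added example (mine, not from the page) of the two byte interchanges, and of the difference between "fetch" and "dispatch" forms, which matters again under Key Generation below, where the key-dependent byte transpositions are built from S8 in dispatch form and some of them are applied inverted. The S8 used in the usage is a stand-in affine permutation, not a real key-dependent S-box.

```python
from typing import List, Sequence

# The two fixed byte interchanges in the page's "fetch" form, 1-based:
# entry i is the number of the source byte that lands in position i.
FETCH_MULT16 = [15, 16, 8, 11, 13, 1, 9, 10, 2, 14, 5, 6, 7, 4, 3, 12]
FETCH_OTHER = [5, 10, 15, 16, 9, 14, 3, 12, 13, 6, 7, 4, 1, 2, 11, 8]


def check_permutation(p: Sequence[int], base: int = 1) -> None:
    if sorted(p) != list(range(base, base + len(p))):
        raise ValueError("not a permutation of %d..%d" % (base, base + len(p) - 1))


def apply_fetch(block: bytes, fetch: Sequence[int]) -> bytes:
    """out[i] = block[fetch[i] - 1]: each position fetches its source byte."""
    check_permutation(fetch)
    return bytes(block[s - 1] for s in fetch)


def apply_dispatch(block: bytes, dispatch: Sequence[int]) -> bytes:
    """out[dispatch[i]] = block[i]: each byte is sent to its destination (0-based)."""
    check_permutation(dispatch, base=0)
    out = bytearray(len(block))
    for i, d in enumerate(dispatch):
        out[d] = block[i]
    return bytes(out)


def fetch_to_dispatch(fetch: Sequence[int]) -> List[int]:
    """Convert 1-based fetch form to 0-based dispatch form of the same permutation."""
    dispatch = [0] * len(fetch)
    for i, s in enumerate(fetch):
        dispatch[s - 1] = i
    return dispatch


def invert_fetch(fetch: Sequence[int]) -> List[int]:
    """Fetch form (1-based) of the inverse permutation."""
    inv = [0] * len(fetch)
    for i, s in enumerate(fetch):
        inv[s - 1] = i + 1
    return inv


def dispatch_as_fetch(dispatch: Sequence[int]) -> List[int]:
    """Reading a dispatch list as a fetch list (after re-basing to 1) applies the
    INVERSE permutation; this is the usual way the two forms get confused."""
    return [d + 1 for d in dispatch]


def byte_perm_from_sbox(s8: Sequence[int], high_nibble: int) -> List[int]:
    """Key-dependent byte transposition in dispatch form: scan S8 in order and,
    for each entry whose high nibble is high_nibble, send byte k (k = 0, 1, ...)
    to the position given by the entry's low nibble. Because S8 is a permutation
    of 0..255 there are exactly 16 such entries with 16 distinct low nibbles."""
    check_permutation(s8, base=0)
    return [e & 0x0F for e in s8 if (e >> 4) == high_nibble]
```

Feeding the bytes 1 to 16 through a fetch-form table returns the table itself, which is a quick way to see which convention a table is in.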
Key Generation
Each round of Quadibloc II requires nine 32-bit subkeys. In addition, the extra scrambling phases at the beginning and end of the cipher require four subkeys each. Thus, 8-round Quadibloc II uses 80 subkeys, from K1 to K80, requiring 320 bytes of RAM. The key for Quadibloc II must be at least eight bytes, or 64 bits, long, and may be any whole number of bytes up to twice the total size of the subkeys plus sixteen bytes, or 128 bits. Many maximum-length keys will lead to duplicate internal key states of the cipher, of course; this maximum is an absolute maximum, beyond which some bits of the key will simply be ignored in the keying process. As well, S8, the key-dependent S-box, is subkey material, and requires an additional 256 bytes of RAM. This total requirement of 576 bytes of RAM is the amount of storage needed for a key after key generation, which may have to be nonvolatile in some applications; additional RAM is of course also needed for scratchpad storage in calculations, particularly during key generation.
Note: the bytes of S8 are stored as single bytes; they do not need to be expanded to four-byte entries to speed up a permutation, as is true of the fixed S-boxes S1 through S4, and the inverse of S8 is not required for deciphering, unlike S-boxes S5 through S7; the S-box requiring the least storage was chosen as the key-dependent one. (Having a key-dependent S-box, of course, is a way to achieve a high degree of resistance to differential and linear cryptanalysis.)
Initially, the subkeys are filled in the following order:

K1  K2  K3  K4
K5  K8  K11 K6  K9  K12 K7  K10 K13
K14 K17 K20 K15 K18 K21 K16 K19 K22
K23 K26 K29 K24 K27 K30 K25 K28 K31
...
K68 K71 K74 K69 K72 K75 K70 K73 K76
K77 K78 K79 K80

and so on; thus the subkeys are filled for one round before going on to the next, but the first subkey for each f-function is filled before the second subkey for each f-function, and so on. The subkeys for the degenerate rounds are just filled in numerical order, the first four at the start, and the last four at the end.

They are filled from the following sources, in turn. First, the actual key is placed directly into the subkeys. It must consist of a whole number of bytes, and be at least eight bytes long, for the rest of the procedure to work. Next, generate additional bytes of initial subkey material as follows. Fill A1, A2, A3, and B1, B2, B3, B4, and B5 with the first eight bytes of the key, in order. Initialize the variable Q to zero. Split the key into two pieces as follows, where L is the number of bytes in the key:
- If L is odd, the first piece consists of the first (L+1)/2 bytes of the key, and the second piece of the remaining bytes of the key. Then increase each piece in length by one byte by appending to it the one's complement of the first byte in the piece.
- If L is an even number of the form 4n, the first piece consists of the first (L/2)+1 bytes of the key, and the second piece of the remaining bytes of the key. Then increase each piece in length by two bytes by appending to it the one's complement of the first two bytes in the piece.
- If L is an even number of the form 4n+2, the first piece consists of the first (L/2)+2 bytes of the key, and the second piece of the remaining bytes of the key. Then increase each piece in length by two bytes by appending to it the one's complement of the first two bytes in the piece.
In the first case, the lengths of the two pieces are two consecutive numbers, one even and one odd. In the second case, they are two odd numbers differing by two. In the third case, they are two odd numbers differing by four. In all three cases, the lengths of the two pieces are relatively prime, and uniquely identify the length of the original key. Each piece is then used as the initial contents of a shift register, which operates as follows: the sum, modulo 256, of the first and third bytes in the shift register is XORed with the second-last byte in the shift register. The result is used as the output of the shift register, and also becomes the new last byte in the shift register, all other bytes being moved one place earlier and the first byte being discarded. Each byte generated by XORing the outputs of the two shift registers is then transformed by carrying out the following instructions:
For each of the numbers 0 to 4, do the following:

- Add the contents of A1 to the number, modulo 256.
- Replace that number by its substitute in S-box 5a (that is, the first half of S-box 5: an S-box with 8 bits of input as well as 8 bits of output, obtained by setting the most significant bit of the input to 0).
- Add the contents of A2 to the result, modulo 256.
- Replace that number by its substitute in S-box 5b (the second half of S-box 5).
- Add the contents of A3 to the result, modulo 256.
Modify the variables B1 through B5 by adding, modulo 256, the results of this process for the numbers 0 to 4, respectively, to them. (This is a permanent change; for each byte generated, new values are added to them, and the totals are cumulative.) Now, generate a byte from the two shift registers containing the two unequal pieces of the key, as outlined above. Add Q to that byte, modulo 256. Put that byte through the following process:
- Add the contents of B1 to the number, modulo 256.
- Replace that number by its substitute in S-box 6a (the first half of S-box 6).
- XOR the result with the contents of B2.
- Replace that number by its substitute in S-box 6b (the second half of S-box 6).
- Add the contents of B3 to the result, modulo 256.
- Replace that number by its substitute in S-box 7a (the first half of S-box 7).
- XOR the result with the contents of B4.
- Replace that number by its substitute in S-box 7b (the second half of S-box 7).
- Add the contents of B5 to the result, modulo 256.
The result of this process is the output byte, to be placed in the subkeys. The output byte is also stored in the variable Q. One more step, however, remains in the process: the variables A1, A2, and A3 are changed (just as B1 through B5 have already been changed) as follows: increment A2. If A2 wraps around, being incremented from 255 to zero, increment A1. If A1 wraps around, increment A3.

An initial value for S8, the key-dependent S-box, is generated as follows:
- Generate three permutations of the numbers from 0 to 255 from the subkeys by the following procedure:
  - Use successive bytes from the subkeys, starting with the leftmost (most significant) byte of subkey K1, and going through the subkeys in numerical order, that is, K1, K2, K3, K4, ..., and then starting where one has left off for subsequent permutations.
  - Each permutation is generated by the use of either 512 or, under some rare circumstances, only 256 bytes. Note that 8-round Quadibloc II has only 320 bytes of subkey (4 bytes times 9 subkeys times 8 rounds, plus 8 additional subkeys for the start and finish); therefore additional bytes need to be generated for this version of Quadibloc II, and for other versions without a sufficiently large number of rounds. The SIGABA-like procedure used initially to extend the key is used for this, but with some modifications. In this case, A1 through B5 are filled with the last eight subkey bytes (the first eight contain the first eight bytes of the key, which were previously used to fill A1 through B5, and reusing them would cause the generation process here to partially repeat the operations of the earlier generation process), and the input byte to the process is obtained from a single shift register, similar in form to each of the two shift registers using pieces of the original key, which initially contains all of the subkeys, including the last eight bytes.
  - A permutation is generated as follows:
    - Begin with three arrays of 256 numbers, the first of which is filled with the numbers from 0 to 255 in order. The arrays must also be able to hold the value -1, which serves as an "empty" marker. The second and third arrays are filled with -1.
    - For each byte used: let the value of the byte be called N, and let I be a counter which starts at 0 for the first byte, increments with each byte used, and ends at 255. Then, for each byte:
      - If element N of the first array is not -1, set element N of the first array to -1, and set element I of the second array to N.
      - Otherwise, store N in the first unused position (the first position containing -1) in the third array.
    - Once this has been done, if the third array contains any numbers other than -1, proceed as follows:
      - If there is only one filled (not equal to -1) element in the third array, then there is only one remaining element in the first array, and one element of the second array equal to -1, so fill that element of the second array with the one available byte, and finish.
      - If there are only two filled elements in the third array, take the least significant bit of the first filled element. If it is zero, fill the -1 elements of the second array with the remaining elements of the first array in order; if it is one, do so in reverse order, and finish.
      - If there are fewer than 256 filled elements in the third array, repeat them over and over to fill the array. Then take an additional 256 input bytes (thus, 512 bytes are used except when the first 256 bytes contain two or fewer duplicate bytes) and XOR them with the bytes of the third array.
      - Now, use the third array to complete the second array by doing the following for II from 0 to 255:
        - Let the value of element II of the third array be XX.
        - Swap elements II and XX of the first array.
        - Then, scan through the second array. When an element of the second array is -1, fill it with the corresponding element of the first array (if that is not also -1) and set that element of the first array to -1.
      - If there are any -1 elements left in the second array, fill them with the elements of the first array that are not -1, in order.
- The three permutations obtained in this manner are used to generate a key-dependent S-box as follows:
  - For N from 0 to 255:
    - Set A to be element N of the first permutation; set B to be element N of the second permutation; and set C to be element B of the third permutation.
    - Set element A of the S-box equal to C.
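The permutation-from-bytes procedure and the three-permutation combination, as an added example in Python (my reading of the text above, not the author's code). The byte source is any iterator of bytes; the LCG at the end is a constructed stand-in for the subkey byte stream, used only to exercise the branch with three or more duplicates, and the marker written as "1" in some copies of this page is the -1 "empty" value.

```python
from typing import Iterator, List

EMPTY = -1  # the "-1" marker of the description: an array slot not yet filled


def permutation_from_bytes(src: Iterator[int]) -> List[int]:
    """Build one permutation of 0..255 from 256 (or 512) source bytes.

    The second array collects each byte value at its first occurrence, the
    third array collects the duplicates, and the values never seen (still in
    the first array) are then placed into the holes of the second, either
    directly (0, 1 or 2 duplicates) or after a duplicate-driven scramble.
    """
    first = list(range(256))
    second = [EMPTY] * 256
    third = [EMPTY] * 256
    dups = 0
    for i in range(256):
        n = next(src) & 0xFF
        if first[n] != EMPTY:      # first time this value is seen
            first[n] = EMPTY
            second[i] = n
        else:                      # a repeat: remember it in the third array
            third[dups] = n
            dups += 1

    leftover = [v for v in first if v != EMPTY]   # values never seen, in order
    if dups == 0:
        return second
    if dups == 1:                  # one hole, one value: nothing to decide
        second[second.index(EMPTY)] = leftover[0]
        return second
    if dups == 2:                  # two holes: order decided by one bit
        if third[0] & 1:
            leftover.reverse()
        for v in leftover:
            second[second.index(EMPTY)] = v
        return second

    # Three or more duplicates: cycle them to fill the third array, then XOR
    # in 256 further source bytes (512 bytes consumed in total).
    third = [third[i % dups] ^ (next(src) & 0xFF) for i in range(256)]
    for ii in range(256):
        xx = third[ii]
        first[ii], first[xx] = first[xx], first[ii]
        for j in range(256):
            if second[j] == EMPTY and first[j] != EMPTY:
                second[j] = first[j]
                first[j] = EMPTY
    for v in [v for v in first if v != EMPTY]:
        second[second.index(EMPTY)] = v
    return second


def sbox_from_permutations(p1: List[int], p2: List[int], p3: List[int]) -> List[int]:
    """S8[A] = C with A = p1[N], B = p2[N], C = p3[B]; a permutation because p1 is."""
    sbox = [0] * 256
    for n in range(256):
        sbox[p1[n]] = p3[p2[n]]
    return sbox


def lcg_bytes(seed: int) -> Iterator[int]:
    """Constructed stand-in byte source (a plain LCG), NOT the subkey stream."""
    x = seed & 0x7FFFFFFF
    while True:
        x = (1103515245 * x + 12345) & 0x7FFFFFFF
        yield (x >> 16) & 0xFF


def is_permutation(p: List[int]) -> bool:
    return sorted(p) == list(range(256))
```

The small cases are worth checking by hand: a source that delivers 0 to 255 in order yields the identity with only 256 bytes consumed, and a source that delivers 0 to 253 followed by 1 and then 0 has two duplicates whose first entry is odd, so the two holes are filled in reverse order and the last two entries come out as 255, 254.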
The key-dependent byte transpositions used at the beginning and end of the cipher are derived from the key-dependent S-box S8 as follows: the first permutation consists in taking bytes 0, 1, ..., 15 to the bytes indicated by the least significant nibbles of the S-box entries in S8 of the form 0x in hexadecimal, taken in the order in which they are found. (Since S8 is a permutation of 0 to 255, there are exactly sixteen such entries, with sixteen distinct low nibbles, so this always yields a permutation.) Note that this builds up the permutation in "dispatch" form, while all the fixed permutations in this description of Quadibloc II are given in "fetch" form. The second permutation is built up from the bytes of the form 1x in hexadecimal. The third one, which takes place after the rounds are completed, is the inverse of the one built up from the bytes of the form 9x in hexadecimal, and the fourth one is the inverse of the one built up from the bytes of the form 8x in hexadecimal.

Then, the actual key sequence used for encipherment is generated by the following procedure. Using as the plaintext block the last 128 bits of the key, if the key is 128 bits long or more, or otherwise the key repeated as many times as required to fill a 128-bit block (starting from the beginning, not working backwards from the end), encipher it using the initial key schedule generated above, but with the following modifications. The intermediate results of all three f-functions are saved. The following nine 32-bit words are produced from each round of the encipherment process:
- The first intermediate result of the first f-function XOR the final value of the fourth subblock
- The second intermediate result of the first f-function
- The first f-function output
- The first intermediate result of the second f-function XOR the initial value of the fourth subblock
- The second intermediate result of the second f-function
- The second f-function output
- The first intermediate result of the third f-function
- The second intermediate result of the third f-function
- The third f-function output
Also, the degenerate rounds produce their f-function outputs as well, so exactly one 32-bit output is produced for every subkey. After each round of the encipherment process which is used to generate the final subkeys, the nine words above are XORed to nine subkeys. The four f-function outputs of the degenerate rounds are also used, so the number of words used equals the number of subkeys; each set of four degenerate rounds is treated as a single round, in that the four results are not applied to the subkeys until the set of four rounds has been performed completely. The sequence of subkeys to which they are applied is as follows (reading across):

K80 K79 K78 K77
K76 K75 K74 K73 K72 K71 K70 K69 K68
K67 K66 K65 K64 K63 K62 K61 K60 K59
...
K49 K48 K47 K46 K45 K44 K43 K42 K41
K40 K39 K38 K37 K36 K35 K34 K33 K32
K31 K30 K29 K28 K27 K26 K25 K24 K23
K22 K21 K20 K19 K18 K17 K16 K15 K14
K13 K12 K11 K10 K9  K8  K7  K6  K5
K4  K3  K2  K1
thus, first the last subkey of each round is modified, then the second-last subkey of each round, and so on. The subkeys are modified before the encipherment is completed, but only after each round is completed. The subkeys used in the degenerate rounds are placed in the sequence as well as possible. The intermediate values applied are taken from those generated by the subkeys in their numerical order. Once the subkeys have been modified in this manner, if the size of the key was greater than the total size of the subkeys, any remaining bytes in the key are to be XORed with the subkeys that are now present, using the same order as was used for initially filling the subkey space, K1, K2, K3, K4, K5, K8, K11, K6, ... et cetera. Allowing the key to be larger than the total size of the subkeys, of course, doesn't make sense after a point; but if the excess is small, the main result is to make it possible for the same set of subkeys to be accompanied by different values of the key-dependent S-box S8. Then, the same procedure used to generate the initial value of S8 from the initial subkeys is applied to the final subkeys. Since the subkeys may not have enough bytes in them to supply the permutation-generating process, the SIGABA-like procedure of generating additional bytes is used again, as done previously for generating the initial value of S8. Once again, A1 through B5 are filled from the last eight subkey bytes, and the earlier subkey bytes are divided into two almost equal parts, as was done with the key previously. The generated result, however, is not used as the final value of S8. Instead, each element of S8 is replaced by the value it points to in this result; that is, for N from 0 to 255, S8(N) becomes R(S8(N)). (Thus, S8 depends on both the old and new subkeys, and doesn't relate to the current subkeys in a simple way.) The new value of S8 is also used, as the old value was above, to provide the four key-dependent byte transpositions which begin and end the cipher.
One may, if one wishes, view the subkeys (other than those of the degenerate rounds) as belonging to a rectangular prism of 32-bit words, accessed in three different directions, which is evocative of Rijndael.
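The key-splitting and shift-register stage of the SIGABA-like byte generator described under Key Generation above, as an added example in Python (mine, not the author's implementation). S-boxes 5a, 5b, 6a, 6b, 7a and 7b are not given on this page, so stand-in affine permutations are substituted and named as such; the splitting rule, the register, and the A/B/Q bookkeeping follow the text as I read it. The helpers at the end check the claim that the two piece lengths are always relatively prime and identify the original key length.

```python
from itertools import islice
from math import gcd
from typing import Iterator, List, Tuple


def split_key(key: bytes) -> Tuple[bytes, bytes]:
    """Split the key into two pieces of relatively prime lengths."""
    L = len(key)
    if L < 8:
        raise ValueError("Quadibloc II keys are at least eight bytes long")
    if L % 2 == 1:        # odd: pieces (L+1)/2 and (L-1)/2, each extended by one byte
        cut, ext = (L + 1) // 2, 1
    elif L % 4 == 0:      # 4n: pieces L/2+1 and L/2-1, each extended by two bytes
        cut, ext = L // 2 + 1, 2
    else:                 # 4n+2: pieces L/2+2 and L/2-2, each extended by two bytes
        cut, ext = L // 2 + 2, 2
    pieces = []
    for piece in (key[:cut], key[cut:]):
        # append the one's complement of the piece's own first `ext` bytes
        pieces.append(piece + bytes((~b) & 0xFF for b in piece[:ext]))
    return pieces[0], pieces[1]


class ShiftRegister:
    """output = ((r[0] + r[2]) mod 256) XOR r[-2]; the output becomes the new
    last byte and every other byte moves one place earlier."""

    def __init__(self, seed: bytes) -> None:
        if len(seed) < 3:
            raise ValueError("register needs at least three bytes")
        self.r = list(seed)

    def step(self) -> int:
        out = ((self.r[0] + self.r[2]) & 0xFF) ^ self.r[-2]
        self.r = self.r[1:] + [out]
        return out


def raw_stream(key: bytes) -> Iterator[int]:
    """XOR of the two registers seeded with the two extended key pieces."""
    left, right = (ShiftRegister(p) for p in split_key(key))
    while True:
        yield left.step() ^ right.step()


def standin_sbox(mult: int, add: int) -> List[int]:
    """Stand-in 8x8 permutation (odd multiplier); S5a..S7b are not on the page."""
    return [(mult * x + add) & 0xFF for x in range(256)]


S5A, S5B, S6A, S6B, S7A, S7B = (standin_sbox(m, c) for m, c in
                                ((37, 11), (91, 200), (53, 7), (167, 99), (29, 150), (111, 42)))


def expanded_key_stream(key: bytes) -> Iterator[int]:
    """The SIGABA-like generator: A1..A3, B1..B5 start as the first eight key bytes."""
    A = list(key[:3])
    B = list(key[3:8])
    Q = 0
    raw = raw_stream(key)
    while True:
        # Stir B1..B5 with five bytes derived from A1..A3 and the halves of S5.
        for i in range(5):
            x = S5A[(i + A[0]) & 0xFF]
            x = S5B[(x + A[1]) & 0xFF]
            B[i] = (B[i] + x + A[2]) & 0xFF
        # One raw byte plus the previous output Q, through the B/S6/S7 chain.
        x = (next(raw) + Q) & 0xFF
        x = S6A[(x + B[0]) & 0xFF]
        x = S6B[x ^ B[1]]
        x = S7A[(x + B[2]) & 0xFF]
        x = S7B[x ^ B[3]]
        x = (x + B[4]) & 0xFF
        Q = x
        yield x
        # Advance A2, carrying into A1 and then into A3.
        A[1] = (A[1] + 1) & 0xFF
        if A[1] == 0:
            A[0] = (A[0] + 1) & 0xFF
            if A[0] == 0:
                A[2] = (A[2] + 1) & 0xFF


def piece_lengths(L: int) -> Tuple[int, int]:
    a, b = split_key(bytes(L))
    return len(a), len(b)


def coprime_lengths(L: int) -> bool:
    a, b = piece_lengths(L)
    return gcd(a, b) == 1


def first_bytes(key: bytes, n: int) -> List[int]:
    return list(islice(expanded_key_stream(key), n))
```

For the minimum eight-byte key the extended pieces are 7 and 5 bytes long, for nine bytes 6 and 5, and for ten bytes 9 and 5; the pair of lengths differs for every key length because the two lengths always differ by 1, 2 or 4 according to which of the three cases applied.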
An Even More Secure Variation
If you have time to encipher your data with 40 rounds of Quadibloc II, I have a variation for you. A diagram giving an overview of this variation is provided. First come the tiny Feistel rounds, the key-dependent byte permutation (derived from the 0x bytes), the initial degenerate four-subkey series of rounds, and another key-dependent byte permutation (derived from the 1x bytes); then a second layer of tiny Feistel rounds, another key-dependent byte permutation (derived from the 4x bytes), another series of four degenerate rounds, and another key-dependent byte permutation (derived from the 5x bytes). Then, four rounds of Quadibloc II, with the byte interchange after the first three rounds following the pattern for a multiple of four rounds that is not a multiple of 16 rounds. Now the whitening sequence is repeated, again beginning with a series of miniature Feistel rounds. Then another key-dependent byte permutation, derived from the elements of S8 of the form 2x. Another degenerate four rounds. A key-dependent byte permutation derived from the 3x elements of S8. Miniature Feistel rounds, permutation (6x), degenerate four rounds, permutation (7x). Thirty-two rounds of Quadibloc II, but with the additional XORs of the second and third subblocks with the two intermediate values from the f-function of the first subblock omitted. The byte interchange after the first 31 of these rounds is as for a multiple of 16 rounds. A key-dependent byte permutation, the inverse of the one derived from the elements of S8 of the form Fx. Another degenerate four rounds. The inverse of the Ex byte transposition from S8. Miniature Feistel rounds in inverse form. A key-dependent byte permutation, the inverse of the one derived from the elements of S8 of the form Bx. Another degenerate four rounds. The inverse of the Ax byte transposition from S8. Miniature Feistel rounds in inverse form.
Four rounds of Quadibloc II. The final three-step whitening sequence, plus the tiny Feistel rounds and byte transpositions, all repeated twice. The byte transpositions are the inverses of those derived from the elements of S8 of the forms Dx, Cx, 9x, and 8x. By restricting the perhaps dangerous, but diffusion-enhancing, XOR of intermediate results to the outer eight Quadibloc rounds, one has a diffusing outer part and a secure core. This, of course, comes even closer to the design of MARS. Note that for this variation, when the keys are initially filled, the thirty-two subkeys for the four sets of degenerate rounds stand outside the sequence, sixteen at the start and sixteen at the end; and when the keys are modified, the subkeys for the first four degenerate rounds are at the left of the top four rows, and those for the last four at the right of the bottom two rows. Thus, the order for initially filling the keys is as follows:

K1   K2   K3   K4
K5   K6   K7   K8
K9   K12  K15  K10  K13  K16  K11  K14  K17
K18  K21  K24  K19  K22  K25  K20  K23  K26
K27  K30  K33  K28  K31  K34  K29  K32  K35
K36  K39  K42  K37  K40  K43  K38  K41  K44
K45  K46  K47  K48
K49  K50  K51  K52
K53  K56  K59  K54  K57  K60  K55  K58  K61
...
K332 K335 K338 K333 K336 K339 K334 K337 K340
K341 K342 K343 K344
K345 K346 K347 K348
K349 K352 K355 K350 K353 K356 K351 K354 K357
...
K376 K379 K382 K377 K380 K383 K378 K381 K384
K385 K386 K387 K388
K389 K390 K391 K392
and the order for adjusting the keys from f-function outputs and intermediate results is:

K392 K391 K390 K389   K384 K383 K382 K381 K380 K379 K378 K377 K376
K388 K387 K386 K385   K375 K374 K373 K372 K371 K370 K369 K368 K367
K348 K347 K346 K345   K366 K365 K364 K363 K362 K361 K360 K359 K358
K344 K343 K342 K341   K357 K356 K355 K354 K353 K352 K351 K350 K349
                      K340 K339 K338 K337 K336 K335 K334 K333 K332
                      ...
                      K26  K25  K24  K23  K22  K21  K20  K19  K18    K52 K51 K50 K49 K48 K47 K46 K45
                      K17  K16  K15  K14  K13  K12  K11  K10  K9     K8  K7  K6  K5  K4  K3  K2  K1
Other modifications to Quadibloc II are possible. The following illustration:
shows how the basic Quadibloc II round can be modified to double the size of the S-boxes in the f-functions for the second and third subblocks; one S-box, made from S-boxes 1 through 4, is used, so two extra nonlinearity bits are used as input. This function uses all 32 nonlinearity control bits produced as the output of the f-function of the first subblock. Instead of using S-boxes S5 through S7 singly, they are used in pairs on the fourth subblock, and so the extra nonlinearity bits required here are doubled as well. An additional 32 nonlinearity control bits are created from the XOR of one intermediate result from the f-function of the second subblock and the other intermediate result from the f-function of the third subblock. As switching between addition and XOR for applying the f-function outputs directly to the fourth subblock requires only one bit per byte, the remaining four bits are used to switch the addition operation to a subtraction operation. The other major modification in this extended variant of the basic round is to use S8 in the same manner as in the initial whitening phase, to promote diffusion within the fourth subblock. However, I find the following variation on the basic Quadibloc II round even more interesting:
Here, two other intermediate values in the f-function of the first subblock are used to form a 32-bit value used for an ICE-style interchange between the f-functions of the second and third subblocks. The interchange takes place just before S8 is applied, thus ensuring that it significantly alters the f-function outputs applied to the fourth subblock. As well, a micro-Feistel layer is used, as in the doubled-nonlinearity variant, but this time to modify the first subblock, so that all four subblocks are changed, and changed in a key-dependent way, by every round (the changes to the first three subblocks depend on the first subblock as well as the key, while those to the fourth subblock depend on all of the first three subblocks). To proceed further, we can also have the following type A round:
with its corresponding round of type B:
which adds some additional operations to the round structure. Not wishing to give up being endianneutral, instead of throwing in a PseudoHadamard Transform between the second and third subblocks, I used an XOR but used S8 to avoid it cancelling out. The intent is merely to have an alteration to those subblocks that is slightly more involved than a simple XOR of intermediate ffunction results from the first subblock, but a little bit of propagation between bytes is achieved by displacing bytes before the second XOR. Also added is an interaction, taken from the block cipher 3Way, between three of the subblocks. This places a very small (3 bits input and output) nonlinear Sbox in the cipher that operates on corresponding bits in the three subblocks. Since it either operates on all but the first subblock, or all but the fourth subblock, two round types were required to make the cipher equally secure against attacks from either direction. (The deciphering form of the round could also be used, but that of course creates the slim possibility of some rounds partly undoing the work of other rounds.) Since each bit of the output is the bit of the input XOR a function of the other two bits that is 1 most of the time, the identities of the bits are in a sense preserved; thus, it does not appear that the apparent danger of information leaking past the involved transformation of the fourth subblock is a genuine concern. In addition, the type A rounds are used at the beginning, and the type B rounds at the end, so that any leakage is towards the inside of
the block cipher rather than towards the outside. Since the first subblock is aloof from the values and changes in the other three subblocks, the interaction between the last three subblocks does not prevent the round from being invertible, even though it happens after the XOR of intermediate results from the ffunction of the first subblock. The interaction between the first three subblocks does not prevent the round from being invertible, because the operations taking place before it are all selfcontained. In analyzing Quadibloc II, it may be interesting to examine how it could be attacked if part of the internal key is known. If S8 is known, Quadibloc II becomes a more conventional block cipher. Is the conventional part of it still reasonably strong? If the conventional subkeys, but not S8, are known, but not the intermediate subkey values, can part of the generation of S8 still be retraced? With only a small part of the internal operations of the cipher controlled by the secret part of the key, can cryptanalysis trace enough to obtain information about S8?
Quadibloc III
Quadibloc III is an extension of Quadibloc II which uses a different type of block cipher as its inner core. It too uses a 128-bit block size. Unlike Quadibloc II, which, at least with only eight full rounds, is not too much slower than a typical AES candidate (although it isn't fully clear to me if eight rounds is enough for security), Quadibloc III, while secure, is clearly too slow and complicated to be useful for practical purposes. Its value is that it illustrates a number of concepts which may be useful in ciphers of a more practical size. Here is a diagram giving an overview of the structure of Quadibloc III, to accompany a description of its rounds. The steps in the cipher are symmetric, and they are as follows:
- Small Feistel rounds, using no subkeys, but using the key-dependent S-box S8 as their f-function, transforming 16-bit subblocks of the block.
- Key-dependent permutation (derived from the 0x elements of S8) of the bytes in the block.
- Four simple rounds, using a single-level f-function, that are aimed at obtaining high diffusion, and which use 32-bit subkeys K1 through K4.
- Key-dependent permutation (derived from the 1x elements of S8) of the bytes in the block.
- Eight normal Quadibloc II rounds, each of which uses nine subkeys, the first using subkeys K5 through K13, the last using subkeys K68 through K76.
- Key-dependent permutation (derived from the 2x elements of S8) of the bytes in the block.
- Two rounds of a form of Mishmash, whose large quantity of subkeys is generated after the contents of S10 and S11, and by the same process. These rounds use fixed Quadibloc subkeys for one half of the block, the subkeys being K77 through K88 for the encipherment of that half of the block, and K89 through K100 for the f-functions applied to the intermediate f-function results, for the first Mishmash round, and K101 through K124 for the second Mishmash round.
- Key-dependent permutation (derived from the 3x elements of S8) of the bytes in the block.
- Sixteen rounds in which the block is enciphered as follows:
  - one 16-bit subblock is enciphered by four Feistel rounds, using S8 as the f-function, but this time preceded by the XOR of a subkey byte;
  - the results of the XOR are used as intermediate results, and are fed into the S-box S9;
  - the four S9 outputs produce a 32-bit result whose first 16 bits are the first four bits of each of their outputs, and whose last 16 bits are the last four bits of each of their outputs;
  - this result is then enciphered by means of four Feistel rounds, where the f-function consists of first XORing in a 16-bit half of a subkey, then using the two bytes of the result to index into two key-dependent S-boxes, S10 and S11, which each take an 8-bit input and give a 16-bit output. The sum of the two outputs is XORed with the other half of the 32-bit block;
  - the 32-bit result of this process is used, as the 32-bit subkey was used initially, to encipher a further 16 bits of the block, and this continues until the entire 128-bit block has been enciphered in 16-bit pieces.
  These sixteen rounds each use fifteen subkeys; the first one uses subkey K125 to supply the four bytes used for enciphering the first 16-bit subblock, and then subkeys K126 through K139, two at a time, for enciphering the 32-bit intermediate results from enciphering one subblock to produce the 32-bit input used to encipher the next one, and the last one uses subkeys K350 through K364.
- Then, the preceding steps are done in reverse order, with the key-dependent byte permutations now being the inverses of the ones derived from the Bx, Ax, 9x, and 8x elements of S8, and with the two Mishmash rounds using subkeys K365 through K412, the eight normal Quadibloc II rounds using subkeys K413 through K484, and the set of four degenerate rounds using subkeys K485 through K488.
The Middle Rounds (GoodStuff)
The following diagram illustrates the method used for the middle 16 rounds of Quadibloc III:
Using four eight-bit subkeys (derived from a single 32-bit subkey, to remain within the overall structure derived from Quadibloc II), four Feistel rounds are used to encipher a 16-bit subblock; in the first round, the right half is XORed with the first subkey, then replaced through S8, then added to the left half. The direction of the f-function alternates from right-to-left to left-to-right, and in the two outer rounds the subkey is XORed and the f-function output added, while in the two inner rounds the subkey is added and the f-function output XORed. The four intermediate results of the f-functions, derived before S8 substitution, are used to index into the fixed S-box S9. The S-box outputs are used to form a 32-bit word consisting of the first nibbles of the four substituted results in order, then the second nibbles. (Since, looking sideways, the bottom, rather than the top, of the previous four rounds is to the left, the diagram shows that the order needs to be reversed when drawing a left-to-right round of this cipher, by means of a twist upon entry to and exit from the horizontal Feistel rounds.)
The resulting 32-bit word is then itself enciphered by four Feistel rounds of a cipher which, like Blowfish, uses wide key-dependent S-boxes in the f-function. Here, four 16-bit subkeys are used, and so they are derived from two 32-bit regular subkeys. The final interchange is not omitted; alternatively, the rounds can be thought of, as they are drawn, in in-place format, with the first round going from right to left (or, in the diagram, top to bottom).
If the first set of four Feistel rounds operating on a 16-bit subblock is denoted by 1, the second by 2, and so on, and angle brackets are used to show how one round provides the subkey input for the next, the pattern of rounds used in this phase is as follows:

  1 > 2 > 3 > 4 > 5 > 6 > 7 > 8
  8 < 7 < 6 < 5 < 4 < 3 < 2 < 1
> 8   1 > 2 > 3 > 4 > 5 > 6 > 7 >
< 1   8 < 7 < 6 < 5 < 4 < 3 < 2 <
> 7 > 8   1 > 2 > 3 > 4 > 5 > 6 >
< 2 < 1   8 < 7 < 6 < 5 < 4 < 3 <
> 6 > 7 > 8   1 > 2 > 3 > 4 > 5 >
< 3 < 2 < 1   8 < 7 < 6 < 5 < 4 <
> 5 > 6 > 7 > 8   1 > 2 > 3 > 4 >
< 4 < 3 < 2 < 1   8 < 7 < 6 < 5 <
> 4 > 5 > 6 > 7 > 8   1 > 2 > 3 >
< 5 < 4 < 3 < 2 < 1   8 < 7 < 6 <
> 3 > 4 > 5 > 6 > 7 > 8   1 > 2 >
< 6 < 5 < 4 < 3 < 2 < 1   8 < 7 <
> 2 > 3 > 4 > 5 > 6 > 7 > 8   1 >
< 7 < 6 < 5 < 4 < 3 < 2 < 1   8 <

The S-box S9 is fixed, and is generated by continuing the process used for generating S-boxes 1 through 7 from Euler's constant to generate one more permutation of the numbers 0 through 255; therefore this S-box is the one designated S11 on the page entitled Euler's Constant and the Quadibloc S-Boxes.
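As an added illustration (not the author's code), the following Python models one of these chained rounds: the four small Feistel rounds on a 16-bit subblock, the S9 nibble packing, the 32-bit Feistel step that turns one subblock's intermediates into the next subblock's subkey, and the fact that decryption walks the chain in the same order as encryption because the inverse small rounds recover the same intermediates. S8 through S11 are constructed placeholder tables, and the direction of the small rounds is assumed to alternate strictly right-to-left, left-to-right, right-to-left, left-to-right.

```python
"""One GoodStuff-style chained round of Quadibloc III.  Added illustration,
not the author's code.  S8, S9, S10 and S11 are constructed placeholders from
a seeded PRNG (in the cipher S8, S10, S11 are key-dependent and S9 fixed); the
four small Feistel rounds are read as alternating strictly right-to-left,
left-to-right, right-to-left, left-to-right."""
import random

_rng = random.Random(1)
S8 = list(range(256)); _rng.shuffle(S8)            # placeholder 8x8 permutation
S9 = list(range(256)); _rng.shuffle(S9)            # placeholder 8x8 permutation
S10 = [_rng.getrandbits(16) for _ in range(256)]   # placeholder 8-bit in, 16-bit out
S11 = [_rng.getrandbits(16) for _ in range(256)]
M8, M16 = 0xFF, 0xFFFF


def feistel16(sub, kb, decrypt=False):
    """Four in-place Feistel rounds on a 16-bit subblock with subkey bytes kb.
    Outer rounds (0, 3) XOR the subkey in and add the S8 output to the other
    half; inner rounds (1, 2) add the subkey and XOR the S8 output.  Returns
    the new subblock and the four f-function inputs (values just before S8),
    which the chain feeds to the next subblock."""
    l, r = sub >> 8, sub & M8
    inter = [0] * 4
    for i in (range(3, -1, -1) if decrypt else range(4)):
        src_right = (i % 2 == 0)        # source half: right, left, right, left
        src = r if src_right else l     # round i leaves its source half alone,
        outer = i in (0, 3)             # so decryption recovers the same t
        t = (src ^ kb[i]) if outer else ((src + kb[i]) & M8)
        f = S8[t]
        if outer and decrypt:
            f = (-f) & M8               # undo the addition by subtracting
        if src_right:
            l = (l + f) & M8 if outer else l ^ f
        else:
            r = (r + f) & M8 if outer else r ^ f
        inter[i] = t
    return (l << 8) | r, inter


def pack_nibbles(outs):
    """32-bit word from four bytes: high nibbles in order form the first 16
    bits, low nibbles the last 16."""
    hi = lo = 0
    for y in outs:
        hi = (hi << 4) | (y >> 4)
        lo = (lo << 4) | (y & 0xF)
    return (hi << 16) | lo


def feistel32(word, k16):
    """Four in-place Feistel rounds on a 32-bit word with four 16-bit subkeys,
    the first right to left: f(x) = S10[x >> 8] + S11[x & 0xFF] mod 2^16 with
    x = source half XOR subkey.  Only ever run forwards; decryption recomputes
    it rather than inverting it."""
    l, r = word >> 16, word & M16
    for i in range(4):
        t = (r if i % 2 == 0 else l) ^ k16[i]
        f = (S10[t >> 8] + S11[t & M8]) & M16
        if i % 2 == 0:
            l ^= f
        else:
            r ^= f
    return (l << 16) | r


def goodstuff_round(block, subkeys, order, decrypt=False):
    """Encipher eight 16-bit subblocks along a chain.  order gives subblock
    indices in chain order: range(8) for 1 > 2 > ... > 8, reversed for
    8 < ... < 1.  subkeys[0] keys the first subblock; subkeys[1..14] are used
    two at a time as the four 16-bit subkeys of the 32-bit Feistel step that
    turns one subblock's intermediates into the next subblock's key.
    Decryption walks the same chain, since the inverse small rounds recover
    each subblock's intermediates and hence the next key."""
    assert len(block) == 8 and len(subkeys) == 15
    out = list(block)
    key32 = subkeys[0]
    for step, j in enumerate(order):
        kb = [(key32 >> s) & M8 for s in (24, 16, 8, 0)]
        out[j], inter = feistel16(block[j], kb, decrypt)
        if step < 7:
            ka, kc = subkeys[1 + 2 * step], subkeys[2 + 2 * step]
            k16 = [ka >> 16, ka & M16, kc >> 16, kc & M16]
            key32 = feistel32(pack_nibbles([S9[t] for t in inter]), k16)
    return out


def demo():
    """A forward-chained round followed by a backward-chained one on a
    constructed block; True when decryption restores the plaintext."""
    keys = [_rng.getrandbits(32) for _ in range(15)]
    block = [_rng.getrandbits(16) for _ in range(8)]
    fwd, bwd = list(range(8)), list(range(7, -1, -1))
    c = goodstuff_round(goodstuff_round(block, keys, fwd), keys, bwd)
    p = goodstuff_round(goodstuff_round(c, keys, bwd, True), keys, fwd, True)
    return p == block and c != block
```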
The Next Innermost Layer (Mishmash)
The concept of a cipher called Mishmash is noted in the conclusions section of this chapter, to which reference may be required. The left half of the block (in the second round, the right half) is enciphered using four rounds of Quadibloc. The intermediate results, after XORing in the second of the three subkeys, of each of the four f-function outputs are then subjected to the Quadibloc f-function again, with another twelve subkeys, and the four 32-bit outputs are XORed together. The 32-bit result controls the encipherment of the right half of the block. The right half of the block is enciphered by cipher steps 1 through 5. The first 25 bits of the 32-bit result are divided into five 5-bit values, indicating for each of the five cipher steps, in order of their numeric labels, which of 32 sets of subkey material is used for them. The last 7 bits of the 32-bit result indicate the order in which the five cipher steps take place. Values 0 through 119 of these seven bits give the 120 permutations of the numbers from 1 through 5 in numerical order, as shown in the following table:

  0     1     2     3     4     5     6     7     8     9    10    11
12345 12354 12435 12453 12534 12543 13245 13254 13425 13452 13524 13542
 12    13    14    15    16    17    18    19    20    21    22    23
14235 14253 14325 14352 14523 14532 15234 15243 15324 15342 15423 15432
 24    25    26    27    28    29    30    31    32    33    34    35
21345 21354 21435 21453 21534 21543 23145 23154 23415 23451 23514 23541
 36    37    38    39    40    41    42    43    44    45    46    47
24135 24153 24315 24351 24513 24531 25134 25143 25314 25341 25413 25431
 48    49    50    51    52    53    54    55    56    57    58    59
31245 31254 31425 31452 31524 31542 32145 32154 32415 32451 32514 32541
 60    61    62    63    64    65    66    67    68    69    70    71
34125 34152 34215 34251 34512 34521 35124 35142 35214 35241 35412 35421
 72    73    74    75    76    77    78    79    80    81    82    83
41235 41253 41325 41352 41523 41532 42135 42153 42315 42351 42513 42531
 84    85    86    87    88    89    90    91    92    93    94    95
43125 43152 43215 43251 43512 43521 45123 45132 45213 45231 45312 45321
 96    97    98    99   100   101   102   103   104   105   106   107
51234 51243 51324 51342 51423 51432 52134 52143 52314 52341 52413 52431
108   109   110   111   112   113   114   115   116   117   118   119
53124 53142 53214 53241 53412 53421 54123 54132 54213 54231 54312 54321

and the remaining values give the following eight preferred orders once again:

120   121   122   123   124   125   126   127
31425 32415 51423 52413 31524 32514 41523 42513
Only one pool of 32 subkey values is used by all four Mishmash rounds in the cipher (which is different from the Mishmash concept described in the conclusions section), despite the danger that a subkey may be used more than once. The five cipher steps are:

1. Two rounds of DES. Two 48-bit subkeys are the subkey material this uses.
2. Two rounds of Quadibloc. Six 32-bit subkeys are the subkey material this uses.
3. Four rounds of SKIPJACK. Sixteen 8-bit subkeys are the subkey material this uses.
4. One round of SAFER. Two 64-bit subkeys are the subkey material this uses.
5. Two rounds of GoodStuff. This consists of two rounds, similar to the middle rounds of this cipher, but acting on only four 16-bit subblocks each. The ordering of the operations is 1234 followed by 4321 (not 3214). This uses fourteen 32-bit subkeys as subkey material.

In the Mishmash rounds, the final interchange is not omitted after the DES and Quadibloc rounds, since they are part of an ongoing block cipher. This is true also of the Mishmash concept, as can be seen from the diagrams, which show the ciphers in in-place form. The four Skipjack rounds are type A in the first two Mishmash rounds in the cipher, and type B in the last two. In addition, the SAFER rounds in the last two Mishmash rounds are rounds of SAFER decryption instead of SAFER encryption, for the same reason.
Subkey Generation
Subkey generation for Quadibloc III follows the same general scheme as for Quadibloc II; initial subkeys are generated using a method similar to the one used in Quadibloc II, but somewhat more elaborate. Fill A1, A2, and A3; B1, B2, B3, B4, and B5; and C1, C2, C3, C4, and C5 with the first thirteen bytes of the key in order. Initialize the variable Q to be zero.
Split the key into two pieces as follows, where L is the number of bytes in the key:
- If L is odd, the first piece consists of the first (L+1)/2 bytes of the key, and the second piece is the remaining bytes of the key. Then increase each piece in length by one byte by appending the one's complement of the first byte in the piece to it.
- If L is an even number of the form 4n, the first piece consists of the first (L/2)+1 bytes of the key, and the second piece is the remaining bytes of the key. Then increase each piece in length by two bytes by appending the one's complement of the first two bytes in the piece to it.
- If L is an even number of the form 4n+2, the first piece consists of the first (L/2)+2 bytes of the key, and the second piece is the remaining bytes of the key. Then increase each piece in length by two bytes by appending the one's complement of the first two bytes in the piece to it.

In the first case, the lengths of the two pieces of the key are two consecutive numbers, one even and one odd. In the second case, the lengths of the two pieces of the key are two odd numbers, differing by two. In the third case, the lengths of the two pieces of the key are two odd numbers, differing by four. In all three cases, the lengths of the two pieces of the key are relatively prime, and uniquely identify the length of the original key.
Each group of bytes is then used as the initial contents of a shift register, which operates as follows: the sum of the first and third bytes in the shift register is XORed with the second-last byte in the shift register. The result is used as the output of the shift register, and is also used as the new last byte in the shift register, all other bytes being moved to the next earlier place, the first byte being discarded.
For each byte generated by XORing the outputs from the two shift registers, that byte is then transformed by carrying out the following instructions. For each of the numbers 0 to 4, do the following:
- Add the contents of A1 to the number, modulo 256.
- Replace that number by its substitute in S-box 5a (that is, the first half of S-box 5, an S-box with 8 bits of input as well as 8 bits of output, created by setting the MSB of the input to 0).
- Add the contents of A2 to the result, modulo 256.
- Replace that number by its substitute in S-box 5b (the second half of S-box 5).
- Add the contents of A3 to the result, modulo 256.
Modify the variables B1 through B5 by adding the results of this process for the numbers 0 to 4, respectively, to them. (This is a permanent change; for each byte generated, new values are added to them, and the totals are cumulative.) Once that has been done, using the modified values of B1 through B5, we once again use the numbers 0 to 4 in order as inputs as we do the following:
- Add the contents of B1 to the number, modulo 256.
- Replace that number by its substitute in inverse S-box 7b (the inverse of the second half of S-box 7).
- XOR the result with the contents of B2.
- Replace that number by its substitute in inverse S-box 5b (the inverse of the second half of S-box 5).
- Add the contents of B3 to the result, modulo 256.
- Replace that number by its substitute in inverse S-box 7a (the inverse of the first half of S-box 7).
- XOR the result with the contents of B4.
- Replace that number by its substitute in inverse S-box 5a (the inverse of the first half of S-box 5).
- Add the contents of B5 to the result, modulo 256.
Modify the variables C1 through C5 by adding the results of this process for the numbers 0 to 4, respectively, to them. (This is a permanent change; for each byte generated, new values are added to them, and the totals are cumulative.)
Now, generate a byte from the two shift registers containing the two unequal pieces of the key as outlined above. Add Q to that byte. Put that byte through the following process:
- Add the contents of C1 to the number, modulo 256.
- Replace that number by its substitute in S-box 6a (the first half of S-box 6).
- XOR the result with the contents of C2.
- Replace that number by its substitute in S-box 6b (the second half of S-box 6).
- Add the contents of C3 to the result, modulo 256.
- Replace that number by its substitute in S-box 7a (the first half of S-box 7).
- XOR the result with the contents of C4.
- Replace that number by its substitute in S-box 7b (the second half of S-box 7).
- Add the contents of C5 to the result, modulo 256.
The result of this process is the output byte, to be placed in the subkeys. The output byte is also stored in the variable Q. One more step, however, remains in the process; the variables A1, A2, and A3 are changed (just as B1 through B5 have already been changed) as follows: replace A1 with the former contents of A2; replace A2 with the former contents of A3; and replace A3 with the former contents of A3 XOR the current output byte (also stored in Q). After generating the first 440 regular 32-bit subkeys, initial values of the remaining subkey material are generated in the following order:
- first, initial subkeys K441 through K488 (which will later be used for subkeys with different numbers), (192 bytes)
- then the contents of key-dependent S-box S8, (from 1536 to 2304 bytes are used to produce this, since it is generated from three permutations which require either 512 or 768 bytes to produce)
- then the 256 16-bit entries for each of S10 and S11; (1024 bytes)
- then the Mishmash subkeys;
- 32 sets of two 48-bit subkeys for the DES rounds, (384 bytes)
- 32 sets of six 32-bit subkeys for the Quadibloc rounds, (768 bytes)
- 32 sets of sixteen 8-bit subkeys for the Skipjack rounds, (512 bytes)
- 32 sets of two 64-bit subkeys for the SAFER rounds, (512 bytes)
- 32 sets of fourteen 32-bit subkeys for the GoodStuff rounds. (1792 bytes)
- An additional 2304 bytes of subkey material to be used later. (2304 bytes)
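The byte generator described above (key splitting, the two shift registers, the A, B and C stages), written out in Python as an added example that is not the author's code. S-boxes 5, 6 and 7 are constructed placeholder permutations; the "halves" are assumed to be the S-box read with the input's MSB forced to 0 (half a) or 1 (half b), an inverse half the same read of the inverse permutation, and one shift-register byte is assumed to be drawn per output byte, with the A and B stages run before it.

```python
"""Initial subkey byte generation for Quadibloc III, as the page describes it.
Added illustration, not the author's code.  S5, S6 and S7 are constructed
placeholder permutations.  Assumed readings: a 'half' of an S-box takes an
8-bit input with its MSB forced to 0 (half a) or 1 (half b), an inverse half
does the same with the inverse permutation, and one register byte is drawn
per output byte, after the A and B stages have run."""
import random

_rng = random.Random(7)


def _perm():
    p = list(range(256))
    _rng.shuffle(p)
    return p


S5, S6, S7 = _perm(), _perm(), _perm()
INV5 = [S5.index(v) for v in range(256)]        # inverse permutations
INV7 = [S7.index(v) for v in range(256)]


def half_a(box, v):
    return box[v & 0x7F]                        # input MSB forced to 0

def half_b(box, v):
    return box[v | 0x80]                        # input MSB forced to 1


def split_key(key):
    """Split the key into two pieces of relatively prime length, padding each
    with the one's complement of its first one (L odd) or two (L even) bytes."""
    L = len(key)
    if L % 2 == 1:
        cut, pad = (L + 1) // 2, 1
    elif L % 4 == 0:
        cut, pad = L // 2 + 1, 2
    else:                                       # L = 4n + 2
        cut, pad = L // 2 + 2, 2
    pieces = (bytes(key[:cut]), bytes(key[cut:]))
    return [p + bytes((~b) & 0xFF for b in p[:pad]) for p in pieces]


class ShiftReg:
    """Output = (first byte + third byte) XOR second-last byte; the output is
    appended as the new last byte and the first byte is discarded."""
    def __init__(self, init):
        self.reg = list(init)

    def step(self):
        out = ((self.reg[0] + self.reg[2]) & 0xFF) ^ self.reg[-2]
        self.reg = self.reg[1:] + [out]
        return out


class SubkeyGen:
    def __init__(self, key):
        assert len(key) >= 13, "A1..A3, B1..B5, C1..C5 take the first 13 bytes"
        k = list(key)
        self.A, self.B, self.C = k[0:3], k[3:8], k[8:13]
        self.Q = 0
        self.r1, self.r2 = (ShiftReg(p) for p in split_key(key))

    def _update_b(self):                        # A stage, cumulative into B
        for n in range(5):
            v = half_a(S5, (n + self.A[0]) & 0xFF)
            v = half_b(S5, (v + self.A[1]) & 0xFF)
            self.B[n] = (self.B[n] + v + self.A[2]) & 0xFF

    def _update_c(self):                        # B stage, cumulative into C
        for n in range(5):
            v = half_b(INV7, (n + self.B[0]) & 0xFF)
            v = half_b(INV5, v ^ self.B[1])
            v = half_a(INV7, (v + self.B[2]) & 0xFF)
            v = half_a(INV5, v ^ self.B[3])
            self.C[n] = (self.C[n] + v + self.B[4]) & 0xFF

    def next_byte(self):
        self._update_b()
        self._update_c()
        v = ((self.r1.step() ^ self.r2.step()) + self.Q) & 0xFF
        v = half_a(S6, (v + self.C[0]) & 0xFF)  # C stage
        v = half_b(S6, v ^ self.C[1])
        v = half_a(S7, (v + self.C[2]) & 0xFF)
        v = half_b(S7, v ^ self.C[3])
        v = (v + self.C[4]) & 0xFF
        self.Q = v
        self.A = [self.A[1], self.A[2], self.A[2] ^ v]   # shift A, fold in output
        return v

    def subkeys(self, count):
        """count 32-bit subkeys, each packed big-endian from four output bytes
        (the leftmost byte of K1 is the first byte generated)."""
        return [int.from_bytes(bytes(self.next_byte() for _ in range(4)), "big")
                for _ in range(count)]
```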
All the subkey material thus generated, except the material used to produce S-box S8, is retained in order in an array for later modification. An initial value for S8, the key-dependent S-box, is generated as follows:
- Generate three permutations of the numbers from 0 to 255 from the subkeys by the following procedure:
  - Use successive bytes from the subkeys, starting with the leftmost (most significant) byte of subkey K1, and going through the subkeys in numerical order, that is, K1, K2, K3, K4, ..., and then starting where one has left off for subsequent permutations.
  - Each permutation is generated by the use of either 512 or, under some rare circumstances, only 256 bytes.
  - A permutation is generated as follows:
    - Begin with three arrays of 256 numbers, the first of which is filled with the numbers from 0 to 255 in order. The arrays must also be able to hold the value -1. The second and third arrays are filled with -1.
    - For each byte used: let the value of the byte be called N, and let I be a counter which starts at 0 for the first byte, incrementing with each byte used, and ending at 255.
    - Then, for each byte: if element N of the first array is not -1, set element N of the first array to -1, and set element I of the second array to N. Otherwise, store N in the first unused position (the first position containing -1) in the third array.
    - Once this has been done, if the third array contains any numbers other than -1, proceed as follows:
      - If there is only one filled (not equal to -1) element in the third array, then there is only one remaining element in the first array, and one element of the second array equal to -1, so fill the second array with the one available byte, and finish.
      - If there are only two filled elements in the third array, take the least significant bit of the first filled element. If it is zero, fill the -1 elements of the second array with the remaining elements of the first array in order; if it is one, do so in reverse order, and finish.
      - If there are fewer than 256 filled elements in the third array, repeat them over and over to fill the array. Then, take an additional 256 input bytes (thus, 512 bytes are used except when the first 256 bytes contain two or fewer duplicate bytes) and XOR them with the bytes of the third array.
      - Now, use the third array to complete the second array by doing the following for II from 0 to 255:
        - Let the value of element II of the third array be XX.
        - Swap elements II and XX of the first array.
        - Then, scan through the second array. When an element of the second array is -1, fill it with the corresponding element of the first array (if it is not also -1) and set that element of the first array to -1.
      - If there are any -1 elements left in the second array, fill them with the elements of the first array that are not -1, in order.
- The three permutations obtained in this manner are used to generate a key-dependent S-box as follows:
  - For N from 0 to 255:
    - Set A to be element N of the first permutation; set B to be element N of the second permutation, and set C to be element B of the third permutation.
    - Set element A of the S-box to equal C.
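The permutation procedure and the S8 construction above, as an added Python example (not the author's code) run on constructed byte streams; it covers the no-duplicate, one-duplicate, two-duplicate and general (512-byte) cases. The one reading assumed is that the scan of the second array happens inside the II loop, after each swap.

```python
"""Generating the key-dependent S-box S8 from a byte stream, following the
permutation procedure above.  Added illustration, not the author's code;
the byte streams are constructed.  One reading is assumed: the scan of the
second array happens inside the II loop, after each swap."""
import random

EMPTY = -1                      # the -1 marker for an unused slot


def make_permutation(stream):
    """Consume 256 bytes from the iterator (512 if more than two of the first
    256 are duplicates) and return a permutation of 0..255."""
    first = list(range(256))    # values not yet placed
    second = [EMPTY] * 256      # the permutation under construction
    third = []                  # duplicate bytes, in order of arrival
    for i in range(256):
        n = next(stream)
        if first[n] != EMPTY:
            first[n] = EMPTY
            second[i] = n
        else:
            third.append(n)
    if not third:
        return second
    remaining = [v for v in first if v != EMPTY]          # ascending order
    holes = [i for i, v in enumerate(second) if v == EMPTY]
    if len(third) == 1:
        second[holes[0]] = remaining[0]
        return second
    if len(third) == 2:
        if third[0] & 1:                # LSB of the first duplicate
            remaining.reverse()
        for h, v in zip(holes, remaining):
            second[h] = v
        return second
    # General case: repeat the duplicates to 256 entries and XOR in 256 more
    # input bytes, then use them to drive swaps in the first array.
    third = [third[k % len(third)] ^ next(stream) for k in range(256)]
    for ii in range(256):
        xx = third[ii]
        first[ii], first[xx] = first[xx], first[ii]
        for j in range(256):            # fill holes from matching positions
            if second[j] == EMPTY and first[j] != EMPTY:
                second[j], first[j] = first[j], EMPTY
    leftovers = iter(v for v in first if v != EMPTY)
    for j in range(256):                # whatever is left, in order
        if second[j] == EMPTY:
            second[j] = next(leftovers)
    return second


def make_s8(stream):
    """S8 from three permutations drawn from the stream in turn: for each N,
    A = P1[N], B = P2[N], C = P3[B], and S8[A] = C."""
    p1 = make_permutation(stream)
    p2 = make_permutation(stream)
    p3 = make_permutation(stream)
    s8 = [EMPTY] * 256
    for n in range(256):
        s8[p1[n]] = p3[p2[n]]
    return s8


def demo():
    """Build S8 from a constructed stream of 1536 pseudo-random subkey bytes
    (enough for three permutations of 512 bytes each); returns the S-box."""
    rng = random.Random(3)
    data = bytes(rng.getrandbits(8) for _ in range(1536))
    return make_s8(iter(data))
```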
Only the first 440 subkeys, each 32 bits long, which are the first subkey material generated by this method, are modified by the key augmentation technique of performing an initial encipherment and XORing subkeys with intermediate results. Because some of the rounds do not produce intermediate results suitable for this use, the key augmentation step undergoes an important change. Instead of modifying the 440 subkeys by performing a normal Quadibloc III encipherment and using its intermediate results, a modified encipherment, using only normal rounds found in Quadibloc II, is used. The modified encipherment consists of one group of four degenerate rounds, forty-eight normal Quadibloc II rounds, and one more group of four degenerate rounds. This arrangement uses exactly 440 subkeys. Four key-dependent byte permutations are used, from 0x, 1x, and inverse 9x and 8x; only one unkeyed whitening step, followed by the 0x permutation, begins the cipher; the 1x permutation follows the first group of four degenerate rounds, preceding the first conventional Quadibloc II round.
The subkeys are initially filled in the following order, consistent with Quadibloc II practice:

K1   K2   K3   K4
K5   K8   K11  K6   K9   K12  K7   K10  K13
K14  K17  K20  K15  K18  K21  K16  K19  K22
...
K428 K431 K434 K429 K432 K435 K430 K433 K436
K437 K438 K439 K440

and are modified during key enrichment in the following order (although the subkeys are aligned in columns to illustrate their pattern, the order used is that found by reading across):

K440 K436 ... K22 K13
K439 K435 ... K21 K12
K438 K434 ... K20 K11
K437 K433 ... K19 K10
     K432 ... K18 K9
     K431 ... K17 K8
     K430 ... K16 K7
     K429 ... K15 K6
     K428 ... K14 K5
                  K4
                  K3
                  K2
                  K1
Bytes for use in the 48 additional subkeys, S10 and S11, and in Mishmash, are generated during the initial part of subkey generation, even though these parts of the cipher aren't used in key enrichment; then, during the key-enrichment phase, nine bytes of output from the same shift register process as was used to fill all the subkey material with its initial values, but modified in an analogous fashion to that used for Quadibloc II (the last 13 bytes of the 440 regular subkeys are used to fill A1 through C5, and one shift register, rather than two, is used, consisting of the rest of the subkey material), are used to modify eight bytes in this additional subkey material. This is done as follows: the first byte determines the use of the next eight bytes; if its most significant bit is a 1, the next byte is XORed to the previously generated byte, and if its most significant bit is a 0, the next byte replaces the corresponding previously generated byte, and so on through the bits of the first byte and the bytes following.
The additional subkey material being modified in this step consists of 7488 bytes. For the purpose of an additional operation to be performed concurrently with the XOR or replacement of these bytes in groups of eight using generated bytes in groups of nine, these bytes are to be considered as 20 blocks of 256 bytes each, plus 64 extra bytes. The additional manipulation to be performed consists of two steps. Only during the processing of the second through the 19th of the 20 complete blocks are both steps done; one is done during the processing of the first block.
For each of the first 256 generated bytes of the 288 generated bytes required to modify the 256 bytes of the current block, the next block is modified as follows: letting c be a counter, 0 for the first generated byte, and incremented by one as we change to use each additional generated byte, and letting n be the value of the current generated byte, we swap byte c and byte n of the next block. This only requires the existence of a following block, and is therefore done when the current block is any block from the first through the nineteenth.
For each of the last 256 generated bytes of the 288 generated bytes we use in modifying the 256-byte current block, immediately following the use of that same byte for modifying the next block during the period when both operations overlap, we modify the preceding block as follows: letting c be a counter, 0 for the first generated byte used by this step (the 33rd of the 288 generated bytes for the current block), and letting n be the value of the current generated byte, we let p be the value of byte c of the next block, and let q be the value of byte n of the previous block. We then swap bytes p and q of the previous block. Letting k be the XOR of the values of the two bytes so swapped, byte n of the previous block is then modified by being XORed with byte k of the next block. This requires both a preceding and a following block, and is done for the second block through the nineteenth. Performing these transposition steps on the subkey material helps to destroy any pattern it might contain.
As many of the last 2304 bytes of subkey material as required are used to generate a permutation following the steps used for generating the initial value of S8. The generated result, however, is not used as the final value of S8. Instead, each element of S8 is replaced by the value it points to in this result; that is, for N from 0 to 255, S8(N) becomes R(S8(N)). (Thus, S8 depends on both the old and new subkeys, and doesn't relate to the current subkeys in a simple way.)
Then, the 488 subkeys required for Quadibloc III are produced from the 440 subkeys generated normally and the 48 additional ones by using the 48 additional subkeys in order as the ones for the f-functions that are used to modify the f-function results before being XORed together in the Mishmash rounds. Hence,

- subkeys K1 through K88 retain their identity,
- subkeys K441 through K452 are moved to subkeys K89 through K100,
- subkeys K89 through K100 are moved to subkeys K101 through K112,
- subkeys K453 through K464 are moved to subkeys K113 through K124,
- subkeys K101 through K352 are moved to subkeys K125 through K376,
- subkeys K465 through K476 are moved to subkeys K377 through K388,
- subkeys K353 through K364 are moved to subkeys K389 through K400,
- subkeys K477 through K488 are moved to subkeys K401 through K412,
- and, finally, subkeys K365 through K440 are moved to subkeys K413 through K488.
Note that implementations need not actually move the subkeys around, but merely need to ensure that each encipherment step uses the correct subkeys from those stored in memory.
Variations of Quadibloc III
Specific named variations of Quadibloc III are provided here to broaden its range of applicability.
The first variation is Quadibloc III SC (Short Cycle). This version retains the complexity of Quadibloc III, but eliminates the large number of rounds of the GoodStuff kind in the middle of the cipher. Instead, only two such rounds are retained, with the following arrangement:

1 > 2 > 3 > 4 > 5 > 6 > 7 > 8
8 < 7 < 6 < 5 < 4 < 3 < 2 < 1

This reduces the amount of required subkey material from 488 subkeys to 278, and hence the key augmentation phase of key generation is modified as follows: eight regular Quadibloc II rounds are used, the first 10 words of S10 are also modified, and there is no shifting of subkeys out of numerical order, as was required to exclude a particular 48 subkeys from key augmentation in the normal version. The unkeyed whitening step, and the initial and final byte transposes (0x and 8x), are also retained in the modified encipherment.
The next variation is Quadibloc III MD (Maximum Dispersion). This version adds eight 64-bit words of subkey material to what is used by the cipher. They are not used during the modified encipherment cycle performed for key augmentation, but they are generated initially, like other parts of the subkey material not then used. They are generated immediately after the 32 extra normal subkeys which are modified after, instead of during, key augmentation, and immediately before calculating S-box S8. Otherwise, since the key schedule is only lengthened, key augmentation is not modified for this variation. These 64-bit words are used to perform an ICE-style interchange of the left and right halves of the block, immediately after the first four key-dependent byte interchanges derived from S-box S8 and immediately before the last four such byte interchanges. A 1 bit corresponds to a bit to be interchanged, and the words are used in order during encipherment.
Finally, Quadibloc III SD (Short/Dispersive) combines the modifications in Quadibloc III SC and Quadibloc III MD. As it has 294 32-bit words of normal subkey, the key augmentation phase of its key generation is based on a modified encipherment involving a byte transpose based on the 0x row of S8, an unkeyed whitening step, a set of four degenerate rounds, a byte transpose based on the 1x row of S8, eight normal Quadibloc II rounds, the 9x transpose, four degenerate rounds, inverse whitening, and the 8x transpose. The first two words of S10 are also included in the key augmentation for this variation.
A variation in the round structure, like those illustrated for Quadibloc II, will also be illustrated here, but in this case it is for the Mishmash portion of the cipher.
This diagram gives an overview of the Mishmash rounds as modified. Instead of passing the intermediate results of the four QUADIBLOC 96 rounds on the left side through an additional QUADIBLOC f-function, these results are used to produce a 32-bit result by means of the 32-bit Feistel structure used within the GoodStuff portion of the cipher. This reduces the number of additional subkeys required for this part of the cipher from 48 to 8, but the strength of the modified cipher appears fully satisfactory.
Another variation on Quadibloc III uses the modified Mishmash rounds described above, but in addition changes the order of the rounds in line with insights that have come out of looking at how some differential attacks, including the boomerang attack, work. The idea is that parts of the cipher that are analytically simple are put on the outside, and parts that are harder to analyze, but possibly leaving room for new probing attacks, are put in the center. A diagram giving an overview of the variation, accompanied by its description, is below:
- Small Feistel rounds, using no subkeys, but using the key-dependent S-box S8 as their f-function, transforming 16-bit subblocks of the block.
- Key-dependent permutation (derived from the 0x elements of S8) of the bytes in the block.
- Four simple rounds, using a single-level f-function, that are aimed at obtaining high diffusion, and which use 32-bit subkeys K1 through K4.
- Key-dependent permutation (derived from the 1x elements of S8) of the bytes in the block.
- Two rounds in which the block is enciphered as follows:
  - one 16-bit subblock is enciphered by four Feistel rounds, using S8 as the f-function, but this time preceded by the XOR of a subkey byte;
  - the results of the XOR are used as intermediate results, and are fed into the S-box S9;
  - the four S9 outputs produce a 32-bit result whose first 16 bits are the first four bits of each of their outputs, and whose last 16 bits are the last four bits of each of their outputs;
  - this result is then enciphered by means of four Feistel rounds, where the f-function consists of first XORing in a 16-bit half of a subkey, then using the two bytes of the result to index into two key-dependent S-boxes, S10 and S11, which each take an 8-bit input and give a 16-bit output. The sum of the two outputs is XORed with the other half of the 32-bit block;
  - the 32-bit result of this process is used, as a 32-bit subkey was used initially, to encipher a further 16 bits of the block, and this continues until the entire 128-bit block has been enciphered in 16-bit pieces.
  These two rounds each use fifteen subkeys; the first one uses subkey K5 to supply the four bytes used for enciphering the first 16-bit subblock, and then subkeys K6 through K19, two at a time, for enciphering the 32-bit intermediate results from enciphering one subblock to produce the 32-bit input to use to encipher the next one, and the second one uses subkeys K20 through K34.
- Key-dependent permutation (derived from the 2x elements of S8) of the bytes in the block.
- Eight normal Quadibloc II rounds, each of which uses nine subkeys, the first using subkeys K35 through K43, the last using subkeys K98 through K106.
- Key-dependent permutation (derived from the 3x elements of S8) of the bytes in the block.
- Four rounds of a form of Mishmash, whose large quantity of subkeys is generated after the contents of S10 and S11, and by the same process. These rounds use fixed Quadibloc subkeys for one half of the block, the subkeys being K107 through K118 for the encipherment of that block, and K119 through K120 for the Feistel rounds with a 32-bit block using S-boxes S10 and S11 that modify its intermediate results, for the first Mishmash round, and the remaining Mishmash rounds use subkeys K121 through K162.

Then, the preceding steps are done in reverse order, with the key-dependent byte permutations now being the inverses of the ones derived from the Bx, Ax, 9x, and 8x elements of S8, and with the eight normal Quadibloc II rounds using subkeys K163 through K234, the two GoodStuff rounds using subkeys K235 through K264, and the set of four degenerate rounds using subkeys K265 through K268.
The 268 subkeys required, plus the first 20 32-bit words of the S-box S11, are modified after initial subkey generation by key augmentation through 32 normal Quadibloc II rounds with no degenerate rounds (and two byte transposes, based on the 0x and 8x rows, instead of four, and two unkeyed whitening steps, as for the regular cipher), and there is no shifting of subkeys out of numerical order, as was required to exclude a particular 48 subkeys from key augmentation in the normal version.
Quadibloc IV
Quadibloc IV is a block cipher with a 128-bit block size and a simpler design than that of either Quadibloc III or even Quadibloc II. It has 32 rounds, numbered from 1 to 32, each using three 32-bit subkeys. It uses the S-boxes S1, S2, and S3 (S3 is only used during key generation) derived from Euler's constant, as listed in the description of Quadibloc II. It attempts (despite the fact that A xor B and B xor A are the same thing) to use a strategy derived from hash functions to produce a secure f-function: the quantity XORed to the first subblock in each round is the XOR of two f-functions, one which uses a subblock as input, and two subkeys as keys, and one which uses a subkey as input, and two subblocks as keys.
The Rounds
A round of Quadibloc II proceeds as follows: The 128-bit block is considered to be divided into four 32-bit subblocks, B1 through B4. The leftmost subblock, B1, is the only one modified in a round. It has two quantities XORed to it:

- an f-function, using B2 as input, with the first two subkeys for the round as keys, using S1 as the S-box;
- an f-function, using the third subkey for the round as input, with B3 and B4 as keys, using S2 as the S-box.
The f-function is essentially the basic Quadibloc f-function: XOR the input and the first key, substitute the bytes in the S-box, and then perform the following regular permutation of the bits:

 1  2 27 28 21 22 15 16
17 18 11 12  5  6 31 32
 9 10  3  4 29 30 23 24
25 26 19 20 13 14  7  8
Then, XOR the input and the second key and again perform the S and P steps. In Quadibloc IV, no third key is used. The following diagram illustrates a typical round of Quadibloc IV:
The diagram illustrates the way in which the subblocks are interchanged after a typical round:

3 4 2 1

No interchange is performed after the last round, round 32. After round 4 and after round 28, the bytes of the 128-bit block are interchanged in the following order:

1 14 11 8 5 2 15 12 9 6 3 16 13 10 7 4

After round 16, the four subblocks are interchanged in this order:

3 2 1 4

After the other rounds whose numbers are divisible by 4, the four subblocks are interchanged in this order:

3 1 4 2

Hence, if one numbers the subblocks on entry to round 5 as 1, 2, 3, and 4, the orders in which they appear from round 5 to round 28 are as follows:
Entry to rounds 5 to 8:     1 2 3 4   3 4 2 1   2 1 4 3   4 3 1 2
Entry to rounds 9 to 12:    1 4 2 3   2 3 4 1   4 1 3 2   3 2 1 4
Entry to rounds 13 to 16:   1 3 4 2   4 2 3 1   3 1 2 4   2 4 1 3
Entry to rounds 17 to 20:   1 4 3 2   3 2 4 1   4 1 2 3   2 3 1 4
Entry to rounds 21 to 24:   1 2 4 3   4 3 2 1   2 1 3 4   3 4 1 2
Entry to rounds 25 to 28:   1 3 2 4   2 4 3 1   3 1 4 2   4 2 1 3
thus going through all 24 possible orders exactly once. Because of the byte interchange after rounds 4 and 28, the first and last four rounds function as a whitening phase of the block cipher.
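The following Python, added here as an example and not code from the page, walks the subblock interchange schedule just described and checks the claim that rounds 5 through 28 see each of the 24 orders once. Patterns are read as source positions (after the round, position i holds the subblock that was at position pattern[i]); read that way, the typical pattern and the divisible-by-4 pattern reproduce the table above step by step. For round 16, the pattern that reproduces the table's entry for round 17 is 3 2 4 1, whereas the text prints 3 2 1 4, which under the same reading brings back the order 1 4 2 3 already seen on entry to round 9; the block therefore takes the round-16 pattern from the table and labels it as an assumption.

```python
from itertools import permutations

# Interchange patterns from the text, read as source positions: after the
# round, position i holds the subblock that was at position pattern[i].
AFTER_TYPICAL_ROUND = (3, 4, 2, 1)
AFTER_ROUND_DIV_4 = (3, 1, 4, 2)       # after rounds 8, 12, 20 and 24
AFTER_ROUND_16_TEXT = (3, 2, 1, 4)     # the pattern printed in the text
AFTER_ROUND_16_TABLE = (3, 2, 4, 1)    # assumption: the pattern that reproduces the table

# The page's table, read column by column: order on entry to rounds 5..28.
PAGE_TABLE = [
    (1, 2, 3, 4), (3, 4, 2, 1), (2, 1, 4, 3), (4, 3, 1, 2),   # rounds 5-8
    (1, 4, 2, 3), (2, 3, 4, 1), (4, 1, 3, 2), (3, 2, 1, 4),   # rounds 9-12
    (1, 3, 4, 2), (4, 2, 3, 1), (3, 1, 2, 4), (2, 4, 1, 3),   # rounds 13-16
    (1, 4, 3, 2), (3, 2, 4, 1), (4, 1, 2, 3), (2, 3, 1, 4),   # rounds 17-20
    (1, 2, 4, 3), (4, 3, 2, 1), (2, 1, 3, 4), (3, 4, 1, 2),   # rounds 21-24
    (1, 3, 2, 4), (2, 4, 3, 1), (3, 1, 4, 2), (4, 2, 1, 3),   # rounds 25-28
]


def apply_pattern(order, pattern):
    """Order of the subblocks after one interchange."""
    return tuple(order[p - 1] for p in pattern)


def pattern_after(round_no, after_16):
    """Which subblock interchange follows a round between 5 and 27."""
    if round_no == 16:
        return after_16
    if round_no % 4 == 0:
        return AFTER_ROUND_DIV_4
    return AFTER_TYPICAL_ROUND


def orders_on_entry(after_16=AFTER_ROUND_16_TABLE):
    """Subblock order on entry to each of rounds 5 through 28.

    Rounds 4 and 28 are followed by the byte-level transposition instead,
    so the subblock walk starts from 1 2 3 4 at round 5 and ends at round 28.
    """
    order = (1, 2, 3, 4)
    orders = [order]
    for r in range(5, 28):
        order = apply_pattern(order, pattern_after(r, after_16))
        orders.append(order)
    return orders


def covers_all_24_once(orders):
    """True when the 24 entries are exactly the 24 permutations of 1..4."""
    return sorted(orders) == sorted(permutations((1, 2, 3, 4)))


def first_repeat(orders):
    """Index of the first order that was already seen earlier, or None."""
    seen = set()
    for i, o in enumerate(orders):
        if o in seen:
            return i
        seen.add(o)
    return None
```

Running `orders_on_entry()` with the table-derived round-16 pattern returns `PAGE_TABLE` exactly; running it with `AFTER_ROUND_16_TEXT` instead shows the first repeat at index 12, that is, on entry to round 17.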
Key Generation
Two shift registers, one 64 bytes in length and one 65 bytes in length, are used to generate subkeys, and are loaded with the key, which can be from 2 to 63 bytes in length, as follows:
- If the key is 256 bits (32 bytes) in length or shorter:
  - The 64-byte shift register is loaded with the key, followed with the one's complement of the key, followed by as many repetitions of the key as are needed to fill it.
  - The 65-byte shift register is loaded with the bytes of the key in reverse order, followed by the one's complement of the key (in normal order), followed by as many repetitions of the key as are needed to fill its first 64 bytes, followed by the one's complement of the first byte of the key.
- If the key is from 33 to 63 bytes in length:
  - The 64-byte shift register is loaded with the first half of the key (including one more byte than the second half, if the number of key bytes is odd), followed by the one's complement of the first half of the key and as many repetitions of the first half of the key as are needed to fill it.
  - The 65-byte shift register is loaded with the second half of the key, followed by the one's complement of the second half of the key, and as many repetitions of the second half as are needed to fill its first 64 bytes, followed by the one's complement of the first byte of the second half of the key.
Initial values of subkey bytes are generated from these two shift registers as follows:

The first shift register is cycled as follows: Take the 49th byte, add the 33rd byte, and XOR the 64th byte. Find the substitute for the result in S-box S3. XOR the 3rd byte, and add the 1st byte. The result will be the new first byte of the shift register, the other bytes being advanced one place, and the old 64th byte being discarded.

The second shift register is cycled as follows: Take the 23rd byte, add the 65th byte, and XOR the 11th byte. Find the substitute for the result in S-box S3. Add the 50th byte, and XOR the 1st byte. The result will be the new 65th byte of the shift register, the other bytes being moved to the next earlier place, and the old 1st byte being discarded.

The byte of the subkey generated from this step is the generated new first byte of the first shift register, replaced with its substitute from S-box S3, XORed with the generated new 65th byte of the second shift register.

Once all 96 subkeys have been filled with their initial values, key augmentation takes place. A normal encipherment cycle is performed, enciphering the 128-bit block

A5 C3 E1 2D B4 87 96 F0 0F 69 78 4B D2 1E 3C 5A

but after each round, the four intermediate values generated in the round are applied as follows. The four intermediate values are:

1. The output of the SP operation following the use of the first subkey for the round;
2. The output of the SP operation following the use of the second subkey for the round;
3. The output of the SP operation following the use of the third subblock;
4. The output of the SP operation following the use of the fourth subblock.

Intermediate values 1, 2, and 4 of each round are XORed to the subkeys after the round is over, and the order in which the subkeys are modified is:

K1 K2 K3 K4 K5 K6 K7 K10 K13 ... K94 K8 K11 K14 ... K95 K9 K12 K15 ... K96

and then intermediate value 3 from the round is added, using byte-wide addition (as well as creating no endian confusion, this is sure to be implementable, even on systems that support only 16-bit arithmetic with no way to disable integer overflow exceptions), to the following subkeys in this order:

K96 K93 K90 K87 K84 ... K3
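The register loading and the subkey generation step just described, written out in Python as an added example (not code from the page). S-box S3 is listed on the Quadibloc II page and not reproduced here, so `S3_STANDIN` is a constructed permutation of 0..255 used only so that the generator runs; the key augmentation pass that follows is not included.

```python
# Constructed stand-in for S-box S3 (a permutation of 0..255, since 167 is odd).
# The real S3 is derived from Euler's constant and listed on the Quadibloc II page.
S3_STANDIN = bytes(((i * 167) + 91) & 0xFF for i in range(256))


def complement(b):
    """One's complement of every byte."""
    return bytes(x ^ 0xFF for x in b)


def fill_to(parts, filler, n):
    """Concatenate `parts`, then repeat `filler` until exactly n bytes remain."""
    out = bytearray(b"".join(parts))
    while len(out) < n:
        out += filler
    return out[:n]


def load_registers(key):
    """Load the 64-byte and 65-byte shift registers from a key of 2 to 63 bytes."""
    key = bytes(key)
    if not 2 <= len(key) <= 63:
        raise ValueError("key must be 2 to 63 bytes long")
    if len(key) <= 32:
        # Short key: register 1 = key, ~key, key...; register 2 = reversed key,
        # ~key, key... up to 64 bytes, then ~(first key byte) as the 65th.
        r1 = fill_to([key, complement(key)], key, 64)
        r2 = fill_to([key[::-1], complement(key)], key, 64)
        r2.append(key[0] ^ 0xFF)
    else:
        # Long key: the first half (the longer one when the length is odd)
        # feeds register 1 and the second half feeds register 2.
        cut = (len(key) + 1) // 2
        first, second = key[:cut], key[cut:]
        r1 = fill_to([first, complement(first)], first, 64)
        r2 = fill_to([second, complement(second)], second, 64)
        r2.append(second[0] ^ 0xFF)
    return r1, r2


def step(r1, r2, s3=S3_STANDIN):
    """Advance both registers once and return one subkey byte.

    Byte numbers in the comments are the text's 1-based positions.
    """
    # Register 1: (49th + 33rd) xor 64th -> S3 -> xor 3rd -> + 1st
    t = s3[((r1[48] + r1[32]) & 0xFF) ^ r1[63]]
    t = ((t ^ r1[2]) + r1[0]) & 0xFF
    r1[:] = bytes([t]) + r1[:-1]        # t becomes the new first byte
    # Register 2: (23rd + 65th) xor 11th -> S3 -> + 50th -> xor 1st
    u = s3[((r2[22] + r2[64]) & 0xFF) ^ r2[10]]
    u = ((u + r2[49]) & 0xFF) ^ r2[0]
    r2[:] = r2[1:] + bytes([u])         # u becomes the new 65th byte
    return s3[t] ^ u


def initial_subkeys(key, s3=S3_STANDIN):
    """Initial values of the 96 32-bit subkeys (384 bytes), before key augmentation."""
    r1, r2 = load_registers(key)
    return bytes(step(r1, r2, s3) for _ in range(96 * 4))
```

With a 2-byte key the short-key rule applies: register 1 begins with the key, its complement, and then the key repeated, and register 2 begins with the key reversed. A 33-byte key is split 17/16, with the longer first half going to register 1.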
Use as a Hash Function
As this block cipher was designed using design principles from hash functions, it seemed appropriate to specify a mode in which it could be used to generate a hash of a file. However, only the simplest mode is specified here, generating a 128-bit hash, which is not considered adequately long to obtain collision resistance.

One iteration of the cipher will be used to hash a block consisting of 32 32-bit words, or 128 bytes. The string of bits to be hashed will be converted to a whole number of blocks by having a 1 appended to it, and then the result will be filled out with zeroes to fill the last block. The starting value to be "enciphered" by the block cipher will be:

A5 C3 E1 2D B4 87 96 F0 0F 69 78 4B D2 1E 3C 5A

as used for key augmentation. The subkeys for the encipherment will be supplied by the block to be hashed as follows: Both subkeys

K3 K6 K9 K12 K15 ... K96

and subkeys

K95 K92 K89 K86 K83 ... K2

will be supplied from the bytes of the block, taken in groups of four, in order. (The first byte is the leftmost byte of the word.) Subkeys

K1 K4 K7 K10 K13 ... K94

will be the following:

K1:  243F6A88   K13: A4093822   K25: 452821E6   K37: C0AC29B7   K49: 9216D5D9   K61: 2FFD72DB   K73: BA7C9045   K85: 0801F2E2
K4:  85A308D3   K16: 299F31D0   K28: 38D01377   K40: C97C50DD   K52: 8979FB1B   K64: D01ADFB7   K76: F12C7F99   K88: 858EFC16
K7:  13198A2E   K19: 082EFA98   K31: BE5466CF   K43: 3F84D5B5   K55: D1310BA6   K67: B8E1AFED   K79: 24A19947   K91: 636920D8
K10: 03707344   K22: EC4E6C89   K34: 34E90C6C   K46: B5470917   K58: 98DFB5AC   K70: 6A267E96   K82: B3916CF7   K94: 71574E69

which are the hexadecimal digits in the fractional portion of pi (also used as the starting value of the S-boxes and subkeys in Blowfish, although it uses 784 of them, not just 32 of them). After each block is hashed, the input to the encryption cycle is XORed with the output to produce the current value of the hash, which will be the input to the next encryption cycle.
A Variation of Quadibloc IV
In Quadibloc IV ER (Extra Resistance), after generating the initial values of the subkeys, an additional 1536 to 2304 bytes are generated to create S8 in the same fashion as the initial value of S8 was generated in Quadibloc II and Quadibloc III. This key-dependent S-box is not modified again after key augmentation, and it is used to perform a substitution on the four bytes of the two f-function outputs after the second SP portion. This modification makes Quadibloc IV considerably more secure against differential and linear cryptanalysis.
Quadibloc V
Quadibloc V is a straightforward and simple member of the Quadibloc family of ciphers. It operates on a 128-bit block, and has a key which must consist of a number of bytes that is a multiple of four and which is equal to or greater than 8. It uses S-box S1 derived from Euler's constant, as used in other ciphers of the Quadibloc series, and it uses one key-dependent S-box, called S2, which has 16 entries, each 64 bits long. It has four rounds, and each round uses 72 bytes of subkey material. The halves of the block are swapped after each of the first three rounds. As encipherment and decipherment are different, and as the f-function only diffuses half of the information in the left half of the block, it might seem that there are opportunities for cryptanalysis. But what happens to the right half of the block, and the use of a key-dependent S-box, even if only a minimal one, appears to close any such opportunities. Also, the key schedule seems to be secure, although it too is greatly simplified over that of Quadibloc II or III.
The Rounds
The following diagram illustrates what happens during a round of Quadibloc V:
The bytes in the left half of the block are used in pairs to generate bytes, the nybbles of which are then used to select two entries from S-box S2. One copy of the second byte in the pair is XORed with a byte of subkey material; the next copy has the next byte of subkey material added to it. Then both copies are replaced by their corresponding entries in S-box S1. The first byte in the pair first has the first copy of the other byte, as modified, added to it. This intermediate result is retained for later use. Then it is replaced by the entry it now selects in S-box S1. Finally, the second copy of the other byte, as modified, is XORed to it. The first and second nybbles of this resulting byte are used to index two elements of S-box S2. The entry chosen by the second nybble of a byte then has its halves swapped. The intermediate result saved for later use is also split into two nybbles, each used to index an element from S-box S2. The one chosen by the first nybble is rotated 16 bits left, and the one chosen by the second nybble is rotated 16 bits right. These elements of S-box S2 are XORed with the right half of the block at various times. This portion of the cipher uses the first eight subkey bytes for the round.

First, the bytes in the right half of the block are modified by going through tiny Feistel rounds, similar to permutation G of SKIPJACK, but here using S-box S1 as the f-function. Each pair of bytes goes through two rounds of this, first the left-hand byte modifying the right-hand byte, then the right-hand byte modifying the left-hand byte. Two subkeys are used to perform these two rounds for one pair of bytes, then the next two subkeys are used for two rounds for the next pair of bytes, as is visible from the numbering in the diagram. Then, four S2 outputs,

- the one from the first nybble of the byte generated from the first pair of bytes in the left half of the block,
- the one (with its halves swapped) from the last nybble of the byte generated from the last pair of bytes in the left half of the block,
- the one (rotated 16 bits to the left) from the first nybble of the intermediate result generated from the second pair of bytes in the left half of the block,
- the one (rotated 16 bits to the right) from the second nybble of the intermediate result generated from the third pair of bytes in the left half of the block,

are XORed to the right half of the block as currently modified. Then, two more tiny Feistel rounds are applied to each pair of bytes in the right half, and then the bytes are interchanged as follows:

1 4 3 6 5 8 7 2

and then another two tiny Feistel rounds are applied. Note that this interchange, applied three times, ensures that each even byte is paired with each odd byte for four tiny Feistel rounds during this process. Now, four S2 outputs,

- the one from the first nybble of the byte generated from the second pair of bytes in the left half of the block,
- the one (with its halves swapped) from the last nybble of the byte generated from the third pair of bytes in the left half of the block,
- the one (rotated 16 bits to the left) from the first nybble of the intermediate result generated from the first pair of bytes in the left half of the block,
- the one (rotated 16 bits to the right) from the second nybble of the intermediate result generated from the last pair of bytes in the left half of the block,

are XORed to the right half of the block in its present state. Then, another four tiny Feistel rounds with a byte interchange in the middle. Now, four S2 outputs,

- the one from the first nybble of the byte generated from the third pair of bytes in the left half of the block,
- the one (with its halves swapped) from the last nybble of the byte generated from the second pair of bytes in the left half of the block,
- the one (rotated 16 bits to the left) from the first nybble of the intermediate result generated from the last pair of bytes in the left half of the block,
- the one (rotated 16 bits to the right) from the second nybble of the intermediate result generated from the first pair of bytes in the left half of the block,

are XORed to the right half of the block. Then, another four tiny Feistel rounds with a byte interchange in the middle. And then the following four S2 outputs,

- the one from the first nybble of the byte generated from the last pair of bytes in the left half of the block,
- the one (with its halves swapped) from the last nybble of the byte generated from the first pair of bytes in the left half of the block,
- the one (rotated 16 bits to the left) from the first nybble of the intermediate result generated from the third pair of bytes in the left half of the block,
- the one (rotated 16 bits to the right) from the second nybble of the intermediate result generated from the second pair of bytes in the left half of the block,

are XORed with the right half. And now, two tiny Feistel rounds are applied to each pair of bytes in the right half of the block. Finally, the bytes are interchanged as follows:

1 3 5 7 2 4 6 8

This final interchange sorts the odd and even bytes into groups, so that pairs will later be made on a different basis.
The Key Schedule
The key material used during encipherment consists of a 512-byte key-dependent S-box S2, and 288 bytes of subkey material. Initially, this key material is loaded as follows:

- The key is split into two parts, the first having one byte less than half the bytes in the key, and the second having the remaining bytes.
- Bytes of subkey material are alternately filled from each half of the key.
- Each time one returns to the first byte of a part of the key, after using the last byte previously, one adds 1 to a constant (initially zero) which is added to each byte as it is taken.

Thus, if the key is initially:

200 160 001 100 080 020 140 120

it is split into the two parts

200 160 001
100 080 020 140 120

and the subkey material is initially filled as follows from it:

200 100 160 080 001 020 201 140 161 120 002 101 202 081 162 021 003 141 ...

Using this initial subkey material, a block is enciphered consisting of the first sixteen bytes of the key, or, if the key is shorter than sixteen bytes, the key followed by the key with each byte XORed with 1, followed by the key XORed with 2 if necessary, all the bytes then replaced with their substitutes in S-box S1. Each round of encipherment produces eight 64-bit intermediate results: an intermediate result is obtained by taking the current value of the right half of the block after each pair of tiny Feistel rounds, except that in the case of those rounds followed by XORing in S-box S2 entries, the intermediate value is taken after that XOR. Five rounds are performed, rather than the four used for normal encipherment, the fifth using the same subkeys as the first, and after each round is completed the intermediate results are used to modify the subkeys. The first 36 of the 40 intermediate results generated are XORed with the subkey material, each result modifying eight consecutive subkey bytes, in the following order:

Result 1:  K1 to K8
Result 2:  K73 to K80
Result 3:  K145 to K152
Result 4:  K217 to K224
Result 5:  K9 to K16
Result 6:  K81 to K88
...
Result 36: K281 to K288
In addition, each byte of all but the first eight intermediate results (leaving the last 32 intermediate results, which amount to 256 bytes) is used to modify the 512-byte S-box S2, as follows:

- The S-box S2 is to be considered as consisting of two halves, each 256 bytes in length, called H0 and H1. H0(n) is the (n+1)th byte of H0; that is, H0(0) is the first byte of H0.
- Let the byte being used to modify the S-box have the value X.
- Let a counter, initially equal to 0, and increasing by 1 each time, be noted by N. This counter will run from 0 to 255 as the process below takes place.
- Let W = N xor X.
- Let P = H0(W) xor X and Q = H1(W) xor X.
- In all cases, first modify H1(P) by XORing it with H0(P) and with X, then modify H0(Q) by XORing it with H1(Q) and with X.
- Modify H0(X) by XORing it with Q and with W, and modify H1(X) by XORing it with P and with W.
- If N and X are not equal, swap H0(N), H0(X), H1(N), and H1(X) as follows: H0(N) is replaced by H0(X), which is replaced by H1(N), which is replaced by H1(X), which is replaced by the former value of H0(N).
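The initial subkey fill from the two key parts, checked against the worked values given above, and one step of the S2 modification procedure, as an added Python example rather than code from the page. H0 and H1 are kept as the two 256-byte halves of a single 512-byte array; `modify_s2_batch` is an assumed helper that runs the counter N from 0 to 255 over each 256-byte pass of intermediate-result bytes.

```python
def split_key(key):
    """Split the key: first part one byte shorter than half, second part the rest."""
    key = bytes(key)
    if len(key) < 8 or len(key) % 4:
        raise ValueError("key length must be a multiple of 4 and at least 8")
    cut = len(key) // 2 - 1
    return key[:cut], key[cut:]


def initial_subkeys(key, count=288):
    """Fill `count` subkey bytes alternately from the two key parts.

    Each part keeps its own constant, starting at 0, that is added (mod 256)
    to every byte taken from it and incremented whenever the part wraps
    around to its first byte again.
    """
    parts = split_key(key)
    pos = [0, 0]
    const = [0, 0]
    out = bytearray()
    which = 0
    while len(out) < count:
        part = parts[which]
        out.append((part[pos[which]] + const[which]) & 0xFF)
        pos[which] += 1
        if pos[which] == len(part):
            pos[which] = 0
            const[which] += 1
        which ^= 1
    return bytes(out)


H1 = 256  # offset of H1 inside the 512-byte S2; H0 starts at offset 0


def modify_s2(s2, x, n):
    """One step of the S2 modification with modifying byte x and counter n.

    s2 is a 512-byte bytearray, modified in place: H0(i) is s2[i], H1(i) is s2[H1 + i].
    """
    w = n ^ x
    p = s2[w] ^ x
    q = s2[H1 + w] ^ x
    s2[H1 + p] ^= s2[p] ^ x          # H1(P) ^= H0(P) ^ X
    s2[q] ^= s2[H1 + q] ^ x          # H0(Q) ^= H1(Q) ^ X
    s2[x] ^= q ^ w                   # H0(X) ^= Q ^ W
    s2[H1 + x] ^= p ^ w              # H1(X) ^= P ^ W
    if n != x:
        # H0(N) <- H0(X) <- H1(N) <- H1(X) <- old H0(N)
        old = s2[n]
        s2[n] = s2[x]
        s2[x] = s2[H1 + n]
        s2[H1 + n] = s2[H1 + x]
        s2[H1 + x] = old
    return s2


def modify_s2_batch(s2, result_bytes):
    """Assumed helper: apply modify_s2 over whole 256-byte passes, N running 0..255 in each."""
    if len(result_bytes) % 256:
        raise ValueError("need a whole number of 256-byte passes")
    for i, x in enumerate(result_bytes):
        modify_s2(s2, x, i & 0xFF)
    return s2
```

For the 8-byte sample key above, `split_key` yields the parts 200 160 001 and 100 080 020 140 120, and `initial_subkeys` reproduces the 18 bytes listed on the page; a single `modify_s2` step on an all-zero S2 with X = 1, N = 0 leaves exactly one byte set, H1(0).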
Variations
If one wishes to use Quadibloc V with eight rounds, then the key augmentation step of the key schedule is modified as follows: The encipherment step used to generate intermediate results now runs for nine rounds. All intermediate results are used to XOR with subkey bytes, and the order is similar to that for the four-round version: first, an XOR is done to the first eight bytes in each of the eight rounds, then the next eight bytes in each of the eight rounds. The ninth round uses the subkeys for the first round. The last 512 bytes so generated, which involve all but the first eight intermediate results, are used to carry out the modification of the S-box S2, but this time twice. With sixteen rounds, the key augmentation step will involve encipherment with eighteen rounds, the last two using the subkeys of the first two rounds. Again, all intermediate results are used to XOR with subkey bytes. The last 1024 bytes generated, which exclude the first sixteen intermediate results (or those from the first two rounds), are used to modify S-box S2 four times.
Quadibloc VI
Quadibloc VI attempts to achieve the attractive characteristics of Quadibloc III, but with fewer rounds. The main intention in the design of Quadibloc VI is to make a block cipher that has the advantages of a stream cipher. A typical block cipher subjects each block of data it enciphers to a series of manipulations, with the only variation in these manipulations due to the variable and secret key being that the data, while being manipulated, occasionally has subkey material XORed to it. Perhaps addition will also be used. A stream cipher can resist analysis by applying different key material to the encipherment of each byte or block it encounters. Thus, the Mishmash encipherment method used within Quadibloc III imitates a stream cipher, by choosing subkeys from a pool to encipher one half of a block, the choice being determined by the other half of the block. This principle is employed here as well, but with a simpler structure. Quadibloc VI uses the same fixed S-boxes S1 and S2 derived from Euler's constant as QUADIBLOC and other ciphers in the Quadibloc series, whose contents have been listed in previous sections.
Description of Mixing/Whitening
The first step in encipherment, when a 128-bit block is submitted to Quadibloc VI, is to ensure that every bit in the block affects, or potentially affects, every bit in every other block, through a short series of mixing and whitening transformations, as shown in the diagram below:

First, the bytes, by pairs, go through four mini-Feistel rounds, using the key-dependent S-box S8 as the f-function. Then, using 64-bit subkey LK1, the two halves of the block have selected corresponding bits swapped, in the manner originated by the block cipher ICE. Then, to bring bytes that have not yet influenced each other into contact, the bytes are transposed so that after transposition, the bytes in order came from the following positions, from 1 to 16, as indicated by the numbers below:

1 13 2 14 3 15 4 16 5 9 6 10 7 11 8 12

Once this is done, another four mini-Feistel rounds with the key-dependent S-box S8 used as the f-function are performed on adjacent pairs of bytes. Then, once again bytes are moved to bring bytes that had not affected one another into contact. As a possible transposition to do so here is the one used previously, it is applied once again. Then, a completely unkeyed step is used for the final merging of bytes, a set of Pseudo-Hadamard Transforms applied to pairs of bytes.

Finally, the bytes in the block are transposed according to a key-dependent byte transposition derived from the contents of key-dependent S-box S8.
Description of Regular Rounds
In a regular round of Quadibloc VI, the leftmost six bytes of the block are enciphered by means of two rounds of the GoodStuff method, which proceeds as follows: Using four eight-bit subkeys (derived from a single 32-bit subkey), four Feistel rounds are used to encipher a 16-bit subblock; in the first round, the right half is XORed with the first subkey, then replaced through S8, then added to the left half. The direction of the f-function alternates from right to left to left to right, and in the two outer rounds, the subkey is XORed and the f-function output added, and in the two inner rounds, the subkey is added and the f-function output XORed. The four intermediate results of the f-functions, derived before S8 substitution, are used to index into the fixed S-box S2. The S-box outputs are used to form a 32-bit word consisting of the first nibbles of the four substituted results in order, then the second nibbles. (Since, looking sideways, the bottom, rather than the top, of the previous four rounds is to the left, the diagram shows that the order needs to be reversed when drawing a left-to-right round of this cipher, by means of a twist upon entry and exit from the horizontal Feistel rounds.) The resulting 32-bit word is then itself enciphered by four Feistel rounds of a cipher which, like Blowfish, uses wide key-dependent S-boxes in the f-function. Here, four 16-bit subkeys are used, and so they are derived from two 32-bit regular subkeys. The final interchange is not omitted, or the rounds can be thought of, as they are drawn, in in-place format, and the first round goes from right to left (or, in the diagram, top to bottom). The following diagram illustrates the operations that take place during a regular round of Quadibloc VI upon the leftmost eight bytes of the block:
The first six bytes are subjected to encipherment according to the GoodStuff algorithm, first in one direction, and then in another. The final f-function outputs in the Feistel rounds applied to the 32-bit quantity that serves as subkeys for the 16-bit Feistel rounds in each of the GoodStuff encipherments are XORed to the last two of the first eight bytes. Before, between, and after these XORs, those two bytes are modified using the same type of mini-Feistel round as was used in the initial mixing/whitening phase. Note that the first and last f-function (or S-box S8) outputs are XORed together to produce one byte of output. This byte is used to control the encipherment of the other half of the block, which is enciphered using the modification of the original QUADIBLOC round used in Quadibloc S, to be described in the next section. A Quadibloc S round is illustrated below:
The single byte of output has 256 possible values. 7 times 6 times 5 is 210, which is less than 256; therefore this byte can be used to choose three distinct subkeys from a pool of seven subkeys to be used as the three subkeys for the Quadibloc S round. After the first three regular Quadibloc IV rounds in a group of four, the bytes are interchanged according to the following pattern, where each number denotes the position of a byte in the source to the permutation, the numbers being in the order of the bytes upon output:

3 4 5 6 7 8 1 2 13 14 15 16 9 10 11 12

The intent of this is to have the two bytes in the first half which are enciphered differently take on four different values, while the halves of the second half are swapped each time.

After every group of four regular Quadibloc IV rounds except the last four, the halves of the block are swapped. It is assumed that a mere eight rounds of Quadibloc IV will suffice. At least sixteen rounds, however, would be absolutely required were it not for the initial mixing and whitening rounds. This is because four rounds are, in a sense, really only one round. Finally, using 64-bit subkey LK2, the operations of the mixing/whitening rounds are performed in reverse order. The Pseudo-Hadamard Transform is replaced by its inverse, and so are the two fixed byte permutations. But the groups of four mini-Feistel rounds stay the same (instead of being inverted by having left and right bytes switched), and the ICE-style swap is its own inverse. The steps involved in the final mixing/whitening step may be made clearer by this diagram:
The Key Schedule
Although, when compared with the method for generating the key schedule for Quadibloc II and Quadibloc III, many shortcuts are taken in the method used for Quadibloc VI, it will be seen that key generation for Quadibloc VI is still long and complicated.
Quadibloc VI with eight regular rounds uses the following subkey material:

- Eighty 32-bit subkeys, designated K1 through K80, ten of which are used for each regular round, which contains two rounds of GoodStuff encipherment;
- Eight banks of seven 32-bit subkeys used in the Quadibloc S type rounds which are applied to the right half of the block, which may be designated V1 through V56;
- The key-dependent S-boxes S10 and S11, each of which contains 256 random 16-bit entries;
- Two 64-bit subkeys, LK1 and LK2;
- The key-dependent S-box S8, which contains the bytes 0 to 255 in random order;
- A key-dependent table with 256 entries, each entry being a triple of three distinct integers from 1 to 7, which will contain all 210 possible arrangements once, and 46 of those arrangements twice, for use in selecting subkeys from the subkey pool for the Quadibloc S type rounds applied to the right half of the block.
For what follows, the first three items in the list above are to be considered to be stored in order contiguously in memory. First, initially fill the key-dependent S-box S11 as follows:

<key> 1 <key> 1 2 <key> 1 2 3 <key>

that is, repeat the key, following it each time by a series of bytes with successive values that is one byte longer. Then generate initial values for subkeys K1 through K80, pooled subkeys V1 through V56, and the contents of key-dependent S-box S10 (as well as an initial value for key-dependent S-box S8) by generating 1056 bytes ( (80*4) + (56*4) + (256*2) = 320 + 224 + 512 = 1056 ) through the following procedure: take a copy of the key, and append to that copy, after its last byte, a byte equal to the inverse (the bitwise negation, or one's complement) of the XOR of all the bytes of the original key. This ensures the key as expanded does not consist entirely of zeroes. Bytes are then generated from the key by chain addition. This means that a byte is generated as follows: the sum, modulo 256, of the first two bytes of the key is the generated result; and it is also appended to the end of the key, whose first byte is then removed. (Note that the cipher itself uses XOR only, and not addition modulo 256.)

The method of producing subkey bytes is a degenerate form of the MacLaren-Marsaglia generator. An array with 256 byte positions, called A(0) to A(255), is filled by generating 256 bytes by means of chain addition. Then, a subkey byte is generated as follows: Generate two bytes by chain addition. Call these bytes p and q. The byte to be used in a subkey is the current value of A(q). Replace A(q) with p.

The initial value for the key-dependent S-box S8 is generated concurrently with subkey generation by means of the use of two additional arrays, B(0) to B(255) and C(0) to C(255). These two arrays are initialized so that B(0) contains 0, B(1) contains 1, and so on, and C also contains the 255 byte values in order as well. Then, each time a value is stored in a location of A, both the 256 initial values, and the value stored in A(q) each time a subkey byte is generated, the following procedure is performed: Let p be the value being stored in the array A, and let q be the index in A of where it is being stored. If B(q) equals p, then we are finished. Otherwise: Store the value of B(q) in v. Swap element q and element C(p) of array B. (Element C(p) of array B will equal p.) Store the value of C(p) in w. Store q in C(p) (since B(q) now has p stored in it), and store w in C(v) (since our swap placed v, the former value of B(q), in B(w), which originally contained p). Once all the subkeys are generated, starting from the first (most significant) byte of subkey 1, and ending with the last (least significant) byte of subkey 12, the contents of the array B are used as the key-dependent S-box.
Once these portions of the required subkey material have initial values assigned to them (LK1 and LK2, as well as the table used to choose subkey pool values for the Quadibloc S part of a round, are still empty), we will encipher the contents of S-box S11 as follows: Four entries in S-box S11, or eight bytes, will be enciphered at a time. Using the initial values of S8 and S10, and the value of S11 upon entry to the encipherment of four more entries in it, the encipherment of the right half of the block during a regular Quadibloc VI round will be performed, with the following subkeys:

Subkey material used            Entries in S11 enciphered
K1 to K10                       S11(0) to S11(3)
K11 to K20                      S11(4) to S11(7)
...                             ...
K71 to K80                      S11(28) to S11(31)
V1 to V10                       S11(32) to S11(35)
...                             ...
V41 to V50                      S11(48) to S11(51)
V51 to V56, S10(0) to S10(7)    S11(52) to S11(55)
S10(8) to S10(27)               S11(56) to S11(59)
S10(28) to S10(47)              S11(60) to S11(63)
...                             ...
S10(108) to S10(127)            S11(76) to S11(79)
After the first encipherment, the entries in S11 to be enciphered will first be XORed with the result of the previous encipherment, after that result has been rotated left by two bytes. Then, the first 80 (16-bit) entries in S11 are swapped with the first 40 (32-bit) subkeys for GoodStuff encipherment. Starting with the first byte in K41, and continuing to the last byte in S11(255), each byte in this contiguous array of subkey material except for the first 40 GoodStuff subkeys is now modified as follows:

New Byte(n) = Old Byte(n) XOR Byte(n-1) XOR S8( Byte(n-158) + Byte(n-160) )
Next, the second 80 entries in S11, S11(80) through S11(159), are enciphered, two at a time, using the left half of a regular Quadibloc VI round as above, once again using the subkeys in the order above for the encipherment, starting with subkeys K1 through K10, and are swapped after encipherment with the second group of 40 subkeys for GoodStuff encipherment. Once again, after the first encipherment in this group of encipherments, the entries in S11 to be enciphered will first be XORed with the result of the previous encipherment, after that result has been rotated left by two bytes. Then, the last 112 entries in S11, S11(144) through S11(255), are enciphered by the same method, and are afterwards swapped with V1 through V56. This time, the subkey material used will extend into the start of S11, as illustrated by the table below:

Subkey material used                  Entries in S11 enciphered
K1 to K10                             S11(144) to S11(147)
K11 to K20                            S11(148) to S11(151)
...                                   ...
K71 to K80                            S11(172) to S11(175)
V1 to V10                             S11(176) to S11(179)
...                                   ...
V41 to V50                            S11(192) to S11(195)
V51 to V56, S10(0) to S10(7)          S11(106) to S11(199)
S10(8) to S10(27)                     S11(200) to S11(203)
S10(28) to S10(47)                    S11(204) to S11(207)
...                                   ...
S10(108) to S10(127)                  S11(220) to S11(223)
...                                   ...
S10(208) to S10(227)                  S11(240) to S11(243)
S10(228) to S10(247)                  S11(244) to S11(247)
S10(248) to S10(255), S11(0) to S11(11)   S11(248) to S11(251)
S11(12) to S11(32)                    S11(252) to S11(255)
And again, after the first encipherment in this final group of encipherments, the entries in S11 to be enciphered will first be XORed with the result of the previous encipherment, after that result has been rotated left by two bytes.
Starting with the first byte in S10(0), and continuing to the last byte in S11(255), the bytes in the array of subkey material are modified, possibly repeatedly, by the formula:

New Byte(n) = Old Byte(n) XOR Byte(n-1) XOR S2( Byte(n-542) + Byte(n-544) )

where the positions n-542 and n-544 begin, on the first pass, by pointing into K1 to K80, and then V1 to V56, but afterwards are confined to the area from the start of S10 to the end of S11. As this process is performed when the final value of S8 is produced, the fixed S-box S2 is now used. The old value of Byte(n) is made available to other subkey generation processes, specifically the generation of the control table for Quadibloc S-type subkeys and of the final value of S8, and this process is repeated only as many times as these processes require input.

First, an array is filled with the first 46 numbers from 0 to 219 in the initial value of S8, followed by the numbers 0 to 219 in order. Then, a permutation is produced from several blocks of 256 values generated as old Byte(n) values from the shift-register process above applied to the area from V1 to S11(255), utilizing the following procedure (as seen in Quadibloc II and Quadibloc III):
Each permutation is generated by the use of either 512, or, under some rare circumstances, only 256, bytes. A permutation is generated as follows:

- Begin with three arrays of 256 numbers, the first of which is filled with the numbers from 0 to 255 in order. The arrays must also be able to hold the value -1. The second and third arrays are filled with -1.
- For each byte used: let the value of the byte be called N, and let I be a counter which starts at 0 for the first byte, incrementing with each byte used, and ending at 255.
- Then, for each byte:
  - If element N of the first array is not -1, set element N of the first array to -1, and set element I of the second array to N.
  - Otherwise, store N in the first unused position (the first position containing -1) in the third array.
- Once this has been done, if the third array contains any numbers other than -1, proceed as follows:
  - If there is only one filled (not equal to -1) element in the third array, then there is only one remaining element in the first array, and one element of the second array equal to -1, so fill the second array with the one available byte, and finish.
  - If there are only two filled elements in the third array, take the least significant bit of the first filled element. If it is zero, fill the -1 elements of the second array with the remaining elements of the first array in order; if it is one, do so in reverse order, and finish.
  - If there are fewer than 256 filled elements in the third array, repeat them over and over to fill the array. Then take an additional 256 input bytes (thus, 512 bytes are used except when the first 256 bytes contain two or fewer duplicate bytes) and XOR them with the bytes of the third array.
  - Now, use the third array to complete the second array by doing the following for II from 0 to 255: let the value of element II of the third array be XX, and swap elements II and XX of the first array.
  - Then, scan through the second array. When an element of the second array is -1, fill it with the corresponding element of the first array (if it is not also -1) and set that element of the first array to -1.
  - If there are any -1 elements left in the second array, fill them with the elements of the first array that are not -1, in order.

When this procedure is completed, the contents of the second array are the desired permutation.
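The procedure above, written out as an added Python example (it is not code from the page or from the author's own programs). It reads the input bytes from any iterator and returns the permutation together with the number of bytes it consumed, so the 256-versus-512 rule can be checked directly; the -1 marker for an empty slot is the one the text describes.

```python
from itertools import islice


def generate_permutation(byte_source):
    """Build a permutation of 0..255 from a stream of bytes by the
    Quadibloc II/III procedure: the first 256 bytes place values directly,
    duplicates are collected, and (with three or more duplicates) 256 more
    bytes drive a swap-based shuffle of the values still missing.

    byte_source: any iterable of ints in 0..255.
    Returns (permutation, bytes_consumed); bytes_consumed is 256 when the
    first 256 bytes hold at most two duplicates, otherwise 512.
    """
    src = iter(byte_source)

    def take(count):
        chunk = list(islice(src, count))
        if len(chunk) < count:
            raise ValueError("byte source exhausted")
        return chunk

    first = list(range(256))   # values not yet placed; -1 marks "placed"
    second = [-1] * 256        # the permutation under construction
    third = [-1] * 256         # duplicate bytes, in order of appearance
    consumed = 0

    # Pass 1: a fresh value N goes to position I; a repeat is set aside.
    for i, n in enumerate(take(256)):
        if first[n] != -1:
            first[n] = -1
            second[i] = n
        else:
            third[third.index(-1)] = n
    consumed += 256

    dups = [x for x in third if x != -1]
    if not dups:
        return second, consumed

    leftovers = [x for x in first if x != -1]            # ascending order
    holes = [i for i, x in enumerate(second) if x == -1]

    if len(dups) == 1:
        # One value missing and one hole: nothing to decide.
        second[holes[0]] = leftovers[0]
        return second, consumed

    if len(dups) == 2:
        # The low bit of the first duplicate picks forward or reverse order.
        if dups[0] & 1:
            leftovers.reverse()
        for hole, value in zip(holes, leftovers):
            second[hole] = value
        return second, consumed

    # Three or more duplicates: cycle them to fill the third array, XOR in
    # 256 further input bytes, and use the result as a sequence of swaps.
    third = [dups[i % len(dups)] for i in range(256)]
    third = [t ^ b for t, b in zip(third, take(256))]
    consumed += 256
    for ii in range(256):
        xx = third[ii]
        first[ii], first[xx] = first[xx], first[ii]
    # Holes take the value now sitting at the same index of the first array...
    for i in range(256):
        if second[i] == -1 and first[i] != -1:
            second[i] = first[i]
            first[i] = -1
    # ...and any hole still open takes the remaining values in index order.
    remaining = iter(x for x in first if x != -1)
    for i in range(256):
        if second[i] == -1:
            second[i] = next(remaining)
    return second, consumed
```

Feeding it the bytes 0 to 255 in order yields the identity permutation after 256 bytes; an input with exactly two repeated values shows the forward-or-reverse choice made by the low bit of the first duplicate, and any input with three or more repeats consumes the full 512 bytes.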
Once the permutation is generated, replace every element in it as follows: if the value of that element is N, replace it with element N of the array filled, based on the initial value of S8, with numbers from 0 to 209, 46 of them twice. These numbers from 0 to 209 then need to be converted to triples used for selecting subkeys from a group of seven subkeys in the V1 to V56 group. The numbers from 0 to 34 will be considered to represent triples of distinct numbers in ascending order, in numerical order:

 0: 1 2 3    7: 1 3 6   14: 1 6 7   21: 2 4 7   28: 3 5 6
 1: 1 2 4    8: 1 3 7   15: 2 3 4   22: 2 5 6   29: 3 5 7
 2: 1 2 5    9: 1 4 5   16: 2 3 5   23: 2 5 7   30: 3 6 7
 3: 1 2 6   10: 1 4 6   17: 2 3 6   24: 2 6 7   31: 4 5 6
 4: 1 2 7   11: 1 4 7   18: 2 3 7   25: 3 4 5   32: 4 5 7
 5: 1 3 4   12: 1 5 6   19: 2 4 5   26: 3 4 6   33: 4 6 7
 6: 1 3 5   13: 1 5 7   20: 2 4 6   27: 3 4 7   34: 5 6 7

and then this sequence is repeated, but with the three elements in each of the other five of the six possible orders, to make all 210 combinations:

 Index:    0      35      70     105     140     175
 Triple: 1 2 3   1 3 2   2 1 3   2 3 1   3 1 2   3 2 1
 Index:    1      36      71     106     141     176
 Triple: 1 2 4   1 4 2   2 1 4   2 4 1   4 1 2   4 2 1
 ...
 Index:   34      69     104     139     174     209
 Triple: 5 6 7   5 7 6   6 5 7   6 7 5   7 5 6   7 6 5
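As an added example (not code from the page), here is the index-to-triple conversion defined by the two tables above, together with the construction of the 256-entry control table from the initial S8 and a generated permutation. The range 0 to 209 (210 arrangements, 46 of them repeated) is the one stated in this paragraph; the S8 value and the permutation are parameters supplied by the caller, so the example below uses constructed identity arrays for both.

```python
from itertools import combinations, permutations

# The 35 ascending triples of distinct values 1..7, in the order of the
# first table above: index 0 is (1,2,3), index 34 is (5,6,7).
ASCENDING_TRIPLES = list(combinations(range(1, 8), 3))

# The six orderings of a triple (a,b,c), in the order of the second table:
# abc, acb, bac, bca, cab, cba.
ORDERINGS = list(permutations(range(3)))


def triple_for(index):
    """Map a table value 0..209 to an ordered triple of positions 1..7."""
    if not 0 <= index < 210:
        raise ValueError("index must be in 0..209")
    base = ASCENDING_TRIPLES[index % 35]
    order = ORDERINGS[index // 35]
    return tuple(base[k] for k in order)


def index_for(triple):
    """Inverse of triple_for: the table value of an ordered triple."""
    base = tuple(sorted(triple))
    order = tuple(base.index(x) for x in triple)
    return ORDERINGS.index(order) * 35 + ASCENDING_TRIPLES.index(base)


def build_control_table(s8_initial, perm):
    """Build the 256-entry subkey-selection table: an array of the first 46
    values below 210 found in the initial S8, followed by 0..209, is read
    through the generated permutation and each value converted to a triple.
    (Assumes, as stated in the text, that the values run from 0 to 209.)"""
    pool = [v for v in s8_initial if v < 210][:46] + list(range(210))
    if len(pool) != 256:
        raise ValueError("s8_initial must be a permutation of 0..255")
    return [triple_for(pool[p]) for p in perm]


def coverage(table):
    """(number of distinct triples, number of triples appearing twice)."""
    counts = {}
    for t in table:
        counts[t] = counts.get(t, 0) + 1
    return len(counts), sum(1 for c in counts.values() if c == 2)
```

With an identity S8 and an identity permutation the pool is simply 0..45 followed by 0..209, so the table's first 46 triples are the ones that occur twice, and coverage() reports 210 distinct triples with 46 repeated, as the text requires of every key.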
Now, generate another permutation by the method above. Then, the final value of S8 is produced as follows: for i from 0 to 255, let N equal element i of the old value of S8, and set element N of the final value of S8 (stored in another array) to be element i of this permutation. Finally, using our shift register method as applied to V1 through S11(255), acquire sixteen more bytes by replacing their old values with new ones; the old values taken will be LK1 and LK2.
The key-dependent byte permutations used between the mixing/whitening rounds and the regular rounds are generated as follows: The one performed after the first mixing/whitening round is obtained by taking the bytes in the final form of S-box S8 of the form 0x (that is, those whose most significant nibble is 0), and using their least significant nibbles to indicate which position each byte of the block will be moved to. This is the dispatch form of the permutation, which is the opposite of the one used to describe bit and byte transpositions in the description of the Quadibloc ciphers. The one performed after the regular rounds is generated from the bytes of the form 8x (most significant nibble 8), but is in fetch form, the least significant nibble of each of these bytes indicating the source from which each byte of the result is obtained. Key generation is now complete.
Variations of Quadibloc VI
Although Quadibloc VI would absolutely need sixteen rounds if the mixing/whitening stages were absent, that does not mean that sixteen rounds are not a good idea in any case. With sixteen rounds, the required key material consists of:
- One hundred and sixty 32-bit subkeys, designated K1 through K160, ten of which are used for each regular round, which contains two rounds of GoodStuff encipherment;
- Sixteen banks of seven 32-bit subkeys used in the Quadibloc S type rounds applied to the right half of the block, which may be designated V1 through V112;
- The key-dependent S-boxes S10 and S11, each of which contains 256 random 16-bit entries;
- Two 64-bit subkeys, LK1 and LK2;
- The key-dependent S-box S8, which contains the bytes 0 to 255 in random order;
- A key-dependent table with 256 entries, each entry being a triple of three distinct integers from 1 to 7, which will contain all 210 possible arrangements once, and 46 of those arrangements twice, for use in selecting subkeys from the subkey pool for the Quadibloc S type rounds applied to the right half of the block.
The key generation process closely parallels that for eight rounds, with small changes as follows:

Once again, we begin by filling the key-dependent S-box S11 as follows:

<key> 1 <key> 1 2 <key> 1 2 3 <key> ...

that is, repeat the key, following it each time by a series of bytes with successive values that is one byte longer. Then generate initial values for subkeys K1 through K160, pooled subkeys V1 through V112, and the contents of key-dependent S-box S10 (as well as an initial value for key-dependent S-box S8) by generating 1376 bytes ( (160*4) + (112*4) + (256*2) = 640 + 224 + 512 = 1376 ) through the degenerate MacLaren-Marsaglia procedure from Quadibloc S; the permutation generated as its side effect is the initial value for S-box S8.

Once these portions of the required subkey material have initial values assigned to them (LK1 and LK2, as well as the table used to choose subkey pool values for the Quadibloc S part of a round, are still empty), we will encipher the contents of S-box S11 as follows: Four entries in S-box S11, or eight bytes, will be enciphered at a time. Using the initial values of S8 and S10, and the value of S11 upon entry to the encipherment of four more entries in it, the encipherment of the right half of the block during a regular Quadibloc VI round will be performed, with the following subkeys:

Subkey material used              Entries in S11 enciphered
K1 to K10                         S11(0) to S11(3)
K11 to K20                        S11(4) to S11(7)
...                               ...
K151 to K160                      S11(60) to S11(63)
V1 to V10                         S11(64) to S11(67)
...                               ...
V101 to V110                      S11(104) to S11(107)
V111 to V112, S10(0) to S10(15)   S11(108) to S11(111)
S10(16) to S10(35)                S11(112) to S11(115)
S10(36) to S10(55)                S11(116) to S11(119)
...                               ...
S10(236) to S10(255)              S11(156) to S11(159)
After the first encipherment, the entries in S11 to be enciphered will first be XORed with the result of the previous encipherment, after that result has been rotated left by two bytes. Then, the first 160 (16-bit) entries in S11 are swapped with the first 80 (32-bit) subkeys for GoodStuff encipherment.
Starting with the first byte in K81, and continuing to the last byte in S11(255), each byte in this contiguous array of subkey material except for the first 80 GoodStuff subkeys is now modified as follows:

New Byte(n) = Old Byte(n) XOR Byte(n-1) XOR S8( Byte(n-318) + Byte(n-320) )

Next, entries S11(80) through S11(240) in S11 are enciphered, two at a time, using the left half of a regular Quadibloc VI round as above, once again using the subkeys in the order above for the encipherment, starting with subkeys K1 through K10, and are swapped after encipherment with the second group of 80 subkeys for GoodStuff encipherment. Once again, after the first encipherment in this group of encipherments, the entries in S11 to be enciphered will first be XORed with the result of the previous encipherment, after that result has been rotated left by two bytes. Then, the last 224 entries in S11, S11(32) through S11(255), are enciphered by the same method, and are afterwards swapped with V1 through V112. This time, the subkey material used will extend into the start of S11, as illustrated by the table below:

Subkey material used              Entries in S11 enciphered
K1 to K10                         S11(32) to S11(35)
K11 to K20                        S11(36) to S11(39)
...                               ...
K151 to K160                      S11(92) to S11(95)
V1 to V10                         S11(96) to S11(99)
...                               ...
V101 to V110                      S11(136) to S11(139)
V111 to V112, S10(0) to S10(15)   S11(140) to S11(143)
S10(16) to S10(35)                S11(144) to S11(147)
S10(36) to S10(55)                S11(148) to S11(151)
...                               ...
S10(216) to S10(235)              S11(184) to S11(187)
S10(236) to S10(255)              S11(188) to S11(191)
S11(0) to S11(19)                 S11(192) to S11(195)
...                               ...
S11(200) to S11(219)              S11(232) to S11(235)

At this point, the subkey material required has caught up with the bytes we are attempting to encipher, and so we return to the beginning of the available subkey material, as follows:

Subkey material used              Entries in S11 enciphered
K6 to K15                         S11(236) to S11(239)
K16 to K25                        S11(240) to S11(244)
...                               ...
K46 to K55                        S11(252) to S11(255)
And again, after the first encipherment in this final group of encipherments, the entries in S11 to be enciphered will first be XORed with the result of the previous encipherment, after that result has been rotated left by two bytes.

Starting with the first byte in S10(0), and continuing to the last byte in S11(255), the bytes in the array of subkey material are modified, possibly repeatedly, by the formula:

New Byte(n) = Old Byte(n) XOR Byte(n-1) XOR S2( Byte(n-862) + Byte(n-864) )

where the positions n-862 and n-864 begin, on the first pass, by pointing into K1 to K160, and then V1 to V112, but afterwards are confined to the area from the start of S10 to the end of S11. As this process is performed when the final value of S8 is produced, the fixed S-box S2 is now used. The old value of Byte(n) is made available to other subkey generation processes, specifically the generation of the control table for Quadibloc S-type subkeys and of the final value of S8, and this process is repeated only as many times as these processes require input.

First, an array is filled with the first 46 numbers from 0 to 219 in the initial value of S8, followed by the numbers 0 to 219 in order. Then, a permutation is produced from several blocks of 256 values generated as old Byte(n) values from the shift-register process above applied to the area from V1 to S11(255), utilizing the procedure for generating permutations from Quadibloc II and Quadibloc III.
Once the permutation is generated, replace every element in it as follows: if the value of that element is N, replace it with element N of the array filled, based on the initial value of S8, with numbers from 0 to 209, 46 of them twice. These numbers from 0 to 209 then need to be converted to triples used for selecting subkeys from a group of seven subkeys in the V1 to V56 group. Now, generate another permutation by the method above. Then, the final value of S8 is produced as follows: for i from 0 to 255, let N equal element i of the old value of S8, and set element N of the final value of S8 (stored in another array) to be element i of this permutation. Finally, using our shift register method as applied to V1 through S11(255), acquire sixteen more bytes by replacing their old values with new ones; the old values taken will be LK1 and LK2. And hence ends key generation for Quadibloc VI with sixteen rounds.
Quadibloc S
Quadibloc S is a block cipher with a 64-bit block, based on the original QUADIBLOC, but including in its f-function one feature from Quadibloc II, while omitting the use of S-box S2 on the half of the block being modified. The version with four rounds is being specifically proposed here. Since each f-function involves three table lookups, even this could be considered to be comparable, at least in the time taken, to 12-round DES. That means that six rounds (comparable to 18) would be acceptably fast; but the four-round version is being considered specifically to examine what sort of cryptanalytic attacks are possible. It may be that Quadibloc S with eight rounds, except for the fact of a 64-bit block size, would be secure enough for actual use. Certainly, it should be secure with sixteen rounds, being comparable to the original QUADIBLOC. Also, a key schedule is used that should be more secure than that of the original QUADIBLOC, but much less complicated than that of Quadibloc II.
The Rounds
Each round pro­ceeds as follows: A copy of the right half, which will actually be unchanged by this round, is taken. This now describes the f-function: The copy is XORed with the round's first subkey (subkey 1 for round 1, subkey 4 for round 2, and so on to subkey 10 for round 4). Then, each byte is replaced by its substitute in S-box S1, whose contents are given in the section on Euler's Constant and the Quadibloc S-Boxes. The bits of the result, considered to be numbered from 1 (most significant bit of the first, leftmost byte) to 32 (least significant bit of the last, rightmost byte) following the pattern in DES, are to be transposed so that these bits are then in the order below, still labelled with their previous positions:

1 2 27 28 21 22 15 16 9 10 3 4 29 30 23 24 17 18 11 12 5 6 31 32 25 26 19 20 13 14 7 8

The result is then XORed with the second subkey for the round. Then, S-box S1 and the bit transposition are applied again, and the result of that is XORed with the third subkey for the round. Then, the four bytes of the result are replaced with their substitutes in a key-dependent S-box. This produces the final result, which is XORed with the left half of the block. This change to the value of the block is the end product of the round. Finally, in all rounds but the last one, the two halves of the block are swapped. The operation of a round of Quadibloc S is illustrated by this diagram:
The Key Schedule
The key consists of four or more bytes. The first step of key generation is this: appended to the key, after its last byte, is a byte equal to the inverse (the bitwise negation, or one's complement) of the XOR of all the bytes of the original key. This ensures that the key as expanded does not consist entirely of zeroes. Bytes are then generated from the key by chain addition. This means that a byte is generated as follows: the sum, modulo 256, of the first two bytes of the key is the generated result; it is also appended to the end of the key, whose first byte is then removed. (Note that the cipher itself uses XOR only, and not addition modulo 256.)

The method of producing subkey bytes is a degenerate form of the MacLaren-Marsaglia generator. An array with 256 byte positions, called A(0) to A(255), is filled by generating 256 bytes by means of chain addition. Then, a subkey byte is generated as follows: generate two bytes by chain addition, and call these bytes p and q. The byte to be used in a subkey is the current value of A(q). Replace A(q) with p.

The key-dependent S-box is generated concurrently with subkey generation. Two additional arrays, B(0) to B(255) and C(0) to C(255), are used in this process. These two arrays are initialized so that B(0) contains 0, B(1) contains 1, and so on, and C also contains the 255 byte values in order as well. Then, each time a value is stored in a location of A (both for the 256 initial values and for the value stored in A(q) each time a subkey byte is generated), the following procedure is performed:

Let p be the value being stored in the array A, and let q be the index in A of where it is being stored. If B(q) equals p, then we are finished. Otherwise: Store the value of B(q) in v. Swap element q and element C(p) of array B. (Element C(p) of array B will equal p.) Store the value of C(p) in w. Store q in C(p) (since B(q) now has p stored in it), and store w in C(v) (since our swap placed v, the former value of B(q), in B(w), which originally contained p).

Once all the subkeys are generated, starting from the first (most significant) byte of subkey 1, and ending with the last (least significant) byte of subkey 12, the contents of the array B are used as the key-dependent S-box.
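The key expansion, chain addition and degenerate MacLaren-Marsaglia generator described here (and used in the same form at the start of the Quadibloc VI key schedule earlier on this page), as an added Python example rather than the author's BASIC program. The B and C bookkeeping keeps C the inverse of B throughout, which is what the swap description relies on, and the count of twelve four-byte subkeys is the Quadibloc S one. The test vectors that follow give the subkeys and S-box the original program produced for a four-byte all-zero key, and can be compared with what this code yields.

```python
def expand_key(key):
    """Quadibloc S key expansion: append the one's complement of the XOR of
    all key bytes, so that an all-zero key does not stay all zero."""
    key = list(key)
    if len(key) < 4:
        raise ValueError("the key consists of four or more bytes")
    parity = 0
    for b in key:
        parity ^= b
    return key + [parity ^ 0xFF]


def chain_addition(expanded):
    """Generator for chain addition: each output is the sum mod 256 of the
    first two bytes of the key; it is appended and the first byte dropped."""
    state = list(expanded)
    while True:
        out = (state[0] + state[1]) & 0xFF
        state.append(out)
        del state[0]
        yield out


class SubkeyGenerator:
    """Degenerate MacLaren-Marsaglia generator over the chain-addition
    stream, with the B/C bookkeeping that turns every store into A into a
    step of a permutation.  B is the key-dependent S-box once the subkeys
    have been drawn; C is kept as the inverse of B throughout."""

    def __init__(self, key):
        self.src = chain_addition(expand_key(key))
        self.A = [0] * 256
        self.B = list(range(256))
        self.C = list(range(256))
        for q in range(256):              # the 256 initial fills also count
            self._store(q, next(self.src))

    def _store(self, q, p):
        self.A[q] = p
        if self.B[q] == p:
            return
        v = self.B[q]                     # value being displaced from B[q]
        w = self.C[p]                     # index where p currently sits in B
        self.B[q], self.B[w] = self.B[w], self.B[q]   # now B[q] = p, B[w] = v
        self.C[p] = q
        self.C[v] = w

    def next_byte(self):
        p = next(self.src)
        q = next(self.src)
        out = self.A[q]
        self._store(q, p)
        return out

    def subkeys(self, count, width=4):
        """count subkeys of width bytes each, most significant byte first."""
        return [[self.next_byte() for _ in range(width)] for _ in range(count)]


def quadibloc_s_key_schedule(key):
    """Twelve 32-bit subkeys (three per round, four rounds) and the
    key-dependent S-box for the given key."""
    gen = SubkeyGenerator(key)
    subkeys = gen.subkeys(12)
    return subkeys, list(gen.B)
```

For the all-zero four-byte key the expanded key is 0 0 0 0 255, and chain addition then starts 0 0 0 255 255 0 0 255 254 255, which is the property the appended complement byte is there to provide: a stream that is not constant even when every key byte is zero.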
Test Vectors
The following is output from a short BASIC program which implements four-round Quadibloc S.

Keys and the block are shown as sequences of bytes, from first to last, represented as decimal numbers from 0 to 255, for simplicity in programming.

Encipherment of an all-zero block with a four-byte all-zero key.

Subkeys for the given key are:
 1 ) 98 96 250 128
 2 ) 239 154 244 76
 3 ) 131 160 14 28
 4 ) 0 255 116 10
 5 ) 215 163 226 153
 6 ) 64 16 220 185
 7 ) 239 162 182 164
 8 ) 127 62 65 112
 9 ) 102 221 47 175
 10 ) 0 0 255 159
 11 ) 21 0 136 184
 12 ) 241 165 38 64

The key-dependent S-box contains:
255 63 67 102 181 6 238 9 231 139 89 59 13 253 208 134 66 250 230 254 241 22 246 118 75 170 236 240 200 234 195 148 46 7 74 114 131 50 68 152 92 78 100 202 117 247 227 90 73 141 218 130 164 104 201 179 15 91 228 105 84 190 43 160 21 18 26 232 58 251 83 166 169 226 199 119 177 115 244 77 111 162 137 204 8 248 189 154 38 159 187 225 132 71 39 161 165 198 217 125 110 194 41 155 11 153 51 35 86 25 184 72 252 135 101 211 235 85 23 203 167 242 5 168 120 133 172 124 31 213 107 109 223 140 149 147 122 47 245 49 20 69 237 150 210 174 196 197 138 145 193 54 206 82 99 81 17 129 126 30 188 29 171 96 144 1 128 37 123 176 14 10 143 151 219 3 142 79 16 60 45 221 182 209 76 183 34 94 27 93 70 175 121 65 61 156 19 186 173 28 214 205 103 229 2 192 52 88 56 215 108 220 157 55 243 136 44 207 42 113 180 116 249 32
33 98 106 158 212 222 163 146 185 178 112 53 4 36 62 95 57 12 87 233 239 97 127 40 216 80 224 64 24 0 48 191

Plaintext block is: 0 0 0 0 0 0 0 0
Right half after first subkey is: 98 96 250 128
Right half after first S/P stage: 42 72 142 117
Right half after second subkey is: 197 210 122 57
Right half after second S/P stage: 174 235 31 169
Right half after third subkey is: 45 75 17 181
f-function output: 247 119 250 221
Block after round 1 is: 0 0 0 0 247 119 250 221
Right half after first subkey is: 247 136 142 215
Right half after first S/P stage: 250 22 190 199
Right half after second subkey is: 45 181 92 94
Right half after second S/P stage: 43 0 180 25
Right half after third subkey is: 107 16 104 160
f-function output: 35 66 11 188
Block after round 2 is: 247 119 250 221 35 66 11 188
Right half after first subkey is: 204 224 189 24
Right half after first S/P stage: 55 146 122 31
Right half after second subkey is: 72 172 59 111
Right half after second S/P stage: 150 191 152 23
Right half after third subkey is: 240 98 183 184
f-function output: 57 217 209 76
Block after round 3 is: 35 66 11 188 206 174 43 145
Right half after first subkey is: 206 174 212 14
Right half after first S/P stage: 32 81 143 194
Right half after second subkey is: 53 81 7 122
Right half after second S/P stage: 110 12 227 37
Right half after third subkey is: 159 169 197 101
f-function output: 30 176 186 194
Enciphered block is: 61 242 177 126 206 174 43 145

Encipherment, with the same 32-bit key of all zeroes, of the 64-bit block 0000000000000000000000000000000000000000000000000000000000000001

Plaintext block is: 0 0 0 0 0 0 0 1
Right half after first subkey is: 98 96 250 129
Right half after first S/P stage: 26 64 140 245
Right half after second subkey is: 245 218 120 185
Right half after second S/P stage: 154 185 226 46
Right half after third subkey is: 25 25 236 50
f-function output: 170 170 4 218
Block after round 1 is: 0 0 0 1 170 170 4 218
Right half after first subkey is: 170 85 112 208
Right half after first S/P stage: 52 64 47 151
Right half after second subkey is: 227 227 205 14
Right half after second S/P stage: 39 0 195 243
Right half after third subkey is: 103 16 31 74
f-function output: 155 66 148 199
Block after round 2 is: 170 170 4 218 155 66 148 198
Right half after first subkey is: 116 224 34 98
Right half after first S/P stage: 79 157 125 61
Right half after second subkey is: 48 163 60 77
Right half after second S/P stage: 27 65 178 232
Right half after third subkey is: 125 156 157 71
f-function output: 133 17 129 166
Block after round 3 is: 155 66 148 198 47 187 133 124
Right half after first subkey is: 47 187 122 227
Right half after first S/P stage: 140 227 55 41
Right half after second subkey is: 153 227 191 145
Right half after second S/P stage: 215 41 195 194
Right half after third subkey is: 38 140 229 130
f-function output: 68 20 222 107
Enciphered block is: 223 86 74 173 47 187 133 124

Encipherment of an all-zero block with the key 00000000000000000000000000000001

Subkeys for the given key are:
 1 ) 113 110 181 254
 2 ) 123 250 8 142
 3 ) 80 161 177 11
 4 ) 56 251 144 61
 5 ) 73 225 29 205
 6 ) 181 16 190 1
 7 ) 123 179 56 142
 8 ) 222 26 255 191
 9 ) 67 237 3 76
 10 ) 242 175 217 77
 11 ) 0 27 125 190
 12 ) 222 139 114 248

The key-dependent S-box contains:
15 5 43 125 188 7 209 68 60 63 193 19 221 102 40 2 175 150 159 85 70 146 184 251 151 246 232 104 26 87 157 34 233 243 215 203 95 162 59 56 136 211 164 208 52 0 16 244 35 4 140 99 69 235 30 107 90 138 72 122 117 212 36 83 88 191 49 134 121 183 42 75 222 169 39 163 119 135 62 132 155 128 67 118 80 82 130 247 3 120 139 194 133 160 105 181 1 97 223 57 214 170 110 17 6 154 248 114 38 230 24 237 148 255 54 89 166 147 53 115 204 20 200 219 64 210 152 71 224 182 174 93 185 220 201 250 149 37 179 171 143 186 156 41 58 73 196 234 161 131 213 86 92 245 207 11 231 81 45 153 189 98 126 55 218 195 27 238 112 44 65 111 100 48 18 167 12 10 29 124 47 91 101 226 46 216 252 253 78 206 198 187 144 22 127 173 108 199 14 165 229 239 61 141 9 76 28 225 113 142 84 177 241 197 94 236 137 116 217 66 109 31 190 129 254 106 240 79 202 25 180 178 50 33 205 13 228 21 176 51 74 249 123 227 242 172 145 168 96 192 77 23 8 32 158 103

Plaintext block is: 0 0 0 0 0 0 0 0
Right half after first subkey is: 113 110 181 254
Right half after first S/P stage: 171 207 58 116
Right half after second subkey is: 208 53 50 250
Right half after second S/P stage: 181 120 192 147
Right half after third subkey is: 229 217 113 152
f-function output: 25 116 255 92
Block after round 1 is: 0 0 0 0 25 116 255 92
Right half after first subkey is: 33 143 111 97
Right half after first S/P stage: 109 240 44 94
Right half after second subkey is: 36 17 49 147
Right half after second S/P stage: 158 76 216 205
Right half after third subkey is: 43 92 102 204
f-function output: 208 133 110 9
Block after round 2 is: 25 116 255 92 208 133 110 9
Right half after first subkey is: 171 54 86 135
Right half after first S/P stage: 238 34 203 94
Right half after second subkey is: 48 56 52 225
Right half after second S/P stage: 50 141 65 164
Right half after third subkey is: 113 96 66 232
f-function output: 255 1 49 50
Block after round 3 is: 208 133 110 9 230 117 206 110
Right half after first subkey is: 20 218 23 35
Right half after first S/P stage: 130 158 232 13
Right half after second subkey is: 130 133 149 179
Right half after second S/P stage: 14 74 147 130
Right half after third subkey is: 208 193 225 122
f-function output: 113 22 106 200
Enciphered block is: 161 147 4 193 230 117 206 110
Quadibloc VII
Quadibloc VII is an attempt to embody the principles found in the Large-Key Brainstorm within the compass of a block cipher. The subkey material it uses consists of:
- Two S-boxes, each containing 256 entries, each entry being 16 bits in length (1024 bytes);
- Thirty-two subkeys, four for each of eight rounds, each 16 bits in length (64 bytes);
- Ninety-six subkey pools, each one containing 16 subkeys, each subkey being 16 bits in length (3072 bytes),
for a total of 4,160 bytes of subkey material.
The Rounds
The first two rounds of Quadibloc VII look like this:
In Quadibloc VII, the 128-bit block is divided into four quarters, of 32 bits each, each of which is further divided into two 16-bit halves. Each round of Quadibloc VII consists of four Feistel rounds performed on each of these pairs of 16-bit halves. The XOR of the two halves of the first 32-bit quarter after two Feistel rounds is used to control, for each of the four Feistel rounds performed on the next quarter, which of sixteen possible subkeys are used.

After every odd-numbered round, the eight 16-bit subblocks are permuted to the following order (expressed in terms of a list of the sources of the subblocks after the permutation):

7 6 1 8 3 2 5 4

thus, the left halves move to the next later quarter, and the right halves move to the corresponding position in the other half of the entire block. After every even-numbered round except the last, the eight 16-bit subblocks are permuted to the following order (expressed in terms of a list of the sources of the subblocks after the permutation):

7 4 1 6 3 8 5 2

thus, the left halves move to the next later quarter, and the right halves move to the next earlier quarter. This diagram illustrates, by color-coding, how the pieces of the block move during the 8 rounds of Quadibloc VII:
and here is a table showing this in text form, with one row for each of the eight sub-block positions and one column for each of the eight rounds:

Position   Round 1   2     3     4     5     6     7     8
1          (1)       7     5     3     (1)   7     5     3
2          [2]       6     8     4     6     [2]   4     8
3          3         (1)   7     5     3     (1)   7     5
4          4         8     [2]   6     8     4     6     [2]
5          5         3     (1)   7     5     3     (1)   7
6          6         [2]   4     8     [2]   6     8     4
7          7         5     3     (1)   7     5     3     (1)
8          8         4     6     [2]   4     8     [2]   6

The paths of the first left half and the first right half are indicated by brackets. Note that the first left half, 1, is enciphered:

with right half   2   4   6   8
in rounds         1   3   5   7
                  4   6   8   2
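As an added example (not code from the page), the following tracks the eight 16-bit sub-blocks through the two permutations given above and reproduces both the position table and the pairing of sub-block 1 with the right halves.

```python
# Added example: follow the Quadibloc VII sub-blocks through the 8 rounds
# using the two permutations stated in the text.

ODD_PERM = (7, 6, 1, 8, 3, 2, 5, 4)    # applied after rounds 1, 3, 5 and 7
EVEN_PERM = (7, 4, 1, 6, 3, 8, 5, 2)   # applied after rounds 2, 4 and 6


def apply_perm(layout, perm):
    """Reorder so that new position i holds the sub-block from old position perm[i]."""
    return tuple(layout[p - 1] for p in perm)


def round_layouts(rounds=8):
    """Layout (sub-block ids 1..8, left to right) at the start of each round."""
    layout = tuple(range(1, 9))
    layouts = [layout]
    for r in range(1, rounds):
        layout = apply_perm(layout, ODD_PERM if r % 2 == 1 else EVEN_PERM)
        layouts.append(layout)
    return layouts


def position_table(rounds=8):
    """Rows are positions 1..8, columns are rounds 1..8, as in the page's table."""
    layouts = round_layouts(rounds)
    return [tuple(layouts[r][pos] for r in range(rounds)) for pos in range(8)]


def partners_of(sub_block, rounds=8):
    """For each round, the sub-block sharing a 32-bit quarter (positions 1-2, 3-4,
    5-6, 7-8) with `sub_block`, i.e. the one it goes through the small Feistel
    rounds with."""
    partners = []
    for layout in round_layouts(rounds):
        pos = layout.index(sub_block)
        partners.append(layout[pos ^ 1])
    return partners
```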
thus ensuring that the sub-blocks affect each other by being enciphered together in the small Feistel rounds, in addition to affecting each other by modifying their encipherment through the use of the subkey pools. The f-function is merely the XOR of the value in S10 indexed by the leftmost half of the input with the value in S11 indexed by the rightmost half of the input.
The Key Schedule
While the round structure of Quadibloc VII is impressive, as is to be expected given the large amount of subkey material it consumes, there are only two S-boxes in the cipher, both of them key-dependent, so the cipher is still only as good as its key schedule.

Initially, the subkeys are filled in the following order: first the 96 subkey pools, then the two S-boxes (first S10, then S11, from entry 0 to entry 255 each), then the 32 fixed subkeys. They are initially filled by means of almost the same key generation method as used in Quadibloc S:

The key consists of two or more bytes. The key is expanded, to prevent a key that is long and of all zeroes in whole or in part from causing poor results, as follows: a key of n bytes is expanded to one of 3n+1 bytes, the last byte of which is equal to the inverse (the bitwise negation, or one's complement) of the XOR of all the bytes of the original n-byte key. The first 3n bytes of the expanded key alternate between a byte from each of the following sources:

- The n bytes of the original key, in order.
- One of the possible byte values, starting from 127, and incrementing by one each time.
- The bytes of the original key, in reverse order, inverted, and with 1, 2, 3, and so on added to them.

Thus, if the original key is 0 128 255, after expansion the key becomes 0 127 1 128 128 129 255 129 2 128.

Bytes are then generated from the key by chain addition. This means that a byte is generated as follows: the sum, modulo 256, of the first two bytes of the key is the generated result; it is also appended to the end of the key, whose first byte is then removed. (Note that the cipher itself uses XOR only, and not addition modulo 256.)

The method of producing subkey bytes is a degenerate form of the MacLaren-Marsaglia generator. An array with 256 byte positions, called A(0) to A(255), is filled by generating 256 bytes by means of chain addition. Then, a subkey byte is generated as follows: generate two bytes by chain addition, and call these bytes p and q. The byte to be used in a subkey is the current value of A(q). Replace A(q) with p.

Once all the subkeys have been filled by this method, the quantity 01F253A435C607F859AA3BCC0DFE5FA0 is to be enciphered with the temporary subkeys thus calculated, for the first four rounds of a normal Quadibloc VII encipherment. This output is now used as the key from which bytes are generated by chain addition. It is expanded, but not in the same fashion as the original key: it is only doubled in length, and the bytes of the key alternate with the bytes of the key in reverse order, inverted (but without anything added to them). Since 32 is not a number of the form 3n+1 (unlike 16, which is such a number), the two keys are ensured to be different in length. Then, the degenerate MacLaren-Marsaglia procedure is to be repeated, with the bytes produced by it XORed with the subkey bytes in order.
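The key expansion, chain addition and degenerate MacLaren-Marsaglia generator described above, as an added example (not the author's code); the final re-keying step, which needs four rounds of the cipher itself, is not included.

```python
# Added example: Quadibloc VII initial subkey-byte generation as described in
# the text. The worked key 0 128 255 is the page's own example.

def expand_key(key):
    """Expand an n-byte key to 3n+1 bytes: interleave the key bytes, a counter
    starting at 127, and the reversed, inverted key with 1, 2, 3, ... added;
    then append the one's complement of the XOR of the original key bytes."""
    n = len(key)
    if n < 2:
        raise ValueError("the key must consist of two or more bytes")
    reversed_inverted = [~b & 0xFF for b in reversed(key)]
    out = []
    for i in range(n):
        out.append(key[i])
        out.append((127 + i) & 0xFF)
        out.append((reversed_inverted[i] + i + 1) & 0xFF)
    xor_all = 0
    for b in key:
        xor_all ^= b
    out.append(~xor_all & 0xFF)
    return out


def chain_addition(seed):
    """Generator: emit (s[0] + s[1]) mod 256, append it, drop s[0]; repeat."""
    state = list(seed)
    while True:
        v = (state[0] + state[1]) & 0xFF
        state.append(v)
        del state[0]
        yield v


def chain_addition_prefix(seed, count):
    gen = chain_addition(seed)
    return [next(gen) for _ in range(count)]


def degenerate_maclaren_marsaglia(stream):
    """Fill A(0..255) from the stream; then for each output byte draw p and q,
    emit A(q) and store p in A(q). Both p and q come from the same chain-addition
    stream, which is what makes this the degenerate form of the generator."""
    table = [next(stream) for _ in range(256)]
    while True:
        p = next(stream)
        q = next(stream)
        out = table[q]
        table[q] = p
        yield out


def subkey_bytes(key, count):
    """The first `count` subkey bytes for `key`; 4160 fills all the VII material
    (96 pools, then S10, S11, then the 32 fixed subkeys, in the page's order)."""
    gen = degenerate_maclaren_marsaglia(chain_addition(expand_key(key)))
    return [next(gen) for _ in range(count)]
```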
Quadibloc VIII
Quadibloc VIII is a design reminiscent of Quadibloc II and Quadibloc III. With a simple and uniform round structure, it still attempts to make the algorithm itself, not just the subkeys applied, variable. Because of the variability in the algorithm, it is not suited to smart card applications, as it is not resistant to attacks based on timing or power consumption. Also, there could be weak keys, both because some keys might cause short sequences in the shift registers used for producing subkeys, and because some keys might lead to duplicate entries in S10 and S11. The byte interchange between rounds might be questioned. However, I am of the opinion that the same factors which seem to contribute these weaknesses also contribute more in strength than they remove, and that the design prevents potential weaknesses such as these from being exploitable. It may be noted that this design has drawn inspiration from many quarters. It uses the bit swap under mask of ICE, and the XOR with subkeys of the left-hand quarter of each half was inspired by LOKI97, as was the manner of minimally alternating between two S-boxes in the f-function in the left half to avoid a rotational symmetry. The concept of having initial and final mixing and whitening phases, even though the phases themselves may not much resemble those of MARS, is due to that cipher, and the notion of placing the algorithm under the control of the key owes something to FROG. Using the initial mixing and whitening phases to vary where each bit goes in the algorithm is somewhat similar to the method used in FROG to achieve algorithmic variability.
The basic regular round structure consists of two Feistel rounds, each one operating between two quarters of the block within one half of the block; RC6 has a similar basic round structure, but with one important difference: in RC6, the block, viewed as LRLR, modifies each R portion based on a function involving both its own L portion and the other one, so that each R portion depends on both L portions. In Quadibloc VIII, although the block also has an LRLR form, and the first L portion is transformed in an invertible manner that depends only on the key (instead of being left alone as in the original Feistel structure), the first R portion depends only on the first L portion, while the second R portion depends on both L portions, and even the second L portion is transformed in a way that depends on the first L portion.
Overview of Quadibloc VIII
Quadibloc VIII consists of sixteen rounds, with a brief whitening and mixing phase at the beginning and end of the cipher.
For the purpose of a round, a block is divided into two halves, each half being further subdivided into two quarters. In each half, the left quarter is used as the input to an f-function, basically the f-function from Quadibloc S and Quadibloc II and others, and the output is XORed with the right quarter. Before and after being used as the input to the f-function, the left quarter is put through one of two keyed transformations. The same is done with the right quarter before and after being XORed with the output from the f-function. The left quarter only, at the beginning and end of the round, is XORed with subkey material. For the left half only, an extra output is derived from the calculation of the f-function. This extra output supplies bits which have a nonlinear effect on transformations applied to the right quarter of the left half, and to both quarters of the right half.
- The Standard Rounds
- The Mixing and Whitening Phase
- The Key Schedule
- The Rationale of the Design
The Standard Rounds
The basic round of Quadibloc VIII consists of two connected Feistel rounds, each performed on one half of the block. Every effort has been made to supply a complete description of the algorithm in the text, but reference to the illustrations may make it easier to understand. Also, if any ambiguity is left, it should be understood that this cipher was conceptualized according to big-endian conventions; in all cases, the leftmost bits of any byte or word correspond to its most significant bits when it is considered as a number.
The left half
The following diagram illustrates the part of a Quadibloc VIII round that acts on the left half of the block:
The left quarter of the left half
The left quarter of the left half of the block is first modified by being XORed with a 32-bit subkey (in the case of the first round, this is subkey 49, and the number is advanced by 2 with each round). Then it is subjected to one of two possible transformations: either it is divided into four bytes, and each pair of bytes is enciphered through two small-scale Feistel rounds, using key-dependent S-box S8 as the f-function, or it is divided into two 16-bit portions which are enciphered by two Feistel rounds. The result of that transformation is used as the input to the f-function. Then, the other of the two possible transformations is performed on the left quarter of the left half of the block, and finally another 32-bit subkey is XORed with it (subkey 50 in the first round, advanced by 2 for each succeeding round).
The two small transformations of a 32-bit quarter of the block are, in detail, as follows:
In the first transformation, numbering the bytes from 1 to 4 from left to right, first byte 2 of the block is changed by being XORed with the byte of S8 indicated by byte 1 of the block XORed with byte 1 of the subkey, and at the same time byte 4 of the block is changed by being XORed with the byte of S8 indicated by byte 3 of the block XORed with byte 2 of the subkey. (These XORs, and those in the rest of this paragraph, may be changed to modulo-256 addition, under circumstances to be noted below.) Subsequently, byte 1 of the block is changed by being XORed with the byte of S8 indicated by byte 2 of the block (in its current modified state) XORed with subkey byte 3, and at the same time byte 3 of the block is changed by being XORed with the byte of S8 indicated by byte 4 of the block (in its current modified state) XORed with subkey byte 4. Thus, the block is divided into two halves; each half is subjected to two Feistel rounds in place, and the input to the f-function comes first from the byte on the left, and then in the second round from the byte on the right. The key-dependent S-box provides the f-function.

In the second transformation, the 32-bit block is split into two 16-bit halves. Two Feistel rounds take place, with the left half initially supplying the input to the f-function. The f-function begins with the input being XORed with 16 bits of subkey (the left half in the first round, the right half in the second, of a 32-bit subkey); then, the left byte of the result is used to index into key-dependent S-box S10, and the right byte of the result is used to index into key-dependent S-box S11. The two items found are then added (with the left byte being the most significant), and the result is the f-function output. The round is completed by modifying the target half of the block by XORing it with the f-function output.
Considering 32-bit subkey 721 as being composed of bits numbered from 1 to 32 from left to right, bit 1, if it is a 1, changes all the XORs in the first transformation when it is applied to the left quarter of the left half of the 128-bit block in the first round to additions, both those where the subkey is XORed to the index into S8, and those where the output from S8 is XORed to a byte of the block. This is done by bits 2 through 16 in rounds 2 through 16. Bit 17, if it is a 1, causes the second of the two transformations, the one which acts on 16-bit halves of the 32-bit quarter, to take place first, in the first round. Bits 18 through 32 do this for rounds 2 through 16.
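The two keyed 32-bit transformations just described, with their inverses and the control bits of subkey 721, as an added example (not the page's or the author's code). It uses the big-endian reading the text specifies; S8, S10 and S11 are constructed from a fixed seed purely so the example runs stand-alone, and the subkey values in the test are constructed.

```python
# Added example: the Quadibloc VIII transformations of the first and second
# type, as applied to the left quarter of the left half, plus their inverses.
import random

# Constructed key-dependent S-boxes (the real ones come from the key schedule).
_rng = random.Random(2024)
S8 = list(range(256))
_rng.shuffle(S8)
S10 = [_rng.getrandbits(16) for _ in range(256)]
S11 = [_rng.getrandbits(16) for _ in range(256)]


def _bytes4(word):
    """Split a 32-bit word into bytes 1..4, leftmost (most significant) first."""
    return [(word >> 24) & 0xFF, (word >> 16) & 0xFF, (word >> 8) & 0xFF, word & 0xFF]


def transform1(x, subkey, use_add=False, inverse=False):
    """Transformation of the first type: two byte-wise Feistel rounds in place on
    each 16-bit half. Round 1: b2 ^= S8[b1 ^ k1], b4 ^= S8[b3 ^ k2]; round 2:
    b1 ^= S8[b2 ^ k3], b3 ^= S8[b4 ^ k4]. With use_add every XOR becomes a
    modulo-256 addition (a subtraction when inverting)."""
    b, k = _bytes4(x), _bytes4(subkey)
    rounds = [[(1, 0, k[0]), (3, 2, k[1])], [(0, 1, k[2]), (2, 3, k[3])]]
    if inverse:
        rounds.reverse()                 # undo round 2, then round 1
    for rnd in rounds:
        for target, source, kbyte in rnd:   # the two updates in a round are independent
            if use_add:
                s = S8[(b[source] + kbyte) & 0xFF]
                b[target] = (b[target] + (-s if inverse else s)) & 0xFF
            else:
                b[target] ^= S8[b[source] ^ kbyte]
    return (b[0] << 24) | (b[1] << 16) | (b[2] << 8) | b[3]


def f16(x16, k16):
    """16-bit f-function: XOR in 16 bits of subkey, index S10 with the left byte
    and S11 with the right byte, add the two entries modulo 2^16."""
    t = x16 ^ k16
    return (S10[t >> 8] + S11[t & 0xFF]) & 0xFFFF


def transform2(x, subkey, inverse=False):
    """Transformation of the second type: two 16-bit Feistel rounds. First
    R ^= f(L, left half of subkey), then L ^= f(R, right half of subkey)."""
    left, right = x >> 16, x & 0xFFFF
    k_left, k_right = subkey >> 16, subkey & 0xFFFF
    if inverse:
        left ^= f16(right, k_right)
        right ^= f16(left, k_left)
    else:
        right ^= f16(left, k_left)
        left ^= f16(right, k_right)
    return (left << 16) | right


def k721_controls(k721, round_no):
    """Bits of subkey 721 numbered 1..32 from the left: bit round_no selects
    addition in transform1, bit 16+round_no puts transform2 first (rounds 1..16)."""
    use_add = (k721 >> (32 - round_no)) & 1 == 1
    t2_first = (k721 >> (16 - round_no)) & 1 == 1
    return use_add, t2_first


def quarter_forward(x, k_pre, k_t1, k_t2, k_post, use_add, t2_first):
    """Left quarter of the left half in one round: XOR k_pre, the first
    transformation (whose result is the f-function input), the other
    transformation, XOR k_post. Returns (f_input, new_quarter)."""
    x ^= k_pre
    if t2_first:
        f_input = transform2(x, k_t2)
        out = transform1(f_input, k_t1, use_add)
    else:
        f_input = transform1(x, k_t1, use_add)
        out = transform2(f_input, k_t2)
    return f_input, out ^ k_post


def quarter_inverse(y, k_pre, k_t1, k_t2, k_post, use_add, t2_first):
    """Undo quarter_forward: remove k_post, invert the two transformations in
    reverse order, then remove k_pre."""
    y ^= k_post
    if t2_first:
        y = transform2(transform1(y, k_t1, use_add, inverse=True), k_t2, inverse=True)
    else:
        y = transform1(transform2(y, k_t2, inverse=True), k_t1, use_add, inverse=True)
    return y ^ k_pre
```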
The f-function
The f-function used in Quadibloc VIII is essentially the same f-function as seen in Quadibloc II and Quadibloc S, except with the use of different S-boxes and, in the case of the left half, an intermediate result is taken, which is not the same as the one taken in Quadibloc III, which also uses an otherwise similar f-function. The f-function consists of three general types of phase: S, for substitution, P, for bit-permutation, and X, for the XOR of subkey material. The f-function used here is of the type XSPXSPXS. By having two full SP layers, changing a single bit of the input always affects the entire f-function output, and therefore the avalanche property of Quadibloc S is considerably stronger than that of DES; in return for a slower f-function, a single bit change in the input block propagates to the whole block after only four rounds instead of eight. The first S phase uses S-boxes 1, 1, 1, and 2 in order from left to right, and the second uses S-boxes 1, 2, 2, and 2 from left to right. S1 and S2 are as described in the description of previous ciphers in the Quadibloc series, having been generated from Euler's constant. The bit permutation used is a straightforward one, where the first (leftmost) two bits of each byte remain in position, the next two bits are rotated one byte to the right, the third pair of bits rotated 16 bits, and the last (rightmost) two bits of each byte are rotated one byte to the left. Again, this is given in the description of the original Quadibloc cipher. The third S phase replaces all the bytes with their substitutes in key-dependent S-box S8. The subkeys XORed with the f-function input are subkeys 1, 2, and 3 in the first round, and the subkey numbers are offset by 3 with each succeeding round (thus, subkeys 4, 5, and 6 are used in round 2).

An auxiliary result is also produced from the f-function for the left half of the block. This result is the XOR of two intermediate values of the f-function: the value after the part of the complete XSPXSPXS f-function labelled XSP has been done, and the value after the part labelled XSPXSP has been done. For the remaining three quarters of the block, the auxiliary result will be used to control the order of the two transformations applied to a single quarter, and whether, for the transformation of the first kind (which may be done first or second), XORs or single-byte additions are used, in the fashion that subkey 721 controlled this for the first quarter. Other bits of the auxiliary result will be used to select subkeys for use in subsequent encipherment from a set of four possible values, and to select S-boxes from two possibilities for the f-function used in the right half of the block.
The right quarter of the left half
First, the right quarter of the left half is subjected to one of the two available transformations. If the bits of the auxiliary output of the f-function are numbered from 1 to 32 from left to right, bit 28, if it is 0, indicates that the transformation of the first type, using S8 as the f-function, is done first; if it is 1, it indicates that the transformation with a 16-bit wide f-function is done first. Bit 27 indicates, if it is a 1, that the transformation of the first type uses byte-wise additions instead of XORs. Bits 9 and 10 indicate, as a two-bit number, bit 9 being more significant, which of the subkeys 145, 289, 433, or 577 is used for the transformation of the first type (whether it is done first or second), and bits 11 and 12 similarly indicate whether subkey 146, 290, 434, or 578 is used for the transformation of the second type. (In the next round, and each time one progresses from one round to the next, the number of each subkey in each of these groups of four subkeys is advanced by 9.) After the first transformation is performed, the f-function output is XORed with the right quarter of the left half of the block. Then, the second transformation is performed.
The right half
This diagram illustrates the part of a Quadibloc VIII round that acts on the right half of the block:
In the upper left corner of this diagram, the 32-bit auxiliary output from the f-function, as used in the right half, is shown. As can be seen from comparing the two diagrams, the operations that take place on the right half of the block are very similar to those which apply to the left half of the block. The main difference is that the 32-bit auxiliary f-function output came from the left half, and it is used extensively in modifying the encipherment of the right half (only six of its 32 bits were used to affect the transformations which applied to the right quarter of the left half).
The left quarter of the right half
Here, subkey 113 is first XORed with this quarter. This subkey number advances by 1 with each round, not by 2 as for the left half. Bit 30 of the auxiliary f-function output from the left half controls whether the transformation of the first type (if 0) or of the second type (if 1) is done first, and bit 29, if 1, selects the use of byte-wise addition in the transformation of the first type. Again, as before, the value between the two transformations is used as the f-function input. Bits 13 and 14 of the auxiliary f-function output select the subkey (from 147, 291, 435, and 579) to use for the transformation of the first type, and bits 15 and 16 select the subkey (from 148, 292, 436, and 580) to use for the transformation of the second type. After both transformations, subkey 129 is XORed with this quarter.
The f-function
Again, the same XSPXSPXS structure is used. For the first two S stages, S-boxes 3 and 4 in the sequence generated from Euler's constant are used. Bits 1 through 8 of the auxiliary f-function output from the left half determine (0 = S-box 3, 1 = S-box 4) which S-box is used, for the four bytes of the f-function input in order from left to right, first in the first stage and then in the second. The third S phase again just substitutes bytes from S-box S8. The three subkeys used are selected (in the first round, and advanced by 9 for each succeeding round as previously noted) from subkeys 149, 293, 437, and 581 for the first XOR, guided by bits 21 and 22 of the auxiliary f-function output; from subkeys 150, 294, 438, and 582 (in the first round) for the second XOR by bits 23 and 24; and from subkeys 151, 295, 439, and 583 (in the first round) for the third XOR by bits 25 and 26.
The right quarter of the right half
Again, here we have two transformations, with the XOR of the f-function output in the middle. Bit 32 controls which transformation comes first, and bit 30 controls whether XOR or addition is used in the transformation of the first type. The transformation of the first type uses, in the first round, a subkey from subkeys 152, 296, 440, and 584, as selected by bits 17 and 18 of the auxiliary output of the f-function in the left half, and the transformation of the second type uses a subkey from subkeys 153, 297, 441, and 585, as selected by bits 19 and 20 of the auxiliary output of the f-function from the left half.
Byte Interchange
After each round of Quadibloc VIII, except round 16, the 16 bytes of the block are rearranged from being in the order

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

to being in the order:

16 8 5 6 12 10 3 1 13 15 7 14 4 2 11 9
Mixing and Whitening
The mixing and whitening phase on entry to the cipher is illustrated below:
Since mixing consists of Feistel round operations on pairs of bytes, ICE-style bit swapping is first applied to move half the bits from the left to the right side of that operation (and vice versa). Then, after two rounds of mixing, an ICE-style swap moves half the bits from the left half of the block to the right half of the block (and vice versa), making it uncertain whether any bit is in the left-hand side simple Feistel round or in the right-hand side controlled Feistel round to begin with. Finally, after two more rounds of mixing, an ICE-style swap moves bits between the left and right quarters of each half, randomizing what side of the f-function they start out on.
On exit from the cipher, the masks M4, M5, and M6 are applied in order, and the Feistel rounds applied to pairs of bytes still use the left byte as input to the ffunction first, as illustrated below:
The masks are produced by applying a 4 of 8 code to subkey material, guaranteeing that exactly four of the eight bits in any byte are swapped in each swapping step.
The Key Schedule
The key material used by Quadibloc VIII consists of:
- Six 64-bit swap masks, M1 through M6, each produced from 48 bits of normal subkey material (specifically, the least significant 6 bits of each byte of 64 bits of normal subkey material) by the use of a 4 of 8 code;
- One key-dependent S-box, S8, consisting of a permutation of the numbers from 0 to 255;
- Two key-dependent S-boxes, S10 and S11, each consisting of 256 16-bit values;
- Seven hundred and twenty-one 32-bit subkeys, organized as follows:
  - 48 subkeys, from K1 through K48, used with the f-function in the left half;
  - 32 subkeys, from K49 through K80, used to XOR with the left quarter of the left half of the block at the beginning and end of each round;
  - 16 subkeys, from K81 through K96, used as input to the transformation of the first type applied to the left quarter of the left half of the block;
  - 16 subkeys, from K97 through K112, used as input to the transformation of the second type applied to the left quarter of the left half of the block;
  - 16 subkeys, from K113 through K128, used to XOR with the left quarter of the right half of the block at the beginning of each round;
  - 16 subkeys, from K129 through K144, used to XOR with the left quarter of the right half of the block at the end of each round;
  - 144 subkeys, from K145 through K288, serving as the first of four entries in each of nine subkey pools per round;
  - 144 subkeys, from K289 through K432, serving as the second of four entries in each of nine subkey pools per round;
  - 144 subkeys, from K433 through K576, serving as the third of four entries in each of nine subkey pools per round;
  - 144 subkeys, from K577 through K720, serving as the fourth of four entries in each of nine subkey pools per round;
  - One subkey, K721, which determines the order of transformations, and the use of XOR or byte-wide addition in the transformation of the first kind, for the left quarter of the left half of the block in each round.
The key, which must be a multiple of 32 bits in length, is expanded into four different strings of bytes as follows:

1. The first string consists of the key, with the one's complement of the modulo-256 sum of all the bytes in the key appended.
2. The second string consists of the bytes in the key in normal order, alternating with the one's complement of the bytes of the key in reverse order.
3. The third string consists of the bytes of the key in normal order, alternating with consecutive numbers starting with 1, and with the bytes of the key in reverse order, except that the last byte this would produce (a copy of the first byte of the key) is omitted.
4. The fourth string consists of the bytes of the first half of the key, alternating with the one's complement of the bytes of the second half of the key, alternating with consecutive numbers starting with 128, alternating with the one's complement of the bytes in the first half of the key in reverse order, but with the last byte this would produce omitted.

Thus, four strings of different length are produced, and the bytes of the key are distributed through these strings with different spacings. Also, no string can be all zeroes. For example, given a key consisting of eight bytes with the values 1 2 3 4 5 6 7 8, the four strings will be:

String 1:  1 2 3 4 5 6 7 8 219
String 2:  1 247 2 248 3 249 4 250 5 251 6 252 7 253 8 254
String 3:  1 1 8 2 2 7 3 3 6 4 4 5 5 5 4 6 6 3 7 7 2 8 8
String 4:  1 251 128 250 2 252 129 249 3 253 130 248 4 254 131
Each of these four strings is used to produce bytes by chain addition. A cycle of chain addition proceeds as follows: the modulo-256 sum of the first two bytes of the string is calculated; this value is the current output from the process. The string is then modified by having its first byte removed, and the calculated sum appended to the end of the string. A source of subkey bytes is set up as follows:

- 256 bytes are produced by chain addition from the first string. These fill 256-byte buffer 1.
- 256 bytes are produced by chain addition from the second string. These fill 256-byte buffer 2.
- When bytes are produced, the four strings, from first to fourth, are rotated between the designations of string A, B, C, and D in the following pattern, which repeats for each four bytes generated:
  - A: first, B: second, C: third, D: fourth
  - A: second, B: first, C: third, D: fourth
  - A: first, B: second, C: fourth, D: third
  - A: second, B: first, C: fourth, D: third
- To produce a byte of subkey material, string B is subjected to chain addition, and the value it produces is used as an index into buffer 1. The value in buffer 1 at that point is removed, and called output X. String A is subjected to chain addition, and the value it produces replaces the value removed from buffer 1. (This is, of course, the classic MacLaren-Marsaglia technique.) Similarly, string D is subjected to chain addition, and the value it produces is used as an index into buffer 2. The value at this point is removed, and becomes output Y, and is replaced by the output from subjecting string C to chain addition.
- The XOR of outputs X and Y is used as the desired byte of subkey material.
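The four expansion strings and the two-buffer generator described above, as an added example (not the page's or the author's code). Chain addition and the A/B/C/D rotation follow the text; the fourth string follows the source order given in the prose description; the example key is the page's 1 2 3 4 5 6 7 8.

```python
# Added example: Quadibloc VIII key expansion into four strings and the
# subkey-byte generator built on two MacLaren-Marsaglia buffers.

def complement(byte_list):
    """One's complement of each byte."""
    return [~b & 0xFF for b in byte_list]


def expansion_strings(key):
    """The four byte strings derived from a key whose length is a multiple of 32 bits."""
    n = len(key)
    if n == 0 or n % 4:
        raise ValueError("key length must be a non-zero multiple of 32 bits")
    rev = list(reversed(key))
    # 1: the key, then the one's complement of the modulo-256 sum of its bytes
    s1 = list(key) + [~(sum(key) & 0xFF) & 0xFF]
    # 2: key bytes alternating with the complemented reversed key
    s2 = [b for pair in zip(key, complement(rev)) for b in pair]
    # 3: key byte, counter from 1, reversed key byte; the final reversed byte
    #    (a copy of the first key byte) is omitted
    s3 = [b for triple in zip(key, range(1, n + 1), rev) for b in triple][:-1]
    # 4: first half, complemented second half, counter from 128, complemented
    #    reversed first half, with the last byte this would produce omitted
    half = n // 2
    first, second = list(key[:half]), list(key[half:])
    quads = zip(first, complement(second), range(128, 128 + half),
                complement(list(reversed(first))))
    s4 = [b for quad in quads for b in quad][:-1]
    return s1, s2, s3, s4


def chain_addition(seed):
    """Generator: output (s[0] + s[1]) mod 256, append it to the string, drop s[0]."""
    state = list(seed)
    while True:
        v = (state[0] + state[1]) & 0xFF
        state.append(v)
        del state[0]
        yield v


def chain_addition_prefix(seed, count):
    gen = chain_addition(seed)
    return [next(gen) for _ in range(count)]


# Which of the four strings (0-based) serves as A, B, C, D for each of four
# successive output bytes; the pattern then repeats.
ROTATION = ((0, 1, 2, 3), (1, 0, 2, 3), (0, 1, 3, 2), (1, 0, 3, 2))


def subkey_byte_generator(key):
    """Buffer 1 comes from string 1 and buffer 2 from string 2, each filled with
    256 chain-addition bytes. Per output byte: X = buffer1[next(B)], replaced by
    next(A); Y = buffer2[next(D)], replaced by next(C); the output is X XOR Y."""
    streams = [chain_addition(s) for s in expansion_strings(key)]
    buffer1 = [next(streams[0]) for _ in range(256)]
    buffer2 = [next(streams[1]) for _ in range(256)]
    i = 0
    while True:
        a, b, c, d = (streams[j] for j in ROTATION[i % 4])
        idx1 = next(b)
        x, buffer1[idx1] = buffer1[idx1], next(a)
        idx2 = next(d)
        y, buffer2[idx2] = buffer2[idx2], next(c)
        yield x ^ y
        i += 1


def subkey_bytes(key, count):
    """The first `count` generator bytes for `key` (1024 fill S10 and S11,
    a further 2884 form the 721 subkeys)."""
    gen = subkey_byte_generator(key)
    return [next(gen) for _ in range(count)]
```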
At this point, the bytes of subkey material are subjected to a further operation during key revision, to be described below. The required subkey material is produced from this byte generator as follows:

- 1024 bytes are generated, to form the contents of S10 and S11.
- A permutation of the bytes from 0 to 255 is produced from generator output, in a fashion to be described below, and this permutation will be called P.
- 2884 bytes are generated, forming the 721 32-bit subkeys.
- Another permutation of the byte values from 0 to 255 is produced. This permutation is called Q. The S-box S8 can now be calculated, and satisfies the equation Q(S8(x)) = P(x). Thus, it is produced by applying the inverse of Q to P.
- Six groups of eight bytes are calculated. The first two bits of these bytes are ignored; the last six bits are used to index into the 4 of 8 code used with Quadibloc, and thus the masks M1 through M6 are formed. (The original bytes used as input to the 4 of 8 code must be retained if a subsequent key revision phase is to be performed.)

The first byte generated is always used to fill the leftmost byte of a multi-byte subkey. Here is the 4 of 8 code used for producing the masks:

55 35 4D 1D 56 36 4E 1E 59 39 71 2D 5A 3A 72 2E
65 C5 8D D1 66 C6 8E D2 69 C9 B1 E1 6A CA B2 E2
95 53 17 47 96 5C 1B 4B 99 63 27 74 9A 6C 2B 78
A5 93 D4 87 A6 9C D8 8B A9 A3 E4 B4 AA AC E8 B8
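An added example (not the page's code) that checks the 4 of 8 code table above, builds a 64-bit swap mask from eight subkey bytes as described, and applies the ICE-style swap under mask that the masks drive; the subkey bytes used in the test are constructed.

```python
# Added example: the 4 of 8 code, mask construction, and swap under mask.

# The table as given on the page, 64 byte values read left to right.
FOUR_OF_EIGHT = [int(h, 16) for h in """
55 35 4D 1D 56 36 4E 1E 59 39 71 2D 5A 3A 72 2E
65 C5 8D D1 66 C6 8E D2 69 C9 B1 E1 6A CA B2 E2
95 53 17 47 96 5C 1B 4B 99 63 27 74 9A 6C 2B 78
A5 93 D4 87 A6 9C D8 8B A9 A3 E4 B4 AA AC E8 B8
""".split()]


def popcount(v):
    return bin(v).count("1")


def table_is_valid():
    """Every entry has exactly four bits set and no entry repeats, which is what
    guarantees that each swapping step moves exactly half the bits of every byte."""
    return (len(FOUR_OF_EIGHT) == 64
            and len(set(FOUR_OF_EIGHT)) == 64
            and all(popcount(c) == 4 for c in FOUR_OF_EIGHT))


def mask_from_bytes(subkey_bytes8):
    """Build a 64-bit mask from eight subkey bytes: the low six bits of each byte
    index the table (the top two bits are ignored); the first byte supplies the
    leftmost byte of the mask."""
    if len(subkey_bytes8) != 8:
        raise ValueError("a mask needs exactly eight subkey bytes")
    mask = 0
    for b in subkey_bytes8:
        mask = (mask << 8) | FOUR_OF_EIGHT[b & 0x3F]
    return mask


def swap_under_mask(left, right, mask):
    """ICE-style swap: exchange exactly the bits of left and right selected by mask.
    Applying it twice with the same mask restores the original pair."""
    t = (left ^ right) & mask
    return left ^ t, right ^ t


def swapped_bit_counts(mask):
    """Number of swapped bits per byte, leftmost byte first (4 for a valid mask)."""
    return [popcount((mask >> (8 * i)) & 0xFF) for i in range(7, -1, -1)]
```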
The basic procedure for generating a permutation, used to produce permutations P and Q from generator output, is, as used with Quadibloc II, the following:

- Begin with three arrays of 256 numbers, the first of which is filled with the numbers from 0 to 255 in order. The arrays must also be able to hold the value -1. The second and third arrays are filled with -1.
- For each of 256 bytes produced by the generator: let the value of the byte be called N, and let I be a counter which starts at 0 for the first byte, incrementing with each byte used, and ending at 255. Then, for each byte:
  - If element N of the first array is not -1, set element N of the first array to -1, and set element I of the second array to N.
  - Otherwise, store N in the first unused position (the first position containing -1) in the third array.
- Once this has been done, if the third array contains any numbers other than -1, proceed as follows:
- If there is only one filled (not equal to -1) element in the third array, then there is only one remaining element in the first array, and one element of the second array equal to -1, so fill the second array with the one available byte, and finish.
- If there are only two filled elements in the third array, take the least significant bit of the first filled element. If it is zero, fill the -1 elements of the second array with the remaining elements of the first array in order; if it is one, do so in reverse order, and finish.
- If there are fewer than 256 filled elements in the third array, repeat them over and over to fill the array. Then, generate an additional 256 bytes (thus, 512 bytes are used except when the first 256 bytes contain two or fewer duplicate bytes) and XOR them with the bytes of the third array.
- Now, use the third array to complete the second array by doing the following for II from 0 to 255:
  - Let the value of element II of the third array be XX.
  - Swap elements II and XX of the first array.
- Then, scan through the second array. When an element of the second array is -1, fill it with the corresponding element of the first array (if it is not also -1) and set that element of the first array to -1. If there are any -1 elements left in the second array, fill them with the elements of the first array that are not -1, in order.

Whether the procedure finishes after 256 bytes, or after 512 bytes, from the generator are used, the contents of the second array when the procedure is concluded are the permutation produced.
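The permutation-generation procedure above, as an added example (not the author's code). It consumes an iterator of generator bytes, and the byte sequences fed to it in the test are constructed to exercise the one-duplicate, two-duplicate and many-duplicate paths.

```python
# Added example: the Quadibloc permutation generator used to build P and Q.

def generate_permutation(byte_source):
    """Return a permutation of 0..255 built from 256 (or, with three or more
    duplicates among them, 512) bytes drawn from the iterator `byte_source`."""
    first = list(range(256))       # values not yet placed
    second = [-1] * 256            # the permutation being built
    third = [-1] * 256             # duplicate bytes, in order of appearance
    dup_count = 0
    for i in range(256):
        n = next(byte_source)
        if first[n] != -1:
            first[n] = -1
            second[i] = n
        else:                      # n already used: record it in the third array
            third[dup_count] = n
            dup_count += 1
    if dup_count == 0:
        return second
    remaining = [v for v in first if v != -1]          # values still unplaced
    holes = [i for i, v in enumerate(second) if v == -1]
    if dup_count == 1:
        second[holes[0]] = remaining[0]
        return second
    if dup_count == 2:
        if third[0] & 1:           # least significant bit of the first duplicate
            remaining.reverse()
        for h, v in zip(holes, remaining):
            second[h] = v
        return second
    # Three or more duplicates: cycle them to fill the third array, XOR in 256
    # more generator bytes, and use the result to shuffle the first array.
    filler = third[:dup_count]
    third = [filler[i % dup_count] ^ next(byte_source) for i in range(256)]
    for ii in range(256):
        xx = third[ii]
        first[ii], first[xx] = first[xx], first[ii]
    # Fill holes from the matching position of the shuffled first array ...
    for i in range(256):
        if second[i] == -1 and first[i] != -1:
            second[i] = first[i]
            first[i] = -1
    # ... then any holes still left, in order, from whatever values remain.
    leftovers = iter(v for v in first if v != -1)
    for i in range(256):
        if second[i] == -1:
            second[i] = next(leftovers)
    return second
```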
Key Augmentation
There are ten intermediate results within a round that can be used for key augmentation. These are:

1. The left quarter of the left half of the block, after being subjected to the first of the two possible alternate operations, as it serves as the input to the f-function;
2. The intermediate result of the left half f-function after the first SP layer, and before the XOR of the second subkey input to the f-function;
3. The intermediate result of the left half f-function after the second SP layer, and before the XOR of the third subkey input to the f-function;
4. The left half f-function output;
5. The right quarter of the left half of the block, after being subjected to the first of the two possible alternate operations, and before being XORed with the f-function output;
6. The left quarter of the right half of the block, after being subjected to the first of the two possible alternate operations, as it serves as the input to the f-function;
7. The intermediate result of the right half f-function after the first SP layer, and before the XOR of the second subkey input to the f-function;
8. The intermediate result of the right half f-function after the second SP layer, and before the XOR of the third subkey input to the f-function;
9. The right half f-function output;
10. The right quarter of the right half of the block, after being subjected to the first of the two possible alternate operations, and before being XORed with the f-function output.
After a key is set up using the key schedule as previously described, the 721 32-bit subkeys can be modified through key augmentation steps. A key augmentation step consists of the following, with the subkey array in whatever state is to be subjected to augmentation:

Encrypt the 128-bit block 00FF0F0F333355550123456789ABCDEF using Quadibloc VIII, normally, but during each round retain the ten intermediate results listed above. After the round is concluded, XOR the ten intermediate results, in the order given, with ten successive subkeys, starting with subkey K145 in the first round. Thus, the ten intermediate results from the first round are XORed with subkeys K145 through K154, the ten intermediate results from the second round are XORed with subkeys K155 through K164, and so on.

After the block encryption is complete, move the subkeys backwards 160 positions in the list of subkeys. Thus, the former subkeys K1 through K160 become subkeys K562 through K721; the former subkeys K161 through K721 become subkeys K1 through K561.

Although five key augmentation steps are required to modify all the subkeys, a single key augmentation step ensures that subkeys K1 through K144, as well as K721, are among the 160 subkeys modified by being XORed with intermediate results, these subkeys being the most critical, as they are the ones not contained in a group of four subkeys, any one of which may be used in a given encipherment. Quadibloc VIII with one key augmentation step is to be called Quadibloc VIII A1, and with five key augmentation steps, the other standard number, Quadibloc VIII A5.
Modified Key Augmentation
With only 721 regular subkeys, including in the material modified by key augmentation the 1024 bytes contained in the two key-dependent S-boxes S10 and S11, the equivalent of 256 additional 32-bit subkeys, is not, in fact, impractical. A modified key augmentation step proceeds exactly as a regular key augmentation step, except that the buffer moved backwards by 160 subkeys now consists of the 721 subkeys K1 through K721, followed by the 256 entries of S-box S10, where each consecutive pair of (16-bit) entries forms one 32-bit subkey, the earlier entry being leftmost, followed by the 256 entries of S-box S11 in the same form: 977 subkeys in all. Seven key augmentation steps are now required to modify all the subkey material thus exposed to change, and this leads to the variant of Quadibloc VIII to be called Quadibloc VIII M7. (Alternating regular and modified key augmentation steps is possible; any pattern of the form aMMaaaaa, where M is a modified key augmentation step and a is either a regular or a modified one, will result in all the subkey material being fully modified.) Also, Quadibloc VIII M3 is sufficient to modify the fixed subkeys K1 through K144, the subkey K721, and all of S10 and S11. (Again, Quadibloc VIII A M2 would suffice for this as well.)
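The bookkeeping of a key augmentation step, as an added example that is not code from this page: the Quadibloc VIII cipher itself is not implemented here, so a placeholder function stands in for the ten 32-bit intermediate results of each round of the encryption of the fixed block. What the code does implement exactly as described is the XOR of ten values per round into successive subkeys starting at K145 and the backward rotation of the buffer by 160 positions, for both the regular (721-subkey) and the modified (977-subkey) buffer. A second routine follows the original index of every subkey through the steps, so the coverage claims above (five regular or seven modified steps to touch everything; K1 through K144 and K721 touched after one step) can be checked directly.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

ROUNDS = 16
RESULTS_PER_ROUND = 10                     # intermediate results kept per round
FIRST_TARGET = 145                         # the first subkey XORed (K145)
ROTATION = ROUNDS * RESULTS_PER_ROUND      # 160 subkeys touched, and rotated by 160
REGULAR = 721                              # K1..K721
MODIFIED = 721 + 128 + 128                 # plus S10 and S11 viewed as 32-bit subkeys


def touched_positions() -> range:
    """1-based subkey positions XORed during one step: K145 through K304."""
    return range(FIRST_TARGET, FIRST_TARGET + ROTATION)


def rotate_back(buf: List) -> List:
    """Move every entry 160 positions back; the former 1..160 wrap to the end."""
    return buf[ROTATION:] + buf[:ROTATION]


def placeholder_intermediates(round_no: int, buf: List[int]) -> List[int]:
    """Stand-in for the ten 32-bit intermediate results of one round of the
    encryption of 00FF0F0F333355550123456789ABCDEF (the cipher is not
    implemented here).  Derived deterministically from the round number and
    the current subkeys so that the bookkeeping can be exercised."""
    material = bytes([round_no]) + b"".join(k.to_bytes(4, "big") for k in buf)
    h = hashlib.sha256(material).digest()
    return [int.from_bytes(h[4 * i:4 * i + 4], "big") for i in range(RESULTS_PER_ROUND)]


def augmentation_step(subkeys: List[int],
                      intermediates: Callable[[int, List[int]], List[int]] = placeholder_intermediates
                      ) -> List[int]:
    """One key augmentation step over a buffer of 721 (regular) or 977
    (modified: S10 and S11 appended) 32-bit subkeys."""
    buf = list(subkeys)
    for r in range(ROUNDS):
        vals = intermediates(r + 1, buf)
        base = FIRST_TARGET - 1 + r * RESULTS_PER_ROUND
        for i, v in enumerate(vals):
            buf[base + i] ^= v & 0xFFFFFFFF
    return rotate_back(buf)


def trace(n_steps: int, n_subkeys: int = REGULAR) -> Tuple[List[int], Dict[int, int]]:
    """Follow the original subkey indices through n_steps steps.

    Returns (labels, counts): labels[i] is the original 1-based index of the
    subkey now at position i+1; counts[k] is how many times original subkey
    k has been XORed with an intermediate result."""
    labels = list(range(1, n_subkeys + 1))
    counts = {k: 0 for k in labels}
    for _ in range(n_steps):
        for pos in touched_positions():
            counts[labels[pos - 1]] += 1
        labels = rotate_back(labels)
    return labels, counts


def steps_to_cover(n_subkeys: int) -> int:
    """Smallest number of steps after which every subkey has been modified."""
    n = 0
    while min(trace(n, n_subkeys)[1].values()) == 0:
        n += 1
    return n


if __name__ == "__main__":
    print("regular buffer covered after", steps_to_cover(REGULAR), "steps")
    print("modified buffer covered after", steps_to_cover(MODIFIED), "steps")
```

Because the rotation is by exactly the number of subkeys touched, each step modifies a fresh window of 160 original subkeys; `steps_to_cover` simply counts how many windows are needed to wrap round the buffer.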
Key Revision
Because modifying the other portions of subkey material is not simple enough to be done during a process such as key augmentation, a further process of subkey modification is provided, called key revision. A key revision step, which is optional, may only be performed immediately following a key augmentation step. The 128-bit output of the block encipherment performed during that key augmentation step is used to form a key, which is then used as input to a slightly modified version of the normal initial key generation process for Quadibloc VIII. The key used as input for the modified key generation process is the following:

- For the first key revision step, the key is the 160-bit quantity consisting of the 128-bit block cipher output from the immediately preceding key augmentation step, followed by its first (leftmost) 32 bits repeated, unless the original key was 160 bits long, in which case the 128-bit block cipher output is used without being lengthened;
- For the second key revision step, the key is the 192-bit quantity consisting of the 128-bit block cipher output from the immediately preceding key augmentation step, followed by its first (leftmost) 64 bits repeated, unless the original key was 192 bits long, in which case the 128-bit block cipher output is used without being lengthened;
- For the third key revision step, the key is the 224-bit quantity consisting of the 128-bit block cipher output from the immediately preceding key augmentation step, followed by its first (leftmost) 96 bits repeated, unless the original key was 224 bits long, in which case the 128-bit block cipher output is used without being lengthened;
- For the fourth key revision step, the key is the 256-bit quantity consisting of two repetitions of the 128-bit block cipher output from the immediately preceding key augmentation step, unless the original key was 256 bits long, in which case the 128-bit block cipher output is used without being lengthened;
- For the fifth key revision step, the key is the 288-bit quantity consisting of two repetitions of the 128-bit block cipher output from the immediately preceding key augmentation step, followed by its first (leftmost) 32 bits repeated, unless the original key was 288 bits long, in which case the 128-bit block cipher output is used without being lengthened;

and so on: the key for the n-th key revision step is 128 + 32n bits long, formed by repeating the 128-bit output as often as needed. This ensures that, if multiple key revision steps are performed, each key revision step uses a key which differs in length both from the original key and from the keys used in all other key revision steps.

With this key, the procedure for initial Quadibloc VIII key generation is followed, except for these changes. Since a value for the S-box S8 now exists, the bytes generated by the subkey byte generator are additionally subjected to the following encipherment step before being used, and the bytes used begin with the one corresponding to the third byte of output from the original subkey byte generator. For each byte of output from the original subkey byte generator, the preceding two bytes of output are enciphered using a two-round Feistel cipher which uses S8 as the f-function. First, a counter, initialized at 1 and incrementing by 1, is XORed with the eldest byte, the result being used to index into S8, and the value found in S8 is XORed with the immediately preceding byte, modifying it. Then, a counter, initialized at 0 and incrementing by 1, except that the value 255 is skipped, is XORed with the immediately preceding byte, as modified, the result is used to index into S8, and the value found in S8 is XORed with the eldest byte, modifying it. The current byte is then used to produce the byte to be used in subkey generation as follows:

- It is replaced by its substitute from S8.
- The modified eldest byte is added to it, modulo 256.
- It is replaced by its substitute from S8.
- The modified immediately preceding byte is added to it, modulo 256.
- It is replaced by its substitute from S8.
This is as illustrated below:
Thus, the keystream is enciphered in essentially a simple form of CFB mode, except that the block cipher used is really a stream cipher, since its subkeys are continually changing. The subkey bytes thus generated are used to modify the existing key schedule, instead of to replace it, as follows:
- The first 1024 bytes generated are XORed with the contents of S10 and S11.
- A permutation called P is again produced from generator output.
- The next 2884 bytes generated are XORed with the bytes of the 721 32-bit subkeys.
- A permutation called Q is again produced from generator output.
- Six groups of eight bytes are calculated. These are XORed with the raw mask values, before 4-of-8 coding, left by either the original key schedule or the previous key revision step, and then subjected to 4-of-8 coding to provide the six 64-bit mask values M1 through M6.
- The permutations P and Q are then used to produce the new S8 permutation, S8'(x), from the previous one, S8(x), such that the following equation holds: S8'(Q(x)) = S8(P(x)). This can be done as follows: for each byte x from 0 to 255, use x as an index into P; use the result as an index into S8; store the result in the location within S8' found by using x as an index into Q.
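The two parts of key revision that are fully specified above, the filtering of the subkey byte stream through S8 and the rebuilding of S8 from P and Q, as an added example that is not code from this page. The original subkey byte generator and the way P and Q are derived from its output are not on this page, so both are stand-ins here: a seeded PRNG supplies a placeholder byte stream and placeholder permutations. The filter assumes that the first counter wraps modulo 256; the second runs over 0 to 254 because the value 255 is skipped.

```python
import random
from typing import Iterable, Iterator, List


def revision_filter(raw: Iterable[int], s8: List[int]) -> Iterator[int]:
    """Filter the subkey byte stream as key revision requires.

    Output begins with the byte corresponding to the third raw byte.  For
    each raw byte, the two raw bytes before it (eldest, prev) go through a
    two-round Feistel cipher keyed by S8 and two counters, and the results
    are folded into the current byte by three S8 lookups and two additions
    modulo 256.  Assumption: counter 1 wraps modulo 256; counter 2 runs
    0..254 since 255 is skipped."""
    raw = list(raw)
    c1, c2 = 1, 0
    for i in range(2, len(raw)):
        eldest, prev, cur = raw[i - 2], raw[i - 1], raw[i]
        prev ^= s8[c1 ^ eldest]        # round 1: modifies the preceding byte
        eldest ^= s8[c2 ^ prev]        # round 2: modifies the eldest byte
        c1 = (c1 + 1) & 0xFF
        c2 = (c2 + 1) % 255            # the value 255 is skipped
        cur = s8[cur]
        cur = s8[(cur + eldest) & 0xFF]
        cur = s8[(cur + prev) & 0xFF]
        yield cur


def revise_s8(s8: List[int], p: List[int], q: List[int]) -> List[int]:
    """Build S8' such that S8'(Q(x)) = S8(P(x)) for every x in 0..255."""
    new = [0] * 256
    for x in range(256):
        new[q[x]] = s8[p[x]]
    return new


def stand_in_permutation(seed: int) -> List[int]:
    """Placeholder for a permutation derived from generator output."""
    perm = list(range(256))
    random.Random(seed).shuffle(perm)
    return perm


def stand_in_generator(seed: int, n: int) -> List[int]:
    """Placeholder for the original subkey byte generator (not on this page)."""
    rng = random.Random(seed)
    return [rng.randrange(256) for _ in range(n)]


def is_permutation(box: List[int]) -> bool:
    return sorted(box) == list(range(256))


def demo() -> dict:
    """Run both parts on stand-in data and report what the text promises."""
    s8 = stand_in_permutation(8)
    p, q = stand_in_permutation(1), stand_in_permutation(2)
    s8_new = revise_s8(s8, p, q)
    filtered = list(revision_filter(stand_in_generator(42, 16), s8))
    return {
        "filtered_count": len(filtered),        # 16 raw bytes yield 14 outputs
        "s8_new_is_permutation": is_permutation(s8_new),
        "equation_holds": all(s8_new[q[x]] == s8[p[x]] for x in range(256)),
    }


if __name__ == "__main__":
    print(demo())
```

Since every step applied to the current byte is a bijection once the two preceding bytes are fixed, the filter never merges two distinct generator bytes into one output; and because P, Q and S8 are all permutations, S8' is again a permutation.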
Quadibloc VIII with one key augmentation step, followed by one key revision step, is to be called Quadibloc VIII A1 R; Quadibloc VIII with seven modified key augmentation steps, the last of which is followed by a key revision step, is to be called Quadibloc VIII M7 R; Quadibloc VIII with seven modified key augmentation steps, each of which is followed by a key revision step, is to be called Quadibloc VIII MR7. Quadibloc VIII with five key augmentation steps, the last of which is followed by a key revision step, is to be called Quadibloc VIII A5 R; Quadibloc VIII with five key augmentation steps, each of which is followed by a key revision step, is to be called Quadibloc VIII AR5. The key schedule of Quadibloc VIII A1 R should be entirely satisfactory; the more lengthy variants should not be required for security, although Quadibloc VIII M7 R has, at least, the argument in its favor that its key schedule tends towards that of Blowfish (which, of course, however, used only the result of a complete encipherment to modify subkeys, rather than intermediate results within each round).
Design Rationale
Quadibloc VIII was designed to be a strong cipher not only against attacks which are currently understood, but also to be likely to resist attacks which might be discovered in the future. It has been designed very conservatively; a full 16 rounds have been used, despite the fact that each round is considerably more elaborate than a single round in more conventional block ciphers: thus, its security does not depend on the merit of the somewhat unconventional measures I have included in the algorithm in the hope of achieving a very high level of security. Such things as medical records, or other information related to the personal privacy of individuals, may be required to remain confidential for 50 or even 100 years. Because the speed and power of computers have been increasing at a fast pace for some time, it is very difficult to make a firm prediction of how powerful computers might be at such a distant time. Although some fundamental physical limits, as well as physical laws which even limit the performance of quantum computers, do appear to imply that one can specify a key size that will leave one's messages forever immune to brute-force searching, it is even harder to predict what new and surprising discoveries may be made in the field of mathematics or in cryptanalysis that may allow attacks taking less time than a brute-force search (trying every possible key). Hence, I felt that it was justified to attempt to design a cipher which, while remaining constrained to some extent to operate within limits at least comparable with those of more conventional designs, was still aimed at providing a very high level of security, without attempting to justify the security aimed at as necessary. As with all the ciphers in the Quadibloc series, ease of implementation is another important consideration, and it is execution speed which has taken a back seat.

The most important step taken in the design of Quadibloc VIII to achieve the apparent potential for very high security was, in every round, to subject the 32-bit quarters of the block to two different transformations, making it variable which of those two transformations occurred first. As well, in one of those transformations, whether XOR or modulo-256 addition is used is variable. Because these choices depend on the key and on the data, an implementation that branches on them leaks the choice through its timing and its power consumption, creating a vulnerability to side-channel attacks on a device carrying out this algorithm. Carrying out both possible operations, the one used and the one not used, simultaneously (in hardware) or in a fixed order (in software), and then selecting the result without a branch, is a measure that could be used to avoid this.

To achieve greater resistance to differential and linear cryptanalysis, key-dependent S-boxes are used. With the contents of the S-boxes unknown, characteristics cannot be found for the f-function in the normal manner used for simple differential cryptanalysis. This increases the amount of memory required to carry out the algorithm, again limiting its usefulness. The multi-stage nature of the f-function, in addition to giving this cipher a strong avalanche characteristic, also improves resistance to differential and linear cryptanalysis. There are three basic ways in which weak keys could occur in the algorithm:
- A key could cause one or more of the four chain addition sequences used to generate subkey material to have a short period;
- The key-dependent S-box S8, or either of the key-dependent S-boxes S10 and S11, might, by accident, consist of bytes in an ordering that is, or that approaches, a linear or affine function of its input;
- The key-dependent S-boxes S10 and S11 might contain duplicate entries.

But I tend to view the threat from at least the second and third of these as negligible. With 16 rounds, and an f-function that has not one, but two SP stages based on fixed S-boxes, as well as the fact that there are two different groups of key-dependent S-boxes, both of which act on the entire block in every round, it should not be possible for an attacker to effectively exploit, or detect, a weakness in any one key-dependent S-box should it occur. Some of the individual steps in the algorithm can also be further examined:
Algorithmic Variability
In each round, the algorithm can take one of 16 shapes by the interchange of two transformations applied to the 32-bit quarters of the block. In addition, there are 16 possibilities of using either XOR or bytewise addition in one of those transformations. These 256 possibilities in each round are the product of four possibilities for the leftmost quarter of the block, which are key-dependent, and 64 possibilities for the remaining three quarters of the block, which are data-dependent. It might be suggested that more of the variability in the algorithm ought to be key-dependent, since in this way it could be said that only 2^32 different algorithms are used over the 16 rounds, and this number is susceptible to brute-force search, if there were some rapid way to solve the rest of the cipher. However, data-dependence does seem to be stronger than key-dependence, so this does not appear to be a strong objection. If one ignores the choice between four subkeys in various portions of the round, and the extra algorithmic variation caused by switching between addition and XOR, and only counts the sixteen possibilities in each round, for each of the four quarters of the block, of doing either of two 32-bit transformations first, then the key-dependent part of that involves only 2^16 possibilities over the 16 rounds. While it might be possible simply to ignore them, by trying an attack based on each possibility, as there are 2^48 possibilities for the data-dependent part of that, it would seem that a conventional differential attack (actually, that is a misnomer, as other aspects of the design would require some extension to the original techniques of differential cryptanalysis) would require one to compare known plaintext-ciphertext pairs in which the same one of the 2^48 possible algorithms was used. Of course, as long as a characteristic is strong enough that its chance of occurring by accident is less than one in 2^48, even this is not totally impossible, and the identity of the pairs in which it is seen would then provide additional information.
Byte Interchange
As noted in the description of the algorithm, after each round of Quadibloc VIII, except round 16, the 16 bytes of the block are rearranged from being in the order 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
to being in the order: 16 8 5 6 12 10 3 1 13 15 7 14 4 2 11 9
This particular rearrangement was carefully designed. It has the following properties:
- It is a cyclic permutation of the numbers from 1 to 16; hence, each byte of the block will be moved to each of the possible positions during the 16 rounds of the cipher.
- Each byte continuously alternates between being in the left and the right quarters of either half. That is, if a byte is in the left quarter of one half in one round, it will be in the right quarter of either the same half, or the other half, in the next round.
- The alternation between halves, if only odd-numbered rounds or only even-numbered rounds are considered (or, equivalently by the preceding property, only rounds where the byte is in the left quarter of its half, or only rounds where it is in the right quarter of its half), follows the pattern R L L R L R R L, or a cyclic permutation thereof.

Since the main feature of the cipher is a Feistel round within each half of the block, parts of the block alternate regularly between being on the left and right sides of the f-function, as in any normal Feistel cipher. An irregular pattern of alternation between the left and right halves of the block is used, so that in each round, bytes will be brought together in different combinations. Thus, let us consider byte 5, and where it appears in odd-numbered rounds only, when it is in the right quarter of its half, and thus on the receiving end of the f-function. The table below depicts, with the bytes identified by their positions in round 1, the input and output quarters of that f-function, both rotated by the same amount so that byte 5 appears first in the output quarter, so that we see what it looks like from the viewpoint of byte 5:

Round   Half    f-function input     f-function output
  1     left     1  2  3  4           5  6  7  8
  3     left    12 10  9  1           5 16 14 15
  5     right   12  1 10  3           5  6 15 16
  7     left     4  1  3 10           5  8  6 16
  9     right    3  2  1  4           5  6  8  7
 11     right   10 12  1  9           5 14 15 16
 13     left     1 12  3 10           5 15 16  6
 15     right    4 10  3  1           5  6  8 16
While this only brings the bytes together in four distinct possible configurations, although in different orders in each of the two times, that is still about as irregular as is possible, given that the only device available in this uniform and consistent permutation between rounds to bring different bytes together is dispatching them to the other half of the block for differing periods of time.

The following table gives, for each of the 16 positions in the block (one row per position), the byte occupying that position in each of the 16 rounds of Quadibloc VIII, bytes again being identified by their positions in round 1:

Position   Round:  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
   1               1 16  9 13  4  6 10 15 11  7  3  5 12 14  2  8
   2               2  8  1 16  9 13  4  6 10 15 11  7  3  5 12 14
   3               3  5 12 14  2  8  1 16  9 13  4  6 10 15 11  7
   4               4  6 10 15 11  7  3  5 12 14  2  8  1 16  9 13
   5               5 12 14  2  8  1 16  9 13  4  6 10 15 11  7  3
   6               6 10 15 11  7  3  5 12 14  2  8  1 16  9 13  4
   7               7  3  5 12 14  2  8  1 16  9 13  4  6 10 15 11
   8               8  1 16  9 13  4  6 10 15 11  7  3  5 12 14  2
   9               9 13  4  6 10 15 11  7  3  5 12 14  2  8  1 16
  10              10 15 11  7  3  5 12 14  2  8  1 16  9 13  4  6
  11              11  7  3  5 12 14  2  8  1 16  9 13  4  6 10 15
  12              12 14  2  8  1 16  9 13  4  6 10 15 11  7  3  5
  13              13  4  6 10 15 11  7  3  5 12 14  2  8  1 16  9
  14              14  2  8  1 16  9 13  4  6 10 15 11  7  3  5 12
  15              15 11  7  3  5 12 14  2  8  1 16  9 13  4  6 10
  16              16  9 13  4  6 10 15 11  7  3  5 12 14  2  8  1
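The three properties claimed for the byte interchange, checked mechanically, as an added example that is not code from this page. The only input is the rearrangement listed above; from it the code derives each byte's trajectory through the 16 rounds, confirms that the permutation is a single 16-cycle, that every byte alternates between left and right quarters, and that its half-to-half movement over the odd (or even) rounds is a rotation of R L L R L R R L, and it regenerates both tables above (the position-by-round table and the view from byte 5).

```python
from typing import List, Tuple

# After each round, the block "1 2 ... 16" is rearranged into this order.
NEW_ORDER = [16, 8, 5, 6, 12, 10, 3, 1, 13, 15, 7, 14, 4, 2, 11, 9]
ROUNDS = 16
HALF_PATTERN = "RLLRLRRL"


def next_position(pos: int) -> int:
    """Position (1-based) that the byte now at `pos` moves to."""
    return NEW_ORDER.index(pos) + 1


def trajectory(byte: int) -> List[int]:
    """Positions occupied in rounds 1..16 by the byte at position `byte` in round 1."""
    path = [byte]
    for _ in range(ROUNDS - 1):
        path.append(next_position(path[-1]))
    return path


def occupancy_table() -> List[List[int]]:
    """table[p-1][r-1]: the byte (by round-1 position) at position p in round r."""
    table = [[0] * ROUNDS for _ in range(16)]
    for b in range(1, 17):
        for r, pos in enumerate(trajectory(b)):
            table[pos - 1][r] = b
    return table


def cycle_length() -> int:
    """Length of the cycle through position 1; 16 means one full cycle."""
    pos, n = next_position(1), 1
    while pos != 1:
        pos, n = next_position(pos), n + 1
    return n


def in_left_quarter(pos: int) -> bool:
    return (pos - 1) % 8 < 4              # positions 1-4 and 9-12


def half_of(pos: int) -> str:
    return "L" if pos <= 8 else "R"


def alternates_quarters(byte: int) -> bool:
    path = trajectory(byte)
    return all(in_left_quarter(a) != in_left_quarter(b) for a, b in zip(path, path[1:]))


def half_pattern(byte: int, odd_rounds: bool = True) -> str:
    """Halves visited in the odd-numbered (or even-numbered) rounds only."""
    return "".join(half_of(p) for p in trajectory(byte)[0 if odd_rounds else 1::2])


def is_rotation(s: str, pattern: str) -> bool:
    return len(s) == len(pattern) and s in pattern + pattern


def ffunction_view(byte: int) -> List[Tuple[int, str, List[int], List[int]]]:
    """For the odd rounds in which `byte` sits in the right quarter of its
    half: (round, half, f-function input quarter, output quarter), both
    quarters rotated so that `byte` comes first in the output quarter."""
    table = occupancy_table()
    views = []
    for r, pos in enumerate(trajectory(byte)):
        if r % 2 or in_left_quarter(pos):
            continue
        base = 0 if pos <= 8 else 8
        inp = [table[base + i][r] for i in range(4)]
        out = [table[base + 4 + i][r] for i in range(4)]
        k = out.index(byte)
        views.append((r + 1, half_of(pos), inp[k:] + inp[:k], out[k:] + out[:k]))
    return views


if __name__ == "__main__":
    print("single cycle:", cycle_length() == 16)
    print("quarters alternate:", all(alternates_quarters(b) for b in range(1, 17)))
    for view in ffunction_view(5):
        print(view)
```

Because the permutation is one 16-cycle, every byte's trajectory is a rotation of the same sequence, which is why the three properties only need to be verified once and hold for all 16 bytes.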
Mixing and Whitening
In addition to complicating analysis by swapping the two basic operations of a two-round Feistel cipher between 16-bit subblocks and a pair of two-round Feistel ciphers between 8-bit bytes, the mixing and whitening phase of the cipher is designed to ensure that, without knowledge of the key, it is not possible to determine the path of a single bit through the cipher. But does this provide blanket protection against differential and linear cryptanalysis? No, I cannot claim that. But because differential and linear cryptanalysis attacks are often only small improvements on brute-force cryptanalysis, even making them only slightly more difficult is worthwhile. The example given in David Kahn's book The Codebreakers of an amateur cipher that might be wrongly claimed unbreakable may indicate the danger here: it was a form of fractionation, where letters were translated to pairs of digits from 1 to 5 by a Polybius square, and then back to letters after a single digit of padding is added to the beginning. It might be thought impregnable, because nothing is left for the cryptanalyst to grasp. Yet a Playfair cipher in its most common case consists of switching the column coordinates of a pair of letters, so it can be seen that this cipher is actually similar in difficulty. If we consider a block cipher with a strong differential characteristic, and then precede and follow it by ICE-style bit swaps, but without the small-scale Feistel rounds also used in Quadibloc VIII, a differential cryptanalysis attack can still be mounted. If blocks that are identical, except for bit 21 being inverted, on input lead to a particular difference between output blocks that is more likely, then with bit swaps before and after, simply use pairs of blocks that differ only in one bit, but with all possible bits that could be swapped to position 21.

The output result would also be jumbled, but the fact that a difference between pairs of output blocks would be the same, even if its shape could not be predicted, would show that the fact about the key indicated by the characteristic was likely to be true. And, of course, the way in which the characteristic was jumbled would give information about the swap used, which gives additional information about the subkeys. The use of a MacLaren-Marsaglia construct as the basis for subkey generation, however, makes it difficult to use one or more subkeys as a basis to deduce information about other subkeys.

It should also be noted that the primary design goal of the mixing and whitening phase was to ensure uncertainty about which portion of the algorithm any particular bit would be subjected to, not to provide diffusion, since the conventional rounds provide strong diffusion themselves. After the first bit swap and mini-Feistel layer, the 16 bytes of the block can be thought of as divided into the following eight independent groups:

1 1 2 2 3 3 4 4 5 5 6 6 7 7 8 8

After the second bit swap and mini-Feistel layer, the number of groups decreases to four:

1 1 2 2 3 3 4 4 1 1 2 2 3 3 4 4

and after the third layer, to two:

1 1 2 2 1 1 2 2 1 1 2 2 1 1 2 2

so two groups of 64 bits go through this phase without in any way affecting each other. Since the normal rounds deal with the block in four quarters, the last two bit swaps are sufficient to place an input bit in any part of the normal round; the first bit swap creates a corresponding uncertainty for the mini-Feistel rounds in the mixing and whitening phase itself.
The Key Schedule
Because I aimed at a high level of security for Quadibloc VIII, I tried to ensure that the key schedule was strong. Yet I still wanted to keep the process of key generation relatively simple. Thus, from the key, I first produced initial values for four simple shift registers of different lengths. Although there is no guarantee that chain addition will produce a maximal period, the amount of subkey material to be generated, while large, is still limited. As can be seen from the description of the key schedule, measures were taken to ensure that even with an all-zero key, no shift register would start out with all-zero contents, or contents uniform in other ways. By using the XOR of the output of two MacLaren-Marsaglia generators, I hoped to make it difficult to use the subkeys to draw any useful conclusions about the shift register contents, and hence about other subkeys. Using four shift registers, and alternating their roles, also helps to limit the consequences if, for some key, one of the shift registers begins producing a sequence of poor quality. However, the key augmentation and key revision phases were added to provide a key schedule that should be completely safe.
Quadibloc IX
Quadibloc IX is a block cipher that obtains its security through the principle of indirection. It has only four rounds. However, each round involves performing a form of the basic Quadibloc f-function ten times. Hence, the f-function is represented in a schematic form: a box, bearing on it the numbers of the two S-boxes used within it, from the standard Quadibloc set (note that the two boxes are applied unequally to the four bytes, so as to avoid a symmetry involving rotating each 32-bit subblock by an integer number of bytes), has an input and an output, and in addition three subkeys as input and two intermediate results as output. Note also that the key-dependent S-box is designated here as S9, since the first eight of the standard Quadibloc S-boxes are used. This compact schematic notation allows the Quadibloc IX round to be illustrated in a compact fashion, and the round, in essence, is composed of the following elements:

- The first and second 32-bit subblocks of the 128-bit block are enciphered by means of two Feistel rounds involving the version of the Quadibloc f-function used here.
- The four intermediate results produced during this encipherment are enciphered in two pairs by means of two Feistel rounds with the same f-function.
- The result of this encipherment is used as the source of the subkeys for an encipherment of two subkeys as a 64-bit block through two Feistel rounds. Additionally, two of the subkeys used are derived from intermediate results produced during this encipherment; this is shown in a dark green color in the diagram above.
- The following three items are used as the subkeys for each f-function in an encipherment, by two Feistel rounds, of the third and fourth 32-bit subblocks of the 128-bit block:
  - the results of the previous encipherment;
  - as shown in a light blue color in the diagram above, so that the principal part of the round is more clearly visible, additional intermediate results from the encipherment which produced that encipherment's subkeys, as well as intermediate results from the previous encipherment, combined by XOR;
  - one of two fixed subkeys.

After each round except the last, the 64-bit halves of the block are swapped. Since each round contains two Feistel rounds for each half of the block, four such rounds involve only eight Feistel rounds, but the f-function is of the SPSPS type instead of the SP type. The number of rounds, therefore, might be barely enough to provide a degree of security even without considering the cipher's main feature. Because the intermediate results from the left half are first enciphered, and then used as subkeys for encipherment, it is difficult to work backwards from known plaintext and ciphertext for a single round to determine the subkeys for the round. The use of a key-dependent S-box further frustrates differential cryptanalysis and related techniques. The key material used in this cipher consists of 88 subkeys, each 32 bits long, and one S-box containing the 256 bytes from 0 to 255 in a scrambled order. In the detailed description of the cipher which follows, should there be any appearance of ambiguity, please remember that I consistently use big-endian conventions; that is, the most significant bit or byte of a word is always the first one, the leftmost one, and the one with the lowest number.
The f-function

The f-function used here is essentially as illustrated for Quadibloc VIII.

- First, the 32-bit input is XORed with the first 32-bit subkey.
- Then, the first three bytes of the result are replaced by their equivalents in the first of the two S-boxes selected for this f-function from among those described in the section Euler's Constant and the Quadibloc S-Boxes, which, for this cipher, may be S-box 1, 3, 5, or 7, and the fourth byte of the result is replaced by its equivalent in the S-box following that one in the standard set (S-box 2, 4, 6, or 8 respectively).
- Then, the bits of the result of the substitution are transposed, from the order 1, 2, 3, ... 32 to the order

1 2 27 28 21 22 15 16 9 10 3 4 29 30 23 24 17 18 11 12 5 6 31 32 25 26 19 20 13 14 7 8

- The current value constitutes the first intermediate result generated by the f-function.
- Now, the 32-bit value is XORed with the second 32-bit subkey.
- The four bytes of the result are replaced by their equivalents in the S-boxes used before, but this time only the first byte is replaced by its equivalent in the first of those S-boxes, and the last three bytes are replaced by their equivalents in the second S-box.
- The bits undergo the same transposition as before.
- The current result is now the second intermediate result available from this f-function.
- The 32-bit value is now XORed with the third 32-bit subkey used with this f-function.
- The four bytes of the result are replaced by their equivalents in the key-dependent S-box, which for Quadibloc IX is designated S-box 9.
- The result is now the output from the f-function.
The Round in Detail

A round of Quadibloc IX encipherment consists of the following steps:

- The first quarter of the block is used as input to an f-function using S-boxes 1 and 2, with subkeys which are subkeys 1, 5, and 9 in the first round, and which increase in number by 1 in each subsequent round (as do all subkeys used in a round of Quadibloc IX). The two intermediate results produced shall be designated D and C. The output of the f-function is XORed to the second quarter of the block, permanently modifying it.
- The second quarter of the block is used as input to an f-function using S-boxes 1 and 2, with subkeys which are subkeys 13, 17, and 21 in the first round, and so on. The two intermediate results produced shall be designated B and A. The output of the f-function is XORed to the first quarter of the block, permanently modifying it.
- Intermediate results B and C shall form one 64-bit block, and intermediate results D and A shall form a second 64-bit block, each of which shall be enciphered by means of two Feistel rounds, proceeding as follows:
  - B is used as input to an f-function using S-boxes 3 and 4, with subkeys 37, 41, and 45 in the first round. The two intermediate results produced will be designated E and U. The output of the f-function is XORed to C, permanently modifying it.
  - C is used as input to an f-function using S-boxes 3 and 4, with subkeys 61, 65, and 69 in the first round. The two intermediate results produced will be designated G and W. The output of the f-function is XORed to B, permanently modifying it.
  - The following two Feistel rounds proceed independently from the two previously described.
  - D is used as input to an f-function using S-boxes 3 and 4, with subkeys 25, 29, and 33 in the first round. The two intermediate results produced will be designated F and V. The output of the f-function is XORed to A, permanently modifying it.
  - A is used as input to an f-function using S-boxes 3 and 4, with subkeys 49, 53, and 57 in the first round. The two intermediate results produced will be designated H and X. The output of the f-function is XORed to D, permanently modifying it.
- Two subkeys, subkeys 73 and 77 in the first round, shall form one 64-bit block, and this block will be enciphered by means of two Feistel rounds, as follows:
  - The left half of the block formed by the two subkeys shall be used as input to an f-function using S-boxes 5 and 6. The subkeys used as input to this f-function shall be, in order:
    - A, as modified by the preceding step in which A, B, C, and D were enciphered;
    - the XOR of intermediate results F and G from the preceding step;
    - C, as modified by the preceding step.
  - The two intermediate results produced will be designated P and R. The output of the f-function will be XORed to the right half of the block formed by the two subkeys, permanently modifying it. (That is, the right half of the block is permanently modified for the remainder of the round computation in which it is used. The subkey itself is not modified for subsequent encipherments, as this is a block cipher, containing no state which is preserved between encipherments, other than that which is wholly dependent on the key alone.)
  - The right half of the block formed by the two subkeys shall be used as input to an f-function using S-boxes 5 and 6. The subkeys used as input to this f-function shall be, in order:
    - D, as modified by the preceding step;
    - the XOR of intermediate results E and H from the preceding step;
    - B, as modified by the preceding step.
  - The two intermediate results produced will be designated Q and S. The output of the f-function will be XORed to the left half of the block formed by the two subkeys, permanently modifying it.
- The third quarter of the block is used as input to an f-function using S-boxes 7 and 8. The subkeys used as input to this f-function shall be, in order:
  - the right half of the block formed from subkeys 73 and 77, as enciphered by the preceding step;
  - a 32-bit subkey, which is subkey 81 in the first round;
  - the XOR of the following four intermediate results from the preceding step and the step which preceded it: X, U, P, S.
  The intermediate results are not used. The output of the f-function is XORed to the fourth quarter of the block, permanently modifying it.
- The fourth quarter of the block is used as input to an f-function using S-boxes 7 and 8. The subkeys used as input to this f-function shall be, in order:
  - the left half of the block formed from subkeys 73 and 77, as enciphered by the preceding step;
  - a 32-bit subkey, which is subkey 85 in the first round;
  - the XOR of the following four intermediate results from the preceding step and the step which preceded it: W, V, Q, R.
  The intermediate results are not used. The output of the f-function is XORed to the third quarter of the block, permanently modifying it.

After each round (except the last, as noted above), the halves of the block, the first half being composed of the first and second 32-bit quarters of the block, and the second half being composed of the third and fourth 32-bit quarters of the block, are swapped.
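The Quadibloc IX f-function as described in the previous section, and the pair of Feistel rounds on the first two quarters of the block that opens each round, as an added example that is not code from this page. The fixed Quadibloc S-boxes derived from Euler's constant and the key-dependent S9 are not given here, so the block generates stand-in byte permutations from a seeded PRNG, and the subkey values are arbitrary test values. What follows the text exactly is the SP-SP-S structure, the big-endian byte order, the unequal split of bytes between the two fixed S-boxes in each layer, the 32-bit bit transposition, the two exposed intermediate results, and the order in which the two f-function outputs are XORed into the quarters. An inverse of the Feistel pair is included to show that the construction is invertible without ever inverting the f-function.

```python
import random
from typing import List, Tuple

# Output bit i (i = 1 is the most significant) takes input bit BIT_ORDER[i-1].
BIT_ORDER = [1, 2, 27, 28, 21, 22, 15, 16, 9, 10, 3, 4, 29, 30, 23, 24,
             17, 18, 11, 12, 5, 6, 31, 32, 25, 26, 19, 20, 13, 14, 7, 8]
MASK32 = 0xFFFFFFFF


def stand_in_sbox(seed: int) -> List[int]:
    """Placeholder for an 8-bit S-box: a seeded random byte permutation.
    (The real Quadibloc S-boxes and S9 are not given on this page.)"""
    box = list(range(256))
    random.Random(seed).shuffle(box)
    return box


def transpose(word: int) -> int:
    """The fixed 32-bit bit transposition, bit 1 being the MSB."""
    out = 0
    for i, src in enumerate(BIT_ORDER):
        out |= ((word >> (32 - src)) & 1) << (31 - i)
    return out


def substitute(word: int, boxes: List[List[int]]) -> int:
    """Replace the four big-endian bytes of word using boxes[0..3]."""
    out = 0
    for k in range(4):
        shift = 24 - 8 * k
        out |= boxes[k][(word >> shift) & 0xFF] << shift
    return out


def f_function(x: int, subkeys: Tuple[int, int, int], s_a: List[int],
               s_b: List[int], s9: List[int]) -> Tuple[int, int, int]:
    """SP-SP-S: returns (output, first intermediate, second intermediate)."""
    k1, k2, k3 = subkeys
    inter1 = transpose(substitute((x ^ k1) & MASK32, [s_a, s_a, s_a, s_b]))
    inter2 = transpose(substitute(inter1 ^ k2, [s_a, s_b, s_b, s_b]))
    out = substitute(inter2 ^ k3, [s9, s9, s9, s9])
    return out, inter1, inter2


def feistel_pair(q1, q2, keys_a, keys_b, s_a, s_b, s9):
    """Two Feistel rounds on a pair of 32-bit quarters, as at the start of a
    Quadibloc IX round: f(q1) into q2, then f(q2) into q1.  Returns the new
    pair and the intermediates (D, C, B, A) the rest of the round uses."""
    out1, d, c = f_function(q1, keys_a, s_a, s_b, s9)
    q2 ^= out1
    out2, b, a = f_function(q2, keys_b, s_a, s_b, s9)
    q1 ^= out2
    return q1, q2, (d, c, b, a)


def feistel_pair_inverse(q1, q2, keys_a, keys_b, s_a, s_b, s9):
    """Undo feistel_pair; the f-function itself is never inverted."""
    q1 ^= f_function(q2, keys_b, s_a, s_b, s9)[0]
    q2 ^= f_function(q1, keys_a, s_a, s_b, s9)[0]
    return q1, q2


# Stand-in boxes and arbitrary subkey values for a self-contained run.
S1, S2, S9 = stand_in_sbox(1), stand_in_sbox(2), stand_in_sbox(9)
KEYS_A = (0x01234567, 0x89ABCDEF, 0xDEADBEEF)   # subkeys 1, 5, 9 (test values)
KEYS_B = (0xF00DCAFE, 0x13579BDF, 0x2468ACE0)   # subkeys 13, 17, 21 (test values)


def demo_roundtrip(q1: int = 0x00112233, q2: int = 0x44556677) -> bool:
    """Encipher a pair of quarters and check that the inverse restores them."""
    e1, e2, _ = feistel_pair(q1, q2, KEYS_A, KEYS_B, S1, S2, S9)
    return feistel_pair_inverse(e1, e2, KEYS_A, KEYS_B, S1, S2, S9) == (q1, q2)


if __name__ == "__main__":
    print("round trip ok:", demo_roundtrip())
```

Since every layer of the f-function (subkey XOR, byte substitution through permutations, bit transposition) is a bijection on 32 bits, the f-function is itself a bijection; the Feistel construction does not rely on that, but it is what makes the two intermediate results as informative to the rest of the round as the output.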
The Key Schedule
As noted, this block cipher uses 88 subkeys, each one 32 bits long, numbered from 1 to 88, and one 256-byte key-dependent S-box designated S9. The key must be a multiple of 16 bits in length.

Two strings of bytes will be produced from the key. If the length of the key is a multiple of 32 bits, let that multiple be N, so that the key is 4*N bytes in length. In that case, the first string shall be 14*N-1 bytes in length, and the second string shall be 14*N+1 bytes in length. If the length of the key is an odd multiple of 16 bits, let that multiple be M, so that the key is 2*M bytes in length. In that case, the first string shall be 7*M-2 bytes in length, and the second string shall be 7*M bytes in length. In other words, the second string shall initially be three and one half times as long as the key, and the first string one byte shorter than the second string; then, if the number of bytes in the first string is even, it shall be shortened by one byte, but if instead the number of bytes in the second string is even, the second string shall be lengthened by one byte. (Either way, both lengths end up odd and differ by two, so they are relatively prime.)

The first string shall be filled with repetitions of the following material, up to its length: the key itself, followed by a single byte containing the one's complement of the XOR of all the bytes of the key together. The second string shall be filled with repetitions of the following material, up to its length: the one's complement of the key, followed by the bytes of the key in reverse order.

The 88 subkeys, each four bytes in length, shall be formed in order, one byte at a time, starting with the most significant and leftmost byte of the first subkey. Each string will be called upon to produce output bytes by the process of chain addition. A chain addition step consists of calculating the sum, modulo 256, of the last two bytes in the string. This sum shall be the output byte from the step. The string will then be modified as follows: the last byte of the string shall be removed, and the output byte shall be appended to the string before the first byte, with the result that the bytes in the string advance one position.

Each string has associated with it a 256-byte buffer. Before beginning to generate subkey material, each string shall generate 256 bytes, and these bytes will be placed in the cells of this buffer, beginning with cell 0 and ending with cell 255. Producing a byte of subkey material proceeds as follows:

- The first string will generate a byte, which shall be called A.
- The second string will generate a byte, which shall be called B.
- The contents of cell B of the buffer associated with the first string shall be called X, and then cell B of that buffer will have the value A stored in it.
- The first string will generate a byte, which shall be called C.
- The second string will generate a byte, which shall be called D.
- The contents of cell C of the buffer associated with the second string shall be called Y, and then cell C of that buffer will have the value D stored in it.
- The XOR of X and Y shall constitute the byte of subkey material generated.
An additional 256 bytes of subkey material shall be generated after all the required subkeys are generated. This subkey material, along with the buffers associated with the two strings, shall be used to generate the key-dependent S-box S9 as follows:

- Let the extra 256 bytes of subkey material be kept in an array designated P, and the 256-byte buffers associated with the first and second strings be designated Q and R respectively. In addition, initialize a 256-byte buffer S with zeroes. A buffer designated T will also be used, which may contain the value -1 in its cells in addition to the numbers from 0 to 255. As well, there will be two buffers of unsigned 16-bit quantities, called QQ and RR.
- For each number from 0 to 255 in order, called c (for counter): consider the element of P indicated by that number, and call it x; that is, set x to be P(c). If S(x) is zero, set S(x) to be 1, and set T(c) to be x. If S(x) is not zero, set T(c) to be -1.
- Count the elements of S that are equal to zero. If none are, then skip the next step. If exactly one is, then exactly one element of T will be -1; set that element to the index of the zero element of S, and skip the next step. Otherwise, continue.
- Scan the arrays S and T from beginning to end, independently. Look for zero elements in S, and the value -1 in T. When one of these is found in one array, wait for the corresponding item in the other array. Then replace the value -1 in T by the index of the zero element in S. (The number of -1 entries in T equals the number of zero entries in S, since each is 256 less the number of distinct values in P.) Once this step is complete, the array T will contain one copy of every value from 0 to 255.
- Fill the array QQ with 16-bit quantities consisting of the element of the array Q at the same index times 256, plus the index. Fill the array RR with 16-bit quantities consisting of the element of R at the same index times 256, plus the index.
- Sort arrays QQ and RR.
- AND each element of QQ and RR with 255, masking out all but the least significant byte of each element. (Each of QQ and RR is now a permutation of 0 to 255: the indices, ordered by the values of Q or R with ties broken by index.)
- For each number from 0 to 255 in order, called c, perform the following calculation: set element RR(c) of P to element QQ(c) of T; that is, P(RR(c))=T(QQ(c)).
- The contents of array P are to be used as S-box S9.
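The key schedule just described, as an added worked example in Python (this is not the author's code): it builds the two strings, runs the chain-addition generator with its two 256-byte buffers, produces the 88 subkeys, and derives S9 from the extra 256 bytes and the two buffers. The 16-byte sample key is constructed for the demonstration and the helper names are my own.

```python
# Quadibloc IX key schedule as specified above: two chain-addition strings,
# two 256-byte buffers, 88 subkeys and the key-dependent S-box S9.
# Added example, not the author's code; the sample key is constructed.
from collections import deque


def chain_add(s):
    """One chain-addition step on a deque: output the sum (mod 256) of the
    last two bytes, drop the last byte and push the sum onto the front."""
    out = (s[-1] + s[-2]) % 256
    s.pop()
    s.appendleft(out)
    return out


def string_lengths(key_len):
    """Lengths of the first and second strings for a key of key_len bytes."""
    if key_len % 2:
        raise ValueError("key must be a multiple of 16 bits")
    second = 7 * key_len // 2          # three and one half times the key
    first = second - 1
    if first % 2 == 0:                 # odd multiple of 16 bits: 7M-2, 7M
        first -= 1
    elif second % 2 == 0:              # multiple of 32 bits: 14N-1, 14N+1
        second += 1
    return first, second


def fill(pattern, n):
    return deque(pattern[i % len(pattern)] for i in range(n))


def make_strings(key):
    first_len, second_len = string_lengths(len(key))
    parity = 0
    for b in key:
        parity ^= b
    pat1 = list(key) + [parity ^ 0xFF]                 # key, then ~xor(key)
    pat2 = [b ^ 0xFF for b in key] + list(key[::-1])   # ~key, then reversed key
    return fill(pat1, first_len), fill(pat2, second_len)


def make_s9(p, q, r):
    """Turn the 256 extra bytes P and the buffers Q, R into a permutation."""
    s = [0] * 256
    t = [-1] * 256
    for c in range(256):
        x = p[c]
        if s[x] == 0:
            s[x] = 1
            t[c] = x
    unused = iter(i for i in range(256) if s[i] == 0)   # zero cells of S, in order
    for c in range(256):
        if t[c] == -1:
            t[c] = next(unused)
    # QQ and RR: indices ordered by buffer value, ties broken by index
    qq = [v & 255 for v in sorted(q[i] * 256 + i for i in range(256))]
    rr = [v & 255 for v in sorted(r[i] * 256 + i for i in range(256))]
    out = [0] * 256
    for c in range(256):
        out[rr[c]] = t[qq[c]]
    return out


def key_schedule(key):
    """Return (88 subkeys as 32-bit ints, S-box S9) for the given key bytes."""
    s1, s2 = make_strings(key)
    buf1 = [chain_add(s1) for _ in range(256)]
    buf2 = [chain_add(s2) for _ in range(256)]

    def next_byte():
        a = chain_add(s1)
        b = chain_add(s2)
        x, buf1[b] = buf1[b], a
        c = chain_add(s1)
        d = chain_add(s2)
        y, buf2[c] = buf2[c], d
        return x ^ y

    material = [next_byte() for _ in range(88 * 4)]
    subkeys = [int.from_bytes(bytes(material[4 * i:4 * i + 4]), "big")
               for i in range(88)]
    extra = [next_byte() for _ in range(256)]
    return subkeys, make_s9(extra, buf1, buf2)


if __name__ == "__main__":
    demo_key = bytes(range(16))                      # constructed sample key
    subkeys, s9 = key_schedule(demo_key)
    print("first subkeys:", [hex(k) for k in subkeys[:4]])
    print("S9 is a permutation:", sorted(s9) == list(range(256)))
```

The S9 construction is worth checking in isolation: with P already a permutation and flat buffers it must return P unchanged, and a buffer that sorts in reverse order must reverse the table, which is what the assertions on make_s9 below verify.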
Decipherment
To decipher a block encrypted in Quadibloc IX, it is necessary to modify the round as well as to perform the four rounds in reverse order. The modified round for decryption performs the two Feistel rounds acting on the first and second quarters of the block, and the two Feistel rounds acting on the third and fourth quarters of the block, in reverse order in each case, while retaining all designations of subkeys used and intermediate values output.
Quadibloc X
The block cipher Quadibloc X operates on a 128-bit block divided into four 32-bit subblocks. All four subblocks are modified in each round, and three different types of cipher step are used to modify the various subblocks.
Overview of the Quadibloc X Round
The leftmost subblock is modified directly in one piece, using a method somewhat reminiscent of SAFER. Two subrounds of this method are applied to it during each round of Quadibloc X. The intermediate value of that subblock between the two subrounds is used as a master nonlinear control input for the cipher steps applied to the remaining subblocks. Because the number of these subrounds is even, the interchange of the two middle bytes of the subblock within a subround does not interfere with the swap of 16-bit subblock segments between Quadibloc X rounds.

The two middle subblocks are modified by means of Feistel rounds using the Quadibloc f-function. Three Feistel rounds are applied. Because the number of these rounds is odd, the swap of 16-bit subblock segments between Quadibloc X rounds is simplified, since each Quadibloc X round can be treated as a single Feistel round.

The rightmost subblock is modified through both XOR and addition of intermediate results of the Feistel rounds applied to the middle two subblocks. Between each application of an intermediate result, a substitution is performed of a type chosen so that this modification of the subblock approximates decorrelation. Four intermediate results are used, and the operations are, in order, XOR, bytewise addition modulo 256, bytewise addition modulo 256, and XOR.

Between each pair of Quadibloc X rounds, the 128-bit block is considered to be divided into eight 16-bit subblock segments, and these are permuted from the order 1 2 3 4 5 6 7 8 to the order 7 4 1 6 3 8 5 2, so that the left half of each subblock moves to the subblock one place to its right (wrapping around), and the right half of each subblock moves to the subblock one place to its left.
The Leftmost Subround Type
The subround applied to the leftmost subblock twice in a Quadibloc X round is illustrated below:
- First, in the modification step, the subblock is XORed with a 32-bit subkey.
- Then, in a substitution step, the bytes of the subblock are replaced with their equivalents in either S-box S5 (from the set generated from Euler's constant and used with other Quadibloc ciphers) or S-box S10 (to be described in the section concerning the transformation applied to the rightmost subblock, and chosen to produce decorrelation). The S-boxes are used in the order S5, S10, S5, S10.
- Third, in another modification step, the individual bytes of another 32-bit subkey are added to the individual bytes of the subblock modulo 256.
- Then, the four bytes of the block operate on each other in the unification step.
  - First, each pair of bytes enters into two mini-Feistel rounds, using the key-dependent S-box S8 as the f-function. The left byte is used as the index into S8, and the result is added to the right byte modulo 256. Then, the right byte is used as the index into S8, and the result is XORed with the left byte.
  - Then, of the four bytes, the two middle ones are swapped.
  - Third, each pair of bytes again goes through two mini-Feistel rounds; this time, the operations used are first XOR and then subtraction modulo 256.
- Fifth, in another modification step, the individual bytes of another 32-bit subkey are added to the individual bytes of the subblock modulo 256.
- Another substitution step is used, this time using S-box S5 and S-box S11 in the order S11, S11, S5, S5. Because of the byte swap in the middle of the unification step, bytes that went through S10 before now go through S5, and bytes that went through S5 before now go through S11, so each byte goes once through a 'random' S-box and once through a 'decorrelative' S-box.
- Finally, a 32-bit subkey is XORed with the subblock in the last modification step.
Two such subrounds are performed on the leftmost subblock in each round of Quadibloc X, and the value of the leftmost subblock between those two subrounds is used as the nonlinear control word for the remaining part of the round.
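The subround above together with its inverse, as an added example (not the author's code). It shows the unification step being undone by reversing the mini-Feistel rounds with subtraction in place of addition and the S-boxes replaced by their inverses, which is the deciphering recipe given at the end of this section. S5 and S8 are not listed on this page and S10/S11 are only reproduced later, so all four S-boxes here are stand-in permutations derived from a fixed seed (an assumption, marked in the code); the subkeys and blocks are constructed.

```python
# The leftmost subround of Quadibloc X and its inverse. Added example, not
# the author's code. ASSUMPTION: S5, S8, S10 and S11 are stand-in random
# permutations (the real S5/S8 are not on this page); the round structure,
# not the table contents, is what this demonstrates.
import random


def _stand_in_box(seed):
    box = list(range(256))
    random.Random(seed).shuffle(box)
    return box


def invert(box):
    inv = [0] * 256
    for i, v in enumerate(box):
        inv[v] = i
    return inv


S5, S8, S10, S11 = (_stand_in_box(n) for n in (5, 8, 10, 11))
SUB1 = (S5, S10, S5, S10)                # first substitution step
SUB2 = (S11, S11, S5, S5)                # second substitution step
INV1 = tuple(invert(b) for b in SUB1)
INV2 = tuple(invert(b) for b in SUB2)


def _unify(x):
    """Unification step: two mini-Feistel rounds per byte pair (add, then
    XOR), swap of the two middle bytes, two more rounds (XOR, then subtract)."""
    for i in (0, 2):
        x[i + 1] = (x[i + 1] + S8[x[i]]) & 255
        x[i] ^= S8[x[i + 1]]
    x[1], x[2] = x[2], x[1]
    for i in (0, 2):
        x[i + 1] ^= S8[x[i]]
        x[i] = (x[i] - S8[x[i + 1]]) & 255


def _unify_inverse(x):
    for i in (0, 2):                      # undo XOR-then-subtract
        x[i] = (x[i] + S8[x[i + 1]]) & 255
        x[i + 1] ^= S8[x[i]]
    x[1], x[2] = x[2], x[1]
    for i in (0, 2):                      # undo add-then-XOR
        x[i] ^= S8[x[i + 1]]
        x[i + 1] = (x[i + 1] - S8[x[i]]) & 255


def subround(block, k1, k2, k3, k4):
    """Encipher one 4-byte subblock with four 4-byte subkeys."""
    x = [b ^ k for b, k in zip(block, k1)]
    x = [SUB1[i][x[i]] for i in range(4)]
    x = [(x[i] + k2[i]) & 255 for i in range(4)]
    _unify(x)
    x = [(x[i] + k3[i]) & 255 for i in range(4)]
    x = [SUB2[i][x[i]] for i in range(4)]
    return bytes(b ^ k for b, k in zip(x, k4))


def subround_inverse(block, k1, k2, k3, k4):
    """Steps of subround() in reverse order, with inverse S-boxes and
    subtraction where the forward direction added."""
    x = [b ^ k for b, k in zip(block, k4)]
    x = [INV2[i][x[i]] for i in range(4)]
    x = [(x[i] - k3[i]) & 255 for i in range(4)]
    _unify_inverse(x)
    x = [(x[i] - k2[i]) & 255 for i in range(4)]
    x = [INV1[i][x[i]] for i in range(4)]
    return bytes(b ^ k for b, k in zip(x, k1))


if __name__ == "__main__":
    keys = [bytes(7 * n + j for j in range(4)) for n in range(4)]  # constructed subkeys
    ct = subround(b"\x01\x02\x03\x04", *keys)
    print(ct.hex(), subround_inverse(ct, *keys).hex())
```

Note that only the key addition steps and the mini-Feistel rounds change between the two directions; a byte-wise XOR is its own inverse, so the first and last modification steps are reused as they stand.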
The Central Feistel Rounds
The Feistel subround which operates on the central two 32bit subblocks of the 128bit block is illustrated below.
On the left is shown one byte from the 32-bit nonlinear control word derived from the encipherment of the leftmost subblock. For the three Feistel subrounds performed in a Quadibloc X round, the first, second, and third bytes from the left of that word are used for the three subrounds in order. The second subblock is used as the input to the F-function. The F-function proceeds as follows:

- XOR one 32-bit subkey with the input.
- Use the bytes of the result to index into either S-box S1 or S-box S2 of those generated from Euler's constant, under the control of the bits of the first nybble of the control word byte used for this subround (0 indicates S1, 1 indicates S2).
- Permute the 32 bits of the result so that the first two bits of each byte remain in the same position within that byte, the next two advance to the next byte, the next two are swapped with those in the byte two places before or after, and the last two are moved to the preceding byte. This is the permutation used elsewhere with the standard Quadibloc F-function.
- At this point, we have the first intermediate result from this F-function.
- XOR a second 32-bit subkey with the current value.
- Use the bytes of the result to index into S-boxes S3 or S4 under the control of the bits of the second nybble of the byte of the control word in use.
- Perform the bit transposition again.
- The second intermediate result from this F-function is now available.
- XOR a third 32-bit subkey with the current value.
- Replace each byte with its substitute in the key-dependent S-box S8.

The Feistel round is then completed when the F-function output is XORed with the third subblock. Of the three subrounds performed, the first intermediate result of each will be known as IR5, IR6, and IR7, respectively, and the second intermediate result of each as IR1, IR2, and IR3, respectively. These intermediate results will be used in the modification of the rightmost subblock. After the first two of the three Feistel subrounds performed in a Quadibloc X round, the second and third subblocks of the 128-bit block are swapped, these being the left and right halves of the block on which those Feistel subrounds operate.
The Decorrelated Modification of the Rightmost Subblock
Finally, the last step in the Quadibloc X round is illustrated in the diagram below:
Four quantities, derived from the intermediate results produced by the three Feistel rounds applied to the middle two subblocks, are applied to the rightmost subblock. The quantities IR4A and IR4B are defined as follows:

IR4A = IR5 xor IR6 xor IR7
IR4B = IR5 + IR6 + IR7

where + in the equations above refers to bytewise addition modulo 256.

The assignment of intermediate results from the Feistel rounds to the four inputs to this modification step is determined by the last four bits of the last byte of the nonlinear control word, according to the following table. It uses 16 of the 24 possible arrangements in which each intermediate result is used only once, IR4B (created by addition) is always used as input to an XOR step, and IR4A (created by XOR) is always used as input to an addition step:

  bits   IN1   IN2   IN3   IN4
  0000   IR4B  IR1   IR2   IR3
  0001   IR4B  IR2   IR3   IR1
  0010   IR4B  IR3   IR2   IR1
  0011   IR4B  IR2   IR1   IR3
  0100   IR2   IR4A  IR3   IR1
  0101   IR3   IR4A  IR1   IR2
  0110   IR3   IR4A  IR2   IR1
  0111   IR1   IR4A  IR3   IR2
  1000   IR1   IR2   IR4A  IR3
  1001   IR3   IR1   IR4A  IR2
  1010   IR2   IR1   IR4A  IR3
  1011   IR1   IR3   IR4A  IR2
  1100   IR1   IR2   IR3   IR4B
  1101   IR2   IR3   IR1   IR4B
  1110   IR3   IR2   IR1   IR4B
  1111   IR2   IR1   IR3   IR4B

The S-boxes S10, S11, S6, and S7 used in this step are ones specifically designed to produce decorrelation. Since only addition modulo 256 is used, the decorrelation is only approximate.
The S-box S11 contains successive powers of 3, under Galois Field multiplication using the polynomial x^8 + x^6 + x^5 + x^3 + 1 (cancellation binary string 101101001) as used with Twofish, except that the last entry in the S-box is 0. The S-box S10 is the inverse of an S-box containing successive powers of 3, under Galois Field multiplication using the polynomial x^8 + x^4 + x^3 + x + 1 (cancellation binary string 100011011) as used with Rijndael, except that the last entry in the S-box being inverted is 0. Thus, these S-boxes (and their inverses, as required for deciphering) are as follows:

S-box S11:
1 3 5 104 184 161 2 6 10 208 25 43 4 12 20 201 50 86 8 24 40 251 100 172 16 48 80 159 200 49 32 96 160 87 249 98 64 192 41 174 155 196 128 233 82 53 95 225 105 187 164 106 190 171 210 31 33 212 21 63 205 62 66 193 42 126 243 124 132 235 84 252 143 248 97 191 168 145 119 153 194 23 57 75 238 91 237 46 114 150 181 182 179 92 228 69
15 138 30 125 60 250 120 157 240 83 137 166 123 37 246 74 133 148 99 65 198 130 229 109 163 218 47 221 94 211 188 207
17 247 34 135 68 103 136 206 121 245 242 131 141 111 115 222 230 213 165 195 35 239 70 183 140 7 113 14 226 28 173 56
51 112 102 224 204 169 241 59 139 118 127 236 254 177 149 11 67 22 134 44 101 88 202 176 253 9 147 18 79 36 158 72
85 144 170 73 61 146 122 77 244 154 129 93 107 186 214 29 197 58 227 116 175 232 55 185 110 27 220 54 209 108 203 216
255 217 151 219 71 223 142 215 117 199 234 231 189 167 19 39 38 78 76 156 152 81 89 162 178 45 13 90 26 180 52 0
The inverse of S-box S11:
255 0 16 1 32 48 205 18 125 33 64 4 221 119 34 49 25 231 206 236 80 146 20 164 237 50 98 169 26 157 65 74 41 5 247 252 217 142 61 35 96 155 162 133 36 253 30 123 218 151 66 175 114 75 185 173 183 223 225 248 81 194 90 147 57 8 128 136 102 238
2 17 215 220 153 141 126 19 107 135 207 232 120 222 38 161 250 180 62 143 6 42 94 227 165 21 187 198
204 3 216 145 127 211 182 154 39 229 88 121 44 108
13 51 112 52 14 167 82 201 189 9 97 73 24 254 29 174 67 193
212 68 86 83 202 209 10 45 109 190 168 40 230 15 122 113 53 89
233 54 171 11 46 78 191 22 199 110 210 181 144 203 228 87 84 43
116 99 92 69 213 105 195 138 242 129 156 246 235 31 150 184 176 56
158 177 178 196 139 159 130 58 239 243 106 37 152 214 249 93 70 186
71 27 131 100 117 59 148 244 240 103 134 160 140 219 179 226 76 197
77 170 149 55 234 245 91 104 241 137 163 60 118 124 132 224 115 101
208 85 28 192 23 72 111 166 188 200 79 251 63 47 95 172 12 7
The inverse of S-box S10:
1 3 5 15 17 26 46 114 150 161 95 225 56 72 216 247 2 6 10 30 229 52 92 228 55 106 190 217 112 144 83 245 4 12 20 79 209 104 184 211 76 212 103 169 224 98 166 241 8 24 131 158 185 208 107 129 152 179 206 73 181 196 87 249 16 11 29 39 105 187 254 25 43 125 135 47 113 147 174 233 251 22 58 78 210 93 231 50 86 250 195 94 226 61 71 91 237 44 116 156 159 186 213 100 172 130 157 188 223 122 155 182 193 88 232 234 37 111 177 200 252 31 33 99 165 27 45 119 153 176 69 207 74 222 121 168 227 62 66 198 18 54 90 238 41 143 138 133 148 167 57 75 221 124 132 28 36 108 180 199

S-box S10:
255 0 25 1 75 199 27 104 100 4 224 14
51 85 248 19 115 149 34 102 89 235 171 230 60 68 110 178 59 77 40 120 189 220 219 118 48 80 214 97 146 173 32 96 109 183 21 63 201 64 191 218 239 42 142 137 35 101 67 197 244 7 203 70 139 134 81 243 123 141 242 13 151 162 82 246
255 53 164 170 38 49 204 205 215 136 127 154 240 163 236 160 194 65 192 117 126 128 175 84 9 202 145 14 140 23 253 0
50 2 26 198 51 238 223 3 52 141 129 239
76 125 77 101 18 150 19 102 179 126 58 43 78 175 79 44 89 127 216 204 59 151 188 83 20 68 180 103 13
113 194 228 47 240 143 92 221 37 110 107 121 212 88 174 215 203 12 67 187 82 178 149 57 42 17 124 74 99
8 29 166 138 130 219 210 253 226 72 40 10 172 168 233 117 95 246 31 62 161 135 207 132 158 146 184 237 140
200 181 114 5 69 189 241 48 152 195 84 21 229 80 213 122 176 111 45 90 108 144 205 60 93 217 38 222 128
248 249 154 33 53 54 64 191 34 163 250 155 243 244 231 235 156 23 164 251 170 97 55 65 86 35 119 197 192
105 185 201 15 147 208 70 6 136 182 133 159 115 234 230 22 169 196 118 96 85 190 63 162 242 32 153 49 247
28 39 9 225 218 206 131 139 145 30 61 94 167 214 173 11 81 73 123 177 41 220 91 109 211 46 227 254 112
193 106 120 36 142 148 56 98 16 66 186 202 87 116 232 245 160 236 183 134 157 252 209 71 171 137 165 24 7
The S-box S6 contains successive powers of 19 in multiplication modulo 257, except that 256, when it occurs, is replaced with zero, and the S-box S7 is the inverse of S6. Hence, the contents of these S-boxes are as follows:

S-box S6:
1 19 104 227 201 221 129 138 52 242 229 239 193 69 26 121 243 248 225 163 13 189 250 124 241 210 135 223 125 62 249 105 196 240 191 31 253 181 98 120 224 144 255 219 49 60 112 72 0 238 153 30 56 36 128 119 205 15 28 18 64 188 231 136 14 9 32 94 244
177 87 217 172 237 86 247 43 252 150 126 75 63 166 160 83 80 170 40 85 20 171 10
22 111 11 184 134 92 67 46 162 23 81 140 169 70 213 35 235 146 246 73 123 165 190
161 53 209 155 233 206 245 103 251 180 254 90 127 45 192 151 96 204 48 102 24 51 12
232 236 116 118 58 59 29 158 143 79 200 168 100 84 50 42 25 21 141 139 199 198 228
39 115 148 186 74 93 37 175 147 216 202 108 101 54 179 27 218 142 109 71 183 164 220
68 7 133 214 211 154 16 47 122 5 95 6 34 132 195 107 234 77 8 152 61 131 176 3 17 66 226 182 117 167 4 76 159 194 88 130 137 33 113 91 187 212 2 38 208 97 44 65 197 145 185 174 222 106

S-box S7:
128 0 240 208 170 179 192 216 154 165 134 34 176 233 200 147 207 126 149 114 118 137 214 38 160 245 217 122 156 39 131 84 191 228 222 93 133 243 98 2 81 253 121 234 198 104 40 194 144 16 229 168 232 17 106 249 140 209 130 189 115 5 68 94 100 139 212 3 206 28 250 31 117 32 227 86 9 87 242 21 65 79 19 135 105 48 218 6 37 204 88 64 24 42 80 57
99 114 178 57 89 157 173 207 215
82 110 41 55 149 156 203 78 230
213 20 1 127 124 59 173 46 52 91 123 235 190 203 15 164 211 158 71 29 49 171 119 236 202 239 188 113 8 132 41 69
224 181 163 153 138 244 18 120 184 225 110 44 102 95 22 58 201 92 23 231 175 27 77 161 82 141 237 183 182 14 178 67
195 50 142 54 55 109 13 210 33 205 155 47 103 151 220 73 186 150 223 230 172 238 97 56 248 146 116 10 25 35 53 96
197 169 4 136 241 60 111 74 108 247 43 177 157 199 30 83 36 143 75 62 107 251 219 180 174 45 187 252 255 129 148 85
185 152 76 90 7 193 215 99 159 78 11 196 61 12 145 101 66 70 125 226 221 63 167 89 166 246 254 72 162 26 51 112
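Because the listings above are long, the following added script (not the author's code) regenerates S6, S7, S10 and S11, and the inverses needed for deciphering, from the rules just stated: 3^i under the Twofish polynomial with entry 255 set to 0, the inverse of 3^i under the Rijndael polynomial, 19^i mod 257 with 256 replaced by 0, and the inverse of that. The first entries of each (1 3 5 for S11, 255 0 25 1 for S10, 1 19 104 for S6, 128 0 240 for S7) match the listings above.

```python
# Regenerates the fixed decorrelation S-boxes S6, S7, S10 and S11 of
# Quadibloc X from their defining rules, plus the inverses used when
# deciphering. Added example, not the author's code.

TWOFISH_POLY = 0x169    # x^8 + x^6 + x^5 + x^3 + 1, binary 101101001
RIJNDAEL_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1, binary 100011011


def gf_mul(a, b, poly):
    """Multiply two bytes in GF(2^8) with the given reduction polynomial."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= poly
        b >>= 1
    return r


def powers_of_three(poly):
    """Table of 3^i for i = 0..255. Entry 255 would repeat 3^0 = 1, so the
    rule replaces it with 0, making the table a bijection on bytes."""
    box, x = [], 1
    for _ in range(256):
        box.append(x)
        x = gf_mul(x, 3, poly)
    box[255] = 0
    return box


def invert(box):
    inv = [0] * 256
    for i, v in enumerate(box):
        inv[v] = i
    return inv


def is_permutation(box):
    return sorted(box) == list(range(256))


S11 = powers_of_three(TWOFISH_POLY)
S10 = invert(powers_of_three(RIJNDAEL_POLY))      # discrete log base 3; 0 -> 255
S6 = [pow(19, i, 257) % 256 for i in range(256)]  # 19^i mod 257, with 256 -> 0
S7 = invert(S6)
S10_INV, S11_INV = invert(S10), invert(S11)

if __name__ == "__main__":
    for name, box in (("S6", S6), ("S7", S7), ("S10", S10), ("S11", S11)):
        print(name, box[:8], "bijective:", is_permutation(box))
```

S10 comes out as the familiar Rijndael "log base 3" table with 0 mapped to 255, and S6 is a permutation because 19 is a quadratic non-residue modulo 257 and hence a primitive root, so 19^128 is the only power equal to 256.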
The Complete Round
Thus, the entire Quadibloc X round looks like this:
and, as previously noted, the 16-bit subblock halves are rotated after each round except the last from the order 1 2 3 4 5 6 7 8 to the order 7 4 1 6 3 8 5 2, as illustrated in the diagram below:

which shows clearly that the left half of each subblock is rotated one place to the right, and the right half of each subblock is rotated one place to the left. Normally, at least 8 rounds of Quadibloc X are used for encryption. Ideally, 12 or 16 rounds would be preferable. With 32 rounds, the four bits per round that alter the algorithm fundamentally (by changing the order in which the intermediate results of the three Feistel rounds are applied decorrelatively to the fourth subblock) total 128 bits, so that the algorithm can no longer be brute-force searched; this allows Quadibloc X to realize its full potential. One round is definitely insecure, since the first 32-bit subblock is essentially subjected to a block cipher with a 32-bit block size. Two rounds are already an interesting problem for the cryptanalyst, and four rounds might possibly be secure, but cannot be recommended.
The Key Schedule
Quadibloc X uses the following key material: 17 subkeys, each 32 bits long, per round, and one key-dependent S-box, S8, containing the bytes from 0 to 255 in a shuffled order. The subkeys used by the first round are K1 through K17, as shown in the diagram, those used by the second round are K18 through K34, and so on. The key will be a multiple of four bytes in length. Subkey generation proceeds as follows:
Initialization
Three strings of bytes of different lengths are produced from the key. The first string consists of the key, followed by one byte containing the one's complement of the XOR of all the bytes of the key. The second string consists of the one's complements of the bytes of the key in reverse order, with three bytes appended containing the following three quantities:

- The sum, modulo 255, of the bytes of the key, incremented by one by normal addition. (Thus, this produces a number from 1 to 255.)
- The XOR of all the bytes at odd-numbered positions in the key, where the first byte in the key is considered to be byte 1, and odd.
- The one's complement of the XOR of all the bytes at even-numbered positions in the key.

The third string consists of alternating bytes, taken from the bytes of the key in reverse order and then from the bytes of the one's complement of the key, and that string is then followed by the one's complements of the first four bytes of the key. Thus, if the key is:

128 64 32 16 8 4 2 1 1 2 3 4 5 6 7 8

then the strings generated from it are as follows:

First string: 128 64 32 16 8 4 2 1 1 2 3 4 5 6 7 8 8

Second string: 247 248 249 250 251 252 253 254 254 253 251 247 239 223 191 127 37 170 93

Third string: 8 127 7 191 6 223 5 239 4 247 3 251 2 253 1 254 1 254 2 253 4 252 8 251 16 250 32 249 64 248 128 247 127 191 223 239

Given that the length of the key is 4n, the lengths of the three strings are 4n+1, 4n+3, and 8n+4, and these are pairwise relatively prime: 4n+1 and 4n+3 are odd numbers differing by two, and 8n+4 = 4(2n+1), where 2n+1 is coprime to both 4n+1 = 2(2n+1)-1 and 4n+3 = 2(2n+1)+1.

Two buffers are filled by generating bytes from the first and second strings by chain addition. Chain addition applied to a string is defined as follows: the sum, modulo 256, of the last two bytes in the string is calculated. This sum is the output of the chain addition step. Also, the last byte of the string is removed, and the sum is appended to the beginning of the string. Both buffers contain 256 bytes. The first buffer, called buffer A, is filled with 256 successive bytes generated from the second string by chain addition. The second buffer, called buffer B, is filled with 256 successive bytes generated from the first string by chain addition.
Subkey Byte Generation
Once the setup is complete, subkey material is generated one byte at a time, the first byte generated being the leftmost byte of subkey K1, and so on. A subkey byte is generated as follows:

- A byte is generated from the first string by chain addition.
- The byte at the position in buffer A indicated by this value is taken, and called P.
- A byte is generated from the third string by chain addition. Its value is placed in buffer A, replacing the value taken.
- A byte is generated from the second string by chain addition.
- The byte at the position in buffer B indicated by this value is taken, and called Q.
- A byte is generated from the third string by chain addition. Its value is placed in buffer B, replacing the value taken.
- The subkey byte generated is the XOR of P and Q.
Note that this procedure, since it exercises the two strings used to select bytes rather than the string used to generate the replacement values, results in a small change in the key producing large changes in the subkeys from the very beginning.
Permutation Generation
Once all the required 32-bit subkey words are generated, the key-dependent S-box S8 must be generated. This is done as follows:

- 256 bytes are generated following the same procedure as for subkey byte generation, and these bytes are placed in a 256-byte buffer called buffer C.
- A 256-byte buffer called buffer D is filled with the numbers from 0 to 255 in order.
- For every i from 0 to 255, if element i of buffer C (hereinafter called C(i)) is not equal to i, swap elements i and C(i) of buffer D.
- For every i from 0 to 255, if B(i) is not equal to i, swap elements i and B(i) of buffer D.
- For every i from 0 to 255, if A(i) is not equal to i, swap elements i and A(i) of buffer D.

The resulting contents of buffer D are used as S-box S8. Note that this is a much more straightforward procedure than that used to produce S8 in other ciphers in this series.
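The whole key schedule (Initialization, Subkey Byte Generation and Permutation Generation) as an added example in Python, not the author's code, run on the 16-byte key of the worked example above: it reproduces the three strings, fills buffers A and B, generates 17 subkey words per round, and builds S8. One caveat a reader checking the figures will hit: for the third byte appended to the second string, the rule as stated (one's complement of the XOR of the even-position bytes) gives 162, while the worked listing shows 93, the uncomplemented XOR. The code follows the stated rule.

```python
# Quadibloc X key schedule following the Initialization, Subkey Byte
# Generation and Permutation Generation steps above. Added example, not the
# author's code. SAMPLE_KEY is the key used in the text's worked example.
from collections import deque

SAMPLE_KEY = bytes([128, 64, 32, 16, 8, 4, 2, 1, 1, 2, 3, 4, 5, 6, 7, 8])


def chain_add(s):
    """Output the sum (mod 256) of the last two bytes, drop the last byte
    and push the sum onto the front of the string."""
    out = (s[-1] + s[-2]) % 256
    s.pop()
    s.appendleft(out)
    return out


def make_strings(key):
    """The three strings, of lengths 4n+1, 4n+3 and 8n+4."""
    if len(key) % 4:
        raise ValueError("key must be a multiple of four bytes")
    comp = [b ^ 0xFF for b in key]
    rev = list(key[::-1])
    parity = odd_xor = even_xor = 0
    for i, b in enumerate(key):
        parity ^= b
        if i % 2 == 0:        # the text numbers bytes from 1, so index 0 is "odd"
            odd_xor ^= b
        else:
            even_xor ^= b
    first = list(key) + [parity ^ 0xFF]
    second = [b ^ 0xFF for b in rev] + [sum(key) % 255 + 1, odd_xor, even_xor ^ 0xFF]
    third = [b for pair in zip(rev, comp) for b in pair] + comp[:4]
    return deque(first), deque(second), deque(third)


class KeySchedule:
    def __init__(self, key, rounds=8):
        self.s1, self.s2, self.s3 = make_strings(key)
        self.buf_a = [chain_add(self.s2) for _ in range(256)]   # from the second string
        self.buf_b = [chain_add(self.s1) for _ in range(256)]   # from the first string
        words = 17 * rounds
        material = bytes(self.next_byte() for _ in range(4 * words))
        self.subkeys = [int.from_bytes(material[4 * i:4 * i + 4], "big")
                        for i in range(words)]
        self.s8 = self.make_s8()

    def next_byte(self):
        """One subkey byte: select from A and B, refill from the third string."""
        a = chain_add(self.s1)
        p, self.buf_a[a] = self.buf_a[a], chain_add(self.s3)
        b = chain_add(self.s2)
        q, self.buf_b[b] = self.buf_b[b], chain_add(self.s3)
        return p ^ q

    def make_s8(self):
        """Shuffle the identity with buffers C, B and A in that order."""
        buf_c = [self.next_byte() for _ in range(256)]
        d = list(range(256))
        for buf in (buf_c, self.buf_b, self.buf_a):
            for i in range(256):
                if buf[i] != i:
                    d[i], d[buf[i]] = d[buf[i]], d[i]
        return d


if __name__ == "__main__":
    s1, s2, s3 = make_strings(SAMPLE_KEY)
    print("first string: ", list(s1))
    print("second string:", list(s2))
    print("third string: ", list(s3))
    ks = KeySchedule(SAMPLE_KEY)
    print("K1..K4:", [hex(k) for k in ks.subkeys[:4]])
    print("S8 is a permutation:", sorted(ks.s8) == list(range(256)))
```

Each swap in make_s8 exchanges two entries of a permutation, so S8 is a permutation whatever the buffers contain; the assertion on sorted(ks.s8) checks exactly that property.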
Advanced Key Schedule
With the complexity of the Quadibloc X round, its two kinds of subkeys, and the lack of unused intermediate values, it would be difficult to propose a key augmentation procedure for this cipher of the kind used with some other block ciphers in the Quadibloc series. Instead, a different method of providing an improved key schedule, which makes use of the existing logic of Quadibloc X encipherment, is proposed. Two keys are required, a primary key and a secondary key. The primary key is used to create a key schedule, including a key-dependent S-box S8, for single-round Quadibloc X encipherment. Then, using buffers A and B as they stand (generating S8 does not change them), additional key bytes are generated by the same process as used for the subkeys, to produce two more values: a 96-bit seed value and a 96-bit initial counter value. Then the secondary key is used to generate the bytes to be used in the key schedule for the actual Quadibloc X encipherment desired. However, after each four bytes are generated, they are enciphered in an unusual stream cipher mode of single-round Quadibloc X, as illustrated below.
The first four bytes are enciphered as follows: the 128-bit value composed of the 96-bit seed value and the 32-bit group of four bytes generated by the MacLaren-Marsaglia-based technique used for subkey generation is encrypted in single-round Quadibloc X, using the key schedule derived from the primary key. The rightmost 32 bits of the result are the encrypted four keystream bytes. Successive groups of four bytes are encrypted by following these additional steps: the first 96 bits of the result are divided into six 16-bit subblock halves, and they are permuted from the order 1 2 3 4 5 6 to the order 5 4 1 6 3 2. After being permuted, the counter value is added to them, and the result of that addition is used as the new seed value for input along with the next 32 bits to be encrypted. The counter value is then incremented by one. Note that when the final step of creating the key-dependent S-box S8 is taken, the contents of buffer C, being ordinary output, will have gone through this encryption step, but the contents of buffers A and B will not have.
Deciphering
In deciphering, it is necessary to replace S-boxes S10, S11, and S5 by their inverses, to switch addition and subtraction modulo 256 as appropriate, and to perform the steps within the round in reverse order as appropriate, leaving the steps within the F-functions unaffected.
Towards the 128bit Era: AES Candidates
Improvements in the speed and power of microprocessor chips have meant that the Data Encryption Standard, with its 56-bit key, is subject to brute-force attacks that can be carried out by organizations of moderate size. Although some branches of the Government of the United States, including its Chief Executive, have been pursuing policies such as export restrictions and the "Clipper chip" initiative, based on perceived dangers of the spread of strong encryption, the National Institute of Standards and Technology, another branch of the U. S. Government, has sought public submissions of an improved block cipher which would serve the specific purpose of protecting the unclassified communications of the U. S. Government, but which would also, no doubt, serve the public sector as well. The block cipher that is accepted will be called the AES, for Advanced Encryption Standard. Since this was written, on October 2, 2000, the cipher that will serve as the Advanced Encryption Standard has been announced, and that cipher is Rijndael, designed by Vincent Rijmen and Joan Daemen. Because block cipher modes give block ciphers the flexibility of also serving in applications which can make use of stream ciphers, a block cipher was sought. A block length of 128 bits, making dictionary attacks more difficult, is specified, and key lengths of 128, 192, and 256 bits are to be allowed for in the designs submitted.
A larger block length also increases the speed of encipherment, by allowing more text to be enciphered at once. Where a 56-bit key does not provide enough security at present, it is possible to use Triple-DES (enciphering in DES three times over, using either two or three different keys, and with the middle encipherment done in deciphering mode for compatibility reasons), and therefore one of the goals to be met by any submitted cipher is that it be faster than Triple-DES. An idea that might occur upon first hearing about the AES effort: could a simple construction like the following, operating at speeds only slightly slower than those of single DES, provide adequate strength?

[Diagram: the two halves of a 128-bit block are XORed with whitening material, mixed by a Pseudo-Hadamard Transform (the pair of additions), each enciphered by DES, mixed by a second Pseudo-Hadamard Transform, and XORed with whitening material again.]

However, while it seems that the series of byte substitutions, followed by a Pseudo-Hadamard Transform, mixes together the two halves of the block well enough, attacks are possible against this type of construction that make it not much stronger than normal DES, at least in theory. If the Pseudo-Hadamard Transform, however, is replaced by something better, such as the mask-driven bit swap used in the cipher ICE, where a mask selects bits to be swapped between a pair of words, and we further enhance it by using a 4-of-8 code to ensure each byte includes both swapped and non-swapped bits, one might have something usable. The additional XOR whitening is applicable if otherwise all sixteen bytes go through the same byte substitution. With a better initial mixing step, and a willingness to go to double-DES speeds, this approach could lead to something adequate. As block ciphers like Blowfish demonstrate, it is possible to do better than DES at faster speeds: DES is designed for hardware implementation, and is unnecessarily slow in software. Thus, something that is designed for fast software encryption, with the required security, will be better if it comes from a fresh design process. Also, it should be noted that this illustration of how DES could be used as the basis of a 128-bit block cipher is not terribly original with me; whitening has been proposed many times before, and the use of some sort of mixing before and after using DES to increase the block size is part of Terry Ritter's Fenced DES design.
This design is not perfect: since the expression for one of the outputs of a PHT has a factor of two in it, one can, using chosen plaintexts where only the least significant byte of one particular half is varied, uncover some facts about the S-boxes used, for example. This, among other weaknesses, was noted by Bryan G. Olson. Since keeping one block the same still changes the complete output, because the other DES encipherment is different, not 256 chosen plaintexts, but a larger number, are required, but an attack is still possible. All the AES candidate algorithms have been disclosed. I have written up descriptions of some of them in my own words, with diagrams, that may be helpful to some in understanding the algorithms. In some cases, my descriptions are not complete; for example, in several cases I omit a description of the key schedule. It may also be noted that links to the descriptions of the algorithms are available at the Block Cipher Lounge as well as at the official AES site. Since this page was originally developed, on August 9, 1999, five algorithms were announced as those chosen for consideration in Round 2 of the AES selection process. All five of those algorithms are among those described here, and they are indicated in the list below:
- The Advanced Encryption Standard (Rijndael)
- Twofish (finalist)
- Serpent (finalist)
- RC6 (finalist)
- DEAL
- MARS (finalist)
- SAFER+
- FROG
- LOKI97
- CAST-256
- Magenta
- DFC
The Advanced Encryption Standard (Rijndael)
The block cipher Rijndael is designed to use only simple whole-byte operations. Also, it provides extra flexibility over that required of an AES candidate, in that both the key size and the block size may be chosen to be any of 128, 192, or 256 bits. (During an early stage of the AES process, a draft version of the requirements would have required each algorithm to have three versions, with both the key and block sizes equal to each of 128, 192, and 256 bits. This was later changed to make the three required versions have those three key sizes, but only a block size of 128 bits, which is more easily accommodated by many types of block cipher design.) The original description of Rijndael is available at: http://www.esat.kuleuven.ac.be/~rijmen/rijndael/. However, the variations of Rijndael which act on larger block sizes apparently will not be included in the actual standard, on the basis that the cryptanalytic study of Rijndael during the standards process primarily focused on the version with the 128-bit block size. Rijndael is a relatively simple cipher in many respects. Rijndael has a variable number of rounds. Not counting an extra round performed at the end of encipherment with one step omitted, the number of rounds in Rijndael is:
- 9 if both the block and the key are 128 bits long.
- 11 if either the block or the key is 192 bits long, and neither of them is longer than that.
- 13 if either the block or the key is 256 bits long.
To encipher a block of data in Rijndael, you first perform an Add Round Key step (XORing a subkey with the block) by itself, then the regular rounds noted above, and finally, as already noted, the extra round with the Mix Column step (described below) omitted.
The Rounds
Each regular round involves four steps. First is the Byte Sub step, where each byte of the block is replaced by its substitute in an S-box.
The specification for Rijndael only provided an explanation of how the S-box was calculated: the first step was to replace each byte with its reciprocal in the same GF(2^8) as used below in the Mix Column step, except that 0, which has no reciprocal, is replaced by itself (since it isn't anything's reciprocal either, it is the only value not used, so that makes sense); then a bitwise modulo-two matrix multiply was used, and finally the hexadecimal number 63 is XORed with the result. (Not C6; x7 is the MSB, if the diagram in the specification appears confusing.) The S-box, in decimal, with the substitute for input 16r+c in row r and column c, is:

 99 124 119 123 242 107 111 197  48   1 103  43 254 215 171 118
202 130 201 125 250  89  71 240 173 212 162 175 156 164 114 192
183 253 147  38  54  63 247 204  52 165 229 241 113 216  49  21
  4 199  35 195  24 150   5 154   7  18 128 226 235  39 178 117
  9 131  44  26  27 110  90 160  82  59 214 179  41 227  47 132
 83 209   0 237  32 252 177  91 106 203 190  57  74  76  88 207
208 239 170 251  67  77  51 133  69 249   2 127  80  60 159 168
 81 163  64 143 146 157  56 245 188 182 218  33  16 255 243 210
205  12  19 236  95 151  68  23 196 167 126  61 100  93  25 115
 96 129  79 220  34  42 144 136  70 238 184  20 222  94  11 219
224  50  58  10  73   6  36  92 194 211 172  98 145 149 228 121
231 200  55 109 141 213  78 169 108  86 244 234 101 122 174   8
186 120  37  46  28 166 180 198 232 221 116  31  75 189 139 138
112  62 181 102  72   3 246  14  97  53  87 185 134 193  29 158
225 248 152  17 105 217 142 148 155  30 135 233 206  85  40 223
140 161 137  13 191 230  66 104  65 153  45  15 176  84 187  22
Note that 63 in hexadecimal is 3 plus 6*16, or 3+96, which is 99, the value that begins the table. Next is the Shift Row step. Considering the block to be made up of bytes 1 to 16, these bytes are arranged in a rectangle, and shifted as follows:

from:
 1  5  9 13
 2  6 10 14
 3  7 11 15
 4  8 12 16

to:
 1  5  9 13
 6 10 14  2
11 15  3  7
16  4  8 12

Blocks that are 192 and 256 bits long are shifted like this:

from:
 1  5  9 13 17 21
 2  6 10 14 18 22
 3  7 11 15 19 23
 4  8 12 16 20 24

to:
 1  5  9 13 17 21
 6 10 14 18 22  2
11 15 19 23  3  7
16 20 24  4  8 12

and from:
 1  5  9 13 17 21 25 29
 2  6 10 14 18 22 26 30
 3  7 11 15 19 23 27 31
 4  8 12 16 20 24 28 32

to:
 1  5  9 13 17 21 25 29
 6 10 14 18 22 26 30  2
15 19 23 27 31  3  7 11
20 24 28 32  4  8 12 16

Note that in the 256-bit case, the rows are shifted 1, 3, and 4 places to the left, instead of 1, 2, and 3 places as for the other two block sizes. Next comes the Mix Column step. Matrix multiplication is performed: each column, in the arrangement we have seen above, is multiplied by the matrix:

2 3 1 1
1 2 3 1
1 1 2 3
3 1 1 2
However, this multiplication is done over GF(2^8). This means that the bytes being multiplied are treated as polynomials rather than numbers. Thus, a byte "multiplied" by 3 is that byte XORed with that byte shifted one bit left. If the result has more than 8 bits, the extra bits are not simply discarded: instead, they're cancelled out by XORing the binary 9-bit string 100011011 with the result (shifted right if necessary). This string st
ands for the generating polynomial of the particular version of GF(2^8) used; a similar technique is used in cyclic redundancy checks. The final step is Add Round Key. This simply XORs in the subkey for the current round. Although a three-dimensional color diagram of the round has already appeared at the beginning of the page, the Rijndael round can also be illustrated in a more conventional manner:
The extra final round omits the Mix Column step, but is otherwise the same as a regular round. Thus, the sequence of steps in Rijndael is: ARK BSB SR MC ARK BSB SR MC ARK ... BSB SR MC ARK BSB SR ARK Because it begins and ends with an ARK (Add Round Key) step, there is no wasted unkeyed step at the beginning or end. The sequence of operations is important for facilitating decipherment, as well. Although the sequence is not symmetrical, the order of some of the steps in Rijndael could be changed without affecting the cipher. The Byte Sub step could just as easily be done after the Shift Row step as before it.
That would change A BSMA BSMA ... BSMA BSA to A SBMA SBMA ... SBMA SBA. If, on the other hand, we reversed the original sequence, we would get ASB AMSB ... AMSB AMSB A. Although these look similar, except for the different positions of the spaces, which just mark what are termed "rounds" in the algorithm, wherever the sequence "MA" appears in the modified, but equivalent, algorithm, the sequence "AM" appears in the reverse sequence, required for decryption. Of course, the steps also need to be reversed as well: ARK is an XOR, so that is its own inverse, but the matrix in the Mix Column step needs to be replaced with its inverse, and the S-box in the Byte Sub step needs to be replaced with its inverse for decryption as well. What about the switch between "MA" and "AM", though? Do we need to change the order of operations for decryption? No; with matrix multiplication, the distributive property also applies, so the round keys involved in such a reversal merely need to be multiplied by the (inverse) Mix Column matrix, and then they can be XORed in at the same time (of course, in reverse order) as was used for encryption. (XOR corresponds to addition in GF(2^8), which is where the multiplications are performed.) The matrix for the inverse Mix Column step is:

14 11 13  9
 9 14 11 13
13  9 14 11
11 13  9 14

as can quickly be verified by making use of its symmetry, once the answer is known. (The original page lays out that verification of the matrix product in binary; it is not reproduced here.)
The Key Schedule
For keys 128 and 192 bits in length, the subkey material, which consists of all the round keys in order, consists of the original key, followed by stretches, each the length of the original key, consisting of four-byte words such that each word is the XOR of the preceding four-byte word and either the corresponding word in the previous stretch or a function of it. For the first word in a stretch, the word is first rotated one byte to the left, and then its bytes are transformed using the S-box from the Byte Sub step, and then a round-dependent constant is XORed to its first byte. The round constants are:

1 2 4 8 16 32 64 128
27 54 108 216 171 77 154 47
94 188 99 198 151 53 106 212
179 125 250 239 197 145 57 114
228 211 189 97...

which are, in binary:

00000001 00000010 00000100 00001000 00010000 00100000 01000000 10000000
00011011 00110110 01101100 11011000 10101011 01001101 10011010 00101111
01011110 10111100 01100011 11000110 10010111 00110101 01101010 11010100
10110011 01111101 11111010 11101111 11000101 10010001 00111001 01110010
11100100 11010011 10111101 01100001...

These are the successive powers of 2 in the representation of GF(2^8) used. Successive powers of 3, unlike 2, include all the values from 1 to 255, and thus several implementations of Rijndael use tables of the powers of 3, and the inverse table giving the discrete logarithm in that field, to facilitate calculations, but the round constants are still the powers of 2. (I'm not entirely sure why one needs log and antilog tables when all one is doing is multiplying by 2 and by 3, but doubtless there is a non-obvious way to implement Rijndael with greater efficiency that makes use of them. The inverse of the matrix used in the Mix Column step has the values 9, 11, 13, and 14 as its coefficients, however, so this could simply serve to limit the number of tables needed for both enciphering and deciphering, replacing six tables by two.) For keys 256 bits in length, the S-box from the Byte Sub step alone is additionally applied to the word from the preceding stretch for the fifth word in a stretch.
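To tie the Rounds and Key Schedule sections together, here is an added example, not code from the Compendium or from the Rijndael designers, of AES-128 in Python. It generates the Byte Sub table from the GF(2^8) reciprocal, the bit-matrix multiply and the constant 63 rather than copying the table, applies Shift Row and Mix Column in the byte numbering used above, builds the round constants as successive powers of 2, and lets the inverse Mix Column matrix quoted earlier be checked; the known-answer vector is the one from FIPS-197 Appendix C.1.

```python
# Added example: AES-128 assembled from the steps described above. Not code from
# the Compendium or from the Rijndael reference implementation.
POLY = 0x11B  # the 9-bit string 100011011: x^8 + x^4 + x^3 + x + 1

def gf_mul(a, b):
    """Multiply two bytes as polynomials over GF(2), reducing by POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r

def gf_inv(a):
    """Reciprocal in GF(2^8); 0, which has none, is mapped to itself."""
    if a == 0:
        return 0
    return next(x for x in range(1, 256) if gf_mul(a, x) == 1)

def make_sbox():
    """Byte Sub table: reciprocal, then the bit-matrix multiply, then XOR 0x63.
    The matrix multiply equals XORing the byte with its rotations by 1 to 4 bits."""
    sbox = []
    for v in range(256):
        x = y = gf_inv(v)
        for _ in range(4):
            x = ((x << 1) | (x >> 7)) & 0xFF
            y ^= x
        sbox.append(y ^ 0x63)
    return sbox

SBOX = make_sbox()

# Mix Column matrix and the inverse quoted in the text, applied over GF(2^8).
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]

def round_constants(n):
    """The first n round constants: successive powers of 2 in this GF(2^8)."""
    out, rc = [], 1
    for _ in range(n):
        out.append(rc)
        rc = gf_mul(rc, 2)
    return out

def expand_key(key):
    """Key schedule for a 16-byte key: returns the 11 round keys, 16 bytes each.
    Rotation, Byte Sub and the round constant are applied to the preceding word,
    and the result is XORed with the corresponding word of the previous stretch."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = round_constants(10)
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:                       # first word of each stretch
            t = t[1:] + t[:1]                # rotate one byte to the left
            t = [SBOX[b] for b in t]         # Byte Sub on every byte
            t[0] ^= rcon[i // 4 - 1]         # round constant into the first byte
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

# The state is a flat list of 16 bytes in the text's numbering: bytes 1 to 4 form
# the first column, so the byte at row r of column c has index 4*c + r.
def shift_row(s):
    """Row r is shifted r places to the left."""
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]

def mix_column(s, matrix=MIX):
    """Multiply every column by the matrix over GF(2^8) (XOR as addition)."""
    out = []
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        for row in matrix:
            acc = 0
            for m, v in zip(row, col):
                acc ^= gf_mul(m, v)
            out.append(acc)
    return out

def encrypt_block(key, block):
    """ARK, nine regular rounds, then the final round with Mix Column omitted."""
    rk = expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for r in range(1, 11):
        s = [SBOX[b] for b in s]                  # Byte Sub
        s = shift_row(s)                          # Shift Row
        if r != 10:
            s = mix_column(s)                     # Mix Column
        s = [b ^ k for b, k in zip(s, rk[r])]     # Add Round Key
    return bytes(s)

if __name__ == "__main__":
    # Known-answer test from FIPS-197 Appendix C.1.
    key = bytes(range(16))
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    print(encrypt_block(key, pt).hex())   # 69c4e0d86a7b0430d8cdb78070b4c55a
```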
Attacks on Rijndael
Although this page (and the preceding one) already have several diagrams of Rijndael, I've included yet another one, even more simplified than the one appearing on the previous page, to make it easier to "see the forest for the trees", and to see both that the Mix Column step indeed only mixes columns, and is the only place where that happens, and how the Shift Row step works with the Mix Column step to ensure that all parts of the block impinge on each other. The standard techniques of differential and linear cryptanalysis can be adapted to be used against Rijndael. Because of the way matrix multiplication works, and because in GF(2^8) all the coefficients of the Mix Column matrix (as indeed all numbers from 1 to 255) have reciprocals, a specific attack, originally developed for use against its predecessor Square, called the "Square attack", can be used as well. If one uses 256 blocks of chosen plaintext, where every byte but one is held constant, and that one is given all 256 possible values, then after one round of Rijndael, four bytes will go through all 256 possible values, and the rest of the bytes will remain constant. After a second round, sixteen bytes will each go through all 256 possible values, without a single duplicate, in the encipherment of the 256 blocks of chosen plaintext. (For a 128-bit block, this is every byte; for larger blocks, the rest of the bytes will remain constant.) This interesting property, although not trivial to exploit, can be used to impose certain conditions on the key when one additional round, before or after the two rounds involved, is present. The possibility of this attack was first noted by the developers of Square and Rijndael themselves, and was noted in the paper that initially described Square.
Comments
The availability of different block sizes with Rijndael permits a cute variant of the "bricklaying" mode proposed for Triple-DES to be used with it:
Here, each vertical line represents 32 bits, and the three layers use the 128, 192, and 256 bit block sizes in order. Despite the fact that Rijndael has a very different structure from that of DES, and in some ways could be said to more closely resemble SAFER, because the Byte Sub step directly alters the bytes to be encrypted, and the Mix Column step causes every byte in a column to affect every other byte there, somewhat as the PHT stage in SAFER involves the whole block, it is still possible to relate the fundamental steps in Rijndael to parts of DES based on the function they perform in contributing to the step of the overall cipher. The Add Round Key step clearly corresponds to the XOR of subkey material with the input to the f-function. The Mix Column step is where the different bytes interact with each other, so it corresponds to the XOR of the f-function output with the left half of the block in DES. The Byte Sub step contributes the nonlinearity in Rijndael, and so it corresponds to the f-function itself.
The Shift Row step ensures that the different bytes of each row do not only interact with the corresponding byte in other rows. Thus, it corresponds to permutation P within DES. In drawing an analogy between Rijndael and DES, it is very easy, based on a superficial glance at Rijndael, and the appearance of the Shift Row step, to view it as corresponding to the swapping of halves of the block within DES. In fact, Rijndael does not require a step with this function, because the Mix Column step in Rijndael causes every byte in a column to alter every other byte in the column, so no step is needed that swaps rows. This subtle point is actually quite important. The number of regular rounds in Rijndael is always an odd number; without a Mix Column step, the last round involves no interaction between bytes, so it makes sense not to count it as a "real" round. Thus, it is not a multiple of the number of columns, which is 4, 6, or 8, depending on the size of the block. Differential cryptanalysis attacks on DES become quite a bit easier for variants of DES with an odd number of rounds. Thus, if the Shift Row step in Rijndael had corresponded to swapping halves of the block, this would have possibly been an important weakness in Rijndael. It may still be a slight flaw, but existing cryptanalytic results against Rijndael do not seem to exhibit a pattern indicating this. The key schedule for Rijndael can be carried out equally well with keys that are 160 or 224 bits long, since it only requires that the key size be a multiple of 32 bits. Even block sizes of 160 and 224 bits are possible as well. A revised version of the Rijndael specification includes these as extensions, and the rule for the number of rounds to use is based on the larger of the block size and the key size, with 10 regular rounds (11 rounds in total) corresponding to 160 bits, and 12 regular rounds (13 rounds in total) corresponding to 224 bits. 
Thus, one can obtain 12 regular rounds, which I view as desirable for the 128-bit and 192-bit block sizes, by specifying a key of 224 bits. As a nice bonus, the number of 32-bit words in 224 bits is seven, which is relatively prime to either four or six, which appears, at least from a naïve point of view, as if it might improve the key schedule at least slightly as well. This chart, showing the number of rounds (in total, including the final round) for different block sizes and key sizes, also indicates when these apparently desirable properties are obtained:

* : number of regular rounds is a multiple of the number of 32-bit words in a block
+ : number of 32-bit words in the key is relatively prime to the number of 32-bit words in a block

        Key
Block   128    160    192    224    256    288    320    352
128     10     11+    12     13*+   14     15+    16     17*+
160     11*+   11*    12+    13+    14+    15+    16*    17+
192     12     12+    12     13*+   14     15     16     17+
224     13+    13+    13+    13     14+    15*+   16+    17+
256     14     14+    14     14+    14     15+    16     17*+

Notes by key size:
128: 10 is a multiple of 5; 4 is relatively prime to 5 and 7.
160: 10 is a multiple of 5; 5 is relatively prime to 4, 6, 7, and 8.
192: 6 is relatively prime to 5 and 7.
224: 12 is a multiple of 4 and 6; 7 is relatively prime to 4, 5, 6, and 8.
256: 8 is relatively prime to 5 and 7.
288: 14 is a multiple of 7; 9 is relatively prime to 4, 5, 7, and 8.
320: 15 is a multiple of 5; 10 is relatively prime to 7.
352: 16 is a multiple of 4 and 8; 11 is relatively prime to 4, 5, 6, 7, and 8.

Thus, there is at least one "ideal" key size for every possible block size:

Block size   Ideal key sizes
128          224, 352
160          128
192          224
224          288
256          352
Once again, I reiterate, this is only significant if these essentially minor concerns, as seen from a naïve point of view, have any validity. Incidentally, for a block size of 224 bits, the Shift Row step is again altered, but not in quite the same way as for a 256-bit block. Only the last row, not the last two rows, is shifted by an extra byte position. Also, the additional Byte Sub step noted for 256-bit keys is added to the key schedule for all key sizes greater than 192 bits, so it applies to the 224-bit key as well as to all key sizes greater than 256 bits. That the design of the S-box involves the same GF(2^8) as the Mix Column step might also appear to be a concern. However, the Rijndael S-box is nearly ideal in resistance to differential cryptanalysis, and is also excellent in avoiding any approximations in GF(2^8) usable in the GF(2^8) equivalent of linear cryptanalysis. The choice of Rijndael over the other finalist algorithms, also believed to be highly secure, was based primarily on its efficiency and low memory requirements; this, coupled with the fact that existing cryptanalyses of Rijndael are based on reduced-round variants somewhat close to the actual cipher (although the results close to the actual number of rounds are quite impractical to exploit), means that some controversy, even if not the intense controversy surrounding DES, may haunt the new AES as well. Rijndael was preceded by the block cipher Square, which was somewhat similar. However, instead of a Shift Row step, a transpose of the square matrix of bytes was used; in effect, this meant that diffusion over the whole block was obtained by alternating Mix Column steps with Mix Row steps. Specific attacks were found against Square, against which Rijndael was strengthened. Finally, I will propose a minor variation to Rijndael that might make cryptanalysis more difficult.
Instead of subjecting all the columns of the block to the same operation in the Mix Column step, every second column, instead of being subjected to a matrix multiplication, could instead be subjected to a scaled-down version of the PHT stage in SAFER. Since only four bytes are involved, this would mean two stages of PHT operations, and the bytes in the second and third rows would be swapped between the stages. To avoid major changes to the Shift Row step, the pattern of operations should be MPMP for two rounds, and then PMPM for two rounds; also, the bytes in the second and third rows should be swapped back after the second PHT stage (or the PHT operations would be performed "in place", which is equivalent). By using two completely unrelated operations, both of which completely mix all the bytes in a column, resistance to analysis should be improved. However, although this is a different form of mixing, and will thus block the Square attack, it is also a weaker form of mixing, and thus would need to be combined with an increase in the number of rounds.
Twofish
Developed by Bruce Schneier as a successor to his 64-bit Blowfish block cipher, the Twofish specification has been released, and is available at http://www.counterpane.com//twofish.html in both Adobe PostScript format and Adobe Acrobat .PDF format.
How Twofish Works
Twofish uses 40 32-bit subkeys. The first eight are used for whitening: four at the beginning and four at the end are XORed with the entire block. Each round uses two of the remaining 32 subkeys, and so Twofish has sixteen rounds. The division of the 128-bit block into four 32-bit quarters is done using the "little-endian" convention, which presumably means the leftmost quarter is the earliest one, but the least significant numerically. I will denote the quarters as Q0 through Q3.
The Twofish Round
A round of Twofish proceeds as follows: Q3 is rotated one bit left. Q0, and Q1 rotated left 8 bits, are each submitted to four key-dependent S-boxes with 8-bit inputs and outputs. These key-dependent S-boxes are equivalent to the use of fixed S-boxes with 8-bit inputs and outputs alternating with the XOR of subkey material, and the fixed S-boxes are themselves constructed from smaller S-boxes with four-bit inputs and outputs. Then, the bytes in each are combined by means of matrix multiplication with the following matrix (called the MDS matrix):

01 EF 5B 5B
5B EF EF 01
EF 5B 01 EF
EF 01 EF 5B

(needless to say, the entries are in hexadecimal notation) over the Galois Field of 2^8 with the modular polynomial x^8 + x^6 + x^5 + x^3 + 1. This means that when a byte is multiplied by an element of the matrix, instead of actual multiplication being performed, which can be thought of as shifting the input byte, and adding it to the total whenever its last bit is over a 1 bit of the number in the matrix, a similar operation is performed, but an XOR instead of addition is performed. Thus, in effect, one is multiplying polynomials (one cannot carry, since one doesn't know what x is) with coefficients that are either 0 or 1, handled according to modulo-2 arithmetic. The result of this "multiplication" is a 16-bit number. It is then reduced to an 8-bit number as follows: the modular polynomial, considered to be the binary string 101101001, is shifted left until its first bit coincides with the first 1 bit of the result. It is then XORed with the number, and shifted right until its first bit coincides with the first remaining 1 bit, and this is repeated until the number is 8 bits long or less. Finally, the two resulting 32-bit quantities are mixed with each other through a Pseudo-Hadamard Transform; the one formed from Q1 is added to the one formed from Q0, then the one formed from Q0 is added to the one formed from Q1. Then, the first subkey for the round is added to the one formed from Q0, and the result is XORed to Q2. The second subkey for the round is added to the one formed from Q1, and the result is XORed to Q3. Finally, Q2 is rotated one bit right, and the two halves of the block are swapped (Q0 is swapped with Q2, and Q1 is swapped with Q3). As in DES, the halves are not swapped after the last round. Note that the matrix multiplication, since it involves an XOR (rather than addition) of the individual products, can be precomputed, making the S-box entries 32 bits wide rather than 8.
The Key Schedule
This description of the key schedule is not quite detailed enough to permit implementation at this time, but it outlines all the required steps, and should help in understanding the original documentation. Key generation begins by deriving three key vectors each half the length of the original key. The first two are formed by splitting the key into 32-bit parts. Numbering these parts starting from zero, the even-numbered ones become M(e), and the odd-numbered ones become M(o). The third one is formed by dividing the key into 64-bit parts, and producing one 32-bit part of the key vector by multiplying each 64-bit part by this matrix (called the RS matrix):

01 A4 55 87 5A 58 DB 9E
A4 56 82 F3 1E C6 68 E5
02 A1 FC C1 47 AE 3D 19
A4 55 87 5A 58 DB 9E 03

over the Galois Field GF(2^8) with the modular polynomial x^8 + x^6 + x^3 + x^2 + 1, which means that after an XOR-multiplication the bit pattern 101001101 is used to fit the result back into eight bits this time. The reason that both fields are referred to simply as "GF(2^8)" is because, except that the same roles will now be performed by different numbers from 0 to 255, no matter which modular polynomial is used, there is really only one Galois Field for any prime power. Changing the modular polynomial changes which number does what, which is an isomorphism, but it does not change the underlying mathematical structure of the field. However, that doesn't mean that changing the modular polynomial serves no purpose here: it is essentially a way to get an S-box for free. The resulting 32-bit words are then placed in reverse order into the key vector called S. The fixed S-boxes with eight-bit inputs and outputs, called q(0) and q(1), are each constructed from four S-boxes with four-bit inputs and outputs. For q(0), the S-boxes are:

Input  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
T0     8  1  7 13  6 15  3  2  0 11  5  9 14 12 10  4
T1    14 12 11  8  1  2  3  5 15  4 10  6  7  0  9 13
T2    11 10  5 14  6 13  9  0 12  8 15  3  2  4  7  1
T3    13  7 15  4  1  2  6 14  9 11  3  0  8  5 12 10

And, for q(1), the S-boxes, again given the same designations, are:

Input  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
T0     2  8 11 13 15  7  6 14  3  1  9  4  0 10 12  5
T1     1 14  2 11  4 12  3  7  6 13 10  5 15  9  0  8
T2     4 12  7  5  1  6  9 10  0 14 13  8  2 11  3 15
T3    11  9  5  1 12  3 13 14  6  4  7 15  2  0  8 10
Each S-box is formed as follows:

- The input byte is split into its most significant and least significant halves, A and B.
- The new value of A is the XOR of the old values of A and B.
- The new value of B is the XOR of the old value of A, B rotated right one bit, and 8 if the old value of A was odd.
- A and B are then replaced by their substitutes in the 16-entry S-boxes T0 and T1 respectively.
- The new value of A is the XOR of the old values of A and B.
- The new value of B is the XOR of the old value of A, B rotated right one bit, and 8 if the old value of A was odd.
- A and B are then replaced by their substitutes in the 16-entry S-boxes T2 and T3 respectively.
- A and B are then combined in reverse order to form the result byte.
The four key-dependent S-boxes are formed from the 32-bit elements of the key vector S as follows: If the key is 256 bits long, the key vector S has four 32-bit elements, S(0), S(1), S(2), and S(3). In that case, the four key-dependent S-boxes are equivalent to performing the operations:

output = q(0)(S(0,0) xor q(1)(S(1,0) xor q(1)(S(2,0) xor q(0)(S(3,0) xor q(1)(input)))))
output = q(1)(S(0,1) xor q(1)(S(1,1) xor q(0)(S(2,1) xor q(0)(S(3,1) xor q(0)(input)))))
output = q(0)(S(0,2) xor q(0)(S(1,2) xor q(1)(S(2,2) xor q(1)(S(3,2) xor q(0)(input)))))
output = q(1)(S(0,3) xor q(0)(S(1,3) xor q(0)(S(2,3) xor q(1)(S(3,3) xor q(1)(input)))))

where S(2,1) means byte 1 of word 2 in the key vector S. When the key is 192 bits long, the S-box definitions are simplified to:

output = q(0)(S(0,0) xor q(1)(S(1,0) xor q(1)(S(2,0) xor q(0)(input))))
output = q(1)(S(0,1) xor q(1)(S(1,1) xor q(0)(S(2,1) xor q(0)(input))))
output = q(0)(S(0,2) xor q(0)(S(1,2) xor q(1)(S(2,2) xor q(1)(input))))
output = q(1)(S(0,3) xor q(0)(S(1,3) xor q(0)(S(2,3) xor q(1)(input))))

and when the key is only 128 bits long, the S-box definitions are simplified to:

output = q(0)(S(0,0) xor q(1)(S(1,0) xor q(1)(input)))
output = q(1)(S(0,1) xor q(1)(S(1,1) xor q(0)(input)))
output = q(0)(S(0,2) xor q(0)(S(1,2) xor q(1)(input)))
output = q(1)(S(0,3) xor q(0)(S(1,3) xor q(0)(input)))
The subkeys which are actually added to the function outputs before they are XORed to another quarter of the block are produced by a process very similar to a Twofish round, but with key-dependent S-boxes derived from the key vectors M(e) and M(o) instead of from the key vector S. The inputs are the round number times 2, plus 1 on one side, in all four bytes of a word, and the rotate left step takes place after the function instead of before: an 8-bit rotate left before the PHT, and a 9-bit rotate left after.
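As an added example, not code from the Compendium or from the Twofish designers, the following Python builds q(0) and q(1) from the four-bit tables given above using the eight steps listed for forming each S-box, and wires the four key-dependent S-boxes for a 128-bit key exactly as in the 128-bit formulas. The byte-order convention for S(i,j) and the sample key words are assumptions of the example.

```python
# Added example: building Twofish's fixed 8-bit permutations q(0) and q(1) from
# the four 4-bit tables given above, and wiring the key-dependent S-boxes for a
# 128-bit key as in the text. Not code from the Compendium or the Twofish team.
Q0_TABLES = [
    [8, 1, 7, 13, 6, 15, 3, 2, 0, 11, 5, 9, 14, 12, 10, 4],      # T0
    [14, 12, 11, 8, 1, 2, 3, 5, 15, 4, 10, 6, 7, 0, 9, 13],      # T1
    [11, 10, 5, 14, 6, 13, 9, 0, 12, 8, 15, 3, 2, 4, 7, 1],      # T2
    [13, 7, 15, 4, 1, 2, 6, 14, 9, 11, 3, 0, 8, 5, 12, 10],      # T3
]
Q1_TABLES = [
    [2, 8, 11, 13, 15, 7, 6, 14, 3, 1, 9, 4, 0, 10, 12, 5],      # T0
    [1, 14, 2, 11, 4, 12, 3, 7, 6, 13, 10, 5, 15, 9, 0, 8],      # T1
    [4, 12, 7, 5, 1, 6, 9, 10, 0, 14, 13, 8, 2, 11, 3, 15],      # T2
    [11, 9, 5, 1, 12, 3, 13, 14, 6, 4, 7, 15, 2, 0, 8, 10],      # T3
]

def ror4(x):
    """Rotate a 4-bit value right by one bit."""
    return ((x >> 1) | (x << 3)) & 0xF

def q_perm(tables, x):
    """The eight steps listed above, applied to one input byte."""
    t0, t1, t2, t3 = tables
    a, b = x >> 4, x & 0xF                           # most and least significant halves
    a, b = a ^ b, a ^ ror4(b) ^ (8 if a & 1 else 0)  # both use the old A and B
    a, b = t0[a], t1[b]
    a, b = a ^ b, a ^ ror4(b) ^ (8 if a & 1 else 0)
    a, b = t2[a], t3[b]
    return (b << 4) | a                              # halves combined in reverse order

def q0(x):
    return q_perm(Q0_TABLES, x)

def q1(x):
    return q_perm(Q1_TABLES, x)

def is_permutation(f):
    """True if f maps the 256 byte values onto all 256 byte values."""
    return sorted(f(x) for x in range(256)) == list(range(256))

def key_dependent_sboxes_128(S):
    """The four key-dependent S-boxes for a 128-bit key, wired as in the text.
    S holds the two 32-bit words S(0) and S(1); taking S(i, j) as byte j of word i
    counting from the least significant byte is an assumption made here."""
    def byte(i, j):
        return (S[i] >> (8 * j)) & 0xFF
    return [
        lambda x: q0(byte(0, 0) ^ q1(byte(1, 0) ^ q1(x))),
        lambda x: q1(byte(0, 1) ^ q1(byte(1, 1) ^ q0(x))),
        lambda x: q0(byte(0, 2) ^ q0(byte(1, 2) ^ q1(x))),
        lambda x: q1(byte(0, 3) ^ q0(byte(1, 3) ^ q0(x))),
    ]

if __name__ == "__main__":
    print([hex(q0(x)) for x in range(4)], [hex(q1(x)) for x in range(4)])
    boxes = key_dependent_sboxes_128([0x01234567, 0x89ABCDEF])   # constructed key words
    print(all(is_permutation(f) for f in boxes))
```

The first two entries of each permutation, A9 67 for q(0) and 75 F3 for q(1) in hexadecimal, agree with the q0 and q1 tables in the Twofish specification.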
SERPENT
Developed by Eli Biham, the originator of differential cryptanalysis, SERPENT is a block-cipher algorithm which, like SAFER, is a "straight-through" algorithm, rather than using Feistel rounds. The original form of its description is available at http://www.cs.technion.ac.il/~biham/Reports/Serpent/. It is simple in appearance, using plain 4-bit-wide S-boxes without additional inputs (like GOST) and standard computer logic operations. It also includes an initial permutation and an inverse initial permutation, so that the S-boxes can be implemented with logic operations instead of table lookups; this is possible because the eight S-boxes used by the algorithm are used in sequence rather than in parallel. Considering the 128-bit block as consisting of bits 0 to 127, from left to right, but with bit 0 the least significant, the first operation performed is the initial permutation. The original page lists, in order, the source of each of the 128 bits resulting from that permutation; that table is not reproduced here.
SERPENT has 32 rounds. The last one has a slightly different sequence of operations than the other rounds. In a normal round, the first step is to XOR the current round's subkey with the 128-bit-wide block. Then, the entire block is transformed, nybble by nybble, according to the current S-box for the round. The S-boxes are numbered from S0 to S7, and are used in order repeatedly; S0 for rounds 1, 9, 17, and 25; S1 for rounds 2, 10, 18, and 26; and so on. Then, the block goes through a series of mixing operations so that the different nybbles of the block interact. The process consists of ten steps, which can be thought of as being organized into five phases. This process proceeds, in bitslice mode, as follows; for the normal mode described here, this series of steps must be preceded by the inverse of the initial permutation and followed by the initial permutation to be correct. Considering the block as being divided into four 32-bit quarters, Q0, Q1, Q2, and Q3, from left to right, the operations are:

- Rotate Q0 13 bits left, and rotate Q2 3 bits left.
- Modify Q1 by XORing Q0 and Q2 to it.
- Modify Q3 by XORing Q0 shifted left 3 bits, and Q2 (left alone) to it.
- Rotate Q1 1 bit left, and rotate Q3 7 bits left.
- Modify Q0 by XORing Q1 and Q3 to it.
- Modify Q2 by XORing Q1 shifted left 7 bits, and Q3 (left alone) to it.
- Rotate Q0 5 bits left, and rotate Q3 22 bits left.

In the final round, the mixing operations are omitted. After the 32nd round, the bits are subjected to what is called in SERPENT the final permutation, which is the inverse of the initial permutation, and the sources of the bits resulting from it are as follows:

0 4 8 12 ... 124
1 5 9 13 ... 125
2 6 10 14 ... 126
3 7 11 15 ... 127
The following diagram may be of some help in understanding Serpent, although it doesn't show either the full width of the cipher or all its details.
The Key Schedule
128-bit and 192-bit keys are first expanded to 256-bit keys: a short key is padded to 256 bits by appending a single 1 bit, followed by as many 0 bits as are needed, at its most significant end (which, as things are defined here, is on the right). A 256-bit key is then handled as follows: it is divided into eight 32-bit words, numbered -8 through -1, the first of which is considered the oldest, and new words are generated as follows:

Word(n) = (Word(n-8) XOR Word(n-5) XOR Word(n-3) XOR Word(n-1) XOR X'9E3779B9' XOR n) rotated left 11 bits

for n from 0 to 131, so that 132 words are generated (the constant is the fractional part of the golden ratio). These words are then taken in groups of four and put through the S-boxes, in bitslice fashion, to produce the 33 round subkeys. A different S-box is used, though, from the one used during that round: subkey n is produced with S-box (3 - n) mod 8, so the S-boxes are used in the sequence S3, S2, S1, S0, S7, S6, S5, S4, repeated four times, with S3 used once more for the 33rd subkey.
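Bitslice Serpent as described above (the linear transformation and its inverse, the key schedule, and the 32-round loop), as an added worked example rather than code from this page or from the Serpent submission. It loads the block and key as little-endian 32-bit words, which is an assumption about byte order; the S-box tables are the eight 4-bit S-boxes of the specification, and decryption undoes each step in reverse order.

```python
# Bitslice Serpent: linear transformation, key schedule and the round loop.
# Added example, not the Serpent reference code. Block and key words are
# loaded little-endian (an assumption about byte order).
MASK = 0xFFFFFFFF
PHI = 0x9E3779B9            # fractional part of the golden ratio

# The eight 4-bit S-boxes S0..S7 of the specification.
SBOX = [
    [3, 8, 15, 1, 10, 6, 5, 11, 14, 13, 4, 2, 7, 0, 9, 12],
    [15, 12, 2, 7, 9, 0, 5, 10, 1, 11, 14, 8, 6, 13, 3, 4],
    [8, 6, 7, 9, 3, 12, 10, 15, 13, 1, 14, 4, 0, 11, 5, 2],
    [0, 15, 11, 8, 12, 9, 6, 3, 13, 1, 2, 4, 10, 7, 5, 14],
    [1, 15, 8, 3, 12, 0, 11, 6, 2, 5, 4, 10, 9, 14, 7, 13],
    [15, 5, 2, 11, 4, 10, 9, 12, 0, 3, 14, 8, 13, 6, 7, 1],
    [7, 2, 12, 5, 8, 4, 6, 11, 14, 9, 1, 15, 13, 3, 10, 0],
    [1, 13, 15, 0, 14, 8, 2, 11, 7, 4, 12, 10, 9, 3, 5, 6],
]
SBOX_INV = [[box.index(v) for v in range(16)] for box in SBOX]

def rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def ror(x, n):
    return rol(x, 32 - n)

def sbox_bitslice(box, x):
    """Apply a 4-bit S-box to the 32 columns of words x[0..3]; bit j of
    x[0] is the least significant bit of column j."""
    out = [0, 0, 0, 0]
    for j in range(32):
        v = box[sum(((x[k] >> j) & 1) << k for k in range(4))]
        for k in range(4):
            out[k] |= ((v >> k) & 1) << j
    return out

def linear_transform(x):
    """The ten mixing steps described above, with Q0..Q3 = x0..x3."""
    x0, x1, x2, x3 = x
    x0, x2 = rol(x0, 13), rol(x2, 3)
    x1 ^= x0 ^ x2
    x3 ^= x2 ^ ((x0 << 3) & MASK)      # plain shift, not a rotation
    x1, x3 = rol(x1, 1), rol(x3, 7)
    x0 ^= x1 ^ x3
    x2 ^= x3 ^ ((x1 << 7) & MASK)
    x0, x2 = rol(x0, 5), rol(x2, 22)
    return [x0, x1, x2, x3]

def linear_transform_inv(x):
    """Undo linear_transform: each step reversed, in reverse order."""
    x0, x1, x2, x3 = x
    x0, x2 = ror(x0, 5), ror(x2, 22)
    x2 ^= x3 ^ ((x1 << 7) & MASK)
    x0 ^= x1 ^ x3
    x1, x3 = ror(x1, 1), ror(x3, 7)
    x3 ^= x2 ^ ((x0 << 3) & MASK)
    x1 ^= x0 ^ x2
    x0, x2 = ror(x0, 13), ror(x2, 3)
    return [x0, x1, x2, x3]

def key_schedule(key):
    """Expand a 16-, 24- or 32-byte key into the 33 four-word subkeys."""
    k = int.from_bytes(key, "little")
    if len(key) < 32:
        k |= 1 << (8 * len(key))      # pad: one 1 bit at the MSB end, then zeros
    w = [(k >> (32 * i)) & MASK for i in range(8)]   # words -8 .. -1
    for n in range(132):                             # words 0 .. 131
        w.append(rol(w[n] ^ w[n + 3] ^ w[n + 5] ^ w[n + 7] ^ PHI ^ n, 11))
    w = w[8:]
    # Subkey n is words 4n..4n+3 put through S-box (3 - n) mod 8.
    return [sbox_bitslice(SBOX[(3 - n) % 8], w[4 * n:4 * n + 4]) for n in range(33)]

def encrypt(subkeys, block):
    x = list(block)
    for r in range(32):
        x = [x[k] ^ subkeys[r][k] for k in range(4)]
        x = sbox_bitslice(SBOX[r % 8], x)
        if r < 31:
            x = linear_transform(x)
        else:                          # last round: the 33rd subkey replaces the mixing
            x = [x[k] ^ subkeys[32][k] for k in range(4)]
    return x

def decrypt(subkeys, block):
    x = list(block)
    for r in range(31, -1, -1):
        if r < 31:
            x = linear_transform_inv(x)
        else:
            x = [x[k] ^ subkeys[32][k] for k in range(4)]
        x = sbox_bitslice(SBOX_INV[r % 8], x)
        x = [x[k] ^ subkeys[r][k] for k in range(4)]
    return x

def to_words(b):
    """16 bytes -> four little-endian words (the assumed loading order)."""
    return [int.from_bytes(b[4 * i:4 * i + 4], "little") for i in range(4)]
```

Because only round-trip behaviour is checked here, a byte-order mistake in loading the key or block would go unnoticed; compare against the submission's known-answer vectors before relying on an implementation.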
RC6
Devised by Ronald L. Rivest, of RSA fame, together with Matt Robshaw, Ray Sidney and Yiqun Lisa Yin, RC6 is based on Feistel rounds; but not Feistel rounds operating between the two halves of the block. Instead, the Feistel rounds operate between pairs of quarters of the block, and they are interlocked by the exchange of some data. Circular shifts the extent of which is controlled by data, and a quadratic function applied to 32-bit integers, are the nonlinear elements which provide the security of this block cipher. The design of the block cipher is such that the number of rounds, the size of the key, and the size of the block are all flexible. It is based on the earlier RC5 block cipher, which is patented by RSA Laboratories, but instead of being RC5 expanded to a larger block size, it is designed to limit the width of the registers required to handle large blocks. It will be described here only with the specific number of rounds and block size proposed for the AES, and I am not yet including a description of the key schedule. The original description of RC6 is available at http://theory.lcs.mit.edu/~rivest/publications.html.

RC6 uses 44 subkeys, numbered S0 to S43, each one 32 bits long. The block to be enciphered is divided into four 32-bit integers, A, B, C, and D. The first four bytes enciphered form A, and the convention is little-endian; the first byte enciphered becomes the least significant byte of A. RC6 begins with an initial whitening step: S0 is added to B, and S1 is added to D, modulo 2^32. (Addition, not XOR, is used wherever a subkey enters the block in RC6.) Each round of RC6 uses two subkeys; the first round uses S2 and S3, and successive rounds use successive subkeys. A round of RC6 proceeds as follows:

B is put through the function f, defined as f(x) = x(2x+1) modulo 2^32, and the result is rotated left 5 bits; call this t. D is put through the same function f, and the result is rotated left 5 bits; call this u. A is XORed with t, and C is XORed with u. The least significant 5 bits of u (the quantity derived from D) give the number of places A is then rotated left, and the least significant 5 bits of t (the quantity derived from B) give the number of places C is rotated left. Since all this leaves B and D unchanged, it is invertible. The function f is a permutation of the 32-bit words whose high-order bits depend on all of the input; the fixed rotation by 5 brings those well-mixed bits down into the five positions that control the data-dependent rotations. Then the first subkey for the round is added to A, and the second subkey for the round is added to C. Then the four quarters of the block are rotated: the value of B moves to A, the value of C to B, the value of D to C, and the (original) value of A to D.

After the 20th round is complete, a final whitening step takes place: S42 is added to A, and S43 is added to C.
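RC6 as described above, with 20 rounds and 44 subkeys, as an added example rather than the authors' reference code. Since the page does not describe the key schedule, the one here is the RC5 expansion that RC6 reuses (the constants P32 and Q32 and a mixing loop of 3 times max(c, 44) steps over the c key words); that part comes from the RC6 specification, not from this page. Byte order is little-endian throughout.

```python
# RC6-32/20/b as submitted to the AES: w=32-bit words, 20 rounds, b-byte key.
# Added example, not the designers' reference code. The key schedule below
# is the RC5/RC6 expansion (P32, Q32 and the 3*max(c,44)-step mixing loop),
# which the page itself does not describe.
MASK = 0xFFFFFFFF
P32, Q32 = 0xB7E15163, 0x9E3779B9     # derived from e and the golden ratio
ROUNDS = 20
NKEYS = 2 * ROUNDS + 4                 # 44 subkeys S[0..43]

def rol(x, n):
    n &= 31
    return ((x << n) | (x >> (32 - n))) & MASK

def ror(x, n):
    return rol(x, 32 - (n & 31))

def f(x):
    """The quadratic function x(2x+1) mod 2^32, a permutation of the words."""
    return (x * (2 * x + 1)) & MASK

def key_schedule(key):
    """RC5-style expansion of a byte-string key into the 44 subkeys."""
    c = max(1, (len(key) + 3) // 4)
    L = [int.from_bytes(key[4 * i:4 * i + 4].ljust(4, b"\0"), "little") for i in range(c)]
    S = [P32]
    for i in range(1, NKEYS):
        S.append((S[i - 1] + Q32) & MASK)
    A = B = i = j = 0
    for _ in range(3 * max(c, NKEYS)):
        A = S[i] = rol((S[i] + A + B) & MASK, 3)
        B = L[j] = rol((L[j] + A + B) & MASK, A + B)
        i, j = (i + 1) % NKEYS, (j + 1) % c
    return S

def encrypt(S, block):
    A, B, C, D = [int.from_bytes(block[4 * i:4 * i + 4], "little") for i in range(4)]
    B = (B + S[0]) & MASK              # pre-whitening: addition, not XOR
    D = (D + S[1]) & MASK
    for r in range(1, ROUNDS + 1):
        t = rol(f(B), 5)               # top bits of f(B) become a rotation amount
        u = rol(f(D), 5)
        A = (rol(A ^ t, u) + S[2 * r]) & MASK
        C = (rol(C ^ u, t) + S[2 * r + 1]) & MASK
        A, B, C, D = B, C, D, A        # rotate the quarters
    A = (A + S[2 * ROUNDS + 2]) & MASK # post-whitening
    C = (C + S[2 * ROUNDS + 3]) & MASK
    return b"".join(x.to_bytes(4, "little") for x in (A, B, C, D))

def decrypt(S, block):
    A, B, C, D = [int.from_bytes(block[4 * i:4 * i + 4], "little") for i in range(4)]
    C = (C - S[2 * ROUNDS + 3]) & MASK
    A = (A - S[2 * ROUNDS + 2]) & MASK
    for r in range(ROUNDS, 0, -1):
        A, B, C, D = D, A, B, C        # undo the quarter rotation
        u = rol(f(D), 5)               # B and D are untouched by the round,
        t = rol(f(B), 5)               # so t and u can simply be recomputed
        C = ror((C - S[2 * r + 1]) & MASK, t) ^ u
        A = ror((A - S[2 * r]) & MASK, u) ^ t
    D = (D - S[1]) & MASK
    B = (B - S[0]) & MASK
    return b"".join(x.to_bytes(4, "little") for x in (A, B, C, D))
```

The decryption routine shows why the round is invertible at no extra cost: B and D are not changed within a round, so t and u are recomputed from them and the operations on A and C are undone in reverse order. Round-trip behaviour is what is checked here; the submission's known-answer vectors should be used to confirm the byte conventions of any implementation meant for interoperation.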
DEAL
DEAL was designed by Lars Knudsen and submitted to the AES process by Richard Outerbridge; it is a construction for using a block cipher with one block size to create a new one with a larger block size, in the form of a Feistel cipher with a small number of rounds that uses DES as its f-function. Its description is available at http://www.ii.uib.no/~larsr/newblock.html. The block is divided into two 64-bit halves. In each round, the left half of the block is encrypted with DES under the current 64-bit round key (with the parity bits, the least significant bit of each byte, ignored as DES itself ignores them), and the result is XORed into the right half. Eight rounds are recommended for use with a 256-bit key; with a 128-bit key or a 192-bit key, six rounds are used, which costs three DES operations per 64 bits of data and so gives DEAL the same speed as Triple-DES. The halves of the block are swapped after every round, including the last one.
The key schedule
For all key generation, the encryption or convolution step used is encryption with DES, using the constant key X'0123456789ABCDEF'.

For a 128-bit key, considered to consist of two 64-bit blocks, K1 and K2, the round keys are generated as follows:

The first round key is K1, encrypted.
The second round key is (K2 xor the first round key), encrypted.
The third round key is (K1 xor the second round key xor X'8000000000000000'), encrypted.
The fourth round key is (K2 xor the third round key xor X'4000000000000000'), encrypted.
The fifth round key is (K1 xor the fourth round key xor X'1000000000000000'), encrypted.
The sixth round key is (K2 xor the fifth round key xor X'0100000000000000'), encrypted.

For a 192-bit key, consisting of K1, K2 and K3:

The first round key is K1, encrypted.
The second round key is (K2 xor the first round key), encrypted.
The third round key is (K3 xor the second round key), encrypted.
The fourth round key is (K1 xor the third round key xor X'8000000000000000'), encrypted.
The fifth round key is (K2 xor the fourth round key xor X'4000000000000000'), encrypted.
The sixth round key is (K3 xor the fifth round key xor X'1000000000000000'), encrypted.

For a 256-bit key, consisting of K1 to K4:

The first round key is K1, encrypted.
The second round key is (K2 xor the first round key), encrypted.
The third round key is (K3 xor the second round key), encrypted.
The fourth round key is (K4 xor the third round key), encrypted.
The fifth round key is (K1 xor the fourth round key xor X'8000000000000000'), encrypted.
The sixth round key is (K2 xor the fifth round key xor X'4000000000000000'), encrypted.
The seventh round key is (K3 xor the sixth round key xor X'1000000000000000'), encrypted.
The eighth round key is (K4 xor the seventh round key xor X'0100000000000000'), encrypted.
MARS
MARS is IBM's entrant in the AES competition. As IBM is the company that designed DES, this alone makes this entry of particular interest. Note, incidentally, that as the AES process only requires companies to allow free use of the proposed algorithm if it is selected as the successful candidate, some AES candidates are protected by patents, both to retain control of the cipher itself if it is not selected, and to control the basic technology on which the cipher is based, so that licensing would still be required for larger variants of the cipher, for example. Among the entrants I have examined so far, this applies to RC6, and it had also applied to MARS, but IBM later made MARS available for licensing free of charge. The document describing MARS, accessible at http://www.research.ibm.com/security/mars.html, notes that "little-endian" conventions, with the "first" byte of a 32-bit word being its least significant byte, are used in the cipher. Unlike the documentation of some of the other little-endian designs, the MARS documentation makes it completely clear and unambiguous which byte goes where. As the little-endian case is difficult to describe, I am going to use big-endian conventions consistently in my description of MARS. Essentially, this means that the very first thing one does when starting MARS as I describe it is to divide the 128-bit block of plaintext into four words of four bytes, and reverse the order of the four bytes in each word. The same has to be done on exit.
Overview
The overall structure of MARS is as follows. First, key material is XORed with the whole block. Then, eight rounds of a transformation similar to DES are applied, but that transformation is fixed, without any part that is affected by a key. (Note that if not for the initial XOR of key material, this transformation would be a waste of time.) Then there are sixteen rounds (the last eight are called "reverse" rounds, with a rationale somewhat like the one seen in Skipjack) which constitute the "cryptographic core" of the cipher. One 32-bit word is used to modify the other three, by being split into three copies of itself and subjected to various manipulations, including one multiplication by key material, one S-box lookup, and two data-dependent rotations. Then we have another unkeyed transformation, and another XOR of key material. There are 40 32-bit words of subkeys, which are generated by a kind of shift-register method from the key.

As its documentation points out, the design of MARS is oriented around having structures that are secure, but which can also be analyzed, so that it is possible to be confident of the security the cipher possesses. Hard-to-analyze structures that might offer more security, but which would be hard to be certain of, were specifically avoided. The unkeyed rounds of mixing at the start and end of the cipher were, in a way, an exception to that rule; this is why they were left unkeyed (although that may well seem bizarre and wasteful), to ensure that they didn't form, in some sense, a "real" exception to that rule. (It would seem to me that if the key schedule of MARS were very strong, i.e., like that of Blowfish, or if the key used for the outer rounds, presumably to XOR with the inputs to the S-boxes, were independent of the key for the rest of the cipher, there would also be no concern to prevent doing this. And the encrypting speed of MARS would not be affected significantly, either.)
Detailed Structure of MARS
The diagrams I will use here show the words of the block with the first word on the left, and with the most significant byte of each word on the left. Thus, before starting, and after finishing, the bytes of the block being enciphered, numbered from 0 to 15, must be transposed into the following order:

3 2 1 0 7 6 5 4 11 10 9 8 15 14 13 12

to convert between little-endian and big-endian. With this conversion applied, the procedure I am describing in big-endian form will be correct.

The first step in MARS encipherment is to XOR the first four subkey words, K0 to K3, with the four words of the block. (Of course this can be thought of as the 128-bit XOR of a single 128-bit subkey, but this keeps the notation for subkeys consistent.) Then come eight rounds of unkeyed forward mixing. In each, the four bytes of the first word in the block, W0, are used as inputs to the two fixed S-boxes used by this cipher, each with eight bits of input and 32 bits of output. The second word is XORed with the word in S0 chosen by the least significant byte of the first word, and then the word in S1 chosen by the third, or second least significant, byte of the first word is added to it. The word in S0 chosen by the second byte of the first word is added to the third word. The fourth word is XORed with the word in S1 chosen by the first (most significant) byte of the first word. The first word is then rotated 24 bits to the right. In the first and fifth of these rounds, the fourth word is then added to the first word, and in the second and sixth, the second word is added to the first word; this additional complication is intended to protect against differential cryptanalysis. Then the words are rotated, so that the old first word becomes the new fourth word, and the other words each move to the position immediately preceding their old position. This is shown clearly in the diagram of MARS that has been on the right side of this page above, which outlines the general structure of MARS.

Also on this diagram are the next sixteen rounds, which constitute the "cryptographic core" of MARS. The E function produces three 32-bit outputs from the first word of the block and two 32-bit subkeys. The 13-bit circular left shift shown as being applied to the first word would be duplicated inside the E function if it really received only one input; that oversimplification is avoided in the following diagram, which shows one of the forward core rounds (which I have chosen to label as type D in the first diagram for ease of reference) in detail.

The final eight rounds of MARS are the inverse, in the sense of the operations performed, of the first eight rounds of unkeyed mixing: subtraction replaces each addition, the 24-bit rotation of the first word is to the left, and the rounds are performed in reverse order. However, the direction in which the four words are rotated after each round is not reversed, so these rounds are not an exact inverse of the first eight rounds in an overall sense. S(0,1) in the diagram stands for an S-box with nine input bits and 32 output bits which is merely the concatenation of S0 and S1.
The Sboxes in MARS are as follows (no, I didn't type them in myself; I must gratefully acknowledge the C implementation of MARS by Brian Gladman as my source): Sbox 0: 09D0C479 28C8FFE0 84AA6C39 9DAD7287 7DFF9BE3 D4268361 C96DA1D4 7974CC93 85D0582E 2A4B5705 1CA16A62 C3BD279D 0F1F25E5 5160372F C695C1FB
4D7FF1E4 AE5F6BF4 7F4BF8AC 83631F83 C6986A26 28F4E826 9C9EF086 80F6E831 E21FB253 AE136749 23DB5C1E 46CAE1D6 2D0DCC4A A4CCAE59 0F5407FB 6167D9A8 02682215 8F376CD5 A02E926C FAE527E5 9C61BA44 5DED0AB8 00E050DF FC5D6166 F60B21AE 95E8EB8D CD6D4365 E5393514 1587ED55 3AFD7D3E 024ACAC7 59A744C1 ACCEA063 C33E92B5 50820371 41811896 EB6FF41B D7C9CD7A 487BA9B1 A64FC9C6 B8495294 CE9F8E99 92CC1F98 5915EA51 5941792D FA90C1F8 B203231A F966C7D9 07128DC0 B984737D F579DD52
0D72EE46 FF23DE8A B1CF8E83 F14902E2 3E981E42 8BF53EB6 25970205 76AFE784 3A7931D4 4F846450 5C64C3F6 210A5F18 3A60A81C D340A664 7EA820C4 526687C5 7EDDD12B 32A11D1D AB6F04AD 56FB9B53 8B2E095C B68556AE D2250B0D 294A7721 E82AAE86 93365104 99404A66 78A784DC B69BA84B 04046793 2FE28134 5A223942 1863CD5B C190C6E3 07DFB846 6EB88816
3798670D CBFA9493 4F481D45 EAFC8CA8 DB1129D6 B0449E20 D1F45763 4DAA96C3 3BEC5958 ABABA014 B6CCD201 38D6279F 092C237E BFC56593 32889D2C 854B3E95 05BB9B43 7DCD5DCD 36A1C330 3412E1AE F257F462 3C4F1D71 30A2E809 68E5F551 75CE09C8 9654F93E 698C0CCA 243CB3E4 2B062B97 0F3B8D9E E35F9288 C079550D 0591AEE8 8E531E74 75FE3578 2F6D829A 6699486B 901D7D9B FD6D6E31 1090ACEF E0670DD8 DAB2E692 3AF345F0 6241FC4D 460DA3A3 7BCF3729 8BF1D1E0 14AAC070
D2F29E01 29A9D1F6 EFB10C53 CF3B870F B414935C 664465ED 1D2936A7 DC580AA6 CF574CA8 040A7A10 6CD81807 8A98BE4C D1E0E03D B322517E 2092BD13 386B2C4A 52E8DD58 58656DFB E337EF7E D39FB119 C97F0DF6 68FEA01B A150A6E5 55258962 A619CD9E BCF09576 2672C073 F003FB3C 4AB7A50B 1484126A F6957D49 38B06A75 DD805FCD 63D094CF F51C999E 1AA4D343 BFFCD770 C7C275CC 378453A7 7B21BE33 397F41BD 4E94D131 99F861B7 C9980A88 1D74FD5F B0A495F8 614DEED0 B5778EEA
33F824B4 C4965372 3FF6D550 4CA5FEC0 8630E964 5B3FBBD6 7DA26A48 04297514 2D639306 2EB13149 16A45272 532459A0 8E5F4872 0D44DB62 AFC8D52D 06316131 D838E7CE 1BC41D00 3A2E8C0F EA83837E 13BA4891 C4F8B949 A6D6ACB3 A215CDCE 8359838B 6BD1AA31
21B93F93 DFEA32AA C6DE01F8 8D421FC0 551A7CCA 1A9A5F08
F5176781 187DFDDE E94AEB76 2B38FD54 431DE1DA AB394825 9AD3048F 659473E3 623F7863 F3346C59 AB3AB685 3346A90B 6B56443E 9B0ED10C 88F1A1E9 54C1F029 7DEAD57B 8D7BA426 4CF5178A FCD651B9 25605182 E11FC6C3 B6FD9676 337B3027 B7C8EB14 9E5FD030
Sbox 1: 6B57E354 0824A734 E1797A8B E9DF2B03 E8A5B6C8 863B5EA3 D17B978B 933AC568 8894B022 3A2FEC10 F4562420 B3C35047 611DFEE3 07ADF158 7796943C 2F057D9F 690624F8 74AC7D05 010E65C4 096EDC33 21916A7B 358A68FD 0F9B9D3C 06C9F246 419CF1AD 1E4E6C9E 000399BD 8BDB446B 108F8FA4 B3D88ABA F8B2C3AF CE092EE5 01E87DA6 4E03BB47 183C198E 59726C72 81B66760 44B1BDE6 054356DC 8E77CB68 63E1D6B8 DCD9433E AD913CF7 7E16688D 58872A69 2C2FC7DF E389CCC6 30738DF1 A4A8D57B 5B5D193B C8A8309B 73F9A978 73398D32 0F59573E 848D0704 98DF93C2 720A1DC3 684F259A 943BA848 A6370152 6D9B58EF 0A700DD4 A73D36BF 8E6A0829 8695BC14 E35B3447 2F511C27 DDFBCC3C 006662B6 117C83FE 4E12B414 C2BCA766 55792E2A 46F5D857 CEDA25CE C3601D3B 6C00AB46 EFAC9C28 257C3207 FDD58482 3B14D84F 23BECB64 A075F3A3 088F8EAD FACABF3D C09730CD F7679969 DA44E9ED 2C854C12 35935FA3
1CB0BAFD 7B0DBDC6 810F23BB FA929A1A 6D969A17 6742979B 86A3D963 F907B5A0 D0042BD3 158D7D03 287A8255 BBA8366F 77B56B86 951622F9 A6C5E650 8CEA17D1 CD8C62BC A3D63433 D6AA295B FE33384A C000738E CD67EB2F E2EB6DC2 97338B02 2B83C045 3723F18A CB5B3089 160BEAD7 5D494656 35F8A74B 67466880 B4174831 ACF423B2 CA815AB3 5A6395E7 302A67C5 10223EDA 92B8B48B 7F38D0EE AB2701D4 0262D415 AF224A30 DAF7EF70 CC97D3B7 E9614B6C 2BAEBFF4 70F687CF 386C9156
6CE91E6A BB7BCC84 C7922C20 9D3B71FD 060E41C6 D7590F15 63EEB240 2DDBF49A 6D5CBA54 923750AF F9E14236 7838162B BB2926C1 48A0CE0D A6C0496D AD43507B 718D496A 9DF057AF DE7CED35 D51A138B 62088CC9 35830311 C96EFCA2 686F86EC C80F9778 79C491FD 1B4C67F2 72698D7D 5E368C31 F7D95E2E A1D3493F 896F1552 4BC4CA7A A6D1BAF4 A5A96DCC 0BEF8B46 A169FDA7
74DF40B7 4E208804 9A756607 038E87C8 20211E44 8B7AD4BF C6403F35 1848E36D 80BDB038 1E62891C 643D2107 BF04D6F8 21092C8C F644F389 0778404E 7B78ADB8 A2C52D53 42157ABE DA8D9336 BF447469 2D37B185 49DC9A63 71E08558 3C5CFCAA 4B3FBB85 692F2F08 7DC57FD6 1E760F16 0DBEB469 ABB96061 DF4FC26B 159CF22A A2253E2E 7BF3F4AE 80F594F9 953194E7 77EB92ED B3816930 F26D9483 EE6FAED5 71371235 DE425F73 B4E59F43 7DBE2D4E 98C39D98 1301C9A2 389B1BBF 0C18588D A421C1BA 7AA3865C 7D239CA4 0297D9DD D7DC2830 4B37802B 7428AB54 AEEE0347 134E578E 36D9E0BF AE8B5FCF EDB93ECF 2B27248E 170EB1EF B1136601 864E1B9B D7EA7319 3AB871BD CFA4D76F E31BD782 5370F85D FFB07E37 DA30D0FB EBC977B6 0B98B40F 3A4D0FE6 C298D6E2 2B78EF6A 61A94AC0 AB561187 14EEA0F0 DF0D4164 19AF70EE
The Key Schedule
The key for MARS may be from 4 to 39 words in length. These words are considered to be little-endian in format, so the first byte of the key is the least significant byte of the first word. To generate the subkeys, we use an array of words which is considered to have subscripts ranging from -7 to 39. The first seven words of this array, numbered from -7 to -1, are filled with the first seven words of the S-box (that is, the first seven words of S-box 0). Then, words 0 to 38 of the array are initialized in order with the XOR of the following four items:

- the word in the position of the array seven places earlier;
- the word in the position of the array two places earlier, shifted three bits left;
- a word of the key (starting with the first word, and using the words of the key in rotation);
- the number of the array word being calculated (from 0 to 38).

Word 39 of the array is loaded with the number of words in the external key. At this point, we forget words -7 through -1 of the array, and treat the array as containing only words 0 through 39. Then, seven times over, starting from word 1 of the array, add to each word of the array the S-box entry indicated by the most significant nine bits of the preceding element of the array. Note that word 39 is considered as preceding word 0, the last word to be modified by this loop. Finally, word i of this temporary array, for i from 0 to 39, becomes subkey (7 * i) modulo 40.
A proposed change to the definition of MARS is to replace this key generation procedure, which generates 40 subkey words in one step, with four instances of the following, each of which generates 10 subkey words. To generate the subkeys, we use an array of 15 words, with subscripts ranging from 0 to 14. The key is placed in the array starting with word 0, the word in the array immediately following the last word of the key is filled with the number of words in the key, and the remainder of the array is filled with zeroes. What follows is done four times, each time producing 10 words of subkey.

First, words 0 to 14 of the array are replaced in order with the XOR of the following five items:

- the word at the current position of the array;
- the word in the position of the array seven places earlier (modulo 15, so that word 8 is seven places earlier than word 0);
- the word in the position of the array two places earlier (again modulo 15), shifted three bits left;
- the number of the array word being calculated (from 0 to 14) shifted two bits left;
- the number, from 0 to 3, of the instance of this procedure (that is, 0 when we are generating the first 10 subkey words, 1 when we are generating the second group of 10 subkey words, and so on).

Then, four times over, starting from word 1 of the array, add to each word of the array the S-box entry indicated by the most significant nine bits of the preceding element of the array. Note that word 14 is considered as preceding word 0, the last word to be modified by this loop. Finally, word (4 * i) modulo 15 of this temporary array, for i from 0 to 9, becomes subkey i plus 10 times the iteration number (in the first iteration, considered iteration number zero, we generate subkeys 0 through 9; in the second iteration, subkeys 10 through 19; and so on).

Subkeys 5, 7, 9, 11, ... up to 35 are used to multiply the first word of the block within the E function. These subkey values are modified if necessary to ensure that they are good values for multiplication: the corrected subkey is always odd, and the long runs of identical bits in it are broken up, since multiplication by an even word, or by a word such as 1 or FFFFFFFF that is nearly all zeroes or all ones, would mix the bits of the block poorly. The method of correcting these subkeys is somewhat involved, and goes as follows. Call the original value of the subkey SR. Let SM be SR OR 3. Let IX be SR AND 3. Create MA such that only those bits in MA corresponding to a run of ten or more identical bits in SM are ones, excluding the first and last bit of each run. Then set the last two bits of MA to zero (MA AND FFFFFFFC). (If MA is zero, SR does not need to be altered beyond becoming SM, and you can stop here.) Originally, the reference code implementing this procedure left the first bit of MA equal to one if the first bit of SM was zero; a proposed modification to MARS is to change this to conform to the written description.

Use IX to select one of the following four words (which are taken from the S-boxes):

0: A4A8D57B
1: 5B5D193B
2: C8A8309B
3: 73F9A978

Rotate the selected word left by the number of places given by the least significant five bits of another word of internal key: in the original definition, the word three places ahead of the one being modified; the proposed modification changes this to the word one place back (since only odd-numbered subkey words are modified, that word always lies in the same group of 10 words as the one being modified). Finally, AND the rotated word with MA, and XOR the result into SM to give the corrected subkey.
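The subkey fix-up just described, as an added example (not IBM's reference code): run_mask() builds MA from the runs of ten or more identical bits, and fix_multiplication_key() applies the correction in the proposed form, taking the rotation amount from the preceding subkey word. The subkey words fed to it here are constructed values, not output of the real key schedule, and longest_run() is only a check used to show the effect.

```python
# MARS multiplication-subkey fix-up, as an added example (not IBM's reference
# code). run_mask() builds MA from the runs of ten or more identical bits, and
# fix_multiplication_key() applies the proposed-form correction, taking the
# rotation amount from the preceding subkey word. Subkey words passed in by the
# caller are constructed test values, not output of the real key schedule.
MASK32 = 0xFFFFFFFF
B_TABLE = [0xA4A8D57B, 0x5B5D193B, 0xC8A8309B, 0x73F9A978]   # four words from S-box 1

def rotl(x, r):
    r &= 31
    return ((x << r) | (x >> (32 - r))) & MASK32

def run_mask(w):
    """MA: bits of w strictly inside a run of >= 10 equal bits (the first and
    last bit of each run are excluded), with bits 0 and 1 cleared."""
    m, start = 0, 0
    for i in range(1, 33):
        # a run [start, i) ends when the bit changes or the word ends
        if i == 32 or ((w >> i) & 1) != ((w >> start) & 1):
            if i - start >= 10:
                for j in range(start + 1, i - 1):
                    m |= 1 << j
            start = i
    return m & 0xFFFFFFFC

def fix_multiplication_key(k, prev):
    """Corrected value of multiplication subkey k, given the subkey word that
    precedes it (its low five bits give the rotation amount). The result is
    odd (low two bits forced to 11) and, where MA was non-zero, the long runs
    of identical bits are broken up by XORing in bits of a rotated B word."""
    j = k & 3                        # IX: selects the B word
    w = k | 3                        # SM
    m = run_mask(w)                  # MA
    if m == 0:
        return w
    p = rotl(B_TABLE[j], prev & 31)
    return w ^ (p & m)

def longest_run(x):
    """Length of the longest run of equal bits in a 32-bit word (a check)."""
    best = run = 1
    for i in range(1, 32):
        run = run + 1 if ((x >> i) & 1) == ((x >> (i - 1)) & 1) else 1
        best = max(best, run)
    return best

def fix_all(subkeys):
    """Apply the correction to K[5], K[7], ..., K[35] of a 40-word subkey array."""
    out = list(subkeys)
    for i in range(5, 36, 2):
        out[i] = fix_multiplication_key(out[i], out[i - 1])
    return out
```

For the worst case, a subkey of 3 (two 1 bits followed by thirty 0 bits), MA covers bits 3 through 30, so nearly the whole of the selected B word is XORed in and the corrected subkey has no run longer than seven bits; a word such as 0F0F0F0F, with only short runs, is left alone apart from having its low two bits set.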
Comments
As noted above, the unkeyed mixing rounds of MARS seemed to me to be somewhat wasteful. However, I was one of what seemed to be only a few people who liked MARS, thinking it one of the likeliest candidates to remain secure for a considerable time to come. Originally, I could not think of a good way to modify the key schedule to produce keys for the mixing rounds. Once the key schedule was modified, however, I saw a natural way to do this, which I described in a comment to Round 2 of the AES process. However, a second comment in which I made a correction to that proposal got garbled. My proposal, as corrected, is:

Using the new key schedule, after generating subkeys 30 to 39, the process that is applied to the array of 15 words to generate a batch of 10 subkeys is to be performed once again. Once this is done, the contents of that array, the elements of which are known as T[0] through T[14], are to be modified as follows:

T[0] = T[0] xor subkey 6
T[1] = T[1] xor subkey 8
T[2] = T[2] xor subkey 10
T[3] = T[3] xor subkey 12
T[4] = T[4] xor subkey 14
...
T[10] = T[10] xor subkey 26
T[11] = T[11] xor subkey 28
T[12] = T[12] xor subkey 1
T[13] = T[13] xor subkey 2
T[14] = T[14] xor subkey 3

The intent of this is to cause the contents of the array T to be a non-invertible function of the key. This is done by XORing the contents of T after an iteration of the invertible transformation function with values generated from it previous to that iteration. The values chosen are all values used as subkey values, so that additional memory is not required to retain other information to be used for this purpose. For that reason, the subkeys that were modified in order to be used for the multiplication portion of the E function in the cryptographic core rounds of MARS are also avoided.

Then, two additional iterations of the process previously used to generate a set of 10 subkey words are performed, but from each of them only eight subkeys are now taken. Each subkey is used to provide four bytes to XOR to the values used to index into the MARS S-boxes in one of the mixing rounds. Because there are now seven, rather than four, instances of the procedure to modify the contents of the array T, the number of the array word being calculated, when XORed with the contents of that word, should be shifted three bits left instead of two bits left. In my proposal, I did not specify how to take eight subkeys from each of the last two key generation phases. I now suggest that, instead of choosing the subkeys based on (4 * i) mod 15, for each of these last two phases, the eight subkeys taken should simply be from words T[8], T[9], ... T[14], T[0], thus always using the last ones modified, and being different from the scheme used for the rest of MARS. However, if the subkeys used for the first group of mixing rounds are subkeys 40 to 47 in order, and for the second group 48 to 55 in order, the words taken from these rounds should be allocated to the subkeys as follows:

              T[8]  T[9]  T[10]  T[11]  T[12]  T[13]  T[14]  T[0]
Iteration 6    48    46     50     44     52     42     54    40
Iteration 7    47    49     45     51     43     53     41    55
SAFER+
SAFER+ is the proposal of Cylink Corporation for the Advanced Encryption Standard, and its description is available at http://www.cylink.com/internet/library.nsf/pages/SAFER/. It is very similar to the original 64-bit block cipher SAFER. The following diagram shows one round of SAFER+:

It uses the same S-boxes as SAFER in the same way. Instead of the regular "butterfly" arrangement of Pseudo-Hadamard Transforms used in the original SAFER, a slightly irregular arrangement is used, so that the net result of the operations, given in the document as the matrix M, has certain desirable properties. (The document states that the matrix could be realized by a four-layer PHT network similar to the three-layer one in SAFER, but does not give the network; the diagram above rectifies the omission.) One other improvement in SAFER+ over SAFER is that after matrix M is applied in the last round, one extra subkey is applied to the block, using the same sequence of alternating XORs and additions as is used for the first subkey in a round. This means that the final application of matrix M is not a waste of time in terms of cryptographic security: without a subkey after it, that last linear layer could simply be peeled off by an attacker. For a key length of 128 bits, 8 rounds are used; for 192 bits, 12 rounds; and for a 256-bit key, SAFER+ has 16 rounds.
The Key Schedule
The key schedule of SAFER+ is quite simple. The key, whatever its length, has one byte appended to it, equal to the XOR of all the bytes in the key. The first subkey consists of the first 16 bytes of the key. For each remaining subkey, every byte of the expanded key is first rotated left 3 bits (each byte rotated within itself), and then 16 consecutive bytes are taken from it, starting one byte further along (cyclically) than for the previous subkey, and a bias constant is added, modulo 256, to each byte. I am not reproducing the constants here; the paper describing SAFER+ gives them, but in decimal form.
FROG
FROG is another block cipher which is based on whole-byte operations. In structure, it has a slight resemblance to NewDES. The original description of it is available at http://www.tecapro.com/aesfrog.htm. A weakness has been uncovered in it, but a minor modification would correct that: of its eight rounds, the last four could be performed in deciphering mode. (An appropriate rearrangement of bytes between the first four rounds and the last four would ensure against the possibility of a key existing that would cause the last four rounds to undo the work of the first four.) It does, however, require a considerable amount of RAM to store an unusually large amount of subkey material. Each round consists of sixteen steps, one for each byte of the block. Each round has the following subkey material:

- 16 bytes of conventional subkey;
- one key-dependent invertible S-box with 8 inputs and 8 outputs;
- a sequence of the numbers 0 through 15 having certain properties.

In each step, one does the following:

- XOR that byte with one subkey byte.
- Take the result, and replace it by its substitute in the current round's S-box.
- Take that result, and (in addition to using it as the new value of that byte; the previous two steps modify the byte in place, and are not an f-function) XOR it with the next byte in the block (cyclically, of course, so byte 0 comes after byte 15).
- Also take that result, and XOR it with one other byte in the block, as indicated by the sequence of numbers from 0 to 15.

The sequence of numbers from 0 to 15 is generated so that it is a permutation of the numbers from 0 to 15 with a single cycle. This ensures that no number is its own substitute (which would XOR the byte with itself and zero it). Then, if any number has the number immediately following it as its substitute, which would XOR the same value into the next byte twice and so cancel the fixed XOR, its substitute is incremented (modulo 16), so that it points two bytes ahead instead.
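One FROG round on a 16-byte block and its inverse, with the single-cycle "bomb" permutation built and adjusted as described above, as an added example rather than FROG's own code. FROG derives the per-round tables (subkey bytes, S-box, permutation) from the user key by a separate expansion process that is not reproduced here; the tables below are constructed from a seeded pseudo-random generator so that the example runs stand-alone.

```python
# One FROG round on a 16-byte block and its inverse, with the single-cycle
# "bomb" permutation built and adjusted as described above. Added example,
# not FROG's own code: FROG derives the per-round tables from the user key by
# a separate expansion process that is not reproduced here; the tables below
# are constructed from a seeded PRNG so the example runs stand-alone.
import random

BLOCK = 16

def single_cycle_permutation(order):
    """Permutation of 0..15 forming one 16-cycle: each element maps to the one
    that follows it in `order`, a shuffle of 0..15. No element maps to itself."""
    perm = [0] * BLOCK
    for k in range(BLOCK):
        perm[order[k]] = order[(k + 1) % BLOCK]
    return perm

def adjust_bomb(perm):
    """If byte i would be XORed into byte i+1, which already receives the
    fixed XOR, the two XORs would cancel; move that target to byte i+2."""
    fixed = list(perm)
    for i in range(BLOCK):
        if fixed[i] == (i + 1) % BLOCK:
            fixed[i] = (i + 2) % BLOCK
    return fixed

def cycle_length(perm, start=0):
    """Steps needed to return to `start` when following perm (16 = one cycle)."""
    n, x = 1, perm[start]
    while x != start:
        n, x = n + 1, perm[x]
    return n

def make_round_key(seed):
    """Constructed round key: 16 XOR bytes, an invertible byte S-box and the
    bomb permutation (random here; key-derived in FROG proper)."""
    rng = random.Random(seed)
    xor_bytes = bytes(rng.randrange(256) for _ in range(BLOCK))
    sbox = list(range(256))
    rng.shuffle(sbox)
    order = list(range(BLOCK))
    rng.shuffle(order)
    return xor_bytes, sbox, adjust_bomb(single_cycle_permutation(order))

def frog_round(block, key):
    xor_bytes, sbox, bomb = key
    b = bytearray(block)
    for i in range(BLOCK):
        b[i] = sbox[b[i] ^ xor_bytes[i]]     # the byte itself is replaced in place
        b[(i + 1) % BLOCK] ^= b[i]            # fixed XOR into the next byte
        b[bomb[i]] ^= b[i]                    # key-dependent XOR into another byte
    return bytes(b)

def frog_round_inverse(block, key):
    """Undo the steps in reverse order; b[i] still holds the substituted value
    when step i is undone, because later steps have already been reversed."""
    xor_bytes, sbox, bomb = key
    inv = [0] * 256
    for x, y in enumerate(sbox):
        inv[y] = x
    b = bytearray(block)
    for i in reversed(range(BLOCK)):
        b[bomb[i]] ^= b[i]
        b[(i + 1) % BLOCK] ^= b[i]
        b[i] = inv[b[i]] ^ xor_bytes[i]
    return bytes(b)

def frog_encrypt(block, round_keys):
    for key in round_keys:
        block = frog_round(block, key)
    return block

def frog_decrypt(block, round_keys):
    for key in reversed(round_keys):
        block = frog_round_inverse(block, key)
    return block
```

The inverse round makes the point of the two constraints on the permutation visible: a fixed point would zero a byte (the XOR of a value with itself), and a target of i+1 would XOR the same value into the next byte twice, leaving that byte unchanged by the step and so making the diffusion depend on the key in a way the designer did not want.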
LOKI97
Designed by Dr. Lawrie Brown of the Australian Defence Force Academy, with assistance from Dr. Josef Pieprzyk (who designed the S-boxes) and Dr. Jennifer Seberry, and named after the Norse god of trickery and cunning, LOKI97 is a successor to the 64-bit block ciphers LOKI89 and LOKI91. (Fittingly enough, Dr. Brown spent part of the sabbatical year during which he designed it at a university in Norway!) A paper (in Adobe PostScript format) describing LOKI97 is available at http://www.adfa.oz.au/~lpb/research/loki97/ but a full description is also presented here, for the convenience of those without a convenient means to view or print items in PostScript form. LOKI97 is an iterative block cipher with 16 modified Feistel rounds. In each round, two 64-bit subkeys are added (yes, using normal 64-bit addition including carries) to the right half of the 128-bit block. Its value after the first subkey is added, but before the second subkey is added, is used as the input to the f-function for that round. This is a nicely symmetrical way of both modifying the input to the f-function and modifying the right half of the block as well. A third 64-bit subkey is used as an input to the f-function; it is not directly added or XORed to the right half of the block or a transformed version of it, but instead controls the f-function's nonlinearity. For purposes of the key schedule, this 64-bit subkey is the second one; the two added to the right half are the first and third, respectively. The output of the f-function is, as in DES, XORed to the left half of the block.
The f-function

Unlike the f-function in DES, which includes the step of XORing the 48-bit subkey with the right half of the block after the expansion permutation, the addition of subkeys to the right half of the block is, in LOKI97, performed outside the f-function, as we have seen. The f-function takes two 64-bit inputs: input A, the current value of the right half of the block (after the first of the two additions, as noted above), and input B, the 64-bit subkey for the round.

The first step applies the least significant, rightmost 32 bits of input B (bits 31 to 0, in the convention of the LOKI97 paper, which numbers bits from 63 down to 0) to input A as a keyed swap: a 1 bit in the key indicates that the corresponding bits of the two 32-bit halves of A are to be exchanged. A bit swap of this nature can be implemented easily with AND, XOR and OR instructions, and was earlier used in the ICE block cipher.

LOKI97 has two distinct S-boxes: S1 contains 8192 values from 0 to 255 (a 13-bit input), and S2 contains 2048 values from 0 to 255 (an 11-bit input). After the expansion permutation, which is the next step, these S-boxes are used in the order S1, S2, S1, S2, S2, S1, S2, S1 to produce a 64-bit output. So the expansion permutation produces groups of 13, 11, 13, 11, 11, 13, 11 and 13 bits, one group for each byte output from the bit-swapping step. This is done by prepending to each byte either 5 or 3 bits, as needed, from the least significant end of the preceding byte (going around the circle, so that the least significant 5 bits of the last byte are prepended to the first byte). This is simpler than the expansion permutation of DES, which augmented each nybble of the input with one bit taken from each of the two adjacent nybbles.

The output of the expansion permutation is then input to the S-boxes. The output of the S-boxes, considered as bits 63 to 56 from the first S-box, bits 55 to 48 from the second S-box, and so on, is then permuted by the following permutation P:

    7, 15, 23, 31, 39, 5, 13, 21, 29, 37, 3, 11, 19, 27, 35, 1,
    9, 17, 25, 33, 47, 45, 43, 41, 55, 53, 51, 49, 63, 61, 59, 57,
    6, 14, 22, 30, 38, 4, 12, 20, 28, 36, 2, 10, 18, 26, 34, 0,
    8, 16, 24, 32, 46, 44, 42, 40, 54, 52, 50, 48, 62, 60, 58, 56

where this listing is of the output bits, from bit 63 down to bit 0, each number showing from which input bit that output bit was obtained. (Remember, the input bits are numbered from 63 down to 0 here; as P is a permutation, every input bit appears exactly once.) Finally, the 64-bit result is again submitted to the S-boxes, this time in the order S2, S2, S1, S1, S2, S2, S1, S1, with the additional five or three more significant bits of input required by each S-box supplied by the leftmost, most significant 32 bits of input B, the subkey input to the f-function. (One starts from the left, taking the leftmost bits of the subkey for the first S-box.)
The S-box contents

Each entry in the two S-boxes is equal to the cube of the one's complement of that entry's position, computed modulo a polynomial in the Galois field GF(2^13) for S1 and GF(2^11) for S2. This technique is more familiar from the calculation of cyclic redundancy checks: a binary number, such as 1101, is considered to be a polynomial, in this case

    1 * x^3 + 1 * x^2 + 0 * x + 1

whose coefficients are numbers modulo 2, and so can only be 0 or 1. For S1, the polynomial is 10100100010001 (2911 in hexadecimal), and for S2 the polynomial is 101010100111 (AA7 in hexadecimal). In each case, the polynomial is one bit wider than the S-box input, so it can be used, shifted as necessary to line up with the leading bit, to XOR away every bit by which the cube extends past the width of the S-box input. After that is done, only the last 8 bits of the result are used as the S-box entry; the reduction from 13 or 11 bits to 8 is done by simply discarding the high bits.
Subkey generation

Subkeys for LOKI97 are generated by a modified version of the cipher itself. The input to the key schedule is considered to be composed of four 64-bit pieces, called K4, K3, K2 and K1. When a 256-bit key is used, its first 64 bits become K4, its second 64 bits K3, and so on. A 192-bit key is converted to a 256-bit key as follows: the given key becomes the first 192 bits of the 256-bit key to be used, and the last 64 bits (K1) are calculated using the LOKI97 f-function, with the first 64 bits of the given key acting as input A (the "right half" input) and the second 64 bits acting as input B (the "subkey" input). A 128-bit key is converted to a 256-bit key as follows: the given key becomes the first 128 bits of the 256-bit key to be used; the third group of 64 bits (K2) is the f-function of the second 64 bits submitted as input A and the first 64 bits submitted as input B; and the fourth group of 64 bits (K1) is the f-function of the first 64 bits submitted as input A and the second 64 bits as input B, exactly as in the 192-bit case.

Once the input key is in 256-bit form, as K4, K3, K2 and K1, the 48 subkeys are calculated as follows. The LOKI97 f-function is calculated with these inputs: input A is K1 plus K3 plus the hexadecimal constant 9E3779B97F4A7C15 multiplied by the number of the subkey generation round (from 1 to 48), all modulo 2^64; input B is K2. K4 is XORed with the result, and the result of this XOR is the subkey generated in that round. Then, before the next f-function calculation, the four pieces are rotated: the old K1 value becomes the new K2, K2 goes to K3, K3 goes to K4, and K4 after the XOR (that is, the subkey just generated) becomes the new K1.

For round 1 of encryption, subkey 1 is what is first added to the right half of the block, subkey 2 is the B input to the f-function, and subkey 3 is what is added second to the right half of the block. This pattern continues with the remaining subkeys for the remaining rounds. For decryption, the same round structure is used with the subkeys in reverse order and the additive ones negated: subkey 1 becomes the additive inverse (modulo 2^64) of subkey 48, subkey 2 becomes subkey 47, subkey 3 becomes the additive inverse of subkey 46, and this repeats for each group of three subkeys.
Analysis

LOKI97 was the first submission to the Advanced Encryption Standard process to be publicly disclosed by its authors. Unfortunately, it was also the first one found to have flaws. The fixed S-boxes, which take 11 or 13 bits of input, consisting of three or five supplemental bits "borrowed" from the previous byte plus the eight bits of the byte for which they provide a substitute, consist of apparently random bits. While their contents were designed to have some good properties, they do not consist of eight or thirty-two successive permutations of the numbers from 0 to 255: for a fixed value of the three or five extra bits, the map from the remaining eight input bits to the eight output bits is not a bijection, and so the S-box output is biased. An attack exploiting this was found by Lars Knudsen and Vincent Rijmen. (Note that a key-dependent S-box, like that of Blowfish, does not need to be composed of bijections. Wide fixed S-boxes, as used in CAST-128 and MARS, also don't appear to face that constraint.) The structure of the S-boxes was only a problem because, in the second S-box stage, the extra bits of input to the S-boxes come only from the subkey, so the biases in the S-boxes tend to leak those subkey bits.

In DES, additional efficiency can be gained by storing a table of the S-box values after they have gone through permutation P. Here, the output of the same S-box goes into the one fixed permutation at different places after the first S-box stage, and the second S-box stage is not followed by a permutation at all. This complicates implementation, and loses the additional diffusion that an extra permutation layer (which would be available "for free", if identical to the first) would provide.
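As an added example (this is not code from the LOKI97 submission, nor from this site), the following Python builds S1 and S2 by exactly the rule given under "The S-box contents": cube the one's complement of the index in GF(2^13) modulo 2911 (hexadecimal) or in GF(2^11) modulo AA7, and keep the low eight bits. It also implements the keyed bit swap that opens the f-function with AND, XOR and OR, and it checks the point made in the Analysis above: within any run of 256 consecutive entries (that is, for one fixed value of the borrowed bits), the S-box is not a permutation. The polynomial-reduction loop is written out rather than taken from a library so that the CRC-style reduction is visible.

```python
"""LOKI97 S-box generation and keyed bit swap (added example, not the
designers' reference code).  Only the published construction rules are used:
  S1[x] = ((x ^ 0x1FFF)^3 mod 0x2911) & 0xFF    (13-bit input, GF(2^13))
  S2[x] = ((x ^ 0x7FF)^3  mod 0xAA7)  & 0xFF    (11-bit input, GF(2^11))
"""


def gf_mul(a, b, poly, width):
    """Multiply two polynomials over GF(2) and reduce modulo `poly`, which has
    degree `width` (one bit wider than the field elements), as in a CRC."""
    product = 0
    while b:
        if b & 1:
            product ^= a
        b >>= 1
        a <<= 1
    # Reduce: XOR in the polynomial, shifted to line up with the leading bit,
    # until nothing extends past `width` bits.
    for bit in range(product.bit_length() - 1, width - 1, -1):
        if product >> bit & 1:
            product ^= poly << (bit - width)
    return product


def make_sbox(width, poly):
    """Cube the one's complement of each index in GF(2^width), keep 8 bits."""
    mask = (1 << width) - 1
    table = []
    for x in range(1 << width):
        c = x ^ mask                      # one's complement within `width` bits
        cube = gf_mul(gf_mul(c, c, poly, width), c, poly, width)
        table.append(cube & 0xFF)         # discard the high (width - 8) bits
    return table


S1 = make_sbox(13, 0x2911)
S2 = make_sbox(11, 0xAA7)


def keyed_swap(a, key_bits):
    """First step of the LOKI97 f-function: wherever the low 32 bits of the
    subkey have a 1, exchange the corresponding bits of the two 32-bit halves
    of the 64-bit value a."""
    hi, lo = a >> 32, a & 0xFFFFFFFF
    t = (hi ^ lo) & key_bits & 0xFFFFFFFF  # selected bits that actually differ
    return ((hi ^ t) << 32) | (lo ^ t)


def distinct_per_block(table):
    """For each run of 256 consecutive entries (one fixed value of the borrowed
    high bits) count the distinct outputs.  256 would mean a permutation of
    the byte values; anything less is the bias exploited by Knudsen and Rijmen."""
    return [len(set(table[i:i + 256])) for i in range(0, len(table), 256)]
```

The check for non-bijectivity is exact rather than statistical: index 1FFF (complement 0) and index 1FEF (complement x^4, whose cube x^12 has no low bits) both land in the last block of S1 and both give 0, and S2 has the same collision at 7FF and 7F7.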
CAST-256

CAST-256 is the Canadian entry in the competition for the new Advanced Encryption Standard. It takes its name from the original CAST cipher, designed by Carlisle Adams and Stafford Tavares; they and others worked on the design of CAST-256. The original paper describing the cipher is at this location: http://www.entrust.com/resources/pdf/cast256.pdf Unless it is chosen as the AES, licensing is likely to be required to use this submission, as well as some others.

It uses an f-function that produces a 32-bit output from a 32-bit input, and each round consists of modifying one 32-bit quarter of the 128-bit block by XORing it with the f-function of another 32-bit quarter. There are 48 rounds in CAST-256, organized in groups of four called quadrounds. CAST-256 begins with six forward quadrounds, and then continues with six reverse quadrounds, which are reversed exactly as would be required for decipherment. Thus, to perform CAST-256 decipherment, it is only necessary to change the order in which the subkeys are used. Each round uses two subkeys: a "masking" subkey 32 bits in length, and a rotation subkey 5 bits in length. A reverse quadround is reversed to the extent that the four rounds within it actually use their subkeys in reverse order; thus, the 48 rounds of CAST-256 use their subkeys in this order:

    0 1 2 3 ... 22 23 27 26 25 24 31 30 29 28 35 34 33 32 39 38 37 36 43 42 41 40 47 46 45 44

The f-function in CAST-256 comes in three different flavors, with the positions in which the operations of addition, XOR and subtraction are used changed. In the first type of f-function, f1, the input first has the current masking key added to it. Then the result is given a circular left shift, the extent of which is given by the current rotation key. Then each of the four bytes of the result is used to select an entry from one of the four S-boxes, whose entries are 32 bits wide. The entry in S1, selected by the first byte, first has the S2 entry selected by the second byte XORed to it, then the S3 entry selected by the third byte subtracted from it, then the S4 entry selected by the fourth byte added to it.

In the f2 function, the masking key is XORed, the S2 entry is subtracted, the S3 entry is added, and the S4 entry is XORed. In the f3 function, the masking key is subtracted, the S2 entry is added, the S3 entry is XORed, and the S4 entry is subtracted. (All additions and subtractions are modulo 2^32.) A forward quadround, which the diagram accompanying this page illustrates, operates as follows. The block is divided into four 32-bit segments. First, the f1 f-function of the fourth segment is XORed to the third segment; then the f2 f-function of the third segment is XORed to the second segment; then the f3 f-function of the second segment is XORed to the first segment; and finally the f1 f-function of the first segment is XORed to the fourth segment.
The Key Schedule

An operation called an "octave" is used to generate the CAST-256 key schedule. An octave is just like a forward quadround, except that it operates on a 256-bit block and comprises eight rounds: first the f1 f-function of the eighth segment is XORed to the seventh segment, and so on, cycling through f1, f2, f3, until the f2 f-function of the first segment is XORed to the eighth segment at the end. CAST-256 may have a key that is 128, 160, 192, 224 or 256 bits long, providing two additional key lengths beyond those required for an AES candidate. The 256-bit input to the first octave consists of the key padded with zero 32-bit words in the rightward, later positions.

The subkeys used by the octaves themselves are constants: the first masking subkey is 5A827999 in hexadecimal, and the first rotation subkey is 19 (decimal). Each subsequent masking subkey is formed by adding 6ED9EBA1 (hexadecimal) to the previous one, and each subsequent rotation subkey by adding 17 (decimal) to the previous one. Needless to say, the two additions are modulo 2^32 and modulo 2^5 respectively. The value of the block after every second octave supplies the subkey material for one quadround of the cipher. The eight 32-bit segments of the 256-bit block supply KR0, KM3, KR1, KM2, KR2, KM1, KR3 and KM0 in order: that is, the first segment supplies the first rotation key for the quadround (all but its last five bits are ignored), the second segment supplies the last masking key for the quadround, and one proceeds onwards, forward through the rotation keys and backward through the masking keys. Since CAST-256 has 48 rounds in 12 quadrounds, twenty-four octaves, two per quadround, are required to produce all the subkey material needed.
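The round structure, the subkey ordering, and the octave-based key schedule described in the last two sections are put together in the following Python. This is an added example, not the CAST-256 designers' code: the arithmetic, the quadround ordering and the key schedule follow the description above (and RFC 2612), but the four 8x32 S-boxes are constructed stand-ins, so the output will not match the published CAST-256 test vectors. What it does show is that the six forward and six reverse quadrounds make decryption the same procedure with the twelve subkey sets reversed, and how the octave constants and subkey extraction are laid out.

```python
"""CAST-256 round structure and key schedule (added example; NOT the designers'
code).  Arithmetic and key schedule follow the CAST-256 description (RFC 2612);
the S-boxes are constructed stand-ins, so published test vectors do not apply."""
MASK32 = 0xFFFFFFFF


def rotl32(x, r):
    r &= 31
    return ((x << r) | (x >> (32 - r))) & MASK32


def _toy_sbox(mult):
    # Stand-in 8x32 S-box (constructed here; not a real CAST table).
    return [((i + 1) * mult) & MASK32 for i in range(256)]


S1, S2, S3, S4 = (_toy_sbox(m) for m in (0x9E3779B1, 0x7F4A7C15, 0x6A09E667, 0xBB67AE85))


def _split(i):
    return i >> 24, (i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF


def f1(d, kr, km):  # add key, rotate, then ((S1 ^ S2) - S3) + S4
    a, b, c, e = _split(rotl32((km + d) & MASK32, kr))
    return ((((S1[a] ^ S2[b]) - S3[c]) & MASK32) + S4[e]) & MASK32


def f2(d, kr, km):  # xor key, rotate, then ((S1 - S2) + S3) ^ S4
    a, b, c, e = _split(rotl32(km ^ d, kr))
    return ((((S1[a] - S2[b]) + S3[c]) & MASK32) ^ S4[e]) & MASK32


def f3(d, kr, km):  # subtract key, rotate, then ((S1 + S2) ^ S3) - S4
    a, b, c, e = _split(rotl32((km - d) & MASK32, kr))
    return ((((S1[a] + S2[b]) & MASK32) ^ S3[c]) - S4[e]) & MASK32


def quad(a, b, c, d, kr, km):
    """Forward quadround: f1 of D into C, f2 of C into B, f3 of B into A, f1 of A into D."""
    c ^= f1(d, kr[0], km[0])
    b ^= f2(c, kr[1], km[1])
    a ^= f3(b, kr[2], km[2])
    d ^= f1(a, kr[3], km[3])
    return a, b, c, d


def quad_bar(a, b, c, d, kr, km):
    """Reverse quadround: the same four rounds in the opposite order, so it undoes quad()."""
    d ^= f1(a, kr[3], km[3])
    a ^= f3(b, kr[2], km[2])
    b ^= f2(c, kr[1], km[1])
    c ^= f1(d, kr[0], km[0])
    return a, b, c, d


def octave_constants():
    """(Tm, Tr) for 24 octaves x 8 rounds: 5A827999 stepped by 6ED9EBA1 mod 2^32,
    and 19 stepped by 17 mod 32 (the last two decimal)."""
    tm, tr, cm, cr = [], [], 0x5A827999, 19
    for _ in range(24 * 8):
        tm.append(cm)
        tr.append(cr)
        cm = (cm + 0x6ED9EBA1) & MASK32
        cr = (cr + 17) & 31
    return tm, tr


def octave(k, tm, tr):
    """One octave: eight quadround-style rounds over the 256-bit key state."""
    a, b, c, d, e, f, g, h = k
    g ^= f1(h, tr[0], tm[0]); f ^= f2(g, tr[1], tm[1])
    e ^= f3(f, tr[2], tm[2]); d ^= f1(e, tr[3], tm[3])
    c ^= f2(d, tr[4], tm[4]); b ^= f3(c, tr[5], tm[5])
    a ^= f1(b, tr[6], tm[6]); h ^= f2(a, tr[7], tm[7])
    return a, b, c, d, e, f, g, h


def key_schedule(key):
    """key of 16, 20, 24, 28 or 32 bytes -> 12 (Kr, Km) quadround subkey sets."""
    assert len(key) in (16, 20, 24, 28, 32)
    key = key + bytes(32 - len(key))                      # zero-pad to 256 bits
    kappa = tuple(int.from_bytes(key[i:i + 4], "big") for i in range(0, 32, 4))
    tm, tr = octave_constants()
    sched = []
    for i in range(12):                                   # two octaves per quadround
        for w in (2 * i, 2 * i + 1):
            kappa = octave(kappa, tm[8 * w:8 * w + 8], tr[8 * w:8 * w + 8])
        a, b, c, d, e, f, g, h = kappa
        sched.append(((a & 31, c & 31, e & 31, g & 31), (h, f, d, b)))  # KR0..3, KM0..3
    return sched


def encrypt_block(block, sched):
    a, b, c, d = (int.from_bytes(block[i:i + 4], "big") for i in range(0, 16, 4))
    for kr, km in sched[:6]:
        a, b, c, d = quad(a, b, c, d, kr, km)
    for kr, km in sched[6:]:
        a, b, c, d = quad_bar(a, b, c, d, kr, km)
    return b"".join(x.to_bytes(4, "big") for x in (a, b, c, d))


def decrypt_block(block, sched):
    # Same algorithm; only the order of the twelve subkey sets is reversed.
    return encrypt_block(block, sched[::-1])


def subkey_use_order():
    """Flat index of the subkey pair each of the 48 rounds consumes."""
    order = []
    for q in range(12):
        idx = [4 * q + j for j in range(4)]
        order += idx if q < 6 else idx[::-1]
    return order
```

Because a reverse quadround is exactly the inverse of a forward one with the same subkeys, undoing six forward and six reverse quadrounds is six forward quadrounds (with sets 11 down to 6) followed by six reverse ones (sets 5 down to 0), which is why decrypt_block only reverses the list.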
Magenta

Magenta is a block cipher with a complex and deeply nested design. However, its S-box has a simple structure, and there are also weaknesses in the key schedule. This led to cryptanalytic results being obtained against it shortly after it was disclosed. Although it has been claimed that there are other weaknesses in the design, it still seems to me that the design contains some useful principles. The S-box used in Magenta is the following:

    1 202 230 195 71 75 167 254 126 245 46 212 45 239 98 207 171 18 39 117 165 15 215 22 160 66 6 118 158 2 241 169 227 142 150 43 153 252 143 92 205 90 187 196 251 51 36 78 234 47 30 203 44 37 132 12 236 89 4 135 55 163 121 73 86 87 157 123 184 255 180 19 237 147 102 72 156 177 94 60 243 88 74 109 24 189 178 8 107 110 35 242 146 172 174 95 246 21 155 13 38 191 67 204 144 93 7 188 120 131 176 148 218 48 31 0 16 214 220 70 129 65 61 57 190 137 42 83 26 76 27 134 253 69 186 14 29 240 99 5 77 209 96 62 32 201 221 140 103 130 122 114 25 119 84 166 52 152 54 105 159 138 17 28 58 133 198 10 154 199 192 124 64 247 223 125 206 97 244 228 50 238 168 41 104 85 108 210 91 113 34 56 116 111 233 20 81 235 229 248 128 139 219 250 249 194 141 173 100 185 53 82 208 170 216 193 182 226 68 112 232 222 183 40 162 179 175 149 101 115 211 145 151 225 127 63 200 23 106 164 197 49 213 231 9 161 136 224 181 217 11 80 33 3 59 79

Start with 1, and shift one position left to obtain the next entry; when a 1 is shifted out, XOR the contents with 101 (decimal; this is reduction modulo the polynomial x^8 + x^6 + x^5 + x^2 + 1, so the entries are successive powers of x in GF(2^8)). This obtains the first 255 entries of the table; 0 is used as the last entry. In the Magenta documentation, f(x) is defined as entry x in this S-box. On that basis, other functions are defined step by step:

    A(x,y) = f(x xor f(y))                       [x and y are both bytes]
    PE(x,y) = (A(x,y), A(y,x))                   [that is, A(x,y) concatenated with A(y,x)]
    pi(x(0), x(1), ... x(15)) = (PE(x(0),x(8)), PE(x(1),x(9)), PE(x(2),x(10)), ... PE(x(7),x(15)))

The diagram accompanying this page illustrates how pi(X) operates on a 16-byte vector, pairing each byte of the first half with the corresponding byte of the second half.

    T(w) = pi(pi(pi(pi(w))))                     [w is a 16-byte vector]
    S(x(0), x(1), x(2), ... x(15)) = (x(0), x(2), x(4), ... x(14), x(1), x(3), x(5), ... x(15))

Our last preparatory definition is that of C(n,w), where n is a number and w a 16-byte vector:

    C(1,w) = T(w)
    C(n+1,w) = T(w xor S(C(n,w)))

Note that n is not a piece of the key or of the block being encrypted; it is a parameter giving the depth of recursion used. Finally, with all these definitions, Magenta is a Feistel cipher. Each Feistel round takes (X(1), X(2)), where each X is half the block, 64 bits in length, and replaces it with (X(2), X(1) xor F(X(2), SK(n))), where n is the round number and SK(n) is the nth subkey. The F function is the first eight bytes of S(C(3, (X(2), SK(n)))), where (X(2), SK(n)) is the 16-byte concatenation of the half block and the subkey. This is the round pictured in the diagram accompanying this page.
The key schedule is as follows:

    - for a 128-bit key, the key is divided into two 64-bit parts, K1 and K2, and the subkeys for the six rounds, in order, are K1, K1, K2, K2, K1, K1;
    - for a 192-bit key, the six subkeys are K1, K2, K3, K3, K2, K1;
    - for a 256-bit key, there are eight rounds, with subkeys K1, K2, K3, K4, K4, K3, K2, K1.

It appears that, except for swapping halves, Magenta is reciprocal: because each sequence of subkeys reads the same backwards, decipherment is encipherment applied to the block with its halves exchanged, followed by exchanging the halves of the result. The first paper giving a cryptanalysis of Magenta incorrectly gave the key schedule as K1 K2 K1 K1 K2 K1, it appears. Originally, the F function was going to be the first eight bytes of S(C(7, (X(2), SK(n)))), but the number of rounds inside the f-function was reduced because of a possible weakness. Even so, Magenta is deeply nested with complexity.
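The definitions above translate almost line for line into code. The following Python is an added example, not the Magenta designers' implementation: it generates the S-box from the shift-and-XOR rule, builds A, PE, pi, T, S, C and F from it, applies the palindromic key schedules for all three key sizes, and checks the reciprocity claim by decrypting with nothing more than encryption plus two swaps of the halves. The plaintext and key values are constructed for the demonstration.

```python
"""Magenta from the definitions in the text (added example, not the designers'
code).  128-bit block; 128/192/256-bit keys with palindromic subkey orders."""


def make_sbox():
    """f(x): start at 1 and shift left; when a 1 is shifted out, XOR with 101
    (decimal).  Entry 255 is 0.  This is x^i in GF(2^8) modulo
    x^8 + x^6 + x^5 + x^2 + 1 for i = 0..254."""
    table, v = [], 1
    for _ in range(255):
        table.append(v)
        v <<= 1
        if v & 0x100:
            v = (v & 0xFF) ^ 101
    table.append(0)
    return table


SBOX = make_sbox()


def A(x, y):
    return SBOX[x ^ SBOX[y]]


def PE(x, y):
    return (A(x, y), A(y, x))


def pi(w):                        # 16 bytes -> 16 bytes: PE on byte pairs (i, i+8)
    out = []
    for i in range(8):
        out.extend(PE(w[i], w[i + 8]))
    return bytes(out)


def T(w):                         # four applications of pi
    for _ in range(4):
        w = pi(w)
    return w


def S(w):                         # even-indexed bytes first, then odd-indexed
    return bytes(w[0::2]) + bytes(w[1::2])


def C(n, w):
    """C(1,w) = T(w); C(n+1,w) = T(w xor S(C(n,w)))."""
    c = T(w)
    for _ in range(n - 1):
        c = T(bytes(a ^ b for a, b in zip(w, S(c))))
    return c


def F(x2, sk):
    """Round function: first eight bytes of S(C(3, X2 || SK))."""
    return S(C(3, x2 + sk))[:8]


def subkeys(key):
    """128-bit: K1 K1 K2 K2 K1 K1; 192-bit: K1 K2 K3 K3 K2 K1; 256-bit: K1..K4 K4..K1."""
    parts = [key[i:i + 8] for i in range(0, len(key), 8)]
    if len(parts) == 2:
        k1, k2 = parts
        return [k1, k1, k2, k2, k1, k1]
    return parts + parts[::-1]


def encrypt(block, key):
    x1, x2 = block[:8], block[8:]
    for sk in subkeys(key):       # Feistel round: (X1, X2) -> (X2, X1 xor F(X2, SK))
        x1, x2 = x2, bytes(a ^ b for a, b in zip(x1, F(x2, sk)))
    return x1 + x2


def decrypt(block, key):
    """Every key schedule is a palindrome, so decryption is encryption with the
    halves swapped on the way in and again on the way out."""
    swapped = encrypt(block[8:] + block[:8], key)
    return swapped[8:] + swapped[:8]
```

The first entries of the table, f(0) = 1 and f(8) = 101, and then f(9) = 202, f(18) = 230 and f(27) = 195, can be checked by hand against the rule; the reciprocity test works for all three key sizes because the inverse of a Feistel round with subkey k is the same round conjugated by a swap of the halves, and the palindromic schedule makes the reversed sequence of subkeys equal to the forward one.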
The Decorrelated Fast Cipher

The Decorrelated Fast Cipher (DFC) is an eight-round Feistel cipher with a somewhat different f-function. It uses one S-box, with bits taken from the expansion of e, having 64 entries, each 32 bits long. The original version of its specification is available on its designer Serge Vaudenay's web site. The arrangement of the Feistel rounds is like that of DES, with halves swapped after all rounds but the last one.

The f-function has two steps. First, two 64-bit subkeys (considered as the two halves of a single 128-bit round subkey) are applied to the right half of the block by multiplication and addition, modulo 2^64 + 13; then the last 64 bits of the result are used. Second, the right and left halves of that 64-bit result are swapped; the new left half has an S-box entry, chosen by the rightmost 6 bits of the new right half, XORed to it, while the new right half is only XORed with a constant. Finally, the 64-bit result has a 64-bit constant added to it.

Although this description is short and simple, using multiplication with an odd modulus in the f-function ensures that every bit of the f-function output depends on every bit of its input. More importantly, the use of both multiplication and addition has an important property, which explains the meaning of the word "decorrelation" in the name of this cipher, and which is also connected with the use of Galois field multiplication in some other ciphers in this section, such as Rijndael and Twofish. Because multiplication distributes over addition (a*x + a*y = a*(x+y)), the following is true. Suppose the input p produces the output q, and r produces the output s, after each is first multiplied by a and then has b added to it. If you change a, and then change b so that p still produces q, r can produce anything, because the difference between q and s is proportional to the multiplier a: q - s = a*(p - r). For a prime modulus, every pair of outputs (q, s) for the given p and r is produced by exactly one pair (a, b), so knowing one input and its output tells an attacker nothing about the output of any second input. This also works when Galois field multiplication is used, with XOR taking on the role of addition. The subject is more extensively discussed in the section entitled A Note on the Importance of the Galois Field.

In the case of multiplication modulo 2^64 + 13 followed by truncation to 64 bits, the property holds only approximately, and with Galois field multiplication one cannot include zero as a multiplier. Using two additions, separated by an S-box corresponding to a permutation wired by the interval method, as a rotor might be, seems like it might work, since a somewhat similar property is involved. But the property is not the same, since it involves adding something to one of the two values considered instead of to both. However, note that the multiplicative group under a prime modulus is isomorphic to an additive group (via discrete logarithms), so there are S-boxes that would approximate this property for two additions.
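The decorrelation property, and the way truncation spoils it, can be checked exhaustively at small scale. The following Python is an added example, not part of the DFC specification: it takes two distinct inputs p and r, runs x -> a*x + b over every key pair (a, b), and tabulates how often each pair of outputs (q, s) occurs. With a prime modulus and keys drawn from the whole field every (q, s) occurs exactly once; with modulus 2^8 + 13 = 269, 8-bit keys and the result truncated to 8 bits (a scaled-down version of DFC's 2^64 + 13 and 64-bit truncation) the distribution is only approximately flat. The moduli and the inputs p and r are chosen for the demonstration.

```python
"""Pairwise decorrelation of x -> a*x + b (added example; small moduli stand in
for DFC's 2^64 + 13).  For two distinct inputs p and r, count how often each
output pair (q, s) arises as (a, b) ranges over all key pairs."""
from collections import Counter


def affine_pair_counts(modulus, p, r, key_range, truncate_bits=None):
    """Return Counter{(q, s): occurrences} over all a, b in range(key_range).
    With truncate_bits set, outputs keep only their low bits, as DFC keeps
    only the low 64 bits of the result modulo 2^64 + 13."""
    assert p != r
    mask = (1 << truncate_bits) - 1 if truncate_bits is not None else None
    counts = Counter()
    for a in range(key_range):
        for b in range(key_range):
            q = (a * p + b) % modulus
            s = (a * r + b) % modulus
            if mask is not None:
                q &= mask
                s &= mask
            counts[(q, s)] += 1
    return counts


def is_perfectly_decorrelated(counts, outputs):
    """True when all outputs**2 possible (q, s) pairs occur, each equally
    often: then the second output carries no information about the key once
    the first input/output pair is known."""
    return len(counts) == outputs ** 2 and len(set(counts.values())) == 1


# Exact case: prime modulus 257, keys drawn from the whole field.
exact = affine_pair_counts(257, p=3, r=5, key_range=257)

# DFC-style case: modulus 2^8 + 13 = 269, 8-bit keys, outputs truncated to 8 bits.
truncated = affine_pair_counts(269, p=1, r=2, key_range=256, truncate_bits=8)
```

In the truncated case the pair (0, 0) is produced both by (a, b) = (0, 0) and by (a, b) = (13, 243), since 13 + 243 = 256 folds to 0 and 26 + 243 = 269 is 0 modulo 269, while other pairs are never produced at all; that unevenness is exactly the "only approximately" of the text.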
Block Cipher Modes

At the same time that DES was brought to public attention, a number of ways of using DES were recommended. The obvious way of using DES is simply to apply it directly to plaintext, transforming each 64-bit block independently. This is called ECB, or Electronic Code Book mode. There are two reasons this mode might not be found satisfactory. If the same message (or the same block) is sent twice with the same key, its enciphered form will also be identical. Also, one needs to have eight bytes of plaintext available before performing encipherment. Thus, other ways of using DES were proposed. None of them strengthened the basic cipher, or added to the size of the key.
Cipher Block Chaining (CBC)

CBC, for Cipher Block Chaining, is one of the most popular modes. It addresses the first of the two problems with ECB mode. Each plaintext block, before being encrypted normally by DES (as in ECB mode), is XORed with the previous ciphertext block. The first plaintext block is XORed with a random 64-bit block, called the initialization vector, which is transmitted in the clear. In outline:

    plaintext block i  --> XOR --> DES --> ciphertext block i
                            ^                    |
                            +--- previous ciphertext block (the IV for block 1)

The useful properties of CBC mode can be illustrated by means of the following short demonstration. Let's imagine a block cipher that operates on three-letter groups, and use Vigenere addition of letters (modulo 26) instead of XOR. The message is BILL NEEDS MONEY X, the initialization vector is ZQT, and the block cipher's effect on the five intermediate blocks is simply taken as given:

    Plain:             BIL   LNE   EDS   MON   EYX
    Previous cipher:   ZQT   MNM   VTI   UTU   LKE      (ZQT is the IV)
                       ---   ---   ---   ---   ---      Vigenere step
                       AYE   XAQ   ZWA   GHH   PIB
                       ===   ===   ===   ===   ===      Block cipher step
    Cipher:            MNM   VTI   UTU   LKE   MRV

Now, if we change the message at the beginning (to MIKE NEEDS MONEY X), everything changes all the way through, because information keeps getting propagated:

    Plain:             MIK   ENE   EDS   MON   EYX
    Previous cipher:   ZQT   RJY   QEI   RMQ   LVI
                       ---   ---   ---   ---   ---      Vigenere step
                       LYD   VWC   UHA   DAD   PTF
                       ===   ===   ===   ===   ===      Block cipher step
    Cipher:            RJY   QEI   RMQ   LVI   SZR

But if, instead, the original message is sent and a transmission error takes place, so that instead of receiving

    ZQT MNM VTI UTU LKE MRV

the receiver gets

    ZQT MLM VTI UTU LKE MRV

then only two blocks are damaged. Since each ciphertext block was a function of the plaintext block and the previous ciphertext block, each plaintext block is a function of the ciphertext block and the previous ciphertext block. As long as those two ciphertext blocks are right, the rest of the message is irrelevant:

    Cipher:            MLM   VTI   UTU   LKE   MRV
                       ===   ===   ===   ===   ===      Inverse block cipher step  (1)
                       PQK   XAQ   ZWA   GHH   PIB
    Previous cipher:   ZQT   MLM   VTI   UTU   LKE                                 (2)
                       ---   ---   ---   ---   ---      Inverse Vigenere step, (1) - (2)
    Plaintext:         QAR   LPE   EDS   MON   EYX

In this decipherment example, the first plaintext block is totally garbled, because the erroneous ciphertext block is the input to the block cipher; the second plaintext block only has an error in the same position as the error in the ciphertext block, because the erroneous block is used in a Vigenere step after the block cipher. Thus, someone could even note that ...EDS MON EYX is probably NEEDS MONEY, work out that LPE should be LNE, and so correct MLM to MNM and recover the whole message.
Propagating Cipher Block Chaining (PCBC)

A mode somewhat similar to CBC, called PCBC, for Propagating Cipher Block Chaining, XORs each plaintext block, before it is encrypted normally by DES, with both the previous ciphertext block and the previous plaintext block. Since on decipherment the DES decryption is done first, with both XORs taking place afterwards, if two adjacent ciphertext blocks are swapped, they will decrypt incorrectly, but succeeding blocks will again decrypt normally. As this mode was intended to take the place of a checksum for guaranteeing message integrity, this characteristic was considered a flaw, and led to the mode's being abandoned in favor of ordinary CBC when Kerberos, the one well-known place where it was used, went from version 4 to version 5.
Output Feedback (OFB)

OFB, for Output Feedback, addresses both the first and second problems noted earlier with ECB mode. An initialization vector is again sent in the clear. It is repeatedly encrypted by DES, each output being fed back as the next input, and the successive outputs are XORed with the successive blocks of the plaintext. This mode has two problems of its own. The plaintext itself is only subjected to an XOR. This means that if the plaintext is known, another plaintext can be substituted by inverting, in the ciphertext, the same bits one would need to invert in the plaintext to make the change. This is called a bit-flipping attack. And there is always the possibility, admittedly a slim one, that one might choose a key and an initialization vector such that the successive blocks generated repeat in a short loop.
Cipher Feedback (CFB)

A mode which seems to avoid most of the problems so far encountered is CFB, for Cipher Feedback. Here, a plaintext block is enciphered by being XORed with the DES encryption of the previous ciphertext block. For the first plaintext block, an initialization vector takes the role of the previous ciphertext block. In outline:

    previous ciphertext block (the IV for block 1) --> DES --> XOR --> ciphertext block i
                                                                ^
                                                                +--- plaintext block i

A bit-flipping attack will garble subsequent blocks, and so if one takes care that messages have checksums, straddle more than one block, and so on, it is prevented, despite the fact that the plaintext is only subjected to an XOR at the time of being enciphered. Since the plaintext modifies what is used to XOR later parts, there is no problem of a generator falling into a short loop. This mode limits the propagation of transmission errors to the same extent as CBC mode. Once again, this can be illustrated using an alphabetic cipher as an example. To simplify matters, the same block cipher key and the same plaintext are used as in the previous example (so the same block cipher step values apply), and this will show that the two modes are very closely related. The initialization vector is QXD, which the block cipher encrypts to ZQT:

    Previous cipher:       QXD   AYE   XAQ   ZWA   GHH      (QXD is the IV)
                           ===   ===   ===   ===   ===      Block cipher step
    Enciphered previous:   ZQT   MNM   VTI   UTU   LKE
    Plain:                 BIL   LNE   EDS   MON   EYX
                           ---   ---   ---   ---   ---      Vigenere step
    Cipher:                AYE   XAQ   ZWA   GHH   PIB

Now, if we change the message at the beginning, everything changes all the way through, because information keeps getting propagated:

    Previous cipher:       QXD   LYD   VWC   UHA   DAD
                           ===   ===   ===   ===   ===      Block cipher step
    Enciphered previous:   ZQT   RJY   QEI   RMQ   LVI
    Plain:                 MIK   ENE   EDS   MON   EYX
                           ---   ---   ---   ---   ---      Vigenere step
    Cipher:                LYD   VWC   UHA   DAD   PTF

But if, instead, the original message is sent and a transmission error takes place, so that instead of receiving

    QXD AYE XAQ ZWA GHH PIB

the receiver gets

    QXD AYE XCQ ZWA GHH PIB

then again only two blocks are damaged. Each ciphertext block is a function of the plaintext block and the previous ciphertext block, so each plaintext block is a function of the ciphertext block and the previous ciphertext block; as long as those two ciphertext blocks are right, the rest of the message is irrelevant:

    Previous cipher:       QXD   AYE   XCQ   ZWA   GHH
                           ===   ===   ===   ===   ===      Block cipher step             (1)
    Enciphered previous:   ZQT   MNM   JRP   UTU   LKE
    Cipher:                AYE   XCQ   ZWA   GHH   PIB                                    (2)
                           ---   ---   ---   ---   ---      Inverse Vigenere step, (2) - (1)
    Plaintext:             BIL   LPE   QFL   MON   EYX

In this decipherment example, the first damaged plaintext block only has an error in the same position as the error in the ciphertext block, but the second is totally garbled, because the erroneous ciphertext block went through the block cipher before being applied to the plaintext: the mirror image of what happens in CBC. This mode has variants that involve performing DES encryptions more often, such as once for each bit or byte. Some problems have been claimed with these variants, and they require more computation without increasing security.
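The CBC and CFB demonstrations above can be run mechanically, and the error-propagation pattern of each mode checked for any message and any error position rather than for one hand-worked case. The following Python is an added example, not code from this page: the three-letter "block cipher" is a constructed keyed permutation of the 17576 three-letter groups (not the particular values used in the tables), Vigenere addition modulo 26 stands in for XOR exactly as in the text, and the sample message and transmission error are constructed for the test.

```python
"""CBC and CFB over a toy three-letter block cipher, with letter addition mod 26
in place of XOR (added example, not from the original page).  The block cipher
is a constructed keyed permutation of all three-letter groups."""
import random

ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
N = 26 ** 3


def _pack(block):
    n = 0
    for ch in block:
        n = n * 26 + ALPHA.index(ch)
    return n


def _unpack(n):
    out = ""
    for _ in range(3):
        out = ALPHA[n % 26] + out
        n //= 26
    return out


class ToyBlockCipher:
    """A random permutation of all three-letter blocks, keyed by an integer seed."""

    def __init__(self, key):
        self.perm = list(range(N))
        random.Random(key).shuffle(self.perm)
        self.inv = [0] * N
        for i, p in enumerate(self.perm):
            self.inv[p] = i

    def encrypt(self, block):
        return _unpack(self.perm[_pack(block)])

    def decrypt(self, block):
        return _unpack(self.inv[_pack(block)])


def vig_add(x, y):   # Vigenere step, the stand-in for XOR
    return "".join(ALPHA[(ALPHA.index(a) + ALPHA.index(b)) % 26] for a, b in zip(x, y))


def vig_sub(x, y):   # inverse Vigenere step
    return "".join(ALPHA[(ALPHA.index(a) - ALPHA.index(b)) % 26] for a, b in zip(x, y))


def blocks(text):
    return [text[i:i + 3] for i in range(0, len(text), 3)]


def cbc_encrypt(cipher, iv, plain):
    out, prev = [], iv
    for p in blocks(plain):
        prev = cipher.encrypt(vig_add(p, prev))   # chain the previous ciphertext in BEFORE the cipher
        out.append(prev)
    return out


def cbc_decrypt(cipher, iv, ctext):
    out, prev = [], iv
    for c in ctext:
        out.append(vig_sub(cipher.decrypt(c), prev))
        prev = c
    return "".join(out)


def cfb_encrypt(cipher, iv, plain):
    out, prev = [], iv
    for p in blocks(plain):
        prev = vig_add(p, cipher.encrypt(prev))   # encipher the previous ciphertext, THEN add
        out.append(prev)
    return out


def cfb_decrypt(cipher, iv, ctext):
    out, prev = [], iv
    for c in ctext:
        out.append(vig_sub(c, cipher.encrypt(prev)))  # decryption uses the forward cipher only
        prev = c
    return "".join(out)


def corrupt(ctext, block, letter):
    """Constructed transmission error: advance one letter of one ciphertext block."""
    c = list(ctext)
    b = c[block]
    c[block] = b[:letter] + ALPHA[(ALPHA.index(b[letter]) + 1) % 26] + b[letter + 1:]
    return c


def damaged_blocks(original, recovered):
    """Indices of the plaintext blocks that differ after a transmission error."""
    return [i for i, (a, b) in enumerate(zip(blocks(original), blocks(recovered))) if a != b]
```

With an error in ciphertext block 1, CBC recovers block 1 as garbage and block 2 with only the erroneous letter position wrong, while CFB recovers block 1 with only that letter wrong and block 2 as garbage; everything from block 3 onward is correct in both modes, as the tables above show for one case.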
Triple-DES

A common way to increase the security of DES is to apply DES to a block three times. Using DES twice is avoided because of an attack, called the meet-in-the-middle attack, which reduces the security of double-DES almost to the level of single-DES: one encrypts a known plaintext under every possible first key and decrypts the corresponding ciphertext under every possible second key, then looks for a match between the two sets of intermediate values. This costs only about twice the work of a brute-force search for a single DES key, but it requires a very large quantity of memory to hold the intermediate values. Usually, Triple-DES is done by encrypting with one key, decrypting with another, and then encrypting again with either the first key or a third one. This way, if all three phases are done with the same key, interoperability with regular single DES is possible. This is called EDE mode, for Encrypt-Decrypt-Encrypt.

If one is going to use DES three times, one can be more elaborate. One can also increase the effective block size of DES through something called an Outerbridge construction. The diagram accompanying this page illustrates a generalization of that construction to quadruple, rather than merely double, the block size, and to increase the effective key size as well. The 64-bit blocks are considered to be divided into four 16-bit parts, which are distributed between DES operations.

    [Diagram: three layers of four DES operations each on a 256-bit block. The first layer uses keys K1, K2, K3 and K4; the middle layer uses K5 for all four operations; the last layer again uses K1, K2, K3 and K4. Between layers, the 16-bit quarters of each 64-bit output are redistributed among the four DES operations of the next layer.]

If only the keys for the four middle operations were different, a meet-in-the-middle attack could reduce the security of this to that of ordinary Triple-DES, but varying the keys on the outside genuinely lengthens the key. (However, varying them on the inside may be a good idea too, as there may be other types of attack possible.)

Another suggestion for modifying Triple-DES to encipher a large block of text was made by Carl Ellison. What was suggested was the following: in addition to enciphering an input text by means of ECB mode three times, twice, between each pair of DES encryptions, the bytes of the entire message would be transposed. The transposition would not depend on any secret key; instead, the number of times each possible byte value from 0 to 255 occurred in the text being transposed (which, of course, is not changed by transposition) would provide the "key" for the transposition. But a chosen-plaintext attack on this scheme was found by Paul Crowley. The attack works like this: encipher a message consisting of the same block repeated over and over. After the first DES encryption, the result will also consist of a single block repeated over and over. So, after the first unkeyed transposition, the result will be a message consisting of at most eight different byte values in scrambled order. If the message is long enough, it is very likely that the result of the first unkeyed transposition will include two identical blocks, while this would still be very unlikely in any other case. This will result in two identical blocks being found in the output of the second DES encryption. Now, it becomes possible, using the actual ciphertext produced by encrypting the chosen plaintext, to perform a brute-force search on the key of the third DES encryption stage only. After decrypting the ciphertext with a trial key, one can reverse the second unkeyed transposition stage. This obtains a possible intermediate text which will, or will not, include a repeated block. By using more than one chosen plaintext of repeated identical blocks, one can check whether such a possible key is correct. Then, a brute-force search on the key for the first DES stage is possible, because different keys would, by producing different inputs to the first unkeyed transposition stage, result in repeated blocks at different locations in the message. Finally, with both the first and third DES keys known, the inputs and outputs of the second DES stage are known, and so that key can be searched for independently.

Clearly, it is easy to frustrate this specific attack. The second DES stage could use a chaining mode of encryption, which would completely conceal any repeated blocks it received as input. As well, if a system using such a cipher were vulnerable to a chosen-plaintext attack, it could be constructed so as to use a separate session key for each message, with only the random session key being enciphered by a permanent key that could be used to read other messages. If the transposition stages used a large secret key, in addition to being varied by the byte frequencies, then the search for the key of the third DES stage would become much more difficult, although it is possible that transposed bytes of a message with repeated blocks would still be distinguishable, particularly if a sufficiently large number of chosen plaintexts is used. However, this result is still relevant, because it illustrates how easily a measure which one might think would make Triple-DES more secure, by mixing the bytes of a message together in an unknown way, can actually reduce security by allowing the keys of the three DES layers to be searched for independently of one another.
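The meet-in-the-middle attack that rules out double encryption, mentioned at the start of this section, is easiest to see at a scale where the whole key space can be enumerated. The following Python is an added example, not from the page: a constructed 16-bit toy cipher with a 12-bit key stands in for DES, so double encryption has a 24-bit key, yet the attack recovers both keys with about 2 * 2^12 cipher operations and a table of 2^12 intermediate values instead of 2^24 trials. The toy cipher, the keys and the plaintexts are all constructed for the demonstration; only the shape of the attack carries over to DES.

```python
"""Meet-in-the-middle against double encryption (added example, not from the
page).  A constructed 16-bit toy cipher with a 12-bit key stands in for DES."""

KEY_BITS = 12
MASK16 = 0xFFFF


def toy_encrypt(x, k):
    """Four add-rotate-xor rounds on a 16-bit block under a 12-bit key (constructed)."""
    for r in range(4):
        x = (x + k + r * 0x1111) & MASK16
        x = ((x << 5) | (x >> 11)) & MASK16
        x ^= (k * 0x2D + r) & MASK16
    return x


def toy_decrypt(x, k):
    """Exact inverse of toy_encrypt: undo the rounds in reverse order."""
    for r in reversed(range(4)):
        x ^= (k * 0x2D + r) & MASK16
        x = ((x >> 5) | (x << 11)) & MASK16
        x = (x - k - r * 0x1111) & MASK16
    return x


def double_encrypt(x, k1, k2):
    return toy_encrypt(toy_encrypt(x, k1), k2)


def meet_in_the_middle(pairs):
    """pairs: (plaintext, ciphertext) pairs under the same unknown (k1, k2).
    Returns every (k1, k2) consistent with all of them.  Memory: one table
    entry per k1.  Time: one encryption per k1 plus one decryption per k2,
    rather than one double encryption per (k1, k2)."""
    p0, c0 = pairs[0]
    middle = {}
    for k1 in range(1 << KEY_BITS):              # forward half: E_k1(p0) -> k1
        middle.setdefault(toy_encrypt(p0, k1), []).append(k1)
    candidates = []
    for k2 in range(1 << KEY_BITS):              # backward half: D_k2(c0)
        for k1 in middle.get(toy_decrypt(c0, k2), ()):
            # a match on the first pair is a candidate; the others weed out chance collisions
            if all(double_encrypt(p, k1, k2) == c for p, c in pairs[1:]):
                candidates.append((k1, k2))
    return candidates
```

Against real double-DES the table holds 2^56 intermediate values, which is the "very large quantity of memory" the text refers to; the time is about 2^57 DES operations rather than the 2^112 a naive attacker would hope for.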
Other Modes
Also, another way in which to get more mileage out of a block cipher would be to use it as the heart of a sort of nonlinear shiftregister. Instead of using a shift register whose cells contain bits, however, the cells of the shift register would contain entire 64bit (or larger) blocks. An example of what such a mode might be like is shown in the diagram below: Plaintext   DES   XOR<ADD<ADD<        DES     
           >                      DES   Ciphertext Three layers of DES are shown; the first and the last are in ECB mode, and serve to keep the contents of the shift register hidden. The middle layer of DES is the one operating in an unusual mode. Its output is saved in a shift register. The output blocks produced 2, 4, and 7 blocks previously are added together (with normal arithmetic addition, including carries, so that the shift register actually contains 64bit quantities, instead of merely being effectively 64 singlebit wide shift registers in parallel), and the result is XORed with the input to the middle DES operation. This is essentially a variation on cipher block chaining (CBC) mode. A mode like this: Plaintext   >XOR >XOR      DES 1    DES 1      >XOR  >XOR   D      E     S       2      Ciphertext based on a different mode devised by Matt Blaze of AT&T, illustrates how additional security may be achieved by using DES twice for each block encrypted. (Unlike Matt Blaze, though, I got things at least slightly wrong: with 2^32 known plaintexts, which may be hard to obtain under many circumstances, a birthday attack can provide the necessary information for permitting a meetinthemiddle attack on the mode shown here.) Just encrypting each block twice in a row is usually not done; instead, if that type of mode is desired, encryption is performed three times in a row. This is because, with a stretch of both plaintext and ciphertext known, it is possible to try each possible key on the plaintext and ciphertext separately, and then look for matches. This approach, called the meetinthemiddle attack, does require a large amount of memory. However, even if that attack is more theoretical than real, the fact that one theoretical weakness exists indicates the possibility of other, more exploitable, weaknesses that may also exist even if they are not known at present. 
Ron Rivest, one of the inventors of the RSA public-key algorithm, noted that because of the desirable properties of DES, it is possible to obtain a genuine increase in its key size simply by XORing the input to DES, and the output from DES, each by an additional 64 bits of key material. This form of enhanced DES is called DESX.
Other enciphering modes that provide a genuine improvement in the security of DES are possible. For example, here is a single-DES mode with variable whitening:

[Diagram: for each of three blocks, Plaintext, SS1 XOR, SS2 XOR, chaining XOR, DES, SS3 XOR, SS4 XOR, Ciphertext]

The DES layer in the middle uses CBC mode, so as to provide an additional source of random variation. Before and after DES encryption, a 64-bit value is used to choose one of four whitening quantities to XOR with the message, four times, and is used twice to choose one of eight invertible substitutions for each byte of the block. Thus, this consumes 4+24+4+4+24+4 bits. Since each side is "guarded" by only a 32-bit unknown quantity, the XOR of the input to DES for the previous block and the output from DES for the block before is used. This 64-bit quantity could also be the output of another DES encryption, perhaps one operating in OFB or counter mode, or the DES encryption of the previous ciphertext block as in CFB. Similar concepts are explored in the section on the Large-Key Brainstorm.
Cryptanalytic Methods for Modern Ciphers
Block ciphers like DES are intended to be very hard to break, and they are largely successful in achieving this. Having even copious quantities of corresponding plaintext and ciphertext, it is intended that the fastest way to discover the key, so as to be able to decrypt other messages, would be a brute-force search, that is, trying every possible key until the right one is found. Many block ciphers appear to meet this condition.

Two cryptanalytic methods that can do slightly better with some of the earlier block ciphers, such as DES and LUCIFER, are differential cryptanalysis and linear cryptanalysis. Other techniques, which are of interest against weaker ciphers, and which partially account for the fact that DES has sixteen rounds, instead of eight, such as hill-climbing techniques and genetic algorithms, are discussed in the next section.

In the book The Hut Six Story, Gordon Welchman first revealed one of the innovations used with the Bombe in connection with the cryptanalysis of the German Enigma. He also noted that it embodied a general principle which made present-day ciphers weaker than they might be expected to be.
- Differential and Linear Cryptanalysis
    - Extensions of Differential Cryptanalysis
    - The Boomerang Attack
- Cryptanalysis, Almost by Aimlessly Thrashing About
- Hidden Markov Methods
Differential and Linear Cryptanalysis
Multi-round ciphers such as DES are clearly very difficult to crack. One property they have is that even if one has some corresponding plaintext and ciphertext, it is not at all easy to determine what key has been used.
Differential Cryptanalysis
However, if one is fortunate enough to have a large quantity of corresponding plaintext and ciphertext blocks for a particular unknown key, a technique called differential cryptanalysis, developed by Eli Biham and Adi Shamir, is available to obtain clues about some bits of the key, thereby shortening an exhaustive search.

After two rounds of DES, knowing both the input and output, it is trivial to determine the two subkeys used, since the outputs of both f-functions are known. For each S-box, there are four possible inputs to produce the known output. Since each subkey is 48 bits long, but the key is only 56 bits long, finding which of the four possibilities is true for each group of six bits in the subkeys is a bit like solving a crossword puzzle.

Once the number of rounds increases to four, the problem becomes much harder. However, it is still true that the output depends on the input and the key. For a limited number of rounds, it is inevitable, without the need for any flaws in the S-boxes, that there will be some cases where a bit or a combination of bits in the output will have some correlation with a simple combination of some input bits and some key bits. Ideally, that correlation should be absolute with respect to the key bits, since there is only one key to solve for, but it can be probabilistic with respect to the input and output bits, since there need to be many pairs to test. As the number of rounds increases, though, the simple correlations disappear.

Differential cryptanalysis represents an approach to finding more subtle correlations. Instead of saying "if this bit is 1 in the input, then that bit will be 0 (or 1) in the output", we say "changing this bit in the input changes (or does not change) that bit in the output". In fact, however, a complete pattern of which bits change and do not change in the input and in the output is the subject of differential cryptanalysis.
The basic principle of differential cryptanalysis, in its classic form, is this: the cipher being attacked has a 'characteristic' if there exists a constant X such that, given many pairs of plaintexts A, B with B = A xor X, then if a certain statement is true about the key, E(B,k) = E(A,k) xor Y for some constant Y will be true with a probability somewhat above that given by random chance.
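Such a characteristic can be measured directly on a single S-box. This is an added example, not code from the original page: it builds the difference distribution table of DES S-box S1 (the table as published in FIPS 46), picks the input/output XOR pair that holds most often, and checks on an assumed one-S-box toy cipher E(A,k) = S1[A xor k] that the characteristic holds with the same probability whatever the key.

```python
from itertools import product

# DES S-box S1 as published in FIPS 46: four rows of sixteen 4-bit outputs.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox(x: int) -> int:
    """DES S-box lookup: the outer two bits of the 6-bit input pick the row, the inner four the column."""
    row = ((x >> 5) & 1) << 1 | (x & 1)
    col = (x >> 1) & 0xF
    return S1[row][col]


def difference_table(n_in: int = 6, n_out: int = 4) -> list:
    """ddt[dx][dy] = number of inputs A with sbox(A) xor sbox(A xor dx) == dy."""
    ddt = [[0] * (1 << n_out) for _ in range(1 << n_in)]
    for a, dx in product(range(1 << n_in), repeat=2):
        ddt[dx][sbox(a) ^ sbox(a ^ dx)] += 1
    return ddt


def best_characteristic(ddt: list) -> tuple:
    """The (X, Y, count) with the largest count over nonzero input XORs X."""
    return max(
        ((dx, dy, n) for dx, row in enumerate(ddt) if dx for dy, n in enumerate(row)),
        key=lambda t: t[2],
    )


def toy_encrypt(a: int, k: int) -> int:
    """Assumed one-S-box toy cipher E(A,k) = S1[A xor k]; it stands in for E in the text."""
    return sbox(a ^ k)


def characteristic_probability(dx: int, dy: int, key: int) -> float:
    """Fraction of pairs (A, A xor X) whose toy ciphertexts differ by Y under this key."""
    hits = sum(1 for a in range(64) if toy_encrypt(a, key) ^ toy_encrypt(a ^ dx, key) == dy)
    return hits / 64


def demo() -> dict:
    ddt = difference_table()
    dx, dy, n = best_characteristic(ddt)
    # The key enters only by XOR before the S-box, so (A xor k, A xor k xor X) runs over
    # all input pairs as A does: the probability is count/64 for every key (constructed keys).
    probs = {k: characteristic_probability(dx, dy, k) for k in (0, 0x2B, 0x3F)}
    return {"X": dx, "Y": dy, "count": n, "probabilities": probs,
            "row_sums_ok": all(sum(row) == 64 for row in ddt),
            "all_even": all(v % 2 == 0 for row in ddt for v in row)}


if __name__ == "__main__":
    r = demo()
    print(f"best differential {r['X']:02x} -> {r['Y']:x} holds {r['count']}/64 of the time")
    print("per-key probabilities:", r["probabilities"])
```

Every entry of the table is even, because the pair (A, A xor X) and the pair (A xor X, A) give the same output difference; DES's published S-box criteria keep the largest entry for a nonzero input XOR down to 16.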
Linear Cryptanalysis
Linear cryptanalysis, invented by Mitsuru Matsui, is a different, but related technique. Instead of looking for isolated points at which a block cipher behaves like something simpler, it involves trying to create a simpler approximation to the block cipher as a whole. For a great many plaintext-ciphertext pairs, the key that would produce that pair from the simplified cipher is found, and key bits which tend to be favored are likely to have the value of the corresponding bit of the key for the real cipher. The principle is a bit like the summation of many one-dimensional scans to produce a two-dimensional slice through an object in computer-assisted tomography.
- Extensions of Differential Cryptanalysis
- The Boomerang Attack
Extensions to Differential Cryptanalysis
Several powerful methods of cryptanalysis have been developed that start from differential cryptanalysis, and deal with block ciphers that, while resistant to conventional differential cryptanalysis as originally conceived, can still be attacked using more subtle developments from that principle.
Truncated differentials
It is of course possible that some of the bits of E(A,k) xor E(B,k) will be more likely to match those of Y than others. If one can, in addition, ignore some of the bits of A and B, one has a truncated differential for the cipher being attacked, and this technique, due to Lars R. Knudsen, has been found to be very powerful. (Being able to ignore some bits of A and B may allow two or more truncated differentials to be used together, and this is why it is important.)
Higher-order Differentials
Another important addition to the available techniques deriving from differential cryptanalysis is the use of higher-order differentials, which first appeared in a paper by Xuejia Lai. A differential characteristic of the type described above, where for a large number of different values of A, B equals A xor X, and the encrypted versions of A and B for a given key, k, are expected to have the relation E(A,k) = E(B,k) xor Y if a target statement about the key k is true, can be made analogous to a derivative in calculus; Y is then termed the first derivative of the cipher E at the point X.

A second-order derivative would then be one involving a second quantity, W, such that E(A,k) xor E(B,k) = E(C,k) xor E(D,k) xor Z is expected to be true more often than would be true due to chance, where not only is B = A xor X, but C = A xor W and D = B xor W. In that case, Z is the second derivative of the cipher E at the point X,W.

Since xor performs the function of both addition and subtraction, the four items encrypted for any A are just lumped together in this case, but if differential cryptanalysis were being performed over another field where the distinction is significant, then

    Y = E(A+X,k) - E(A,k)

and

    Z = (E(A+X+W,k) - E(A+W,k)) - (E(A+X,k) - E(A,k))

would be the appropriate equations to use. This technique is important because a second-order derivative can exist at a point for the first coordinate of which no first-order derivative exists, or is probable enough to be useful.

And similarly, a third-order derivative is derived from the difference of two second-order derivatives, based on another constant difference, and so on.
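The first and second derivatives above, as an added example not taken from the original page: f below is a constructed 8-bit map of algebraic degree two (each output bit is the AND of two input bits), keyed by XOR as an assumed stand-in for E(A,k); its first derivative at X still varies with A, while its second derivative at (X, W) is the same for every A and every key.

```python
def f(x: int) -> int:
    """Constructed 8-bit function of algebraic degree 2: output bit i is x_i AND x_(i-1 mod 8).
    It stands in for the block cipher E in the text; a real cipher has a far higher degree."""
    rot = ((x << 1) | (x >> 7)) & 0xFF
    return x & rot


def E(a: int, k: int) -> int:
    """Keyed version, as E(A,k) in the text; the key entering by XOR before f is an assumption."""
    return f(a ^ k)


def first_derivative(a: int, k: int, x: int) -> int:
    """E(A,k) xor E(A xor X,k): over GF(2) xor is both + and -, so this is Y in the text."""
    return E(a, k) ^ E(a ^ x, k)


def second_derivative(a: int, k: int, x: int, w: int) -> int:
    """(E(A xor X xor W) xor E(A xor W)) xor (E(A xor X) xor E(A)), i.e. Z in the text."""
    return first_derivative(a ^ w, k, x) ^ first_derivative(a, k, x)


def derivative_values(k: int, x: int, w: int) -> tuple:
    """The sets of first- and second-derivative values seen as A runs over all 256 inputs."""
    firsts = {first_derivative(a, k, x) for a in range(256)}
    seconds = {second_derivative(a, k, x, w) for a in range(256)}
    return firsts, seconds


def characteristic_count(derivative, k: int, target: int, *diffs) -> int:
    """How many of the 256 inputs A give the target difference: 256 means probability one."""
    return sum(1 for a in range(256) if derivative(a, k, *diffs) == target)


if __name__ == "__main__":
    X, W, KEY = 0x01, 0x80, 0x5A  # constructed differences and key
    firsts, seconds = derivative_values(KEY, X, W)
    # Several first-derivative values: no probability-one first-order characteristic at X.
    print("first-derivative values at X:", sorted(firsts))
    # A single second-derivative value: a probability-one second-order characteristic at (X, W).
    print("second-derivative values at X,W:", sorted(seconds))
```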
The Boomerang Attack
Recently, a means of improving the flexibility of differential cryptanalysis was discovered by David A. Wagner. Called the boomerang attack, it allows the use of two unrelated characteristics for attacking two halves of a block cipher.
This diagram shows how the attack might work if everything goes perfectly for a particular initial block. The numbered points in the diagram show the steps involved in the attack.

1. Start with a random block of plaintext. Based on the characteristic known for the first half of the cipher, if we XOR a certain vector with it, called d1 (equal to 00100000 in the diagram), the result after half-enciphering the two plaintext blocks, before and after the XOR, will differ by c1 (equal to 00110110 in the diagram), if what we wish to learn about the key happens to be true.
2. Since the characteristic applies only to the first half of the cipher, the results after the whole block cipher won't be related. Take those two results, and XOR each one with d2 (equal to 01001011 in the diagram), which is the vector corresponding to the characteristic for the second half of the cipher. In each case, XORing d2 with a ciphertext block is expected to change the result after deciphering halfway by c2 (equal to 00010000 in the diagram), again, if something is true of the key.
3. With two intermediate results that differ by c1, if each one has c2 XORed to it, the two results of the XOR will still differ by c1. Since this difference now relates to the first half characteristic, it can be seen in the final output, thus indicating the truth or otherwise of two hypotheses about the key.

This increases the potential effectiveness of differential cryptanalysis, because one can make use of characteristics that do not propagate through the complete cipher. Also, certain kinds of added complexities, such as a bit transpose in the middle of the cipher, do not serve as a barrier to this method, since two values differing by an XOR with some value merely differ by an XOR with some other value after a bit transpose.

However, it has its limitations. It only produces a result if both characteristics are present; it does not allow testing for each characteristic independently. Even so, it seems to double the number of rounds a cipher needs to be considered secure. Since at one end of a sequence of rounds, the precise difference between blocks that is required for the characteristic must be input, it isn't possible directly to cascade this method to break a block cipher into four or more pieces.
Note that any single Feistel round has a large family of "characteristics" that is 100% probable, but which tells nothing about the key, since any pattern that involves leaving the half that is input to the F-function unchanged, but involves an XOR to the half that is XORed with the output of the F-function, applies; so one of the things this method can do is allow the use of attacks against the first or last 15 rounds of DES against 16-round DES. Hence, if by some other trick a block cipher with 16 rounds could be broken into 16 pieces like this, one could test for an informative characteristic which applied to any single round.
The Boomerang Amplifier Attack
A technique called the boomerang amplifier attack works like this: instead of considering the pairs of inputs, differing by the XOR required for the characteristic of the first few rounds, as completely independent, one could note that it would be quite likely that somehow, taking two such pairs at a time, one could obtain any desired XOR difference between two such pairs by the birthday paradox. This allows a boomerang attack to be mounted with only chosen plaintext, instead of adaptive chosen ciphertext as well.

I wondered if one could use the boomerang amplifier technique noted above to allow breaking a block cipher up into three pieces instead of two. First, you start by enciphering a large number of chosen plaintext pairs, differing by the XOR amount required for the characteristic of the first piece. By the birthday paradox, there will be a good chance of some pair of two of those pairs, somewhere among that number, which differ by the right amount to engage the differential characteristic of the middle piece.
I then take all the outputs of this process, and XOR them by the quantity required to engage, upon decipherment, the characteristic of the third piece.
Doing so ensures that the corresponding two pairs of blocks also have the XOR amount for the characteristic of the middle piece, this time in the reverse direction, as can be seen more clearly when we look at the following diagram of the upwards journey by itself.
Unfortunately, though, the thing about a differential characteristic is that it only refers to the XOR between two blocks, and not the values of the blocks. If a characteristic implies that A xor B equals X xor Y, and equals the characteristic, then it is true that A xor X and B xor Y are equal, but the value to which both of them are equal could have any value. Hence, we have not preserved any structure that implies that we will have the correct differential for the first piece, during decipherment.
Well, we can still apply the differential for the first piece, and then continue in the reverse order again.
But we run into the same problem; we have no characteristic preserved on output. So it appears that breaking a block cipher into three parts is hopeless. But then we notice that, by iterating in this fashion over our large number of input pairs, we can indefinitely preserve the characteristic in the middle. This would only work if the characteristics involved had probability one, or very nearly one.

Assuming that somehow this could be overcome, though, since one has produced a large number of pairs, in the same spot within our large number of pairs, that have the middle differential activated, if one of the elements of each of two pairs differs from the same element in another cycle by the right amount for the top differential, then the one connected with it by the middle differential will also match, not the other member of the same pair, and this is how the two pairs involved with the middle differential can finally be distinguished.

But the birthday paradox just says that, to find two matching values for a block having N values, you only need a number of blocks proportional to the square root of N. Using the birthday paradox twice means that the complexity of this attack is proportional to the square root of N times itself, in other words, to N, and so this attack, even if it were possible, has a complexity equivalent to that of the codebook attack: just use as chosen plaintext every possible input block, and record the result.
Cryptanalysis, Almost by Aimlessly Thrashing About
Cryptanalysis is hard work, requiring a willingness to endure many false starts, and a painstaking attention to detail. It requires intelligence to see subtle patterns in incomprehensible ciphertext.

Automated aids to cryptanalysis come in many forms. Some collect statistical information about ciphertexts, thus removing one bit of drudgery from human shoulders. Others, such as the Bombe used in attacking the German Enigma, or the DES cracker built by the Electronic Frontier Foundation, or the converted unit record equipment (punched card machines) which compared Japanese code messages to one another at various displacements to find messages with overlapping superencipherment groups, work by trying thousands, or millions, of possibilities, one after another.

Neither of these techniques is adequate to deal with many cipher systems, particularly modern ones. A well-designed cipher will not offer a simple opportunity to try different possibilities to find partial information about the key, and will have a key large enough to make trying every possible key hopeless. Nor is ordinary statistical information about the frequencies and contacts of bytes in the ciphertext likely to be much use. Thus, approaches taken from the field of AI (artificial intelligence) have been tried. In these approaches, it is attempted to combine the speed of the computer with steps that at least slightly move towards the skill and judgement of a human cryptanalyst.
Hill-climbing
Because the individual bits of the subkeys in DES are actual bits taken from the 56-bit DES key, an approach like the following to recover a DES key must have occurred to many people. Given a block of known plaintext, and its corresponding ciphertext, starting with a random 56-bit possible key, do the following:
- Encipher the known plaintext with that key, and with every one of the 56 other keys obtained by inverting one bit of that key.
- Compare the resulting ciphertext to the actual ciphertext.
- In those of the 56 cases where the flipped bit results in the ciphertext produced differing in fewer bits from the actual ciphertext than that produced by the original trial key, invert that bit of the trial key to obtain the next trial key.

This is a simple example of a hill-climbing algorithm, where the number of bits by which a trial encipherment differs from the actual ciphertext is a measure of one's (lack of) altitude. It would, however, never work against DES. That is because of the avalanche property of DES; changing a single bit in a DES key results in every bit of the block being enciphered being changed randomly after only a few rounds. Thus, even attempting to improve the hill-climbing algorithm above by, for each trial, enciphering the known plaintext for eight rounds with the trial key, and deciphering the actual ciphertext for eight rounds with the trial key, and then determining the number of bits by which these two results differed would not be enough to help.

Another idea would be to choose two rounds of DES, and by determining the input to those rounds by enciphering the known plaintext by the previous rounds, and the required output from those rounds by deciphering the actual ciphertext by the following rounds, examine the two 48-bit subkeys for the rounds, and, by examining the four possibilities for each group of 6 bits in those subkeys to produce the required change in each half of the block, find those which are consistent with the origin of those two subkeys from the original 56-bit key, and then try the resulting new 56-bit key or keys on the basis that it or they might be improvements over the preceding trial key.
Genetic Programming
A thesis by A. J. Bagnall described the ciphertext-only solution of some simple rotor machines by means of the technique of genetic programming. Genetic programming is a method by which a computer produces an answer to a question, or even a computer program to perform a task, by mimicking the process of natural selection. As noted in the thesis, and in the book Artificial Life by Steven Levy, this technique was originated by John Holland in the mid-1960s, and his student David Goldberg was one of the first to refine the technique so that it could be used in practice with real problems of importance. It can be thought of as a special case of the hill-climbing algorithm, in that a quantitative measure of how "warm" the computer is in approaching the desired solution is required.

Programs or answers must be in the form of a chain of discrete elements, such that there is at least a reasonable likelihood that a chain formed by taking one chain, and replacing a span of elements within it by the corresponding elements from another chain, will "make sense". (This may be noted as the second major use of sex for the purpose of obtaining the codes of foreign powers.) Random mutations are also usually used, although genetic crossover has been found to be much more important. Starting with a random selection of solutions, those that work best are retained, and used as the parents of the next generation of solutions to be tried. Often, this retention is also randomized, so that better solutions have a higher probability of being retained.

One type of mutation that happens in real life has not, to my knowledge, been used for genetic programming yet. Occasionally, plants and animals will increase the size of their genetic inheritance by duplicating part of it. Thus, a finite state machine could mutate by becoming a machine with twice as many states. It might be useful to make provision for this where a problem might be more complex to solve than initially realized.
Hidden Markov Models
The use of hidden Markov models is a powerful modern statistical technique that has been applied to many subject areas, from predicting political crises to the reconstruction of DNA and the recognition of speech. It has been claimed that this technique is of some relevance to cryptanalysis, and this may very well be true, considering its nature.

The September 1964 issue of Scientific American illustrated a Markov chain by showing two containers with numbered balls in them. Numbered slips of paper were drawn repeatedly, with replacement, from a third container, and each time, the ball whose number was drawn was transferred to the one of the first two containers other than the one it was in. The number of balls in the first container, which initially contained all of them, would typically decline in a fashion that resembled exponential decay to containing only half of the balls. This modelled the physical process of allowing two chambers, containing a gas at different levels of pressure, previously separated, to be connected.

This illustrated the basic feature of a Markov process. It involves probability. But in addition to a random event, the final result, in this case the number of balls in the first container, also depended on the 'memory' of the system. This particular example, however, involves a system with a large number of states, although all the states with the same number of balls in the first container can be considered equivalent due to symmetry. In the formulation of hidden Markov models, each state is referred to individually, and thus illustrative examples of these models have a small number of states.

In a hidden Markov model, then, a system has a number of states, S(1) to S(n). The probability that the system, if it was in state i on one turn, will be in state j in the next turn, is called P(i,j). The states of the system are not known, but the system does have one observable value on output, which has m possible values from 1 to m. For the system in state i, the probability that output value v will be produced is called O(i,v). Note that the transition probabilities depend only on the state, not the output.

The following example involves a state which depends on the output: Someone with two dice, one red and one blue, the red die marked with H on two faces, and T on the other four, and the blue die marked with H on four faces, and T on the other two, is providing you with a sequence of H and T produced by the dice, based on the rule that whenever H comes up, the red die is thrown next time, and whenever T comes up, the blue die is thrown next time. This produces a sequence of heads and tails that has each output equally often, but which favors alternations over repetitions. Such models can be transformed into models which depend only on the state by including the previous output in the following state. This example, though, can't form part of a hidden Markov model, since the previous output completely specifies the following state. But it can form the basis of a somewhat more elaborate example.
A Hidden Markov Model Example
Let us think of five dice, with colors and faces as follows:

    orange   h t T T T T
    red      H h t T T T
    green    H H h t T T
    purple   H H H H h t
    blue     H H H h t T
where the lowercase letters indicate circled uppercase letters on the faces of the dice, as illustrated below:
and the exact rules for using these dice will be given below.
But it will be easier to understand those rules if we think of this set of dice as having been gradually built up starting from just the red and blue dice, using simpler rules. The red die favors T, and the blue die favors H. One way to produce a sequence of H and T with the dice would be to always throw a die that favors the symbol opposite to the one previously thrown.

Then we add a second set of dice, orange and purple. As with the red and blue dice, the orange die favors T, and the purple die favors H. But with this pair of dice, the favoritism is stronger. So, now, we add some rules. When throwing the red or the blue die, if we get the result that is not favored, thus throwing a second H or T in a row, we switch on the next turn to the pair of dice with stronger favoritism. When throwing the orange or the purple die, if we get the result that is favored, we relax, and switch to the less biased red and blue dice. With the additional dice, a throw of H always implies we use one of the dice that favor T, but now either the red die or the orange die is possible, and similarly for the blue and purple dice and a throw of T.

Then we extend the model to bring in a green die, that is 'below' the red and blue dice in the same way that the orange and purple dice are 'above' the red and blue dice. Now, a favored result with the red and blue dice moves down to the green die. Results on the green die are always treated as if they were not favored, resulting in a move to increased bias with the red and blue dice.

But to allow some variation in how the model moves from state to state, even given the previous state as well as whether an H or a T was thrown, I then added the circled H and T, which cause one to stay with the dice having the current level of bias. Thus, the exact rules are:
- On each turn, one die is thrown. The output from that turn will be either H, if H or h is thrown, or T, if T or t is thrown.
- When H (or h) is thrown, the die thrown next turn will be one of (orange, red, green); when T (or t) is thrown, the die thrown next turn will be one of (purple, blue, green).
- When either h or t is thrown, the die used on the next throw will belong to the same rank as the die used on the previous throw, where the ranks are (orange, purple), (red, blue), and (green).
- When the less probable value, for the particular die thrown, of H or T is the result (not h or t: the consequences of those results have already been dealt with, and are not described in what follows) of a throw of the (red, blue) die, the next throw will be of (orange, purple).
- When the only available value, for the particular die thrown, among the two alternatives of H or T is the result of a throw of (orange, purple) dice, (red, blue) dice will be used on the next turn.
- When the more probable value, among the two alternatives of H or T, is the result of a throw of the (red, blue) die, the green die will be used on the next turn.
- If either H or T (not h or t) is thrown with the green die, the next throw will be of (red, blue).
This does not have the proper form for a hidden Markov model as it stands, because the next state depends on the output from a state as well as the previous state. If we take the probability of the next state, interpreted as the color of the die being thrown, and the probability of the two outputs H and T from each state, these probabilities are not independent.

In order to consider this situation with a hidden Markov model, we need to do two things. The first thing is to shift the outputs in time: to consider that the output from throwing the red die is always H, based on the face that turned up in the previous throw of the dice. This lets the random event of the die throw show up once only, in the state transition, and not in two separate places where it is not independent. The second thing is to divide the state of throwing the green die into two states, HG and TG, indicating whether H (or h) or T (or t) was face up on the previous throw, so that this forwards assignment of the output can work.

This can be analyzed as a hidden Markov model by thinking of six states: O, P, R, B, HG and TG, as follows. Each entry gives the number of faces, and the face thrown, that lead from the state in the row to the state in the column; the last column is the output the state shows:

    State     Next State, Face                         Showing
              O     P     R     B     HG    TG
    O         1h    1t    .     4T    .     .          H
    P         1h    1t    4H    .     .     .          T
    R         1H    .     1h    1t    .     3T         H
    B         .     1T    1h    1t    3H    .          T
    HG        .     .     2H    2T    1h    1t         H
    TG        .     .     2H    2T    1h    1t         T

The numbers in the state transition matrix are chances out of six.
From Model to Behavior
Knowing the details of the model, we can ask the question of how it will behave. This is essentially a trivial question, because it can be solved by what is almost simple arithmetic, and what is standard algebra.
One must find a set of probabilities for the states such that, when these probabilities are fed into the state transition matrix, the same probabilities will come out. Since probabilities must add up to 1, this problem is equivalent to finding the eigenvectors of a matrix (vectors that, when multiplied by a matrix, produce the same vector, possibly multiplied by a constant). Here, it is obvious that each of O, R, and HG will have the same probability as its counterpart P, B, and TG, and we can just consider the scaled-down matrix

           OP    RB    G
    OP      2     4    .
    RB      1     2    3
    G       .     4    2

giving the three equations

    a' = 1/3 a + 1/6 b
    b' = 2/3 a + 1/3 b + 2/3 c
    c' = 1/2 b + 1/3 c

in which we can promptly replace a', b', and c' by a, b, and c. (If a is the probability of OP at time t, a' stands for its probability at time t+1, but we are looking for solutions where the probability is constant.) Thus, these equations simplify to:

    2/3 a = 1/6 b
    2/3 b = 2/3 a + 2/3 c
    2/3 c = 1/2 b

and the first and third equations are enough to tell us that

    4a = b
    4c = 3b

so a, b, and c are in the proportions 1:4:3, making the equilibrium probabilities that each color of die will be used:

    orange   purple   red    blue   green
    1/16     1/16     1/4    1/4    3/8
Incidentally, without circled letters (except that the lone H on the orange die, and the lone T on the purple die, would still behave as if circled), the steady state probabilities would instead work out to:

    orange   purple   red     blue    green
    3/31     3/31     15/62   15/62   10/31

from the simplified matrix

           OP    RB    G
    OP      1     5    .
    RB      2     .    4
    G       .     6    .
Calculating the probability of an individual sequence of outputs from such a model can be performed by straightforward arithmetic. Knowing the initial state, let us say that we began by throwing the green die, what is the probability of throwing HTH?

On the first throw, the chance of throwing H or h is 1/2. On the second throw, our chance of using the green die again (having thrown h) is 1/3, and the chance of throwing T or t with it is 1/2. Our chance of using the red die (having thrown H) is 2/3, and our chance of throwing T or t with it is 2/3. So our total chance of throwing T or t is 1/6 + 4/9, or 11/18.

On the third throw, our chance of using the green die is equal to the sum of 1/3 (our chance of having used the green die on the last turn) times 1/3 (our chance of throwing t with it, given that we threw T or t) and 2/3 (our chance of having used the red die on the last turn) times 3/4 (our chance of throwing T with it, given that we threw T or t). Using the green die, our chance of throwing H or h is 1/2. Our chance of using the blue die, similarly, is equal to the sum of 1/3 times 2/3 and 2/3 times 1/4. Using the blue die, our chance of throwing H or h is 2/3.

Calculating these probabilities in a naive fashion, however, leads to a large amount of multiplication due to the constantly expanding tree of probabilities. The method known as the forward calculation avoids this: what must be done is to remember to keep adding together all the probabilities of using a particular color of die in a given step, instead of each time multiplying them all out from the beginning.
From Output to States
A more advanced problem is this: given a particular sequence of outputs, can we determine the set of internal states that most likely gave rise to it? The method used for solving this problem is called the Viterbi algorithm. (You may have already heard this name in connection with the patented technique of Viterbi decoding applied to error-correcting codes.) We could assume that the color of die used for the first throw is selected according to the equilibrium probabilities calculated above; but a Markov process does not need to start at equilibrium, as our other example showed. So let us assume that the first throw is of the green die. If the sequence of outputs is as follows: HTHHTTHTHTHHTT, then for a particular sequence of colors of dice, we can, as Viterbi proved, simply assign a weighting value to that sequence based on multiplying together the individual probabilities of each state transition, and each output given the assumed state. So the sequence with the highest weight is the most probable. In this example, though, each state produces a specific output with probability 1. Having circled letters on the dice does mean at least that the (following) output and the state do not together strictly determine the following state. Because of this, to allow the Viterbi algorithm to be more properly illustrated, I will complicate the model slightly more, by adding a white die with five blank faces, and one marked with an X. If the face marked with an X turns up, the output will be inverted, so that it will be H in the next turn when either T or t turns up in the current turn, and T in the next turn when either H or h is thrown on the die. Thus, if for the sequence of outputs H T H H T T H T H T H H T T a particular alternation of dice, beginning TG, R, TG (the original pairs every output with a state in a table, which is not reproduced here),
is assumed as the sequence of states, the weighting for that particular sequence of states would be calculated like this: Given state TG, the probability of state R on the next turn is 1/3 overall, but given that we know we will have an output of H, the weight of this particular sequence is 1/3 * 5/6, the overall probability of state R times the probability it will be associated with an output of H in our more complicated model.
Note that the point at which the white die is thrown doesn't really matter; in a sense, again, we are throwing it a turn early. Then, given state R, the overall probability of state TG on the next turn is 1/2. The probability that this state will be associated with an output of T is once again 5/6. It is clear that for any sequence of outputs and states, a weighting can be calculated. But for a given long sequence of outputs, there is an immense number of possible sequences of states to choose from in order to find the most probable. This is what the Viterbi algorithm helps to deal with. If we consider the possibilities for the first n states, we retain not just the set of states with the highest weight, but also the set of states with the highest weight for all other possibilities for the state at time n in addition to the one in the set of states with overall highest weight. Then, to obtain the set of states with overall highest weight for the first n+1 states, and also the set of states with highest weight for any possible state at time n+1, we only need to consider possibilities involving the sets of states from time 1 to time n that we previously retained.
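The forward calculation of the previous section and the Viterbi retention rule described here, as one added Python example (not from the original page): it uses exact fractions and encodes only the dice probabilities the text states; the die names and the fixed start with the green die follow the text, and the white die is left out.

```python
from fractions import Fraction as F

# Dice model taken from the text above.  A state is the die in hand, an output is
# H or T (upper and lower case merged), and which die is thrown NEXT depends on the
# current die and the output it produced.  Only the transitions the text states
# are filled in; the ones it does not give are deliberately left out, so a
# sequence that needs them raises KeyError instead of using invented numbers.
EMIT = {
    "green": {"H": F(1, 2), "T": F(1, 2)},
    "red":   {"H": F(1, 3), "T": F(2, 3)},
    "blue":  {"H": F(2, 3), "T": F(1, 3)},
}
NEXT = {
    ("green", "H"): {"green": F(1, 3), "red": F(2, 3)},
    ("green", "T"): {"green": F(1, 3), "blue": F(2, 3)},
    ("red", "T"):   {"green": F(3, 4), "blue": F(1, 4)},
}


def naive(outputs, start="green"):
    """The expanding tree: every sequence of dice is multiplied out separately."""
    def branch(die, i):
        p = EMIT[die][outputs[i]]
        if i == len(outputs) - 1:
            return p
        return p * sum(t * branch(nxt, i + 1)
                       for nxt, t in NEXT[(die, outputs[i])].items())
    return branch(start, 0) if outputs else F(1)


def forward(outputs, start="green"):
    """The forward calculation: at each step keep ONE accumulated probability per
    die (summing every way of reaching it) instead of one per path."""
    mass = {start: F(1)}
    for i, sym in enumerate(outputs):
        mass = {die: p * EMIT[die][sym] for die, p in mass.items()}
        if i == len(outputs) - 1:
            break
        following = {}
        for die, p in mass.items():
            for nxt, t in NEXT[(die, sym)].items():
                following[nxt] = following.get(nxt, F(0)) + p * t
        mass = following
    return sum(mass.values())


def viterbi(outputs, start="green"):
    """Most probable sequence of dice and its weight.  For every die possible at
    step n only the best path ending in it is retained, and those paths alone are
    extended to step n+1 (the retention rule described above)."""
    if not outputs:
        return [start], F(1)
    best = {start: (F(1), [start])}
    for i, sym in enumerate(outputs):
        best = {die: (w * EMIT[die][sym], path) for die, (w, path) in best.items()}
        if i == len(outputs) - 1:
            break
        following = {}
        for die, (w, path) in best.items():
            for nxt, t in NEXT[(die, sym)].items():
                candidate = (w * t, path + [nxt])
                if nxt not in following or candidate[0] > following[nxt][0]:
                    following[nxt] = candidate
        best = following
    weight, path = max(best.values(), key=lambda wp: wp[0])
    return path, weight


if __name__ == "__main__":
    print("P(HTH | green first) =", forward("HTH"), "naive:", naive("HTH"))
    print("most probable dice for HTH:", viterbi("HTH"))
```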
From Output to Model
This is the most complicated of the problems. Here, we assume that the model has one or more variable parameters in its description, and we are looking for the values of those parameters which would make an observed sequence of outputs the most likely. Two major methods are used. One, the segmental K-means method, is used for obtaining an initial approximation to the model, and involves assuming that a particular set of states accompanies the known outputs. The Baum-Welch estimation algorithm is then used to obtain the best fit of the model to the output sequence considering all possible sequences of states that could have produced the known output. One of the statistical concepts used in carrying out these methods is the Kullback-Leibler distance measure, used to compare two probability distributions. And yes, that is Solomon Kullback, from among the team of cryptanalysts who solved PURPLE.
Stream Ciphers
Two methods of generating pseudorandom bits, both in themselves very weak from a cryptographic point of view, because they are based on recurrence relations of a linear nature, are still at the root of most stream ciphers. The same simple mathematical properties that make them vulnerable to cryptanalysis at least ensure that they will generate sequences with a long period. One is the linear feedback shift register, most often used in hardware designs. Another is the mixed congruential pseudorandom number generator, usually used in software.

The first section following will deal with stream ciphers based strictly on single-bit shift registers; the second section will deal not only with linear congruential pseudorandom number generators, but with other techniques, including a byte-wide shift register.

Although one usually thinks of pseudorandom number or bit generation when one thinks of stream ciphers, the cipher produced by a rotor machine, which is a changing substitution (as opposed to a changing displacement, as produced by a Hagelin lug and pin machine), is still classed as a stream cipher. Also, even if the plaintext is modified by a simple XOR, the value used, instead of being generated by a process that feeds back only on itself, or which produces a function of a counter value, could be produced by a function of the last few bytes of plaintext or ciphertext, thus giving a cipher of the autokey type.

In general, autokey ciphers have poor error-propagation characteristics. However, a stream cipher which uses the last few ciphertext bytes only to determine how the next plaintext byte is to be enciphered is called a self-synchronizing stream cipher, because it can recover after an error, even if the error is a sufficiently long burst that even the count of the number of bytes received is lost. The Cipher Feedback (CFB) mode of DES is an example of this class of cipher, although in that case one would need to know the boundary between 8-byte blocks to recover.
Another, more elaborate, example would work like this:

      Plaintext byte
           |
         (sub)                          preceding eight
           |                            ciphertext bytes
          XOR <--- output byte 1 <----------.
           |                                |
         (sub)                              D
           |                                E
          XOR <--- output byte 2 <----------S
           |                                |
         (sub)                              |
           .                                .
           .    (eight XORs in all)         .
           |                                |
          XOR <--- output byte 8 <----------'
           |
         (sub)
           |
      Ciphertext byte (shifted into the eight-byte feedback register)

in which the preceding eight bytes of ciphertext are fed back into DES encryption, and then the eight output bytes from the DES encryption are XORed to the plaintext byte, between eight byte-substitution stages (each one using a key-dependent permutation of the 256 values from 0 to 255). This produces a highly secure cipher, but takes eight times as long as conventional DES encryption.
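An added Python rendering of this construction (not code from the page): following the diagram, a substitution precedes the first XOR and follows the last, nine in all, with the eight keystream bytes XORed in between. DES is stood in for by a keyed pseudorandom function (HMAC-SHA-256 truncated to eight bytes), since CFB-style feedback only ever uses the block cipher's encryption direction, and the key schedule for the substitutions, the all-zero starting register and the demo key and message are constructed for the example. The last function checks the self-synchronizing property by corrupting one ciphertext byte.

```python
import hashlib
import hmac
import random

BLOCK = 8
IV = bytes(BLOCK)                  # constructed: all-zero starting feedback register
DEMO_KEY = b"constructed-demo-key"
DEMO_MESSAGE = b"The quick brown fox jumps over the lazy dog, twice over."


def block_prf(key: bytes, feedback: bytes) -> bytes:
    """Stand-in for DES encryption of the eight-byte feedback register."""
    return hmac.new(key, feedback, hashlib.sha256).digest()[:BLOCK]


def make_sboxes(key: bytes, count: int = BLOCK + 1):
    """Key-dependent permutations of 0..255 and their inverses (constructed schedule)."""
    rng = random.Random(hashlib.sha256(b"sbox-schedule" + key).digest())
    boxes, inverses = [], []
    for _ in range(count):
        perm = list(range(256))
        rng.shuffle(perm)
        inv = [0] * 256
        for i, v in enumerate(perm):
            inv[v] = i
        boxes.append(perm)
        inverses.append(inv)
    return boxes, inverses


def encrypt(key: bytes, plaintext: bytes, iv: bytes = IV) -> bytes:
    boxes, _ = make_sboxes(key)
    register = bytearray(iv)                 # the preceding eight ciphertext bytes
    out = bytearray()
    for p in plaintext:
        keystream = block_prf(key, bytes(register))   # one block encryption per byte
        x = boxes[0][p]
        for i in range(BLOCK):
            x = boxes[i + 1][x ^ keystream[i]]
        out.append(x)
        register = register[1:] + bytes([x])
    return bytes(out)


def decrypt(key: bytes, ciphertext: bytes, iv: bytes = IV) -> bytes:
    _, inverses = make_sboxes(key)
    register = bytearray(iv)
    out = bytearray()
    for c in ciphertext:
        keystream = block_prf(key, bytes(register))
        x = c
        for i in reversed(range(BLOCK)):
            x = inverses[i + 1][x] ^ keystream[i]
        out.append(inverses[0][x])
        register = register[1:] + bytes([c])   # feedback is the ciphertext as received
    return bytes(out)


def damaged_positions(key: bytes, plaintext: bytes, index: int) -> list:
    """Flip one bit of ciphertext byte `index` and list the plaintext positions that
    then decrypt wrongly: the byte itself and at most the following eight, after
    which the feedback register again holds only undamaged ciphertext."""
    ct = bytearray(encrypt(key, plaintext))
    ct[index] ^= 0x01
    pt = decrypt(key, bytes(ct))
    return [i for i in range(len(plaintext)) if pt[i] != plaintext[i]]


if __name__ == "__main__":
    print(encrypt(DEMO_KEY, DEMO_MESSAGE).hex())
    print("positions lost after one corrupted byte:",
          damaged_positions(DEMO_KEY, DEMO_MESSAGE, 10))
```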
  - Shift-Register Stream Ciphers
      - An Illustrative Example
      - Other Constructions
      - More Realistic Examples
  - Other Stream Ciphers
      - Panama
  - A Note on the Importance of Galois Fields
Shift-Register Stream Ciphers
The linear feedback shift register, most often used in hardware designs, is the basis of the stream ciphers we will examine here. A string of bits is stored in a string of memory cells, and a clock pulse can advance the bits one space in that string. The XOR of certain positions in the string is used to produce the new bit in the string for each clock pulse. It is possible to choose the positions in the string to XOR so that, as long as the memory cells are not initially loaded with all zero bits, the period of the sequence of bits produced by that XOR is 2^n - 1, where n is the number of cells in the string. The following diagram illustrates an LFSR associated with the polynomial x^10 + x^6 + 1:

    +-->| x | x^2 | x^3 | x^4 | x^5 | x^6 | x^7 | x^8 | x^9 | x^10 |--> output
    |                               |                            |
    +-------------------------- XOR <+----------------------------+

The x^10 and x^6 terms in the polynomial correspond to the two tapped cells in the shift register shown; the 1 in the polynomial does not correspond to a tap. If the polynomial to which an LFSR corresponds is primitive, which means that in addition to being irreducible (a property similar to the property of being prime for an integer) it satisfies some additional mathematical conditions, the LFSR will have its maximum possible period, which is 2^n - 1 where n is the length of the shift register in cells. Because an LFSR works by taking the XOR of selected bits in its internal state, any LFSR containing all zero bits will never move to any other state, and so that one possible state must be excluded from any cycle of more than one state. An LFSR with maximum period always has an even number of taps. Also, the cell with the oldest bit in the shift register is always tapped. This rule is very general, and applies even to nonlinear shift registers, for a simple reason that can be seen in the following diagram:
the sequence produced from a shift register whose last few cells are not tapped is identical to that produced by a shift register otherwise identical from which those cells are omitted, except for a delay.
(Note that some popular references on cryptography erroneously show the x^n term in an LFSR's characteristic polynomial, which is always present, as corresponding to the cell with the newest bits, and show the x term, which is not always present, as corresponding to the cell with the oldest bits, which in fact must always be tapped. This is a result of diagrams that show the bits in the LFSR as moving in the wrong way.) It should be noted, however, that primitive polynomials have a reversal property that does allow an alternative way of matching the terms in a polynomial to the possible taps in a shift register, as illustrated below:
but in the reverse case, the cell with the oldest bits corresponds to the always-present 1 term (thus, the equivalents only go up to x^(n-1), and x^n does not correspond to a possible tap), not to the x term, which need not be present in the polynomial. The reversal property is this: the polynomial x^n + x^p + x^q + x^r + ... + 1 is primitive if and only if the polynomial x^n + ... + x^(n-r) + x^(n-q) + x^(n-p) + 1 is also primitive.
Well-known Polynomials

Incidentally, just as it is unwise to use a very well-known word or phrase as a key, some primitive polynomials modulo 2 are also "well-known", since they have been used in common systems. Some examples are:

Used in Cyclic Redundancy Check codes:

  CRC-12:      x^12 + x^11 + x^3 + x^2 + x + 1
  CRC-16:      x^16 + x^15 + x^2 + 1
  CCITT:       x^16 + x^12 + x^5 + 1
  AUTODIN II:  x^32 + x^26 + x^23 + x^22 + x^16 + x^12 + x^11 + x^10 + x^8 + x^7 + x^5 + x^4 + x^2 + x + 1

Permitted (under regulations which are now out of date) for use in generating spread-spectrum sequences by radio amateurs:

  7-bit:   x^7 + x + 1
  13-bit:  x^13 + x^4 + x^3 + x + 1
  19-bit:  x^19 + x^5 + x^2 + x + 1

Originally alleged as used in the A5 European cellular telephone algorithm:

  x^19 + x^5 + x^2 + x + 1
  x^22 + x^9 + x^5 + x + 1
  x^23 + x^4 + x^3 + x + 1

Actually used in the A5 cellular telephone algorithm, according to more recent information:

  x^19 + x^5 + x^2 + x + 1
  x^22 + x + 1
  x^23 + x^15 + x^2 + x + 1
  x^17 + x^5 + 1

Used by GPS satellites:

  x^10 + x^3 + 1
  x^10 + x^9 + x^8 + x^6 + x^3 + x^2 + 1
Note that the A5 polynomials (in the older version, at least) are used with the x^(n-1) to 1 convention, and feedback is concentrated on the older bits in the shift register. (This, and not the x^n to x convention, going the other way, may well be the usual one.) Also, while all LFSRs, used directly, are insecure, LFSRs with many taps (not having "sparse" feedback polynomials) produce a sequence that seems more random, and when used in a system that combines several LFSRs, combined in a way that achieves cryptosecurity, they are better. Presumably, that feature is also useful when LFSRs are used in performing CRCs; note especially the AUTODIN II (AUTODIN is a U.S. military communications system) polynomial above.
The Galois Configuration
In addition to the conventional configuration, where each new bit input to the shift register is the XOR of several bits in the register, a shift register may also be implemented in Galois configuration, where the single bit shifted out of the register is XORed with several bits in the shift register.
The following diagram illustrates the relation between the conventional configuration and the Galois configuration of a shift register:
In the conventional configuration, the bits moving through the shift register are also bits in the sequence it generates as output. Hence, each new bit entered into the register is the XOR of several previous bits in the sequence. In the Galois configuration, generated bits are also the XOR of previous bits in the sequence, but in this case as the oldest bit included in that XOR moves through the shift register, it is XORed one at a time with the other bits as it reaches the appropriate positions in the shift register.
The Galois Field
Speaking of Evariste Galois, the reason that primitive polynomials modulo 2 are important is that by using them as the modular polynomial in polynomial multiplication, one can create a Galois Field of order 2^n with a polynomial beginning with x^n. A field is an algebra with both addition and multiplication, the elements of which form a group under the addition operation, and in which the multiplication operation, over all the elements of the field except zero, also creates a group. Thus, addition and multiplication modulo a prime create a finite field. The term Galois Field is used to refer to finite fields, because Galois proved that the only finite fields were either those whose order was a prime, and were of the type described above, or those whose order was a power of a prime, and whose elements were treated as polynomials, the coefficients of which were modulo that prime, the polynomials themselves being modulo a modular polynomial which was not merely irreducible (not factorable into smaller polynomials) but also primitive; the kind of polynomial that can produce a shift register. Here is one representation of the Galois Field of order 8 (or 2^3):

   + | 0 1 2 3 4 5 6 7        * | 0 1 2 3 4 5 6 7
  ---+----------------       ---+----------------
   0 | 0 1 2 3 4 5 6 7        0 | 0 0 0 0 0 0 0 0
   1 | 1 0 3 2 5 4 7 6        1 | 0 1 2 3 4 5 6 7
   2 | 2 3 0 1 6 7 4 5        2 | 0 2 4 6 3 1 7 5
   3 | 3 2 1 0 7 6 5 4        3 | 0 3 6 5 7 4 1 2
   4 | 4 5 6 7 0 1 2 3        4 | 0 4 3 7 6 2 5 1
   5 | 5 4 7 6 1 0 3 2        5 | 0 5 1 4 2 7 3 6
   6 | 6 7 4 5 2 3 0 1        6 | 0 6 7 1 5 3 2 4
   7 | 7 6 5 4 3 2 1 0        7 | 0 7 5 2 1 6 4 3
This particular representation of that field is the one which uses x^3 + x + 1 as the modular polynomial. Thus, the bits in the binary representation of the numbers in these tables are treated as the coefficients of polynomials. Since polynomial addition deals with each coefficient independently, and it is done here modulo 2, the addition table should look familiar: it is the table for the bitwise XOR operation. The field illustrated can be denoted as GF(2^3) or GF(8). The group which multiplication, exclusive of zero, forms is isomorphic to addition modulo 7; that is, it is the cyclic group of order 7. In general, this is true for any Galois field; for GF(n), the multiplicative group is the cyclic group of order n - 1. While the table looks different, this means that it can be made identical to that for addition modulo 7 by replacing each of the numbers from 1 to 7 by another number from 0 to 6. There is further discussion of Galois Fields in the description of the Decorrelated Fast Cipher, the description of Rijndael, and on a page specifically about that topic.
Finding Maximum-Period LFSRs
We have seen above how to construct a shift register from its corresponding polynomial. And it is noted that the polynomial must be primitive for the shift register to have maximum period. How does one construct primitive polynomials? One way is to construct arbitrary polynomials which correspond to the properties of the shift register sought, in length and in number of taps, and test them. This, at least, can be done fairly simply.

If the polynomial is of the form x^n + ... + 1, that is, of degree n, then (for a polynomial whose coefficients are modulo 2) the condition that must be met is that x^(2^n - 1) must be equal to 1 modulo the polynomial, but x^((2^n - 1)/p), for any prime p which divides 2^n - 1, must not be equal to 1 modulo the polynomial. If the coefficients of the polynomial were modulo 3, we would use 3^n - 1, and so on.

Let us take the polynomial x^7 + x + 1. This corresponds to the binary string 10000011. 2^7 - 1 is 127, and is the maximum period of a shift register built from a polynomial of degree 7. x^127 modulo x^7 + x + 1 is what the binary string consisting of a 1 followed by 127 zeroes would become, after being XORed with 10000011 shifted as far left as necessary to zero out its first digit, repeated until one obtains a 7-bit string. Doing that is exactly equivalent to running the shift register in the Galois configuration, and so the reason for the condition is now obvious: if the shift register has maximum period, the 0000001 state will recur at the end of that period; and if it does so recur, this recurrence mustn't be a repeated occurrence. The only possibilities to eliminate to exclude that are the periods of which the maximum period is a multiple, and dividing the maximum period by its prime factors alone eliminates them all: the state 0000001 might recur more often, but it won't miss having one of those numbers as a multiple of the period.
Of course, applying 10000011 to 1 followed by 127 zeroes would be somewhat slow, and for a much longer shift register, 2^n - 1 would be an enormous number. However, raising x to a high power by polynomial multiplication can be done by repeated squaring; just as that technique can be used to speed up taking numbers to powers, it can be used for exponentiation in other domains as well. When n is composite, 2^n - 1 has some obvious factors. That's because 111111 is equal to 111 times 1001, and it's also equal to 11 times 10101. That's as true in binary notation as in decimal notation. This doesn't mean that there aren't other factors of 2^n - 1, though. Thus, when n is prime, 2^n - 1 is not always prime. Sometimes it is, though, and then 2^n - 1 is called a Mersenne prime. If the degree of the polynomial to be tested is a value of n for which 2^n - 1 is a Mersenne prime, it is simpler to test if the shift register polynomial is primitive. However, doing the extra tests is not too great a problem; it's factoring 2^n - 1 which, in general, might be the difficult step.
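Added Python example (not from the page) covering the Galois-field tables above and the primitivity test and two register configurations just described: polynomials are ints whose bits are the coefficients, the primitivity test is exactly the x^(2^n - 1) and x^((2^n - 1)/p) criterion, and both the conventional and the Galois register are clocked to measure their actual period. The x^10 + x^6 + 1 polynomial from the earlier diagram is among the cases tried.

```python
# Polynomials over GF(2) are ints whose bits are the coefficients: x^7 + x + 1 is
# 0b10000011, exactly the binary string used in the text.

def poly_mulmod(a, b, mod):
    """Product of two polynomials modulo 2, reduced modulo `mod`."""
    n = mod.bit_length() - 1                  # degree of the modulus
    result = 0
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1                               # multiply a by x ...
        if (a >> n) & 1:
            a ^= mod                          # ... and reduce when degree n is reached
    return result

def poly_powmod(base, exponent, mod):
    """base^exponent modulo `mod` by repeated squaring."""
    result = 1
    while exponent:
        if exponent & 1:
            result = poly_mulmod(result, base, mod)
        base = poly_mulmod(base, base, mod)
        exponent >>= 1
    return result

def prime_factors(m):
    """Distinct prime factors of m by trial division (fine for 2^n - 1 with small n)."""
    factors, d = [], 2
    while d * d <= m:
        if m % d == 0:
            factors.append(d)
            while m % d == 0:
                m //= d
        d += 1
    if m > 1:
        factors.append(m)
    return factors

def is_primitive(poly):
    """The test given above: x^(2^n - 1) == 1 modulo poly, but x^((2^n - 1)/p) != 1 for
    every prime p dividing 2^n - 1.  Without the constant term 1, x is not invertible."""
    n = poly.bit_length() - 1
    order = (1 << n) - 1
    if poly_powmod(0b10, order, poly) != 1:
        return False
    return all(poly_powmod(0b10, order // p, poly) != 1 for p in prime_factors(order))

def reverse_poly(poly):
    """The reciprocal polynomial from the reversal property: x^n + x^(n-p) + ... + 1."""
    return int(format(poly, "b")[::-1], 2)

def galois_period(poly, state=1):
    """Clocks until the Galois register returns to `state` (each clock is 'times x')."""
    n = poly.bit_length() - 1
    s, clocks = state, 0
    while True:
        s <<= 1
        if (s >> n) & 1:
            s ^= poly
        clocks += 1
        if s == state:
            return clocks

def fibonacci_period(poly, state=1):
    """Clocks until the conventional register returns to `state`.  Cell k (1 newest,
    n oldest) is tapped when x^k is in `poly`; the XOR of the taps is the new bit."""
    n = poly.bit_length() - 1
    mask = (1 << n) - 1
    taps = (poly >> 1) & mask                 # state bit k-1 holds cell k
    s, clocks = state, 0
    while True:
        new_bit = bin(s & taps).count("1") & 1
        s = ((s << 1) | new_bit) & mask
        clocks += 1
        if s == state:
            return clocks

def gf_mul_table(mod):
    """Multiplication table of GF(2^n) built with `mod` as the modular polynomial."""
    size = 1 << (mod.bit_length() - 1)
    return [[poly_mulmod(a, b, mod) for b in range(size)] for a in range(size)]

def powers_of_x(mod):
    """1, x, x^2, ... modulo `mod` until the first repeat: the multiplicative group."""
    seen, v = [], 1
    while v not in seen:
        seen.append(v)
        v = poly_mulmod(v, 0b10, mod)
    return seen

if __name__ == "__main__":
    for name, p in [("x^7+x+1", 0b10000011), ("x^7+x^6+1", reverse_poly(0b10000011)),
                    ("x^4+x+1", 0b10011), ("x^4+x^3+x^2+x+1", 0b11111),
                    ("x^10+x^6+1", 0b10001000001)]:
        print(name, is_primitive(p), fibonacci_period(p), galois_period(p))
```

Note that x^4 + x^3 + x^2 + x + 1 is irreducible yet not primitive (its registers cycle with period 5), and x^10 + x^6 + 1 from the diagram is the square of x^5 + x^3 + 1, so the test reports it as not primitive.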
Using LFSRs to Build Secure Ciphers
The output from an LFSR is often strengthened by using another LFSR to control how often it is stepped. This technique can be applied in the same ways that were used with pinwheels in the chapter on telecipher devices. Another technique, the Geffe generator, uses three LFSRs with different periods. One is used to choose which of the two other ones has its output used. Although a simple Geffe generator is still not secure, more elaborate constructions using that principle may be effective. Here is a diagram showing one such construction:

                      LFSR 2     LFSR 3
                          \       /
              LFSR 5 ----> [ swap ]
                          /       \
                    select         mask
        LFSR 1 --.    |              |
                  [1-of-2] -------> XOR -------> output
        LFSR 4 --'

The generator pictured uses five LFSRs. One is used to choose which of two other LFSRs is used for two purposes (each one is used for one of those purposes, the bit only swaps them):

  - choosing which of two other LFSRs is used to contribute to the output, and
  - being XORed with the output of the chosen LFSR.
If only four shift registers are used, so that we XOR the output of one shift register with the output of a Geffe generator, then we still have the same weakness that the Geffe generator alone had. That is because the XOR of two LFSRs, by itself, is a linear construct, and thus is as vulnerable to attack as an LFSR of the length of the two combined. So, since the one Geffe generator means that the first LFSR is XORed to one of two others, we have two alternating possibilities, both weak, which the output bitstream matches 75% of the time.
The design as given, however, provides the XOR of two shift registers, both of which can be either of two possibilities. So would the XOR of the outputs of two Geffe generators. The design above has the advantage of requiring one fewer input. Is it secure? As noted above, the XOR of two LFSRs is no more secure than the output of a single longer LFSR. The output of this construct will agree with the XOR of LFSR 1 and LFSR 4, for example, 75% of 75% of the time, which is 56.25%: for each of the two inputs to the final XOR, as for a Geffe generator, 50% of the time the correct LFSR is used, and 25% of the time, the wrong LFSR agrees with the right one. So there is still an output bit stream which is biased towards matching an easily solved bit stream, but at least the bias is fairly weak.
As a nonlinear function of the bits in an LFSR can produce any series of output bits produced by any other device with the same period (proof: use all the bits in the LFSR's state as an address to find a bit in a ROM containing the desired sequence in a suitable order), and an LFSR has a maximum period of 2^n1, which is only one less than that of any other device with n bits of internal state, it seems it is not necessary to pursue developing the theory of nonlinear feedback shift registers with known period. Thus, one way of using a shift register to create a series of pseudorandom bits is to take some of its bits, and use circuitry to produce a nonlinear function of them, as illustrated at right.
  - An Illustrative Example
  - Other Constructions
  - More Realistic Examples
An Illustrative Example
The following diagram illustrates various ways in which shift registers can be used to produce pseudorandom bits, combining them in an elaborate construction. The device is based primarily on the Kinetic Protection Device, a stream cipher device produced by a defense contractor which has been openly described. But I have modified it significantly; in some ways to improve security, in others to reduce the number of components to fit into a reasonably sized diagram. And I have added sections illustrating other stream cipher principles, one based on a claimed cellular telephone cipher algorithm. The output bitstream of the main portion of the device is XORed to a bitstream produced by a combination of two different constructs. The first of these, illustrated in section E of the diagram, is based mainly on the A5 cellular telephone algorithm, but made simpler to draw by replacing its self-clocking principle by that of the T52. The second, in section F, illustrates the use of JK flip-flops to combine shift registers nonlinearly.
The Kinetic Protection Device generated an 8-bit output each time the shift register in it was clocked. A shift register of 61 stages was used, and the feedback polynomial applied was selected from a set of 1024 such polynomials stored in ROM. Eight different nonlinear functions, each taking six bits of input from six stages of the shift register, were used to produce the eight bits of output. The design pictured here uses a 44-stage shift register, with a ROM having only 256 feedback polynomials in it. The main part of this circuit is section A of the diagram. The modified Geffe generator, here found in section D, shown earlier on this page in ASCII graphics, takes five inputs from five stages of the shift register; the newest bit in the shift register is then XORed to the result. While there is only one nonlinear function, the five inputs to the modified Geffe generator can each be chosen from eight sources in the shift register, and this is determined by bits from three other shift registers in section C. The output of these three shift registers is XORed with signals produced in other parts of the device for some extra difficulty in analyzing its output. Thus, the design produces only one bit of output, not eight bits, each time the shift registers in it are stepped.
Instead of the feedback polynomial of the main shift register being set once as part of the key, it varies during encipherment. The eight-bit input to the feedback polynomial ROM is produced by selected bits from two shift registers moving in opposite directions, XORed together in section B. These shift registers are clocked by the AND of three bits from a third shift register, so that the feedback polynomial only changes at intervals. Since all the feedback polynomials in the ROM are maximal period ones, as long as the initial state of the LFSR stages is nonzero, it will remain nonzero. That arrangement does have the weakness that all eight output bits are parts of the same sequence of bits, although at widely separated intervals: the bits produced by XORing the output of the two shift registers with different periods. (That may not be strictly true if the periods of the two generators are not relatively prime.) This weakness is reduced by using the OR of two other bits of the clocking shift register to AND one of the clock signals, so that the two main shift registers will not be perfectly in step. The result is, however, still the same sequence of bits being produced on each line, but a different sequence with a longer period is appearing there, at least. This shows the merit of the original Kinetic Protection Device design, since, unlike my efforts here, it does avoid that; however, this circuit is at an earlier position. Thus, we can choose to stop at any point, as otherwise we get infinite regress, or what one book on computer graphic displays has called the "wheel of reincarnation".
This output is XORed with the output of a JK flip-flop, which has as inputs the bitstreams produced in sections E and F of the diagram. A JK flip-flop is a good way to combine two bitstreams for reasons which are explained below, in the description of the section of the device which illustrates their use. The first bitstream used is produced by three shift registers which clock each other, in section E of the diagram. Each one is clocked by the OR of two bits (one inverted) from each of the other two shift registers. Since each shift register supplies one bit and the negation of that same bit to the clocks of the two other shift registers, it is never possible for all three shift registers to stop moving at the same time. Just as the main part of the schematic is inspired by the Kinetic Protection Device, this part is inspired by the A5 algorithm used with GSM cellular telephones. The second bitstream comes from a circuit which includes one element that is very likely to have been part of the electronic cipher machines of the early 1970s, the JK flip-flop. This is section F of the diagram. In the book Basic Methods of Cryptography, by Jan C. A. van der Lubbe, is noted something I really should have recalled from learning about digital circuitry as an undergraduate: a JK flip-flop, in addition to being set if a signal is sent on J alone when it is clocked, or being reset by K alone, is unaffected if neither is present, and is toggled when both are present. This makes it as unbiased as an XOR for combining two bitstreams, but its memory makes it nicely nonlinear. The circuit supplying the second bitstream consists of four shift registers. Two of them are used as inputs to both a JK flip-flop and an XOR gate. Then, the two output bitstreams resulting are selected by the output of a third shift register. One is used as an input to another JK flip-flop, along with the output of a fourth shift register, and the other output bitstream resulting from the first two shift registers is XORed with the result.
The following table, showing for two inputs the outputs of a JK flip-flop and an XOR gate,

  J K | JK flip-flop | J xor K
  0 0 |      P       |    0
  0 1 |      0       |    1
  1 0 |      1       |    1
  1 1 |     ~P       |    0

illustrates the property of the JK flip-flop used here: not only is its output a random stream if it has two random streams as input, but this output is uncorrelated with the output of an XOR gate with the same two inputs. So, having a third input choose between the two modes of combining the first two inputs produces an output hard to relate to the raw outputs of any of the shift registers involved. The circuit used in section F of the diagram, as we have seen, begins by using that principle. In addition to the bits initially loaded into the shift registers of the device, another possible keying element for such a device is the order in which the shift registers of different lengths are connected to the different areas which take input from a shift register. Only those shift registers that are used in a plain fashion, with no values taken from within the shift register and with no special clocking, are shown as being switchable via plugboard terminals. In practice, a plugboard would not be used; some circuit with switches would be used instead. The idea of continuously varying the connections with a rotor machine hardly bears thinking about. Note that I have generally neglected to show the clock pulses explicitly; essentially, all the JK flip-flops and shift register stages are clocked by one master clock pulse, with the exceptions of the shift register gating the clock for the two shift registers used to address the feedback polynomial ROM, and of an implicit 1/2 clock pulse delay for the signals by which the three shift registers in section E of the diagram clock each other. Also, the reason for my use of nonstandard logic symbols here and in other diagrams is to provide legibility in a small number of pixels (the standard symbols for AND and OR, for example, look alike).
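Added Python example (not from the page) that makes the correlation statements exact by enumerating every input pattern: the simple Geffe generator from the preceding page (whose output is said to match each data input 75% of the time) and the JK flip-flop against the XOR gate from the table just given. Function names are assumptions of this example.

```python
from fractions import Fraction
from itertools import product


def geffe(select, a, b):
    """Simple Geffe generator: the selector bit decides which of a and b is output."""
    return a if select else b


def jk_flipflop(p, j, k):
    """New state of a JK flip-flop holding p: set on J alone, reset on K alone,
    unchanged on neither, toggled on both (the table above)."""
    if j and k:
        return 1 - p
    if j:
        return 1
    if k:
        return 0
    return p


def xor_jk(p, j, k):
    """The XOR gate fed the same J and K (the stored bit p plays no part)."""
    return j ^ k


def agreement(f, g, n):
    """Exact fraction of the 2^n equiprobable n-bit inputs on which f and g agree.
    For the flip-flop the stored bit p is one of the inputs: with independent random
    J and K streams it is balanced and independent of the current J and K, so
    enumerating it alongside them gives the long-run agreement rate."""
    hits = sum(1 for bits in product((0, 1), repeat=n) if f(*bits) == g(*bits))
    return Fraction(hits, 2 ** n)


def input_agreement(f, n):
    """Agreement of f with each of its n inputs in turn.  1/2 means the input does
    not show through; anything else is the bias a correlation attack keys on."""
    return [agreement(f, lambda *bits, i=i: bits[i], n) for i in range(n)]


def geffe_report():
    """Agreement of the Geffe output with (selector, a, b): [1/2, 3/4, 3/4]."""
    return input_agreement(geffe, 3)


def jk_report():
    """The flip-flop against the XOR of its inputs, and against p, J and K."""
    return {"vs_xor": agreement(jk_flipflop, xor_jk, 3),
            "vs_p_j_k": input_agreement(jk_flipflop, 3)}


if __name__ == "__main__":
    print("Geffe:", geffe_report())
    print("JK flip-flop:", jk_report())
```

The flip-flop output does come out uncorrelated with the XOR of J and K, as the table above says, but it agrees with J three times out of four and with K only one time in four, so on its own it leaks its inputs as much as a Geffe generator does.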
Other Constructions
One construction suggested for making use of the properties of the JK flip-flop is due to Pless: four pairs of shift registers feed into four JK flip-flops, and their outputs are used in rotation. This eliminates direct information about the raw shift register sequences, which can be obtained from two consecutive bits of their output some of the time. While attacks on that device have been shown to exist, in practice it would be elaborated upon, and as a starting point it is not a bad idea. The following diagram:
illustrates a possible elaboration. Instead of four groups of two shift registers, we have four groups of seven shift registers. Five are grouped in the fashion we saw in the green-background area of the large diagram above; two feed both a JK flip-flop and an XOR gate, and these two outputs, together with the outputs of three other shift registers, are applied to the extended Geffe generator circuit described earlier. Two additional shift registers are used to control swapping of the outputs from two pairs of shift registers. Instead of using the outputs of the four segments in sequence, two shift registers select a segment at random; and that segment is omitted, the outputs of the other three being XORed to produce the final result.
An interesting, secure, and simple shift-register based design is illustrated within the High-bandwidth Digital Content Protection System specification developed by Intel:
The XOR of the outputs of four shift registers generates a sequence of bits with a long period. The XOR of four other taps, one from each shift register, produces another part of that sequence of bits: since these taps are not all at the same distance from the outputs, that XOR produces a distant part of the same sequence. Another set of four taps from these shift registers controls four switchable delay or memory cells: each cell stores two previous inputs, and the control signal determines which of those two values is output. The new input replaces the value output, but the two values remaining are then also swapped. Since what this does is buffer the sequence of bits from the four earlier taps, allowing them to be output after an irregular number of cycles, it is similar to what the MacLaren-Marsaglia random number generator does. Each bit input to these four cells can take many different numbers of cycles before being output, and so there is no one sequence of bits similar to those of a shift register which is particularly likely to match the actual output. However, it is still true that there is an average amount of time that the bits from the delayed sequence will take to go through the four delay cells, and so it has been claimed that this might be sufficient to provide for a correlation attack, such as that used against the Geffe generator. The following diagram:
indicates two simple ways in which this design can be improved to make it considerably more resistant to such an attack. The first change is that between each pair of delay cells, another output from the shift registers is XORed with the bits as they progress. This means that different cases of individual amounts of delay in the four cells which add up to the same total delay are no longer equivalent. The second change is that another shift register is used to store several successive outputs from this generator, and the actual output used is the XOR of four of these outputs. Now, a bit of output will belong to the 'most likely' case sought by a correlation attack only if the four output bits of the previous part of the generator all belong to that case. However, that last bit of the generator, while it does prevent a direct correlation attack, doesn't really add any security, since the input to that stage can be derived from its output by a very simple process of deconvolution. So it is not enough to use multiple bits of the output, they must be chosen unpredictably. A valid design using this principle might look like this:
where three of the old bits are combined by a nonlinear function, and the other one goes through another variable delay cell. Now, an actual, although modest, gain in security against a correlation attack is obtained. However, a simple idea allows the very large gain in security against a correlation attack aimed at by the first of the extended versions of this design to be achieved. In the following diagram:
the outputs of the main generator are directed alternately to one of two shift registers. The one that receives the output is the one that is stepped, and the one from which the XOR of four bits is used. In this way, the four outputs of the main generator which are used vary over a large number of possibilities. Since the decorrelator circuit added at the end of the device seems to be so powerful, perhaps we could go back to taking only the original number of taps from the shift registers:
but replace the variable delay cells of the original design with decorrelator circuits. In this way, the final output is formed from any of a huge number of possible combinations of the shift register outputs. Incidentally, it may have occurred to you from viewing the diagrams above that a decorrelator circuit could as easily be built using the principle of selective recycling used in the delay cells in the original design, as shown here:
as by using the principle of selective clocking. The XOR of other bits besides the one clocked out could even include bits from the shift register row not used, as well. Hence, even if the design shown is not considered perfect, minor changes can strengthen it considerably.
More Realistic Examples
Since many of the early electronic cipher machines were used as telecipher machines, it is possible they were designed around generating five bits in a single cycle in parallel. A possible very simple design of that type is illustrated below:
Here, five Geffe generators produce five bits. But the five unused shift register outputs, instead of being discarded, are used to control swapping the five Geffe generator outputs. Note that the unused bit from one Geffe generator is always used to swap the two outputs of two other Geffe generators (at least if no preceding swaps take place). Since electronic circuitry is much faster than the mechanical components of teletypewriters, however, a design like the above will not be considered for long before the idea of running it five times faster, and producing a serial bitstream from its output, is considered:
Since the circuit that takes five bits of input, and produces one bit of output, involves some swaps of adjacent input bits, and the device producing those five bits also swapped adjacent bits, the order of the bits has been shuffled before the last combining circuit, so that swaps of bits not previously subject to exchange will take place instead. When the signal from a teletypewriter is in serial form, it is accompanied by stop and start bits; the idea might occur to a cipher machine designer to use this as an opportunity for an extra complication: another shift register could control whether, during the stop and start bits, when the machine's output is not XORed with the communications signal, the device is clocked. Since the start and stop bits take as much time as two and a half data bits, 0, 1, or 2 clock ticks could take place without any increase of speed. Double the speed of the device (and, of course, a tenfold discrepancy between electronic and electromechanical devices is far from unreasonable), and the opportunity arrives to have either 1 or 2 clock pulses between the data bits in a single character as well. When this fairly simple stratagem of designing a cipher machine around the characteristics of 5-level code signals is illustrated by a timing diagram,
along with a block diagram, illustrating the use of each of the timing signals,
(the box with three shift registers in it represents the apparatus with five Geffe generators whose output is combined to produce a single output bit, shown above) it looks quite complicated. Other constructs, instead of Geffe generators, could be used to generate the bitstreams the device starts with; more than one extra clock pulse for optional clocks could be used per baud; and, perhaps most important, instead of clocking, or not clocking, all fifteen shift registers in the cipher assembly during an optional clock pulse, one could instead use more than one tap, or more than one shift register, to control the clocking of the various shift registers independently during the extra time periods. Various references have noted that the early electronic cipher machines were often of a self-synchronizing nature. Also, the SKIPJACK block cipher design was described in the document revealing its design as a kind of shift register, suggesting how a shift register could be used for a simplified form of block encipherment. Taking these ideas together, one arrives at the following illustrative diagram:
This diagram is scaled down. On the right, the basic characteristics of a self-synchronizing cipher are shown: a shift register without feedback stores the last several ciphertext bits. A nonlinear function of these bits, which can be varied by a plugboard, is used as the keystream which is XORed to the plaintext to become the ciphertext. Such a design, in itself, would have to be made extremely elaborate, with a very large number of logic gates, to offer any security. On the right half of the diagram is shown how, with a limited number of gates, using a shift register to do block encipherment, more security might have been obtained. The area enclosed by dotted lines is clocked differently from the rest of the diagram. It produces a bit to be XORed with the plaintext by a
process that has to be described; it can't be easily shown in the diagram. An attempt has been made, though, with arrows showing the order in which the paths shown in the diagram are used. First, the bits of old ciphertext are loaded into the feedback shift register inside the dotted lines; the entire register is filled from the outside. This takes place during cycle 1, as indicated by the first arrow. Then, the feedback shift register is cycled several times through its entire length. This register is shown as being stepped 40 times, during cycles 2 to 41; since the shift register contains 16 cells, the bits in it cycle more than twice through its whole length. The final state of the register is then used to produce the output bit used to XOR with the plaintext, by means of another nonlinear function. This output is taken last, during cycle 42. Note that the state transition function of the feedback shift register is invertible; the oldest bit of it is XORed to a nonlinear function of five other bits before being recycled. This is invertible for the same reason that a Feistel round is invertible; the five inputs to that function are only moved, not changed. This doesn't guarantee a long period, but it does mean that after any fixed number of cycles, each different initial state will result in a different final state. This means that there is no possibility, despite the fact that the shift register has nonlinear feedback, and therefore many of its properties are hard to understand, that after some large number of cycles a large number of different initial states will lead to the generator winding up in the all-zero state (or some other degenerate condition) and getting stuck there. In other words, the state space is incompressible under the state transition function provided by a nonlinear shift register with the property that the eldest bit is not altered, and is XORed with the output in the last stage of calculating the output.
(The usefulness of setting up a nonlinear shift register in this way was in fact briefly noted in Applied Cryptography, where it is stated that the danger of its sequence dying out to all zeroes can be "easily cured".) The nonlinear function applied to the final state includes the newest bit in the shift register as one of its inputs, so that none of the cycles the shift register went through to produce that state is wasted. The arrangement of the two plugboards in the diagram is one part of the key; in practice, something less messy than plugboards would have been used, but not worrying about such details leaves the diagram simple. Another place where key material is used may be during the stepping of the fast feedback shift register, which may be fed one character of a 40-character key during that stepping. With known plaintext, if the first shift register, the one without feedback that simply stores old ciphertext bits, is short, a codebook attack on the cipher is possible as a direct consequence of its self-synchronizing nature. That is, one could make a table of the possible values of the preceding N ciphertext bits, for increasing N until N reaches the length of that shift register, and find that for each entry, whether the current
plaintext bit is inverted or not is consistent. It may be noted that this arrangement, although it is greatly simplified, is essentially a scaled-down version of operating a block cipher in Cipher Feedback mode, with the addition that the "block cipher" output is further condensed by a nonlinear function of several of its bits. Although the correlation attack is primarily a problem for designs based on linear-feedback shift-register outputs, the decorrelation circuit met on the previous page can be combined with this form of design as well. Thus, the block-cipher-like stage can generate two bits of output, one which is decorrelated, and one which controls the decorrelation. It should be noted, of course, that it takes a number of cycles for this type of decorrelator to be filled with output bits, particularly as the random control of which shift register is filled can mean the time required is variable. Special circuitry to enable an initial fill mode is possible, just as in the MacLaren-Marsaglia random number scheme, where the buffer is initially filled with a number of consecutive PRNG outputs. More elaborate constructs are also possible, like the one below:
Here, 30 bits of previous ciphertext are cycled three times through one nonlinear shift register with an incompressible state space, and three bits of output are produced. One bit is fed into a decorrelator, the second controls the decorrelation, and the third is used for another decorrelator later in the circuit. The decorrelated output is again fed into another block-cipher-like nonlinear shift register, this time one which acts on a 16-bit block, as in the previous example. The output of that stage is decorrelated under the control of the third bit used earlier. Here, however, instead of the decorrelator simply XORing together multiple old output bits, a nonlinear function of old output bits is XORed with the one being shifted out of the shift register being clocked, making this a nonlinear decorrelator. The five-input nonlinear circuit that I have used throughout these examples is expanded by making one of its inputs the OR of two ANDs, and another the AND of two ORs; thus, the significance of the bit that chooses between these two somewhat biased values is increased. This rather daunting diagram changes to the following
when drawn with standard logic symbols. Of course, since I wished to avoid increasing the size of the diagram, the shift-register flip-flops are not drawn explicitly. The arrangement involving the shift registers shown as clocked by phase 3 and phase 7 is somewhat involved, and so an inset for the one clocked by phase 3 shows what is actually going on for each flip-flop in the shift registers. Essentially, phase 2 clocks loading the entire register from outside, and phase 3 steps the register. Type D flip-flops are shown as being used to build the shift registers for simplicity, even if in practice type SR flip-flops would be used for economy. Also, in this diagram, it is necessary to make explicit the timing signals used; the following chart:
shows what those signals are. The leading edge of the phase 1 signal must occur at some time when the previous ciphertext bit is valid; after the trailing edge of the phase 8 signal, the output of the circuit is valid, so the new ciphertext bit will be valid when the new plaintext bit is valid. Until such time as the cipher machines of the 1970s become declassified, these imaginative reconstructions of mine may perhaps prove useful to spy novelists wanting to insert authentic-looking cipher machine plans into their works. When the real thing is revealed, of course, it will be far more secure than my careless effort. I think my first diagram, the one based on the Kinetic Protection Device, is likely to be rather more elaborate and complicated than anything actually used, while the first of the two designs shown on this page, showing five Geffe generators, is probably more straightforward and simple than anything actually used. As the second one is based on various public comments concerning the electronic cipher machines of the U.S. during that period, although it is scaled down, it may illustrate a principle that had actually been used, or, of course, one that we are intended to think was used. In that case, the "real thing" would have had longer shift registers, and more complicated nonlinear functions (and three different ones) than my simple improved Geffe generator which I used three times in the diagram. Also, there may have been an attempt to encipher the five bits of a teleprinter character in parallel. It should also be noted that, for purposes of the illustrative diagrams on these pages, I have not troubled to ensure that all the shift register polynomials used are actually of maximal period, which would be required in practice.
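The incompressible-state-space argument made above for the fast feedback shift register can be checked exhaustively on a register of the size in the diagram. The following is an added example, not part of the original page: the five-input function and the tap positions are assumptions chosen for illustration, and the lossy variant is included only to show what goes wrong when the oldest bit is replaced rather than XORed.

```python
# Added example (not from the page): exhaustive check, for a 16-cell register,
# that a nonlinear feedback shift register whose oldest bit is XORed with a
# nonlinear function of five *other* cells has a one-to-one state transition,
# while a register that simply replaces the oldest bit does not.
# The five-input function and the tap positions are assumptions for illustration.

N = 16                      # register length, as in the diagram described above
MASK = (1 << N) - 1
TAPS = (2, 5, 7, 11, 14)    # assumed cells feeding the nonlinear function; none is cell N-1


def bit(state, i):
    return (state >> i) & 1


def f5(b0, b1, b2, b3, b4):
    """Assumed five-input nonlinear Boolean function (returns 0 or 1)."""
    return (b0 & b1) ^ (b2 | b3) ^ (b3 & b4) ^ b1


def step_invertible(state):
    """One clock: cell N-1 (the oldest bit) is XORed with f5 of five other
    cells and recycled into cell 0; everything else shifts up one cell."""
    oldest = bit(state, N - 1)
    new = oldest ^ f5(*(bit(state, t) for t in TAPS))
    return ((state << 1) & MASK) | new


def unstep_invertible(next_state):
    """Explicit inverse: cells 0..N-2 of the old state are cells 1..N-1 of the
    new one, so every f5 input is known and the oldest bit can be recovered,
    exactly as a Feistel round is undone."""
    prev_low = next_state >> 1
    oldest = bit(next_state, 0) ^ f5(*(bit(prev_low, t) for t in TAPS))
    return prev_low | (oldest << (N - 1))


def step_lossy(state):
    """Same register, but the oldest bit is discarded and replaced by f5 alone,
    so the new cell 0 is a function of the other cells: the map cannot be 1-to-1."""
    new = f5(*(bit(state, t) for t in TAPS))
    return ((state << 1) & MASK) | new


def distinct_images(step):
    """Number of distinct successor states over the whole 2^N state space."""
    return len({step(s) for s in range(1 << N)})


def is_bijection(step):
    return distinct_images(step) == (1 << N)


def run(state, step, cycles=40):
    """Clock the register 'cycles' times (40, as in the description above)."""
    for _ in range(cycles):
        state = step(state)
    return state


if __name__ == "__main__":
    print("invertible register is a bijection:", is_bijection(step_invertible))
    print("lossy register distinct successors:", distinct_images(step_lossy), "of", 1 << N)
```

Because one step is a bijection, any fixed number of steps is too, so distinct initial states reach distinct final states after the 40 cycles; the lossy register loses half its state space on the very first clock.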
Other Stream Ciphers
The mixed congruential pseudorandom number generator, usually used in software, is one of the basic techniques of producing apparently random bits that we will examine here. This is the technique used to produce the numbers given by the RND() function in most dialects of BASIC. Modulo a constant, replace x by a times x plus b, where a and b are both constants. If a and b are large enough, the behavior of x, particularly its most significant bits, will seem random. For the maximum period, which is the same as the modulus, b must be relatively prime to the modulus. So must a, but if the modulus is a multiple of 4, a must also be equal to 1, not 3, modulo 4. The most common method used for strengthening a mixed congruential generator is to use it as part of a MacLaren-Marsaglia random number generator. Let us suppose that random binary bits are desired. Then, one uses one generator modulo two to some power, so that one is starting with numbers with a uniform distribution. Since the most significant bits of the output from such a generator have the longest period, one might take only the 4 or 8 most significant bits of the output. A buffer, perhaps with 37 entries, containing 37 bytes or nibbles produced by that generator is used. Each time some bits are to be produced, a second mixed-congruential generator, operating modulo 37^n for some n, is used to pick one element from that buffer, which is used as the output of the full MacLaren-Marsaglia generator. Then the other mixed-congruential generator is used to supply a replacement value for the buffer element used. Again, a simple MacLaren-Marsaglia generator is still not secure, although the paper in which one was cracked used one where all the bits of the binary MC generator were used and none were discarded. If only the first few bits are used, and a long binary MC generator, perhaps one requiring multiprecision arithmetic, is used, there is already a greater level of security present.
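The construction just described, as an added example that is not from the original page: a mixed congruential generator with a full-period check, and a MacLaren-Marsaglia shuffle built from two of them with a 37-entry buffer. The period test is the general Hull-Dobell condition, of which the rules stated above for a power-of-two modulus are the special case; the multiplier and increment constants are chosen here for illustration.

```python
# Added example (not from the page): a mixed congruential generator with a
# full-period check, and a MacLaren-Marsaglia shuffle built from two such
# generators as described above. The period test is the general Hull-Dobell
# condition, of which the rules stated above for a power-of-two modulus are
# the special case. The constants are chosen for illustration.
from math import gcd


def prime_factors(n):
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def full_period_ok(a, b, m):
    """x -> (a*x + b) mod m has period m iff b is coprime to m, a-1 is divisible
    by every prime factor of m, and, when 4 divides m, a-1 is divisible by 4
    (i.e. a = 1, not 3, modulo 4)."""
    return (gcd(b, m) == 1
            and all((a - 1) % p == 0 for p in prime_factors(m))
            and (m % 4 != 0 or (a - 1) % 4 == 0))


def period(a, b, m, seed=0):
    """Measure the cycle length actually reached from 'seed' (small m only)."""
    x, steps = seed, 0
    while True:
        x, steps = (a * x + b) % m, steps + 1
        if x == seed:
            return steps


class MixedCongruential:
    def __init__(self, a, b, m, seed):
        assert full_period_ok(a, b, m), "constants do not give the full period"
        self.a, self.b, self.m, self.x = a, b, m, seed % m

    def next(self):
        self.x = (self.a * self.x + self.b) % self.m
        return self.x


class MacLarenMarsaglia:
    """37-entry buffer of top bytes from a generator modulo 2^32; a second
    generator modulo 37^4 picks which entry to emit and replace on each call."""
    BUF = 37

    def __init__(self, seed_fill, seed_pick):
        # binary generator: only the 8 most significant bits are kept, since the
        # low-order bits of a power-of-two-modulus generator have short periods
        self.fill = MixedCongruential(1664525, 1013904223, 1 << 32, seed_fill)
        # index generator modulo 37^4; its most significant base-37 digit is used
        self.pick = MixedCongruential(704, 12345, 37 ** 4, seed_pick)
        self.buf = [self.fill.next() >> 24 for _ in range(self.BUF)]

    def next_byte(self):
        i = self.pick.next() // 37 ** 3        # 0 .. 36
        out = self.buf[i]
        self.buf[i] = self.fill.next() >> 24   # replace the entry just used
        return out

    def bytes(self, n):
        return bytes(self.next_byte() for _ in range(n))
```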
But more elaborate constructs are again possible. There are also many other techniques that can be applied to bytes or words, rather than bits, to produce a keystream to XOR with plaintext. Gifford's cipher used only eight bytes of internal state, but produced a cipher that was only shown to have weaknesses after some very involved analysis. It actually was a kind of shift-register cipher, but with the shifting being done by byte. The shift register was eight bytes long. Feedback involved taking three bytes from the register, and obtaining the new byte by XORing together one of the bytes, the arithmetic right shift of another byte, and the logical left shift of the third. The output from the generator is produced by taking four bytes from the register, forming two 16-bit integers from them, and taking the second least-significant byte of their product. This output is what is XORed to the plaintext to produce ciphertext. This diagram illustrates Gifford's cipher:
A stream cipher is any cipher which, like Vigenere, or that produced by a rotor machine, changes how it behaves during a message. Thus, most block cipher modes, other than Electronic Codebook Mode, produce stream ciphers. A stream cipher which does produce pseudorandom bits to XOR with plaintext can be improved merely by substituting new values for the bytes of the plaintext from a secret table, both before and after the XOR. Another way of using the output of a pseudorandom bit generator was developed by Terry Ritter, which he called Dynamic Substitution.
The principle is very simple. A secret table, with a random sequence of the 256 possible byte values, is used. A message byte is replaced by its substitute in that table in order to encrypt it. Then, a byte from the pseudorandom bit generator is taken. The two table entries corresponding to that byte, and the plaintext message byte, are swapped. In the event both the plaintext byte and the pseudorandom byte are the same, nothing is done. This is a simple, but secure technique. Every time a table entry is used, it is relocated somewhere else at random. So, since each table entry is used once and once only, no useful information about the table seems to be made available. If one knows some corresponding plaintext and ciphertext, it is true that since you know that the table entry you encountered when one byte was enciphered was sent to the byte the PRNG sent it to at that time, and may stay there for a while, if that same byte turns up shortly after, you can conclude that the PRNG byte in the past is the same as the plaintext byte when the byte value turned up again. However, one cannot expect a simple method of applying a keystream to plaintext to be perfect; this small weakness doesn't contradict the fact that this is a great improvement over simply XORing the keystream to the plaintext. The main reason this technique may not become popular even after its patent expires is because it is an autokey method; the encipherment of plaintext bytes depends in part on the values of previous plaintext bytes. This is not good for error propagation, which need not be a consideration (since once text is encrypted, it can be sent along with extensive error correction; and encrypted texts are often compressed, which already results in wide propagation of any errors) but it is usually considered to be a problem. The idea of shuffling elements in a table of the 256 different byte values can also be used to generate pseudorandom bytes.
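The Dynamic Substitution combiner described above, written out as an added example (not from the page, and not Terry Ritter's own code). The keystream and the initial table are stand-ins built from Python's random module, which is an assumption for demonstration only and not a secure generator; a plain XOR stream cipher using the same keystream is included so the effect of a single altered ciphertext bit can be compared.

```python
# Added example (not from the page, and not Terry Ritter's own code): the
# Dynamic Substitution combiner described above, with a stand-in keystream.
# The table is a secret permutation of the 256 byte values; each plaintext
# byte is replaced by its table entry, and then the entries at the plaintext
# byte and at the keystream byte are swapped. Decryption keeps the inverse
# table in step. The stand-in keystream is NOT a secure PRNG.
import random


def keystream(seed):
    # stand-in for the cipher's pseudorandom byte generator (assumption)
    rng = random.Random(seed)
    while True:
        yield rng.randrange(256)


def initial_table(table_seed):
    # stand-in for the secret table: a keyed shuffle of 0..255 (assumption)
    table = list(range(256))
    random.Random(table_seed).shuffle(table)
    return table


def encrypt(plaintext, table_seed, ks_seed):
    table, ks, out = initial_table(table_seed), keystream(ks_seed), bytearray()
    for p in plaintext:
        out.append(table[p])
        k = next(ks)
        if k != p:  # when the two indices coincide, nothing is done
            table[p], table[k] = table[k], table[p]
    return bytes(out)


def decrypt(ciphertext, table_seed, ks_seed):
    table, ks, out = initial_table(table_seed), keystream(ks_seed), bytearray()
    inverse = [0] * 256
    for i, v in enumerate(table):
        inverse[v] = i
    for c in ciphertext:
        p = inverse[c]
        out.append(p)
        k = next(ks)
        if k != p:  # same swap as the sender, then fix up the inverse table
            table[p], table[k] = table[k], table[p]
            inverse[table[p]], inverse[table[k]] = p, k
    return bytes(out)


def flip_bit(data, index, bitno):
    """Alter one bit of a byte string (a ciphertext bit changed in transit)."""
    out = bytearray(data)
    out[index] ^= 1 << bitno
    return bytes(out)


def xor_stream(data, ks_seed):
    """Plain XOR stream cipher with the same stand-in keystream, for contrast."""
    return bytes(b ^ k for b, k in zip(data, keystream(ks_seed)))
```

With plain XOR an altered ciphertext bit alters exactly the corresponding plaintext bit; with Dynamic Substitution the altered byte decodes to some unrelated value and, because the method is autokey, the bytes that follow are disturbed as well.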
One very popular stream cipher has been alleged to function as follows: Using two variables that store one byte each, in addition to the table, generate bytes as follows: Start with A and B equal to zero. Each iteration proceeds in this way:
- Increment A (modulo 256).
- Add the A-th element of the table to B (modulo 256).
- Use as the output byte the element of the table specified by the modulo-256 sum of the A-th element and the B-th element of the table.
- Exchange the A-th element and the B-th element of the table with each other.
The initial arrangement of the 256-byte table is created by a procedure involving a second 256-byte table. The table to be used in generating pseudorandom bytes is initialized to the numbers from 0 to 255 in order. The other table is filled with the bytes of the key repeated over and over until it is full. Start again with A and B equal to zero. Repeat the following steps 256 times:
- Replace B with the sum of B and the A-th element of both tables.
- Increment A.
- Swap the A-th element and the B-th element of the table to be used later, leaving the one containing the key alone.
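The generator whose alleged description is given above is the one commonly known as RC4. As an added example (not from the page), here it is in the form that is generally published, which pins down the ordering the bullet lists above leave loose: in the key schedule the swap uses the element whose value was just added to B, and in the generation loop the swap is made before the output byte is selected. With that ordering the widely circulated test vectors are reproduced.

```python
# Added example (not from the page): the byte-oriented table-shuffling
# generator described above, in the form generally published as RC4.


def key_schedule(key):
    """Build the 256-byte table: it starts as 0..255, and the second table
    (the key repeated until full) is what key[a % len(key)] indexes."""
    table = list(range(256))
    b = 0
    for a in range(256):
        b = (b + table[a] + key[a % len(key)]) % 256
        table[a], table[b] = table[b], table[a]
    return table


def generate(table, count):
    """Emit 'count' keystream bytes, shuffling the table as it goes."""
    a = b = 0
    out = bytearray()
    for _ in range(count):
        a = (a + 1) % 256
        b = (b + table[a]) % 256
        table[a], table[b] = table[b], table[a]
        out.append(table[(table[a] + table[b]) % 256])
    return bytes(out)


def rc4(key, data):
    """Encrypt or decrypt (XOR makes the operation its own inverse)."""
    table = key_schedule(key)
    return bytes(d ^ k for d, k in zip(data, generate(table, len(data))))


def is_permutation(table):
    """The swaps only ever exchange entries, so the table stays a permutation."""
    return sorted(table) == list(range(256))
```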
One other stream cipher of interest is given its own section.
- Panama
Panama
Panama is billed as a "cryptographic primitive". Designed by Joan Daemen, also responsible for 3-Way, and one of the collaborators in the design of Rijndael, Panama is essentially a stream cipher engine with a large state. It is, however, equally usable as a hash function. The structure of a Panama iteration is illustrated by the following diagram:
Panama contains two main elements: a shift register, with 32 cells, each containing a vector of eight 32-bit words, and a recirculating mixing function, resembling the f-function in a block cipher, which operates on a "state" consisting of seventeen 32-bit words. (While it has been noted that SHA-1 inspired Panama, I do not find the resemblance obvious.) There are three fundamental operations that form part of Panama.
- Panama is reset by setting both the 17-word state and the contents of the shift register to all zeroes.
- A vector of eight 32-bit words is fed to Panama through a Push operation. Operations unique to the Push function are shown by the light dotted lines in the diagram. In a Push operation, the incoming vector is used as one of the inputs to the state transition function (the other input is the contents of one of the cells in the shift register), and is also used to XOR with the recirculating values in the shift register.
- A vector of eight 32-bit words is received from Panama by means of a Pull operation. The line of alternating dots and dashes shows the operations unique to the Pull function in the diagram. In a Pull operation, the 32-bit words numbered 9 through 16 in the state are used as the output, and words 1 through 8 are XORed with the recirculating values in the shift register. The inputs to the state transition function both come from stages in the shift register, one not used for any special purpose in the Push operation replacing the input, absent from a Pull operation.
When Panama is used as a stream cipher, first the key is input by one Push operation, and then an initialization vector is input by a second Push operation. Then, 32 Pull operations are performed, discarding their output, to allow the internal state of Panama to be fully mixed. When Panama is used as a hash function, the message to be hashed, followed by a 1 bit and as many zeroes as are needed to cause the message to occupy an integer number of 256-bit blocks, is input to Panama through a series of Push operations. Then, after a number of Pull operations with their output discarded, so that the effects of even the last block of the message are fully diffused, the output from a final Pull operation constitutes the hash. The state transition function of Panama operates on 17 32-bit words, numbered 0 through 16. Its steps are visible in the diagram, and are, in order:
- Nonlinearity: each word is XORed with the OR of the previous values of the next word and the complement of the word after, going around the circle from word 0 to 16 and back to 0.
- Bit Dispersion: first, the words are transposed (by a simple decimation with interval 4), then the words undergo circular left shifts of different sizes.
- Diffusion: each word is XORed with both the previous values of the next word and the word four positions ahead, again going around the circle.
- Buffer Injection: Word 0 is XORed with 1; words 1 through 8 are XORed with the first input to the function, and words 9 through 16 are XORed with the second input to the function.
The huge size of the internal state of Panama makes it look very impressive. Of course, one might want to add an extra XOR here or there, such as using the state function output during Push cycles. But Panama has been designed to be very efficient on internally parallel microprocessors, and thus throwing in extra operations would interfere with that.
However, a closer look at first creates the impression that Panama might be weak instead of strong. The problem for the cryptanalyst is to discover the internal state of the cipher, both the 17-word state and the shift register contents. But the state is used as the output of the cipher, and the state transition function has only a single round. Thus, knowing two successive 17-word states, one can easily discover the two 8-word inputs to the state transition function. The only thing that prevents this from happening is that only eight of the seventeen words of the state are used as the output of Panama. At one point, having mistakenly thought that the first eight words of the state, words 0 through 7, were the output block, I worked out a simple way to find the value, with 75% probability, of one of the words in the buffer, but Panama does not in fact allow such a simple attack. Thus, the cryptographic strength of Panama seems to equal that of a two-round version of the state transition function, since just under half the state is used. However, that attack involves reconstructing the internal state of Panama from known plaintext, which means that, knowing part of a message, one can find the rest of that message. What about attacking other messages with the same key, but a different initialization vector? Unfortunately, this too is possible. The nonlinearity stage of the state transition function of Panama, resembling as it does the small S-box of 3-Way, can be inverted (unlike the nonlinear part of the f-function of DES), so it is possible to run Panama backwards if one had a full knowledge of its internal state, and obtain the original 8-word key.
Tracing the path of information through the state transition function of Panama shows that a trivial application of differential cryptanalysis principles does not suffice to obtain some bits of the buffer by means of a known plaintext attack on Panama when used as a stream cipher. The following diagram illustrates what happens when an attack is attempted:
With known plaintext, one knows the value of the output bits from Panama. If one has two successive output blocks from Panama, tracing through the state transition function leads to the following results: Initially, words 9 through 16 of the state are known. After the nonlinearity step, words 9 through 14 of the state are still known for certain. The bits of word 15 which correspond to 1 bits in the former value of word 16 are known as well, but the other bits of word 6 are unknown. The bits of word 16 are, with a probability of 75%, the inverses of their former values. After the bit dispersion step, the words known with certainty are words 2, 4, 9, 11, 14, and 16, and the words about which partial information is available are words 7 and 12. The right words in the right places are not available to allow a known or partly known word to exit the diffusion step for comparison with a word known from the current output block, by which means some buffer contents could be found. Even so, the fact that it comes this close to solution makes one wary of the danger of a differential attack. Panama is an impressive and promising design, but because of the superficial appearance that it is close to being susceptible to a differential attack, I have taken the liberty of proposing a variant with a few modifications (so don't blame Joan Daemen if, instead of making it more secure, I've ruined it) which is illustrated in the conclusions section of this chapter.
A Note on the Importance of Galois Fields
In the descriptions of the block ciphers Rijndael and Twofish, we have encountered the operation of multiplication in a Galois Field. Looking at other cipher designs, and their effective use of more familiar operations, such as addition, exclusive-OR, conventional and modular multiplication, and table lookup in S-boxes, one might be forgiven for wondering if the use of such exotic and advanced mathematics is really necessary in a symmetric-key cipher. However, in attempting to answer a question about the simplest way to fully correct a flaw in a particular type of stream cipher, one can see that Galois fields do have an important property which is useful in cryptography. Some stream ciphers operate merely by generating a pseudorandom output, treated as a keystream, which is merely XORed with the plaintext. Others behave more like rotor machines, and instead of simply displacing the plaintext a varying amount through a fixed alphabet, provide a substitution which is different in arrangement for each symbol enciphered. In the former case, if one knows the exact plaintext of a message being sent, one could, by inverting the same bits of the ciphertext as one wishes to invert of the plaintext, alter a message in any way one likes without knowing any part of the keystream. This weakness, known as vulnerability to the "bit-flipping" attack, can, of course, be dealt with by using some form of authentication method. However, I still found it interesting to investigate the question of what would be the minimal enhancement to the basic PRNG (pseudorandom number generator) with XOR stream cipher to obtain a varying alphabet. More specifically, I sought a combiner (which could be used alone as a variation on the one-time pad) with the following properties:
- Input plaintext symbols from an alphabet of N characters are taken to output ciphertext symbols from the same alphabet, for some N>2;
- The number of possible keystream symbols is some multiple of N, and if all keystream symbols are equally probable, then for a given plaintext symbol p, all ciphertext symbols are equally likely to correspond to it, and conversely, for a given ciphertext symbol q, all plaintext symbols are equally likely to correspond to it;
- The number of possible keystream symbols is some multiple of N-1, and if, due to the existence of known plaintext, an adversary is aware that at one point in the text, plaintext symbol p corresponds to ciphertext symbol q, then, if those keystream symbols which could produce that result remain equally probable, altering ciphertext symbol q to any other symbol q', which is different from q, could produce, upon decipherment, any of the N-1 possible plaintext symbols which differ from p as the result with equal probability.
The addition table for a simple cipher with these properties, where N=3, is as follows (rows are plaintext symbols, columns are keystream symbols, and the entries are the resulting cipher symbols):

    Plain   Key:  A  B  C  D  E  F
      0           0  1  2  0  1  2
      1           1  2  0  2  0  1
      2           2  0  1  1  2  0

To scramble plaintext in the fashion of a one-time-pad, it is sufficient to use either the keystream symbols (A,B,C) or (D,E,F) with equal probability. Because the vertical columns in the ciphertext run backwards in the second half of the table, for a given plaintext-ciphertext pair, if the two keystream symbols that could have caused it in the two halves of the six possibilities are equally probable, changing the ciphertext is equally likely to give either of the two different plaintexts. Note that what is happening here is that the one-time-pad effect is produced by adding 0, 1, or 2 to the plaintext to produce the cipher output, while the resistance to the equivalent of a bit-flipping attack is produced by previously multiplying the plaintext either by 1 or -1 (equivalent to 2 in modulo-3 arithmetic).

This can also be done for binary data; the minimal way to do so would be to take two bits at a time, as in the following table (again, rows are plaintext symbols, columns are keystream symbols, and the entries are cipher symbols):

    Plain   Key:  A   B   C   D   E   F   G   H   I   J   K   L
     00           00  01  10  11  00  01  10  11  00  01  10  11
     01           01  00  11  10  10  11  00  01  11  10  01  00
     10           10  11  00  01  11  10  01  00  01  00  11  10
     11           11  10  01  00  01  00  11  10  10  11  00  01
In the first four columns of the table, using one of keystream symbols {A,B,C,D} is equivalent to performing an XOR of the plaintext symbol with the respective element of {00, 01, 10, 11}. It can be verified by inspection that this table does have the property I am looking for. Note that keystream symbols {E,F,G,H} and {I,J,K,L} also perform XORs with the plaintext symbols, after a substitution is performed on them, the substitutions being the ones in the columns labelled E and I. The following table:

                  A   E   I
             00   01  10  11
        00   00   00  00  00
        01   00   01  10  11
        10   00   10  11  01
        11   00   11  01  10

shows the three substitutions in use, along with an extra column to make the table symmetric. Since any operation involving 00 produces 00, this resembles a multiplication table. And, indeed, it is the multiplication table for the representation of GF(2^2) with modular polynomial x^2+x+1.

So, just as with base 3, where we obtained the desired property by performing first a multiplication and then an addition, here we performed a Galois Field multiplication, followed by an XOR, which is the operation corresponding to addition in such a Galois Field. (Doing the XOR first and the multiplication afterwards, of course, would also work.)

Is this a general method for obtaining a substitution which has this desired property? Yes; this is a direct consequence of the distributive property. Multiplication over the Galois Field, and XOR, behave like multiplication and addition do in ordinary arithmetic, and thus they will be denoted by * and + respectively below. Given that (p*B)+A=q and (p*B')+A'=q, if B is not equal to B', then for q' not equal to q, we wish to prove that (p'*B)+A=q' and (p''*B')+A'=q' implies p' cannot equal p''. This follows from the distributive property, and a few other basic properties of a field.
If p' did equal p'', but not p, then for p' not equal to p, the difference between (p'*B) and (p'*B') cannot equal the difference between (p*B) and (p*B'), since the one is p'*(B+B') and the other is p*(B+B'), and B is not equal to B'. (Here, + is equivalent to -, because XOR performs both roles.) However, the difference between A and A' hasn't changed, and so a contradiction results.

Thus, when two operations behave like addition and multiplication, they complement each other as well as two operations can, and thus using them together provides a result which, in the particular respect examined here, resembles the result of having a completely indeterminate permutation. And to obtain two such operations for symbols that are made up of two or more bits each, the only choice is Galois Field multiplication along with XOR. If, instead, a set of symbols with a prime number of elements is used, one can use ordinary modular multiplication and addition. Thus, this property can be approximated by using, for example, addition modulo 2^n and multiplication modulo (2^n)+1, with the advantage that the inputs to both steps can have all 2^n possible values.

This technique is illustrated here as giving the benefit of preventing anything resembling 'bit-flipping' in a stream cipher, including the one-time-pad. But it is also useful in the design of block ciphers, where it provides what is referred to as decorrelation, and thus this point is also referred to in the section on the Decorrelated Fast Cipher. Twofish and Rijndael use two different representations of GF(2^8). For 5-level-code characters, as used in telecipher devices, x^5+x^2+1 is a suitable modular polynomial.
Since GF(2^5) multiplication has the distributive property with respect to XOR, the following abbreviated multiplication table, giving only the products of the single-bit values, is sufficient:

             00001  00010  00100  01000  10000
    00001    00001  00010  00100  01000  10000
    00010    00010  00100  01000  10000  00101
    00100    00100  01000  10000  00101  01010
    01000    01000  10000  00101  01010  10100
    10000    10000  00101  01010  10100  01101

In the age before inexpensive computers, and ciphers like DES, and hash functions like MD5, this is a technique which could have been used to protect secure teleprinter links years ago, as it involves math that was known quite a long time ago, and requires circuitry of only moderate complexity even if discrete components are used: one one-time-tape would be used in the conventional manner, but a second one-time-tape, not including the all-zero code, would also be used for a multiplication operation. (Actually, of course, it would make more sense to use a special 10-channel one-time-tape.) While it would not have been as direct a solution as a hash function, it would not have the failure mode of a human in the link ignoring a bad checksum and accepting a fraudulent message. It does not appear that this was used for the Moscow-Washington hot line, but it is not impossible that it was at least considered. Also, perhaps such a technique might have something to do with the Soviet cipher device described as applying a 15-channel one-time-tape to 5-level-code characters.
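The combiner described above, checked exhaustively for the GF(2^2) table, the GF(2^5) polynomial and the modulo-3 table, as an added example that is not part of the Compendium; the `Combiner` class and all function names are this example's own, and the exclusion of the all-zero code from the second one-time-tape corresponds to drawing the multiplier B from the nonzero elements only.

```python
"""Stream-cipher combiner q = (p * B) + A over a small field.

Added example; not code from the Compendium. It builds the combiner the text
describes from a field's multiplication and addition, then checks both required
properties by enumeration for GF(2^2) with x^2+x+1, GF(2^5) with x^5+x^2+1,
and the three-element prime field using ordinary modular arithmetic.
"""
from collections import Counter


def gf2n_mul(a, b, poly, nbits):
    """Multiply in GF(2^nbits); `poly` carries its top bit (0b111 = x^2+x+1)."""
    result = 0
    high = 1 << nbits
    for _ in range(nbits):
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if a & high:
            a ^= poly          # reduce modulo the polynomial
    return result


class Combiner:
    """Keystream symbol (A, B): q = (p * B) + A, with B taken from `multipliers`."""

    def __init__(self, size, mul, add, sub, multipliers=None):
        self.size, self.add, self.sub = size, add, sub
        self.table = [[mul(x, y) for y in range(size)] for x in range(size)]
        self.multipliers = multipliers or list(range(1, size))  # nonzero only
        # multiplicative inverses, found by searching the table row
        self.inv = {b: self.table[b].index(1) for b in self.multipliers}
        self.keys = [(a, b) for b in self.multipliers for a in range(size)]

    def encrypt(self, p, key):
        a, b = key
        return self.add(self.table[p][b], a)

    def decrypt(self, q, key):
        a, b = key
        return self.table[self.sub(q, a)][self.inv[b]]


def gf2n_combiner(nbits, poly, multipliers=None):
    xor = lambda x, y: x ^ y       # XOR serves as both + and - in GF(2^n)
    return Combiner(1 << nbits, lambda x, y: gf2n_mul(x, y, poly, nbits),
                    xor, xor, multipliers)


def prime_combiner(n):
    return Combiner(n, lambda x, y: (x * y) % n,
                    lambda x, y: (x + y) % n, lambda x, y: (x - y) % n)


def xor_only_combiner(nbits, poly):
    """The plain PRNG-with-XOR stream cipher: the multiplier is always 1."""
    return gf2n_combiner(nbits, poly, multipliers=[1])


def has_onetimepad_property(c):
    """For each plaintext symbol, every ciphertext symbol is equally likely."""
    for p in range(c.size):
        counts = Counter(c.encrypt(p, k) for k in c.keys)
        if len(counts) != c.size or set(counts.values()) != {len(c.multipliers)}:
            return False
    return True


def resists_symbol_flipping(c):
    """Knowing p <-> q, changing q to any q' != q must yield every p' != p
    exactly once over the keystream symbols consistent with (p, q)."""
    for p in range(c.size):
        for q in range(c.size):
            consistent = [k for k in c.keys if c.encrypt(p, k) == q]
            for q2 in range(c.size):
                if q2 == q:
                    continue
                counts = Counter(c.decrypt(q2, k) for k in consistent)
                expected = {p2: 1 for p2 in range(c.size) if p2 != p}
                if dict(counts) != expected:
                    return False
    return True


def combiner_is_sound(c):
    return has_onetimepad_property(c) and resists_symbol_flipping(c)


if __name__ == "__main__":
    for name, c in [("GF(2^2), x^2+x+1", gf2n_combiner(2, 0b111)),
                    ("GF(2^5), x^5+x^2+1", gf2n_combiner(5, 0b100101)),
                    ("GF(3), modular arithmetic", prime_combiner(3))]:
        print(f"{name}: sound = {combiner_is_sound(c)}")
    # the plain XOR stream cipher keeps the one-time-pad property but not the other
    plain = xor_only_combiner(2, 0b111)
    print("XOR only:", has_onetimepad_property(plain), resists_symbol_flipping(plain))
    # last entry of the 5-level multiplication table above: 10000 * 10000
    print(format(gf2n_mul(0b10000, 0b10000, 0b100101, 5), "05b"))
```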
Conclusions for Chapter 4
The ciphers in this chapter are intricate, and yet they still seem to be lacking something compared to those we met in Chapter 2 on rotor machines. In DES, the basic cipher operation is in essence a degenerate form of the autokey. Each half of the block modifies the other half alternately with several repetitions. Yet the number of the repetitions alone at least seems to have the effect of concealing the key. Also, the standard modes proposed for using DES all seem to be designed to avoid increasing its security, except for the removal of trivial vulnerabilities. It would seem that combining DES with some form of stream cipher, even a fairly poor one, would also remove those vulnerabilities at little cost, with additional benefits in security.

Also, it is time to note something about fashions in ciphers, adopted for reasons other than security. The reasons are not really quite so whimsical as the term fashion implies; they are instead connected to the practicalities of using the ciphers in the real world. Stream ciphers are usually viewed as sources of bits which appear random, to be XORed with the plaintext. They are very poor relations to block ciphers at present. Transposing the bytes of a message, perhaps between two encryptions in DES in ECB mode, would probably produce a highly secure cipher, especially if the transposition is both controlled by a secret key and yet varies with each message. But this is an option seldom considered. This is because for many applications it is important that occasional communications errors, even if they corrupt somewhat larger areas in a message because of the use of encryption, not totally obliterate the entire message. So, only those encryption modes and methods that have a limited level of error propagation are considered.

Some of the techniques we have seen in this chapter will now be explored in a number of conceptual designs, some of them perhaps a bit over-elaborate.
- Modified Panama
- Mishmash
- Combining Two Unrelated Block Ciphers
- A Base Conversion Block Cipher and Other Concepts
- The Large-Key Brainstorm
- The Inner Structure of the Feistel Round
Modified Panama
Having noted that in the cryptographic primitive Panama, it looks as if a differential attack only just misses being possible, I have taken the liberty of proposing a variant with a few modifications (so don't blame Joan Daemen if, instead of making it more secure, I've ruined it), which is illustrated below:
The state transition function is modified: the first thing I propose to do is to XOR words 0 through 7 of the state with words 9 through 16 of the state. I also use the least significant three bits of word 8 of the state to determine which of words 9 through 16 is XORed with word 0 (the remaining ones proceed in succession) to produce what I call "deep nonlinearity".
In Push cycles only, the word of the state that was XORed with word 9 of the state is also XORed with word 8 of the state. This makes the state transition function not invertible. This is not appropriate for Pull cycles, since it may lead to short cycling of the state transition function; but Push cycles are limited in number. This prevents recovery of the key from the state.

Then, one proceeds with the normal nonlinearity and bit dispersion steps. An extra buffer injection step is added. This also makes it even more difficult to trace words through the state transition function. Then, the regular diffusion and buffer injection steps take place.

The output from the state transition function is modified. During Pull cycles, the first eight words of the state are XORed into the buffer at the start, as before. During Push cycles, words 9 through 16 are also used; this does not seem to be excessively revealing of the state, and increases the speed of diffusion in the buffer. During Pull cycles, the output is now only one word, and that word is the XOR of two words in the state, chosen by other bits of word 8. Limiting the output to one word changes the basic security of Panama from that of two rounds of the state transition function to that of sixteen rounds. Outputting the XOR of two unknown words further reduces the usefulness of the output for determining the internal state of the buffer.

Because of the enhanced diffusion and the non-invertibility of the Push cycle, instead of using 32 blank Pull cycles, I propose replacing the blank Pull with a blank Push, where an all-zero block is Pushed into the system.
Mishmash
In thinking about ways to give a block cipher the kind of deep nonlinearity found in the rotor machine SIGABA, one idea I had is the kind of block cipher one round of which (for obvious reasons, I proposed only four rounds be used in it) is illustrated by the diagram below, and which I chose (also for reasons to become obvious) to call Mishmash:
The cipher operates on a 128-bit block, and has a Feistel-like structure of sorts. The right half of the block is enciphered by four rounds of some block cipher with a 64-bit block and Feistel rounds, perhaps DES. The four f-function outputs of that process are also taken, put through another f-function (otherwise, their XOR would be equivalent to the XOR of the two inputs and the two outputs), and XORed together to produce a 32-bit word that controls the encipherment of the left half of the block.
In a very schematic form, the left half of the diagram illustrates five operations to which the left half of the block will be subjected:
- Four rounds of Skipjack
- Two rounds of DES
- One round of SAFER
- Two rounds of some other cipher, perhaps Blowfish or QUADIBLOC, with Feistel rounds
- Two-round IDEA
Since IDEA is protected by patents, one will have to use both Blowfish and QUADIBLOC, or some other cipher, instead for now; IDEA is shown because it has a unique basic structure. Since 5! is 120, seven bits of the 32-bit word are sufficient to indicate the order in which the five operations are to be applied. 25 bits remain; 5 of them can be assigned to each of the 5 operations to choose one of 32 subkeys for each (there would be four separate sets of 32 subkeys for each operation, one set for each of the four rounds of this block cipher as a whole).
Combining Two Unrelated Block Ciphers
Another way of making use of the strength that can be obtained by using two block ciphers of a completely different type is illustrated below:
Essentially, each round of encryption consists of applying four rounds of DES to the left half of the block, and two rounds of SAFER to the right half of the block. Six rounds of encryption are used, alternating with seven stages in which the left and right halves of the block are combined. (Even four rounds of encryption may be adequate.)

These fencing stages consist of applying a key-dependent S-box (whose inverse will be required for decryption) to the bytes of the block, and then swapping bits between halves by using a mask to indicate which bits are to be swapped with their corresponding bits in the other half. This method was pioneered in the block cipher ICE. To ensure that each bit being encrypted is evenly divided between the two halves of the block by each fencing stage, a 48-bit subkey, expanded by the use of a 4-of-8 code (as seen in the definition of QUADIBLOC), is used, so that exactly four bits of each byte are swapped.

An additional ICE-style swap is used at the beginning of the cipher, so that the use of byte substitution for whitening is not reduced in effectiveness by the use of the S-box at the start of the cipher. This swap uses a plain 64-bit subkey for maximum randomness, since equal division between halves does not serve a purpose in that position.

The intent of this design is, of course, that since two completely different ciphers are intimately mixed, analysis to find a weakness is essentially impossible. For generating the key schedule, both the 48-bit keys for the fencing stages and the 48-bit DES subkeys are most easily generated in units six bits long; thus, if a source of bytes is used to produce the subkeys, it might be quickest to take only the least significant bits of eight bytes to form one of those 48-bit keys.
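The balanced ICE-style fencing swap described above, as an added example that is not code from the Compendium or from ICE itself; the 4-of-8 code table (QUADIBLOC's is not reproduced on this page) is constructed here as the 64 lowest byte values with exactly four bits set, and the sample halves and subkey are constructed values.

```python
"""ICE-style bit exchange between 64-bit block halves under a balanced mask.

Added example; not code from the Compendium or from ICE. The 48-bit fencing
subkey is expanded six bits at a time through a constructed 4-of-8 code, so
that the 64-bit mask selects exactly four bits of every byte for exchange.
"""

# Constructed 4-of-8 code: 6-bit index -> byte with exactly four bits set.
# 70 such bytes exist; the 64 lowest are used here (an assumption of this example).
FOUR_OF_EIGHT = [v for v in range(256) if bin(v).count("1") == 4][:64]
assert len(FOUR_OF_EIGHT) == 64


def expand_48_to_64(subkey48):
    """Expand a 48-bit subkey into a 64-bit mask, one code byte per six bits."""
    mask = 0
    for i in range(8):
        six = (subkey48 >> (6 * (7 - i))) & 0x3F
        mask = (mask << 8) | FOUR_OF_EIGHT[six]
    return mask


def ice_swap(left, right, mask):
    """Exchange the bits of `left` and `right` that are set in `mask`."""
    t = (left ^ right) & mask
    return left ^ t, right ^ t


def fencing_stage(left, right, subkey48):
    """One fencing exchange: exactly four bits of each byte change halves."""
    return ice_swap(left, right, expand_48_to_64(subkey48))


def mask_bits_per_byte(mask):
    """Number of selected bits in each of the eight bytes of a 64-bit mask."""
    return [bin((mask >> (8 * i)) & 0xFF).count("1") for i in range(8)]


if __name__ == "__main__":
    # constructed sample halves and 48-bit subkey
    L, R, K = 0x0123456789ABCDEF, 0xFEDCBA9876543210, 0x0F1E2D3C4B5A
    L2, R2 = fencing_stage(L, R, K)
    print(mask_bits_per_byte(expand_48_to_64(K)))   # four bits in every byte
    print(fencing_stage(L2, R2, K) == (L, R))        # the exchange is its own inverse
```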
A Base Conversion Block Cipher and Other Concepts
Block Cipher with Base Conversions
Another interesting idea for a block cipher happens to lead to one with an 80-bit block size, which has the advantage of being a multiple of five bits as well as eight, for use with characters in older systems using 5-level code. Most block ciphers involve using S-boxes that operate on groups of bits, alternating with transpositions of individual bits, and XORs of subkey material. Some involve other binary operations. But if one converts to other number bases from binary, one can shuffle around fractions of a bit, thus adding another kind of complexity to the design.

The fact that 33 is both 3 times 11 and one more than 32 is used, along with the fact that 9 is close to 8, and 121 is close to 128. Key-dependent S-boxes (since fixed ones would introduce bias, which could be exploited) operating in both directions are used, for example, both one with 33 entries consisting of all 32 5-bit combinations plus one duplicate, and one with 32 entries containing all but one of the 33 combinations of one 3-symbol and one 11-symbol.

The following are the steps that would comprise an f-function for a block cipher based on this construct:

1) XOR subkey K1 with the 40-bit input.

2) Take the bits of the input, 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 and so on, in groups of five, and using eight key-dependent S-boxes, turn each one into a 3-symbol and an 11-symbol, the 3-symbols being called a, b, c, d, e, f, g, and h respectively, and the 11-symbols being called S, T, U, V, W, X, Y, and Z.

3) Using four key-dependent S-boxes that produce three output bits from two 3-symbols, and another four key-dependent S-boxes that produce seven output bits from two 11-symbols, use the following symbol pairs as input:

   (a,b) (S,W) (c,d) (T,X) (e,f) (U,Y) (g,h) (V,Z)

4) The binary result of the above step is to receive an additional bit permutation, as follows:

   11 22 33 14 25 36  7 18 29 40
   31  2 13 34  5 16 27 38  9 20
   21 32  3 24 35  6 17 28 39 10
    1 12 23  4 15 26 37  8 19 30

5) Subkey K2 is XORed to the result.

6) Using key-dependent S-boxes that operate in the reverse direction, producing two 3-symbols from three bits (thus having eight entries with one combination omitted) and two 11-symbols from seven bits, produce S' T' a' b' U' V' c' d' W' X' e' f' Y' Z' g' h' from the current result.

7) Group the symbols into the following pairs to produce, from eight key-dependent S-boxes, eight groups of five bits:

   (a',Z') (b',V') (c',Y') (d',U') (e',X') (f',T') (g',W') (h',S')

8) Apply the following bit permutation to the S-box outputs (numbers represent sources of bits, and are in the positions of result bits, as in the DES standard):

    6 17 23 29 40 26 37  3  9 20
   35 11 22 28 34  5 31  2  8 14
   25 16 27 33 39 10 36  7 13 19
   30 21 32 38  4 15  1 12 18 24

9) XOR subkey K3 to the result.

The following diagram illustrates this f-function:
If an expansion permutation is desired as part of the f-function, to improve nonlinearity and to reduce the danger of bias, one logical place to put one would be before the XOR of the first subkey, making the first set of S-boxes, containing pairs of one 3-symbol and one 11-symbol as entries, 256 entries in size. This means that the first subkey increases in length, to become 64 bits long. In generating these S-boxes in this form, it would make sense to first select eight different symbol pairs to omit in each of the eight permutations of 32 symbol pairs of which such a box should be composed. An appropriate expansion permutation might have the form:

   40 23  6  1  2  3  4  5
   10 33 16 11 12 13 14 15
   20  3 26 21 22 23 24 25
   30 13 36 31 32 33 34 35
    5 28 11  6  7  8  9 10
   15 38 21 16 17 18 19 20
   25  8 31 26 27 28 29 30
   35 18  1 36 37 38 39 40

and a revised diagram with the expansion permutation added looks like the above.
Fractal Feistel
Another bright idea I had toyed with I discarded as excessively inefficient and probably insecure; but when the release of Skipjack indicated that the micro-Feistel rounds I used as the basis of this might actually be secure, I drew the following diagram to illustrate it:
The basic idea behind this has been used before by others, for example in the MISTY block cipher developed by Mitsuru Matsui of Mitsubishi, and in the block cipher DEAL proposed by Richard Outerbridge as an AES candidate, that is: using a block cipher with Feistel rounds as the ffunction for a larger block cipher with twice the block size. However, the diagram illustrates taking this to extremes.
The innermost function operates on a 16-bit block with four rounds, using a 256-byte lookup table as the f-function; this is the same as the "G permutation" in Skipjack. That function is used as the f-function for four rounds within a block cipher acting on 32-bit blocks, which is, in turn, used for four rounds as the f-function of a block cipher operating on 64-bit blocks. The diagram only includes one instance of this cipher, acting as the f-function for the actual block cipher, which operates on a 128-bit block. Essentially, the Feistel round structure is replicated inside itself repeatedly, creating a block cipher with a fractal structure. This design may have serious security flaws, but it is at least interesting to look at.
Another Sketch
The following diagram:
illustrates the rounds of a type of cipher that may well be secure even though it tries to be efficient and is limited to operations that are efficient on general-purpose computers. Feistel rounds using a key-dependent S-box (called "S8" in the diagram, as in Quadibloc II) but no subkeys are combined with an ICE-style interchange between block halves and a fixed interchange of bytes, designed to cause diffusion different from that provided by the cipher's other components, to form four rounds, each consisting of two batches of four mini-Feistel rounds and one ICE-style interchange, with three fixed byte interchanges between them.
The Large-Key Brainstorm
If one hearkens back to the schemes of previous chapters, such as the Hagelin machine, or the Vernam two-tape system, and allows the use of more key than is needed to achieve a given level of security, one can use the constructs we have met in this chapter to achieve, I believe, a fairly high level of security.
The diagram above is illustrative of the concept involved.
- Plaintext is encrypted, or ciphertext decrypted, using a block cipher with independent subkeys.
- A separate list of subkey values is used to supply each subkey.
- With each block enciphered, one advances through each of these lists, sometimes by one step, sometimes by two, three, or four steps.
- Another block cipher with a fixed key, operating in a combination of output feedback and counter modes (the output is fed back, but XORed with the value in a counter), supplies the bits which determine stepping through the lists of subkeys.
The diagram shows, however, a scaled-down version of the cipher. A more specific description rests on the following principle: the number of bits used to control the stepping of all the lists must equal or exceed the number of bits in a block. In this way, the stepping alone is enough, or at least nearly enough, to cause any plaintext block to become any possible ciphertext block, making it hard to obtain information about the subkeys in the lists. (In turn, the randomness and secrecy of the list contents make it hard to obtain information about the stepping sequence.) A specific construction would run like this:
- DES, but with 32 rounds as well as with independent subkeys, is used as the main block cipher here. In this way, there are 32 lists, the advance of each of which is controlled by two bits, thus meeting the important criterion noted above.
- A block cipher with a 128-bit block is used to generate the stepping bits; it operates once for every two 64-bit blocks enciphered, its output being used a half at a time. This ensures a very long period for the stepping sequence. As that cipher is not exposed to view, even one with weaknesses with respect to differential cryptanalysis could be used, such as the original LUCIFER cipher.
With a large key, key management is a problem. The key comes in four main parts:
- The bytes in all the lists of subkey values. Also, the lengths of these lists can be part of the key.
- The key for the block cipher used to generate stepping values.
- The initial value, and the counter value, for the generation of stepping bits.
- The starting positions within each of the lists of subkey values.
The last item on the list is only needed as part of the key if one is going to start up the encipherment operation several times with the same lists of subkeys, but it is reasonable to do so, since that part of the key is very large and difficult to set up. The first two items can be regarded as semi-permanent, while the last two should be changed with every message. However, the last two must be kept secret, not sent in the clear; otherwise attacks on the contents of the lists of subkey values can become possible if there is enough traffic for the same values of the first two items in the key.

With a key too large to send inside a public-key block, and such a high level of security as to be wasted by any practical method of key distribution, perhaps I have only solved the problem of cryptanalysis for the case when another solution to that problem already exists! However, one could use a one-time-pad to encipher the key distribution keys, and use this cipher with those keys for key distribution. That would avoid too great a loss of security. The long-term portions of the key need to be couriered, of course, combined with encrypting them by some other, weaker, method. Sending two different couriers, by two different routes, with an XOR-split key may be appropriate here.

Although the design above already provides far more security than required for any practical purpose, against the kind of computing power that exists today, the possibility that a practical quantum computer might be constructed might be felt to be worthy of consideration. If the obstacles to constructing a quantum computer can be overcome, such a computer could essentially try all the possible keys to a block cipher at once, in a circuit the size of the conventional circuit used to apply a single key, and output the value of the key for the one case where some known plaintext is matched.
To protect against a threat like that, one would like a design that requires an inordinate amount of known plaintext before any facts about the key can be derived with certainty. A design like what we've just seen is perhaps a step towards that kind of cipher. This design can certainly be elaborated further, with yet another level of indirection, where a second block cipher produces the 64 bits that control the subkeys of the block cipher used to encipher plaintext. Further on, a diagram will show that type of design, but instead of the final block cipher enciphering plaintext, it will be used to encipher previous ciphertext to produce a 64-bit output used to encipher a single byte of plaintext. Perhaps the second block cipher might be 32-round Blowfish, or even a modified Blowfish changed to use 48-bit subkeys and an expansion permutation along these lines:

   23 32  9 18  1  2  3  4  5  6  7  8
    7 16 25  2 17 18 19 20 21 22 23 24
   31  8 17 26  9 10 11 12 13 14 15 16
   15 24  1 10 25 26 27 28 29 30 31 32
so that the four S-boxes can each have 4,096 entries. To keep the time required to generate the S-boxes within some semblance of reason, though, I propose to use just 4-round Blowfish, rather than 32-round or 16-round Blowfish, for filling them. Since I am going to extremes, instead of LUCIFER, let's let the 128-bit block cipher be the 40-round variation of Quadibloc II, using one of the more complicated variant round types. The stream cipher can consist of the XOR of the output of an expanded version of Gifford's cipher with the output of an elaborate MacLaren-Marsaglia construct.
Another preventive measure would be to use an enciphered random initialization vector that modifies the key in use for the next block of the message, with message blocks that are always shorter than the size of the key, so that there is never enough known plaintext to attack any one key. Of course, the relationship between different message blocks and their initialization vectors can still be attacked; this device has been tried with simple ciphers and has not made them invincible. Applied to a sufficiently complex cipher, the gain in difficulty from using that trick, however, may, just possibly, be enough to provide some resistance to quantum computer attack. This can be taken still further in the direction of wretched excess, in order to obtain increased security on the principle of an elephant giving birth to a gnat, by making use of the cipher-feedback principle of stream cipher design:

Here, we do not gain the advantages of limited error propagation that a pure cipher-feedback design can offer; in fact, we not only have a large internal state, but previous ciphertext even influences that state, for the messy worst case of the autokey. To encipher a single byte of the plaintext, we use the preceding twenty-four bytes of the ciphertext as input to the process. Sixteen bytes are XORed to the output of the initial stream cipher, which might as well be something elaborate, such as Panama or my modification of it; this is recirculated through a 128-bit block cipher. Half of the result controls the subkeys for a 64-bit block cipher which enciphers the other half of the result. The output of that cipher then controls the subkeys for another 64-bit block cipher which operates on the remaining eight bytes of preceding ciphertext.

And finally, that eight-byte output is applied to the one byte of plaintext being enciphered, being alternately added and XORed to it a byte at a time through eight layers of substitution. Here we are: a truly secure symmetric-key cipher! And so it is, but it is outrageously excessive and wasteful. But perhaps the schematic diagram above will brighten a cubicle at the NSA and give some of the people there a chuckle. Unless, of course, somebody actually implements this, and they would have liked to decrypt his traffic. But, as noted, even the fact that this design is likely to produce (once the details are filled in) a genuinely secure cipher is not, in itself, sufficient to mean it is suitable for practical use: a rough estimate of the time enciphering a message would take by this method is 64 times as long as it would take to encipher it with DES. Presumably, genuine security can be obtained at a somewhat lesser cost in computational resources. Although wildly impractical in the specific form shown, before abandoning this design completely, some things should be noted:
- A scaled-down version of this type of design, not using full-scale block ciphers as its components, and not involving the somewhat gratuitous use of previous ciphertext (sixteen bytes, in the diagram above) to affect the very beginning of the encipherment process, and thus to affect large portions of the internal state, with the attendant consequences for error propagation, not only could be practical, but may even have been actually used.
- Also, assuming that a cipher of this kind did not evade the scrutiny of a quantum computer due to its sheer size, it is true that trivially some initial states, and consequently some keys, would produce the same ciphertext from the same plaintext, since some portions of the subkey pools for the various block cipher stages might be unused. However, such trivial duplicate keys will not foil quantum computer attack, since the program could be modified to say "don't think you're the right answer and collapse the wave function unless all unused parts of the key are zero", hence restoring uniqueness. By enciphering only a single byte at a time, however, some possibility of nontrivial duplicate keys is created. And certainly the difficulty of obtaining analytical insights that allow a reduction of effort over that of a brute-force search is increased.
- Finally, it should also be noted that despite the complexity of this kind of cipher, one limitation was retained. Although each block cipher stage is supplied with a subkey from a pool, at each step only four of the elements in that pool can be used. Ideally, one would like to use any possible subkey, and to prevent using the same one twice, use the principle behind the MacLaren-Marsaglia random number generator, and produce a replacement for each subkey after it is used once. However, that means that if the final block cipher has 16 rounds and 16 subkeys in each pool (each one, say, 32 bits wide) then the previous stage, instead of producing 64 bits each time to support a 32-round block cipher, must produce 64 bits to select subkeys, and 512 bits for use in replacement subkeys.
The Aryabharata Cipher, and Two-Timing Pads
An article in Cryptologia entitled "The Aryabharata Cipher" discussed the following idea for a cipher: to encipher a message, generate a random series of letters as long as the message. Encipher the message with that series of letters by means of Vigenère. Then, send the random series of letters in enciphered form, and also send the enciphered message, again enciphered as well.

Since both the pad and the message are sent, the absolute security of the one-time pad is not obtained. But the pad and the message can each be enciphered in different ways, and because both are random, the cryptanalyst can only make progress by working on both together. Perhaps doing so would be more difficult than cracking a simple double encryption, using the two ciphers applied to the two pieces of the message as expanded in sequence on the message instead. And perhaps not; it is hard for me to say for certain. But it does seem as though forcing the cryptanalyst to relate different messages to crack a cipher creates a problem, although this happens anyway with modern ciphers of any difficulty. Thus, the scheme is of interest even if there is some question about whether this is the method referred to in the Indian classic.

Thus, I came up with the following scheme, which prevents progress from being made through attacking a single message in a different way, and which also shows an alternate way of making effective use of a large key. The following is a schematic diagram of how the scheme operates:
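The Aryabharata construction described above, as an added example (this is not code from the original page or from the Cryptologia article). The page does not say which two ciphers protect the pad and the message in transit; this example assumes Vigenère under one key for the pad and Beaufort under a second key for the message, both classical letter ciphers, so the two transmitted items are enciphered in different ways as the text requires:

```python
import secrets
import string

ALPHABET = string.ascii_uppercase


def clean(text):
    """Keep only the letters A-Z: the classical ciphers below work on those alone."""
    return "".join(ch for ch in text.upper() if ch in ALPHABET)


def vigenere(text, key, decrypt=False):
    """Vigenère: add (or, when decrypting, subtract) the key letters modulo 26.
    The key repeats if it is shorter than the text; a random pad as long as
    the text is therefore a Vigenère key that never repeats."""
    out = []
    for i, ch in enumerate(text):
        k = ALPHABET.index(key[i % len(key)])
        p = ALPHABET.index(ch)
        out.append(ALPHABET[(p - k) % 26 if decrypt else (p + k) % 26])
    return "".join(out)


def beaufort(text, key):
    """Beaufort: key letter minus text letter modulo 26. Applying it twice with
    the same key gives the text back, so one function serves both directions."""
    return "".join(
        ALPHABET[(ALPHABET.index(key[i % len(key)]) - ALPHABET.index(ch)) % 26]
        for i, ch in enumerate(text)
    )


def random_pad(length):
    """A random series of letters as long as the message, from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def aryabharata_encrypt(plaintext, pad_key, msg_key, pad=None):
    """Return the two items that are transmitted: the enciphered pad and the
    twice-enciphered message. `pad` may be supplied to make a run reproducible."""
    message = clean(plaintext)
    if pad is None:
        pad = random_pad(len(message))
    inner = vigenere(message, pad)        # message under the random pad
    sent_pad = vigenere(pad, pad_key)     # the pad travels under cipher 1 (assumed: Vigenère)
    sent_msg = beaufort(inner, msg_key)   # the message travels under cipher 2 (assumed: Beaufort)
    return sent_pad, sent_msg


def aryabharata_decrypt(sent_pad, sent_msg, pad_key, msg_key):
    """Recover the pad first, then strip both layers from the message."""
    pad = vigenere(sent_pad, pad_key, decrypt=True)
    inner = beaufort(sent_msg, msg_key)
    return vigenere(inner, pad, decrypt=True)


if __name__ == "__main__":
    sent_pad, sent_msg = aryabharata_encrypt("Attack at dawn", "LEMON", "PEPPER")
    print(sent_pad, sent_msg)
    print(aryabharata_decrypt(sent_pad, sent_msg, "LEMON", "PEPPER"))
```

Because the pad is random, neither transmitted item on its own carries any information about the plaintext; a solver has to strip both outer ciphers and combine the results, which is the property the text is pointing at.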
The steps involved in the encryption are described below:

- Two parties wishing to communicate share a secret key which is 12,000 bytes long.
- When sending a message, they use a public-key block to establish 2,048 bits of key, which provides up to four session keys of 512 bits each.
- Messages consist of message segments, which are limited to a maximum of 4,096 bytes in length.
- To encipher a message segment:
  - First, one operates on the 12,000 byte secret key to obtain key material for use with that message segment:
    - The 12,000 byte secret key is subjected to a transposition, governed by 128 bits of the session key.
    - It is then enciphered in some fashion that results in propagation of the encryption, such as a block cipher in CBC mode, using another 128 bits of the session key.
    - The last few bytes of the result could then be used as a key to perform additional encryption. One possibility is another transposition; since quite a bit of key is potentially available, one could even perform a transposition, then a propagating encryption, then another transposition. Ending with a transposition seems to have nice properties. A specific possibility is as follows:
      - The enciphered secret key is divided into two parts, 10,240 bytes to be further scrambled, and 1,760 bytes to be used as the key for that scrambling.
      - First, all 10,240 bytes of the first part are transposed.
      - Then, they are subjected to a block cipher in CBC mode.
      - Then, the first 9,216 bytes of the first part are transposed, leaving the last 1,024 bytes not affected. (This will result in the keys used to encipher the 128-bit keys used for plaintext encipherment including the most propagated part of the scrambled secret key in the XOR that produced them.)
    - The output of that encryption is then divided into two halves, which are XORed together. This ensures that it is difficult to derive any part of the long secret key from the bits to be used later.
    - The result of the XOR is divided into a part that is 4,096 bits long, and two small parts that will be used as keys.
  - The two small parts of the scrambled long secret key are each used to encrypt one 128 bit portion of the session key, to produce two encrypted keys to be used in encrypting the message segment.
  - Then, one encrypts the message segment itself as follows:
    - First, the message segment is encrypted in ECB mode with a block cipher, using the first encrypted 128 bit part of the session key.
    - Then, the message is XORed with the 4,096 bit part of the scrambled long secret key.
    - Finally, the message segment is encrypted in CFB mode with a block cipher, using the second encrypted 128 bit part of the session key.
The specific possibility for the additional encryption noted in the steps above is shown explicitly in this expanded version of the diagram:
Although it is based on a different principle, this scheme uses the same concept that the Aryabharata cipher used: that it is more difficult for a cryptanalyst to correlate multiple messages than to directly solve a single one. Of course, the possibility of still performing such correlations is exactly what allows modern ciphers to be attacked, through such things as differential cryptanalysis. As I propose using block ciphers currently considered secure in this, I hope it at least compounds the problem they create. Note, too, that the message segment itself is encrypted first in ECB mode, to ensure that it goes through the block cipher, then by being XORed with bits that are a function of part of the session key and of the long secret key, then in CFB mode. So good error-propagation characteristics are still retained for the message segment.

In addition to error-propagation, the modes used mean that, since the encryption of the large shared secret key can be performed ahead of time, as long as a time lag between session keys and their use is present, and sufficient processing power is available, this method is not limited to offline uses such as E-mail, but could be used on a continuous basis, even for a digital voice transmission or a similar application, since the plaintext need only be delayed by the simple operations directly performed on it. Some additional discussion of ideas suggested by the "Aryabharata" cipher is on this page.

This cipher could be developed further. Instead of performing a transposition based on the session key first, a simple stream cipher could be applied to the shared secret key before that. This way, a shared secret key with repeated bytes in it would not be weaker. Also, a larger shared secret key could be used, so that the result of the encipherment operations performed on it could be used as input to a cipher like the large-key example which began this page. If a one-time pad is not available for transmitting session keys, perhaps something involving a large shared secret key could be worked out for that. With some further thought, it might be possible to develop a cipher that, while not possessing true information-theoretic security, might possess some degree of resistance even to attacks from quantum computers.
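The per-segment procedure listed above, carried through end to end as an added example; this is not the page's own code and the page fixes no particular primitives. Everything not stated in the steps is an assumption made here: the block cipher is a placeholder 4-round Feistel network with SHA-256 as its round function (a real cipher would go in its place), the key-governed transposition is a shuffle seeded from the key bits, the "last few bytes" used to key the extra scrambling are the first 48 bytes of the 1,760-byte part, message segments are handled as whole 16-byte blocks, and the pad XORed into the segment is taken as 4,096 bytes (the text says bits) so that it covers a maximum-length segment:

```python
import hashlib
import random

BLOCK = 16            # 128-bit block cipher
SECRET_LEN = 12_000   # shared secret key, bytes
SEGMENT_MAX = 4_096   # message segment limit, bytes
PAD_LEN = 4_096       # pad XORed into the segment; bytes here (assumption, the text says bits)


def xor(a, b):
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


# ---- stand-in primitives (assumptions; the page names no particular cipher) ----

def _round(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key, block):
    """Placeholder block cipher: 4-round Feistel network, SHA-256 as round function.
    It shows the data flow only and is not a substitute for a real cipher."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, xor(left, _round(key, rnd, right))
    return right + left


def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = right, xor(left, _round(key, rnd, right))
    return right + left


def ecb(key, data, decrypt=False):
    op = block_decrypt if decrypt else block_encrypt
    return b"".join(op(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def cbc_encrypt(key, data):
    """CBC with a zero IV: each output block depends on all the input before it."""
    out, prev = [], bytes(BLOCK)
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cfb(key, data, decrypt=False):
    """CFB: the block cipher only runs forward, so one routine serves both ways."""
    out, prev = [], bytes(BLOCK)
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        result = xor(chunk, block_encrypt(key, prev))
        out.append(result)
        prev = chunk if decrypt else result
    return b"".join(out)


def transpose(key, data):
    """Key-governed transposition: a Fisher-Yates shuffle seeded from the key bits."""
    order = list(range(len(data)))
    random.Random(int.from_bytes(key, "big")).shuffle(order)
    return bytes(data[j] for j in order)


# ---- the scheme: per-segment key material, then the segment itself ----------

def segment_key_material(secret, session_key):
    """Scramble the 12,000-byte secret under 256 bits of the 512-bit session key
    and squeeze it to a pad plus two 128-bit keys, following the steps above."""
    assert len(secret) == SECRET_LEN and len(session_key) == 64
    k_t, k_c = session_key[:16], session_key[16:32]
    scrambled = cbc_encrypt(k_c, transpose(k_t, secret))
    part, scramble_key = scrambled[:10_240], scrambled[10_240:]   # 10,240 + 1,760 bytes
    t1, c1, t2 = scramble_key[:16], scramble_key[16:32], scramble_key[32:48]  # assumption
    part = cbc_encrypt(c1, transpose(t1, part))
    part = transpose(t2, part[:9_216]) + part[9_216:]             # last 1,024 bytes untouched
    folded = xor(part[:5_120], part[5_120:])                      # the two halves XORed
    # the two small keys sit opposite the untouched, most-propagated tail of `part`
    return folded[:PAD_LEN], folded[PAD_LEN:PAD_LEN + 16], folded[PAD_LEN + 16:PAD_LEN + 32]


def _segment_keys(secret, session_key):
    pad, key_a, key_b = segment_key_material(secret, session_key)
    # each small key encrypts one 128-bit portion of the session key
    ek1 = block_encrypt(key_a, session_key[32:48])
    ek2 = block_encrypt(key_b, session_key[48:64])
    return pad, ek1, ek2


def encrypt_segment(secret, session_key, segment):
    """ECB under the first encrypted key, XOR with the pad, CFB under the second."""
    assert 0 < len(segment) <= SEGMENT_MAX and len(segment) % BLOCK == 0   # whole blocks (assumption)
    pad, ek1, ek2 = _segment_keys(secret, session_key)
    return cfb(ek2, xor(ecb(ek1, segment), pad))


def decrypt_segment(secret, session_key, ciphertext):
    pad, ek1, ek2 = _segment_keys(secret, session_key)
    return ecb(ek1, xor(cfb(ek2, ciphertext, decrypt=True), pad), decrypt=True)


if __name__ == "__main__":
    secret = bytes(i % 251 for i in range(SECRET_LEN))   # constructed, not a real key
    session_key = bytes(range(64))                        # constructed 512-bit session key
    segment = b"constructed 32-byte test segment"
    ct = encrypt_segment(secret, session_key, segment)
    print(ct.hex(), decrypt_segment(secret, session_key, ct) == segment)
```

Note that `segment_key_material` depends only on the shared secret and the session key, not on the message, which is what lets it be computed ahead of time; the segment itself only passes through ECB, one XOR and CFB, as the following paragraph relies on.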
The Inner Structure of the Feistel Round
Many block ciphers are built upon a structure called the Feistel round, named after Horst Feistel of IBM, who originated this structure for the block cipher LUCIFER. The block of data to be enciphered is divided into two halves, and in a Feistel round, only one half is changed, by being XORed with a function of the other half. Since the other half isn't changed, it is still available after the round is over; thus, even if the function of that half used to XOR with the half that is changed is not invertible, the round is still invertible.

Thus, one could make some horrible programming error in implementing the f-function in a Feistel cipher, and the result would still "work" for sending and receiving messages, even if the resulting cipher was not secure. This is not necessarily a good thing. It also means that the direct data path from plaintext to ciphertext only includes XORs, instead of actually going *through* an S-box whose inverse is then needed for decryption. Just on general principles, this tended to make some people nervous, at least in the early days of DES.

For an extremely scaled-down version of a Feistel cipher, I have produced a complete table of what it does for every possible key. But first, let us examine for comparison the tableaux for some simpler operations. For modulo-16 addition, we get what resembles a Vigenère tableau:

      0 1 2 3 4 5 6 7 8 9 A B C D E F

  0   0 1 2 3 4 5 6 7 8 9 A B C D E F
  1   1 2 3 4 5 6 7 8 9 A B C D E F 0
  2   2 3 4 5 6 7 8 9 A B C D E F 0 1
  3   3 4 5 6 7 8 9 A B C D E F 0 1 2
  4   4 5 6 7 8 9 A B C D E F 0 1 2 3
  5   5 6 7 8 9 A B C D E F 0 1 2 3 4
  6   6 7 8 9 A B C D E F 0 1 2 3 4 5
  7   7 8 9 A B C D E F 0 1 2 3 4 5 6
  8   8 9 A B C D E F 0 1 2 3 4 5 6 7
  9   9 A B C D E F 0 1 2 3 4 5 6 7 8
  A   A B C D E F 0 1 2 3 4 5 6 7 8 9
  B   B C D E F 0 1 2 3 4 5 6 7 8 9 A
  C   C D E F 0 1 2 3 4 5 6 7 8 9 A B
  D   D E F 0 1 2 3 4 5 6 7 8 9 A B C
  E   E F 0 1 2 3 4 5 6 7 8 9 A B C D
  F   F 0 1 2 3 4 5 6 7 8 9 A B C D E
And here is the table for the XOR operation:

      0 1 2 3 4 5 6 7 8 9 A B C D E F

  0   0 1 2 3 4 5 6 7 8 9 A B C D E F
  1   1 0 3 2 5 4 7 6 9 8 B A D C F E
  2   2 3 0 1 6 7 4 5 A B 8 9 E F C D
  3   3 2 1 0 7 6 5 4 B A 9 8 F E D C
  4   4 5 6 7 0 1 2 3 C D E F 8 9 A B
  5   5 4 7 6 1 0 3 2 D C F E 9 8 B A
  6   6 7 4 5 2 3 0 1 E F C D A B 8 9
  7   7 6 5 4 3 2 1 0 F E D C B A 9 8
  8   8 9 A B C D E F 0 1 2 3 4 5 6 7
  9   9 8 B A D C F E 1 0 3 2 5 4 7 6
  A   A B 8 9 E F C D 2 3 0 1 6 7 4 5
  B   B A 9 8 F E D C 3 2 1 0 7 6 5 4
  C   C D E F 8 9 A B 4 5 6 7 0 1 2 3
  D   D C F E 9 8 B A 5 4 7 6 1 0 3 2
  E   E F C D A B 8 9 6 7 4 5 2 3 0 1
  F   F E D C B A 9 8 7 6 5 4 3 2 1 0
Here is the table for the permutations produced by the successive positions of a 16-contact rotor wired by the interval method. As the rows represent the successive positions of the rotor, their number is first subtracted from the input, then the rotor substitution is performed, and then that number is added to the result. Hence, the diagonals running down from left to right show the normal sequence (0, 1, 2, 3, 4, ... D, E, F) with some starting point.

      0 1 2 3 4 5 6 7 8 9 A B C D E F

  0   1 C 7 F B 8 6 4 E 0 3 D A 5 2 9
  1   A 2 D 8 0 C 9 7 5 F 1 4 E B 6 3
  2   4 B 3 E 9 1 D A 8 6 0 2 5 F C 7
  3   8 5 C 4 F A 2 E B 9 7 1 3 6 0 D
  4   E 9 6 D 5 0 B 3 F C A 8 2 4 7 1
  5   2 F A 7 E 6 1 C 4 0 D B 9 3 5 8
  6   9 3 0 B 8 F 7 2 D 5 1 E C A 4 6
  7   7 A 4 1 C 9 0 8 3 E 6 2 F D B 5
  8   6 8 B 5 2 D A 1 9 4 F 7 3 0 E C
  9   D 7 9 C 6 3 E B 2 A 5 0 8 4 1 F
  A   0 E 8 A D 7 4 F C 3 B 6 1 9 5 2
  B   3 1 F 9 B E 8 5 0 D 4 C 7 2 A 6
  C   7 4 2 0 A C F 9 6 1 E 5 D 8 3 B
  D   C 8 5 3 1 B D 0 A 7 2 F 6 E 9 4
  E   5 D 9 6 4 2 C E 1 B 8 3 0 7 F A
  F   B 6 E A 7 5 3 D F 2 C 9 4 1 8 0
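The rotor tableau just shown, regenerated from its first row as an added example (not code from the original page). Row 0 is read off the table above and taken as the rotor's wiring in its starting position; the rest follows from the subtract-substitute-add rule stated in the text, and the block also checks the diagonal property and shows how one row can be predicted from another once the displacement between them is known:

```python
HEX = "0123456789ABCDEF"

# Row 0 of the table above is the rotor's wiring in its starting position:
# input contact i is connected to output contact WIRING[i].
WIRING = [int(ch, 16) for ch in "1C7FB864E03DA529"]


def rotor_row(wiring, position):
    """The substitution seen with the rotor advanced `position` steps: subtract
    the position from the input, pass through the wiring, add it back (mod 16)."""
    n = len(wiring)
    return [(wiring[(c - position) % n] + position) % n for c in range(n)]


def friedman_square(wiring):
    """All rotor positions, one per row."""
    return [rotor_row(wiring, pos) for pos in range(len(wiring))]


def has_diagonal_property(square):
    """Stepping one row down and one column right adds 1 (mod n) to the entry,
    so every left-to-right diagonal reads 0, 1, 2, ... from some starting point."""
    n = len(square)
    return all(square[(r + 1) % n][(c + 1) % n] == (square[r][c] + 1) % n
               for r in range(n) for c in range(n))


def predict_row(known_row, displacement):
    """Given one row and the displacement d to another row, the other row is the
    known one shifted d columns right with d added to each entry. Without d the
    two rows cannot be related this way, which is the caveat the text raises."""
    n = len(known_row)
    row = [None] * n
    for c, v in enumerate(known_row):
        row[(c + displacement) % n] = (v + displacement) % n
    return row


def intervals(wiring):
    """Output-minus-input difference at each contact, the quantity the interval
    method of wiring spreads out across the rotor."""
    n = len(wiring)
    return [(wiring[i] - i) % n for i in range(n)]


def format_square(square):
    """Plain-text tableau in the layout used on this page."""
    n = len(square)
    lines = ["    " + " ".join(HEX[c] for c in range(n))]
    lines += [HEX[r] + "   " + " ".join(HEX[v] for v in row) for r, row in enumerate(square)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_square(friedman_square(WIRING)))
    print("intervals:", intervals(WIRING))
```

With 16 contacts the intervals cannot all be distinct (the differences of a permutation of an even-sized cyclic group sum to zero, which 0 through F do not), so 15 distinct values, as this wiring has, is the best an even-sized rotor can do.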
Such a tableau is referred to as a Friedman square. From the property of its diagonals, a method analogous to symmetry of position can be derived for use in the late stages of cracking a rotor cipher. Since the position, and value, of corresponding equivalents in different rows changes with each row, however, this only works if one knows the displacement between the two alphabets being compared, which is unlike the case for conventional symmetry of position. Since in rotor machines rotors usually move one step at a time, and in the same direction, this condition can be met.

And here is the tableau for a Feistel round, which, for this example, is two rounds of a cipher that operates on four-bit values with the S-box (3,1,0,2) as the f-function. In this table, the columns represent the plaintext input, and the rows represent the four-bit value which is the concatenation of the two two-bit subkeys for the two rounds (which are XORed with the input to the S-box, following DES). I am using in-place Feistel rounds, and the first round uses the left half of the block as the input to the f-function.

      0 1 2 3 4 5 6 7 8 9 A B C D E F

  0   B 2 5 C 1 8 F 6 4 D A 3 E 7 0 9
  1   3 A D 4 9 0 7 E C 5 2 B 6 F 8 1
  2   7 E 9 0 D 4 3 A 8 1 6 F 2 B C 5
  3   F 6 1 8 5 C B 2 0 9 E 7 A 3 4 D
  4   5 C B 2 F 6 1 8 A 3 4 D 0 9 E 7
  5   D 4 3 A 7 E 9 0 2 B C 5 8 1 6 F
  6   9 0 7 E 3 A D 4 6 F 8 1 C 5 2 B
  7   1 8 F 6 B 2 5 C E 7 0 9 4 D A 3
  8   C 5 2 B 6 F 8 1 3 A D 4 9 0 7 E
  9   4 D A 3 E 7 0 9 B 2 5 C 1 8 F 6
  A   0 9 E 7 A 3 4 D F 6 1 8 5 C B 2
  B   8 1 6 F 2 B C 5 7 E 9 0 D 4 3 A
  C   2 B C 5 8 1 6 F D 4 3 A 7 E 9 0
  D   A 3 4 D 0 9 E 7 5 C B 2 F 6 1 8
  E   E 7 0 9 4 D A 3 1 8 F 6 B 2 5 C
  F   6 F 8 1 C 5 2 B 9 0 7 E 3 A D 4
Because only two rounds are performed, the last two bits are only changed by being XORed, for any key, with a fixed function of
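The scaled-down Feistel cipher behind the tableau above, as an added example (not code from the original page): two in-place rounds on a 4-bit block with the S-box (3,1,0,2), the key being the two 2-bit subkeys concatenated, the first of them used in round 1. Beyond regenerating the table, it demonstrates the two points made at the start of this section, that decryption never inverts the f-function, so even a non-invertible S-box yields a bijection for every key, and that after only two rounds the right half is changed solely by XOR with a value that depends on the left half and the key:

```python
SBOX = (3, 1, 0, 2)      # the f-function on this page: a 2-bit to 2-bit S-box
HEX = "0123456789ABCDEF"


def f(half, subkey, sbox=SBOX):
    """Round function: XOR the 2-bit subkey into the half, then look it up (as in DES)."""
    return sbox[half ^ subkey]


def encrypt(block, key, sbox=SBOX):
    """Two in-place Feistel rounds on a 4-bit block. key = (k1 << 2) | k2, where
    k1 is used in round 1 and k2 in round 2."""
    left, right = block >> 2, block & 3
    k1, k2 = key >> 2, key & 3
    right ^= f(left, k1, sbox)      # round 1: the left half drives the f-function
    left ^= f(right, k2, sbox)      # round 2: the (already changed) right half drives it
    return (left << 2) | right


def decrypt(block, key, sbox=SBOX):
    """Undo the rounds in reverse order. The S-box is only ever looked up, never
    inverted, which is why any S-box at all gives an invertible cipher."""
    left, right = block >> 2, block & 3
    k1, k2 = key >> 2, key & 3
    left ^= f(right, k2, sbox)
    right ^= f(left, k1, sbox)
    return (left << 2) | right


def tableau(sbox=SBOX):
    """Rows: the 4-bit key; columns: the plaintext; entries: the ciphertext."""
    return [[encrypt(p, k, sbox) for p in range(16)] for k in range(16)]


def every_row_is_a_permutation(sbox):
    """True when each key maps the 16 plaintexts onto 16 distinct ciphertexts."""
    return all(sorted(row) == list(range(16)) for row in tableau(sbox))


def right_half_deltas(key, sbox=SBOX):
    """For a fixed key, (ciphertext & 3) ^ (plaintext & 3) grouped by the
    plaintext's left half. With only two rounds each left half gives exactly
    one value, f(left, k1), whatever the right half was."""
    deltas = {}
    for p in range(16):
        deltas.setdefault(p >> 2, set()).add((encrypt(p, key, sbox) & 3) ^ (p & 3))
    return deltas


def format_tableau(rows):
    """Plain-text tableau in the layout used on this page."""
    lines = ["    " + " ".join(HEX[c] for c in range(16))]
    lines += [HEX[k] + "   " + " ".join(HEX[v] for v in row) for k, row in enumerate(rows)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_tableau(tableau()))
    print(right_half_deltas(0))
```

Passing a degenerate S-box such as (0, 0, 1, 1), or even a constant one, to `tableau` still produces a permutation in every row; that is the "horrible programming error would still work" observation from the start of this section made concrete, and it is why a round-trip test alone says nothing about the quality of an f-function.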