
Lecture Notes in Computer Science
Edited by G. Goos and J. Hartmanis

330

Christoph G. Günther (Ed.)

Advances in Cryptology -
EUROCRYPT '88
Workshop on the Theory and Application
of Cryptographic Techniques
Davos, Switzerland, May 25-27, 1988
Proceedings

Springer-Verlag
Berlin Heidelberg New York London Paris Tokyo

Editorial Board
D. Barstow, W. Brauer, P. Brinch Hansen, D. Gries, D. Luckham,
C. Moler, A. Pnueli, G. Seegmüller, J. Stoer, N. Wirth

Editor
Christoph G. Günther
Asea Brown Boveri, Corporate Research
CH-5405 Baden, Switzerland

CR Subject Classification (1987): D.4.6, E.3, H.2.0

ISBN 3-540-50251-3 Springer-Verlag Berlin Heidelberg New York
ISBN 0-387-50251-3 Springer-Verlag New York Berlin Heidelberg

This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in other ways, and storage in data banks. Duplication of this publication or parts thereof is only permitted under the provisions of the German Copyright Law of September 9, 1965, in its version of June 24, 1985, and a copyright fee must always be paid. Violations fall under the prosecution act of the German Copyright Law.

© Springer-Verlag Berlin Heidelberg 1988
Printed in Germany
Printing and binding: Druckhaus Beltz, Hemsbach/Bergstr.
2145/3140-543210
PREFACE

The International Association for Cryptologic Research (IACR) organizes two international conferences every year, one in Europe and one in the United States. EUROCRYPT '88, held in the beautiful environment of the Swiss mountains in Davos, was the sixth European conference. The number of contributions and of participants at the meeting has increased substantially, which is an indication of the high interest in cryptography and system security in general.

The interest has not only increased but has also further moved towards authentication, signatures and other protocols. This is easy to understand in view of the urgent needs for such protocols, in particular in connection with open information systems, and in view of the exciting problems in this area. The equally fascinating classical field of secrecy, i.e. the theory, design and analysis of stream or block ciphers and of public key cryptosystems, was however also well represented and several significant results were communicated.

The present proceedings contain all contributions which were accepted for presentation. The chapters correspond to the sessions at the conference.

I am grateful to all authors of these contributions for the careful preparation and prompt submission of their papers. On behalf of the General Chairman, it is a pleasure to thank the authors and the members of the Program Committee for having made the conference such an interesting and stimulating meeting. We are indebted to the sponsors for their generous donations and to the members of the Organization Committee, who have so perfectly organized the meeting.

Baden, June 1988                                                  C.G.G.


EUROCRYPT '88
was sponsored by the

International Association for Cryptologic Research (IACR)

General Chairman: James L. Massey, Swiss Federal Institute of Technology, Zurich, Switzerland
Program Chairman: Ingemar Ingemarsson, Linköping University, Sweden

Organizing Committee:
José Clarinval, Zurich
Christoph G. Günther, Baden
Kirk H. Kirchhofer, Zug
Ueli Maurer, Zurich
Rainer A. Rueppel, Zug
Paul Schoebi, Regensdorf
Thomas Siegenthaler, Zurich
Othmar Staffelbach, Regensdorf

Program Committee:
Rolf Blom, Stockholm
Lennart Brynielsson, Stockholm
Ivan Damgård, Aarhus
Viiveke Fåk, Linköping
Tor Helleseth, Bergen
Rolf Johannesson, Lund

The conference was generously supported by

Union Bank of Switzerland, Zurich
Springer-Verlag, Heidelberg and New York
Amstein Walthert Kleiner AG, Zurich, Switzerland
Asea Brown Boveri AG, Zurich, Switzerland
Ascom-Radiocom AG, Solothurn, Switzerland
Crypto AG, Zug, Switzerland
Gretag Ltd., Regensdorf, Switzerland
CONTENTS

SECTION I: KEY DISTRIBUTION

Key Agreements Based on Function Composition ........................... 3
Rainer A. Rueppel

Security of Improved Identity-Based Conference Key Distribution Systems ..... 11
Kenji Koyama, Kazuo Ohta

SECTION II: AUTHENTICATION

Subliminal-Free Authentication and Signature ............................. 23
Yvo G. Desmedt

Zero-Knowledge Proofs of Identity and Veracity of Transaction Receipts ..... 35
Gustavus J. Simmons, George B. Purdy

Authentication Codes with Multiple Arbiters .............................. 51
Ernest F. Brickell, Doug R. Stinson

Some Constructions for Authentication-Secrecy Codes ...................... 57
Marijke De Soete

Efficient Zero-Knowledge Identification Scheme for Smart Cards ............ 77
Thomas Beth

SECTION III: SIGNATURES

A Smart Card Implementation of the Fiat-Shamir Identification Scheme ...... 87
Hans-Joachim Knobloch

Manipulations and Errors, Detection and Localization ..................... 97
Ph. Godlewski, P. Camion

Privacy Protected Payments - Realization of a Protocol that Guarantees Payer Anonymity ..... 107
Svein J. Knapskog

A Practical Zero-Knowledge Protocol Fitted to Security Microprocessor Minimizing Both Transmission and Memory ..... 123
Louis C. Guillou, Jean-Jacques Quisquater

A Generalized Birthday Attack ............................................ 129
Marc Girault, Robert Cohen, Mireille Campana

SECTION IV: PROTOCOLS

An Interactive Data Exchange Protocol Based on Discrete Exponentiation .... 159
G. B. Agnew, R. C. Mullin, S. A. Vanstone

Anonymous and Verifiable Registration in Databases ....................... 167
Jørgen Brandt, Ivan Bjerre Damgård, Peter Landrock, Torben Pedersen

Elections with Unconditionally-Secret Ballots and Disruption Equivalent to Breaking RSA ..... 177
David Chaum

Passports and Visas Versus ID's .......................................... 183
George I. Davida, Yvo G. Desmedt

SECTION V: COMPLEXITY AND NUMBER THEORY

The Probabilistic Theory of Linear Complexity ............................ 191
Harald Niederreiter

A Probabilistic Primality Test Based on the Properties of Certain Generalized Lucas Numbers ..... 211
Adina Di Porto, Piero Filipponi

On the Construction of Random Number Generators and Random Function Generators ..... 225
C. P. Schnorr

SECTION VI: NUMERICAL METHODS

Factorization of Large Integers on a Massively Parallel Computer .......... 235
James A. Davis, Diane B. Holdridge

A Fast Modular Arithmetic Algorithm Using a Residue Table ................ 245
Shin-ichi Kawamura, Kyoko Hirano

Fast Exponentiation in GF(2^n) ........................................... 251
G. B. Agnew, R. C. Mullin, S. A. Vanstone

Fast RSA-Hardware: Dream or Reality? ..................................... 257
Frank Hoornaert, Marc Decroos, Joos Vandewalle, René Govaerts

SECTION VII: CRYPTANALYSIS

Properties of the Euler Totient Function Modulo 24 and Some of its Cryptographic Implications ..... 267
Raouf N. Gorgui-Naguib, Satnam S. Dlay

An Observation on the Security of McEliece's Public-Key Cryptosystem ..... 275
P. J. Lee, E. F. Brickell

How to Break Okamoto's Cryptosystem by Reducing Lattice Bases ............ 281
Brigitte Vallée, Marc Girault, Philippe Toffin

Cryptanalysis of F.E.A.L. ................................................ 293
Bert den Boer

Fast Correlation Attacks on Stream Ciphers ............................... 301
Willi Meier, Othmar Staffelbach

SECTION VIII: RUNNING-KEY CIPHERS

A New Class of Nonlinear Functions for Running-Key Generators ............ 317
Shu Tezuka

Windmill Generators: A Generalization and an Observation of How Many There Are ..... 325
B. J. M. Smeets, W. G. Chambers

Lock-in Effect in Cascades of Clock-Controlled Shift-Registers ........... 331
William G. Chambers, Dieter Gollmann

Proof of Massey's Conjectured Algorithm .................................. 345
Cunsheng Ding

Linear Recurring m-Arrays ................................................ 351
Dongdai Lin, Mulan Liu

SECTION IX: CIPHER THEORY AND THRESHOLD

Substantial Number of Cryptographic Keys and its Application to Encryption Designs ..... 361
Eiji Okamoto

A Measure of Semiequivocation ............................................ 375
Andrea Sgarro

Some New Classes of Geometric Threshold Schemes .......................... 389
Marijke De Soete, Klaus Vedder

SECTION X: NEW CIPHERS

A Universal Algorithm for Homophonic Coding .............................. 405
Christoph G. Günther

A New Probabilistic Encryption Scheme .................................... 415
He Jingmin, Lu Kaicheng

Public Quadratic Polynomial-Tuples for Efficient Signature-Verification and Message-Encryption ..... 419
Tsutomu Matsumoto, Hideki Imai

Some Applications of Multiple Key Ciphers ................................ 455
Colin Boyd

Author Index ............................................................. 469

Keyword Index ............................................................ 471


KEY AGREEMENTS BASED ON FUNCTION COMPOSITION

Rainer A. Rueppel

Crypto AG
6312 Steinhausen
Switzerland

Abstract:

Two protocols are presented that accomplish the same goal as the original Diffie-Hellman protocol, namely, to establish a common secret key using only public messages. They are based on n-fold composition of some suitable elementary function. The first protocol is shown to fail always when the elementary function is chosen to be linear. This does not preclude its use for a suitable nonlinear elementary function. The second protocol is shown to be equivalent to the Diffie-Hellman protocol when the elementary function is chosen to be linear. Some examples are given to illustrate the use of both protocols. It is still an open problem whether the presented approach allows for an improvement in terms of speed and/or security over the original DH-protocol.

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 3-10, 1988.
© Springer-Verlag Berlin Heidelberg 1988

Suppose we are given an autonomous finite-state machine with next-state function F. After one time step an initial state s_0 will be transferred to s_1 = F(s_0). After n time steps we have

$$s_n = F(F(\ldots F(s_0)\ldots)) = F^n(s_0),$$

where F^n stands for the n-fold application of F to its argument. (Although we do not need the finite-state machine context to derive some results, we use it to illustrate the approach.) Now define two functions g and h,

$$g:\ y = F^m(x), \qquad h:\ y = F^n(x).$$

These two functions g and h will commute, i.e.,

$$h(g(x)) = g(h(x)) = F^{m+n}(x).$$

This commutativity is also the basic requirement in the DH-protocol. Hence, using the number of steps an FSM has taken from a specific starting point as the individual user's secret, we can implement a key agreement as follows:

Key Agreement Protocol 1:

A and B have agreed on a common FSM with next-state function F and a common starting state s_0.

(1) A randomly chooses a secret number n_1 and steps its FSM, loaded with s_0, n_1 times to obtain

$$s^{(1)} = s_{n_1} = F^{n_1}(s_0).$$

A sends s^{(1)} to B.

B randomly chooses a secret number n_2 and steps its FSM, loaded with s_0, n_2 times to obtain

$$s^{(2)} = s_{n_2} = F^{n_2}(s_0).$$

B sends s^{(2)} to A.

(2) A loads the received state s^{(2)} into its FSM and steps it n_1 times to obtain

$$s^{(12)} = F^{n_1}(s^{(2)}) = F^{n_1+n_2}(s_0).$$

B loads the received state s^{(1)} into its FSM and steps it n_2 times to obtain

$$s^{(21)} = F^{n_2}(s^{(1)}) = F^{n_1+n_2}(s_0).$$

(3) Since every state has a unique successor, the resulting states s^{(12)} and s^{(21)} must be identical and could serve as a common secret between A and B.

So far we did not impose any restriction on F. But, of course, in order not to render the above protocol useless, the next-state function F must possess the following properties:

(1) to compute s_n = F^n(s_0) must be "easy";

(2) to infer n from s_0 and s_n must be "hard";

(3) to compute s^{(12)} from s_0, s^{(1)} and s^{(2)} must be "hard".

Example 1: Suppose we use a linear next-state function F(x) = ax (mod p) and a nonzero initial state s_0. Then computing the nth state directly is easy (using square and multiply),

$$s_n = F^n(s_0) = a^n s_0 \pmod p.$$

Inferring n from s_0 and s_n corresponds to taking the discrete log (mod p). But computing s^{(12)} from s_0, s^{(1)} and s^{(2)} can be done at almost no cost,

$$s^{(12)} = a^{n_1+n_2} s_0 = \frac{s^{(1)}\, s^{(2)}}{s_0} \pmod p.$$

In fact, the combination of the above protocol with any linear FSM is insecure. Let A be the state transition matrix, i.e.

$$s_{t+1} = A\, s_t.$$

Now the following attack will recover s^{(12)} efficiently.

(1) Compute A^{n_1} from s_0, s^{(1)} and A. (By the Cayley-Hamilton theorem A^{n_1} = r_1(A) for a polynomial r_1 whose degree is below the dimension of the state space, so its coefficients are found by solving the linear system s^{(1)} = r_1(A)\, s_0; in fact any polynomial r_1 with r_1(A)\, s_0 = s^{(1)} will do, because r_1(A) commutes with A^{n_2}.) Determine A^{n_2} the same way.

(2) Form the product

$$A^{n_1} s^{(2)} = A^{n_1} A^{n_2} s_0 = s^{(12)},$$

which gives away s^{(12)}.

Example 2: Suppose we use F(x) = x^e (mod p) as the next-state function. Then the public messages s^{(1)} and s^{(2)} to be transmitted are

$$s^{(1)} = F^{n_1}(s_0) = s_0^{\,e^{n_1}} \pmod p, \qquad s^{(2)} = F^{n_2}(s_0) = s_0^{\,e^{n_2}} \pmod p.$$

A computes

$$s^{(12)} = F^{n_1}(s^{(2)}) = s_0^{\,e^{n_1+n_2}} \pmod p,$$

which is identical to the outcome of B's computation and may serve as the common secret.

If an attacker is able to efficiently compute discrete logs mod p, he can also efficiently compute s^{(12)}: writing s_0 = g^c for a generator g, the logarithms of the public states are c\,e^{n_1} and c\,e^{n_2} (mod p-1), so (for c invertible mod p-1)

$$e^{n_2} \equiv \frac{\log_g s^{(2)}}{\log_g s_0} \pmod{p-1}, \qquad s^{(12)} = \left(s^{(1)}\right)^{e^{n_2}} \pmod p.$$

Note that at this point the attacker has not yet succeeded in deriving the individual secrets n_1 and n_2 of parties A and B. To obtain, say, n_1, he will have to take discrete logs mod p-1, whose factorization may be difficult to find.
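Protocol 1 run with the two elementary functions of Examples 1 and 2, as an added example (Python; the paper contains no code and this is not Rueppel's): with the linear F(x) = ax (mod p) both parties agree on s^{(12)} and an eavesdropper obtains it for free as s^{(1)} s^{(2)}/s_0, while with F(x) = x^e (mod p) that shortcut no longer works and the eavesdropper needs the discrete-log oracle of Example 2 (here a brute-force `dlog`, which is why the modulus is tiny). Everything below the protocol itself is this example's assumption: p = 10007, a = 1234, e = 3, the starting state s_0 = g = 5 (a primitive root mod p, so that log_g s_0 = 1) and random n_1, n_2 from a fixed seed.

```python
"""Rueppel's Key Agreement Protocol 1 with two elementary functions.
Added example, not from the paper; p, a, e and s0 are toy values."""
import random

P = 10007          # prime modulus (toy size); p-1 = 2 * 5003
G = 5              # primitive root mod P: 5 is a quadratic non-residue mod 10007


def step_n(F, s0, n):
    """F^n(s0) by stepping the FSM one state at a time (the definition)."""
    s = s0
    for _ in range(n):
        s = F(s)
    return s


def linear_F(a, p):
    return lambda s: a * s % p


def linear_fast(a, p):
    """Property (1) for F(x) = a x: F^n(s) = a^n s, by square-and-multiply."""
    return lambda s, n: pow(a, n, p) * s % p


def power_F(e, p):
    return lambda s: pow(s, e, p)


def power_fast(e, p):
    """Property (1) for F(x) = x^e: F^n(s) = s^(e^n), exponent reduced mod p-1."""
    return lambda s, n: pow(s, pow(e, n, p - 1), p)


def protocol1(fast, s0, n1, n2):
    """Steps (1)-(3): returns the public states s1, s2 and both parties' secrets."""
    s1 = fast(s0, n1)        # A -> B
    s2 = fast(s0, n2)        # B -> A
    s12 = fast(s2, n1)       # A steps the received s2 another n1 times
    s21 = fast(s1, n2)       # B steps the received s1 another n2 times
    return s1, s2, s12, s21


def dlog(base, target, mod, bound):
    """Brute-force discrete log: least k < bound with base^k == target (mod mod).
    Toy-sized stand-in for the discrete-log oracle assumed in Example 2."""
    acc = 1
    for k in range(bound):
        if acc == target:
            return k
        acc = acc * base % mod
    return None


def attack_linear(p, s0, s1, s2):
    """Example 1: s12 = a^(n1+n2) s0 = s1 * s2 / s0 (mod p), no logarithm needed."""
    return s1 * s2 * pow(s0, -1, p) % p


def attack_power(p, g, e, s1, s2):
    """Example 2 with s0 = g: log_g(s2) = e^n2 (mod p-1), so s12 = s1^(e^n2).
    Recovering n2 itself is a second discrete log, this time modulo p-1."""
    e_n2 = dlog(g, s2, p, p - 1)            # = e^n2 mod (p-1)
    s12 = pow(s1, e_n2, p)
    n2 = dlog(e, e_n2, p - 1, p - 1)        # log of e^n2 to the base e in (Z/(p-1))^*
    return s12, n2


def run_all(seed=1):
    """Runs both instantiations and reports which attacks succeeded."""
    p, g, a, e = P, G, 1234, 3              # e = 3 is a unit mod p-1 = 10006
    rng = random.Random(seed)
    n1, n2 = rng.randrange(1, p - 1), rng.randrange(1, p - 1)
    out = {"g_primitive": pow(g, 2, p) != 1 and pow(g, (p - 1) // 2, p) != 1}
    # the direct formulas agree with stepping the FSM (property (1), "easy")
    out["linear_fast_ok"] = step_n(linear_F(a, p), g, 50) == linear_fast(a, p)(g, 50)
    out["power_fast_ok"] = step_n(power_F(e, p), g, 50) == power_fast(e, p)(g, 50)
    # linear F: both parties agree, and the eavesdropper gets s12 for free
    s1, s2, s12, s21 = protocol1(linear_fast(a, p), g, n1, n2)
    out["linear_agree"] = s12 == s21
    out["linear_broken_for_free"] = attack_linear(p, g, s1, s2) == s12
    # F(x) = x^e: the multiplicative shortcut is no longer valid, a DLP oracle is needed
    s1, s2, s12, s21 = protocol1(power_fast(e, p), g, n1, n2)
    out["power_agree"] = s12 == s21
    out["shortcut_fails"] = attack_linear(p, g, s1, s2) != s12
    s12_att, n2_att = attack_power(p, g, e, s1, s2)
    out["power_broken_with_dlp"] = s12_att == s12 and pow(e, n2_att, p - 1) == pow(e, n2, p - 1)
    return out


if __name__ == "__main__":
    print(run_all())
```

`attack_power` recovers n_2 only up to the order of e modulo p-1 (any n_2' with e^{n_2'} ≡ e^{n_2} (mod p-1) yields the same s^{(12)}), which is exactly the "logs mod p-1" the paper points to as the remaining obstacle.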

Example 3 (due to C. Thome and R. Schwarzenberger): Suppose we use a nonlinear feedback shift register with next-state function

The nth state of this NLFSR will be

where F_n denotes the nth Fibonacci number. Consequently, the nth state is efficiently computable. On the other hand, to break this system cannot be harder than to take discrete logs mod p, since then we may express a, b and the nth state relative to some generator g,

$$a = g^{\epsilon_1} \pmod p, \qquad b = g^{\epsilon_2} \pmod p,$$

which, after two more logarithm operations mod p, results in a system of linear congruences which can efficiently be solved.

In a slightly more general approach, we may want to allow that the next-state function of the FSM is changed during the execution of the protocol. Let the two functions g and h be defined as above; then it also holds that

$$g^n(x) = h^m(x) = F^{mn}(x).$$

Therefore, the above protocol could be modified as follows:

Key Agreement Protocol 2:

A and B have agreed on a common FSM with next-state function F and a common starting state s_0.

(1) A randomly chooses a secret number n_1 and computes the description of the function

$$g_1 = F^{n_1}.$$

A sends the function description of g_1 to B.

B acts correspondingly on its secret n_2 and sends the description of g_2 = F^{n_2} to A.

(2) A loads the received function description of g_2 as next-state function into its FSM and steps it n_1 times, started at s_0, to obtain

$$s_{12} = g_2^{\,n_1}(s_0) = F^{n_1 n_2}(s_0).$$

B acts correspondingly on the received function description of g_1 in order to obtain s_{21} = g_1^{\,n_2}(s_0).

(3) The resulting states s_{12} and s_{21} are identical and could serve as a common secret between A and B.

Here the conditions on the next-state function F are slightly different (as compared to protocol 1):

(1) to compute g = F^n from F and n must be "easy";

(2) to infer n from g and F must be "hard";

(3) to compute s_{12} from s_0, F, g_1 and g_2 must be "hard".

Example 4: Let the next-state function be F(x) = ax (mod p), and suppose s_0 = 1. Then

$$g_1(x) = F^{n_1}(x) = a^{n_1} x = \alpha_1 x \pmod p,$$

$$g_2(x) = F^{n_2}(x) = a^{n_2} x = \alpha_2 x \pmod p.$$

A sends the function description of g_1, consisting of the coefficient \alpha_1, to B. B loads s_0 = 1 and g_1 as the next-state function into its FSM, and steps it n_2 times to arrive at

$$s_{21} = \left(a^{n_1}\right)^{n_2} \pmod p.$$

A acts accordingly on the received g_2. (Note that this is the reformulation of the original Diffie-Hellman protocol [1].)

In general, let A be a linear operator on a finite-dimensional vector space over a field F. Let g(x) be the minimal polynomial of A, that is, the polynomial of least positive degree k such that g(A) = 0. The Cayley-Hamilton theorem states that g(x) must divide the characteristic polynomial of A, and thus that the degree of g(x) is smaller than or equal to the dimension of the vector space A operates on. Applying Euclid we may write

$$x^n = q(x)\, g(x) + r(x),$$

where the degree of r(x) is smaller than k. Consequently,

$$A^n = r(A)$$

since g(A) = 0. Thus, any linear map A used in the second protocol leads to the following problem: given two polynomials r(x) and g(x) over F, find the least positive exponent n such that

$$x^n \equiv r(x) \pmod{g(x)}.$$

If g(x) is irreducible, this is the discrete log problem in an extension field. Thus, when used with a linear elementary function F, the second protocol is equivalent to the original Diffie-Hellman protocol.

Example 5: Let the next-state function be F(x) = x^e (mod p), with 1 < s_0 < p-1. Then

$$g_1(x) = x^{e^{n_1}} = x^{\epsilon_1} \pmod p,$$

$$g_2(x) = x^{e^{n_2}} = x^{\epsilon_2} \pmod p,$$

where the exponents \epsilon_1 = e^{n_1} and \epsilon_2 = e^{n_2} may be reduced mod p-1. A sends the function description of g_1, consisting of the exponent \epsilon_1, to B. B computes, based on g_1 as next-state function,

$$s_{21} = g_1^{\,n_2}(s_0) = s_0^{\,\epsilon_1^{\,n_2}} = s_0^{\,e^{n_1 n_2}} \pmod p.$$

A acts accordingly on the received g_2.

Note that the security of this system rests on the difficulty of taking logarithms modulo p-1, whose factorization may be difficult to find: the public exponent \epsilon_1 = e^{n_1} (mod p-1) yields n_1 to anyone who can take the logarithm of \epsilon_1 to the base e in the multiplicative group modulo p-1.
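Protocol 2 run with the elementary functions of Examples 4 and 5, as an added example (Python; not code from the paper): the parties exchange function descriptions, which for F(x) = ax with s_0 = 1 is the Diffie-Hellman value a^{n_1} (mod p) and for F(x) = x^e is the exponent \epsilon_1 = e^{n_1} (mod p-1). For Example 5 the block also plays the attacker, who recovers n_1 from the public \epsilon_1 by a logarithm to the base e modulo p-1 and then repeats B's computation; the search is brute force, hence the toy size. Assumptions of this example, not of the paper: p = 10007, a = 1234, e = 3, s_0 = 5, and n_1, n_2 drawn from a fixed seed.

```python
"""Rueppel's Key Agreement Protocol 2, where the parties exchange descriptions
of g = F^n instead of states.  Added example, not from the paper; p, a, e, s0
are toy values."""
import random


def describe_linear(a, p, n):
    """Example 4: g = F^n for F(x) = a x (mod p) is x -> alpha x, alpha = a^n mod p."""
    return pow(a, n, p)


def apply_linear_n(alpha, p, s0, n):
    """Load x -> alpha x as next-state function and step n times from s0."""
    return pow(alpha, n, p) * s0 % p


def describe_power(e, p, n):
    """Example 5: g = F^n for F(x) = x^e (mod p) is x -> x^eps, eps = e^n mod (p-1)."""
    return pow(e, n, p - 1)


def apply_power_n(eps, p, s0, n):
    """Load x -> x^eps and step n times from s0: s0^(eps^n), exponent reduced mod p-1."""
    return pow(s0, pow(eps, n, p - 1), p)


def protocol2(describe, apply_n, s0, n1, n2):
    """Steps (1)-(3): the public descriptions g1, g2 and both parties' secrets."""
    g1 = describe(n1)                  # A -> B : description of F^n1
    g2 = describe(n2)                  # B -> A : description of F^n2
    s12 = apply_n(g2, s0, n1)          # A loads g2, steps n1 times from s0
    s21 = apply_n(g1, s0, n2)          # B loads g1, steps n2 times from s0
    return g1, g2, s12, s21


def break_example5(e, p, s0, eps1, eps2):
    """Attacker on Example 5: eps1 = e^n1 (mod p-1) is public, so n1 is a discrete
    log to the base e in (Z/(p-1))^*; with it he repeats B's computation.
    Brute force here (toy p); any n1' with e^n1' == eps1 gives the same key."""
    n1 = next(k for k in range(1, p - 1) if pow(e, k, p - 1) == eps1)
    return n1, apply_power_n(eps2, p, s0, n1)


def run_all(seed=3):
    p, a, e, s0 = 10007, 1234, 3, 5        # p prime; e = 3 is a unit mod p-1 = 10006
    rng = random.Random(seed)
    n1, n2 = rng.randrange(1, p - 1), rng.randrange(1, p - 1)
    out = {}
    # Example 4: linear F with s0 = 1 is Diffie-Hellman on the coefficient a
    al1, al2, s12, s21 = protocol2(lambda n: describe_linear(a, p, n),
                                   lambda al, s, n: apply_linear_n(al, p, s, n), 1, n1, n2)
    out["dh_agree"] = s12 == s21 == pow(a, n1 * n2, p)
    out["dh_public_is_a_pow_n1"] = al1 == pow(a, n1, p)
    # Example 5: F(x) = x^e, the public description is the exponent e^n mod (p-1)
    eps1, eps2, s12, s21 = protocol2(lambda n: describe_power(e, p, n),
                                     lambda ep, s, n: apply_power_n(ep, p, s, n), s0, n1, n2)
    out["power_agree"] = s12 == s21 == pow(s0, pow(e, n1 * n2, p - 1), p)
    n1_rec, s12_rec = break_example5(e, p, s0, eps1, eps2)
    out["power_broken_via_log_mod_p_minus_1"] = s12_rec == s12 and pow(e, n1_rec, p - 1) == eps1
    return out


if __name__ == "__main__":
    print(run_all())
```

Compared with Protocol 1, what leaves the machine is the whole description of F^{n_1} (the coefficient \alpha_1, or the exponent \epsilon_1), which is why the hardness of Example 5 sits in the group modulo p-1 rather than modulo p.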

Summary:

There exist different protocol versions and different elementary functions F that allow for a Diffie-Hellman type key agreement. Protocol 1 (in this paper) is insecure with linear F, but reveals only intermediate states. Protocol 2, when used with linear F, is equivalent to the original Diffie-Hellman key agreement, and reveals whole function descriptions F^n. It is still an open problem whether the presented approach allows for an improvement in terms of speed and/or security over the original DH-protocol.

Acknowledgment:

I wish to thank Kjell-Ove Widman and Jim Massey for their helpful comments.

References:

[1] W. Diffie, M. E. Hellman, "New Directions in Cryptography", IEEE Trans. on Information Theory, Vol. IT-22, Nov. 1976.
Security of Improved Identity-based Conference Key Distribution Systems

Kenji Koyama, Kazuo Ohta*

Basic Research Laboratories
Nippon Telegraph and Telephone Corporation
3-9-11, Midori-cho, Musashino-shi, Tokyo, 180 Japan

*Communications and Information Processing Laboratories
Nippon Telegraph and Telephone Corporation
1-2356, Take, Yokosuka-shi, Kanagawa, 238-03 Japan

Abstract

At the Crypto-87 conference, we proposed identity-based key distribution systems for generating a common secret conference key for two or more users. Protocols were shown for three configurations: a ring, a complete graph, and a star. Yacobi has made an impersonation attack on the protocols for the complete graph and star networks. This paper proposes improved identity-based key distribution protocols to counter his attack.

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 11-19, 1988.
© Springer-Verlag Berlin Heidelberg 1988

1. Introduction

Identity-based cryptosystems can simplify key management in cryptosystems. Shamir and Fiat proposed identity-based signature schemes [1,2], and Okamoto proposed an identity-based scheme [3] for a public key distribution system [4]. In these schemes for two users, messages among users are authenticated using each user's identification information. If two or more users want to hold a conference, they must derive one common secret communication key for each link in the network. This common key for m (≥ 2) users is called a conference key. Ingemarsson et al. [5] presented a conference key distribution system (CKDS) with no authentication, where users are connected in a ring network. At the Crypto-87 conference, we [6] proposed an identity-based system for generating a conference key with authentication, called an identity-based conference key distribution system (ICKDS). Protocols in ICKDS were shown for three configurations: ring (Type-1), complete graph (Type-2), and star (Type-3). Yacobi [7] has made an impersonation attack on Type-3. His attacking method can be generalized to Type-2. This paper proposes improved identity-based key distribution protocols to counter his attack. The previous protocol can detect a uni-directional attack, but it cannot detect a bi-directional attack. The new protocol, however, can detect both the uni-directional attack and the bi-directional attack. In Section 2, revised protocols of Type-2 and Type-3 are described, clarifying the difference between the previous and new versions. In Section 3, security for these protocols is discussed. Details of the attack by Yacobi are stated, and it is shown that our improvement resolves the problem.

2. Improved ICKDSs

All ICKDSs are implemented in two phases: the first phase is carried out at a trusted center, and the second phase at each user's location. During the first phase, the trusted center generates a secret system key, a public system key, and secret user keys with users' identification information. The secret system key is known only to the center. The public system key is common to all users. Each secret user key, which is transmitted through a secure channel such as a smart card, is known only to each user and the center. Once the first phase is carried out, the second phase can be repeated to generate a different conference key. In the second phase, no further interaction with the center is required either to generate a key or to verify proofs of identity.

For simplicity, only improved protocols in a complete graph (Type-2) and in a star (Type-3) are shown in Subsections 2.1 and 2.2, respectively.

During the first phase of Type-2 and Type-3, the center generates three large primes p, q, and r, and the partial product n = pq. It determines integers (e, d) in a way similar to that of the RSA cryptosystem [8]:

$$ed \equiv 1 \pmod L, \qquad L = \mathrm{lcm}\,((p-1), (q-1), (r-1)), \tag{2.1}$$

where e is a prime such that nr/2 < e < nr (and, as in RSA, coprime to L so that d exists). Note that every integer in [1, nr] except e is coprime to e. The center also determines an integer g which is a primitive element over GF(p), GF(q), and GF(r). Note that g is easily generated while the factors of (p-1), (q-1), and (r-1) are known. For user i whose identification information is I_i, the center calculates the integer S_i:

$$S_i = I_i^{\,d} \bmod nr. \tag{2.2}$$

Note that I_i = S_i^{\,e} \bmod nr. As a result, the center generates a secret system key (p, q, d), a public system key (n, r, g, e), and a secret user key S_i for user i.
2.1 Improved protocol in a complete graph (Type-2)

During the second phase of Type-2, the conference key is generated and simultaneously distributed among m users. Users are connected in a complete graph network so that they always send messages to all other users. The key generation algorithm is the same for each user. For convenience, the procedure for two typical users, labeled i and j (1 ≤ i, j ≤ m, i ≠ j), can be described as follows:

[Protocol]

step 1: User i chooses a random number P_i that is coprime to (r-1). He computes \bar P_i:

$$P_i \bar P_i \equiv 1 \pmod{(r-1)}, \tag{2.3}$$

and keeps P_i and \bar P_i secret. He then sends (X_i, Y_i):

$$X_i = g^{eP_i} \bmod nr, \tag{2.4}$$

$$Y_i = S_i\, g^{X_i P_i} \bmod nr, \tag{2.5}$$

to user j.

step 2: User j receives (X_i, Y_i). He checks whether the following (m-1) congruences hold:

$$\frac{Y_i^{\,e}}{X_i^{\,X_i}} \equiv I_i \pmod{nr}. \tag{2.6}$$

If (2.6) holds, user j can verify that the message came from user i. User j chooses a secret random number R_j. He then sends (A_{ji}, B_{ji}):

$$A_{ji} = X_i^{\,eR_j} \bmod nr, \tag{2.7}$$

$$B_{ji} = S_j\, X_i^{\,A_{ji} R_j} \bmod nr, \tag{2.8}$$

to user i.

step 3: User i receives (A_{ji}, B_{ji}). He checks whether the following (m-1) congruences hold:

$$\frac{B_{ji}^{\,e}}{A_{ji}^{\,A_{ji}}} \equiv I_j \pmod{nr}. \tag{2.9}$$

If (2.9) holds, user i can verify that the message came from user j. He then computes the conference key K_i:

$$K_i = \Big(\prod_{j} A_{ji}\Big)^{\bar P_i} \bmod r, \tag{2.10}$$

where user i's own factor A_{ii} = X_i^{\,eR_i} is formed from its own secret random number R_i. The value of K_i (1 ≤ i ≤ m) is the same for all users, because

$$K_i = \Big(\prod_{j} g^{e^2 P_i R_j}\Big)^{\bar P_i} = g^{e^2 (R_1 + R_2 + \cdots + R_m)} \bmod r. \tag{2.11}$$

Remarks:

(1) The exponent terms X_i in (2.5) and (2.6) and A_{ji} in (2.8) and (2.9) in this version were expressed by a constant c in the previous version [6]. This improvement makes Yacobi's attack on Type-2 and Type-3 ineffective. Details will be discussed in Section 3.

(2) Since e is chosen such that nr/2 < e < nr, X_i and A_{ji} are coprime to e with probability 1 - 1/nr (≈ 1). This property of the improved version is inherited from the previous version, where c is coprime to e. This property acts as a countermeasure against some attacks other than Yacobi's attack.

(3) The previous protocol [6] contained check congruences modulo n, such as Z_{ij} \equiv X_i^{\,U_i} \pmod n for the X-messages and a corresponding congruence C_{ij} for the A-messages, and related computations. The purpose of such congruences was to detect a uni-directional impersonation attack [6] other than Yacobi's attack. These check congruences and related computations are omitted in the new protocol because the new protocol can detect such an attack in addition to Yacobi's attack.

2.2 Improved protocol in a star (Type-3)

Type-2 can be simplified by restricting the process so that j = 1 and 2 ≤ i ≤ m. Therefore, users are connected in a star network so that messages are transmitted between user 1 and user i (2 ≤ i ≤ m). In this simplified scheme called Type-3, we assume that user 1 collects and delivers messages. Without loss of generality, this "center user" can be arbitrarily selected from among the m users.

The improved protocol during the second phase of Type-3 is similar to that of Type-2. Note that user 1 can compute the conference key K_1 = g^{e^2 R_1} \bmod r at any time. User i (2 ≤ i ≤ m) computes the conference key K_i at step 3 by:

$$K_i = A_{1i}^{\,\bar P_i} \bmod r. \tag{2.12}$$

The values of K_i (2 ≤ i ≤ m) and K_1 are the same for all users, because

$$K_i = \left(g^{e^2 P_i R_1}\right)^{\bar P_i} = g^{e^2 R_1} \bmod r = K_1. \tag{2.13}$$

Note that the value of the conference key in Type-3 depends only on user 1's secret key R_1, while the value of the conference key in Type-2 depends equally on each user's secret random number R_i.

3. Security

The security of the proposed systems is based on the difficulty of deriving secret information such as (p, q, d, S_i, P_i, \bar P_i, R_i, K_i) in Type-2 and Type-3 from public keys, transmitted messages, and other users' secret keys. Secrecy of (p, q, d, S_i) is based on the difficulty of factoring the large number n. Secrecy of (P_i, \bar P_i, R_i, K_i) is based on the difficulty of computing discrete logarithms over GF(r). Considering the best known algorithms for factoring n = pq [9] and computing the discrete logarithm over GF(r) [10], a designer can choose the size of p, q, and r. From the security viewpoint, the size of p and q should be at least 256 bits long, and the size of r should be at least 512 bits long.

The secrecy of the above secret keys is believed to be ensured in the previous version and the new version. However, the authenticity of the previous version has been partly broken by Yacobi's impersonation attack because it had weak points. The new version described in this paper realizes protocols to detect his attack. In this section, a summary of his attacking method and the effect of our countermeasures are shown.

3.1 Yacobi's bi-directional attack [7]

By extending our uni-directional attack [6], Yacobi [7] showed a bi-directional real-time attack between user i and user j in Type-3 (2 ≤ i ≤ m, j = 1). Note that his attacking method can be generalized to Type-2 (1 ≤ i, j ≤ m). Since the attacker can hold both a correct key and a false key, this bi-directional impersonation attack would be successful in the previous protocol.

We summarize the generalized Yacobi's attack on the previous version, where the constant term c was used instead of the variable exponents X_i and A_{ji}. An attacker cuts the link between user j (or the "center user" in the star) and user i. He mediates every communication between them. When communicating with user j he pretends to be user i (denoted by \tilde i), and when communicating with user i he pretends to be user j (denoted by \tilde j). First, the attacker chooses a random \tilde P_i and computes its inverse \bar{\tilde P}_i modulo r-1. He also computes the inverse of e (denoted by \bar e) modulo r-1. For step 1, the attacker eavesdrops on the message (X_i, Y_i) from user i to user j. Using the Chinese remainder theorem, he computes (\tilde X_i, \tilde Y_i) modulo nr satisfying:

$$\tilde X_i \equiv X_i \pmod n, \qquad \tilde X_i \equiv g^{e\tilde P_i} \pmod r,$$
$$\tilde Y_i \equiv Y_i \pmod n, \qquad \tilde Y_i \equiv \left(I_i\, \tilde X_i^{\,c}\right)^{\bar e} \pmod r, \tag{3.1}$$

and sends the modified message (\tilde X_i, \tilde Y_i) to user j. For step 2, user j verifies

$$\frac{\tilde Y_i^{\,e}}{\tilde X_i^{\,c}} \equiv I_i \pmod{nr}, \tag{3.2}$$

which holds because the pair is unchanged modulo n and was built to pass modulo r. User j then chooses a random number R_j, computes

$$A_{ji} = \tilde X_i^{\,eR_j} \bmod nr, \qquad B_{ji} = S_j\, \tilde X_i^{\,cR_j} \bmod nr,$$

and sends the pair to user i. The attacker intercepts this communication. He chooses some random number \tilde R_j. Using the Chinese remainder theorem, he computes (\tilde A_{ji}, \tilde B_{ji}) modulo nr satisfying:

$$\tilde A_{ji} \equiv A_{ji} \pmod n, \qquad \tilde A_{ji} \equiv X_i^{\,e\tilde R_j} \pmod r,$$
$$\tilde B_{ji} \equiv B_{ji} \pmod n, \qquad \tilde B_{ji} \equiv \left(I_j\, \tilde A_{ji}^{\,c}\right)^{\bar e} \pmod r, \tag{3.3}$$

and sends the modified message (\tilde A_{ji}, \tilde B_{ji}) to user i. For step 3, user i verifies

$$\frac{\tilde B_{ji}^{\,e}}{\tilde A_{ji}^{\,c}} \equiv I_j \pmod{nr}. \tag{3.4}$$

Finally, user i creates the session key:

$$\tilde K_i = \Big(\prod_{j} \tilde A_{ji}\Big)^{\bar P_i} \bmod r. \tag{3.5}$$

Using \tilde R_j (1 ≤ j ≤ m), the attacker \tilde j creates the session key:

$$\tilde K_{\tilde j} = g^{e^2(\tilde R_1 + \tilde R_2 + \cdots + \tilde R_m)} \bmod r. \tag{3.6}$$

Note that \tilde K_i = \tilde K_{\tilde j}. Therefore, this attack succeeds if the attacker mediates every communication between user i and user j.

For Type-3, where user j (= 1) is the center user, user i finally creates the session key:

$$\tilde K_i = \tilde A_{1i}^{\,\bar P_i} \bmod r = g^{e^2 \tilde R_1} \bmod r. \tag{3.7}$$

Using \tilde R_1, the attacker \tilde 1 creates the session key:

$$\tilde K_1 = g^{e^2 \tilde R_1} \bmod r. \tag{3.8}$$

User 1, who is the center user, creates the session key:

$$K_1 = g^{e^2 R_1} \bmod r. \tag{3.9}$$

Using \bar{\tilde P}_i, the attacker \tilde i creates the session key:

$$K_i = A_{1i}^{\,\bar{\tilde P}_i} \bmod r = g^{e^2 R_1} \bmod r. \tag{3.10}$$

Note that \tilde K_i = \tilde K_1 and K_1 = K_i (2 ≤ i ≤ m): the attacker shares the false key with user i and the correct key with user 1. This attack on Type-3 is more realistic than that on Type-2 because it requires that the attacker manipulates only one link, from user i (2 ≤ i ≤ m) to user 1.

3.2 Improved protocol's effect against Yacobi's attack

Note that the exponent terms X_i and A_{ji} in this improved protocol were expressed by a constant c in the previous protocol [6]. This improvement makes Yacobi's attack on Type-2 and Type-3 ineffective. In the improved protocol, if an attacker adopts Yacobi's attack, the ID checks mod nr in (2.6) and (2.9) (or (3.2) and (3.4)) do not pass. Since the purpose and function of (2.6) and (2.9) are the same, the case of (2.6) is described as an example. Consider the congruence (2.6) modulo nr by separating it into a congruence modulo n and a congruence modulo r. The check congruence modulo n in (2.6) is not satisfied, because \tilde X_i \equiv X_i and \tilde Y_i \equiv Y_i (mod n) while the exponent \tilde X_i differs from X_i as an integer:

$$\frac{\tilde Y_i^{\,e}}{\tilde X_i^{\,\tilde X_i}} \equiv \frac{Y_i^{\,e}}{X_i^{\,\tilde X_i}} \equiv I_i\, X_i^{\,X_i - \tilde X_i} \not\equiv I_i \pmod n, \tag{3.11}$$

since X_i^{\,X_i - \tilde X_i} \not\equiv 1 \pmod n in general. Therefore, (3.11) results in

$$\frac{\tilde Y_i^{\,e}}{\tilde X_i^{\,\tilde X_i}} \not\equiv I_i \pmod{nr}. \tag{3.12}$$

Note that the check congruence modulo r in (2.6) is satisfied, because with \tilde X_i \equiv g^{e\tilde P_i} \pmod r and \tilde Y_i \equiv (I_i\, \tilde X_i^{\,\tilde X_i})^{\bar e} \pmod r

$$\frac{\tilde Y_i^{\,e}}{\tilde X_i^{\,\tilde X_i}} \equiv \frac{\left(I_i\, g^{\tilde X_i e \tilde P_i}\right)^{\bar e e}}{g^{\tilde X_i e \tilde P_i}} \equiv I_i \pmod r. \tag{3.13}$$

Similarly to (3.12), we have

$$\frac{\tilde B_{ji}^{\,e}}{\tilde A_{ji}^{\,\tilde A_{ji}}} \not\equiv I_j \pmod{nr}. \tag{3.14}$$

Therefore, Yacobi's bi-directional attack becomes detectable.
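The improved Type-2 protocol of Section 2.1 and the forgery of Section 3.1, run end to end as an added example (Python; not code from the paper). The block performs the first phase at the center, the complete-graph second phase for three users, and checks that all K_i equal g^{e^2(R_1+R_2+R_3)} mod r; it then builds Yacobi's CRT pair (\tilde X_i, \tilde Y_i) on one link. Against the previous version's constant-exponent check the pair passes and the attacker extracts user 1's share g^{e^2 R_1} from the reply with his own \bar{\tilde P}_i, as in (3.10); against the improved check the same construction fails modulo n, as (3.11)-(3.12) state, while still holding modulo r, as (3.13) states. Assumptions of this example: the three primes, the identities, the previous version's constant c = 3 and the seed are toy values chosen here (the paper asks for 256-bit p, q and 512-bit r); the reading of (2.10) as a product over all j, with user i supplying its own A_{ii}, is this example's; the primality test, primitive-root search and CRT helper are this example's own.

```python
"""Koyama-Ohta improved ICKDS (Type-2, complete graph) and Yacobi's CRT forgery
run against the previous (constant c) check and the improved (X_i) check.
Added example, not the paper's code; primes are toy values chosen here."""
import math
import random

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41)

def is_prime(x):
    """Deterministic Miller-Rabin for x < 3.3e24 with the bases above."""
    if x < 2 or any(x % b == 0 for b in BASES):
        return x in BASES
    d, k = x - 1, 0
    while d % 2 == 0:
        d, k = d // 2, k + 1
    for b in BASES:
        y = pow(b, d, x)
        if y not in (1, x - 1) and all((y := y * y % x) != x - 1 for _ in range(k - 1)):
            return False
    return True

def is_primitive(g, prime):
    """g generates GF(prime)^* iff g^((prime-1)/f) != 1 for every prime f dividing prime-1."""
    m, f, factors = prime - 1, 2, set()
    while f * f <= m:
        while m % f == 0:
            factors.add(f)
            m //= f
        f += 1
    if m > 1:
        factors.add(m)
    return all(pow(g, (prime - 1) // f, prime) != 1 for f in factors)

def center_setup(p, q, r):
    """First phase, (2.1)-(2.2): prime e with nr/2 < e < nr, ed = 1 (mod L), g primitive mod p, q, r."""
    n, L = p * q, (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    L = L * (r - 1) // math.gcd(L, r - 1)
    e = next(x for x in range(n * r // 2 + 1, n * r) if math.gcd(x, L) == 1 and is_prime(x))
    g = next(x for x in range(2, p) if all(is_primitive(x, t) for t in (p, q, r)))
    return dict(n=n, r=r, N=n * r, e=e, d=pow(e, -1, L), g=g)

def send(S, secret, P, base, c=None):
    """(2.4)-(2.5) with base = g, or (2.7)-(2.8) with base = X_i: (base^(eP), secret * base^(x P)),
    where the exponent x is the first component (improved) or the constant c (previous version)."""
    first = pow(base, S["e"] * P, S["N"])
    second = secret * pow(base, (first if c is None else c) * P, S["N"]) % S["N"]
    return first, second

def verify(S, I, first, second, c=None):
    """(2.6)/(2.9) without the division: second^e == I * first^first (or first^c) mod nr."""
    return pow(second, S["e"], S["N"]) == I * pow(first, first if c is None else c, S["N"]) % S["N"]

def type2_conference(S, ids, keys, Ps, Rs):
    """Second phase over a complete graph; returns [K_1, ..., K_m] of (2.10)."""
    m, r = len(ids), S["r"]
    XY = [send(S, keys[i], Ps[i], S["g"]) for i in range(m)]                      # step 1, broadcast
    assert all(verify(S, ids[i], *XY[i]) for i in range(m)), "step 2 check (2.6)"
    AB = {(j, i): send(S, keys[j], Rs[j], XY[i][0]) for j in range(m) for i in range(m)}  # (A_ji, B_ji)
    assert all(verify(S, ids[j], *AB[j, i]) for j in range(m) for i in range(m) if j != i), "step 3 (2.9)"
    # user i's own factor AB[i, i] carries its own R_i, so every K_i covers all R_j as in (2.11)
    return [pow(math.prod(AB[j, i][0] for j in range(m)) % r, pow(Ps[i], -1, r - 1), r) for i in range(m)]

def crt(a, n, b, r):
    """The x mod nr with x = a (mod n) and x = b (mod r)."""
    return (a + n * ((b - a) * pow(n, -1, r) % r)) % (n * r)

def yacobi_forge(S, I, first, second, P_t, c=None):
    """Attacker keeps (X, Y) modulo n and rebuilds them modulo r from his own P~ and e^-1 mod (r-1)."""
    n, r, e = S["n"], S["r"], S["e"]
    Xt = crt(first % n, n, pow(S["g"], e * P_t, r), r)
    Yt = crt(second % n, n, pow(I * pow(Xt, Xt if c is None else c, r), pow(e, -1, r - 1), r), r)
    return Xt, Yt

def coprime_to(rng, m):
    return next(x for x in iter(lambda: rng.randrange(2, m), None) if math.gcd(x, m) == 1)

def demo(seed=7):
    S = center_setup(1000033, 1000037, 1000003)                   # toy primes, not 256/512-bit ones
    rng, r, e, g = random.Random(seed), S["r"], S["e"], S["g"]
    ids = [0xC0FFEE, 0xBEEF, 0xFACE]                               # constructed identities I_1..I_3
    keys = [pow(I, S["d"], S["N"]) for I in ids]                   # S_i = I_i^d mod nr, (2.2)
    Ps, Rs = [coprime_to(rng, r - 1) for _ in ids], [rng.randrange(2, r - 1) for _ in ids]
    Ks = type2_conference(S, ids, keys, Ps, Rs)
    out = {"keys_agree": len(set(Ks)) == 1 and Ks[0] == pow(g, e * e * sum(Rs), r)}   # (2.11)
    c, P_t = 3, coprime_to(rng, r - 1)                             # old constant exponent; attacker's P~
    X, Y = send(S, keys[1], Ps[1], g, c)                           # user 2's step-1 message, old version
    Xt, Yt = yacobi_forge(S, ids[1], X, Y, P_t, c)
    out["old_check_fooled"] = verify(S, ids[1], Xt, Yt, c)         # (3.2) passes on the forgery
    A, _ = send(S, keys[0], Rs[0], Xt, c)                          # user 1 answers the forged X~
    out["attacker_gets_user1_share"] = pow(A, pow(P_t, -1, r - 1), r) == pow(g, e * e * Rs[0], r)  # (3.10)
    X, Y = send(S, keys[1], Ps[1], g)                              # improved version, exponent X_i
    Xt, Yt = yacobi_forge(S, ids[1], X, Y, P_t)
    out["new_check_rejects"] = not verify(S, ids[1], Xt, Yt)       # fails modulo n, (3.11)-(3.12)
    out["new_check_holds_mod_r"] = pow(Yt, e, r) == ids[1] * pow(Xt, Xt, r) % r   # but holds modulo r, (3.13)
    return out
```

The checks are written as `second^e == I * first^first (mod nr)` rather than with a division so that no modular inverse of X_i or A_{ji} is needed; the detection rests entirely on the exponent being the full integer \tilde X_i, which the attacker cannot keep equal to X_i while changing it modulo r.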

4. Conclusion

Security has been improved in the new protocol with the variable exponents. That is, the improved protocol counters Yacobi's attack. The change of exponent terms has the same effect as the additional check congruences in the previous version. By deleting such additional check congruences, transmission efficiency is also improved in the new protocols. This is a side effect of improving security.

Acknowledgement

We would like to thank Dr. Yacov Yacobi for his nice attack on our previous version.

References

[1] SHAMIR, A.: "Identity-based cryptosystems and signature schemes", Proceedings of Crypto '84, Lecture Notes in Computer Science no. 196, Springer-Verlag, 1985, pp. 47-53.
[2] FIAT, A. and SHAMIR, A.: "How to prove yourself: Practical solutions to identification and signature problems", Proceedings of Crypto '86, Lecture Notes in Computer Science no. 263, Springer-Verlag, 1987, pp. 186-194.
[3] OKAMOTO, E.: "Proposal for identity-based key distribution systems", Electron. Lett., 1986, 22, pp. 1283-1284.
[4] DIFFIE, W. and HELLMAN, M. E.: "New directions in cryptography", IEEE Trans. 1976, IT-22, pp. 644-654.
[5] INGEMARSSON, I., TANG, D. T. and WONG, C. K.: "A conference key distribution system", IEEE Trans. 1982, IT-28, pp. 714-720.
[6] KOYAMA, K. and OHTA, K.: "Identity-based conference key distribution systems", Proceedings of Crypto '87, Lecture Notes in Computer Science no. 293, Springer-Verlag, 1988, pp. 175-184.
[7] YACOBI, Y.: "Attack on the Koyama-Ohta identity-based key distribution scheme", Proceedings of Crypto '87 (presented at the rump session), Lecture Notes in Computer Science no. 293, Springer-Verlag, 1988, pp. 429-433.
[8] RIVEST, R. L., SHAMIR, A. and ADLEMAN, L.: "A method for obtaining digital signatures and public-key cryptosystems", Commun. ACM, 1978, 21, pp. 120-126.
[9] LENSTRA, Jr., H. W.: "Factoring integers with elliptic curves", preprint, May 1986.
[10] COPPERSMITH, D., ODLYZKO, A. M. and SCHROEPPEL, R.: "Discrete logarithms in GF(p)", Algorithmica 1986, 1, pp. 1-15.
SUBLIMINAL-FREE AUTHENTICATION AND SIGNATURE
(Extended Abstract)

Yvo Desmedt

Dept. EE & CS, Univ. of Wisconsin - Milwaukee
P.O. Box 784, WI 53201 Milwaukee, U.S.A.

ABSTRACT

Simmons [17] introduced the notion of subliminal channel in 1983, by demonstrating how to "hide" secret information inside an authenticated message. In this paper we propose a practical subliminal-free authentication system and extend our results to subliminal-free signatures. The subliminal-freeness of our systems can be proven. We discuss applications in the context of treaty verification and international bank communications.

I. INTRODUCTION

In the process of peace keeping, the verification of international treaties plays an important role [1]. Discussions of arms reductions include that each party is able to have observation posts in the other country, which can send authenticated (or even signed) messages. This introduces however a major security problem. Indeed, will the observation post be used for spying activities? The problem of message authentication without secrecy was initiated and investigated by Simmons [16]. This problem was not solved until today, as a consequence of the possibility of a subliminal channel. Five years ago Simmons discovered that a secret message can be hidden inside the authenticator (for more details see [17]). He called this "hidden" communication channel the subliminal channel. Other subliminal channels were introduced inside signature systems, e.g., [18,19]. The concept of subliminal channel can be formalized and generalized [4].
In our paper we come up with a practical authentication system which eliminates almost completely the possibility to use a subliminal channel. This result is explained in Section IV, after having introduced the main ideas in Section III. We extend our results to subliminal-free signature systems (see Section V). However the last system is less practical. The reader not familiar with the terminology used in modern cryptology will find a brief introduction to it in Section II.

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 23-33, 1988.
© Springer-Verlag Berlin Heidelberg 1988

II. TERMINOLOGY IN MODERN CRYPTOLOGY

In this section we explain briefly:

• subliminal channels,
• the role of a warden,
• message authentication without secrecy,
• the Goldwasser-Micali-Rivest signature scheme,
• commitment in modern cryptology.

To better understand the concept of subliminal channels, let us discuss Simmons' illustration [17]. Two prisoners are communicating authenticated messages in full view of a warden. The warden is able to read the messages. The subliminal channel consists in hiding a message through the authentication scheme, such that the warden can neither detect its use nor read the hidden part.
Solving the problem of subliminal channels is not sufficient to obtain authentication without secrecy, as is well known. Subliminal information can be sent in an analog way through modulation, time jitter and so on. For a solution to overcome this problem see [20, p. 65]. The techniques we use here are digital. By combining our results with [20, p. 65], the problem of message authentication without secrecy can be completely solved.
Let us briefly explain the basic ideas used in the Goldwasser-Micali-Rivest signature scheme [14,15]. Their scheme is based on:

• claw-free permutation pairs,
• prefix-free mapping,
• an authentication tree.

Informally, claw-free permutation pairs are permutations $f_0$ and $f_1$ over a common domain for which it is computationally infeasible to find a triple $x$, $y$ and $z$ such that $f_0(x) = f_1(y) = z$ [14, p. 290]. If factoring numbers of a special form is hard, then such claw-free permutations exist [14, pp. 292-293]. These numbers have the form:

$n = p \cdot q$, with $p$ and $q$ primes such that $p \equiv 3 \pmod 8$ and $q \equiv 7 \pmod 8$.



Such numbers $n$ are known as Williams integers, due to their first use in cryptology by Williams [21], and are also known as Blum integers. The functions $f_{0,n}(x) = x^2 \pmod n$ and $f_{1,n}(x) = 4x^2 \pmod n$ form permutations over the set of quadratic residues modulo $n$ and are claw-free [15] (remark that these functions were slightly modified in [14]). It is essential to know that the Jacobi symbol $(2 \mid n) = -1$ if $n$ is a Williams (Blum) integer, so 2 is a quadratic nonresidue modulo $n$. If there is no doubt about $n$ we will shortly say $f_0$ instead of $f_{0,n}$ and $f_1$ instead of $f_{1,n}$. For authenticity and signature one does not only need claw-freeness for two permutations but a family of permutations which are pairwise claw-free. Hereto $f_i$ is defined as $f_i(x) = f_{i_d}(f_{i_{d-1}}(\ldots f_{i_1}(f_{i_0}(x)) \ldots))$, where $i = i_d i_{d-1} \ldots i_1 i_0$ in binary. We define $|i| = d+1$. One has to read $f_i^{-1}$ as $(f_i)^{-1}$, so that $f_i^{-1}(f_i(x)) = x$. In order to exclude that anyone else could compute $f_j^{-1}(y)$ from a given $f_i^{-1}(y)$ ($j \ne i$), Goldwasser, Micali and Rivest use a prefix-free mapping $\langle \cdot \rangle$. A prefix-free encoding satisfies the property that $\langle j \rangle$ is never a prefix of $\langle i \rangle$ ($j \ne i$). Finally, to avoid chosen text attacks and forgery, an authentication tree is used [15]. Different authentication trees have been presented, but their differences are not important in this context. We will not discuss these trees in detail, because they are only partially important in order to understand this paper. The motivation for an authentication tree is to make random "signatures" that can be used later on to sign real messages. In order to obtain the security one uses $f$-claw-free permutations and $g$-claw-free permutations (for more details see [9,14,15]).
Commitment originates from Blum's ideas [2]. It allows A to randomly choose a number $R$ and to commit herself to this number, e.g., to B. Hereto A encrypts $R$ and sends the result $C = h_k(R)$ to B. If a good encryption system, e.g., a probabilistic encryption system as [12], has been used, no information is revealed about $R$. Later on A is able to reveal $R$. As a consequence of her commitment, A is unable to lie or pretend that her choice was $R'$ instead of $R$. B is able to verify that $R$ is correct when A reveals it together with $k$. A sufficient condition for commitment is that:

$h_k(x) = h_{k'}(y)$ implies $x = y$. (1)

Let us briefly discuss a practical commitment algorithm, which is however not guaranteed secure. To commit herself to the bit 0, A sends $h_k(0,0,\ldots,0)$, where $h$ is the DES and the key $k$ is chosen randomly; to commit to 1, A sends $h_k(1,1,\ldots,1)$.

III. MAIN IDEA

The main idea to obtain subliminal-freeness is to use an active warden. We call a warden active if he does not only listen in order to catch subliminal channel users, but also interacts in the communication in a special way to better enforce the subliminal-freeness. Remember that a warden is allowed to send fake messages trying to convince the receiver that they are authentic [17]. So the only trust in the active warden consists in believing he will not help to set up a subliminal channel.
The idea of an active warden is not 100% new. Simmons already used a similar idea (without calling it active warden) to exclude the use of analog covert channels [20, p. 65]. Our active warden is however digital.
Let us now explain in more detail how to realize the subliminal-freeness. Let us call A the sender of the message $M$, B the receiver of $M$ and W the active warden. A first sends the message to W, who sends it to B. A then convinces B that the message is indeed authentic, by answering (random) questions from B. The warden's role is to guarantee that these answers and questions cannot be abused to send secret information in a hidden way. Hereto he will modify the questions and answers. Despite the fact that these questions and answers have been modified, B must still be convincible that indeed A has sent the message and nobody else, the warden included.
Let us now present the technical results.
Let us now present the technical results.

IV. SUBLIMINAL-FREE AUTHENTICATION

To simplify the presentation, we first reduce the task of the warden to guaranteeing that A (the sender of the message $M$) cannot use a subliminal channel; however B (the receiver of the message $M$) is allowed to send information in a subliminal way. At the end of this section we will also eliminate the possibility that B can use subliminal channels.
The authentication mechanism we propose is a one-time-valid authentication scheme [5, p. 154]. A one-time-valid authenticated message loses its validity once the authenticity of the message has been checked by the legitimate receiver of the message, or after a certain time. The concept of one-time-validity itself is certainly not new. It can be obtained by adding the actual date and time to the message. It can also be obtained using zero-knowledge [11,13]. This approach is now used.
Our system is partially based on the Goldwasser-Micali-Rivest signature
Our system is partially based on the Goldwasser-Micali-Rivest signature

scheme, which was briefly explained in Section II. We also use some methods which were developed in [7]. From now on we assume that the message $M$ and $i$ are encoded with a prefix-free encoding [15]. Remark that no authentication tree is necessary, because the scheme is not a signature system and because our protocol is zero-knowledge. The need to use two different claw-free pairs ($f$ and $g$) also disappears. The authentication mainly consists in proving that A knows $f_M^{-1}(R)$, where $f$ is based on claw-free permutations, as explained in Section II. Let us explain the details of the protocol.
$n = p \cdot q$, a Williams (Blum) integer, together with $R_1, R_2, \ldots, R_k$ form the public key of the sender (A). The $R_j$ are chosen randomly such that the Jacobi symbol $(R_j \mid n) = 1$. $p$ and $q$ are secret.
Before A uses the system, W (the active warden) asks A to "prove" that $n$ is indeed the product of two primes which satisfy the above conditions. This can be done using a zero-knowledge protocol (see e.g., [10]). This zero-knowledge protocol has only to be used once, because W can store $n$ and label it as being verified.
To authenticate a message $M$ our public key authentication system follows the following protocol, where Steps 2-7 are repeated $l$ times:

Step 1 A sends the message $M$ to W, who sends it to B.

Step 2 A generates a $t$ (not necessarily random) such that $\gcd(t, n) = 1$, squares it $|M|$ times and multiplies it with a (random) $\pm 1$ to obtain $X = \pm t^{2^{|M|}} \pmod n$, and sends $X$ to W.

Step 3 W checks that the Jacobi symbol $(X \mid n) = 1$. If it is not, then W stops the protocol; else W does similarly as A did in Step 2, starting from a truly random $t'$, to obtain $X'$ and sends $\alpha = X X' \pmod n$ to B.

Step 4 B sends a (random) Boolean vector $(E_1, \ldots, E_k)$ to A (through the active warden).

Step 5 A sends $Y = t \cdot \prod_{E_j = 1} f_M^{-1}(\pm R_j) \pmod n$ to W, where $+1$ is used if $R_j$ is a quadratic residue, else $-1$ is used.

Step 6 W verifies (by squaring and multiplications) whether $Y$ is correct. If it is not, then W halts the protocol; else W sends $\beta = t' Y \pmod n$ to B.

Step 7 B verifies $\beta$ by using square operations, multiplications, $\alpha$ and A's public key. The last multiplication is by $\pm 1$.
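The seven steps above, run end to end as an added example (this is not code from the paper, which gives no implementation). The block also implements the permutations $f_0$, $f_1$, $f_M$ and the quadratic-residue square root of Section II, since Step 5 needs them. Assumptions: a toy Williams (Blum) modulus $n = 11 \cdot 23$, so every value can be checked by hand; the bits of $M$ taken directly from its bytes in place of the paper's prefix-free encoding; constructed public values $R_j$ in the usage below; and the concrete check performed by W and B, which is not spelled out in the paper and is derived here from $f_M(xy) = f_M(x)\,f_M(y)/f_M(1)$. Python is used because the whole protocol is arithmetic modulo $n$.

```python
"""Toy run of the Section IV protocol (Steps 1-7) over the GMR permutations
f_0, f_1 of Section II.  Added example, not the paper's code.  Assumptions:
a tiny Williams (Blum) modulus p = 11, q = 23; M encoded as the raw bits of
its bytes (the paper's prefix-free encoding is omitted)."""
import random, secrets
from math import gcd

P, Q = 11, 23            # constructed toy primes: p = 3 (mod 8), q = 7 (mod 8)
N = P * Q                # 253, a Williams (Blum) integer
INV4 = pow(4, -1, N)     # 4 is a quadratic residue, so f_1 is invertible on QR_n

def legendre(x, p):
    v = pow(x % p, (p - 1) // 2, p)
    return 0 if v == 0 else (1 if v == 1 else -1)

def jacobi(x):           # (x | n) for n = p q, computed from the factors
    return legendre(x, P) * legendre(x, Q)

def is_qr(x):
    return legendre(x, P) == 1 and legendre(x, Q) == 1

def qr_sqrt(x):
    """The unique square root of a QR x that is itself a QR mod n (needs p, q)."""
    roots = []
    for p in (P, Q):
        r = pow(x, (p + 1) // 4, p)                 # works since p = 3 (mod 4)
        roots.append(r if legendre(r, p) == 1 else (-r) % p)
    rp, rq = roots
    return (rp + P * ((rq - rp) * pow(P, -1, Q) % Q)) % N   # CRT

def f(bit, x):           # f_0(x) = x^2, f_1(x) = 4 x^2 (mod n)
    return (4 * x * x if bit else x * x) % N

def f_M(bits, x):        # f_M = f_{m_d} o ... o f_{m_0}; bits[0] applied first
    for b in bits:
        x = f(b, x)
    return x

def f_M_inv(bits, y):    # invert f_1 as sqrt(y / 4), f_0 as sqrt(y)
    for b in reversed(bits):
        y = qr_sqrt(y * INV4 % N if b else y)
    return y

def encode(message):
    return [(byte >> i) & 1 for byte in message for i in range(8)]

def make_rng(seed=None):  # seeded for reproducible runs, SystemRandom otherwise
    return random.Random(seed) if seed is not None else secrets.SystemRandom()

def blind(bits, rng):
    """Step 2 (A) and Step 3 (W): t coprime to n and X = +-t^(2^|M|) mod n."""
    t = rng.randrange(2, N)
    while gcd(t, N) != 1:
        t = rng.randrange(2, N)
    return t, rng.choice((1, N - 1)) * pow(t, 2 ** len(bits), N) % N

def answer(bits, t, E, Rs):
    """Step 5: Y = t * prod_{E_j=1} f_M^{-1}(+-R_j), the sign making a QR."""
    Y = t
    for e, r in zip(E, Rs):
        if e:
            Y = Y * f_M_inv(bits, r if is_qr(r) else (-r) % N) % N
    return Y

def verify(bits, X, E, Rs, resp):
    """Steps 6 and 7 (W on X, Y; B on alpha, beta).  With c = f_M(1) one has
    f_M(x y) = f_M(x) f_M(y) / c, so for w = #{E_j = 1} a correct response
    satisfies f_M(resp) * c^w == +-X * c * prod_{E_j=1} R_j (mod n)."""
    c = f_M(bits, 1)
    lhs = f_M(bits, resp) * pow(c, sum(E), N) % N
    rhs = X * c % N
    for e, r in zip(E, Rs):
        if e:
            rhs = rhs * r % N
    return lhs == rhs or lhs == (N - rhs) % N

def run_protocol(message, Rs, rounds=8, seed=None):
    rng = make_rng(seed)
    bits = encode(message)                        # Step 1: M goes A -> W -> B
    for _ in range(rounds):
        t, X = blind(bits, rng)                   # Step 2
        if jacobi(X) != 1:                        # Step 3: warden's check
            return False
        t2, X2 = blind(bits, rng)                 # Step 3: truly random t'
        alpha = X * X2 % N
        E = [rng.randrange(2) for _ in Rs]        # Step 4
        Y = answer(bits, t, E, Rs)                # Step 5
        if not verify(bits, X, E, Rs, Y):         # Step 6
            return False
        beta = t2 * Y % N                         # Step 6: t' masks A's Y
        if not verify(bits, alpha, E, Rs, beta):  # Step 7
            return False
    return True

def forge_round(message, E, Rs, seed=None):
    """Without p, q one can only answer Y = t: accepted iff all E_j = 0."""
    bits = encode(message)
    t, X = blind(bits, make_rng(seed))
    return verify(bits, X, E, Rs, t)
```

With the constructed public values `Rs = [4, 249, 9, 16]`, `run_protocol(b"ok", Rs)` accepts, while `forge_round` rejects for every challenge vector with some $E_j = 1$; the value 249 ($= -4 \bmod 253$) has Jacobi symbol $+1$ but is a non-residue, so Step 5 takes its negative, exactly as the $\pm R_j$ rule prescribes. B only ever sees $\alpha$ and $\beta$, both multiplied by W's fresh random $t'$, which is the perfect-secrecy argument behind Theorem 3. With a 253-bit-free toy modulus anyone can factor $n$ and run `qr_sqrt`, so the soundness claim only carries weight when $p$ and $q$ are large and secret.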

Remark that A would be able to send one bit of information (the fact that the protocol could be halted) in Step 3 or in Step 6; however the warden is then able to arrest A (if appropriate). The fact that this one bit of information that A could send is detectable by the warden implies that it is not a subliminal bit. Indeed, subliminal as defined by Simmons implies undetectability by the warden. If necessary the warden can ask A to sign all her messages, so that the warden is able to prove later on that A tried to use a subliminal channel. However, it is also possible that the warden (or an active eavesdropper) has tried to inject a fake message $M$, is unable to answer B's questions, and therefore stops the protocol. So B has no guarantee about the authenticity of this bit.
To discuss the security of the above protocol we need to recall what the mafia fraud is [6]. Suppose that A proves statement $S$ to B, using zero-knowledge for example; then A will answer questions from B. If C is able to claim to D that she is proving $S$, using B as dishonest verifier of A's proof, then the proof system is not secure against the mafia fraud. Several zero-knowledge protocols allow this fraud in real time. Hereto B and C have to communicate questions and answers respectively from D to A and vice versa. The mafia fraud is important to evaluate the security of authentication, signature and identification. Let us now discuss the security of our subliminal-free authentication system.

Theorem 1 If one excludes the mafia fraud, the real sender will convince the verifier and a fake prover will fail. This protocol is a zero-knowledge proof.
Proof (sketch): Consider that the warden is not active, so $t' = X' = 1$; then the proof is similar as in [7, pp. 214-215]. □

Theorem 2 Using the assumptions of [15], the protocol cannot be defrauded by the mafia fraud. To be more precise, if A authenticates $M$, an active eavesdropper cannot modify the proof to authenticate $M'$, unless the Goldwasser-Micali-Rivest system can be broken.
Proof (sketch): Drop the effect of the active warden. The effect of the mafia fraud corresponds with an active eavesdropper who modifies $M$ into $M'$ and tries to convince B about the authenticity of $M'$. Hereto he can multiply $X$ with $X''$, exor $E_j$ with $E_j''$ and multiply $Y$ with $Y''$, such that if B checks $Y''$, he is convinced that A has sent $M'$. The proof consists in demonstrating that if the active eavesdropper succeeds then he can break the Goldwasser-Micali-Rivest [15] signature system. □

Theorem 3 If $n$ is of the appropriate form, then A is not able to send subliminal information (a more formal theorem will be given in the final paper).
Proof (sketch): The proof is based on perfect secrecy. □

In the previous protocol, B is able to send a secret message to A by letting $(E_1, \ldots, E_k)$ correspond with a part of the hidden (encrypted) message. This can be avoided by modifying Step 4 and Step 5 using the concept of commitment. The modifications are:

Step 4.a W chooses a random Boolean vector $(F_1, \ldots, F_k)$ and a random $K$ and sends $h_K(F_1, \ldots, F_k)$ to B, where $h$ satisfies condition (1).
Step 4.b B sends a (random) Boolean vector $(E_1, \ldots, E_k)$ to W.
Step 4.c W sends $(G_1, \ldots, G_k) = (E_1 \oplus F_1, \ldots, E_k \oplus F_k)$ to A, and reveals $(F_1, \ldots, F_k)$ and $K$ to B.
Step 4.d B verifies $(F_1, \ldots, F_k)$ and the protocol continues if correct.

Step 5 A sends $Y = t \cdot \prod_{G_j = 1} f_M^{-1}(\pm R_j) \pmod n$ to W, where $+1$ is used if $R_j$ is a quadratic residue, else $-1$ is used.
~- -
Remark that B will use the $G_j$ at the moment that he checks $\beta$. The use of the concept of commitment was extremely important to avoid that the warden could cheat or that B could send subliminal information. The role of the active warden differs from before. Indeed, to avoid that A can use a subliminal channel, the warden does not have to interact with A; he has to act similarly as an active eavesdropper. So the warden could interact in such a way that A and B are not conscious that he is intervening. However, to prevent B from sending subliminal information, the warden and B must contact each other. The proofs of security of these protocols will be fully discussed in the final paper. To prove them a more formal definition of subliminal-freeness will be given. Remark that if B is able to break the security of the encryption $E$ then B is able to cheat and the subliminal-freeness disappears. When one wants stronger guarantees that the protocol is subliminal-free, the following adaptation can be used:

Step 4.a B chooses a (random) Boolean vector $(E_1, \ldots, E_k)$ and a random $K$ and sends $h_K(E_1, \ldots, E_k)$ to W, where $h$ satisfies condition (1).
Step 4.b W sends a random Boolean vector $(F_1, \ldots, F_k)$ to B.
Step 4.c B reveals $(E_1, \ldots, E_k)$ and $K$ to W.
Step 4.d First W verifies $(E_1, \ldots, E_k)$ and, if correct, W sends $(G_1, \ldots, G_k) = (E_1 \oplus F_1, \ldots, E_k \oplus F_k)$ to A and the protocol continues.

However, if W is able to break the security of $E$ this time, then W can impersonate A by sending messages $M$, and B will believe they originate from A. So, depending on how the protocol is used, the assumption that $E$ is secure has different consequences.
The reader could correctly remark that A is able to send subliminal information at the moment of publication of $n$, $R_j$ (her public key) by choosing them specially. However these keys are constant, so the subliminal information that they can contain is strongly limited. In case the warden nevertheless worries about it, he is able to eliminate this danger in a similar way as we proceed in Section V (for more details see [4]).

V. SUBLIMINAL-FREE SIGNATURES

The idea is to make the Goldwasser-Micali-Rivest signature system subliminal-free. We use the same notations as in [15].
To make the signature subliminal-free the warden has to guarantee that all the $R_j$ which are used in [15] are truly random. This can be obtained using the commitment idea. Before A starts to use her signature system, W has to be convinced (using zero-knowledge) that $n$ has the appropriate form. To sign the $j$th message $M$, the following protocol is used:
Step 1 A chooses a (random) quadratic residue $R_j' \pmod n$ and a random $K$ and sends $h_K(R_j')$ as commitment to W, together with the message $M$.
Step 2 W chooses a truly random quadratic residue $R_j'' \pmod n$ and sends it to A.
Step 3 A calculates $R_j = R_j' \times R_j'' \pmod n$ and uses this $R_j$ in the same way as in [15]. Then A reveals her $R_j'$ and $K$ and sends the signature $\sigma_j$ and the necessary authenticator(s) $L_j$ to the warden.
Step 4 W (the warden) checks $R_j'$, the authenticator(s) and the signature. He also checks that the Jacobi symbols $(\sigma_j \mid n) = (L_j \mid n) = 1$. If one of these does not correspond, then the warden halts the protocol; else he sends (or publishes) $M$, the authenticator(s) multiplied by $\pm 1$ and the signature multiplied by $\pm 1$. The warden stores the updated authentication tree, with the $\pm 1$ that he used.
The same idea can be used to guarantee that the $R$-value which is part of the public key of A is subliminal-free. A is still able to send subliminal information in her public key $n$, by publishing a special $n$. It is theoretically possible to avoid this problem, however the implementation is involved (see [4]).
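The commit-then-reveal exchanges of Steps 4.a-4.d (both variants) and of Steps 1-3 of the signature protocol above share one mechanism: one party commits to its random value, the other party contributes its own value only after seeing the commitment, the committer opens, and the value actually used is the combination ($E_j \oplus F_j$, or $R_j' R_j''$ mod $n$). The block below runs all three exchanges with both parties' messages, as an added example that is not the paper's code. It instantiates $h_K$ with HMAC-SHA256 keyed by $K$ (an assumption; the paper only sketches a DES-based commitment and requires condition (1)), and `cheat` lets a dishonest committer try to open to a different value, which is the case condition (1) must rule out.

```python
"""Commit-then-reveal joint randomness: Steps 4.a-4.d (both variants) and
Steps 1-3 of the signature protocol of Section V.  Added example, not the
paper's code.  Assumption: h_K is HMAC-SHA256 (the paper sketches a DES-based
commitment); binding is condition (1), hiding comes from the random key K."""
import hashlib
import hmac
import secrets

def commit(value, key=None):
    """Return (h_K(value), K); a fresh random K is drawn if none is given."""
    key = key if key is not None else secrets.token_bytes(32)
    return hmac.new(key, value, hashlib.sha256).digest(), key

def opens(commitment, value, key):
    """True iff (value, K) is a valid opening of commitment."""
    return hmac.compare_digest(commitment, hmac.new(key, value, hashlib.sha256).digest())

def xor_bits(a, b):
    return [x ^ y for x, y in zip(a, b)]

def challenge_warden_commits(E, F, key=None, cheat=None):
    """Variant 1: W commits to F (4.a), B sends E (4.b), W sends G = E xor F
    to A and opens F to B (4.c), B checks the opening (4.d).  `cheat` is a
    different F that a dishonest W might try to open to after seeing E."""
    c, key = commit(bytes(F), key)                      # 4.a: W -> B
    opened = F if cheat is None else cheat              # 4.c: W reveals F, K
    if not opens(c, bytes(opened), key):                # 4.d: B rejects
        return None, False
    return xor_bits(E, opened), True                    # G, as sent to A

def challenge_verifier_commits(E, F, key=None, cheat=None):
    """Variant 2: B commits to E (4.a), W sends F (4.b), B opens E (4.c),
    W checks and forwards G = E xor F to A (4.d)."""
    c, key = commit(bytes(E), key)                      # 4.a: B -> W
    opened = E if cheat is None else cheat              # 4.c: B reveals E, K
    if not opens(c, bytes(opened), key):                # 4.d: W halts
        return None, False
    return xor_bits(opened, F), True

def joint_residue(n, R1, R2, key=None, cheat=None):
    """Section V, Steps 1-3: A commits to R'_j, W returns a truly random R''_j,
    A opens R'_j and both use R_j = R'_j R''_j (mod n).  Returns R_j or None."""
    width = (n.bit_length() + 7) // 8
    c, key = commit(R1.to_bytes(width, "big"), key)     # Step 1: A -> W
    opened = R1 if cheat is None else cheat             # Step 3: A reveals R'_j
    if not opens(c, opened.to_bytes(width, "big"), key):  # Step 4: W checks
        return None
    return opened * R2 % n
```

In every variant the committer is bound by condition (1) and the other party sees only a hiding commitment before choosing, so the combined value is uniform as soon as one of the two parties is honest. This is also where the text's caveat bites: a party that can break the commitment (B in the first variant, W in the second) can open to a value of its choosing after the fact, and the subliminal-freeness, or the authenticity of $M$, is lost.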

VI. PRACTICAL ASPECTS

The first protocol discussed in Section IV is easy to set up. In case of treaty verification or international bank communications, the host country can be the warden. The example of international bank communications is important from a commercial point of view. Indeed, several banking organizations with international activities frequently face the problem that they are not allowed to use encryption to protect the privacy of their messages. Subliminal-free authentication would make their communications more secure without security objections from the corresponding countries where the banks operate. Subliminal-free authentication can be used in identification systems. By authenticating messages such as "I, A, am at the moment in Town, Street, House Number, Floor, ...", describing the exact location of A and B, more secure identification systems can be made [5, pp. 154-155]. Making authentication systems subliminal-free makes their use for identification more attractive. Many other applications exist.
It is easy to adapt the first protocol in order to work with two wardens not trusting each other. This allows the phone companies to act as warden in national and in international communications. The other protocols can also be adapted to have two wardens, but the protocols then become more involved.
The speed of the protocols can be compared with the speed of RSA, if several tricks are used. Ideas as described in [9] can be used. Remark in this context that the $R_j$ are constants, so A can significantly speed up the calculations of $f_M^{-1}(\pm R_j)$, even though $M$ is not constant. Hereto she has to store some values (more details will be given in the final paper). A can also speed up the calculation of $X$ using her knowledge of $\phi(n)$.
Much faster subliminal-free authentication and signature systems can be made, partially based on [7,8]. However these schemes also have disadvantages. Full details will be given in the final paper.

VII. CONCLUSION

The problem of making subliminal-free authentication and signature systems, which was open for five years, is now solved. The applications of subliminal-free authentication range from treaty verification to international banking communications. One can expect that in the near future more practical subliminal-free authentication and signature schemes will be presented using fewer interactions. The impact that non-interactive zero-knowledge [3] can have on such improvements has to be investigated.

REFERENCES

[1] J. A. Adam. Ways to verify the U.S.-Soviet arms pact. IEEE Spectrum, pp. 30-34, February 1988.
[2] M. Blum. Coin flipping by telephone - a protocol for solving impossible problems. In Digest of papers COMPCON82, pp. 133-137, IEEE Computer Society, February 1982.
[3] M. Blum, P. Feldman, and S. Micali. Non-interactive zero-knowledge and its applications. In Proceedings of the twentieth ACM Symp. Theory of Computing, STOC, pp. 103-112, May 2-4, 1988.
[4] Y. Desmedt. Abuses in cryptography and how to fight them. August 1988. To be presented at Crypto'88.
[5] Y. Desmedt. Major security problems with the "unforgeable" (Feige-)Fiat-Shamir proofs of identity and how to overcome them. In Securicom 88, 6th worldwide congress on computer and communications security and protection, pp. 147-159, SEDEP Paris France, March 15-17, 1988.
[6] Y. Desmedt, C. Goutier, and S. Bengio. Special uses and abuses of the Fiat-Shamir passport protocol. In C. Pomerance, editor, Advances in Cryptology, Proc. of Crypto'87 (Lecture Notes in Computer Science 293), pp. 21-39, Springer-Verlag, 1988. Santa Barbara, California, U.S.A., August 16-20.
[7] U. Feige, A. Fiat, and A. Shamir. Zero knowledge proofs of identity. In Proceedings of the Nineteenth ACM Symp. Theory of Computing, STOC, pp. 210-217, May 25-27, 1987.
[8] A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. Odlyzko, editor, Advances in Cryptology, Proc. of Crypto'86 (Lecture Notes in Computer Science 263), pp. 186-194, Springer-Verlag, 1987. Santa Barbara, California, U.S.A., August 11-15.
[9] O. Goldreich. Two remarks concerning the Goldwasser-Micali-Rivest signature scheme. In A. Odlyzko, editor, Advances in Cryptology, Proc. of Crypto'86 (Lecture Notes in Computer Science 263), pp. 104-110, Springer-Verlag, 1987. Santa Barbara, California, U.S.A., August 11-15, 1986.
[10] O. Goldreich, S. Micali, and A. Wigderson. How to prove all NP statements in zero-knowledge and a methodology of cryptographic protocol design. In A. Odlyzko, editor, Advances in Cryptology, Proc. of Crypto'86 (Lecture Notes in Computer Science 263), pp. 171-185, Springer-Verlag, 1987. Santa Barbara, California, U.S.A., August 11-15.
[11] O. Goldreich, S. Micali, and A. Wigderson. Proofs that yield nothing but their validity and a methodology of cryptographic protocol design. In The Computer Society of IEEE, 27th Annual Symp. on Foundations of Computer Science (FOCS), pp. 174-187, IEEE Computer Society Press, 1986. Toronto, Ontario, Canada, October 27-29, 1986.
[12] S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28(2), pp. 270-299, April 1984.
[13] S. Goldwasser, S. Micali, and C. Rackoff. Knowledge complexity of interactive proofs. In Proc. 17th STOC, pp. 291-304, 1985.
[14] S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput., 17(2), pp. 281-308, April 1988.
[15] S. Goldwasser, S. Micali, and R. Rivest. A paradoxical solution to the signature problem. In Proceedings of 25th Symp. on Foundations of Computer Science, pp. 441-448, 1984.
[16] G. J. Simmons. Message Authentication Without Secrecy, pp. 105-139. AAAS Selected Symposia Series 69, Westview Press, 1982.
[17] G. J. Simmons. The prisoners' problem and the subliminal channel. In D. Chaum, editor, Advances in Cryptology. Proc. of Crypto 83, pp. 51-67, Plenum Press N.Y., 1984. Santa Barbara, California, August 1983.
[18] G. J. Simmons. The secure subliminal channel (?). In H. C. Williams, editor, Advances in Cryptology. Proc. of Crypto 85 (Lecture Notes in Computer Science 218), pp. 33-41, Springer-Verlag, 1986. Santa Barbara, California, August 18-22, 1985.
[19] G. J. Simmons. The subliminal channel and digital signatures. In T. Beth, N. Cot, and I. Ingemarsson, editors, Advances in Cryptology. Proc. of Eurocrypt 84 (Lecture Notes in Computer Science 209), pp. 364-378, Springer-Verlag, Berlin, 1985. Paris, France, April 9-11, 1984.
[20] G. J. Simmons. Verification of treaty compliance-revisited. In Proc. of the 1983 IEEE Symposium on Security and Privacy, pp. 61-66, IEEE Computer Society Press, April 25-27, 1983. Oakland, California.
[21] H. C. Williams. A modification of the RSA public-key encryption procedure. IEEE Trans. Inform. Theory, 26(6), pp. 726-729, November 1980.
Gustavus J. Simmons a) and George B. Purdy b)

a) Sandia National Laboratories
Albuquerque, NM 87185

b) University of Cincinnati
Department of Mathematics
Cincinnati, OH 45221

Abstract

There are two equally important, related, functions involved in the control of assets and resources. One of these is the verification of a potential user's identity and authority to use or have access to those assets. The other is to provide a record (receipt) of each access so that in the event of a later dispute as to whether an illegitimate use was made of the assets, or of the extent of the liability incurred in a legitimate use, etc., the authenticity and specifics of the access can be demonstrated in a logically compelling (and hence eventually legally binding) manner to an impartial third party or arbiter. Elaborate, and legally accepted, document based protocols to accomplish these functions are central to all commercial and private transactions. When the resources are remotely accessible, however, as in the case of computer data files, electronic funds transfers (EFT), automated bank tellers, and even in many manned point-of-sale systems, no satisfactory counterpart to the established document based protocols for verifying individual identity and/or authority to use a resource has been found, nor has a fully satisfactory means been devised to provide unforgeable transaction receipts. In this paper, we show how a public authentication channel can be used to certify private (user unique) authentication channels in a protocol that both "proves" a potential user's identity and authority and also provides certified receipts for transactions whose legitimacy can later be verified by impartial arbiters who did not have to be parties to the original transaction.
We also introduce an authentication scheme to be used in this application, based on the legitimate originator of information being able to extract square roots modulo $n = pq$, where $p$ and $q$ are primes of a special form. We show that these protocols provide a zero-knowledge proof of identity and of the veracity of transaction receipts, and that they are therefore very secure. We also show how the legitimate owner of the authentication channel can give a zero-knowledge proof that the modulus

a) This author's work performed at Sandia National Laboratories supported by the U. S. Department of Energy under contract no. DE-AC04-76DP00789.

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 35-49, 1988.
© Springer-Verlag Berlin Heidelberg 1988

n has the correct form, thereby eliminating the possibility of the existence of
several known subliminal channels.

Introduction

There are two parts to the problem of verifying the identity of an individual, whom we will refer to as the user, whether remotely or face-to-face. First, the party or device making the identification (the verifier) must have identifying information available to match or check against the information submitted to support a claimed identity. Clearly, the confidence that the verifier has in any particular identification can be no greater than his confidence in the integrity of the corroborating information on which the identification is based. Consequently, the first part of the identity verification problem is to devise means by which the verifier can have access to identifying information whose integrity he can trust. This information may either be intrinsic to the individual being identified, such as physiognomy, fingerprints, voice prints, retinal prints, dynamics of a written signature, etc., or else it may be extrinsic, i.e., a private (secret) piece of information such as a computer access password, a telephone credit card number, a personal identification number (PIN), etc., not intrinsically associated with the individual, but whose possession is equated with the user's identity. The second part of the identity verification problem for extrinsic identification is to devise means to protect this identifying information from forgery or fraudulent use, especially to insure that someone eavesdropping on repeated uses by the legitimate user cannot improve their chances of impersonating him. Assuming that there are many users whom a verifier may have to identify, the file of identifying information that he uses for this purpose may take the form of an actual trusted directory, perhaps hidden behind a one-way function [8,12,20] to protect the users against the verifier or his agents impersonating them to other verifiers, or it may be an implicit directory in which the user produces trusted (?) identification credentials, such as drivers licenses, photo IDs, major credit cards, etc., in support of his access request at the time it is made. It should be pointed out that in transactions where significant liability is involved, these user supplied credentials are often themselves verified by querying a central file; telephone verification of credit cards at the point of sale, etc. This defeats the main purpose of having user-supplied means of identification, i.e., to make identification a purely local protocol, but is made necessary by the low level of confidence achievable in conventional user-supplied means of identification. In either case, whether the directory is actually in the possession of the verifier or is merely remotely accessible by him, trust in the directory is derived from trust in the integrity of the issuer of the directory.
In the first reported application of public key crypto techniques (fielded by the Sandia National Laboratories in 1978), an authentication channel based on the
In the first reported application of public key crypto techniques (fielded by
the Sandia National Laboratories in 1978), an authentication channel based on the
RSA cryptoalgorithm was used to create trusted credentials that users could carry
with them and present to the verifier at the time they requested access, in this
case to the very sensitive Zero Power Plutonium Reactor at Idaho Falls, Idaho
[7,16]. The public authentication channel (a publicly known RSA modulus n and
decryption exponent d) was used by the issuing office of the Atomic Energy Commis-
sion to authenticate (certify) a text that included physical descriptors for the
individual being identified as well as the details of the nature, type, duration,
etc., of the access authorized. The object of this scheme was to make it possible
for each user to carry with him what would have effectively been his entry in the
verifier's trusted directory (a trusted credential in this case), that could be
authenticated by the verifier, but which would be of no assistance to anyone wishing
to produce a fraudulent credential. In this particular application, the identifica-
tion information was intrinsic to the user (hand geometry, body weight, etc.), how-
ever, in other applications [16] the same basic technique has been used with extrin-
sic information in a manner similar to the protocol to be described here.
The essential concept in the protocol to provide verifiable proof of identity
and unforgeable certified receipts is to use a public authentication channel to
create trusted credentials which users will keep in their possession which certify,
along with various identifying information, the public part of a user-unique
authentication channel: the private (secret) part of which is known only to the
legitimate user identified in the credential [19]. These credentials need not be
kept secret and consequently avoid the necessity of generating, distributing and
protecting local trusted directories or of establishing secure communications
(authentication) channels to permit access by the verifiers to centralized trusted
directories. At the time a user presents a credential (not necessarily his own) the
verifier can first establish locally, via the public authentication channel that the
credential is valid, i.e., that it was created by the issuer, and secondly, that the
user identified in the now authenticated credential knows the private part of an
authentication channel whose public part is described there. The applicant can then
"prove" (in probability) that he is the individual to whom that credential belongs
by demonstrating that he can authenticate challenge messages submitted by the veri-
fier whose authenticity the verifier can establish using the (certified) public part
of the authentication channel described in the credential.

The Protocol

The protocol described here presupposes the existence of an unconditionally
trusted issuer of validated (signed) identification credentials. This could be a
government agency, a credit card center or financial institution, a military command
center, a centralized computer facility, etc. The issuer first establishes a public
authentication channel to which he retains the secret authenticating function. As
mentioned earlier, this could be any suitably secure authentication channel. The
one we will use to illustrate the protocol is based on the computational equivalence
(in probability) of extracting modular square roots and of factoring a composite
modulus. To set up such a channel, the issuer first chooses a pair of primes p and
q with $p \equiv 3 \pmod 8$ and $q \equiv 7 \pmod 8$. p and q must satisfy the same conditions
required to construct a "good" RSA modulus, i.e., p and q must be chosen so that it
is computationally infeasible for anyone to factor the modulus $n = pq$. There are
two reasons for requiring that $p \equiv 3 \pmod 8$ and $q \equiv 7 \pmod 8$. The first, which is
simple to explain, is to make it easy for anyone who knows the factors to extract
the modular square root of a square with respect to n.¹ The second reason is harder
to explain in detail, but basically it is to guarantee that there is a unique, but
publicly determinable, square associated with every message, u, that may need to be
authenticated. The explanation of why we want this to be true we will defer for the
moment. This restriction on the choice of p and q represents no significant
increase in the computational difficulty of finding suitable primes during the ini-
tial set up of the authentication channel. The issuer keeps the factorization of n
secret; in fact, the security of the system against fraudulent claims of validated
identity is no better than the lesser of
a) the quality of protection provided p and q by the issuer
or,
b) the difficulty of factoring n.
The issuer must also have available a polyrandom function f that maps arbitrary
strings of symbols to the range [0,n). By polyrandom, we mean that f cannot be
distinguished from a truly random function by any polynomially bounded computation.
f will be a publicly known function, and need not change over the lifetime of the
identification protocol. Many strong, single-key cryptographic functions, such as
the DES when used with a fixed publicly known key in a block chain encryption mode,
appear to adequately approximate this condition. n and f are the public part of the
issuer's authentication channel. The private (secret) part of the channel, known
only to the issuer, is his knowledge of the factors p and q. Since taking modular
square roots is computationally equivalent (in probability) to factoring n, the
issuer can prove that he is who he claims to be, i.e., prove that he knows the fac-
torization of n, by being able to produce square roots modulo n. The issuer cannot
simply authenticate arbitrary messages submitted to him by public receivers

1. Given a prime p and a quadratic residue, y, of p it is only an $O(\log p)$
computational task to find a solution to the quadratic congruence

(i)   $x^2 \equiv y \pmod p$,

i.e., to extract a modular square root of y. This is true irrespective of the
choice of the prime p, however if $p \equiv 3 \pmod 4$ the solution of (i) is particu-
larly simple:

(ii)   $x \equiv \pm y^{(p+1)/4} \pmod p$,

where the $\pm$ indicates the complement (mod p). Exponentiation is only an $O(\log p)$
computational task using the well-known square-and-multiply algorithm [6].

(either users or verifiers), since each time he responded with a square root to a
square chosen by someone else he would potentially compromise the factorization of
n, and hence the capability to fraudulently authenticate messages in his stead, with
probability 1/2. Similarly, a receiver can't accept an arbitrary square and match-
ing square root as proof of the identity of the party possessing them, since anyone
could choose an arbitrary x and square it to calculate a matching square with res-
pect to the issuer's publicly known modulus, n. Consequently, the squares that the
issuer will authenticate, i.e., whose square roots he will extract, must be indeter-
minate to both the issuer and the receiver in order for the public authentication
channel to be secure; both against the receiver being deceived as to the identity of
the originator of a message and to the issuer against having his identity usurped.
The primary purpose of the polyrandom function f is to provide this indeterminacy.
Its secondary purpose is to map strings of symbols (whose length may vary) into the
range [0,n), i.e., into the principal residues of n.
In the usual communications usage of an authentication channel, a transmitter
wishes to send a message, m, to public receivers and to "prove" to them that the
communication came from him and not from someone impersonating him, and also that a
message hasn't been altered after he signed it. To do this with the authentication
channel just described, the transmitter would, if necessary, introduce additional
redundant information, typically a field of the message filled with a publicly known
symbol, say a terminal block of k zeros, to form an extended message, $\bar m$. $\bar m$ will be
a square modulo n with probability 1/4, in which case the transmitter can extract a
square root, s, and send the couplet (m,s) as the authenticated (signed) message.
There are four square roots for $\bar m$ modulo n, one of which is chosen with a uniform
probability distribution. The computational algorithm (modular square root) takes
care of this random choice automatically. The transmitter need only communicate the
message, m, not the extended message, $\bar m$, since the redundant information is publicly
known so that the receiver can construct $\bar m$ from m in the same way that the transmit-
ter did. The receiver(s) will accept (m,s) as an authentic communication from the
transmitter if and only if

(1)   $\bar m \equiv s^2 \pmod n$.

With probability 3/4, however, $\bar m$ will not be a square so that there is no s satisfy-
ing (1). In the case of a communications usage of the authentication channel, there
are a variety of simple procedures by which the transmitter can cause the extended
message $\bar m$ that he uses to be a square but, as we shall see, none of these are avail-
able in the present case since the transmitter must not be able to force the choice
of the square to a value of his choice. In the identification protocol, the issuer
would form the extended message $\bar m$ in exactly the same way the transmitter does in
the communications example. But he would then form $u = f(\bar m)$, depending on the poly-
random nature of f to protect himself from a compromise of the factorization of n
that could occur if m was chosen (or could be sufficiently influenced) by the
receiver and the receiver from deception by someone impersonating the issuer and
presenting an arbitrary pair m and s satisfying (1), etc. If $\log(u) \gg k$, i.e., if
the number of bits in u is much larger than k, then the probability of a randomly
selected u actually being the image of some extended message with the proper k bits
of redundant information will be $2^{-k}$. The probability that u will be a square with
respect to n is 1/4 as mentioned earlier, in which case the issuer can sign u by
extracting the square root, etc. If u isn't a square, however, since f is a poly-
random function there is no evident way to manipulate m so as to cause u to become a
square. In fact, if there were any way to influence the quadratic residuosity of u
through f then f would not satisfy the definition of a polyrandom function, and the
authentication channel would not be cryptosecure. Therefore, since it is computa-
tionally infeasible for the issuer to cause $u = f(\bar m)$ to be a square, and since being
able to extract modular square roots is the only means the issuer has of proving
that he knows the factorization of n and hence of authenticating messages, we need a
simple and publicly known means of associating a unique, but publicly determinable,
square with u, for all residues u.
At this point, we remind the reader of two simple facts from elementary number
theory: the product of either a pair of quadratic residues or of a pair of quad-
ratic nonresidues is a quadratic residue, while the product of a quadratic residue
with a quadratic nonresidue is a quadratic nonresidue. A quantity, u, $(u,n) = 1$, is
a quadratic residue with respect to a composite modulus $n = pq$, if and only if it is
a quadratic residue with respect to both p and q individually.
We also need two further number theoretic results [2]:
a) 2 is a quadratic residue of all primes of the form $P \equiv 1$ or $7 \pmod 8$ and
a quadratic nonresidue if $P \equiv 3$ or $5 \pmod 8$.
b) -1 is a quadratic residue of all primes of the form $P \equiv 1 \pmod 4$ and a
quadratic nonresidue if $P \equiv 3 \pmod 4$.
The important thing to note is that 2 is a quadratic residue of q but is a quadratic
nonresidue of p by (a) and that -1 is a quadratic nonresidue of both p and q by (b).
This was why p and q were chosen to satisfy $p \equiv 3 \pmod 8$ and $q \equiv 7 \pmod 8$.
Williams [22] was apparently the first to construct RSA moduli using primes of this
special form which he exploited to resolve an ambiguity in the decryption of ciphers
in a variant to the RSA cryptoalgorithm proposed by Rabin [14] for which they proved
that decryption of (almost all) ciphers and of factoring the modulus were computa-
tionally equivalent.
Now consider an arbitrary residue u, $(u,n) = 1$. u can be classified into one
of four classes according as to whether it is a quadratic residue or a quadratic
nonresidue with respect to p and with respect to q. We represent these four classes
as QR,QR; QR,NQR; NQR,QR and NQR,NQR; where the quadratic residuosity with respect
to p is indicated first and with respect to q second. Now consider the classifica-
tion of the four multipliers 1, -2, 2, -1: these are QR,QR; QR,NQR; NQR,QR and
NQR,NQR, respectively. Consequently, there will be precisely one quadratic residue
(square) in the set of four residues

(2)   $(u, -2u, 2u, -u)$

for any choice of a residue u, $(u,n) = 1$. The square residue is the product of u
with the multiplier having the same classification as u. It is easy for the issuer
to determine the class that u belongs to since he knows the factorization of n and
hence easy for him to determine which of u, -u, 2u or -2u is a quadratic residue
with respect to n. The issuer can therefore extract a (random) square root, s, of
the unique quadratic residue associated with u and sign u with s. In the protocol
described here, he also appends two additional bits $b_2 b_{-1}$ so that an authenticated
message is of the form

to inform whoever wishes to validate the authenticated message which one of the
residues u, -2u, 2u or -u, respectively, he should expect to recover from the quad-
ratic congruence,²

(3)   $s^2 \equiv t \pmod n$.

It isn't essential that the issuer append the two bits that tell which of the four
cases to expect, since the verifier could compute t and then check to see whether t
is one of u, -2u, 2u or -u. If it is, then m would be accepted as an authentic mes-
sage. It is simply computationally more efficient to append the two bits to the
authenticated message than to have the verifier make the four tests. No extra
information, i.e., no information not otherwise available, is conveyed by the
appended pair of bits. By the convention used here (in arranging the entries in the
array (2)), $b_2 = 1$ says multiply u by 2 while $b_{-1} = 1$ says to multiply by -1 to form
the expected residue.

2. The reader may recall a digital signature scheme proposed by Ong, Schnorr and
Shamir [9,10] which superficially resembles the scheme described here. In their
scheme, a composite modulus n and a residue k were made public. A signed
message, m, was any triple (x,y;m) such that

(i)   $x^2 + k y^2 \equiv m \pmod n$.

x and y were easy to calculate if one knew the factorization of n, but thought
to be as hard as factoring otherwise. Pollard and Schnorr [11] have shown this
not to be the case however. The problem is that in this signature scheme each
message m has on the order of n signatures, i.e., pairs of integers x and y
satisfying (i), hence it is computationally feasible to find some one out of
these many pairs. In the scheme described here there is a unique signature for
each message, so that the cryptographic weakness arising from having multiple
signatures does not occur.

The probability that an opponent can find a u and s that satisfy (3) and have
the required redundant information present in the preimage of u under f without
knowing the factorization of n is $2^{-k}$ as has already been pointed out.
In the protocol, user i's identity is completely specified in an identifier
(string of symbols), $I_i$, consisting of such information as his social security num-
ber, his bank account or credit card number, his military ID, etc., which could also
include intrinsic physical descriptors, as well as any limitations on the authoriza-
tion conveyed in the signed identifier, such as credit limits, expiration date,
levels of access, etc. Most importantly, $I_i$ must include the public part of the
user's personal authentication channel consisting in the present example of an RSA
modulus $n_i$, where $n_i = p_i q_i$ and $p_i \equiv 3 \pmod 8$ and $q_i \equiv 7 \pmod 8$ as required in
setting up the issuer's public authentication channel; $n_i < n$. In addition, since
anyone wishing to forge a credential could construct an identifier, I, to suit his
purposes, $I_i$ must include sufficiently much publicly known redundant information,
such as message format, fixed fields of symbols common to all identifiers, $I_i$, etc.,
to make a forward search type attack [15] infeasible. The issuer first calculates

(4)

and determines the classification of $d_i$ according to its quadratic residuosity with
respect to p and q. He then calculates the (least positive) square root of the
unique quadratic residue associated with $d_i$. The authenticated (signed) credential
$[I_i; s_i:(b_2 b_{-1})_i]$ is given to user i. No part of this credential need be kept
secret. However, the user must keep secret his private authentication function: the
factors $p_i$ and $q_i$. His security against impersonation is totally dependent on him
protecting this information, since his proof of identity in the scheme is equated to
knowing the factorization of $n_i$.
The public part of the (issuer's) authentication channel is the issuer's modu-
lus n, the polyrandom function f and a knowledge of the redundant information
present in all of the $I_i$, which, as has been noted, must be sufficient to prevent a
forward search cryptanalytic attack [15] on the polyrandom function f. In other
words, the redundancy must be adequate to prevent someone wishing to fraudulently
validate an identity from simply calculating $s_j^2 = t_j$ for randomly chosen signatures
$s_j$ until he finds a match $t_j = f(I)$ for some usable I -- this is the forward
search attack. By making I contain sufficient redundant information, the probabil-
ity of success of this sort of attack can be made as small as desired.
When user i wishes to prove his identity to a party A, say to gain access to a
restricted facility or to log on to a computer or to withdraw money from an ATM,
etc., he initiates the exchange by identifying himself to A using his identification
credential and making his access request;

STEP 1:   i → A:  $I_i; s_i:(b_2 b_{-1})_i; t_j$

$t_j$ is a string of symbols that describes or identifies the transaction user i is
requesting; $t_j$ could be the date, the amount of the withdrawal, etc. A, who need
not have an identification credential issued by the trusted issuer, first verifies
that the credential submitted to him is actually an authentic credential signed by
the issuer. He accepts the credential (and the information contained in $I_i$) as
genuine if and only if the quadratic congruence

(5)   (mod n)

is satisfied. At this point in the protocol, if the test in (5) has been satisfied,
A is confident that the credential was issued by the issuer and
that user i identified in $I_i$ can authenticate messages using the private authentica-
tion channel described in $I_i$, in other words, for the example of an authentication
channel being used here, that user i knows the factorization of $n_i$. The remaining
question to A is whether the applicant who submitted the credential $[I_i; s_i:(b_2 b_{-1})_i]$
is actually user i. This question can be answered by using the, now validated,
private authentication channel.
A replies to the access request with a string of symbols, $T_j$, that describe the
transaction from his standpoint: terminal ID, transaction number, confirmation of
withdrawal amount, etc.

STEP 2:   A → i:  $T_j$

Both user i and the verifier A form the concatenation of $t_j$ and $T_j$, $v_j = t_j; T_j$, and
calculate the polyrandom function of the resulting string, $z_j = f(v_j)$.
Since $v_j$ is the joint result of contributions by user i and A, it is indeterminate
to both, hence no additional redundant information is needed to insure that $z_j$ will
also be indeterminate to both of them.
Both i and A now know $z_j$ (a residue mod $n_i$) which may or may not be a quadratic
residue with respect to $n_i$. Using the by now familiar procedure to associate a
unique quadratic residue with $z_j$, user i calculates a square root, $r_j$, and sends it
to A.
Note that $z_j$ is being used effectively as a one-time key, indeterminate to both i
and A because of the polyrandom nature of f, to permit user i to give to A an
encrypted function of $v_j$ in a form that will allow A to satisfy himself that whoever
he is in communication with had to know the factors of $n_i$. This exchange does not
provide any information about the factors themselves because of the polyrandom
nature of f.
If the person seeking to be recognized as user i really is who he claims to be,
i.e., if he knows $p_i$ and $q_i$, then

(6)   (mod $n_i$)

will be satisfied. However, if he is not user i, so that he doesn't know the fac-
torization of $n_i$, then in order for him to be able to impersonate i, he must find a
number x such that

(7)   (mod $n_i$)

which is computationally as difficult as factoring $n_i$. A knows the identity claimed
by the applicant from $I_i$, which he accepts as the proven identity of the applicant
if and only if equality (5) is satisfied.
A keeps the 4-tuple $(I_i; s_i):(v_j; r_j)$ as his certified receipt for the trans-
action. Anyone can later verify all aspects of the transaction: first by validat-
ing the credential $(I_i; s_i)$ in exactly the same way that A did using the public part
of the issuer's authentication channel, and then by validating the receipt $(v_j, r_j)$
using the public part of user i's authentication channel. This proves, in probabil-
ity, that the complete description of the transaction, $v_j$, was endorsed by user i,
or at least by someone knowing the factorization of $n_i$. As has already been men-
tioned, the missing $B_2 B_{-1}$ and $(b_2 b_{-1})_i$ can be (effectively) calculated when needed,
and since the frequency of arbitration is expected to be very low compared with the
frequency of authentication and retention of receipts which must occur for every
transaction, it is more efficient to not store the bits indicating which of the four
test residues should be a quadratic residue.
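The square-root signature of (2) and (3), the root extraction of footnote (ii), and the one-way credential and challenge exchange just described, worked through as an added Python example; this is not code from the paper or its authors. SHA-256 reduced modulo n stands in for the polyrandom function f, the four primes and the layout of the identifier $I_i$ are constructed assumptions, and the random sign choice among the four roots (which the zero-knowledge argument later in the paper depends on) is made with the `secrets` module.

```python
import hashlib
import secrets

# Constructed parameters (assumption, not the paper's): primes of the required
# form, p ≡ 3 (mod 8) and q ≡ 7 (mod 8), for the issuer and for user i, with
# n_i < n as the paper requires.
ISSUER_P, ISSUER_Q = 1000003, 2147483647
USER_P, USER_Q = 100003, 1000000007
ISSUER_N, USER_N = ISSUER_P * ISSUER_Q, USER_P * USER_Q
assert USER_N < ISSUER_N
# Publicly known fixed field that every I_i must carry (layout is an assumption).
REDUNDANCY = "CREDENTIAL/1|"


def is_qr(a, p):
    """Euler's criterion: is a a quadratic residue modulo the odd prime p?"""
    return pow(a % p, (p - 1) // 2, p) == 1


def sqrt_mod_n(w, p, q):
    """A uniformly chosen one of the four square roots of the residue w mod
    n = pq: footnote (ii) gives w^((p+1)/4) as a root modulo each prime (both
    are 3 mod 4), a random sign is applied to each root, and the two are
    combined by the Chinese remainder theorem."""
    n = p * q
    rp, rq = pow(w, (p + 1) // 4, p), pow(w, (q + 1) // 4, q)
    if secrets.randbits(1):
        rp = p - rp
    if secrets.randbits(1):
        rq = q - rq
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % n


def sign(u, p, q):
    """Signer's side: locate the unique square among u, -2u, 2u, -u, extract a
    root s, and return (s, b2, bm1) with s^2 ≡ 2^b2 (-1)^bm1 u (mod n)."""
    n = p * q
    for b2 in (0, 1):
        for bm1 in (0, 1):
            w = u * 2 ** b2 * (-1) ** bm1 % n
            if is_qr(w, p) and is_qr(w, q):
                return sqrt_mod_n(w, p, q), b2, bm1
    raise ValueError("u shares a factor with n, or n is not of the required form")


def verify(u, sig, n):
    """Congruence (3): recompute t = s^2 and compare it with the residue the
    two appended bits select; only the public modulus is needed."""
    s, b2, bm1 = sig
    return pow(s, 2, n) == u * 2 ** b2 * (-1) ** bm1 % n


def f(msg, n):
    """Stand-in for the polyrandom function f: SHA-256 reduced into [0, n)."""
    return int.from_bytes(hashlib.sha256(msg.encode()).digest(), "big") % n


def issue_credential(identity):
    """Issuer forms I_i (fixed redundancy, identity data, user's public n_i)
    and signs f(I_i) with the factors of n, which only the issuer knows."""
    I = f"{REDUNDANCY}{identity}|n_i={USER_N}"
    return I, sign(f(I, ISSUER_N), ISSUER_P, ISSUER_Q)


def verify_credential(I, sig):
    """Anyone can check a credential with the issuer's public channel alone."""
    return I.startswith(REDUNDANCY) and verify(f(I, ISSUER_N), sig, ISSUER_N)


def user_respond(t_j, T_j):
    """User i's reply to the challenge: z_j = f(t_j;T_j) mod n_i, signed with
    the private factors p_i, q_i."""
    v_j = f"{t_j};{T_j}"
    return v_j, sign(f(v_j, USER_N), USER_P, USER_Q)


def verify_receipt(I, sig_i, v_j, r_j):
    """Used by A at the end of the exchange and by any later arbiter: validate
    the credential against n, then the receipt against n_i read from I_i."""
    if not verify_credential(I, sig_i):
        return False
    n_i = int(I.rsplit("n_i=", 1)[1])
    return verify(f(v_j, n_i), r_j, n_i)


def one_way_protocol(credential, t_j, T_j):
    """STEP 1 (credential and t_j), STEP 2 (A's T_j), then user i's signed
    response. Returns (accepted, receipt), the receipt being A's 4-tuple."""
    I, sig_i = credential
    if not verify_credential(I, sig_i):  # A rejects a bad credential at once
        return False, None
    v_j, r_j = user_respond(t_j, T_j)
    receipt = (I, sig_i, v_j, r_j)
    return verify_receipt(*receipt), receipt
```

The verifier side (`verify`, `verify_credential`, `verify_receipt`) never touches a prime factor, which is the whole point of the scheme: A only needs n, f and the redundancy convention, and reads $n_i$ out of the authenticated $I_i$ rather than from any directory. The fixed `REDUNDANCY` prefix is the publicly known field the paper requires in every identifier so that a forged $I$ cannot simply be chosen to match a random square.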
If both communicants require a certified receipt the one-way protocol described
above can be easily modified into a two-way protocol between two parties, i and k,
both of whom must possess identification credentials validated by the issuer. The
exchange in this case is of the form

STEP 1:   i → k:  $I_i; s_i:(b_2 b_{-1})_i; t_j$
STEP 2:   k → i:  $I_k; s_k:(b_2 b_{-1})_k; T_j$
STEP 3:   i → k:  i's square root of the residue associated with $z_j = f(v_j)$, modulo $n_i$
STEP 4:   k → i:  k's square root of the residue associated with $z_j$, modulo $n_k$

where user i would keep the 4-tuple $(I_k, s_k):(v_j, r_j)$ as his certified receipt, etc.
We will next prove that the protocol just described is secure. As a matter of
fact, we will prove rather substantially more. A number of authors [3,17,18] have
devised schemes for embedding a subliminal channel into digital signature or iden-
tification schemes. Consequently, for some applications (such as treaty verifi-
cation) where a subliminal channel could be exploited by one of the parties to cheat
the other, it may be essential for a scheme to be acceptable that a means be avail-
able to prove that no subliminal channel has been concealed. In [4] van de Graaf
and Peralta present a scheme for proving that a modulus n is a Blum integer, and
this provides some protection against subliminal channels in identification schemes
using Blum integers. We present a zero-knowledge scheme for proving that a modulus
n is of the form used here. This will eliminate the possibility of those subliminal
channels arising from the modulus n being of any of the forms $n = p^2 q$, $n = pqr$
or $n = p^2 qr$. A great advantage of the identification scheme described here over
schemes based on Blum integers is the avoidance of computing Jacobi symbols. Our
proof that a modulus n is of the correct form also avoids computing Jacobi symbols.
Since one of the authors is from Texas where the effete Alice and Bob of cryp-
tology fame haven't gained acceptance, and the other is an engineer accustomed to
using the notation Tx and Rx to indicate the transmitter and receiver, respectively,
in a communications channel, the communicants here will be called Tex and Rex (pro-
nounced with a nasal Texas drawl). With this explanation of the change in notation,
we start by assuming that Tex wishes to establish his identity to Rex. A simplified
description of the protocol described above is:
1) Tex chooses a string of symbols x and sends it to Rex.
2) After receiving x, Rex chooses a string y and sends it to Tex.
3) They compute $z = f(v)$, where f is a polyrandom function, and $v = x;y$ is
the concatenation of the strings x and y.
4) Tex determines which one of the four numbers z, -z, 2z, -2z is a square.
Let's say that uz is a square. Then Tex calculates and chooses at random
one out of the four possible square roots of uz, say s. He gives s to Rex
along with a two-bit suffix $(b_2 b_{-1})$ indicating which of the four numbers
1, 2, -1, or -2 must be used as the multiplier u to make the product uz
a square.
5) Rex accepts the communication as authentic if and only if the equality

$s^2 \equiv uz \pmod n$

is satisfied.
As pointed out earlier, there is a potentially troubling aspect to this scheme:
Every time that Tex uses it, Rex might conceivably learn something about $n = pq$. If
Tex identifies himself k times to Rex, or if k different people to whom Tex has
identified himself pool their knowledge, then Rex obtains 2k bits of information
about p and q which -- we might naively assume -- have required $2^{2k}$ guesses in order
for him to simulate for himself. That is, if we postulate that he had a procedure
for factoring the modulus which required these numbers, and he didn't have them,
then he would have had to run his algorithm $2^{2k}$ times, once for each guess. Instead
the algorithm is a zero-knowledge proof, and contrary to intuition, Rex can, on his
own, come up with number triples (z,s,u), where z is random, u is in the set
$S = \{1, -1, 2, -2\}$, and $s^2 \equiv uz$. In other words, we show that he gains no information
by Tex's responses that he couldn't get for himself. Acting purely on his own, with
no participation by Tex, Rex carries out the following sequence of steps.
1) Pick a random s,
2) pick u randomly in S, and
3) define z by $z \equiv u^{-1} s^2 \pmod n$.
These steps can be carried out without knowing the factorization of the modulus n.
Rex can form as many such triples (z,s,u) as he wishes, and they come from the
same probability distribution as the ones he obtains from Tex. Hence they don't add
to his knowledge, and the protocol is a zero-knowledge proof. We required that the
square root s be chosen at random from among the four possible square roots of uz.
This is necessary in order that the zero-knowledge argument will hold. It does have
the one annoying feature that we must arrange that the probability that Tex chooses
the same x twice be negligibly small, since a repetition of z would enable Rex to
factor the modulus with probability 1/2.
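Rex's three-step simulation, and the reason the paper insists that no z may ever be answered twice, as an added Python example that is not from the paper; the toy modulus $n = 11 \cdot 23$ (11 ≡ 3 and 23 ≡ 7 mod 8) is a constructed assumption small enough that square roots can be found by exhaustive search rather than with the factors.

```python
import random
from math import gcd

# Constructed toy parameters (assumption, not the paper's): 11 ≡ 3, 23 ≡ 7 (mod 8).
P, Q = 11, 23
N = P * Q
S = (1, -1, 2, -2)  # the multiplier set S of the text


def _rng(seed):
    """Seeded generator for reproducible runs; the module generator otherwise."""
    return random.Random(seed) if seed is not None else random


def roots(w, n=N):
    """All square roots of w modulo n, by exhaustive search (toy modulus only)."""
    return [x for x in range(n) if x * x % n == w % n]


def tex_respond(z, n=N, seed=None):
    """Honest Tex: find the u in S with uz a square and return a root of uz
    chosen uniformly among the four, together with u."""
    for u in S:
        r = roots(u * z, n)
        if r:
            return _rng(seed).choice(r), u
    raise ValueError("z shares a factor with n, or n is not of the required form")


def rex_check(z, s, u, n=N):
    """Rex's acceptance test: s^2 ≡ uz (mod n)."""
    return s * s % n == u * z % n


def rex_simulate(n=N, seed=None):
    """Rex alone, without the factors: pick s, pick u in S, set z = u^-1 s^2.
    The triple passes rex_check and has the same distribution as Tex's."""
    rng = _rng(seed)
    s = rng.randrange(1, n)
    while gcd(s, n) != 1:
        s = rng.randrange(1, n)
    u = rng.choice(S)
    z = pow(u % n, -1, n) * s * s % n
    return z, s, u


def factor_from_repeat(s1, s2, n=N):
    """Why z must never repeat: two roots of the same uz with s1 ≠ ±s2 give
    gcd(s1 - s2, n), a prime factor of n. Returns None when the repeated
    answer happened to be the same root up to sign (probability 1/2)."""
    if (s1 - s2) % n == 0 or (s1 + s2) % n == 0:
        return None
    g = gcd(s1 - s2, n)
    return g if 1 < g < n else None
```

For z = 5 the square in the set is -2·5 ≡ 243, whose four roots are 98, 109, 144 and 155; answering the same z twice with 144 and then 98 hands Rex gcd(46, 253) = 23. A prover implementation therefore has to derive z from fresh contributions of both parties each round, exactly as the protocol's x;y concatenation does, and must never reuse an old x.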

We next prove that the protocol permits a zero-knowledge proof that the modulus
n is of the form $n = pq$, $p \equiv 3 \pmod 8$ and $q \equiv 7 \pmod 8$, as claimed. This proof
process requires two steps. The first protocol proves that n is square-free by
demonstrating Tex's ability to take n-th roots. Simmons [18] has embedded a sub-
liminal channel into a digital signature scheme devised by Brickell and DeLaurentis
[1] using a modulus of the form $n = p^2 q$, which shows that even a modulus with only
two distinct prime factors can be a problem.
The second protocol then establishes that the modulus n is indeed of the
claimed form: $n = pq$. This is needed, of course, to eliminate the first known
subliminal channel (due also to Simmons [17]) which requires a modulus that is the
product of three primes: either $n = pqr$ or $n = p^2 qr$. At the same time, a new sub-
liminal channel based on $n = pq$, where p and q are not of the right form, is
eliminated also.

Protocol for proving n is square-free.

1) Tex chooses x and sends it to Rex.
2) After receiving x, Rex chooses y and sends it to Tex.
3) They both compute $z = f(v)$, where $v = x;y$ is the concatenation of x and y.
4) Tex finds the n-th root s of z, and sends s to Rex.
5) They repeat steps 1-4 a total of k times.
The basic observation, as explained in [2], is that if n is square free, then every
number will have an n-th root, whereas if n is divisible by $p^2$, where p is a prime,
then at most 1/p of the numbers will have n-th roots. Since n is presumably odd, so
that $p \geq 3$, there is a probability of at most $3^{-k}$ that a modulus which is not
square free would survive the protocol.
It is important that Tex sends x to Rex before Rex chooses y, to prevent Tex
from using the following forward search [11] technique:
1) Tex receives y from Rex.
2) Tex chooses x at random and computes $z = f(v)$, where $v = x;y$.
3) Tex checks whether z has an n-th root. This will happen with probability
1/p if, e.g., $n = p^2 q$.
4) If z has an n-th root s, then Tex sends x and then s to Rex.
5) If z does not have an n-th root, then go to step 2.
We remark that the choice of a prime p as small as $p = 3$ is not impossible, since
the malefactor may be willing to take risks in order to conceal a subliminal chan-
nel. This would give Tex's forward search strategy a probability of $1 - (2/3)^k$ of
working within k tries. We could, of course, test n for divisibility by primes
$3, 5, \ldots, p_r$ and reduce this probability to $1 - (1 - 1/p_r)^k$.
As explained in [13], the protocol doesn't work if the primes are of a special
form. For our purposes, $n = pq$, and the protocol will fail if p divides $q - 1$
exactly, or if q divides $p - 1$ exactly. In these cases not all numbers will have n-th
roots, and so n would appear to be a bad modulus even though it is not. This is not
a serious restriction.
The algorithm gives a zero-knowledge proof, since Rex could produce random
pairs (x,z), by choosing z at random and computing $x = z^n \pmod n$. These pairs have
the same probability distribution as the pairs (x,z) occurring in the protocol.

Protocol for proving n is of the proper form. Using the following protocol,
Tex convinces Rex that $n = pq$, where p is a prime $\equiv 3 \pmod 8$ and q is a prime
$\equiv 7 \pmod 8$:
1) Tex chooses x, Rex chooses y, they compute $z = f(x,y)$.
2) Tex finds the u in $\{1, -1, 2, -2\}$ such that uz is a square, and randomly
chooses s, one of the four square roots of uz.
3) Tex sends s and u to Rex.
4) Steps 1 to 3 are repeated k times.
We may assume that the n-th root algorithm has already been applied and hence that n
is square-free. If n has three or more prime factors, then at most n/8 of the num-
bers are squares, and the probability that one of the four numbers z, -z, 2z, -2z is
a square is at most 50%. Hence the probability of Tex fooling Rex after k steps is
at most $2^{-k}$.
How do we know that $p \equiv 3 \pmod 8$ and $q \equiv 7 \pmod 8$? The answer is that if the
modulus isn't of the proper form, then for some choices of a residue u no mem-
ber of the set $\{u, -u, 2u, -2u\}$ will be a square, so that Tex can't respond to the chal-
lenge value u. For example, if $p \equiv 1 \pmod 8$ and $q \equiv 3 \pmod 8$, then 2 is a square mod
p and a nonsquare mod q, and -1 is a square mod p and a nonsquare mod q. This means
that z will be a square whenever -2z is, so that a 25% probability exists that for
any particular z, none of the numbers z, -z, 2z, -2z are squares.
In such a case, the probability that Tex will fool Rex into accepting a modulus
which is not of the proper form is at most $(3/4)^k$.
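The two facts that the modulus-form protocols rest on, checked exhaustively on constructed toy moduli as an added Python example (not from the paper): the fraction of residues that have an n-th root, and the fraction for which one of z, -z, 2z, -2z is a square. It also covers the exception noted above for the square-free test, a square-free $n = pq$ with p dividing $q - 1$, which the n-th root test wrongly rejects even though the four-residue test accepts it.

```python
from math import gcd


def units(n):
    """Residues in [1, n) coprime to n."""
    return [x for x in range(1, n) if gcd(x, n) == 1]


def nth_root_fraction(n):
    """Fraction of units modulo n that possess an n-th root, i.e. the relative
    size of the image of x -> x^n mod n (basis of the square-free protocol).
    1.0 means every unit has a root; the text gives at most 1/p when p^2 | n."""
    us = units(n)
    return len({pow(x, n, n) for x in us}) / len(us)


def four_residue_fraction(n):
    """Fraction of units z modulo n for which at least one of z, -z, 2z, -2z is
    a square (basis of the proper-form protocol). 1.0 exactly when the four
    multipliers fall into four distinct residuosity classes."""
    us = units(n)
    squares = {x * x % n for x in us}
    hits = sum(any(u * z % n in squares for u in (1, -1, 2, -2)) for z in us)
    return hits / len(us)


def survey():
    """Exhaustive values on constructed toy moduli: 77 = 11*7 is of the proper
    form (11 ≡ 3, 7 ≡ 7 mod 8) with neither prime dividing the other minus one;
    63 = 3^2*7 is not square-free; 253 = 11*23 is of the proper form but 11
    divides 22, the exception named in the text; 105 = 3*5*7 has three primes."""
    return {
        "nth_root(77)": nth_root_fraction(77),
        "nth_root(63)": nth_root_fraction(63),
        "nth_root(253)": nth_root_fraction(253),
        "four_residue(77)": four_residue_fraction(77),
        "four_residue(253)": four_residue_fraction(253),
        "four_residue(105)": four_residue_fraction(105),
    }
```

On these moduli the n-th root fraction is 1 for 77, 1/9 for 63 (below the 1/p = 1/3 bound) and 1/11 for 253 despite 253 being square-free, while the four-residue fraction is 1 for both proper-form moduli and exactly 1/2 for the three-prime modulus, matching the "at most 50%" bound used for the $2^{-k}$ estimate. Anyone generating or vetting moduli for this scheme can run the same exhaustive checks on small candidates before trusting the probabilistic argument on large ones.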

Authentication Codes with Multiple Arbiters

(Extended Abstract)

Ernest F. Brickell*
Sandia National Laboratories
Albuquerque, NM 87185

Doug R. Stinson**
Dept. of Computer Science
University of Manitoba
Winnipeg, Manitoba
Canada R3T 2N2

An authentication system provides a means for a transmitter to send a message to a
receiver so that the receiver is convinced that the message was sent by the transmitter
and not by an opponent. Authentication codes provide a design for authentication systems
which are unconditionally secure. Specifically, the codes provide a provable level of
security which depends on the parameters of the code but which does not depend on any
assumptions (for instance assumptions about the computational complexity of some problem).
In 1987, Simmons [Si1] introduced authentication codes that permit arbitration.
These codes allow for an arbiter who can settle disputes between the transmitter and
receiver. The disputes that an arbiter can resolve are that the receiver might claim to
have received a certain message when in fact he didn't, or the transmitter might try to
disavow a message that he actually sent. The arbiter cannot resolve a dispute in which
the transmitter claims to have sent a message and the receiver claims that he did not
receive a message. These systems are also unconditionally secure. One drawback to the
system is that the transmitter and receiver must have complete trust in the arbiter,
because an arbiter has the potential to cheat in many ways.
In this paper, we show that by having multiple arbiters, the probability that any
individual arbiter can successfully cheat is greatly reduced.

The Model
We will be using the same terminology and the same model of authentication with
arbitration that was used by Simmons [Si1], [Si2]. The system that will be used must be
known to all players, i.e., transmitter, receiver, opponent, and arbiter. This includes a
fixed set of source states that the transmitter might send to the receiver. The receiver
and arbiter secretly agree on which messages the receiver will accept as authentic for
each source state. Then the arbiter gives the transmitter one message for each source
state that the receiver will accept as authentic. The arbiter will no longer be used
unless there is a dispute.

* This work performed in part at Sandia National Laboratories supported by the U. S.
Department of Energy under contract No. DE-AC04-76DP00789.
** This work partially supported by NSERC operating grant No. A9287.

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 51-55, 1988.
© Springer-Verlag Berlin Heidelberg 1988
There are five types of cheating that this system is designed to protect against.

Opponent cheating:
O_0 Impersonation: Without waiting to see any communication, the opponent sends a
message to the receiver. He wins if it is accepted as authentic.
O_1 Substitution: The opponent intercepts a message and substitutes a different message.
He wins if his message is accepted as authentic and the receiver is misled about the
state of the source.

Receiver cheating:
R_0 The receiver, without receiving any message from the transmitter, tries to convince
the arbiter that he did receive a message.
R_1 The receiver, after receiving a message from the transmitter, tries to convince the
arbiter that he received a different message.

Transmitter cheating:
T The transmitter, after sending a message to the receiver that the receiver
authenticated, tries to deny that he sent a message.

The model does not attempt to protect against all types of cheating. For example,
the transmitter could claim that he sent a message that he did not send or the opponent
could disrupt communications between the transmitter and receiver. For cheating of type
X, let P_X be the probability that the cheating will be successful. Let
$P_R = \max[P_{R_0}, P_{R_1}]$ and $P_O = \max[P_{O_0}, P_{O_1}]$.
The problem presented here cannot be directly solved by the general multi-party
protocols of [CCD] and [BGW] because in those protocols, it is necessary for all parties
in the protocol (transmitter, receiver, and arbiters) to play an active part in any
communication.

Multiple Arbiters

Simmons showed how to construct authentication with arbitration codes, which he
called A^2 codes, for any q a prime power such that the probability of successful cheating
is 1/q for each of the five types of cheating. He expressed concern, however, that these
systems required complete trust in the arbiter. A cheating arbiter could assist the
opponent, receiver, or transmitter and cheat in any of the five types. We now show that
by having multiple arbiters, the power of any individual arbiter to cheat is greatly
reduced.

Suppose we have arbiters A_1, ..., A_n and for each arbiter, we have an authentication
with arbitration code with the probability of deception of 1/q for each of the five types of
cheating. Each of the communications between the receiver and an arbiter or the
transmitter and an arbiter will be in secret from all of the other arbiters. These
communications will be handled in the same way as in the single arbiter case. So for each
arbiter A_i and each source state s_j, the receiver will give the arbiter A_i a set of
messages, M_{ij}, that he will accept as authentic, and the arbiter A_i will give the
transmitter a single message, m_{ij} ∈ M_{ij}, that the arbiter A_i will validate as an authentic
transmission of s_j. When the transmitter wants to send a source state s_j to the
receiver, he must send m_{ij} for 1 ≤ i ≤ n. The receiver will accept such a
communication as authentic if and only if m_{ij} ∈ M_{ij} for 1 ≤ i ≤ n. If a dispute arises, a
judge will accept a communication p_1, ..., p_n as an authentic transmission of source state
s_j if and only if at least d of the arbiters claim the communication is authentic, i.e.,
for at least d of the i's, 1 ≤ i ≤ n, arbiter A_i claims that p_i = m_{ij}.

Let us now examine the probabilities of cheating given that t arbiters are bad. To
simplify the discussion, assume that A_1, ..., A_t are bad. An opponent can collude with the
t bad arbiters and learn M_{ij} for 1 ≤ i ≤ t. To deceive the receiver, he must cheat
successfully on each of the other n − t A^2 codes. Since these are independent, his probability
of success is (1/q)^{n−t}. Thus $P_O = (1/q)^{n-t}$.

The receiver can collude with the t bad arbiters and learn m_{ij} for 1 ≤ i ≤ t. To
deceive the judge, he must cheat successfully on at least d − t of the other n − t A^2 codes.
His probability of success is

$$P_R = \sum_{i=d-t}^{n-t} \binom{n-t}{i} \left(\frac{1}{q}\right)^i \left(\frac{q-1}{q}\right)^{n-t-i},$$

where $\binom{n-t}{i} (1/q)^i ((q-1)/q)^{n-t-i}$ is the probability of cheating successfully on exactly i of the
independent n − t A^2 codes.

Assuming that the transmitter knows M_{ij} for 1 ≤ i ≤ t, his best strategy for success
at deceit of type T is to send m'_{ij} ∈ M_{ij} \ {m_{ij}} for 1 ≤ i ≤ t, m_{ij} for t + 1 ≤ i ≤ d + t − 1,
and then try to cheat successfully on the n − (d + t − 1) remaining A^2 codes.
So $P_T = (1/q)^{n-d-t+1}$.

To achieve P_R < 1 and P_T < 1, we must have t < n/2. If t = ⌊(n − 1)/2⌋ and if d = …,
then for fixed n, q can be chosen large enough to satisfy any desired level of confidence.

For example, if n = 2t + 1 and setting d = t + 1 we obtain P = …


Additional Comments

A bad arbiter could completely disrupt the communication by sending the transmitter
an m_{ij} with m_{ij} ∉ M_{ij}. It is possible to protect against a few arbiters doing this by
allowing the receiver to accept a communication if it is authentic in "most" of the A^2
codes. However, this reduces the security against the opponent.

To be more precise, assume that the receiver will accept a communication p_1, ..., p_n as
transmitting source state s_j if p_i ∈ M_{ij} for at least a of the i's, 1 ≤ i ≤ n, and that a
judge will accept it as authentic if at least d of the arbiters claim it is authentic.
Assume that at most u arbiters will try to disrupt the communication and at most t
arbiters will try to help one of the other participants to cheat. This model allows for
the possibility that a particular arbiter might try to disrupt the communication but might
not help any participant to cheat.

The transmitter and receiver can successfully cheat only when the judge is deceived.
When computing P_{R_0}, P_{R_1}, and P_T, we will assume that no arbiters are disrupting (i.e., u = 0)
since this assumption provides the worst case (i.e., maximizes) P_{R_0}, P_{R_1}, and P_T. Since
the criterion for the judge's decision is unchanged from the previous model, P_{R_0}, P_{R_1}, and
P_T are also unchanged.

To compute P_O, assume that the opponent knows M_{ij} for 1 ≤ i ≤ t. To deceive the
transmitter, he must successfully cheat on at least a − t of the other n − t independent
A^2 codes. His probability of success is

$$P_O = \sum_{i=a-t}^{n-t} \binom{n-t}{i} \left(\frac{1}{q}\right)^i \left(\frac{q-1}{q}\right)^{n-t-i}.$$

Finally, the u arbiters can disrupt the communication if and only if u > n − a or u ≥ a.
In the case n/2 ≥ u ≥ a, the bad arbiters could deceive the transmitter
into sending a message that, according to protocol, the receiver would accept as
transmitting two different source states.

To achieve u ≤ n − a and u < a, we must have u < n/2. If u = …, and if d = …, then for
fixed n, q can be chosen large enough to satisfy any desired level of confidence.
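Added example, not from the paper: the cheating probabilities of the multiple-arbiter scheme computed exactly for chosen n, t, d, q, in both the basic model (receiver requires all n components valid) and the extended model with a receiver threshold a, together with a search for the smallest q that brings every probability below a chosen bound. The parameter values n = 5, t = 2, d = 3, q = 4, a = 4 and the bound 1/10 are constructed for illustration.

```python
"""Cheating probabilities for n arbiters, t bad, judge threshold d,
optional receiver threshold a, per-code deception probability 1/q."""
from fractions import Fraction
from math import comb


def at_least(trials, needed, q):
    """Probability of at least `needed` successes in `trials` independent
    attempts on A^2 codes that each succeed with probability 1/q (binomial tail)."""
    p = Fraction(1, q)
    return sum(comb(trials, i) * p ** i * (1 - p) ** (trials - i)
               for i in range(max(needed, 0), trials + 1))


def p_opponent(n, t, q, a=None):
    """P_O. In the first model (a = n) the opponent must beat every one of the
    n - t honest codes, giving (1/q)^(n-t); with a receiver threshold a he only
    needs at least a - t successes among the n - t honest codes."""
    if a is None:
        a = n
    return at_least(n - t, a - t, q)


def p_receiver(n, t, d, q):
    """P_R: the receiver, helped by the t bad arbiters, must fool at least
    d - t of the other n - t arbiters' codes to reach the judge's threshold d."""
    return at_least(n - t, d - t, q)


def p_transmitter(n, t, d, q):
    """P_T: the transmitter sends acceptable-but-wrong messages for the t bad
    arbiters, the true m_ij for d - 1 honest ones, and must still cheat on the
    remaining n - (d + t - 1) codes: (1/q)^(n-d-t+1)."""
    return Fraction(1, q) ** (n - d - t + 1)


def thresholds_sound(n, t, d):
    """P_R < 1 and P_T < 1 together require t < d <= n - t, hence t < n/2."""
    return t < d <= n - t


def smallest_q(n, t, d, bound, a=None):
    """Smallest integer q >= 2 with max(P_O, P_R, P_T) < bound, illustrating
    that for fixed n, q can be chosen large enough. (The A^2 codes themselves
    need q to be a prime power; this search does not enforce that.)"""
    q = 2
    while max(p_opponent(n, t, q, a), p_receiver(n, t, d, q),
              p_transmitter(n, t, d, q)) >= bound:
        q += 1
    return q


if __name__ == "__main__":
    n, t, d, q = 5, 2, 3, 4          # constructed: n = 2t + 1, d = t + 1
    print("thresholds sound:", thresholds_sound(n, t, d))
    print("P_O =", p_opponent(n, t, q), " P_R =", p_receiver(n, t, d, q),
          " P_T =", p_transmitter(n, t, d, q))
    print("P_O with receiver threshold a = 4:", p_opponent(n, t, q, a=4))
    print("smallest q with all three below 1/10:", smallest_q(n, t, d, Fraction(1, 10)))
```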
References

[BGW] Michael Ben-Or, Shafi Goldwasser and Avi Wigderson, "Completeness Theorems for Non-
Cryptographic Fault-Tolerant Distributed Computation," to appear in Proceedings of
the 20th ACM Symposium on the Theory of Computing, 1988.
[CCD] David Chaum, Claude Crépeau and Ivan Damgård, "Multiparty Unconditionally Secure
Protocols," to appear in Proceedings of the 20th ACM Symposium on the Theory of
Computing, 1988.
[Si1] G. J. Simmons, "Message Authentication with Arbitration of Transmitter/Receiver
Disputes," to appear in Advances in Cryptology, Eurocr
ypt'87, Springer-Verlag, 1987.
[Si2] G. J. Simmons, "A Cartesian Product Construction for Unconditionally Secure
Authentication Codes that Permit Arbitration," submitted to Journal of Cryptology.
SOME CONSTRUCTIONS FOR
AUTHENTICATION - SECRECY CODES

Marijke De Soete

Seminar of Geometry and Combinatorics
State University of Ghent
Krijgslaan, 281
B-9000 Ghent, Belgium

ABSTRACT

We deal with authentication / secrecy codes having unconditional security.
Besides some new results for a "spoofing attack of order L", we give
several constructions using finite incidence structures (designs, generalized
quadrangles).

1 AUTHENTICATION-SECRECY
It is the aim to deal in this paper with codes having unconditional security,
which means that the security is independent of the computing
power. Analogously to the theory of unconditional secrecy due to Shannon
[12], Simmons developed a theory of unconditional authentication [14].

Consider a transmitter who wants to communicate a source to a remote
receiver by sending messages through an imperfect communication
channel. Then there are two fundamentally different ways in which the
receiver can be deceived. The channel may be noisy so that the symbols
in the transmitted message can be received in error, or the channel may
be under control of an opponent who can either deliberately modify legitimate
messages or else introduce fraudulent ones. Simmons [14] showed
that both problems could be modeled in complete generality by replacing
the classical noisy communications channel of coding theory with a
game-theoretic noiseless channel in which an intelligent opponent, who
knows the system and can observe the channel, plays so as to optimize his
chances of deceiving the receiver. To provide some degree of immunity to
deception (of the receiver), the transmitter also introduces redundancy in
this case, but does so in such a way that, for any message the transmitter
may send, the altered messages that the opponent would introduce using
his optimal strategy are spread randomly. Authentication is concerned
with devising and analyzing schemes (codes) to achieve this "spreading".

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 57-75, 1988.
© Springer-Verlag Berlin Heidelberg 1988

In the model some simplifying assumptions are made. We suppose
that the transmitter and receiver trust each other completely and that
neither acts to deceive the other. We also assume that only the receiver
need be convinced of the authenticity of a message, so there is no third
party (arbiter) involved here. In addition, we also agree that all successful
deceptions of the receiver are of equal value to the opponent. We have
to distinguish the authentication schemes in which the opponent knows
the state of source (message authentication without secrecy) from the
message authentication in situations in which the opponent is ignorant of
the information being communicated to the receiver by the transmitter.

2 A MATHEMATICAL AUTHENTICATION MODEL
In this model (see [14], [15], [16], [17], [18]) there are three participants:
a transmitter, a receiver and an opponent. The transmitter wants to
communicate some information to the receiver. The opponent, wanting
to deceive the receiver, can either impersonate the receiver, making him
accept a fraudulent message as authentic, or modify a message which
has been sent by the transmitter.
Let S denote the set of k source states, M the set of v messages and E
the set of b encoding rules.
A source state s ∈ S is the information that the transmitter wishes to
communicate to the receiver. The transmitter and receiver will have secretly
chosen an encoding rule e ∈ E beforehand. An encoding rule will
be used to determine the message e(s) to be sent to communicate any
source state s. In a model with splitting, several messages can be used to
determine a particular source state. However, in order for a receiver to be
able to uniquely determine the source state from the message sent, there
can be at most one source state which is encoded by any given message
m ∈ M, for a given encoding rule e ∈ E (this means: e(s) ≠ e(s') if
s ≠ s').

An opponent will play impersonation or substitution. When the opponent
plays impersonation, he sends a message to the receiver, attempting
to have the receiver accept the message as authentic. When the opponent
plays substitution, he waits until a message m has been sent, and then
replaces m with another message m', so that the receiver is misled as
to the state of source. More generally, an opponent can observe i (≥ 0)
distinct messages being sent over the channel knowing that the same key
is used to transmit them, but ignoring this key. If we consider the code
as a secrecy system, then we make the assumption that the opponent can
only observe the messages being sent. Our goal is that the opponent be
unable to determine any information regarding the i source states from
the i messages he has observed.

The following scenario for authentication is investigated. After the
observation of i messages M' ⊂ M, the opponent sends a message m' to
the receiver, m' ∉ M', hoping to have it accepted as authentic. This is
called a spoofing attack of order i [9], with the special cases i = 0 and
i = 1 corresponding respectively to the impersonation and substitution
game. The last games have been studied extensively by several authors
(see [4], [2], [13], [14], [16]).

For any i, there will be a probability on the set of i source states which
occur. We ignore the order in which the i source states occur, and assume
that no source state occurs more than once. Also, we assume that any
set of i source states has a non-zero probability of occurring. Given a set
S of i source states, we define p(S) to be the probability that the source
states in S occur.

Given the probability distributions on the source states described
above, the receiver and transmitter will choose a probability distribution
for E, called an encoding strategy. If splitting occurs, then they will
also determine a splitting strategy to determine m ∈ M, given s ∈ S and
e ∈ E (this corresponds to non-deterministic encoding). The transmitter/receiver
will determine these strategies to minimize the chance that
an opponent can deceive them.

Once the transmitter/receiver have chosen encoding and splitting strategies,
we can define for each i ≥ 0 a probability denoted P_{d_i}, which is the
probability that the opponent can deceive the transmitter/receiver with
a spoofing attack of order i.

In this paper, we consider only codes without splitting. We shall use
the following notation. Given an encoding rule e, we define M(e) =
{e(s) | s ∈ S}, i.e. the set of messages permitted by encoding rule
e. For a set M' of distinct messages, and an encoding rule e, define
f_e(M') = {s | e(s) ∈ M'}, i.e. the set of source states which will
be encoded under encoding rule e by a message in M'. Define also
E(M') = {e ∈ E | M' ⊆ M(e)}, i.e. the set of encoding rules under
which all the messages in M' are permitted. It is useful to think of a
code as being represented by a b × k matrix A, where the rows are indexed
by encoding rules, the columns are indexed by source states and
the entry in row e and column s is e(s). We can also define a b × v
incidence matrix X in which the rows represent the encoding rules, the
columns the messages and the entry in row e and column m is 0 or 1
according as m ∉ M(e) or m ∈ M(e).
Finally we denote by AC(k, v, b) an authentication system with k source
states, v messages and b encoding rules.

Example. Consider the following code on 2 source states using 4 encoding
rules given by:

A = [4 × 2 matrix of messages; entries not legible in the scan]   and   X = [4 × 4 incidence matrix; the legible rows are 1 0 0 1 and 0 1 1 0]

This is the "best" authentication system possible for k = 2, b = 4, since
we have P_{d_0} = P_{d_1} = 1/2 = 1/√b.

3 BOUNDS ON P_{d_i}

Many of the bounds on P_d depend on entropies of the various probability
distributions. For a probability distribution on a set X, we define the
entropy of X, H(X), as follows:

$$H(X) = -\sum_{x \in X} p(x) \log p(x).$$

As well, the conditional entropy H(X/Y) is defined to be

Theorem 3.1 (Simmons [14]) In an authentication system without splitting
$P_{d_0} \ge k/v$.

An authentication system which satisfies the bound of this theorem with
equality is said to be perfect.

In a perfect authentication code without splitting, the following properties
hold (Brickell [4]):

1. for all messages m, $P_{d_0} = \sum_{e \in E(m)} p(e) = k/v$;
2. for any message m, p(s) is constant for all s such that there is an e
such that e(s) = m.

The following bound is for substitution with secrecy.

Theorem 3.4 (Schöbi [11], Stinson [17]) In an authentication system without splitting

$$P_{d_i} \ge \frac{k-i}{v-i} \quad (i \ge 0).$$

Following Massey [9], an authentication system is L-fold secure against
spoofing if

$$P_{d_i} = \frac{k-i}{v-i} \quad \text{for all } i,\ 0 \le i \le L.$$

Remarks. An authentication code which is perfect (in the sense of 3.1)
is 0-fold secure against spoofing (see [4]).

The first bound for P_{d_1}, found by Gilbert, MacWilliams and Sloane [6]
using a uniform source distribution, is given by

They called a system with this bound perfect. Examples of such systems
are included in [6], [2].

Afterwards this bound was proven under general conditions by Simmons
and Brickell. They obtained

$$P_{d_G} = \max(P_{d_0}, P_{d_1}) \ge 2^{-\frac{1}{2} H(E)}$$

and if equality holds, then $P_{d_0} = 2^{H(E/M) - H(E)}$ and $P_{d_1} = 2^{H(S) - H(M)}$ (in a
system without splitting). They called a system with this bound doubly
perfect. Hence doubly perfect implies perfect (in the sense defined in 3.2).
63

4 SECRECY
Considering the secrecy properties of a code, we desire that no information
be conveyed by the observation of the messages. A code has perfect
L-fold secrecy (Stinson [17]) if, for every set M_1 of at most L messages
observed in the channel, and for every set S_1 of at most |M_1| source states,
we have p(S_1/M_1) = p(S_1). This means that observing a set of at most
L messages in the channel does not help the opponent to determine the
L source states.
On the other hand, a code is said to be Cartesian ([4], [18]) if any message
uniquely determines the source state, independent of the particular
encoding rule being used.
In terms of entropy, this is expressed by H(S/M) = 0. Hence in a Cartesian
authentication code there is no secrecy (it has 0-fold secrecy).

5 BOUNDS ON THE NUMBER OF KEYS b

The first example of an authentication code with P_{d_1} = 1/√b was given
by Gilbert, MacWilliams and Sloane [6] using a finite projective plane
PG(2, q). However it has the disadvantage that the number of keys q^2 is
much larger than the number of source states q + 1. Codes with k >> b
have more interest.

The number of keys is basically influenced by the following two aspects:

• the distribution on the source states
• the secrecy of the code.

To illustrate this we mention the following theorems.

Theorem 5.1 (Massey [9], Schöbi [11]) For an authentication system
which is L-fold secure against spoofing there holds

Theorem 5.2 (Stinson [17]) If a code achieves perfect L-fold secrecy
and is (L − 1)-fold secure against spoofing, then

$$b \ge \binom{v}{L}.$$

Theorem 5.3 If an authentication system without splitting achieves perfect
L'-fold secrecy and if it is L-fold secure against spoofing, L' ≤ L + 1,
then

b ≥ [bound not legible in the scan]

Proof. Let M_1 be a set of i ≤ L messages which are permitted under
a particular encoding rule. Let z be any message not in M_1. Let us
suppose there is no encoding rule under which all messages in M_1 ∪ {z}
are valid. Then it follows from the proof of 3.4 in [17] that we would
obtain P_{d_i} > (k − i)/(v − i), a contradiction. Hence, it follows that every
(L + 1)-subset of messages is valid under at least one encoding rule.

Now pick any L'-subset M_2, such that M_2 ⊂ M_1. In order to achieve
perfect L'-fold secrecy, the messages in M_2 must encode every possible L'-
subset of source states. Hence every L'-subset M_2 is a valid set of messages
under at least $\binom{k}{L'}$ encoding rules. We remark that the same L'-subset
occurs in exactly $\binom{k - L'}{L + 1 - L'}$ (L + 1)-subsets. Hence counting L'-
subsets of messages we obtain:

or

We define an optimal (L', L)-code, 0 ≤ L' ≤ L + 1, to be a code which
achieves perfect L'-fold secrecy and is L-fold secure against spoofing and
for which b meets the bound given in 5.3. According to Stinson [17], for
L' = L + 1, we call it an optimal (L + 1)-code.
6 CONSTRUCTIONS OF AUTHENTICATION CODES FOR AN ARBITRARY SOURCE DISTRIBUTION
6.1 Authentication codes derived from generalized quadrangles

A (finite) generalized quadrangle (GQ) is an incidence structure G =
(P, B, I) in which P and B are disjoint (nonempty) sets of objects called
points and lines resp., and for which I is a symmetric point-line incidence
relation satisfying the following axioms:

1. Each point is incident with 1 + t lines (t ≥ 1) and two distinct points
are incident with at most one line.

2. Each line is incident with 1 + s points (s ≥ 1) and two distinct lines
are incident with at most one point.

3. If x is a point and L a line not incident with x, then there is a unique
pair (y, M) ∈ P × B for which x I M I y I L.

The integers s and t are the parameters of the GQ and G is said to
have order (s, t). There is a point-line duality for GQ (of order (s, t))
for which in any definition or theorem the words "point" and "line" are
interchanged and the parameters s and t are interchanged. There holds
|P| = (s + 1)(st + 1), |B| = (t + 1)(st + 1) and s + t divides st(s + 1)(t + 1).

Let x, y ∈ P; we write x ~ y and say that x and y are collinear, provided
that there is some line L for which x I L I y. And x ≁ y means
that x and y are not collinear. For x ∈ P, put x^⊥ = {y ∈ P | y ~ x},
and note that x ∈ x^⊥. For x, y ∈ P, x ≠ y, the trace of the pair
(x, y) is the set {x, y}^⊥ = x^⊥ ∩ y^⊥. We have |{x, y}^⊥| = s + 1 or t + 1
according as x ~ y or x ≁ y. The span of the pair (x, y) is the set
{x, y}^⊥⊥ = {u ∈ P | u ∈ z^⊥ ∀z ∈ {x, y}^⊥}. For x ~ y, this is the set of
points of the line xy, while for x ≁ y, |{x, y}^⊥⊥| ≤ t + 1.
A spread of a GQ G is a set R of lines of G such that each point of G is
incident with a unique line of R. Hence there holds |R| = st + 1.
Further information about GQ can be found in [10].

Let G be a GQ of order (s, t), s, t > 1. Take an arbitrary point x. Let
the sources be defined by the t + 1 lines which are incident with x, the
messages are the points of x^⊥ \ {x} and the encoding rules are the points
of P \ x^⊥.

Theorem 6.1 If there exists a GQ of order (s, t) then there is a Cartesian
AC(t + 1, (t + 1)s, ts^2) which is 0-fold secure against spoofing.

Proof. It is easy to verify that k = t + 1, v = (t + 1)s and b = (s + 1)(st + 1) − (t + 1)s − 1 = s^2 t. We define an encoding rule in the following way.
Given a point y ∉ x^⊥, we define for a source state L, x I L, the message
e_y(L) = z with z the unique point on L such that y ~ z I L. We use each
encoding rule with probability 1/s^2 t. We verify that P_{d_0} = k/v. For an
arbitrary message m, there exist st encoding rules containing m. Hence
payoff(m), the probability that the message m is accepted by the receiver,
is given by

$$\mathrm{payoff}(m) = \sum_{e \in E(m)} p(e) = \frac{st}{s^2 t} = \frac{1}{s} = \frac{k}{v}.$$

We also remark that P_{d_1} = 1/s > (k − 1)/(v − 1).

Indeed, let m, m' be two distinct messages. We obtain

$$\frac{\sum_{e \in E(m, m')} P(S = f_e(m'))}{\sum_{e \in E(m')} P(S = f_e(m'))} = \frac{t}{st} = \frac{1}{s},$$

since there are t encoding rules for which both m, m' occur. Hence
payoff(m, m') = 1/s.

Remarks 1. Using the same set of source states and messages we can
define an AC(t + 1, (t + 1)s, ts^2(t + 1)) with P_{d_0} = 1/s, P_{d_1} = 1/s, which is 0-fold
secure against spoofing and which has perfect 1-fold secrecy. From each
encoding rule of the preceding theorem we define t + 1 new encoding rules
in the following way. Let M(e_y) = M_y = {z_1, ..., z_{t+1}}; then we define
for each 0 ≤ i ≤ t

$$e_{(M_y, i)} = (e_j \mid 1 \le j \le t + 1) \quad \text{where } e_j = z_{j + i \pmod{t+1}}.$$

This illustrates the influence of the secrecy of the code on the number of
encoding rules b.

2. If the point x is regular, this means that |{x, y}^⊥⊥| = t + 1, ∀y ∈ P,
y ≠ x (see [10]), the foregoing code can be improved to an AC(t + 1, (t + 1)s, (t + 1)s^2) with P_{d_0} = 1/s, P_{d_1} = 1/s, which is 0-fold secure
against spoofing and which has perfect 1-fold secrecy. Therefore we take
M(e_y) = {x, y}^⊥, ∀y ∈ P, y ≁ x. Since we have s^2 different sets M_{e_y}, the
number of encoding rules (using the same procedure as in 1.) now equals
s^2(t + 1).

3. A complete description of the "known" GQ of order (s, t) is given in
[10].
68

Consider again a GQ G of order (s,t ) which contains a spread


R={Ll,. . . ,&+I]. Define the source states as the lines of R (Ic = st+ 1)
+
and the messages as the points of G (v = ( s t l)(s 1)). Denote the+
+
points as ~ 1 , 1 , ~ 1 , 2.,..,zi,j7.. . , ~ , t + l , , + i , with zi,j I Li7 1 5 j 5 s 1,
1 5 i 5 s t + 1.
Then we define an encoding rule in the following way. We associate with
each point xivja n encoding rule

ezij (Lk)= Zi+k,lr7

with zi+k,It the unique point on the line Li+k which is collinear with X i , j
(where i + k is taken (mod s t f l ) ) . In this way we obtain b = ( l + s ) ( l + s t )
encoding rules.
Theorem 6.2 If there exists a GQ of order ( s , t ) containing a spread R,
t h e n there is a n optimal 1-code f o r s t + 1 sowce states and ( s t 1)(s +
1) +
messages.

Proof. We shall use each encoding rule with probability $1/((s+1)(st+1))$.

Let us first verify that $P_{d_0} = k/v$. Consider a message $m$. Then $m$ occurs in $st+1$ encoding rules (since there are $st$ points collinear with $m$, not on the line of the spread incident with $m$). Hence payoff$(m)$ is given by
$$\mathrm{payoff}(m) = \sum_{e \in E(m)} p(e) = \frac{st+1}{(s+1)(st+1)} = \frac{1}{s+1} = \frac{k}{v}.$$
So the system is 0-fold secure against spoofing. The code has perfect 1-fold secrecy since each message occurs exactly once in each column of the $b \times k$ matrix. Since $b = v$, equality is valid in 5.2 and we have an optimal 1-code.

Remark. For the known spreads in GQ of order $(s,t)$ we refer again to [10].

Implementation of the optimal 1-code.

We implement the optimal 1-code derived from the GQ $T_2(O)$ of order $(q-1,\ q+1)$, $q = 2^h$ (see [10]). Therefore we use the coordinatization of this quadrangle given in [5].

Consider an automorphism $\alpha$ of $GF(q)$, $q = 2^h$, such that $0^\alpha = 0$, $1^\alpha = 1$ and $\{(1, x, x^\alpha) : x \in GF(q)\} \cup \{(0,0,1)\}$ defines an oval in $PG(2,q)$.

The source states are the lines of the spread $[[m,k]]$, $m,k \in GF(q)$. Denote them by $L_{k+mq}$.
The messages are the points $(m,g,k)$, $m,g,k \in GF(q)$, which will be denoted by $x_{k+mq,\,g}$.

The encoding rules are given by
$$e_{k+mq,\,g}(L_j) = x_{k+k'+(m+m')q,\ g'},$$
with $j = k' + m'q$ and $g' = g + (k' m'^{-1})^{\alpha}\, m$.

Hereby $x_{k+k'+(m+m')q,\ g'}$ is the unique point $(m+m',\ g + (k' m'^{-1})^{\alpha} m,\ k+k')$ on the line $L_{k+k'+(m+m')q}$ collinear with $(m,g,k)$.

6.2 Authentication codes derived from Steiner systems

Consider a $t$-$(v,k,\lambda)$ design $D$. For $\lambda = 1$, these are the so called Steiner systems (see [1], [3], [8]).

Theorem 6.3 A Steiner system $D$ defines an $AC(k,\ v,\ v!\,(k-t)!/(v-t)!)$ which has perfect $t$-fold secrecy and $(t-1)$-fold security against spoofing.

Proof. In a $t$-$(v,k,1)$ design $D$, each element occurs in $r = (v-1)\cdots(v-t+1)/((k-1)\cdots(k-t+1))$ blocks and the total number of blocks is given by $v(v-1)\cdots(v-t+1)/(k(k-1)\cdots(k-t+1))$. We construct $k!$ encoding rules from every block of $D$, since for each block $A = \{x_1, \ldots, x_k\}$ this is the number of keys required to do a perfect enciphering on the $k$ points. Denote the keys derived from the block $A$ by $e_{A,1}, \ldots, e_{A,k!}$. Hence we obtain
$$b = \frac{v(v-1)\cdots(v-t+1)}{k(k-1)\cdots(k-t+1)} \cdot k! = \frac{v!\,(k-t)!}{(v-t)!}$$
encoding rules, which we shall use with probability $1/b$.
We first verify that the code is $(t-1)$-fold secure against spoofing. Let $M' \subset M$, $|M'| = i$, $i \le t-1$, $m \in M \setminus M'$, then we obtain:

since we use the uniform encoding strategy.

First we remark that the messages of $M'$, resp. $M' \cup \{m\}$, occur in
$$\lambda'_i = \frac{(v-i)\cdots(v-t+1)}{(k-i)\cdots(k-t+1)}, \qquad \text{resp.} \qquad \lambda'_{i+1} = \frac{(v-(i+1))\cdots(v-t+1)}{(k-(i+1))\cdots(k-t+1)}$$
blocks. For each such block there are exactly $(k-i)!$ encoding rules $e_A$ such that $M' \subset M(e_A)$, resp. $M' \cup \{m\} \subset M(e_A)$ and $f_e(M') = S' \subset S$ with $|S'| = i$. There results
$$P_{d_i} = \frac{\lambda'_{i+1}}{\lambda'_i} = \frac{k-i}{v-i}.$$
The authentication code has perfect $t$-fold secrecy since $p(S' \mid M') = p(S')$, for every $S' \subset S$, $M' \subset M$ with $|S'| = |M'| = t$. $\square$

Remark. The foregoing construction of an optimal $t$-code can be applied to a more general structure, namely a group-divisible $t$-design.
A group-divisible $t$-design $GD(k, \lambda, n, t, v)$ is a triple $(X, G, A)$ satisfying:
1. $X$ is a set of $v$ elements called points,
2. $G$ is a partition of $X$ into $v/n$ subsets of $n$ points, called groups,
3. $A$ is a set of subsets of $X$ (called blocks), each of size $k$, such that a group and a block contain at most one common point,
4. every $t$ points of distinct groups occur in exactly $\lambda$ blocks.
Note that a $GD(k, \lambda, n, t, k \cdot n)$ is equivalent with a transversal $t$-design (see [7]).
Applying the same construction as in 6.3 a $GD(k, \lambda, n, t, v)$ defines an
$$AC\Bigl(k,\ v,\ \lambda \cdot \frac{v(v-n)\cdots(v-(t-1)n)}{k(k-1)\cdots(k-t+1)} \cdot k!\Bigr)$$
which has perfect $t$-fold secrecy and for which $P_{d_i} = (k-i)/(v-in)$, for $0 \le i \le t-1$.
Moreover the code is $(t-1)$-fold secure against spoofing if and only if $n = 1$, in which case we have a $t$-$(v,k,\lambda)$ design.

7 AUTHENTICATION CODES FOR UNIFORM SOURCE DISTRIBUTION

We consider the construction of authentication codes for uniform source distributions ($p(s) = 1/k$, for any source state $s$). As before we are dealing only with codes without splitting. We know that the best bound is given by $P_{d_i} = (k-i)/(v-i)$, for a spoofing attack of order $i$.

Theorem 7.1 An authentication system is $L$-fold secure against spoofing w.r.t. the uniform probability distribution on the source states if and only if, for every $i$, $0 \le i \le L$ and for every $M' \subset M$, $|M'| = i+1$,
$$\sum_{e \in E(M')} p(e) = \frac{k}{v} \cdot \frac{k-1}{v-1} \cdots \frac{k-i}{v-i}.$$

Proof. Stinson [18] proved the theorem for $L = 0, 1$. We proceed by induction.
Suppose that the system is $(L-1)$-fold secure against spoofing, then for every $i$, $0 \le i \le L-1$, and for every $M' \subset M$, $|M'| = i+1$,
$$\sum_{e \in E(M')} p(e) = \frac{k}{v} \cdot \frac{k-1}{v-1} \cdots \frac{k-i}{v-i}.$$
There holds $P_{d_L} = (k-L)/(v-L)$ if and only if, for every $M'' \subset M$, $|M''| = L$, $m \in M \setminus M''$, we have

Since the source distribution is uniform, this is equivalent to:
$$\frac{\sum_{e \in E(M'' \cup \{m\})} p(e)}{\sum_{e \in E(M'')} p(e)} = \frac{k-L}{v-L}.$$
Taking account of the induction hypothesis,
$$\sum_{e \in E(M'')} p(e) = \frac{k}{v} \cdot \frac{k-1}{v-1} \cdots \frac{k-(L-1)}{v-(L-1)},$$
and hence
$$\sum_{e \in E(M'' \cup \{m\})} p(e) = \frac{k}{v} \cdot \frac{k-1}{v-1} \cdots \frac{k-L}{v-L}. \qquad \square$$

Remarks. In many authentication codes, the encoding strategy is to choose every encoding rule with probability $1/b$. If we assume that this encoding strategy is in fact optimal, then the properties of the foregoing theorem are of purely combinatorial nature. We can formulate the following theorem.

Theorem 7.2 An authentication system is $L$-fold secure against spoofing with respect to a uniform encoding strategy and a uniform probability distribution on the source states if and only if the following property is valid for every $i$, $0 \le i \le L$ and every $M' \subset M$, $|M'| = i+1$,
$$|E(M')| = b \cdot \frac{k}{v} \cdot \frac{k-1}{v-1} \cdots \frac{k-i}{v-i}.$$

Example. A $t$-$(v,k,\lambda)$ design (see [1], [3], [8]) defines an authentication system for a uniform source distribution and a uniform encoding strategy $AC(k, v, b)$ which is $(t-1)$-fold secure against spoofing.

Indeed, let $D$ be a $t$-$(v,k,\lambda)$ design. Then $D$ is also a $t'$-$(v,k,\lambda_{t'})$ design, $0 \le t' \le t$, with
$$\lambda_{t'} = \lambda \cdot \frac{(v-t')(v-t'-1)\cdots(v-t+1)}{(k-t')(k-t'-1)\cdots(k-t+1)}.$$
Since for a 2-design $v \cdot r = b \cdot k$ and $(k-1)\,r = (v-1)\,\lambda_2$, we obtain
$$b = \frac{v \cdot r}{k} = \lambda \cdot \frac{v(v-1)\cdots(v-t+1)}{k(k-1)\cdots(k-t+1)}.$$
Using the uniform encoding strategy and uniform source probability, we define a code, identifying blocks with keys and points with messages. Any $t'$ messages occur in $\lambda_{t'}$ blocks and hence for $M' \subset M$, $|M'| = t'$, $1 \le t' \le t$,
$$|E(M')| = \lambda_{t'} = \lambda \cdot \frac{(v-t')\cdots(v-t+1)}{(k-t')\cdots(k-t+1)} = b \cdot \frac{k(k-1)\cdots(k-t'+1)}{v(v-1)\cdots(v-t'+1)},$$
and theorem 7.2 is satisfied.
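The two constructions of Section 6, the optimal 1-code from a spread (Theorem 6.2) and the code from a Steiner system (Theorem 6.3), built on their smallest instances and checked against the bounds of Theorem 7.2, as an added worked example that is not from the paper. Assumptions, all ours: the GQ of order $(2,2)$ is modelled as $W(2)$, with the 15 duads of $\{0,\ldots,5\}$ as points and the 15 synthemes (partitions into three duads) as lines, so that two duads are collinear iff they are disjoint, and a spread is found by search; the Steiner system is the Fano plane with a fixed block list; indices are 0-based, so $e_x(L_0) = x$ plays the role of $e_x(L_{st+1})$ in the paper; spoofing probabilities are computed under the uniform source and encoding distributions of Section 7, so that $P_{d_i}$ is a ratio of rule counts as in Theorem 7.2.

```python
"""Section 6 constructions on their smallest instances.  Added example, not the
paper's code.  Rules are tuples: rule[k] is the message for source state k."""
from fractions import Fraction
from itertools import combinations, permutations
from math import factorial

# GQ of order (2,2) as W(2): points = 15 duads of {0..5}, lines = 15 synthemes.
SIX = range(6)
DUADS = [frozenset(d) for d in combinations(SIX, 2)]


def synthemes():
    """The 15 lines: partitions of {0..5} into three disjoint duads."""
    lines = set()
    for a in DUADS:
        rest = [x for x in SIX if x not in a]
        for b in combinations(rest, 2):
            c = frozenset(x for x in rest if x not in b)
            lines.add(frozenset((a, frozenset(b), c)))
    return sorted(lines, key=lambda l: sorted(sorted(d) for d in l))


def find_spread(points, lines):
    """A spread: st+1 pairwise disjoint lines covering every point (backtracking)."""
    def extend(chosen, covered):
        if len(covered) == len(points):
            return chosen
        x = next(p for p in points if p not in covered)
        for line in lines:
            if x in line and not (line & covered):
                found = extend(chosen + [line], covered | line)
                if found:
                    return found
        return None
    return extend([], frozenset())


def spread_code(points, lines, spread):
    """Theorem 6.2: one rule per point x on L_i.  e_x(L_0) = x and, for k >= 1,
    e_x(L_k) = the unique point of L_{i+k} (index mod st+1) collinear with x."""
    coll = {p: {q for l in lines if p in l for q in l} for p in points}
    n, rules = len(spread), []
    for i, line in enumerate(spread):
        for x in line:
            rule = [x]
            for k in range(1, n):
                (y,) = [q for q in spread[(i + k) % n] if q in coll[x]]  # GQ axiom
                rule.append(y)
            rules.append(tuple(rule))
    return rules


# Steiner system 2-(7,3,1): the Fano plane (constructed block list).
FANO = [frozenset(b) for b in
        [(0, 1, 2), (0, 3, 4), (0, 5, 6), (1, 3, 5), (1, 4, 6), (2, 3, 6), (2, 4, 5)]]


def steiner_code(blocks):
    """Theorem 6.3: k! rules per block, one per ordering of its k points."""
    return [perm for block in blocks for perm in permutations(sorted(block))]


def spoofing_probability(rules, i):
    """P_{d_i} for uniform sources and rules (Theorem 7.2): the maximum over i
    observed messages M' and a fresh message m of |E(M' u {m})| / |E(M')|."""
    messages = {m for e in rules for m in e}
    best = Fraction(0)
    for observed in combinations(messages, i):
        containing = [e for e in rules if set(observed) <= set(e)]
        for m in messages - set(observed):
            if containing:
                best = max(best, Fraction(sum(m in e for e in containing), len(containing)))
    return best


def has_perfect_secrecy(rules, t):
    """Perfect t-fold secrecy: given any t observed messages, the set of source
    states they encode is uniform over all t-subsets of source states."""
    k = len(rules[0])
    messages = {m for e in rules for m in e}
    wanted = factorial(k) // (factorial(t) * factorial(k - t))
    for observed in combinations(messages, t):
        counts = {}
        for e in rules:
            if set(observed) <= set(e):
                key = frozenset(i for i, m in enumerate(e) if m in observed)
                counts[key] = counts.get(key, 0) + 1
        if counts and (len(counts) != wanted or len(set(counts.values())) != 1):
            return False
    return True


if __name__ == "__main__":
    lines = synthemes()
    gq = spread_code(DUADS, lines, find_spread(DUADS, lines))
    print(len(gq), spoofing_probability(gq, 0), has_perfect_secrecy(gq, 1))
    st = steiner_code(FANO)
    print(len(st), spoofing_probability(st, 0), spoofing_probability(st, 1),
          has_perfect_secrecy(st, 2))
```

For $W(2)$ the spread code has $b = v = 15$ rules, $P_{d_0} = 1/3 = k/v$ and perfect 1-fold secrecy, as Theorem 6.2 predicts; for the Fano plane the Steiner code has $b = 7!\,1!/5! = 42$ rules, $P_{d_0} = 3/7$, $P_{d_1} = 1/3 = (k-1)/(v-1)$ and perfect 2-fold secrecy, as Theorem 6.3 predicts.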

Using known families of $t$-$(v,k,\lambda)$ designs we can define many authentication codes for uniform source distributions.

Consider the symmetric Hadamard $2$-$(n-1,\ \tfrac{n}{2}-1,\ \tfrac{n}{4}-1)$ design and the Hadamard $3$-$(n,\ \tfrac{n}{2},\ \tfrac{n}{4}-1)$ design, derived from a Hadamard matrix of order $n$. We remark that there exist Hadamard matrices for each power $2^k$, $k \ge 2$ (see [8], [3], [1]). Hence we can derive 1-fold secure $AC(2^{k-1}-1,\ 2^k-1,\ 2^k-1)$ and 2-fold secure $AC(2^{k-1},\ 2^k,\ 2(2^k-1))$ authentication systems.
A Hadamard matrix of order $4k^2$, $k > 1$, defines a symmetric $2$-$(4k^2,\ 2k^2-k,\ k^2-k)$ design and hence a 1-fold secure $AC(2k^2-k,\ 4k^2,\ 4k^2)$.
Note that it is a conjecture that Hadamard matrices exist for all $n \equiv 0 \pmod 4$, $n > 0$ (the smallest unsettled case at the time of writing was $n = 188$; that case has since been settled, and the smallest open order today is $n = 668$).
We also want to mention the following nice property of Hadamard matrices. If there exist Hadamard matrices of order $m$, resp. $n$, then there exists a Hadamard matrix of order $m \cdot n$. This enables us to define new authentication systems derived from those systems which are associated with Hadamard designs.

Acknowledgement

We would like to thank D. Stinson and J. J. Quisquater for the interesting suggestions and valuable discussions on the subject. We are also mostly indebted to the Philips Research Laboratory Brussels for the facilities they offered during the preparation of this paper.

References

[1] T. Beth, D. Jungnickel, H. Lenz, Design Theory, Wissenschaftsverlag Bibliographisches Institut Mannheim, 1985.

[2] A. Beutelspacher, Perfect and essentially perfect authentication schemes, Extended abstract, Eurocrypt 1987, Amsterdam.

[3] P. J. Cameron, J. H. van Lint, Graph Theory, Coding Theory and Block Designs, Lond. Math. Soc. Lect. Notes 19, Camb. Univ. Press, 1975.

[4] E. F. Brickell, A few results in message authentication, Proc. of the 15th Southeastern Conf. on Combinatorics, Graph Theory and Computing, Baton Rouge LA (1984), 141-154.

[5] M. De Soete, J. A. Thas, A coordinatization of the generalized quadrangles of order (s, s+2), to appear in J. C. T. (A).

[6] E. N. Gilbert, F. J. MacWilliams, N. J. A. Sloane, Codes which detect deception, Bell Sys. Techn. J., Vol. 53-3 (1974), 405-424.

[7] H. Hanani, A Class of Three-Designs, J. C. T. (A) 26 (1979), 1-19.

[8] D. R. Hughes, F. C. Piper, Design Theory, Cambridge University Press, 1985.

[9] J. L. Massey, Cryptography - A Selective Survey, Proc. of 1985 Int. Tirrenia Workshop on Digital Communications, Tirrenia, Italy, 1985, Digital Communications, ed. E. Biglieri and G. Prati, Elsevier Science Publ., 1986, 3-25.

[10] S. E. Payne, J. A. Thas, Finite Generalized Quadrangles, Research Notes in Math. #110, Pitman Publ. Inc. 1984.

[11] P. Schöbi, Perfect authentication systems for data sources with arbitrary statistics, Eurocrypt 1986, Preprint.

[12] C. E. Shannon, Communication Theory of Secrecy Systems, Bell System Technical Journal, Vol. 28 (1949), 656-715.

[13] G. J. Simmons, Message Authentication: A Game on Hypergraphs, Proc. of the 15th Southeastern Conf. on Combinatorics, Graph Theory and Computing, Baton Rouge LA, Mar 5-8 1984, Congr. Num. 45 (1984), 161-192.

[14] G. J. Simmons, Authentication theory / Coding theory, Proc. of Crypto '84, Santa Barbara, CA, Aug 19-22, 1984, Advances in Cryptology, ed. R. Blakley, Lect. Notes Comp. Science 196, Springer 1985, 411-432.

[15] G. J. Simmons, A natural taxonomy for digital information authentication schemes, Proc. of Crypto '87, Santa Barbara, CA, Aug 16-20, 1987, to appear in Advances in Cryptology, ed. C. Pomerance, Springer-Verlag, Berlin.

[16] D. R. Stinson, Some constructions and bounds for authentication codes, Crypto '86, Santa Barbara, CA, Aug 12-15, 1986, Advances in Cryptology, ed. A. M. Odlyzko, Springer-Verlag, Berlin, 1987, 418-425.

[17] D. R. Stinson, A construction for authentication / secrecy codes from certain combinatorial designs, Crypto '87, Santa Barbara, CA, Aug 16-20, 1987, to appear in Journal of Cryptology.

[18] D. R. Stinson, Some constructions and bounds for authentication codes, J. Cryptology, Vol. 1 nr 1 (1988), 37-51.
EFFICIENT ZERO-KNOWLEDGE IDENTIFICATION SCHEME FOR SMART CARDS

Thomas Beth
Universität Karlsruhe
Fakultät für Informatik
Institut für Algorithmen und Kognitive Systeme
Haid-und-Neu-Str. 7
Technologie-Fabrik
D-7500 Karlsruhe

ABSTRACT:
In this paper we present a Fiat-Shamir like authentication protocol for the El-Gamal Scheme.

1. Introduction

The invention of the El-Gamal Scheme [1] has provided another Public-Key-Cryptosystem besides the renowned RSA-System, for which in addition to the Key-Exchange feature both Public-Key-Encryption and Signature Schemes are available. The availability of fast exponentiation hardware for the fields $GF(2^n)$, cf. [2], [3], makes this algorithm very attractive for implementation in high-speed communications. The recent invention of the Fiat-Shamir Authentication Protocol [4] has again attracted wide attention to the RSA-Scheme.

The purpose of this note is to show that a similar type of authentication protocol is available for the El-Gamal-Scheme based on the Diffie-Hellman One-Way-Function, with complexity and/or error-probability considerably reduced as compared to the Fiat-Shamir-Scheme.

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 77-84, 1988.
© Springer-Verlag Berlin Heidelberg 1988

2. The Basic Protocol

Suppose Alice (A) wants to authenticate herself to Bob (B). For this purpose A has visited a trusted authority, which for obvious reasons we shall call the Secure Key Issuing Authority (SKIA).

Initiation Phase

The SKIA possesses secret logarithms $x_1, \ldots, x_m$, whose exponentiated values $y_j = a^{x_j}$ are public. Here $a$ is a primitive element of $GF(q)$ known publicly. The SKIA also publishes the one-way hashing function $f$.

Setting-up Phase

A goes to the SKIA, identifying herself by <name>.

    A  --(name)-->  SKIA

Then the SKIA produces $m$ identification numbers $ID_1, \ldots, ID_m$ for A by using the public (random) one-way function $f$:
$$ID_j \leftarrow f(\mathrm{name}, j).$$
The SKIA chooses a (secret) random logarithm $k = k_A$ and forms
$$r \leftarrow a^k.$$
The SKIA also determines $m$ signatures $s_j$ as solutions of
$$(\mathrm{ID}) \qquad x_j r + k s_j \equiv ID_j \pmod{q-1} \quad \text{for } j \in [1:m].$$
Eventually the SKIA issues a card (with secure memory)*) to A.

    A  <--(card)--  SKIA

*) see sect. 5

Authentication Phase (Protocol Auth)

A now approaches B identifying herself by her name and the parameter $r$.

    A  --(name, r)-->  B

B computes A's identification numbers and the values $p_1, \ldots, p_m$:
for $j \in [1:m]$: $ID_j \leftarrow f(\mathrm{name}, j)$ and $p_j \leftarrow y_j^{\,r}$.
The following procedure is iterated for $i = 1$ to $h$:

Do
  A chooses a random element $t_i \in \mathbb{Z}_{q-1}$, forms $z_i \leftarrow r^{t_i}$ and sends it to B.

    A  --(z_i)-->  B

  B chooses a random string $b_i = (b_{ij}) \in R^m$ and sends it to A, where $R \subseteq \mathbb{Z}_{q-1}$ is a suitably chosen subset.

    A  <--(b_i)--  B

  A computes $u_i \leftarrow t_i + \sum_j b_{ij} s_j \bmod (q-1)$ and sends it to B.

    A  --(u_i)-->  B

  B computes $v_i \leftarrow \sum_j b_{ij} ID_j$.

B accepts the authenticity of A if for all $i \in [1:h]$ $\gamma_i = 0$. In this case we say that Protocol Auth ends successfully.

3. Analysis of the Protocol

3.1. Observation (Verification)

If A and B are genuine, the Protocol Auth ends successfully.

Proof: For all $i \in [1:h]$

can be computed by B based on B's knowledge.

From the definition we have

B can also compute $r^{u_i}$ from $u_i$. Having received $z_i$, by definition

3.2. Observation (Correctness)

Assume that A cannot compute El-Gamal signatures in polynomial time. If A is false, i.e. does not possess the signatures $s_j$, then the protocol Auth ends successfully with a false-right probability

Proof: As long as $|R|$ is small enough as compared to $q^m$ (see remarks), A would have to guess the challenge vectors $b_i$ in advance, analogously to the method described in the proof of lemma 2 by Fiat and Shamir [4].

3.3. Remark

The cheating method discussed in the proof of lemma 3.2 is only interesting if the size of the choice space $R^m$ for the $b_i$ is small compared to the complexity of forging El-Gamal signatures, which itself is at most as hard as taking discrete logs, cf. sect. 4.
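The setting-up and authentication phases of Section 2, together with the challenge-guessing cheater of Observation 3.2, as an added worked example that is not part of Beth's paper. Assumptions, all ours: the example works in the prime field $GF(Q)$ with $Q = 2^{31}-1$ and primitive element $a = 7$ instead of $GF(2^n)$ (the exponent arithmetic mod $q-1$ is the same); SHA-256 stands in for the public one-way function $f$; the equation B checks is derived here from (ID), namely $r^{s_j} = a^{k s_j} = a^{ID_j - x_j r} = a^{ID_j}/p_j$, since B's test did not survive extraction; the challenge set $R$ is $\{0, \ldots, 7\}$; all function names are hypothetical.

```python
"""Beth's protocol (Sections 2 and 3.2) over a toy prime field.  Added example,
not the paper's code.  Assumptions: GF(Q) with Q = 2^31 - 1 and primitive
element A = 7 instead of GF(2^n); SHA-256 as the public one-way function f;
the verification equation is derived from (ID): r^{s_j} = A^{ID_j} / p_j."""
import hashlib
import random
from math import gcd

Q = 2**31 - 1   # prime field order; exponents live in Z_{Q-1}
A = 7           # primitive element of GF(Q)


def f_hash(name, j):
    """Public one-way function f(name, j) -> ID_j in Z_{Q-1} (SHA-256, our choice)."""
    digest = hashlib.sha256(f"{name}:{j}".encode()).digest()
    return int.from_bytes(digest, "big") % (Q - 1)


def skia_setup(m, rng):
    """Initiation phase: secret logarithms x_j, public y_j = A^{x_j}."""
    x = [rng.randrange(1, Q - 1) for _ in range(m)]
    return x, [pow(A, xj, Q) for xj in x]


def skia_issue(x, name, rng):
    """Setting-up phase: r = A^k and signatures s_j with
    x_j*r + k*s_j = ID_j (mod Q-1); k is chosen invertible mod Q-1."""
    while True:
        k = rng.randrange(1, Q - 1)
        if gcd(k, Q - 1) == 1:
            break
    r = pow(A, k, Q)
    k_inv = pow(k, -1, Q - 1)
    s = [((f_hash(name, j + 1) - xj * r) * k_inv) % (Q - 1) for j, xj in enumerate(x)]
    return r, s


def prover_commit(r, rng):
    """A picks t_i in Z_{Q-1} and sends z_i = r^{t_i}."""
    t = rng.randrange(Q - 1)
    return t, pow(r, t, Q)


def prover_respond(t, s, b):
    """A answers the challenge b = (b_j) with u_i = t_i + sum_j b_j s_j mod (Q-1)."""
    return (t + sum(bj * sj for bj, sj in zip(b, s))) % (Q - 1)


def verifier_check(y, name, r, z, b, u):
    """B accepts iff r^u == z * A^v / prod_j p_j^{b_j}, with p_j = y_j^r and
    v = sum_j b_j ID_j; this follows from (ID) because r^{s_j} = A^{ID_j} / p_j."""
    ids = [f_hash(name, j + 1) for j in range(len(y))]
    v = sum(bj * idj for bj, idj in zip(b, ids)) % (Q - 1)
    denom = 1
    for yj, bj in zip(y, b):
        denom = denom * pow(pow(yj, r, Q), bj, Q) % Q
    rhs = z * pow(A, v, Q) * pow(denom, -1, Q) % Q
    return pow(r, u, Q) == rhs


def forged_commit(y, name, r, b_guess, u):
    """Cheater without the s_j (Observation 3.2): fix u first, guess the
    challenge, and solve the verification equation for z.  The round is
    accepted only if the guess was right, i.e. with probability 1/|R|^m."""
    v = sum(bj * f_hash(name, j + 1) for j, bj in enumerate(b_guess)) % (Q - 1)
    z = pow(r, u, Q)
    for yj, bj in zip(y, b_guess):
        z = z * pow(pow(yj, r, Q), bj, Q) % Q
    return z * pow(pow(A, v, Q), -1, Q) % Q


def run(name="alice", m=2, h=3, challenge_space=8, seed=1):
    """h honest rounds, then one forged round with a right and with a wrong guess."""
    rng = random.Random(seed)
    x, y = skia_setup(m, rng)
    r, s = skia_issue(x, name, rng)
    honest = True
    for _ in range(h):
        t, z = prover_commit(r, rng)
        b = [rng.randrange(challenge_space) for _ in range(m)]   # b_i in R^m
        honest = honest and verifier_check(y, name, r, z, b, prover_respond(t, s, b))
    u = rng.randrange(Q - 1)
    guess = [3] * m
    actual = [4] + [3] * (m - 1)                # differs from the guess in b_1 only
    z = forged_commit(y, name, r, guess, u)
    lucky = verifier_check(y, name, r, z, guess, u)
    unlucky = verifier_check(y, name, r, z, actual, u)
    return honest, lucky, unlucky


if __name__ == "__main__":
    print(run())
```

With a wrong guess the forged commitment fails because the verifier's right-hand side then differs from $r^{u}$ by the factor $r^{\sum_j s_j (b_j - b'_j)}$, which is 1 only when the exponent vanishes mod $q-1$; this is exactly why the size of $R^m$ governs the false-right probability in 3.2 and the simulator's guessing chance in 3.4.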

3.4. Lemma (Security)

For arbitrary $q$ and $h$, with fixed $m$ and $|R| \in O((\log q)^w)$ for given $w \in \mathbb{N}$ the Protocol Auth is a Zero-Knowledge Protocol.

Proof: Following the papers by Berger/Kannan/Peralta [9] and Chaum, Evertse, van de Graaf [5] it can be seen that the size of the choice space $R^m$ is the decisive parameter for the construction of a poly-time simulator $S$ for a cheating B: to guarantee a probability for $S$ to "guess" the challenge $b_i$ correctly in poly-time, we have to provide $|R|^m$ such that
$$\mathrm{prob}(\text{"bad luck"}) = \Bigl(1 - \frac{1}{|R|^m}\Bigr)^{\mathrm{poly}(\log q)} < c^{-\log q}$$
for some constant $c > 1$.

4. Practical Security Considerations

The system (ID) gives $m$ linear equations for $(m+1)$ unknowns (w.r.t. the assumption that the discrete log problem is unfeasible). As consequences we note:

(i) Not even A can forge new signatures.
(ii) The requirement of storing the signatures $s_j$ in the secure memory of the card is only needed as protection against copying the card.
(iii) This requirement could be dropped if the one-way-hash function $f$ (when stored on the card) could be employed by the card as a means of testing the user's identity before the card is authenticated. For this test several user features can be challenged, in each case requiring an interface between user and card, however!
(iv) To bring the security of the signatures closer to the level of the discrete log-problem it may be feasible to make the computation of the $ID_j$ additionally dependent on the public random number $r$.

5. Implementation Aspects

In view of the demand for low cost designs of security processors for chip cards we suggest considering the following case for practical implementation:
$$q = 2^n,$$
where $n$ should be suitably chosen, roughly in the interval $[2^9 : 2^{11}]$ depending on the required security. For these cases fast VLSI exponentiators have been suggested (Beth/Cook/Gollmann [3], Vanstone/Mullin [2], Massey/Omura/Wang [7]).

For $q = 2^n$ the Discrete Log Problem can be solved in

steps [6]. Therefore a suitable amount of security can be guaranteed. (This assessment rests on Coppersmith's algorithm [6] and is dated: the quasi-polynomial discrete-logarithm algorithms for small-characteristic fields found by Joux and by Barbulescu, Gaudry, Joux and Thomé in 2013/2014 have since made $GF(2^n)$ with $n$ in this range unsuitable for discrete-log based schemes.)

5.1. Tuning the Protocol

Using the fact that squaring is a field automorphism in $GF(2^n)$ we suggest to use the following refinements of the protocol in order to save on computational effort and required storage area as well as on the length $h$ of the protocol:

*) Choose the random string only from binary words of weight at most $w$, i.e. choose $b_{ij}$ equally distributed in
$$R = \{\, b \in \mathbb{Z}_{q-1} \mid \mathrm{wgt}(\mathrm{binary}(b)) \le w \,\}.$$

5.1.1. Corollary

With these additional restrictions, if A is false the protocol ends successfully with probability
$$p < 2^{-l \cdot m \cdot h}$$
where

**) Choosing the further simplification $m = 1$, the number of computational steps, especially in computing

is reduced considerably.

***) Combining (**) and (*) for $w = 1$ the exponent of $p_j$ being a power of two requires a fast squaring operation only.

5.1.2. Technical Observation

With $m = 1$ and $h = 3$ and $\log q > 2^9$ the Protocol Auth allows an authentication procedure at a residual false-right error probability smaller than

$10^{-8}$ for $w = 1$,
$10^{-15}$ for $w = 2$,
$10^{-22}$ for $w = 3$.

5.2. Conclusion

With one signature ($m = 1$) and a small number of iterations ($h \ge 3$) this protocol provides a security level appropriate to many smart card applications. In comparison to Fiat-Shamir's protocol [4] the memory consumption on the smart card is considerably reduced for the proposed protocol, as the signature $s_j$ and the number $r$ only require approximately 64 Bytes each, and the representations of $GF(2^n)$-arithmetics can be compressed to considerably less bits. If the application requires only to authenticate the card through a trusted terminal, the public keys $y_j$ need not be stored on the card. Otherwise, the same protocol of course would be used by A to challenge B.

Note that an additional advantage to this protocol is provided by the fact that based on purpose-made algorithms the $GF(2^n)$-arithmetics can be carried out at a higher speed than the modular arithmetic required for the Fiat-Shamir-Scheme.

In summary, the present scheme provides a user-friendly zero-knowledge authentication and signature protocol that offers itself as a small, fast and low cost verification tool for the use in token technology as it is presented by smart cards, intelligent tokens and other identification mechanisms.

Acknowledgement
The author is grateful to Dr. Ivan Damgård for his helpful critical remarks.

6. References

[1] El-Gamal: A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. IEEE-IT-31, 469-472, 1985

[2] Vanstone, Mullin: Communication 1986, Cryptech, Waterloo, Ontario, Canada

[3] Beth, Cook, Gollmann: Architectures for Exponentiation in GF(2^n), Proceedings of Crypto 86, Santa Barbara, Springer LNCS 263, 302-310, 1987

[4] Fiat, Shamir: How to prove yourself: Practical solutions to identification and signature problems, Proceedings of Crypto 86, Santa Barbara, Springer LNCS 263, 186-194, 1987

[5] Chaum, Evertse, van de Graaf: An Improved Protocol for Demonstrating Possession of Discrete Logarithms and some Generalizations, Proceedings EUROCRYPT '87, Springer LNCS 304, 127-141, 1988

[6] Coppersmith: Fast Evaluation of Logarithms in Fields of Characteristic Two, IEEE-IT-30, 587-594, 1984

[7] Wang: Exponentiation in Finite Fields, Ph.D. dissertation, University of California, Los Angeles, 1985

[8] Goldwasser, S.; Micali, S.; Rackoff, C.: The Knowledge Complexity of Interactive Proof Systems, Proc. 17th ACM Symp. on Theory of Computing, 1985

[9] Berger, Kannan, Peralta: A Framework for the Study of Cryptographic Protocols, Proc. CRYPTO '85, Springer LNCS 218, 87-103
A Smart Card Implementation of the Fiat-Shamir Identification Scheme

Hans-Joachim Knobloch

Institut für Algorithmen und Kognitive Systeme
Universität Karlsruhe (TH)
D-7500 Karlsruhe, FR Germany

Abstract

This paper describes results and experiences gained from the test implementation of an interactive identification scheme. It was intended to explore the feasibility of an asymmetric crypto protocol for a state-of-the-art smart card environment. For that reason the identification scheme proposed by Fiat and Shamir was implemented between an actual smart card microprocessor and an industry standard personal computer with a smart card interface. The limits of a current smart card processor in terms of volatile and nonvolatile memory capacity and instruction set turned out to be a rather strict limitation for the choice of the algorithm used. The most time consuming task during the protocol is modular multiplication. Due to the processor structure it is performed as separate multiplication and reduction, where reduction is led back to integer multiplication. The current implementation allows the authentication of a 120 byte identification string at a security level of $2^{-20}$ within an average time of about 6 seconds. The experiences gained during this implementation led to a set of requirements for a future specialised processor for asymmetric cryptographic protocols that will be needed to increase this performance by some orders of magnitude.

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 87-95, 1988.
© Springer-Verlag Berlin Heidelberg 1988

I. Introduction

During the last years, with the forthcoming of the commercial use of smart cards, some cryptographic protocols based on asymmetric ciphers have been proposed to use smart cards for identification, signatures, as electronic wallet etc. One may note that nearly all commercially available smart card systems use, if at all, only symmetric block ciphers, as asymmetric protocols are considered too complex for current smart card processors.
The Fiat-Shamir identification scheme is one of the simplest of the above mentioned asymmetric protocols as it does not need large amounts of stored data nor extensive communication or many protocol steps and it is therefore one of the most suitable for a test implementation on a smart card system.

II. The Processor

The smart card used in our project has an 8-bit microprocessor with 256 byte RAM and 2K byte E²PROM (Electrically Erasable Programmable ROM) on chip for nonvolatile storage of data and program. Therefore the processor could be reprogrammed by the personal computer which was also its partner for the protocol. Thus several algorithms could be tested without having to wait for the production of a new ROM mask.
The ISO draft standard on identification cards [3] requires that all communication is done serially using only one contact pin for both input and output. Since the processor doesn't have a serial I/O unit the communication had to be implemented in software and thus needed code space and computing time. The mentioned draft standard includes a parity-generation, parity-checking and error-retry protocol for the bidirectional I/O line. In order to save space for the protocol code and data, only a simple 9600 baud serial communication without parity generation was implemented.
The chip card processor's instruction set is similar to that of any conventional 8-bit microprocessor. Relevant details are an 8-times-8-to-16-bit multiplication instruction, requiring about 5 times the execution time of an 8-bit addition, whereas the instruction to program one byte into the E²PROM requires about 3300 times the execution time of an 8-bit addition. To gain better performance the latter fact implies that intermediate results have to be stored in RAM, but not in E²PROM.

III. The Scheme

For a detailed discussion of the Fiat-Shamir identification scheme the reader is referred to the original publication [1]; we will give a short review of this technique with emphasis on the particularities of the implementation.
The center issuing the cards chooses a public modulus $n$ as the product of two secret primes $p$ and $q$. For reasons explained below the implementation requires
$$2^{512} > n \ge 2^{512} - 2^{256}.$$

Now let
$I$ be a 960 bit (120 byte) ID-string of a user applying for a card,
$j \in [0, 2^{16})$ and
$e_i$ the $i$-th 48 bit unit vector.
The center forms for $i = 1, 2, \ldots, 48$
$$t_i = 2^{976} e_i + 2^{16} I + j,$$
$$u_i = \lfloor t_i / 2^{512} \rfloor \oplus (t_i \bmod 2^{512})$$
(where $\oplus$ means bitwise addition modulo 2),
$$v_i = \lfloor u_i / 2^{256} \rfloor \oplus (u_i \bmod 2^{256}) \quad \text{and}$$
$$w_i = f(v_i)$$
(where $f(k)$ means enciphering a fixed 512 bit plaintext with a block cipher with key $k$).
The term $j$ is used to ensure that $w_i$ is a quadratic residue mod $n$ for at least 20 distinct values of $i$. For simplicity of notation from now on it will be assumed that these values of $i$ are $1, \ldots, 20$.
For $i = 1, \ldots, 20$ the center computes a square root $s_i$ of $w_i \pmod n$ using the knowledge of $p$ and $q$ and applying the Chinese remainder theorem.
The card is personalized by storing
$s_i$ for $i = 1, \ldots, 20$ and
$$P = 2^{976} \Bigl(\sum_{i=1}^{20} e_i\Bigr) + 2^{16} I + j.$$

An identification device knows $n$ and how to compute the $w_i$'s from $P$.

The identification protocol between a smart card S and an identification device PC is:
1. S sends $P$ to PC.
2. PC computes the $w_i$'s.
3. S picks a pseudo random number $r' \in [0, 2^{256})$, sets $r = 2^{256} r'$ and sends $x = r^2 \bmod n$ to PC.
4. PC sends to S a (pseudo) random binary vector $c = (c_1, \ldots, c_{20})$.
5. S sends to PC:
$$y = r \prod_{c_i = 1} s_i \bmod n.$$
6. PC accepts $P$ if and only if:
$$y^2 \equiv x \prod_{c_i = 1} w_i \pmod n.$$

If a forger guesses the vector $c$, he may send a value
$$r^2 \Bigl(\prod_{c_i = 1} w_i\Bigr)^{-1} \bmod n$$
instead of $x$ in step 3 and $r$ instead of the product in step 5. The probability that PC accepts $P$ if S doesn't know the $s_i$'s is $2^{-20}$ (assuming equidistribution probability for $c$), if S performs only polynomial time computations and cannot compute in polynomial time a square root mod $n$ of any product of some $w_i$'s or their reciprocals. The proof for this statement is almost identical to the proof in Fiat's and Shamir's publication.
Remarks:
1. Since its inversion includes a known plaintext attack on the involved block cipher, the function used to compute the $w_i$'s from the ID-string $I$ should be strong enough to prevent a potential attacker from computing an ID-string out of known square roots modulo $n$.
2. Fiat's and Shamir's original protocol requires to use the multiplicative inverse of the $s_i$'s on the smart card side. The check on step 6 of the protocol would then be, if
$$x \equiv y^2 \prod_{c_i = 1} w_i \pmod n.$$
Using the $s_i$'s rather than $s_i^{-1}$ makes it possible that PC performs only one modular multiplication at step 6 of the protocol instead of two. The other multiplication can be done while the smart card still computes $y$. As the smart card will usually be the slower partner in the protocol, this fact slightly speeds up the overall execution time. However, if the inverse $s_i$'s have to be used on the card side for some other reasons, only changes of the PC's program, not of the smart card's, would be required.
3. The original protocol also requires a full 512 bit pseudo random number $r$. But since $r$ must be stored somewhere in the card while it's squared modulo $n$, and since it cannot be stored in E²PROM for the above mentioned reasons, the available amount of RAM only allows to use a 256 bit pseudo random value. (Note that such an $r$, a multiple of $2^{256}$ with only 256 bits of entropy, departs from the uniform $r \in [0, n)$ assumed in Fiat and Shamir's zero-knowledge argument; the paper does not analyse the effect of this restriction.)
4. Fiat and Shamir allow $r$ to be taken from the range $[0, n)$. Obviously, if $r$ might be 0, all one would have to do for a forged identification were always to send $x = 0$ in step 3 of the protocol. The implemented pseudo random generator also may produce $r = 0$ with a very small probability, but the PC program prevents a successful identification with $x = 0$.
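The protocol of this section with Knobloch's choices (the roots $s_i$ rather than their inverses on the card, $x = 0$ refused by the PC) together with the challenge-guessing forger, as an added worked example that is not the paper's code. Assumptions, all ours: a toy modulus $n = (2^{61}-1)(2^{89}-1)$ whose primes are $\equiv 3 \pmod 4$, so that a square root costs one exponentiation per prime (the paper's $n$ is 512 bits and lies in $[2^{512}-2^{256}, 2^{512})$); SHA-256 of (ID-string, $j$, $i$) replaces the block-cipher derivation of $w_i$; $r'$ has 75 bits and $r = 2^{75} r'$ mirrors the paper's $r = 2^{256} r'$; the centre searches $j$ until 20 of the 48 candidates are quadratic residues; all names are hypothetical.

```python
"""Knobloch's variant of the Fiat-Shamir identification protocol (Section III).
Added example, not the paper's code.  Toy parameters, all assumptions: the
modulus uses the Mersenne primes 2^61-1 and 2^89-1 (both = 3 mod 4, so a square
root is one exponentiation per prime) instead of 256-bit primes; w_i comes from
SHA-256 of (ID-string, j, i) instead of the block-cipher construction; r' has
RBITS bits and r = 2^RBITS * r', mirroring the paper's r = 2^256 * r'."""
import hashlib
import random

P, Q = 2**61 - 1, 2**89 - 1          # secret primes of the centre
N = P * Q                            # public modulus n
NUM_CANDIDATES, NUM_ROOTS = 48, 20   # 48 candidate w_i, 20 roots s_i on the card
RBITS = 75                           # paper: 256


def w_candidate(ident, j, i):
    """w_i as a one-way function of the ID-string, the adjustment j and i."""
    digest = hashlib.sha256(b"%s|%d|%d" % (ident, j, i)).digest()
    return int.from_bytes(digest, "big") % N


def is_quadratic_residue(w):
    return pow(w, (P - 1) // 2, P) == 1 and pow(w, (Q - 1) // 2, Q) == 1


def sqrt_mod_n(w):
    """Square root of a QR w mod n, combined from roots mod P and Q by CRT."""
    rp, rq = pow(w, (P + 1) // 4, P), pow(w, (Q + 1) // 4, Q)
    root = (rp * Q * pow(Q, -1, P) + rq * P * pow(P, -1, Q)) % N
    assert root * root % N == w
    return root


def personalize(ident):
    """Centre: choose j so that at least NUM_ROOTS of the 48 candidates are
    quadratic residues; the card gets the roots s_i, the public data P is
    (ident, j, indices) from which anyone can recompute the w_i."""
    for j in range(2**16):
        idx = [i for i in range(1, NUM_CANDIDATES + 1)
               if is_quadratic_residue(w_candidate(ident, j, i))]
        if len(idx) >= NUM_ROOTS:
            idx = idx[:NUM_ROOTS]
            return [sqrt_mod_n(w_candidate(ident, j, i)) for i in idx], (ident, j, idx)
    raise ValueError("no suitable j found")


def public_w(pdata):
    """Step 2: the PC recomputes the w_i from P."""
    ident, j, idx = pdata
    return [w_candidate(ident, j, i) for i in idx]


def card_commit(rng):
    """Step 3: r' in [1, 2^RBITS), r = 2^RBITS * r', x = r^2 mod n."""
    r = (1 << RBITS) * rng.randrange(1, 1 << RBITS)
    return r, r * r % N


def card_respond(r, card, c):
    """Step 5: y = r * prod_{c_i = 1} s_i mod n (the s_i, not their inverses)."""
    y = r % N
    for si, ci in zip(card, c):
        if ci:
            y = y * si % N
    return y


def pc_accept(w, x, c, y):
    """Step 6: y^2 == x * prod_{c_i = 1} w_i mod n; x = 0 is refused (remark 4)."""
    if x % N == 0:
        return False
    rhs = x
    for wi, ci in zip(w, c):
        if ci:
            rhs = rhs * wi % N
    return y * y % N == rhs % N


def forged_commit(w, r, c_guess):
    """Forger who guesses c: send x = r^2 * (prod_{c_i=1} w_i)^-1 in step 3 and
    y = r in step 5.  Accepted iff the guess matched, probability 2^-20."""
    prod = 1
    for wi, ci in zip(w, c_guess):
        if ci:
            prod = prod * wi % N
    return r * r % N * pow(prod, -1, N) % N


def demo(seed=7):
    """One honest run and two forgery attempts (right and wrong guess of c)."""
    rng = random.Random(seed)
    card, pdata = personalize(b"alice")
    w = public_w(pdata)
    r, x = card_commit(rng)
    c = [rng.randrange(2) for _ in range(NUM_ROOTS)]
    honest = pc_accept(w, x, c, card_respond(r, card, c))
    lucky = pc_accept(w, forged_commit(w, r, c), c, r % N)
    c_wrong = c[:]
    c_wrong[0] ^= 1
    unlucky = pc_accept(w, forged_commit(w, r, c_wrong), c, r % N)
    return honest, lucky, unlucky


if __name__ == "__main__":
    print(demo())
```

The forgery with a wrong guess fails because the two sides of the check then differ by a factor $w_i^{\pm 1}$ for each index where the guess was wrong, so the cheater's only lever is to guess all 20 bits of $c$ in advance.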

IV. The Algorithms

In addition to the virtually 'trivial' tasks like communication or managing the protocol itself there are two subroutines in the protocol runtime programs that have to be carefully considered, namely the pseudo random number generator and the modular multiplication.

The pseudo random number generator consists of 12 cascaded cyclic shift registers implemented in software. Gollmann [2] proved that the linear complexity of the sequence generated by cascaded cyclic shift registers grows exponentially with their number. The initial state of some of these registers is derived from the uninitialized RAM immediately after power-on or from the value of a free running on chip timer. The statistical properties and the possibility of physical manipulation of these physical or pseudo-physical random processes are not yet further examined. However, the remaining pseudo random generator should be strong enough to prevent tampering even if they could be made deterministic. (This generator is security critical: whoever can predict or force a repetition of $r$ obtains from $y = r \prod_{c_i=1} s_i$ the product of the secret roots selected by $c$, and for a challenge with a single 1 the root $s_i$ itself.)

The modular multiplication is done as a full integer multiplication with successive reduction. Owing to the shortage of RAM space, recursive multiplication algorithms like Toom-Karatsuba seem not to be feasible. Thus a bytewise multiplication and addition using the processor's built-in multiplication instruction is performed. As the architecture of the smart card processor enforces the use of this algorithm, the optimization of this arithmetic was a main goal. As a result some self-modifying code was developed, that must be executed in RAM. However this code does not require as much space as the data of a recursive algorithm would.
In a first version of the implementation the reduction was done bitwise. This solution had two major disadvantages. Firstly, considering time, the bitwise reduction dominated over the bytewise multiplication. Secondly, as the lack of RAM prevented the modulus being shifted bitwise during the reduction, it had to be stored eight times, each time shifted by one bit, and so occupied space that could better be used for more signature values $s_i$. Although the protocol may be repeated several times to increase its security, every repetition has a considerable communication and computation overhead. Thus it is desirable to store as many signature values as possible to gain an acceptable security with only one protocol pass.
The final implementation uses a method to lead back reduction to multiplication published by Mohan and
Adiga [q.Let Qo be the value to be reduced modulo n, with
Qk = 2512zk iRk for k = 0, 1, ... and
Z k . R k E [o,2512).

Obviously for

&+I = Qk - 2512z k iZ512 zk - n zk


= Qk - Z5l2Zk + (Z512- n) Zk
= Rk + (2512 - zk
we have

Qk =- Qt+i (mod 4.
Hence all to be done is to multiply the "upper half' of Q k by d = Z512 - n and add the result to the
"lower half' of Qk.This is a rather straightforward extension of the widely known method for performing
reductions modulo 2m-1 (cf. [4] p. 272). Let #X denote the length of the binary representation of X in
bits. We get
#Qk+l 5 #d i#Zk if # z k 2 #Rk or #d 2 #Rk and
#Qk+l I m a x ( # d + # Z k + l , # R k + l ) if#Zk<#Rkand#d<#Rk,
what implies that if
#d 5 256

can be achieved, then


93

#Q2 S513.
This means that after two iterations of multiplication and addition there are at most two additions of d to
be done to obtain a result rwfuced to be less than 2512. The complete reduction eventually necessary may be
left to the superior computing capabilities of the PC. Due to the simple multiplication algorithm used, the
addition of d z k to Rk can be combined with the multiplication to have no extra cost in computing time.
The greatest advantage of this reduction algorithm is however that only one 256 bit value d instead of eight
512 bit values n have to be stored within the cards scarce memory.
Concerning the precomputation programs, the condition $\#d \le 256$ leads to the above mentioned
condition $2^{512} > n \ge 2^{512} - 2^{256}$. The remaining problem is to find $p$ and $q$ so that $n = pq$ satisfies this interval
condition. Mohan and Adiga propose to use a modulus that has not only two large but also some small
prime factors. During the implementation of the reduction it turned out that enough prime pairs can be found
which satisfy this condition, so that no additional small primes are needed.
Trying to combine two primes out of a precomputed set of large primes could be shown to be
impractical. The simple but effective method implemented is to find a suitable prime $p$, perform a large
integer division to compute a factor $q$ so that $pq$ is within the desired range and to test whether $q$ is also
prime. In detail:
Given
$$p < 2^{256}, \quad p \text{ prime and chosen at random},$$
then
$$q = \left\lceil (2^{512} - 2^{256}) / p \right\rceil$$
(the least $k$ with $kp \ge 2^{512} - 2^{256}$, see below) satisfies
$$2^{512} > pq \ge 2^{512} - 2^{256}.$$

The prime number theorem tells us that a randomly chosen value $p$ of a magnitude of order $2^{256}$ is prime
with a probability of about $1 / \ln 2^{256} \approx 0.0056$ (cf. [6] p. 64). Choosing $p$ to be less than $2^{256}$ ensures that
at least one multiple $kp$ of $p$ falls into the interval $[2^{512} - 2^{256},\ 2^{512})$ of length $2^{256}$; $q$ is the least such $k$.
All integers within a small interval around $q$ are slightly larger than $2^{256}$. Thus the probability for any of
them to be prime is slightly less than $1 / \ln 2^{256}$.


The probabilistic Rabin-Miller test ([4] p. 379) is fast enough to find a suitable prime pair within some
dozens of hours on a SUN-3.
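As an added example (not the precomputation program of the paper), the Python below carries out the search just described: draw a random prime $p < 2^h$, compute $q$ by the ceiling division, keep the pair if $q$ passes a Rabin-Miller test. The half width $h$ and the seed of the random generator are parameters introduced here so the procedure can be exercised at small sizes; at $h = 256$ the search finishes in seconds on current hardware.

```python
# Added example: search for primes p, q with 2^512 > p*q >= 2^512 - 2^256,
# i.e. with d = 2^512 - p*q of at most 256 bits.  Generalised to any half
# width h (the paper's case is h = 256).
import random


def is_probable_prime(n, rng=None, rounds=20):
    """Rabin-Miller test with `rounds` random bases (error < 4^-rounds)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    rng = rng or random.Random()
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    """Random odd prime below 2^bits."""
    while True:
        p = rng.getrandbits(bits) | 1
        if is_probable_prime(p, rng):
            return p


def find_modulus(half_bits, seed=1988):
    """Return (p, q, primes_p_tried) with p < 2^h prime, q prime and
       2^(2h) > p*q >= 2^(2h) - 2^h.
    For each prime p, q is the least k with k*p >= 2^(2h) - 2^h; because
    p < 2^h the product is automatically below 2^(2h), so only the
    primality of q is in doubt (probability about 1/ln(2^h) per trial)."""
    rng = random.Random(seed)
    lo = (1 << (2 * half_bits)) - (1 << half_bits)
    tried = 0
    while True:
        p = random_prime(half_bits, rng)
        q = -(-lo // p)              # ceiling division
        tried += 1
        if is_probable_prime(q, rng):
            return p, q, tried


if __name__ == "__main__":
    p, q, tried = find_modulus(256)
    n = p * q
    print(tried, n.bit_length(), ((1 << 512) - n).bit_length())
```

The last value printed is $\#d$, which is at most 256 by construction; the first is the number of primes $p$ that had to be tried, on the order of $\ln 2^{256} \approx 177$.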

V. The Implementation

The smart card's part of the scheme is implemented in its processor's assembly language. The complete
program including serial communication and programming of the data ($x_i$, $P$, $d$) into E2PROM, excluding
this data itself, consists of less than 700 bytes of code. As the data programming routine is used only once,
it is transferred to and executed in RAM and reprograms itself with data. All 256 bytes of RAM are needed for
data or code storage or as stack.
The personal computer as the smart card's counterpart is programmed in C. Due to its greater
performance it can use the same modular multiplication algorithm as the card without effect on overall
execution time. The primality testing was done as a background job on some SUN-3 computers.
The current implementation allows the authentication of a 120 byte identification string at a security level
of 2-;so within an average time of about 6 seconds from card initialisation to acceptance of the identification
string.

VI. The Conclusions

The goal of a specialised processor architecture must be to implement the most time and space consuming
tasks in silicon. So a cryptographic protocol processor for asymmetric protocols should include:
- a 512 bit modulus register and at least two 512 bit registers
- instructions for loading and storing these registers and modular arithmetic
- a buffered serial I/O unit, working independently from the CPU
- a physical random number generator or at least a hardware pseudo random number generator
- some general purpose registers and some RAM as return stack
- a reduced general purpose instruction set
- as much E2PROM as possible

VII. Acknowledgements

I would like to thank Dr. L. Schaumüller, W. Schlapak and H. Eilmsteiner (VOEST-ALPINE AG) as well
as Prof. Dr. Th. Beth, Dr. M. Clausen, Dr. D. Gollmann and H.-P. Rieß (University of Karlsruhe) for the
support, ideas and discussions contributing to this project.

VIII. Bibliography

[1] A. Fiat, A. Shamir: How To Prove Yourself: Practical Solutions to Identification and Signature Problems, Proc. of CRYPTO 86, Springer LNCS 263, pp. 186-194, 1987
[2] D. Gollmann: Linear Recursions of Cascaded Sequences, Contrib. to General Algebra 3, Proceedings of the Vienna Conference 1984, Hölder-Pichler-Tempsky, 1985
[3] ISO: Draft International Standard ISO/DIS 7816-3, Identification cards - Integrated circuit(s) cards with contacts - Part 3: Electronic signals and exchange protocols, 1987
[4] D. E. Knuth: The Art of Computer Programming, vol. 2: Seminumerical Algorithms, Addison-Wesley, 2nd ed. 1981
[5] S. B. Mohan, B. S. Adiga: Fast Algorithms for Implementing RSA Public Key Cryptosystem, Electronics Letters Vol. 21 No. 15, p. 761, August 1985
[6] H. Riesel: Prime Numbers and Computer Methods for Factorization, Birkhäuser 1985
MANIPULATIONS AND ERRORS, DETECTION AND LOCALIZATION

Ph. Godlewski (1) & P. Camion (2)

(1) ENST dép. Réseaux et CNRS UA 820, 75634 Paris, France
(2) INRIA, B.P. 105, 78153 Le Chesnay, France

ABSTRACT

We investigate the possibility of using error correcting codes in digital signatures.
A scheme combining one way functions and an MDS code is presented and analyzed.
We then study an attack upon this scheme and upon more general ones called
"random knapsack schemes" involving a linear combination $\sum_i T(x_i, i)$ of the
message elements $x_i$.

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 97-106, 1988.
© Springer-Verlag Berlin Heidelberg 1988

I. INTRODUCTION

Digital signature schemes provide two kinds of authentication services: integrity of
messages and identification of users. This paper is concerned with integrity aspects of
digital signatures. Various terminologies and techniques are used in this context:
MAC, MDC, MIC, seal, cryptographic checksum, one way hash function,
compression, condensation ... ([1],[2],[3]). The motivation is to prevent malicious
changes in a transmitted or stored message $x$. The basic process is the following:
associate with $x$ a short "certificate" $s(x)$ which is transmitted or stored in a secure

manner (i.e. with protection against active attack). We will restrict ourselves to
systems which do not require the sender and the receiver to share a secret key $K$.

The basic requirements are:
(i) $s(\cdot)$ is easily computable, $s(x)$ is concise (e.g. from 8 up to 128 bytes),
(ii) $s(\cdot)$ is unforgeable: given $y$ in the signature domain, it is computationally
infeasible to calculate a quasi inverse $s^{-1}(y)$ of $y$.
To avoid small falsifications (e.g. change of a name, of an amount in a payment
message), we add an extra condition:
(iii) Two messages with the same length must differ in $d$ symbols or blocks.

In the following we assume that the message $x$ is composed of symbols $x_i$
belonging to an alphabet $X$, then $x = (x_1, x_2, \ldots, x_k)$; we set $[k] = \{1, 2, \ldots, k\}$.

We distinguish two types of attacks:
(a) Given $x$ find $x'$ such that $s(x') = s(x)$.
(b) Find two messages $x$ and $x'$ such that $s(x') = s(x)$.
These two types have some similarities with the so called "known plaintext" and
"chosen plaintext" attacks in a classical cryptographic system for confidentiality.
A more realistic attack of type (a), productive for the intruder, is the following:
(a') Given a message $x$ and $y = s(x)$, a fraudulent message $x'$ partially specified
in a subset $I$ of symbol positions, find $x'_j$ for $j \in J = [k] \setminus I$ such that $s(x) = s(x')$.
A similar attack (b') of type (b) can be defined.

In data networks, a reasonable goal should be to gather together different aspects
of integrity, in particular:
- error detection and correction
- manipulation detection and localization.
Merging these items brings some "technical" problems. One major difficulty comes
from the following fact: nearly all constructing methods for error-correcting codes
are based on linear computations which are well known for their cryptographic
weakness.

We study several schemes which use linear combinations of the different elements
of the message.

II. RANDOM KNAPSACK SCHEMES

When designing an integrity signature scheme without secret key, a basic need is
to dispose of a one-way function $\phi$. In contrast with well known public key
algorithms such as RSA, there is no necessity here to invert $\phi$ with the help of some
hidden trap door information. Then we can consider a purely randomly generated
knapsack:

Generate $k$ random numbers $a_1, a_2, \ldots, a_k$ bounded by $M$, and calculate
$s(x) = \sum_i x_i a_i$. In this paragraph, the alphabet $X$ is binary, $X = \{0, 1\}$.
When $k$ is large enough, this scheme is deeply insecure against attack of type (b)
as shown by our next proposition.

Proposition 1: Given $k$ integers $a_1, a_2, \ldots, a_k$ with $a_i \le M$, it is always possible
to find $I, J \subset \{1, 2, \ldots, k\}$, $I \ne J$, such that
$$\sum_{i \in I} a_i = \sum_{j \in J} a_j$$
in $O(k \log(k))$ operations when $M \le k^{\log(k)/4}$.

For instance if $k = 2^{20}$ (message with 128 Kbyte) and $M = 2^{100}$, an attack needs
about $20 \cdot 10^6$ additions.

Proof: After sorting, we can assume $a_{i-1} \le a_i$ for $1 < i \le k$. We derive a new
sequence of length $k$: $b_1 = a_1$ and $b_i = a_i - a_{i-1}$ for $1 < i \le k$. There exists an element $a'_1$
in $\{b_i\}$ such that $a'_1 \le M/k$. If $a'_1 = b_j$, we then discard from the sequence $\{a_i\}$
the two elements $a_j$ and $a_{j-1}$ involved in $a'_1$. Then we determine another element $a'_2$
such that $a'_2 \le M/(k-2)$. Iterating the process $k' = k/4$ times, we then obtain $k'$
elements $a'_1, a'_2, \ldots, a'_{k'}$ such that $a'_i \le M/(k-2i) \le 2M/k$.
Assuming that $k = 2^u$, $M = 2^v$, we have at our disposal a new sequence $\{a'_i\}$ of
length $k' = 2^{u-2}$ with elements bounded by $M' = 2^{v-u+1}$. We consider the recursion:
$$u^{(t+1)} = u^{(t)} - 2, \qquad v^{(t+1)} = v^{(t)} - u^{(t)} + 1, \quad \text{with } u^{(0)} = u \text{ and } v^{(0)} = v,$$
then we obtain:
$$u^{(t)} = u - 2t \quad \text{and} \quad v^{(t)} = v - tu + t^2.$$
Note that $v^{(t)}$ reaches its minimum $v_{\min}$ for $t = t_{\min} = u/2$, then $v_{\min} = v - u^2/4$. If
$v_{\min} < 0$ all the elements of the sequence $\{a_i^{(t_{\min})}\}$ vanish. This occurs if $v < u^2/4$ or
$M < k^{\log(k)/4}$. Each step of the algorithm requires $k^{(t)}/2 = 2^{u^{(t)}-1}$ additions and a sorting,
that is $O(k^{(t)} \log(k^{(t)}))$ additions. Then the total complexity is less than $k \log k +
(2k/3)(1 + \log k) < 4k \log(k)$ additions; that is $O(k \log k)$. The algorithm needs no
more than $O(k \log(k) \log(M))$ binary operations.

Notice that this algorithm is not probabilistic: at each step, the worst case is
considered. To perform an attack of type (a), algorithms which require more
computational effort exist. A probabilistic algorithm will appear as a consequence of
Proposition 2.
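The differencing process of the proof, written out in Python as an added example (the paper gives no code): every working element carries the two disjoint index sets whose weight sums it is the difference of, each round keeps the $k/4$ smallest adjacent gaps of the sorted sequence, and a gap of $0$ is the collision of Proposition 1. The knapsack instance is constructed here with $k = 2^{10}$ and $M = 2^{20}$, which satisfies $M \le k^{\log(k)/4} = 2^{25}$.

```python
# Added example: the deterministic differencing attack of Proposition 1 on a
# random binary knapsack s(x) = sum_i x_i a_i.  Constructed instance, not the
# paper's code.
import random


def random_knapsack(k, M, seed):
    """Constructed instance: k random weights a_i <= M."""
    rng = random.Random(seed)
    return [rng.randrange(M + 1) for _ in range(k)]


def find_equal_subset_sums(a):
    """Return two disjoint non-empty index sets (I, J) with equal weight sums,
    or None if the process runs out of elements without a collision.

    Working elements are (value, P, N) with value = sum(a[P]) - sum(a[N]).
    Each round sorts the elements and k//4 times removes the adjacent pair
    with the smallest gap, keeping the gap as a new element (bounded by
    about 2M/k as in the proof); a gap of 0 is the wanted collision."""
    items = [(v, frozenset([i]), frozenset()) for i, v in enumerate(a)]
    while True:
        items.sort(key=lambda t: t[0])
        for v, pos, neg in items:
            if v == 0 and pos and neg:
                return sorted(pos), sorted(neg)
        if len(items) < 2:
            return None
        new_items = []
        for _ in range(max(1, len(items) // 4)):
            j = min(range(1, len(items)),
                    key=lambda i: items[i][0] - items[i - 1][0])
            (v1, p1, n1), (v2, p2, n2) = items[j - 1], items[j]
            del items[j - 1:j + 1]                  # the list stays sorted
            # v2 - v1 = (sum p2 - sum n2) - (sum p1 - sum n1)
            new_items.append((v2 - v1, p2 | n1, n2 | p1))
        items = new_items


def knapsack_sum(a, idx):
    return sum(a[i] for i in idx)


if __name__ == "__main__":
    k, M = 1 << 10, 1 << 20          # M <= k^(log k / 4) = 2^25 holds
    a = random_knapsack(k, M, seed=7)
    I, J = find_equal_subset_sums(a)
    print(len(I), len(J), knapsack_sum(a, I) == knapsack_sum(a, J))
```

Two messages $x, x'$ with $x_i = 1$ exactly on $I$ and $x'_j = 1$ exactly on $J$ then have the same signature; with the parameters above at most four rounds are needed, as the recursion on $(u^{(t)}, v^{(t)})$ predicts.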

III. ERROR-LOCALIZING CODES SCHEME

We present a scheme combining one way functions and an error correcting code:

Split the message $x$ into blocks $x_i \in F_2^u$ of length $u$ (e.g. $u = 100$), $x = (x_1, x_2,
\ldots, x_k)$, then use a one way injective function $\phi_i(\cdot)$ from $F_2^u$ to $F$ (e.g. $|F| = q =
2^{128}$). For instance $\phi_i(x_i)$ can be written as $\phi_i(x_i) = \phi(i \,|\, x_i)$, where "$|$" stands for
concatenation. We therefore obtain $k$ symbols $y_i = \phi_i(x_i)$ in $F$. Encode $(y_1, y_2, \ldots,
y_k)$ with an $[n, k, d]$ error correcting code over $F$. The $n-k$ (e.g. $n-k = 4$)
redundancy symbols $y_{k+1}, y_{k+2}, \ldots, y_n$ form the signature $s$.

Detection and correction

We consider codes over a very large alphabet $F$ of cardinality $q$. Then $n < q$, and
we can restrict ourselves to MDS codes. It is well known that most of the error
correcting codes are far from perfect. More precisely, the density $\Delta = 2^{-\delta}$ of the
packing is small; $\Delta$ is the fraction of the space $F^n$ which lies inside the spheres $B_t$
of radius $t$ centered on the code words. Therefore, most of the space may be used for
detection. For an $[n,k,d]$ code $C$, we have $t = \lfloor (d-1)/2 \rfloor$ and $\Delta = |C| \cdot |B_t| / |F^n|$. One
can consider that a part $\log|B_t|$ of the redundancy (i.e. $(n-k)\log(q)$ bits) is used for
correction, the remaining part $\delta = (n-k)\log(q) - \log|B_t|$ for detection. A
straightforward estimation gives:
$$\delta = \log(q)\,\big[\,n - k - t\,(1 + \log_q n - \log_q t)\,\big].$$
For our application, we have $t = \lfloor (n-k)/2 \rfloor$ (cf. MDS codes), and possible orders of
magnitude of the parameters are: $1 \le t \le 10$, $n < 2^{32}$, $q > 2^{100}$. Then, we have
$t < n \ll q$ and $\delta \approx \log(q)\,\lfloor (n-k)/2 \rfloor$. Half of the signature symbols are used to
detect error or manipulation.

Localization or correction

Using the Berlekamp-Massey algorithm, it is possible to localize errors in $O(n \cdot d)$
operations over $F$. But, due to the presence of the one way functions $\phi_i$, the error
evaluation on the $y_i$ can not be exploited to correct errors on the $x_i$. However, for
some types of messages, errors can perhaps be corrected by trial and error procedures,
for instance by exploiting the natural redundancy of a language.
The error correction algorithm can be carried out only if it is possible to invert
each $\phi_i$ for each position $i$ in error using some (secret) trap door information.
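The scheme of this section, signer and verifier side, as an added Python example that is not part of the paper. The field is $F = \mathbb{Z}/q\mathbb{Z}$ with $q = 2^{127} - 1$ (a prime, so the characteristic is high as the next subsection demands), the $[n,k,n-k+1]$ MDS code is a generalised Reed-Solomon code with locator $\alpha_i = i$ for position $i$, and $\phi_i(x_i) = \phi(i \,|\, x_i)$ is instantiated with SHA-256, which the paper leaves abstract. The verifier recomputes the $y_i$ from the received blocks, forms the $n-k$ syndromes and runs Berlekamp-Massey: the roots of the locator polynomial name the manipulated positions, while the values themselves cannot be repaired because $\phi$ is one way.

```python
# Added example: signature = redundancy symbols of an MDS code over the
# one-way images y_i = phi_i(x_i); verification detects and localizes errors.
import hashlib

Q = (1 << 127) - 1           # prime field of high characteristic (assumed size)


def phi(i, block):
    """phi_i(x_i) = phi(i | x_i): one-way map into F (SHA-256, an assumption)."""
    h = hashlib.sha256(i.to_bytes(4, "big") + b"|" + block).digest()
    return int.from_bytes(h, "big") % Q


def solve_mod_q(A, b):
    """Gauss-Jordan elimination over F for the square system A z = b."""
    r = len(A)
    M = [row[:] + [bi] for row, bi in zip(A, b)]
    for c in range(r):
        piv = next(i for i in range(c, r) if M[i][c])
        M[c], M[piv] = M[piv], M[c]
        inv = pow(M[c][c], -1, Q)
        M[c] = [x * inv % Q for x in M[c]]
        for i in range(r):
            if i != c and M[i][c]:
                f = M[i][c]
                M[i] = [(x - f * y) % Q for x, y in zip(M[i], M[c])]
    return [M[i][r] for i in range(r)]


def sign(blocks, r):
    """The n-k = r redundancy symbols s of the code word (y_1..y_k, s_1..s_r),
    y_i = phi_i(x_i), for the parity checks sum_{i=1..n} c_i * i^j = 0,
    j = 0..r-1 (positions i are 1-based; the code is MDS since n < q)."""
    k = len(blocks)
    y = [phi(i + 1, x) for i, x in enumerate(blocks)]
    A = [[pow(k + 1 + m, j, Q) for m in range(r)] for j in range(r)]
    b = [-sum(yi * pow(i + 1, j, Q) for i, yi in enumerate(y)) % Q
         for j in range(r)]
    return solve_mod_q(A, b)


def berlekamp_massey(S):
    """Minimal connection polynomial Lambda (Lambda[0] = 1) of the syndrome
    sequence S over F; its degree is the number of errors found."""
    C, B, L, m, b = [1], [1], 0, 1, 1
    for n, s in enumerate(S):
        d = s
        for i in range(1, L + 1):
            d = (d + C[i] * S[n - i]) % Q
        if d == 0:
            m += 1
            continue
        coef = d * pow(b, -1, Q) % Q
        T = C[:]
        if len(C) < len(B) + m:
            C += [0] * (len(B) + m - len(C))
        for i, bi in enumerate(B):
            C[i + m] = (C[i + m] - coef * bi) % Q
        if 2 * L <= n:
            L, B, b, m = n + 1 - L, T, d, 1
        else:
            m += 1
    return C[:L + 1]


def localize(blocks, s):
    """Verifier: recompute y from the received blocks, form the r syndromes of
    (y, s) and return the 1-based positions where the error locator vanishes
    ([] when the word is consistent).  The positions are right for up to
    floor(r/2) errors; beyond that only detection is reliable."""
    word = [phi(i + 1, x) for i, x in enumerate(blocks)] + list(s)
    r = len(s)
    S = [sum(c * pow(i + 1, j, Q) for i, c in enumerate(word)) % Q
         for j in range(r)]
    if not any(S):
        return []
    lam = berlekamp_massey(S)
    return [i + 1 for i in range(len(word))
            if sum(l * pow(pow(i + 1, -1, Q), e, Q)
                   for e, l in enumerate(lam)) % Q == 0]


if __name__ == "__main__":
    msg = [b"pay ", b"to: ", b"alice", b" amount ", b"100", b" EUR"]  # constructed
    s = sign(msg, 4)                       # n = 10, k = 6, d = 5: locates 2 errors
    tampered = list(msg)
    tampered[2], tampered[4] = b"mallory", b"900"
    print(localize(msg, s), localize(tampered, s))   # [] and [3, 5]
```

With $n - k = 4$ redundancy symbols the verifier can name up to two manipulated blocks (or signature symbols); a larger number of changes is still detected through non-zero syndromes, which is the detection capacity estimated above.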

Weakness of the scheme in low characteristic

It is important to select the field $F$ with a high characteristic. For instance if the
characteristic of $F$ is 2, i.e. $q = 2^v$, then it is possible to perform an attack of type
(a') by modifying $|J| = O((n-k)v)$ blocks of an arbitrary fraudulent message $x'$. In
this case the signature $s$ is computed in $F_2^{v(n-k)}$ following the formula:

where $y_i$ and $H_i$ are respectively $1 \times v$ and $v \times v(n-k)$ binary matrices. The binary
image of the $[n,k]$ MDS code over $F$ is then an $[nv, kv]$ code over $F_2$ with parity
check matrix $H = [H_1, \ldots, H_n]$.
Let $J$ be the set of positions used to adapt the fraudulent message to the desired
signature; we consider the cheating procedure:
- For the legitimate message, compute $y(i) = y_i H_i$ for $i \in [k]$
and then $\sigma = \sum_{i \in [k]} y(i)$.
- For a fraudulent message $x'$, choose randomly $\{x'_j\}$ for $j \in J$,
compute similar quantities, $y'_i = \phi_i(x'_i)$, $y'(i) = y'_i H_i$,
$\sigma' = \sum_{i \in [k]} y'(i)$.
- Find $\{\varepsilon_j;\ \varepsilon_j \in F_2,\ j \in J\}$ such that $\sigma - \sigma' = \sum_{j \in J} \varepsilon_j\,(y(j) - y'(j))$;
this is possible if the vectors $(y(j) - y'(j))$, $j \in J$, generate $F_2^{v(n-k)}$,
which is true with high probability if $|J| = 2(n-k)v$.
- Let $x'_j := \varepsilon_j x_j + (1 - \varepsilon_j) x'_j$ be the values of the final message $x'$ in the positions
$j \in J$.

The complexity of this procedure resides essentially in the computation of
$O((n-k)v)$ additional one-way functions $\phi_j(x'_j)$. It is possible to specify similar
procedures with smaller $|J|$ and for codes defined on other fields with low
characteristic. For such fields, the proposed scheme is therefore very weak.
In the following paragraph, we present an attack adapted to high characteristic.
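The cheating procedure above in Python, as an added example that is not part of the paper. Only the $F_2$-linearity of the signature matters, so random binary matrices $H_i$ stand in for the binary image of the code; the sizes ($v = 16$, $v(n-k) = 24$, $k = 64$), the SHA-256 instantiation of $\phi$ and both messages are constructed for the illustration. The forger keeps its own text in the first 16 positions, uses the remaining $|J| = 48 = 2 \cdot v(n-k)$ positions as the adaptable set $J$, and solves for the $\varepsilon_j$ by Gaussian elimination over $F_2$.

```python
# Added example: attack (a') on a toy F_2-linear signature
# s(x) = XOR_i phi_i(x_i) H_i.  Toy sizes and random H_i, not the paper's code.
import hashlib
import random

V, W, K = 16, 24, 64          # v bits per symbol, w = v(n-k) signature bits, k blocks
_rng = random.Random(2024)
# H[i][t] = image of the t-th basis vector of F_2^v under H_i, as a w-bit int
H = [[_rng.getrandbits(W) for _ in range(V)] for _ in range(K)]


def phi(i, block):
    """phi_i(x_i): v-bit one-way map (truncated SHA-256, an assumption)."""
    h = hashlib.sha256(i.to_bytes(4, "big") + b"|" + block).digest()
    return int.from_bytes(h[:V // 8], "big")


def y_of(i, block):
    """y(i) = phi_i(x_i) H_i as a w-bit vector."""
    out, yv = 0, phi(i, block)
    for t in range(V):
        if yv >> t & 1:
            out ^= H[i][t]
    return out


def signature(blocks):
    s = 0
    for i, x in enumerate(blocks):
        s ^= y_of(i, x)
    return s


def solve_f2(columns, target):
    """Indices of a subset of `columns` (w-bit ints) XORing to `target`, or
    None.  Gaussian elimination over F_2 that tracks, for every basis vector,
    which input columns it is the sum of."""
    basis = {}                                  # pivot bit -> (vector, combo)
    for idx, col in enumerate(columns):
        vec, combo = col, 1 << idx
        while vec:
            p = vec.bit_length() - 1
            if p not in basis:
                basis[p] = (vec, combo)
                break
            bv, bc = basis[p]
            vec, combo = vec ^ bv, combo ^ bc
    vec, combo = target, 0
    while vec:
        p = vec.bit_length() - 1
        if p not in basis:
            return None
        bv, bc = basis[p]
        vec, combo = vec ^ bv, combo ^ bc
    return [i for i in range(len(columns)) if combo >> i & 1]


def forge(legit, fraud, J):
    """Keep fraud[j] outside J; inside J take fraud[j] (eps_j = 0) or the
    legitimate x_j (eps_j = 1) so that the forged message signs like `legit`.
    Succeeds when the |J| difference vectors span F_2^w, which is very likely
    for |J| = 2w as the text states."""
    target = signature(legit) ^ signature(fraud)
    cols = [y_of(j, fraud[j]) ^ y_of(j, legit[j]) for j in J]   # y'(j) - y(j)
    eps = solve_f2(cols, target)
    if eps is None:
        return None
    forged = list(fraud)
    for idx in eps:
        forged[J[idx]] = legit[J[idx]]
    return forged


if __name__ == "__main__":
    legit = [b"line %02d" % i for i in range(K)]                  # constructed
    fraud = [b"pay mallory"] * 16 + [b"filler %02d" % j for j in range(16, K)]
    J = list(range(16, K))                                      # |J| = 48 = 2w
    forged = forge(legit, fraud, J)
    print(forged is not None and signature(forged) == signature(legit))
```

The cost is the $|J|$ extra evaluations of $\phi$ plus an elimination on a $w \times |J|$ binary matrix, independent of the size of $\phi$'s output, which is why the field characteristic, not the hash, decides the security of this construction.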

IV. AN ATTACK UPON SCHEMES BASED ON LINEAR COMPUTATIONS

We consider a generalization proposed by Gaston Gonnet, Waterloo, of the binary
knapsack scheme for signature. To make this scheme precise it is sufficient to present an
attack of type (a') which consists in solving the following problem:

Problem A:
Given a finite set of indices $J$, an integer $a < M$, and a function $T(\cdot,\cdot)$ from $X \times J$
into $\mathbb{Z}$, find a sequence $x = (x_j)_{j \in J}$ in $X^{|J|}$ which satisfies
$$\sum_{j \in J} T(x_j, j) = a. \qquad (1)$$

Remark: Notice that solving Problem A reduces to solving the following knapsack:
$$\sum_{(x,j) \in X \times J} \varepsilon_{(x,j)}\, T(x,j) = a$$
subject to
$$\forall (x,j),\ \varepsilon_{(x,j)} \in \{0,1\}, \qquad \forall j,\ \sum_{x \in X} \varepsilon_{(x,j)} = 1.$$

When we exhibit a sequence $x$ for a set of indices $J$ which verifies (1), we say that the
set $J$ is a support for $a$. The goal is to find an algorithm to solve the problem for
small or medium support size $|J|$.
In [4], this kind of problem has been studied in an algebraic structure different
from the additive group $(\mathbb{Z},+)$ of integers. The considered structure $G$ is the group
of invertible $2 \times 2$ matrices with entries in the field $F_p$. The algorithm proposed in
[4] supposes the existence of a chain of subgroups $H_\rho = G \supset H_{\rho-1} \supset H_{\rho-2} \supset \ldots \supset H_1$
such that the indexes $[H_r : H_{r-1}]$ are not too large. The method can be applied to
commutative groups with small prime exponent. When $G$ contains a (cyclic)
subgroup $\mathbb{Z}/P\mathbb{Z}$ with large prime $P$, a similar method can be used embedding $\mathbb{Z}/P\mathbb{Z}$
in $\mathbb{Z}$ and using the Chinese remainder theorem.

A probabilistic algorithm to solve Problem A

Let $M$ be an upper bound for the possible values of $a$. We choose $M$ as a
product of coprime numbers $M = \prod_{r \in [\rho]} P_r$, where $P_r \ge P$, $P_r < 2P$. We assume that
$|J| = 2^\rho b$. It will appear that $|J| > 2P$.
Setting $J = J^{(\rho)}_1$ and by successive dichotomies over $J$, we obtain:
$$J^{(r)}_s = J^{(r-1)}_{2s-1} \cup J^{(r-1)}_{2s}, \qquad J^{(r-1)}_{2s-1} \cap J^{(r-1)}_{2s} = \emptyset, \qquad |J^{(r-1)}_s| = 2^{r-1} b.$$

We thus get $\rho$ partitions of $J$ for $r+1 = \rho, \rho-1, \ldots, 2, 1$:
$$J = \bigcup_{s \in [2^{\rho-r}]} J^{(r)}_s.$$

The algorithm has $\rho$ steps. The principle is to determine for each step $r$ and each
set $J' = J^{(r)}_s$, $s \in [2^{\rho-r}]$, a set of $K(P,r)$ solutions to the equation
$$\sum_{j \in J'} T(x_j, j) \equiv a\,\delta_1(s) \pmod{P^{(r)}}, \qquad P^{(r)} = \prod_{i \in [r]} P_i,$$
where $\delta_1(s) = 1$ if $s = 1$, and 0 otherwise. Grossly, we choose $K(P,r) = O(P)$.

Basic procedure: It consists in determining from 2 sets $V_1$ and $V_2$, each with $O(P)$
elements of the form $(T(x_{i_1}, i_1), \ldots, T(x_{i_t}, i_t))$, $t = 2^{r-1} b$, for $r \ge 1$, a set $V'$, $V_1 \times V_2 \supset V'$,
and $|V'| = O(P)$, in which every $2t$-tuple's components add up to 0 (or $a$)
modulo $P_i$, $i \le r$. If all the numbers are specified modulo $P$, this procedure requires
essentially a sorting and then $O(P \log P)$ additions. Indeed $V_1$ (resp. $V_2$) is sorted
according to the value of the component's sum of its elements modulo $P_r$. After the
two sortings are performed, selecting the matching couples needs $O(P)$
comparisons. More precisely, if $|V_1| = \alpha_1 P$ and $|V_2| = \alpha_2 P$, finding out all
matching couples needs $(\alpha_1 + \alpha_2) P$ comparisons since, once two elements have been
compared, the smallest is dropped.

For a fixed step $r$ of the algorithm, this procedure is applied $2^{\rho-r}$ times for
determining $2^{\rho-r}$ sets. Each set $V^{(r)}_s$, $s \in [2^{\rho-r}]$, contains $O(P)$ elements with
support $J^{(r)}_s$.

Algorithm complexity:
The basic procedure is applied $2^{\rho-1} + 2^{\rho-2} + \ldots + 2^0 = 2^\rho - 1$ times. If we assume that the
complexity of computing one value $T(x_j, j)$ is $O(1)$, the overall complexity is $K = O(2^\rho\,\rho\,P \log P)$ for a
number $|J| = 2^\rho b$ of symbols used to adapt the signature.
If we set $K = 2^\kappa$, $M = 2^m$, $P = 2^\pi$, we then get $m = \rho\pi$ and $\kappa \approx \rho + \pi$.
For $u = 1$ (binary alphabet), we obtain $b = 2\pi = 2m/\rho$ and $K = 2^{\rho + m/\rho}\,(m/\rho)^2$, which reaches its
minimum for $\rho = \sqrt{m}$; we then have $K \approx 2^{2\sqrt{m}}$ and $|J| = 2^{\sqrt{m}+1}\sqrt{m}$.
If we consider larger blocks (e.g. $u = 100$) we can choose $b = 1$, and we obtain the
same type of result: $K \approx 2^{2\sqrt{m}}$ and $|J| = 2^{\sqrt{m}}$.

Proposition 2: Using a probabilistic algorithm, it is possible to solve Problem A in
$O(2^{2\sqrt{m}})$ operations modifying only $|J| = 2^{\sqrt{m}+1}\sqrt{m}$ symbols ($|J| = 2^{\sqrt{m}}$ if $|X| >$

Application: $M = 2^{100}$; in the binary case (cf. paragraph II), it is possible to forge a
(fraudulent) message with the same signature by adapting $|J| = 2^{11} \cdot 10 \approx 20\,000$
bits; the process needs about $10^6$ operations.

If the signature domain is sufficiently large (say $m = 1000$ bits) this attack is
clearly ineffective. The security of the scheme proposed in § III remains an
open problem when the field $F$ is $\mathbb{Z}/q\mathbb{Z}$ where $q$ is a prime such that $\log(q) = 128$,
and $C$ is an $[n,k]$ code with $n-k = 8$, leading to a signature which is $m = (n-k)\log(q)
= 128 \cdot 8 = 2^{10}$ bits long.

REFERENCES

[1] D.W. Davies and W.L. Price, "Security for Computer Networks", John Wiley and Sons, Chichester 1984.
[2] R.R. Jueneman, "A High Speed Manipulation Detection Code", Proceedings of CRYPTO 86, Springer-Verlag 1987, pp. 327-346.
[3] M. Campana and M. Girault, "How to Use Compressed Encoding Mechanisms in Data Protection", Securicom 88, March 15-17, pp. 91-110.
[4] P. Camion, "Can a Fast Signature Scheme Without Secret Key be Secure?", in AAECC, Lecture Notes in Computer Science, n° 228, Springer-Verlag.
PRIVACY PROTECTED PAYMENTS - REALIZATION OF A PROTOCOL
THAT GUARANTEES PAYER ANONYMITY

Svein J. Knapskog
Division of Computer Systems and Telematics,
University of Trondheim, The Norwegian Institute of Technology
N-7034 Trondheim

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 107-122, 1988.
© Springer-Verlag Berlin Heidelberg 1988

Introduction

There is a growing concern that the total traceability of users in
a conventional electronic card based payment system may become a
major argument against these new, more convenient and more cost
effective systems. To circumvent this problem, electronic card
(smart card) based systems can still be used, but in connection
with new data communication protocols involving banks, shops and
customers (of banks and shops). Some new ideas regarding use of
"electronic coins" will have to be accepted, also.

The basic idea for this new way of using known systems and assets
was first presented by David Chaum at CWI, Amsterdam <1>. It is
based upon the usage of home terminals (personal computers) and POS
terminals in the different shops, much in the same way as we
already are exposed to and getting familiar with in our everyday
life today. This new concept, however, will be dependent upon a
smart card with an order of magnitude more memory available on it
than today's technology permits, and in addition it will rely
heavily upon online data communication between shops and banks. The
remaining prerequisite is that banks, shops and customers can agree
upon a public key algorithm that is considered safe and
operationally acceptable to carry out the necessary mathematical
operations underlying the new protocol. Banks must also build and
maintain the necessary data bases to support the system. With these
assumptions accepted, it will be demonstrated that a practical,
smoothly operating system is feasible.

The Crypto-algorithm

The most common public key crypto-algorithm today is the RSA
algorithm. Given a message M, the encrypted version C is obtained
by raising M to the power of e, the publicly known part of the
key:

$$C = M^e \bmod m$$

Decryption involves the secret part of the key, d:

$$M = C^d \bmod m$$

All operations are performed on a closed set of integer numbers,
less than the modulus m. The security of the RSA
algorithm rests upon the fact that factoring large numbers is a
mathematically difficult (hard) problem.

The RSA algorithm has one vital property:

$$(M^d)^e = M$$

This property is exploited when users of the system want to
authenticate themselves. Authentic users will be another necessity
in the system to avoid fraud.

The "Electronic coins" concept

Money (coins and banknotes) is virtually untraceable. To keep
track of an individual note by its number would be an almost
impossible task. Therefore, the basic idea in the concept of
"electronic coins" is to keep the benefit of untraceability of
traditional money, and add the benefits of electronically stored
and transmitted data representing specific value. This we can
obtain by creating electronic coins and storing them in a smart
card. When these coins are used, no one would be able to trace the
coin itself, nor the user of the coin. An electronic coin is
created by:

$$M = S^{e_c}$$

where S is a random number designated "seed" and $e_c$ is the
public part of an RSA key of which "no one" knows the secret part,
so that exponentiation with $e_c$ is a true one-way function.

Before sending this coin to the bank to get it signed (approved) by
the bank, it must be covered by an envelope:

$$(1) = M \cdot r^e$$

where r is another random number and e is the public part of the
RSA key for the bank.

The bank signs the coin still covered by its envelope:

$$(2) = (M \cdot r^e)^d = M^d \cdot r$$

The signed coin is returned to the customer, and at the same time
the customer's account is debited for the amount of money that the
coin represents. The customer is now able to remove the envelope and
check if the transmission and the bank's routines have worked
properly:

$$(2) \cdot r^{-1} = (M^d \cdot r) \cdot r^{-1} = M^d$$
$$(M^d)^e = M\ ?$$

Equality tells that the coin is ready for use.

Use of electronic coins

The coins created are valid for use in shops which are customers of
the same bank as that of the payer, or another bank that has direct
data communications with the payer's bank. Generally, the latter is
the case. When a payer presents his money (electronic coins) in the
shop, the shop sends to the bank:

The bank searches the database to check if the money has already
been used. If not, it requests the seed, S, from the shop (stored in
the customer's smart card and read by the shop's terminal). S is used
to check the validity of the money:

$$S^{e_c} = (M^d)^e\ ?$$

If equal, the shop's account is credited the correct amount, and
the database for used money in the bank is updated.

Giving change to electronic coins

The motivation for implementing new payment systems has up till now
been strongest for the banks and possibly large shops or chains of
shops. The new systems, based on plastic cards of different kinds,
have raised the efficiency and lowered the risk involved with
physically handling large amounts of money. The protocols suggested
by D. Chaum, further elaborated by our work, have also taken into
account the need for protection of individuals, and in that respect
this payment system should be more acceptable to the general
public. However, the protocols as described till now are too simple
to be seen as equal to or better than existing systems from the
user's point of view. One facility that quite obviously must be
taken care of is how to give change in the system. As long as the
user (payer) has a positively balanced bank account, he (or she) must
be able to use his card for whatever amount of money necessary. An
extension of the protocol, shown in the following, sketches a
non-trivial solution to this trivial problem.

The smart card must be able to perform some mathematical
calculations, namely encryption of an envelope r with a publicly
known key for that specific date and coin type, and multiply the
unsigned coins with it:

The bank performs checking of the coins in the previously described
way, and returns them to the card via the shop. The card must then
strip off the envelope:

The money generated as change is stored in the card and can later
be used in the same way as the ordinary money in the card.
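The coin life cycle of the three preceding sections (creation from a seed, envelope, blind signature by the bank, removal of the envelope and check, spending with the "used-money" and "valid-seed" checks, and change signed in the same round trip) as an added Python example. It is an illustration, not the Trondheim implementation: the RSA keys are built from fixed well-known primes of toy size, there is one bank key per coin class (denominations 10 and 1), the secret exponent of the coin key $e_c$ is simply discarded, and the coin modulus $m_c$ is chosen smaller than every class modulus so that $M < m$ always holds.

```python
# Added example: Chaum-style electronic coins as described in the text.
# Toy key sizes from fixed well-known primes; not the paper's implementation.
import random
from math import gcd


def make_key(p, q, e=65537):
    """Toy RSA key (modulus, e, d) from two primes."""
    m = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    return m, e, pow(e, -1, lam)


# One bank key (e, d, m) per coin class (denomination).  The coin key (e_c, m_c)
# is the one-way map S -> S^e_c; its secret exponent is discarded.
CLASS_KEY = {10: make_key((1 << 61) - 1, (1 << 31) - 1),
             1: make_key(1000000007, 1000000009)}
COIN_M, COIN_E, _ = make_key(998244353, 999999937)     # m_c below both class moduli


def coin_from_seed(S):
    return pow(S, COIN_E, COIN_M)                    # M = S^e_c


def envelope(M, value, r):
    m, e, _ = CLASS_KEY[value]
    return M * pow(r, e, m) % m                      # (1) = M r^e


def strip(signed_env, value, r):
    m, _, _ = CLASS_KEY[value]
    return signed_env * pow(r, -1, m) % m            # (M^d r) r^-1 = M^d


class Bank:
    def __init__(self):
        self.used, self.accounts = set(), {}

    def _credit(self, acct, amount):
        self.accounts[acct] = self.accounts.get(acct, 0) + amount

    def sign(self, blinded, value):                  # signs whatever is in the envelope
        m, _, d = CLASS_KEY[value]
        return pow(blinded, d, m)

    def withdraw(self, acct, blinded, value):
        self._credit(acct, -value)
        return self.sign(blinded, value)

    def deposit(self, shop, signed, seed, value, change_envelopes=()):
        """'used-money' check, then 'valid-seed' check S^e_c == (M^d)^e.  On
        success credit the shop with the price (coin value minus change) and
        sign the blinded unit change coins; None means 'unable-to-pay'."""
        m, e, _ = CLASS_KEY[value]
        if signed in self.used or coin_from_seed(seed) != pow(signed, e, m):
            return None
        self.used.add(signed)
        self._credit(shop, value - len(change_envelopes))
        return [self.sign(b, 1) for b in change_envelopes]


class Card:
    def __init__(self, seed):
        self.rng, self.coins = random.Random(seed), []   # (value, S, M^d)

    def _fresh(self, value):
        S = self.rng.randrange(2, COIN_M)
        r = self.rng.randrange(2, CLASS_KEY[value][0])
        return S, coin_from_seed(S), r

    def load(self, bank, acct, value):
        S, M, r = self._fresh(value)
        signed = strip(bank.withdraw(acct, envelope(M, value, r), value), value, r)
        m, e, _ = CLASS_KEY[value]
        if pow(signed, e, m) != M:                   # (M^d)^e = M ?
            raise ValueError("bank signature check failed")
        self.coins.append((value, S, signed))

    def pay(self, bank, shop, price):
        """Spend the last coin; the difference comes back as unit change coins,
        blinded by the card and signed by the bank in the same round trip."""
        value, S, signed = self.coins.pop()
        change = [self._fresh(1) for _ in range(value - price)]
        signed_change = bank.deposit(shop, signed, S, value,
                                     [envelope(M1, 1, r1) for _, M1, r1 in change])
        if signed_change is None:
            return False
        for (S1, _, r1), sc in zip(change, signed_change):
            self.coins.append((1, S1, strip(sc, 1, r1)))
        return True
```

The bank only ever sees the enveloped value $M r^e$ at withdrawal and the bare $M^d$ at deposit, which it cannot link without $r$; the "used-money" set is what prevents the same $M^d$ from being deposited twice.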

The protocols

In the following paragraph is given a description of the protocols
used for the data communication between the customers, shops and
banks. Six different sequence diagrams picture the messages
between the communicating parties for different cases. Sequence no.
1 shows how the card is filled with money for the first time.
Sequence no. 2 shows an ordinary transaction without complications.
The last four sequences picture events where some check or other
fails, and how the system deals with this kind of anomalies.

Sequence 1.

a) The card is empty (new) and is filled with money for the
first time.
b) A used card is refilled with "fresh" money, discarding
earlier loaded coins that are getting old or
having impractical values. These coins will be returned
to the bank and the account balanced accordingly.

Sequence 2.

This is the protocol for the normal use of the card. The
transaction is completed without any malfunction or error.
Two different banks may be involved in the data
communication, and change will be given if appropriate.

Sequence 3.

In a real world system there will always be users that are
tempted to take advantage of any weakness that can be
exploited. Some user could for instance try to obtain goods
or services even if he knows that there isn't enough money
in his card to pay for this. (An absent minded person could
also trigger this sequence without any harm intended.) The
money is checked (as always) against a "used money" list in
the customer's bank, and this time the check gives a
positive answer. As the card doesn't contain valid money to
pay for the goods or services requested, the transaction is
terminated and an "unable-to-pay" message issued to the
customer.

Sequence 4.

One can imagine that the check for used money could give a
positive answer even if there was no intention of fraud
from the user, for instance some kind of off-line
transaction that has taken place without properly updating
the card. In this case, there will probably also be valid
money in the card that can be correctly used after the
first attempt has failed.

Sequence 5.

In addition to the check for used money, the money offered
as payment is always tested for validity by requesting
the seed used in creating the particular coins offered for
the payment. If the test fails, no attempt is made to
discover what the reason for the failing test is. The bank
is simply stating the fact that this money is not valid,
and the offered money is returned to the customer. If the
card does not contain any other money, the transaction is
terminated with the "unable-to-pay" response. It will be
the customer's own responsibility to clear this discrepancy
with his bank, so that money that doesn't comply with the
"valid-seed" check is removed from the card.

Sequence 6.

In many cases it will be appropriate to try other coins
from the same card if the "seed-check" is negative. This is
shown in the last protocol sequence.

Protocol operations

In the sequence diagrams, the following notation is used:

e - encryption key for a particular class of coins
d - decryption key for a particular class of coins
e_c - public encryption key for seed
S - seed
M - unsigned coin
r - envelope
r^{-1} - r-inverse defined for the particular class of coins
and its modulus

The operations that the actors in the protocol will be executing
are the following:

A1 - The user activates his home terminal and decides what amount
of money he wants in his card by typing it on his terminal. If
the card already contains money, he will have to give his PIN
code to get access to the card.

A2 - The user is notified that his card is filled and ready for
use.

A3 - The customer types his secret number on the shop's terminal.

A4 - The customer is notified whether the payment was successful or
not.

B1 - Reading the PIN code.

B2 - Information about sum total to be paid, and transfer of
encryption keys for all classes of coins for that particular
day.

B3 - Transfer of signed coins and unsigned change from shop to
bank.

B4 - Negative response on the "used-money" check and request for
seed from shop to card.

B5 - Transfer of seed from shop to bank.

B6 - Transfer of change from shop to card.

B7 - Change acknowledgement, payment session terminated.

B8 - Status of used coins from shop to card. Request for money
needed to fulfill the payment.

B9 - Break signal from shop to bank. "Unable-to-pay" to customer.

B10 - Status of false/invalid coins from shop to card.

B11 - Transfer of unsigned coins to shop's bank.

C1 - PIN code check.

C2 - Transfer of old/invalid coins from card.

C3 - Transfer of seed.

C4 - Storing signed and unsigned coins in the card.

C5 - Payment with signed coins. If change is needed, also unsigned
coins must be transferred to the shop.

C6 - Storage of signed change. The card generates r^{-1} for each
envelope and modulus.

C7 - Termination of payment session due to low balance.

C8 - Transfer of more coins after alarm due to "money-not-valid".

D1 - Generating new coins.

D2 - Check of PIN code.

D3 - Request for clearing the card of old or impractical coins.

D4 - Transfer of old or impractical coins from home terminal to
bank.

D5 - Request for seed.

D6 - Transfer of seed to bank.

D7 - Removal of envelope and signature check. Seed and unsigned
coins to fill the card's memory are generated after loading
with signed coins.

D8 - Acknowledgement of filling session.

S1 - Transfer of coins from shop's bank to customer's bank.

S2 - "valid-money".

S3 - Transfer of seed.

S4 - Transfer of change for signing. Account updating.

S5 - Receiving signed change.

S6 - Information transfer regarding used coins.

S7 - Payment session terminated.

S8 - Information transfer regarding false/invalid coins.

T1 - Check for used coins.

T2 - Check for "money-valid".

T3 - Signing coins. Balancing account. Transfer of signed coins.

T4 - Signing of change. Balancing account.

T5 - Request for terminating checking session.

Implementation

The protocols described in this paper have been developed during a
diploma thesis work by Audun Josang <2>. They are implemented on a
small Token Ring network at the premises of University of
Trondheim, Norwegian Institute of Technology, using IBM AT personal
computers as home terminal, POS terminal and banks. The personal
computers have extra cards installed for the Token Ring
communication and for the arithmetic functions needed to do the RSA
calculations with reasonable speed. All programs are written in the
C programming language. The implementation has shown, although on a
small scale, that it is quite feasible to realize this kind of
payment system with today's technology. The only assumption resting
upon further development is that the smart card will have more
memory and the ability to do some straightforward arithmetic
operations. This assumption is believed to be met in the near
future.

<1> David Chaum: Privacy Protected Payments. Unconditional payer
and/or payee untraceability. Offprint.

<2> Audun Josang: Transaksjonssystemer som skjuler identitet
(Transaction systems that hide identity). NTH Diploma thesis 1987 (in Norwegian).

Fig. 1. a) Filling an empty card b) Refilling a used card

Fig. 2. Ordinary payment (with change)

Fig. 3. Attempted payment with false or invalid money

Fig. 4. Money used. Card able to pay

Fig. 5. False or invalid coins. Transaction terminated.

Fig. 6. (sequence diagram; only the final message label "paying-finished" is legible)
A PRACTICAL ZERO-KNOWLEDGE
PROTOCOL FITTED TO
SECURITY MICROPROCESSOR MINIMIZING
BOTH TRANSMISSION AND MEMORY

Louis C. Guillou 1) and Jean-Jacques Quisquater 2)

1) Centre Commun d'Etudes de Télédiffusion et Télécommunications
CCETT, BP 59
F-35512 Cesson-Sévigné Cédex, France
2) Philips Research Laboratory Brussels
Avenue Van Becelaere, 2
B-1170 Brussels, Belgium
E-mail: jjq@prlb2.uucp

ABSTRACT

Zero-knowledge interactive proofs are very promising for the problems
related to the verification of identity. After their (mainly theoretical)
introduction by S. Goldwasser, S. Micali and C. Rackoff (1985), A. Fiat
and A. Shamir (1986) proposed a first practical solution: the scheme of
Fiat-Shamir is a trade-off between the number of authentication numbers
stored in each security microprocessor and the number of witness numbers
to be checked at each verification.
This paper proposes a new scheme which requires the storage of only
one authentication number in each security microprocessor and the check
of only one witness number. The needed computations are only 2 or 3
more than for the scheme of Fiat-Shamir.

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 123-128, 1988
© Springer-Verlag Berlin Heidelberg 1988

1 INTRODUCTION

Interactive proofs and zero-knowledge protocols were recently introduced
(Goldwasser, Micali and Rackoff, 1985). These concepts are very interesting
but, at the moment, it is not possible to imagine such protocols
in very small components (security microprocessor, tamperfree devices,
smart cards, etc).
A new method based on these concepts was found by Fiat and Shamir
(1986) and is very promising. But the main problems are the number
of iterations (interaction between the prover and the verifier) and/or the
memory needed by the prover. We propose an optimization of this protocol
where we attain very few steps (3 steps, that is, one iteration) and
low memory. The price to pay is longer computations.
Before explaining the new protocol, we need some definitions. We
recall also the basic protocol of Fiat-Shamir.

2 DEFINITIONS: SHADOWS AND IMPRINTS FOR (RSA-BASED) SIGNATURES

- Shadow: One first completes a short message (half the length of the
public modulus n) with a similar-sized redundancy, named shadow,
then extracts the vth root of this element in the chosen ring based
on the composite integer n. The composition of these two consecutive
operations is the secret operation S. The vth power of a random
element has a negligible probability of being shadowed. This
method with shadow produces credentials, the most compact signatures.
Due to multiplicative properties of RSA, the shadow must
not be expressed multiplicatively in terms of the message.
- Imprint: Rather than signing long messages as chained blocks, one
first uses a hash function to compute an imprint (shorter than n) of
message M, then extracts as appendix H the vth root of this imprint
h. The composition of these two consecutive operations now is the
secret operation S. The hash function must be one-way, such that
it is infeasible to construct collisions of equivalent messages.

3 THE BASIC PROTOCOL OF FIAT AND SHAMIR

Let us remember that one must use the factorization of n in order to extract
efficiently a vth root (such as a credential A = X^{1/v} mod n) in the ring
of integers modulo n. The verification of such a credential reveals an
element X carrying some identification data reflected by a redundant
shadow. Let us name z the identification data, and X the resulting
shadowed identity.
Suppose there exists a security device able to pick values at random
and to multiply numbers modulo n (with about 512 bits) in a fast way.
Each device receives from some trusted authority an authentication value
A related to z using the method just described.
To authenticate such a processor claiming identification data z, the
verifier negotiates a transaction with this device by repeating 20 to 30
times the elementary sequence described in the following paragraph. The
number of iterations is a security parameter which exponentially limits
the chances of a cheater.
The elementary sequence is (here v = 3):
- The processor picks at random an element r in the ring
(1 < r < n - 1), raises it to the cube (r^3 mod n), and
sends this cube to the verifier as a test T with the
identity z.
- The verifier tosses a coin and transmits the outcome
as a question q: head or tail.
- The processor transmits as witness t: either element r
for head, or product r · A mod n for tail. The verifier
raises this witness t to the cube mod n in order to
reveal, according to head or tail, either test T, or its
product mod n by shadowed identity X.
Each successful exchange increases the verifier's confidence, because the
value of credential A is needed to produce simultaneously the two values
of witness t, while the first error reveals an unlucky cheater. Provers and
verifiers make use of similar computing resources; they are both using the
same composite number n. This method may, as well, be reversed. This
method may use any exponent in place of the cube, with some caution
for the square.
This was a first version of the method; various optimizations are possible,
and some are already published. The next section will show a very
interesting new version.

This zero-knowledge interactive procedure of demonstration leads to
the emergence of new methods of signature, by replacing the random role
of the verifier by a deterministic function, accepted by everybody, and
difficult to invert, that is to say a one-way function. This is a summary
of a method, due to A. Shamir (for security reasons, k, the equivalent
number of elementary iterations, is now about 60 so as to avoid forgery
of signed messages). Our new method is also possible for this scheme of
signature (see forthcoming paper: same authors).

4 THE NEW PROTOCOL: A DEEP VERSION

In this version, each security device with identity I receives an
authentication value B (the inverse of A modulo n) computed by some authority
from

A = J^{1/v} mod n

where J is the shadowed identity I; the factorization of n is only known
by the authority.
The composite integer n (à la RSA) is distributed to everybody.
Here is the complete protocol for one verification:
- The processor picks at random an element r in the ring
(1 < r < n - 1), computes (r^v mod n), and sends the
result to the verifier as a test T (or at least a part of
the result) with the identity I.
- The verifier "tosses" a "deep" coin with integer values
between 0 and v - 1 and transmits the outcome as a
question d.
- The processor transmits as witness t:
t = r · B^d mod n
- The verifier computes
J^d · t^v mod n
and compares with the given bits of T.
In this version, there is only one exchange between the prover and
the verifier (after the sending of the witness) and only one authentication
value needed in the security device!

By definition, a cheater does not know B. Let us precisely evaluate
the possibilities of a cheater.

- If a cheater guesses the question d, he can pick at random any new
witness number t and then deduce the corresponding test number
T by computing exactly as the verifier will do. There is an evident
winning strategy for any lucky guesser.
- When the test number T has been transmitted to the verifier, let
us evaluate the situation of a cheater which would be able to propose
two witness numbers t' and t'' for two different questions d' and
d''. The following short technical demonstration proves that such a
cheater should no more be a cheater because he should easily deduce
the authentication number B from any pair (t', t'') of such witness
numbers.

Proof of security
By hypothesis, 0 ≤ d'' < d' ≤ v - 1.
Let us write the equation:

J^{d'} · t'^v mod n = J^{d''} · t''^v mod n,

which may be transformed into:

Let us notice that d' - d'' is a positive integer, smaller than v, and
prime with v (because v is prime). So, there exists a unique pair of
positive integers k and m, in the range from 1 to v - 1, currently named
Bezout coefficients of v and d' - d'', easily computed by the Euclidean
algorithm, such that

m · v - k · (d' - d'') = ±1.

Let us raise the last equation to the power k and substitute: thus,

Q.E.D.
At each use of the procedure, a cheater has exactly one chance in v to
fool the verifier. The verifier has exactly v - 1 chances in v to defeat a
cheater. After the procedure, the verifier has essentially learned nothing
about the authentication value B because he cannot distinguish between
an honest user and a very very lucky cheater.

No repetition of the procedure is needed as long as the size of the
exponent v is sufficient to reach directly the level of security requested
by the application. It is easy to specify: ten to sixteen bits for a local
authentication, twenty to thirty bits for a remote authentication, and at
least sixty bits for signature schemes based upon non-interactive zero-
knowledge techniques.
The complete paper will give more explanations about the number of
operations, which are related to the size of v.
A paper by Shamir (1984) uses a similar function but in a very different
context.
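The one-round protocol of section 4 and the Bezout extraction from its proof of security, worked in Python as an added example (not the authors' code): the shadow format, the 16-bit identity encoding and the demo primes are assumptions of this example, and the extractor recovers exactly the B issued by the authority.

```python
"""Guillou-Quisquater identification (one round) and the Bezout extractor from
the proof of security.  Added example, not the authors' code.  The shadow
format, the identity encoding and the modulus are constructed for the demo."""
import secrets
from math import gcd

# Constructed demo parameters: p and q are known only to the authority.
P, Q = 2**31 - 1, 2**61 - 1     # two Mersenne primes (a real n has ~512 bits)
N = P * Q                       # public composite modulus n ("à la RSA")
V = 65537                       # public prime exponent v: the coin has v values


def shadowed_identity(identity: int, n: int) -> int:
    """Toy shadow (constructed): repeat a 16-bit identity twice as redundancy."""
    assert 0 < identity < 1 << 16
    j = (identity << 16) | identity
    assert 1 < j < n
    return j


def authority_issue(identity: int) -> int:
    """A = J^(1/v) mod n needs the factorization; the device gets B = A^-1,
    so that J * B^v == 1 (mod n)."""
    phi = (P - 1) * (Q - 1)
    assert gcd(V, phi) == 1                      # v-th roots are unique mod n
    s = pow(V, -1, phi)                          # root exponent, authority only
    a = pow(shadowed_identity(identity, N), s, N)
    return pow(a, -1, N)


def prover_commit(n: int = N, v: int = V):
    """Step 1: pick r with 1 < r < n-1, keep it, send the test T = r^v mod n."""
    r = secrets.randbelow(n - 3) + 2
    return r, pow(r, v, n)


def verifier_question(v: int = V) -> int:
    """Step 2: the 'deep' coin, an integer d in [0, v-1]."""
    return secrets.randbelow(v)


def prover_answer(r: int, b: int, d: int, n: int = N) -> int:
    """Step 3: witness t = r * B^d mod n."""
    return r * pow(b, d, n) % n


def verify(identity: int, test: int, d: int, t: int,
           n: int = N, v: int = V) -> bool:
    """Step 4: accept iff J^d * t^v == T (mod n)."""
    j = shadowed_identity(identity, n)
    return pow(j, d, n) * pow(t, v, n) % n == test


def run_honest(identity: int, b: int) -> bool:
    r, test = prover_commit()
    d = verifier_question()
    return verify(identity, test, d, prover_answer(r, b, d))


def cheater_commit(identity: int, guess: int, n: int = N, v: int = V):
    """Without B, a cheater guesses d in advance, picks any t and back-computes
    T = J^guess * t^v; the verifier accepts only when d == guess (chance 1/v)."""
    t = secrets.randbelow(n - 3) + 2
    j = shadowed_identity(identity, n)
    return t, pow(j, guess, n) * pow(t, v, n) % n


def extract_b(identity: int, d1: int, t1: int, d2: int, t2: int,
              n: int = N, v: int = V) -> int:
    """Proof of security: two accepted witnesses (d1, t1), (d2, t2) for the same
    T with d1 > d2 give J^(d1-d2) == (t2/t1)^v.  With Bezout coefficients
    m*v - k*(d1-d2) = 1 (v prime), B = J^-m * (t2/t1)^k mod n."""
    assert 0 <= d2 < d1 <= v - 1
    delta = d1 - d2
    # Extended Euclid on (v, delta): old_a*v + old_b*delta == gcd == 1.
    old_r, r, old_a, a, old_b, b = v, delta, 1, 0, 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_a, a = a, old_a - q * a
        old_b, b = b, old_b - q * b
    assert old_r == 1
    m, k = old_a, -old_b                       # m*v - k*delta == 1
    j = shadowed_identity(identity, n)
    ratio = t2 * pow(t1, -1, n) % n            # t2 / t1 mod n
    return pow(j, -m, n) * pow(ratio, k, n) % n  # negative exponents: inverses


if __name__ == "__main__":
    ident = 0xBEEF
    b = authority_issue(ident)
    print("honest run accepted:", run_honest(ident, b))
    r, test = prover_commit()
    print("B recovered from two witnesses:",
          extract_b(ident, 9, prover_answer(r, b, 9), 4, prover_answer(r, b, 4)) == b)
```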

REFERENCES

1. Gilles Brassard, David Chaum and Claude Crépeau, Minimum disclosure
proofs of knowledge, July 1987.
2. Amos Fiat and Adi Shamir, How to prove yourself: practical solutions
to identification and signature problems. Springer-Verlag,
Lecture notes in computer science, No 263, Advances in cryptology,
Proceedings of CRYPTO '86, pp. 186-194, 1987.
3. Shafi Goldwasser, S. Micali and C. Rackoff, The knowledge of interactive
proof systems, 17th ACM symposium on theory of computing,
1985, pp. 291-304.
4. Oded Goldreich, Silvio Micali and Avi Wigderson, Proofs that yield
nothing but the validity of the proof, Workshop on probabilistic
algorithms, Marseille, March 1986.
5. Adi Shamir, Identity-based cryptosystems and signature schemes,
Springer-Verlag, Lecture notes in computer science, No 196, Advances
in cryptology, Proceedings of CRYPTO '84, pp. 47-53, 1985.
GENERALIZED BIRTHDAY ATTACK

Marc Girault 1), Robert Cohen 2), Mireille Campana 2)

1) SEPT
42 rue des Coutures
BP 6243, 14066 Caen-Cedex, France

2) CNET Paris-A
TIM
38-40 rue du Général Leclerc
92131 Issy-Les-Moulineaux, Paris, France

ABSTRACT

We generalize the birthday attack presented by Coppersmith at
Crypto'85 which defrauded a Davies-Price message authentication
scheme. We first study the birthday paradox and a variant for
which some convergence results and related bounds are provided.
Secondly, we generalize the Davies-Price scheme and show how
the Coppersmith attack can be extended to this case. As a
consequence, the case p=4 with DES (important when RSA with a
512-bit modulus is used for signature) appears not to be secure
enough.

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 129-156, 1988.
© Springer-Verlag Berlin Heidelberg 1988

INTRODUCTION

The public-key algorithms, which appeared in 1976 [1], permit
among other things the attachment of digital signatures to
messages. These signatures are generally produced in two steps.
Firstly, the message is condensed (or hashed) into a short
value: the imprint. Secondly, the secret function of a
public-key digital signature scheme (for example RSA [2] or its
variants) is applied to the imprint. This method of producing
signatures is particularly convenient when the messages are
long, because it would take too much time to apply the secret
function to the entire message.

The main problem is to design hash-functions which are both
efficient to compute and cryptographically secure. The first
point can be achieved by using (properly) a secret-key
block-cipher algorithm for which fast chips already exist (for
example DES [3]). The second point requires the hash-function
to be collision-free, i.e. it must be computationally
infeasible to find distinct messages which hash to the same
value. For if such messages were found, then a fraudster could,
in an undetected manner, replace a properly signed message with
another bogus one which has the same imprint (and hence the
same signature).

Some general attacks on hash-functions have been described
in the cryptanalytic literature [4]. Some of them (Yuval's
attack [5], meet-in-the-middle attack [6]) are closely related
to the famous "birthday paradox" and its variants. This paradox
can be stated as follows: let r be the number of the pupils in
a classroom and let q(r) be the probability that at least two
pupils of this classroom have the same birthday; what is the
minimal value of r such that q(r) ≥ 1/2? The answer is 23, much
smaller than the value usually suggested by intuition (at least
ours).

A variant of the birthday paradox is as follows: let r be
the number of the pupils in two different classrooms and let
p(r) be the probability that at least two pupils belonging to
different classrooms have the same birthday; what is the
minimal value of r such that p(r) ≥ 1/2? The answer is now 17,
but is somewhat more complicated to calculate, due to the fact
that each classroom may itself contain some "twins".

In [7], Rabin introduced an efficient hash-function based
on DES. However it was later shown that this scheme was subject
to a meet-in-the-middle attack. In order to thwart such an
attack, Davies & Price have proposed an improvement to the
Rabin scheme, which consists of repeating the message twice [8]
(or, by extension, using two initializing values and passing
the message twice), but the new schemes were broken by
Coppersmith [6], using a "triple birthday attack".

This paper aims at extending the Coppersmith attack to a
general scheme using p initializing values and passing the
message p times. It is organized in two main and almost
independent parts: we first present a rigorous approach of the
birthday paradox and its variant. We show in particular that,
in both cases and under particular assumptions, the probability
distribution of the number of "coincidences" converges towards
a Poisson distribution, and we provide bounds for the error
committed when using this limit to approximate a probability or
a frequency distribution.

Secondly, we use these approximations to prove by induction
that the Coppersmith attack can be extended to break the
general scheme and we provide the number of "constrained"
message blocks and the running time as a function of the number
of initializing values.

As a consequence, the 4-pass Davies-Price scheme with DES
appears not to be secure enough (Coppersmith already claimed it
for the 3-pass scheme but without details). This result is
particularly important when the imprint is obtained by
concatenating the initializing values and the end-values. For,
in that case, p=4 is the maximum number of possible passes if
the modulus length of the signer is equal to 512 bits (a very
usual length).

PART I: THE BIRTHDAY PARADOX

This part provides a rigorous analysis of the birthday
paradox and its variant, as stated in the introduction. After
having defined some symbols and recalled some classical results
(section 1), we calculate (section 2) the exact probability to
find i "coincidences" in:
a) a sample of size r drawn from a set of n elements with
replacements (initial birthday problem);
b) in two samples of sizes r and s drawn from a set of n
elements without replacements; and finally,
c) in two samples of sizes r and s drawn from a set of n
elements with replacements (variant of birthday problem).
(The calculation of the last probability is a combination of
the two previous ones.)

The asymptotical behaviour of these probabilities is then
examined (section 3) in a particular but important case: r²/2n,
s²/2n and rs/n have finite limits when r, s and n → +∞; for each
problem, the limit-distribution is shown to be a Poisson
distribution, and this convergence is illustrated by some
numerical results (section 4). Moreover, we provide very small
bounds for the difference between a probability (or a frequency
distribution) and its limit. This permits us to give some
precise results (section 5) which will be used in the
cryptanalysis of part II.

1.1 SYMBOLS AND DEFINITIONS

Let us define some symbols:

- E_r is the symbol for a sample of size r (drawn with or
without replacements)
- |E| denotes the number of elements of the set E
- C(n,k) is the notation for the binomial coefficient:
n! / ((n-k)! k!)
- let Q(x,y) be a quantity depending on x and y. Let L be a set
of limit conditions on x and y. We denote by L-lim Q(x,y) the
limit of Q(x,y) when the conditions of L are satisfied
- the probability of the occurrence of the natural integer k in
a Poisson distribution with parameter λ is equal to:
F_λ(k) = e^{-λ} λ^k / k!
- the frequency distribution at α of a Poisson distribution
with parameter λ is equal to:
ℱ_λ(α) = Σ_{k=0}^{α} e^{-λ} λ^k / k!

Let us recall that in the discrete case, and when all the
possible events are equally probable, the probability P(E) of
an event E is given by the ratio of the number of favorable
events N(E) to the number of possible events N:
P(E) = N(E) / N

When drawings are made with replacements from a population
of size n, we define the number of coincidences as the
difference between the number of drawings and the number of
distinct elements that have been drawn.

1.2 CALCULATION OF PROBABILITY

The meet-in-the-middle attack is related to the following
problem, a variant of the birthday problem:
The drawing with replacements of r elements from a
population of size n yields a first sample E_r. The drawing with
replacements of s elements from the same population of size n
yields a second sample E_s. What is the probability that exactly
i elements belong to the two samples?

The probability P(|E_r ∩ E_s| = i) that there are i distinct
elements in the intersection of the two samples is denoted by
P(n,r,s,i) and is equal to:

P(n,r,s,i) = P( ∪_{k=0}^{r-i} ∪_{l=0}^{s-i} {|E_r| = r-k, |E_s| = s-l, |E_r ∩ E_s| = i} )

= Σ_{k=0}^{r-i} Σ_{l=0}^{s-i} P(|E_r ∩ E_s| = i / |E_r| = r-k, |E_s| = s-l) P(|E_r| = r-k, |E_s| = s-l)

= Σ_{k=0}^{r-i} Σ_{l=0}^{s-i} P(|E_r ∩ E_s| = i / |E_r| = r-k, |E_s| = s-l) P(|E_r| = r-k) P(|E_s| = s-l)

(the last equality stands since the drawings are independent).
Hence,

P(n,r,s,i) = Σ_{k=0}^{r-i} Σ_{l=0}^{s-i} Q(n,r,k) H(n,r-k,s-l,i) Q(n,s,l)

where:
- Q(n,r,k) = P(|E_r| = r-k) denotes the probability that k
coincidences occur in the sample with replacements of r
drawings from a population of size n,
- H(n,r-k,s-l,i) = P(|E_r ∩ E_s| = i / |E_r| = r-k, |E_s| = s-l) is the
probability that exactly i distinct elements have been drawn in
the two (independent) samples (drawn with replacements, of
respective sizes r and s) with respectively r-k and s-l
distinct elements; in other words, H(n,r-k,s-l,i) is the
probability that the intersection of two independent samples
drawn without replacement of respective sizes r-k and s-l is
made up of exactly i distinct elements.

1.2.1 EVALUATION OF PROBABILITY H

We first evaluate H(n,r,s,i). The problem can be stated as
follows:
The drawing without replacement of r elements from a
population of size n yields a first sample E_r. The drawing
without replacement of s elements from the same population of
size n yields a second sample E_s. What is the probability that
the intersection of the two samples is made up by exactly i
elements?

The first sample yields r distinct elements drawn from n
elements. Thus, i elements are drawn from among the r elements
of the first sample and s-i among the n-r elements that have
not been drawn. The probability distribution is the
hypergeometric distribution:

1.2.2 EVALUATION OF PROBABILITY Q

We now evaluate Q(n,r,c), related to the birthday problem.
The drawing with replacements of r elements from a
population of size n yields a sample E_r. What is the
probability Q(n,r,c) that c coincidences occur in the sample?

The probability Q(n,r,c) is equal to the ratio of the
number of favorable events to the number of possible events. If
r > n and c < r-n then Q(n,r,c) = 0. If r ≤ n, or if r ≥ n and c ≥ r-n,
then:
- the number of samples with replacements of size r drawn from
a set of size n is equal to n^r,
- the r-c distinct elements drawn from among the n elements can
be chosen in C(n, r-c) ways,
- the c coincidences are drawn from among the r-c elements. We
choose from among the r drawings of the sample a_1 ones which
correspond to the element no. 1, then a_2 ones from among the
remaining r-a_1 which correspond to the element no. 2, etc. up to
the r-c distinct elements of the sample. There are, for each
(r-c)-vector of the set 𝔄 = {(a_1, ..., a_{r-c}), with c+1 ≥ a_j ≥ 1 for
all j, having a sum equal to r}, as many such choices as the product
of the corresponding binomial coefficients. The product of these binomial
coefficients can be simplified as:
r! / (a_1! ... a_{r-c}!)

The number of favorable events is obtained by taking the
sum over the set 𝔄. Therefore the probability is:

Remarks:

a) By direct computation, the probability that r distinct
elements are drawn is also equal to the ratio of the
n(n-1)...(n-r+1) favorable events to the n^r possible events.
Hence: Q(n,r,0) = n! / ((n-r)! n^r). For the "birthday paradox", this
formula yields the number r: for n=365, r=23 is the lowest
integer such that: Q(365,r,0) < 0.5.

b) Using, as in [9], the Poincaré formula, one obtains a
formula which is easier to program. Let A_k denote the event
"the element k is not drawn". Then the event "r-c elements in
the sample E_r" can be written as:

{|E_r| = r-c} = ∪_{(i_1, ..., i_n) ∈ 𝓕_{r-c}}

where 𝓕_{r-c} is the set, having C(n, r-c) elements, of partitions of
{1, ..., n} in sets of r-c and n-r+c elements. Using the
relation P(A ∩ B) = P(A/B) P(B), it follows:

The second term is easy to compute; for the first one we
can use the Poincaré formula, since: P(A^c ∩ B^c) = 1 - P(A ∪ B).

Since the probability does not depend on the partition of
{1, ..., n}, it follows that:

This formula differs from the one of [9] because the
definitions of the coincidences are not the same.

1.3 ASYMPTOTICAL BEHAVIOUR

We now study the asymptotical behaviour of P(n,r,s,i) when
r²/2n → λ, s²/2n → μ, rs/n → ν, r,s,n → +∞. We show that Q(n,r,c)
converges towards a Poisson distribution with parameter λ.
Combining this result with the well-known convergence of the
hypergeometric distribution of parameters n,r,s towards a
Poisson distribution with parameter ν, we finally prove that
P(n,r,s,i) converges also towards this distribution. In other
words, the number of elements belonging to both E_r and E_s is
only slightly dependent on the fact that the samples have been
drawn with or without replacements. This is due to the fact
that we expect a very small number (about λ) of coincidences
inside each sample.

Before starting, we recall that for any natural integer I
and when N,K → +∞:

If K³/N² → 0 then N!/(N-K)! ~ N^K e^{-K²/2N} and N!/(N-K+I)! ~ N^{K-I} e^{-K²/2N}

More precisely, one can prove that, for K/N < 1/2:

e^{-K²/2N + K/2N - K³/3N²} ≤ N! / ((N-K)! N^K) ≤ e^{-K²/2N + K/2N}     (1)

1.3.1 THE CONVERGENCE OF H

If {rs/n → ν, r,s,n → +∞}, it is well known [9] that the
limit distribution of H(n,r,s,·) is a Poisson distribution:

∀i fixed, if rs/n → ν for r,s,n → +∞, then H(n,r,s,i) → F_ν(i)

In particular, H(n,r,s,0) → e^{-ν}.

Remark:

In order to obtain bounds on the error for the probability
P(n,r,s,i) with respect to the Poisson distribution with
parameter ν = rs/n, we first need to compute bounds relatively to
H(n,r,s,i). Using the inequality (1), we obtain:

Therefore the error on the frequency distribution function
ℱ, related to H, with respect to the frequency distribution
function ℱ_ν, related to the Poisson distribution with parameter
ν = rs/n is:

|ℱ(α) - ℱ_ν(α)| ≤ ((r+s)/rs) α² + (3(r+s)/n) α + (sr² + rs²)/n²

Example: If n = 2^64, r = s = 2^36, then |ℱ(256) - ℱ_256(256)| ≤

1.3.2 THE CONVERGENCE OF Q

We study here the asymptotical behaviour of Q(n,r,c) if
r²/2n → λ when r,n → +∞.
The most important part of Q(n,r,c) comes from event "there
are only pairs of coincidences". We wish to evaluate the
contribution of every configuration of coincidences. Remember
that:

We are going to divide 𝔄 into some interesting subsets. In
an event a of 𝔄, only at most c components are not equal to 1
(if there are exactly c such components, then a_j = 2 for every
such index and the others are equal to 1).
Let a be an (r-c)-vector of 𝔄 with k components which are
not equal to 1. As the product a_1! ... a_{r-c}! is invariant by
permutation, the ratio r!/(a_1! ... a_{r-c}!) will appear

times in the sum. So

where 𝔄_k = {(a_1, ..., a_k) ∈ {2, ..., c+1}^k ; Σ_{j=1}^{k} a_j = c+k, and a_1 ≤ ... ≤ a_k}.

For c fixed, and k ≤ c,
r!/(r-c-k)! ~ r^{c+k}, when r → +∞. Hence:

(n! / (n^r (n-r+c)!)) · (r^{2c} / (2^c c!))

with
(γ_c = 2^{-c}, for the c-vector defined by a_j = 2, j = 1, ..., c is the
only element of 𝔄_c).

Finally, using obvious notation:

Q(n,r,c) ~ (n! / (n^r (n-r+c)!)) · (r^{2c} / (2^c c!)) (1 + ε)

Hence the convergence:

∀c fixed, if r²/2n → λ for r,n → +∞, then Q(n,r,c) → F_λ(c)

The limit is a Poisson distribution with parameter
λ = lim_{r,n→+∞} r²/2n.

Remarks:

a) The probability of event "at least a coincidence is not
a pair" can be dominated by the probability of event "an
element is drawn at least three times", so:

Σ_{c≥1} [ Q(n,r,c) - n! r! / (n^r (n-r+c)! (r-2c)! 2^c c!) ] ≤ r³/(6n²)

b) Using the inequality (1), we obtain the inequality on
Q(n,r,c) related to the Poisson distribution F_λ with parameter
λ:

We can evaluate the precision of approximation of frequency
distribution ℱ of the Q distribution by the frequency
distribution ℱ_λ of the Poisson distribution with parameter λ:

|ℱ(α) - ℱ_λ(α)| ≤ (5/r) α² + (3r/n) α + r³/(3n²)

Example: If n = 2^64, r = 2^36, then |ℱ(256) - ℱ_128(256)| ≤

1.3.3 THE CONVERGENCE OF P(n,r,s,i)

Let L be the set of conditions
r²/2n → λ, s²/2n → μ, r → +∞, s → +∞, n → +∞. We study the L-limit of:

P(n,r,s,i) = Σ_{k=0}^{r-i} Σ_{l=0}^{s-i} Q(n,r,k) H(n,r-k,s-l,i) Q(n,s,l)

1) Using (1) we obtain the following bounds for H(n,r-k,s-l,i):

H(n,r,s,i) φ_i(n,r,s,i,k,l) ≤ H(n,r-k,s-l,i),

with φ_i(n,r,s,i,k,l) = ψ(r,i,k; s,i,l) χ(n,r,k; n,s,l) e^{-(k+l)/(n-r-s)},

and:

H(n,r-k,s-l,i) ≤ H(n,r,s,i) φ_s(n,r,s,i,k,l),

with φ_s(n,r,s,i,k,l) = ρ(n,r,i,k) ρ(n,s,i,l) e^{(k+l)²/(n-r-s) + 2(k+l)(r+s)/n},

where ρ(n,r,i,k) = e^{k²/(r-i) + k/(r-i) + k/(n-r)}.

For k and l fixed, we have:

L-lim φ_i(n,r,s,i,k,l) = L-lim φ_s(n,r,s,i,k,l) = 1.

2) Since the terms of the sum are positive, for α and β fixed:

P(n,r,s,i) ≥ Σ_{k=0}^{α} Σ_{l=0}^{β} Q(n,r,k) H(n,r-k,s-l,i) Q(n,s,l)

≥ H(n,r,s,i) φ_i(n,r,s,i,α,β) Σ_{k=0}^{α} Q(n,r,k) Σ_{l=0}^{β} Q(n,s,l)

Taking the L-limit:

L-lim P(n,r,s,i) ≥ L-lim H(n,r,s,i) ℱ_λ(α) ℱ_μ(β)

3) The double sum is broken into four parts, and we over-
estimate H(n,r-k,s-l,i) by 1 (it is a probability) for k ≥ α or
l ≥ β, and by a function of H(n,r,s,i) for the last double sum.
Therefore, P(n,r,s,i) is bounded by:

H(n,r,s,i) φ_s(n,r,s,i,α,β) Σ_{k=0}^{α} Σ_{l=0}^{β} Q(n,r,k) Q(n,s,l)

By taking the L-limit, we get:

4) If α and β tend to +∞, the frequency distributions tend to
1 and the probabilities of drawings with or without replacement
are identical:

L-lim P(n,r,s,i) = L-lim H(n,r,s,i)

If we add to L the condition rs/n → ν of 1.3.1, we get:

∀i fixed, if r²/2n → λ, s²/2n → μ, rs/n → ν for r,s,n → +∞,
then:
P(n,r,s,i) → F_ν(i)

The limit is a Poisson distribution of parameter
ν = lim_{r,s,n→+∞} rs/n. In particular for r = s = k√n, we get a Poisson
distribution with parameter k².

Remark:

Using the bounds on H, together with the previous
inequalities, we obtain that the lower bound for P(n,r,s,i) is:

and the upper bound is:

where here ℱ_r is the frequency distribution of the Q(n,r,·)
distribution, and for arbitrary α and β.

1.4. NUMERICAL RESULTS

Some values of Q(n,r,c) and P(n,r,s,i) have been computed using
the formulas of §1.2 (the formula used for Q was taken from
remark b of §1.2.2). The numerical results illustrate the
convergences when r = s = √n. The corresponding values of the
Poisson distribution with parameter 0.5 and 1 are given for
comparison.

c        Q(100,10,c)   Q(256,16,c)   Q(625,25,c)   F_0.5(c)

c = 0      0.628         0.619         0.611         0.607
c = 1      0.310         0.308         0.307         0.303
c = 2      0.056         0.064         0.068         0.076
c = 3      0.004         0.007         0.009         0.013
c = 4      0.000         0.000         0.000         0.002
c = 5      0.000         0.000         0.000         0.000

i        P(100,10,10,i)   P(256,16,16,i)   P(625,25,25,i)   F_1(i)

i = 0      0.366            0.367            0.365            0.368
i = 1      0.405            0.391            0.379            0.368
i = 2      0.179            0.182            0.182            0.184
i = 3      0.041            0.049            0.053            0.061
i = 4      0.005            0.008            0.010            0.015
i = 5      0.000            0.001            0.001            0.003
i = 6      0.000            0.000            0.000            0.001
i = 7      0.000            0.000            0.000            0.000
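An added example (not the authors' code) that computes the exact probabilities Q(n,r,c) and P(n,r,s,i) of sections 1.2 to 1.4 and the two classroom answers of the introduction; counting the samples with r-c distinct values through Stirling numbers of the second kind is an assumption of this example that replaces the paper's sum over the vectors a and yields the same numbers.

```python
"""Exact birthday-paradox probabilities of Part I, as an added example (not the
authors' code).  Q(n,r,c) is obtained by counting the samples with r-c distinct
elements through Stirling numbers of the second kind (the same count as the
paper's sum over the vectors a); H is the hypergeometric term of 1.2.1 and P
combines them exactly as in 1.2."""
from fractions import Fraction
from functools import lru_cache
from math import comb, exp, factorial


@lru_cache(maxsize=None)
def stirling2(m: int, k: int) -> int:
    """Ways to split m labelled drawings into k non-empty groups of equal values."""
    if m == k:
        return 1
    if k == 0 or k > m:
        return 0
    return k * stirling2(m - 1, k) + stirling2(m - 1, k - 1)


def falling(n: int, k: int) -> int:
    """n(n-1)...(n-k+1): ordered choices of k distinct elements among n."""
    out = 1
    for i in range(k):
        out *= n - i
    return out


def Q(n: int, r: int, c: int) -> Fraction:
    """P(c coincidences in r drawings with replacement from n elements), i.e.
    exactly r-c distinct values appear.  Exact rational."""
    if c < 0 or c >= r:
        return Fraction(0)
    return Fraction(stirling2(r, r - c) * falling(n, r - c), n ** r)


def H(n: int, r: int, s: int, i: int) -> Fraction:
    """Hypergeometric: two samples drawn WITHOUT replacement, of sizes r and s,
    have exactly i elements in common."""
    if i > min(r, s) or s - i > n - r:
        return Fraction(0)
    return Fraction(comb(r, i) * comb(n - r, s - i), comb(n, s))


def P(n: int, r: int, s: int, i: int) -> Fraction:
    """Two samples drawn WITH replacement share exactly i distinct elements:
    P(n,r,s,i) = sum_k sum_l Q(n,r,k) H(n,r-k,s-l,i) Q(n,s,l)."""
    total = Fraction(0)
    for k in range(r - i + 1):
        qk = Q(n, r, k)
        if qk == 0:
            continue
        for l in range(s - i + 1):
            total += qk * H(n, r - k, s - l, i) * Q(n, s, l)
    return total


def poisson(lam: float, k: int) -> float:
    """F_lambda(k) = e^-lambda lambda^k / k!, the limit of Q (lambda = r^2/2n)
    and of P (nu = rs/n) when r, s, n grow."""
    return exp(-lam) * lam ** k / factorial(k)


def smallest_r(n: int, threshold: Fraction = Fraction(1, 2)) -> int:
    """Classical paradox: least r such that q(r) = 1 - Q(n,r,0) >= threshold."""
    r = 1
    while 1 - Q(n, r, 0) < threshold:
        r += 1
    return r


def cross_coincidence(n: int, r: int, s: int) -> Fraction:
    """Variant: probability p that two classrooms of r and s pupils contain a
    pair, one from each, with the same birthday, i.e. 1 - P(n,r,s,0)."""
    return 1 - P(n, r, s, 0)


if __name__ == "__main__":
    print("birthday paradox, n=365: r =", smallest_r(365))
    print("two classrooms of 17, n=365: p =", float(cross_coincidence(365, 17, 17)))
    for n, r in ((100, 10), (256, 16), (625, 25)):          # r = sqrt(n)
        print(f"Q({n},{r},c):", [round(float(Q(n, r, c)), 3) for c in range(4)],
              "Poisson(0.5):", [round(poisson(0.5, c), 3) for c in range(4)])
```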

1.5 SOME USEFUL RESULTS FOR PART II

In the next part, some cryptanalytic attacks are exposed,
based on the paradoxes we have just studied in previous
sections. The probability of success of these attacks is
calculated according to the numerical results we provide in
this section.

We define the number n_c of twins between the samples
E_r = (x_1, ..., x_r) and E_s = (y_1, ..., y_s) as the number of pairs (i,j)
such that x_i = y_j. Since n_c ≥ |E_r ∩ E_s|, we have:
P(n_c ≥ i) ≥ P(|E_r ∩ E_s| ≥ i)
In the particular case i=1, the two probabilities are equal.

So, the meet-in-the-middle attack exposed in section II.1
has a probability of success S equal to P(|E_r ∩ E_s| ≥ 1) with
r = s = 2^32 and n = 2^64 (hence ν = rs/n = 1) and:
S = 1 - P(n,r,s,0) = 1 - F_1(0) + ε = 1 - e^{-1} + ε ≥ 0.632
(because the bounds provided in sections 1.2 and 1.3 allow us
to show that |ε| ≤ 10^-).
If we now want the probability of success S to be ≥ 1 - 10^{-4},
by changing only r and s (but preserving r = s both powers of 2),
we can choose r = s = 2^34 because ν = 16 and:
S = 1 - F_16(0) + ε' = 1 - e^{-16} + ε' ≥ 1 - 10^{-4}
(because |ε'| ≤ 10^{-5}).

The attack provided in section II.3 also needs an integer x
and two other integers r and s, equal, powers of two, as small
as possible and such that x⁴ ≥ r and P(n_c ≥ x) ≥ 1 - . The
minimal choice for r (and s) is 2^37 and we can take x = 609 (the
smallest integer whose 4-th power is greater than 2^37) since:
P(n_c ≥ 609) ≥ P(|E_r ∩ E_s| ≥ 609) = 1 - ℱ_1024(608) + ε''.
Now, an easy lemma shows that ln F_ν(i) ≤ i - ν + i(ln ν - ln i), so
that ℱ_1024(608) and |ε''| can be shown to be smaller
than . Hence, we can conclude that: P(n_c ≥ 609) ≥ 1 -

PART 11: THE BIRTHDAY ATTACK

This part provides a generalization of Coppersmith’s attack


to a general scheme using p initializing values and passing the
message p times. We first present the Rabin scheme and its
evolutions (section l), then present our main result (section
2) and its proof (section 3).

II.1 THE RABIN SCHEME AND ITS EVOLUTIONS

For continuity, we use (almost) the same notations (and


sometimes the same expressions!) as Coppersmith did in 161. In
particular, E K ( X ) denotes throughout the paper the DES
encipherment of the cleartext x under the key K and D , ( Y )
denotes the decipherment of the ciphertext Y under the key K.

In the Rabin scheme, the message $\mathcal{M}$ is divided into $n$ 56-bit
blocks $M_j$, used as keys for the iterated encipherment of some initial value
$H_0$. The final encipherment, along with the initial value, forms the hash
value:

$$H_0 = \text{random}$$
$$H_j = E_{M_j}(H_{j-1}), \quad 1 \le j \le n$$
$$\text{RSA-Sign}(H_0, H_n)$$

This scheme is subject to a so-called "meet-in-the-middle attack", whose
invention is attributed to Merkle by Winternitz and which works as shown
below. For convenience, if $\mathcal{M}$ is a message made up of message
blocks $M_1, \ldots, M_n$, we will use the following notation:


The meet-in-the-middle attack allows the opponent, given a message
$\mathcal{M}$ and its hash value $(H_0, H_n)$, to construct a bogus message
$\mathcal{M}'$ without affecting the hash value. The opponent can then replace
$\mathcal{M}$ with $\mathcal{M}'$ without being detected, since the signatures
of both messages are identical.

In order to achieve this, the opponent generates $2^{32}$ messages
$\mathcal{M}_l$ and $\mathcal{M}_r$ of arbitrary length (the shorter they are,
the faster the attack is). He may for example create a few (32) variations of
a unique message and combine these variations together. For each message
$\mathcal{M}_l$ (respectively $\mathcal{M}_r$), he computes
$H_l = E_{\mathcal{M}_l}(H_0)$ (respectively $H_r = D_{\mathcal{M}_r}(H_n)$),
sorts and stores these values.

If $E$ is supposed to have good "random" properties, then the set of all the
$H_l$ and the set of all the $H_r$ can be considered as two "random" and
"independent" samples of $2^{32}$ drawings with replacements from a population
of size $2^{64}$. Therefore, as shown in Part I, the probability is greater
than $1/2$ (about $1 - e^{-1}$) that a coincidence exists (i.e. $\exists\, l, r$
such that $H_l = H_r$). This coincidence will appear while sorting the values.

Let now $\mathcal{M}'$ be the concatenation of $\mathcal{M}_l$ and
$\mathcal{M}_r$ for these particular values of $l$ and $r$. Then:

We say that $H_0$ and $H_n$ have been "linked up" or "joined up" by
$\mathcal{M}'$. In this way, the opponent succeeds in constructing a bogus
message $\mathcal{M}'$.

This attack is plausible because the total number of operations is not too
large, considering today's technology: for example, if the attacker chooses
single-block messages $\mathcal{M}_l$ and $\mathcal{M}_r$ (in order to speed
up the computation), he will have to perform $2 \cdot 2^{32} = 2^{33} \approx
10^{10}$ encipherments. To that must be added the time taken to sort values
$H_l$ and $H_r$, which can be evaluated to about $2^{38} \approx 3 \cdot
10^{11}$ operations. No doubt the high-speed and large-memory computers
available today can achieve this (and even more).

The Davies-Price scheme passes the message twice through the same chain:

$$H_0 = \text{random}$$
$$H_j = E_{M_j}(H_{j-1}), \quad 1 \le j \le n$$
$$H_{n+j} = E_{M_j}(H_{n+j-1}), \quad 1 \le j \le n$$
$$\text{RSA-Sign}(H_0, H_{2n})$$

A variant of this scheme consists of choosing two initializing values and
also passing the message twice:

$$H_0, H'_0 = \text{random}$$
$$H_j = E_{M_j}(H_{j-1}), \quad 1 \le j \le n$$
$$H'_j = E_{M_j}(H'_{j-1}), \quad 1 \le j \le n$$
$$\text{RSA-Sign}(H_0, H_n, H'_0, H'_n)$$

Of course, the Davies-Price scheme is easier to break than the last one (it
suffices for the enemy to choose $H'_0 = H_n$). At Crypto'85 [6], Coppersmith
showed that a "triple birthday attack" permits the attacker to construct bogus
messages in both above schemes, with not much larger computational
requirements than for the Rabin scheme. He also claimed that the Davies-Price
scheme remained insecure with three passes instead of two, but without
providing details.

In the next section, by generalizing Coppersmith's attack, we show rigorously
that the Davies-Price scheme and its extension are insecure even if the
message is passed four times, provided the enemy can accept a number of
encipherments in the magnitude range of $2^{46}$ and messages of length 14
Kbytes.

II.2 THE GENERALIZED SCHEME

We now consider the following general scheme, with $p$ initializing values:

$$H^1_0, H^2_0, \ldots, H^p_0 = \text{random}$$
$$H^i_j = E_{M_j}(H^i_{j-1}), \quad 1 \le i \le p,\ 1 \le j \le n$$
$$\text{RSA-Sign}(H^1_0, H^1_n, \ldots, H^p_0, H^p_n)$$

For $p = 1$, it becomes the Rabin scheme; for $p = 2$, it becomes the
Davies-Price scheme (or, rather, its strong variant). The question is: does
Coppersmith's attack extend to $p$ greater than 2? The answer is yes. More
precisely, we claim the following result:

A message of $2 \cdot 10^{p-1}$ blocks joining the $H^i_0$ and the $H^i_n$ for
each $i$ in $[1,p]$ can be found using less than $2^{33} \cdot 10^p$
encipherments with probability very close to 1.

Before providing the proof in the following section, we first give a few
comments about this result:

a) The above values result from a trade-off between four different
parameters: the degree of significance placed on the message obtained, the
length of this message, the number of encipherments and the probability of
success. Of course, it is possible to improve some of them but to the
detriment of the others. For example, the enemy can get a "more meaningful"
message, which will necessarily become longer. Or he can get a shorter
message, but the number of encipherments will increase, etc.

b) The number of blocks indicated is only, other things being equal, a
minimum: these are "constrained blocks" generated by the attack, on which the
attacker has no (or very little) control. But he can design his attack in such
a way that the final message will also contain an arbitrary number of other
blocks completely selected by him. The proportion of bogus blocks can, in that
way, be made as small as wanted (hence less visible!).

c) Though it is highly unlikely, it could theoretically occur that the attack
as described below might not succeed. In practice, it suffices to (slightly)
increase the number of trials at the step where the attack fails in order to
render it effective.

d) Of course, the time of sorting must be added to the time of enciphering in
order to get the total computation time. But a close look at the proof shows
that the time of sorting grows much slower than the number of encipherments
(the ratio of the geometric progression is only 3).

e) If $E$ is replaced with a block-cipher algorithm whose block-length is $L$,
the number of encipherments becomes $2^{L/2 + 1} \cdot 10^p$.

II.3 THE CRYPTANALYSIS

We come now to the proof of our result. In fact, we will prove the following
more precise theorem:

Theorem: Let $p$ be an integer $\ge 1$, let $(A_1, \ldots, A_p)$ be distinct
64-bit values and let $(B_1, \ldots, B_p)$ be distinct 64-bit values.

1) A message $\mathcal{M}$ of $u_p$ blocks can be found using $t_p$
encipherments (or less) with probability $Q_p$, which is such that:

$$E_{\mathcal{M}}(A_i) = B_i, \quad 1 \le i \le p$$

where:

$$u_p = 2 \cdot 10^{p-1}$$
$$t_p = 2^{35} \text{ for } p = 1, \qquad t_p = 2^{36}\left(3^{p-2} + 4 \cdot 10^{p-2}\left[1 + \tfrac{10}{7}\left(1 - \left(\tfrac{3}{10}\right)^{p-1}\right)\right]\right) \text{ for } p \ge 2$$
$$Q_p \ge 1 - \frac{3^p}{2 \cdot 10^4}$$

2) 609 distinct messages $\mathcal{M}$ of $u_p$ blocks can be found using
$t'_p$ encipherments (or less) with probability $Q'_p$ such that:

$$E_{\mathcal{M}}(A_i) = B_i, \quad 1 \le i \le p$$

where:

$$Q'_p \ge 1 - \frac{3^p}{2 \cdot 10^4}$$

Comments:

a) The result claimed in the previous section is clearly a consequence of
part 1 of this theorem (that $t_p$ is less than $2^{33} \cdot 10^p$ is very
easy and figures in the proof).

b) The apparition of the integer 609 (somewhat mysterious!) has been
explained in section I.5.

c) The proof below implicitly assumes (as always in birthday attack
literature) that good encipherment algorithms have good random properties. In
particular, for any given distinct inputs $X$ and $Y$, the values taken by
$E_K(X)$ and $E_K(Y)$, when $K$ runs through the key space, should be
independent events.

d) If $E$ is replaced with a block-cipher algorithm whose block-length is $L$,
the proof remains almost unchanged and part 1 of the theorem is still valid
after having replaced $2^{35}$ with $2^{L/2 + 3}$, and $2^{36}$ with
$2^{L/2 + 4}$ in $t_p$.

Proof: by induction on $p$.

The meet-in-the-middle attack, exposed in section II.1, permits the enemy to
find (as already shown in section I.5):

1) at least one two-block junction between $A_1$ and $B_1$ (i.e. a message
$\mathcal{M}$ such that $E_{\mathcal{M}}(A_1) = B_1$) using $2 \cdot 2^{34}$
encipherments with probability $Q_1 \ge 1 - 10^{-4}$.

2) at least 609 two-block junctions between $A_1$ and $B_1$ using
$2 \cdot 2^{37}$ encipherments with probability $Q'_1 \ge 1 - 10^{-4}$.

So:

$$u_1 = 2, \qquad t_1 = 2^{35}, \qquad t'_1 = 2^{38}$$
$$Q_1 \ge 1 - 10^{-4}, \qquad Q'_1 \ge 1 - 10^{-4}$$

The result is now assumed to be true at rank $p$.

Let $(A_1, \ldots, A_{p+1})$ be $p+1$ distinct values. Let
$(B_1, \ldots, B_{p+1})$ be $p+1$ distinct values.

We now have to make $A_i$ and $B_i$ meet, for each $i$ in $[1, p+1]$, with the
same message $\mathcal{M}_{p+1}$. This can be done in three steps:

Step 1: Choose arbitrarily $Z_1, \ldots, Z_p$, $p$ distinct values. Then find
a set $\mathcal{E}$ of 609 $u_p$-block messages $\mathcal{M}_j$ which link up
the $Z_i$ to themselves for each $i$:

$$E_{\mathcal{M}_j}(Z_i) = Z_i \quad \text{for all } i \text{ and all } j.$$

From the induction hypothesis, the set $\mathcal{E}$ can be found using
$t'_p$ encipherments with probability $Q'_p$ (note that this step, called
"precomputation" by Coppersmith, needs only to be done once and can be used
for any $A_i$ and $B_i$).

Step 2: Find a $u_p$-block message $\mathcal{M}_a$ such that $A_i$ and $Z_i$
meet for each $i$ and let $C = E_{\mathcal{M}_a}(A_{p+1})$. This message can
be found using $t_p$ encipherments with probability $Q_p$.

Find also a $u_p$-block message $\mathcal{M}_b$ such that $Z_i$ and $B_i$ meet
for each $i$ and let $D = D_{\mathcal{M}_b}(B_{p+1})$.

Step 3.1: (It remains now to link up $C$ and $D$ while "preserving" each
$Z_i$.)

Perform a meet-in-the-middle attack between $C$ and $D$ using only elements of
$\mathcal{E}$. More precisely:

let $\mathcal{M}_l = (\mathcal{M}_1, \mathcal{M}_2, \mathcal{M}_3, \mathcal{M}_4) \in \mathcal{E}^4$ and $H_l = E_{\mathcal{M}_l}(C)$;

let $\mathcal{M}_r = (\mathcal{M}_5, \mathcal{M}_6, \mathcal{M}_7, \mathcal{M}_8) \in \mathcal{E}^4$ and $H_r = D_{\mathcal{M}_r}(D)$.

As there are $609^4 > 2^{34}$ elements in $\mathcal{E}^4$, we can obtain two
random and independent samples of $2^{34}$ $H_l$ and $2^{34}$ $H_r$. We will
therefore find a coincidence between the two samples with a probability of
$Q_1$.

In other words, we can find one junction $\mathcal{M}_c$ between $C$ and $D$
preserving each $Z_i$, constituted of $8u_p$ blocks and using
$4 \cdot 2 \cdot 2^{34} u_p$ encipherments.

Thus, the message $\mathcal{M}_{p+1}$, which is equal to the concatenation of
$\mathcal{M}_a$, $\mathcal{M}_c$ and $\mathcal{M}_b$, links up $A_i$ to $B_i$
for each $i$ in $[1, p+1]$.

The total number of blocks of $\mathcal{M}_{p+1}$ is:

$$u_{p+1} = u_p + 8u_p + u_p = 10\,u_p$$

The number of encipherments is:

$$t_{p+1} = t'_p + 2t_p + 2^{37} u_p$$

The probability of success is:

$$Q_{p+1} = Q'_p\, Q_p^2\, Q_1$$

Step 3.2: In step 3.1, we do not need all the elements of $\mathcal{E}^4$ to
find a coincidence, since $2^{34}$ (at each side) will probably suffice. If we
now use all the $609^4 \ge 2^{37}$ elements of $\mathcal{E}^4$, we will find
(at least) 609 junctions with probability $Q'_1$.

The number of encipherments is:

$$t'_{p+1} = t'_p + 2t_p + 2^{40} u_p$$

The probability of success is:

$$Q'_{p+1} = Q'_p\, Q_p^2\, Q'_1$$

It remains now to solve the recurrence relations in $u_p$, $t_p$, $t'_p$,
$Q_p$ and $Q'_p$.

The sequence $(u_p)$ is geometric and we have immediately:

$$u_p = u_1 \cdot 10^{p-1} = 2 \cdot 10^{p-1} \quad \text{for any } p \ge 1$$

Let $(a_p)$ be the sequence equal to $t'_p + 2t_p$. We have:

$$a_{p+1} = t'_{p+1} + 2t_{p+1} = 3a_p + 2^{40} u_p + 2^{38} u_p = 3a_p + 2^{38} \cdot 10^p$$

For $p = 0$ this equation becomes:

$$a_1 = 3a_0 + 2^{38}, \quad \text{so we put: } a_0 = \frac{2^{36}}{3}$$

So for $p \ge 2$:

$$t_p = a_{p-1} + 2^{37} u_{p-1} = 2^{36}\left(3^{p-2} + 4 \cdot 10^{p-2}\left[1 + \tfrac{10}{7}\left(1 - \left(\tfrac{3}{10}\right)^{p-1}\right)\right]\right)$$

Now let $q = 1 - 10^{-4}$. We have:

$$Q_1 \ge q, \quad Q_2 \ge q^4, \quad Q_3 \ge q^{13}, \ldots$$

More generally:

$$Q_p \ge q^{\frac{3^p - 1}{2}} > 1 - \frac{3^p - 1}{2} \cdot 10^{-4} \ge 1 - \frac{3^p}{2 \cdot 10^4}$$

Note that $Q_p \ge 0.995$ for $p = 4$.
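The parameter arithmetic of sections I.5 and II.3, carried through as an added worked example (this code is not part of the paper): it checks the choice $u = rs/n$, the Poisson tail lemma and $x = 609$, then solves the recurrences in $u_p$, $t_p$, $t'_p$, $Q_p$ and compares them with the closed form of the theorem and with the figures quoted for $p = 4$.

```python
"""Added worked example for the generalized birthday attack analysis above
(not from the paper).  Two parts: the section I.5 parameter choice and the
section II.3 recurrences, with their closed forms and the p = 4 figures."""
import math

# ---- Part I.5: coincidences between two samples of r and s values from n ----

def expected_coincidences(r: int, s: int, n: int) -> float:
    """u = rs/n, the mean of the (approximately Poisson) number of pairs
    (i, j) with x_i = y_j when r and s values are drawn with replacement
    from a population of size n (n = 2^64 for a DES block)."""
    return r * s / n

def poisson_cdf(u: float, i: int) -> float:
    """F_u(i) = P(Poisson(u) <= i), the limiting distribution of Part I.
    Terms are formed in log space so that u = 1024 does not overflow."""
    return sum(math.exp(-u + k * math.log(u) - math.lgamma(k + 1))
               for k in range(i + 1))

def success_probability(r: int, s: int, n: int) -> float:
    """S = 1 - F_u(0) = 1 - e^{-u}: probability of at least one coincidence
    (the epsilon terms bounded in sections I.2 and I.3 are omitted here)."""
    return 1.0 - math.exp(-expected_coincidences(r, s, n))

def log_poisson_cdf_bound(u: float, i: int) -> float:
    """The 'easy lemma' of section I.5: ln F_u(i) <= i - u + i (ln u - ln i),
    a Chernoff-type bound valid for 0 < i < u."""
    assert 0 < i < u
    return i - u + i * (math.log(u) - math.log(i))

def lemma_holds(u: float, i: int) -> bool:
    """Check the lemma numerically: F_u(i) <= exp(bound)."""
    return poisson_cdf(u, i) <= math.exp(log_poisson_cdf_bound(u, i))

def smallest_fourth_root_above(r: int) -> int:
    """Smallest integer x with x^4 > r; the paper needs x^4 >= r = 2^37."""
    x = 1
    while x ** 4 <= r:
        x += 1
    return x

# ---- Part II.3: the recurrences of the proof ----

Q1 = 1 - 1e-4          # q: lower bound on Q_1 and Q'_1 (from section I.5)

def attack_parameters(p: int) -> dict:
    """Solve, up to rank p, the recurrences established in steps 1-3.2:
         u_{p+1}  = 10 u_p
         t_{p+1}  = t'_p + 2 t_p + 2^37 u_p
         t'_{p+1} = t'_p + 2 t_p + 2^40 u_p
         Q_{p+1}  = Q'_p Q_p^2 Q_1,   Q'_{p+1} = Q'_p Q_p^2 Q'_1
       starting from u_1 = 2, t_1 = 2^35, t'_1 = 2^38, Q_1 = Q'_1 = q."""
    u, t, tq, Q, Qq = 2, 2 ** 35, 2 ** 38, Q1, Q1
    for _ in range(1, p):
        u, t, tq, Q, Qq = (10 * u,
                           tq + 2 * t + 2 ** 37 * u,
                           tq + 2 * t + 2 ** 40 * u,
                           Qq * Q * Q * Q1,
                           Qq * Q * Q * Q1)
    return {"u": u, "t": t, "t_prime": tq, "Q": Q, "Q_prime": Qq,
            "message_bytes": u * 56 // 8}   # u_p blocks of 56 bits each

def t_closed_form(p: int) -> float:
    """t_p as stated in the theorem: 2^35 for p = 1, and for p >= 2
       2^36 (3^{p-2} + 4.10^{p-2} [1 + (10/7)(1 - (3/10)^{p-1})])."""
    if p == 1:
        return 2.0 ** 35
    return 2.0 ** 36 * (3 ** (p - 2)
                        + 4 * 10 ** (p - 2) * (1 + (10 / 7) * (1 - 0.3 ** (p - 1))))

def q_lower_bound(p: int) -> float:
    """Q_p >= q^{(3^p - 1)/2}, which exceeds 1 - 3^p / (2.10^4)."""
    return Q1 ** ((3 ** p - 1) // 2)

if __name__ == "__main__":
    print(f"S(r=s=2^32, n=2^64) = {success_probability(2**32, 2**32, 2**64):.3f}")
    print("x =", smallest_fourth_root_above(2 ** 37))
    for p in range(1, 5):
        d = attack_parameters(p)
        print(p, d["u"], f"t_p = 2^{math.log2(d['t']):.2f}", f"Q_p >= {d['Q']:.4f}")
```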

CONCLUSION

This paper generalizes the birthday attack presented by Coppersmith at
Crypto'85.

In the first part, we analyse the mathematical aspects of the birthday
problem, for which exact and asymptotical results (with bounds) are provided.
In particular, under some natural hypothesis, the underlying distributions are
proved to converge towards Poisson distributions.

In the second part, the Coppersmith attack is generalized to schemes which
cycle through the message blocks $p$ times (instead of twice). A lower bound
for the probability of success of the attack is given. For example, if DES is
used and if $p = 4$, a bogus message of 14 Kbytes can be forged with (almost
surely) less than $2^{47}$ encipherments. As a consequence, the 4-pass
Davies-Price scheme appears not to be secure enough.

This last result is of importance when the signature is obtained by signing
the initializing values and the end-values. For, in that case, $p = 4$ is the
maximum number of possible passes if the modulus length of the signer is equal
to 512 bits (a very usual length).

REFERENCES

[1] W. Diffie and M. Hellman, "New directions in cryptography", IEEE
Transactions on Information Theory, Vol. IT-22, Nov. 1976, pp. 644-654.

[2] R.L. Rivest, A. Shamir and L. Adleman, "A method for obtaining digital
signatures and public-key cryptosystems", CACM, Vol. 21, n°2, Feb. 1978,
pp. 120-126.

[3] Data Encryption Standard, FIPS Pub 46, N.B.S., U.S. Dep. of Comm., Jan.
1977.

[4] M. Campana and M. Girault, "Comment utiliser les fonctions de condensation
dans la protection des données", SECURICOM 1988, pp. 91-110.

[5] G. Yuval, "How to swindle Rabin", Cryptologia, Vol. 3, No. 3, Jul. 1979,
pp. 187-189.

[6] D. Coppersmith, "Another birthday attack", Advances in Cryptology, Proc.
of Crypto'85, LNCS, vol. 218, Springer-Verlag, 1986, pp. 14-17.

[7] M. Rabin, "Digital signatures", Foundations of Secure Computation,
Academic Press, New York, 1978.

[8] D.W. Davies and W.L. Price, "The application of digital signatures based
on public key cryptosystems", Proc. of the 5th Int. Conf. on Computer
Communications, Atlanta, Georgia, Oct. 1980, pp. 525-530.

[9] W. Feller, "An Introduction to Probability Theory and its Applications",
Volume 1, Wiley, 1968.
An Interactive Data Exchange Protocol
Based on Discrete Exponentiation

G. Agnew, R. Mullin, S. Vanstone

University of Waterloo
Waterloo, Ontario, Canada

Introduction
In the following paper, we propose a protocol for interactive data exchange.
An interactive data exchange session can be divided into three phases as shown
in Fig. 1:
i) a Session Key Exchange/User Authentication phase
ii) a Data Exchange Phase, and
iii) a Resynchronization phase (for error recovery).
The cryptographic system proposed for this system is based on discrete
exponentiation, that is, all operations (though not shown) involve reduction
modulo $p$ for a large prime $p$. The security of the system is based on the
difficulty of determining logarithms in a finite field $GF(p)$ [1]. We also
assume the existence of a trusted Public Key Notary (PKN). The PKN provides a
certification service for each of the users' "public" keys and is not required
to be on line.

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 159-166, 1988.
© Springer-Verlag Berlin Heidelberg 1988

Key Exchange Phase

In this phase, a session key is passed between two users. This exchange
provides mutual authentication of the users involved in the session and is
resistant to spoofing by impersonation. The sequence begins with each user in
possession of its secret exponent value ($a$ for user A), the common modulus
$p$, the common primitive element $\alpha$ and the "well-known" public key of
the PKN, $\alpha^{pkn}$.
The PKN produces entries of the form $[\alpha^{-z}, S_z]$ for each of the
network users, where $\alpha^{-z}$ is user $z$'s "public" key and $S_z$ is a
signed version of that key. The certificate $S_z$ is the pair $(w, x)$, formed
such that $x$ is solved for the congruency

$$\alpha^{-z} \equiv (\alpha^{pkn})^{w} \cdot w^{x} \pmod p$$

for a random value $w$ ($pkn$ is the private information of the PKN). This
procedure and the key exchange protocol are described by ElGamal [2]. This is
shown in Fig. 2. The procedure begins when user A initiates a call to user B
(initiator/respondent respectively). The protocol proceeds as follows:
i) User A generates a random initial key $K$ and a random value $r$.
ii) User A obtains the pair $[\alpha^{-b}, S_b]$ in a public manner (e.g.,
from a public key directory, from B or by other means).
iii) User A verifies user B's public key by computing

iv) If the verification passes, user A applies the ElGamal protocol to form
the message

$$[\alpha^{r},\ (\alpha^{-b})^{r} \cdot K]$$

This is forwarded to user B along with a request for setting up a session.
v) Upon receipt, B recovers the initial session key from the message by using
its secret exponent $b$.

At this point, data communications could proceed, but no authentication of
User A has been performed.
vi) For mutual authentication, user B obtains $[\alpha^{-a}, S_a]$ by public
means and verifies the key (as before).
vii) The actual session key is now formed as

It can be seen that user A can also form this key from its secret and
authenticated data. This completes the Key Exchange phase of the protocol. In
the next section, we examine a "conventional" cryptographic system based on
discrete exponentiation.
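A toy run of the Key Exchange phase above, as an added example that is not the authors' code. It assumes, beyond what the text states, that the PKN certificate $(w, x)$ is the ElGamal signature [2] of the PKN over the public-key value $m$, checked as $\alpha^m \equiv (\alpha^{pkn})^w \cdot w^x \pmod p$; the prime, the secrets and the key are constructed toy values.

```python
"""Added example (not the authors' code): a toy run of the Key Exchange phase.
Assumption beyond the text: the certificate (w, x) is the ElGamal signature
[2] of the PKN over the user's public-key value m, verified by checking
    alpha^m == (alpha^pkn)^w * w^x (mod p).
The modulus is a constructed tiny prime, so nothing here is secure as-is."""
import secrets
from math import gcd

P = 1019        # constructed toy prime (a real system needs a large prime)
ALPHA = 2       # primitive element of GF(P): P - 1 = 2 * 509 and 2 has order P - 1

def is_primitive_root(g: int, p: int, factors) -> bool:
    """g generates GF(p)* iff g^((p-1)/f) != 1 for every prime factor f of p-1."""
    return all(pow(g, (p - 1) // f, p) != 1 for f in factors)

def public_key(secret_exponent: int) -> int:
    """The paper's convention: a user with secret z publishes alpha^-z mod p."""
    return pow(ALPHA, -secret_exponent, P)

def pkn_certify(pkn_secret: int, user_pub: int) -> tuple:
    """PKN signs the public-key value m = user_pub: pick a random k coprime
    to p-1, set w = alpha^k, and solve m = pkn*w + k*x (mod p-1) for x."""
    while True:
        k = secrets.randbelow(P - 1)
        if k > 1 and gcd(k, P - 1) == 1:
            break
    w = pow(ALPHA, k, P)
    x = (user_pub - pkn_secret * w) * pow(k, -1, P - 1) % (P - 1)
    return w, x

def verify_certificate(pkn_pub: int, user_pub: int, cert: tuple) -> bool:
    """Step iii: check alpha^m == pkn_pub^w * w^x (mod p), with 1 <= w < p."""
    w, x = cert
    if not 1 <= w < P:
        return False
    return pow(ALPHA, user_pub, P) == pow(pkn_pub, w, P) * pow(w, x, P) % P

def send_initial_key(b_pub: int, key: int) -> tuple:
    """Step iv: A forms [alpha^r, (alpha^-b)^r * K] for a random r."""
    r = secrets.randbelow(P - 2) + 1
    return pow(ALPHA, r, P), pow(b_pub, r, P) * key % P

def recover_initial_key(b_secret: int, msg: tuple) -> int:
    """Step v: B computes (alpha^r)^b * (alpha^-b)^r * K = K with its secret b."""
    c1, c2 = msg
    return pow(c1, b_secret, P) * c2 % P

def key_exchange(pkn_secret: int, a_secret: int, b_secret: int, key: int) -> dict:
    """Steps i-vi with both sides' messages; returns what each side concluded."""
    pkn_pub = pow(ALPHA, pkn_secret, P)
    a_pub, b_pub = public_key(a_secret), public_key(b_secret)
    cert_a = pkn_certify(pkn_secret, a_pub)                   # PKN directory entries
    cert_b = pkn_certify(pkn_secret, b_pub)
    if not verify_certificate(pkn_pub, b_pub, cert_b):       # A checks B's entry
        return {"ok": False}
    msg = send_initial_key(b_pub, key)                       # A -> B
    recovered = recover_initial_key(b_secret, msg)           # B recovers K
    b_accepts_a = verify_certificate(pkn_pub, a_pub, cert_a) # B checks A's entry
    return {"ok": b_accepts_a, "sent": key, "recovered": recovered}

def tampered_key_rejected(pkn_secret: int, user_secret: int) -> bool:
    """Why step iii matters: a certificate does not transfer to a modified key."""
    pkn_pub = pow(ALPHA, pkn_secret, P)
    pub = public_key(user_secret)
    cert = pkn_certify(pkn_secret, pub)
    altered = pub + 1 if pub < P - 2 else pub - 1   # a different value mod p-1
    return (verify_certificate(pkn_pub, pub, cert)
            and not verify_certificate(pkn_pub, altered, cert))

if __name__ == "__main__":
    print(key_exchange(pkn_secret=123, a_secret=77, b_secret=355, key=42))
```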

Data Exchange Phase

The Key Exchange phase established a common, mutually authenticated key $K_0$
between users A and B. From $K_0$, two sub-session keys $K^a$ and $K^b$ are
derived, one for each direction of data exchange (session initiator, session
respondent respectively).
Before any data is exchanged, each user verifies the correct exchange of the
initial keys. To do this, user A calculates the pattern

and forwards this to B. Similarly, user B calculates the pattern

and forwards this to A. Each end verifies that the correct image has been
received from the other user (see Fig. 3).
Once verification has been performed, the actual data exchange may begin.
Ciphertext blocks are formed as

where $j = a$ or $b$ depending on the direction of data flow, and $i$ indicates
the message block number. The key $K^j_i$ used for each block is unique and is
derived from the appropriate sub-session key as

(this can be done in many ways). Using this technique, plus some error
detection bits added to the plaintext, will allow for the detection of
inserted, deleted or modified blocks.

Rendezvous Phase
The data exchange protocol will now proceed until the end of the session or
until an error occurs. If an error cannot be corrected by simple
retransmission, or if synchronization is lost, then a "Rendezvous" must be
executed (see Fig. 1). In this phase, the receiving user (B in Fig. 4) must
notify the sending user that synchronization has been lost. The sender then
determines the last correctly received message block (we assume that a
communication protocol is present on the link to provide acknowledgments for
correctly received blocks). The sender then increments the state of the key by
a value $n$ such that

where $l$ is the last correctly received block. The sender then calculates the
image

and sends this to the receiving user. The receiving user increments its key
state $K^j$ by an amount $n - q$ and calculates successive values until the
pattern is matched (note: since synchronization has been lost, the state of
either end is unknown, thus the "hunt" process must cover a sufficiently large
number of exponents as to make resynchronization highly probable). Once
resynchronization has been established, the data exchange phase may proceed
once again.
As shown in Fig. 1 and 4, a provision has been made to try the rendezvous
procedure only two times; if resynchronization is not established in this
time, then the session is considered unusable and a key exchange phase is
started once again. (It is also possible that the key exchange phase may fail
a number of times, though not indicated, and provisions must be included to
limit the number of tries for key exchange. If this occurs, then the channel
must be deemed unusable.)

Conclusions
In this paper, we have described a protocol for interactive data exchange
which provides strong mutual authentication of the users and data integrity.
The protocols used are based on a cryptographic system using discrete
exponentiation for public key exchange and conventional data exchange. The
protocol is robust to data/protocol errors and active attacks. While it has
been shown as an interactive protocol, a one-way data exchange protocol (for
email or file transfer) can easily be derived from this protocol.
</gr_repl
ace>

<gr_replace lines="6724-6733" cat="reformat" orig="References">
References
1. W. Diffie, M. Hellman, "New directions in cryptography", IEEE Trans. on
Info. Theory, Vol. IT-22, pp. 472-492, 1976.

2. T. ElGamal, "A public key cryptosystem and a signature scheme based on
discrete logarithms", IEEE Trans. on Info. Theory, Vol. IT-31, pp. 469-472,
1985.

References
1. W. Diffie, M. Hellman, "New directions in cryptography", IEEE Trans. on Info.
Theory, Vol. IT-22, pp.472-492, 1976.

2. T . ElGamal, "A public key cryptosystem and a signature scheme based on


discrete logarithms", IEEE Trans. on Info. Theory, Vol. IT-31, pp.469-472,
1985.
163

Figure 1 - INTERACTIVE PROTOCOL (Key Exchange Phase, Data Exchange Phase and Resynchronization Phase, with the allowed number of tries)

Figure 2 - KEY EXCHANGE PHASE (messages between User A, the public key directory and User B)

Figure 3 - DATA EXCHANGE PHASE (verification patterns exchanged between User A and User B)

Figure 4 - RESYNCHRONIZATION PHASE (sync loss notice from B, last correct state $h$, new state $x = h + (n - q)$, OK, resync established)
ANONYMOUS AND VERIFIABLE
REGISTRATION IN DATABASES

Jørgen Brandt
Ivan Bjerre Damgård*
Peter Landrock
Dept. of Mathematics and Computer Science, Aarhus University
Ny Munkegade,
DK 8000 Aarhus C,
Denmark.

Abstract
Methods are given by which personal data about a large number of individuals
can be registered in a large central database without having to trust this register not to
give away information linked to a given individual. Personal information arriving
from many different sources can be placed correctly in the register. The registration is
done in a verifiable way: Each individual can be given access to the register to check
that his information is correct, and can even, if he chooses to do so, prove to anyone
that he is or is not identical to a given person in the register. This can all be done
without compromising the anonymity of any other individual.

1. Introduction
Consider a set of institutions $D_1, \ldots, D_n$, which collect information
on a large number of individuals. Examples could be tax authorities, banks,
hospitals etc. The institutions would like to set up a large common register
$C$, which is to contain all information from all institutions. There may be
numerous reasons for this: $C$ may be convenient for economical or practical
reasons, or it may be just a temporary register which is set up for
statistical purposes.
This raises of course some security problems: the individuals may be willing
to trust each of the $D_i$, but unwilling to accept a new central register,
since
1) Outsiders can now get access to a complete set of personal data about
anyone, just by breaking into one database; and
2) The $D_i$'s, who have legal access to $C$, may now read data about any
individual, including those that they have had no contact with before.

*This research was supported by the Danish Natural Science Research Council.

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 167-176, 1988.
© Springer-Verlag Berlin Heidelberg 1988

How can we make $C$ secure against unwanted use of the information? It is
well known that preventing access, physical or otherwise, to a database is
very hard and expensive. A cryptographic solution, however, can make the
information useless to intruders, and therefore seems a better alternative.
Recall that in this case the personal information itself is not secret; the
confidential part is the linking of names to particular records in the
register. What we need is therefore a system by which the $D_i$'s can send
information to $C$ in such a way that data arriving from different places
concerning the same person can be identified as such, but without this giving
away the true identity of the individual involved. In other words, we want
the registration to be anonymous: given an individual and a person registered
in $C$, it should be hard to tell whether they are identical. Moreover, it is
desirable that the system is verifiable, i.e. an individual $i$ can be given
access to $C$ to check that his data are correct, and even more important: if
needed, $i$ can produce a proof that he is or is not identical to a given
person registered in $C$. Of course, this must all be done without
compromising the anonymity of anybody else.

2. Related Work
Other researchers, in particular Chaum [Ch], have designed systems to prevent
the linking of a large amount of personal data. Chaum's system is based on
each individual having different pseudonyms with each organisation they talk
to. This makes the information unconditionally unlinkable. On the other hand,
data which is to be exchanged between organisations must travel through the
individual they apply to. With a nationwide database, this may not be a
practical solution. In our system the individuals are known by their real
name in the institutions we have to begin with ($D_1, \ldots, D_n$). This
means of course that the individuals must trust the $D_i$'s and that we lose
the unconditional unlinkability. On the other hand, information can now be
sent to the new register directly, and since our system is identity based, it
can be verifiable. This is much harder to achieve with a system where
individuals choose their own pseudonyms at random: how can person $i$ prove
that he did or did not choose this particular random number?

3. Our Solution
We assume that each person is known to each $D_i$ by some unique piece of
information, like name, address, etc. For person $j$ this will be called
$ID(j)$. Consider now a solution where data will be sent to $C$ such that
information about the individual $j$ is accompanied by an "encryption" of
$ID(j)$, i.e. the image of $ID(j)$ under some suitable function $F$. We let
$J$ denote the set of all possible individuals. We assume that this set is
very large, so that the set of individuals registered in $C$ at any given
time is of negligible size compared to $|J|$.

We can now formulate the properties we need a little more precisely:

Anonymity: given $F(ID(j))$ and the unordered pair $\{ID(j), ID(j')\}$, it is
hard to decide whether $ID(j)$ or $ID(j')$ is the preimage of $F(ID(j))$.

Verifiability: for each $ID(j)$, there exists a witness $w(ID(j))$ with the
property that $ID(j)$ and $F(ID(j))$ are easily computable from $w(ID(j))$.

Independence: The anonymity condition still holds, even when one is also
given a set of pairs $\{(ID(i), w(ID(i))) \mid i \ne j\}$, where the $i$'s
are chosen at random from $J$.
The independence condition is meant to protect against the case where an
enemy knows the identity of some registered individuals. The condition says
that this does not help him to find other identities. Note, however, that
since we assume that the given identities are randomly distributed in $J$,
the condition does not cover the case where an enemy can choose freely
individuals for which he would like to see corresponding $F$-values (c.f.
known plaintext versus chosen plaintext attacks on a crypto system).
The verifiability condition assigns to each individual a unique witness,
which can be thought of as a certificate of the connection between
corresponding $ID$ and $F$-values. This allows an individual to prove to
anyone that he is or is not identical to a given person registered in $C$.
More details can be found in Section 5.
The anonymity condition is as restrictive as possible: it says that even when
given that an unknown person registered in $C$ is identical to one out of two
individuals, it is still hard to tell which one. This and the independence
condition means that some of the more obvious solutions will not work:
Consider for example using as $F$ a publicly known one way function. This
means at least that one cannot compute $j$ from $F(ID(j))$. But since it is
trivial to test from $ID(j')$ and $F(ID(j))$ whether $j = j'$, the anonymity
condition is violated. One way to repair this could be to use a function
depending on some secret parameter, like a pseudo random function [GGM] or a
conventional cipher, i.e. setting $F = f_K$, where $K$ is secret. This may
satisfy the anonymity condition, but the only way we can get verifiability is
by setting $w(ID(j)) = K$ for all $j$, which clearly violates the
independence condition.
The solution we suggest can be informally described as follows: Select a
trapdoor one way permutation $f$ and a one way function $g$ with the same
domain as $f$. By redefining $ID$, we make sure that $ID(j) \in domain(f)$
for all $j$.
We describe one way of doing this in the following: To be specific, let
$ID(j)$ consist of a number of fields, such as $firstname(j)$,
$secondname(j)$, $street(j)$, $city(j)$, etc., where $firstname(j)$ belongs to
some set $FIRSTNAMES$, and similarly for the other fields. This makes $ID(j)$
an element of
$$J = FIRSTNAMES \times SECONDNAMES \times STREET \times \cdots$$

considered as a concatenation of ASCII characters. The set $J$ has a certain
redundancy, and using an ideal encoding rule $c : J \to \{0,1\}^k$, which is
nearly a bijection for

$$k = \log_2(|FIRSTNAMES|) + \log_2(|SECONDNAMES|) + \cdots$$

we may represent the set of possible $ID$'s as binary strings of length $k$.
The parameter $k$ should be chosen such that $domain(f) = \{0,1\}^k$. In
practice, $k$ will be a security parameter, and the number of fields in $ID$
must be chosen accordingly. Also, we must of course admit that the
cardinality of $domain(f)$ will not in general be an exact power of 2, so we
have to content ourselves with approximations in practice.
With this scheme, choosing a random person in $J$ and applying $c$ produces
an (almost) uniformly distributed element in $domain(f)$. Moreover, it is a
reasonable assumption that choosing a random set of strings corresponding to
persons registered in the data base gives a good approximation to a uniform
choice from all of $J$, where "good" is defined relative to the behavior of
polynomial time algorithms using the strings as input. More specifically, we
are assuming that no feasible algorithm is able to exploit the fact that the
individuals in $C$ are not really uniformly chosen, but are selected by some
specific (incredibly complicated) random process.
We then set $F(ID(j)) = g(f^{-1}(ID(j)))$ and $w(ID(j)) = f^{-1}(ID(j))$.
Actually this definition is a bit too restrictive. It is clearly sufficient
that both $ID(j)$ and $F(ID(j))$ are easily computable from $w(ID(j))$, and
with some choices of $f$ and $g$, there are other ways to meet this
condition.

Theorem 3.1
With $F$, $w$ and $ID$ defined as above, the verifiability and independence
conditions are satisfied.
Proof.
Given $w(ID(j))$, one can directly compute $F(ID(j)) = g(w(ID(j)))$ and
$ID(j) = f(w(ID(j)))$. Thus the verifiability condition is satisfied. With
the definition of $ID$ given above, we may assume that selection of a random
individual $i$ will produce an element $ID(i)$ uniformly distributed in the
domain of $f$. Therefore a randomly chosen set $\{(ID(i), w(ID(i)))\}$ can
always be produced without knowing the identity of any individual, just by
starting with a set of randomly chosen witnesses and computing $f$ on each of
them. Therefore an algorithm which would break the anonymity condition given
a set of corresponding identities and witnesses can easily be modified to do
without this, just by producing the required set from scratch as above.

It is much harder to say something conclusive about the anonymity condition.
It is clearly a necessary condition that it is hard to compute $x$ from
$F(x)$ and vice versa. But it is not necessarily true that in order to solve
the testing problem, i.e. find out whether $x = x'$ given $x$ and $F(x')$,
one must be able to actually compute $F$ or $F^{-1}$. For example, it is
proved below that if both $f$ and $g$ are independently selected trapdoor
permutations, then $F$ is in fact hard to compute "both ways". Suppose now
that there exists a large class of trapdoor one way permutations which
commute for all choices of trapdoor, which sounds, if not likely, then at
least conceivable. Then if $f$ and $g$ are chosen from this class, it is
trivial to see that testing is always easy. Another trivial necessary
condition is therefore that $f$ and $g$ do not commute.
One could of course try to prove that testing is equivalent to computing
function values for all functions. But there is little hope of this: in
[BoLa] it is proved that this is equivalent to a long standing, and hard
problem about separation of complexity classes. Indeed if the problem was
settled such that testing was equivalent to computing for ALL functions, then
functions like discrete log and squaring modulo a composite would not be one
way!
Thus, for the concrete constructions we propose, all we can say is that the
necessary conditions are satisfied, and that independent choice of $f$ and
$g$ does seem to be sufficient to ensure anonymity in those cases.
It remains an open problem, however, to formulate precisely what kind of
"independence" one needs between $f$ and $g$ to get anonymity in general.
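A toy instance of the construction $F(ID) = g(f^{-1}(ID))$, $w(ID) = f^{-1}(ID)$, added here as an example that is not the paper's code: $f$ is an RSA permutation on a constructed tiny $\mathbb{Z}_n$, $g$ is a hash folded into $\mathbb{Z}_n$, and the last function shows the pitfall just discussed, namely that when $g$ is a second RSA exponent modulo the same $n$, $f$ and $g$ commute and the testing problem becomes trivial.

```python
"""Added example (not the paper's code): F(ID) = g(f^-1(ID)), w(ID) = f^-1(ID)
with a constructed RSA permutation f on Z_n (n = 61 * 53) and a hash folded
into Z_n as g.  It shows the verifiability check a witness passes, and the
pitfall discussed above: with g a second RSA exponent modulo the same n,
f and g commute and anyone can test a candidate ID against an F-value."""
import hashlib

N = 3233                 # constructed toy modulus 61 * 53 (far too small for real use)
E_F, D_F = 17, 2753      # f(x) = x^17 mod N; trapdoor: f^-1(y) = y^2753 mod N
E_G_COMMUTING = 7        # a second RSA exponent mod N: commutes with f

def f(x: int) -> int:
    """The trapdoor one way permutation f on Z_n."""
    return pow(x, E_F, N)

def f_inverse(y: int) -> int:
    """Only the institutions D_i hold the trapdoor D_F."""
    return pow(y, D_F, N)

def g_hash(x: int) -> int:
    """A one way function on Z_n with no algebraic relation to f."""
    digest = hashlib.sha256(x.to_bytes(2, "big")).digest()
    return int.from_bytes(digest, "big") % N

def g_commuting(x: int) -> int:
    """A bad choice of g: g(f(x)) == f(g(x)) for all x."""
    return pow(x, E_G_COMMUTING, N)

def register(id_value: int, g) -> tuple:
    """What D_i sends to C for person j is F(ID(j)); the witness w is handed
    to the individual.  Returns (F, w)."""
    w = f_inverse(id_value)
    return g(w), w

def verify_witness(id_value: int, f_value: int, w: int, g) -> bool:
    """Verifiability: anyone can check from w that ID and F correspond,
    since ID = f(w) and F = g(w)."""
    return f(w) == id_value and g(w) == f_value

def commuting_test(id_candidate: int, f_value: int) -> bool:
    """With commuting f and g: f(F) = f(g(f^-1(ID))) = g(ID), so this equality
    holds iff the candidate is the registered person: anonymity is lost."""
    return f(f_value) == g_commuting(id_candidate)

# constructed IDs, taken as already encoded into Z_n by the rule c of the paper
ID_ALICE, ID_BOB = 1234, 2468

if __name__ == "__main__":
    F_alice, w_alice = register(ID_ALICE, g_hash)
    print("witness verifies:", verify_witness(ID_ALICE, F_alice, w_alice, g_hash))
    F_bad, _ = register(ID_ALICE, g_commuting)
    print("commuting test picks Alice:", commuting_test(ID_ALICE, F_bad),
          "Bob:", commuting_test(ID_BOB, F_bad))
```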
As a final observation about the anonymity condition, consider the obvious
attack starting with a randomly chosen witness $w$ and computing $f(w)$, which
will be $ID(j)$ for some $j$, and $g(w)$, which is equal to $F(ID(j))$. If
$j$ happens to be registered in $C$, we have broken the anonymity of $j$.
This attack will not work, however, because we have assumed that the number
of individuals actually registered is negligible compared to the number of
possible individuals in $J$. Thus there is only a negligible probability that
this attack will result in a known identity for any "useful" individual. This
does not exclude that there could be some way to cleverly choose $w$ in a way
that would ensure that $f(w)$ was in fact the $ID$ of somebody in $C$,
corresponding to what one tries to do in an attack on a signature scheme with
redundancy built into the messages. Note, however, that when such redundancy
schemes can be cracked, it is always because there exists some simple
algebraic description of the set of valid messages. This description,
together with for example the multiplicative property of RSA, can then be
used to break the system. It seems extremely unlikely, though, that such a
description would exist for the set of individuals registered in $C$ at some
random point of time. Unfortunately, for precisely the same reason, it seems
to be very hard to actually prove something about this question!
But at least, we can prove that with the right choice of $f$ and $g$, $F$ is
hard to compute in "both directions":

Theorem 3.2
Suppose $F$ is constructed using randomly and independently chosen trapdoor permutations $f$ and $g$. Suppose also that it is infeasible to compute $f^{-1}$ and $g^{-1}$ for more than a negligible fraction of the possible choices of $f$ and $g$. Then both $F = gf^{-1}$ and $F^{-1} = fg^{-1}$ are infeasible to compute for more than a negligible fraction of the possible choices of pairs $(f, g)$.
Proof.
Suppose we have an efficient algorithm for computing $F$. Then this algorithm can be used to compute $f^{-1}$ for a randomly chosen $f$ with unknown trapdoor as follows: select a $g$ with known trapdoor at random, and run the algorithm on $F$ constructed from $f$ and $g$. By assumption, the algorithm can compute $F$-images with nonnegligible probability, and for each $x$ for which it tells us what $F(x)$ is, we can use the trapdoor for $g$ to compute $f^{-1}(x) = g^{-1}F(x)$. The case with $F^{-1}$ is symmetric. □

There is a price to pay in order to be able to prove that $F$ and $F^{-1}$ have the claimed properties, namely the assumption that $g$ is trapdoor, which introduces the risk of having the trapdoor revealed to an enemy. One can do away with this by developing systems where $g$, and therefore $F$, is a one way function with no (known) trapdoor. This would mean that even organisations with maximal information on the system would be unable to "decrypt" randomly chosen identities in $C$, although knowledge of the trapdoor for $f$ would enable them to test given identities against $F$-values. This would be of little use to an enemy, however, if $C$ was only willing to release data on an individual to $D_i$ if $D_i$ had previously provided data on that individual. This could be implemented by including a protocol by which any $D_i$ could identify itself to $C$ before getting access to any data.
One way to implement the system in practice is to assume a trusted center which selects $f$ and $g$ together with the trapdoor information for $f$, computes and sends secretly $f^{-1}(ID(j))$ to each $j$, then forgets the trapdoor information and stops functioning. Alternatively the center can be made permanent if new persons have to enter the system later. The individuals can verify that they have correct information from the center, can compute their own $F$-value, and later convince each $D_i$ that this value is correct. This can be done simply by showing $w(ID(j))$ to $D_i$. In any case, no $w$-values have to be remembered by the $D_i$'s. This solution protects optimally against the $D_i$'s reading data they should not have access to: each $D_i$ can find data about individual $j$ precisely if $j$ has given $F(ID(j))$ to $D_i$. For all other individuals, $D_i$ is in exactly the same position as an outside enemy, by the independence condition.
Another way is to make the trapdoor for $f$ known to all $D_i$'s, but not to $C$. Then the $D_i$'s can have their information stored in clear, and compute $F$-values as needed when they communicate with $C$. This removes the need for a trusted center, but on the other hand all $D_i$'s are now faced with the security problem of safeguarding the trapdoor of $f$. Also the protection against the $D_i$'s themselves is reduced: since knowledge of the trapdoor for $f$ implies the ability to compute $F$-values, the $D_i$'s can check if a given individual is identical to a person registered in $C$, but they are not able to find the identity of a randomly chosen person in $C$, by the one way property of $g$.
At this point we must address the ultimate disaster for the proposed model: the disclosure of both trapdoors to an enemy. Obviously, the enemy may then calculate $ID(j)$ from $F(ID(j))$ and vice versa, and the entire database is seriously compromised. It therefore seems natural to introduce some measure that would make this impossible. One scheme is to apply a one-way function $h$ to $ID(j)$ and then use the above model on $h(ID(j))$. If $h$ is truly one-way this makes it impossible for anyone to get from $F(h(ID(j)))$ to $ID(j)$ except by exhaustive search which, by the very nature of the problem, we can never prevent if the trapdoors are revealed. There are many choices for practical implementations of $h$. It could be a hash function from a set of long ID's to a much smaller set of binary strings. Here one should take care to ensure injectivity on the set of actual ID's.

4. Concrete Constructions
1) $F(x) = (\sqrt{x} \bmod n)^3 \bmod n'$.
The function $F$ can be constructed from
$f(x) = x^2 \bmod n$ and $g(x) = x^3 \bmod n'$,
where $n$ and $n'$ are products of two large and strong primes, chosen independently of each other. Moreover $n$ and $n'$ must be of compatible size (to prevent $F(x) = x$!). Also $f$ is only injective on the elements of odd order in $Z_n^*$, which, as mentioned earlier, is compensated for through the definition of ID.
Obviously, $f$ and $g$ do not commute, and Theorem 3.2 indicates that $F$ and $F^{-1}$ are infeasible to compute for a non vanishing fraction of choices of $n$ and $n'$. Note that if the factorization of $n'$ is known, $\sqrt{x} \bmod n$ and hence probably $x$ can be computed from $F(x)$. But as mentioned earlier, the trapdoor for $g$ is never used in an application, so the factorization of $n'$ can be deleted immediately after choosing $n'$.

Note that using squaring for both $f$ and $g$ will not work: given a consistent pair $(ID, F(ID))$, the witness can be computed using the Chinese Remainder Theorem and without knowledge of the factorizations! The generalization of this attack by Hastad [Ha] does not seem to work with our choice of exponents, since there are only two equations involving the witness, and this is insufficient to make the attack work. The number of equations needed to compute the witness becomes much larger when the exponents get large, and therefore better security may be achieved by choosing random RSA-exponents instead of 2 and 3.
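Construction 1) with toy moduli, as an added example that is not from the paper: it builds $f$, $g$, $F = gf^{-1}$ and the witness $w(x) = \sqrt{x} \bmod n$, runs the check a database $D_i$ performs on a received triple $(ID, F(ID), w)$, and shows why the factorization of $n'$ has to be deleted (with it, a cube root of $F(x)$ modulo $n'$ gives back $\sqrt{x} \bmod n$ and hence $x$). The primes 59, 83, 47, 107 are constructed for readability only; each is a safe prime congruent to 3 mod 4, so squaring permutes the quadratic residues (the odd-order elements the paper restricts $f$ to).

```python
from math import gcd

# Constructed toy parameters: n = 59*83, n' = 47*107. Each prime p = 2p'+1 with p'
# an odd prime, so the quadratic residues modulo n form a group of odd order on
# which squaring is a bijection. n < n' keeps the sizes "compatible" enough that
# a witness w < n is also an ordinary residue modulo n'.
P, Q = 59, 83            # trapdoor for f
P2, Q2 = 47, 107         # trapdoor for g (to be deleted right after choosing n')
N1 = P * Q               # n  = 4897
N2 = P2 * Q2             # n' = 5029
assert N1 < N2

def f(x):
    """f(x) = x^2 mod n."""
    return pow(x, 2, N1)

def g(x):
    """g(x) = x^3 mod n'."""
    return pow(x, 3, N2)

def crt(a, p, b, q):
    """Combine a (mod p) and b (mod q) into one residue modulo p*q."""
    return (a + p * ((b - a) * pow(p, -1, q) % q)) % (p * q)

def f_inverse(x):
    """Trapdoor inversion of f: the square root of x that is itself a quadratic
    residue, i.e. the unique preimage inside the odd-order subgroup."""
    rp = pow(x, (P + 1) // 4, P)      # valid because P = 3 (mod 4)
    rq = pow(x, (Q + 1) // 4, Q)
    w = crt(rp, P, rq, Q)
    assert f(w) == x, "x is not a quadratic residue modulo n"
    return w

def F(x):
    """F(x) = g(f^{-1}(x)) = (sqrt(x) mod n)^3 mod n'; needs the trapdoor for f."""
    return g(f_inverse(x))

def witness(x):
    """w(x) = f^{-1}(x) = sqrt(x) mod n, handed to each D_i together with F(x)."""
    return f_inverse(x)

def verify(x, fx, w):
    """Verifiability check run by D_i: both ID and its F-value must follow from w."""
    return f(w) == x and g(w) == fx

def make_identity(seed):
    """Map a residue coprime to n into the odd-order subgroup by squaring,
    which is what the paper's definition of ID compensates for."""
    assert gcd(seed, N1) == 1
    return f(seed)

def recover_identity_with_g_trapdoor(fx):
    """What anyone holding the factorization of n' can do: a cube root of F(x)
    modulo n' is sqrt(x) mod n itself (since sqrt(x) mod n < n'), and squaring
    it modulo n returns x. This is why the trapdoor for g is discarded."""
    inv3 = pow(3, -1, (P2 - 1) * (Q2 - 1))   # 3 is coprime to phi(n') here
    w = pow(fx, inv3, N2)
    return f(w)
```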

2) $F(x) = a^{\sqrt{x} \bmod n} \bmod n'$.
$F$ can also be constructed from
$f(x) = x^2 \bmod n$ and $g(x) = a^x \bmod n'$,
where $n$ is chosen as above. $n'$ can be chosen as $n$ or as a large prime; it is important that $a$ is chosen such that it generates a large subgroup of $Z_{n'}^*$, whence discrete logs base $a$ are (presumably) hard to compute. The same remarks as those relevant to case 1) apply here, except the fact that $g$ is not trapdoor in this case. This means that Theorem 3.2 does not apply; on the other hand there is no risk of accidental release of a trapdoor for $g$.
For convenience, it might even be reasonable to choose $n = n'$, except for the fact that $f$ and $g$ will then not be independently chosen.

3) $F(x) = x^{\sqrt{x} \bmod n} \bmod n$.
Here, it is not so transparent how to choose $f$ and $g$. However if we set
$f(x) = x^x \bmod n$ and $g(x) = x^2 \bmod n$
then
$F(x) = x^{\sqrt{x} \bmod n} \bmod n = (\sqrt{x})^{2(\sqrt{x} \bmod n)} \bmod n = gfg^{-1}(x)$.
So $F$ is conjugate to $f$ under the action of the symmetric group on the elements of odd order in $Z_n^*$, on which $g$ is a bijection.
The function $f$ is not one to one. In fact it has some of the properties one would expect from a "typical" random function from $Z_n$ to $Z_n$. Indeed, as is well known:

Lemma 4.1
Consider the set of functions from a set $A$ into itself, where $A$ has cardinality $n$. Then the average size of $\mathrm{Im}(f)$ is
$(1 - e^{-1})n \approx 0.63n$. □

From practical experiments, this seems to hold for $f$. Consequently, it is reasonable to assume that $f$ is one to one on very small subsets of its domain, like the set of existing ID's, for example. We then define
$\hat f = gf^{-1}$
to obtain $F(x) = g\hat f^{-1}(x)$. In this setup, however, we cannot define $w(x) = \hat f^{-1}(x)$ as in the previous section, since $x$ would then not be computable from $w(x)$. Instead we simply define $w(x) = \sqrt{x} \bmod n$, from which both $x$ and $F(x)$ can be easily computed, as required in the verifiability condition.

5. A Solution Using Bit Commitments

A bit commitment scheme is a method by which $A$ can "encrypt" a bit in such a way that
(1) No one else can guess from the encryption which bit it encrypts.
(2) After releasing the encryption, $A$ is committed to her choice of the bit, i.e. she can convince everybody about her original choice, typically by releasing some more information, but she cannot change her mind about the choice.
The encryption is computed using a random input which is also chosen by $A$. For a bit string $s$, we will let $BC(s, r)$ denote a string of encryptions, one for each bit in $s$, computed using the binary string $r$ as random input. We will talk about this as a bit commitment to $s$.
Such bit commitment schemes exist relative to many of the widely accepted intractability assumptions, such as the hardness of factoring, discrete log, graph isomorphism, etc. More details about bit commitments can be found in [Da] or [BrCr].
A very simple idea to solve our basic problem is now to let
$F(ID(j)) = BC(ID(j), r)$ and put $w(ID(j)) = r$.
$F(ID(j))$ can be computed by $j$ himself, and $j$ can prove the correctness of $F(ID(j))$ to $D_i$ simply by showing $w(ID(j))$ to $D_i$.
By property 1 above, this solution satisfies both the anonymity condition and the independence condition, even in a strict information theoretic sense, if the bit commitment scheme is chosen correctly. Property 2 prevents cheating by individuals, such as having several identities represented by the same $F$-value. Unfortunately, there is still one problem left: the verifiability condition is not satisfied, because the witness is not a function of the identity but is independently chosen, and therefore $ID(j)$ is not computable from $w(ID(j))$.
To see what this means in practice, consider the difference to the earlier described solutions: there, it is possible for $j$ to prove that $ID(j)$ is NOT connected to $F(ID(j'))$ without having to reveal $F(ID(j))$, i.e. give up his own anonymity. This can be done by setting up a boolean circuit doing the following computation: it takes as input $w(ID(j))$, and is given $ID(j)$ and $F(ID(j'))$ as constants. It checks $w(ID(j))$ by computing $ID(j)$ from it, then computes $F(ID(j))$ and compares with $F(ID(j'))$. The output is two bits,
$b_1$, which is 1 precisely if the witness is correct, and
$b_2$, which is 1 precisely if $F(ID(j)) = F(ID(j'))$.
Using this circuit, $j$ can convince anyone in minimum knowledge that he knows how to choose input for it that gives output $b_1 = 1$ and $b_2 = 0$. This is clearly equivalent to proving that he is not identical to the individual registered under $F(ID(j'))$. The proof can be executed using for example the general protocol from [BrChCr].
With the solution from this section, the above protocol does not work, simply because it is not possible to check the correctness of a witness, and without this check the protocol does not prove anything.
The only way to repair this is to ensure that $j$ is committed also to his choice of $w(ID(j))$. This can be done by introducing a public directory containing entries for all individuals. For person $j$, the entry is $BC(w(ID(j)), r')$. This entry can be computed and proven correct by $j$ himself initially. We can now make the above protocol work once again, since a witness can now be checked by testing whether the appropriate entry in the public file contains a commitment to the witness in question.
Thus this solution is of theoretical interest because it shows the existence of systems that provably satisfy the anonymity condition, but it is not of great practical importance, because we must introduce additional complications to get a complete solution.

Conclusion.
We have shown a practical solution to anonymous and verifiable registration in
databases, and we have pointed out 3 basic conditions that such a solution should
satisfy. We have also shown the existence of solutions that satisfy all 3 conditions.

References.
G. Brassard, D. Chaum and C. Crépeau: "Minimum Disclosure Proofs of Knowledge", tech. report PM-R8710, CWI, Amsterdam 1987.
G. Brassard and C. Crépeau: "Non-Transitive Transfer of Confidence: a perfect zero-knowledge Protocol for SAT and beyond", Proc. of FOCS 86, pp. 188-195.
D. Chaum: "Security Without Identification: Transaction Systems to make Big Brother Obsolete", CACM, vol. 28, 1985.
I. Damgård: "The Application of Clawfree Functions in Cryptography; Unconditional Protection in Cryptographic Protocols", Ph.D. thesis, Aarhus University, 1988.
J. Hastad: "On Using RSA with Low Exponent in a Public Key Network", Proceedings of Crypto 85, Springer.
M. Boppana and L. Lagarias: "One Way Functions and Circuit Complexity", Information and Computation, vol. 74, pp. 226-240, 1987.
Elections with Unconditionally-Secret Ballots
and Disruption Equivalent to Breaking RSA

David Chaum
Centre for Mathematics and Computer Science
Kruislaan 413 1098 SJ Amsterdam

Introduction

An election protocol is presented that has the following properties:

• A voter's privacy can be violated only by cooperation of all other voters.
• Voters can ensure that their ballots can be counted.
• Voters wishing to disrupt an election can cause only a limited delay before being disenfranchised, unless RSA is broken.
It is assumed, for simplicity, that a single organization $z$ is empowered to decide who can register and that $z$ acts faithfully to complete elections. (This assumption is relaxed somewhat in the final section.) Nevertheless, even if $z$ were endowed with infinite computational power, $z$ could not learn who votes which way or falsely convince voters that their votes are counted.
The remaining sections may be summarized as follows: (1) previous work on voting protocols and some related protocols underlying the present proposal are surveyed; (2) the ballot issuing protocol and its properties are presented separately, being the heart of the present contribution; (3) the model and overall voting protocol are presented based on the ballot issuing protocol; (4) some simple ways to apply the techniques to payment and credential systems are mentioned; and (5) the assumptions and several further points related to the protocols are discussed.

1. Relation to Previous Work

The first multi-party secure election protocol in the literature [Chaum 81] could not prevent someone able to break RSA from tracing ballots back to particular voters, although some properties about it could be proved under reasonable assumptions [Merritt 83]. A subsequent proposal did not at all protect the confidentiality of ballots from those conducting elections [Cohen & Fischer 85]. An extension [Cohen 86], similar in nature to the original [Chaum 81] proposal, divides the "government" into parts, in such a way that all parts must cooperate to violate participants' privacy. Using such a protocol to obtain the optimal privacy protection obtained here, however, would allow any single participant to disrupt the entire election. Also, it has security against cheating that is only linear in the effort required of each participant, in contrast to the exponential security proved here.

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 177-182, 1988.
© Springer-Verlag Berlin Heidelberg 1988
The present work draws on two previous basic results. One is a "sender untraceability" system detailed in [Chaum 88b]. It provides unconditional security against tracing the senders of messages and limits the disruption that can be caused by participants. The second is the notion of "blind signatures," which serves as a basis for untraceable payments and credentials, as introduced in [Chaum 85] and detailed in [Chaum 88c] and [Chaum & Evertse 87].

2. Ballot Issuing Protocol

The protocol defined in this section in essence allows an applicant $y$ to give very high certainty to $z$ that the ballot provided by $y$ is of a form that allows $y$ only to cast a single vote.
Consider the following protocol between an applicant $y$ and organization $z$:

(1) Once, and for all applicants, $z$ broadcasts: a small integer security parameter $s$; a second integer parameter $n$; an RSA modulus $N$; a prime $d > N$; and $n$ distinct random units of the ring of residue classes modulo $N$ (called units modulo $N$ for short), denoted $v_j$, where $j \in \{1, \ldots, n\}$ throughout. (In this protocol "random" is used to mean uniformly distributed and independent of everything else.)

(2) $y \to z$ (read "$y$ sends to $z$"): $M = (m_{i,j})$, $m_{i,j} \equiv v_{\pi_i(j)}\, r_{i,j}^d \pmod N$, where $i \in \{1, \ldots, s\}$, with $\pi_i$ random permutations of $\{1, \ldots, n\}$, and with $r_{i,j}$ random units modulo $N$.
(3) $z \to y$: $C$, a random nonempty proper subset of $\{1, \ldots, s\}$.
(4) $y \to z$: $k \in \{1, \ldots, s\} \setminus C$; $P = (p_{i,j})$, $p_{i,j} = \pi_i(j)$ for $i \in C$, $p_{i,j} = \pi_k^{-1}(\pi_i(j))$ for $i \notin C$; $Q = (q_{i,j})$, $q_{i,j} \equiv r_{i,j} \pmod N$ for $i \in C$, and $q_{i,j} \equiv r_{k,\pi_k^{-1}(\pi_i(j))}\, r_{i,j}^{-1} \pmod N$ for $i \notin C$.
(5) $z$ verifies that every row of $P$ is a permutation of $\{1, \ldots, n\}$; that $m_{i,j} \equiv v_{p_{i,j}}\, q_{i,j}^d \pmod N$ for $i \in C$; and that $q_{i,j}^d \equiv m_{k,p_{i,j}}\, m_{i,j}^{-1} \pmod N$ for $i \notin C$.
Theorem: For $y$ following the protocol, $\pi_k$ is statistically independent of the messages transmitted.
Proof (sketch): Without loss of generality, fix $k$. The tuple $(P, Q, M)$ defines the messages transmitted in an instance of the protocol, and $A$ denotes the set of all possible such tuples. Similarly, $B$ is the set of all possible tuples $(\pi_i, r_{i,j})$ with $i \ne k$, $1 \le i \le s$ and $1 \le j \le n$. It follows easily from the protocol that each $\pi_k$ defines a one-to-one correspondence between $A$ and $B$. Moreover, by the mutual independence and uniformity of all the $\pi_i$ and $r_{i,j}$, the conditional probability distribution of $B$ given $\pi_k$ is uniform for each instance of the protocol. Therefore the conditional probability distribution of $A$ given $\pi_k$ is always uniform and hence independent of $\pi_k$. □

Theorem: Assuming $y$ cannot form $d$th roots of random units modulo $N$, then when $z$ reveals $d$th roots modulo $N$ of $h$ distinct $m_{k,j}$, with $k$ fixed and $1 \le j \le n$, the probability of allowing $y$ to learn $d$th roots of other than exactly $h$ of the $v_j$ does not exceed $1/(2^s - 2)$.
Proof (sketch): It is sufficient to show that, with probability $\ge 1 - 1/(2^s - 2)$, there exists exactly one permutation $\pi$ such that for each $j$, $1 \le j \le n$, $y$ knows an $r_j$ such that $m_{k,j} = v_{\pi(j)}\, r_j^d$. With probability $\ge 1 - 1/(2^s - 2)$ there exists at least one permutation $\pi'$ such that $y$ can express each entry $m_{k,j}$ as $m_{k,j} \equiv v_{\pi'(j)}\, r_j'^{\,d} \pmod N$, since otherwise only one $C$ allows $y$ to succeed. (Notice that for $y$ to successfully cheat, the $m_{i,j}$'s must be properly constructed for each $i \in C$ and improperly constructed for each $i \notin C$. But this implies that only one $C$ allows $y$ to cheat.) It remains to be shown that there cannot be two permutations $\pi'$ and $\pi''$ such that $y$ knows $r'_{k,j}$ and $r''_{k,j}$ with $m_{k,j} \equiv v_{\pi'(j)}\, r'^{\,d}_{k,j} \equiv v_{\pi''(j)}\, r''^{\,d}_{k,j} \pmod N$ for $j \in \{1, \ldots, n\}$. If there were two such permutations, then $y$ would have been able to learn the $d$th root of a quotient $v_{\pi'(j)}\, v_{\pi''(j)}^{-1}$ for some $j$ with $\pi'(j) \ne \pi''(j)$. But it is easy to see that the ability to compute roots on random quotients is polynomial time reducible to the ability to compute roots on random units. □

3. Overall Voting Protocol

Elections are in three phases:

Preliminary: In the preliminary phase, $z$ broadcasts those things mentioned in the first step of the ballot issuing protocol above. This is done only once for the entire election. Additionally, $z$ broadcasts an assignment of an outcome to each $v_j$, thus partitioning the $v_j$ into fixed, disjoint equivalence classes, such that each class corresponds with a distinct outcome. For example, assuming the election allows each voter to cast a single vote (as is assumed throughout) for at most one of two candidates, then the $v_j$ are partitioned into two outcome classes, one for each candidate.
Registration: During the registration phase, each applicant communicates with $z$. If $z$ agrees to allow a particular applicant to register, then the applicant and $z$ conduct an instance of the ballot issuing protocol of the previous section. The result of this is a tuple of $n$ elements, $m_{k,j}$, one element of which is selected by the applicant. This selected element is denoted $b_l$ for the $l$th registered voter. (It is now assumed that $n \gg m$.) The final result of the registration phase, which is broadcast by $z$, is the set of $b_l$, for $1 \le l \le m$, where $m$ is the number of registered voters. It will still be possible for disputes regarding the $b$'s to be resolved at this point without revealing anything about the votes.
Voting: The voting phase is begun by $z$ broadcasting the $d$th roots of all of the $b_l$. (Naturally, if this is not carried out properly, everyone will know.) Then, the $l$th voter recovers the $d$th root of a $v_j$, simply by dividing the $d$th root of $b_l$ by the corresponding $r_{k,j}$. Each voter then broadcasts, under the sender untraceability protocol mentioned above, the root of the single $v_j$ recovered. Finally, each voter can verify that the root of the $v_j$ sent by that voter was in fact available from the broadcast channel. The number of votes for a particular outcome is just the number of distinct $d$th roots of $v_j$'s corresponding to that outcome.

4. Payments and Credentials

The election protocol can be used to directly realize untraceable payments: each $v_j$ stands for, say, one dollar; registration is withdrawal from a bank account; payment is made by providing a shop with a $d$th root of a $v_j$ that has not yet been accepted for deposit by the bank.
A variation on the election protocol can also be used to implement a "credential mechanism" [Chaum 85 and Chaum & Evertse 87]. The $v_j$ serve as unique personal identifiers, one selected by each individual. Let $d_k$ be distinct primes, with $d_k \mid d$ and $(d_k, \phi(N)) = 1$, for suitably many $k$'s. Each individual participates in an instance of the election protocol with each organization, using a $d_k$ unique to that organization. (See [Shamir 83] for why such use of the $d_k$ is secure.) If not all $m$ votes are cast in any organization's "election," at least one participant is cheating. In this case, people reveal all their $r_{k,j}$ and $\pi_k$, and those who are unable to show that their $b_l$ corresponds to a $v_j$ that was broadcast are revealed as cheaters and excluded from the protocol. This is repeated with different $v_j$ until no cheating is detected.
The remaining unused $k$'s each correspond to a type of credential. An organization issues the $k$th credential to a person by providing the $d_k$th root of the person's selected element, $b_l$; then and only then can the $d_k$th root of the person's selected element with any other organization be shown.

5. Discussion

It has been assumed that $n$ was large enough to make the possibility of the same $v_j$ being chosen accidentally by two voters acceptably small. This might require something like $n = 100m^2$, which might be impractical for large $m$. Another approach allows $n = m$. It is based on the idea that voters will be able to reserve $v_j$'s anonymously. One way to do this is by using the "slot reservation" protocol of [Chaum 84a], which has been improved by [den Boer 87]. A simple variation allows reservations to be made and confirmed one at a time, using any sender untraceability system. (Reducing from $2m$ to $m$ could be accomplished by elections using one $d_k$ for each type of vote.)
If less than $m$ disjoint roots of $v_j$ are broadcast, $z$ could form and broadcast extra votes. Thus people who register and do not vote, in effect, allow $z$ to steal their vote. Someone might entrap $z$, however, by allowing a vote to be stolen and later broadcasting the real (different) vote, possibly untraceably.
The essential requirements of the communication channel are that $z$ must not be able to provide inconsistent or incomplete messages to different voters, and that voters must be able to broadcast the messages required to untraceably submit votes. The first property could be achieved in some cases simply by $z$ making digital signatures on all messages, including some kind of hash of (or even all) previous messages and a time stamp, since if inconsistent messages become known, $z$ would be incriminated.

The requirement that $d$ be prime and $> N$ ensures that $(d, \phi(N)) = 1$. To get certainty that a small $d$ has this property seems difficult in general. It is easy, however, to modify the protocol presented to give exponential certainty that $(d, \phi(N)) = 1$ using the idea that $y$ and $z$ can "flip coins by telephone" [Blum 82] to develop $t$ mutually trusted random units, after which $z$ is required to reveal their $d$th roots. The probability that $z$ can cheat is then $\le 2^{-t}$, assuming that $z$ cannot cheat during the coin flipping. This can be ensured if, for example, $z$ provides the modulus used in coin flipping and is then required to reveal its factorization afterwards.
A natural extension is to divide among several entities various functions of $z$, such as: creating the random $v_j$'s; making the registration (withdrawal) decision; and signing the $b_l$'s.

Summary and Conclusion

Election protocols embodying robustness, verifiability of returns by voters, and unconditional security for voters' privacy have been presented. The techniques also allow untraceable payments and credentials.

References

Blum, M., "Coin flipping by telephone," Proceedings of IEEE Compcon, 1982, pp. 133-137.
Boer, B. den, private communication.
Chaum, D., "Untraceable electronic mail, return addresses and digital pseudonyms," Comm. ACM 24, 2 (February 1981), pp. 84-88.
Chaum, D., "Security without identification: transaction systems to make big brother obsolete," Comm. ACM 28, 10 (October 1985), pp. 1030-1044.
Chaum, D., Evertse, J.-H., "A secure and privacy-protecting protocol for transmitting personal information between organizations," Advances in Cryptology: Proceedings of CRYPTO 86, A.M. Odlyzko, Ed., Springer-Verlag, pp. 118-167, 1987.
Chaum, D., "Blinding for unanticipated signatures," Advances in Cryptology: Proceedings of Eurocrypt 87, D. Chaum and W.L. Price, Eds., Springer-Verlag, pp. 227-233, 1988a.
Chaum, D., "The dining cryptographers problem: unconditional sender and recipient untraceability," Journal of Cryptology, Vol. 1 No. 1, pp. 65-75, 1988b.
Chaum, D., "Privacy protected payments: unconditional payer and / or payee untraceability," to appear in Smart Card 2000, North-Holland, 1988c.
Cohen, J. and Fischer, M., "A robust and verifiable cryptographically secure election scheme," Proceedings 26th FOCS, 1985, pp. 372-382.
Cohen, J.D., "Improving Privacy in Cryptographic Elections," Yale University Computer Science Department Technical Report YALEU / DCS / TR-454, February 1986.
Merritt, M., Cryptographic Protocols, Ph.D. Thesis, Georgia Institute of Technology, GIT-ICS-83 / 06, 1983.
Shamir, A., "On the generation of cryptographically strong pseudorandom sequences," ACM Transactions on Computer Systems, Vol. 1 No. 1, pp. 31-44, February 1983.
PASSPORTS AND VISAS VERSUS IDs
(Extended Abstract)

George I. Davida, Yvo G. Desmedt

Dept. of EE & CS,
Univ. of Wisconsin - Milwaukee
P.O. Box 784,
Milwaukee, WI 53201, U.S.A.

ABSTRACT

Most of the proposed cryptographic based electronic IDs are not adequate when used in international identification protocols. In this paper we extend the concept of a cryptographic electronic ID to a system of electronic passports and visas that surpass existing paper versions.

I. INTRODUCTION

The need to identify oneself arises in many situations: cashing a check, using a credit card, checking into hotels, etc. Some employers require the employees to wear badges for identification and/or access privileges to certain areas of the place of employment.
Identification schemes have become an increasingly important subject in cryptology. The use of cryptography in identification was first proposed by Diffie and Hellman [5], who suggested that identification corresponded to authenticating a message of the type "I am User X". Simmons suggested the use of the physical description of a person signed by a trusted center [8]. Recently Fiat and Shamir (and later Feige, Fiat and Shamir [6]) have proposed that identification corresponds with proving that one has knowledge of a secret without divulging the secret itself using zero-knowledge proofs [7]. These schemes have problems if the testing of the physical description of a person cannot be adequately done. Furthermore, if the testing of the physical description is adequately done, then the security of the Fiat-Shamir and Feige-Fiat-Shamir schemes need not depend on zero-knowledge proofs (see [3] and [4]).

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 183-188, 1988.
© Springer-Verlag Berlin Heidelberg 1988

The very definition of what a digital identification is needs to be studied. The most recent definition given in [2], which is an adaptation of the definition given in [7, p. 186], is:

In a secure identification system at least one trusted center knows which unique individual corresponds with a certain public ID. Based on his ID A is able to convince B that he is A, but B can not convince others that he is A.

Proposed solutions to the problem of identification have to be studied more thoroughly and new methods need to be investigated. In [1] new methods are proposed in the context of a classification of the fundamental techniques of identification, namely:

1. Methods that rely on the "complete" physical description.
2. Methods that use the "complete" natural knowledge of the individual.
3. Methods that use artificial knowledge.

In the next section it will become clear that a normal ID can not be used for international purposes. An electronic version of passports and visas is necessary to have higher security than existing systems (see Section III).

II. PASSPORTS AND VISAS

Fiat and Shamir considered a passport as an example of an ID [7, p. 186]. We will see that making secure passports requires more than what is necessary for having a simple (secure) ID-card.
In an international environment there will be many centers that issue IDs. The above definition works only if one trusts the center that issues an ID. It is however clear that many countries do not necessarily trust each other. So the assumptions on which the security of ID-cards is based are inadequate in an international environment. Electronic passports are a better solution. However passports are much more than just IDs. So extra requirements, beside those involving trust, are necessary.
Paper passports allow another country to stamp the passport at entry or upon leaving a country. These stamps are mostly date stamps and contain the name of the country which stamps, and other information such as the maximum allowed length of stay. The fact that this information is stamped inside a passport allows anyone who inspects a passport to read this information, particularly the center

that issued the passport. Sometimes access to a country is denied because of a lengthy stay in another non-friendly country. The center that issues the passport can also decide to issue a new passport such that a part of your record of visits is hidden from outsiders, while retaining this information at the center.
The above stamps should not be confused with visa stamps, which are another issue, because these stamps are delivered before one visits a foreign country. Visas serve to add host country controls to the passport. These controls may be multiple. Their purpose is to better control foreign visitors. Visas are also used to implement controls by differentiating between temporary work-visas, permanent-work-visas, tourist-visas, etc. Visas also allow the host country to keep information about a person, by numbering the visas and by transferring the visas from one's old passport to a new one. Finally the visas allow the host country to become an issuing center that does not have to rely on trusting the passport issuing country. Indeed the passport issuing country can carry out many deceptions. They can for example issue different persons the same passport and even use the same name. The visa issuing country can detect such a fraud if it keeps track of the visitors and their physical description. The visa issuing country can also use more advanced techniques to check the physical description of the persons than the passport issuing country does. It is clear that such a need for control exists, in particular when a citizen of a terrorist sponsoring country applies for a visa. There are many other needs for visas.
The security of the actual passports, stamps and visas is very low. They rely on the myth that tamperproof paper and/or plastic documents and ink stamps would exist. False passports are well known and are used by criminals, terrorists and spies. So there is a need for a secure version of passports and visas which satisfy the same functionalities as actual passports and visas. Waiting too long to implement electronic passports would create the bizarre situation where cryptographic based ID-cards are issued for local use, but on an international level paper documents would still be acceptable. However many more deceptions
are possible in international activities than in national ones, so better techniques
are necessary.
The reader familiar with the modern cryptographic techniques for identifica-
tion understands easily that the techniques of ID-cards themselves can not fulfill
the needs of passports. We now discuss our solution in the next section.

III. ELECTRONIC PASSPORTS AND VISAS

From now on we assume that a secure simple identification system exists. We will
use such identification system to come up with the passport, but it will be clear
that more is necessary.
The main idea behind electronic passports is the use of a tamperproof de-
vice which uses an ID-card technology and which additionally contains an area (spe-
cial memory) where data can be appended and read by everybody. This special
memory, which we call an Append and Read Only Memory (AROM), is mainly
intended for stamping activities (see Section II for a description of stamps). The
stamp can contain information other than the date, such as a sequence number,
and may include the entire history of visits by the passport holder. The stamp
itself can be signed by the host country. It is the discretion of the host country
to make entries and to determine which data it wishes to append in this area.
Appending data to the AROM can be controlled to prevent the abuse of
the passport by other organizations which may want to write information that
is not relevant to the proper use of a passport. This can be accomplished by
encapsulating in the passport a list of public keys of organizations authorized
to write into the electronic passport card. The passport card first checks to
determine if the candidate writer is allowed to write. If so, the writer presents
a signed message. The passport-card checks the signature before appending the
data. If finally there is no room left over for new stamps, the carrier of the
passport goes back to his country issuing center and asks for a new passport.
The center can then read and record all this information, if it wishes, and deliver
a new passport. The issuing country can compress the data and leave it in the
original passport or issue a new one.
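The append procedure described above, as an added example that is not part of the original paper: a card object holds the issuer's list of authorised public keys and an AROM that accepts a stamp only after the writer check and the signature check, and refuses once it is full. The paper fixes no signature scheme, so a hash-based Lamport one-time signature (standard library only), the `key_id` scheme and the JSON stamp layout are assumptions of this example.

```python
"""AROM (Append and Read Only Memory) of an electronic passport card with the
writer-authorisation and signature checks of Section III.  Added example, not
code from the paper.  The signature scheme is an assumption: a Lamport one-time
signature over SHA-256, so each key may sign only one stamp."""
from __future__ import annotations
import hashlib
import json
import secrets


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _bits(digest: bytes):
    """The 256 bits of a SHA-256 digest, most significant bit first."""
    return ((digest[i >> 3] >> (7 - (i & 7))) & 1 for i in range(256))


def lamport_keygen() -> tuple[list, list]:
    """Private key: 256 pairs of random 32-byte preimages; public key: their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk


def lamport_sign(sk: list, message: bytes) -> list:
    """For each bit of SHA-256(message) reveal the matching preimage."""
    return [sk[i][bit] for i, bit in enumerate(_bits(_h(message)))]


def lamport_verify(pk: list, message: bytes, signature: list) -> bool:
    """Every revealed preimage must hash to the public-key entry selected by the bit."""
    if len(signature) != 256:
        return False
    return all(_h(signature[i]) == pk[i][bit]
               for i, bit in enumerate(_bits(_h(message))))


def key_id(pk: list) -> bytes:
    """Identifier under which a public key is listed inside the card (constructed)."""
    return _h(b"".join(a + b for a, b in pk))


class AromError(Exception):
    """Raised when the card refuses to append."""


class PassportCard:
    """Tamperproof card: a fixed list of authorised writers plus the AROM, which
    exposes only append() and read(); there is no delete or overwrite."""

    def __init__(self, authorized: dict, capacity: int):
        self._authorized = dict(authorized)   # key_id -> public key, set by the issuer
        self._capacity = capacity             # number of stamps the AROM can hold
        self._arom: list = []                 # entries (writer key_id, stamp bytes)

    def append(self, writer: bytes, stamp: bytes, signature: list) -> int:
        """Append one signed stamp; returns the number of entries stored afterwards."""
        if writer not in self._authorized:                      # 1: may this writer write?
            raise AromError("writer is not in the card's list of authorised organisations")
        if not lamport_verify(self._authorized[writer], stamp, signature):   # 2: signature
            raise AromError("signature does not verify, stamp refused")
        if len(self._arom) >= self._capacity:                  # 3: no room left
            raise AromError("AROM full, a new passport must be obtained from the issuing center")
        self._arom.append((writer, stamp))
        return len(self._arom)

    def read(self) -> list:
        """Anyone who inspects the passport may read all stamps."""
        return list(self._arom)


def make_stamp(country: str, seq: int, day: str, max_stay_days: int, kind: str) -> bytes:
    """Canonical encoding of a stamp: the data the paper mentions (date, stamping
    country, maximum stay, sequence number) plus an entry/exit marker.  The JSON
    layout is constructed for this example."""
    fields = {"country": country, "seq": seq, "date": day,
              "max_stay_days": max_stay_days, "kind": kind}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def demo() -> dict:
    """Constructed scenario: host country A is listed in the card, organisation B is not."""
    sk_a, pk_a = lamport_keygen()
    sk_b, pk_b = lamport_keygen()
    card = PassportCard(authorized={key_id(pk_a): pk_a}, capacity=2)
    entry = make_stamp("A", 1, "1988-05-25", 90, "entry")
    out = {"entry_count": card.append(key_id(pk_a), entry, lamport_sign(sk_a, entry))}
    try:                       # B is unlisted: refused before its signature is examined
        card.append(key_id(pk_b), entry, lamport_sign(sk_b, entry))
        out["unlisted_writer"] = "accepted"
    except AromError as err:
        out["unlisted_writer"] = str(err)
    altered = make_stamp("A", 1, "1988-05-25", 365, "entry")   # stay extended after signing
    try:                       # A's genuine signature re-used on an altered stamp
        card.append(key_id(pk_a), altered, lamport_sign(sk_a, entry))
        out["altered_stamp"] = "accepted"
    except AromError as err:
        out["altered_stamp"] = str(err)
    out["stamps"] = card.read()
    return out
```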
The tamperfreeness of the passport-card is necessary to guarantee the AROM
properties. Because tamperfreeness is used, identification systems that are simple
to implement can be used [4].
Let us now discuss how visas are included in the system. Because tamper-
freeness and trustworthiness of the passport are a function of the issuing country
and its technology, a visa being created as a separate ID device by the host coun-
try is better than (the current paper system of) placing visas in issuing countries
passports. We therefore propose physically separate visa devices, which are is-
sued by the host country. The visa is a special crypto ID-card, using the host
country preferred identification system. The information written in such a visa
can depend on all the passport data of relevance, on a sequence number, history
of the carrier related to previous visits and other visas and even on the carrier
physical description. The idea of including in the visa-card information about the
passport (e.g., number, name, country) increases dramatically the security of the
whole system. Indeed the rental problem of crypto ID cards, due to inadequacy
of checking the physical description [3], can then be significantly reduced. Other-
wise, use of passports independent of visas, can lead to the possibility of two users
simultaneously presenting the “same” passport at different locations. Advantages
of renting passports are discussed in [3]. Additional methods to dramatically re-
duce the risk that IDs can be rented are discussed in [1]. It is important to point
out that the separation that we propose is physical and not logical. The idea of
a logical link between IDs can be generalized. Evidently all this information can be
signed by the host country.
The visa proposed here is not to be considered a stamp, which is appended to
the above AROM. If the host country wishes to leave a trace in the passport, then
it can create the visa, give it a sequence number and append the following message
to the AROM in the passport: “The carrier of this passport possesses a visa with:
number, type, issuing date, location and issuing country”. However such a trace
is not necessary. In fact in some cases it is even recommended not to use such a
trace. Indeed, because these passports are electronic and tamperfree the passport
issuing country may be able to restrict its citizens from visiting certain countries.
If, however, a citizen obtains a visa for such a country, the passport could destroy
itself before the carrier reaches the host country. This, for example, would prevent
the carrier from asking for political asylum. A visa issuing country that wants
to cooperate with the carrier could choose to not leave a trace of the visa in the
passport. This, however, still leaves the visa issuing country free to use passport
information in the visa itself. Therefore the proposed scheme again contributes to
improvement of functionality of passports and visas. Again, the tamperfreeness
of the visa device is important in this scheme.
We finally remark that our system is compatible with actual passports and
visas. Visa issuing centers can, independently from the passport issuing centers,
decide to use electronic visas, while the passport can still be a paper document.
To allow countries that do not have adequate technological means to use electronic
systems, a paper version is attached to the electronic one.

IV. CONCLUSION
Recent crypto based ID schemes do not have the functionality necessary for in-
ternational use. In this paper a new scheme for electronic passports and visas is
presented that is as functional as current schemes but more secure.

REFERENCES

[1] G. Davida and Y. Desmedt. “Complete” Identification Systems. Tech. Report
TR-CS-8s-15, Dept. of EE & CS, Univ. of Wisconsin - Milwaukee, May 1988.
[2] Y. Desmedt. Major security problems with the “unforgeable” (Feige-)Fiat-
Shamir proofs of identity and how to overcome them. In Securicom 88, 6th
worldwide congress on computer and communications security and protection,
pp. 147-159, SEDEP Paris France, March 15-17, 1988.
[3] Y. Desmedt, C. Goutier, and S. Bengio. Special uses and abuses of the Fiat-
Shamir passport protocol. In C. Pomerance, editor, Advances in Cryptol-
ogy, Proc. of Crypto'87 (Lecture Notes in Computer Science 293), pp. 21-39,
Springer-Verlag, 1988. Santa Barbara, California, U.S.A., August 16-20.
[4] Y. Desmedt and J.-J. Quisquater. Public key systems based on the difficulty of
tampering (Is there a difference between DES and RSA?). In A. Odlyzko, ed-
itor, Advances in Cryptology, Proc. of Crypto '86 (Lecture Notes in Computer
Science 263), pp. 111-117, Springer-Verlag, 1987. Santa Barbara, California,
U.S.A., August 11-15.
[5] W. Diffie and M. E. Hellman. New directions in cryptography. IEEE Trans.
Inform. Theory, IT-22(6), pp. 644-654, November 1976.
[6] U. Feige, A. Fiat, and A. Shamir. Zero knowledge proofs of identity. In Pro-
ceedings of the Nineteenth ACM Symp. Theory of Computing, STOC, pp. 210-
217, May 25-27, 1987.
[7] A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identifica-
tion and signature problems. In A. Odlyzko, editor, Advances in Cryptology,
Proc. of Crypto'86 (Lecture Notes in Computer Science 263), pp. 186-194,
Springer-Verlag, 1987. Santa Barbara, California, U.S.A., August 11-15.
[8] G. J. Simmons. A system for verifying user identity and authorization at the
point-of-sale or access. Cryptologia, 8(1), pp. 1-21, January 1984.
THE PROBABILISTIC THEORY OF LINEAR COMPLEXITY

Harald Niederreiter

Mathematical Institute, Austrian Academy of Sciences
Dr.-Ignaz-Seipel-Platz 2
A-1010 Vienna, Austria

1. INTRODUCTION

Linear complexity is a widely accepted measure for unpredictability and randomness
of keystream sequences in the context of stream ciphers (see Rueppel [10], [11, Ch.
4]). In this paper we develop a detailed probabilistic theory of linear complexity
and linear complexity profiles for sequences of elements of a finite field. The bas-
ic tools are the connection between linear complexity and continued fractions for
formal Laurent series established in Niederreiter [8] as well as techniques from
probability theory and the theory of dynamical systems.
In practice, keystream sequences are sequences of bits, and we identify bits
with elements of the binary field $F_2$. However, the methods of this paper work for
arbitrary finite fields. We denote by $F_q$ the finite field with $q$ elements, where
$q$ is an arbitrary prime power. A sequence $s_1, s_2, \ldots$ of elements of $F_q$ is called
a $k$th-order (linear feedback) shift register sequence if there exist constant coeffi-
cients $a_k, \ldots, a_0 \in F_q$ with $a_k \neq 0$ such that
$$a_k s_{i+k} + \cdots + a_1 s_{i+1} + a_0 s_i = 0 \quad \text{for } i = 1, 2, \ldots. \tag{1}$$
The zero sequence $0, 0, \ldots$ is viewed as a shift register sequence of order 0. A
$k$th-order shift register sequence is uniquely determined by the recursion (1) and by
the initial values $s_1, s_2, \ldots, s_k$.

Definition 1. Let $S$ be an arbitrary sequence $s_1, s_2, \ldots$ of elements of $F_q$ and
let $n$ be a positive integer. Then the linear complexity $L_n(S)$ is defined as the
least $k$ such that $s_1, s_2, \ldots, s_n$ form the first $n$ terms of a $k$th-order shift
register sequence.

Definition 2. With the notation of Definition 1, the sequence $L_1(S), L_2(S), \ldots$ is
called the linear complexity profile of $S$.

It is clear that $0 \le L_n(S) \le n$ and $L_n(S) \le L_{n+1}(S)$ for all $n$ and $S$.
Therefore the linear complexity profile is a nondecreasing sequence of nonnegative
integers. Rueppel [10], [11, Ch. 4] proposed the linear complexity profile as a test

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 191-209, 1988.
© Springer-Verlag Berlin Heidelberg 1988

for randomness and set up the following stochastic model. Let $n$ be fixed and con-
sider $L_n(S)$ for random sequences of bits. Since $L_n(S)$ just depends on the first
$n$ terms of $S$, it suffices to consider the linear complexity for all choices of
$s_1, s_2, \ldots, s_n$ from $F_2$. Then the linear complexity can be viewed as a random vari-
able on $F_2^n$, where each string $s_1, s_2, \ldots, s_n$ is equiprobable. It turns out that the
expected value of this random variable is $\frac{n}{2} + c_n$ with $0 \le c_n \le \frac{5}{18}$ and its vari-
ance is roughly $\frac{86}{81}$. This suggests that $L_n(S)$ should be close to $\frac{n}{2}$ for a random
sequence of bits.
To arrive at a statistically meaningful use of the linear complexity profile,
the following question has to be answered: for a randomly chosen and then fixed se-
quence $S$, what is the behavior of $L_n(S)$ as $n$ varies? We settle this question
for sequences $S$ of elements of $F_q$ and also discuss related questions. The nec-
essary background and basic results on continued fractions and dynamical systems are
established in Sections 2 and 3. These results yield, first of all, the probabilis-
tic limit theorems for continued fractions in Section 4. Exploiting the connection
between continued fractions and linear complexity, we deduce the probabilistic limit
theorems for linear complexity in Section 5. These limit theorems describe the as-
ymptotic behavior of $L_n(S)$ as $n \to \infty$ and the deviations from the asymptotic be-
havior for random $S$. In Section 6 we study frequency distributions associated with
the linear complexity for random $S$. The detailed information on the behavior of
$L_n(S)$ for random $S$ is used in Section 7 to set up new types of randomness tests
for keystream sequences.

2. CONTINUED FRACTIONS

We use the approach in Niederreiter [8] which is based on identifying a sequence $S$
of elements $s_1, s_2, \ldots$ of $F_q$ with its generating function $S = \sum_{i=1}^{\infty} s_i x^{-i}$. As in
[8] we view $S$ as an element of the field $G = F_q((x^{-1}))$ of formal Laurent series
in $x^{-1}$ over $F_q$. For $S \in G$ let $\mathrm{Pol}(S)$ be its polynomial part and
$\mathrm{Fr}(S) = S - \mathrm{Pol}(S)$ its fractional part. Thus $\mathrm{Fr}(S)$ is the part of $S$ containing the neg-
ative powers of $x$. We introduce the valuation $v$ on $G$ which extends the degree
function on the polynomial ring $F_q[x]$ as follows. For $S \in G$, $S \neq 0$, we put
$$v(S) = -r \quad \text{if } S = \sum_{i=r}^{\infty} s_i x^{-i} \text{ and } s_r \neq 0.$$
For $S = 0$ we put $v(S) = -\infty$. We have the following properties for $S_1, S_2 \in G$:
$$v(S_1 S_2) = v(S_1) + v(S_2),$$
$$v(S_1 + S_2) \le \max(v(S_1), v(S_2)),$$
$$v(S_1 + S_2) = \max(v(S_1), v(S_2)) \quad \text{if } v(S_1) \neq v(S_2).$$
For $p_1, p_2 \in F_q[x]$, $p_2 \neq 0$, we have $v(p_1/p_2) = \deg(p_1) - \deg(p_2)$.


Let $H$ be the set of all generating functions, thus $H = \{S \in G : v(S) < 0\}$.
Every $S \in H$ has a unique continued fraction expansion of the form
$$S = 0 + 1/(A_1(S) + 1/(A_2(S) + \cdots)) =: [A_1(S), A_2(S), \ldots],$$
where $A_j(S) \in F_q[x]$ and $\deg(A_j(S)) \ge 1$ for $j \ge 1$. This expansion is finite for
rational $S$ and infinite for irrational $S$. The polynomials $A_j(S)$ are obtained
recursively by the following algorithm:
$$A_0(S) = 0, \quad B_0(S) = S,$$
$$A_{j+1}(S) = \mathrm{Pol}(B_j(S)^{-1}), \quad B_{j+1}(S) = \mathrm{Fr}(B_j(S)^{-1}) \quad \text{for } j \ge 0,$$
which can be continued as long as $B_j(S) \neq 0$. If the continued fraction expansion
is broken off after the term $A_j(S)$, we get the rational convergent $P_j(S)/Q_j(S)$.
The polynomials $P_j(S)$ and $Q_j(S)$ can be calculated recursively by
$$P_{-1}(S) = 1, \quad P_0(S) = 0, \quad P_j(S) = A_j(S) P_{j-1}(S) + P_{j-2}(S) \quad \text{for } j \ge 1,$$
$$Q_{-1}(S) = 0, \quad Q_0(S) = 1, \quad Q_j(S) = A_j(S) Q_{j-1}(S) + Q_{j-2}(S) \quad \text{for } j \ge 1.$$
We have then
$$\deg(Q_j(S)) = \sum_{m=1}^{j} \deg(A_m(S)) \quad \text{for } j \ge 1. \tag{2}$$
For rational $S$ we interpret $\deg(A_j(S)) = \deg(Q_j(S)) = \infty$ whenever $A_j(S)$ and
$Q_j(S)$ do not exist. From [8] we note the formula
$$v(Q_j(S) S - P_j(S)) = -v(Q_{j+1}(S)) \quad \text{for } j \ge 0. \tag{3}$$

For $S \in H$ we write $L_n(S)$ for the linear complexity of the sequence which corre-
sponds to the generating function $S$. The following is a special case of a result
in [8].

Lemma 1. For any $n \ge 1$ and $S \in H$ we have $L_n(S) = \deg(Q_j(S))$, where $j \ge 0$ is
uniquely determined by the condition
$$\deg(Q_{j-1}(S)) + \deg(Q_j(S)) \le n < \deg(Q_j(S)) + \deg(Q_{j+1}(S)).$$

With the metric $d(S_1, S_2) = 2^{v(S_1 - S_2)}$ for $S_1, S_2 \in H$, the set $H$ is a compact
ultrametric space. Since $H$ is also an additive subgroup of $G$ and addition is a
continuous operation in this metric topology, it follows that $H$ is a compact abe-
lian group. Let $\mathcal{B}$ be the $\sigma$-algebra of Borel sets in $H$. Then there exists a
unique Haar measure $h$ on $H$, i.e. a translation-invariant probability measure de-
fined on $\mathcal{B}$. If $D(S_0; r) := \{S \in H : v(S - S_0) < -r\}$, $S_0 \in H$, $r = 0, 1, \ldots$, is a disk,
then the translation invariance of $h$ implies that
$$h(D(S_0; r)) = q^{-r}. \tag{4}$$
We write $P$ for the set of polynomials over $F_q$ of positive degree.

Lemma 2. For $A_1, \ldots, A_k \in P$ let $R(A_1, \ldots, A_k) = \{S \in H : A_j(S) = A_j \text{ for } 1 \le j \le k\}$.
Then
$$h(R(A_1, \ldots, A_k)) = q^{-2(\deg(A_1) + \cdots + \deg(A_k))}.$$

Proof. For any $S \in R(A_1, \ldots, A_k)$ we have the same value of $P_k(S) = P_k$ and $Q_k(S) = Q_k$,
thus
$$v\Big(S - \frac{P_k}{Q_k}\Big) = -2v(Q_k) - v(A_{k+1}(S)) < -2v(Q_k)$$
by (3). Conversely, if $v(S - P_k/Q_k) < -2v(Q_k)$, then $v(Q_k S - P_k) < -v(Q_k)$, so
by [8, Lemma 3] we get $Q_k = cQ_n(S)$ and $P_k = cP_n(S)$ for some $n \ge 1$ and some nonzero
constant $c$, and from the uniqueness of the continued fraction expansion we obtain $n = k$ and
$A_j(S) = A_j$ for $1 \le j \le k$. Thus we have shown $R(A_1, \ldots, A_k) = D(P_k/Q_k; 2v(Q_k))$, and
the desired result follows from (2) and (4). □

3. DYNAMICAL SYSTEMS

We recall that a dynamical system is a probability space together with a measure-
preserving transformation acting on it. We consider now the transformation $T$ on
$(H, \mathcal{B}, h)$ defined by $T(S) = \mathrm{Fr}(S^{-1})$ for $S \neq 0$ and $T(0) = 0$.

Lemma 3. $T$ is measure preserving with respect to $h$.

Proof. We have to prove $h(T^{-1}(B)) = h(B)$ for all $B \in \mathcal{B}$, where $T^{-1}(B)$ is the in-
verse image of $B$ under $T$. By [1, Theorem 1.1] it suffices to show this for every
disk $D = D(S_0; r)$. For $X \neq 0$ we have $X \in T^{-1}(D)$ if and only if $v(X^{-1} - S_0 - p) < -r$
for some $p \in P$. The latter condition can only be satisfied if $v(X^{-1}) = v(S_0 + p)$,
and from this we see that for fixed $p \in P$ we have $v(X^{-1} - S_0 - p) < -r$ if and on-
ly if $X \in D((S_0 + p)^{-1}; r + 2v(p))$. If $D(W_1^{-1}; r + 2v(p_1)) \cap D(W_2^{-1}; r + 2v(p_2)) \neq \emptyset$
with $W_1 = S_0 + p_1$, $W_2 = S_0 + p_2$, and $p_1 \neq p_2$ in $P$, then $v(W_1) = v(p_1)$, $v(W_2) = v(p_2)$,
and
$$v(W_1^{-1} - W_2^{-1}) < -r - 2\min(v(W_1), v(W_2)).$$
On the other hand,
$$v(W_1^{-1} - W_2^{-1}) = v(W_2 - W_1) - v(W_1) - v(W_2) \ge -2\min(v(W_1), v(W_2)),$$
where the last inequality is seen by distinguishing the cases $v(W_1) \neq v(W_2)$ and
$v(W_1) = v(W_2)$. This contradiction shows that the disks $D((S_0 + p)^{-1}; r + 2v(p))$ are
pairwise disjoint as $p$ ranges over $P$. Since such a disk has $h$-measure $q^{-r-2v(p)}$
by (4) and since for fixed $d \ge 1$ there are exactly $(q-1)q^d$ polynomials $p \in P$
with $v(p) = d$, we obtain
$$h(T^{-1}(D)) = \sum_{p \in P} q^{-r-2v(p)} = (q-1)q^{-r}\sum_{d=1}^{\infty} q^{-d} = q^{-r} = h(D). \qquad \square$$

Lemma 3 shows that $(H, \mathcal{B}, h, T)$ is a dynamical system. A second dynamical sys-
tem is obtained as follows. Let $\mu$ be the probability measure defined on the power
set $\mathcal{P}$ of $P$ and determined by $\mu(p) = q^{-2\deg(p)}$ for $p \in P$. We consider the
Cartesian product $P^{\infty} = \prod_{n=1}^{\infty} P_n$ with $P_n = P$ for all $n$ and the corresponding pro-
duct probability space $(P^{\infty}, \mathcal{P}^{\infty}, \mu^{\infty})$. On this space the transformation $T_1$ is de-
fined by
$$T_1(p_1, p_2, \ldots) = (p_2, p_3, \ldots) \quad \text{for } (p_1, p_2, \ldots) \in P^{\infty}.$$
Then $(P^{\infty}, \mathcal{P}^{\infty}, \mu^{\infty}, T_1)$ is a dynamical system, called the one-sided (or unilateral)
Bernoulli shift on $P^{\infty}$. See Krengel [3, Sec. 1.4] for general information on
Bernoulli shifts. We use the following concept of isomorphism for dynamical systems
from Billingsley [1, p. 53].

Definition 3. The dynamical systems $(\Omega, \mathcal{F}, m, \tau)$ and $(\tilde\Omega, \tilde{\mathcal{F}}, \tilde m, \tilde\tau)$ are said to be iso-
morphic if there exist sets $\Omega_0$ in $\mathcal{F}$ and $\tilde\Omega_0$ in $\tilde{\mathcal{F}}$ of measure 1 and a bijec-
tion $\phi$ of $\Omega_0$ onto $\tilde\Omega_0$ with the following properties:

(i) If $A \subseteq \Omega_0$ and $\tilde A = \phi(A)$, then $A \in \mathcal{F}$ if and only if $\tilde A \in \tilde{\mathcal{F}}$, in which case
$m(A) = \tilde m(\tilde A)$;
(ii) $\tau(\Omega_0) \subseteq \Omega_0$ and $\tilde\tau(\tilde\Omega_0) \subseteq \tilde\Omega_0$;
(iii) $\phi(\tau(\omega)) = \tilde\tau(\phi(\omega))$ for all $\omega \in \Omega_0$.

Theorem 1. The dynamical system $(H, \mathcal{B}, h, T)$ is isomorphic to the one-sided Bernoulli
shift on $P^{\infty}$.

Proof. We use Definition 3 with $(\Omega, \mathcal{F}, m, \tau) = (P^{\infty}, \mathcal{P}^{\infty}, \mu^{\infty}, T_1)$ and
$(\tilde\Omega, \tilde{\mathcal{F}}, \tilde m, \tilde\tau) = (H, \mathcal{B}, h, T)$. We take $\Omega_0 = P^{\infty}$ and $\tilde\Omega_0 = I$, the set of irrationals in $H$. Since
there are just countably many rationals in $H$, we have $h(I) = 1$. The mapping $\phi$
from $P^{\infty}$ onto $I$ is defined by
$$\phi(p_1, p_2, \ldots) = [p_1, p_2, \ldots] \in I \quad \text{for } (p_1, p_2, \ldots) \in P^{\infty}.$$
It follows from the uniqueness of the continued fraction expansion that $\phi$ is a bi-
jection.
To prove (i) in Definition 3, we first show that if $A \in \mathcal{P}^{\infty}$, then
$\tilde A \in \mathcal{B}$ and $\mu^{\infty}(A) = h(\tilde A)$. It suffices to prove this for cylinder sets
$A = \{(p_1, p_2, \ldots) \in P^{\infty} : p_j = A_j \text{ for } 1 \le j \le k\}$, where $k \ge 1$ and $A_1, \ldots, A_k \in P$ are fixed. But then
$\tilde A = R(A_1, \ldots, A_k) \cap I$, and since we have shown in the proof of Lemma 2 that $R(A_1, \ldots, A_k)$
is a disk, we get $\tilde A \in \mathcal{B}$. Furthermore by Lemma 2,
$$\mu^{\infty}(A) = \prod_{j=1}^{k} \mu(A_j) = \prod_{j=1}^{k} q^{-2\deg(A_j)} = h(R(A_1, \ldots, A_k)) = h(\tilde A).$$
Now we have to show that if $\tilde A \subseteq I$ and $\tilde A \in \mathcal{B}$, then $A = \phi^{-1}(\tilde A) \in \mathcal{P}^{\infty}$. It suf-
fices to prove this for sets that are intersections of $I$ with a disk. We first
consider the special case where
$$\tilde A = \{S \in I : v(S - S_0) \le -v(Q_k(S_0)) - v(Q_{k+1}(S_0))\}$$
with $k \ge 0$ and $S_0 \in I$. If $S \in \tilde A$, then

by (3), and so $S$ has the continued fraction expansion
$$S = [A_1(S_0), \ldots, A_k(S_0), A_{k+1}(S), \ldots]$$
by an argument in the proof of Lemma 2. Now

and $Q_k(S) = Q_k(S_0)$ imply $v(A_{k+1}(S)) \ge v(A_{k+1}(S_0)) =: n$. Conversely, if $S$ has a
continued fraction expansion as above with $v(A_{k+1}(S)) \ge n$, then it is seen immedi-
ately that $S \in \tilde A$. Thus
$$\tilde A = \{S \in I : A_j(S) = A_j(S_0) \text{ for } 1 \le j \le k \text{ and } v(A_{k+1}(S)) \ge n\},$$
hence $\phi^{-1}(\tilde A) = \{(p_1, p_2, \ldots) \in P^{\infty} : p_j = A_j(S_0) \text{ for } 1 \le j \le k \text{ and } v(p_{k+1}) \ge n\}$ is
a countable union of cylinder sets and so in $\mathcal{P}^{\infty}$. Now we consider the general case
where $\tilde A = D \cap I$ with a disk $D = \{S \in H : v(S - S_0) \le -r\}$, $S_0 \in H$, $r \ge 0$. Since any
element of $D$ can serve as the center of $D$ ($H$ is ultrametric!), we can assume
that $S_0$ is irrational. For every $U \in \tilde A$ and every integer $k \ge 0$ with
$v(Q_k(U)) + v(Q_{k+1}(U)) \ge r$ we define
$$D_k(U) = \{S \in H : v(S - U) \le -v(Q_k(U)) - v(Q_{k+1}(U))\}.$$
Every disk $D_k(U)$ is contained in $D$. We claim that the family of all $D_k(U)$ cov-
ers $D$. For this it suffices to show that every rational $S \in D$ lies in some $D_k(U)$.
Let $S = [A_1(S), A_2(S), \ldots, A_t(S)]$ and $S \in D$ (if $S = 0$, put $t = 0$ and $Q_0(S) = 1$
in the following). If $v(Q_t(S)) \ge r/2$, put
$$U = [A_1(S), A_2(S), \ldots, A_t(S), x, x, \ldots].$$
Then
$$v(S - U) = v\Big(\frac{P_t(U)}{Q_t(U)} - U\Big) = -v(Q_t(U)) - v(Q_{t+1}(U))$$
and $v(Q_t(U)) + v(Q_{t+1}(U)) > 2v(Q_t(S)) \ge r$, thus $S \in D_t(U)$ and $U \in \tilde A$. If
$v(Q_t(S)) < r/2$, put
$$U = [A_1(S), A_2(S), \ldots, A_t(S), A_{t+1}(S_0), x, x, \ldots].$$
We have

and so $A_j(S_0) = A_j(S)$ for $1 \le j \le t$ by an argument in the proof of Lemma 2. It

hence $S \in D_t(U)$ and $U \in \tilde A$. Thus we have shown that the closed (and also open) disks
$D_k(U)$ form an open cover of the compact set $D$, and so finitely many of the sets
$D_k(U)$, say $E_1, \ldots, E_b$, already cover $D$. Therefore

Each $E_i \cap I$ is of the special form considered earlier, thus
$\phi^{-1}(\tilde A) = \bigcup_{i=1}^{b} \phi^{-1}(E_i \cap I) \in \mathcal{P}^{\infty}$ as a finite union of elements of $\mathcal{P}^{\infty}$. Property (ii) in Defini-
tion 3 is trivially satisfied and (iii) follows from an easy calculation using the
algorithm for the $A_j(S)$ and $B_j(S)$ in Section 2. □

4. LIMIT THEOREMS FOR CONTINUED FRACTIONS

It follows from Theorem 1 that $(H, \mathcal{B}, h, T)$ inherits all dynamical properties of the
one-sided Bernoulli shift on $P^{\infty}$ (compare with [1, Ch. 2]). In particular, since
every one-sided Bernoulli shift is ergodic (see [3, Sec. 1.4], [4, p. 183]), we ob-
tain that $T$ is ergodic with respect to $h$, i.e. $T^{-1}(B) = B$ for some $B \in \mathcal{B}$ im-
plies that $h(B) = 0$ or $1$. The individual ergodic theorem, in the form given in
[4, p. 183], yields the following result. Here and in the following we say that a
stated property holds $h$-almost everywhere ($h$-a.e.) if the property holds for a set
of $S \in H$ of $h$-measure 1.

Theorem 2. For any $h$-integrable function $f$ on $H$ we have
$$\lim_{n \to \infty} \frac{1}{n} \sum_{j=0}^{n-1} f(T^j(S)) = \int_H f \, dh \quad h\text{-a.e.}$$

We note that since $T^j$ denotes the $j$th iterate of $T$ (with $T^0$ the identity
mapping), we have $T^j(S) = B_j(S)$ for all $j \ge 0$ and $S \in I$. Rational $S$ can be
ignored since they form a set of $h$-measure 0.

Theorem 3. For any function $g$ on

Proof. We apply Theorem 2 with $f(S) = g(\mathrm{Pol}(S^{-1}))$ for $S \neq 0$, $f(0) = 0$. For $S \in I$
we have then $f(T^j(S)) = f(B_j(S)) = g(A_{j+1}(S))$ for all $j \ge 0$. In particular
$f(S) = g(A_1(S))$, hence

by Lemma 2. The condition on $g$ guarantees that $f$ is $h$-integrable on $H$. □

Corollary 1. $\lim_{n \to \infty} \frac{1}{n} \deg(Q_n(S)) = \frac{q}{q-1}$ $h$-a.e.

Proof. This follows from Theorem 3 with $g(p) = \deg(p)$ for $p \in P$. We also use (2)
and the identity $\sum_{d=1}^{\infty} d z^d = z(1-z)^{-2}$ with $z = q^{-1}$. □

Corollary 2. We have $h$-a.e.
$$\lim_{n \to \infty} \frac{1}{n} \#\{1 \le j \le n : A_{j+i-1}(S) = A_i \text{ for } 1 \le i \le k\} = q^{-2(\deg(A_1) + \cdots + \deg(A_k))}$$
for all $k \ge 1$ and all $A_1, \ldots, A_k \in P$.

Proof. We apply Theorem 2 with $f$ being the characteristic function of the set
$R(A_1, \ldots, A_k)$ and use Lemma 2. Since there are just countably many choices for
$A_1, \ldots, A_k$, the result follows. □

For $k = 1$ Corollary 2 gives the distribution of the partial quotients $A_j(S)$
in the continued fraction expansion of a random generating function $S$.

Lemma 4. Let $g$ be an arbitrary real-valued function on $P$. If $X_j(S) = g(A_j(S))$
for $j \ge 1$, then $X_1, X_2, \ldots$ is a sequence of independent and identically distributed
random variables on $(H, \mathcal{B}, h)$.

Proof. Strictly speaking, $X_j$ is only defined on $I$, but we may define $X_j$ arbi-
trarily on the set of $h$-measure 0 formed by the rationals. For $S \in I$ and any
$j \ge 1$ we have
$$X_j(S) = g(\mathrm{Pol}(B_{j-1}(S)^{-1})) = g(A_1(B_{j-1}(S))) = X_1(B_{j-1}(S)) = X_1(T^{j-1}(S)),$$
hence Lemma 3 implies that the $X_j$ are identically distributed. To prove that
$X_1, \ldots, X_k$ are independent, it suffices to show that the events
$A_1(S) = A_1, \ldots, A_k(S) = A_k$ are independent for any $A_1, \ldots, A_k \in P$, and this follows from Lemma 2. □

Theorem 4 (Law of the Iterated Logarithm for Continued Fractions). Let $g$ be a non-
constant real-valued function on $P$ with $\sum_{p \in P} g(p)^2 q^{-2\deg(p)} < \infty$. Put

Then $h$-a.e.

Proof. Let the random variables $X_j$ be as in Lemma 4. Then $E$ is the expected val-
ue and $\sigma$ the standard deviation of $X_j$, and the conditions on $g$ guarantee that
the second moment of $X_j$ exists and $\sigma > 0$. The result follows then from the
Hartman-Wintner law of the iterated logarithm in the form given in Bingham [2]. □

Corollary 3. We have $h$-a.e.
$$\varlimsup_{n \to \infty} \frac{q-1}{(2qn \log\log n)^{1/2}} \Big(\deg(Q_n(S)) - \frac{q}{q-1} n\Big) = 1.$$

Proof. We apply Theorem 4 with $g(p) = \deg(p)$ for $p \in P$. Then $E = q/(q-1)$ by the
identity in the proof of Corollary 1. The identity $\sum_{d=1}^{\infty} d^2 z^d = (z^2 + z)(1-z)^{-3}$
with $z = q^{-1}$ yields
$$\sigma^2 = \frac{q^2 + q}{(q-1)^2} - \frac{q^2}{(q-1)^2} = \frac{q}{(q-1)^2}.$$
Together with (2) the result follows. □

Theorem 5 (Central Limit Theorem for Continued Fractions). Let $g, E, \sigma$ be as in
Theorem 4. Then for any $a < b$ (where we can have $a = -\infty$ or $b = \infty$),
$$\lim_{n \to \infty} h\Big(\Big\{S \in H : a\sigma\sqrt{n} \le \sum_{j=1}^{n} g(A_j(S)) - nE \le b\sigma\sqrt{n}\Big\}\Big) = \frac{1}{\sqrt{2\pi}} \int_a^b e^{-t^2/2} \, dt.$$

Proof. We proceed as in the proof of Theorem 4 and use the central limit theorem for
independent and identically distributed random variables (see [9, pp. 22-23]). □

Theorem 6. Let $f$ be a nonnegative function on the positive integers. If
$\sum_{j=1}^{\infty} q^{-f(j)} < \infty$, then $h$-a.e. we have $\deg(A_j(S)) \le f(j)$ for all sufficiently large
$j$. If $\sum_{j=1}^{\infty} q^{-f(j)} = \infty$, then $h$-a.e. we have $\deg(A_j(S)) > f(j)$ for infinitely many
$j$.

Proof. The events $\deg(A_j(S)) > f(j)$ for $j = 1, 2, \ldots$ are independent by Lemma 4.
If $k(j)$ is the least integer $> f(j)$, then these events are identical with the
events $\deg(A_j(S)) \ge k(j)$. For each $j$ we have

by Lemma 2. Since $\sum_{j=1}^{\infty} q^{1-k(j)}$ converges (resp. diverges) if and only if $\sum_{j=1}^{\infty} q^{-f(j)}$
converges (resp. diverges), the theorem follows from the Borel zero-one law (see [6,
p. 228]). □

5. LIMIT THEOREMS FOR LINEAR COMPLEXITY

Because of the connection between continued fractions and linear complexity expressed
in Lemma 1, the results in Section 4 have implications for the linear complexity
$L_n(S)$.

Theorem 7. $\lim_{n \to \infty} \frac{L_n(S)}{n} = \frac{1}{2}$ $h$-a.e.

Proof. If $n$ and $j$ are related as in Lemma 1, then from this result we get

Corollary 1 yields

hence the desired result follows. □

The deviation of $L_n(S)$ from its asymptotic expected value $\frac{n}{2}$ is described
more precisely by the following results.

Theorem 8. Let $f$ be a nonnegative nondecreasing function on the positive integers
with $\sum_{n=1}^{\infty} q^{-f(n)} < \infty$. Then $h$-a.e.
$$\Big| L_n(S) - \frac{n}{2} \Big| \le \frac{1}{2} f(n) \quad \text{for all sufficiently large } n.$$

Proof. Theorem 6 shows that $h$-a.e. we have $\deg(A_j(S)) \le f(j)$ for all sufficiently
large $j$. For such an $S$ we deduce from (5) that
$$\Big| L_n(S) - \frac{n}{2} \Big| \le \frac{1}{2} f(j+1) \quad \text{for all sufficiently large } n.$$
Now $n \ge \deg(Q_{j-1}(S)) + \deg(Q_j(S)) \ge 2j - 1 \ge j + 1$ for all $j \ge 2$, and so
$f(j+1) \le f(n)$. □

Theorem 9. Let $f$ be a nonnegative nondecreasing function on the positive integers
with $\sum_{n=1}^{\infty} q^{-f(n)} = \infty$. Then $h$-a.e.
$$L_n(S) > \frac{n}{2} + \frac{1}{2} f(n) \quad \text{for infinitely many } n,$$
$$L_n(S) < \frac{n}{2} - \frac{1}{2} f(n) \quad \text{for infinitely many } n.$$

Proof. From the conditions on $f$ we get $\sum_{n=1}^{\infty} q^{-f(5n)} = \infty$. Thus Theorem 6 implies
that $h$-a.e. we have $\deg(A_j(S)) > f(5j)$ for infinitely many $j$. For such $S$ and $j$
we take $n = \deg(Q_{j-1}(S)) + \deg(Q_j(S))$, then
$$L_n(S) - \frac{n}{2} = \frac{1}{2}\deg(A_j(S)) > \frac{1}{2} f(5j)$$
by Lemma 1. By Corollary 1 we can assume that $S$ satisfies $\lim_{j \to \infty} \deg(Q_j(S))/j = q/(q-1)$. Then
$$\frac{1}{j}\deg(Q_j(S)) \le \frac{5}{2} \quad \text{for all sufficiently large } j.$$
Thus for infinitely many $j$ we have $n = \deg(Q_{j-1}(S)) + \deg(Q_j(S)) < 2\deg(Q_j(S)) < 5j$,
hence
$$L_n(S) - \frac{n}{2} > \frac{1}{2} f(5j) \ge \frac{1}{2} f(n)$$
for infinitely many $n$. The second part is shown similarly, using that $h$-a.e. we
have $\deg(A_{j+1}(S)) > f(5j+5) + 1$ for infinitely many $j$ and taking
$n = \deg(Q_j(S)) + \deg(Q_{j+1}(S)) - 1$. □

Theorem 10 (Law of the Logarithm for Linear Complexity). We have $h$-a.e.
$$\varlimsup_{n \to \infty} \frac{L_n(S) - (n/2)}{\log n} = \frac{1}{2\log q}.$$

Proof. We use Theorem 8 with $f(n) = (1+\varepsilon)(\log n)/\log q$ for arbitrary $\varepsilon > 0$ and
Theorem 9 with $f(n) = (\log n)/\log q$. □

6. FREQUENCY DISTRIBUTIONS FOR LINEAR COMPLEXITY

For any integers $c$ and $N$ with $N \ge 1$ let $Z(N;c;S)$ be the number of $n$,
$1 \le n \le N$, with $L_n(S) = (n+c)/2$. We note that the cases $c = 0$ and $c = 1$ cor-
respond to perfect linear complexity (compare with [8], [10], [11]).

Theorem 11. We have $h$-a.e.
$$\lim_{N \to \infty} \frac{Z(N;c;S)}{N} = \frac{q-1}{2q^{|c - (1/2)| + (1/2)}} \quad \text{for all integers } c.$$

Proof. From Corollary 1 we get
$$\lim_{j \to \infty} \frac{j}{\deg(Q_{j-1}(S)) + \deg(Q_j(S))} = \frac{q-1}{2q} \quad h\text{-a.e.}$$
Let $j(N,S)$ be the largest index $j$ with $\deg(Q_{j-1}(S)) + \deg(Q_j(S)) \le N$. Then with
$j' = j(N,S)$ we have
$$\deg(Q_{j'-1}(S)) + \deg(Q_{j'}(S)) \le N < \deg(Q_{j'}(S)) + \deg(Q_{j'+1}(S)),$$
and so

Now let $c \ge 1$. Whenever $\deg(Q_{j-1}(S)) + \deg(Q_j(S)) \le n < \deg(Q_j(S)) + \deg(Q_{j+1}(S))$,
then Lemma 1 shows that $L_n(S) = (n+c)/2$ if and only if $n = 2\deg(Q_j(S)) - c$
with $j \ge 1$. This value of $n$ lies in the indicated range if and only if
$\deg(Q_{j-1}(S)) + \deg(Q_j(S)) \le 2\deg(Q_j(S)) - c$, which is equivalent to $\deg(A_j(S)) \ge c$.
Therefore
$$Z(N;c;S) = B(j(N,S);c;S) - E(N;c;S),$$
where $B(r;c;S)$ denotes the number of $j$, $1 \le j \le r$, with $\deg(A_j(S)) \ge c$ and
where $E(N;c;S) = 0$ or $1$. Let $g$ be the function on $P$ defined by $g(p) = 1$ if
$\deg(p) \ge c$ and $g(p) = 0$ otherwise. Then Theorem 3 yields

It follows from (6) that $h$-a.e.

For $c \le 0$ the result is shown similarly. □
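The continued fraction computation of Section 2 with Lemma 1, and the count $Z(N;c;S)$ of Theorem 11, carried out over $F_2$ as an added example (not the paper's code): polynomials are Python ints, the expansion of the truncated generating function is one Euclidean pass, and Berlekamp-Massey serves as an independent check of the profile. `random_bits` is a constructed sample input; nothing else is assumed beyond the paper's definitions.

```python
"""Linear complexity profile over F_2 from the continued fraction expansion of the
generating function (Section 2, Lemma 1) and the count Z(N;c;S) of Section 6.
Added example, not the paper's code; Berlekamp-Massey is the independent check."""
from __future__ import annotations
import random

INF = float("inf")
# A polynomial over F_2 is a Python int whose bit i is the coefficient of x^i.

def deg(p: int) -> int:
    """Degree of p; -1 stands in for deg(0) = v(0) = -infinity."""
    return p.bit_length() - 1

def pmul(a: int, b: int) -> int:
    """Carry-less product in F_2[x]."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def pdivmod(a: int, b: int) -> tuple[int, int]:
    """Long division in F_2[x]: (quotient, remainder) with deg(remainder) < deg(b)."""
    q, db = 0, deg(b)
    while a and deg(a) >= db:
        shift = deg(a) - db
        q ^= 1 << shift
        a ^= b << shift
    return q, a

def continued_fraction(seq: list[int]) -> tuple[list[int], list[int]]:
    """Expansion [A_1, ..., A_t] of S_N = (s_1 x^{N-1} + ... + s_N) / x^N, the rational
    function carrying the first N terms of S = sum s_i x^{-i}.  Returns the partial
    quotients A_1..A_t and the denominators Q_0 = 1, Q_1, ..., Q_t built from
    Q_j = A_j Q_{j-1} + Q_{j-2}, Q_{-1} = 0.  Since A_{j+1} = Pol(B_j^{-1}) and
    B_{j+1} = Fr(B_j^{-1}), this is the Euclidean algorithm on (x^N, numerator)."""
    num = 0
    for s in seq:                       # Horner form of s_1 x^{N-1} + ... + s_N
        num = (num << 1) | (s & 1)
    den = 1 << len(seq)                 # x^N
    A, Q, q_prev = [], [1], 0
    while num:
        a, r = pdivmod(den, num)        # a = Pol(den/num), r/num = Fr(den/num)
        A.append(a)
        Q.append(pmul(a, Q[-1]) ^ q_prev)
        q_prev = Q[-2]
        den, num = num, r
    return A, Q

def linear_complexity_profile(seq: list[int]) -> list[int]:
    """L_1(S), ..., L_N(S) by Lemma 1: L_n = deg(Q_j) for the unique j with
    deg(Q_{j-1}) + deg(Q_j) <= n < deg(Q_j) + deg(Q_{j+1}), where deg(Q_{-1}) = -inf
    and a Q_j beyond the end of the finite expansion has degree +inf.  One expansion
    of S_N serves every n <= N: by (3) and [8, Lemma 3] (as in the proof of Lemma 2),
    a convergent of S_N with deg(Q_j) + deg(Q_{j+1}) <= N is also a convergent of S."""
    _, Q = continued_fraction(seq)
    d = [-INF] + [deg(q) for q in Q] + [INF]    # d[j + 1] = deg(Q_j), j = -1, ..., t+1
    profile, j = [], 0
    for n in range(1, len(seq) + 1):
        while d[j + 1] + d[j + 2] <= n:          # advance until n < deg(Q_j) + deg(Q_{j+1})
            j += 1
        profile.append(d[j + 1])
    return profile

def berlekamp_massey(seq: list[int]) -> int:
    """L_N(S) by the Berlekamp-Massey algorithm over F_2 (independent check)."""
    c, b, L, m = 1, 1, 0, -1            # connection polynomials as ints
    for i, s in enumerate(seq):
        d = s                            # discrepancy s_i + sum_{k=1}^{L} c_k s_{i-k}
        for k in range(1, L + 1):
            if (c >> k) & 1:
                d ^= seq[i - k]
        if d:
            t = c
            c ^= b << (i - m)
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L

def perfect_count(seq: list[int], c: int) -> int:
    """Z(N;c;S): the number of n <= N with L_n(S) = (n + c)/2."""
    profile = linear_complexity_profile(seq)
    return sum(1 for n, L in enumerate(profile, start=1) if 2 * L == n + c)

def random_bits(n: int, seed: int) -> list[int]:
    """Constructed sample input: n pseudo-random bits from a fixed seed."""
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(n)]
```

For $q = 2$ Theorem 11 predicts that $Z(N;0;S)/N$ and $Z(N;1;S)/N$ both tend to $1/4$, which `perfect_count` lets one check on a long random sequence.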

For $c = 0$ and $c = 1$ we define $Y_n^{(c)}(S)$, $n = 1, 2, \ldots$, by $Y_n^{(c)}(S) = 1$ if
$L_{2n-c}(S) = n$ and $Y_n^{(c)}(S) = 0$ if $L_{2n-c}(S) \neq n$.

Lemma 5. If $c = 0$ or $c = 1$, then $Y_1^{(c)}, Y_2^{(c)}, \ldots$ is a sequence of independent and
identically distributed random variables on $(H, \mathcal{B}, h)$.

Proof. It follows from Lemma 1 that $L_{2n-c}(S) = n$ if and only if $\deg(Q_j(S)) = n$
for some $j \ge 1$. Since the last condition is independent of $c$, we have $Y_n^{(0)} = Y_n^{(1)}$,
and we write $Y_n$ for $Y_n^{(c)}$. We have
$$h(\{S \in H : Y_n(S) = 1\}) = \sum_{j=1}^{n} h(\{S \in H : \deg(Q_j(S)) = n\}).$$
For fixed $j$, $1 \le j \le n$, we obtain from (2) and Lemma 2:
$$\begin{aligned}
h(\{S \in H : \deg(Q_j(S)) = n\}) &= \sum_{\substack{d_1, \ldots, d_j \ge 1 \\ d_1 + \cdots + d_j = n}} h(\{S \in H : \deg(A_m(S)) = d_m \text{ for } 1 \le m \le j\}) \\
&= \sum_{\substack{d_1, \ldots, d_j \ge 1 \\ d_1 + \cdots + d_j = n}} (q-1)q^{d_1} \cdots (q-1)q^{d_j} \, q^{-2(d_1 + \cdots + d_j)} \\
&= (q-1)^j q^{-n} \sum_{\substack{d_1, \ldots, d_j \ge 1 \\ d_1 + \cdots + d_j = n}} 1 = (q-1)^j q^{-n} \binom{n-1}{j-1}.
\end{aligned}$$
Thus

which shows in particular that the $Y_n$ are identically distributed. To prove that
$Y_1, \ldots, Y_k$ are independent, we choose $\varepsilon_1, \ldots, \varepsilon_k \in \{0, 1\}$ arbitrarily and let
$1 \le r_1 < r_2 < \cdots < r_t \le k$ be exactly those indices for which $\varepsilon_{r_i} = 1$. By the
remark at the beginning of the proof we have $Y_1(S) = \varepsilon_1, \ldots, Y_k(S) = \varepsilon_k$ if and
only if $r_1, \ldots, r_t$ appear as values of $\deg(Q_j(S))$ for some $j \ge 1$ and the other
elements of $\{1, 2, \ldots, k\}$ do not. This condition is equivalent to
$\deg(Q_1(S)) = r_1, \ldots, \deg(Q_t(S)) = r_t, \deg(Q_{t+1}(S)) > k$, which is in turn equivalent to
$\deg(A_1(S)) = r_1, \deg(A_2(S)) = r_2 - r_1, \ldots, \deg(A_t(S)) = r_t - r_{t-1}, \deg(A_{t+1}(S)) > k - r_t$, where we
put $r_0 = 0$ if $t = 0$. Therefore Lemma 2 yields
$$h(\{S \in H : Y_1(S) = \varepsilon_1, \ldots, Y_k(S) = \varepsilon_k\}) = (q-1)^{t+1} q^{-r_t} \sum_{m = k - r_t + 1}^{\infty} q^{-m} = (q-1)^t q^{-k}.$$
On the other hand, it follows from (7) that

and so $Y_1, \ldots, Y_k$ are independent. □

Theorem 12 (Law of the Iterated Logarithm for Perfect Linear Complexity, First Version). For $c = 0$ and $c = 1$ we have $h$-a.e.

Proof. By (7) the expected value of $Y_n$ is $(q-1)/q$ and the variance of $Y_n$ is
$$\sigma_Y^2 = \int_H Y_n^2\,dh - \Big(\frac{q-1}{q}\Big)^2 = \frac{q-1}{q} - \Big(\frac{q-1}{q}\Big)^2 = \frac{q-1}{q^2}.$$
It follows from Lemma 5 and the Hartman-Wintner law of the iterated logarithm that

Putting $n = \lfloor (N+c)/2 \rfloor$, where $\lfloor t \rfloor$ denotes the greatest integer $\le t$, and using

for $c = 0$ and $c = 1$, we obtain the theorem. $\square$

Theorem 13 (Law of the Iterated Logarithm for Perfect Linear Complexity, Second Version). If $W(N;S)$ is the number of $n$, $1 \le n \le N$, with $L_n(S) = \frac{n}{2}$ or $L_n(S) = \frac{n+1}{2}$, then $h$-a.e.

Proof. We put $n = \lfloor N/2 \rfloor$ in (8) and use

with $e(N;S) = 0$ or $1$, as follows from (9).

Theorem 14 (Central Limit Theorem for Perfect Linear Complexity, First Version). For $c = 0$ and $c = 1$ we have for any $a < b$ (where we can have $a = -\infty$ or $b = \infty$),

Proof. The expected value and the variance of $Y_n$ have been calculated in the proof of Theorem 12. From Lemma 5 and the central limit theorem we obtain

Applying this with $n = \lfloor (N+c)/2 \rfloor$ and using (9) we get
$$\lim_{N\to\infty} h(B_N(a,b,c)) = \frac{1}{\sqrt{2\pi}} \int_a^b e^{-t^2/2}\,dt,$$
where

For given $\varepsilon > 0$ we have $A_N(a,b,c) \subseteq B_N(a-\varepsilon, b+\varepsilon, c)$ for all sufficiently large $N$, hence
$$\varlimsup_{N\to\infty} h(A_N(a,b,c)) \le \lim_{N\to\infty} h(B_N(a-\varepsilon, b+\varepsilon, c)) = \frac{1}{\sqrt{2\pi}} \int_{a-\varepsilon}^{b+\varepsilon} e^{-t^2/2}\,dt.$$
With $\varepsilon \to 0^+$ we obtain
$$\varlimsup_{N\to\infty} h(A_N(a,b,c)) \le \frac{1}{\sqrt{2\pi}} \int_a^b e^{-t^2/2}\,dt.$$
Using $B_N(a+\varepsilon, b-\varepsilon, c) \subseteq A_N(a,b,c)$ for all sufficiently large $N$, we get similarly

and the desired result follows. $\square$

Theorem 15 (Central Limit Theorem for Perfect Linear Complexity, Second Version). If $W(N;S)$ is as in Theorem 13, then we have for any $a < b$ (where we can have $a = -\infty$ or $b = \infty$),

Proof. We apply (11) with $n = \lfloor N/2 \rfloor$, use (10), and proceed as in the proof of Theorem 14. $\square$

Theorem 16. We have $h$-a.e.

for all integers $c$.

Proof. For $c = 0$ and $c = 1$ this follows from Theorem 12. Now let $c \ge 2$. From the proof of Theorem 11 we obtain
$$Z(N;c;S) \le B(j(N,S);c;S) \tag{12}$$
with $B(r;c;S) = \sum_{j=1}^{r} g(A_j(S))$, where $g$ is the function on $P$ defined by $g(p) = 1$ if $\deg(p) \ge c$ and $g(p) = 0$ otherwise. By Theorem 4 we have
$$\varlimsup_{r\to\infty} \frac{B(r;c;S) - rq^{1-c}}{\sigma\,(2r\log\log r)^{1/2}} = 1 \qquad h\text{-a.e.},$$
where
$$\sigma^2 = \sum_{p \in P} g(p)^2 q^{-2\deg(p)} - q^{2-2c} = q^{1-c} - q^{2-2c} = q^{1-2c}(q^c - q).$$
For an $S \in H$ with the property above and for a given $0 < \varepsilon < 1$ we therefore get
$$B(j(N,S);c;S) - j(N,S)q^{1-c} \le (1+\varepsilon)\,\sigma\,(2j(N,S)\log\log j(N,S))^{1/2} \tag{13}$$
for all sufficiently large $N$. By Corollary 3 we can assume that the $S \in H$ under consideration satisfies
$$\deg(Q_n(S)) \ge \frac{qn}{q-1} - \frac{1+\varepsilon}{q-1}(2qn\log\log n)^{1/2}$$
for all sufficiently large $n$. By the definition of $j(N,S)$ in the proof of Theorem 11 we have

for all sufficiently large $N$. Put
$$F(j) = \frac{2qj}{q-1} - \frac{2(1+\varepsilon)}{q-1}(2qj\log\log j)^{1/2}.$$
Then $F(j)$ is an increasing function of $j$ for sufficiently large $j$ and it is easily checked that
$$F\Big(\frac{(q-1)N}{2q} + 1 + \frac{1+2\varepsilon}{q}\big((q-1)N\log\log N\big)^{1/2}\Big) > N$$
for all sufficiently large $N$. It follows that
$$j(N,S) \le \frac{(q-1)N}{2q} + 1 + \frac{1+2\varepsilon}{q}\big((q-1)N\log\log N\big)^{1/2} \tag{14}$$
for all sufficiently large $N$. In particular, we have $j(N,S) \le (1+\varepsilon)^2(q-1)N/(2q)$ for all sufficiently large $N$. Now (12), (13), and (14) yield
$$Z(N;c;S) - \frac{(q-1)N}{2q^c} \le B(j(N,S);c;S) - j(N,S)q^{1-c} + \Big(j(N,S) - \frac{(q-1)N}{2q}\Big)q^{1-c}$$
$$\le (1+\varepsilon)\,\sigma\,(2j(N,S)\log\log j(N,S))^{1/2} + q^{1-c}\Big(1 + \frac{1+2\varepsilon}{q}\big((q-1)N\log\log N\big)^{1/2}\Big)$$
$$\le (1+3\varepsilon)\,\frac{(q^c-q)^{1/2} + 1}{q^c}\,(q-1)^{1/2}\,(N\log\log N)^{1/2}$$
for all sufficiently large $N$, and so the first part of the theorem is shown for $c \ge 2$. The remaining cases are proved similarly. $\square$

7. CONTINUED FRACTION TESTS

From Lemma 1 we see that a linear complexity profile always has the following form:
$$0, \ldots, 0,\; d_1, \ldots, d_1,\; d_1 + d_2, \ldots, d_1 + d_2,\; \ldots \tag{15}$$
with $0$ repeated $d_1 - 1$ times and $\sum_{i=1}^{j} d_i$ repeated $d_j + d_{j+1}$ times for all $j \ge 1$, where $d_1, d_2, \ldots$ are positive integers given by $d_j = \deg(A_j(S))$. Therefore, prescribing a linear complexity profile is equivalent to prescribing $d_1, d_2, \ldots$. If an arbitrary sequence $d_1, d_2, \ldots$ of positive integers is given, then the following algorithm in Niederreiter [8] generates a sequence $s_1, s_2, \ldots$ of elements of $\mathbb{F}_q$ whose linear complexity profile is as in (15). We put $q_j = \sum_{i=1}^{j} d_i$ for $j \ge 1$. We recall that the polynomial $a_k x^k + \cdots + a_1 x + a_0$ associated with the linear recursion (1) is called the characteristic polynomial of the linear recursion.

Algorithm
Initialization: $Q_0 = 1$ (considered as a polynomial over $\mathbb{F}_q$).
Step 1: Choose a polynomial $A_1$ over $\mathbb{F}_q$ with $\deg(A_1) = d_1$ and let $Q_1 = A_1$. Calculate the terms $s_i$ with $1 \le i \le q_1 + q_2 - 1$ by the linear recursion with characteristic polynomial $Q_1$ and initial values $s_i = 0$ for $1 \le i \le q_1 - 1$, $s_i = c^{-1}$ for $i = q_1$, where $c$ is the leading coefficient of $Q_1$.
Step $j$ (for $j \ge 2$): Suppose the polynomials $Q_1, \ldots, Q_{j-1}$ and the terms $s_i$ with $1 \le i \le q_{j-1} + q_j - 1$ have already been calculated. Choose a polynomial $A_j$ over $\mathbb{F}_q$ with $\deg(A_j) = d_j$ and let $Q_j = A_j Q_{j-1} + Q_{j-2}$. Calculate the terms $s_i$ with $q_{j-1} + q_j \le i \le q_j + q_{j+1} - 1$ from the previously calculated terms by the linear recursion with characteristic polynomial $Q_j$.

If this procedure is continued indefinitely, it yields a nonperiodic sequence with the prescribed linear complexity profile. If the procedure is broken off after finitely many steps, then a minor modification in the last step is needed (see [8]).
Let $S$ be an arbitrary sequence of elements of $\mathbb{F}_q$ and let $A_j(S)$, $j = 1, 2, \ldots$, as usual be the polynomials appearing in the continued fraction expansion of the generating function of $S$. If we put $d_j(S) = \deg(A_j(S))$, then each $d_j$ can be viewed as a random variable on the probability space $(H, \mathcal{B}, h)$ and the values of $d_j$ are positive integers. By Lemma 4 the random variables $d_1, d_2, \ldots$ are independent and identically distributed. For every positive integer $m$, the probability that $d_j = m$ is equal to $(q-1)q^{-m}$ by Lemma 2. Thus, in a statistical sense we can say that the linear complexity profile of a random sequence of elements of $\mathbb{F}_q$ has the form (15), where $d_1, d_2, \ldots$ are independent and identically distributed with the probability distribution $\mathrm{Prob}(d_j = m) = (q-1)q^{-m}$ for all positive integers $m$. We note that each $d_j$ has expected value $q/(q-1)$ and variance $q/(q-1)^2$, as shown in the proof of Corollary 3. In particular, in (15) we can expect an average step height of $q/(q-1)$ and an average step length of $2q/(q-1)$. For $q = 2$ this agrees with a result of Rueppel [11, p. 45] that was proved by a different method.

This description of the linear complexity profile of a random sequence of elements of $\mathbb{F}_q$ can serve as the basis for new types of randomness tests. For a concretely given sequence $S$, we can calculate $d_j = d_j(S)$ by the Berlekamp-Massey algorithm (see [5, Ch. 6], [7]). The sequence $d_1, d_2, \ldots$ is then subjected to conventional statistical tests for randomness, the null hypothesis being that $d_1, d_2, \ldots$ are independent and identically distributed with the probability distribution given above. More generally, we can calculate the $A_j(S)$ by the continued fraction algorithm or the Berlekamp-Massey algorithm, take an arbitrary real-valued function $g$ on $P$, and use the independent and identically distributed random variables $X_j$ in Lemma 4 as the basis for a randomness test. These types of randomness tests may be called continued fraction tests.

Other types of randomness tests may be based on the independent and identically distributed random variables $Y_n = Y_n^{(c)}$ in Lemma 5 for which the probability distribution is given by $\mathrm{Prob}(Y_n = 0) = 1/q$, $\mathrm{Prob}(Y_n = 1) = (q-1)/q$ according to (7).
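The algorithm of this section and the continued fraction test described after it, worked through in Python as an added example; this is not code from the paper or from [8]. The sequence is built over a prime field GF(p), standing in for $\mathbb{F}_q$ with $q = p$; the polynomials $A_j$ are drawn at random with a fixed seed (our choice, the paper allows any $A_j$ of degree $d_j$); the resulting profile is recomputed with the Berlekamp-Massey algorithm and compared with (15); and the jump heights $d_j$ of an arbitrary sequence are scored against $\mathrm{Prob}(d_j = m) = (q-1)q^{-m}$ with a chi-square statistic, in which the pooling of heights above a cut-off `bins` is our choice.

```python
# Added example, not code from the paper or from [8].
import random

def poly_mul(a, b, p):
    """Product of polynomials over GF(p); coefficient lists, low degree first."""
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % p
    return out

def random_poly(degree, p, rng):
    """A polynomial of exactly the given degree (nonzero leading coefficient)."""
    return [rng.randrange(p) for _ in range(degree)] + [rng.randrange(1, p)]

def next_term(s, q_poly, i, p):
    """s_i from s_{i-k}, ..., s_{i-1} via a_0 s_n + ... + a_k s_{n+k} = 0, the recursion
    with characteristic polynomial q_poly of degree k (s is 1-indexed, s[0] unused)."""
    k = len(q_poly) - 1
    acc = sum(q_poly[t] * s[i - k + t] for t in range(k)) % p
    return (-acc * pow(q_poly[k], -1, p)) % p

def prescribed_sequence(d, p, seed=1):
    """s_1, ..., s_N over GF(p) with the profile (15) for d = [d_1, ..., d_r].
    Steps 1 .. r-1 of the algorithm are run, so N = q_{r-1} + q_r - 1 and the
    modified last step of [8] is not needed.  The A_j are random (our choice)."""
    rng = random.Random(seed)
    r, q = len(d), [0]
    for di in d:
        q.append(q[-1] + di)                      # q_j = d_1 + ... + d_j
    N = q[r - 1] + q[r] - 1
    s = [None] + [0] * N                          # s_i = 0 for 1 <= i <= q_1 - 1
    Q_prev2, Q_prev1 = None, [1]                  # Q_0 = 1
    for j in range(1, r):
        A = random_poly(d[j - 1], p, rng)
        if j == 1:
            Q = A                                 # Q_1 = A_1
            s[q[1]] = pow(Q[-1], -1, p)           # s_{q_1} = c^{-1}, c the leading coefficient
            lo = q[1] + 1
        else:
            Q = poly_mul(A, Q_prev1, p)           # Q_j = A_j Q_{j-1} + Q_{j-2}
            for t, coeff in enumerate(Q_prev2):
                Q[t] = (Q[t] + coeff) % p
            lo = q[j - 1] + q[j]
        for i in range(lo, q[j] + q[j + 1]):     # q_{j-1}+q_j <= i <= q_j+q_{j+1}-1
            s[i] = next_term(s, Q, i, p)
        Q_prev2, Q_prev1 = Q_prev1, Q
    return s[1:]

def berlekamp_massey_profile(s, p):
    """Linear complexity profile L_1, ..., L_N of s over GF(p)."""
    n = len(s)
    C, B = [1] + [0] * n, [1] + [0] * n           # connection polynomial and its last copy
    L, m, b, profile = 0, 1, 1, []
    for i in range(n):
        disc = s[i]                               # discrepancy of the current LFSR at s_i
        for t in range(1, L + 1):
            disc = (disc + C[t] * s[i - t]) % p
        if disc != 0:
            coef, T = disc * pow(b, -1, p) % p, C[:]
            for t in range(n + 1 - m):
                C[t + m] = (C[t + m] - coef * B[t]) % p
            if 2 * L <= i:                        # length change: L jumps to i + 1 - L
                L, B, b, m = i + 1 - L, T, disc, 0
        m += 1
        profile.append(L)
    return profile

def expected_profile(d):
    """(15) written out: 0 repeated d_1 - 1 times, then q_j repeated d_j + d_{j+1} times."""
    prof, q = [0] * (d[0] - 1), 0
    for j in range(len(d) - 1):
        q += d[j]
        prof += [q] * (d[j] + d[j + 1])
    return prof

def jump_heights(profile):
    """The d_j recovered from a profile: the heights of its jumps."""
    prev, out = 0, []
    for L in profile:
        if L > prev:
            out.append(L - prev)
            prev = L
    return out

def continued_fraction_statistic(s, p, bins=4):
    """Chi-square statistic of the jump heights of s against the null hypothesis
    Prob(d_j = m) = (p-1) p^(-m); heights >= bins are pooled into the last bin."""
    d = jump_heights(berlekamp_massey_profile(s, p))
    observed = [0] * bins
    for x in d:
        observed[min(x, bins) - 1] += 1
    expected = [len(d) * (p - 1) * p ** (-m) for m in range(1, bins)]
    expected.append(len(d) - sum(expected))       # tail mass Prob(d_j >= bins) = p^(1-bins)
    return sum((o - e) ** 2 / e for o, e in zip(observed, expected))
```

The generator stops after step $r-1$ on purpose: the last prescribed $d_r$ then only fixes the length of the final plateau, so the sequence of $N = q_{r-1} + q_r - 1$ terms has exactly the profile (15) and the last-step modification of [8] is not needed. The statistic is large for the prescribed sequence with all $d_j = 1$ (every jump has height 1, against an expected geometric spread), which is the kind of non-random profile the test is meant to flag.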

REFERENCES

[1] P. Billingsley: Ergodic Theory and Information, Wiley, New York, 1965.
[2] N. H. Bingham: Variants on the law of the iterated logarithm, Bull. London Math. Soc. 18, 433-467 (1986).
[3] U. Krengel: Ergodic Theorems, de Gruyter, Berlin, 1985.
[4] L. Kuipers and H. Niederreiter: Uniform Distribution of Sequences, Wiley, New York, 1974.
[5] R. Lidl and H. Niederreiter: Introduction to Finite Fields and Their Applications, Cambridge Univ. Press, Cambridge, 1986.
[6] M. Loève: Probability Theory, 3rd ed., Van Nostrand, New York, 1963.
[7] J. L. Massey: Shift-register synthesis and BCH decoding, IEEE Trans. Information Theory 15, 122-127 (1969).
[8] H. Niederreiter: Sequences with almost perfect linear complexity profile, Advances in Cryptology - EUROCRYPT '87 (D. Chaum and W. L. Price, eds.), Lecture Notes in Computer Science, Vol. 304, pp. 37-51, Springer, Berlin, 1988.
[9] M. Rosenblatt: Random Processes, 2nd ed., Springer, New York, 1974.
[10] R. A. Rueppel: Linear complexity and random sequences, Advances in Cryptology - EUROCRYPT '85 (F. Pichler, ed.), Lecture Notes in Computer Science, Vol. 219, pp. 167-188, Springer, Berlin, 1986.
[11] R. A. Rueppel: Analysis and Design of Stream Ciphers, Springer, Berlin, 1986.

The author gratefully acknowledges support for this research project by the Austrian
Ministry for Science and Research.
A PROBABILISTIC PRIMALITY TEST BASED ON THE PROPERTIES OF CERTAIN GENERALIZED LUCAS NUMBERS

Adina Di Porto and Piero Filipponi

Fondazione Ugo Bordoni
I-00142 Roma, Italy

Abstract

After defining a class of generalized Fibonacci numbers and Lucas numbers, we characterize the Fibonacci pseudoprimes of the $m$-th kind.
In virtue of the apparent paucity of the composite numbers which are Fibonacci pseudoprimes of the $m$-th kind for distinct values of the integral parameter $m$, a method, which we believe to be new, for finding large probable primes is proposed. An efficient computational algorithm is outlined.

1. Introduction and generalities

In this paper, after defining the generalized Fibonacci numbers $U_n$ and the generalized Lucas numbers $V_n$ (Sec. 1), the Fibonacci pseudoprimes of the $m$-th kind are characterized (Sec. 2).
In virtue of the scarceness of the pseudoprimes which are simultaneously of the $m$-th kind for distinct values of $m$, a method for finding probable primes is proposed in Sec. 3 (for a definition of probable primes see [1]).
In Sec. 4 some theoretical aspects concerning the above said pseudoprimes are considered.
Let $m$ be an arbitrary natural number. The generalized Fibonacci numbers $U_n(m)$ (or simply $U_n$, if there is no fear of confusion) and the generalized Lucas numbers $V_n(m)$ (or simply $V_n$) are defined (e.g., see [2]) by the second order recurrence relations

Work carried out in the framework of the Agreement between the Italian PT Administration and the Fondazione "Ugo Bordoni".

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 211-223, 1988.
© Springer-Verlag Berlin Heidelberg 1988

$$U_{n+2} = mU_{n+1} + U_n; \qquad U_0 = 0,\ U_1 = 1 \tag{1.1}$$
and
$$V_{n+2} = mV_{n+1} + V_n; \qquad V_0 = 2,\ V_1 = m, \tag{1.2}$$

respectively. These numbers can also be expressed [2] by means of the closed forms (Binet forms)

where
$$\Delta = (m^2 + 4)^{1/2}, \qquad \alpha = (m + \Delta)/2, \qquad \beta = (m - \Delta)/2. \tag{1.5}$$
The notations $\alpha_m$, $\beta_m$ and $\Delta_m$ will be employed whenever the meaning of $\alpha$, $\beta$ and $\Delta$ can be misunderstood (e.g., see Lemma 2). By (1.5) it can be seen that $\alpha\beta = -1$ and $\alpha + \beta = m$. Moreover, it can be noted that, letting $m = 1$ in (1.1) and (1.2), the usual Fibonacci numbers $F_n$ and Lucas numbers $L_n$ turn out, respectively.
A further interesting expression for $V_n$ is [3]
$$V_n = \sum_{i=0}^{\lfloor n/2 \rfloor} C_{n,i}\, m^{n-2i} \tag{1.6}$$
where

Rewriting (1.6) as
$$V_n = m^n + n \sum_{i=1}^{\lfloor n/2 \rfloor} \frac{C_{n,i}}{n}\, m^{n-2i}, \tag{1.8}$$
noting that, if $n$ is a prime then $C_{n,i}/n$ is an integer and using Fermat's little theorem, the following fundamental property of the numbers $V_n$ is established
$$V_n(m) \equiv m \pmod n \quad \forall m \quad (\text{if } n \text{ is a prime}). \tag{1.9}$$


2. The Fibonacci pseudoprimes of the $m$-th kind: definition and numerical aspects

Observing (1.9), the following question arises spontaneously: "Do odd composites exist which satisfy this congruence?" The answer is affirmative.
We define as Fibonacci Pseudoprimes of the $m$-th kind ($m$-F.Psps.) all odd composite integers $n$ for which $V_n(m) \equiv m \pmod n$ and denote them by $s_k(m)$ ($k = 1, 2, \ldots$). The corresponding sets will be denoted by $S_m$, while the sets of all $m$-F.Psps. not exceeding a given $n$ will be denoted by $S_{m,n}$. For example, we found that $s_1(1) = 705 = 3 \cdot 5 \cdot 47$, $s_1(2) = 169 = 13^2$ and $s_1(3) = 33 = 3 \cdot 11$.
The numbers $s_k(1)$ have been analyzed in previous papers [4], [5]. In particular, we found that all composite integers belonging to $S_{1,n}$ (for $n = 10^8$) are square-free and most of them are congruent to 1 both modulo 4 (82.3%) and modulo 10 (63.2%). Moreover, we noted that this behavior seems to become more marked as $n$ increases, but we were not able to find any justification of these facts.
Now, another question arises: "Do odd composite integers exist which are $m$-F.Psps. for distinct values of $m$?" Once again, the answer is affirmative. For example, the number $34{,}561 = 17 \cdot 19 \cdot 107$ is the smallest number belonging to both $S_1$ and $S_2$.
A computer experiment was carried out essentially to determine the cardinality of the intersections

Namely, we found that, for $n = 10^8$,

The fact that $G_{n,3}$ and $G_{n,4}$ have the same cardinality will be justified by Theor. 6 (Sec. 4). The numbers (below $10^8$) belonging to these two sets are
$s_{89}(1) = 1{,}034{,}881 = 41 \cdot 43 \cdot 587$
$2{,}184{,}533 = 13 \cdot 197 \cdot 853$
$15{,}485{,}185 = 5 \cdot 79 \cdot 197 \cdot 199$
$s_{561}(1) = 39{,}002{,}041 = 13 \cdot 19 \cdot 269 \cdot 587$
$s_{802}(1) = 87{,}318{,}001 = 17 \cdot 71 \cdot 73 \cdot 991$
of which the latter belongs also to $G_{n,5}$, besides being a Carmichael number [1].
Let $\sigma_m(n) = |S_{m,n}|$ be the $m$-F.Psp.-counting function. The behavior of $\sigma_1(n)$ vs. $n$ is shown in Fig. 1, while the behavior of $|G_n|$ is shown in Table 1.
Fig. 1 - Behavior of $\sigma_1(n)$ vs. $n$ ($n$ in millions, from 0 to 100, on the horizontal axis; $\sigma_1(n)$ from 0 to 1200 on the vertical axis).

Table 1

n          |G_n|        n          |G_n|
10^7       18           6·10^7     39
2·10^7     27           7·10^7     41
3·10^7     30           8·10^7     44
4·10^7     36           9·10^7     45
5·10^7     38           10^8       48

Numerically, $\sigma_1(n)$ seems asymptotically related to the prime-counting function $\pi(n)$. The inspection of Fig. 1 suggests the following

CONJECTURE 1: "There exists a positive constant $c$ not exceeding 1 such that $\sigma_1(n)$ is asymptotic to $c\,\pi(\sqrt{n})$."

3. A possible probabilistic primality test

The numerical evidence that turns out from the experimental results suggests a method for obtaining probable primes.
Let $\langle a \rangle_b$ denote the remainder of $a$ divided by $b$. For given integers $n$ (odd) and $M$ ($n > M$), let us calculate
$$r_m = \langle V_n(m) \rangle_n \quad \text{for } m = 1, 2, \ldots, M. \tag{3.1}$$
If $r_m \ne m$ for some value of $m$, then $n$ is composite. If $n$ passes $M$ consecutive tests, that is if $r_m = m$ for all values of $m$ ($1 \le m \le M$), then $n$ is a probable prime (with probability $P_M$). A thorough investigation of the properties of the $m$-F.Psps. could suggest a suitable value for $M$ depending on the order of magnitude of $n$. This will be the aim of a future work.
It must be noted that, if Conj. 1 were proved, a sufficiently large $n$ which passes the first test ($m = 1$) would be prime with probability
$$P_1 = 1 - 2c/\sqrt{n}. \tag{3.2}$$
Due to the apparent extreme scarceness of the composites $n$ belonging to $S_m$ for all $m = 1, 2, \ldots, M$, the probability $P_M$ seems to rapidly increase as $M$ increases. The choice of the most suitable set of tests to which to submit $n$ is still an open problem.
By suitably modifying the algorithm for obtaining $r_1 = \langle L_n \rangle_n$ [4], an efficient calculation of $V_n$ reduced modulo $n$ can be performed. The so-obtained algorithm finds $r_m$ after $[\log_2 n]$ recursive calculations. For example, ascertaining that the 81-digit composite
110,221,474,294,665,636,794,016,854,991,608,758,669,691,745,119,008,792,721,304,656,075,481,680,733,031,679
belongs to $S_1$ required a calculation time of about 25 seconds on a VAX 11/750 computer.

4. Some properties of the $m$-F.Psps.

In this section several properties of the $m$-F.Psps. are demonstrated. We hope that they can lead to the discovery of further properties of these numbers. In particular, a formula which gives the minimum value of $M$ (or an upper bound for this value) for which $|G_{n,M}| = 0$, once $n$ is given, would be greatly appreciated.
First, let us state some theorems concerning the case $m = 1$.

THEOREM 1: If $n$ is an odd integer not divisible by 3 and $L_n \equiv 1 \pmod n$, then
$$L_{L_n} \equiv 1 \pmod{L_n}.$$

Proof: Since it is known [6] that $L_n$ is odd, we can write

Case 1: $L_n = 4h + 1 \equiv 1 \pmod n$ $\quad (h \in \mathbb{N} = \{0, 1, 2, \ldots\})$.

We have $2h \equiv 0 \pmod n$, whence [7]
$$F_{2h} \equiv 0 \pmod{L_n}. \tag{4.1}$$
From the identities available in [8, p. 95], we can write
$$L_{4h+1} - 1 = 5F_{2h}F_{2h+1}, \tag{4.2}$$
whence, by (4.1),
$$L_{L_n} - 1 = 5 \cdot 0 \cdot F_{2h+1} \equiv 0 \pmod{L_n}.$$

Case 2: $L_n = 4h - 1 \equiv 1 \pmod n$

We have $2h - 1 \equiv 0 \pmod n$, whence [7]
$$L_{2h-1} \equiv 0 \pmod{L_n}. \tag{4.3}$$
Again from [8, p. 95], we can write
$$L_{4h-1} - 1 = L_{2h}L_{2h-1}, \tag{4.4}$$
whence, by (4.3),
$$L_{L_n} - 1 = L_{2h} \cdot 0 \equiv 0 \pmod{L_n}. \qquad \text{Q.E.D.}$$

From Theor. 1 we can derive the following corollaries.

COROLLARY 1: If $p \ge 5$ is a prime and $L_p$ is composite, then $L_p \in S_1$.

COROLLARY 2: If $n$ is not divisible by 3 and belongs to $S_1$, then $L_n \in S_1$.

Proof:
(i) From Theor. 1 we have $L_{L_n} \equiv 1 \pmod{L_n}$.
(ii) By hypothesis $n = st$, with $s$ and $t$ odd integers not divisible by 3. Hence $L_n$ is odd and composite [7]. This completes the proof. It can be noted that also $L_n$ is not divisible by 3, as $n$ is odd [6]. Q.E.D.
If $n$ is not divisible by 3 and belongs to $S_1$, then the number $L_n$ fulfils the same conditions. Therefore, we can claim that

and such a statement can be iterated ad infinitum, so that
$$L_{L_{L_{\cdots L_n}}} \in S_1.$$
Consequently, since there exists at least a number $s_k(1)$ not divisible by 3 (the smallest among them is $s_2(1) = 2{,}465$) the following proposition can be stated

PROPOSITION 1 (Conj. 3 in [4]): There exist infinitely many 1-F.Psps.

THEOREM 2: For $k \in \mathbb{N}$,
$$L_{L_{2^k}} \equiv 1 \pmod{L_{2^k}}.$$

Proof: The statement holds clearly for $k = 0, 1$. In fact, we have $L_1 \equiv 1 \pmod 1$ and $L_3 \equiv 1 \pmod 3$. Hence, let us consider $k \ge 2$. It is known [9] that
$$L_{2^k} + 1 \equiv 0 \pmod{2^k}, \tag{4.5}$$
so $L_{2^k}$ can be rewritten as
$$L_{2^k} = h2^k - 1 \quad (h \in \mathbb{N}). \tag{4.6}$$
Since $L_{2^k} = 4(h2^{k-2}) - 1$, the identity (4.4) gives
$$L_{L_{2^k}} - 1 = L_{h2^{k-1}}\,L_{h2^{k-1}-1}. \tag{4.7}$$
In order to satisfy the congruence
$$L_{L_{2^k}} - 1 \equiv 0 \pmod{L_{2^k}} \tag{4.8}$$
it suffices that the left factor on the right-hand side of (4.7) is divisible by $L_{2^k}$, that is, it suffices [7] that $h2^{k-1}$ is an odd multiple of $2^k$. Equivalently, we can say that the fulfilment of the equality $h = 2(2t+1)$ ($t \in \mathbb{N}$), that is of the equality (see (4.6))
$$L_{2^k} + 1 = (2t+1)2^{k+1} \quad (t \in \mathbb{N}), \tag{4.9}$$
is a sufficient condition for the congruence (4.8) to be satisfied.

To establish the general validity of (4.9) we shall use induction on $k$ and the identity $I_{11}$ [10] which allows us to write
$$L_{2^{k+1}} = L_{2^k}^2 - 2. \tag{4.10}$$
The equality (4.9) holds for $k = 2$. In fact, we have $L_4 + 1 = 8 = (2 \cdot 0 + 1)2^3$. Let us suppose that (4.9) holds up to a certain $k > 2$. For the inductive step $k \to k+1$, from (4.10) and (4.9) we can write
$$L_{2^{k+1}} + 1 = (L_{2^k} + 1)(L_{2^k} - 1) = (2t+1)2^{k+1}\big((2t+1)2^{k+1} - 2\big) = (2t+1)\big((2t+1)2^k - 1\big)2^{k+2},$$
and $(2t+1)((2t+1)2^k - 1)$ is odd, so (4.9) holds for $k + 1$. Q.E.D.

COROLLARY 3: If $L_{2^k}$ is composite, then $L_{2^k} \in S_1$.

To prove the next theorem we need the following

LEMMA 1: If $L_n \equiv 0 \pmod n$, then $L_n \equiv 0 \pmod{3n}$.

Proof: The congruence $L_n \equiv 0 \pmod n$ implies [8, Theor. F, p. 72] that
$$n = 6(2k+1) = 2 \cdot 3^{r+1}(6h \pm 1) \quad (k, r, h \in \mathbb{N}). \tag{4.11}$$
Therefore, it suffices to prove that
$$L_{2 \cdot 3^{r+1}(6h \pm 1)} \equiv 0 \pmod{3^{r+2}}. \tag{4.12}$$
Let us invoke induction on $r$. The congruence (4.12) holds for $r = 0$. In fact, considering the sequence $(L_n)$ reduced modulo 9 [6], it is readily seen that $L_{6(6h \pm 1)} \equiv 0 \pmod 9$. Let us suppose that (4.12) holds up to a certain $r > 0$. For the inductive step $r \to r+1$, using the identity $L_{3n} = L_n L_{2n} - L_n$ ($n$ even) [10], we write
$$L_{2 \cdot 3^{r+2}(6h \pm 1)} = L_{2 \cdot 3^{r+1}(6h \pm 1)}\big(L_{4 \cdot 3^{r+1}(6h \pm 1)} - 1\big). \tag{4.13}$$
It is known [6] that $L_{4 \cdot 3^{r+1}(6h \pm 1)} \equiv 1 \pmod 3$. Then, by (4.13) and hypothesis we obtain the congruence $L_{2 \cdot 3^{r+2}(6h \pm 1)} \equiv 0 \pmod{3^{r+3}}$. Q.E.D.

THEOREM 3: If $L_n \equiv 0 \pmod n$, then
$$L_{L_n - 1} \equiv 1 \pmod{L_n - 1}.$$

Proof: Since we have necessarily (see (4.11)) $n = 6(2h+1)$ and, therefore [6] $L_n = 4k + 2$ ($k \in \mathbb{N}$), from Lemma 1 we have $L_n = 4k + 2 \equiv 0 \pmod{18(2h+1)}$ ($h \in \mathbb{N}$), that is
$$2k + 1 \equiv 0 \pmod{9(2h+1)}. \tag{4.14}$$
From [8, p. 95] we can write
$$L_n - 1 = L_{4(3h+1)+2} - 1 = F_{3[2(3h+1)+1]} / F_{2(3h+1)+1} \tag{4.15}$$
whence
$$L_n - 1 \mid F_{9(2h+1)}. \tag{4.16}$$
Moreover, since $L_n - 1 = 4k + 1$, (4.2) gives
$$L_{L_n - 1} - 1 = L_{4k+1} - 1 = 5F_{2k}F_{2k+1}. \tag{4.17}$$
Since, by (4.16) and (4.14), we see that $L_n - 1 \mid F_{9(2h+1)}$ and [7] $F_{9(2h+1)} \mid F_{2k+1}$, from (4.17) we obtain
$$L_{L_n - 1} - 1 = 5F_{2k} \cdot 0 \equiv 0 \pmod{L_n - 1}. \qquad \text{Q.E.D.}$$

COROLLARY 4: If $L_n \equiv 0 \pmod n$ and $L_n - 1$ (necessarily odd) is composite, then $L_n - 1 \in S_1$.

COROLLARY 5 (see [11]): If $L_{2 \cdot 3^k} - 1$ ($k \ge 1$) is composite, then $L_{2 \cdot 3^k} - 1 \in S_1$.

THEOREM 4: If $n = p_1 p_2 \cdots p_k$, with $p_i = 5h_i \pm 1$ ($1 \le i \le k$), is a Carmichael number, then $n \in S_1$.
Proof: Let $P_i$ be a repetition period (not necessarily the shortest period) of the Lucas sequence reduced modulo the prime $p_i$ and let $\Lambda = \mathrm{l.c.m.}(P_1, P_2, \ldots, P_k)$.
A sufficient condition for $n$ to belong to $S_1$ is that
$$h\Lambda + 1 = n \quad (h \in \mathbb{N}). \tag{4.18}$$
In fact, the fulfilment of this condition implies that $L_{h\Lambda+1} \equiv L_1 = 1 \pmod{p_1 p_2 \cdots p_k}$. On the other hand, it is known [6] that if $p_i = 5h_i \pm 1$, then $P_i = p_i - 1$. Therefore, it is immediately seen that $\Lambda$ equals the Carmichael $\lambda$ function [1]. Since, by hypothesis, $\lambda \mid n - 1$, from (4.18) the theorem is proved. Q.E.D.

The smallest Carmichael number of the above type which is also a 1-F.Psp. is $s_{44}(1) = 252{,}601 = 41 \cdot 61 \cdot 101$, while the absolutely smallest Carmichael number which is also a 1-F.Psp. is $s_2(1) = 2{,}465 = 5 \cdot 17 \cdot 29$.
Now, let us state some theorems concerning the case $m \ge 1$.

THEOREM 5: If $p \ge 5$ is a prime such that $\Delta^2$ is not divisible by $p$, then
$$V_{U_p} \equiv m \pmod{U_p}.$$

Proof: On the basis of the periodicity of the sequence $(U_n)$ reduced modulo 4 [6], it can be readily proved that, if $p \ge 5$, then $U_p$ has the form $4h + 1$ ($h \in \mathbb{N}$). Since we have [12] $U_p \equiv \pm 1 \pmod p$ (except for the case $\Delta^2 \equiv 0 \pmod p$ which implies $U_p \equiv 0 \pmod p$), we can write $U_p = 4h + 1 \equiv \pm 1 \pmod p$.

Case 1: $U_p = 4h + 1 \equiv 1 \pmod p$

We have $2h \equiv 0 \pmod p$ and, since [12] $U_n \mid U_{kn}$,
$$U_{2h} \equiv 0 \pmod{U_p}. \tag{4.19}$$
By using the identity
$$V_{4h+1} - m = \Delta^2 U_{2h} U_{2h+1}, \tag{4.20}$$
easily obtainable with the aid of (1.3) and (1.4), we have
$$V_{U_p} - m = V_{4h+1} - m = \Delta^2 U_{2h} U_{2h+1} \tag{4.21}$$
whence, by (4.19)
$$V_{U_p} - m \equiv \Delta^2 \cdot 0 \cdot U_{2h+1} \equiv 0 \pmod{U_p}.$$

Case 2: $U_p = 4h + 1 \equiv -1 \pmod p$

The proof is analogous to that of Case 1 and is omitted for brevity. Q.E.D.

It must be noted that, for $m = 1$ and $p = 5$, the statement of Theor. 5 is true even though $\Delta^2 = 5 \equiv 0 \pmod 5$. In fact, we have
$$L_{F_5} = L_5 = 11 \equiv 1 \pmod{F_5}.$$

COROLLARY 6: If $p \ge 5$ is a prime, $\Delta^2$ is not divisible by $p$ and $U_p$ (necessarily odd) is composite, then $U_p \in S_m$.

COROLLARY 7: If $p$ is a prime and $F_p$ is composite, then $F_p \in S_1$.

In order to prove the last theorem, we need to prove the following two lemmata.

(4.22)

Using (1.4), (4.22) becomes
$$\{\alpha_m^{2k+1} + \beta_m^{2k+1} + (\alpha_m^{2k+1} - \beta_m^{2k+1})\}/2 = \alpha_m^{2k+1}. \tag{4.23}$$
Analogously, it is seen that

(4.24)

The statement of the lemma follows directly from (4.23), (4.24) and (1.4). Q.E.D.
LEMMA 3: If $h \in \mathbb{N}$ and $n \in S_m$, then $V_{hn}(m) \equiv V_h(m) \pmod n$.

Proof: Let us rewrite the result established in [13, Cor. 7] as

(4.25)

By hypothesis, (4.25) and (1.6), we can write

THEOREM 6: If an odd composite $n$ passes the $m$-th test, then it passes also the $V_{2k+1}(m)$-th tests ($k = 1, 2, \ldots$).

As particular cases, we see that

- if $n$ passes the 1st test ($m = 1$), then it passes also the tests for $m = 4, 11, 29, 76, 199, 521, 1364, \ldots$
- if $n$ passes the 2nd test ($m = 2$), then it passes also for $m = 14, 82, 478, 2786, \ldots$
- if $n$ passes the 3rd test ($m = 3$), then it passes also for $m = 36, 393, 4287, 46764, \ldots$
- if $n$ passes the 4th test ($m = 4$), then it passes also for $m = 76, 1364, \ldots$ (cf. the tests passed for $m = 1$).
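The test of Section 3 and the parameter lists of Theorem 6, as an added Python example; this is not the authors' VAX program, which the paper does not reproduce. $V_n(m) \bmod n$ is computed with the standard doubling formulas for Lucas sequences with $Q = -1$ ($V_{2k} = V_k^2 - 2(-1)^k$, $V_{2k+1} = V_kV_{k+1} - m(-1)^k$), which gives the $[\log_2 n]$ recursive steps mentioned in Section 3. The pseudoprime search, the trial-division classifier used only for small $n$, and the bounds in the usage are our choices.

```python
# Added example, not the authors' program.

def lucas_v_mod(m, n, mod):
    """V_n(m) mod `mod` for V_0 = 2, V_1 = m, V_{k+2} = m V_{k+1} + V_k (Q = -1).
    Binary ladder on the pair (V_k, V_{k+1}) using
        V_{2k}   = V_k^2 - 2(-1)^k,
        V_{2k+1} = V_k V_{k+1} - m(-1)^k,
        V_{2k+2} = V_{k+1}^2 + 2(-1)^k,
    one doubling per bit of n, i.e. about log2(n) steps as in Section 3."""
    vk, vk1, k = 2 % mod, m % mod, 0
    for bit in bin(n)[2:]:
        sign = -1 if k & 1 else 1                    # (-1)^k
        v2k = (vk * vk - 2 * sign) % mod
        v2k1 = (vk * vk1 - m * sign) % mod
        v2k2 = (vk1 * vk1 + 2 * sign) % mod
        if bit == "0":
            vk, vk1, k = v2k, v2k1, 2 * k
        else:
            vk, vk1, k = v2k1, v2k2, 2 * k + 1
    return vk

def lucas_v(m, n):
    """Exact V_n(m) by the recurrence (1.2); used for the small Theorem 6 parameters."""
    a, b = 2, m
    for _ in range(n):
        a, b = b, m * b + a
    return a

def passes_test(n, m):
    """r_m = <V_n(m)>_n equals m, i.e. n passes the m-th test of (3.1)."""
    return lucas_v_mod(m, n, n) == m % n

def probable_prime(n, M):
    """n (odd) passes the tests m = 1, ..., M; declared composite at the first failure."""
    return n % 2 == 1 and all(passes_test(n, m) for m in range(1, M + 1))

def is_prime(n):
    """Trial division; only used to classify the small n searched below."""
    if n < 2:
        return False
    f = 2
    while f * f <= n:
        if n % f == 0:
            return False
        f += 1
    return True

def fibonacci_pseudoprimes(m, bound):
    """The m-F.Psps. below `bound`: odd composites n with V_n(m) = m (mod n)."""
    return [n for n in range(9, bound, 2) if not is_prime(n) and passes_test(n, m)]

def theorem6_parameters(m, count):
    """V_3(m), V_5(m), ...: test parameters passed automatically once the m-th test is."""
    return [lucas_v(m, 2 * k + 1) for k in range(1, count + 1)]
```

`fibonacci_pseudoprimes(1, 2700)` returns the first two 1-F.Psps. of Section 2, 705 and 2465, and `fibonacci_pseudoprimes(2, 200)` returns only 169; `passes_test(705, t)` for `t` in `theorem6_parameters(1, 3)` exercises Theorem 6. Note that `passes_test` alone says nothing about primality for a single $m$: 705 passes $m = 1$ but `probable_prime(705, 2)` is false because 705 is not a 2-F.Psp.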

5. Conclusion

Public-key cryptosystems make use of primes having approximately 100 digits, so we wish to conclude this paper with two questions.
Pessimist's question: "Do odd composites $n \le 10^{100}$ exist which are $m$-F.Psps. for all values of $m \le n - 1$?"
If such numbers exist, they will never reveal their compositeness under our test.
Optimist's question: "Let $M'$ be the maximum number of consecutive tests ($m = 1, 2, \ldots, M'$) passed by any odd composite $n \le 10^{100}$. Is $M'$ comparatively small (say $M' \le 50$)?"
If the answer is in the affirmative, then the method proposed in Sec. 3 can readily find primes for cryptographic purposes. The calculation time is slightly less than that required by the method proposed by Solovay & Strassen [14] for finding numbers that are prime with probability greater than or equal to $1 - 1/2^{M'}$.
The authors offer a prize of 50,000 Italian Lire to the first person who communicates to them an odd composite (below $10^{100}$) which is an $m$-F.Psp. for $m = 1, 2, \ldots, 8$. Of course, at least one of its factors is also requested. A decuple prize is offered to the first person who sends to them a proof that no such number exists.
A table of 1-F.Psps. to $10^8$ was compiled by the authors. It will be sent, free of charge, upon request.

References

[1] H. Riesel, Prime Numbers and Computer Methods for Factorization. Boston: Birkhäuser, 1985.
[2] M. Bicknell, "A Primer on the Pell Sequence and Related Sequences", The Fibonacci Quarterly, vol. 13, no. 4, pp. 345-349, 1975.
[3] O. Brugia, P. Filipponi, "Waring Formulae and Certain Combinatorial Identities", Fondaz. Ugo Bordoni Techn. Rep. 3B5986, Oct. 1986.
[4] A. Di Porto, P. Filipponi, "More on the Fibonacci Pseudoprimes", Fondaz. Ugo Bordoni Techn. Rep. 3T0687, May 1987. The Fibonacci Quarterly (to appear).
[5] A. Di Porto, P. Filipponi, "Un Metodo di Prova di Primalità Basato sulle Proprietà dei Numeri di Lucas Generalizzati", Proc. of the Primo Simposio Nazionale su: Stato e Prospettive della Ricerca Crittografica in Italia, Roma, Oct. 1987, pp. 141-146.
[6] Bro. A. Brousseau, An Introduction to Fibonacci Discovery. Santa Clara (Cal.): The Fibonacci Association, 1965.
[7] L. Carlitz, "A Note on Fibonacci Numbers", The Fibonacci Quarterly, vol. 2, no. 1, pp. 15-28, 1964.
[8] D. Jarden, Recurring Sequences, 3rd ed., Jerusalem: Riveon Lematematika, 1973.
[9] V. E. Hoggatt, Jr., M. Bicknell, "Some Congruences of the Fibonacci Numbers Modulo a Prime P", Math. Magazine, vol. 47, no. 3, pp. 210-214, 1974.
[10] V. E. Hoggatt, Jr., Fibonacci and Lucas Numbers, Boston: Houghton Mifflin Co., 1969.
[11] V. E. Hoggatt, Jr., G. E. Bergum, "Divisibility and Congruence Relations", The Fibonacci Quarterly, vol. 12, no. 2, pp. 189-195, 1974.
[12] P. Filipponi, "On the Divisibility of Certain Generalized Fibonacci Numbers by Their Subscripts", Proc. XIII Congresso Unione Matematica Italiana, Torino, Sept. 1987, Sezione VII-18.
[13] Jin-Zai Lee, Jia-Sheng Lee, "Some Properties of the Sequence $\{W_n(a, b; p, q)\}$", The Fibonacci Quarterly, vol. 25, no. 3, pp. 268-278, 283, 1987.
[14] R. Solovay, V. Strassen, "A Fast Monte-Carlo Test for Primality", SIAM Journal on Comput., vol. 6, no. 1, pp. 84-85, 1977.
ON THE CONSTRUCTION OF RANDOM NUMBER GENERATORS AND RANDOM FUNCTION GENERATORS

C. P. Schnorr
Universität Frankfurt
Fachbereich Mathematik/Informatik
6000 Frankfurt, West Germany

Abstract. Blum, Micali (1982), Yao (1982), Goldreich, Goldwasser and Micali (1984), and Luby, Rackoff (1986) have constructed random number generators, random function generators and random permutation generators that are perfect if certain complexity assumptions hold. We propose random number generators that pass all statistical tests that depend on a small fraction of the bitstring. This does not rely on any unproven hypothesis. We propose improved random function generators with short function names and which minimize the number of pseudo-random bits that are necessary for the evaluation of pseudo-random functions. We announce a new very efficient perfect random number generator.

1. Random generators without unproven assumptions

Let $I_n = \{0,1\}^n$, $H_n = I_n^{I_n}$ = "the set of all functions $f : I_n \to I_n$". A random function generator is an efficient algorithm $F$ that generates from names $x \in I_m$ a function $F_{m,x} \in H_{k(m)}$ for some function $k(m)$; when given for input $m, x, y$ the algorithm computes $F_{m,x}(y)$. We associate with $f \in H_n$ a function $F_{n,f} \in H_{2n}$ defined by
$$F_{n,f}(l, r) = (r,\ l \oplus f(r)) \qquad \text{for all } l, r \in I_n. \tag{1}$$
The function $F_{n,f}$ roughly corresponds to a layer in the DES-algorithm. We consider $F^{[3]} = F_{n,f}\,F_{n,f}\,F_{n,f}$ as a random function generator for the functions $F_{n,f}^{[3]}$ in $H_{2n}$ and with names $f \in H_n$. The functions $F_{n,f}^{[3]}$ are permutations, and $F^{[3]}$ is called a random permutation generator. Luby and Rackoff have considered the random function generator $F_{n,f_3}\,F_{n,f_2}\,F_{n,f_1}$ where independent random functions $f_1, f_2, f_3 \in H_n$ are used at each stage. We observe that the analysis of Luby and Rackoff remains valid for the case that $f_1 = f_2 = f_3$. This yields the following version of the main theorem in Luby, Rackoff (1986).

Theorem 1. (Luby, Rackoff (1986)) For random $f \in H_n$ the function $F_{n,f}^{[3]} = F_{n,f}\,F_{n,f}\,F_{n,f}$ passes all statistical function tests that are restricted to $2^{o(n)}$ oracle queries.

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 225-232, 1988.
© Springer-Verlag Berlin Heidelberg 1988

The concept of statistical function test has been introduced by Goldreich,
Goldwasser, Micali (1984). A test T is a probabilistic algorithm with 0,1-output,
which is endowed with an oracle O_g for evaluating the function g at inputs y
computed by the test T; the value g(y) is computed by a single step using the oracle.
One associates the following probabilities to a statistical test T and a random
function generator F. Let p_n^T (p_n^F, resp.) be the probability that T with oracle O_g
gives output 1 when g ∈ H_n is chosen at random with uniform probability (g ∈ H_n is
chosen at random from F, resp.). The probability space is the set of all internal coin
tosses of T and of all choices for g. In the proof of Theorem 1 Luby and Rackoff
have shown that the above generator F^{(3)}_{n,f} satisfies

for every statistical function test T that is limited to at most m oracle queries.

One defines that a function generator F passes the function test T if

A random function generator is called perfect if it passes all statistical function
tests with polynomial time bound n^{O(1)}. The functions generated by a perfect
random function generator are called pseudo-random.

Theorem 1 is strong in the sense that there is no time bound for the statistical tests
and the bound 2^{o(n)} on the number of oracle queries is superpolynomial in n. On the
other hand the name f ∈ H_n for the function F^{(3)}_{n,f} ∈ H_{2n} is n2^n bits long whereas
Goldreich, Goldwasser, Micali (1984) construct pseudo-random functions in H_n with
names in I_n. The proof of Theorem 1 follows from the analysis of the Luby, Rackoff
(1986) random permutation generator. The technical proof is quite involved.

A random number generator is an efficient algorithm which transforms short random
seeds into long pseudo-random strings. Every random function generator gives rise
to a corresponding random number generator and vice-versa. There is a natural
bijection Φ_n : H_n → I_{n2^n} which maps functions f ∈ H_n into the concatenation
Φ_n(f) = ∐_{x ∈ I_n} f(x), where x ranges over all strings x ∈ I_n in alphabetical order. By this
bijection the above function F^{(3)}_{n,f} yields a function G_n : I_{n2^n} → I_{2n2^{2n}}.

We give a more concrete description of the random number generator G_n.
We write the input string x ∈ I_{n2^n} as concatenation of 2^n strings in I_n, and we
enumerate these 2^n substrings of x using indices in I_n:

We likewise partition the output string y ∈ I_{2n2^{2n}}:

For every string y ∈ I_{2n} let L(y), R(y) be the left and right half string in I_n:
I_{2n} ∋ y = L(y) R(y) ∈ (I_n)^2 .

Algorithm for G_n
input x = ∐_{i ∈ I_n} x_i .
1. y_i^0 := i for all i ∈ I_{2n} .
2. For j = 0,1,2 do
   y_i^{j+1} := R(y_i^j) (L(y_i^j) ⊕ x_{R(y_i^j)}) .
output y^3 = ∐_{i ∈ I_{2n}} y_i^3 .

Each iteration step switches the left and right part of y ∈ I_{2n} and adds to the new
right part the substring x_{R(y)} of the input x; here ⊕ is the vector addition modulo 2.
According to the bijections Φ_n, Φ_{2n} Theorem 1 translates into Theorem 2.

Theorem 2. The random number generator (G_n)_{n ∈ N}, G_n : I_{n2^n} → I_{2n2^{2n}}, passes all
statistical number tests that depend on at most 2^{o(n)} bits of G_n(x).

A statistical number test T is a probabilistic algorithm which takes for input a
binary string, and gives a 0,1-output (Yao, 1982). One associates with T and a
random number generator G the following probabilities. Let p_k^T (p_k^G, resp.) be the
probability that T outputs 1 when given for input a random string x ∈ I_k with
uniform distribution (a string y ∈ I_k chosen at random from G, resp.). The number
generator G passes the test if
|p_k^T − p_k^G| = O(k^{-t}) for all t > 0 .
A random number generator is called perfect if it passes all polynomial time
statistical number tests. The bit strings generated by a perfect random number
generator are called pseudo-random.

Theorem 2 means that every selection of at most m = 2^{o(n)} bits from G_n(x) passes all
statistical number tests T (even tests with arbitrary time bounds) provided that x ∈
I_{n2^n} is random with uniform probability. The bit strings G_n(x) are, for random seed
x ∈ I_{n2^n}, completely randomized locally. Every statistical number test that
distinguishes the distribution of G_n(x) ∈ I_{2n2^{2n}} from the uniform distribution on
I_{2n2^{2n}} depends on at least a polynomial fraction of the bit string G_n(x).

So far we have seen that the above number generator G_n is based on a powerful
construction principle for local randomization. It is an important question whether
this construction principle also yields good global random properties. We next prove
that all strings that are locally randomized satisfy the law of large numbers.

Theorem 3. Let (G_n)_{n ∈ N} be a random number generator G_n : I_n → I_{2^n} such that
G_n(x), for random x ∈ I_n, passes all statistical tests that depend on at most 2^{o(n)} bits
of G_n(x). Then the frequency of ones and zeroes in G_n(x) is approximately 1/2.

Proof. Consider the statistical test that selects m = 2^{o(n)} independent random bits
y_1, ..., y_m from the bit string G_n(x) and computes #_1(y) = "the number of ones in
these bits". These bit strings y pass all statistical tests. By Chebyshev's inequality
this implies

prob[ |#_1(y)/m − 1/2| ≥ ε ] ≤ 1/(ε²m) + O(m^{-t}) for all ε > 0 and all t > 0 .

The probability space is the set of all seeds x ∈ I_n and of all possible selections of
substrings y. Note that the expected value of #_1(y)/m and of #_1(G_n(x))/2^n coincide.
Therefore we obtain for ε = (1/m)^{…} and m = 2^{o(n)}

We next show that the upper bound 2^{o(n)}, limiting the number of oracle queries in
Theorem 1, is sharp. We associate to f ∈ H_n the function generator
F^{(v)}_{n,f} = F_{n,f} F_{n,f} .... F_{n,f}   (v times).

Theorem 4. There is a statistical function test that rejects the function generators
F^{(v)}_{n,f} for all v ∈ N, using O(2^n) oracle queries.

Proof. We have for all r, l ∈ I_n :
F_{n,f}(l,r) = (r, l ⊕ f(r))
F_{n,f}^{-1}(l,r) = (r ⊕ f(l), l) .
This implies that for all v ≥ 1
F^{(v)}_{n,f}(l,r) = F^{(v+1)}_{n,f}(r ⊕ f(l), l) ,
and thus
L F^{(v)}_{n,f}(l,r) = R F^{(v)}_{n,f}(r ⊕ f(l), l) .    (2)
A statistical test for verifying the relation (2) fixes r and l and tries for f(l) ∈ I_n
all bit strings y ∈ I_n. Once f(l) has been found the relation (2) holds for all r. The
statistical test requires at most O(2^n) oracle queries in order to find f(l); it
evaluates F^{(v)}_{n,f}(l,r) and F^{(v)}_{n,f}(r ⊕ y, l) for all strings y ∈ I_n . □

The above statistical test does not reject function generators
F_{n,f_3} F_{n,f_2} F_{n,f_1}
where distinct functions f_1, f_2, f_3 are used at each stage.
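The algorithm for G_n above and the test in the proof of Theorem 4 use the same one-round map, so one added Python example (not part of the paper) serves both: the bijection between a name and a table for f, the three-round generator G_n, and the O(2^n) test of Theorem 4 run against F^{(v)}_{n,f} and against a random function. The toy size n = 3 and the oracle calling convention are assumptions of the example.

```python
"""Added example (not from the paper): the generator G_n of Section 1 built from the
Luby-Rackoff round with a single f, and the O(2^n) function test of Theorem 4.
Bit strings are Python ints; toy n = 3, so a name of f in H_n has n*2^n = 24 bits.
The oracle convention oracle(l, r) -> (L, R) is an assumption of this example."""
import random


def f_from_name(n, name):
    """Inverse of the bijection Phi_n: the i-th n-bit substring of the name (index
    order, f(0) most significant) is the table entry f(i)."""
    mask = (1 << n) - 1
    return [(name >> (n * ((1 << n) - 1 - i))) & mask for i in range(1 << n)]


def name_from_f(n, f):
    """Phi_n(f): concatenate f(x) over all x in I_n in alphabetical order."""
    name = 0
    for value in f:
        name = (name << n) | value
    return name


def round_once(f, l, r):
    """F_{n,f}(l, r) = (r, l XOR f(r)); XOR is the vector addition modulo 2."""
    return r, l ^ f[r]


def rounds(f, l, r, v):
    """F^{(v)}_{n,f}: the same round applied v times."""
    for _ in range(v):
        l, r = round_once(f, l, r)
    return l, r


def generate_G(n, name):
    """G_n(x): for every i in I_{2n}, in order, run three rounds on (L(i), R(i)) and
    concatenate the 2n-bit results y_i^3 into one 2n*2^(2n)-bit string."""
    f = f_from_name(n, name)
    mask = (1 << n) - 1
    out = 0
    for i in range(1 << (2 * n)):
        l, r = rounds(f, i >> n, i & mask, 3)
        out = (out << (2 * n)) | (l << n) | r
    return out


def luby_rackoff_oracle(f, v):
    """Oracle for F^{(v)}_{n,f}, the generator Theorem 4 rejects."""
    return lambda l, r: rounds(f, l, r, v)


def random_function_oracle(n, rng):
    """Oracle for a uniformly random g in H_{2n}, drawn from a seeded rng."""
    size = 1 << n
    table = {(l, r): (rng.randrange(size), rng.randrange(size))
             for l in range(size) for r in range(size)}
    return lambda l, r: table[(l, r)]


def theorem4_test(oracle, n, l=0):
    """The statistical test from the proof of Theorem 4. Fix l and r = 0 and try every
    y in I_n as the value f(l) in relation (2),
        L F^{(v)}(l, r) == R F^{(v)}(r XOR y, l);
    each y that passes for r = 0 is then checked at every other r. Returns the set of
    surviving y and the number of oracle queries. For F^{(v)}_{n,f} the set contains
    f(l), so the generator is rejected; for a random function it is empty with
    overwhelming probability. Queries: 1 + 2^n + 2(2^n - 1) per candidate, O(2^n)."""
    count = [0]

    def ask(a, b):
        count[0] += 1
        return oracle(a, b)

    left0 = ask(l, 0)[0]
    candidates = [y for y in range(1 << n) if ask(y, l)[1] == left0]  # r XOR y = y at r = 0
    survivors = {y for y in candidates
                 if all(ask(l, r)[0] == ask(r ^ y, l)[1] for r in range(1, 1 << n))}
    return survivors, count[0]


if __name__ == "__main__":
    n, rng = 3, random.Random(1)
    f = [rng.randrange(1 << n) for _ in range(1 << n)]   # constructed name of f
    for v in (1, 2, 3):
        print("v =", v, theorem4_test(luby_rackoff_oracle(f, v), n, l=5))
    print("random g:", theorem4_test(random_function_oracle(n, random.Random(7)), n, l=5))
```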

2. Improved random function generators

Goldreich, Goldwasser and Micali (1984) show that every perfect random number
generator (G_n)_{n ∈ N}, G_n : I_n → I_{2n}, can be transformed into a perfect random
function generator (F_n)_{n ∈ N}, F_{n,x} ∈ H_n with x ∈ I_n, such that functions F_{n,x} ∈ H_n
have names x of length n and can be evaluated using O(n²) pseudo-random bits
generated by G_n. We improve this construction via the Luby, Rackoff permutation
generator.

Theorem 5. For every ε > 0 every perfect random number generator (G_n)_{n ∈ N}, with
G_n : I_n → I_{2n}, can be transformed into a perfect random function generator (F_n)_{n ∈ N}
such that
(1) F_{n,x} ∈ H_n has names x of length (log n)^{1+ε}.
(2) evaluation of F_{n,x} can be done using O(n(log n)^{1+ε}) pseudo-random bits generated
from G_n.

Sketch of proof. By the construction of Goldreich, Goldwasser, Micali (1984) we
generate, from pseudo-random bits obtained from G_n(x), a pseudo-random function
f ∈ H_{m(ε)}, m(ε) = (log n)^{1+ε}, that passes all function tests with time bound n^{O(1)}.
These functions f ∈ H_{m(ε)} have names in I_{m(ε)} and can be evaluated using (log n)^{2+2ε}
pseudo-random bits. It follows from Theorem 1 and since n^t = 2^{o((log n)^{1+ε})} for all t
> 0 and all ε > 0, that the functions F^{(3)}_{m(ε),f} ∈ H_{2m(ε)} pass all statistical function
tests that have time bound n^{O(1)}.

In a way similar to (1) we associate with f ∈ H_{m(ε)} a function F_{n,f} ∈ H_n defined by

for all B_1, ..., B_k ∈ I_{m(ε)} with k = n/m(ε). By the same argument that proves Theorem
1, we can show that F_{n,f} passes all statistical function tests with time bound n^{O(1)}. □

3. New efficient and perfect pseudo-random number generators

S. Micali and C.P. Schnorr (1988) introduce new random number generators (RNG)
that are perfect under a reasonable complexity assumption and that are nearly as
efficient as the popular linear congruential generator which is known to be
imperfect.

A RNG is perfect if it passes all polynomial time statistical tests, i.e. the
distribution of output sequences cannot be distinguished, by probabilistic
polynomial time algorithms, from the uniform distribution of sequences of the same
length. So far the proofs of perfectness are all based on unproven complexity
assumptions. This is because we cannot prove superpolynomial complexity lower
bounds.

Perfect random number generators have been established for example based on the
discrete logarithm by Blum, Micali (1982), based on quadratic residuosity by Blum,
Blum, Shub (1986), based on one way functions by Yao (1982), based on RSA
encryption and factoring by Alexi, Chor, Goldreich and Schnorr (1984). All these
RNG's are less efficient than the linear congruential generator. The
RSA/RABIN-generator is the most efficient of these generators. It successively
generates log n pseudo-random bits by one modular multiplication with a modulus N
that is n bits long.

The RSA-generator can be extended and accelerated in various ways. A new
powerful complexity assumption yields more efficient generators. Let N = pq be the
product of two large random primes p and q and let d be a natural number that is
relatively prime to φ(N) = (p−1)(q−1). It is conjectured that the following
distributions are indistinguishable by efficient statistical tests:

the distribution of x^d (mod N) for random x ∈ [1, N^{2/d}],
the uniform distribution on [1, N].

This hypothesis is closely related to the security of the RSA-scheme. Under this
hypothesis the transformation

[1, N^{2/d}] ∋ x → x^d (mod N) ∈ [1, N]

stretches short random seeds x ∈ [1, N^{2/d}] into pseudo-random numbers x^d (mod N) in
the interval [1, N]. Various random number generators can be built on this
transformation. The sequential polynomial generator generates from random seed x ∈
[1, N^{2/d}] a sequence of numbers x = x_1, x_2, ..., x_i, ... ∈ [1, N^{2/d}]. The n(1−2/d) least
significant bits of the binary representation of x_i^d (mod N) are the output of x_i and
the 2n/d most significant bits form the successor x_{i+1} of x_i.

It follows from a general argument of Goldreich, Goldwasser, Micali (1984) and the
above hypothesis that all these generators are perfect, i.e. the distribution of output
strings is indistinguishable, by polynomial time statistical tests, from the uniform
distribution of binary strings of the same length. The sequential generator is nearly
as efficient as the linear congruential generator. Using a modulus N, that is n bit
long, it outputs n(1−2/d) pseudo-random bits per iteration step. The cost of an
iteration step x → x^d (mod N) with x ∈ [1, N^{2/d}] corresponds to the cost of about one
full multiplication modulo N. This is because the evaluation of x^d (mod N) over
numbers x ≤ N^{2/d} consists almost entirely of multiplications with small numbers that
do not require modular reduction.

Micali and Schnorr extend the sequential polynomial generator to a parallel
polynomial generator (PPG). The PPG generates from random seed x ∈ [1, N^{2/d}] a
tree. The nodes of this iteration tree are pseudo-random numbers in [1, N^{2/d}] with
outdegree at most d/2. To compute the successor nodes y(1), ..., y(s) and the output
string of node y one stretches y into a pseudo-random number y^d (mod N) that is n
bits long. Then the successors y(1), ..., y(s) of y are obtained by partitioning the most
significant bits of y^d (mod N) into s ≤ d/2 bit strings of length ⌊2n/d⌋. The output
of node y consists of the remaining least significant bits of y^d (mod N). Any
collection of subtrees of the iteration tree can be independently processed in parallel
once the corresponding roots are given. In this way m parallel processors can speed
the generation of pseudo-random bits by a factor m. These parallel processors need
not communicate; they are given pseudo-independent input strings and their
output strings are simply concatenated. The concatenated output of all nodes of the
iteration tree is pseudo-random, i.e. the parallel generator is perfect. The PPG
enables fast retrieval of substrings of the pseudo-random output. To access a node
of the iteration tree we follow the path from the root to this node. After retrieving
a bit the subsequent bits in the output can be generated at full speed. Iteration trees
of depth at most 60 are sufficient for practical purposes; they generate
pseudo-random strings of length 10^{2…} (for outdegree 2) such that individual bits can
be retrieved within a few seconds.

The parallel generator is based on a method that has been invented by Goldreich,
Goldwasser and Micali (1984) for the construction of random functions. Micali and
Schnorr observe that this construction can be applied to speed every perfect random
number generator by a factor m using m parallel processors. Using this principle and
sufficiently many parallel processors we can generate pseudo-random bits with
almost any speed. This important method of parallelization applies to all perfect
random number generators but the RSA-generator is particularly suited for this
method. The method of parallelization does not apply to imperfect random number
generators like the linear congruential generator since this method can further
deteriorate a weak generator.
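As an added example (not the Micali-Schnorr implementation), the sequential polynomial generator and the PPG iteration tree described above as one Python class, on constructed toy parameters p = 2^32 − 5, q = 2^31 − 1 and d = 13 that are far too small for any real use; the class and method names are the example's own.

```python
"""Added example (not the Micali-Schnorr implementation): the sequential polynomial
generator and the parallel polynomial generator (PPG) of Section 3 as one class.
Constructed toy parameters: p = 2^32 - 5 and q = 2^31 - 1 (both prime), d = 13;
real use needs large random primes, so this toy has no security."""
from math import gcd


def valid_exponent(p, q, d):
    """d must be relatively prime to phi(N) = (p-1)(q-1)."""
    return gcd(d, (p - 1) * (q - 1)) == 1


class PolynomialGenerator:
    def __init__(self, p, q, d, outdegree=1):
        if not valid_exponent(p, q, d):
            raise ValueError("d must be relatively prime to phi(N)")
        if not 1 <= outdegree <= d // 2:
            raise ValueError("outdegree s must satisfy 1 <= s <= d/2")
        self.N, self.d, self.s = p * q, d, outdegree
        self.n = self.N.bit_length()             # modulus length n in bits
        self.k = (2 * self.n) // d               # floor(2n/d): bits of a seed / successor
        self.out_len = self.n - self.s * self.k  # least significant bits emitted per node

    def stretch(self, y):
        """One iteration step: y in [1, N^(2/d)] -> y^d (mod N), an n-bit number whose
        s most significant k-bit blocks are the successors y(1..s) and whose remaining
        least significant bits are the output of node y (s = 1: the sequential step)."""
        if not 0 <= y < (1 << self.k):
            raise ValueError("seed must have at most floor(2n/d) bits")
        v = pow(y, self.d, self.N)
        high, out = v >> self.out_len, v & ((1 << self.out_len) - 1)
        succ = [(high >> (self.k * (self.s - 1 - i))) & ((1 << self.k) - 1)
                for i in range(self.s)]
        return succ, out

    def sequential(self, seed, steps):
        """Sequential generator: x_1 = seed, x_{i+1} = (first) successor of x_i;
        returns the concatenated outputs of x_1, ..., x_steps as a bit string."""
        bits, x = [], seed
        for _ in range(steps):
            succ, out = self.stretch(x)
            bits.append(format(out, f"0{self.out_len}b"))
            x = succ[0]
        return "".join(bits)

    def node(self, root, path):
        """Random access: follow a path of child indices from the root to a node."""
        y = root
        for child in path:
            y = self.stretch(y)[0][child]
        return y

    def tree_bits(self, root, depth):
        """Output of the whole iteration tree of the given depth below root, nodes
        in preorder. A subtree depends only on its root, so subtrees can be produced
        on separate processors and their strings concatenated."""
        succ, out = self.stretch(root)
        parts = [format(out, f"0{self.out_len}b")]
        if depth > 0:
            parts.extend(self.tree_bits(child, depth - 1) for child in succ)
        return "".join(parts)


if __name__ == "__main__":
    g = PolynomialGenerator(4294967291, 2147483647, 13, outdegree=2)
    print(g.n, g.k, g.out_len, len(g.tree_bits(300, 3)))
```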

References

Alexi, W., Chor, B., Goldreich, O., and Schnorr, C.P.: RSA and Rabin Functions:
certain parts are as hard as the whole. Proceedings of the 25th Symposium on
Foundations of Computer Science, 1984, pp. 449-457; also: Siam Journal on Comput.,
(1988).

Blum, L., Blum, M. and Shub, M.: A simple unpredictable pseudo-random number
generator. Siam J. on Computing (1986), pp. 364-383.

Blum, M. and Micali, S.: How to generate cryptographically strong sequences of
pseudo-random bits. Proceedings of the 25th IEEE Symposium on Foundations of
Computer Science, IEEE, New York (1982); also Siam J. Comput. 13 (1984) pp.
850-864.

Goldreich, O., Goldwasser, S., Micali, S.: How to Construct Random Functions.
Proceedings of the 25th IEEE Symposium on Foundations of Computer Science,
IEEE, New York (1984); also Journal ACM 33,4 (1986) pp. 792-807.

Luby, M. and Rackoff, Ch.: Pseudo-random permutation generators and
cryptographic composition. Proceedings of the 18th ACM Symposium on the Theory
of Computing, ACM, New York (1986) pp. 356-363.

Micali, S. and Schnorr, C.P.: Efficient, perfect random number generators. Preprint
MIT, Universität Frankfurt 1988.

Yao, A.C.: Theory and applications of trapdoor functions. Proceedings of the 25th
IEEE Symposium on Foundations of Computer Science, IEEE, New York (1982), pp.
80-91.
FACTORIZATION OF LARGE INTEGERS ON A MASSIVELY PARALLEL COMPUTER*

James A. Davis and Diane B. Holdridge

Sandia National Laboratories
Albuquerque, New Mexico, USA

I. INTRODUCTION

Our interest in integer factorization at Sandia National Laboratories is
motivated by cryptographic applications and in particular the security of
the RSA encryption-decryption algorithm. We have implemented our version
of the quadratic sieve procedure on the NCUBE computer with 1024 processors
(nodes). The new code is significantly different in all important aspects
from the program used to factor numbers of order 10^70 on a single processor
CRAY computer. Capabilities of parallel processing and limitation of small
local memory necessitated this entirely new implementation. This effort
involved several restarts as realizations of program structures that seemed
appealing bogged down due to inter-processor communications. We are
presently working with integers of magnitude about 10^70 in tuning this code
to the novel hardware.

II. NCUBE COMPUTER

The basic element of the NCUBE computer is a 32-bit VLSI processor of the
super-minicomputer range (10^6 integer operations per second). These
processors are interconnected in the configuration of an N-dimensional
cube. That is, an NCUBE of order k has 2^k nodes, k = 0,1,2, ..., and one of
order k + 1 is formed by connecting two cubes of order k at corresponding
nodes. There is no common memory shared among the processors: each has
one-half megabyte of local memory. Each node operates on its own stored
program and data. They achieve cooperation by passing messages to one
another. A very slow host board controls input-output and subcube
allocation.

*This work was performed at Sandia National Laboratories and supported by
the U.S. Department of Energy under contract number DE-AC04-76DP00789.

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 235-243, 1988.
© Springer-Verlag Berlin Heidelberg 1988

Figure 1. NCUBEs of Small Order (diagram of order and configuration)

III. THE QUADRATIC SIEVE ALGORITHM

The quadratic sieve factorization procedure is one of several methods of
decomposing positive integers based on the difference-of-squares identity.
If N is a composite integer and I, J are integers such that I² ≡ J² mod N
with I ≢ ±J mod N, then GCD(I + J, N) is a non-trivial factor of N. The
difference between the various algorithms is in the means by which the
quadratic congruence is generated.
In the quadratic sieve, as originally proposed by Dr. Carl Pomerance
of the University of Georgia and implemented at Sandia National
Laboratories on a CRAY 1S computer, many relatively small quadratic
residues for N are generated by the polynomial X² − N (X near √N). One
attempts to factor a sufficient number of these residues into a set of
powers of "small" primes, B, called the prime base. Gaussian elimination
is then employed to determine a binary dependency: that is, a set S of
factored residues such that

∏_{x_i ∈ S} x_i² ≡ ∏_{p_j ∈ B} p_j^{2a_j} mod N.

If ∏_{x_i ∈ S} x_i ≢ ± ∏_{p_j ∈ B} p_j^{a_j} mod N, we have factorization; otherwise another
quadratic congruence is formed and we try again.

The procedure is called a sieve because of its similarity to the prime
number sieve (sieve of Eratosthenes). That is, if a prime p divides
X_p² − N then it divides residues at the entire arithmetic progression of
arguments X_p + kp, k = 0, ±1, ±2, ... So once a residue divisible by p is
identified, the prime may be divided out of the functional values defined
by arguments in this progression. This operation is done very efficiently,
particularly on a vector computer such as the CRAY. When one is dealing
with large integers the frequency with which the residues factor completely
is small, so we merely identify these successes by operating on the
residues with single-precision logarithms, rather than multiple-precision
division. After the array of residues has been sieved with each member of
the prime base, B, the remainders are compared with a threshold value which
indicates factorization. When enough of the factorable residues are
identified (approximately the number of distinct primes in the base, B) the
sieving portion of the algorithm is terminated.

The sieving and searching described above constitutes the lion's share
of the computation. After the set of residues that factor is identified,
the actual functional values are calculated in multiple-precision and
decomposed into the primes by division. The final step is to determine a
binary dependency by Gaussian elimination.
IV. MODIFICATIONS TO BASIC ALGORITHM

As one increases the size of the integers to be factored the size of the
prime base must grow in order to have significant probability of factoring
residues. Thus a larger number of factored residues is needed; hence a
larger interval must be sieved. The functional values of X² − N increase
almost linearly as the distance between X and √N, and as the magnitudes
increase the frequency of factorization decreases. At Sandia we were able
to factor integers of size about 10^55 with the basic algorithm, but for
larger numbers computing time was becoming intolerable.

We were able to modify the algorithm such that the size of the
residues to be sieved was periodically reduced and hence our factorization
success rate remained relatively constant. The means by which we obtained
these sequences of smaller residues was by identifying large primes which
divide a residue, then sieving on the subsequences guaranteed divisible by
the primes. That is, if q | X² − N, then q | (X + kq)² − N for all integer
k. If more than one factorization is obtained in the subsequence, the
large prime can be eliminated and we have quadratic residues factored
entirely into the prime base, B.

Independently, Peter Montgomery [M] suggested a somewhat different
procedure by which polynomials may be selected such that they generate
quadratic residues and the coefficients adjusted to minimize magnitudes.
Also, with some modification, the sieving procedure still applies. Robert
Silverman [S] has enjoyed great success using these polynomials with his
parallel implementation of the quadratic sieve. Our latest code uses
further variations of this idea.

Several other additions and modifications to the basic algorithm have
enhanced its capability. The "large prime" variation locates prime
divisors of residues beyond the prime base and uses these to generate
completely factored residues. Also, one can use a multiplier with the
number to be factored to enrich the prime base with small primes; hence
making residue factorization more likely.

V. FALSE STARTS

Having no experience with parallel processing and because of limited local
memory, we were initially tempted to rely heavily on interprocessor
communications and the use of different units to perform very different
tasks. Each of these attempts bogged down because of overloading of the
channels that enable the processors to talk to one another.

Because generation of polynomials, as suggested by Peter Montgomery,
requires considerable multiple-precision arithmetic, we asked certain
processors to generate these polynomials and initialization parameters, and
to distribute this information to other nodes which could then do the
sieving without multiple-precision. This idea seemed good in several
respects. It frees up storage to be used for efficient sieving, and load
balancing could be achieved by varying the number of nodes supplied by one
polynomial generator. There is, of course, considerable information needed
by a processor in order to begin the sieving, and apparently this was more
than the lines could handle: communication time became prohibitive.

Another approach that was implemented was to apportion the prime base
among a ring of processors, all sieving the same polynomial. Each
processor in the ring would sieve with the set of primes it was given, then
pass these to a neighbor. When each prime had visited each member of the
ring, the sieving would be complete. After searching for and saving
successful factorizations, a new polynomial would be started.

The above and other plans that would have used memory efficiently at
the expense of increased interprocessor communication were programmed, but
stymied by the traffic.

VI. CURRENT IMPLEMENTATION

We used quadratic polynomials of the form A² X² + 2BX + C to generate the
residues to be factored. It must be the case that B² − A² C ≡ 0 mod N;
hence we take B² − A² C = kN, a small multiple of N (k is the multiplier
used to enrich the set of small primes which divide residues). In order to
minimize the amount of multiple-precision necessary, we choose our leading
coefficient to be "small". We take A from a set of primes just larger than
those in the base. This enables much of the computation of sieving
parameters to be done in single precision. Montgomery and Silverman choose
their coefficients much larger in order that roots of the quadratic are
sufficiently close together that a sieving interval may contain both. Our
choice of much smaller coefficients forces the roots to be very far apart;
hence we sieve over a pair of disjoint intervals each about a root of the
polynomial. The magnitudes of the residues to be factored are not affected
by this choice.

Figure 2. Sieving Intervals (plot of (X + [√N])² − N, showing the Silverman/Montgomery interval and the Sandia interval)

As described earlier, communication overhead is an extreme problem
with the NCUBE, hence for the major portion of the computation (sieving) we
are asking each processor to do the same program with different parameter
sets. It is efficient to sieve a long contiguous block in memory so the
need to minimize stored program and data in each processor is pressing. In
order to save memory for a large sieve array, we have eliminated as much
multiprecision code as possible and actually recompute some values that
could be stored. After the sieving is done with each prime power in the
base, the array is searched for residues which are completely factored and
those that factor except for one prime somewhat larger than those in the
base (large prime variation). Identifiers of these residues are saved in
order that the polynomials may be reconstructed and factored by division.
In addition to the sieving operation, the above-mentioned search and
multiple-precision division were identified as major consumers of computing
time. A rewrite of the division package achieved a 13-fold speed-up. The
sieve and search routine are particularly expensive for the NCUBE because
it does not vectorize. When these were written in assembly code however, a
great reduction in overhead was realized.

The final stages of the algorithm are the set-up and solution of the
matrix used in the Gaussian elimination. Because of the very large matrix
that must be processed, we must use memory more efficiently. Each
processor is allocated identifiers for a certain set of the factored
residues and a certain portion of the factor base. The functional values
are calculated at each node and the available set of primes divided out.
Results are then transferred to a neighboring node which operates on the
residues with its assigned primes. When the residues have passed through
all nodes, factorization is simultaneously completed. Each residue that
completely factors forms a row, as does each large prime which repeats in
another factorization. The abundance of large prime factorizations and
hardware limitations on array size introduce complications into the
matching algorithm. These we overcome by asymptotic estimation of the
frequency of occurrence of large primes of various sizes and assigning a
large prime to a given block according to its magnitude. Then, the
matching algorithm needs only operate within a bin without crossing
boundaries.

At this point, the matrix is ready for processing by Gaussian
elimination. To deal with a large prime base, we must use available memory
efficiently. Each node is assigned an equal number of rows corresponding
to factored residues. Each bit of a row represents the parity of the
exponent to which the corresponding prime in B is raised in this factored
residue. At this point we apply a Gaussian elimination procedure [PW]
which is particularly memory efficient and suited to parallel processing.
This yields the binary dependency which is then evaluated, and if non-
trivial, we have factorization.

VII. RESULTS

As stated earlier, we are still adapting this procedure to the hardware.
As we attack larger integers, additional complications arise and changes
are necessary. In terms of the numbers we have factored for comparison, we
have been able to remain well below the computing times achieved on the
CRAY. Below we list some of the integers we have factored with both of our
codes for comparison. The figures in parentheses refer to the CRAY code,
and designation refers to the Cunningham Tables [BLSTW].

Designation           | 2,193-       | 5,79-        | v 471*       | 2,211-
Magnitude             | 9.1 x 10^50  | 4.1 x 10^54  | 2.5 x 10^56  | 2.2 x 10^59
Primes in Base        | 999 (6514)   | 1278 (6800)  | 1366 (5000)  | 2036 (6671)
Number of Polynomials | 6518 (188)   | 1648 (81)    | 899 (1000)   | 4042 (27)
Sieve Time in Hours   | .043 (.425)  | .044 (.66)   | .047 (.22)   | 193 (22.0)

FIGURE 3 Comparison of Factorization

*A Fibonacci number suggested by Peter Montgomery.

References

[BLSTW] J. Brillhart, D. H. Lehmer, J. L. Selfridge, B. Tuckerman, S. S.
Wagstaff, Jr., Factorizations of b^n ± 1 up to High Powers, American
Math. Soc., 1983.

[DH1] J. A. Davis, D. B. Holdridge, Factorization Using the Quadratic
Sieve Algorithm, Sandia National Laboratories Report, SAND 83-1346,
Dec. 1983.

[DH2] J. A. Davis, D. B. Holdridge, … Quadratic Sieve, Sandia National
Laboratories Report, SAND 84-1658, Aug. 1984.

[M] P. Montgomery, Personal Communications, 19 Feb. 1984.

[PW] D. Parkinson, M. C. Wunderlich, "A Memory Efficient Algorithm for
Gaussian Elimination over GF(2) on Parallel Computers", Personal
Communication, Feb. 1983.

[S] R. D. Silverman, "The Multiple Polynomial Quadratic Sieve", Math.
Comp. V. 48 No. 177, Jan. 1987.
A Fast Modular Arithmetic Algorithm Using a Residue Table
(EXTENDED ABSTRACT)

Shin-ichi KAWAMURA and Kyoko HIRANO

TOSHIBA CORPORATION
RESEARCH AND DEVELOPMENT CENTER

1. INTRODUCTION

Many public key cryptosystems and key distribution systems have been
developed making use of a one-way (trap door) function x → y such that
y = a^x mod p or y = x^e mod n. Modular multiplication is indispensable for
computing these functions. In other words, fast multiple precision modular
arithmetic will become increasingly useful for realizing an efficient
security system using a public-key cryptosystem, like RSA [1], Rabin's
scheme [2], and so on.

Several methods using a pre-computed residue table have been proposed for
the efficient computation of A*B modulo a large integer N. In these
methods, the size of the number to be processed is successively reduced in
each stage of the computation by using a congruence relation modulo N. The
method proposed in this paper also belongs to this category. It achieves
further table size reduction by recursively applying the same table to
different digits of the number to be processed.

2. BASIC RULES

The basic idea for table lookup is very simple. If one wants to know the
value of X mod N for a fixed N frequently for various X, then it is helpful
to compute and store the value of X mod N for many X in advance. However,
the pre-computed residue table must be reduced to a reasonable size because
a full-scale exhaustive pre-computation is impossible in principle. (Note
that the security of the RSA scheme is based on this fact.) So the
following rules are applied for the table reduction. Braces { } mark the
pre-computed terms.

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 245-250, 1988.
© Springer-Verlag Berlin Heidelberg 1988

(1) (A*2^u + B) mod N ≡ {A*2^u mod N} + B (mod N)

(2) (A1*2^b + A2) mod N ≡ {A1*2^b mod N} + {A2 mod N} (mod N)

(3) (A*2^u + B) mod N ≡ {A mod N}*2^u + B (mod N)

Rule (1) means that in making the table, one may ignore the lower portion
of X which is less than N. Rule (2) means that the table should be divided
into some segments. The table for (A1*2^b + A2) mod N is always greater
than the sum of the two tables, {A1*2^b mod N} and {A2 mod N}. The
self-evident rule (3), which is introduced in this paper, enables the
repeated use of one table for any digit. The method in [3]-[5] is derived
by applying the above two rules, (1) and (2). The next section describes
our method based on the additional rule (3).

3. TABLE-LOOK-UP

In order to formulate the problem, it is assumed that X_j, the number to
be processed in the j-th stage, is divided into l_j blocks and that each
block consists of b bits. Then

Now, X_{j+1} should be so defined that it satisfies the following
reduction condition:

Two alternative definitions for X_{j+1} are derived:

Definition 1:

Eq. (4)

where k is an integer which satisfies

and Definition 2:

where u is the number of bits of the modulus N.

Definition 1 can be called a parallel table lookup method and Def. 2 is
named a recursive table lookup method. The underlined terms in the above
equations have 2^b values each. They can be pre-computed and stored in
memory if b is a modest value. As a result, modular arithmetic is executed
not by division, but by table-lookup and addition. Definition 1 appears in
some of the former papers. As described in section 2, the main idea of this
method is that the memory size is reduced by dividing the number into
blocks. Definition 2 is our proposal. The table in this method is
independent of the block number (i). The same table is applied to any
portion of the number to be processed. Accordingly, the size of the table
is reduced by a large factor. Furthermore, Def. 1's idea that the table
size is reduced by block division is also applicable to Def. 2. The
underlined portion of Def. 2 can be divided into small segments, each of
which consists of s bits. Thus a third definition is derived.

Definition 3:

This method can be called a recursive parallel table lookup method, which
includes two system description parameters b and s. These parameters can
be determined from the trade-off between execution time and memory
reduction.

4. NUMBER OF ITERATIONS

It is important to evaluate the number of iterations required in reducing
the initial value X to a number less than 2^u. In order to evaluate the
most critical case, let us consider the model depicted in Fig. 1. S is the
number to be processed, which is divided into two portions A and Z. A, the
higher block, is greater than or equal to 2^u. Z, the lower block, is less
than 2^u. If A is greater than 1, another table look up will result in the
next value S0 = Z0 + R0, which is a (u+1)-bit number at most. In other
words, A1, the higher block of S0, equals 0 or 1. In the case of 0, no
further reduction can be achieved by table look up. If A1 equals 1, the
next residue from the table is almost always R1 = 2^u − N, except when N
is 2^(u−1). As a result, the k-th summation Sk is represented as

Sk = 2^u + (Z0 − k*N).

At the moment Sk becomes less than u bits in length, the procedure stops.
Considering the range of Z0 and N, k is 2 at most.
249

According to the above discussion, we can get the upper bound of the
iteration by the procedure listed in Fig. 2. The input for this program is
b and s, and the output is SS. Assuming

Fig. 1 SIMPLE TABLE LOOKUP MODEL (S is split into the higher block A and
the lower block Z; the table returns the residue R_n of the higher block
and the next value is Z_n + R_n)

Fig. 2 ITERATION EVALUATION (PROCEDURE: read b, s; ...; SS <- SS + 2;
SS <- SS*(u/s); write SS)

Fig. 3 ADDITION VS. MEMORY (number of additions against table size in
bytes, 100 to 1M, for key length = 512 bits and several values of b)

5. DISCUSSION

Let A*B and N be 1024 and 512 bits in length, respectively. The total
memory capacity Mt is evaluated as follows:

Mt(b,s) = 2^s * (b/s) * u                                   Eq. (9)

Reduction of both the number of additions and the memory size can be
achieved by choosing appropriate parameters (see Fig. 3). For example, the
parameter set (b,s) = (4,4) can reduce the memory size by a factor of 1/64
compared with the (512,4) set, which corresponds to the former method,
Eq. (4), in spite of the fact that the two cases require about the same
processing time.

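To make rules (1)-(3) of section 2, Definitions 1 and 2 of section 3 and Eq. (9) of section 5 concrete, the following Python (an added example, not the authors' implementation) reduces a 2u-bit product with the parallel method (one table per block position) and with the recursive method (one table reused for every block), checks both against Python's built-in remainder, and evaluates the memory formula. The sizes u = 32 and b = 4 and the random modulus are constructed for the demonstration; the final compare-and-subtract that finishes each reduction once the value fits in u bits is this example's own choice.

```python
"""Parallel (Definition 1) versus recursive (Definition 2) residue-table
reduction, checked against Python's built-in remainder, plus Eq. (9).
Added example, not the authors' implementation.  u = 32, b = 4 and the random
modulus are constructed; the final compare-and-subtract is this example's own."""
import random


def bits_above(X, u, b):
    """Low u bits Z (left untouched, rule 1) and the b-bit digits of X >> u,
    least significant digit first."""
    Z = X & ((1 << u) - 1)
    A = X >> u
    digits = []
    while A:
        digits.append(A & ((1 << b) - 1))
        A >>= b
    return Z, digits


def parallel_tables(N, u, b, nblocks):
    """Definition 1: one table per block position i, T_i[x] = x*2^(u+ib) mod N."""
    return [[(x << (u + i * b)) % N for x in range(1 << b)] for i in range(nblocks)]


def recursive_table(N, u, b):
    """Definition 2: a single table T[x] = x*2^u mod N reused for every block."""
    return [(x << u) % N for x in range(1 << b)]


def reduce_parallel(X, N, u, b, tables):
    """Rule (2): replace each block x_i*2^(u+ib) by its own table entry."""
    rounds = 0
    while X >> u:
        Z, digits = bits_above(X, u, b)
        X = Z + sum(tables[i][d] for i, d in enumerate(digits))
        rounds += 1
    while X >= N:                    # X < 2^u here; a few subtractions finish
        X -= N
    return X, rounds


def reduce_recursive(X, N, u, b, T):
    """Rule (3): reduce x_i*2^u with the shared table, then shift it back by ib."""
    rounds = 0
    while X >> u:
        Z, digits = bits_above(X, u, b)
        X = Z + sum(T[d] << (i * b) for i, d in enumerate(digits))
        rounds += 1
    while X >= N:
        X -= N
    return X, rounds


def table_bits(b, s, u):
    """Eq. (9): Mt(b, s) = 2^s * (b/s) * u bits of table memory."""
    return (1 << s) * (b // s) * u


def demo(seed=1, u=32, b=4, trials=200):
    """Reduce products of two residues both ways and report table sizes."""
    rng = random.Random(seed)
    N = rng.randrange(1 << (u - 1), 1 << u) | 1          # constructed odd u-bit N
    nblocks = -(-u // b) + 1                               # covers a 2u-bit product
    P = parallel_tables(N, u, b, nblocks)
    T = recursive_table(N, u, b)
    worst = {"parallel": 0, "recursive": 0}
    for _ in range(trials):
        X = rng.randrange(N) * rng.randrange(N)
        r1, k1 = reduce_parallel(X, N, u, b, P)
        r2, k2 = reduce_recursive(X, N, u, b, T)
        assert r1 == r2 == X % N
        worst["parallel"] = max(worst["parallel"], k1)
        worst["recursive"] = max(worst["recursive"], k2)
    return {"entries_parallel": nblocks * (1 << b),
            "entries_recursive": 1 << b,
            "worst_rounds": worst}
```

Each round subtracts a positive multiple of N from X whenever a digit above position u is non-zero (because x_i*2^u ≥ 2^u > N), so both loops terminate; the recursive variant needs more rounds but a table u/b times smaller, which is the trade-off the text describes.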
6. CONCLUSION

This paper proposes a fast modular arithmetic which can reduce the table
size. It also implies the reduction of pre-computation time.

[References]

[1] R.L. Rivest, A. Shamir, L. Adleman: "A method of obtaining digital
signatures and public key cryptosystems", Comm. of ACM, pp.120-126
(Feb. 1978).

[2] M. Rabin: "Digitalized signatures and public-key cryptosystems",
MIT/LCS/TR-212, Technical Report MIT (1979).

[3] N. Torii, M. Azuma, R. Akiyama: "A study on RSA parallel processing
method" (in Japanese), Proc. of Workshop on cryptography and information
security, pp.15-17 (Aug. 1986).

[4] Y. Nagai, T. Takaragi, F. Nakagawa, R. Sasaki: "Development of trial
production for electronic contract authentication system" (in Japanese),
Proc. of Workshop on cryptography and information security, pp.109-121
(Jul. 1987).

[5] Y. Kano, N. Matsuzaki, M. Tatebayashi: "A modulo exponentiation LSI
using high-order modified Booth's algorithm" (in Japanese), Proc. of
Workshop on cryptography and information security, pp.133-142.
Fast Exponentiation in GF(2^n)

G.B. Agnew, R.C. Mullin, S.A. Vanstone

University of Waterloo
Waterloo, Ontario, Canada

1. Introduction

In this article we will be concerned with arithmetic operations in the
finite field GF(2^n). In particular, we examine methods of exploiting
parallelism to improve the speed of exponentiation.

We can think of the elements in GF(2^n) as being n-tuples which form an
n-dimensional vector space over GF(2). If

β, β^2, β^4, ..., β^(2^(n-1))

is a basis for this space then we call it a normal basis and we call β a
generator of the normal basis. It is well known ([1]) that GF(2^n) contains
a normal basis for every n ≥ 1. For a ∈ GF(2^n) let (a_0, a_1, ..., a_(n-1))
be the coordinate vector of a relative to the ordered normal basis N
generated by β. It follows that a^2 then has coordinate vector
(a_(n-1), a_0, a_1, ..., a_(n-2)), so squaring is simply a cyclic shift of
the vector representation of a. In a hardware implementation squaring an
element takes one clock cycle and so is negligible. For the remainder of
this article we will assume that squaring an element is "free".

2. Discrete exponentiation

Suppose that we want to compute a^e ∈ GF(2^n) where

e = Σ_{i=0}^{n-1} a_i 2^i,   a_i ∈ {0,1}.

Then

a^e = Π_{i=0}^{n-1} a^(a_i 2^i)

and this requires A = (Σ_{i=0}^{n-1} a_i) − 1 multiplications. On average
for randomly chosen e, A will be about n/2 and so we require n/2
multiplications to do the exponentiation. We now examine ways of doing
better.

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 251-255, 1988.
© Springer-Verlag Berlin Heidelberg 1988

Select a positive integer k and rewrite the exponent e as

e = Σ_{w ∈ Z_(2^k) \ {0}} Σ_{i=0}^{r} c_{i,w} 2^(ki) w,   c_{i,w} ∈ {0,1},

or, for example,

e = (2^10 + 2^8 + 2^4)(1 + 0·2) + 2^2(0 + 1·2) + (2^6 + 2^0)(1 + 2).

If we let X(w) = Σ_{i=0}^{r} c_{i,w} 2^(ki) then

On average X(w) will have n/(k 2^k) nonzero terms in it and, hence, will
require n/(k 2^k) − 1 multiplications to evaluate. Since w is represented
by a binary k-tuple, w will have on average k/2 non-zero terms and require
k/2 − 1 multiplications to evaluate β^w. Therefore, to evaluate a^(X(w) w)
we need t = [n/(k 2^k) + k/2 − 2] multiplications.

Finally, to compute a^e we need t multiplications for each w ∈ Z_(2^k) \ {0}
and then 2^k − 2 multiplications to multiply the results together. In total
we require

M(k) = (2^k − 1)[n/(k 2^k) + k/2 − 2] + 2^k − 2

multiplications.

If we use 2^k − 1 processors in parallel to evaluate each term
simultaneously then the number of multiplications is on average

T(k) = n/(k 2^k) + k/2 + 2^k − 4.

Example 2. For n = 2^10 and various values of k we compute M(k) and T(k).

k   M(k)   T(k)
6   293
5   244    37
4   254    30
3   315    48

M(k) is minimized by k = 5 and T(k) by k = 4.

Example 3. For n = 2^16 and various values of k we compute M(k) and T(k).

k    M(k)    T(k)
11   15165   2052
10   10638   1031
9    9055    527
8    8924    288
7    9605    201
6    10877   234

M(k) is minimized by k = 8 and T(k) by k = 7.

A more extensive tabulation of the functions M(k) and T(k) is given in the
appendix. It appears at least for small values of n that M(k) and T(k) are
minimized for k about log_2 √n.

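The decomposition e = Σ_w w·X(w) and the multiplication counts above, as an added example (not the authors' code): the block exponentiation is run with a counter that charges only general multiplications, treating squarings as free in the way the normal-basis argument of section 1 allows, and the cost functions M(k) and T(k) are evaluated to find the minimizing k. Z_p^* with the constructed prime 257 stands in for GF(2^n) so that results can be checked against pow(); the exponent 181 and block size k = 2 are likewise constructed.

```python
"""Block-decomposed exponentiation a^e = prod_w (a^X(w))^w with multiplication
counting, plus the cost functions M(k) and T(k) from the text.
Added example, not the authors' code.  Z_p^* is used as a stand-in group so
that results can be checked with pow(); only general multiplications are
counted and squarings are treated as free, as in the normal-basis setting."""


class CountingGroup:
    """Multiplicative group mod p; counts general multiplications only."""

    def __init__(self, p):
        self.p = p
        self.mults = 0

    def mul(self, x, y):
        self.mults += 1
        return x * y % self.p

    def sqr(self, x):            # "free" in a normal basis (cyclic shift)
        return x * x % self.p


def block_exp(G, a, e, n, k):
    """Compute a^e for 0 <= e < 2^n using k-bit blocks of the exponent."""
    if e == 0:
        return 1 % G.p
    r = -(-n // k)                                  # number of k-bit digits
    digits = [(e >> (k * j)) & ((1 << k) - 1) for j in range(r)]
    powers = [a]                                    # a^(2^(kj)) by free squarings
    for _ in range(1, r):
        x = powers[-1]
        for _ in range(k):
            x = G.sqr(x)
        powers.append(x)
    partials = []
    for w in range(1, 1 << k):
        js = [j for j in range(r) if digits[j] == w]
        if not js:
            continue
        y = powers[js[0]]
        for j in js[1:]:                            # y = a^X(w)
            y = G.mul(y, powers[j])
        z = None                                    # z = y^w, square-and-multiply
        for bit in bin(w)[2:]:
            if z is not None:
                z = G.sqr(z)
            if bit == "1":
                z = y if z is None else G.mul(z, y)
        partials.append(z)
    result = partials[0]
    for z in partials[1:]:                          # multiply the 2^k - 1 results
        result = G.mul(result, z)
    return result


def M(n, k):
    """Expected multiplications, sequential: (2^k-1)[n/(k 2^k) + k/2 - 2] + 2^k - 2."""
    return (2 ** k - 1) * (n / (k * 2 ** k) + k / 2 - 2) + 2 ** k - 2


def T(n, k):
    """Expected multiplications with 2^k - 1 processors: n/(k 2^k) + k/2 + 2^k - 4."""
    return n / (k * 2 ** k) + k / 2 + 2 ** k - 4


def best_k(n, cost):
    """The k in 1..bit_length(n)-1 that minimizes the given cost function."""
    return min(range(1, n.bit_length()), key=lambda k: cost(n, k))


def demo():
    """Check a^181 in Z_257^* with k = 2 and report the multiplications used."""
    G = CountingGroup(257)                           # constructed small prime
    val = block_exp(G, 3, 181, 8, 2)
    return val == pow(3, 181, 257), G.mults
```

For e = 181 and k = 2 the digits are 1, 1, 3, 2, so X(1) = 2^0 + 2^2, X(2) = 2^6 and X(3) = 2^4; the run costs one multiplication for a^X(1), one for raising to w = 3 and two to combine the three partial results.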
Summary

In this paper, we have examined techniques for exponentiating in GF(2^n).
These techniques take advantage of parallelism in exponentiation and use
processor/time tradeoffs to greatly improve the speed. A more complete
study of this problem and other techniques for exploiting parallelism in
operations in GF(2^n) is presented in [2].

References

[1] O. Ore, On a special class of polynomials, Trans. Amer. Math. Soc. 35
(1933) 559-584.
[2] G.B. Agnew, R.C. Mullin, S.A. Vanstone, Arithmetic Operations in
GF(2^n), submitted to the Journal of Cryptology.

Appendix

Table 1 below lists the values of k which minimize M(k) and T(k) for
various values of n, where n is a power of 2. Table 2 below is similar for
values of n in increments of 100.

n      min M(k)   min T(k)
64     21         8
128    39         10
256    74         16
512    134        22
1024   243        30
2048   442        43
4096   797        56
8192   1469       81
Table 1

n      k for min M(k)   k for min T(k)   min M(k)   min T(k)
100    3                3                31         9
200    3                3                60         13
300    4                3                84         18
400    4                4                107        20
500    4                4                131        21
600    4                4                154        23
700    4                4                178        24
800    5                4                200        26
900    5                4                219        28
1000   5                4                239        29
1100   5                4                258        31
1200   5                4                278        32
1300   5                4                297        34
1400   5                4                316        35
1500   5                4                336        37
1600   5                4                355        39
1700   5                4                374        40
1800   5                5                394        41
1900   5                5                413        42
2000   5                5                433        43
Table 2
FAST RSA-HARDWARE: DREAM OR REALITY?

Frank Hoornaert, Marc Decroos, Joos Vandewalle, René Govaerts

CRYPTECH NV/SA
Av. Lloyd George 7
1050 Brussels, Belgium

ESAT K.U.LEUVEN
K. Mercierlaan 94
3030 Heverlee, Belgium

ABSTRACT

This paper describes a successful hardware implementation of the RSA
algorithm. It is implemented as a 120-bit bit-slice processor, which may be
interconnected without additional circuitry to obtain arbitrary word
lengths. With 512-bit operands, exponentiation takes less than 30
milliseconds.

I. INTRODUCTION

The actual explosion of electronic data communication and manipulation
creates a still growing need for cryptography. This need exists as well for
secret-key systems (using e.g. DES [1]) as for public-key systems (using
e.g. RSA [2]). While DES can be efficiently implemented in software and
hardware, the implementation of RSA is a lot more difficult in order to
obtain a reasonable speed, especially for a software implementation. This
drawback is certainly the main reason why up to now the RSA system has not
been used more frequently, in spite of its very interesting cryptographic
properties (e.g. authentication, electronic signature, key management,
etc.). Although a few RSA implementations already exist or have been
announced [4,5,6,7], a real breakthrough has not been achieved yet, mainly
due to practical or economical reasons.

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 257-264, 1988.
© Springer-Verlag Berlin Heidelberg 1988

In this context, CRYPTECH has started a project in cooperation with the
K.U.Leuven to study and build an RSA implementation. These chips should be
used in a first pilot project, which is the BISTEL system of the Belgian
government [8]. The system requirements were the following:
- fast enough to allow on line encryption.
- making use of secure key lengths (e.g. 512 bit).
- compact enough to allow integration in existing equipment.
- it must be in conformity with cryptographical principles.
- low cost to make an RSA solution economical.
- available for commercial applications.
Now the project is finished and a hardware implementation using ASICs
(Application Specific Integrated Circuits) has been designed and built with
success. The tests of the prototypes show RSA calculations at 9600 bit/sec
and faster using 672 bit (= 200 digit) modulus and exponent.

II. ALGORITHMS

During the first development phase, different calculation methods were
analysed. Very soon it appeared that hardware knowledge had to be
integrated in the algorithmic study in order to obtain an optimal
calculation scheme. Therefore, cooperation with IMEC [3] was set up to get
necessary input from hardware engineers. The result was that an
arithmetically simple calculation scheme evolved into an arithmetically
complex calculation scheme in order to allow faster and more compact
hardware implementation.

The original simple calculation scheme partitions the exponentiation with
the well-known square-and-multiply algorithm [9] into subsequent
multiplications. Then these multiplications are divided by the
shift-and-add algorithm into subsequent additions and shifts. The additions
are done according to the carry-save principle so that the addition is not
delayed by the length of the numbers. The entire exponentiation must be
calculated modulo n and this is performed by doing after each
shift-and-add operation a reduction modulo n. The basic principle of that
reduction is summarised in the following algorithm.

Reduction algorithm.
Given modulus n, multiplicand A, multiplier B, intermediate result R,
intermediate quotient q.

repeat for all bits b of B (starting with msb)
begin
    R := 2 * R + b * A;
    q := ⌊R/n⌋;
    R := R - q * n;
end.

However, a direct implementation of this reduction algorithm is very
inefficient because three of the operations require a lot of time and/or
hardware due to the length of the numbers, namely
- division R/n,
- multiplication q * n,
- subtraction R - q * n.
Therefore some modifications are applied in order to simplify and speed
up the hardware implementation:
1. The subtraction is replaced by an addition combined with the subtraction
of all the overflow bits appearing after the addition. This gives the
correct result only if the added value equals the value of the overflow
bits minus the intended value to subtract.

Example: (supposing 2 digit arithmetic)
(xx - 33) is equivalent to (xx + 37) only if the overflow equals
"100". (e.g. xx = 75 is OK, but xx = 16 is not OK.)

2. The number of possible quotients will be limited to the values 0, 1, 2
and 3 so that the multiplication can be replaced by a small table of
precomputed values [10].
3. The values in the table are not the values to subtract, but are the
values to add corresponding to the above described modification. This
implies that with every table entry (= possible quotient) a needed overflow
is associated.
4. The division is replaced by a sub-estimation of the quotient which uses
only a very small part of the bits of R and n. This estimation function
must at the same time take care of the following problems:
- In spite of all the imposed limitations on the quotient q, the
estimation has to remain accurate enough to avoid a systematic increase
of R which would create a divergence.
- For every intermediate result R, the quotient q may only take those
values which guarantee that the condition of the correct overflow after
the addition of the table value will be fulfilled. This problem can be
solved thanks to the limited carry propagation of the carry-save addition.
It is clear that these modifications result in an arithmetically more
complex algorithm. The hardware mapping of the algorithm however is more
optimal because only two additions on long numbers are needed every cycle.
The subtraction of the overflow is performed by wiping out some bits and
the sub-estimation of the quotient can be done by a small and fast
combinatorial circuit (< 20 nsec).

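The reduction algorithm with modifications 1, 2 and 4 applied, as an added software model (not the CRYPTECH design): the multiplier is consumed bit-serially msb first, the quotient is restricted to {0, 1, 2, 3}, and q*n is subtracted by adding a precomputed complement and wiping the overflow bit, exactly the "required overflow" condition of modification 3. The quotient sub-estimator is this example's own construction; it reads only a few leading bits of R and n, never over-estimates, and is at most 1 too small, which is what the text needs to keep R from diverging. Carry-save representation is omitted, and the moduli, operands and register width are constructed.

```python
"""Bit-serial modular multiplication in the style of the reduction algorithm
above: shift-and-add, quotient restricted to {0,1,2,3}, and subtraction of
q*n done by adding a precomputed complement and dropping the overflow bit.
Added example, not the CRYPTECH design: the quotient sub-estimator is a
constructed one that never over-estimates and is at most 1 too small, which
is what the text requires to keep R bounded.  Carry-save form is omitted."""


def subtract_via_complement(x, k, digits=2):
    """Decimal form of modification 1: x - k computed as x + (10^digits - k);
    valid only when the addition produces a carry-out (the "overflow")."""
    s = x + (10 ** digits - k)
    carry_out = s // 10 ** digits
    return s % 10 ** digits if carry_out == 1 else None


def complement_table(n, W):
    """Values to ADD instead of subtracting q*n, q = 0..3, in W-bit arithmetic:
    R + (2^W - q*n) with the overflow bit dropped equals R - q*n when R >= q*n."""
    return [0] + [(1 << W) - q * n for q in (1, 2, 3)]


def estimate_quotient(R, n, L):
    """Sub-estimate of floor(R/n) from leading bits only.  With t leading bits
    of n (t = 6) and R < 5n: rh/(nh+1) <= R/n < (rh+1)/nh, an interval of width
    below 1, so the estimate is never too large and at most 1 too small."""
    t = min(6, L)
    nh = n >> (L - t)
    rh = R >> (L - t)
    return min(3, rh // (nh + 1))


def modmul(A, B, n):
    """A*B mod n for 0 <= A < n, B >= 0, n >= 5 (odd n in practice)."""
    L = n.bit_length()
    W = L + 3                          # R < 5n < 2^(L+3) fits the register
    mask = (1 << W) - 1
    table = complement_table(n, W)
    R = 0
    for i in range(B.bit_length() - 1, -1, -1):      # msb first
        R = 2 * R + ((B >> i) & 1) * A               # shift-and-add
        q = estimate_quotient(R, n, L)
        S = R + table[q]
        if q and not S >> W:                          # required overflow missing
            raise ArithmeticError("quotient over-estimated")
        R = S & mask                                  # wipe the overflow bits
        assert R < 2 * n                              # invariant the estimator keeps
    while R >= n:                                     # final correction
        R -= n
    return R


def modexp(M_, e, n):
    """Square-and-multiply on top of modmul, msb first."""
    R = 1 % n
    for i in range(e.bit_length() - 1, -1, -1):
        R = modmul(R, R, n)
        if (e >> i) & 1:
            R = modmul(R, M_, n)
    return R
```

The invariant R < 2n is what makes a four-entry table sufficient: after the shift-and-add step R < 5n, so the true quotient is at most 4, and an estimate that is at most 1 too small leaves R below 2n again. A sub-estimate also guarantees that R ≥ q*n, so the overflow the table entry depends on always occurs; an over-estimate would leave the overflow bit clear and the ArithmeticError shows that failure mode instead of silently corrupting R.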
III. IMPLEMENTATION

The chip architecture is a direct mapping of the algorithm. A first adder
stage performs the conditional addition of the multiplicand and a second
adder stage performs the modulo reduction. The result is stored and
simultaneously the decision is made about the most optimal quotient for the
next modulo reduction.

Each chip contains a datapath for 120 bits and chips can be hardware
concatenated to arbitrary datapath lengths (e.g. 720 bit or longer). In any
case, the datapath must be at least as long as the used modulus. Even after
concatenating a fixed number of chips, the used keylength can still be
changed arbitrarily between 32 bit and the maximum value imposed by the
hardware.

Besides the arithmetic part, the general structure and behaviour has also
been optimised in order to get a universally useful module. For instance:
261

Figure 1: Architecture of the communication (module pins: RESET, CLK, VCC,
GND, R/W; module address bus (13)).

1. Powerful tasks can be done without external aid, e.g. a complete RSA
calculation.
2. A self-kill instruction destroys all internally stored keys in case of
detection of an intruder.
3. Keys can be entered and during this process, the keys can be read out
in order to check proper hardware functioning. After the entering is
completed, the key can never again be read out and cannot even be changed
partially.
4. Up to 16 complete keys (e and n) can be memorised by the module.
5. The external interface of the module is very similar to the interface of
a standard RAM. Therefore it can be coupled with almost every
microprocessor bus (fig. 1).

IV. PERFORMANCE

The following table gives an overview of the datarates which have been
achieved with the RSA hardware. The speed is linearly dependent on the
exponent length, so that the use of very short exponents (e.g. 3, 65537)
can boost the speed [9,11]. By putting modules in parallel, a supplementary
speed gain factor up to 10 is possible. The module is completely built in
the latest CMOS technology (1.5 µm) and consumes about 400 mA at maximum
speed. A total of about 200,000 transistors are incorporated in a 6-chip
module (maximum 712 bit modulus) which has the size of an actual pocket
calculator (13.9 x 6.4 cm^2) (fig. 2).

modulus length                    | 256 bit   | 512 bit   | 672 bit
exponent = 65537                  | 512 Kb/s  | 512 Kb/s  | 512 Kb/s
exponent length = modulus length  | 35 Kb/s   | 17 Kb/s   | 13 Kb/s

Table 1: Speed of a single module (14 MHz clock).

V. CONCLUSIONS

In the paper it is shown that a compact and fast (17 Kb/s for 512 bit)
gate array chip design is feasible. The actual chip development is in the
commercial phase. Test samples are already tested and fully approved. Mass
production quantities of the chips are available and the first RSA security
systems using these production chips are actually under test (BISTEL [8]).
An evaluation package including a 712-bit module, an interface card for the
IBM PC, sources of driver software (C-language) and hot-line problem
support, is now available.

Future actions are on one hand the support of these RSA chips and derived
products (PC-encryptors, key generators, high-speed encryptors, ...). On
the other hand the availability of fast RSA implementations should
stimulate the research and development of public key cryptography, which
was forced too long in the past to proceed without actual fast hardware.

Figure 2: Photograph of the RSA module for keys up to 712 bit.

References

[1] National Bureau of Standards, Data Encryption Standard, U.S. Department
of Commerce, FIPS Pub. no. 46, January 1977.
[2] R.L. Rivest, A. Shamir and L. Adleman, "A Method for Obtaining Digital
Signatures and Public-Key Cryptosystems", Commun. ACM, vol. 21, pp.
120-126, February 1978.
[3] IMEC (Interuniversitair Micro Electronica Centrum), Kapeldreef 75,
B-3030 Heverlee, Belgium, Tel. 32-(0)16-281211.
[4] R.L. Rivest, "A Description of a Single Chip Implementation of the RSA
Cipher", LAMBDA Magazine, Vol. 1, No. 3 (Fourth Quarter 1980), pp. 14-18.
[5] M. Kochanski, "Split Key", Systems International, October 1986.
[6] S. Miyaguchi, "Fast encryption algorithm for the RSA cryptographic
system", Proceedings COMPCON 1982 - Twenty-fifth IEEE Computer Society
International Conference, September 1982.
[7] J.C. Pailles and M. Girault, "The Security Processor CRIPT", Pre-prints
of the Fourth IFIP Conference on Information System Security, Monte-Carlo,
December 1986.
[8] J. Vandewalle, R. Govaerts, W. De Becker and M. Decroos, "Implementation
study of public key cryptography protection in an existing electronic mail
and document handling system", Advances in Cryptology, Proc. of EUROCRYPT
'85 (Lecture Notes in Computer Science 219), F. Pichler, Ed.,
Springer-Verlag, Berlin, 1986, pp. 43-49.
[9] D.E. Knuth, The art of computer programming. Vol. 2: Seminumerical
algorithms, Addison-Wesley, Reading, MA, 1981.
[10] E.F. Brickell, "A Fast Modular Multiplication Algorithm with
Application to Two Key Cryptography", Advances in Cryptology, Proc. of
CRYPTO '82, D. Chaum, R.L. Rivest and A.T. Sherman, Eds., Plenum, New York,
1983, pp. 51-60.
[11] H. Sedlak, "The RSA Cryptography Processor", Advances in Cryptology,
Proc. of EUROCRYPT '87 (Lecture Notes in Computer Science 304), D. Chaum
and W.L. Price, Eds., Springer-Verlag, Berlin, 1988, pp. 95-105.
PROPERTIES OF THE EULER TOTIENT FUNCTION
MODULO 24 AND SOME OF ITS CRYPTOGRAPHIC
IMPLICATIONS

Raouf N. Gorgui-Naguib and Satnam S. Dlay

Cryptology Research Group
Department of Electrical and Electronic Engineering
University of Newcastle upon Tyne
Newcastle upon Tyne NE1 7RU, England

ABSTRACT

The work reported in this paper is directed towards the mathematical proof
of the existence of a consistent structure for the Euler totient function
φ(n) given n. This structure is extremely simple and follows from the
exploitation of some of the very interesting properties relating to the
integer 24 as demonstrated in the proofs. This result is of particular
concern to cryptologists who are either attempting to break the RSA or
ascertain its cryptographic viability. Furthermore, it is stipulated that
the methods and properties relating to the integer 24, taken as a modulus,
may have strong implications on the different attempts to solve the
factorisation problem.

I. INTRODUCTION

Rivest et al. [1] (RSA) have presented a method for public-key
cryptosystems, whose security depends predominantly on being able to
factorise large numbers. This has stimulated research on the factorisation
problem which would ultimately threaten the security of the RSA and has
resulted in numerous papers being published on this work, such as
Williams' overview of factoring procedures [2]. However, the validity of
the different cryptanalytic attacks of the RSA has always been contested
[3,4] and a fast algorithm for factorising large numbers has not yet
appeared.

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 267-274, 1988.
© Springer-Verlag Berlin Heidelberg 1988

This paper does not set out to break the RSA, but approaches the
factorisation problem from an original viewpoint and consequently raises
some doubts about its security. The approach taken is the development of a
mathematical proof of the existence of a structure for the Euler totient
function φ(n) in terms of the argument n. This structure could enable the
computation of the decryption key, which is secret in the RSA cryptosystem,
from a knowledge of the encryption key and the parameter n which both
reside in the public directory. The derivation of the structure for the
Euler totient function and its interesting implications is based on the
extremely simple, but powerful, number theoretical properties of the
integer 24.

II. NUMBER THEORETIC PROPERTIES OF THE INTEGER 24

In this section, we prove the existence of some extremely interesting
properties relating to the integer 24. The most important of these
properties may be expressed in terms of the following theorem:

Theorem 1 For any prime p, p > 3,

p^2 ≡ 1 (mod 24)                                                    (1)

Proof The congruence given in (1) can be expressed in the form of the
Diophantine equation:

p^2 − 1 = 24k                                                       (2)

for a particular value of k.

Hence,

(p − 1)(p + 1) = 24k
               = 4!k

where "!" denotes the factorial operation. The proof for (1) then consists
in proving that (p − 1)(p + 1) is divisible by 4, 3 and 2.

Since p is a prime, then its negative and positive differences about 1 can
be expressed in the form:

(p − 1) = 2m,
(p + 1) = 2m + 2

where m is any positive integer.

Hence,

(p − 1)(p + 1) = 2m(2m + 2)
               = 4m(m + 1)

If m is even, then m = 2m'. Conversely, if it is odd then (m + 1) = 2m', so
that the product m(m + 1) is always an even integer of the form 2m''. Thus

(p − 1)(p + 1) = 4·2m''

which establishes the fact that 2 and 4 are indeed factors of p^2 − 1.

To prove that the last factor 3 is also a factor of p^2 − 1, we present the
following development.

Any three consecutive numbers about p will be of the form

(p − 1), p, (p + 1)

and since 3 ∤ p (p is a prime), then,

either 3 | (p − 1)
or     3 | (p + 1)

In either case, the product (p − 1)(p + 1) will consist of a factor of 3.
This completes the proof.

III. DEDUCTION OF A STRUCTURE FOR THE EULER TOTIENT FUNCTION -
CRYPTANALYSIS OF THE RSA MODULO 24

In this section, we present a stepwise mathematical deduction of the Euler
totient function, φ(n), from a knowledge of n. This deduction is based on
the theorem reported in the previous section.

In the case of the RSA [1],

n = pq

where p and q are the two primes involved in the encryption process.

The security of the RSA is based on the fact that a knowledge of both n and
the encryption key e (chosen at random from the interval [2, φ(n) − 1] such
that gcd(e, φ(n)) = 1) does not allow the straightforward deduction of the
decryption key d, where d is the multiplicative inverse of e modulo φ(n):

ed ≡ 1 (mod φ(n))

since, due to the factorisation problem and the nature of p and q, it is
impossible to compute the value of φ(n) given n.

For two primes p and q, such that p, q > 3:

p^2 ≡ 1 (mod 24)
q^2 ≡ 1 (mod 24)

Then, for n = pq,

n^2 = p^2 q^2 ≡ 1 (mod 24)                                          (3)

Also, since φ(p^a) = p^(a−1)(p − 1) [5], then

φ(p^2) = p(p − 1)
       = p^2 − p

or,

φ(p^2) ≡ 1 − p (mod 24)                                             (4)

Consequently, since gcd(p^2, q^2) = 1, then

φ(n^2) = φ(p^2)φ(q^2)
       ≡ (1 − p)(1 − q) (mod 24)
       ≡ 1 + pq − (p + q) (mod 24)                                  (5)

However,

φ(n) = (p − 1)(q − 1)                                               (6)

From (5) and (6) we can then establish that

φ(n^2) ≡ φ(n) (mod 24)                                              (7)

Also, since φ(p^2) = p(p − 1), then congruence (5) can be interpreted as
follows:

φ(n^2) = φ(p^2)φ(q^2)
       = p(p − 1)q(q − 1)
       = pq(p − 1)(q − 1)

Thus,

φ(n^2) = nφ(n)                                                      (8)

On the other hand, congruence (7) may be written in its Diophantine
equation form:

φ(n^2) = 24z + φ(n) ;  z = 1, 2, ...                                (9)

Now, equating the RHS of equations (8) and (9) yields

nφ(n) = 24z + φ(n)

Hence

φ(n) = 24z/(n − 1)                                                  (10)

Equation (10) shows that there exists a definite structure for the Euler
totient function in terms of its argument. In what concerns the RSA, such a
structure is of particular importance since, for decryption purposes, φ(n)
is the crucial secret number in the system. The ability to compute φ(n)
given n renders the system vulnerable to cryptanalytic attacks and,
although the practical evaluation of the factor z may still be complicated,
it is thought that, in theory at least, the existence of such a structure
may lead the way towards developing a fast algorithm for the evaluation of
φ(n). This is currently being investigated.

IV . FURTHER PROPERTIES MODULO 24 AND AN ALGORITHM


FOR EVALUATING +(n)

The primes p and q involved in the RSA can be shown to have specific properties
in terms of the integer 24, namely,

Theorem 2
p + q = 2i (mod 24) ; i = 0,1, ..., 11 (11)
The proof of this theorem is rather simple and shall not be presented here.

Conjecture 1 T h e residue of n = p q is always 1 or a n odd prime, taken modulo


24. In general, we can write
n z p (mod 24) (12)
where p = 1 or a p r i m e E [3,23].

Conjecture 2 T h e residue of x in equation (10) i3 always a n even integer, mod-


ulo 24:
z = 2 j (mod 24) (13)
where j is a n even or odd integer.
272

The development of t h e following algorithm depends on the two conjectures given


above. From (12) a n d (13), we can write
z -n 3 2j -p (mod 24)
or, that

z G n + 2j - p (mod 24) (14)

In congruence (14), n is given and ρ can be simply evaluated. Hence, the only
missing parameter is j. Consequently, from this congruence, we may write

z = 24y + (n + 2j - ρ)   (15)

for a particular value of y. Replacing z in equation (10) by its corresponding
expression in (15), we obtain

φ(n) = 24[24y + (n + 2j - ρ)] / (n - 1)
     = [24(n - ρ) + 24(24y + 2j)] / (n - 1)

However, (24y + 2j) will always yield an even value which may be expressed as
2i for any integer i. Hence,

φ(n) = [24(n - ρ) + 24·2i] / (n - 1)
     = [24(n - ρ) + 48i] / (n - 1)   (16)

As a result, the following algorithm may be developed based on equation (16)
which searches for possible values of φ(n):

Step 1: Compute ρ = n (mod 24)
Step 2: φ(n) is O(n - 1); hence the numerator in equation (16) is O((n - 1)²).
        Set numerator = (n - 1)²
Step 3: Calculate a starting value of i, such that
        i = ⌊[(n - 1)² - 24(n - ρ)] / 48⌋
Step 4: Check if (n - 1) | numerator in equation (16):
        Yes → possible value for φ(n) obtained, then check equation (16), else
        No  → decrement i, and repeat Step 4.

The above algorithm is by no means optimal. It suffers from two drawbacks:
first, the magnitude of (n - 1)² and, second, decrementing i by 1 results in a
slow process. It is thought that a better approach may be to test for values of z
directly in equation (10). This is currently being investigated, and attempts to
increase the multiplier of z from 24 to other larger integers, while maintaining a
constant structure for φ(n), are also being studied.
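An added example, not the paper's code: the identities (8)-(10) checked on small semiprimes, the residue facts (11)-(13), and Steps 1-4 of the algorithm above run to completion while counting the candidates visited. The candidate test (whether the quotient yields the factors of n) is our own choice, since the page only says "check equation (16)".

```python
# Added example, not the paper's code: the identities (8)-(10) checked on
# small semiprimes n = pq (p, q > 3), the residue facts (11)-(13), and Steps
# 1-4 of the algorithm run to completion while counting the candidates it
# visits. The candidate test (does the quotient give the factors of n?) is
# our own choice, since the page only says "check equation (16)".
from math import isqrt


def phi_semiprime(p, q):
    """Euler's totient of n = p*q for distinct primes p, q."""
    return (p - 1) * (q - 1)


def z_from_structure(p, q):
    """The integer z of (9)/(10); asserts (7), (8) and (10) along the way."""
    n = p * q
    phi_n = phi_semiprime(p, q)
    phi_n2 = n * phi_n                        # (8): phi(n^2) = n phi(n)
    assert (phi_n2 - phi_n) % 24 == 0         # (7): phi(n^2) = phi(n) (mod 24)
    z = (phi_n2 - phi_n) // 24                # (9): phi(n^2) = 24 z + phi(n)
    assert phi_n * (n - 1) == 24 * z          # (10): phi(n) = 24 z / (n - 1)
    return z


def residue_facts_hold(p, q):
    """Theorem 2 (11), Conjecture 1 (12) and Conjecture 2 (13) for one pair."""
    n = p * q
    rho = n % 24
    return ((p + q) % 2 == 0                                        # (11)
            and (rho == 1 or rho in {3, 5, 7, 11, 13, 17, 19, 23})  # (12)
            and z_from_structure(p, q) % 2 == 0)                    # (13)


def factors_of_phi(n, cand):
    """Our candidate check: if cand == phi(n) then p, q are the integer roots
    of x^2 - (n - cand + 1) x + n. Returns (p, q) or None."""
    s = n - cand + 1
    disc = s * s - 4 * n
    if disc < 0:
        return None
    r = isqrt(disc)
    if r * r != disc or (s + r) % 2:
        return None
    p, q = (s + r) // 2, (s - r) // 2
    return (p, q) if q > 1 and p * q == n else None


def phi_search(n):
    """Steps 1-4 of Section IV. Returns (phi(n), number of i values visited)."""
    rho = n % 24                                          # Step 1
    i = ((n - 1) ** 2 - 24 * (n - rho)) // 48             # Steps 2-3: start at
    visited = 0                                           # numerator ~ (n-1)^2
    while i >= 0:                                         # Step 4
        visited += 1
        numerator = 24 * (n - rho) + 48 * i               # numerator of (16)
        if numerator % (n - 1) == 0:
            cand = numerator // (n - 1)
            if factors_of_phi(n, cand):
                return cand, visited
        i -= 1
    return None, visited


if __name__ == "__main__":
    for p, q in [(7, 11), (101, 103)]:
        n = p * q
        phi, steps = phi_search(n)
        # the search walks ~ n (p + q - 2) / 48 candidates: exponential in log n
        print(f"n={n}: phi={phi} (true {phi_semiprime(p, q)}), visited={steps}")
```

For n = 10403 the search already visits 43776 candidates, whereas trial division up to √n needs about a hundred; the structure in (16) does not shorten the search.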

V. CONCLUSIONS
In this paper we have presented a stepwise mathematical deduction of the Euler
totient function φ(n) from a knowledge of n. This deduction is based on some
interesting number theoretic properties relating to the integer 24. These
properties, together with their proofs, were presented in detail. An algorithm for the
final evaluation of φ(n) was also given. However, it must be stressed that the aim
of the paper was mainly directed towards proving the existence of a consistent
structure for φ(n) in terms of n and the integer 24. It is believed that it may
also have strong implications on the different attempts to solve the factorisation
problem.

VI . ACKNOWLEDGEMENTS
The authors are grateful to their colleagues and postgraduate students in the
Cryptology Research Group of the Department of Electrical and Electronic Engi-
neering, the University of Newcastle upon Tyne, for many interesting discussions
and comments on this work. They are particularly indebted to Jalil Tabatabaian
for providing the simple proof of Theorem 1.

An Observation on the Security
of McEliece's Public-Key Cryptosystem

P. J. Lee and E. F. Brickell ¹

Bell Communications Research
Morristown, N. J., U. S. A.

Abstract

The best known cryptanalytic attack on McEliece's public-key cryptosystem
based on algebraic coding theory is to repeatedly select k bits at random from an
n-bit ciphertext vector, which is corrupted by at most t errors, in hope that none
of the selected k bits are in error until the cryptanalyst recovers the correct
message. The method of determining whether the recovered message is the
correct one has not been thoroughly investigated. In this paper, we suggest a
systematic method of checking, and describe a generalized version of the
cryptanalytic attack which reduces the work factor significantly (factor of 2^11 for
the commonly used example of the n = 1024 Goppa code case). Some more
improvements are also given. We also note that these cryptanalytic algorithms
can be viewed as generalized probabilistic decoding algorithms for any linear error
correcting codes.

I. Introduction

McEliece [1] introduced a public-key cryptosystem based on algebraic coding
theory. Specifically, an (n, k) binary Goppa code [2] was chosen for this purpose since
the error correction capability grows linearly with its dimension for a given code rate k/n.
The correctable number of errors t for an (n, k) Goppa code with n = 2^l is given by:

t ≥ (n - k) / l .   (1)

¹ E. F. Brickell is now with Sandia National Laboratories, Albuquerque, NM 87183 U.S.A.

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 275-280, 1988.
© Springer-Verlag Berlin Heidelberg 1988

The vectors, matrices and operations in the following discussion are all binary.

The next section describes McEliece’s cryptosystem and the following section
explains the best known cryptanalytic attack. After describing a systematic method of
checking whether the recovered message is correct or not, we will suggest a generalization
of the attack. Our analysis will show that the factor of improvement will be significant.
Further improvements will also be discussed and conclusions and other discussions will
follow.

II. Description of McEliece's Public-Key Cryptosystem

McEliece's system works as follows: The system user (receiver) secretly constructs
a linear t-error correcting Goppa code with k×n code generator matrix G, a k×k
scrambler matrix S that has an inverse over GF(2), and an n×n permutation matrix P.
Then he computes

G' = S G P   (2)

which is also a linear code (but supposedly hard-to-decode) with the same rate and error
correction capability as the original code generated by G. He publishes G' as his public
encryption key. The sender encrypts a k-bit message vector m into an n-bit ciphertext
vector c as

c = m G' + e   (3)

where e is a random n-bit error vector of weight less than or equal to t. The receiver
computes c P^{-1} = (m S) G + e P^{-1} and uses the decoding algorithm for the original
code with G to get rid of e P^{-1}. Finally, to get m he descrambles m S by multiplying
by S^{-1}.

III. The Best Known Cryptanalytic Attack

There have been several methods proposed for attacking McEliece's system, [1],
[3], [4], etc. Among them, the best attack with least complexity is to repeatedly select k
bits at random from the n-bit ciphertext vector c to form c_k in hope that none of the
selected k bits are in error. If there is no error in them, then c_k G'_k^{-1} is equal to m
where G'_k is the k×k matrix obtained by choosing k columns of G' according to the same
selection of c_k.

The work factor for the matrix inversion is O(k^γ) for some γ between 2 and 3.
However, all of the known algorithms for γ < 2.7 have enormous constants that make
them infeasible for matrices of a reasonable size. Perhaps the Winograd algorithm ([5], p.
481) with γ ≈ 2.8 might be the best for these matrices of size between 500 and 1000.
However, for the following analysis, we will use as in [4] the elementary algorithm with
γ = 3 and small constant α.

The probability that there is no error in randomly selected k bits, among n bits
with t errors, is C(n-t, k) / C(n, k), where C(·,·) denotes the binomial coefficient. Therefore, the total expected work factor for this attack is
[3], [4]

W = α k³ C(n, k) / C(n-t, k) .   (4)

Originally, in [1], the values of l = 10 and t = 50 (or n = 1024, k = 524) were suggested,
which result in the work factor of approximately 2^80.7 (with α = 1). More recently, in [4],
the optimum value of t that maximizes the work factor for n = 1024 was shown to be 37
(or equivalently, k = 654) providing W = 2^84.1.

IV. Systematic Method of Checking c_k G'_k^{-1}

Notice that the work factor for checking whether the obtained c_k G'_k^{-1} is really m
was not discussed in [1] and [4], while [3] just suggested that the validity of c_k G'_k^{-1} may
be determined by the redundancy in m, which might not be practical.

Here, we provide a systematic and practical method of checking whether the
obtained c_k G'_k^{-1} is m or not. Since G' is also a code generator matrix having
minimum distance larger than 2t, if c_k G'_k^{-1} is not the true m, then m G' + c_k G'_k^{-1} G'
must have weight at least 2t. Hence if c + c_k G'_k^{-1} G' has weight less than or equal to t,
then the cryptanalyst can claim that c_k G'_k^{-1} = m.

V. Generalization of the Above Attack

The above cryptanalysis can be generalized by allowing a very small number of
errors in the selected c_k. The following describes the algorithm:

Algorithm j:

Step 1) Randomly choose k bits from an n-bit ciphertext c (denoted as c_k). Let G'_k
be the k×k matrix obtained by choosing the corresponding columns of G'.
Calculate G'_k^{-1} G' and c + c_k (G'_k^{-1} G').

Step 2) Choose an unused k-bit error pattern e_k with less than or equal to j ones. If
(c + c_k G'_k^{-1} G') + e_k (G'_k^{-1} G') has weight t or less, then stop (m = (c_k + e_k) G'_k^{-1}).

Step 3) If there are no more unused k-bit error patterns with less than or equal to j
ones, go to Step 1). Otherwise, go to Step 2).

Notice that Algorithm 0 is the attack discussed in Section III including our
systematic checking of c_k G'_k^{-1}.

Let Q_i be the probability that there are exactly i errors among the randomly
chosen k-bit vector c_k. It can be shown that

Q_i = C(t, i) C(n-t, k-i) / C(n, k) .   (5)

Hence, the probability that the algorithm completes successfully is Σ_{i=0}^{j} Q_i.
Therefore, the expected number of executions of Step 1), T_j, is

T_j = 1 / Σ_{i=0}^{j} Q_i .   (6)

Let N_j be the number of k-bit error patterns with less than or equal to j ones.
Then,

N_j = Σ_{i=0}^{j} C(k, i) .   (7)

Hence, N_j is the number of executions of Step 2) for a given choice of c_k with more than
j errors in it.

The work factor involved in Step 1) is approximately α k³ with small α when
k > n/2. The work factor involved in Step 2) is approximately β k with small β since
we can just update the vector e_k (G'_k^{-1} G') for each choice of e_k which differs in at
most two positions from the previous choice of e_k. Therefore, the average overall work
factor for Algorithm j, W_j, is

W_j = T_j (α k³ + N_j β k) .   (8)

Notice that W = W_0. Also notice that for any reasonable value of α and β, W_j
decreases and then increases as j increases. With α = β, we can show that the optimum
j which minimizes the work factor is 2 for all values of useful code parameters. With
α = β = 1, the minimum work factor W_2 ≈ 2^73.4 for the case of n = 1024 and t = 37,
which is a factor of 2^11 reduction as compared to W_0. For the n = 1024 case, the value of t
which maximizes W_2 is 38 (k = 644), for which W_2 is also approximately 2^73.4.
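An added example, not the paper's code: the work-factor model of equations (4)-(8) evaluated exactly with big-integer binomial coefficients, reproducing the n = 1024 figures quoted above; α and β default to 1 as in the paper's numbers.

```python
# Added example, not the paper's code: the work-factor model of equations
# (4)-(8), evaluated exactly with big-integer binomial coefficients. It
# reproduces the n = 1024 figures quoted in the text and lets a designer
# compare parameter sets; alpha and beta default to 1 as in the paper's numbers.
from math import comb, log2


def success_weight(n, k, t, j):
    """Numerator of sum_{i<=j} Q_i (eq. (5)): k-subsets of the n positions
    that contain at most j of the t error positions."""
    return sum(comb(t, i) * comb(n - t, k - i) for i in range(j + 1))


def patterns(k, j):
    """N_j, eq. (7): number of k-bit error patterns of weight at most j."""
    return sum(comb(k, i) for i in range(j + 1))


def log2_expected_trials(n, k, t, j):
    """log2 T_j, eq. (6): T_j = C(n,k) / sum_{i<=j} C(t,i) C(n-t,k-i)."""
    return log2(comb(n, k)) - log2(success_weight(n, k, t, j))


def log2_work_factor(n, k, t, j, alpha=1, beta=1):
    """log2 W_j, eq. (8): W_j = T_j (alpha k^3 + N_j beta k).
    j = 0 is the original attack's work factor W of eq. (4)."""
    per_trial = alpha * k ** 3 + patterns(k, j) * beta * k
    return log2(per_trial) + log2_expected_trials(n, k, t, j)


def best_j(n, k, t, alpha=1, beta=1, j_max=6):
    """The j that minimises W_j (the paper finds 2 for useful parameters)."""
    return min(range(j_max + 1),
               key=lambda j: log2_work_factor(n, k, t, j, alpha, beta))


def best_t(n, l, j, alpha=1, beta=1):
    """For n = 2^l and k = n - l t, the t that maximises W_j: the designer's
    best choice of error weight against Algorithm j."""
    return max(range(1, n // (2 * l)),
               key=lambda t: log2_work_factor(n, n - l * t, t, j, alpha, beta))


if __name__ == "__main__":
    for k, t, j in [(524, 50, 0), (654, 37, 0), (654, 37, 2), (644, 38, 2)]:
        w = log2_work_factor(1024, k, t, j)
        print(f"n=1024 k={k} t={t} j={j}: W_j = 2^{w:.1f}")
    print("optimum j for (1024, 654, 37):", best_j(1024, 654, 37))
    print("t maximising W_2 for l=10:", best_t(1024, 10, 2))
```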

VI. Further Improvements

Instead of calculating the vector (c + c_k G'_k^{-1} G') + e_k (G'_k^{-1} G') (= ê) first
and then checking whether ê has weight t or less in Step 2), one can calculate the vector
ê one bit at a time and check the accumulated weight until it exceeds t. When
we assume that the vector ê has average weight n/2 for incorrect cases, we can expect
that the number of bits to be tested in this improved Step 2)' is 2t on average. Hence,
the work factor for Step 2)' is less than that of Step 2) by a factor of k/2t on average.
For the previous example, this is a factor of 10 improvement.

For each Step 1) the new c_k is selected randomly. However, one can just
randomly update only one bit of c_k each time. The work factor in this Step 1)' is then
reduced to α' k² for updating (G'_k^{-1} G'). In this case, however, we could not find the
expected number of executions of Step 1)' before success, T_j'. If one assumes that T_j' is
the same as T_j, it can be shown that the optimum j which minimizes W_j' is 1 when
α' = β (with Step 2)). And for the previous example of l = 10, the value of t that
maximizes W_1' is also 38, resulting in W_1' = 2^69.6. And, together with Step 2)', we can
improve by another factor of 10.

VII. Conclusions and Discussion

In conclusion, we have described a systematic method of checking the validity of
the recovered cleartext. And we suggested an improved cryptanalytic attack which is a
factor of 2^11 more efficient than the previously known best attack. We also suggested
some more improvements over the new attack.

In [6], it was shown that the syndrome decoding of a general linear algebraic code is
an NP-complete problem and the running time for the syndrome decoding is an
exponential function of its input dimension k, and it is claimed that the discovery of an
algorithm which runs significantly faster than this would be an important achievement.
The cryptanalytic attack of [1] described in Section III and our generalizations are
general probabilistic decoding algorithms for any general linear error correction code
which can run more efficiently (although still in exponential time) than the syndrome
decoding of a general code when the number of errors in a code word seldom exceeds its
error correcting capability.

References

[1] R. J. McEliece, "A public-key cryptosystem based on algebraic coding theory," CA,
May 1978.
[2] E. R. Berlekamp, "Goppa codes," IEEE Trans. Info. Theory, Vol. IT-19, pp. 590-
592, Sept. 1973.
[3] T. R. N. Rao and K.-H. Nam, "Private-key algebraic-coded cryptosystems," Proc.
Crypto '86, pp. 35-48, Aug. 1986.
[4] C. M. Adams and H. Meijer, "Security-related comments regarding McEliece's
public-key cryptosystem," to appear in Proc. Crypto '87, Aug. 1987.
[5] D. E. Knuth, The Art of Computer Programming, Vol. 2. Seminumerical Algorithms,
Addison-Wesley, 1981.
[6] E. R. Berlekamp, et al., "On the inherent intractability of certain coding problems,"
IEEE Trans. Info. Theory, Vol. IT-22, pp. 644-654, May 1978.
HOW TO BREAK OKAMOTO'S CRYPTOSYSTEM
BY REDUCING LATTICE BASES

Brigitte VALLÉE 1)   Marc GIRAULT 2)   Philippe TOFFIN 1)

1) Département de Mathématiques
Université 14032 Caen Cedex, France
2) Service d'Etudes communes des Postes et Télécommunications
BP 6243 14066 Caen Cedex, France

ABSTRACT
The security of several signature schemes and cryptosystems, essentially
proposed by Okamoto, is based on the difficulty of solving polynomial
equations or inequations modulo n. The encryption and the decryption
of these schemes are very simple when the factorisation of the modulus,
a large composite number, is known.
We show here that we can, for any odd n, solve, in polynomial proba-
bilistic time, quadratic equations modulo n, even if the factorisation of n
is hidden, provided we are given a sufficiently good approximation of the
solutions. We thus deduce how to break Okamoto's second degree cryp-
tosystem and we extend, in this way, Brickell's and Shamir's previous
attacks.
Our main tool is lattices, which we use after a linearisation of the problem,
and the success of our method depends on the geometrical regularity of
a particular kind of lattices.
Our paper is organized as follows:
First we recall the problems already posed, their partial solutions and
describe how our results solve extensions of these problems. We then
introduce our main tool, lattices, and show how their geometrical pro-
perties fit in our subject. Finally, we deduce our results. These methods
can be generalized to higher dimensions.

This work was supported in part by PRC Mathématiques et Informatique
and in part by a convention between SEPT and University of Caen.

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 281-291, 1988.
© Springer-Verlag Berlin Heidelberg 1988

I. INTRODUCTION

In this section, after some definitions, we describe the problems posed


by the security of Okamoto schemes, and the partial solutions given by
Brickell and Shamir. Then, we state our main results and show how they
extend the previous ones.

1.1. Definitions and notations

For an odd integer n, Z(n) denotes the ring of the integers modulo n,
which is identified with [0, n - 1].
We will use approximations of a number x0 in Z(n). So, we adopt the
following definitions and notations:
|u| denotes, for u ∈ Z(n), the minimum of u and n - u,
I(a, x0) denotes the set of x ∈ Z(n) such that x = x0 + u, |u| ≤ n^a,
J(a, x0) denotes the set of x ∈ Z(n) such that

The subsets I(a, x0) -resp. J(a, x0)- and I(b, y0) are said compatible if
there exists x in I(a, x0) -resp. J(a, x0)- and y in I(b, y0) such that y ≡
x² [n].

1.2. Okamoto's cryptographic proposals and questions

In this section, the modulus n is particular: n = p² q where p and q are
distinct primes (p < q). An element x0 of Z(n) is called easy when it is
smaller than (1/2)- modulo pq.
The following cryptographic schemes are based on the difficulty of ex-
tracting square roots modulo n, when the factors of n are unknown:

Cryptosystems
In [6], Okamoto proposed a first public key cryptosystem:
The public key is the pair (n, x0), where x0 is an easy element of Z(n).
From a message u, which is small compared to n, the cipher text y is
built as follows:
y = (x0 + u)² [n]

As quoted in [7], Shamir [8] has two attacks to break this system: the first
one works for any pair (n, x0) while the second one uses the particular
form of the public key.

Okamoto [7] then proposed a new cryptosystem: x0 is the known quotient
modulo n of two secret easy numbers of Z(n). A message (u1, u2), where
the u_i's are small compared to n, gives a cipher text y such that

y = (u1 x0 + u2)² [n]

Okamoto stated as an open question the breaking of this second system.

We show here that we can break this new cryptosystem without using
the particular form of the public key (n, x0).

Signature Scheme
In [5], Okamoto and Shiraishi proposed a signature scheme:
Given a 'one-way' function h, a signature x is considered as valid for a
message u if

h(u) ≤ (x² mod n) ≤ h(u) + O(n^{2/3})   with |x| not 'too small'.

Brickell [2] broke this scheme, without using the particular form of n.
Now, we state and solve problems which are natural extensions of all the
questions that we described above.

1.3. Two Problems

Problem 1.
Given a square y0 and a subset I(a, x0) (resp. J(a, x0)) which is known
to contain a square root x of y0, find x.

Problem 2.
Given I(b, y0) a subset of Z(n), find x such that x² belongs to I(b, y0).

Solving the first problem with the intervals I breaks the first version of
Okamoto's cryptosystem, while the second version of Okamoto's cryp-
tosystem is attacked by solving this problem with the subsets J. The
second problem is linked with improvements of Brickell's results.

1.4. Our main results: Three theorems

We state here our main results which solve generalisations of each of the
problems. On the one hand, Theorem 1 and Theorem 1bis, which are
uniqueness results, allow us to break the second version of Okamoto's
cryptosystems, but also to make precise some points of Shamir's attack
on the first version. On the other hand, Theorem 2, which is an existence
result, improves Brickell's previous attack of the signature scheme.

THEOREM 1.
For any n, ε > 0, a and b reals in [0, 1] satisfying

2a + b = 1 - 3ε and b ≥ a,

there exists an exceptional subset T(ε) of Z(n) such that the following is
true:
i) Card T(ε) ≤ n^{1-ε}
ii) For any x0 not in T(ε) and any y0 in Z(n): intervals J(a, x0) and
I(b, y0) have at most two compatible pairs, say (x, y) and (n - x, y).
Moreover, there exists a probabilistic polynomial algorithm A which pro-
vides one of the following three answers:
'exceptional case' if x0 is in T(ε)
'no compatible couple'
(x, y) and (n - x, y) are the two compatible pairs.

THEOREM 1 BIS.
For any n, ε > 0, a and b reals in [0, 1] satisfying

a + b = 1 - 2ε and b ≥ 2a,

there exists an exceptional subset T'(ε) of Z(n) such that the following
is true:
i) Card T'(ε) ≤ n^{1-ε}
ii) For any x0 not in T'(ε) and any y0 in Z(n), intervals I(a, x0) and
I(b, y0) have at most one compatible pair.
Moreover, there exists a probabilistic polynomial algorithm B which pro-
vides one of the following three answers:

'exceptional case' if x0 is in T'(ε)
'no compatible couple'
(x, y) is the only compatible pair.

THEOREM 2.
For any n, ε > 0, a and b reals in [0, 1] satisfying
a + b = 1 + 2ε and b ≥ 2a,
there exists an exceptional subset T''(ε) of Z(n) such that the following
is true:
i) Card T''(ε) ≤ n^{1-ε}
ii) For any x0 not in T''(ε) and for any y0 in Z(n), intervals I(a, x0)
and I(b, y0) are compatible.
Moreover, there exists a probabilistic polynomial algorithm C which pro-
vides one of the following answers:
'exceptional case' if x0 is in T''(ε)
a compatible pair (x, y) otherwise.

We give now the proofs of our results, mainly for Theorem 1, in the case
of subsets J, and see how our methods work for the intervals I, in the
proof of Theorems 1bis and 2. The main tool is lattices, for which there
are two basic facts:
a) There is a high proportion of lattices with given determinant ha-
ving their smallest vector not too small.
b) Given a lattice and a point m in the space, one can find -using
an algorithm based on the LLL reduction algorithm [4]- one point t which
belongs to the lattice and which is close to m.

II. THE BREAKING OF OKAMOTO'S CRYPTOSYSTEM:
proof of Theorem 1

Given n, x0, y0, a, b, we must find u1 and u2 that satisfy

|u1| ≤ n^{a/2},  |u2| ≤ n^{a/2},  |v| ≤ n^b

and that are solutions of the equation

(u1 x0 + u2)² = y0 + v [n]   (1)

II.1. How lattices are involved

We must solve

u1² x0² + 2 x0 u1 u2 + u2² - v = y0 [n]   (2)

Replacing u1², u1 u2, y0 + v - u2² by independent variables, we consider a first
lattice:

L(x0) := {w = (w0, w1, w2) ∈ Z³ ; x0² w0 + 2 x0 w1 - w2 ≡ 0 [n]}

L(x0) is spanned by the three column vectors of the matrix:

  ( 1     0     0 )
  ( 0     1     0 )
  ( x0²   2x0   n )

which has determinant n.

Since |u1|, |u2|, |v| are small, we have to look for w in L(x0) with the
following approximations:

|w0| ≤ n^a,  |w1| ≤ n^a,  |w2 - y0| ≤ 2n^b   (a ≤ b)


These approximations are not of the same order, and since we will work
with the sup norm, it is natural to consider a second lattice M(x0).
If k0, k1, k2 are three positive rationals whose product is equal to 1, we
define

M(x0) := { t ∈ Q³ ; t_i = k_i w_i, 0 ≤ i ≤ 2 and w ∈ L(x0) }.

M(x0) has then for matrix

  ( k0       0        0    )
  ( 0        k1       0    )
  ( k2 x0²   2k2 x0   k2 n )

which has still determinant n.

With a suitable choice of (k0, k1, k2), we get the same approximation
order on each component. So, we have to find a point t in M(x0) which
is close to the point m = (0, 0, k2 y0) for the sup norm.
Now, we are led to some important questions:
1) How to get, in a given lattice M of Q³, a point t close to a given
point m?
2) How to be sure that such a point will be unique?
We answer now these two questions.

II.2. The ClosePoint Algorithm

We get a reduced basis α = (α0, α1, α2) of M by using the LLL algorithm
[4]. We express m in the basis α: m = m0 α0 + m1 α1 + m2 α2 (m_i ∈ Q)
and finally take t = t0 α0 + t1 α1 + t2 α2 where t_i is the closest integer to
m_i. This algorithm gives the point t nearest to m within a factor K which
is analysed in [1]. If n is sufficiently large compared to 1/ε, this factor
will be of order n^{ε/3}.

II.3. The uniqueness problem

Here come up some geometrical facts about lattices M which have their
shortest vector λ1(M) not too small, namely λ1(M) ≥ ρ0.

If we define ρ1 = ρ0/K, we then have the following facts for any euclidean
ball B(m, r):
i) If r < ρ0/2, then B(m, r) contains at most one point of M.
ii) Moreover, if r < ρ1, the ClosePoint algorithm outputs 'empty' if no
point of M is in B(m, r), and t if t is the only point of M in B(m, r).
So, in such a lattice, we can get our uniqueness result.

II.4. The analysis of the lattices M(x0)

Are there many lattices M(x0) which have their shortest vector not too
short? We have the following answer ([3], [9]):
For any n, ε > 0, for any triple k = (k0, k1, k2) of product 1, there exists
an exceptional subset T(ε) of Z(n) such that the following is true:
i) Card T(ε) ≤ n^{1-ε}
ii) For any x0 not in T(ε), the shortest vector λ1(M(x0)) of the lattice
M(x0) satisfies

λ1(M(x0)) ≥ n^{(1-2ε)/3}   (3)

We deduce that we can apply the facts described in II.3 to most of the lattices
M(x0) provided we choose

ρ0 = n^{(1-2ε)/3} and also ρ1 = n^{1/3 - ε}.

We know also that we can decide whether we are in T(ε).

II.5. The end of the proof

If (x, y) is a compatible pair in J(a, x0) × I(b, y0), we want to find it.
This pair (x, y) gives a point w = (u1², u1 u2, y0 + v - u2²) of L(x0), then a
point t = (k0 u1², k1 u1 u2, k2 (y0 + v - u2²)) of M(x0).
We now choose the triple k so that all the approximations be bounded
by ρ1: if we let k0 = k1 = n^c, we require

2a + b = 1 - 3ε and c = (b - a)/3   (4)

Let m = (0, 0, k2 y0); then t is in the ball B(m, ρ1). The ClosePoint
algorithm finds a point t' in B(m, ρ1). As this ball contains only one
point belonging to M(x0), we must then have t = t'. From t', it is then
easy to get u1 by ordinary square root extraction, and then u2 and v; we
then verify if u1, u2, v satisfy (1). This ends the proof of Theorem 1.
We remark that the optimal choice for the pair (a, b) is

a = b = 1/3 - ε.
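The exponent condition (4) and the size of the factor K of II.2, carried through in the paper's own notation as an added derivation (not part of the original):

$$
\begin{aligned}
&k_0 = k_1 = n^{c},\quad k_2 = n^{-2c}\ \ (k_0 k_1 k_2 = 1),\qquad
t = \bigl(k_0 u_1^2,\; k_1 u_1 u_2,\; k_2 (y_0 + v - u_2^2)\bigr)\\[2pt]
&|t_0| \le n^{c}\,n^{a},\qquad |t_1| \le n^{c}\,n^{a},\qquad
|t_2 - k_2 y_0| = n^{-2c}\,|v - u_2^2| \le n^{-2c}\bigl(n^{b} + n^{a}\bigr) \le 2\,n^{b-2c}\quad (a \le b)\\[2pt]
&\text{all three of order } \rho_1 = n^{1/3-\varepsilon}
\;\Longleftrightarrow\; a + c = \tfrac13 - \varepsilon
\;\text{ and }\; b - 2c = \tfrac13 - \varepsilon\\[2pt]
&\text{sum: } 2(a+c) + (b-2c) = 2a + b = 1 - 3\varepsilon,\qquad
\text{difference: } (b-2c) - (a+c) = 0 \;\Rightarrow\; c = \tfrac{b-a}{3}\quad\text{(this is (4))}\\[2pt]
&b \ge a \;\Longleftrightarrow\; c \ge 0,\qquad
\rho_1 = \rho_0/K,\ \ \rho_0 = n^{(1-2\varepsilon)/3}
\;\Rightarrow\; K = n^{(1-2\varepsilon)/3 - (1/3 - \varepsilon)} = n^{\varepsilon/3}.
\end{aligned}
$$

With the optimal choice a = b = 1/3 - ε this gives c = 0, i.e. k0 = k1 = k2 = 1 and M(x0) = L(x0).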

II.6. Back to the breaking of Okamoto's cryptosystem

Okamoto's second cryptosystem hypotheses are a particular case of ours.
He takes a = 2/9, v = 0; we remark that our results indeed allow us to
decrypt the message y, because most of the x0's used -here, the quotients
of two easy numbers- are outside the exceptional set. Furthermore, our
algorithm works even if
i) the 1/3 of the least significant bits of y are lost
ii) the pair (n, x0) has no particular form.

III. PROOFS OF THEOREM 1BIS AND THEOREM 2

Given n, x0, y0, a, b, we must find u, v, that satisfy

and that are solutions of the equation

As before, replacing u by w0 and v - u² by w1, we then have the lattice
L(x0) which has for matrix:

with determinant n. We also use a second lattice M(x0), with a suitable
choice of (k0, k1) and the point m is now (0, k1 (y0 - x0²)).

III.1. Outline of the proof of Theorem 1bis; precisions about
Shamir's attack

The proof of Theorem 1bis is similar to the proof of Theorem 1: The
condition (3) of lattice regularity is just replaced by

This result allows us to make precise some points of Shamir's first attack:
The underlying framework of this attack is the one of Theorem 1bis.
Why is it so often successful? We remark that the exceptional set T(ε)
associated to the value of ε defined by the equality

does not contain any easy point x0 provided that n^ε > 2. Shamir's attack
almost always succeeds!
This attack also works even if the 2/3 least significant bits of the message
are lost or erroneous.

III.2. Proof of Theorem 2; an improvement of Brickell's result

There are two facts for this proof:
1) Once we get w = (w0, w1) of L(x0) close to the point m, it is very
easy to get u and v satisfying (5); we have

u = w0,  v = w1 + u²,

there are no compatibility conditions as in Theorem 1.

2) We have one more property of lattices M(x0) satisfying (3bis),
which has to do with existence and not with uniqueness:
If ρ2 = n^{1/2 + ε}, the ball B(m, ρ2) contains at least one point of the lattice.

Taking k0 = n^c and k1 = 1/k0, one then must have:

a + c = b - c = 1/2 + ε,

so we then take c = (b - a)/2. The proof ends then as in Theorem 1.

Theorem 2 gives an improvement of Brickell's breaking of the signature
scheme: If one looks for an x such that x² is in I(b, y0), one finds x in
almost any prescribed I(a, x0) as soon as a > 1/3.

III.3. Extensions to higher degrees

Most of our uniqueness results can be generalized: as is shown in [9],
we can recover, in polynomial probabilistic time, roots of polynomial
equations of higher degree provided that we are given a sufficiently good
approximation of these roots.

IV. BIBLIOGRAPHIC REFERENCES

[1] L. Babai: On Lovász's lattice reduction and the nearest lattice point
problem, Combinatorica 6 (1986), pp 1-14.

[2] E. Brickell, J. Delaurentis: An attack on a signature scheme proposed
by Okamoto and Shiraishi, Proc. of Crypto'85, pp 10-14.

[3] A. Frieze, J. Hastad, R. Kannan, J.C. Lagarias, A. Shamir: Reconstructing
truncated variables satisfying linear congruences, to appear
in SIAM Journal of Computing.

[4] A.K. Lenstra, H.W. Lenstra, L. Lovász: Factoring polynomials with
integer coefficients, Mathematische Annalen, 261, (1982) pp 513-534.

[5] T. Okamoto, A. Shiraishi: A fast signature scheme based on quadratic
inequalities, Proc. of the 1985 Symposium on Security and Privacy,
April 1985, Oakland, CA.

[6] T. Okamoto: Fast public-key cryptosystem using congruent polynomial
equations, Electronics Letters, 1986, 22, pp 581-582.

[7] T. Okamoto: Modification of a public-key cryptosystem, Electronics
Letters, 1987, 23, pp 814-815.

[8] A. Shamir: Private communications to Okamoto, quoted in [7], August
and October 1986.

[9] B. Vallée, M. Girault, P. Toffin: How to guess ℓ-th roots modulo n
by reducing lattice bases, preprint of Université de Caen, to appear
in Proceedings of First International Joint Conference of ISSAC-88
and AAECC-6 (July 88).
Cryptanalysis of F.E.A.L.
BERT DEN BOER
Centre for Mathematics and Computer Science (*)
Kruislaan 413
1098 SJ AMSTERDAM, The NETHERLANDS

Summary
At Eurocrypt 87 the blockcipher F.E.A.L. was presented [2]. Earlier
algorithms called F.E.A.L-1 and F.E.A.L-2 had been submitted to standardization
organizations but this was presumably the final version. It is a Feistel cipher, but
in contrast to D.E.S., a software implementation does not require a table look-up.
The intention was a fast software implementation and also an avoidance of
discussions about random tables. As Walter Fumy indicated at Crypto 87 [1], a
certain transformation on 32 bits used by the cipher was not complete, in contrast
to a remark made during the presentation of F.E.A.L. at Eurocrypt 87.
Furthermore, the transformation is too close to a quadratic function on the input.
I am informed that after my informal exposé at Crypto 87 about certain
vulnerabilities of F.E.A.L., its designers have created F.E.A.L.4 with twice as
many rounds. Later on again versions were renamed. The (definite?) version in
the abstracts [2] without a serial number got version number 1.00 and F.E.A.L.4
got version number 2.00 in the proceedings of Eurocrypt '87 [3]. In this paper we
shall show that F.E.A.L. as presented at Eurocrypt 87 is vulnerable to a chosen
plaintext attack which requires at most ten thousand plaintexts.

Encryption Algorithm
For convenience and definiteness we first reformulate the encipherment
algorithm. The FEAL-algorithm is a blockcipher acting on 64 bits of plaintext to
produce a 64 bit ciphertext controlled by a 64 bit key.
One of the building blocks of the cipher is a transformation S from F_2^8 ×
F_2^8 × F_2 to F_2^8 defined by
S(x,y,a)=Rot((x+y+a) mod 256)

(*) This research was supported by the Netherlands Organization for Advancement of Pure
Research

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 293-299, 1988
© Springer-Verlag Berlin Heidelberg 1988

i.e. the 8 bit numbers x and y are considered as residues mod 256, a is the residue
class of 0 or 1 and Rot cyclicly rotates the bits of its input 2 places such that the 6
least significant bits become the 6 most significant bits. Another building

block is the exclusive-or on two bytes denoted by El. The Same notation will be
used for the exclusive-or sums of four byte strings. We define a fk-box as
follows: fk transforms 2 smngs of 4 bytes L and R into a four byte string 0 as
follows: (In shorthand fk(L,R)=O.)
denote the input by L(0) up to L(3) and R(0) up to R(3) and the output by O(0) up
to O(3) then:
h~lp=L(2)@ L(3)
0(1?=S((L(O) @ L(l),Olulp tB R(0)),1)
o ( o ) = s ~ L ( o ) , ( o (@~ R(2)),0)
)
0(2)=S(O(1) @ R( l),hulp,O)
0(3)=S((W) @ R(3)),L(3),1)
The function G transforms one string of four bytes into one string of four bytes as follows (in shorthand G(I) = O). Denote the input by I(0) up to I(3) and the output by O(0) up to O(3); then:
hulp = I(2) ⊕ I(3)
O(1) = S(I(0) ⊕ I(1), hulp, 1)
O(2) = S(O(1), hulp, 0)
O(3) = S(O(2), I(3), 1)
O(0) = S(O(1), I(0), 0).
The block cipher consists of a key schedule and a data randomizer. The key schedule operates as follows: the eight-byte key is considered as two strings A0 and B0 of four bytes each. Further, a four-byte string C0 with all 32 bits zero is introduced. Iteratively A_i, B_i, C_i, i = 1, ..., 6 are defined by
B_{i+1} = fk(A_i, C_i ⊕ B_i)
C_{i+1} = A_i
A_{i+1} = B_i.
Further we need two simple functions PL and PR transforming four-byte strings as follows:
PL(u,v,w,x) = (0,u,v,0)
PR(u,v,w,x) = (0,w,x,0).
The strings B1, ..., B6 of the key schedule are transformed into 6 strings M_i, i = 0, ..., 5 as follows:
M0 = B3 ⊕ PR(B1)
M1 = B3 ⊕ B4 ⊕ PL(B1)
M2 = PL(B1) ⊕ PL(B2)
M3 = PR(B1) ⊕ PR(B2)
M4 = B5 ⊕ B6 ⊕ PR(B1)
M5 = B5 ⊕ PL(B1).
The data randomizer operates as follows (see fig. 2): the 64-bit input is viewed as two strings P0 and P1 of four bytes. Now we define
D0 = P0 ⊕ M0
E0 = P0 ⊕ P1 ⊕ M1
D1 = E0
E1 = D0 ⊕ G(E0)
D2 = E1
E2 = D1 ⊕ G(E1)
D3 = E2
E3 = D2 ⊕ G(E2 ⊕ M2)
D4 = D3 ⊕ G(E3 ⊕ M3) ⊕ M5
E4 = E3 ⊕ M4
C0 = D4
C1 = D4 ⊕ E4.
Finally the two strings C0 and C1 of four bytes each are concatenated to form the 64-bit ciphertext.
Cryptanalysis
To determine the key we use a chosen plaintext attack. The choice of the plaintext depends on results derived from previous plaintexts and ciphertexts. We are going to determine the 160 unknown bits in the M_i's as though there were no relation between them. Once they are determined we can decipher any ciphertext, but we can also use the key schedule from the bottom up to determine the 64-bit key. This process will not require more than ten thousand plaintexts.


Observe the value C0 ⊕ C1. It is equal to
P0 ⊕ M4 ⊕ M0 ⊕ G(E0) ⊕ G(E0 ⊕ M2 ⊕ G(G(E0) ⊕ M0 ⊕ P0)).
Assume that P0 ⊕ P1 is a constant; then E0 and G(E0) are constants too. Define
K0 = G(E0) ⊕ M0
K1 = E0 ⊕ M2
K2 = M4 ⊕ M0 ⊕ G(E0)
CP = C0 ⊕ C1 ⊕ P0;
then:
(1) CP = K2 ⊕ G(K1 ⊕ G(K0 ⊕ P0)).
Formula (1) is the crucial formula. By keeping the exclusive-or sum of P0 and P1 constant it is possible to determine the constants K0 up to K2 with at most, say, 300 choices of P0.
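The reformulated cipher and the crucial identity can be checked mechanically. The following Python is an added example, not code from the paper or from FEAL's designers: it implements S, fk, G, the key schedule producing M0, ..., M5 and the data randomizer exactly as written above, and then verifies formula (1) for a constructed key and for many plaintexts sharing the same value of P0 ⊕ P1. The test key, the random seed and the helper names are assumptions of this example.

```python
# Added example (not from the paper): FEAL as reformulated above, plus a check of
# formula (1): CP = K2 ^ G(K1 ^ G(K0 ^ P0)) whenever P0 ^ P1 is held constant.
import random


def S(x, y, a):
    """S(x,y,a) = Rot((x + y + a) mod 256); Rot is a cyclic left rotation by 2 bits."""
    v = (x + y + a) & 0xFF
    return ((v << 2) | (v >> 6)) & 0xFF


def xor(*blocks):
    """Byte-wise exclusive-or of any number of four-byte strings."""
    out = [0, 0, 0, 0]
    for b in blocks:
        out = [o ^ x for o, x in zip(out, b)]
    return tuple(out)


def fk(L, R):
    """The fk-box of the key schedule."""
    hulp = L[2] ^ L[3]
    o1 = S(L[0] ^ L[1], hulp ^ R[0], 1)
    o0 = S(L[0], o1 ^ R[2], 0)
    o2 = S(o1 ^ R[1], hulp, 0)
    o3 = S(o2 ^ R[3], L[3], 1)
    return (o0, o1, o2, o3)


def G(I):
    """The G-box of the data randomizer."""
    hulp = I[2] ^ I[3]
    o1 = S(I[0] ^ I[1], hulp, 1)
    o2 = S(o1, hulp, 0)
    o3 = S(o2, I[3], 1)
    o0 = S(o1, I[0], 0)
    return (o0, o1, o2, o3)


def PL(b):
    return (0, b[0], b[1], 0)


def PR(b):
    return (0, b[2], b[3], 0)


def key_schedule(key):
    """8-byte key -> (M0, ..., M5) via B1, ..., B6."""
    A, B, C = tuple(key[:4]), tuple(key[4:]), (0, 0, 0, 0)
    Bs = []
    for _ in range(6):
        Bn = fk(A, xor(C, B))          # B_{i+1} = fk(A_i, C_i ^ B_i)
        C, A, B = A, B, Bn             # C_{i+1} = A_i, A_{i+1} = B_i
        Bs.append(Bn)
    B1, B2, B3, B4, B5, B6 = Bs
    return (xor(B3, PR(B1)), xor(B3, B4, PL(B1)), xor(PL(B1), PL(B2)),
            xor(PR(B1), PR(B2)), xor(B5, B6, PR(B1)), xor(B5, PL(B1)))


def encrypt(P0, P1, M):
    """Data randomizer; returns (C0, C1)."""
    M0, M1, M2, M3, M4, M5 = M
    D0 = xor(P0, M0)
    E0 = xor(P0, P1, M1)
    D1, E1 = E0, xor(D0, G(E0))
    D2, E2 = E1, xor(D1, G(E1))
    D3, E3 = E2, xor(D2, G(xor(E2, M2)))
    D4 = xor(D3, G(xor(E3, M3)), M5)
    E4 = xor(E3, M4)
    return D4, xor(D4, E4)


def formula_1_holds(P0, P1, M):
    """CP = K2 ^ G(K1 ^ G(K0 ^ P0)) with K0, K1, K2 defined from E0 = P0 ^ P1 ^ M1."""
    M0, M1, M2, M3, M4, M5 = M
    E0 = xor(P0, P1, M1)
    K0, K1, K2 = xor(G(E0), M0), xor(E0, M2), xor(M4, M0, G(E0))
    C0, C1 = encrypt(P0, P1, M)
    CP = xor(C0, C1, P0)
    return CP == xor(K2, G(xor(K1, G(xor(K0, P0)))))


def check_fixed_difference(key, delta, trials=200, seed=1):
    """Hold P0 ^ P1 = delta and vary P0 at random (constructed inputs); True if (1) always holds."""
    rng = random.Random(seed)
    M = key_schedule(key)
    for _ in range(trials):
        P0 = tuple(rng.randrange(256) for _ in range(4))
        if not formula_1_holds(P0, xor(P0, delta), M):
            return False
    return True


if __name__ == "__main__":
    key = (0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF)   # constructed test key
    print(check_fixed_difference(key, (0, 0, 0, 0)))
    print(encrypt((0,) * 4, (0,) * 4, key_schedule(key)))
```

Since E1 = P0 ⊕ K0 and E2 ⊕ M2 = K1 ⊕ G(K0 ⊕ P0) once P0 ⊕ P1 is fixed, the identity holds for every key and every S; the check exercises the reformulation itself. What the attack below then exploits is that, seen from the attacker, the four rounds have collapsed to two G-boxes between three unknown 32-bit constants.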
Define
K0 = (x0, x1, x2, x3)
K1 = (y0, y1, y2, y3)
K2 = (z0, z1, z2, z3)
P0 = (a0, a1, a2, a3)
CP = (f0, f1, f2, f3).
See figure 1, where the internal bytes b_k, c_k, d_k, e_k are defined within the picture.
The idea is to solve K0 first. The first bits to solve are the 6 least significant bits of x0. This starts by keeping a3, a2, a1 ⊕ a0 and also the two most significant bits of a0 constant, and studying the behaviour of one particular bit, bit 5 of f1, for the remaining 64 cases. Observe that b1, b2, b3, c1, c2, c3, d2, d3 are constant in those cases. Let b0l = b0 mod 64 and c1l = c1 mod 64 and carry = (b0l + c1l) div 64. Then it holds for bit 7 of c0, bit 7 of d0, bit 7 of d1, bit 5 of e1 and bit 5 of f1 that their value is of the form "constant ⊕ carry". The constant is fixed while the 6 least significant bits of a0 assume all 64 possibilities, and so b0l assumes all 64 possible values. Counting the number of times bit 5 of f1 is equal to one leaves us with at most two possibilities for c1l.
In order to determine which possibility holds for c1, observe that when changing bit 1 or bit 0 of a1, the six most significant bits of c1, and therefore the four most significant bits of c1l, remain constant. Combining the results of two or three counts will give only one consistent possibility for the two or three values of c1l. The actual counting never requires the full 192 ciphertexts but at most 127 ciphertexts in special cases (in a very favourable case 10 is enough).
To determine the 6 least significant bits of x0, note that at least one of the two or three actual values of c1l is odd. In that case there exists exactly one value b0l such that b0l gives carry = 1 and b0l ⊕ 1 gives carry = 0. From this we conclude that b0l equals 64 − c1l. We know the corresponding value of a0, so indeed we can determine the six least significant bits of x0.
To proceed we use this knowledge and start changing the lowest bit of a0 ⊕ a1. Two well-chosen plaintexts and the corresponding values of bit 5 of f1 are enough to determine the least significant bit of x0 ⊕ x1. The same is true for the next two bits of x0 ⊕ x1. Simultaneously the three least significant bits of x2 ⊕ x3 are determined. To determine the next three bits of x0 ⊕ x1 and x2 ⊕ x3 might require 42 plaintexts in the worst case. Still, the value of bit 5 of f1 is all we need of the ciphertext.
Along similar lines we can determine x0 ⊕ x1, x2 ⊕ x3, the seven least significant bits of x0 and the seven least significant bits of x3. For the moment we are allowed to assume that the most significant bits of x0 and x3 are zero. In other words K0 is determined, and at the cost of at most 250 plaintexts.
Once K0 is determined, the determination of K1 and K2 is easy and will cost at most 30 well-chosen plaintexts with the corresponding ciphertexts. There is a freedom in K1 of two bits, but we can just make a choice.
Now observe what happens if we change P0 ⊕ P1. Then the new value of K1 is known. With the above-described technique we establish the new value of K0. Then K2 follows directly because of a linear relation.
This results in knowledge of M0 ⊕ G(M1 ⊕ (P0 ⊕ P1)) for values of P0 ⊕ P1 of our own choosing. With, say, at most 30 values we can establish M0 and M1 except for a freedom of two bits.
Finally we study the values C0 we have encountered up to this moment. Those give equations of the form
Q1 = M5 ⊕ G(M3 ⊕ Q2)
where Q1 and Q2 are known. Considering the fact that up to now we have between 100 and 10000 ciphertexts, it is safe to assume that we have enough data to determine M3 and M5.
Combining this knowledge we can decipher any ciphertext. If we want to recover the original key we use the restricted possibilities for M2 and M3 to reduce the uncertainty in M0 up to M5. Given those M_i's we can use these data and the last fk-box to solve B6 and B4 and a few more bytes. After that we can simply try the 256 possibilities for B3(2) and resolve the key schedule.
Conclusions
In the presented version the G-box is too regular. If one wants this small number of rounds (4), a better design should be possible. In [3] the algorithm with twice as many rounds is considered by the authors to be secure because four statistical values are close or equal to theoretical values, but the same argument was used for the algorithm presented at Eurocrypt '87. As this turned out not to be sufficient, one should use other arguments for the security of an encipherment algorithm.
Acknowledgement
The author wishes to thank D. Chaum and W. Fumy for a challenging remark which made him start the investigations. Further the author wishes to thank D. Chaum for stimulation during the investigations. The author also wishes to thank T. Siegenthaler for remarks on a draft version of this article.
References
1 W. Fumy, On the F-function of FEAL, lecture at Crypto '87.
2 A. Shimizu & S. Miyaguchi, Fast data encipherment algorithm FEAL, Abstracts of Eurocrypt '87.
3 A. Shimizu & S. Miyaguchi, Fast Data Encipherment Algorithm FEAL, Advances in Cryptology - Eurocrypt '87, Lecture Notes in Computer Science 304.
[fig 1: the two nested G-boxes of formula (1), with the input bytes a_k of P0, the constants K0, K1, K2, the internal bytes b_k, c_k, d_k, e_k and the output bytes f0, f1, f2, f3 of CP]
FAST CORRELATION ATTACKS ON STREAM CIPHERS
(Extended Abstract)

Willi Meier Othmar Staffelbach

HTL Brugg-Windisch
CH-5200 Windisch, Switzerland

GRETAG Aktiengesellschaft
Althardstr. 70, CH-8105 Regensdorf, Switzerland

For proofs and further explanations of the results presented herein we refer the reader to the full paper ([1]). A description of the cryptanalytic algorithms is appended.

I. Extended Abstract

A common type of running key generator employed in stream cipher systems consists of n (mostly maximum-length) binary linear feedback shift registers (LFSRs) whose output sequences are combined by a nonlinear Boolean function f. The output of several combining functions previously proposed in the literature is known to be correlated to some input variables with probabilities p up to 0.75 (this holds, e.g., for the generators of Geffe, Pless, or Bruer). These generators have been broken in [2] for LFSR lengths k < 50 (roughly), according to the computational complexity of the attack (based on an exhaustive search over all phases of the LFSR). But also other generators, e.g. certain types of multiplexed sequence generators, are known to be correlated to LFSR components. In fact any generator having such correlations may be vulnerable to a correlation attack.

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 301-314, 1988.
© Springer-Verlag Berlin Heidelberg 1988

Let the output sequence z of a running key generator be correlated to a linear feedback shift register sequence (LFSR sequence) a with correlation probability p > 0.5. Then two new correlation attacks (algorithms A and B) are presented to determine the initial digits of a, provided that the number t of feedback taps is small (t < 10 if p ≤ 0.75).


The computational complexity of algorithm A is of order $O(2^{ck})$, where k denotes the length of the LFSR and c < 1 depends on the input parameters of the attack, and algorithm B is polynomial (in fact, even linear) in the length k of the LFSR. These algorithms are much faster than an exhaustive search over all phases of the LFSR, and are demonstrated to be successful on shift registers of considerable length k (typically k = 1000). On the other hand, for correlation probabilities p ≤ 0.75 the attacks are proven to be infeasible on long LFSRs if they have a greater number of taps (roughly k ≥ 100 and t ≥ 10).

In order to set out our results in more detail, suppose that N digits of the output sequence z are given, and correlated to an LFSR sequence a produced by an LFSR with t taps. We assume that the feedback connection is known. Observe that this is no essential restriction, as there is only a very limited number of maximum-length feedback connections with few taps. Hence an exhaustive search over all primitive feedback connections is possible.

The sequence z may be viewed as a perturbation of the LFSR sequence a by a binary asymmetric memoryless noise source (with Prob(0) = p). For the purpose of reconstructing the LFSR sequence a from z the following principle is essential to the algorithms: every digit a_n of a satisfies several linear relations derived from the basic feedback relation, all of them involving t other digits of a. By substituting the corresponding digits of z in these relations, we obtain equations for each digit z_n which either may or may not hold. To test whether z_n = a_n, we count the number of all equations which turn out to hold for z_n. Then the more of these equations hold, the higher is the probability for z_n to agree with a_n. This can be justified by a statistical model, computing the corresponding conditional probabilities.

On the basis of this idea, we roughly outline algorithm A: we use the test to search for correct digits (i.e. digits z_n with z_n = a_n). This is done by selecting those digits which satisfy the most equations. In this way we obtain an estimate of the sequence a at the corresponding positions. Under favourable conditions these digits have a high probability of being correct, which means that only a slight modification of our estimate is necessary. This results in a considerably reduced exhaustive search to obtain sufficiently many correct digits, in order to determine the LFSR sequence by solving linear equations.

We can give precise conditions under which this procedure is successful, and determine its computational complexity, which in general is of order $O(2^{ck})$, where c < 1 is a function of t, p and N/k. To illustrate this estimate we mention that for t = 2 taps, N/k = 10^6, and p ≥ 0.6, the number c is smaller than 0.25, and for p > 0.67 Table 1 shows that c is below 0.001. This is a considerable improvement compared to exhaustive search, where c = 1. On the other hand, for large t (t ≥ 16) our estimate shows that c comes very close to H(p), where H(p) denotes the binary entropy function. This proves that algorithm A for large t gives no advantage over (a modified) exhaustive search.

 p \ t     2      4      6      8     10     12     14     16      ∞

 0.51   0.999  1.000  1.000  1.000  1.000  1.000  1.000  1.000  1.000
 0.53   0.976  0.997  0.997  0.997  0.997  0.997  0.997  0.997  0.997
 0.55   0.870  0.992  0.993  0.993  0.993  0.993  0.993  0.993  0.993
 0.57   0.642  0.982  0.986  0.986  0.986  0.986  0.986  0.986  0.986
 0.59   0.362  0.963  0.976  0.976  0.976  0.977  0.977  0.977  0.977
 0.61   0.132  0.926  0.963  0.965  0.965  0.965  0.965  0.965  0.965
 0.63   0.039  0.856  0.945  0.950  0.951  0.951  0.951  0.951  0.951
 0.65   0.007  0.734  0.917  0.932  0.934  0.934  0.934  0.934  0.934
 0.67   0.001  0.555  0.875  0.910  0.914  0.915  0.915  0.915  0.915
 0.69   0.000  0.327  0.805  0.880  0.891  0.893  0.893  0.893  0.893
 0.71   0.000  0.150  0.692  0.836  0.863  0.868  0.868  0.869  0.869
 0.73   0.000  0.043  0.515  0.768  0.825  0.838  0.841  0.841  0.841
 0.75   0.000  0.009  0.311  0.660  0.771  0.800  0.808  0.811  0.811

Table 1: c(p,t,N/k) for N/k = 10^6

In algorithm B we do not search for the most reliable digits. Instead we take into account all digits, together with their probabilities of being correct. A priori, with probability p a digit of z agrees with the corresponding digit of a. Now to each digit z_n of z we assign a new probability p*, which is the probability for z_n = a_n, conditioned on the number of equations satisfied. This procedure can be iterated with the varied new probabilities p* as input to every round. After a few rounds, all those digits of z are complemented whose probability p* is lower than a certain threshold. Under suitable conditions we can expect that the number of incorrect digits decreases. In this case we restart the whole process several times, with the new sequence in place of z, until we end up with the original LFSR sequence a.

To obtain conditions under which algorithm B succeeds, a function F(p,t,N/k) is introduced to measure the correction effect. Thus if F(p,t,N/k) ≤ 0 there is no correction effect and algorithm B will not be able to reproduce the LFSR sequence a. Therefore we get a definite limit to this attack (which is attained for t ≥ 10, if p ≤ 0.75). In the other direction, investigations of F(p,t,N/k) show that for t = 2 or t = 4 taps algorithm B still remains effective for correlation probabilities quite close to 0.5 (cf. Table 2). This implies in particular that an LFSR with two feedback taps is completely breakable if its output shows correlation to a known sequence z. The striking efficiency of algorithm B, as observed in numerous experiments, is explained by the fact that its computational complexity is of order O(k) (i.e. linear in the length k of the LFSR, for fixed t, p and N/k).

For given t and d = N/k, Table 2 shows the value p = p(t,d) with F(p,t,d) = 0. p(t,d) turns out to be the limit probability where algorithm B may still be successful.

 d \ t     2      4      6      8     10     12     14     16     18

        0.584  0.739  0.804  0.841  0.864  0.881  0.894  0.904  0.912
        0.533  0.673  0.750  0.796  0.827  0.849  0.865  0.878  0.890
        0.521  0.648  0.727  0.776  0.809  0.833  0.852  0.866  0.878
        0.514  0.629  0.709  0.760  0.795  0.821  0.841  0.856  0.869
        0.511  0.620  0.699  0.752  0.787  0.815  0.834  0.850  0.863
        0.509  0.612  0.692  0.745  0.782  0.809  0.830  0.846  0.860
        0.508  0.605  0.684  0.738  0.775  0.803  0.825  0.842  0.855
        0.507  0.601  0.680  0.733  0.771  0.800  0.821  0.838  0.852
        0.506  0.597  0.676  0.729  0.768  0.797  0.818  0.836  0.850
        0.505  0.592  0.671  0.725  0.764  0.793  0.815  0.832  0.847

Table 2: p with F(p,t,d) = 0 (one row per value of d)



Algorithms A and B enable attacks on LFSRs of considerable length (e.g. k = 1000 or greater) with a software implementation. However, a comparison shows that algorithm A is preferable if c ≪ 1 and p is near 0.75, whereas algorithm B becomes more efficient for probabilities p near 0.5. (Simulations of algorithm B have proved successful in attacks with p = 0.55 even on a personal computer.)

The methods developed for algorithms A and B allow several generalizations and conclusions. To prevent attacks based on these methods, suitable precautions are necessary. This leads to new design criteria for stream ciphers:

1. Any correlation to an LFSR with less than 10 taps should be avoided.

2. There should be no correlation to a general LFSR of length shorter than 100 (especially when the feedback connection is assumed to be known).

It is remarkable that the importance of the number of LFSR taps for the correlation analysis was not recognized in the cryptologic literature so far.

II. Appendix: Description of the Algorithms

In this appendix we give a brief outline of the algorithms. Proofs and further explanations are contained in [1].

II.1. Algorithm A

Suppose that N digits of the sequence z, the length k of the LFSR with t taps, as well as the correlation probability p are given.

Our method exploits the linear relations of the LFSR sequence a to find correct digits, i.e. digits with z_n = a_n. Linear relations can be described in terms of their feedback polynomials. By iterated squaring of the feedback polynomial, a variety of linear relations is generated for every digit a_n, all of them involving t other digits of a. The average number m of relations obtained in this way can be computed as (cf. [1])

$$m = m(N,k,t) = \log_2\!\left(\frac{N}{2k}\right)(t+1) \qquad (1)$$

The probability p* for z_n = a_n, given that h of m relations are satisfied, is

$$p^* = \frac{p\, s^h (1-s)^{m-h}}{p\, s^h (1-s)^{m-h} + (1-p)(1-s)^h s^{m-h}} \qquad (2)$$

where s = s(p,t) can be computed using the recursion

$$s(p,t) = p\, s(p,t-1) + (1-p)\bigl(1 - s(p,t-1)\bigr), \qquad s(p,1) = p. \qquad (3)$$

Moreover, let Q(p,m,h) denote the probability that a digit z_n satisfies at least h of these m relations (formula (4)); the probability that z_n = a_n and that at least h of m relations are satisfied is

$$R(p,m,h) = \sum_{i=h}^{m} \binom{m}{i}\, p\, s^i (1-s)^{m-i} \qquad (5)$$

Thus the probability for z_n = a_n, given that at least h of m relations are satisfied, is the quotient T(p,m,h) = R(p,m,h)/Q(p,m,h). These formulas show that with increasing m we have more freedom to choose a suitable h such that at the same time the two probabilities Q(p,m,h) and T(p,m,h) will be sufficiently large for an attack. The following examples illustrate these facts.
Example 1: Assume that z has length N = 5000, correlated with probability p = 0.75 to an LFSR of length k = 100 having t = 2 feedback taps. Hence on the average we obtain m = 12 relations to test the digits of z. To determine the optimum number h of relations to be satisfied we generate the following table (third column: Q(p,m,h), the fraction of digits satisfying at least h relations; fourth column: 1 − T(p,m,h), the fraction of wrong digits among those):

 h = # of relations   new prob.   Q(p,m,h)   1 - T(p,m,h)
 satisfied            p*

 12                   0.9993      0.002666   0.000725
 11                   0.9980      0.021890   0.001855
 10                   0.9944      0.085554   0.004618
  9                   0.9847      0.214141   0.011040
  8                   0.9586      0.392461   0.024840
  7                   0.8929      0.576251   0.051090
  6                   0.7500      0.729409   0.092856
  5                   0.5192      0.843183   0.145199
  4                   0.2800      0.922315   0.194519
  3                   0.1228      0.970429   0.228367
  2                   0.0480      0.992595   0.244528
  1                   0.0178      0.999106   0.249335
  0                   0.0065      1.000000   0.250000

Table 3

A digit that satisfies h = m = 12 relations has the highest probability p* = 0.9993 of being correct. But according to Table 3 we can only expect 0.00266 · 5000 ≈ 13 digits to satisfy this condition, which obviously do not determine the phase of the LFSR sequence. However, h ≥ 11 relations are expected to hold for 0.02189 · 5000 ≈ 109 digits, hence a number which is greater than k = 100. Furthermore the entry in the 4th column shows that 0.001855 · 109 = 0.2 < 1 digits among these are expected to be wrong. Thus we can expect to have already found more than k = 100 correct digits. In fact this can be confirmed experimentally.

Example 2: We extend the above example to the situation N = 25000, k = 500, and leave p = 0.75 and t = 2 unaltered. Thus again m = 12, and Table 3 also applies to this case. Hence h ≥ 11 relations hold for 0.02189 · 25000 ≈ 547 > k digits. However, 0.001855 · 547 ≈ 1 digit among these may be wrong. Thus in order to find at least k = 500 correct digits one would have to perform a number of trials of magnitude 500, using the correlation method as referred to in [2].
In the general case the algorithm proceeds as follows.

Algorithm A

Step 1: Determine m according to formula (1).

Step 2: Find the maximum value of h such that Q(p,m,h)·N ≥ k (e.g. by generating a table similar to Table 3). Then the average number r of errors is determined by r = (1 − T(p,m,h))·k.

Step 3: Search for the digits of z satisfying at least h relations and use these digits as a reference guess I_0 of a at the corresponding index positions.

Step 4: Find the correct guess by testing modifications of I_0 having Hamming distance 0, 1, 2, ..., by correlation of the corresponding LFSR sequence with the sequence z.

Under favourable conditions (cf. Example 1, where r ≪ 1) step 4 is not necessary. In general it can be shown that the computational complexity of algorithm A is of order $O(2^{H(\theta)k})$, where θ = r/k and where H(x) denotes the binary entropy function (cf. [1]).

II.2. Algorithm B

Table 3 shows that the conditional probability p* is small if a digit satisfies only a few relations, and hence such a digit tends to be incorrect. Roughly speaking, this observation leads us to the following method of attack: any digit of the sequence z is complemented if it satisfies less than a certain number of relations. Under favourable conditions we can expect that the "corrected" sequence has fewer digits differing from the LFSR sequence a.

An alternative and better approach is to leave the whole sequence unchanged in the first instance and to assign instead the new probability p* to every digit. This allows us to iterate the process with varied new probabilities p* at each round. After a few rounds, the wrong digits tend to have low, and the correct ones tend to have high probability. This gives us a refined criterion to correct the sequence z by complementing the digits which have a probability p* lower than a suitable threshold p_thr. Then we can restart the whole process with the new sequence in place of z, this time assigning the original probability to every digit. The intuitive idea is to repeat the procedure until we end up by reproducing the LFSR sequence a.

To give a more precise description we need some additional formulas for computing probabilities:

a) The probability that a digit z_n satisfies at most h of m relations

$$U(p,m,h) = \sum_{i=0}^{h} \binom{m}{i}\left(p\, s^i (1-s)^{m-i} + (1-p)(1-s)^i s^{m-i}\right)$$

b) The probability that z_n = a_n and that at most h of m relations are satisfied

c) The probability that z_n ≠ a_n and that at most h of m relations are satisfied

With regard to the described method to correct digits if they satisfy at most h relations, these formulas enable us to compute the total number of digits of z changed, the number of erroneously changed digits, and the number of correctly changed digits. Thus the increase of correct digits is the difference of the values in (11) and (10), and the relative increase is I(p,m,h).

Next we determine the value h = h_max such that I(p,m,h) is maximum for given p and m. To this purpose we generate a table as illustrated in the following example:

Example 3: As in Example 1 let N = 5000, p = 0.75, t = 2 and k = 100. Then m = 12 and we obtain the table

 h = # of relations   new prob.   U(p,m,h)   I(p,m,h)
 satisfied            p*

  0                   0.0065      0.000894    0.000882
  1                   0.0178      0.007405    0.007161
  2                   0.0480      0.029571    0.027201
  3                   0.1228      0.077685    0.063500
  4                   0.2800      0.156817    0.098325
  5                   0.5192      0.270591    0.093949
  6                   0.7500      0.423749    0.017370
  7                   0.8929      0.607539   -0.127036
  8                   0.9586      0.785859   -0.290587
  9                   0.9847      0.914446   -0.415237
 10                   0.9944      0.978110   -0.478191
 11                   0.9980      0.997334   -0.497337
 12                   0.9993      1.000000   -0.500000

Thus we see that I(p,m,h) is maximum for h_max = 4 relations. Under these conditions 1250 digits are expected to be wrong. Carrying out the correction with respect to 4 relations, 0.1568 · 5000 = 784 digits are complemented. According to the fourth column, the number of wrong digits decreases by 0.0983 · 5000 = 492, from 1250 to 758 digits.
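The entries of Table 3 and of the table in Example 3 follow directly from formulas (2), (3), (5) and (a). The Python below is an added example, not code from the paper: it evaluates s(p,t), p*, Q, T, U and I for given p, t and m (m is passed in rather than computed, since (1) is an average; m = 12 as in Examples 1 to 3), locates h_max for algorithm B and the largest h with Q·N ≥ k for step 2 of algorithm A. Q is computed as the sum over i ≥ h of the two terms that appear in (a), so that Q(h) = 1 − U(h−1); the function names are assumptions of this example.

```python
# Added example (not from the paper): the probabilities behind Table 3 and Example 3.
from math import comb


def s_prob(p, t):
    """s(p,t) by recursion (3): Prob(XOR of t digits of z equals XOR of the same digits of a)."""
    s = p
    for _ in range(t - 1):
        s = p * s + (1 - p) * (1 - s)
    return s


def term_correct(p, s, m, i):
    """Prob(z_n = a_n and exactly i of m relations hold)."""
    return comb(m, i) * p * s ** i * (1 - s) ** (m - i)


def term_wrong(p, s, m, i):
    """Prob(z_n != a_n and exactly i of m relations hold)."""
    return comb(m, i) * (1 - p) * (1 - s) ** i * s ** (m - i)


def p_star(p, s, m, h):
    """Formula (2): Prob(z_n = a_n | exactly h of m relations hold)."""
    c, w = term_correct(p, s, m, h), term_wrong(p, s, m, h)
    return c / (c + w)


def Q(p, s, m, h):
    """Prob(at least h of m relations hold); complement form of (a)."""
    return sum(term_correct(p, s, m, i) + term_wrong(p, s, m, i) for i in range(h, m + 1))


def R(p, s, m, h):
    """Formula (5): Prob(z_n = a_n and at least h of m relations hold)."""
    return sum(term_correct(p, s, m, i) for i in range(h, m + 1))


def T(p, s, m, h):
    """T = R / Q: Prob(z_n = a_n | at least h relations hold)."""
    return R(p, s, m, h) / Q(p, s, m, h)


def U(p, s, m, h):
    """Formula (a): Prob(at most h of m relations hold)."""
    return sum(term_correct(p, s, m, i) + term_wrong(p, s, m, i) for i in range(h + 1))


def I(p, s, m, h):
    """Relative increase of correct digits when every digit with at most h satisfied
    relations is complemented: (wrong digits flipped) - (correct digits flipped)."""
    return sum(term_wrong(p, s, m, i) - term_correct(p, s, m, i) for i in range(h + 1))


def h_max(p, s, m):
    """Step 2 of algorithm B: the h maximising I(p,m,h)."""
    return max(range(m + 1), key=lambda h: I(p, s, m, h))


def algorithm_a_h(p, s, m, N, k):
    """Step 2 of algorithm A: the largest h with Q*N >= k, and the expected number r of errors."""
    h = max(h for h in range(m + 1) if Q(p, s, m, h) * N >= k)
    return h, (1 - T(p, s, m, h)) * k


def table(p, t, m):
    """Rows (h, p*, Q, 1-T, U, I) for h = m down to 0, as in Table 3 and Example 3."""
    s = s_prob(p, t)
    return [(h, p_star(p, s, m, h), Q(p, s, m, h), 1 - T(p, s, m, h), U(p, s, m, h), I(p, s, m, h))
            for h in range(m, -1, -1)]


if __name__ == "__main__":
    for h, ps, q, one_minus_t, u, gain in table(0.75, 2, 12):
        print(f"{h:2d}  {ps:.4f}  {q:.6f}  {one_minus_t:.6f}  {u:.6f}  {gain:+.6f}")
    print("h_max =", h_max(0.75, s_prob(0.75, 2), 12))
```

The two algorithms read the same table from opposite ends: algorithm A keeps the digits at the top (large h, 1 − T tiny) as trusted anchors, algorithm B complements the digits at the bottom where I(p,m,h) is still positive.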

For our (alternative) refined method as described above, taking p* into account, we need an appropriate probability threshold. An optimum correction effect is obtained with the choice of p_thr given by (13). After the first round the expected number of digits with p* below p_thr is N_thr, given by (14).

Basically, the whole attack will alternate between two phases:

I. A computation phase assigning the new probability p* to every digit of z.

II. A correction phase complementing those digits with p* below p_thr and resetting the probability of each digit to the original value p.

Phase I can be iterated. To this purpose, formula (3) for s(p,t) has to be generalized to the situation where each of the t digits may have different probabilities p_1, p_2, ..., p_t (formula (15)). This generalization carries over to all other formulas, in particular to formula (2) for p*.

It is natural to iterate phase I until there are enough digits with p* below p_thr. However, after a few iterations a strong polarization can be observed between digits having probability p* either very close to 0 or very close to 1. Apart from a few digits, this polarization tends to become stable, which means that we needn't iterate phase I any longer. This gives us another criterion to terminate phase I after a limited number a of iterations. (In many cases a = 5 is a suitable choice.) Based on these ideas we are now prepared to formulate algorithm B.
Based on these ideas we are now prepared to formulate algorithm B.

Algorithm B

Step 1: Determine m according to formula (1).

Step 2: Find the value of h = h_max such that I(p,m,h) is maximum. If I_max = I(p,m,h_max) ≤ 0 there will be no correction effect in phase I, which means that the attack fails. If I_max > 0 compute p_thr and N_thr according to (13) and (14), else terminate.

Step 3: Initialize the iteration counter i = 0.

Step 4: For every digit of z compute the new probability p* (cf. (2) and (15)) with respect to the individual number of relations satisfied (phase I). Determine the number N_w of digits with p* < p_thr.

Step 5: If N_w < N_thr and i < a, increment i and go to step 4.

Step 6: Complement those digits of z with p* < p_thr and reset the probability of each digit to the original value p (phase II).

Step 7: If there are digits of z not satisfying the basic feedback relation go to step 3.

Step 8: Terminate with a = z.
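To see the eight steps operate end to end, here is an added example in Python; the authors' own implementation is not given in the paper. It builds a constructed instance: an LFSR with feedback polynomial x^31 + x^3 + 1 (k = 31, t = 2), N = 3100 output digits perturbed by a memoryless noise source with Prob(0) = p = 0.75, and the relations obtained by squaring the feedback polynomial while 2^j k ≤ N/2. Phase I uses (2) with the per-digit generalization of (3). Since (13), (14) and (15)'s closed forms are not reproduced above, the example assumes p_thr = 0.5, a fixed a = 3 phase-I iterations per round in place of the N_w ≥ N_thr test, and clamps probabilities away from 0 and 1 for numerical safety. Polynomial, sizes, seed and all function names are assumptions of this example.

```python
# Added example (not the authors' code): algorithm B on a constructed noisy LFSR sequence.
import random


def lfsr(taps, state, n_digits):
    """a_i = a_{i-c_1} ^ ... ^ a_{i-c_t} for taps (c_1, ..., c_t) with c_t = k; state = first k digits."""
    a = list(state)
    for i in range(len(state), n_digits):
        a.append(sum(a[i - c] for c in taps) & 1)
    return a


def relations(taps, n_digits):
    """rels[n] = the t other positions of every linear relation containing position n, from
    g(x), g(x^2), g(x^4), ... while 2^j * k <= N/2 (assumed cut-off)."""
    k = max(taps)
    rels = [[] for _ in range(n_digits)]
    j = 0
    while (k << j) <= n_digits // 2:
        offs = [0] + [c << j for c in taps]        # exponents of g(x^(2^j)): a_i = XOR of a_{i-o}
        for n in range(n_digits):
            for centre in offs:                    # let a_n play the role of a_{i-centre}
                others = [n + centre - o for o in offs if o != centre]
                if all(0 <= q < n_digits for q in others):
                    rels[n].append(tuple(others))
        j += 1
    return rels


def new_probabilities(z, probs, rels, eps=1e-12):
    """Phase I: p* for every digit by formula (2), with s from the per-digit form of (3)."""
    out = []
    for n, pn in enumerate(probs):
        num, den = pn, 1.0 - pn
        for others in rels[n]:
            s = 1.0                                # Prob(XOR of the other digits of z is right)
            for q in others:
                s = probs[q] * s + (1.0 - probs[q]) * (1.0 - s)
            holds = ((z[n] ^ sum(z[q] for q in others)) & 1) == 0
            num, den = (num * s, den * (1.0 - s)) if holds else (num * (1.0 - s), den * s)
        out.append(min(max(num / (num + den), eps), 1.0 - eps))
    return out


def consistent(seq, taps):
    """Step 7: does every digit satisfy the basic feedback relation?"""
    k = max(taps)
    return all(((seq[i] ^ sum(seq[i - c] for c in taps)) & 1) == 0 for i in range(k, len(seq)))


def algorithm_b(z, taps, p, p_thr=0.5, a_iter=3, max_rounds=60):
    """Returns (corrected sequence, number of correction rounds); rounds is None on failure."""
    z = list(z)
    rels = relations(taps, len(z))
    for rnd in range(max_rounds + 1):
        if consistent(z, taps):
            return z, rnd
        probs = [p] * len(z)                       # phase II resets every digit to p
        for _ in range(a_iter):                    # phase I, iterated a times
            probs = new_probabilities(z, probs, rels)
        z = [zn ^ (pr < p_thr) for zn, pr in zip(z, probs)]   # complement unreliable digits
    return z, None


def demo(seed=7, taps=(3, 31), n_digits=3100, p=0.75):
    """Constructed instance: x^31 + x^3 + 1, N = 3100, p = 0.75."""
    rng = random.Random(seed)
    state = [rng.randrange(2) for _ in range(max(taps))]
    state[0] = 1                                   # never the all-zero state
    a = lfsr(taps, state, n_digits)
    z = [ai ^ (rng.random() >= p) for ai in a]     # z_i = a_i with probability p
    est, rounds = algorithm_b(z, taps, p)
    return {"errors_before": sum(x != y for x, y in zip(a, z)),
            "errors_after": sum(x != y for x, y in zip(a, est)),
            "rounds": rounds, "recovered": est == a}


if __name__ == "__main__":
    print(demo())
```

Step 7's test, that every digit satisfies the basic feedback relation, is the only stopping condition; a run that exhausts max_rounds returns None for the round count, which is how a parameter set with F(p,t,N/k) ≤ 0 shows up in practice. No linear algebra is needed at any point, which is why the cost stays linear in k.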

Under conditions for which algorithm B succeeds, its computational complexity is of order O(k), i.e. linear in the length k of the LFSR. To obtain such conditions a function F(p,t,N/k) is introduced in [1] to measure the correction effect (F(p,t,N/k) = I(p,m,h_max)·(N/k); for details we refer to [1]). If F(p,t,N/k) ≤ 0 algorithm B definitely fails.

We conclude with a simulation of algorithm B.

Example 4: We consider the following situation: N = 20,000, k = 200, t = 4 and p = 0.60. Then N/k = 100 and F(p,t,N/k) turns out to be 0.615. The parameters of algorithm B can be computed as p_thr = 0.481, N_thr = 1154. Thus 1154 digits are expected to be changed in the first iteration, resulting in a decrease of wrong digits by 0.615 · 200 = 123. The following table shows the intermediate results after each step. The terms round and iteration refer to the outer loop and the inner loop, respectively. The entry in the third column always indicates the decrease of wrong digits if phase II had been applied.
                  # of digits     # of wrong digits   decrease of    # of wrong digits
                  with p* < p_thr with p* < p_thr     wrong digits   after phase II

round 1
  iteration 1        1784             998                212           7998
  phase II              0               0                  0           7786

round 2
  iteration 1         264             151                 38           7786
  iteration 2        1354             838                322           7786
  phase II              0               0                  0           7464

round 3
  iteration 1         133              80                 27           7464
  iteration 2         880             601                322           7464
  iteration 3        2364            1537                710           7464
  phase II              0               0                  0           6754

round 4
  iteration 1          62              44                 26           6754
  iteration 2         623             474                325           6754
  iteration 3        1693            1244                795           6754
  phase II              0               0                  0           5959

round 5
  iteration 1          26              26                 26           5959
  iteration 2         515             443                371           5959
  iteration 3        1499            1223                947           5959
  phase II              0               0                  0           5012

round 6
  iteration 1          36              28                 20           5012
  iteration 2         617             550                483           5012
  iteration 3        1594            1383               1172           5012
  phase II              0               0                  0           3840

round 7
  iteration 1          52              50                 48           3840
  iteration 2         675             619                563           3840
  iteration 3        1578            1425               1272           3840
  phase II              0               0                  0           2568

round 8
  iteration 1          73              72                 71           2568
  iteration 2         650             604                558           2568
  iteration 3        1317            1231               1145           2568
  phase II              0               0                  0           1423

round 9
  iteration 1          66              66                 66           1423
  iteration 2         509             498                487           1423
  iteration 3         921             905                889           1423
  iteration 4        1002             984                966           1423
  iteration 5        1039            1022               1005           1423
  phase II              0               0                  0            418

round 10
  iteration 1          32              32                 32            418
  iteration 2         183             183                183            418
  iteration 3         289             287                285            418
  iteration 4         306             305                304            418
  iteration 5         314             313                312            418
  phase II              0               0                  0            106

round 11
  iteration 1           4               4                  4            106
  iteration 2          62              62                 62            106
  iteration 3          96              96                 96            106
  iteration 4         106             106                106            106
  phase II              0               0                  0              0

Rounds 1 to 8 are terminated by N_w ≥ N_thr, and rounds 9 to 10 by the criterion i = a (a = 5). Observe that iterations 4 and 5 in rounds 9 and 10 have only a small correction effect. This justifies the termination of a round after a certain number of iterations. It also shows that a = 3 would have been a suitable choice as well. Finally round 11 is terminated since the corrected sequence after iteration 4 satisfies the basic feedback relation. Thus we have reconstructed the original LFSR sequence after 35 iterations in total.

References:

[1] W. Meier and O. Staffelbach, "Fast correlation attack on stream ciphers", full paper, to appear.
[2] T. Siegenthaler, "Decrypting a class of stream ciphers using ciphertext only", IEEE Trans. Comput., vol. C-34, pp. 81-85, Jan. 1985.
A New Class of Nonlinear Functions for
Running-key Generators
(Extended Abstract)

Shu Tezuka

ATR Communication Systems Research Laboratory


Twin 21 MID Tower, 2-1-61 Shiromi
Higashi-ku, Osaka 540, Japan

ABSTRACT

A systematic approach to the design of running-key generators in stream cipher systems is proposed using a new class of nonlinear functions based on integer arithmetic operations. This approach is applicable to both feedforward- and feedback-type running-key generators. Most practical nonlinear functions that use only one addition and one multiplication are fully analyzed. Cryptographic properties, such as 0-1 balance, linear complexity, and correlation, of the key-sequence generated by this scheme are examined, and several important criteria for determining the parameters of such generators are derived. This approach will prove valuable in designing running-key generators.

I. INTRODUCTION

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 317-324, 1988.
© Springer-Verlag Berlin Heidelberg 1988

Most common running-key generators in stream cipher systems are based on a combination of shift registers and several nonlinear Boolean functions [1, 3]. According to the method of combination, the generators are mainly divided into two categories: one is of the feedback type and the other, feedforward. The first type of generator is an n-stage shift register together with a feedback loop which computes the next term for the first stage of the shift register based on a nonlinear Boolean function using the previous n terms. The latter consists of n driving linear feedback shift registers and a nonlinear Boolean function that operates on the n output sequences to generate a key sequence [8, 10].
Golomb conducted a comprehensive study on the characteristics of feedback-type generators, particularly the distribution of cycle lengths, from both theoretical and empirical viewpoints. On the other hand, several authors are continuing their efforts in analyzing the sequences produced by feedforward-type generators. In either case, however, few systematic methods for synthesizing nonlinear functions can be found.
In this paper, a new nonlinear function design approach for running-key generators is proposed on the basis of integer arithmetic operations such as addition and multiplication. This approach is used for both types of generators, feedback and feedforward. The paper is organized as follows. In Section 2, we overview the theory of nonlinear functions for running-key generators in stream cipher systems. In Section 3, a new class of nonlinear functions based on integer arithmetic operations is introduced and some fundamental properties are derived. Section 4, using the most practical generators, which require only one addition and one multiplication, continues the analysis of cryptographic strength, such as 0-1 balance, linear complexity, and correlation. Section 5 describes some examples of running-key generators based on this scheme. The last section summarizes the advantages of this approach and discusses further research topics.

II. Overview of Nonlinear Functions


A nonlinear Boolean function F(x_1, ..., x_n) is represented in the following
general form (the so-called algebraic normal form) [8]:

where a_0, a_i, a_ij, ... are in GF(2), the Galois field with two elements.
In particular, if F(x_1, ..., x_n) has the following form:

it is of great importance.

Golomb [3] obtained important results concerning the characteristics
of binary sequences generated by this type of feedback shift register.
Some of the major results are described as follows:

Theorem A. In the case of the feedback type, the nonlinear function
has the form of (1) if and only if the cycle of the key-sequence generated
has no branch points.

Theorem B. In the feedback type, the truth table of F_1(x_2, ..., x_n) has
an odd/even number of 1's if and only if the generator yields an odd/even
number of cycles.

The following two theorems are applicable to the feedforward-type
generators [5, 10].

Theorem C. In the feedforward type, where an M-sequence generator is
equipped with a nonlinear function, if the function has the form of (1),
then the key-sequence will be 0-1 balanced.

Theorem D. In the feedforward type, the linear complexity L of the key
sequence produced by the function of nonlinear order d operating on the
contents of an n-stage M-sequence generator is bounded by

Moreover, when the function F_1(x_2, ..., x_n) of (1) has a balanced truth
table, there are two additional theorems that must be considered [3, 9].

Theorem E. In the feedback type, the function F_1(x_2, ..., x_n) has a bal-
anced truth table if and only if the autocorrelation with delay n of the
key-sequence converges to zero as the cycle length approaches 2^n.

Theorem F. In the feedforward type, the function F_1(x_2, ..., x_n) has
a balanced truth table if and only if the probability P(z = x_i) = 1/2 for
i = 1, 2, ..., n, where z is the output of the nonlinear function F(x_1, ..., x_n),
provided that x_1, ..., x_n are independent and identically distributed bal-
anced binary variables.

From the above results we can see that the form (1) of F(x_1, ..., x_n)
is very significant for both feedback- and feedforward-type gen-
erators. Therefore, we will concentrate on this type of nonlinear function
in this paper.

III. A New Class of Nonlinear Functions

Define f as a mapping f : I_n → I_n, where I_n = {0, 1, ..., 2^n - 1}, and
f_m(x) = f(x) (mod 2^m), x ∈ I_m, m = 1, ..., n. Consider the set of mappings
satisfying the following two conditions for all m, m = 1, 2, ..., n:
1. f_m(x) is bijective on I_m = {0, 1, ..., 2^m - 1}, and
2. f_m(x) = f_m(x (mod 2^m)) for any x ∈ I_n.
Note that f(x) = f_n(x). Denote the set by Γ_n. The next theorem is
fundamental.

Theorem 1. Γ_n is a group with respect to the composition of mappings.


The following theorems are important when we apply this set of mappings
to the design of stream cipher systems.

Theorem 2. If f ∈ Γ_n, then the most significant bit z of f(x), x ∈ I_n,
is given in GF(2) as follows:

where x_i is the i-th bit of an integer x.

Theorem 3. The following sets of mappings are subsets of Γ_n as
defined above.
(1) f(x) = ax + b (mod 2^n), where a is odd and b is any integer.
(2) f(x) is a polynomial with integer coefficients modulo 2^n such that
f'(x) ≠ 0 (mod 2) for any x ∈ I_n, and f(0) ≠ f(1) (mod 2).
(3) f(x) = [b^{x+a}/4] (mod 2^n), where b ≡ 5 (mod 8), a is any integer, and
[x] is the integer part of x.
(4) f(x) = [(b^{x+a} + 1)/4] (mod 2^n), where b ≡ 3 (mod 8), and a is any
integer.
(5) All the inverse mappings of the above ones form a subset of Γ_n.

Example. If f(x) = x + 1 (mod 2^n), then the most significant bit z of
f(x) is given in GF(2) as

where x_i is the i-th leading bit of an integer x.

The above theorems mean that any mapping f ∈ Γ_n can be ex-
ploited as a nonlinear function for running-key generators in stream ci-
pher systems. In the following sections, f(x) is said to be of order d if
the nonlinear order of F_1(x_2, ..., x_n) is d.

IV. Analysis of the Mapping f(x) = ax + b (mod 2^n)

The mapping f(x) = ax + b (mod 2^n), which we refer to hereafter
as an affine mapping, is of great importance from a practical viewpoint.
It requires only one addition and one multiplication, thereby making the
implementation much easier and speeding up the generation of the key-
sequences. Another merit is theoretical, due to the fact that the linearity
in the integer arithmetic sense makes the analysis of the key-sequence
characteristics easier. First, we obtain the theorem that deals with the
total number of distinct truth tables provided by affine mappings.

Theorem 4. Let f_1(x), f_2(x) be two affine mappings. For all x ∈ I_n,

f_1(x) + f_2(x) = 2^{n-1} - 1 (mod 2^n)

if and only if the truth table associated with f_1(x) is identical with that
of f_2(x).
The following corollary is easily obtained.

Corollary 1. The total number of distinct truth tables provided by
affine mappings is given as 2^{2n-2}.

The next theorem is important since it holds not only for affine
mappings but also for any mapping in Γ_n.

Theorem 5. The number of 1's in the truth table of F_1(x_2, ..., x_n) is
given as follows:

2^{n-1} - S_n(f),

where S_n(f) denotes the number of points (x, f(x)) in the range 0 ≤
x, f(x) < 2^{n-1}.

The value of S_n(f) can be calculated by exploiting the exponential sum,
which plays a crucial role in calculating the discrepancy in the field of
numerical integration [4, 6, 7].

Theorem 6. The truth table of F_1(x_2, ..., x_n) is balanced if and only if

$$\sum_{k=1}^{2^{n-2}} \frac{t_k^{a-b} + t_k^{b+1}}{(t_k^{a} - 1)(t_k - 1)} = 0,$$

where t_k = ω^{2k-1} and ω is a primitive 2^n-th root of unity.

The next corollary is useful for the practical design of nonlinear functions.

Corollary 2. F_1(x_2, ..., x_n) has a balanced truth table if

a - 2b - 1 = 2^{n-1} (mod 2^n),

where a is odd and b is any integer with 0 ≤ a, b < 2^n.
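A worked check of Theorems 5 and 6 and Corollary 2 for the affine mapping f(x) = ax + b (mod 2^n), written as an added example for this page (it is not the paper's code): it tests the two Γ_n conditions of Section III, reads the truth table of F_1 off the most significant bit of f(x), compares the count of 1's with 2^{n-1} - S_n(f), and evaluates the exponential sum of Theorem 6 numerically; the sample values of a, b and n are constructed here.

```python
import cmath

def in_gamma_n(f, n):
    """Section III conditions: for every m = 1..n, f_m(x) = f(x) mod 2^m is bijective on
    I_m = {0, ..., 2^m - 1} and depends only on x mod 2^m."""
    for m in range(1, n + 1):
        mod = 2 ** m
        if sorted(f(x) % mod for x in range(mod)) != list(range(mod)):
            return False
        if any(f(x) % mod != f(x % mod) % mod for x in range(2 ** n)):
            return False
    return True

def msb_table(f, n):
    """F(x_1, ..., x_n) = most significant bit of f(x) mod 2^n for x = 0 .. 2^n - 1
    (x_1 is the leading bit of x)."""
    return [(f(x) % 2 ** n) >> (n - 1) for x in range(2 ** n)]

def has_form_1(f, n):
    """Form (1), F = x_1 + F_1(x_2, ..., x_n): flipping x_1 must always flip F."""
    tab = msb_table(f, n)
    half = 2 ** (n - 1)
    return all(tab[x] != tab[x + half] for x in range(half))

def f1_table(f, n):
    """Truth table of F_1(x_2, ..., x_n): read F with x_1 = 0, i.e. x < 2^(n-1)."""
    return msb_table(f, n)[: 2 ** (n - 1)]

def s_n(f, n):
    """S_n(f) of Theorem 5: number of x with 0 <= x, f(x) < 2^(n-1)."""
    half = 2 ** (n - 1)
    return sum(1 for x in range(half) if f(x) % 2 ** n < half)

def ones_in_f1(f, n):
    """Number of 1's in the truth table of F_1; Theorem 5 says 2^(n-1) - S_n(f)."""
    return sum(f1_table(f, n))

def theorem6_sum(a, b, n):
    """The sum of Theorem 6 for f(x) = ax + b mod 2^n, with t_k = w^(2k-1),
    w = exp(2 pi i / 2^n), k = 1 .. 2^(n-2).  F_1 is balanced iff it vanishes."""
    w = cmath.exp(2j * cmath.pi / 2 ** n)
    total = 0
    for k in range(1, 2 ** (n - 2) + 1):
        t = w ** (2 * k - 1)
        total += (t ** (a - b) + t ** (b + 1)) / ((t ** a - 1) * (t - 1))
    return total

def corollary2(a, b, n):
    """Sufficient condition of Corollary 2: a odd and a - 2b - 1 = 2^(n-1) (mod 2^n)."""
    return a % 2 == 1 and (a - 2 * b - 1) % 2 ** n == 2 ** (n - 1)

if __name__ == "__main__":
    n = 4   # constructed sample: n = 4, several (a, b) pairs
    for a, b in [(1, 1), (1, 4), (3, 5), (7, 2)]:
        f = lambda x, a=a, b=b: a * x + b
        print(a, b, ones_in_f1(f, n), 2 ** (n - 1) - s_n(f, n),
              corollary2(a, b, n), abs(theorem6_sum(a, b, n)) < 1e-9)
```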


As shown in Theorems C and D, the order of nonlinearity is highly
associated with the linear complexity of the sequence produced by the
feedforward-type generator. As for the feedback-type generator, it is
known that the nonlinear order is equal to n - 1 if the key-sequence is a de
Bruijn sequence [2]. The following theorems deal with this property for
affine mappings.

Theorem 7. The nonlinear order of F_1(x_2, ..., x_n) is equal to n - 1 if
a = 2^s + 1, s > 1, b odd, or if a = 3, b even.

This theorem can be generalized to the case of any mapping in Γ_n in the
following way.

Theorem 8. Let f(x) = g(h(x)) (mod 2^n) for any two mappings g(x), h(x)
in Γ_n. Then the nonlinear order of f(x) is equal to n - 1 if and only
if one of the two mappings is of order n - 1 and the other is of order less
than n - 1.

V. Discussions

DES (Data Encryption Standard) can be regarded as a nonlinear
function when used in the output-feedback or cipher-feedback modes.
This cipher scheme, as well as classical ones, consists of two basic ele-
ments: permutation and substitution. In this paper, however, we have
proposed a new approach to building nonlinear functions by using inte-
ger arithmetic operations such as addition and multiplication. This approach
has the following advantages:
1. It makes theoretical analysis of the cryptographic strength of the
generated key-sequence easier.
2. It makes the implementation of the system easier and cheaper be-
cause integer arithmetic units are accessible or available
in both software and hardware.
3. It provides a wide variety of choices of nonlinear function when design-
ing a stream cipher system.

Future major research topics will be to analyze the characteristics of
other mappings such as those in sets (2) through (5) in Theorem 3, and
to determine the order of Γ_n as well as the total number of distinct truth
tables provided by Γ_n for any n.

REFERENCES

[1] H. Beker and F. Piper, Cipher Systems: The Protection of Communications, Wiley Interscience, New York, 1982.
[2] H. Fredricksen, A Survey of Full Length Nonlinear Shift Register Cycle Algorithms, SIAM Review, Vol. 24, pp. 195-221 (1982).
[3] S. W. Golomb, Shift Register Sequences, Holden-Day, San Francisco, Calif., 1967.
[4] G. H. Hardy and E. M. Wright, An Introduction to the Theory of Numbers, 5th ed., Oxford University Press, Oxford, 1983.
[5] E. L. Key, An Analysis of the Structure and Complexity of Nonlinear Binary Sequence Generators, IEEE Transactions on Information Theory, Vol. IT-22, pp. 732-736 (1976).
[6] D. E. Knuth, The Art of Computer Programming: Vol. 2, Seminumerical Algorithms, 2nd ed., Addison-Wesley, 1981.
[7] H. Niederreiter, Quasi-Monte Carlo Methods and Pseudorandom Numbers, Bull. Amer. Math. Soc., Vol. 84, pp. 957-1041 (1978).
[8] R. A. Rueppel, Analysis and Design of Stream Ciphers, Springer-Verlag, Berlin, 1986.
[9] T. Siegenthaler, Decrypting a Class of Stream Ciphers Using Ciphertexts Only, IEEE Transactions on Computers, Vol. C-34, pp. 81-85 (1985).
[10] M. K. Simon, J. K. Omura, R. A. Scholtz, and B. K. Levitt, Spread Spectrum Communications, Vol. I, Computer Science Press, Maryland, 1985.
Windmill Generators
A generalization and an observation
of how many there are

B.J.M. Smeets 1), W.G. Chambers 2)

1) Dept of Inform. Theory
University of Lund
Box 118, S-222 46, Lund, Sweden

2) Dept of Electronic and Electrical Engineering
King's College London
Strand, London, WC2R 2LS, United Kingdom

ABSTRACT
The windmill technique has several practical advantages over other techniques
for high-speed generation or blockwise generation of pn-sequences. In this paper
we generalize previous results by showing that if f(t) = α(t^v) - β(t^{-v}) t^L is the
minimal polynomial of a pn-sequence, then the sequence can be generated by a
windmill generator. For L = 1, ..., 127, and v = 4, 8, 16 such that L ≡ ±3 mod 8,
no irreducible polynomials f(t) were found. When L ≡ ±1 mod 8 the number of
primitive f(t)'s was found to be approximately twice the expected number.

I INTRODUCTION
In various crypto systems m-sequence generators are used as building blocks in
more complex systems. In such systems, like the EBU proposal [1] for the en-
cryption of TV pictures, the m-sequence generators are used to generate blocks of
(pseudo-)random symbols. A straightforward method to generate blocks of v, say,
symbols is to operate the m-sequence generator at v times the rate at which the
blocks are needed. This method, for instance, is used in the above mentioned EBU
proposal. Other methods which do not require this rate increase were described,
for instance, in [2], [3], [4], and [5]. The windmill technique is one such method.
It offers several practical advantages over all the other methods.

- No initialization problems as found in the type of generators discussed in [2].
- The generator can produce all the distinct phases of s when s is a maximal-
length sequence (m-sequence), unlike the example in [4].
- The generators exhibit a structural parallelism which is useful in VLSI real-
izations.
- The construction of the generator is easily derived from the feedback poly-
nomial f(t) that corresponds with the generated sequence s. This makes it
simple to alter the generator to let it produce a sequence s associated with
another feedback polynomial.

Part of this work was supported by the National Swedish Board for Technical Development under grant 863759 at
the University of Lund.

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 325-330, 1988.
© Springer-Verlag Berlin Heidelberg 1988

The latter fact is very useful for cryptographic purposes because it makes it
easy to use the generating polynomial as part of the key information.
In this extended abstract we describe a generalization of the windmill tech-
nique for generating m-sequences. The windmill structure is more general than the
ones discussed in [3] and [5]. We state a new result that generalizes Theorem 7.4 in
[5] and that gives the sufficient and necessary conditions for a feedback polynomial
to be a primitive windmill polynomial. With this result it becomes easy to devise
a straightforward search for all the primitive windmill polynomials.
Furthermore, we investigate the number of distinct windmill generators that
can generate m-sequences of period 2^L - 1 in blocks of size v = 4, 8 and 16.
When L ≡ ±3 mod 8 there are no irreducible windmill polynomials for L = 7, ..., 127.
When L ≡ ±1 mod 8 the number of primitive windmill polynomials was found to
be approximately twice the expected number, which is 2F(L)/L, where F(L) =
φ(2^L - 1). If the number of primitive windmill polynomials is small, then the
possibility of easily changing the feedback polynomial of the generated sequence has
not much value for cryptographic applications. Hence, the latter result, combined
with the simple mechanism to change the generating (windmill) polynomial in a
windmill generator, shows that it is realistic to use the windmill polynomials as
part of the key information.

II THE WINDMILL CONFIGURATION

A windmill consists of a cyclic cascade connection of v, v ≥ 1, linear feedback shift
registers as shown in Figure 1. Each shift register together with its linear feedback
polynomial and a linear feedforward network is called a vane of the windmill.
The k-th vane has feedback, respectively feedforward, connection described by the
polynomial α(t) = 1 - Σ_{j=1}^{m} α_j t^j, respectively the polynomial γ_k(t) = t^{ℓ(k)} β(t^{-1}),
where β(t^{-1}) = Σ_{j=0}^{n} β_j t^{-j} (for convenience we say that deg β(t^{-1}) = n) and ℓ(k)
denotes the number of shift register stages of the vane. Evidently ℓ(k) ≥ max(m, n).
Each vane has identical α(t) and β(t^{-1}). The contents of the first stage of each vane
is used to form a v-tuple. The manner in which the v symbols are combined to form
the final v-tuple is governed by a permutation σ. The output sequence z is the sequence

Figure 1: A [α(t), β(t^{-1}), ℓ, v, σ] windmill with v vanes.

The whole generator is conveniently referred to as a [α(t), β(t^{-1}), ℓ, v, σ] windmill,
where

ℓ = (ℓ(0), ..., ℓ(v - 1)).


For each vane k, k = 0, 1, ..., v - 1, and i ∈ N we have the initial state x_0^k,
x_{-1}^k, ..., x_{-ℓ(k)+1}^k and the recurrence relation (the vane index k - 1 is taken modulo v)

$$x^k_{i+1} = \sum_{j=1}^{m} \alpha_j x^k_{i+1-j} + \sum_{j=0}^{n} \beta_j x^{k-1}_{i+j-\ell(k-1)+1}.$$

Let X^k = X^k(t) be the generating function of the sequence (x_i^k), i.e.

$$X^k = X^k(t) = \sum_{i=0}^{\infty} x_i^k t^i.$$

The blocks of length v are consecutive blocks from a sequence z which is given
by the expression

$$z(t) = \sum_{k=0}^{v-1} t^{\sigma(k)} X^k(t^v). \qquad (2)$$

In general the sequence corresponding to z(t) is an interleaving of v sequences
each generated by LFSRs with feedback polynomial φ(t) = (α(t))^v - t^L (β(t^{-1}))^v,
so that z(t) may be expressed as a rational form with a denominator φ(t^v) of
degree Lv, c.f. [5]. However, under the conditions stated in the next theorem the
rational form simplifies considerably.

Theorem Let L, v be integers such that 1 ≤ v < L and let L and v be relatively
prime. Furthermore, let α(t), respectively β(t^{-1}), be two polynomials over GF(q)
of positive degree m < L/v and n < L/v respectively, such that α(0) = 1 and
β(0) ≠ 0. Suppose f(t) = α(t^v) - β(t^{-v}) t^L is a primitive feedback polynomial
over GF(q). Then there exist a permutation σ of the numbers 0, 1, ..., v - 1,
and a set ℓ of length parameters given by

σ(k) = Lk + c (mod v),
ℓ(k) = (σ(k) - σ(k + 1) + L)/v,

for c, k = 0, 1, ..., v - 1 and c fixed, such that the windmill [α(t), β(t^{-1}), ℓ, v, σ]
generates the m-sequence z with generating function

where P_k is defined by

$$P_k = P_k(t) = x_0^k + \sum_{j=1}^{m} \sum_{i=1}^{j-1} \alpha_j x^k_{i-j} t^i + \sum_{j=0}^{n} \sum_{i=-\ell(k-1)+1}^{-j-1} \beta_j x^{k-1}_{i+j} t^{i+\ell(k-1)}.$$

Before we look at the number of f(t)'s of the above type which are prim-
itive we want to make some comments. First, if the polynomial f(t) in the above
theorem is a primitive polynomial, then the sequence z is an m-sequence. Secondly,
if deg β(t^{-1}) = ⌊L/v⌋ then at least one of the vanes will have its input connected by
the feedforward connection to the output of the vane. Such a connection could be a
source of timing problems in practical applications. Windmill polynomials which
do not result in such connections will be called proper windmills. A windmill
is certainly proper if it satisfies the additional restriction v(deg β(t^{-1}) + 1) ≤ L.
Thirdly, without loss of generality we may put c = 0 and hence the values of ℓ(k)
and σ(k) depend only on L and v. Fourthly, the theorem can easily be generalized
to arbitrary polynomials of the type f(t).
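The following simulation is an added example (not the paper's own code) of the windmill of the theorem above over GF(2): it derives σ(k) and ℓ(k) from L and v with c = 0, steps a proper binary windmill according to the vane recurrence, interleaves the vane outputs into z as in (2), and checks that z satisfies the linear recurrence of f(t) = α(t^v) + β(t^{-v}) t^L and has period 2^L - 1. The sample parameters L = 5, v = 2, α(t) = 1 + t + t^2, β(t^{-1}) = 1 + t^{-1} are constructed here; the resulting f(t) = t^5 + t^4 + t^3 + t^2 + 1 is primitive.

```python
from math import gcd

def windmill_params(L, v, c=0):
    """sigma(k) = Lk + c (mod v) and l(k) = (sigma(k) - sigma(k+1) + L)/v from the theorem."""
    assert 1 <= v < L and gcd(L, v) == 1
    sigma = [(L * k + c) % v for k in range(v)]
    ell = [(sigma[k] - sigma[(k + 1) % v] + L) // v for k in range(v)]
    assert sum(ell) == L          # the windmill holds exactly L state bits
    return sigma, ell

def windmill_poly(alpha, beta, L, v):
    """Coefficients f[0..L] of f(t) = alpha(t^v) + t^L beta(t^-v) over GF(2), where
    alpha = [alpha_1..alpha_m] (alpha_0 = 1 implicit) and beta = [beta_0..beta_n]."""
    f = [0] * (L + 1)
    f[0] ^= 1
    for j, a in enumerate(alpha, start=1):
        f[v * j] ^= a
    for j, b in enumerate(beta):
        f[L - v * j] ^= b
    return f

def run_windmill(alpha, beta, L, v, state, steps):
    """state[k] = [x^k_i, x^k_{i-1}, ..., x^k_{i-l(k)+1}] (first stage first).  Each step
    emits one v-tuple (first stage of vane k at position sigma(k)) and clocks every vane
    once.  Returns the interleaved sequence z_0 ... z_{v*steps-1}."""
    m, n = len(alpha), len(beta) - 1
    sigma, ell = windmill_params(L, v)
    assert [len(s) for s in state] == ell
    assert v * (n + 1) <= L       # proper windmill: no feedforward tap reads a fresh input
    z = []
    for _ in range(steps):
        block = [0] * v
        for k in range(v):
            block[sigma[k]] = state[k][0]
        z.extend(block)
        new = []
        for k in range(v):
            prev = state[(k - 1) % v]
            lp = ell[(k - 1) % v]
            x = 0
            for j in range(1, m + 1):      # feedback:    sum_j alpha_j x^k_{i+1-j}
                x ^= alpha[j - 1] & state[k][j - 1]
            for j in range(n + 1):         # feedforward: sum_j beta_j x^{k-1}_{i+j-l(k-1)+1}
                x ^= beta[j] & prev[lp - 1 - j]
            new.append(x)
        for k in range(v):
            state[k] = [new[k]] + state[k][:-1]
    return z

def satisfies_recurrence(z, f):
    """z_s = sum_{r=1}^{L} f_r z_{s-r} over GF(2) for every s >= L (f is the feedback polynomial)."""
    L = len(f) - 1
    return all(z[s] == sum(f[r] & z[s - r] for r in range(1, L + 1)) % 2
               for s in range(L, len(z)))

def period(z):
    """Smallest p > 0 with z[s] == z[s + p] wherever both exist (z must be long enough)."""
    for p in range(1, len(z) // 2):
        if all(z[s] == z[s + p] for s in range(len(z) - p)):
            return p
    return None

# Constructed sample parameters: L = 5, v = 2, alpha(t) = 1 + t + t^2, beta(t^-1) = 1 + t^-1.
ALPHA, BETA, L_DEG, V = [1, 1], [1, 1], 5, 2

def demo():
    f = windmill_poly(ALPHA, BETA, L_DEG, V)        # t^5 + t^4 + t^3 + t^2 + 1, primitive
    sigma, ell = windmill_params(L_DEG, V)          # sigma = [0, 1], ell = [2, 3]
    state = [[1, 0], [0, 0, 0]]                     # any nonzero initial state
    z = run_windmill(ALPHA, BETA, L_DEG, V, state, steps=70)
    return f, sigma, ell, z

if __name__ == "__main__":
    f, sigma, ell, z = demo()
    print("f =", f, "sigma =", sigma, "ell =", ell)
    print("recurrence holds:", satisfies_recurrence(z, f), "period:", period(z))
```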

III The number of binary windmill polynomials


Let us call a polynomial f(t) a windmill polynomial if it has the form f(t) = α(t^v) -
β(t^{-v}) t^L, where α(t) and β(t^{-1}) satisfy the conditions stated in the above theorem.
Those windmill polynomials which are irreducible over GF(q) we call irreducible
windmill polynomials and those that are even primitive we call primitive wind-
mill polynomials (ML = maximum length). In this section we will investigate the
number of binary irreducible (and primitive) windmill polynomials. We present
mainly our investigations done for values of v that are powers of 2.
The desired estimates are obtained by assuming that the windmill polynomials
form a random subset of all the polynomials of degree L with f(0) = 1. Under

this assumption we expect to find the same fraction of windmill-type polynomials
to be irreducible, respectively primitive. We find that the number of binary
windmill polynomials of degree L which satisfy the condition f(0) = 1 and that
are irreducible should be roughly

2^{1+2⌊L/v⌋} / L.

For the corresponding number of primitive windmill polynomials we find the esti-
mate

where F(L) = φ(2^L - 1)/2^L = (1 - 1/2^L) Π_p (1 - 1/p). In the latter formulas the p's are
the distinct prime divisors of 2^L - 1 and φ is Euler's φ function.
We also counted the number of polynomials that were proper. The quality of
our estimates is investigated by determining the exact counts for L = 7 to 127. We
obtained the following results. When L ≡ ±3 mod 8 then there are no windmill
polynomials at all! However, if L ≡ ±1 mod 8 the number of windmill polynomials
is about twice the number we predicted by using our probabilistic model.
Recently S.D. Cohen proved that if L ≡ ±3 mod 8 and L, v are co-prime, then
every polynomial over GF(q^m), with m odd, is reducible [7]. In his proof the
analogue of Stickelberger's theorem over fields with characteristic two plays a
similar role as in the derivation of Swan's corollary on the reducibility of binary
trinomials [8].

References

[1] European Broadcasting Union: "Specification of the systems of the MAC/packet family", Tech 3258-E (Brussels: EBU technical centre), 1986.
[2] A. Lempel, W.L. Eastman, "High speed generation of maximal length sequences", IEEE Trans. on Comput., Vol. C-20, (1971), pp. 227-229.
[3] A.C. Arvillias, D.G. Maritsas, "Combinational logic-free realisations for high-speed m-sequence generation", Electronics Letters, Vol. 13, no. 17, (1977), pp. 500-502.
[4] F. Surböck, H. Weinrichter, "Interlacing properties of shift-register sequences with generator polynomials irreducible over GF(p)", IEEE Trans. on Inform. Theory, Vol. IT-24, (1978), pp. 386-389.
[5] B.J.M. Smeets, On Linear Recurring Sequences, PhD dissertation, University of Lund, 1987.
[6] R. Lidl, H. Niederreiter, Finite Fields, Encyclopedia of Mathematics and its Applications, Vol. 20, Addison-Wesley, Reading, Mass., 1983.
[7] S.D. Cohen, "Windmill polynomials over fields of characteristic two", preprint.
[8] E.R. Berlekamp, Algebraic Coding Theory, McGraw-Hill, New York, 1968.
LOCK-IN EFFECT IN CASCADES
OF CLOCK-CONTROLLED SHIFT-REGISTERS

William G Chambers 1), Dieter Gollmann 2)

1) Department of Electronic and Electrical Engineering,
King's College (KQC), Strand,
London WC2R 2LS, United Kingdom

2) Fakultät für Informatik, Universität Karlsruhe,
Technologie-Fabrik Karlsruhe, Haid-und-Neu-Strasse 7,
7500 Karlsruhe 1, W Germany.

ABSTRACT

Cascaded cryptographic keystream generators as proposed by Gollmann pos-
sess a cryptanalytic weakness termed "lock-in" in this article. If the initial
state has been guessed correctly apart from its phase a decryption cascade can
be set up in which the effects of each stage of the original cascade are
unravelled in reverse order. Once the decryption cascade has "locked in" on
the original cascade, the state of the latter is known, and hence its future out-
put and its output in the remote past. This weakness is studied; its effects are
readily mitigated by taking certain precautions. Lock-in may also be used
constructively as a synchronization technique.

I. INTRODUCTION

Cryptographic binary sequences produced with the aid of shift-registers have
been much studied in the open literature over the last twenty years. An
important parameter is the linear equivalence, which measures the resistance
of a sequence generator to attacks using linear algebra [1, p. 199]. A good dis-
cussion of ways of increasing the linear equivalence is given by Rueppel [9].

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 331-343, 1988.
© Springer-Verlag Berlin Heidelberg 1988

One method is to use a non-linear function to combine the simultaneous out-
puts of several shift-registers. The use of clock-controlled shift-registers has
also been proposed by several authors [2, 5, 12, 13]. Typical of such systems
is a cascade of clock-controlled shift-registers [6]. The periods and linear
equivalences are readily made very large, and the statistical properties of at
least the original versions have been proved to be good [7].
The fact that these systems are readily designed to have a high linear
equivalence and hence be immune against the algebraic attack does not pre-
clude other types of weakness. Thus attacks on sequences produced by non-
linear combining functions have been studied by Siegenthaler [10, 11]. In this
article a weakness which may occur in systems using clock-controlled shift
registers is examined. This weakness can readily be guarded against by taking
suitable precautions; nonetheless the user should be made aware of the possi-
bility, since the weakness is not obvious. Of course this does not guarantee
that there are no other hazards.
The cryptanalytic problem is the following: Assume that an enemy knows
a) the construction of the generator and b) a large number of consecutive bits
of the output, which for the sake of definiteness will be assumed to start at the
beginning of the sequence. Then with limited computing resources can he
deduce the initial setting of the generator, or at least the future output?

II. THE CASCADE GENERATOR

The keystream generator proposed in [6] consists of a number of stages, K
say, each like that shown in Fig 1. The main component of each stage is a
clock-controlled cycling register (CR) of length p, this length being the same
for each stage. If regularly clocked (or stepped), CR produces an endless
repetition b^∞ of the binary sequence b = {b(0), b(1), ..., b(p-1)}, where the
b(i) are determined by the initial setting for this stage. (The only restriction
on b is that b^∞ should have shortest period p. Thus with p = 3 the choices b =
{000} and b = {111} are excluded, for then b^∞ has period 1.) The binary input
a_t is added (mod 2) to the output of CR to give the output c_t of this stage,
which then becomes the input of the next. The binary input also causes CR to
be stepped (afterwards) if a_t = 1, but not if a_t = 0. The "slight delay" is put in
the figure to emphasise that the step takes place after addition, that is, the rule
is "add then step". We shall say that the stage uses the sequence b. The
input to the first stage is 111... . The output of the final stage is the output of
the generator.

The sequences {c_t} and {a_t} of the stage in Fig 1 are related by

c_t = a_t + b(S_{t-1}) mod 2,  S_t = S_{t-1} + a_t mod p,  t = 0, 1, 2, ...   (1a)

with the initial condition

Evidently S_t is the sum Σ_{t'=0}^{t} a_{t'} mod p. Since it determines where CR has got
to in its cycle it will be called the phase of CR. (By a mod p for positive p
we mean the value x satisfying 0 ≤ x < p obtained by adding (subtracting) a
suitable integer multiple of p to (from) a.)
A modified system (the "m-sequence cascade") consists of a similar cas-
cade of clock-controlled linear feedback shift registers of length n with primi-
tive feedback polynomials [1, p. 187]. The regularly clocked output of such a
register has period p = 2^n - 1, and the sequence {b(0), b(1), ..., b(p-1)} is a
period of the m-sequence.
The output of a Gollmann cascade of length K has period p^K if p is an
odd prime [6]. If p satisfies a further fairly weak condition (that 2^j - 1 is not
a multiple of p for any j satisfying 0 < j < p - 1) then the linear equivalence is
either p^K or p^K - 1 [6, 4]. Among the small primes 3, 5, 11, 13, 19 and 29
satisfy this condition whereas 7, 17, 23, and 31 do not. In an m-sequence
cascade of length K the period is (2^n - 1)^K and the linear equivalence exceeds
n(2^n - 1)^{K-1} [3].

III. THE ATTACK

We now suppose that the stage just described is the final stage of the genera-
tor, so that {c_t} is the final output, some of which has been intercepted by the
cryptanalyst X. (How much he needs is considered below.) In the attack to be
described he tries to reverse the transformation from {a_t} to {c_t} effected by
the final stage. Iteration of this technique should then enable him to "unravel"
the cascade, starting with the final stage.
The reversing transform is carried out as follows: X guesses a sequence
b' and a value S'_{-1}, and then sets

a'_t = c_t - b'(S'_{t-1}) mod 2,  S'_t = S'_{t-1} + a'_t mod p,  t = 0, 1, 2, ...   (2)

where the primed quantities are guesses or deductions from guesses. (When
b' = b and S'_{-1} = S_{-1} we find that {a'_t} = {a_t}.) Such a transform may be imple-
mented by a decryption stage (Fig 2) using the sequence b' with initial phase
S'_{-1}. In the case when b'(t) = b((t + φ) mod p) for some φ we say that b has
been guessed correctly except for phase. (Thus for p = 3 there are only two
non-trivial choices for b differing by more than phase.)
We now make Assumption A (to be examined below): Suppose that X
has guessed the sequence b' correctly except possibly for the phase. Let c_t in
(2) be the output from (1). We may instead presume that b' = b and that the
initial guess S'_{-1} needed for (2) may be incorrect. Then as the iteration (2)
proceeds the phase S'_t may be expected to bounce around in some manner
until it happens to take the correct value S_t. Thereafter it will be locked
into its correct value, so that for all future t we find S'_t = S_t and a'_t = a_t.
(Investigations described in Sec 4 indicate that this takes a number of steps
roughly equal to ⅓p² on average.)
When the whole cascade is unravelled, the original input 111... is
recreated. This is how X knows whether he has succeeded. At the same time
he learns the phase of each CR in the generating cascade, not, it is true, at the
start t = 0, but at a value of t (t_0 say) where it is fairly safe to assume that
lock-in has taken place. Thus the output from the generator after t_0 can be
predicted. It is also possible to work backwards from t_0 to t = 0, so that the
initial setting can be deduced. Let us consider (1a) as applying to the first
stage of the generator, where X knows the input a_t for all t (as 1). Let us
suppose moreover that X knows S_{t-1} for t > t_0. Then he may find S_{t-2} as
S_{t-1} - a_{t-1} mod p, and so proceed backwards to S_{-1}. Thus the c_t may also be
found all the way back to the start. But {c_t} is the input to the second stage,
and thus the process can be iterated.
Assumption A is now examined. There are situations where it is valid for
every stage without further ado: a) If for ease of manufacture the contents of
each CR are laid down in advance, with the key determining how many steps
are taken by each CR in preparing the initialization, then X knows each CR
except for phase. b) In the m-sequence cascade with registers of length n the
period of each register is p = 2^n - 1. If the feedback polynomial of each stage
is specified in manufacture, the outputs are again known apart from their
phase, since all m-sequences associated with a given primitive feedback poly-
nomial are cyclic shifts of one another [1, p. 186].
In other cases X has to make a number of trials, in only one of which
Assumption A is valid for every stage. Thus in Gollmann's cascade with p
prime there are 2^p - 2 initial settings for CR, and (2^p - 2)/p initial settings
that differ by more than phase. For a cascade of length K the number of
possible trials is thus ((2^p - 2)/p)^K, that is 2^K with p = 3.

IV. NUMBER OF STEPS NEEDED

In this section the number of steps needed to achieve lock-in is discussed,
firstly just for the final stage, and then for the whole cascade. Assumption A
is taken as valid for every stage. Evidently this number is also the minimum
length of the sequence needed for the attack described in Section 3.
The number of steps needed on average to get a decryption stage (using
the correct sequence apart from phase) to lock in to the final stage of a cas-
cade can be estimated as follows. The previous stages of the cascade are
regarded as a random binary generator G. The output {a_t} of G is then
passed through the final encryption stage E to produce an output {c_t} accord-
ing to (1). The sequence {c_t} is then passed through the decryption stage D
to produce an output {a'_t} according to (2). The stage D uses the same
sequence b as is used by E, but the initial phases may not agree. Until lock-
in is achieved the input to D will be regarded as random, and so the differ-
ence of the phases Δ_t = S_t - S'_t behaves as though in the problem of the ran-
dom walk [8, p. 213], either increasing or decreasing by unity with equal pro-
bability, or staying the same. Initially Δ_t is taken to have any value between
0 and p - 1 with equal probability, so that its mean is approximately ½p.
Lock-in takes place when Δ_t reaches either of the values 0 or p. For a ran-
dom walk to cover a distance d requires a number of steps of the order of d²,
and so in this case we may expect the mean number of steps needed to
achieve lock-in to be of order p².
This conclusion is borne out for p up to 31 by the more careful treatment
described in the appendix. The mean μ_p and standard deviation σ_p of the
number of steps to lock-in for a single stage have been computed for p taking
the prime values from 3 to 31 to give the results shown in Table 1, which lists
the values μ'_p = μ_p/p² and σ'_p = σ_p/p². The results are approximate to about
6 percent for p ≥ 19.
336

TABLE 1

Complete lock-in for the whole cascade E_1, E_2, ..., E_K (with K the
number of stages) requires a similar cascade of decryption stages
D_1, D_2, ..., D_K, with D_k having the same sequence as E_k. The output
from D_k is the input to D_{k-1}. By an iterative argument starting with k = K it
is evident that once D_k has locked in on E_k the input to D_{k-1} is the same as
the output from E_{k-1}, and so D_{k-1} can start to lock in on E_{k-1}. It is conceiv-
able that D_{k-1} might already have started to lock in on E_{k-1} before D_k had
locked in properly on E_k, but we shall assume that each lock-in starts with
random initial conditions as soon as the previous stage has locked in. Thus
the number of steps needed to achieve over-all lock-in is the sum of K
independent identically distributed random variables, and so its mean is
K μ'_p p², and its standard deviation is K^{1/2} σ'_p p².
Computer simulations (for p = 3, 5, 11, and 13) bear out these conclu-
sions. The only surprise was that for p = 5, 11 and 13 in about 10% of the
cases D_1 and D_2 failed to lock in. This is presumably because the input
111... to E_1 can hardly be regarded as random. Although this may be an
embarrassment to the cryptanalyst it is probably not a serious obstacle.

V. USE OF 'STEP THEN ADD'

It might appear that the arrangement where the "slight delay" of Fig 1 is put
instead at the point X would give a different problem, with a_t implicitly
dependent on c_t, rather than explicitly as in (2). For then we have

$c_t = a_t + b(S_t) \bmod 2, \qquad S_t = S_{t-1} + a_t \bmod p.$   (3)

Appearances are however deceptive, and the inversion may be carried out by

$a_t = c_t - b(S_t) \bmod 2, \qquad S_{t-1} = S_t - a_t \bmod p,$   (4)

where we let t run downwards from some large value N to 0, and all we need
to guess is the initial value S_N. Thus lock-in can be made to occur if the output
sequence from (3) is fed backwards into (4).

This suggests that if the cryptographer arranges that a choice between
"add then step" and "step then add" be made for each stage under the control
of the key, then the use of lock-in as a cryptanalytic technique is made more
difficult. It may however be better to spend the additional cryptographic
effort on extending the length of the cascade, with a corresponding increase in
the linear equivalence and the period [6].
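The lock-in behaviour of Secs 4 and 5 can be checked by direct simulation. The Python below is an added example, not code from the paper or its author: it implements the stage equations (1), (2), (3) and (4) as stated above, runs an encryption cascade E_1..E_K beside a decryption cascade D_K..D_1 started in the wrong phases, and inverts a "step then add" stage backwards from a wrong guess of S_N. The cycling sequences, initial phases and random plaintext used in demo() are constructed for the example, and all function names are mine.

```python
import random

def stage_encrypt(b, state, a):
    """'Add then step' stage, eq. (1): c_t = a_t + b(S_{t-1}) mod 2, then S_t = S_{t-1} + a_t mod p."""
    return a ^ b[state], (state + a) % len(b)

def stage_decrypt(b, state, c):
    """Decryption stage, eq. (2): a'_t = c_t + b(S'_{t-1}) mod 2, then S'_t = S'_{t-1} + a'_t mod p."""
    a = c ^ b[state]
    return a, (state + a) % len(b)

def cascade_lock_in(bs, enc_states, dec_states, bits):
    """Run E_1..E_K (bs[k] is the cycling sequence of stage k+1) and D_K..D_1 side by side.
    Returns (t, recovered): t is the first time index after which every D_k holds the same
    phase as E_k (None if that never happens) and recovered is the output of D_1."""
    enc, dec = list(enc_states), list(dec_states)
    recovered, lock = [], None
    for t, a in enumerate(bits):
        x = a
        for k, b in enumerate(bs):                       # E_1 -> E_2 -> ... -> E_K
            x, enc[k] = stage_encrypt(b, enc[k], x)
        for k in range(len(bs) - 1, -1, -1):             # D_K -> ... -> D_1
            x, dec[k] = stage_decrypt(bs[k], dec[k], x)
        recovered.append(x)
        if lock is None and enc == dec:
            lock = t
    return lock, recovered

def sta_encrypt(b, state, bits):
    """'Step then add' stage, eq. (3): S_t = S_{t-1} + a_t mod p, c_t = a_t + b(S_t) mod 2.
    Returns the ciphertext and the list of phases S_t."""
    out, phases = [], []
    for a in bits:
        state = (state + a) % len(b)
        out.append(a ^ b[state])
        phases.append(state)
    return out, phases

def sta_invert_backwards(b, guessed_final_state, c):
    """Eq. (4) with t running downwards from N: a_t = c_t - b(S_t) mod 2, S_{t-1} = S_t - a_t mod p.
    Only S_N has to be guessed; a wrong guess locks in backwards. Returns (a'_t, S'_t)."""
    state = guessed_final_state
    a, phases = [0] * len(c), [0] * len(c)
    for t in range(len(c) - 1, -1, -1):
        phases[t] = state
        a[t] = c[t] ^ b[state]
        state = (state - a[t]) % len(b)
    return a, phases

def demo(seed=1, steps=3000):
    """Constructed example: K = 3 stages with p = 5, random plaintext (Sec 7 usage), D in wrong phases."""
    rng = random.Random(seed)
    bs = [[0, 1, 1, 0, 1], [0, 0, 1, 0, 1], [1, 1, 0, 1, 0]]      # each of least period 5
    plaintext = [rng.randrange(2) for _ in range(steps)]
    t_lock, recovered = cascade_lock_in(bs, [0, 0, 0], [2, 4, 1], plaintext)
    # 'step then add' stage inverted backwards from a deliberately wrong final phase
    c, fwd = sta_encrypt(bs[0], 0, plaintext)
    back, bwd = sta_invert_backwards(bs[0], (fwd[-1] + 1) % 5, c)
    # first index (from the bottom) where the guessed phase still differs: all lower bits are recovered
    t_back = next(t for t in range(steps) if fwd[t] != bwd[t])
    return t_lock, recovered, plaintext, t_back, back

if __name__ == "__main__":
    t_lock, recovered, plaintext, t_back, _ = demo()
    print("forward cascade locked in after step", t_lock)
    print("backward inversion recovers plaintext bits 0 ..", t_back - 1)
```

With the phases of D equal to those of E from the start the decryption is exact; with wrong phases the recovered bits agree with the plaintext from the lock-in step onward, which is the self-synchronization used in Sec 7, and the backward run of (4) shows that moving the delay to X does not remove the effect.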

VI. GUARDING AGAINST CRYPTANALYSIS BY LOCK-IN

First suppose the validity of Assumption A. Then the length of the bit-string
needed for the attack by lock-in is of the order of S = Kp², where p is the
length of the cycling sequence b and K is the number of stages in the cascade.
Since the decryption involves passing the string through K decryption
stages the computing complexity, that is the number of computing steps
needed, is of the order of C_A = K²p². If on the other hand Assumption A is
not valid then every possible instance of b has to be tried in each stage and so
the computing complexity is of the order of C = K²p² ((2^p − 2)/p)^K. To give
examples of these values we note that C exceeds 10^{21} for p = 3, K = 56, or for
p = 11, K = 8, with S less than 1000 in both cases.

For an m-sequence cascade we set p = 2^n − 1 where n is the register
length. It may be necessary to use fixed feedback connections, so that
Assumption A is valid. Then we find that C_A > 10^{21} for n = 34, K = 2, or for
n = 29, K = 59. Huge string-lengths are needed in these cases. We find
S = 5.9 × 10^{20} and 1.7 × 10^{19} respectively. On the other hand small values of n
would not be safe.

Without Assumption A the attack may be improved by a "meet-in-the-middle"
technique. The encryption cascade is regarded as being in two sections,
of length a at the top and b at the bottom, with a + b = K. All
(2^p − 2)^a possible initializations of the top section are tried and the initial part
of each sequence thus generated is stored in order, together with the setting
that generated it. All ((2^p − 2)/p)^b initializations of the lower part are used
in a decryption cascade of length b to lock in on to the sequence to be broken.
Again the output strings are ordered. Then the analyst looks for
matching pairs in the two ordered lists. If a matching pair is found it is
investigated further. Optimally the two lists should be roughly of the same
size, so that for small values of p the size of b is around two-thirds to three-quarters
of K. This value should perhaps replace K in the above considerations.

VII. USE OF LOCK-IN FOR SYNCHRONIZATION

So far it has been assumed that the cascade is used as a pseudo-random binary
sequence generator, with the all-1's sequence fed in at the top. Under these
conditions lock-in is a cryptanalytic hazard. However it may be employed
more constructively by the cryptographer. Suppose that the plaintext is fed
into the top of the cascade, and the ciphertext taken from the bottom. Then
the legitimate receiver will use a decryption cascade. Here the key given to
the receiver specifies the contents of each register and Assumption A is certainly
satisfied. Then it is almost certain that the lock-in property ensures the
self-synchronization of the decryption, even if it is not properly synchronized
at any stage. Under these circumstances we would want fairly quick lock-in,
so that short registers (say p = 3) would be used in a long cascade (say
K = 100). A long cascade is of course vital for security, the effective
keylength being K bits with p = 3. The mean time to lock-in with p = 3 and
K = 100 is about 0.32 × 3² × 100 = 290 steps.

We have also studied the effects of a single-bit error on lock-in. There
are three types of such an error, the alteration, the insertion and the loss of a
bit. Computer simulations (carried out for p = 3, 5, 7 and 11 with K = 31)
suggest that lock-in times after a single-bit error have a distribution very like
that for lock-in starting with random phases. Thus for the cascade with p = 3
and K = 100 the mean recovery time would be around 290 steps. This is just
over twice the recovery time for a 64-bit block cipher such as DES [1, p267]
used in the cipher-feedback mode [1, p287]. Moreover as far as a cascade
cipher is concerned the loss or insertion of a bit is no worse than the alteration
of a bit, whereas for a block cipher such an error causes misalignment of
the blocks, and some method for maintaining synchronization is needed.


APPENDIX: Number of steps for lock-in of a single stage

We develop further the model of Sec 4 in which a random binary input {a_t}
is fed into an encryption stage E using a given sequence b of given least
period p, and the output {c_t} generated according to (1) is fed to a decryption
stage D also using b. We find easily computed expressions for the mean and
variance of the number of steps to lock-in for any given b, averaged over the
initial states of D and E. By a random binary sequence {a_t} we mean that
the a_t are independent identically distributed random variables taking just the
values 0 and 1 with equal probabilities, or equivalently that for any n all
sequences of length n are equally likely. Since the sequences {a_t} and {c_t}
(for given b and S_{−1}) are in one-to-one reciprocal correspondence it is readily
shown that {c_t} is also a random binary sequence in the above sense.
Equations (1a) and (2) may be written as

$S_t = ((c_t + b(S_{t-1})) \bmod 2) + S_{t-1} \bmod p,$   (5a)

$S'_t = ((c_t + b(S'_{t-1})) \bmod 2) + S'_{t-1} \bmod p.$   (5b)

Lock-in occurs as soon as S_t = S'_t mod p. The value pair (S_t, S'_t) specifies
the state of the system at time t. We first show that, starting from any state,
lock-in can take place with non-zero probability after p(p − 1) steps. This
result will be used to show that lock-in takes place eventually with probability
one, and it guarantees the convergence of the theory below, as well as the
existence of the mean and variance of the time to lock-in. To do this we suppose
that {a_t} happens to be the all-ones sequence. Then by (1a) S_t increases
by 1 on every step (mod p of course). Now suppose that lock-in does not
take place. Then beyond some step t_0 the quantity S'_t must keep some fixed
distance s ahead (0 < s < p), so that S'_t = S_t + s mod p for t > t_0. Then from
(5) it follows that b((i + s) mod p) = b(i) for all i such that 0 ≤ i < p, and so
b has a period less than p, in fact the highest common factor of s and p.
This contradicts the assumption that p is the least period. This catching up
needs at most p(p − 1) steps. For S_t must gain on S'_t by at least 1 every
time it goes round the cycle (0, 1, ..., p − 1). However S'_t cannot be
more than p − 1 ahead of S_t at the beginning, and hence the result.
To compute the mean and variance we use a state-transition matrix T
whose rows and columns are labelled by states of the system. The
"coalesced" states (with S_t = S'_t) need not be included among these, and there
is no need to distinguish between S_t and S'_t, so the states may be represented
as number pairs (a, b) with 0 ≤ a < b < p, the numbers being of course values
of S_t and S'_t. There are altogether ½p(p − 1) such states, and they will be
denoted by Greek suffices α, β and γ. Let T_{βα} denote the probability of a
transition from α to β. Then we find that T_{βα} ≥ 0, and that Σ_β T_{βα} ≤ 1 with
Σ_β T_{βα} < 1 if α can go to a coalesced state in one step. Let p_α(t) denote the
probability of the system being in the state α at step t. We find
p_β(t + 1) = Σ_α T_{βα} p_α(t), or in vector-matrix notation p(t + 1) = T p(t), so that
p(n) = T^n p(0). The probability of "no lock-in after n steps" may be written
as P_n = e' p(n) where e is the all-ones vector. With a start from any state α,
lock-in takes place with a probability not less than h = 2^{−Q} after Q = p(p − 1)
steps. (The quantity h is the probability that {a_t} starts with Q consecutive
1's.) Now the probability distribution after n steps starting from the state α is
p_β = (T^n)_{βα}, so that Σ_β (T^Q)_{βα} ≤ 1 − h. Thus for any integer l ≥ 0 we find

$\sum_\beta (T^{(l+1)Q})_{\beta\alpha} = \sum_\gamma \Big(\sum_\beta (T^{Q})_{\beta\gamma}\Big)(T^{lQ})_{\gamma\alpha} \le (1-h)\sum_\gamma (T^{lQ})_{\gamma\alpha}.$

By iteration this is then less than or equal to (1 − h)^{l+1}, and hence so is each
term in the sum on the left. We are using the fact that all these matrix components
are non-negative. Thus we find that T^n → 0 as n → ∞. From this it
follows (by reductio ad absurdum) that the eigenvalues of T are strictly less
than unity in magnitude. This approach may well give a hopelessly pessimistic
estimate of the rate of convergence of T^n to 0, but it is all that is needed
for the theory.

The initial probability distribution will be taken as uniform, with
p(0) = (2/p²) e; this takes account of the possibility of coalescence at the start,
since P_0 = e' p(0) = 1 − 1/p. The mean time to coalescence is then given by

$\mu = \sum_{n=0}^{\infty} (n+1)(P_n - P_{n+1})$

since a fraction P_n − P_{n+1} coalesces at step n + 1. Thus we find that

$\mu = \sum_{n=0}^{\infty} P_n = \frac{2}{p^2}\sum_{n=0}^{\infty} e' T^n e = \frac{2}{p^2}\, e'(I-T)^{-1} e$

where I is the unit matrix. Here a matrix geometric progression has been
summed, which is possible since all the eigenvalues are less than one in magnitude.

In like manner the mean square time to coalescence is given by

$\nu = \sum_{n=0}^{\infty} (n+1)^2 (P_n - P_{n+1}),$

from which we find

$\nu = \frac{2}{p^2}\, e'(I+T)(I-T)^{-2} e.$

For reasonable values of p (say up to 31) these computations are not too hard.
They involve the solution of linear equations rather than matrix inversions,
and they are assisted by the facts that T is sparse, with all the non-zero elements
equal to ½, and that it is a banded matrix if the states are ordered by
increasing separation of the locations.

As an example we consider a case with p = 5. The matrix T is then of
size 10 × 10. The states used for labelling are preferentially ordered as 01, 12,
23, 34, 04, 02, 13, 24, 03, 14. Here 01 stands for (0, 1) etc. With
b = {0, 1, 1, 0, 1} the possible transitions α → β are 01→02, 12→12, 12→23,
23→24, 34→03, 04→14, 02→12, 02→03, 13→23, 13→14, 24→03, 24→24,
03→03, 03→14, 14→14, 14→02. For these T_{βα} is ½. The other elements of
T are zero.

The final part of the calculation is to average μ and ν over all possible b
with p specified. These averages are denoted by μ_p and ν_p. The standard
deviation σ_p of the lock-in time is given by σ_p² = ν_p − μ_p². Since for p ≥ 19 the
number of instances of b is rather large (being equal to (2^p − 2)/p), the computations
were restricted to averaging over 300 quasi-random choices, giving
an accuracy of a few percent.
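The computation of the appendix can be reproduced exactly. The Python below is an added example, not the author's code: it derives the transition table of the appendix from (5a) and (5b) for any cycling sequence b (for b = {0,1,1,0,1} it yields the sixteen transitions listed above) and evaluates μ and ν in rational arithmetic. Rather than forming e'(I−T)^{-1}e and e'(I+T)(I−T)^{-2}e as matrix products it solves the equivalent linear systems (I−T)m = e and (I−T)q = e + 2Tm, as the text recommends. The function names and the choice to average over every b of least period p (instead of the 300 quasi-random choices the paper uses for large p) are mine.

```python
from fractions import Fraction
from itertools import product

def transitions(b):
    """States are unordered phase pairs (S, S') with S != S', as in the appendix.  For each state the
    two values of the random input bit c_t give, via (5a)/(5b), at most two successor states; a step
    onto the diagonal S = S' is lock-in and is dropped, so the corresponding row sum of T is below 1."""
    p = len(b)
    states = [(s, t) for s in range(p) for t in range(s + 1, p)]
    succ = {}
    for s, t in states:
        nxt = []
        for c in (0, 1):
            s1 = (s + (c ^ b[s])) % p        # S_t  = S_{t-1}  + ((c_t + b(S_{t-1}))  mod 2)
            t1 = (t + (c ^ b[t])) % p        # S'_t = S'_{t-1} + ((c_t + b(S'_{t-1})) mod 2)
            if s1 != t1:
                nxt.append((min(s1, t1), max(s1, t1)))
        succ[(s, t)] = nxt
    return states, succ

def solve(A, y):
    """Exact Gauss-Jordan elimination over Fractions: returns x with A x = y (A non-singular)."""
    n = len(A)
    M = [list(A[i]) + [y[i]] for i in range(n)]
    for col in range(n):
        piv = next(r for r in range(col, n) if M[r][col] != 0)
        M[col], M[piv] = M[piv], M[col]
        M[col] = [v / M[col][col] for v in M[col]]
        for r in range(n):
            if r != col and M[r][col] != 0:
                f = M[r][col]
                M[r] = [a - f * c for a, c in zip(M[r], M[col])]
    return [M[i][n] for i in range(n)]

def lock_in_moments(b):
    """Mean mu and mean square nu of the lock-in time for one sequence b, averaged over the p^2 equally
    likely initial phase pairs (coalesced pairs count as 0 steps).  m and q are the mean and mean square
    conditioned on the starting state: m = e + T m and q = e + T (2 m + q); mu = (2/p^2) e'm, nu = (2/p^2) e'q."""
    p = len(b)
    states, succ = transitions(b)
    idx = {st: i for i, st in enumerate(states)}
    n = len(states)
    half = Fraction(1, 2)
    I_minus_T = [[Fraction(int(i == j)) for j in range(n)] for i in range(n)]
    for st in states:
        for nx in succ[st]:
            I_minus_T[idx[st]][idx[nx]] -= half      # every listed transition has probability 1/2
    e = [Fraction(1)] * n
    m = solve(I_minus_T, e)
    q = solve(I_minus_T, [1 + sum(2 * half * m[idx[nx]] for nx in succ[st]) for st in states])
    scale = Fraction(2, p * p)
    return scale * sum(m), scale * sum(q)

def averaged_moments(p):
    """mu'_p = mu_p / p^2 and sigma'_p = sigma_p / p^2, averaged over every b of least period p.
    Rotating b only relabels the phases, so averaging over all such b equals averaging over the
    (2^p - 2)/p distinct instances of the paper."""
    seqs = [list(b) for b in product((0, 1), repeat=p)
            if all(b[i:] + b[:i] != b for i in range(1, p))]
    mus, nus = zip(*(lock_in_moments(b) for b in seqs))
    mu_p = sum(mus) / len(seqs)
    nu_p = sum(nus) / len(seqs)
    sigma_p = float(nu_p - mu_p * mu_p) ** 0.5
    return mu_p / (p * p), sigma_p / (p * p)

if __name__ == "__main__":
    mu, nu = lock_in_moments([0, 1, 1, 0, 1])
    print("p = 5, b = 01101: mu =", mu, " sigma^2 =", nu - mu * mu)
    for p in (3, 5, 7):
        print("p =", p, " (mu'_p, sigma'_p) =", averaged_moments(p))
```

For b = {0,1,1,0,1} the exact mean is μ = 412/25 = 16.48 steps, i.e. μ/p² ≈ 0.66, and for p = 3 the average over the two instances of b is μ'_3 = 26/81 ≈ 0.32, the figure used in Sec 7.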

REFERENCES

[1] H Beker, F Piper, Cipher Systems: The Protection of Communications, (New York: Wiley) 1982
[2] T Beth, F C Piper, "The Stop-and-Go Generator", Advances in Cryptology: Proceedings of Eurocrypt 84 (T Beth, N Cot, I Ingemarsson, eds), Lecture Notes in Computer Science 209, 88-92 (Berlin: Springer-Verlag) 1985
[3] W G Chambers, "Clock-controlled Shift Registers in Binary Sequence Generators", IEE Proc E, 1988, 135, 17-24
[4] W G Chambers and D Gollmann, "Generators for Sequences with Near-maximal Linear Equivalence", IEE Proc E, 1988, 135, 67-69
[5] W G Chambers, S M Jennings, "Linear Equivalence of Certain BRM Shift Register Sequences", Electronics Letters, 1984, 20, 1018-1019
[6] D Gollmann, "Linear Recursions of Cascaded Sequences", Contributions to General Algebra 3, Proceedings of the Vienna Conference June 1984 (Verlag Hölder-Pichler-Tempsky, Wien 1985 - Verlag B G Teubner, Stuttgart)
[7] D Gollmann, "Pseudo Random Properties of Cascade Connections of Clock Controlled Shift Registers", Advances in Cryptology, Proceedings of Eurocrypt 84 (ed T Beth, N Cot, I Ingemarsson), Lecture Notes in Computer Science 209, pp93-98 (Berlin: Springer-Verlag 1985)
[8] A Papoulis, Probability, Random Variables, and Stochastic Processes, 2nd ed, (Singapore: McGraw-Hill) 1984
[9] R A Rueppel, Analysis and Design of Stream Ciphers, (Heidelberg: Springer-Verlag) 1986
[10] T Siegenthaler, "Correlation Immunity of Nonlinear Combining Functions for Cryptographic Applications", IEEE Trans Info Theory, 1984, IT-30, 776-780
[11] T Siegenthaler, "Decrypting a Class of Stream Ciphers Using Ciphertext only", IEEE Trans Computers, 1985, C-34, 81-85
[12] B Smeets, "A Note on Sequences Generated by Clock Controlled Shift Registers", Advances in Cryptology: Eurocrypt '85 (F Pichler ed), Lecture Notes in Computer Science 219, pp142-148 (Berlin: Springer-Verlag) 1986
[13] R Vogel, "On the linear complexity of cascaded sequences", Advances in Cryptology: Proceedings of Eurocrypt 84 (T Beth, N Cot, I Ingemarsson, eds), Lecture Notes in Computer Science 209, 99-109 (Berlin: Springer-Verlag 1985)


FIG 1: A stage of Gollmann's cascade, as described in Sec 2. The input bit a_t is added to the output from the cycling register CR to give the output c_t. It is also used to clock CR after the addition. In another arrangement (Sec 5) the "slight delay" is put at X instead, so that CR is clocked before the addition.

FIG 2: A decryption stage for reversing the transformation accomplished by the stage in Fig 1. Here the "slight delay" prevents a race round the loop.

PROOF OF MASSEY'S CONJECTURED ALGORITHM

Cunsheng Ding
Department of Applied Mathematics
Northwest Telecommunication Engineering Institute
Xian, People's Republic of China

ABSTRACT: Massey's conjectured algorithm for multi-sequence shift register synthesis is proved, and its suitability for the minimal realization of any linear system is also verified.

I. INTRODUCTION

It is well known that the SLFSR (shortest linear feedback shift register) synthesis of a single sequence is of great importance in practice (1)(2). The Berlekamp-Massey algorithm gives an efficient one (2). The problem of synthesizing multi-sequences with LFSRs has been given much concern by many scholars in the information and control society. J.L. Massey gave a conjectured algorithm for the SLFSR synthesis of multi-sequences in 1972. In 1985 Feng Gueiliang and K.K. Tzeng also gave another one (3). In this paper we are going to prove Massey's conjectured algorithm, and verify that it is a universal one and is suited for the minimal realization of any linear system.

II. PROOF OF MASSEY'S CONJECTURED ALGORITHM

Let B_i = a_{i1} ... a_{iN}, i = 1, ..., M, be M sequences of length N in the field F, and s_i = (a_{1i} a_{2i} ... a_{Mi})^t, S = (B_1 B_2 ... B_M)^t, S^i = s_1 ... s_i. Then Massey's conjectured algorithm in Fig. 1 can be stated as

MASSEY'S CONJECTURE: Assume that (f_i, l_i) is the SLFSR which generates S^i, and d_i = f_i(S^{i+1}) is the i-th discrepancy, i = 0, ..., n. Then

(i) if d_n = 0, then l_{n+1} = l_n and f_{n+1} = f_n.

(ii) if d_n ≠ 0, and is a linear combination of d_i, i = 0, ..., n−1, let d_{k_1}, ..., d_{k_r} be a basis of {d_i : 0 ≤ i ≤ n−1} such that max{n − k_i + l_{k_i} : 1 ≤ i ≤ r} is minimal and (k_1, k_2, ..., k_r) is maximal in alphabetic order. Let

d_n = − Σ_{i=1}^{r} u_i d_{k_i},   I = {i : u_i ≠ 0, 1 ≤ i ≤ r}

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 345-349, 1988.
© Springer-Verlag Berlin Heidelberg 1988

(iii) if d_n is not a linear combination of d_i, i = 0, ..., n−1, then l_{n+1} = n+1 and f_{n+1} can be any polynomial in F[x] of degree n+1.

First, we give some notations and simple results:

Let f_i = 1 + f_{i,1} x + ... + f_{i,l_i} x^{l_i}, and let ff_i = (0 ... 0 f_{i,l_i} ... f_{i,1} 1 0 ... 0) be a vector of length n+1. Denote D_{n+1} = (d_0 d_1 ... d_n)^t, A_{n+1} = (s_1 s_2 ... s_{n+1})^t and F_{n+1} = (ff_0 ff_1 ... ff_n)^t. Then it is easy to see that

(i) F_{n+1} is a lower triangular matrix, and is invertible.

(ii) D_{n+1} = F_{n+1} A_{n+1}, A_{n+1} = C_{n+1} D_{n+1}, where C_{n+1} = F_{n+1}^{-1}, and is also a lower triangular matrix.

Let us split the matrices F_{n+1}, C_{n+1}, D_{n+1} and partition them by writing

[block partition of F_{n+1}, C_{n+1}, D_{n+1} into the blocks U_{(n−L)×n}, B, G_n, g_n used below]

where B = (0 ... 0 u_L ... u_1)^t, O = (0 ... 0)^t. By definition, it is apparent that the following Theorem 1 holds.

Theorem 1. Let f(x) = 1 + u_1 x + ... + u_L x^L (L < n+1); then (f, L) generates S^{n+1} if and only if U_{(n−L)×n} G_n D_n = 0 and B G_n D_n + g_n D_n + d_n = 0.

Theorem 2. If (f, L) can generate S^{n+1}, L ≤ n+1, then there must exist a vector u such that

f = f_n + Σ_{i=0}^{n−1} u_i x^{n−i} f_i,   d_n = − Σ_{i=0}^{n−1} u_i d_i.

Theorem 3. Assume that (f_i, l_i) is the SLFSR which generates S^i, i = 0, ..., n. Then l_{n+1} = n+1 if and only if d_n is not a linear combination of d_i, i = 0, ..., n−1.

Theorem 4. Assume that g = f_n + Σ_{i=1}^{s} u_i x^{n−k_i} f_{k_i}, u_i ≠ 0, i = 1, ..., s. Let l'_i be the shortest L such that (f_i, L) can generate S^i. If (g, L) generates S^{n+1}, then we have

L ≥ max{l'_n, n − k_1 + l'_{k_1}, ..., n − k_s + l'_{k_s}} = max{l_n, n − k_1 + l_{k_1}, ..., n − k_s + l_{k_s}}.

In order to prove Theorem 4, we now prove the following lemma:

Lemma: Assume g = f_m + u_1 x^{m−k_1} f_{k_1}, u_1 ≠ 0, k_1 < m, and (f_m, l_m), (f_{k_1}, l_{k_1}) are the SLFSRs which generate S^m and S^{k_1} respectively; then if (g, L) generates S^{m+1}, we have

L ≥ max{l'_m, m − k_1 + l'_{k_1}} = max{l_m, m − k_1 + l_{k_1}}.

Proof: From the definition of l'_i and l_m we obtain that l'_m = l_m and l'_{k_1} = l_{k_1}. Because L ≥ l_m, so L ≥ l'_m. Suppose l'_m ≤ L < m − k_1 + l'_{k_1}. Let j be the last index such that f_{k_1, j} ≠ 0.

1) If j + m − k_1 ≤ L: then L − m + k_1 ≥ j. Put LL = L − m + k_1 and h(x) = 1 + h_1 x + ... + h_j x^j, where h_i = f_{k_1, i}, i = 1, ..., j. Then g(x) = f_m + u_1 x^{m−k_1} h(x), j ≤ LL < l'_{k_1}. Because (g, L) generates S^{m+1} and L ≥ l_m, so g(S^m) = ... = g(S^{L+1}) = 0 and f_m(S^m) = ... = f_m(S^{L+1}) = 0. Thus h(S^{k_1}) = ... = h(S^{LL+1}) = 0. This means that (h, LL) generates S^{k_1}, but LL < l'_{k_1}. It is contrary to the minimality of l'_{k_1}, hence L ≥ m − k_1 + l'_{k_1} = max{l'_m, m − k_1 + l'_{k_1}} = max{l_m, m − k_1 + l_{k_1}}.

2) If j + m − k_1 > L: regard g(x) and f_m + x^{m−k_1} f_{k_1} as polynomials of degree at most m. Then the number of degenerating (vanishing leading) terms of f_m + x^{m−k_1} f_{k_1} is m − (m − k_1 + j), so m − L ≤ m − (m − k_1 + j). Put LL = L − m + k_1; then j ≤ LL < l'_{k_1}. For the same reason we know that (h(x), LL) generates S^{k_1}, but LL < l'_{k_1}. This is also contrary to the minimality of l'_{k_1}. Thus L ≥ max{l'_m, m − k_1 + l'_{k_1}} = max{l_m, m − k_1 + l_{k_1}}.

PROOF OF THEOREM 4: By using the above lemma and induction on s, it is not difficult to see that Theorem 4 is true.
Theorem 5. Let (f_i, l_i) be the SLFSR which generates S^i, and d_i = f_i(S^{i+1}), i = 0, ..., n−1, n. If d_n (≠ 0) can be expressed as a linear combination of d_i, i = 0, ..., n−1, say

d_n = − Σ_{i=0}^{n−1} u_i d_i,

let I_u = {0 ≤ i ≤ n−1 : u_i ≠ 0}. Put

l_{n+1} = min_u max{l_n, n − i + l_i | i ∈ I_u}   (a)

f_{n+1} = f_n + Σ_{i=0}^{n−1} u'_i x^{n−i} f_i,

where u' = (u'_0, ..., u'_{n−1}) is the vector which makes the right side of (a) take its minimal value. Then (f_{n+1}, l_{n+1}) is a shortest LFSR that generates S^{n+1}.

Proof: Let L denote the right side of (a). It is obvious that l_{n+1} ≤ L. Let (f, l_{n+1}) be a SLFSR that generates S^{n+1}, with l_{n+1} < n+1. By Theorem 2 there must exist a vector u such that

f = f_n + Σ_{i=0}^{n−1} u_i x^{n−i} f_i,   d_n = − u D_n = − Σ_{i=0}^{n−1} u_i d_i.

Then Theorem 4 tells us that l_{n+1} ≥ max{l_n, n − i + l_i : i ∈ I_u} ≥ L, therefore l_{n+1} = L. Thus (f_{n+1}, l_{n+1}) is a SLFSR which generates S^{n+1}.

From the basis chosen in Massey's algorithm and Theorem 5 we can easily conclude that part (ii) in Massey's algorithm is true. Part (iii) has been proved in Theorem 3. Part (i) is apparently true. Thus we have now completely proved Massey's conjectured algorithm.

Let V be a vector space over the field F, and S = s_1 ... s_n be a vector sequence of length n. The problem of finding a pair (f_n(x), l_n) such that (f_n, l_n) generates S^n and l_n is minimal is referred to as the problem of minimal realization for vector sequences.

Notice that the proofs of all the theorems and the lemma are independent of what the s_i's are, but only require that the s_i's belong to a vector space over F. So all the results are true for vector sequences. This means that Massey's algorithm is a universal one; it is suited for the minimal realization of any linear system. We now give some special cases of the universal algorithm:

1) If V = F, then it is the B-M algorithm.
2) If V = F^m, then it is Massey's one for multi-sequence LFSR synthesis.
3) If V = F^{n×n}, then it gives a minimal realization algorithm for matrix sequences.
4) If F = GF(q), V = GF(q^m), then it gives a minimal realization algorithm for sequences in GF(q^m) over GF(q).
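As an added illustration of the objects the theorems manipulate (this is not the author's code), the Python below implements special case 1), the Berlekamp-Massey algorithm over GF(2), recording the discrepancies d_i = f_i(S^{i+1}) and the length changes l_{i+1} = i + 1 − l_i, and then finds the shortest joint LFSR of several sequences (case 2) with V = F^M) by exhaustive search. The search is only a check on small inputs and is not Massey's conjectured algorithm; the sequences in demo() and all function names are constructed for the example.

```python
from itertools import product

def generates(f, L, s):
    """(f, L) generates s^N in the sense of the paper: s_j + sum_{i=1}^{L} f_i s_{j-i} = 0 for L <= j < N,
    with f = [1, f_1, ..., f_deg] over GF(2) and f_i = 0 beyond its degree."""
    coef = f + [0] * (L + 1 - len(f))
    return all((s[j] + sum(coef[i] & s[j - i] for i in range(1, L + 1))) % 2 == 0
               for j in range(L, len(s)))

def lfsr_sequence(f, seed, N):
    """Run the LFSR with connection polynomial f (length deg f) from the initial state seed."""
    s = list(seed)
    L = len(f) - 1
    while len(s) < N:
        s.append(sum(f[i] & s[-i] for i in range(1, L + 1)) % 2)
    return s

def berlekamp_massey(s):
    """Case V = F = GF(2): returns (f_N, l_N, [d_0, ..., d_{N-1}]).  d_i = f_i(S^{i+1}) is the i-th
    discrepancy; when d_i != 0 the new polynomial is f_i + x^{i-m} f_m for the last f_m at which the
    length changed (part (ii) with a single basis element), and the length grows to i + 1 - l_i
    exactly when that is larger than l_i (part (iii))."""
    N = len(s)
    f = [1] + [0] * N                      # f_i
    g = [1] + [0] * N                      # f_m, in force just before the last length change
    L, m, disc = 0, -1, []
    for i in range(N):
        d = (s[i] + sum(f[k] & s[i - k] for k in range(1, L + 1))) % 2
        disc.append(d)
        if d == 0:
            continue                       # part (i): f_{i+1} = f_i, l_{i+1} = l_i
        t = f[:]
        shift = i - m
        for k in range(N + 1 - shift):
            f[k + shift] ^= g[k]           # f_{i+1} = f_i + x^{i-m} f_m
        if 2 * L <= i:
            L, m, g = i + 1 - L, i, t      # l_{i+1} = i + 1 - l_i
    return f[:L + 1], L, disc

def joint_shortest_lfsr(seqs):
    """Exhaustive search for the shortest (f, L) generating every sequence at once; feasible only
    for small L, and used here purely as an independent check on the multi-sequence answer."""
    N = max(len(s) for s in seqs)
    for L in range(N + 1):
        for tail in product((0, 1), repeat=L):
            f = [1] + list(tail)
            if all(generates(f, L, s) for s in seqs):
                return f, L

def demo():
    """Constructed example: two m-sequences of period 15 from the coprime primitive polynomials
    1 + x + x^4 and 1 + x^3 + x^4, each of linear complexity 4 on its own."""
    f1, f2 = [1, 1, 0, 0, 1], [1, 0, 0, 1, 1]
    s1 = lfsr_sequence(f1, [0, 0, 0, 1], 20)
    s2 = lfsr_sequence(f2, [0, 0, 0, 1], 20)
    single = [berlekamp_massey(s)[:2] for s in (s1, s2)]
    joint = joint_shortest_lfsr([s1, s2])
    return single, joint

if __name__ == "__main__":
    single, joint = demo()
    print("single-sequence SLFSRs:", single)
    print("shortest joint LFSR   :", joint)
```

Each sequence alone is recovered with l = 4 and its own polynomial, while the shortest LFSR generating both at once has length 8 with connection polynomial (1 + x + x^4)(1 + x^3 + x^4) = 1 + x + x^3 + x^4 + x^5 + x^7 + x^8, which is the situation the multi-sequence algorithm handles by combining several earlier f_{k_i}.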
ACKNOWLEDGMENT

The author wishes to thank Prof. Xiao Guozhen for his guidance. Also much thanks to Shan Weijuan, Guo Baoan and the people in the 'Seminar for the Theory of Coding and Cryptology' for their helpful suggestions.
REFERENCES

(1) Xiao Guozhen et al., 'Pseudorandom sequences and their applications', The National Defense Industry Press of China.
(2) J.L. Massey, 'Shift-register synthesis and BCH decoding', IEEE Trans. Infor. Theory, Vol. IT-15, Jan. 1969.
(3) Feng Gueiliang and K.K. Tzeng, 'An Iterative Algorithm for Multi-sequence Synthesis with Shortest LFSR', Scientia Sinica (Science in China), A, August

Fig. 1 Massey's Conjectured Algorithm for Multi-sequence Shift Register Synthesis (flowchart; the comment in the figure notes that any c(D) = 1 + c_1 D + ... + c_{n+1} D^{n+1} can be used at the point marked *).

LINEAR RECURRING m-ARRAYS

Dongdai Lin, Mulan Liu
Institute of Systems Science, Academia Sinica
Beijing, 100080, China

ABSTRACT

In this paper, the properties, structures and translation equivalence relations of linear recurring m-arrays are systematically studied. The number of linear recurring m-arrays is given.

1. Introduction

Reed and Stewart [11], Spann [5] and [2] have studied the arrays of so-called perfect maps. This has led to research on various types of window properties for arrays (see [2]-[11]).

In this paper, we make a systematic study of the linear recurring m-arrays of dimension 2. We characterize their structure, and discuss their properties of translation-addition, pseudo-randomness and sampling. We also give the number of linear recurring m-arrays.

All the results in this paper are obtained over the finite field GF(2). One can easily generalize the results to any finite field GF(q).

2. Basic concepts

Let A = (a_{ij})_{i≥0, j≥0} be an array. An m×n submatrix A(i,j) = (a_{i+i', j+j'})_{0≤i'<m, 0≤j'<n} of A is called an m×n window of A at (i,j). Ā(i,j) is the row vector (a_t)_{0≤t<mn} of dimension mn, where a_t = a_{i+i', j+j'}, i' = the integer part [t/n] of t/n, and j' = (t/n) = t − n[t/n].

Definition 2.1: Let A be an array of period r×s. If all m×n windows in a period of A are exactly all non-zero m×n matrices over GF(2), then we call A an m×n-th order m-array of period r×s, or an (r,s;m,n) m-array in short.

Corollary 2.1.1: There exists an (r,s;m,n) m-array only if rs = 2^{mn} − 1.

Definition 2.2: Let A = (a_{ij})_{i≥0, j≥0} be an array, and m and n two positive integers. If there exist two mn×mn matrices T_h and T_v as in (2.2) such that

[linear recurring relation (2.1) between the window vectors of A and T_h, T_v] for all i, j ≥ 0   (2.1)

and

[T_h, T_v: mn×mn matrices in block companion form]   (2.2)

where the entries at the positions marked * are elements in F_2, then we say A is an LR array of order m×n. The window A(0,0) (or Ā(0,0)) is called the initial state of A.

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 351-357, 1988.
© Springer-Verlag Berlin Heidelberg 1988

Definition 2.3: If an LR array of order m×n is also an m-array of order m×n, then we call it an LR m-array of order m×n.

Definition 2.4: Let A = (a_{ij})_{i≥0, j≥0}, B = (b_{ij})_{i≥0, j≥0} be two periodic arrays. If there exist two non-negative integers p, q such that

b_{ij} = a_{i+p, j+q} for all i ≥ 0, j ≥ 0,

then B is called the (p,q)-translation of A, denoted by B = A_{p,q}.

Obviously, the translation relation is an equivalence relation.

Proposition 2.1: Given T_h, T_v as in (2.2), let G(T_h, T_v) be the set of all LR arrays with linear recurring relations (2.1) and let A, B ∈ G(T_h, T_v). Then
1) A_{p,q} ∈ G(T_h, T_v) for any integers p, q ≥ 0.
2) Define 1·A = A, 0·A = 0. Then G(T_h, T_v) is a vector space over GF(2).
3) If there exists one LR m-array of order m×n in G(T_h, T_v), then every one in G(T_h, T_v) is an LR m-array of order m×n. Furthermore T_h T_v = T_v T_h and T_h, T_v are non-degenerate.

Definition 2.5: We call an array A non-degenerate if (2.1) holds for some non-degenerate matrices T_h and T_v as in (2.2).

Corollary 2.5.1: A non-degenerate LR array must be periodic.

Since we are interested in studying LR m-arrays, from now on we always assume that T_h, T_v are non-degenerate and that they commute.

3. αβ-Array

We call an array A = (a_{ij})_{i≥0, j≥0} an αβ-array if its component a_{ij} = L(α^i β^j) for all i ≥ 0, j ≥ 0, where α, β ∈ GF(q), and L is a linear function on GF(q) over GF(2) (GF(2) ⊆ GF(q)). In this section we will mainly study linear recurring relations of αβ-arrays and the necessary and sufficient condition for an αβ-array to be an m-array. We will also compute the number of equivalence classes of αβ-m-arrays.

Lemma 3.1: Let rs = 2^{mn} − 1, (r,s) = 1, o(2 mod r) = m (i.e. the order of 2 in Z_r is m) or o(2 mod s) = n, and let A = (a_{ij})_{i≥0, j≥0} where a_{ij} = L(θ^{is+jr}) for all i ≥ 0, j ≥ 0, L is a non-zero linear function on GF(2^{mn}) over GF(2), and θ is a primitive element of GF(2^{mn}). Then A is an (r,s;m,n) LR m-array.
Proof: See [13].

Let L be a non-zero linear function on the field GF(q) over its prime field GF(p). We define L* to be an elementwise transformation between vectors or matrices over GF(q) and those over GF(p) respectively, as follows:

(a_t)L* = (L(a_t)) and (a_{ij})L* = (L(a_{ij})),

where (a_t) is a row or column vector over GF(q) and (a_{ij}) is a finite or infinite matrix over GF(q).

Proposition 3.2: Let α, β ∈ GF(2^m), o(α) = r, o(β) = s. If rs = 2^m − 1 for some m and (r,s) = 1, then there exists a primitive element θ of GF(2^m) such that α = θ^s and β = θ^r.

Theorem 3.3: Let A = (α^i β^j)L* be an αβ-array, where L is a non-zero linear function on F_2(α, β). Then A is a non-degenerate LR array. Furthermore, A is an (r,s;m,n) m-array if and only if the following conditions are satisfied:
1) o(β) = s, o(α) = r and rs = 2^{mn} − 1.
2) {α^i β^j : 0 ≤ i < r, 0 ≤ j < s} is the set of all non-zero elements of GF(2^{mn}).
3) {α^i β^j : 0 ≤ i < m, 0 ≤ j < n} is a basis of GF(2^{mn}) over GF(2).
In fact, A is then an (r,s;m,n) LR m-array.

Corollary 3.3.1: Let r×s be the period of an αβ-m-array. Then (r,s) = 1.

Let f(x) = x^m + Σ_{i=1}^{m} c_i x^{m−i} be a monic polynomial of degree m over GF(2). Let T = (d_{ij})_{0≤i<m, 0≤j<n} be an m×n matrix over GF(2) and A = (a_{ij})_{i≥0, j≥0} an arbitrary array. If

[relation (3.1) between A, f and T]   (3.1)

we say A ∈ G(f, T).

Proposition 3.4: Suppose f, T as above. Then there exist T_h, T_v such that T_h T_v = T_v T_h and G(T_h, T_v) = G(f, T).

Proposition 3.5: Let f, T be as in Prop. 3.4. If all non-zero arrays in G(f,T) are m-arrays of order m×n, then f(x) must be irreducible.

Proposition 3.6: Let A ∈ G(f,T) be an m-array of order m×n and period r×s. Then r = the period p(f) of f(x) and o(2 mod r) = m.

Proposition 3.7: If rs = 2^{mn} − 1, then either o(2 mod r) = mn or o(2 mod s) = mn.

Proposition 3.8: Let f, T be as in Prop. 3.4, let all arrays in G(f,T) be (r,s;m,n) m-arrays, o(2 mod r) = m, and let α be a root of f(x). Construct a polynomial g(x) of degree n over F_2(α) = GF(2^m) as follows:

[construction of g(x)]

then g(x) is irreducible over F_2(α) and p(g) = s.

Theorem 3.9: Let A = (L(α_1^i β_1^j))_{i≥0, j≥0}, B = (L(α_2^i β_2^j))_{i≥0, j≥0} be two αβ-m-arrays of period r×s. Then A and B are equivalent if and only if the following statements are satisfied:
1) α_1 and α_2 are conjugate over GF(2).
2) If α_1 = α_2^{2^{i_0}} (for some i_0), then β_1 and β_2^{2^{i_0}} are conjugate over F_2(α_1) = F_2(α_2).

Theorem 3.10: The number of equivalence classes of αβ-m-arrays of period r×s is φ(rs)/log_2(rs+1), where φ is Euler's function.

4 . General LR m-Array

In this section, we discuss general LR in-arrays. The main results are about their
structure, enumeration and the necessary and sufficient conditions f o r existence of
arrays with given period rxs.

Proposition 4.1: Suppose A E G ( TT ) is an (r,s:m,n) LR m-array. Then p(Th)=s,


h' v
p(T )=r and the order of any eigenvalue of T (T res?.) is s(r resp.).
h v
Proposition 4 . 2 : Suppose AcG(Th,T ) is an (r,s;m.n> LR m-array and o(2 mod s)=mn.
Then
1) the characteristic polynomial of Th is irreducible, and both Th and Tv are
similar to a diagonal f o r m under same transformation.
2) the minimal polynomial gtx) of T is irrelccible and deg(g(x))=m'if o ( 2 mod
r ) =m?

Theorem 4.3(Existence): For given positive i n t e g - r s r and s, there exists an


m-array with period r x s , if and only if (r,s)=l and rs=2m-1(for some m ) .

Theorem 4.4(Structure): Any LR m-array must be an dg-n-array.

Remark 4 . 5 : By Prop. 3.2, we know that there i s a srinitive element in C,F(Zmn)


such that

Therefore each LR a-array can be determined by a pri~itive elementfand a Linear


function L. We denote X by A ( p , L ) , where r x s is :he period O E A . Obviously, for
rxs
different linear functions, X r x s ( r' ,L)'s are equivalent.

Corollary 4 . L . 1 : A n (r,s;m,n) L R m-array is alss a n ( r , s ; r n n , l ) or (r,s:l,mn) LR


355

m-array according which one of o(2 mod r) and o ( 2 mod s ) is mn.

Corollary 4.4.2: The number of equivalence classes of LR m-arrays of period $r\times s$ is $\varphi(rs)/\log_2(rs+1)$.

Remark 4.6: By Theorem 3.9, it is easy to prove that, for any two conjugate primitive elements $\gamma_1$ and $\gamma_2$ of $GF(2^{mn})$ with respect to $GF(2)$, $A_{r\times s}(\gamma_1,L)$ and $A_{r\times s}(\gamma_2,L)$ are equivalent. But the number of conjugate classes of primitive elements of $GF(2^{mn})$ with respect to $GF(2)$ is also $\varphi(rs)/\log_2(rs+1)$, so that there is a 1-1 correspondence between the equivalence classes of $r\times s$ periodic LR m-arrays and the conjugate classes of primitive elements of $GF(2^{mn})$ (or all primitive polynomials of degree $mn$ over $GF(2)$) (see Remark 4.5 and Corollary 4.4.2). This map can be obtained by (4.1) of Remark 4.5.
The above correspondence is very powerful in Section 5 for studying the properties of LR m-arrays. From now on, $G_{r\times s}(f)$ will denote the set of all the arrays of period $r\times s$ which correspond to a primitive polynomial $f$.

5. Properties of LR m-Arrays

LR m-arrays can be thought of as generalized m-sequences. LR m-arrays have many good properties, as m-sequences do. In this section, we study the properties of translation-addition, sampling and correlation.

Proposition 5.1: An infinite matrix $A$ of period $r\times s$ is an LR m-array if and only if
1) $(r,s)=1$;
2) for any given integers $p_1,p_2,q_1,q_2\ge 0$, either $A_{p_1,q_1}+A_{p_2,q_2}=0$ or $A_{p_1,q_1}+A_{p_2,q_2}=A_{p,q}$ for some $p,q\ge 0$, where $A_{p,q}$ denotes the translate of $A$ by $(p,q)$.

The property given above is a characteristic property of LR m-arrays, called the translation-addition property of LR m-arrays.

Proposition 5.2: For any LR m-array of order $m\times n$, the $mn$ vectors $A(i,j)$ ($0\le i<m$, $0\le j<n$) are linearly independent and all $A(i,j)$ can be linearly expressed by them.

Definition 5.1: Let $A=(a_{ij})_{i\ge 0,\,j\ge 0}$ and let $(r,s)$ be a pair of positive integers. We call $(a_{ir,js})_{i\ge 0,\,j\ge 0}$ an $(r,s)$-sample of $A$. Especially, ... is called a diagonal sample of $A$.

Theorem 5.3: Let $A$ be an LR m-array with period $P_v\times P_h$ and $(r,s)$ be a pair of positive integers. If $(r,P_v)=1=(s,P_h)$, then $A^{(r,s)}$ is again an LR m-array with period $P_v\times P_h$, and any LR m-array of period $P_v\times P_h$ is equivalent to some (diagonal) sample of $A$. Furthermore, if $(r',P_v)=(r,P_v)=(s',P_h)=(s,P_h)=1$, then $A^{(r,s)}$ and $A^{(r',s')}$ are equivalent if and only if

$r'\equiv r\,2^{t} \pmod{2^m-1}$ and $s'\equiv s\,2^{t+mt'} \pmod{2^{mn}-1}$ for some $t$ and $t'$.

Definition 5.2: Let $A=(a_{ij})_{i\ge 0,\,j\ge 0}$ be an array of period $r\times s$. The autocorrelation function of $A$ is defined as the function

$C_A(p,q)=\sum_{i=0}^{r-1}\sum_{j=0}^{s-1}\tau(a_{ij})\,\tau(a_{i+p,\,j+q}),$

where $\tau$ is a function from $GF(2)$ to $\{1,-1\}$ such that $\tau(0)=1$, $\tau(1)=-1$.

Definition 5.3: Let $A$ be a binary array with period $r\times s$. If

$C_A(p,q)=\begin{cases} rs & \text{when } p\equiv 0 \pmod r \text{ and } q\equiv 0 \pmod s,\\ -1 & \text{otherwise,}\end{cases}$

then we call $A$ a pseudo-random array.

Theorem 5.4: Suppose $A$ is a pseudo-random array with period $r\times s$. Then $rs\equiv 3 \pmod 4$ and the difference between the numbers of 1's and 0's in a period of $A$ is 1.

Theorem 5.5: Any LR m-array is a pseudo-random array.
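Definition 5.3, Theorems 5.4 and 5.5 and the translation-addition property of Proposition 5.1, checked on a concrete array. This is an added worked example, not code from the paper: an m-sequence of period 63 = 7 × 9 generated by the primitive polynomial x^6 + x + 1 (my choice) is folded into a 7 × 9 array by the Chinese remainder theorem, a_{ij} = s_t with t ≡ i (mod 7) and t ≡ j (mod 9), which is the (L(α^i β^j)) form of Theorem 3.9 with L the trace function; the code then verifies the two-level autocorrelation, the 1's-minus-0's count and rs ≡ 3 (mod 4), and the translation-addition property by brute force over all pairs of translates.

```python
from math import gcd


def m_sequence(feedback, degree, seed):
    """Binary m-sequence of period 2**degree - 1 from a Fibonacci LFSR.
    feedback lists the exponents of the non-leading terms of the primitive
    polynomial: x**6 + x + 1 gives (1, 0), i.e. s[t+6] = s[t+1] ^ s[t]."""
    state = list(seed)
    if len(state) != degree or not any(state):
        raise ValueError("seed must be a non-zero state of length degree")
    out = []
    for _ in range(2 ** degree - 1):
        out.append(state[0])
        new = 0
        for tap in feedback:
            new ^= state[tap]
        state = state[1:] + [new]
    return out


def fold(seq, r, s):
    """Fold a sequence of period r*s (gcd(r, s) = 1) into an r x s array by the
    Chinese remainder theorem: a[i][j] = seq[t] with t = i mod r, t = j mod s."""
    if gcd(r, s) != 1 or r * s != len(seq):
        raise ValueError("need coprime r, s with r*s equal to the period")
    arr = [[None] * s for _ in range(r)]
    for t, bit in enumerate(seq):
        arr[t % r][t % s] = bit
    return tuple(tuple(row) for row in arr)


def translate(arr, p, q):
    """A_{p,q}: the array shifted by p rows and q columns (cyclically)."""
    r, s = len(arr), len(arr[0])
    return tuple(tuple(arr[(i + p) % r][(j + q) % s] for j in range(s))
                 for i in range(r))


def autocorrelation(arr, p, q):
    """C_A(p,q) = sum tau(a_ij) tau(a_{i+p,j+q}) with tau(0)=1, tau(1)=-1,
    and tau(a) tau(b) = (-1)**(a xor b)."""
    shifted = translate(arr, p, q)
    return sum((-1) ** (a ^ b)
               for row, srow in zip(arr, shifted) for a, b in zip(row, srow))


def is_pseudo_random_array(arr):
    """Definition 5.3: C_A = rs at the zero shift and -1 at every other one."""
    r, s = len(arr), len(arr[0])
    return all(autocorrelation(arr, p, q) == (r * s if (p, q) == (0, 0) else -1)
               for p in range(r) for q in range(s))


def ones_minus_zeros(arr):
    ones = sum(sum(row) for row in arr)
    return ones - (len(arr) * len(arr[0]) - ones)


def translates(arr):
    """All r*s translates A_{p,q}; there are exactly r*s distinct ones when the
    folded sequence really has full period."""
    r, s = len(arr), len(arr[0])
    return {translate(arr, p, q) for p in range(r) for q in range(s)}


def has_translation_addition_property(arr):
    """Proposition 5.1 (2): the sum of any two translates is the zero array or
    another translate."""
    r, s = len(arr), len(arr[0])
    family = translates(arr)
    zero = tuple(tuple(0 for _ in range(s)) for _ in range(r))
    for x in family:
        for y in family:
            total = tuple(tuple(a ^ b for a, b in zip(rx, ry)) for rx, ry in zip(x, y))
            if total != zero and total not in family:
                return False
    return True


# Constructed example: x^6 + x + 1 is primitive over GF(2), period 63 = 7 * 9.
SEQ = m_sequence(feedback=(1, 0), degree=6, seed=(1, 0, 0, 0, 0, 0))
ARRAY = fold(SEQ, 7, 9)

if __name__ == "__main__":
    print("pseudo-random array:", is_pseudo_random_array(ARRAY))
    print("#1 - #0 =", ones_minus_zeros(ARRAY), " rs mod 4 =", (7 * 9) % 4)
    print("distinct translates:", len(translates(ARRAY)))
    print("translation-addition:", has_translation_addition_property(ARRAY))
```

Any other primitive polynomial of degree mn together with a coprime factorisation rs = 2^{mn} − 1 can be substituted; with a non-primitive feedback polynomial the autocorrelation check fails, because the generated sequence then has a period shorter than rs.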

Definition 5.4: Let $A=(a_{ij})_{i\ge 0,\,j\ge 0}$, $B=(b_{ij})_{i\ge 0,\,j\ge 0}$ be two arrays of period $r\times s$. Define their crosscorrelation function as follows:

$C_{A,B}:\ \mathbb{Z}\times\mathbb{Z}\to\mathbb{Z},\qquad C_{A,B}(p,q)=\sum_{i=0}^{r-1}\sum_{j=0}^{s-1}\tau(a_{ij})\,\tau(b_{i+p,\,j+q}),$

where $\tau$ is just as in Definition 5.2.

Theorem 5.6: Suppose $\gamma$ is a primitive element of $GF(2^n)$, $\gamma^{u_1},\gamma^{u_2},\dots,\gamma^{u_k}$ ($0<u_i<2^n-1$) are the first roots of primitive polynomials $f_{u_1}(x),\dots,f_{u_k}(x)$ respectively, $u_1>u_2>\dots>u_k$, $(r,s)=1$, $rs=2^n-1$. Then for any arrays $A\in G_{r\times s}(f_{u_i})$, $B\in G_{r\times s}(f_{u_j})$ and any $t_1,t_2\ge 0$, we have

$C_{A,B}(t_1,t_2)\le 2^n-1-2u_k.$

Theorem 5.7 (Gold Optimum Pair): Let $\gamma$ be a primitive element of $GF(2^n)$,

$u_1=2^{n-1}-1,\qquad u_2=\begin{cases}2^{(n-1)/2}-1 & \text{if } 2\nmid n,\\ 2^{n/2}-1 & \text{if } 2\mid n \text{ but } 4\nmid n.\end{cases}$

SUBSTANTIAL NUMBER OF CRYPTOGRAPHIC KEYS
AND ITS APPLICATION TO ENCRYPTION DESIGNS

Eiji OKAMOTO

C&C Information Research Laboratories
NEC Corporation
4-1-1, Miyazaki, Miyamae-ku
Kawasaki, 213 JAPAN

ABSTRACT

A new concept of the substantial number of cryptographic keys (SNK) in key spaces is proposed and is applied to encryption designs. SNK is defined as the number of keys which are far from each other. It must be greater than $2^{56}$, for instance, to have essentially the same number of keys as DES. This SNK condition restricts the design parameters of encryption systems. In this paper, SNK is strictly defined in key spaces, followed by illustrations of SNK's in fundamental encryption algorithms and product ciphers. Then SNK is applied to the design of encryption systems to decide the design parameters. It is useful for designing product ciphers in particular. SNK should be considered as one of the criteria of encipherment strength.

I. INTRODUCTION

In encryption designs, the technique of combining two or more fundamental encryption algorithms is very useful, because it produces a complicated encryption scheme and a lot of keys. The product of the numbers of keys in the fundamental encryption algorithms is usually regarded as the number of keys in the combined encryption scheme. Some product ciphers, however, do not have so many keys. In Fig. 1, for example, the total number of keys in the product cipher of an $n$ bit block substitution cipher and an $n$ bit block transposition cipher is not substantially equal to $n!\,(2^n)!$, but $(2^n)!$ (the composition of a transposition with a substitution is itself a substitution). This shows that every encryption scheme must have the property that its keys are independent of each other. In other words, the message deciphered with a wrong key must be totally different from the original message.

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 361-373, 1988.
© Springer-Verlag Berlin Heidelberg 1988

There are two methods of designing encryption schemes to overcome the mutual dependence of keys. The first method is based on key selection such that the keys selected are separated from each other in the key space, called the 'sphere packing cipher'. Nakamura [1] showed this kind of self-synchronizing stream cipher scheme using error correcting codes. The design of transposition ciphers using Reed-Solomon codes in [2] is also based on the same idea.
The second method is based on a design such that the probability of any key lying in the neighborhood of any other key is made as small as $2^{-56}$, for instance. This method does not require special selection of keys as in the first method. Users can select any key in the key space.
The second method leads to a new concept of the number of keys, the Substantial Number of Keys (SNK). Roughly speaking, SNK is the number of keys which are different from each other in the sense that close keys are regarded as one key. In this paper, the difference of two keys in the key space is defined precisely and SNK is discussed in this space. The design parameters of any encryption scheme are restricted by the condition that the encryption scheme should have enough SNK to avoid exhaustive key attacks. The sphere packing cipher is also reviewed from the point of view of SNK. The SNK should be considered as one of the criteria of encipherment strength.

II. SUBSTANTIAL NUMBER OF KEYS (SNK)

1. Definition of SNK
A key space consists of a set of all keys, the probabilities of selecting any key, and the differences between any two keys. The key set of a transposition cipher, for example, contains all transpositions of the input data, including the identity. Let $Q_d(K)$ be the probability of selecting a key lying in the sphere of radius $d$ about key $K$. Then the substantial number of keys, $SNK_d$, regarding any two keys within difference $d$ of each other as the same, is defined as

$SNK_d=\frac{1}{A[Q_d(K)]},\qquad (1)$

where $A[\ ]$ means the average with respect to the probability of selecting keys. This definition is justified by the following example: the total number $N$ of stones is given by $1/Q$ when the probability of selecting any one stone from all stones is $Q$, because $Q=1/N$.
Although the difference of two keys in the key space could be defined variously, this paper employs the reversed-bits rate [1], $r(K_1,K_2)$, to define it.
$r(K_1,K_2)=A\!\left[\frac{h\big(M,\;D_{K_2}(E_{K_1}(M))\big)}{L(M)}\right].\qquad (2)$

Here, $M$ is any message, and $E_K(\ )$, $D_K(\ )$ are encryption and decryption with key $K$, respectively. Key $K_2$ is not necessarily the decryption key corresponding to $K_1$. The function $h(\ ,\ )$ is the Hamming distance, and $L(\ )$ is the length. In Eq.(2), $A[\ ]$ is the average when message $M$ is randomly selected from the message space which contains all messages. Then, the difference $\rho(K_1,K_2)$ between two keys $K_1$ and $K_2$ is defined as

$\rho(K_1,K_2)=\frac{1}{2}-\left|\frac{1}{2}-r(K_1,K_2)\right|.\qquad (3)$

The difference $\rho$ is the reversed-bits rate $r$ when $r\le 1/2$, or $1-r$ when $r>1/2$. In other words, it is the minimum of the distances between the reversed-bits rate and 0 or 1. The measure is useful especially for voice data.

2. Examples of SNK
This section illustrates the SNK's of the four block ciphers in Fig. 2. In the figure, (a), (b) and (c) are examples of fundamental ciphers and (d) is an example of a product cipher. Every key is selected with equal probability. The integer $n$ means the block length of the ciphers.

a) Exclusive-or cipher
An exclusive-or cipher has an $n$-bit vector $P$ as its key. The key space is an $n$-dimensional space which contains $2^n$ keys in all. If the Hamming distance between the encrypting key $P_1$ and the decrypting key $P_2$ is $h$, the reversed-bits rate $r$ is given by

$r=\frac{h}{n}.\qquad (4)$

If $P_2$ is a uniform random variable, the distance $h$ is a binomial random variable. Then the probability $Q_d=A[Q_d(P_1)]$ is

$Q_d=\Pr[r<d]+\Pr[r>1-d]=2^{-n}\Big(\sum_{h<dn}\binom{n}{h}+\sum_{h>(1-d)n}\binom{n}{h}\Big).\qquad (5),(6)$

Since the binomial distribution is approximated by the Gaussian,

$\sum_{i=0}^{k}\binom{n}{i}p^i q^{n-i}\approx 1-\mathrm{erf}\!\left(\frac{k-np}{\sqrt{npq}}\right),\qquad p+q=1,\qquad (7)$

where $\mathrm{erf}(x)$ here denotes the Gaussian tail probability $\frac{1}{\sqrt{2\pi}}\int_x^{\infty}e^{-t^2/2}\,dt$ (8), the probability $Q_d$ is nearly equal to

$Q_d\approx 2\,\mathrm{erf}\big((1-2d)\sqrt{n}\big).\qquad (9)$

Therefore $SNK_d$ is

$SNK_d\approx\frac{1}{2\,\mathrm{erf}\big((1-2d)\sqrt{n}\big)}.\qquad (10)$

Figure 3 (a) shows the SNK curve of exclusive-or ciphers with respect to $n$, where $d$ is regarded as a parameter. The number $k$ is the length of SNK:

$k=\log_2 SNK.\qquad (11)$

The data block length $n$ should be more than 500 if $SNK>2^{56}$ and the reversed-bits rate lies between 0.3 and 0.7.

b) Substitution cipher
A substitution cipher of $n$-bit block is a permutation of the $N=2^n$ $n$-bit patterns, hence the total number of keys is $(2^n)!$. Let $K_1,K_2$ denote the keys of the encryption and decryption transformations, respectively, and $D_{K_2}E_{K_1}$ be the composite of the two transformations. The reversed-bits rate between any input bit to $D_{K_2}E_{K_1}$ and the corresponding output bit is equal to that between the MSB's (most significant bits) of the input and the output. Figure 4 illustrates an example of a substitution cipher with $n=3$. When the Hamming distance between column $I_1$ (the MSB of the input bits) and column $O_1$ (the MSB of the output bits) is $2h$, which is always even, the reversed-bits rate is

$r=\frac{2h}{N},\qquad (12)$

and the total number of substitution ciphers with this $h$ is given by:

Therefore, the probability of $r<d$ or $r>1-d$ is the sum of the probabilities of the values $h<dM$ and $h>(1-d)M$ (13), where $M=N/2=2^{n-1}$. As the binomial distribution is approximated by the Gaussian,

the probability $Q_d$ is approximately equal to

Equation (14) is the same as Eq.(9), if the integer $n$ in Eq.(9) is replaced with $2^n$. This means substitution ciphers might be exponentially stronger than exclusive-or ciphers. Hence, the SNK of substitution ciphers is equal to:

Figure 3 (b) shows the SNK curve of substitution ciphers with respect to $n$, where $d$ is regarded as a parameter. The data block length $n$ should be more than 8 if $SNK>2^{56}$ and the reversed-bits rate lies between 0.3 and 0.7.
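The exclusive-or and substitution calculations above, as an added worked example (this code is not from the paper): the exact binomial sums of Eqs.(5)-(6) are compared with the Gaussian approximation of Eqs.(9)-(10), and the smallest block length with $k>56$ at $d=0.3$ is searched for. Two assumptions are made explicit in the code: the paper's "erf" is read as the Gaussian tail probability, which is the only reading under which Eq.(9) is a probability, and, following the page's statement that Eq.(14) is Eq.(9) with $n$ replaced by $2^n$, the substitution-cipher curve is taken to be the exclusive-or curve evaluated at $2^n$.

```python
from fractions import Fraction
from math import comb, erfc, log2, sqrt


def reversed_bits_rate_xor(p1, p2, n):
    """Eq.(4): D_{P2}(E_{P1}(M)) = M ^ P1 ^ P2, so the reversed-bits rate is the
    Hamming weight of P1 ^ P2 over n for every message M (no averaging needed)."""
    return bin(p1 ^ p2).count("1") / n


def difference(r):
    """Eq.(3): rho = 1/2 - |1/2 - r|, i.e. min(r, 1 - r)."""
    return 0.5 - abs(0.5 - r)


def q_xor(n, d):
    """Eqs.(5)-(6): exact probability that a uniformly random decrypting key is
    within difference d of the encrypting key; h ~ Binomial(n, 1/2).  d may be
    given as a string such as "0.3" so that the comparison stays exact."""
    d = Fraction(d)
    lo, hi = d * n, (1 - d) * n
    tail = sum(comb(n, h) for h in range(n + 1) if h < lo or h > hi)
    return Fraction(tail, 2 ** n)


def snk_bits(q):
    """k = log2 SNK_d = -log2 Q_d, taken on numerator and denominator so that a
    very small Q_d cannot underflow a float."""
    return log2(q.denominator) - log2(q.numerator)


def snk_bits_xor(n, d):
    return snk_bits(q_xor(n, d))


def snk_bits_xor_gauss(n, d):
    """Eqs.(9)-(10) with the paper's erf read as the Gaussian tail:
    2 * tail((1-2d) sqrt(n)) = erfc((1-2d) sqrt(n/2)) in terms of the standard
    complementary error function."""
    d = float(Fraction(d))
    return -log2(erfc((1 - 2 * d) * sqrt(n / 2)))


def snk_bits_substitution(n, d, gaussian=False):
    """Assumption taken from the page: Eq.(14) is Eq.(9) with n -> 2**n, so the
    substitution curve is the exclusive-or curve evaluated at 2**n."""
    fn = snk_bits_xor_gauss if gaussian else snk_bits_xor
    return fn(2 ** n, d)


def min_block_length(snk_fn, d, k_target, n_max):
    """Smallest block length n <= n_max whose SNK length exceeds k_target."""
    for n in range(1, n_max + 1):
        if snk_fn(n, d) > k_target:
            return n
    return None


if __name__ == "__main__":
    d = "0.3"  # reversed-bits rate between 0.3 and 0.7
    for n in (100, 300, 500):
        print(n, round(snk_bits_xor(n, d), 1), round(snk_bits_xor_gauss(n, d), 1))
    print("exclusive-or n for k > 56:", min_block_length(snk_bits_xor, d, 56, 1000))
    print("substitution n for k > 56:", min_block_length(snk_bits_substitution, d, 56, 12))
```

The exact curve runs a couple of bits above the Gaussian one in the far tail, so the exact threshold for $k>56$ at $d=0.3$ lands a little below the paper's "more than 500"; the substitution threshold of 9 bits agrees with the paper's "more than 8".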

c) Transposition cipher
There are $n!$ transposition ciphers of $n$-bit block in all. Since the inverse of a transposition cipher and the composite of two transposition ciphers are again transposition ciphers, the transformation $D_{K_2}E_{K_1}$ is another transposition cipher. An example of $D_{K_2}E_{K_1}$ is illustrated by Fig. 5. In the figure, the integer $h$ is the number of bits actually permuted by the product transposition. The reversed-bits rate of the product transposition cipher is

$r=\frac{h}{2n}\le\frac{1}{2}.\qquad (16)$

The total number of transposition ciphers in which exactly $h$ bits are actually permuted is

$\binom{n}{h}D_h.\qquad (17)$

The symbol $D_h$ means

$D_h=h!\sum_{j=0}^{h}\frac{(-1)^j}{j!}.$

In other words, $D_h$ is the number of transpositions $(a_1,a_2,\dots,a_h)$ of $(1,2,\dots,h)$ such that $a_1\ne 1$, $a_2\ne 2,\dots,a_h\ne h$ (derangements). When $h$ is large enough, $D_h$ is approximately equal to $h!/e$:

$\frac{D_h}{h!}\to e^{-1}\quad(h\to\infty).\qquad (18)$

When $h>5$, $D_h/h!$ agrees with $e^{-1}$ to more than 2 digits. The probability of $r<d$ is obtained by

$\Pr[r<d]=\frac{1}{n!}\sum_{h<2dn}\binom{n}{h}D_h.\qquad (19)$

Though $D_h$ is not equal to $h!/e$ if $h$ is small, we can ignore this in Eq.(19), because then both $\binom{n}{h}$ and $D_h$ are much smaller than the other terms, and so is $h!/e$. Therefore,

$\Pr[r<d]\approx\frac{1}{e}\sum_{h<2dn}\frac{1}{(n-h)!}\approx F\big((1-2d)n,1\big),\qquad (20)$

where $F$ is the (tail of the) Poisson distribution:

$F(x,\lambda)=\sum_{j\ge x}\frac{e^{-\lambda}\lambda^j}{j!}.\qquad (21)$

Since the Poisson distribution can be approximated by the Gaussian distribution, SNK is approximately

$SNK_d\approx e\,\lfloor(1-2d)n\rfloor!\,.\qquad (22)$

The symbol $\lfloor x\rfloor$ denotes the maximum integer not greater than $x$. Figure 3 (c) shows the SNK curve of transposition ciphers with respect to $n$, regarding $d$ as a parameter. The data block length $n$ should be more than 45 if $SNK>2^{56}$ and the reversed-bits rate lies between 0.3 and 0.7.

d) Transposition & Exclusive-or ciphers

The substantial number of keys in the product cipher of a transposition cipher and an exclusive-or cipher is calculated as an example of SNK in product ciphers. The product cipher has $2^n n!$ keys in all. Although this product cipher is simple, it is rather important in radio transmission, for instance, because it is the general form of a cipher with no error propagation [3]. That is, the decryption process does not expand errors that occurred in transmission, and the only cipher with no error propagation is the transposition and exclusive-or product cipher.
The composite of the encryption with key $K_1$ and the decryption with key $K_2$ is another transposition and exclusive-or transformation. Figure 6 shows an example of the product cipher $D_{K_2}E_{K_1}$. In the figure, the reversed-bits rate is

$r=\frac{h/2+a}{n}.\qquad (23)$

The integer $h$ is the number of actually permuted bits, and $a$ is the number of 1's in $P$ at the positions that are not permuted. The total number of transposition and exclusive-or ciphers which have $h$ bits actually permuted and $a$ bits of 1's in $P$ as just described is

$\binom{n}{h}D_h\binom{n-h}{a}2^h.\qquad (24)$

Using Eq.(18), the total number equals

$\frac{2^h\,n!}{e\,(n-h-a)!\,a!}.$

Hence, the probability of $r<d$ or $r>1-d$ is obtained by summing these counts over all $(h,a)$ with $r<d$ or $r>1-d$ and dividing by $2^n n!$ (25). In (25), the second and third approximations hold because the terms corresponding with $j=2$ and $l=(1-2d)n$ are much larger than the other terms. Therefore, the SNK of the transposition and exclusive-or cipher is obtained from (25).

The length of SNK of the transposition and exclusive-or ciphers, $k_{T\&E}$, is nearly equal to

$k_{T\&E}\approx k_T+(1-2d)n-1,\qquad (26)$

where $k_T$ indicates the length of SNK of the transposition cipher. This shows that the SNK length of the transposition cipher increases owing to the exclusive-or with the bit pattern $P$. Figure 3 (d) illustrates the SNK. The data block length of the transposition and exclusive-or ciphers should be more than 37 when SNK is more than $2^{56}$ and the reversed-bits rate lies between 0.3 and 0.7.
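The transposition and transposition-and-exclusive-or calculations above, as an added worked example (not code from the paper): the key counts of Eqs.(17) and (24) are built from the derangement numbers $D_h$, summed exactly over the keys with $r<d$ or $r>1-d$ as in Eqs.(19) and (25), and compared with the approximation of Eq.(22) and the increment of Eq.(26). The search over $n$ at $d=0.3$ reproduces the page's $n_{T\&E}\ge 38$.

```python
from fractions import Fraction
from math import comb, e, factorial, floor, log2


def derangements(h):
    """D_h: permutations of h objects with no fixed point (D_0 = 1, D_1 = 0),
    by the recurrence D_h = (h - 1)(D_{h-1} + D_{h-2})."""
    if h == 0:
        return 1
    prev, cur = 1, 0
    for k in range(2, h + 1):
        prev, cur = cur, (k - 1) * (prev + cur)
    return cur


def transposition_keys_with_h_moved(n, h):
    """Eq.(17): transpositions of n bits in which exactly h bits move."""
    return comb(n, h) * derangements(h)


def snk_bits(q):
    """k = log2 SNK_d = -log2 Q_d on exact integers (no float underflow)."""
    return log2(q.denominator) - log2(q.numerator)


def q_transposition(n, d):
    """Eq.(19): probability of r = h/(2n) < d (or > 1-d, which is empty for
    d < 1/2) over all n! transpositions; d as "0.3" keeps comparisons exact."""
    d = Fraction(d)
    tail = sum(transposition_keys_with_h_moved(n, h) for h in range(n + 1)
               if Fraction(h, 2 * n) < d or Fraction(h, 2 * n) > 1 - d)
    return Fraction(tail, factorial(n))


def snk_bits_transposition(n, d):
    return snk_bits(q_transposition(n, d))


def snk_bits_transposition_approx(n, d):
    """Eq.(22): SNK_d ~ e * floor((1 - 2d) n)!"""
    d = Fraction(d)
    return log2(e) + log2(factorial(floor((1 - 2 * d) * n)))


def te_keys(n, h, a):
    """Eq.(24): transposition-and-exclusive-or keys with h bits moved and a
    ones of P on the n - h fixed positions (the h moved positions are free)."""
    return comb(n, h) * derangements(h) * comb(n - h, a) * 2 ** h


def q_te(n, d):
    """Eqs.(23) and (25): r = (h/2 + a)/n; sum the counts with r < d or
    r > 1-d and divide by the 2**n n! keys."""
    d = Fraction(d)
    tail = 0
    for h in range(n + 1):
        for a in range(n - h + 1):
            r = (Fraction(h, 2) + a) / n
            if r < d or r > 1 - d:
                tail += te_keys(n, h, a)
    return Fraction(tail, 2 ** n * factorial(n))


def snk_bits_te(n, d):
    return snk_bits(q_te(n, d))


def min_block_length(snk_fn, d, k_target, n_max):
    """Smallest block length n <= n_max whose SNK length exceeds k_target."""
    for n in range(1, n_max + 1):
        if snk_fn(n, d) > k_target:
            return n
    return None


if __name__ == "__main__":
    d = "0.3"
    for n in (40, 45, 48):
        kt = snk_bits_transposition(n, d)
        print(n, "k_T =", round(kt, 2), "Eq.(22):", round(snk_bits_transposition_approx(n, d), 2),
              "k_T&E =", round(snk_bits_te(n, d), 2), "Eq.(26):", round(kt + 0.4 * n - 1, 2))
    print("T&E n for k > 56:", min_block_length(snk_bits_te, d, 56, 60))
```

Eq.(22) keeps only the leading Poisson term and is a few bits below the exact value, because the page's strict inequality $r<d$ leaves $h\le 2dn-1$ moved bits and hence $n-h\ge\lfloor(1-2d)n\rfloor+1$ in the dominant factorial; Eq.(26) is within about one bit of the exact difference $k_{T\&E}-k_T$.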

III. BOUNDARY OF SNK

The substantial number of keys is closely related with sphere packing. In this section, a bound on SNK is given in terms of the number of spheres packed in the key space. Though the difference defined by Eq.(3) does not necessarily constitute a distance in key spaces, the key spaces are assumed to be metric spaces in this section. The differences in exclusive-or ciphers or nonlinear feedback shift register stream ciphers [1], for instance, are proved to be distances.
Sphere packing is to pack as many spheres in the key space as possible. The maximum number of spheres of diameter $d$, that is, the number of keys $N_d$ of the sphere packing cipher, is less than or equal to $SNK_d$:

This inequality (27) may be considered as nearly an equality. However, $N_d$ is much larger than $SNK_d$ in general, because the radius of the sphere is $d/2$:

Hence, $SNK_d$ is bounded by:

IV. APPLICATION TO ENCRYPTION DESIGN

In encryption designs, both the substantial number of keys SNK and the difference $d$ (or the reversed-bits rate $r$) are given as design parameters. When $SNK=2^{56}$ and the reversed-bits rate is more than 0.3 and less than 0.7 ($d=0.3$), for example, Fig. 3 shows the block size $n$ should be more than 500 for the exclusive-or cipher, more than 8 for the substitution cipher, more than 45 for the transposition cipher, and $n_{T\&E}\ge 38$ for the transposition and exclusive-or cipher.
Under these SNK conditions, one can pick any key in the key space as an encryption key. One does not have to select special keys. An arbitrary $n$-bit pattern $P$ can be used as a key in the exclusive-or cipher. You don't have to worry about an eavesdropper happening to pick a decipher key close to the right key, because the probability is less than $SNK^{-1}=2^{-56}$.
The sphere packing ciphers have to satisfy the SNK condition too. Though $N_d$ is the number of keys of the ciphers, the condition $N_d\ge 2^{56}$ is not enough. The ciphers must also satisfy $SNK_d\ge 2^{56}$. Otherwise, the key picked by an eavesdropper, which is not necessarily a key of this scheme, is close to the right key with probability greater than $2^{-56}$. This shows that the condition $N_d\ge 2^{56}$ alone is meaningless. Eq.(28) shows $SNK_d$, not $N_d$, is critical.
DES probably satisfies the SNK condition, because the SNK of DES is much larger than $2^{56}$. The SNK of DES is approximately given by $2e^{2^{17}(1-2d)^2}/\pi$ using Eq.(15), if DES is treated as a huge substitution cipher. When DES is considered as a product cipher, SNK would be less than that, but still much larger than $2^{56}$, though the actual calculation is very complicated.
The SNK condition is useful when one wishes to construct a rather simple encryption scheme by the combination of fundamental ciphers.

V. CONCLUSION

The substantial number of keys, SNK, is defined and illustrated with examples of fundamental ciphers and a product cipher. SNK is one of the encipherment strength criteria. In encryption designs, SNK is used to condition the design parameters. SNK is useful for designs of product ciphers in particular.
I would like to thank Mr. Nakamura and Ms. Tanaka for lots of helpful discussions.

REFERENCES

[1] K. Nakamura, "On Self-synchronization Encryption Systems," 24th Allerton Conf., pp. 1057-1063, 1986 (also in Proc. of SITA86, pp. 371-377, in Japanese).
[2] E. Okamoto and K. Nakamura, "Permutation Ciphers Based on Reed-Solomon Codes," 1983 IECE Conf., pp. 1.463-1.464 (in Japanese).
[3] E. Okamoto and K. Nakamura, "Relation between Error Propagation and Nonlinearity in Cryptosystems," 1985 IECE Conf., p. 6.27 (in Japanese).
Fig. 1 Product Cipher (Transposition followed by Substitution)

Fig. 2 Examples of Cipher: (a) Exclusive-or, (b) Substitution, (c) Transposition, (d) Transposition & Exclusive-or (all of block length n)

Fig. 3 Examples of SNK: log_2 SNK versus block length n for d = 0.2, 0.3, 0.4; (a) Exclusive-or (n up to 2600), (b) Substitution (n up to 20), (c) Transposition (n up to 120), (d) Transposition & Exclusive-or (n up to 100)

Fig. 4 Substitution Cipher (n = 3, h = 3):

  Input   Output
  0 0 0   1 0 1
  0 0 1   0 1 1
  0 1 0   1 1 0
  0 1 1   1 1 1
  1 0 0   0 0 1
  1 0 1   0 0 0
  1 1 0   1 0 0
  1 1 1   0 1 0

The Hamming distance between the input MSB column and the output MSB column is 2h = 6.

Fig. 5 Transposition Cipher D_{K2} E_{K1}

Fig. 6 Product Cipher D_{K2} E_{K1} (n - h bits not permuted, h bits permuted)
A MEASURE OF SEMIEQUIVOCATION

Andrea Sgarro

Department of Mathematics and Computer Science
University of Udine
33100 Udine, Italy

ABSTRACT

A Shannon-theoretic cryptographic model is described in which the purpose of the cryptanalyst is to find a set of M elements containing the solution, rather than finding the solution itself. For M = 2 we introduce the notions of semientropy, semiequivocation and duplicity distance, which are counterparts to well-known notions met in the case M = 1. It is argued that in some situations our model takes into account the semantical competence of the cryptanalyst (as opposed to his statistical competence) better than the usual model does.

I. Introduction

In Shannon-theoretic cryptography the clearmessage source is usually described as a stochastic process. In the literature results have appeared for substitution and transposition ciphers (cf. e.g. /1/ to /5/) which hold assuming that the message source has a well-defined statistical behaviour, for example that it is memoryless and stationary; the letter probabilities might be given, as in /1/ to /5/, or might be left unspecified. The latter point of view is called "universal" in non-secret coding theory, but we feel that this term is rather misleading in the context to follow (statisticians prefer the less ambitious term "robust"). In /6/ also the case of Markov sources is covered.
Let us assume that the clearmessage is written in a natural language like English. Describing English as a Markov process with memory 3 is often considered to be reasonably adequate; actually, in non-secret coding much coarser descriptions have brought forth considerable practical

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 375-387, 1988.
© Springer-Verlag Berlin Heidelberg 1988

success, starting with the Morse code of 1838. As a matter of fact, a natural language results from the superposition of comparatively simple frequency-type dependences and extremely complicated semantical dependences which can act even over a very large range. In principle, also this latter type of dependence can be captured in a single all-comprehensive statistical description: its intricacy, however, is far past the possibility of numerical assessment.
In cryptography, unlike in non-secret coding, keeping only short-range frequency-type dependences does not seem to be a wise policy. Frequency-type descriptions are too optimistic, because they ignore the semantical competence of the cryptanalyst. This is the opposite of what one should do in cryptography, where, if need be, models have to be over-pessimistic, and not the other way round.
In /6/ and /5/ this author has pointed out certain unpleasant "paradoxes" which result from assuming that the clearmessage source has a simple and well-defined statistical behaviour, like, say, memoryless and stationary, or Markov with given memory. Certainly, no paradox arises in the case of results which are "universal" in the proper sense of this term. Take the perfection of the one-time pad (cf. e.g. /8/), which holds true whatever the message statistics may be; no assumption is needed, not even ergodicity or stationarity. This result, covering even the most mysterious long-range dependences, is perfectly sound and ready to be used. Unfortunately, accepting only results which have such universal validity is a very restrictive policy, indeed.
Below we describe an alternative Shannon-theoretic model which takes inspiration from historical cryptanalytic practice. The idea is the following: a cryptanalyst would first use his frequency-type statistical knowledge to curtail the number of possible solutions; when this number is small, semantics gets the upper hand of frequency-type statistics, and he can find the solution directly without further bother. In other words, the purpose of the spy is not to find the solution by frequency-type arguments, but only to find a "small" set of possible solutions. In the following we shall fix an integer M and declare "small" a set with M elements; actually in calculations we shall go so far as to take M = 2. Of course, this is quite arbitrary; however, our purpose here is to explore the quantitative variations in the new case M = 2 with respect to the classical case M = 1 to derive qualitative information for the more general situation M > 1. Observe that since we assume that the first part of the spy's job is statistical "stricto sensu" we are justified in using those
neat descriptions for the behaviour of the message source which we have argued to be fishy in the case M = 1.
Our approach leads us to define a new measure of equivocation, which we call semiequivocation. Key equivocation, say, represents the uncertainty of the spy who has intercepted the cryptogram and wants to identify the correct key (cf. e.g. /8/); instead, key semiequivocation will represent the uncertainty of the spy who only wants to find a doubleton containing the correct key. Equivocation is a conditional entropy; its meaning is based on the fact that Shannon's entropy is an adequate measure of statistical uncertainty. Before introducing our new measure of semiequivocation, we shall have to introduce an (unconditional) new measure of "semi-uncertainty", called semientropy, which will be the counterpart to Shannon's entropy. This will be done in section II, while section III is devoted to the notions of semiequivocation and duplicity distance, the latter being the counterpart to that of unicity distance (cf. e.g. /8/); an example is given. Section IV contains a final comment.
We adopt the notation of /9/ for information-theoretic concepts; in particular, $H(X)=H(P)$ is the entropy of the random variable (r.v.) $X$ with probability distribution (p.d.), or probability vector, $P=(p_1,p_2,\dots,p_K)$, while $I(X;Y)=I(P,W)$ is the mutual information between the r.v.'s $X$ and $Y$, the probability distribution of this random couple being determined by the p.d. $P$ of $X$ and the stochastic matrix $W$ which gives the conditional probabilities of $Y$ given $X$; $h(p)$ is the binary entropy function: $h(p)=H(P)$ with $P=(p,1-p)$; $D(P\,\|\,Q)$ is the informational divergence (cross-entropy) of $P$ and $Q$, in this order. Logarithms are to any base greater than 1. The source alphabet is $\mathcal{A}=\{a_1,a_2,\dots,a_K\}$, $K\ge 2$; we shall write indifferently $p_i$ or $P(a_i)$.

II. Semientropy

Shannon's entropy is considered to be an adequate measure of statistical uncertainty. There are several justifications, both "axiomatic" and "pragmatic", for this interpretation (cf. e.g. /9/). The pragmatic point of view derives the meaning of entropy from coding theorems which, roughly speaking, state that $H(X)=H(P)$ is the minimum (not necessarily integer) number of bits needed to reliably describe the outcome of r.v. $X$; these bits are "nearly" independent and equidistributed, so that each binary digit contains almost exactly one binary bit of information (cf. /9/);

(we suppose here that the logs are to the base 2). In our setting a "reliable description" of the outcome of $X$ must be understood in a slacker sense. Actually, we are not interested in knowing the exact value of $X$, but rather in finding out an $M$-set to which this value belongs. We shall take inspiration from rate-distortion theory. Let us take a reproduction alphabet whose "letters" are the $M$-sets of primary letters (we assume $M\le K$); let us consider a distortion measure $d(a,y)$ which is zero iff (if and only if) letter $a$ belongs to set $y$ (one may define $d(a,y)=1$ otherwise, but this is irrelevant for zero distortions). We shall resort to $R_P(0)$, the rate-distortion function computed for distortion level 0, to measure the "reduced uncertainty" contained in $X$ which is relevant to us. Of course, for $M=1$ one re-finds Shannon's entropy; for $M=2$, $R_P(0)$ will be called the semientropy of $X$, or of $P$, and denoted by $S(X)=S(P)$. In the following, unless otherwise specified, we assume $M=2$.
$S(P)$ represents the minimum (not necessarily integer) number of bits (of $D$-its if logs to the base $D$ are used) needed to reliably describe the outcome of $X$, taking into account our reduced needs of fidelity with respect to the classical case $M=1$.
Definition 1. The semientropy $S(X)=S(P)$ of r.v. $X$ with p.d. $P$ is defined as

Above the first minimum is taken with respect to stochastic matrices $W$ such that $W(y\mid a)>0$ implies $a\in y$, or $d(a,y)=0$; the second with respect to a random couple $XY$ with distribution given by $P$ and $W$, $W$ as above. Corollary 2.3.7 in /9/ allows us to give an alternative definition of $S(P)$:

Above $Q=(q_1,q_2,\dots,q_K)$ is a p.d. over the primary alphabet $\mathcal{A}$.

The theorem below gives an explicit formula for $S(P)$.
Theorem 1.
$S(P)=H(P)-\log 2$ if $p^*\le\frac{1}{2}$,
$S(P)=H(P)-h(p^*)$ if $p^*\ge\frac{1}{2}$,
$p^*$ being the largest probability in $P$.

Proof. The bound $S(P)\ge H(P)-\log 2$ follows from $I(X;Y)=H(X)-H(X\mid Y)=H(P)-H(X\mid Y)$ because, given the doubleton $Y$, $X$ takes at most two values with positive probability, the two elements of $Y$. We explore the conditions for equality in that bound. The bound is attained when an admissible $W$ exists such that $P(a\mid y)=P(b\mid y)=\frac{1}{2}$ for any $y=\{a,b\}$ such that $R(y)>0$ (the notation is self-explaining; $R$ is the marginal distribution over the secondary alphabet). Therefore the criterion for having equality in the bound is $W(y\mid a)=\frac{R(y)}{2p_a}$, $a\in y$.
Suppose $R$ has been fixed over the set of couples. A $W$ giving that $R$ exists iff, for each $a$: $\sum_{y\ni a}R(y)=2p_a$ (non-negativity for $W$ is ensured by non-negativity for $P$). Therefore the lower bound is attained iff the system

$\sum_{y\ni a}R(y)=2p_a,\qquad a\in\mathcal{A},$

has non-negative solutions $R(y)$ (these sum to 1 as ensured by $\sum p_i=1$: the sum of the left-hand sides is $2\sum_y R(y)$). For $p^*>\frac{1}{2}$ the system is clearly impossible. In the Appendix we prove that the system does admit positive solutions for $p^*\le\frac{1}{2}$.
Then $S(P)=H(P)-\log 2$ for $p^*\le\frac{1}{2}$, $S(P)>H(P)-\log 2$ for $p^*>\frac{1}{2}$.
Fix letter $a$ and use a test matrix $W$ defined as follows ($a\ne b$):

A computation shows that in this case $I(P,W)=H(P)-h(P(a))$. Then, for all $i$: $S(P)\le H(P)-h(p_i)$. Consider now the alternative definition (1) of $S(P)$. Without real restriction assume $p_1=p^*$; we shall use the test distribution $Q$ with components proportional to $(p^*,1-p^*,1-p^*,\dots,1-p^*)$. If $p^*\ge\frac{1}{2}$, or $p^*\ge 1-p^*$, one obtains after a few calculations:

Therefore, for $p^*\ge\frac{1}{2}$: $S(P)\ge H(P)-h(p^*)$. Combining the two inequalities for $S(P)$ one has $S(P)=H(P)-h(p^*)$ for $p^*\ge\frac{1}{2}$. QED
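Theorem 1 and its proof as a worked example, added here (this code is not the paper's; logs are to base 2, so log 2 = 1): semientropy() implements the formula of Theorem 1; doubleton_marginal() and equality_channel() realise the equality case p* ≤ 1/2 of the proof by constructing a marginal R with Σ_{y∋a} R(y) = 2p_a and the channel W(y|a) = R(y)/(2p_a), using a pairing of arcs on a circle that is my own construction (the paper's Appendix is not on the page); single_letter_channel() is an assumed test matrix for the case p* > 1/2 (the paper's matrix is not reproduced on the page) that attains I(P,W) = H(P) − h(p_a). mutual_information() evaluates I(P,W) directly, so both constructions can be checked against the closed form.

```python
from fractions import Fraction
from math import log2


def entropy(probs):
    """Shannon entropy in bits; zero probabilities contribute nothing."""
    return -sum(p * log2(p) for p in probs if p > 0)


def binary_entropy(p):
    """h(p) = H((p, 1 - p))."""
    return entropy((p, 1 - p))


def semientropy(P):
    """Theorem 1 with logs to base 2 (log 2 = 1):
    S(P) = H(P) - 1 if p* <= 1/2, and H(P) - h(p*) if p* >= 1/2."""
    p_star = max(P)
    if p_star <= 0.5:
        return entropy(P) - 1.0
    return entropy(P) - binary_entropy(p_star)


def mutual_information(P, W):
    """I(P, W) = H(Y) - H(Y | X).  W is one dict per input letter a mapping
    doubletons y (frozensets of two letter indices) to W(y | a).  A channel
    that puts mass on a doubleton not containing a is inadmissible."""
    R = {}
    for a, (pa, Wa) in enumerate(zip(P, W)):
        for y, w in Wa.items():
            if w > 0 and a not in y:
                raise ValueError("W(y|a) > 0 requires a in y")
            R[y] = R.get(y, 0.0) + pa * w
    h_y_given_x = sum(pa * entropy(Wa.values()) for pa, Wa in zip(P, W))
    return entropy(R.values()) - h_y_given_x


def doubleton_marginal(P):
    """A distribution R on doubletons with sum_{y containing a} R(y) = 2 p_a
    for every letter a, the system the proof needs when p* <= 1/2.  My own
    construction (the paper's Appendix is not on the page): lay the masses
    2 p_a end to end on a circle of circumference 2 and pair every point x of
    the first half with its antipode x + 1; an arc of length at most 1 never
    contains both x and x + 1.  Exact rationals keep the marginals exact."""
    masses = [2 * Fraction(p) for p in P]
    cuts = [Fraction(0)]
    for m in masses:
        cuts.append(cuts[-1] + m)
    half = cuts[-1] / 2                      # equals 1 when P sums to 1

    def segment(x):                          # letter whose arc contains x
        i = 0
        while i + 1 < len(P) and cuts[i + 1] <= x:
            i += 1
        return i

    points = sorted({Fraction(0), half}
                    | {c for c in cuts if 0 < c < half}
                    | {c - half for c in cuts if half < c < 2 * half})
    R = {}
    for lo, hi in zip(points, points[1:]):
        mid = (lo + hi) / 2
        y = frozenset((segment(mid), segment(mid + half)))
        if len(y) != 2:
            raise ValueError("p* > 1/2: no doubleton marginal exists")
        R[y] = R.get(y, Fraction(0)) + (hi - lo)
    return {y: float(r) for y, r in R.items()}


def equality_channel(P):
    """W(y | a) = R(y) / (2 p_a) for a in y: the proof's criterion for
    P(a | y) = P(b | y) = 1/2, which attains I(P, W) = H(P) - log 2."""
    R = doubleton_marginal(P)
    return [{y: r / (2 * pa) for y, r in R.items() if a in y} if pa > 0 else {}
            for a, pa in enumerate(P)]


def single_letter_channel(P, a):
    """Assumed test matrix for p* > 1/2 (the paper's is not on the page):
    each b != a is reported as {a, b} with certainty, and a itself as {a, b}
    with probability p_b / (1 - p_a).  Then R({a,b}) = p_b / (1 - p_a),
    H(Y) = (H(P) - h(p_a)) / (1 - p_a), H(Y|X) = p_a H(Y), so
    I(P, W) = H(P) - h(p_a)."""
    W = [dict() for _ in P]
    for b, pb in enumerate(P):
        if b != a:
            y = frozenset((a, b))
            W[b][y] = 1.0
            W[a][y] = pb / (1 - P[a])
    return W


if __name__ == "__main__":
    for P in ([0.5, 0.25, 0.25], [0.4, 0.3, 0.2, 0.1], [0.7, 0.2, 0.1]):
        if max(P) <= 0.5:
            W = equality_channel(P)
        else:
            W = single_letter_channel(P, P.index(max(P)))
        print(P, "H =", round(entropy(P), 4), "S =", round(semientropy(P), 4),
              "I(P,W) =", round(mutual_information(P, W), 4))
```

The two channels only show achievability; that nothing better exists is the content of Theorem 1 and of the alternative definition (1), which the code does not evaluate.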

As a corollary to the theorem we soon obtain a list of properties of $S(P)$ which vindicate its interpretation as an uncertainty measure to be used when the "experimenter" does not care about the precise value taken by r.v. $X$, but is satisfied as soon as he knows a doubleton containing $X$:
Corollary 1.
i) $S(P)$ is a concave function of $P$;
ii) $0\le S(P)\le\log\frac{K}{2}$; $S(P)=0$ iff $P$ has at most two positive components; for $K>2$: $S(P)=\log\frac{K}{2}$ iff $P$ is uniform;
iii) $H(P)-\log 2\le S(P)\le H(P)$; $S(P)=H(P)-\log 2$ iff $p^*\le\frac{1}{2}$ (cf. theorem 1); $S(P)=H(P)$ iff $H(P)=0$: that is, iff $X$ is deterministic.

The properties in i) and ii) are obvious counterparts to similar properties of Shannon's entropy H(P); we stress that, as soon as there are at least three positive probability letters, S(P) is positive too. In iii) S(P) and H(P) are compared; the inequality S(P) ≤ H(P) is always strict in the non-deterministic case. The difference H(P) - S(P) is largest when the uncertainty H(P) is "large", in the sense that there is no single "event" of "high" probability.

Remark. Observe that similar properties with M instead of 2 can be derived also in the general case 2 ≤ M ≤ K directly from the definition of S(P) extended to the case M > 2 (take the secondary alphabet to be the set of M-sets of primary letters; in the alternative definition (1) one has to consider the sum of the M, and not of the two, most Q-probable letters). Property i) is a general property of the rate-distortion function for fixed distortion level and follows from the (weak) concavity in P of I(P, W) (cf /9/); the left side of ii) is trivial; the right side can be obtained from representation (1) computing the maximum in P of the right side of (1) and interchanging the two extrema; the left side of iii) can be obtained generalizing the arguments given at the beginning of the proof of the theorem; the right side is trivial. We go back to the case M = 2.

The concavity of S(P) is not strict, since S(P) = 0 for all P with at most two positive components. Theorem 2 below deepens property i). It turns out that there is more linearity than that brought about by the case S(P) = 0; therefore, from the point of view of concavity S(P) and H(P) exhibit an important difference of behaviour (cf the discussion after corollary 2 below).

Theorem 2. Consider the closed segments of p.d.'s of the following form:
i) [R, Q] with R and Q deterministic, R ≠ Q;
ii) [R, Q] with r_i = 1/2, q_i = 1.
S(P) is linear over all segments of this form and nowhere else. If P is a p.d. over a segment of type i) one has S(P) = 0; if P is a p.d. over a segment of type ii) one has S(P) = 2(1 - p_i) S(R) = 2(1 - p_i) [H(R) - log 2].

Proof. In the "inner region" max p_i ≤ 1/2, S(P) is strictly concave, H(P) being so. Let us go to the "outer region" max p_i ≥ 1/2 (the regions' frontiers overlap). The case i) when S(P) = 0 has already been disposed of. We go to case ii) assuming K ≥ 3, else S(P) is identically zero. A p.d. P over [R, Q] has the form P = (p_1, ε r_2, ε r_3, ..., ε r_K), 1/2 ≤ p_1 ≤ 1, ε = 2(1 - p_1), 0 ≤ ε ≤ 1 (we have taken i = 1 without real restriction). A computation shows that:

$$ S(P) = H(P) - h(p_1) = \varepsilon\,[H(R) - \log 2] = \varepsilon\, S(R) \qquad (3) $$

Clearly, S(P) cannot be linear over a proper super-segment of [R, Q], else one would trespass into the inner region. We have still to prove that S(P) is linear only over segments i) and ii). Take R and Q distinct in the outer region. First assume that R and Q have their maximum in the same position, say the first. Then this is true also of the outer region point V = (1/2) R + (1/2) Q. Assume S(P) is linear over segment [R, Q]. Then S(V) can be computed in two ways (use linearity and (3)):

$$ S(V) = \tfrac{1}{2} S(R) + \tfrac{1}{2} S(Q) = (1 - r_1)\, S(\tilde R) + (1 - q_1)\, S(\tilde Q) $$

and

$$ S(V) = 2(1 - v_1)\, S(\tilde V). $$

Above R̃, Q̃, Ṽ are suitable p.d.'s over the region intersection with r̃_1 = q̃_1 = ṽ_1 = 1/2. By comparison, recalling that v_1 = (1/2) r_1 + (1/2) q_1:

or:

$$ \alpha\, H(\tilde R) + (1 - \alpha)\, H(\tilde Q) = H(\tilde V), \qquad \text{with } \alpha = \frac{1 - r_1}{2 - r_1 - q_1} $$

(the denominator is not zero, because R and Q are distinct). Actually, Ṽ = α R̃ + (1 - α) Q̃, as a computation shows (convert the definition of V into an equality for Ṽ, R̃ and Q̃). It is enough to observe that H(P) is strictly concave to conclude Ṽ = R̃ = Q̃; then V, R and Q lie on one of the old segments. Assume now that R has its maximum in the first position, while Q in the second, say. If r_1 = q_2 = 1/2, the open segment ]R, Q[ lies in the inner region, and there S(P) is strictly concave. If r_1 > 1/2, say, there is a sub-segment of [R, Q] with positive length for whose points the first component is at least 1/2. Taking into account this sub-segment, we go back to the cases already dealt with. QED

The figure shows some of the linearity segments in the case K = 3; the dotted lines show the region intersection.

III. Semiequivocation and duplicity distance

Below we deal with the case M = 2; however, much of what follows can be extended to the case of any M (cf the remark in section II).
So far we have defined a measure of unconditional "semi-uncertainty". Now we define a measure of conditional semi-uncertainty. Assume XC is a finite random couple; for convenience X will be interpreted as the random key (also the random message would be a suitable interpretation) and C as the random cryptogram. For an observed cryptogram c, S(X | C = c), the unconditional semientropy of the conditional distribution of X given C = c, is well-defined unless c has zero probability. We set:

Definition 2. The semiequivocation of r.v. X given r.v. C is

$$ S(X \mid C) = \sum_c \mathrm{Prob}\{C = c\}\, S(X \mid C = c), $$

the sum being extended to all c's of positive probability.
Recall that the usual equivocation (conditional entropy) H(X | C) can be defined in a similar way.
From the properties of the semientropies S(X | C = c) one soon derives properties for the semiequivocation S(X | C) (use corollary 1):

Corollary 2.
j) S(X | C) ≤ S(X); if X and C are independent S(X | C) = S(X);
jj) 0 ≤ S(X | C) ≤ log(K/2); S(X | C) = 0 iff for any cryptogram of positive probability there are at most two keys with positive conditional probability; for K > 2: S(X | C) = log(K/2) iff for any such cryptogram the conditional probability of the random key is uniform.

The inequality in j), which is an essential requirement for any measure of conditional uncertainty, follows from concavity; note that the independence of X and C is not a necessary condition to have S(X | C) = S(X): actually S(X | C) = S(X) iff the conditional distributions of X given the cryptograms c of positive probability all lie on the same linearity segment (use theorem 2), or if they coincide, that is if X and C are independent. This is at variance with the case of the usual equivocation H(X | C), where independence is also a necessary condition to have H(X | C) = H(X). An explicit expression for S(X | C) follows (use theorem 1).
Corollary 3. Set h*(p) = h(p) if p ≥ 1/2, h*(p) = log 2 else. Then

$$ S(X \mid C) = H(X \mid C) - \sum_c \mathrm{Prob}\{C = c\}\; h^{*}\!\Big(\max_z \mathrm{Prob}\{X = z \mid C = c\}\Big), $$

the sum being extended to all cryptograms c of positive probability and the max to all keys z.
We can now consider two functions of the non-negative integer n. Below C_n is the random cryptogram of length n made up of the first n random outputs of the cryptogram letter source. We use the equivocation function e(n) and define a semiequivocation function s(n):

$$ s(n) = S(X \mid C_n), \qquad s(0) = S(X). $$

It is known that e(n) is non-increasing; using j) one obtains a similar property for s(n). The corollary below lists also properties derived from corollary 1:

Corollary 4. The semiequivocation function s(n) is a non-negative non-increasing function of n. One has:

$$ e(n) - \log 2 \le s(n) \le e(n), $$

with equality on the left iff there are no keys with a conditional probability exceeding 1/2, and equality on the right iff e(n) = 0.

Now we fix a "negligible" positive real number ε. We use the unicity distance d_1 and define a duplicity distance d_2. The former is the least integer for which e(n) ≤ ε, the latter is the least integer for which s(n) ≤ ε; if one or both of these integers do not exist, the corresponding distance is set equal to +∞. As for their meaning, d_1 and d_2 represent the least number of cryptogram letters to be intercepted before the key equivocation, or the key semiequivocation, respectively, becomes negligible. If d_1 = +∞, the cipher system with random key X and random cryptogram C_n is called (simply) ideal; if d_2 = +∞ the cipher system is called doubly ideal. (Note that different definitions of unicity distance and ideal ciphers are found in the literature; the notions to be captured, however, are similar.) As s(n) ≤ e(n), one has d_2 ≤ d_1. In particular: any doubly ideal cipher is also simply ideal. The possibly void set of integers {n : s(n) ≤ ε, e(n) > ε} = {n : d_2 ≤ n < d_1} is of relevance here: if the cryptogram length is in that set the cipher is unbreakable for a cryptanalyst who is devoid of "semantical competence" (M = 1), but is breakable for a cryptanalyst whose "semantical competence" is M = 2.
Example. Take a single-letter substitution cipher for a memoryless and stationary source (cf /1/ to /3/, /6/ or /8/). Assume that the cipher is complete (all t! alphabet permutations are allowed to be used as keys, t being the number of distinct message letters in the message alphabet) and canonical (keys are equiprobable). Set:

$$ A = t_1!\, t_2! \cdots t_r! $$

where r is the number of distinct components in the message letter p.d., each appearing t_1, t_2, ..., t_r times, respectively (t_1 + t_2 + ... + t_r = t). One has 1 ≤ A ≤ t!; A = 1 when all the t letter probabilities are distinct, A = t! when the message letter p.d. is uniform. Then, for a suitable infinitesimal δ(n):

$$ e(n) = H(X \mid C_n) = \log A + \delta(n) $$

(cf /1/ where more information on the asymptotic behaviour of δ(n) is given). This cipher has no asymptotic security for A = 1; in the sequel we assume that there are at least two source letters with the same probability. Then, for each key x and each cryptogram c, Prob{X = x | C_n = c} = Prob{X = x̃ | C_n = c} ≤ 1/2, x̃ being the alphabet permutation obtained from x by interchanging those two letters. Therefore (corollary 4):

$$ s(n) = e(n) - \log 2 = \log \frac{A}{2} + \delta(n). $$

In particular, for A = 2 (only two letters have the same probability) the cipher is simply ideal (d_1 = +∞) and so cannot be broken however long the intercepted cryptogram is; instead, d_2 is finite (we assume ε < log 2) and so, at least for sufficiently long cryptograms, the cipher can be broken by a semantically equipped cryptanalyst.
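The Example above, worked numerically. The following Python is an added illustration and is not code from the paper: it implements S(P) of theorem 1, the semiequivocation of definition 2 through the expression of corollary 3, and the functions e(n), s(n) of corollary 4 by exhaustive enumeration of keys and plaintexts for the complete canonical single-letter substitution cipher. The three-letter source with probabilities (4/5, 1/10, 1/10), chosen so that A = 2!·1! = 2, the tolerance ε = 0.5 bit and all function names are assumptions of the example; logarithms are base 2, so the paper's "log 2" is 1 bit.

```python
from fractions import Fraction
from itertools import permutations, product
from math import log2

# Added example, not code from the paper: the semientropy S(P) of theorem 1,
# the semiequivocation of definition 2 (via corollary 3) and the functions
# e(n), s(n) of corollary 4, all evaluated exactly by enumerating keys and
# plaintexts for the complete canonical single-letter substitution cipher of
# the Example.  Logarithms are base 2, so "log 2" of the text is 1 bit.

def H(dist):
    """Shannon entropy in bits of a probability vector (zero entries ignored)."""
    return -sum(float(p) * log2(float(p)) for p in dist if p > 0)

def h(p):
    """Binary entropy function h(p) = H((p, 1 - p))."""
    return H((p, 1 - p))

def h_star(p):
    """h*(p) of corollary 3: h(p) for p >= 1/2, log 2 otherwise."""
    return h(p) if p >= Fraction(1, 2) else 1.0

def semientropy(dist):
    """S(P) = H(P) - h*(p*), p* the largest component (theorem 1, M = 2)."""
    return H(dist) - h_star(max(dist))

def substitution_cipher_curves(source_probs, max_n):
    """Memoryless source with the given letter probabilities (numbers or
    strings such as "4/5"), complete canonical substitution cipher (all t!
    keys equiprobable).  Returns [(n, e(n), s(n))] for n = 0 .. max_n with
    e(n) = H(X | C_n) and s(n) = S(X | C_n), computed from the exact joint
    law of key and cryptogram."""
    probs = [Fraction(p) for p in source_probs]
    t = len(probs)
    keys = list(permutations(range(t)))
    key_prob = Fraction(1, len(keys))
    rows = []
    for n in range(max_n + 1):
        joint = {}                                   # Prob{X = key, C_n = c}
        for msg in product(range(t), repeat=n):
            p_msg = Fraction(1)
            for m in msg:
                p_msg *= probs[m]
            for key in keys:
                c = tuple(key[m] for m in msg)       # encipher letter by letter
                joint[key, c] = joint.get((key, c), 0) + key_prob * p_msg
        crypt = {}                                   # Prob{C_n = c}
        for (key, c), p in joint.items():
            crypt[c] = crypt.get(c, 0) + p
        e_n = s_n = 0.0
        for c, pc in crypt.items():                  # average over cryptograms
            posterior = [joint.get((key, c), 0) / pc for key in keys]
            e_n += float(pc) * H(posterior)
            s_n += float(pc) * semientropy(posterior)
        rows.append((n, e_n, s_n))
    return rows

def distances(rows, eps):
    """Unicity distance d1 and duplicity distance d2 for tolerance eps, within
    the computed range; None stands for "not reached" (+infinity so far)."""
    d1 = next((n for n, e, _ in rows if e <= eps), None)
    d2 = next((n for n, _, s in rows if s <= eps), None)
    return d1, d2

if __name__ == "__main__":
    # constructed source: the last two letters are equiprobable, so A = 2!*1! = 2
    rows = substitution_cipher_curves(("4/5", "1/10", "1/10"), 5)
    for n, e, s in rows:
        print(f"n={n}  e(n)={e:.4f}  s(n)={s:.4f}")
    print("d1, d2 at eps = 0.5 bit:", distances(rows, 0.5))
```

The run reproduces the behaviour the Example describes: because every key has a twin (the same key with the two equiprobable letters interchanged) of equal posterior probability, no key ever has conditional probability above 1/2, so s(n) = e(n) - log 2 holds exactly for every n, e(n) never drops below log A = 1 bit (d_1 is not reached), while s(n) falls below ε = 0.5 bit at n = 3 (d_2 = 3).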

IV. A final comment

From the point of view of cryptographic applications our model based on the notions of semiequivocation and duplicity distance appears only as a mathematical abstraction: measuring the "semantical competence" of the cryptanalyst by an integer M, e.g. by M = 2, is certainly not a practical approach. On the other hand, in spite of all its drawbacks, the new model is more adequate than the classical one (M = 1) when the statistical description of the message source is not sufficiently robust so as to cover subtle and possibly long-range semantical dependences. The weakness of a frequency-type description has already been emphasized by exhibiting certain paradoxes which it brings about (cf /6/ and /7/). Our new model serves as a warning against the dangers of using "clean" statistical message-source descriptions in cryptographic applications.
Appendix. We show that the system (2) has solutions when p* ≤ 1/2. We proceed by induction on K. For K = 2 there is nothing to prove. For K = 3, with alphabet {a, b, c}, the system is solved by R(a, b), R(a, c) and R(b, c) given by

$$ R(x, y) = P(x) + P(y) - P(z), \qquad xyz = abc,\ acb,\ bca $$

Non-negativity holds since there is no single P-probability exceeding the sum of the other two (p* ≤ 1/2; we have written R(a, b) etc. instead of R({a, b}) etc.).

In the induction step from K - 1 to K we shall blend the two smallest-probability letters, c and d, say; observe that, since K ≥ 4, P(c) + P(d) cannot exceed 1/2. To improve readability we shall confine ourselves to describing the step from 3 to 4: it will be transparent that the restriction is only in the notation. We shall be contented with solutions with R(c, d) = 0 and so the system to solve is:

$$ \begin{aligned}
R(a, b) + R(a, c) + R(a, d) &= 2P(a) \\
R(a, b) + R(b, c) + R(b, d) &= 2P(b) \\
R(a, c) + R(b, c) &= 2P(c) \\
R(a, d) + R(b, d) &= 2P(d)
\end{aligned} $$

We blend c and d to form a super-letter e = {c, d}; we set P(e) = P(c) + P(d), R(z, e) = R(z, c) + R(z, d), z = a, z = b. The reduced system is as the one we have already solved for K = 3, with e instead of c. We obtain a non-negative solution R(a, b), R(a, e), R(b, e). Now we have to split R(a, e) and R(b, e) as the sum of two non-negative terms, R(a, c) + R(a, d) and R(b, c) + R(b, d) respectively, in such a way as to solve the unreduced system. As for the first two equations there (for the first K - 2 equations in the generic induction step) any such non-negative splitting will do. As for the last two equations, a splitting as requested is feasible since we already know that one has

$$ [R(a, c) + R(b, c)] + [R(a, d) + R(b, d)] = 2[P(c) + P(d)] = 2P(e) $$

References

/1/ R. J. Blom, Bounds on key equivocation for simple substitution ciphers, IEEE Trans. Inform. Theory, vol. IT-25, pp. 8-18, Jan. 1979
/2/ J. G. Dunham, Bounds on message equivocation for simple substitution ciphers, IEEE Trans. Inform. Theory, vol. IT-26, pp. 522-527, Sept. 1980
/3/ A. Sgarro, Error probabilities for simple substitution ciphers, IEEE Trans. Inform. Theory, vol. IT-29, pp. 190-198, March 1983
/4/ A. Sgarro, Equivocations for homophonic ciphers, in Advances in Cryptology, Proceedings of Eurocrypt 1984, pp. 51-61, Springer-Verlag, 1985
/5/ A. Sgarro, Equivocations for transposition ciphers, Rivista di matematica per le scienze economiche e sociali, Anno 8, fasc. 2, pp. 107-114, 1985
/6/ A. Sgarro, Exponential-type parameters and substitution ciphers, Problems of Control and Inform. Theory, vol. 14, pp. 393-403, 1985
/7/ A. Sgarro, Information-theoretic versus decision-theoretic cryptography, E und K, Sonderheft "Kryptologie und Datensicherheit", v. 12, pp. 562-564, Springer-Verlag, 1987
/8/ H. Beker, F. Piper, Cipher Systems, Northwood Books, London, 1982
/9/ I. Csiszár, J. Körner, Information Theory, Academic Press, New York, 1982
SOME NEW CLASSES OF
GEOMETRIC THRESHOLD SCHEMES

Marijke De Soete 1) and Klaus Vedder 2)

1) Seminar of Geometry and Combinatorics
State University of Ghent
Krijgslaan 281
B-9000 Ghent, Belgium

2) GAO
Gesellschaft für Automation
und Organisation mbH
Euckenstraße 12
D-8000 München 70, West Germany

Abstract. We construct and discuss new infinite classes of t-threshold schemes with t = 2 and 3 which are based on generalized quadrangles. The paper also contains threshold schemes which deal with the case where the group of trustees is made up of mutually distrusting parties.

1 INTRODUCTION

Any scheme which is to protect information has to be designed with the following three main points in mind: possible loss or destruction of the information or parts thereof, attack from inside or outside to obtain or destroy the information, and efficiency.

One obvious way to guard the information against loss or destruction is to make multiple copies of it and distribute them amongst trustworthy parties. This has two obvious drawbacks. Too few copies might cause the loss of the information while too many copies could lead to the information falling into wrong hands. Moreover, each trusted party is in the possession of all of the information.

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 389-401, 1988.
© Springer-Verlag Berlin Heidelberg 1988

In 1979 Blakley and Shamir independently introduced what is known under the name "threshold schemes". In those schemes pieces of information are distributed amongst "trustees" in such a way that any number of trustees which achieve a quorum or threshold can reconstruct the information. Clearly "reconstruction of the information" can be replaced by "gaining access", "starting a computer program", "signing a cheque" or anything which is similar to this. A more formal definition reads as follows.

A t-threshold scheme consists of s ≥ t pieces of information, called shadows, such that
(i) a secret datum X can be retrieved from any t of the s shadows and
(ii) X cannot be determined from any t - 1 or fewer of the s shadows.

The second condition needs some explanation. First of all, it means that the knowledge of t - 1 shadows should suggest every possible datum with about the same probability. If the number of possible data is finite, then one can, of course, guess the correct datum in a finite amount of time and the knowledge of t - 1 shadows might even reduce the time necessary. It should, however, be beyond any reasonable computing time.

The security considerations depend on the nature of the secret datum X. If the value of X is, for instance, the master key of a cryptosystem ([3], [S]), then a correct guess of X compromises the system. The probability to do this might be different to the probability to cheat the system by entering "made-up" shadows. If the knowledge of X is by itself of no use, X might be a trigger to start a computer program, then this probability determines the security level. The possible difference of these two probabilities is illustrated by the schemes given in Section 3.3.

In the above definition the number s stands for the maximum number of shadows one can hand out to the trustees. If s = t, the loss of any one shadow is, by definition, equivalent to the loss of the secret datum. This is also the case if s > t but the number of shadows handed out is equal to t. Administrative procedures such as a back-up list of all shadows, of course, prevent such a breakdown but impair the security.

Hence it is advantageous to the designer of a t-threshold scheme if he has some room for manoeuvre between t and s. This allows him to fix the number of distributed shadows according to his needs.

In the present paper we discuss a class of threshold schemes with t = 2 and 3 which have the property that the level of security and with it the number s can be chosen as high and large as desired. They are based on so-called generalized quadrangles. These finite incidence structures also allow the construction of threshold schemes which cater for the situation where the trustees do not trust each other and a threshold has to be achieved in each one of a number of distrusting parties. This could, for instance, also be useful in a situation which involves not only human beings but say computer programs as well. We conclude this introduction with a definition of such threshold schemes.

A (t_1, ..., t_n)-threshold scheme is a t-threshold scheme with t = Σ_{i=1}^{n} t_i where the set of shadows is partitioned into n subsets B_i (i = 1, ..., n), with |B_i| = s_i, Σ_{i=1}^{n} s_i = s, and a quorum of t_i ≤ s_i is needed in each set B_i. If just n thresholds t_1, ..., t_n have to be achieved and it does not matter in which one of the sets B_i, we call it a (t_1, ..., t_n)*-threshold scheme.

2 GEOMETRIC BACKGROUND

An incidence structure is a triple (P, B, I) which consists of two non-empty and disjoint sets P and B and a subset I ⊆ P × B. The elements of P and B are called points and blocks (or in our context lines), respectively. I is called the incidence relation. We say that a point x and a line L are incident with each other and write x I L if and only if the pair (x, L) is an element of I.

A (finite) generalized quadrangle (GQ) of order (σ, τ) is an incidence structure which satisfies the following axioms:

(i) Each point is incident with exactly 1 + τ lines (τ ≥ 1) and two distinct points are incident with at most one line.

(ii) Each line is incident with exactly 1 + σ points (σ ≥ 1) and two distinct lines are incident with at most one point.

(iii) For every point x and every line L which are not incident with each other, there exists a unique line which is incident with both x and a (unique) point on L.

It follows from this definition that every GQ of order (σ, τ) has associated with it a GQ of order (τ, σ) which is obtained by interchanging the roles of the points and lines. We call it the dual GQ. This implies that in any definition or theorem the words "points" and "lines" and the parameters "σ" and "τ" may be interchanged.

The definition allows us to identify each line with the set of points it is incident with. This and the obvious geometric structure of a GQ are the reasons for expressions such as "x lies on L", "x is contained in L" for x I L and "L and M intersect each other in the point x" for L I x I M.

We call two not necessarily distinct points x and y collinear and write x ~ y, if there exists a line which contains both of them. If there is no such line we say that they are not collinear and write x ≁ y. The set of points collinear with a point x is denoted by x^⊥ (note that x ∈ x^⊥).

Axiom (iii) is crucial for understanding most of the arguments in this paper. It means that, except for exactly one line, all the remaining τ lines through x do not intersect the line L. So a generalized quadrangle does not contain a "triangle".

The proof of the following lemma is left to the reader as an easy exercise, with the exception of (iii), a proof of which can be found in [7].

Lemma 1. Let (P, B, I) be a generalized quadrangle of order (σ, τ), then

(ii) |x^⊥| = 1 + (τ + 1)σ for all points x ∈ P;

(iii) σ + τ divides στ(σ + 1)(τ + 1).


The threshold schemes we are going to introduce are based on the span of point sets. The trace of a pair (x, y) of distinct points is defined to be the set x^⊥ ∩ y^⊥ and is denoted as tr(x, y) = {x, y}^⊥. More generally, one can define for A ⊂ P the set A^⊥ = ∩ {z^⊥ | z ∈ A}. The span of two distinct points x and y is defined as sp(x, y) = {x, y}^⊥⊥ = {u ∈ P | u ∈ z^⊥ ∀z ∈ tr(x, y)}. Hence it consists of all points which are collinear with every point in the trace of x and y.

If x and y are collinear, then sp(x, y) is the unique line through x and y and hence |sp(x, y)| = σ + 1.

If x and y are not collinear, then no two of the points of x^⊥ ∩ y^⊥ marked by "o" in the diagram above are collinear. We note that x, y are in sp(x, y), no two points of sp(x, y) are collinear and |sp(x, y)| ≤ τ + 1. The latter follows since the points of sp(x, y) have to be contained in the τ + 1 lines through any of the points of x^⊥ ∩ y^⊥.

Finally, a triad (of points) is a triple of mutually non-collinear points. Given a triad T = (x, y, z), a centre of T is just a point of T^⊥ = tr(x, y, z). The reader who is interested in finding out more about the theory of generalized quadrangles is referred to the book by Payne and Thas [7].

3 THE SCHEMES

3.1 The 2-Threshold Schemes

Let G be a generalized quadrangle of order (σ, τ) with σ, τ > 1, and let x and y be two non-collinear points of G. Then the points of sp(x, y) can be used as the shadows of a 2-threshold scheme with the secret datum X being the span of x and y.

For consider two distinct points w and z of sp(x, y). As points of the span they are not collinear, but each one of them is collinear with every point in x^⊥ ∩ y^⊥. Hence z^⊥ ∩ w^⊥ = x^⊥ ∩ y^⊥ and sp(z, w) = sp(x, y) = X. So the secret datum is determined by any two of the shadows.
The probability to obtain X with the knowledge of no or just one shadow depends on the number of shadows in X. This number is subject to the structure of G and the particular choice of the span. It is, however, never greater than τ + 1. We obtain the following expression for the probability that the secret datum is revealed by entering a valid shadow and some other point:

$$ \mathrm{Prob} = \frac{s - 1}{\sigma^2\tau + \sigma\tau + \sigma} \le \frac{\tau}{\sigma^2\tau + \sigma\tau + \sigma} \qquad (3.1) $$

When setting the security level one has, however, to take into account that a trustee knows some finite geometry and, for some reason or other, the lines through his own shadow. This increases his probability of a successful attempt to break the system to

$$ \mathrm{Prob} = \frac{s - 1}{\sigma^2\tau + \sigma\tau + \sigma - (\sigma\tau + \sigma)} = \frac{s - 1}{\sigma^2\tau} \le \frac{1}{\sigma^2} \qquad (3.2) $$

as he can rule out the στ + σ points which are collinear with his shadow. Equation (3.2) implies that the security level only depends on σ or, in other words, the number of points on a line, if sp(x, y) contains τ + 1 points. If this is the case, the pair (x, y) is called regular. A point x is said to be regular, if for every y, y ≁ x, the pair (x, y) is regular.
So far we have not said anything about the existence of generalized quadrangles. If a point of a GQ is regular then σ ≥ τ (see [7]). So the smallest case is σ = τ. Such generalized quadrangles exist indeed. The ones in which all the points are regular are derived from the projective geometry PG(3, q). The points of the GQ are just the points of PG(3, q) while the lines are the totally isotropic lines with respect to a symplectic polarity. For the necessary background in finite geometry the reader is referred to [1], [S]. As these geometries exist for every prime power q, we have obtained an infinite class of 2-threshold schemes which admit q + 1 shadows at a security level of 1/q² and have an implementation size of q³ + q² + q + 1 points and lines. Since these generalized quadrangles are coordinatized (see [7]), they can be implemented on a computer.

Using a regular pair of points for an implementation supplies us with at least τ + 1 ≥ √σ + 1 shadows at a security level of 1/σ², since the inequalities τ² ≥ σ ≥ τ hold (see [7]). Such a number is in nearly all cases far beyond anything needed. So the question arises whether one should use a non-regular pair of points whose span is sufficiently large. A span containing s points increases the security level to (s - 1)/(τσ²) at the same order (σ, τ). For instance, the generalized quadrangles derived from a non-singular hermitian variety in PG(4, q²) have order (q², q³). Here the spans consist of q + 1 points. Hence the probability to cheat is approximately 1/q⁶ while the above examples attain a security level of only 1/q⁴ at the same line-size. This is, however, not the only criterion for the magnitude of the implementation.

It should be mentioned that regular pairs have a non-negligible advantage when it comes to the actual implementation, since we can make use of the following observation. Two points x' and y' belong to sp(x, y) if and only if they are collinear with every one of the points in x^⊥ ∩ y^⊥. Checking this is clearly not feasible. If the pair (x, y) is regular, it suffices to show that x' and y' are collinear with just two of those points, since in this case the trace of a span is equal to the span of the trace. So we just have to store two points of the trace and check whether x' and y' are collinear with both of them. The amount of computation needed for this depends on the number of coordinates and the particular field used for the coordinatization.
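Section 3.1 in executable form. The following Python is an added example and not code from the paper: it builds the symplectic generalized quadrangle W(q) on the points of PG(3, q) for a prime q, taking the alternating form u_1 v_2 - u_2 v_1 + u_3 v_4 - u_4 v_3 as the symplectic polarity (an assumption of the example; prime powers would need GF(q) arithmetic and are not handled), implements trace and span as defined in Section 2, sets up the 2-threshold scheme on sp(x, y), reconstructs X from every pair of shadows, runs the two-trace-point membership check of the preceding paragraph against the full definition, and evaluates (3.1) and (3.2). All function and variable names are the example's own.

```python
from fractions import Fraction
from itertools import combinations, product

# Added example; not code from De Soete and Vedder.  It builds the symplectic
# generalized quadrangle W(q) of order (q, q) from PG(3, q) for a prime q
# (arithmetic mod q only; prime powers would need GF(q) arithmetic),
# implements trace and span as in Section 2, and runs the 2-threshold scheme
# of Section 3.1 on a span, including the two-trace-point membership check.

def projective_points(q):
    """Points of PG(3, q): nonzero vectors of GF(q)^4 whose first nonzero
    coordinate is 1, so each projective point is listed exactly once."""
    pts = []
    for v in product(range(q), repeat=4):
        nonzero = [c for c in v if c]
        if nonzero and nonzero[0] == 1:
            pts.append(v)
    return pts

def symplectic_form(u, v, q):
    """Alternating bilinear form defining the symplectic polarity (assumed)."""
    return (u[0] * v[1] - u[1] * v[0] + u[2] * v[3] - u[3] * v[2]) % q

class SymplecticGQ:
    """W(q): the GQ lines are the totally isotropic lines of PG(3, q), so two
    points are collinear iff the form vanishes on them; every point is regular."""
    def __init__(self, q):
        self.q = q
        self.points = projective_points(q)
        self.perp = {x: frozenset(y for y in self.points
                                  if symplectic_form(x, y, q) == 0)
                     for x in self.points}            # x^perp, contains x itself

    def collinear(self, x, y):
        return y in self.perp[x]

    def trace(self, *pts):
        """{x, y, ...}^perp: the points collinear with every given point."""
        common = set(self.points)
        for p in pts:
            common &= self.perp[p]
        return frozenset(common)

    def span(self, *pts):
        """{x, y, ...}^perp perp: the points collinear with the whole trace."""
        return self.trace(*self.trace(*pts))

def is_shadow(G, u, v, p):
    """Membership test of Section 3.1 for a regular pair: p lies in sp(x, y)
    iff it is collinear with two stored trace points u, v."""
    return G.collinear(p, u) and G.collinear(p, v)

def cheating_probabilities(G, s):
    """(3.1) and (3.2) with sigma = tau = q: one valid shadow plus a random
    other point, without / with ruling out the sigma*tau + sigma points
    collinear with the cheater's own shadow."""
    sigma = tau = G.q
    others = sigma * sigma * tau + sigma * tau + sigma
    return (Fraction(s - 1, others),
            Fraction(s - 1, others - (sigma * tau + sigma)))

def run_scheme(q, x=(1, 0, 0, 0), y=(0, 1, 0, 0)):
    """Set up the 2-threshold scheme on sp(x, y) for the constructed
    non-collinear pair x, y and verify the properties stated in the text."""
    G = SymplecticGQ(q)
    assert not G.collinear(x, y), "x and y must be non-collinear"
    tr = G.trace(x, y)
    X = G.span(x, y)                      # secret datum = the set of shadows
    shadows = sorted(X)
    # condition (i): any two shadows reproduce X; shadows are pairwise non-collinear
    two_determine = all(G.span(w, z) == X for w, z in combinations(shadows, 2))
    pairwise_noncollinear = all(not G.collinear(w, z)
                                for w, z in combinations(shadows, 2))
    # the fast check with two stored trace points agrees with the definition
    u, v = sorted(tr)[:2]
    fast_ok = all(is_shadow(G, u, v, p) == (p in X) for p in G.points)
    blind, informed = cheating_probabilities(G, len(X))
    return {"points": len(G.points), "perp_size": len(G.perp[x]),
            "trace_size": len(tr), "span_size": len(X),
            "two_determine": two_determine,
            "pairwise_noncollinear": pairwise_noncollinear,
            "fast_check_ok": fast_ok,
            "prob_blind": blind, "prob_informed": informed}

if __name__ == "__main__":
    for q in (2, 3):
        print(q, run_scheme(q))
```

For q = 2 and q = 3 the run confirms |x^⊥| = 1 + (τ + 1)σ from Lemma 1, |tr(x, y)| = |sp(x, y)| = q + 1 (the pair is regular), that every pair of shadows reproduces X, that checking collinearity with two stored trace points singles out exactly the span, and that the informed cheating probability (3.2) equals 1/q², the bound stated after (3.2), since here s - 1 = τ.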

3.2 The 3-Threshold Schemes

The threshold schemes constructed in the preceding section were based on pairs of non-collinear points. Now we are going to use triads of points. We will see that, when assessing the security of the new systems, it is not sufficient to just transfer the considerations made for the 2-threshold schemes. The "extension" will provide an attacker with new possibilities.

Let (x, y, z) form a triad, and let sp(x, y, z) = {x, y, z}^⊥⊥ be the secret datum X. It is easy to see that any three points of X uniquely determine X. So condition (i) for a 3-threshold scheme is satisfied.
Two disloyal trustees with respective shadows x', y' have a success rate of

$$ \frac{s - 2}{\sigma^2\tau + \sigma\tau + \sigma - 1} \qquad (3.3) $$

in a straightforward attack. If they can rule out the 2σ(τ + 1) - (τ + 1) = 2στ + 2σ - τ - 1 points which are collinear with x', y', then their probability to break the system is

$$ \mathrm{Prob} = \frac{s - 2}{\sigma^2\tau - \sigma\tau - \sigma + \tau}. \qquad (3.4) $$

So far everything is similar to the case of two non-collinear points. Being able to rule out the points of tr(x', y'), however, opens up new ways of breaking the system in this situation, as we will see later.

The number of shadows depends on the underlying GQ. If this is of order (σ, σ²) with σ > 1, then tr(x, y, z) = {x, y, z}^⊥ always consists of σ + 1 points and hence sp(x, y, z) contains at most σ + 1 points. The point z is 3-regular, if |sp(x, y, z)| = σ + 1 for any triad (x, y, z) through z in G. Hence X contains s = σ + 1 shadows.

Examples of such generalized quadrangles are Q(5, q), the elliptic quadrics in PG(5, q), for every prime power q. These give rise to 3-threshold schemes with q + 1 shadows. We will discuss the security using the generalized quadrangles of order (σ, σ²). For these Equation (3.4) reads

$$ \mathrm{Prob} = \frac{\sigma - 1}{\sigma^4 - \sigma^3 + \sigma^2 - \sigma} = \frac{1}{\sigma^3 + \sigma}. \qquad (3.5) $$
If the two trustees x' and y' can work out the points of tr(x', y') they could make use of this knowledge and the relationship between a trace and its span. They take any point u in tr(x', y'), choose a line L through this point and a point g ≠ u on L. The probability that u is in tr(x, y, z) is (σ + 1)/(σ² + 1), the one for L to intersect sp(x, y, z) in a point different to x and y is (σ - 1)/(σ² - 1), while the probability that g is indeed this point is 1/σ. Assuming that the three events are independent the two disloyal trustees succeed in breaking the system with a probability of

$$ \frac{\sigma + 1}{\sigma^2 + 1} \cdot \frac{\sigma - 1}{\sigma^2 - 1} \cdot \frac{1}{\sigma} = \frac{1}{\sigma^3 + \sigma}. \qquad (3.6) $$

So all this effort has not increased their chances. An improvement of this attack can be made if one knows conditions under which a line L through u does or does not intersect sp(x, y, z) and the checking of these conditions could be done without the system knowing it. Being able to determine a correct line raises the "success rate" to (σ + 1)/(σ³ + σ). Clearly a lot of computing would have to go into such an attack. Any decrease in the security level given by (3.4) was based on the assumption that the trustees know not only their coordinates but also enough about the implementation to work out tr(x', y'). If they can do this it is also fair to assume that they can determine a point of sp(x', y') and feed the system this point. As sp(x, y, z) is contained in sp(x', y') the security now depends only on the size of sp(x', y') which is bounded above by σ² + 1. This yields a probability of

$$ \mathrm{Prob} = \frac{\sigma - 1}{|\mathrm{sp}(x', y')| - 2} \ge \frac{\sigma - 1}{\sigma^2 - 1} = \frac{1}{\sigma + 1}. \qquad (3.7) $$

Hence, if the trustees know the underlying implementation, the security level depends only on the span of x' and y' and might be unacceptable.

There is clearly no need for a trustee to know "his" shadow, but one cannot rule out the possibility that he does. There is, however, in this scheme a way to prevent the trustee from making use of his knowledge. Before the system checks the shadows for their validity it applies a secret coordinate transformation to them. So the secret datum X is not the span of the points x, y and z but of their transforms. This renders the knowledge of both tr(x', y') and sp(x', y') useless information and increases the security level to the security level given in (3.4).

3.3 Combined Schemes

Distinct threshold schemes defined on the same underlying GQ obviously give rise to (t_1, ..., t_n)-threshold schemes. Using the geometry of the GQ allows the construction of more sophisticated schemes.

Let G be a generalized quadrangle with σ > τ in which every point is regular. To construct a (1,2)*-threshold scheme we choose a triad (x, y, z) where z is not collinear with any point in sp(x, y). The condition σ > τ guarantees the existence of such triads since there are τ(σ - τ)(σ - 1) points z for every pair (x, y) of non-collinear points. As the secret datum X we select an arbitrary point of tr(x, y). Putting B_1 = sp(x, y) and B_2 = tr(X, z) we obtain a (1,2)*-threshold scheme.

To verify this we note that z is not collinear with X as (x, y) is a regular pair. The regularity of all points also implies that every triad has exactly 0, 1, or τ + 1 centres (see [7]).


Let x', y' be two shadows of B1 and z' a shadow of B2. If they form
a triad, then, in view of Axiom (iii), X is the unique centre of this triad.
If z' and, say, x' are collinear, then X is the unique point on the line
through z' and x' which is collinear with y'. Now consider the case that
two shadows are in B2 and one is in B1. The trace T of the two points in
B2 has exactly one point in common with tr(x,y), namely the point X.
This is the only point of T which is collinear with the shadow in B1.

Two non-collinear shadows, whether or not they belong to the same
class, determine a trace which contains X and τ further points. Hence
their probability to guess X is

$$\frac{1}{\tau + 1}. \qquad (3.8)$$

Even if all the trustees of one class join their forces they cannot improve
this probability. If the two shadows are collinear, then X is one of the
σ − 1 ≥ τ points on their common line. So this case gives a probability
of

$$\frac{1}{\sigma - 1} \le \frac{1}{\tau}. \qquad (3.9)$$

We note that there are no non-trivial examples known of generalized
quadrangles with σ = τ + 1. Examples which can be used are the duals
of those mentioned in the preceding section. They are of order (q², q),
where q is any prime power.

Using the same kind of implementation as before one can check that
the shadows belong to the correct classes. We store three points X, z
and w, where w is in tr(x, y). When three points together with their
respective "class numbers" are entered, the system checks that they are
collinear with the appropriate pair of the three stored points.
So we have joined two 2-threshold schemes to form a (1,2)*-threshold
scheme.

Since the system checks the entered values for the correct class, the
probability to break the system is smaller than the ones given above, if
the knowledge of X in itself is not equivalent to a compromise of the
system.
There are several ways to construct a possible third shadow. None of
these yields a better probability than trying to figure out X first and
then a "correct" shadow. So the probability in (3.8) has to be multiplied
by 1/(σ − 1) and the one given in (3.9) by 1/σ. So the chances to enter
a correct third shadow are about 1/?.
It should be mentioned that a coordinate transformation will reduce all
these probabilities to about 1 over the number of points of the GQ. So
two trustees stand no better chance than two outsiders who just know
the underlying GQ.

We conclude this section with an example involving a "supershadow".

Let (x, y, z) be a triad such that z is not in sp(x,y). Then sp(x,y)
and sp(x,z) have just the point x in common. We define three classes
B1 = {x}, B2 = sp(x,y)\{x} and B3 = sp(x,z)\{x}, and let X =
tr(x,y) ∪ tr(x,z). This yields both a (1,1,1)- and a (0,2,2)-threshold
scheme with the shadow x being more powerful than the other shad-
ows. We note that tr(x, y) and tr(x, z) intersect in a unique point u, say.
So, if every point is regular, we only need to store u and a further point in
each trace. We leave it to the reader to work out the various probabilities
to cheat the system.

Acknowledgement

The first author is indebted to the Philips Research Laboratory Brussels
for the facilities they offered during the preparation of this paper.

References

[1] T. Beth, D. Jungnickel and H. Lenz, Design Theory, Wissenschaftsverlag
Bibliographisches Institut Mannheim, 1985.

[2] A. Beutelspacher and K. Vedder, Geometric Structures as Threshold
Schemes. Proc. of the IMA Conference on Cryptography and Coding
Theory, Cirencester, Oxford Univ. Press (to appear).

[3] G. R. Blakley, Safeguarding cryptographic keys. Proceedings NCC,
AFIPS Press, Montvale, N.J., Vol. 48 (1979), 313-317.

[4] M. De Soete and J. A. Thas, A coordinatization of the generalized
quadrangles of order (s, s+2), to appear in J. C. T. (A).

[5] G. Hanssens and H. Van Maldeghem, Coordinatization of Generalized
Quadrangles, Annals of Discr. Math. 37 (1988), 195-208.

[6] D. R. Hughes and F. C. Piper, Design Theory, Cambridge University
Press, 1985.

[7] S. E. Payne and J. A. Thas, Finite generalized quadrangles, Research
Notes in Math. #110, Pitman Publ. Inc. 1984.

[8] A. Shamir, How to share a secret, Communications ACM, Vol. 22
nr. 11 (1979), 612-613.
A UNIVERSAL ALGORITHM FOR
HOMOPHONIC CODING

Christoph G. Gunther
Asea Brown Boveri
Corporate Research
CH-5405 Baden, Switzerland

ABSTRACT

This contribution describes a coding technique which transforms a stream of mes-
sage symbols with an arbitrary frequency distribution into a uniquely decodable
stream of symbols which all have the same frequency.

I. INTRODUCTION

In a Caesar cipher each letter from the alphabet {a, b, ..., z} is replaced by the
successor of the successor of its successor, i.e. the alphabet is shifted by three:
{a, b, ..., z} → {d, e, ..., c}. In general, there are 26 possible shifts, and we say
that the cipher defined by these shifts has a key size of log₂ 26 ≈ 4.7, which is
very small. If we, however, consider the set of all permutations of the alphabet
{a, b, ..., z}, we get a cipher with a key size log₂ 26! ≈ 88. This is more than
one third larger than 56, which is the key size of today's most widely used cipher
DES. Nevertheless, the cipher described is not secure for the encryption of English
plaintext. In English the letters from the alphabet occur with the frequencies
p_e ≈ 0.13, p_t ≈ 0.09, p_a ≈ 0.08, ..., and p_z ≈ 0.001 (see e.g. [1]), and therefore a
frequency analysis of the cryptogram immediately reveals the chosen permutation.
In this respect, English is neither an exception amongst the natural languages
nor amongst the technical data streams like ASCII codes or Δ-modulated speech.
All of them show statistical irregularities through unequal probabilities of the
symbols or correlations between the symbols. The above permutation cipher is
not exceptional either: it is the most general block cipher defined on an alphabet of
26 symbols.
In order to describe more accurately the weakness discussed, we consider the
uncertainty of the key, i.e. of the enciphering permutation, when n symbols or

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 405-414, 1988.
© Springer-Verlag Berlin Heidelberg 1988

blocks of symbols of the cipher text are known. This uncertainty is quantified by
the equivocation of the key k ∈ K given n cipher blocks (c_0, c_{-1}, ..., c_{-(n-1)}) ∈
C^n [2]:

$$H(k \mid c_0, c_{-1}, \dots, c_{-(n-1)}). \qquad (1)$$

The smallest n for which the key is completely determined is called the unicity
distance d. According to Shannon [2] and Hellman [3], it is given by

where T is the length over which the blocks become statistically independent and
where the basis of the logarithms involved in the definition of H is equal to the
size C of the cipher alphabet C. For English texts, Hellman [3] has estimated that

which implies

$$d \approx 1.5\, H(k). \qquad (4)$$

In the case of DES, the key is therefore completely specified by the redundancy
in the text after two cipher blocks of 64 bits each. The only property that has
so far prevented the design of efficient algorithms to break DES is the mismatch
between the statistical information and the block structure of DES.
Even if cryptography is based to a large extent on the complexity of certain
computations, unconditionally secure systems are preferable. In the present sit-
uation, unconditional security can be achieved by a suitable conditioning of the
message either by reducing its redundancy with a data compression algorithm or
by increasing its entropy in a randomisation process. The reduction of redundancy
is more attractive from a theoretical point of view. The data compression algo-
rithms known today, however, only imply a unicity distance proportional to the
size of their encoding table, which makes them practically useless for the present
purpose.
Amongst the randomisation techniques, homophonic coding seems by far the
most adequate, as was pointed out by Massey [4]. The basic idea of such a coding
is to improve the distribution of the symbols in the cipher text alphabet C towards
equidistribution by introducing a suitable number of representations for each letter
from the message alphabet M and by randomly choosing one of the representations
at each step. Such a coding was already used in 1401 by the Duke of Mantua in
his correspondence with Simeone de Crema [5] and is also well known through the
Beale ciphers [6]. An example which by its simplicity is particularly suitable to
explain this type of encoding was proposed by Massey [4]. In this example, the
message stream consists of independent, identically distributed (i.i.d.) random
variables from the alphabet M = {a, b} with the letter frequencies p_a = 3/4 and
p_b = 1/4. A homophonic code for this example is defined on the image alphabet
C = {0,1}* by

    a → 00, 01, 10 with probability 1/3 each,
    b → 11 with probability 1,                                          (5)

i.e. the message m = a is encoded at random into 00, 01, 10, with equal prob-
abilities. As a consequence of this encoding, the message source stays i.i.d. and
becomes equidistributed, and the unicity distance skips from d = 5.3 H(k) to
infinity if at least two keys are used.
A similar approach can in principle be chosen for every rational frequency
distribution. In general, this will however lead to an enormous data expansion.
Furthermore, the frequency distribution completely specifies the cipher text alpha-
bet in this scheme. Both disadvantages are avoided in the systematic approach we
shall adopt now.

II. DESCRIPTION OF THE ALGORITHM

The homophonic code defined in equation (5) contains two essential elements, an
encoding table, i.e. the association of the symbols 00, 01 and 10 with the letter
a and the association of the symbol 11 with the letter b, and an encoding rule
which states that each representation of a letter has to be chosen with equal
probability. The construction of these two elements forms the main steps in the
universal algorithm. In order to get an idea of the general form of these elements,
we observe that the following mapping also defines a homophonic code for the
above example:

    a → 0 with probability 2/3,
        10 with probability 1/3,
    b → 11 with probability 1.

This mapping causes a smaller data expansion than the previous one. The mapping
itself is obtained by noting that the second bit in the strings 00 and 01 of equation
(5) neither carries information nor contributes to the equidistribution. The
mapping can be interpreted as follows: if a 0 is transmitted it is to represent an a,
if a 1 is transmitted it is not to represent any letter but just to tell the decoder to
wait for the next symbol in order to determine the information transmitted. With
this interpretation the encoding table can be rewritten as two tables (see Figure
1) with π denoting the prefix symbol, i.e. the symbol which tells the decoder to
wait and to decode the next symbol according to table T(2):

Figure 1: The encoding tables T(1), T(2) for the example M = {a, b}, C = {0, 1},
p_a = 3/4 and p_b = 1/4.

This form of the encoding table immediately suggests the association with a bi-
nary, or more generally with a C-ary representation of the frequency distribution
{p_α}_{α∈M}. And the two objectives of having a number of representations of the
letters in the encoding tables which is proportional to the probability of that letter
and of having at least one letter represented in each table together with the above
association lead to the following general construction of the encoding tables:

Initialisation:

Construction of the i-th table T(i):

a) The dimension κ_i of the table T(i) is determined by

b) A number n_α^(i) := ⌊C^{κ_i} p_α^(i−1)⌋ of symbols ρ_α^{(i,1)}, ..., ρ_α^{(i,n_α^(i))} ∈ C^{κ_i} is chosen to
represent the letter α in table T(i).

c) The remaining n^(i) := C^{κ_i} − Σ_{α∈M} n_α^(i) symbols π^{(i,1)}, ..., π^{(i,n^(i))} ∈ C^{κ_i} are
chosen as prefix symbols.

Computation of p_α^(i) and loop control:

If n^(i) = 0, the construction is completed. If n^(i) ≠ 0, the new probability
distribution is determined by

i is incremented by one and the next table is constructed.

The encoding tables for the slightly more complex example M = {a, b, c}, C =
{0, 1} and p_a = 5/12, p_b = 1/3 and p_c = 1/4 are shown in Figure 2.

Figure 2: The encoding tables for the example M = {a, b, c}, C = {0, 1} and
p_a = 5/12, p_b = 1/3, p_c = 1/4. The first table has size C² = 4 as, due to
p_α < 1/2 ∀α ∈ M, no letter can be represented in a table of size C = 2.
The symbols in the dark areas represent the letter a. The symbols in
the pale areas are prefix symbols which are used in the representation of
several letters. The codewords 00, 110, 11110, 1111110, ... all repre-
sent the letter a.

The number of tables generated in this example is infinite. However, only three of
these tables are truly different (T(2n) = T(2), T(2n+1) = T(3) ∀ n ≥ 1). The parti-
tion of the interval [0, 1) induced by the probability distribution {p_a, p_b, p_c}, which
is represented in Figure 2, is useful for the construction of the tables themselves
and also for the formulation of the encoding rule. If an a is to be encoded, the rule
for the first symbol reads: choose at random a number r in the interval [0, 5/12); if
r < 1/4 transmit the symbol 00, if r ≥ 1/4 transmit the symbol 11 and encode a using
the next table. This rule is symbolically represented in Figure 3:

Figure 3: Symbolic representation of the first step in the encoding of a. A number
r is chosen randomly according to the distribution p(r|m=a). If r < 1/4
the symbol 00 is transmitted and the encoding ends, else the symbol 11
is transmitted and further steps are needed to transmit the letter a to
the receiver.

With these considerations in mind, it is no longer difficult to derive the general
encoding algorithm:

a) Read a new symbol α ∈ M from the data stream.
b) Set i = 1.
c) Choose a random number r ∈ [0, p_α^(i−1)).
d) If C^{κ_i} r ≤ n_α^(i), transmit ρ_α^{(i, ⌈C^{κ_i} r⌉)} and go to a);
   if C^{κ_i} r > n_α^(i), transmit π^{(i, ⌈C^{κ_i} r − n_α^(i)⌉)}, increment i by one and go to c).

The effect of this algorithm is to combine the message source and the randomness
from homophonic coding such that all symbols 00, 01, 10 and 11, and a fortiori
0 and 1, become equally likely. This does not only hold for the first step but for
every one, which immediately implies the statistical independence of the output
stream if the symbols from the source are statistically independent. With these
remarks, the proof of the following theorem is easy:
Theorem 1: If a message source generates a sequence of i.i.d. variables but
with unequal letter probabilities, then the sequence obtained by applying the
universal homophonic coding algorithm is i.i.d. and has equal letter probabil-
ities.
Many sources are modelled more accurately by a Markovian process with finite
memory. For them the following theorem applies:
Theorem 2: If the message source can be described by a Markovian process
with finite memory τ, then the sequence obtained by applying the universal
homophonic coding algorithm, with the probability distribution {p_α}_{α∈M} re-
placed by the conditional probability distribution
{p_{α|α_{-1},...,α_{-τ}}}_{α; α_{-1},...,α_{-τ} ∈ M}, is i.i.d. and has equal letter probabilities.
In both cases we thus have perfect statistical properties and therefore an infinite
unicity distance.
So far the homophonic coding algorithm has been described without taking its
practical aspects into consideration. Amongst these, the two most important ones
are the termination conditions for the table construction and the data expansion.

III. TERMINATION OF THE TABLE CONSTRUCTION

Two simple conditions for the termination of the table construction are obtained
from the observation that the algorithm induces the following representation of
the probabilities p_α:

with

This is a special form of a C-ary expansion and therefore easily implies:

Lemma 3: a. If all probabilities have a finite C-ary expansion, the table
construction stops.
b. If all probabilities are rational, the sequence of constructed
tables becomes ultimately periodic.
Condition b is a termination condition as only a finite number of tables needs to
be determined and stored. So in all practical situations the table construction
terminates, but possibly only after a very large number of tables.

In applications, a given key is only used for a finite message length and cor-
respondingly the unicity distance does not need to be larger than this length.
Therefore, we can tolerate a deviation of the probabilities q_γ of the cipher symbol
γ from its ideal value and restrict the algorithm to a maximum of say I + 1
tables. If this is done by constructing I tables according to the algorithm of Sec-
tion II and by adding one table, which contains a representation for every symbol
α ∈ M with p_α^(I) > 0, the probability q_γ of the symbol γ ∈ C is given by:

where ν_γ is the frequency of the symbol γ in table T(I+1), where M is the size of
the alphabet M, where κ_{I+1} is the dimension of that table, and where λ_I is given
by

In this expression, the error q_γ − 1/C converges exponentially to zero for I → ∞ and
the Taylor expansion of the entropy therefore implies an exponential increase of
the unicity distance with the table size I.

IV. DATA EXPANSION

From the description in Section II it is rather obvious that the algorithm will
change the data rate. In some singular cases in which the distribution is concen-
trated on a few symbols, this change can be a lowering of the rate. In the example
M = {a, b, c, d}, p_a = 3/4, p_b = 1/8, p_c = 1/16, p_d = 1/16, and C = {0, 1} the compres-
sion factor is 15/16. In the generic case this change will, however, be an expansion
and it is very important to have some information on how large this expansion
will be.
Theorem 4: The ratio λ of the output rate divided by the input rate of the
homophonic coding algorithm is

In this theorem we have taken to our disadvantage the value log_C M for the input
rate (instead of ⌈log_C M⌉) in order not to overestimate the mismatch between
the usual alphabet {a, b, ..., z} and the technically relevant binary alphabet. For
M ≤ C we have the following general result:
Lemma 5: a. If M ≤ C, the data expansion λ is bounded by

$$\lambda \le C \cdot \log_M C.$$

b. For M = C = 2 or 3, the distribution p_j given in (7)
has a data expansion λ = C · log_M C.
The proof of this lemma follows easily from the observation that κ_i = 1 and
n^(i) ≤ C − 1 if M ≤ C. Unfortunately, the lemma is too weak for most applications.

Therefore, we have estimated the average value of λ, with the average taken
over all probability distributions. For M ≤ C we have obtained

A Monte Carlo simulation has confirmed this estimate and has provided the fol-
lowing results for the relevant cases M = 27 (usual alphabet with blank) and
C = 2, 4, 8, 16, 32, 64, 128, 256 (the error of λ is ≤ 0.1):

    C   =  2    4    8    16   32   64   128  256
    ⟨λ⟩ = 2.7  2.4  1.9  2.4  1.7  1.7  1.6  1.8

Finally, we have also computed λ for the frequency distribution of letters in English
texts, as taken from Beker and Piper [1] (the error of λ is ≤ 0.1):

    C   =  2    4    8    16   32   64   128  256
    λ   = 2.7  2.3  2.0  2.3  1.6  1.5  1.6  1.8

If we compare this with the above results we see that English is quite typical.
Furthermore, we note that a suitable choice of the alphabet size C can considerably
reduce the data expansion. This indicates that our simple rule for the choice of the
dimension κ_i of table T(i) was not optimal and that it can be further improved.
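The table construction and encoding rule of Section II together with the rate computation of Section IV, as an added Python example that is not part of the paper: it builds the tables for the page's M = {a, b, c} and M = {a, b, c, d} distributions, encodes and decodes with them, and computes the exact expected number of output symbols per letter (λ follows on dividing by log_C M). The layout of codewords inside a table, the restriction C ≤ 10 and the even spreading of a letter's leftover mass over several prefix symbols are assumptions of this code, not statements of the paper.

```python
from fractions import Fraction
import random

# Added example, not the paper's own code: Section II's table construction and
# encoding rule with exact rational arithmetic, plus the expected output length
# behind Section IV's rate ratio.  Assumptions: C <= 10 (codewords are digit
# strings), letters take the lowest codewords of a table and prefix symbols the
# highest, and a letter's leftover mass is spread evenly over the prefix symbols.

def word(index, C, kappa):
    return ''.join(str(index // C ** j % C) for j in reversed(range(kappa)))

def build_tables(probs, C):
    """Tables T(1), T(2), ...: each records kappa, the distribution p^(i-1) it was
    built from, the counts n_a, each letter's representatives and the prefix
    symbols.  nxt[i] is the table reached through a prefix symbol of table i; by
    Lemma 3b a rational distribution makes the sequence ultimately periodic, so a
    repeated distribution closes a cycle instead of adding tables forever."""
    p = {a: Fraction(v) for a, v in probs.items()}
    tables, nxt, seen = [], [], {}
    while True:
        key = tuple(sorted(p.items()))
        if key in seen:                          # same distribution as table seen[key]
            nxt[-1] = seen[key]
            return tables, nxt
        seen[key] = len(tables)
        kappa = 1                                # a) smallest size holding some letter
        while all(int(C ** kappa * q) < 1 for q in p.values()):
            kappa += 1
        size = C ** kappa
        n = {a: int(size * q) for a, q in p.items()}       # b) floor(C^kappa p_a)
        n_prefix = size - sum(n.values())                  # c) the rest are prefixes
        rep, index = {}, 0
        for a in sorted(p):
            rep[a] = [word(index + j, C, kappa) for j in range(n[a])]
            index += n[a]
        prefix = [word(index + j, C, kappa) for j in range(n_prefix)]
        tables.append({'kappa': kappa, 'p': p, 'n': n, 'rep': rep, 'prefix': prefix})
        nxt.append(len(tables))                  # provisional: the table built next
        if n_prefix == 0:                        # loop control: construction completed
            nxt[-1] = None
            return tables, nxt
        p = {a: (size * q - n[a]) / n_prefix for a, q in p.items()}   # p^(i)

def encode(message, probs, C, rng=random):
    """Steps a)-d): draw r in [0, p_a^(i-1)); if C^kappa r falls below n_a one of
    the letter's representatives is sent, otherwise a prefix symbol, and the next
    table is used for the same letter."""
    tables, nxt = build_tables(probs, C)
    out = []
    for a in message:
        t = 0
        while True:
            T = tables[t]
            size, pa, na = C ** T['kappa'], T['p'][a], T['n'][a]
            slot = size * pa * Fraction(rng.getrandbits(53), 2 ** 53)   # C^kappa * r
            if slot < na:
                out.append(T['rep'][a][int(slot)])
                break
            out.append(T['prefix'][int(len(T['prefix']) * (slot - na) / (size * pa - na))])
            t = nxt[t]
    return ''.join(out)

def decode(stream, probs, C):
    """Read kappa_i symbols and look them up in T(i): a prefix symbol defers to the
    next table, anything else is a letter.  Raises on a truncated or invalid stream."""
    tables, nxt = build_tables(probs, C)
    out, pos, t = [], 0, 0
    while pos < len(stream):
        T = tables[t]
        w, pos = stream[pos:pos + T['kappa']], pos + T['kappa']
        letters = {x: a for a, xs in T['rep'].items() for x in xs}
        if w in letters:
            out.append(letters[w])
            t = 0
        elif w in T['prefix']:
            t = nxt[t]
        else:
            raise ValueError('truncated or invalid stream')
    if t != 0:
        raise ValueError('stream ends inside a codeword')
    return ''.join(out)

def expected_length(probs, C):
    """Exact expected number of output symbols per input letter (Section IV's ratio
    is this divided by log_C |M|): follow each letter through the tables with
    L(t) = kappa_t + f_t L(nxt[t]); a revisited table gives a geometric series."""
    tables, nxt = build_tables(probs, C)
    total = Fraction(0)
    for a, pa in probs.items():
        A, B, t, seen = Fraction(0), Fraction(1), 0, {}     # L(first) = A + B * L(t)
        while t is not None and t not in seen:
            seen[t] = (A, B)
            T = tables[t]
            mass = C ** T['kappa'] * T['p'][a]              # C^kappa p_a = n_a + f_a
            f = (mass - T['n'][a]) / mass                   # P(prefix | letter a, table t)
            A, B = A + B * T['kappa'], B * f
            t = nxt[t] if f else None
        if t is not None:                                   # cycle: A0 + B0 L = A + B L
            A0, B0 = seen[t]
            A = A0 + B0 * (A - A0) / (B0 - B)
        total += Fraction(pa) * A
    return total
```

For the page's three-letter example the expected length comes out as 5/2 symbols per letter, and for the four-letter example as 15/8, i.e. the compression factor 15/16 quoted in Section IV.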

V. CONCLUSION
In the present contribution we have shown that homophonic coding is an effi-
cient precoding, suitable to increase the unicity distance of a cipher to any required
length. Furthermore, even if only the lower order correlations are smoothed out,
attacks on the higher order dependencies become practically infeasible due to the
variable length of the codewords. The additional random data transmitted causes
a data expansion by a factor of roughly two. It can, however, be used to further
strengthen the system by suitably randomising the cipher applied to the precoded
data. Finally, we note that the described precoding can, after some small modi-
fications, be run in an adaptive way. Homophonic coding is thus highly adequate
to substantially increase the strength of ciphers in most applications.

ACKNOWLEDGMENT

I would like to thank Professor James L. Massey for his continuous interest and
support.

REFERENCES

[1] H. Beker, F. Piper, Cipher Systems, The Protection of Communications,
Northwood Books, London (1982).
[2] C. E. Shannon, "Communication theory and secrecy systems," Bell System
Tech. J., vol. 28, pp. 636-715 (1949).
[3] M. E. Hellman, "An extension of the Shannon theory approach to cryptogra-
phy," IEEE Trans. on Inform. Theory, vol. IT-23, pp. 289-294 (May 1977).
[4] J. L. Massey, "On probabilistic encipherment," 1987 IEEE Information The-
ory Workshop, Bellagio (Italy).
[5] D. Kahn, The Codebreakers, The Story of Secret Writing, Weidenfeld and
Nicolson, London (1966).
[6] "The Beale Ciphers", The Beale Cipher Assoc., Medfield, Mass. (1978).
A NEW PROBABILISTIC ENCRYPTION SCHEME

He Jingmin and Lu Kaicheng

Dept. of Computer Science, Tsinghua University
Beijing, People's Republic of China

Abstract. In this paper we present a new probabilistic public key cryptosystem.
The system is polynomially secure. Furthermore, it is highly efficient in that its
message expansion is 1 + (k−1)/l, where k is the security parameter and l the length
of the encrypted message. Finally, the system can be used for digital signatures.

1. Introduction

The most important problem in modern cryptography is how to encrypt messages in
a secure and efficient way. Here two things are of equal importance: security and ef-
ficiency. Up to now three different notions of security have been proposed: Goldwasser
and Micali's polynomial security, semantic security [1], and Y-security introduced
by Yao [2]. Micali et al. ([3]) have pointed out that these three notions are essen-
tially equivalent. In this paper we'll adopt the notion of polynomial security. As
to the efficiency, it usually means the encrypting and decrypting time and the mes-
sage expansion.
The earliest public key cryptosystem is RSA [4]. RSA is highly efficient be-
cause its message expansion is about one (the smallest possible value). However, its
security remains to be proven. Actually RSA is a deterministic cryptosystem and can't
be secure according to [1]. In another direction, Goldwasser and Micali [1] presented
the first probabilistic encryption scheme whose polynomial security is rigorously
proven. But their scheme is not efficient at all. They encrypt every bit of the mess-
age independently, so the message expansion is k (the security parameter) and this
makes the scheme of no practical value.
In this paper we are concerned with both security and efficiency. We present a new "random
iterative encryption scheme" which can achieve both polynomial security and high
efficiency. The idea is simple: we randomly and iteratively encrypt the plaintext bit
by bit. In this way we can get a secure public key cryptosystem with a low message
expansion of 1 + (k−1)/l, where l is the length of the plaintext and k the security par-

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 415-418, 1988.
© Springer-Verlag Berlin Heidelberg 1988

ameter. A further fortunate property is that the new scheme can be used to sign digital
signatures, which seems impossible in the schemes of [1], [5] and [6].
Remark: Blum and Goldwasser have presented another secure probabilistic encryp-
tion method with a message expansion of 1 + k/l. Their method is similar to that of
Blum et al. ([5]), in which the plaintext is exclusive-ored with a sequence of the same
length generated by a pseudo-random number generator. For the details see [5] and [6].

2. Background

Let N denote the set of positive integers and n ∈ N. Let Z_n^* = {x | 1 ≤ x < n and
(x,n) = 1}, Z_n^1 = {x | 1 ≤ x ≤ n and (x/n) = 1}, where (x/n) is the Jacobi symbol of
x mod n. The symbol |n| denotes the binary length of n.
Let Q be a predicate defined on Z_n^1 such that Q(x) = 1 iff x is a quadratic re-
sidue mod n. Let H_k denote the set of "hard composite integers", i.e., H_k = {n | n = pq,
where p and q are distinct primes such that |p| = |q| = k}.
The security of our scheme is based on the quadratic residuosity assumption (QRA).
From QRA Goldwasser and Micali have proven the following.
Lemma 1 ([1]). Under QRA, the predicate Q defined on Z_n^1 is unapproximable by any
circuit of polynomial size even if some quadratic nonresidues mod n are known. (Recall
that a circuit C ε-approximates a predicate Q: B → {0,1} if C(x) = Q(x) for at least a
fraction 1/2 + ε of the x ∈ B.)
Let J_n = {x | 1 ≤ x ≤ n/2 and (x/n) = 1}. Let QR_n denote the set of quadratic residues mod
n. It is easy to prove the following
Lemma 2. Let n = pq where p and q are distinct primes such that p ≡ q ≡ 3 mod 4. Then
each z ∈ QR_n has exactly one square root that is in J_n and we denote this root by sqr(z).
We point out that Lemma 1 will still hold when Q defined on Z_n^1 is restricted to
J_n, and we still call the result Lemma 1.

3. The New Encryption Scheme

Let n = pq as in Lemma 2. Let y be a quadratic nonresidue mod n. Now we introduce
a function E_n as follows:
E_n: J_n × {0,1} → J_n × {0,1}
E_n(x,0) = (x² mod n, 0) if x² mod n < n/2,
        = (−x² mod n, 1) otherwise.
E_n(x,1) = (x²y mod n, 0) if x²y mod n < n/2,
        = (−x²y mod n, 1) otherwise.
From Lemma 2 we know that E_n is invertible. The inverse of E_n is denoted by D_n and
can be specified as follows:
D_n: J_n × {0,1} → J_n × {0,1}
D_n(z, j) = (sqr(z), 0) if j = 0 and z ∈ QR_n,
          = (sqr(zy⁻¹), 1) if j = 0 and z ∉ QR_n,
          = (sqr(−zy⁻¹), 1) if j = 1 and z ∈ QR_n,
          = (sqr(−z), 0) if j = 1 and z ∉ QR_n.
For convenience we denote the first and second components of E_n(x,i) by E_n^1(x,i) and
E_n^2(x,i) respectively.
For any positive integer l, E_n can be generalized as follows:
E_n: J_n × {0,1}^l → J_n × {0,1}^l
E_n(x, m_1...m_l) = (x_l, b_1...b_l)
where
x_0 = x,
x_i = E_n^1(x_{i−1}, m_i),
b_i = E_n^2(x_{i−1}, m_i),
i = 1, 2, ..., l.
The generalized E_n is also invertible and its inverse is still denoted by D_n.
Now let k (an even number) be the security parameter. The new probabilistic pub-
lic key cryptosystem works as follows:
(1) it randomly selects two distinct primes p and q such that p ≡ q ≡ 3 mod 4 and
|p| = |q| = k/2,
(2) sets n = pq,
(3) picks y, a quadratic nonresidue mod n, and finally,
(4) outputs (n,y) and {p,q}.
Some user, say A, publicizes the pair (n, y) and keeps secret the pair {p,q}.
Encryption: Suppose some user B wants to send a binary message m = m_1...m_l to
A. Then he encrypts m as follows:
(1) Randomly selects an x ∈ J_n and sets z = x.
(2) Performs step (3) for i = 1, 2, ..., l.
(3) (z, b_i) := E_n(z, m_i).
(4) Sends A the ciphertext E_n(x,m) = (z, b_1...b_l).
Encrypting an l-bit long message m takes O(lk²) time, and m is transformed into
an (l+k−1)-bit long ciphertext. So the message expansion is 1 + (k−1)/l which is much
less than k (the message expansion of Goldwasser and Micali's scheme).
Decryption: Upon receiving the ciphertext (z, b_1...b_l), user A decrypts it as
follows:
(1) Performs step (2) for i = l, l−1, ..., 1.
(2) (z, m_i) := D_n(z, b_i).
(3) Gets the message m = m_1...m_l.
Recovering m (|m| = l) from its ciphertext takes O(lk³) time.
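The functions E_n and D_n and the encryption and decryption procedures above, as an added Python example that is not the authors' code. The toy primes 1019 and 1031 (both ≡ 3 mod 4), the Jacobi-symbol routine and the choice of y as a non-residue modulo both p and q (so that (y/n) = 1 and x²y mod n stays in J_n) are assumptions of this example; real keys need primes of the security parameter's size.

```python
import random

# Added example, not the authors' code: the random iterative scheme of Section 3 on a
# constructed toy modulus.  The primes are far too small for real use and are chosen
# only so that the four cases of E_n and D_n can be exercised quickly.

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0 (standard quadratic-reciprocity loop)."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def keygen(p, q, rng):
    """Steps (1)-(4) with p, q supplied: p = q = 3 (mod 4), n = pq, and y a quadratic
    non-residue mod n.  y is taken as a non-residue modulo both p and q so that
    (y/n) = 1 and x^2 y mod n stays inside J_n (assumption of this example)."""
    assert p != q and p % 4 == 3 and q % 4 == 3
    n = p * q
    while True:
        y = rng.randrange(2, n)
        if pow(y, (p - 1) // 2, p) == p - 1 and pow(y, (q - 1) // 2, q) == q - 1:
            return (n, y), (p, q)

def in_J(x, n):
    """J_n = { x : 1 <= x <= n/2 and (x/n) = 1 }."""
    return 1 <= x <= n // 2 and jacobi(x, n) == 1

def random_J(n, rng):
    while True:
        x = rng.randrange(1, n // 2 + 1)
        if jacobi(x, n) == 1:
            return x

def E(pub, x, bit):
    """E_n(x, i): square x (times y for a 1-bit); if the result exceeds n/2 negate it
    and report that in the second component."""
    n, y = pub
    t = x * x % n
    if bit:
        t = t * y % n
    return (t, 0) if t <= n // 2 else (n - t, 1)

def is_QR(priv, z):
    p, q = priv
    return pow(z, (p - 1) // 2, p) == 1 and pow(z, (q - 1) // 2, q) == 1

def sqr(priv, z):
    """Lemma 2: the unique square root of z in QR_n that lies in J_n.  Roots mod p and q
    come from z^((p+1)/4) (valid as p = 3 mod 4) and are combined by the CRT."""
    p, q = priv
    n, qinv = p * q, pow(q, -1, p)
    rp, rq = pow(z, (p + 1) // 4, p), pow(z, (q + 1) // 4, q)
    for sp in (rp, p - rp):
        for sq in (rq, q - rq):
            r = (sq + q * ((sp - sq) * qinv % p)) % n
            if in_J(r, n):
                return r
    raise ValueError('z is not a quadratic residue mod n')

def D(pub, priv, z, j):
    """D_n(z, j): j and the residuosity of z identify which branch of E_n produced z."""
    n, y = pub
    yinv = pow(y, -1, n)
    if j == 0:
        return (sqr(priv, z), 0) if is_QR(priv, z) else (sqr(priv, z * yinv % n), 1)
    if is_QR(priv, z):
        return (sqr(priv, (n - z) * yinv % n), 1)     # z = -x^2 y mod n
    return (sqr(priv, n - z), 0)                        # z = -x^2 mod n

def encrypt(pub, bits, rng):
    """Encryption (1)-(4): l squarings; the ciphertext (z, b_1 ... b_l) is l + k - 1 bits."""
    x = z = random_J(pub[0], rng)
    b = []
    for m in bits:
        z, bi = E(pub, z, m)
        b.append(bi)
    return x, (z, b)

def decrypt(pub, priv, cipher):
    """Decryption (1)-(3): undo the steps in the order i = l, l-1, ..., 1."""
    z, b = cipher
    bits = []
    for bi in reversed(b):
        z, mi = D(pub, priv, z, bi)
        bits.append(mi)
    return z, bits[::-1]
```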
Using the proof techniques in [3] and [6], we can prove the following
Theorem. The cryptosystem introduced above is polynomially secure.
Proof. The proof is tedious and long and is omitted here.

4. Applications

To sign a message m, we randomly select an x ∈ J_n and form
S(m) = (m, D_n(x,m)).
S(m) will be the signature of m. Of course this simple signature is not strong. By
computing E_n(z,b) = (x,m), the forger can easily forge the signature of an (unpredict-
able) message m. This is the so-called "chosen signature attack" and can be prevented
in several ways. One way is as follows: randomly select x, y ∈ J_n, x ≠ y, and let S(m) = (m,
D_n(x,m), D_n(y,m)). This time forging the signature of even an unpredictable message
m requires finding w, z ∈ J_n, b, b' ∈ {0,1}*, such that E_n(w,b) = E_n(z,b'), and this seems
impossible.
Note that in the above mentioned signature scheme, the signature of m_1...m_i or
m_i...m_l for any i (1 ≤ i ≤ l) can be easily obtained when the signature of m_1...m_l is
known. But we may avoid this danger by letting, for example,
S(m_1...m_l) = (m_1...m_l, D_n(x, m_1...m_l), D_n(y, m_{l/2+1}...m_l m_1...m_{l/2})).
Clearly various signature schemes can be devised based on our new public key crypto-
system. We leave the open problem of implementing a concrete signature scheme, to-
gether with a rigorous security proof.

References

[1] S. Goldwasser and S. Micali, Probabilistic encryption, Journal of Computer and
System Sciences 28 (1984), 270-299.
[2] A. Yao, Theory and application of trapdoor functions, Proceedings of the 23rd
Annual Symposium on Foundations of Computer Science, 1982, 80-91.
[3] S. Micali, C. Rackoff, and B. Sloan, The notion of security for probabilistic cry-
ptosystems, CRYPTO 86, 31.
[4] R. Rivest, A. Shamir, and L. Adleman, A method for obtaining digital signatures and
public key cryptosystems, Comm. ACM, 21 (1978), 120-126.
[5] M. Blum and S. Goldwasser, An efficient probabilistic public-key encryption scheme
which hides all partial information, CRYPTO 84, 289-299.
[6] L. Blum, M. Blum, and M. Shub, A simple unpredictable pseudo-random number generator,
SIAM J. Computing, 15:2, 1986, 364-383.
PUBLIC QUADRATIC POLYNOMIAL-TUPLES
FOR EFFICIENT SIGNATURE-VERIFICATION
AND MESSAGE-ENCRYPTION

Tsutomu Matsumoto

Hideki Imai

Division of Electrical and Computer Engineering
YOKOHAMA NATIONAL UNIVERSITY
156 Tokiwadai, Hodogaya, Yokohama, 240 Japan

Abstract This paper discusses an asymmetric cryptosystem C* which
consists of public transformations of complexity O(m²n³) and secret
transformations of complexity O((mn)²(m + log n)), where each complex-
ity is measured in the total number of bit-operations for processing an
mn-bit message block. Each public key of C* is an n-tuple of quadratic
n-variate polynomials over GF(2^m) and can be used for both verifying
signatures and encrypting plaintexts. This paper also shows that for C*
it is practically infeasible to extract the n-tuple of n-variate polynomials
representing the inverse of the corresponding public key.

I. INTRODUCTION
With the aid of public-key cryptography, how much computation is
sufficient to keep the authenticity and the confidentiality of digital data?
Reducing the computational complexity implies wider and deeper uti-
lization of the fascinating nature of public-key cryptography. This paper
gives an answer to this challenging question by constructing an asymmet-
ric cryptosystem C* (called c-star) which consists of public transforma-
tions of complexity O(m²n³) and secret transformations of complexity
O((mn)²(m + log n)), where each complexity is measured in the total
number of bit-operations for processing a message block of mn bits.
Each public key of C* is an n-tuple

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 419-453, 1988.
© Springer-Verlag Berlin Heidelberg 1988

of quadratic n-variate polynomials over K = GF(2^m), and the corre-
sponding public transformation translates a message block ξ ∈ K^n into
another message block η ∈ K^n, by evaluating F at ξ. Here the term
"quadratic polynomials" means "polynomials of degree 2", and the de-
gree deg(P) of a polynomial

$$P(x_0, \dots, x_{n-1}) = \sum \bigl\{\, p_{i_0 \cdots i_{n-1}}\, x_0^{i_0} \cdots x_{n-1}^{i_{n-1}} \;\big|\; i_0, \dots, i_{n-1} \ge 0 \,\bigr\}$$

is determined by

On the other hand, Fell and Diffie [6] have proposed an approach
of combining DES-like structure into multivariate polynomials and con-
cluded that their approach seems not to produce polynomial-tuples sat-
isfying the request (2) since the degrees of the original and the inverse
polynomial-tuple are the same. Here, the degree deg(Q) of a polynomial-
tuple Q = [Q^(0), ..., Q^(t−1)] is defined as max{deg(Q^(j)) | j = 0, ..., t−1}.
Also, Zhou [...] has proposed a cryptosystem using polynomial-tuples
over GF(2) constructed by a method similar to Fell's and Diffie's.
However, at least by the method due to Matsumoto et al. it is possi-
ble to systematically construct low-degree multivariate polynomial-tuples
whose inverse polynomial-tuples have very high degree. Actually, this pa-
per shows that for C* it is practically infeasible to extract the n-tuple
G of n-variate polynomials representing the inverse of the corresponding
public key F.
In the following, Chapter II describes the definition of the asymmet-
ric cryptosystem C* and three important theorems for it. Chapter III
develops concrete algorithms for implementing C* and proves Theorem
2, which states the operational complexity of C*. Chapter IV describes
the process of deriving C* and proves both Theorem 1, which states the
consistency of the definition of C*, and Theorem 3, which guarantees a
certain security aspect of C*. And Chapter V concludes the paper.

II. THE PROPOSED ASYMMETRIC CRYPTOSYSTEM

Definition 1. The asymmetric cryptosystem C* is defined by the following
public items P1, ..., P5 and secret items S1, ..., S4.
[Public Items]
P1. A positive integer m and an integer n ≥ 3, but n ≠ 4;
P2. A finite field K of order q = 2^m with an adder and a multiplier;
P3. The set of message blocks K^n, which is the n-dimensional vector
space consisting of all n-tuples over K;
P4. Each public key is an n-tuple F of quadratic n-variate polynomials
over K;
P5. The public transformation algorithm PA, which transforms a message
block ξ ∈ K^n into another message block η = PA(F, ξ) ∈ K^n
by evaluating F at ξ.

[Secret Items]
S1. A v-degree extension field L_(v) of K and a K-isomorphism ψ_(v) from
K^v to L_(v) for each integer v = (2λ + 1)2^ρ with λ ≥ 1 and ρ ≥ 0;
S2. Each secret key is a tuple Γ = [S_R, T_R, π, Θ]:
S2-1. Two n-tuples S_R and T_R of n-variate polynomials of degree one
over K, representing affine bijections s^{-1} and t^{-1} on K^n;
S2-2. A partition π = [n_1, ..., n_d] of the integer n such that

$$n = n_1 + n_2 + \cdots + n_d,$$

where d ≥ 1 and n_i = (2λ_i + 1)2^{ρ_i} with λ_i ≥ 1 and ρ_i ≥ 0;
S2-3. The π determines a bijection p : K^n → K^{n_1} × ··· × K^{n_d},
p = [p_1, ..., p_d], and projections p_i : K^n → K^{n_i},
p_i([x_0, ..., x_{n-1}]) = [x_{a_{i-1}}, ..., x_{a_i - 1}], where a_i = Σ_{j=1}^{i} n_j
(a_0 = 0);
S2-4. A tuple Θ = [θ_1, ..., θ_d] of positive integers, where θ_i = b_i 2^{ρ_i}
with 1 ≤ b_i ≤ λ_i;
S3. The structure of the public key: F represents the composite function
f : K^n → K^n,

$$f = t \circ p^{-1} \circ [\psi_{(n_1)}^{-1}, \ldots, \psi_{(n_d)}^{-1}] \circ [e_1, \ldots, e_d] \circ [\psi_{(n_1)}, \ldots, \psi_{(n_d)}] \circ p \circ s,$$

where e_i is the bijection on L_(n_i) given by e_i(x) = x^{h_i} with h_i = 1 + q^{θ_i}
(see step (i-2) below and (15) in Section IV-4);
S4. The secret transformation algorithm SA, which outputs ξ = SA(Γ, η):

step 1 {Affine transformation}: Evaluate T_R at η ∈ K^n to obtain
v = T_R(η) ∈ K^n;
step 2 {Separation}: Compute p_1(v) ∈ K^{n_1}, ..., p_d(v) ∈ K^{n_d} from
v ∈ K^n, i.e., split up a tuple of length n into d subtuples of
lengths n_1, ..., n_d;
step 3 Execute the following steps for i = 1 to d:
(i-1) {Decoding}: According to the base of L_(n_i) determined by the
K-isomorphism ψ_(n_i), translate the n_i-tuple p_i(v) into an element
z_i = ψ_(n_i)(p_i(v)) of L_(n_i);
(i-2) {Powering}: Compute

$$w_i = z_i^{\bar h_i} \in L_{(n_i)}$$

from z_i ∈ L_(n_i), where \bar h_i is the multiplicative inverse of h_i =
1 + q^{θ_i} modulo q^{n_i} − 1;
(i-3) {Encoding}: Compute the vector-representation ψ_(n_i)^{-1}(w_i) ∈
K^{n_i} of w_i ∈ L_(n_i);
step 4 {Concatenation}: Compute

$$u = p^{-1}\big(\psi_{(n_1)}^{-1}(w_1), \ldots, \psi_{(n_d)}^{-1}(w_d)\big) \in K^n,$$

i.e., concatenate d subtuples of lengths n_1, ..., n_d into a tuple of
length n;
step 5 {Affine transformation}: Evaluate S_R at u ∈ K^n to obtain
ξ = S_R(u) ∈ K^n.

The validity of Definition 1 is checked and summarized as the following
theorem.

Theorem 1. For every appropriate pair [F, Γ] of keys of C*,

$$PA(F, SA(\Gamma, \eta)) = \eta \quad \text{for any } \eta \in K^n,$$

$$SA(\Gamma, PA(F, \xi)) = \xi \quad \text{for any } \xi \in K^n.$$

(Proof) See Chapter IV.

We can develop concrete algorithms for C* and have the

Theorem 2. The size of a message block S_MB = mn [bit].
The description length of
- a secret key = D_SK ≈ 2mn^2 [bit]
- a public key = D_PK ≈ ½mn^3 [bit]

The circuit-size complexity (measured in the number of GF(2)-operations
for one message block) of
- the secret key generation = C_SKG = O(m^2 n^2)
- the public key generation = C_PKG = O(m^2 n^4)
- the secret transformation = C_SA = O(m^2 n^2 (m + log n))
  ( = O(m^2 n(m + n)) if n = O(d) )
- the public transformation = C_PA = O(m^2 n^3)
  ( = O(m^2 n^{2+ε}), (0 < ε ≤ 1), if n blocks are transformed at a time).
(Proof) See Chapter III.

Suppose that P is an n'-tuple of n-variate polynomials. Define a
function τ_up by

$$\tau_{up}(P) = n' \binom{n + \deg(P)}{\deg(P)}.$$

It can be easily shown that the total number of nonzero terms of P,
denoted by τ(P), is always less than or equal to τ_up(P).

For the security of C*, the next theorem shows that it is practically
infeasible for large n to extract the n-tuple G of n-variate polynomials
representing the inverse of the function represented by the corresponding
public key F.

Theorem 3. The degree of the n-variate n-tuple G satisfies:

27-1 - 1 1
- -2q 5 deg(G) 5 2 { ( 4 - 1)nd f 1)-
In particular, if n_d is odd and gcd(θ_d, n_d) = 1, the rightmost inequality
becomes an equality, and also an upper bound τ_up(G) of the number of
terms in G satisfies

where e is Napier's number 2.718...

(Proof) See Chapter IV.



Besides the above aspect, we must discuss the complexity of deducing
a secret key by decomposing the corresponding public key; the
period of the public transformation, which reflects the robustness of the
system against the iteratively-transforming attack; the relation between
bit-security and block-security, etc.
For small values of the parameters m and n, we have some experimental
results showing that there seem to be no apparent clues to reduce
the complexities of the above mentioned attacks. However, more advanced
theories will be necessary to confirm this circumstantial evidence.
In our present point of view, if the parameters are set to be 1 ≤ m ≤
32, 32 ≤ n ≤ 64, and 64 ≤ mn, then C* can achieve both high security
and great realizability.

III. ALGORITHMS FOR C* AND THEIR COMPLEXITY

III-1. Secret Key and Its Generation

As defined in Definition 1, a secret key for C* consists of four parts:
two n-tuples of linear n-variate polynomials S_R and T_R, a partition π =
[n_1, ..., n_d] of n and a tuple of integers Θ = [θ_1, ..., θ_d].

First, we consider S_R and T_R. Let B represent either of them. B can
be represented by an n-tuple B_0 over K and an n-dimensional square
matrix B_c as follows:

$$B(x) = B_0 + x B_c.$$

B is bijective iff the matrix B_c is nonsingular.

As there are a great many nonsingular matrices, B_c can be found
using the method of trial and error. However, it will be shown in Section
III-3 that to generate a public key, we have to solve the following linear
system (1) in x_0, ..., x_{n-1}:

Hence we can use an excellent method, the LDU decomposition method.
That is, we can first select an n-dimensional lower triangular matrix L
over K whose diagonal components are all 1, an n-dimensional diagonal
matrix D over K whose diagonal components are all non-zero, and an
n-dimensional upper triangular matrix U over K whose diagonal components
are all 1, then find the product of them

$$B_c = LDU.$$

Apparently, B_c is nonsingular, since L, D and U are all nonsingular.
Of course, there are other nonsingular matrices not expressible by the
above formula, but that part is very small. Using L, D and U but not
B_c, solving the system (1) becomes fairly convenient.
Obviously, it requires mn(n + 1) [bit] to describe B. Further, it
requires Σ_{i=1}^{d} 2 log n_i [bit] to describe π and Θ, which cannot exceed n [bit].
Thus, we have the following estimations:

D_SK {the description length of a secret key of C*}
= (2m(n + 1) + 1) n [bit]
≈ 2mn^2 [bit],
C_SKG {the circuit-size complexity of secret key generation of C*}
= O(m^2 n^2) [GF(2)-operation].

III-2. The Secret Transformation Algorithm

The secret transformation algorithm SA consists of (step 1)~(step 5)
outlined in Definition 1. The running time of (step 1) and (step 5), performing
affine transformations, is clearly O(m^2 n^2) [GF(2)-operation].
As compared with the other steps, the running time of (step 2), (step
3-i-1), (step 3-i-3) and (step 4) can be neglected. Now what remain to be
investigated are only the concrete algorithm which performs the powering
in (step 3-i-2), and its complexity. Taking advantage of features of \bar h_i,
this section constructs an efficient algorithm for the powering.
First, we have the following theorem.

Theorem 4. For integers m, q, ℓ, r, n, b, and θ satisfying m > 0, q =
2^m, ℓ > 0, r ≥ 0, n = (2ℓ + 1)2^r, 0 < b ≤ ℓ, θ = b2^r, the integer h = 1 + q^θ
possesses a multiplicative inverse element \bar h modulo (q^n − 1), which can
be expressed as

$$\bar h \equiv \Big\{\Big(\sum_{i=0}^{m-1} 2^i\Big)\Big(\sum_{j=0}^{\theta-1} q^j\Big)\Big(\sum_{k=0}^{\ell-1} q^{2\theta k}\Big) + q^{2\theta\ell}\Big\} \cdot q^{\theta-1} \cdot 2^{m-1} \pmod{q^n - 1}. \qquad (2)$$

Proof: We notice that
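The body of the proof does not survive on this page. As an added check, which is not the paper's proof, (2) can be verified directly with the symbols of Theorem 4. Since $\sum_{i=0}^{m-1}2^i = 2^m - 1 = q - 1$,

$$\Big(\sum_{i=0}^{m-1}2^i\Big)\Big(\sum_{j=0}^{\theta-1}q^j\Big) = q^\theta - 1, \qquad (q^\theta - 1)\sum_{k=0}^{\ell-1}q^{2\theta k} = \frac{(q^\theta-1)(q^{2\theta\ell}-1)}{q^{2\theta}-1} = \frac{q^{2\theta\ell}-1}{q^\theta+1},$$

so the braced expression in (2) equals

$$\frac{q^{2\theta\ell}-1+q^{2\theta\ell}(q^\theta+1)}{q^\theta+1} = \frac{q^{\theta(2\ell+1)}+2q^{2\theta\ell}-1}{q^\theta+1}.$$

Multiplying by $h = 1+q^\theta$ and by $q^{\theta-1}\cdot 2^{m-1} = q^\theta/2$, and writing $\theta(2\ell+1) = b\,2^r(2\ell+1) = bn$, gives

$$h\bar h = \big(q^{bn}-1\big)\frac{q^\theta}{2} + q^{2\theta\ell+\theta} = \big(q^{bn}-1\big)\frac{q^\theta}{2} + q^{bn}.$$

Because $q$ is even and $\theta \ge 1$, $q^\theta/2$ is an integer, and $q^n-1$ divides $q^{bn}-1$; hence the first term is $\equiv 0$ and the second is $\equiv 1 \pmod{q^n-1}$, i.e. $h\bar h \equiv 1$, which is what (2) asserts. The factor $q^{\theta-1}$ is essential: without it the product is $q^{2\theta\ell+1}$ rather than $q^{bn}$, and the congruence fails whenever $\theta > 1$.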

From this theorem we see that the \bar h-th power of an element of a finite
field L of order q^n can be computed from the (Σ_{i=0}^{a-1} b^i)-th and the b^a-th
powers of the element for some a and b.
Let us consider evaluating the (Σ_{i=0}^{a-1} b^i)-th power. For example, we
can use the fact that

$$\sum_{i=0}^{6} b^i = \big((b^2 + 1)b^2 + 1\big)(b + 1)b + 1 \qquad (3)$$

to compute z^{Σ_{i=0}^{6} b^i}, the (Σ_{i=0}^{6} b^i)-th power of z, by the following algorithm:

(step 1) y ← z;
(step 2) y ← y^{b^2} · y;
(step 3) y ← y^{b^2} · z;
(step 4) y ← y^{b} · y;
(step 5) y ← y^{b} · z;
(step 6) output y.

This algorithm requires 4 multiplications and 4 evaluations of the b^k-th
power (where k is a suitable positive integer). The latter operation requires
about 6 times b-th powering.
Similarly, for general Σ_{i=0}^{a-1} b^i, evaluating the (Σ_{i=0}^{a-1} b^i)-th power can
be completed by using a formula like (3). The complexity is estimated
as follows.

Theorem 5. For two positive integers a and b, evaluating the
(Σ_{i=0}^{a-1} b^i)-th power can be accomplished in
(μ) ⌊log_2 a⌋ + W_2(a) − 1 multiplications;
(ν) ⌊log_2 a⌋ + W_2(a) − 1 evaluations of the b^k-th power,
where k is a suitable positive integer and where W_2(a) denotes the 2-weight
of a defined by

$$W_2(a) = \sum\{\, a_j \mid j = 0, 1, \ldots \,\}$$

when the binary representation of a is

$$a = \sum\{\, 2^j a_j \mid 0 \le a_j < 2,\ j = 0, 1, \ldots \,\}.$$

Furthermore, if evaluating the b^k-th power is done by evaluating iteratively
the b-th power, then (ν) can be expressed as
(ν') (a − 1) evaluations of the b-th power.

Proof (sketch): For a general Σ_{i=0}^{a-1} b^i, we form the corresponding
formula like (3). Counting the number of "+" appearing in the right-hand
side of the formula, we get (μ) and (ν); summing the superscripts
of b, we get (ν'). □

Corollary 1. For positive integers a and b, the complexity of evaluating
the (Σ_{i=0}^{a-1} b^i)-th power is estimated as "O(log a) multiplications",
if the complexity of evaluating the b-th power can be neglected as compared
to that of multiplication.
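The following is an added example (mine, not the paper's code) covering the exponent arithmetic of Theorem 4, formula (3), Theorem 5 and Theorem 9 on plain integers. Multiplying field elements adds exponents, so a chain for the (Σ_{i<a} b^i)-th power can be simulated on the exponent itself while the two cost counters of Theorem 5 are tallied. The chain built here is the binary one (halve a when it is even, peel one term off when it is odd); it is "a formula like (3)" rather than (3) itself, and it attains exactly the counts (μ), (ν) and (ν'). The function `hbar_theorem4` evaluates the closed form (2) and is checked against the definition of a modular inverse, and `inverse_degrees` returns the q-weights W_q(h) and W_q(\bar h), which by Theorem 9 are deg([f]) and deg([f^{-1}]) for a one-branch (d = 1) instance. The function and parameter names are my own.

```python
# Added example, not the paper's code: exponent arithmetic behind (2), (3),
# Theorem 5 and Theorem 9, simulated on integers.
from math import gcd

def repunit_chain(a, b):
    """(exponent, multiplications, b^k-power evaluations, total b-th powerings)
    for the binary chain that raises z to the (sum_{i<a} b^i)-th power."""
    if a == 1:
        return 1, 0, 0, 0
    if a % 2 == 0:                       # E(a) = E(a/2) * b^(a/2) + E(a/2)
        e, mul, pw, bp = repunit_chain(a // 2, b)
        return e * b ** (a // 2) + e, mul + 1, pw + 1, bp + a // 2
    e, mul, pw, bp = repunit_chain(a - 1, b)   # E(a) = E(a-1) * b + 1
    return e * b + 1, mul + 1, pw + 1, bp + 1

def theorem5_bound(a):                   # floor(log2 a) + W_2(a) - 1
    return a.bit_length() - 1 + bin(a).count("1") - 1

def chain_matches_theorem5(a, b):
    """The chain really computes sum_{i<a} b^i and meets (mu), (nu), (nu')."""
    e, mul, pw, bp = repunit_chain(a, b)
    return e == sum(b ** i for i in range(a)) and mul == pw == theorem5_bound(a) and bp == a - 1

def hbar_theorem4(m, n, theta):
    """Closed form (2): inverse of h = 1 + q^theta modulo q^n - 1 for q = 2^m,
    n = (2l + 1) 2^r and theta = b 2^r with 0 < b <= l."""
    q = 1 << m
    r = (n & -n).bit_length() - 1
    l = ((n >> r) - 1) // 2
    assert 0 < theta <= l << r and theta % (1 << r) == 0, "theta must be b 2^r with 0 < b <= l"
    s = (q - 1) * sum(q ** j for j in range(theta)) * sum(q ** (2 * theta * k) for k in range(l))
    return (s + q ** (2 * theta * l)) * q ** (theta - 1) * 2 ** (m - 1) % (q ** n - 1)

def qweight(i, q):                       # W_q(i), the q-weight of Chapter IV
    return 0 if i == 0 else i % q + qweight(i // q, q)

def inverse_degrees(m, n, theta):
    """(W_q(h), W_q(hbar)): by Theorem 9, deg([f]) and deg([f^-1]) when d = 1.
    hbar is checked against h by the definition of a modular inverse."""
    q = 1 << m
    h, hb = 1 + q ** theta, hbar_theorem4(m, n, theta)
    assert gcd(h, q ** n - 1) == 1 and h * hb % (q ** n - 1) == 1
    return qweight(h, q), qweight(hb, q)
```

For m = 2, n = 3, θ = 1 (q = 4, h = 5) the closed form gives \bar h = 38 and the weights (2, 5): the public key is quadratic while its inverse has degree 5, which is the equality case of Theorem 3 (n odd, gcd(θ, n) = 1). For m = 2, n = 6, θ = 2 the q^{θ−1} factor in (2) is what makes h·\bar h ≡ 1 hold.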

It is known [9] that, for the n-degree extension field L of a finite
field K of order q, there always exists a base of L over K which takes
the form of [β, β^q, β^{q^2}, ..., β^{q^{n-1}}] (called a normal base). Let V(x) =
[x_0, ..., x_{n-1}] ∈ K^n denote the (vector) representation of an element
x of L by a normal base [β, β^q, β^{q^2}, ..., β^{q^{n-1}}], i.e., x is expressed as
x = Σ_{i=0}^{n-1} x_i β^{q^i}. Now, for any integer k, we have

$$V(x^{q^k}) = cs_k(V(x)),$$

since x_i^q = x_i, where cs_k is a bijection on K^n and represents the
k-step (right) cyclic shift operation.
By the use of this well-known fact, we see that the complexity of
evaluating the q^k-th power of an element of L can be neglected as compared
to the complexity of the L-multiplication (the multiplication of two
elements of L), if elements of L are represented by using a normal base
of L over K.
Assembling all the above results, we get an algorithm for evaluating
the \bar h-th power over the field L of order q^n, where q, n, \bar h satisfy the
conditions stated in Theorem 4.

[HPA : algorithm for evaluating the \bar h-th power]

PREREQUISITE: Each element of L is given in the form of a vector
representation by a normal base of L over K.
PROCEDURE (Outline): Evaluate the \bar h-th power according to (2). Notice
that evaluating the (Σ_{i=0}^{m-1} 2^i)-th, the (Σ_{j=0}^{θ-1} q^j)-th and the (Σ_{k=0}^{ℓ-1} q^{2θk})-th
powers is decomposed into L-multiplications and evaluating the 2^k-th
and the q^k-th powers of elements of L by using formulae like (3). Also,
all the evaluations of the q^k-th power are performed by cyclic shifts to the
right.

The complexity of the algorithm HPA is estimated in the following
theorem.

Theorem 6. For HPA, O(m + log n) L-multiplications are
sufficient for evaluating the \bar h-th power of an element of L. And hence,
the circuit-size complexity of HPA is

$$O\big(m^2 n^2 (m + \log n)\big) \ [\mathrm{GF}(2)\text{-operation}].$$

Proof: From Corollary 1, we know that evaluating the (Σ_{j=0}^{θ-1} q^j)-th and
the (Σ_{k=0}^{ℓ-1} q^{2θk})-th powers can be performed in O(log θ) and O(log ℓ)
L-multiplications, respectively. Since θ, ℓ < n/2, the sum of
them is O(log n). And also we know, from Theorem 5, that evaluating
the (Σ_{i=0}^{m-1} 2^i)-th power can be performed in at most (m − 1) + ⌊log m⌋ +
W_2(m) − 1 = O(m) L-multiplications. Further, evaluating the q^{2θℓ}-th
and the q^{θ-1}-th powers can be done only by cyclic shifts, hence the complexities
of them can be neglected. Now, evaluating the 2^{m-1}-th power
can be accomplished in (m − 1) multiplications. Summing all the
above terms, we get the first half of the theorem. The second half of the
theorem is obvious, since the L-multiplication can be done in O(m^2 n^2)
operations over GF(2). □

Thus, when the algorithm HPA is used in evaluating the power, the
total circuit-size complexity C_SA of the secret transformation algorithm
is estimated by

$$O(m^2 n^2) + \sum_{i=1}^{d} O\big(m^2 n_i^2 (m + \log n_i)\big) \ [\mathrm{GF}(2)\text{-operation}].$$

The above estimation can be further condensed to

$$C_{SA} = O\big(m^2 n^2 (m + \log n)\big) \ [\mathrm{GF}(2)\text{-operation}].$$

In particular, if there is a constant c_0 independent of n such that n_i <
c_0, i.e., if n = O(d), then it holds that Σ_{i=1}^{d} O(m^2 n_i^2 (m + log n_i)) = O(m^3 n),
which implies that the circuit-size complexity of the secret transformation
algorithm can be estimated by

$$C_{SA} = O\big(m^2 n (m + n)\big) \ [\mathrm{GF}(2)\text{-operation}].$$

III-3. Public Key and Its Generation

A public key F of C* is an n-tuple of quadratic n-variate polynomials over K. So
obviously, we have

$$D_{PK} = m\,\tau_{up}(F)\ [\mathrm{bit}] = \tfrac12 mn(n+1)(n+2)\ [\mathrm{bit}] \approx \tfrac12 mn^3\ [\mathrm{bit}]$$

for the description length D_PK of a public key of C*.

Next, we consider how to generate a public key F. F can be expressed
by n-tuples F_0, F_i, F_ii, F_ij ∈ K^n as

$$F(x) = F_0 + \sum_{i=0}^{n-1} F_i\, x_i + \sum_{i=0}^{n-1} F_{ii}\, x_i^2 + \sum_{0 \le i < j \le n-1} F_{ij}\, x_i x_j, \qquad (5)$$

where F_ii = 0 when m = 1. Thus, we can first compute, according
to the definition of the public transformation, the values of F at the points
corresponding to several elements of K^n, then from these values find
F_0, F_i, F_ii, F_ij by the use of the interpolation method, and finally generate
the desired F.
Now suppose that η_0 ∈ K^n is the 0 vector, η_i ∈ K^n a vector whose
i-th (0 ≤ i < n) coordinate is 1 but all of the others are 0, and η_ij ∈ K^n a
vector whose i-th and j-th (0 ≤ i < j < n) coordinates are 1 but all of the
others are 0. When m ≥ 2, we have

When m = 1, we have

Hence, the n-tuple F of n-variate polynomials can be computed from

Applying this method, we have the following algorithm:

[PKG : algorithm for generating a public key]
(step 1) {Evaluating γ = F(η) ∈ K^n at η = η_0, η_j, αη_j, η_jk (α ∈ K, α ≠ 0, 1)}
(step 1-1): Compute w ∈ K^n satisfying S_R(w) = η;
(step 1-2): Find p_i(w) ∈ K^{n_i} (1 ≤ i ≤ d);
(step 1-3): Execute the following steps for i = 1 to d:
(step 1-3-i-1): Find w_i = ψ_(n_i)(p_i(w)) ∈ L_(n_i);
(step 1-3-i-2): Compute z_i = w_i^{h_i} ∈ L_(n_i);
(step 1-3-i-3): Find ψ_(n_i)^{-1}(z_i) ∈ K^{n_i};
(step 1-4): Find ζ = p^{-1}(ψ_(n_1)^{-1}(z_1), ..., ψ_(n_d)^{-1}(z_d)) ∈ K^n;
(step 1-5): Find γ ∈ K^n satisfying T_R(γ) = ζ;
(step 2): Find F_0, F_i, F_ii, F_ij according to (6).

Using the matrices L, D and U, based on which S_R and T_R were
computed in Section III-1, (step 1-1) and (step 1-5) can be executed
in O(n^2) K-operations. According to Theorem 5, (step 1-3-i-2) can be
executed in O(m^2 n_i^2) [GF(2)-operation]. Notice that the complexities
of the other steps can be neglected as compared to these, and there are
in total C(n+2, 2) points η to be used, so we can estimate the complexity of (step
1) by

$$\binom{n+2}{2}\Big\{2\,O(m^2 n^2) + \sum_{i=1}^{d} O(m^2 n_i^2)\Big\} = O(m^2 n^4) \ [\mathrm{GF}(2)\text{-operation}].$$

From (6), the complexity of (step 2) is estimated as

$$n \cdot O(m^2 n) + n \cdot O(mn) + \binom{n}{2} \cdot O(mn) = O\big(mn^2(m+n)\big) \ [\mathrm{GF}(2)\text{-operation}].$$

Thus we conclude that

C_PKG {the circuit-size complexity of public key generation of C*}
= O(m^2 n^4) [GF(2)-operation].
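The following is an added example (mine, not the paper's code) that runs a complete toy instance of C* end to end: the secret transformation SA of Definition 1 with d = 1, the public-key generation PKG of this section by interpolation of (5), the public transformation PA, and the round-trip of Theorem 1 over every block of K^n. Parameters are m = 2, n = 3, θ = 1, so K = GF(4), L = GF(4^3), q = 4 and h = 1 + q^θ = 5. Assumptions that are mine and not the paper's: the modulus y^3 + y + 1 for L (a cubic with no root in GF(4), hence irreducible), ψ taken as the identity on coefficient vectors, the additional interpolation points αη_i (needed to separate F_i from F_ii when m ≥ 2), and random matrices inverted by elimination in place of the LDU construction of Section III-1; \bar h is taken from Python's `pow(h, -1, q^n - 1)`, which agrees with (2). All identifiers are my own.

```python
# Added example, not the paper's code: a toy C* (Definition 1, d = 1) for
# m = 2, n = 3, theta = 1, so K = GF(4), L = GF(4^3), q = 4, h = 1 + q^theta = 5.
# My assumptions: modulus y^3 + y + 1 of L, psi = identity on coefficient vectors,
# extra points alpha*eta_i for interpolation, random matrices instead of LDU.
import random
from functools import reduce
from itertools import product

M, N, THETA = 2, 3, 1
Q, ALPHA = 1 << M, 2            # q = 4; ALPHA is a in GF(4) = GF(2)[a]/(a^2 + a + 1)
H = 1 + Q ** THETA              # h = 5
HBAR = pow(H, -1, Q ** N - 1)   # hbar = 38; Theorem 4's closed form (2) gives the same
xor = lambda s, v: s ^ v

def kmul(x, y):                 # K = GF(2^M): ints 0..Q-1, addition is XOR
    r = reduce(xor, (x << i for i in range(M) if (y >> i) & 1), 0)
    for i in range(2 * M - 2, M - 1, -1):      # reduce modulo a^2 + a + 1
        if (r >> i) & 1:
            r ^= 0b111 << (i - M)
    return r
kinv = lambda x: next(y for y in range(1, Q) if kmul(x, y) == 1)
vadd = lambda *vs: [reduce(xor, col) for col in zip(*vs)]      # vector sum over K
unit = lambda i, s=1: [s if j == i else 0 for j in range(N)]   # s * eta_i

def lmul(u, v):                 # L = K[y]/(y^3 + y + 1); no root in GF(4), so irreducible
    prod = [0] * (2 * N - 1)
    for i, ui in enumerate(u):
        for j, vj in enumerate(v):
            prod[i + j] ^= kmul(ui, vj)
    for k in range(2 * N - 2, N - 1, -1):      # y^k = y^(k-3) (y + 1)
        prod[k - 3] ^= prod[k]
        prod[k - 2] ^= prod[k]
    return prod[:N]

def lpow(u, e):                 # square-and-multiply (HPA's cyclic-shift trick not used)
    r, b = [1] + [0] * (N - 1), u
    while e:
        if e & 1:
            r = lmul(r, b)
        b, e = lmul(b, b), e >> 1
    return r

def kmat_inv(A):                # Gauss-Jordan over K; None if A is singular
    n = len(A)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(A)]
    for c in range(n):
        piv = next((r for r in range(c, n) if aug[r][c]), None)
        if piv is None:
            return None
        aug[c], aug[piv] = aug[piv], aug[c]
        aug[c] = [kmul(kinv(aug[c][c]), v) for v in aug[c]]
        for r in range(n):
            if r != c and aug[r][c]:
                aug[r] = [a ^ kmul(aug[r][c], b) for a, b in zip(aug[r], aug[c])]
    return [row[n:] for row in aug]

def random_affine(rng):         # affine bijection x -> A x + c, returned as (A, c)
    while True:
        A = [[rng.randrange(Q) for _ in range(N)] for _ in range(N)]
        if kmat_inv(A) is not None:
            return A, [rng.randrange(Q) for _ in range(N)]
affine = lambda A, c, x: [reduce(xor, (kmul(a, xi) for a, xi in zip(row, x)), ci)
                          for row, ci in zip(A, c)]
affine_inv = lambda A_inv, c, y: affine(A_inv, [0] * N, vadd(y, c))   # y -> A^-1 (y + c)

RNG = random.Random(1988)
S_MAT, S_OFF = random_affine(RNG)
T_MAT, T_OFF = random_affine(RNG)
S_INV, T_INV = kmat_inv(S_MAT), kmat_inv(T_MAT)
def f(x):                       # S3: f = t o psi^-1 o e o psi o s with e(z) = z^h
    return affine(T_MAT, T_OFF, lpow(affine(S_MAT, S_OFF, x), H))
def secret_transform(eta):      # SA of Definition 1 with d = 1
    v = affine_inv(T_INV, T_OFF, eta)                  # step 1: T_R = t^-1
    return affine_inv(S_INV, S_OFF, lpow(v, HBAR))     # steps 2-5: z^hbar, then S_R = s^-1

def gen_public_key():
    """PKG: recover F_0, F_i, F_ii, F_ij of (5) from f at eta_0, eta_i, alpha*eta_i, eta_ij."""
    F0, Fi, Fii, Fij = f([0] * N), [], [], {}
    inv = kinv(kmul(ALPHA, ALPHA) ^ ALPHA)     # 1 / (alpha^2 + alpha); minus is plus in char 2
    for i in range(N):
        y1 = vadd(f(unit(i)), F0)              # = F_i + F_ii
        y2 = vadd(f(unit(i, ALPHA)), F0)       # = alpha F_i + alpha^2 F_ii
        Fii.append([kmul(inv, a ^ kmul(ALPHA, b)) for a, b in zip(y2, y1)])
        Fi.append(vadd(y1, Fii[i]))
    for i in range(N):
        for j in range(i + 1, N):
            Fij[i, j] = vadd(f(vadd(unit(i), unit(j))), F0, Fi[i], Fii[i], Fi[j], Fii[j])
    return F0, Fi, Fii, Fij

def public_transform(key, x):   # PA: evaluate (5) at x
    F0, Fi, Fii, Fij = key
    terms = [(F0, 1)] + [(Fi[i], x[i]) for i in range(N)]
    terms += [(Fii[i], kmul(x[i], x[i])) for i in range(N)]
    terms += [(Fij[i, j], kmul(x[i], x[j])) for i, j in Fij]
    return vadd(*[[kmul(c, mono) for c in coef] for coef, mono in terms])

PUBLIC_KEY = gen_public_key()

def check_all_blocks():         # Theorem 1 on every block of K^n
    return all(public_transform(PUBLIC_KEY, x) == f(x) and
               secret_transform(public_transform(PUBLIC_KEY, x)) == x
               for x in map(list, product(range(Q), repeat=N)))
```

The public key consists of 1 + 2n + n(n−1)/2 = 10 vectors of n = 3 elements of GF(4), i.e. m·τ_up(F) = 60 bits, matching D_PK = ½mn(n+1)(n+2) of this section; the interpolation at the C(n+2, 2) = 10 points is exact because z ↦ z^{q}·z is K-bilinear, so f really is quadratic over K.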

III-4. Public Transformation Algorithm

As noted in Definition 1, the public transformation algorithm PA evaluates
the polynomial tuple F at points of K^n. Let

$$\tilde x = [x_0, \ldots, x_{n-1},\; x_0^2, \ldots, x_{n-1}^2,\; x_0x_1, \ldots, x_{n-2}x_{n-1}]$$

be the vector of the ½n(n+3) monomials of degree 1 and 2 corresponding to
x = [x_0, ..., x_{n-1}], and let F̃ be the ½n(n+3) × n matrix whose rows are
the n-tuples F_i, F_ii, F_ij of (5) in the same order. Using x̃ and F̃, we can rewrite (5) as

$$F(x) = F_0 + \tilde x\, \tilde F.$$

So, we can first find x̃, then find F(x) to perform the public transformation.
This complexity is

$$\tfrac12 n(n+3) \cdot n \cdot O(m^2) = O(m^2 n^3) \ [\mathrm{GF}(2)\text{-operation}].$$

Furthermore, when performing the public transformation on n message
blocks x^{(0)}, ..., x^{(n-1)} in parallel, we can do it by computing A_0 + X F̃
according to the n × ½n(n+3) matrix X = [x̃^{(0)}, ..., x̃^{(n-1)}]^T and the n × n
matrix A_0 = [F_0, ..., F_0]^T. X F̃ can be rewritten as

$$X \tilde F = \sum_{i=1}^{(n+3)/2} X_i A_i,$$

where X_i and A_i are n × n matrices satisfying X = [X_1, ..., X_{(n+3)/2}] and
F̃ = [A_1, ..., A_{(n+3)/2}]^T, respectively. Here, we can multiply two n × n matrices in
O(n^{2+ε}) [K-operation] (0 < ε ≤ 1) by the use of various, say Strassen's,
divide-and-conquer methods. Thus, in this case, the circuit-size complexity
of the public transformation for one block is

$$\big\{\tfrac12 (n+3) \cdot O(n^{2+\varepsilon}) \cdot O(m^2)\big\} / n = O(m^2 n^{2+\varepsilon}) \ [\mathrm{GF}(2)\text{-operation}].$$

III-5. Collection of Main Results

Theorem 2 can be directly proved by the results of the above four sections.

Corollary 2. For C* with m ≈ n and mn = N, the parameters in
Theorem 2 become:

Now we briefly compare C* with the RSA cryptosystem [10]. For
the RSA system, the complexities of the secret transformation and the public
transformation are both O(N^3) for a block of size N. When a particular
secret key or public key is selected, the corresponding complexity can be
reduced to less than O(N^3). However, it seems that, in general, we have
no way to reduce both of them. As opposed to the above fact, the order
of the complexity of the public transformation of C* is much lower than
that of the RSA system. Also, for the RSA system, public and secret
keys cannot be generated if an integer with certain particular properties
is not found. For C*, keys can be easily generated.
The description length of a key for C* is greater than those of
previous systems with the same block size. However, this is not always
a demerit, because the total number of usable keys of C* is larger than
that of those. Further, the large description length will not be a serious
problem if public keys are kept by the corresponding owner after they are
certified by the manager of the system or network and, when necessary,
sent to other parties with the certificates.

III-6. Implementation: Preliminary Results

Using a 32-bit microprocessor MC68020 (16.67 MHz) on a SONY NEWS
UNIX workstation with programs written in the C language, our first
implementation confirms that algorithms SA and PA run at at least 100
Kbps for m = 8 and n = 32. Since these programs are not optimized, we
may expect that C* can run much faster in the same environment.
Besides this, we have also been implementing C* using multiple
transputers (T414, T800) with occam programs, and verifying high performance.
Detailed results will appear in another paper.

IV. A THEORY OF POLYNOMIAL-TUPLE
ASYMMETRIC CRYPTOSYSTEMS

In this chapter we discuss why we have stated C* as in Definition 1
and prove Theorem 1 and Theorem 3.

IV-0. Preliminaries
Basic concepts and notations used in this chapter are sketched in the
following.
Finite Fields [9]
Let p be a prime integer, m and n positive integers, and q = p^m. Fix
a finite field K of order q (i.e., with q elements). Denote by K^n the
n-dimensional vector space over K, each element of which is an n-tuple
over K. Determine an n-degree extension field L of K. L contains q^n
elements. When L is taken as an n-dimensional vector space over K, L is
isomorphic to K^n. The isomorphism between L and K^n will be denoted
by a bijection ψ : K^n → L.

Polynomial Representations of Functions

Denote by L[u] the polynomial ring over L in the indeterminate u, and by
(P(u)) the ideal generated by a polynomial P(u) ∈ L[u]. As shown in [11],
any function f_1 : L → L can be represented by a univariate polynomial
E(u) ∈ L[u], where E(u) is uniquely determined in the residue class ring
L[u]/(u^{q^n} − u) (i.e., mod (u^{q^n} − u) is applied). In other words, we always
have f_1(ξ) = E(ξ) for every ξ ∈ L, and furthermore, there is just one
such E(u) which has no terms divisible by u^{q^n}. Such an E(u) is called
the univariate polynomial representation of f_1 over L, and denoted by
[f_1].
Similarly, functions f_2 : L → K^n, f_3 : K^n → L, and f_4 : K^n →
K^n can be uniquely represented by a tuple of polynomials over L in the
indeterminate u mod (u^{q^n} − u), a polynomial over L in the indeterminates
x_0, ..., x_{n-1} mod (x_0^q − x_0, ..., x_{n-1}^q − x_{n-1}), and a tuple of polynomials
over K in the indeterminates x_0, ..., x_{n-1} mod (x_0^q − x_0, ..., x_{n-1}^q − x_{n-1}),
respectively. These items are called the univariate polynomial n-tuple
representation of f_2 over L, the n-variate polynomial representation of
f_3 over L, and the n-variate polynomial n-tuple representation of f_4 over
K, and denoted by [f_2], [f_3] and [f_4], respectively.

Functions Represented by Algorithms

Polynomials or tuples of polynomials can be considered to be a kind of
algorithm. In general, there are two sets I and J related to an
algorithm A. When A outputs η ∈ J on input ξ ∈ I, we say A represents
a function I → J, ξ ↦ η, and denote the function by {A}. For example,
since the polynomial representation [f_1] of the function f_1 is considered
to be an algorithm, it is apparent that {[f_1]} = f_1.

Functions on Integers
Let a be an integer greater than 1, i a nonnegative integer. Denote the
a-ary representation of i by

$$i = \sum\{\, a^j i_j \mid 0 \le i_j < a,\ j = 0, 1, \ldots \,\}.$$

We define a function W_a on the nonnegative integers as follows:

$$W_a(i) = \sum\{\, i_j \mid j = 0, 1, \ldots \,\}.$$

W_a(i) is called the a-weight of i, which has the following properties:

(W1) If s ≥ 0, t ≥ 0 and 0 ≤ s + t < a, then

(W2) If 0 ≤ t < a, then

(W3) If s ≥ 0, t ≥ 0 and s + t = a^n − 1, then

Also, we define a function R_a from the positive integers to the nonnegative
integers as follows:

$$R_a(i) = \max\{\, j \ge 0 \mid i \text{ is divisible by } a^j \,\}.$$

R_a(i) is called the a-rank of i, which has the following properties:

(R1) R_a(i) is equal to the number of consecutive 0's appearing in the
least significant digits of the a-ary representation of the positive
integer i.
(R2) If a is a prime and s > 0 and t > 0, then R_a(s·t) = R_a(s) + R_a(t).
Functions from Polynomials to Integers
For a univariate polynomial E(u) = E_0 + E_1 u + E_2 u^2 + ··· + E_d u^d, the
exponential a-weight wt_a(E) of E is defined by

Besides this, we use the notations deg(P), τ(P), and τ_up(P) for a
polynomial-tuple P as defined in Chapter I.

IV-1. Multivariate Equations and Cryptosystems

Imagine that we are to realize a public-key signature scheme, when given
an asymmetric cryptosystem with multivariate polynomial-tuples as public
keys. Finding the valid signature x with respect to a message M and
a public key F can be rephrased as solving the equation F(x) = M for x
given F and M. The essential idea behind the present research is that we
can employ a system of multivariate algebraic equations as the equation
F(x) = M. The grounds for it are that, in general, as briefly introduced
in Chapter I, it is an extremely difficult problem to solve systems
of multivariate algebraic equations. Of course, when given hints about a
system, say some information on the structure of F, one may be able
to solve the system quickly.
In the rest of this chapter, we will aim at constructing a system of
multivariate algebraic equations F(x) = M. The system corresponds to
an asymmetric cryptosystem supporting both authenticity and confidentiality,
so we cannot say the system is a completely general one. But
it should not be easy to get any hint on effectively solving the system
of equations, i.e., the system should possess no apparent features. In a
sense, the system should be a nearly random one.

IV-2. From Univariate Polynomials Into Tuples of Multivariate
Polynomials
For our purposes, we require that the above tuple F of multivariate polynomials
represents a bijection, and that the equation F(x) = M can be
readily solved when given some knowledge on it. Hence, we take the
following approach [4]: We begin our discussion by thinking about univariate
polynomials. Coping with such polynomials is relatively easy.
Then we transform them into multivariate ones. Several aspects have
to be considered: (1) Tuples of multivariate polynomials must be made
as random as possible; (2) It should be easy to estimate the size, and
the like, of the resulting multivariate polynomial-tuples from the basic
univariate polynomials.
Here is an idea. Following the ways of thinking on the algorithm
composition method proposed in [5], we consider a function f : K^n → K^n
expressed as follows (K is a finite field of order q = p^m with prime p):

$$f = t \circ g \circ s, \qquad (7)$$

$$g = p^{-1} \circ [\psi_1^{-1}, \ldots, \psi_d^{-1}] \circ [e_1, \ldots, e_d] \circ [\psi_1, \ldots, \psi_d] \circ p, \qquad (8)$$

where s and t are affine bijections on K^n, n is a positive integer which can
be partitioned into d positive integers satisfying n = n_1 + n_2 + ··· + n_d, and
L_i is an n_i-degree extension field of the field K. ψ_i is an isomorphism from
K^{n_i} to L_i, and e_i a bijection on L_i. Further, p_i : K^n → K^{n_i} is a projection
which maps [x_0, ..., x_{n-1}] ∈ K^n to [x_{a_{i-1}}, ..., x_{a_i - 1}] ∈ K^{n_i}, where
a_i = Σ_{j=1}^{i} n_j (a_0 = 0), and p : K^n → K^{n_1} × ··· × K^{n_d} is the bijection determined by

$$p = [p_1, \ldots, p_d].$$

Apparently, the function f is a bijection. Now we establish an asymmetric
cryptosystem which uses f as a public transformation.
Definition 2. Let K^n be the set of message blocks. The following system
constitutes an asymmetric cryptosystem. The system is constructed by
designating
(1) [f], an n-tuple of n-variate polynomials over K, as a public key;
(2) [t^{-1}], [e_1^{-1}], ..., [e_d^{-1}] and [s^{-1}] as a secret key;
(3) the evaluation of [f] as the public transformation algorithm;
(4) the series of operations in the following order as the secret transformation
algorithm:

(a) the evaluation of [t^{-1}],
(b) the projections due to p_i,
(c) the transformations due to ψ_i,
(d) the evaluations of [e_i^{-1}],
(e) the transformations due to ψ_i^{-1},
(f) the concatenation due to p^{-1}, and
(g) the evaluation of [s^{-1}].
This asymmetric cryptosystem will be called C*_p for short.

IV-3. Degree of a Tuple of Multivariate Polynomials

Now, the size of the public key and the complexity of the public transformation
of C*_p can be estimated by the following formulae:

{The description length of a public key of C*_p} = O(τ([f]) log_2 q) [bit].
{The complexity of a public transformation of C*_p} = O(τ([f]) m^2) [GF(2)-operation].

Clearly, both the description length of a public key and the complexity
of a public transformation are increasing functions of τ([f]), the
number of terms in the n-tuple [f] (the public key) of n-variate polynomials.
From the equations (7) and (8), we can see that [f] is hardly
sparse, but dense in most cases. Thus, decreasing deg([f]), which dominates
the upper bound τ_up([f]) of τ([f]), is strongly related to reducing
the description length of a public key and the complexity of the public
transformation.
Similarly, it is also true that in most cases the polynomial representation
[f^{-1}] of a secret transformation f^{-1} of C*_p is dense. Therefore,
increasing deg([f^{-1}]), which dominates τ_up([f^{-1}]), is related to raising
the number of terms τ([f^{-1}]), and also related to raising tremendously
the complexity of extracting the secret key from the public
key [f] by the use of symbolic computation, interpolation, or
other methods for solving algebraic equations.
First, turn our attention to a basic theorem.

Theorem 7. Let s and t be any two affine functions on the vector
space K^n, and let E denote the set of all functions on the finite field L. We have
the following (i), (ii) and (iii):

(i) For any e ∈ E,

$$[e] = \text{constant} \implies [t \circ \psi^{-1} \circ e \circ \psi \circ s] = \text{constant}.$$

(ii) For any e ∈ E,

(iii) If and only if both s and t are bijections, the following holds for all
e ∈ E:

$$[e] \ne \text{constant} \implies \deg([t \circ \psi^{-1} \circ e \circ \psi \circ s]) = wt_q([e]).$$

Proof (sketch): Proving this theorem is not difficult but wastes pages.
So, we mention here only that the proof for general q can be readily
obtained from that for the case q = 2, which is described in [12]. □

Using Theorem 7, we can compute the degree of the multivariate
polynomial tuple [f] from the exponential q-weights of the univariate polynomials
[e_1], ..., [e_d]. The computing method is described in the following
theorem.

Theorem 8. For the bijection f defined by (7) and (8), the following
are true:
1) deg([f]) = max{wt_q([e_i]) | i = 1, ..., d}
2) deg([f^{-1}]) = max{wt_q([e_i^{-1}]) | i = 1, ..., d}.

Proof: Using a bijection e : L → L, g can be expressed as

$$g = \psi^{-1} \circ e \circ \psi. \qquad (9)$$

From Theorem 7, we get

$$\deg([g]) = wt_q([e]). \qquad (10)$$

Also, from (7) and (9), f can be expressed as

$$f = t \circ \psi^{-1} \circ e \circ \psi \circ s,$$

so, from Theorem 7 we have

$$\deg([f]) = wt_q([e]). \qquad (11)$$

(10) and (11) imply

$$\deg([f]) = \deg([g]). \qquad (12)$$

Well, from (8) we have

and according to the definition of the degree of a tuple of polynomials,
we have

$$\deg([g]) = \max\{\deg([\psi_i^{-1} \circ e_i \circ \psi_i]) \mid i = 1, \ldots, d\}. \qquad (13)$$

Further, from Theorem 7, we get

$$\deg([\psi_i^{-1} \circ e_i \circ \psi_i]) = wt_q([e_i]), \quad i = 1, \ldots, d. \qquad (14)$$

(12), (13) and (14) imply the first half of the theorem. The second half
can be proved in the same way. □

IV-4. Univariate Monomials as Grounds

The functions e_i are bijections expressed by univariate polynomials. Polynomials
representing bijections are also called permutation polynomials,
and it is well-known that there are many kinds of such polynomials.
However, in this paper, we only deal with those [e_i] which possess the
simplest form, the monic monomials. Other forms of [e_i] will be topics
for further discussion. We do so for several reasons:
i) It is easy to judge whether a monic monomial represents a bijection
or not;
ii) When the bijections e_i are represented by monic monomials [e_i],
their inverse functions e_i^{-1} are also represented by monic monomials
[e_i^{-1}], so it is easy to compute [e_i^{-1}] from [e_i];
iii) A monic monomial can be readily evaluated.

Now let [e_i], i = 1, ..., d, be a monic monomial in the indeterminate u
over the finite field L_i of order q^{n_i}, which takes the form of

$$[e_i](u) = u^{h_i}, \qquad 0 < h_i < q^{n_i} - 1. \qquad (15)$$

Since the nonzero elements of L_i form a multiplicative group of order q^{n_i} −
1, e_i forms a bijection only when h_i and q^{n_i} − 1 are relatively prime, i.e.,
only when gcd(h_i, q^{n_i} − 1) = 1.
Furthermore, suppose that 0 < \bar h_i < q^{n_i} − 1 is the multiplicative
inverse element of h_i modulo (q^{n_i} − 1); then [e_i^{-1}] forms a monic monomial
in the indeterminate v:

$$[e_i^{-1}](v) = v^{\bar h_i}, \qquad 0 < \bar h_i < q^{n_i} - 1. \qquad (16)$$

Since the exponential q-weights of [e_i] and [e_i^{-1}] are equal to the q-weights
of h_i and \bar h_i respectively, Theorem 8 immediately implies a new theorem:

Theorem 9. For the bijection f defined by (7), (8), (15) and (16), we
have
1) deg([f]) = max{W_q(h_i) | i = 1, ..., d}
2) deg([f^{-1}]) = max{W_q(\bar h_i) | i = 1, ..., d}.

As mentioned in the beginning of Section IV-3, a small deg([f])
but a large deg([f^{-1}]) are desirable. Considering Theorem 9, we require
that for all i, W_q(h_i) is small, but for some i, W_q(\bar h_i) is large.
Assume that deg([f]) = 1. Now we have W_q(h_i) = 1 for all i, and
also W_q(\bar h_i) = 1 for all i. This implies that deg([f^{-1}]) = 1, which is
not desirable. Hence, it is essential that deg([f]) ≥ 2. The rest of this
chapter will be concerned with the case deg([f]) = 2, which can be easily
treated. The other cases will also be topics for further discussion.

IV-5. Utilizing Tuples of Quadratic Multivariate Polynomials


For simplicity of presentation, in this section we only treat the case $d = 1$, and instead of $n_i, \psi_i, L_i, e_i$ and $h_i$ we use the notations $n, \psi, L, e$ and $h$. The results can be easily generalized to the cases $d \ge 2$. As stated at the end of the last section, here we still assume $\deg([f]) = 2$, i.e., $W_q(h) = 2$. The following theorem can be easily obtained.

Theorem 10. Let $p$ be a prime integer and $m, n, q$ and $h$ be integers satisfying $m > 0$, $n > 0$, $q = p^m$, $0 < h < q^n - 1$, and $\gcd(h, q^n - 1) = 1$. Then $p = 2$ is a necessary condition for $W_q(h) = 2$.

Proof: Assume $q$ is odd. When $W_q(h) = 2$, $h$ can be written as $h = q^j(1 + q^\theta)$, where $j$ and $\theta$ are nonnegative integers. Hence $h$ must be even. Also notice that $q^n - 1$ is apparently even. Thus $\gcd(h, q^n - 1)$ must be divisible by 2, which contradicts the assumption $\gcd(h, q^n - 1) = 1$. Therefore $q$ must be even. In other words, $p = 2$ is a necessary condition for $W_q(h) = 2$. □

In the sequel we always suppose that $p = 2$, i.e., $q = 2^m$.

Now that $W_q(h) = 2$, as mentioned in the proof of Theorem 10, $h$ can be expressed as
$$h = q^j(1 + q^\theta),$$
where $j$ and $\theta$ are nonnegative. Since $\psi^{-1} \circ (u^{q^j}) \circ \psi$ is a linear function, we can treat the evaluation of the $q^j$-th power together with the affine transformations $s$ and $t$, between which the function $e$ is inserted. So it suffices to consider the case $j = 0$ and $0 \le \theta \le \lfloor n/2 \rfloor$.
If $\theta = 0$, then $h = 2$. In this case $e$ is a bijection since $\gcd(2, q^n - 1) = 1$. Now consider the $n$-variate $n$-tuple representation of the bijection $t \circ \psi^{-1} \circ e \circ \psi \circ s$ over $K$:

Since both $p = 2$ and $h = 2$, it is clear that each $P_i$ contains only constant terms and the terms $x_0^2, \dots, x_{n-1}^2$. In this case one can quickly solve the following system of quadratic multivariate polynomial equations in the indeterminates $x_0, \dots, x_{n-1}$:

First, taking the system as a system of linear equations in the variables $x_0^2, \dots, x_{n-1}^2$, one can readily solve the new system and get $x_0^2, \dots, x_{n-1}^2$. Then one can uniquely determine $x_i$ from $x_i^2$ (note that $p = 2$). The above algorithm (method) requires about $O(n^3)$ operations over the field $K$. So such a system is far from being a good cryptosystem. Now let us assume furthermore that $\theta \ne 0$.
From the above discussion it becomes obvious that we can concentrate our attention upon the case $h = 1 + q^\theta$, $0 < \theta \le \lfloor n/2 \rfloor$. The function $e = (u^h)$ is a bijection iff $\gcd(h, q^n - 1) = 1$, which can be restated in another way:

Theorem 11. Let $m, q, \theta, n$ and $h$ be integers satisfying $m > 0$, $q = 2^m$, $0 < \theta < n$ and $h = 1 + q^\theta$. We have $\gcd(h, q^n - 1) = 1$ iff $R_2(\theta) \ge R_2(n)$, where $R_2(\theta)$ (resp. $R_2(n)$) is the 2-rank of $\theta$ (resp. $n$).

Proof: From Theorem A1 of the Appendix, $\gcd(h, q^n - 1) = \gcd(1 + 2^{m\theta}, 2^{mn} - 1) = 1$ is equivalent to $R_2(m\theta) \ge R_2(mn)$. According to the property (R2) of 2-rank functions, we have $R_2(m\theta) = R_2(m) + R_2(\theta)$ and $R_2(mn) = R_2(m) + R_2(n)$, which implies the theorem. □

According to Theorem 11, it is necessary that $n \ge 3$. Thus it suffices for us to consider those $\theta$ restricted by

where $\tau$ is a nonnegative integer and $\ell$ is a positive integer such that
$$n = (2\ell + 1) \cdot 2^\tau, \qquad \tau = R_2(n).$$
In this case the $q$-weight of $\bar h$ can be calculated from the $q$-rank of $\bar h$, as is stated in the following theorem.

Theorem 12. For integers $m, q, \theta, n, h$ satisfying $m > 0$, $q = 2^m$, $0 \le \theta < n$, $h = 1 + q^\theta$, $\gcd(h, q^n - 1) = 1$, the $q$-weight of the multiplicative inverse element $\bar h$ of $h$ modulo $(q^n - 1)$ is given by:

Proof: In the Appendix (Lemma A2) we have

and also from the Appendix (Lemma A3) we have

hence
$$2\,W_q(\bar h) = (q - 1)\bigl(n - R_q(\bar h)\bigr) + 1,$$
and it proves the theorem. □

Corollary 3. Under Theorem 12, we have

Proof: $0 \le R_q(\bar h) \le n - 1$, since $0 < \bar h < q^n - 1$. Hence $1 \le n - R_q(\bar h) \le n$, which implies the corollary. □

Now we see that, fortunately, $W_q(\bar h)$ can be increased greatly even when $W_q(h) = 2$. In certain special cases the $q$-weight of $\bar h$ can be exactly calculated by using the following theorem.

Theorem 13. $R_q(\bar h) = 2^\tau - 1$ when $\gcd(b, 2\ell + 1) = 1$.

Proof: $q^{(2\ell+1)\theta} \equiv 1 \pmod{q^n - 1}$, since $(2\ell + 1)\theta = (2\ell + 1)\,2^\tau b = nb$. Hence

Let $Q = q^{2^\tau}$; the above equation becomes
$$\bar h \equiv \frac{1}{2} \sum_{k=0}^{2\ell} Q^{bk} (-1)^k \pmod{q^n - 1}.$$
Since $\gcd(b, 2\ell + 1) = 1$, the multiplicative inverse element $\bar b$ of $b$ modulo $(2\ell + 1)$ exists. Assuming that $j = (bk) \bmod (2\ell + 1)$, $k$ can be expressed as $k = (\bar b j) \bmod (2\ell + 1)$. Hence

Using the relation $\frac{1}{2} \equiv \frac{q}{2} \cdot q^{2^\tau - 1} \cdot Q^{-1} \pmod{q^n - 1}$, we get

In other words, $\bar h$ can be written as
$$\bar h \equiv q^{2^\tau - 1} \cdot \frac{q}{2} \cdot A \pmod{q^n - 1},$$
$$A = \sum_{i=0}^{2\ell - 1} Q^i (-1)^{[\bar b (i+1)] \bmod (2\ell + 1)} + Q^{2\ell}.$$
Apparently $A$ is not divisible by $q$. Also, we have

and

Therefore, from $0 < \bar h < q^n - 1$, we have
$$\bar h = q^{2^\tau - 1} \cdot \frac{q}{2} \cdot A, \qquad q \text{ does not divide } A$$
(notice: not $\equiv$, but $=$). Hence $R_q(\bar h) = 2^\tau - 1$. □


From Theorem 12 and Theorem 13 it can be shown that, when $n$ is an odd integer $\ge 3$ ($\tau = 0$) and $\theta$ is relatively prime to $n$, the $q$-rank of $\bar h$ becomes zero, and the $q$-weight of $\bar h$ reaches its maximum $\frac{1}{2}\{(q - 1)n + 1\}$. Thus, when $R_q(\bar h) = 0$, we get

where $e$ is the base of natural logarithms. The above inequality tells us that the $n$-variate polynomial $n$-tuple representation of the function $f^{-1} = s^{-1} \circ \psi^{-1} \circ e^{-1} \circ \psi \circ t^{-1}$ contains a number of nonzero terms that grows approximately exponentially in $m$ and $n$, and writing down all those terms is practically impossible. The correctness of the inequality can be ascertained by a simple calculation using the definition of $T$, Theorem 9, Theorem 12, and Stirling's formula on factorials.
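The following Python script is an added worked example, not code from the paper: it computes the $q$-weight $W_q$ and the $q$-rank $R_q$, decides by the gcd condition whether $h = 1 + q^\theta$ is a permutation exponent, compares that with the 2-rank criterion of Theorem 11, verifies the identity $2W_q(\bar h) = (q-1)(n - R_q(\bar h)) + 1$ from the proof of Theorem 12, and checks the $q$-rank predicted by Theorem 13, all for small $m$, $n$, $\theta$. The function names and the parameter ranges are this example's own choices.

```python
from math import gcd


def q_digits(x, q):
    """Base-q digits of a nonnegative integer x, least significant digit first."""
    digits = []
    while x:
        digits.append(x % q)
        x //= q
    return digits


def q_weight(x, q):
    """W_q(x): the sum of the base-q digits of x (the paper's q-weight)."""
    return sum(q_digits(x, q))


def q_rank(x, q):
    """R_q(x): the largest r such that q^r divides x (the paper's q-rank), for x > 0."""
    r = 0
    while x % q == 0:
        x //= q
        r += 1
    return r


def is_permutation_exponent(h, q, n):
    """u -> u^h permutes GF(q^n) iff gcd(h, q^n - 1) = 1."""
    return gcd(h, q ** n - 1) == 1


def theorem11_predicts(theta, n):
    """Theorem 11: for q = 2^m and h = 1 + q^theta, u^h is a bijection iff R_2(theta) >= R_2(n)."""
    return q_rank(theta, 2) >= q_rank(n, 2)


def inverse_exponent(h, q, n):
    """h-bar: the multiplicative inverse of h modulo q^n - 1, i.e. the exponent of e^{-1}."""
    return pow(h, -1, q ** n - 1)


def theorem12_identity(m, n, theta):
    """Check 2 W_q(h-bar) = (q - 1)(n - R_q(h-bar)) + 1 for q = 2^m, h = 1 + q^theta.

    Returns None when h is not a permutation exponent (the hypothesis fails), otherwise
    the tuple (h, h-bar, W_q(h), W_q(h-bar), identity_holds).
    """
    q = 2 ** m
    h = 1 + q ** theta
    if not is_permutation_exponent(h, q, n):
        return None
    hbar = inverse_exponent(h, q, n)
    lhs = 2 * q_weight(hbar, q)
    rhs = (q - 1) * (n - q_rank(hbar, q)) + 1
    return h, hbar, q_weight(h, q), q_weight(hbar, q), lhs == rhs


def theorem13_check(m, n, theta):
    """Theorem 13: with n = (2l+1) 2^tau and theta = b 2^tau, R_q(h-bar) = 2^tau - 1 whenever
    gcd(b, 2l+1) = 1. Returns None when the hypothesis does not apply, else True/False."""
    q = 2 ** m
    tau = q_rank(n, 2)
    if theta % 2 ** tau:          # then R_2(theta) < R_2(n): e is not a bijection at all
        return None
    b, odd_part = theta // 2 ** tau, n // 2 ** tau
    if gcd(b, odd_part) != 1:
        return None
    hbar = inverse_exponent(1 + q ** theta, q, n)
    return q_rank(hbar, q) == 2 ** tau - 1


def survey(m_values, n_values):
    """Cross-check the three theorems over a parameter grid.

    Returns (t11_ok, t12_ok, t13_ok, rows); each row is (m, n, theta, h, h-bar, W_q(h),
    W_q(h-bar)) for the parameter sets where e is a bijection.
    """
    t11, t12, t13, rows = True, True, True, []
    for m in m_values:
        q = 2 ** m
        for n in n_values:
            for theta in range(1, n):
                h = 1 + q ** theta
                if is_permutation_exponent(h, q, n) != theorem11_predicts(theta, n):
                    t11 = False
                res = theorem12_identity(m, n, theta)
                if res is None:
                    continue
                h, hbar, wh, whbar, holds = res
                t12 = t12 and holds
                t13 = t13 and theorem13_check(m, n, theta) is not False
                rows.append((m, n, theta, h, hbar, wh, whbar))
    return t11, t12, t13, rows


if __name__ == "__main__":
    ok11, ok12, ok13, rows = survey(range(1, 4), range(2, 9))
    print("Theorem 11 agrees with gcd:", ok11, "| Theorem 12:", ok12, "| Theorem 13:", ok13)
    print(" m  n theta      h   h-bar  W_q(h)  W_q(h-bar)")
    for row in rows:
        print("%2d %2d %5d %6d %7d %7d %11d" % row)
```

Running the script prints the table; for instance $q = 4$, $n = 3$, $\theta = 1$ gives $h = 5$, $\bar h = 38$, $W_4(5) = 2$ and $W_4(38) = 5$, the gap between $\deg([f])$ and $\deg([f^{-1}])$ that Section IV-4 asks for.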

IV-6. Proof of Theorem 1 and Theorem 3

In Sections IV-3, IV-4 and IV-5 we discussed in detail specializations of $C^*_*$. The resulting asymmetric cryptosystem is nothing but our $C^*$ defined in Definition 1. Therefore we can see that Theorem 1 really holds. The first half of Theorem 3 follows from Theorem 9 and Corollary 3 and from $n_1 \le \dots \le n_d$. The second half of Theorem 3 immediately follows from the discussion at the end of Section IV-5.

V. CONCLUDING REMARKS
On a basis different from the previous ones, this paper has proposed and analyzed an asymmetric cryptosystem $C^*$ which can serve for both digital signatures and encryption.
An advantage of $C^*$ over the previous asymmetric cryptosystems is that both secret and public transformations can be done in complexity much less than $O(N^3)$ for a message block of size $N$. Actually, we have implemented $C^*$ in the languages C and Occam on 32-bit microprocessors and verified the high performance of $C^*$.
The description length of a key for $C^*$ is greater than that of previous systems with the same block size. However, this is not always a demerit, as mentioned in Section III-5.
Thus the present authors believe that $C^*$ is a cryptosystem worth investigating for everybody interested in high-speed cryptographic communications.
ACKNOWLEDGMENT
The authors wish to thank Youichi Takashima for his help in making numerical examples of $C^*$ and Yuliang Zheng for his kind interpretation of the Chinese papers [7, 8]. This work was supported in part by the Ministry of Education, Science and Culture under Grant-in-Aid for Encouragement of Young Scientists # 62750283.

REFERENCES

[1] Diffie, W. and Hellman, M.E., "New directions in cryptography," IEEE Transactions on Information Theory, IT-22, 6, pp.644-654, (Nov. 1976).
[2] Cardoza, E., Lipton, R. and Meyer, A.R., "Exponential space complete problems for Petri nets and commutative semigroups," Conf. Record of the 8th Annual ACM Symposium on Theory of Computing, pp.50-54, (1976).
[3] Garey, M.R. and Johnson, D.S., Computers and Intractability: A guide to the theory of NP-completeness, Freeman, (1979).
[4] Matsumoto, T., Imai, H., Harashima, H. and Miyakawa, H., "A class of asymmetric cryptosystems using obscure representations of enciphering functions," 1983 National Convention Record on Information Systems, IECE Japan, 58-5, (Sept. 1983) (in Japanese).
[5] Matsumoto, T., Harashima, H. and Imai, H., "A theory of constructing multivariate-polynomial-tuple asymmetric cryptosystems," Proceedings of 1986 Symposium on Cryptography and Information Security, E2, Susono, Japan, (Feb. 1986) (in Japanese).
[6] Fell, H. and Diffie, W., "Analysis of a public key approach based on polynomial substitution," Advances in Cryptology - CRYPTO '85, Springer, pp.340-349, (1986).
[7] Zhou, T., "Boolean public key cryptosystem of the second order," Journal of China Institute of Communications, Vol.5, No.3, pp.30-37, (July 1984) (in Chinese).
[8] Zhou, T., "A note on boolean public key cryptosystem of the second order," Journal of China Institute of Communications, Vol.7, No.1, pp.85-92, (Jan. 1986) (in Chinese).
[9] Lidl, R. and Niederreiter, H., Finite Fields, Addison-Wesley (1983).
[10] Rivest, R.L., Shamir, A. and Adleman, L., "A method for obtaining digital signatures and public key cryptosystems," Communications of the ACM, Vol.21, No.2, pp.120-126, (Feb. 1978).
[11] Takahashi, I., "Switching functions constructed by Galois extension fields," Information and Control, Vol.48, pp.95-108, (1983).
[12] Matsumoto, T., Imai, H., Harashima, H. and Miyakawa, H., "A cryptographically useful theorem on the connection between uni and multivariate polynomials," Transactions of the Institute of Electronics and Communication Engineers, Vol.E68, No.3, pp.139-146, (March 1985).

APPENDIX

Lemma A1. If integers $a, b, c$ and $f$ satisfy $a > b > c \ge 0$ and $a = bf + c$, then
$$\gcd(2^a \pm 1, 2^b + 1) = \gcd\bigl(2^b + 1, (-1)^f 2^c \pm 1\bigr),$$
$$\gcd(2^a + 1, 2^b - 1) = \gcd(2^b - 1, 2^c + 1).$$
Proof: From
$$2^a \pm 1 = 2^{bf} 2^c \pm 1$$
and
$$2^{bf} = \bigl((-1) + (2^b + 1)\bigr)^f = \sum_{j=0}^{f} \binom{f}{j} (-1)^j (2^b + 1)^{f-j} = (2^b + 1)\Bigl\{\sum_{j=0}^{f-1} \binom{f}{j} (-1)^j (2^b + 1)^{f-j-1}\Bigr\} + (-1)^f,$$
we get
$$2^a \pm 1 = (2^b + 1)\Bigl\{\sum_{j=0}^{f-1} \binom{f}{j} (-1)^j (2^b + 1)^{f-j-1}\Bigr\} 2^c + (-1)^f 2^c \pm 1.$$

Theorem A1. If integers $a, b, d$ satisfy $a > 0$, $b > 0$, $d = \gcd(a, b)$, then
$$\gcd(2^a + 1, 2^b - 1) = \begin{cases} 1, & R_2(a) \ge R_2(b); \\ 2^d + 1, & R_2(a) < R_2(b). \end{cases}$$

Proof: By applying Lemma A1 iteratively (the Euclidean algorithm on the exponents), we find that $\gcd(2^a + 1, 2^b - 1)$ equals either $\gcd(\pm 2^d + 1, 2) = 1$ or $\gcd(\pm 2^d + 1, 0) = 2^d + 1$. Now from the definition of $R_2$ and Lemma A1 we have
$$R_2(a) < R_2(b) \iff R_2(a) = R_2(d) < R_2(b)$$
$$\iff R_2(a/d) = R_2(a) - R_2(d) = 0 \ \text{and}\ R_2(b/d) = R_2(b) - R_2(d) > 0$$
$$\iff (-1)^{a/d} = -1 \ \text{and}\ (-1)^{b/d} = 1$$
$$\implies \gcd(2^a + 1, 2^d + 1) = \gcd(2^d + 1, 2^0 + (-1)) = 2^d + 1 \ \text{and}\ \gcd(2^b - 1, 2^d + 1) = \gcd(2^d + 1, 2^0 - 1) = 2^d + 1$$
$$\implies (2^d + 1) \mid \gcd(2^a + 1, 2^b - 1),$$
which proves the theorem. □

Lemma A2. For integers $m, q, \theta, n$ and $h$ with $m > 0$, $q = 2^m$, $0 \le \theta < n$, $h = 1 + q^\theta$, $\gcd(h, q^n - 1) = 1$, the multiplicative inverse element $\bar h$ of $h$ satisfies

Proof: Let the $q$-ary representation of $\bar h$ be $\bar h = \sum_{i=0}^{n-1} q^i \bar h_i$ $(0 \le \bar h_i < q)$. By introducing an integer $k$, $(1 + q^\theta) \cdot \bar h$ can be written as $k(q^n - 1) + 1$. Hence
$$q^n - \bar h = q^\theta \bar h - (k - 1)(q^n - 1). \tag{A2-2}$$
Because

we get

from (A2-2). Also, $q^n - \bar h < q^n - 1$ since $\bar h > 1$. Hence

which implies (A2-1). □

Lemma A3. If an integer $a$ satisfies $1 \le a \le q^n - 1$, then

where $\lambda = R_q(a)$.

Proof: We can uniquely determine a positive integer $b$ such that $a = q^\lambda \cdot b$ and $b$ is not divisible by $q$. Thus

Also, from $q^n - a = q^n - q^\lambda b = q^\lambda(q^{n-\lambda} - b)$, we get

Since $b$ is not divisible by $q$, and can be expressed as

by using the properties (W1) and (W2) of $W_q$ we get

i.e.,
$$W_q(b) = W_q(b - 1) + 1. \tag{A3-3}$$
Furthermore, from $(b - 1) + (q^{n-\lambda} - b) = q^{n-\lambda} - 1$ and the property (W3) of $W_q$, we get
$$W_q(b - 1) + W_q(q^{n-\lambda} - b) = (n - \lambda)(q - 1). \tag{A3-4}$$
Thus, by (A3-1), (A3-2), (A3-3) and (A3-4), we have the following:
$$W_q(a) + W_q(q^n - a) = W_q(b) + W_q(q^{n-\lambda} - b) = 1 + W_q(b - 1) + W_q(q^{n-\lambda} - b) = 1 + (n - \lambda)(q - 1). \quad □$$

Some Applications of Multiple Key Ciphers

Colin Boyd,
British Telecom,
Data Security Laboratory,
1, Cutler Street, Ipswich IP1 lW, UK.

Abstract

This paper describes an implementation of a cipher system with any number of keys which is a generalisation of the RSA cryptosystem. Three applications of such a cipher system are given. The general properties required for possible alternative implementations are discussed.

1 Introduction

The insight of Diffie and Hellman [6] was that the enciphering
and deciphering keys of a cryptosystem need not be the same.
Therefore a cryptosystem could have two keys, one of which would
remain secret and the other would be made public. This has led to
numerous applications such as digital signatures.

The aim in this paper is to investigate some of the consequences of generalising these ideas. We consider doing this in two ways. Firstly the number of keys in the cryptosystem can be increased to three or more. Secondly the different keys can be distributed to sets of users other than a single user or the set of all users.

We start off the paper with some general ideas about multiple-key
ciphers and then consider some applications and how they fit
in with these ideas. The applications considered in this paper
are selective distribution of information to subsets of a group
of users, digital signatures with more than one signatory, and
electronic voting. There are many other potential applications.
The scheme we consider here appears to be useful for applications of a type concerning different groups of interacting users. The importance of such applications is discussed together with some examples in [5].

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 455-467, 1988.
© Springer-Verlag Berlin Heidelberg 1988

2 Multiple Key Ciphers

We shall explain our concept of a multiple key cipher in terms of a generalisation of the RSA public key scheme [7]. Other implementations are possible and the precise properties of RSA that are used are examined in section 4 of this paper. An important property of RSA that we make use of is its multiplicative property, namely with fixed modulus and any keys k1,k2,

E(E(M,k1),k2) = E(M,k1.k2)

for any message M. Our construction of a multiple key cipher is as follows.

A modulus m is chosen by the owner of the scheme to be the product of two large primes as in the RSA scheme. The special properties of the primes which are desirable in RSA are also desired here. A number of keys k1,k2,...,kn are then chosen to satisfy the property

k1.k2...kn = 1 mod φ(m).

The k1,...,kn-1 may be chosen at random and kn then chosen to satisfy the equation. To encrypt with the key ki a message M, with 0 < M < m-1, is transformed by

E(M,ki) = M**ki mod m.

Then it follows that

= M**(r.φ(m) + 1) mod m for some integer r,
= M by Fermat's Little Theorem.
Note that because of the multiplicative property it does not matter in which order the keys are used.
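As an added example, not code from the paper, the construction above in Python with a constructed toy modulus (the primes 1009 and 1013 stand in for the two large primes): key generation with k1.k2...kn = 1 mod φ(m), the multiplicative property E(E(M,k1),k2) = E(M,k1.k2), independence of the order in which keys are applied, and, for the three-key table given later in this section, the key set that recovers M from each ciphertext. The function names are this example's own.

```python
import random
from math import gcd

# Constructed toy parameters: small primes so the arithmetic can be followed by hand.
# Real use needs primes of cryptographic size and the other RSA precautions the paper cites.
P, Q = 1009, 1013
MODULUS = P * Q
PHI = (P - 1) * (Q - 1)          # phi(m), the Euler totient of the modulus


def encrypt(message, key, modulus=MODULUS):
    """E(M, k) = M**k mod m, the paper's single-key transformation."""
    return pow(message, key, modulus)


def keys_compose(keys):
    """Product of the keys modulo phi(m); by the multiplicative property it acts as one key."""
    product = 1
    for k in keys:
        product = product * k % PHI
    return product


def choose_keys(n, seed=0):
    """Choose k1..k(n-1) at random (coprime to phi(m)) and kn so that k1.k2...kn = 1 mod phi(m)."""
    rng = random.Random(seed)    # seeded only so that the example is reproducible
    keys = []
    while len(keys) < n - 1:
        k = rng.randrange(2, PHI)
        if gcd(k, PHI) == 1:
            keys.append(k)
    keys.append(pow(keys_compose(keys), -1, PHI))   # the complementary key kn
    return keys


def apply_keys(message, keys):
    """Encrypt with each key in turn; the order does not matter."""
    result = message
    for k in keys:
        result = encrypt(result, k)
    return result


def three_key_table(r, s, t, message):
    """For each row of the paper's three-key table, the keys that recover M.

    Returns a dict mapping the ciphertext label to (remaining key names, recovers_M).
    """
    key_names = {"r": r, "s": s, "t": t}
    table = {}
    for used in ("r", "s", "t", "rs", "rt", "st"):
        ciphertext = apply_keys(message, [key_names[c] for c in used])
        remaining = "".join(c for c in "rst" if c not in used)
        recovered = apply_keys(ciphertext, [key_names[c] for c in remaining])
        table["M**" + used] = (remaining, recovered == message)
    return table


if __name__ == "__main__":
    r, s, t = choose_keys(3)
    message = 123456
    print("r.s.t mod phi(m) =", keys_compose([r, s, t]))
    print("E(E(M,r),s) == E(M,r.s):", encrypt(encrypt(message, r), s) == encrypt(message, r * s))
    print("all three keys in any order return M:", apply_keys(message, [t, r, s]) == message)
    for label, (readers, ok) in three_key_table(r, s, t, message).items():
        print(label, "is read with keys", readers, "->", ok)
```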

Let U be any population of users of the scheme and K the set of keys {k1,k2,...,kn}. Any subset of K can be distributed to any subset of U. A message that has been encrypted with a certain number of the keys in K may then be read by a certain subset of U and can only have been written by another subset of U. These subsets are defined by possession of the necessary keys.

For example consider the case where there are only two keys r and
s. Let R be the subset of users of the population who possess the
key r and S be the set who possess s. These subsets overlap in
the subset of users who possess both keys, which may or may not
be empty.

The following table shows the status of the possible messages.

Message        Can be read by    Can be written by

M**r mod m     S                 R
M**s mod m     R                 S

In the case that R is equal to the whole population U, and S is a single user, we arrive at the familiar situation of the RSA public key cryptosystem. Then messages of the type M**r mod m can be written by anybody but are confidential to the single user, whereas those of the form M**s mod m can be read by anybody but must have been produced by the single user.

When the number of keys is increased to three there are many more possibilities. We extend the previous diagram by adding a third group of users T in possession of the key t.

[Figure: the three overlapping user groups R, S and T]

The following table shows the status of the possible messages.

Message        Can be read by    Can be written by

M**r mod m     S ∩ T             R
M**s mod m     R ∩ T             S
M**t mod m     S ∩ R             T
M**rs mod m    T                 R ∩ S
M**rt mod m    S                 R ∩ T
M**st mod m    R                 S ∩ T

Where the table indicates that the message can be read or written by S ∩ T, it can be written or read by any member of both groups, or, what is just as important, can be written or read by any member of S and any member of T in collaboration. In an application some of the named subsets of U may be empty. In the applications described in this paper we always assume the existence of an authority which is responsible for generating and distributing keys.

3 Applications

3.1 Selective Distribution

This application is concerned with distributing information to one or more selected users out of some user population. There are various situations where different sets of information may be required to be made available to different sets of entities. Examples are confidential information in companies which is restricted to different departments, and database information which is only available to those groups who have paid for it.

In order to restrict the information only to authorised users the


information will be encrypted. The information could be encrypted
with a different key for each authorised user or group but this
would require many different versions of the information to be
held or distributed. Therefore we require that each piece of
information is only encrypted with one key but that any
combination of the users may be defined for reception of a
particular piece of information.

The obvious way to solve this problem is for the authority to issue a key for every possible combination of users. The problem with this is that if there are N users then 2**N-1 keys are required, which quickly becomes large as N increases. The solution described here uses the multiple-key cipher and requires only N different keys.

Consider a set-up with three users of a system. The authority chooses three keys r, s and t with

r.s.t = 1 mod φ(m).

Let us call the users A, B and C. These users are then issued with the key sets {r,s}, {r,t}, and {s,t} respectively. The authority can then choose any combination of the users to which it wishes to distribute a given message M. The way this can be done is illustrated in the following table.

Message     Can be read by

M**r        C
M**s        B
M**t        A
M**rs       B and C
M**rt       A and C
M**st       A and B

Of course messages to be read by all three users can be sent in the clear.

The above scheme can be extended to any number of users by choosing the same number of keys as there are users. Suppose there are N users and N keys k1,k2,...,kN. Each user is distributed all keys except one, so that the i'th user is distinguished by not possessing key ki. Messages are encrypted by the authority using any combination of the keys, and messages are kept secret from the i'th user by leaving ki out of the keys used in the encryption.

Note the flexibility of this scheme in regard to members leaving or joining the system. This property is identified in [5] as being of great importance in "group oriented cryptography". Members may be added or removed without the need to change the keys of any other members. The authority will only need to re-calculate its inverse key.

In order for this scheme to work the users must not be able to
collude to share keys since the keys of any two users could be
used to read every piece of information. If this is likely the
keys would need to be distributed by the authority in a tamper-
proof form which could not be read by the users, and which could
only be used in a fixed protocol.
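The following Python program is an added example, not the paper's code, of the N-user scheme just described, with a constructed toy modulus: user i receives every key except ki, the authority encrypts with the keys of the intended readers, a user outside that set lacks one of the keys needed to finish the decryption, and the pooled keys of any two users (the collusion the paper warns about) recover every message. That the list of intended readers travels in the clear with the ciphertext is an assumption of this example.

```python
import random
from math import gcd

P, Q = 1009, 1013                  # constructed toy primes, not of cryptographic size
MODULUS = P * Q
PHI = (P - 1) * (Q - 1)


def key_product(keys):
    """Product of a collection of keys modulo phi(m)."""
    product = 1
    for k in keys:
        product = product * k % PHI
    return product


def generate_keys(n_users, seed=0):
    """N keys k_0..k_{N-1} with product 1 mod phi(m); user i will receive every key except k_i."""
    rng = random.Random(seed)      # seeded only for reproducibility
    keys = []
    while len(keys) < n_users - 1:
        k = rng.randrange(2, PHI)
        if gcd(k, PHI) == 1:
            keys.append(k)
    keys.append(pow(key_product(keys), -1, PHI))
    return keys


def user_key_set(keys, user):
    """The key set distributed to `user`: every key except k_user."""
    return {i: k for i, k in enumerate(keys) if i != user}


def encrypt_for(message, keys, readers):
    """Authority side: use k_i for each intended reader i, leaving out k_j for every excluded j.

    Returns (ciphertext, sorted reader list); the reader list is sent in the clear so that
    recipients know which keys were used (an assumption of this example).
    """
    exponent = key_product(keys[i] for i in readers)
    return pow(message, exponent, MODULUS), sorted(readers)


def decrypt(ciphertext, readers, my_keys, n_users):
    """User side: apply the keys that were NOT used; their product with the used keys is
    1 mod phi(m). A user outside `readers` is missing exactly one of the needed keys."""
    needed = [i for i in range(n_users) if i not in readers]
    if any(i not in my_keys for i in needed):
        return None                      # a key is missing: the message stays hidden
    return pow(ciphertext, key_product(my_keys[i] for i in needed), MODULUS)


def collusion_reads_everything(keys, users, message, readers):
    """The paper's caveat: the key sets of any two users together contain all N keys,
    so the pooled set decrypts a message addressed to neither of them."""
    pooled = {}
    for u in users:
        pooled.update(user_key_set(keys, u))
    ciphertext, reader_list = encrypt_for(message, keys, readers)
    return len(pooled) == len(keys) and decrypt(ciphertext, reader_list, pooled, len(keys)) == message


if __name__ == "__main__":
    N = 5
    keys = generate_keys(N)
    message = 424242
    ciphertext, readers = encrypt_for(message, keys, {1, 3})   # for users 1 and 3 only
    for u in range(N):
        print("user", u, "recovers", decrypt(ciphertext, readers, user_key_set(keys, u), N))
    print("users 0 and 4 colluding read it anyway:",
          collusion_reads_everything(keys, [0, 4], message, {1, 3}))
```

Encrypting for every user yields the exponent 1, i.e. the message itself, which matches the paper's remark that messages for all users can be sent in the clear.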

For example, the tamper proof module could be programmed only to output messages which satisfy a certain redundancy condition when decrypted with the correct key. Messages from the authority will be provided with the redundancy condition before encryption.

A similar problem to that addressed here is discussed by Simmons in [8], where the idea of a tamper resistant module plays an integral part in the solution.

3.2 Double Signatures

The idea of digital signature is now well known. In many commercial applications the signature of more than one person is required on a document. We call a signature requiring more than one key a multisignature. Typical uses for such a multisignature are cheques issued by companies which need to be authorised by two people and contracts which are to be signed by business partners.

Multiple key ciphers can provide a neat solution to this problem. A detailed account of various schemes is given in [1]. In this section we show a solution that fits into the general framework of multiple key ciphers. We restrict ourselves to the case of just two signatories.

Two keys r and s are selected randomly (subject to the condition that they are prime to φ(m)) and t is chosen to satisfy

r.s.t = 1 mod φ(m).

The keys r and s are distributed to the authorised signatories and t is made public. In order to sign the message M the first signatory forms the signature

S1 = M**r mod m

and passes it to the second signatory. The second signatory can recover the message using s and t since

S1**st mod m = M.

Furthermore he knows it has been signed by the first signatory. If he is satisfied he forms

S2 = S1**s mod m
   = M**rs mod m

and passes it to the recipient. The recipient and any member of the public can verify the signature since

S2**t mod m = M.

In terms of the model described in section 2 we may take U to be the set of all users. The keys r and s are then issued to sets of authorised signatories R and S and the key t is issued to all of U. The following table shows the status of the messages.

Message     Can be read by    Can be written by

S1          S                 R
S2          U                 R ∩ S
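Added example in Python, not from the paper: the two-signatory exchange above with a constructed toy modulus. The first signatory produces S1 = M**r, the second recovers M with s and t and checks it is the document he expects before adding his own exponent, and anyone verifies S2**t = M with the public key t. The function names are this example's own.

```python
import random
from math import gcd

P, Q = 1009, 1013                  # constructed toy primes, not of cryptographic size
MODULUS = P * Q
PHI = (P - 1) * (Q - 1)


def setup(seed=0):
    """r and s random and prime to phi(m); t satisfies r.s.t = 1 mod phi(m) and is made public."""
    rng = random.Random(seed)      # seeded only for reproducibility

    def random_key():
        while True:
            k = rng.randrange(2, PHI)
            if gcd(k, PHI) == 1:
                return k

    r, s = random_key(), random_key()
    t = pow(r * s % PHI, -1, PHI)
    return r, s, t


def first_signature(message, r):
    """S1 = M**r mod m, produced by the first signatory."""
    return pow(message, r, MODULUS)


def second_signatory_check(s1, s, t, expected_message):
    """The second signatory recovers M from S1 with s and t (S1**st mod m = M) and compares it
    with the document he expects; a value not produced with r does not recover to it."""
    return pow(s1, s * t, MODULUS) == expected_message


def second_signature(s1, s):
    """S2 = S1**s = M**rs mod m, the completed multisignature."""
    return pow(s1, s, MODULUS)


def verify(s2, t, message):
    """Anyone holding the public key t checks S2**t mod m = M."""
    return pow(s2, t, MODULUS) == message


def run_protocol(message, r, s, t):
    """The full exchange; returns (S1, S2, second signatory's check, public verification)."""
    s1 = first_signature(message, r)
    accepted = second_signatory_check(s1, s, t, message)
    s2 = second_signature(s1, s) if accepted else None
    return s1, s2, accepted, (s2 is not None and verify(s2, t, message))


if __name__ == "__main__":
    r, s, t = setup()
    document = 271828
    s1, s2, accepted, ok = run_protocol(document, r, s, t)
    print("second signatory accepts S1:", accepted)
    print("public verification of S2:", ok)
    print("a value not signed with r passes the second signatory's check:",
          second_signatory_check(document, s, t, document))
```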

In [1] it is shown how this idea may be extended so that the two signatories can be any from a group. For example this would allow any two directors from the board of a company to sign a document.

Note, however, that it is not possible to extend this scheme to more than two signatories in the obvious way. This is because every signatory needs to be able to read the partial signature before signing, which is only possible for the first or last signatory. It is shown in [1] how this property can be turned to advantage to implement "blind signatures" ([3]).

3.3 A Simple Voting Scheme

Various schemes have been proposed for electronic voting ([2],[4]). This application of multiple key ciphers is a new simple voting scheme. It enables users to verify that their votes have been counted while keeping votes anonymous to all other voters. It has the useful property that there is no interactive behaviour required between the authority and the voters, and also that no secret key is required by the voters. In the form explained here it is only suitable for voting either 'yes' or 'no', but the scheme could be extended to allow any number of answers.

The scheme suffers from the disadvantage that the authority is able to read the vote of any person, if it also acts as the issuer of the 'voting slips'. There appears to be a conflict in voting schemes, also mentioned in [4], between maintaining the confidentiality of the votes cast and ensuring that no voter votes twice. Trust has to be placed somewhere and in this scheme an independent trusted voting authority is assumed. This is consistent with the way that paper voting schemes usually work.

Three keys r,s,t are involved, of which r is kept secret by the issuing authority and s and t are made public. As usual the authority chooses r,s and t to satisfy

r.s.t = 1 mod φ(m).

Each voter is issued a voting slip V which is a block consisting of two parts. One part is a random number g which is used to ensure that the slip is not used more than once, and the other is a component of redundancy which is used to avoid forgery. The redundancy could consist, for example, of every other bit of g being fixed. (The redundancy component can be changed for each election, thus allowing the same keys to be used on many different occasions.)

The voting slip is issued to the voter as V**r mod m. (This must be transported secretly to the correct voter, a problem we do not address here.) If the voter wants to vote 'yes' he forms

(V**r)**s mod m

and sends it to the ballot. Similarly if he wants to vote 'no' he sends

(V**r)**t mod m.

The authority can then validate and count each vote V' by forming

V'**t mod m

or V'**s mod m

and checking for the redundancy condition. The claimed value of the vote can be sent with it in order to reduce processing.

Voting slips may not be forged since they are signed by the
issuing authority. On the other hand they are anonymous (except
to the issuing authority) since the voting keys are public. In
terms of the model of section two a valid vote must have been
written by the issuing authority plus any user, and can be read
by any user.

If the same random number is found more than once then all votes
with that number should be discarded. (Of course, there is a
small probability, depending on the number of voters and the size
of m, that a valid vote is discarded.) Copies of all the votes
(including any discarded ones) can be published with the results
of the ballot and each voter can confirm that his vote was
included.
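An added Python example, not the paper's code, of the voting scheme: issuing V**r, casting (V**r)**s or (V**r)**t, validating with the redundancy check, and discarding every vote whose random number appears more than once. It assumes a constructed modulus built from two Mersenne primes and, for the redundancy component, a fixed 32-bit election tag in the low bits of V rather than fixing every other bit of g.

```python
import random
from math import gcd

# Constructed toy parameters: two Mersenne primes give a ~92-bit modulus, large enough to
# hold the slip layout below but nowhere near a real RSA size.
P, Q = 2**31 - 1, 2**61 - 1
MODULUS = P * Q
PHI = (P - 1) * (Q - 1)

# Redundancy component (this example's choice): the low 32 bits of every slip carry a fixed
# election tag, which is changed per election so that the same keys can be reused.
TAG_BITS = 32
ELECTION_TAG = 0x5EC0DE11
RANDOM_BITS = 48                   # width of the random number g


def setup(seed=0):
    """r is the authority's secret issuing key; s ('yes') and t ('no') are public, r.s.t = 1 mod phi(m)."""
    rng = random.Random(seed)      # seeded only for reproducibility

    def random_key():
        while True:
            k = rng.randrange(2, PHI)
            if gcd(k, PHI) == 1:
                return k

    s, t = random_key(), random_key()
    r = pow(s * t % PHI, -1, PHI)
    return r, s, t


def make_slip(g):
    """V = (g, redundancy): g in the high bits, the election tag in the low bits."""
    return (g << TAG_BITS) | ELECTION_TAG


def has_redundancy(value):
    return value & ((1 << TAG_BITS) - 1) == ELECTION_TAG


def issue(g, r):
    """Authority: the voter receives V**r mod m (to be transported secretly to that voter)."""
    return pow(make_slip(g), r, MODULUS)


def cast(signed_slip, choice, s, t):
    """Voter: 'yes' -> (V**r)**s, 'no' -> (V**r)**t. The voter needs no secret key."""
    return pow(signed_slip, s if choice == "yes" else t, MODULUS)


def validate(vote, s, t):
    """Authority: raise to t (yes) or s (no); a genuine vote recovers V = (g, tag).
    Returns (choice, g), or None for a value that was not built from an issued slip."""
    for choice, key in (("yes", t), ("no", s)):
        v = pow(vote, key, MODULUS)
        if has_redundancy(v):
            return choice, v >> TAG_BITS
    return None


def tally(votes, s, t):
    """Count valid votes; discard votes failing the redundancy check and every vote whose
    random number g occurs more than once. Returns (counts, number discarded)."""
    by_g = {}
    for vote in votes:
        result = validate(vote, s, t)
        key, choice = (None, None) if result is None else result[::-1]
        by_g.setdefault(key, []).append(choice)
    counts, discarded = {"yes": 0, "no": 0}, 0
    for g, choices in by_g.items():
        if g is None or len(choices) != 1:
            discarded += len(choices)
        else:
            counts[choices[0]] += 1
    return counts, discarded


if __name__ == "__main__":
    r, s, t = setup()
    rng = random.Random(1)                       # constructed voters' random numbers
    g = [rng.getrandbits(RANDOM_BITS) for _ in range(3)]
    ballots = [cast(issue(g[0], r), "yes", s, t),
               cast(issue(g[1], r), "no", s, t),
               cast(issue(g[2], r), "yes", s, t),
               cast(issue(g[2], r), "no", s, t),    # same slip used twice: both discarded
               12345]                                # not built from an issued slip
    print(tally(ballots, s, t))
```

Publishing the list of ballots (including the discarded ones) lets each voter find his own value and confirm it was counted, as the paper describes; the authority that issued the slips can still link g to the voter, which is the trust assumption stated above.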

4 Abstraction: Multiple Key Ciphers as Groups

For concreteness we have looked at multiple key ciphers as generalisations of the RSA cryptosystem. In this section we try to abstract the essential properties of RSA that we have used and discuss what could be a more general approach.

We start off from a finite message space M and consider our cryptosystem as a finite set of keys K which are permutations of M. That is, each k in K is a map M --> M which is one-to-one and onto (a bijection). We have found a need for the following properties.

Closure Property

Any two keys k and j in K may be concatenated so that k o j is another key in K.

Inverse Property

Each key k in K has an inverse k-1 in K such that

Associative Property

For any three keys j,k,l in K, we have

j o (k o l) = (j o k) o l.

Commutative property

For any two keys k and j in K, we have

k o j = j o k.

We have used these properties to enable us to construct key sets for a multiple key cipher as follows.

First choose any keys in K then concatenate them. The number of keys chosen is not limited and depends on the application.

i) By the associative property the result of the concatenation does not depend on the order in which it is performed.

ii) By the Closure Property the concatenated values give a valid key k in K.

iii) The complementary key of k exists by the Inverse Property.

iv) The commutative property is required because it should not matter in which order the keys are used.

These properties are exactly those that are required to define K as an Abelian Group. The inverse property is common to all invertible cryptosystems including block ciphers such as DES. The Closure property, however, is not normally held by a symmetric block cipher but it is held by RSA. The associative and commutative properties are held in our extension of RSA.

In the case of our RSA extension the message space M consists of the integers less than the RSA modulus, and the key group consists of the multiplicative group of integers Zn*.

One property of RSA that we have used but not mentioned yet is the trapdoor property. This allows the 'owner' of the scheme, or what we have sometimes called the 'authority' in this paper, to obtain the correct complementary key while preventing unauthorised parties from finding such a key. In the applications considered in this paper the trapdoor property was relied upon, but further applications may be found which will not require it while the properties in section 2, regarding which entities may read or write a message, still apply. This opens up the possibility of different implementations of multiple key ciphers which do not depend on existing public key cryptosystems. One possible example is the field of integers modulo a prime. Users given a single key selected randomly by the authority can have no knowledge of other users' keys allocated by the authority which together form a complementary set.

An interesting further development might be to consider the effect of removing various of the group properties. For example, without the commutative property the order of use of keys would have different effects; this could be significant, for example in the double signatures application.

5 Acknowledgements

I would like to thank E.J.Humphreys for many valuable discussions on the topics in this paper and Mark Stirland for pointing out some errors in an earlier version. Acknowledgement is made to the Director of Research and Technology for permission to publish this paper.

6 References

[1] C.A.Boyd, Digital Multisignatures, IMA Conference on Cryptography and Coding, Cirencester, December 1986.

[2] D.L.Chaum, Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms, Comm.ACM, 24,2,(1981), 84-88.

[3] D.L.Chaum, Blind signatures for untraceable payments, Proceedings of Crypto 82, Plenum Press 1983, pp.199-203.

[4] J.D.Cohen & M.J.Fischer, A Robust and Verifiable Cryptographically Secure Election Scheme, Proceedings of IEEE Conference on Foundations of Computer Science, 1985.

[5] Y.Desmedt, Society and Group Oriented Cryptography, Proceedings of Crypto 87.

[6] W.Diffie & M.Hellman, New Directions in Cryptography, IEEE Transactions on Information Theory, IT-22, 6, 1976.

[7] R.Rivest, A.Shamir & L.Adleman, A method for obtaining digital signatures and public key cryptosystems, Comm.ACM 21,2(1978), 120-126.

[8] G.J.Simmons, How to (selectively) broadcast a secret, Proceedings of IEEE Conference on Security and Privacy 1985.
Author Index

A g n e u . G . A . , 139. 251 Jingniin. H..1 1 5


Beth. T . , 77 Kaicheng, L . . 11.5
B o > d , c. A , , 455 Kawarnura. S . . 2-15
Braridt, J . . 167 Knapskog. S. J . , 107
Brickell, C. F . , 51. 27; Knobloch, H.-J.. 67
Camion, P . , 97 Iio\arna. K.. 1 1
C a m p a n a. IT..129 L d I l d T O C k . P.. 167

Chambers, i f - . G . , 325. 331 Lee. P. J . . 275


C h a u m . D . . 177 Lin. D. 351
~

Cohen. R . . 129 Liu, h l . . 3\51


Damgard. I. 13.. 167 l I a t s n r n o t o . T . . 319
Davida, G . I . , 183 l l c i e r I T . . 301
Davis, J . .4.,235 llullin. R. C . . 159, 251
Decroos, h l . , 257 Nicderreiter. 1 1 . . 191
Den Boer. B..293 O hta. I < . . 11
Dcsmedt. 1..G . . 2 3 . 183 Okamoto. E . , 361
De S o e t e . M . , 57. 389 Purdy. G . R . , 35
Ding. C . , 335 Quisquater, J.-J. 123 ~

Di Porto. .I.,211 Rueppel. K.'4..3


Dlay, S. S . . 267 Schnorr. c'. P.. 225
Filipponi, P. 211 Sgarro, A . . 375
Girault. AI.. 129. 281 Simmons. G . J . . 35
Godlewski. P h . . 97 Smeets. B. J . I I . , 323
Gorgui-Naguib. R. S.,267 Staffelbach, 0 . . 301
Govaerts, R.,257 Stinson. D. R . . 51
Gollmann. D . . 331 Tezuka, S . . 317
Guillou. L. C . , 123 T o f i n , P., 281
Giinther. C. G . . 105 j7allee, B . . 281
Hirano. K . . 245 \.ande\valle, J . . 237
Holdridge, D. B . . 235 1-anstone, S. A\., 159.251
Hoornaert. F . . 257 I-edder. K.. 389
Imai. I I . . 419
Keyword Index

Anonymity, see User anonymity
Arbitration, 35, 51
Attacks
  Birthday attack, 129
  Correlation attack, 301
  Attack using lock-in effects, 331
  Meet in the middle attack, 129
Authentication, 23, 35, 51, 57, 87, 97, 107, 123
  see also Identification and Signature

Basis
  Normal basis, 251
  Reduction of lattice basis, 281
Block ciphers
  DES, 225
  Feistel structure, 225
  FEAL, 293

Claw free permutations, 23, 167
Codes
  Error correcting codes, 275
  Error detecting codes, 97
  Maximal distance separable codes, 97
Continued fraction, 191
Cryptanalysis, 375
  Block ciphers, 293
  Public key systems, 275, 281

Databases, see Registration in databases
Designs, 57
Diffie-Hellman Algorithm, see Key
Discrete exponentiation, 159, 251, 257

Election protocols, see Voting protocols
El-Gamal scheme, see Signature
Entropy, 375
Equivocation, 375
Error correction, see Codes
Error detection, see Codes
Euler totient function, 267

Factorization
  Quadratic sieve, 235
Feistel structure, see Block ciphers
Fiat-Shamir scheme, see Identification

Geometric schemes, 57, 389
Goldwasser-Micali-Rivest scheme, see Signature

Hamming distance, 361
Hash functions, 123, 129
Hardware, 87, 123, 183, 257
  Implementation of basic operations, 245, 251
  see also Discrete exponentiation and Modular arithmetic
Homophonic coding, 105

Identification, 35, 77, 123, 183
  Fiat-Shamir scheme, 77, 87, 123, 183
Imprints, see Shadows
Incidence structures, 57, 389
Information theory, 375
Integrity, 97

Key
  Conference key distribution, 11
  Diffie-Hellman, 3, 159
  Key agreement, 3, 159
  Key distribution, 3, 11, 159
  Multiple key, 455
  Substantial number of keys, 361
Knapsack, 97

Linear complexity, 191
  Linear complexity profiles, 191
  see also Massey-Berlekamp Algorithm
Linear recurring m-array, 351
Luby-Rackoff generator, see Pseudorandom sequences
Lucas numbers, 211

Massey-Berlekamp Algorithm, 345
McEliece scheme, see Public key cryptosystems
Modular arithmetic
  Multiplication and reduction, 87, 245

Normal basis, see Basis

Payment untraceability, 107, 177
Primality tests, 211
Prime
  see Factorization
  see Primality tests
Prisoner problem, see Subliminal channel
Privacy protected payment, 107
Probabilistic encryption, 415
Pseudoprimes, see Primality tests
Pseudorandom sequences
  Cascade generators, 331
  Clock control, 331
  Correlation attack, see Attacks
  Luby and Rackoff generator, 225
  Non-linear functions, 301, 317
  Shift register sequences, 301, 325, 331
  Windmill generators, 325
Public key cryptosystems, 419
  Diffie-Hellman scheme, see Key
  El-Gamal scheme, see Signature
  McEliece scheme, 275
  Okamoto scheme, 281
  Rivest-Shamir-Adleman scheme, 107, 257, 455

Random numbers, see Pseudorandom sequences
Registration in databases
  anonymous and verifiable, 167
RSA, see Public key cryptosystems
Running key generators, see Pseudorandom sequences

Semantic knowledge, 375
Semientropy, see Entropy
Semiequivocation, see Equivocation
Shadows and Imprints, 123, 129
Shift register synthesis, 345
Signature, 23, 35, 51, 57, 87, 129, 281, 415
  El-Gamal scheme, 77, 159
  Goldwasser-Micali-Rivest scheme, 23, 35
  see also Hash functions
Statistical tests, 225
Stream ciphers, 301, 331
  see also Attacks
Subliminal free protocols, 23, 35

Table look-up, 245
Threshold schemes, 389

Voting protocols, 177, 455

Williams integers, 23, 35
Witness, 167

Zero knowledge proof, 23, 35, 57, 77, 87, 123, 183