Sunteți pe pagina 1din 832

[Next]

A Cryptographic Compendium
This site contains a brief outline of the various types of cipher systems
that have been used historically, and tries to relate them to each other
while avoiding a lot of mathematics.

Its chapters are:

1. Introduction
2. Paper and Pencil Systems
3. Electrical and Mechanical Cipher Machines
4. Telecipher Machines
5. The Computer Era
6. Public-Key Cryptography
7. Miscellaneous Topics

You can also go directly to a complete table of contents.

Thus, although this page is about cryptography, it does not fall into
certain categories of worthwhile and helpful pages about cryptography
that are more common; it is neither:

● a page introducing beginners to methods of solving different kinds


of paper and pencil ciphers,
● a page explaining how you can obtain a copy of PGP, ScramDisk, or
Private Idaho to start protecting your own communications, or
● a page devoted to the history of cipher machines, with photographs
of various ones.

There are links to some of the pages in these categories in the Links
section of this site.

Occasionally, some methods of cryptanalysis are briefly touched upon


here, but the details are very limited, compared to the excellent material
available elsewhere.
This site has a great deal in common with sites of the third category, but
alas, it doesn't include any photographs. What it does have are schematic
diagrams (in my own, somewhat nonstandard symbolism, designed to be
easy to recognize at small sizes) and descriptions of the operation of many
historical cipher machines. The story of the Enigma's decryption, derived
from a multitude of secondary sources, is, I hope, explained with both
completeness and clarity here.

It covers forms of cryptography ranging from the simple paper-and-pencil


methods to the modern computer cipher systems, and attempts to point
out the common features that link them.

One word of warning, however: I have indulged my own ego rather


shamelessly here, and have described a series of block ciphers of my own
design (under the name of "Quadibloc"; the first one was inspired by DES
and Blowfish, although in a way it was the opposite of Blowfish, and the
others are the result of appropriating various ideas found in the AES
candidate ciphers), some paper-and-pencil fancies of mine, and a rather
elaborate fractionation scheme for converting the binary output of
modern encryption methods to letters for transmission by Morse, or base-
78 armor (more efficient than base-64, if less efficient than base-85), or
encryption by classical letter-based methods.

In only one section do I discuss, and very briefly, codes, in which words or
phrases rather than letters, bits, or digits are the unit of encipherment.
However, the word code is used legitimately in mathematics to refer to
substitutions which are non-linguistic (and hence, in cryptology, would be
called ciphers) from Morse code to Hamming code (used for error-
correction) and Huffman code (used for data compression). I have,
therefore, been unable to be rigorous about the use of the word "code" in
these pages.

Return to Home Page

Copyright (c) 1998, 1999, 2000, John J. G. Savard

[Next]
[Next] [Up/Previous/Index]

Introduction
This page is about codes and ciphers, which people use to communicate
with each other in ways that other parties cannot (it is hoped) understand.
Although secrecy in communication can precede literacy, for example by
the use of obscure allusions, a spoken language that is different from the
one commonly spoken, a jargon or cant of terms with special or secondary
meanings, or a conventionalized way of speaking such as Pig Latin, the
efflorescence of many and sophisticated methods of secret
communications waited for the development of alphabetic writing, which
allows any thought to be represented by a small number of easily
manipulated characters.

Even then, it took a conceptual breakthrough to realize that letters can be


represented by other symbols; particularly in introductory books on the
subject for children, this is often illustrated by various examples that are
used today, such as Morse code, signal flags, Baudot, ASCII, or, as
illustrated below, Braille and semaphore:
And, for another even more prosaic illustration, here is the color code
used on resistors (as well as on the old mica capacitors) and the color
code, if one can call it that, of pool balls:
One early and entertaining historical survey of the use of codes and
ciphers was the book Secret and Urgent, by Fletcher Pratt, also the author
of several novels. This book came out in the same year as Elementary
Cryptanalysis, by Helen Fouché Gaines, which will be mentioned below.
The title of this book is a particularly apt description of why methods of
scrambling messages to keep them secret are used.

Obviously, if a message contains nothing that is confidential, there is no


need to bother putting it into code or cipher.

But equally, if a message is not urgent, then even if it is secret, it can be


communicated at some time when there is an opportunity to meet
privately.

Only when both conditions exist: when the contents of a message must be
kept secret, and yet the message is so urgent that the risk must be taken of
sending it by a means that may allow others to read it, would people take
the time and effort to put a message into cipher, and take the risk involved
in relying on cipher to maintain its secrecy.
Of course, today computers carry out the steps involved in enormously
complicated cipher schemes at the push of a button, so neither the effort
nor the risk looms as large as it did during most of the history of the
subject.

This site contains a brief outline of the various types of cipher systems
that have been used historically, and tries to relate them to each other
while avoiding a lot of mathematics.

Suggestions for Reading


The following books can be recommended for someone beginning to learn
about the subject of secret writing:

The Codebreakers, David Kahn, Macmillan (1st ed.) Simon and Schuster
(2nd ed.). This book is a fascinating history of cryptography, dealing with
the role it has played in many historical events. There are also some
nuggets of technical information not seen in other books aimed at the
general public, and there is historical information about subjects related
to secret codes, such as cable codes (which do not involve secrecy, and
were for saving money on sending telegrams).

Elementary Cryptanalysis, Helen Fouché Gaines, Dover. Published under


the title Cryptanalysis to avoid confusion with a book by Abraham Sinkov
(also a good book), this book deals with pencil and paper ciphers, and is
particularly aimed at people who solve such ciphers as a hobby. It
describes a wide variety of ciphers and a multitude of solving methods.

And I will also mention two other books here:

Machine Cryptography and Modern Cryptanalysis, Cipher A. Deavours


and Louis Kruh; Artech House. This book is a gold mine of information
and was the source for much of what you will see in this web site about
cipher machines of the rotor era. It is now out of print. Unfortunately, it
was marred by a number of typographical errors. I had thought that
regrettable, but felt that this was a common occurrence in books with a
limited anticipated sale. An otherwise positive review in Cryptologia
magazine (also a significant source, particularly for my account of the
Siemens T-52) did include the comment that one might expect better than
that, and as a result my faulty memory led me to categorize the review as
"scathing", for which I apologize to its author (himself a significant source
of information for my section on the Enigma's Uhr box), Frode Weierud.
A number of the illustrations from this book were reprinted (with full
permission, of course) in the more recent book Decrypted Secrets from
Springer-Verlag.

Applied Cryptography, Bruce Schneier; John Wiley and Sons. This book
is aimed at the computer professional who needs to implement secure
systems involving cryptography. As it describes a wide selection of
algorithms and protocols, it will be of interest to anyone concerned with
cryptography in the computer era. This book is one of the most widely
available books covering the subject matter, and it is frequently cited as a
source and as an authority on the USENET newsgroup sci.crypt. The 2nd
edition is considerably expanded, with fascinating detail on a much larger
number of cipher systems.

[Next] [Up/Previous/Index]

Return to Home Page


Main Screen

Copyright (c) 1998, 1999, 2000 John J. G. Savard


[Next] [Up/Index] [Previous]

Pencil and Paper Systems


The most obvious way, perhaps, of taking text and concealing it from the prying
eyes of those who don't know your secret is by replacing each letter by something
else, like this:

ABCDE FGH IJKL MNO PQRST UVW XYZ


----- --- ---- --- ----- --- ---
$7+Q@ ?)/ 2X3: !8J 9%6*& 15= (;4

which turns
Please send me some money
into

9:@$*@ *@8Q !@ *J!@ !J8@;

This is called substitution, and ciphers based on this principle date back to
ancient times.

For example, the diagram to the right


illustrates several cipher alphabets used by the
ancient Hebrews. Three of them are based on
arrangements of the alphabet according to a
definite pattern, and these patterns can be
illustrated in terms of the 26-letter alphabet
used by the English language by showing what
the equivalent substitutions are in that alphabet:

Atbash:
A B C D E F G H I J K L M
-------------------------
Z Y X W V U T S R Q P O N

Albam:
A B C D E F G H I J K L M
-------------------------
N O P Q R S T U V W X Y Z

Atbah:
A B C D J K L M E S T U V
------- ------- - -------
I H G F R Q P O N Z Y X W
Note that all three of these are reciprocal, in
that if one letter becomes another letter, then
that other letter becomes the original letter in
turn.

The illustration also contains other information. The numerical value of each
letter is given below the name of the letter, and the original Hebrew form of the
name of the letter is also shown to the right. Also, Cryptic Script B, an alphabet
used in the writing of part of the Dead Sea Scrolls is shown (albeit imperfectly;
the symbol for Shin is only known to be used for one of the two values of that
letter, as indicated by dots, and an additional special-purpose character is not
shown.)

The other method of concealing a message is called transposition, which was also
used in ancient times, at least by the Spartans with the scytale, a baton around
which a leather belt could be wound, so that a message could be written on the
belt, crossing from one loop to the next, so that it could only be read while the
belt was so wound.

In transposition, instead of replacing letters with something else, the letters of a


message are moved around, so that they aren't written down in order.

● Cryptanalyzing the Simple Substitution Cipher


● Methods of Transposition
● Improving Substitution
❍ Homophones and Nomenclators

❍ Polygraphic Ciphers and Fractionation

■ Playfair and its Relatives

■ The Bifid, the Trifid, and the Straddling Checkerboard

■ Fractionated Morse, and Other Oddities

■ The VIC Cipher

■ Two Trigraphic Ciphers, and a Heptagraphic One

❍ Polyalphabetic Substitution

● Code Books
● Fun With Playing Cards
● Conclusions
[Next] [Up/Index] [Previous]

Skip to Next Section


Table of Contents
Main Screen
Home Page
[Next] [Previous] [Up/Index]

Electrical and Mechanical Cipher


Machines
Using machinery to automate encryption permitted ciphers to be much more
complicated than those which can reasonably be applied by hand without too
many mistakes. And this was true even though machines had to be reliable and
inexpensive, and this meant they could only carry out fairly simple operations.
(Today, of course, the microchip has changed everything immensely!)

There are several types of cipher machine that we will examine in this section;
and a few more that belong to another section, since they hint at the computer age
to follow.

● Early Machine Ciphers


❍ The Bazeries Cylinder

❍ The Kryha Cryptograph

❍ The Hill Cipher

❍ The RED Machine

❍ The Reihenscheiber

❍ The A-22 Cryptograph

● The Hagelin lug and pin machines


❍ Cryptanalysis of the Basic Lug and Pin Machine

● Rotor Machines - and their PURPLE cousins


❍ Rotor Machine Basics

❍ The Interval Method

❍ The Method of Isomorphs

❍ PURPLE, CORAL, and JADE

● The Enigma: a unique rotor machine


❍ Basic Principles of the Enigma

❍ The Uhr Box

❍ The Enigma A and Enigma B

❍ Relatives of the Enigma

❍ Cryptanalysis of the Enigma

■ Cliques on the Rods


■ Indicators and Jefferys Sheets
■ The Bombe and the Diagonal Board

● An American Achievement: the ultimate rotor machine


● Miscellaneous Machine Ciphers
❍ The Hagelin B-211

❍ Sweden's HC-9

❍ LACIDA

● Conclusions for Chapter II


❍ Fantastic Rotor Machines

❍ Child's Play

❍ Irregular Rotor Movement

[Next] [Previous] [Up/Index]

Skip to Next Chapter


Table of Contents
Main Screen
Home Page
[Next] [Up/Index] [Previous]

Telecipher Devices
This section looks at cipher machines that worked with teletypewriters.

Just as today's computers represent printed characters as 8-bit bytes using the ASCII code,
teletypewriters used a similar code for communications purposes. However, they used only
five bits per character, which conserved bandwidth, although it meant that shifting between
letters and other characters such as numbers and punctuation marks required sending
characters that indicated a shift was taking place.

Thus, we have a family of cipher machines that, before the computer age, was already
working in binary code.

Two early American attempts at a telecipher machine were not used in practice, since they
were found to be insecure. One was designed by Gilbert S. Vernam for A. T. & T., the two-
tape machine, where two punched tape loops of unequal size each provided a current
character to be XORed with the plaintext character. The other was devised by Col. Parker
Hitt, who was one of America's foremost cryptologists of the World War I era, for ITT, and
involved ten cams with 96, 97, 98, 99, 100, 101, 102, 103, 104, and 105 positions, two of
which supplied the bits to be XORed with one bit of the current plaintext character.

The XOR or exclusive-or logical operation is the simplest possible way to apply a key to a
plaintext to conceal it. This operation is also modulo-2 addition, with the very small table:

| 0 1
---+-------
0 | 0 1
1 | 1 0

If we view 0 as standing for "False", and 1 as standing for "True", then A exclusive-or B is
true if either A is true exclusively (that is, A is true and B is false), or if B is true exclusively
(B is true and A is false).

However, the machine devised by Vernam was modified to a form which was secure, and
many countries have used similar devices. Instead of increasing the number of punched tape
loops used to XOR with the plaintext, the number of key inputs was reduced from two to just
one: and that one took a key tape consisting of completely random bits, used only once.

This, the one-time tape, is again the perfect case of polyalphabeticity, which was previously
noted as the one-time pad under pencil-and-paper methods.

If anyone is unfamiliar with the alphabet used for 5-level teletypewriters, which is called the
Baudot code (although, more accurately, it is in fact derived, with slight modifications, from
the Murray code, a later 5-unit printing telegraph code, just as the code for transmitting chess
moves by telegraph is called the Uedemann code, for the first person to invent such a code,
even though the code actually used is a later one, properly known as Gringmuth notation;
also, the International Morse Code, though it has several characters in common with the code
of dots and dashes originally devised by Samuel Findley Breese Morse, is actually a revision
of his code devised by one Frederick Gerke from Austria, as I have recently learned thanks to
Terry Ritter) a table of it is given here.

(In the interests of making complete information handy, the table included is one with some
additional information from one of my USENET posts.)

International Telegraph Alphabet No. 5 is the international version of ASCII;

International Telegraph Alphabet No. 1 was a version of Emile Baudot's original 5-unit code,
the one that included a 'letters space' and a 'figures space'. (I've seen a web site that
incorrectly claims that International Morse, formerly Continental Morse, was ITA 1.)

International Telegraph Alphabet No. 2 is what is most commonly called Baudot; it is the 5-
level code derived from the Murray code.

ITA 3 and ITA 4 are obscure, but they are both derived from ITA 2, as are a couple of other
codes.

The final code, ten bits long, is AUTOSPEC. All the codes, except for CCIR 476, are shown
in order of transmission; CCIR 476 is shown the other way around, being assumed to be sent
LSB first as is ASCII.

Characters ITA 2 ITA 4 ITA 3 CCIR 476 AUTOSPEC


(ITA 2 on left,
some national
ones follow)

Character 32 00000 100000 0000111 1101010 0000000000


Space 00100 000100 1101000 1011100 0010011011

Q 1 11101 011101 0001101 0101110 1110111101 Q 1 q !


W 2 11001 011001 0100101 0100111 1100100110 W 2 w
E 3 10000 010000 0111000 1010110 1000001111 E 3 e
R 4 01010 001010 1100100 1010101 0101001010 R 4 r $
T 5 00001 000001 1000101 1110100 0000111110 T 5 t
Y 6 10101 010101 0010101 0101011 1010101010 Y 6 y ^
U 7 11100 011100 0110010 1001110 1110000011 U 7 u &
I 8 01100 001100 1110000 1001101 0110001100 I 8 i
O 9 00011 000011 1000110 1110001 0001100011 O 9 o ~
P 0 01101 001101 1001010 0101101 0110110010 P 0 p

A - 11000 011000 0011010 1000111 1100011000 A - a _


S ' BEL 10100 010100 0101010 1001011 1010010100 S ' s "
D WRU $ 10010 010010 0011100 1010011 1001010010 D d
F % ! 10110 010110 0010011 0011011 1011001001 F % f `
G @ & 01011 001011 1100001 0110101 0101110100 G @ g }
H £ # STOP 00101 000101 1010010 1101001 0010100101 H # h {
J BEL ' 11010 011010 0100011 0010111 1101000101 J * j
K ( 11110 011110 0001011 0011110 1111011110 K ( k [
L ) 01001 001001 1100010 1100101 0100101001 L ) l ]
Z + " 10001 010001 0110001 1100011 1000110001 Z + z
X / 10111 010111 0010110 0111010 1011110111 X / x \
C : 01110 001110 1001100 0011101 0111010001 C : c ;
V = ; 01111 001111 1001001 0111100 0111101111 V = v |
B ? 10011 010011 0011001 1110010 1001101100 B ? b
N , 00110 000110 1010100 1011001 0011000110 N , n <
M . 00111 000111 1010001 0111001 0011111000 M . m >
CR 00010 000010 1000011 1111000 0001011101
LF 01000 001000 1011000 1101100 0100010111
FIGS 11011 011011 0100110 0110110 1101111011
LTRS 11111 011111 0001110 1011010 1111100000
alpha (all 0) 000000 0101001 0001111
beta (all 1) 111111 0101100 0110011
SYNC 110011
repetition 0110100 1100110

Unlike ITA 3, CCIR 476 has a pattern that relates it to ITA 2: except for the letters B and U,
whose natural codes are used for alpha and beta, those ITA 2 characters which have 4, 3, or 2
one bits set are represented by 0x0, 0x1, and 1x1 respectively, where x is the five bits of the
ITA 2 character; and 1nnnnn0 represents the characters that don't fit into this range, with
again exactly 3 of the n bits set. Note that ITA 3 is a 3 of 7 code, while CCIR 476 is a 4 of 7
code.

Perhaps this is why the newer CCIR 476 is the one US radio amateurs are permitted to use,
and do use for AMTOR, while the older ITA 3 was used for ARQ purposes originally. But
it's odd to see a new code developed to fill exactly the same purpose as an older code already
accepted as an international standard.

ITA 3 was known as, or derived from, the Moore ARQ code, also known as the RCA code. It
appears to have been the first code used for ARQ (automatic repeat request) purposes, and to
have been invented in or prior to 1946 by H. C. A. van Duuren. ITA 3 was adopted as an
international standard in 1956, according to the source which first brought him to my
attention.

AUTOSPEC repeats the five-bit character twice, but if the character is one with odd parity,
the repetition is inverted. Thus, the parity bit is transmitted with high reliability, and every
other bit of the character is effectively repeated twice. It can be thought of the result of
applying an error-correcting code with the matrix:

1 0 0 0 0 0 1 1 1 1
0 1 0 0 0 1 0 1 1 1
0 0 1 0 0 1 1 0 1 1
0 0 0 1 0 1 1 1 0 1
0 0 0 0 1 1 1 1 1 0

to 5-level characters.
The entries

F % ! and
V = ;

mean that, for F, no figures shift character is defined by ITA 2; however, the % sign is uses as
a national-use figures shift character for Britain. The U.S. figures shift character is !. For V,
however, the = sign is defined as the official figures shift character. The U.S. 5-unit
teletypewriter code, which is nonconformant to ITA 2, defines ; as the figures shift character
for V instead.

After the code bits, there are four more columns of characters, giving the characters used by
ASCII over AMTOR. The all-zeroes character is used to toggle between the ordinary
character set in the first two columns, and the auxilliary one in the second two. The ordinary
character set is that of the international version of the 5-level code, rather than the U.S.
version, but the figures shift of J, instead of being the bell, is the asterisk.

Note that there is also an official standard of very recent vintage for using lowercase with 5-
level code, which works on a different principle: a LTRS code while already in letters case is
used to toggle between upper and lower case.

This standard does not include ASCII graphics characters, but it was designed to be
compatible with the use of the all-zeroes code for supplementary alphabetic characters; these
characters could have their lower case available using their shift character in the same fashion
as LTRS is used.

This new standard works as follows: FIGS LTRS operates as a reset into upper-case mode. In
normal upper-case mode, when returning to letters case from figures case, one is returning to
upper-case letters.

When in letters case, a superfluous LTRS code switches into lower-case. This is true even
when reset into upper-case mode; but then it also clears lower-case mode, so that, whether
one is printing upper-case or lower-case, when one returns from printing figures characters to
print letters, one begins with lower-case letters.

This is a bit confusing, so I will illustrate it:

ABC [FIGS] 1234 [LTRS] DEF [LTRS] ghi [FIGS] 1234 [LTRS] jkl
[LTRS] MNOPQ [FIGS] 1234 [LTRS] rst [FIGS][LTRS] UVW
[FIGS] 1234 [LTRS] XYZ

Essentially, toggling between upper and lower case with a superfluous LTRS is always on.
FIGS LTRS resets (to upper-case, or capitals) only the default letters case that a normal
LTRS, used for exiting figures printing, returns to. And that default flips back to lower case
the first time lower case is accessed with an (otherwise) superflous LTRS.

Thus, this example proceeds as follows:


ABC [FIGS] 1234 [LTRS] DEF

One begins by having only figures and upper-case letters available.

[LTRS] ghi [FIGS] 1234 [LTRS] jkl

The superfluous LTRS now switches one into lower-case mode, as well as immediately
switching to printing lower-case letters. The FIGS shift still takes you to normal figures case,
and a LTRS shift returns you to lower-case letters.

[LTRS] MNOPQ [FIGS] 1234 [LTRS] rst

A superfluous LTRS shift changes you to printing upper-case characters, but the mode
remains lower-case mode. Thus, FIGS takes you to printing digits, and LTRS takes you to
printing in the default case for the current mode, which is lower case.

[FIGS][LTRS] UVW [FIGS] 1234 [LTRS] XYZ

A superfluous LTRS toggles between printing upper-case and lower-case, but only moves
you from upper-case mode to lower-case mode. To change mode in the reverse direction, the
combination FIGS LTRS is required. Once that combination is used, not only do you print in
upper-case, but a LTRS shift used after printing figures will return you to the new default
case, which is again upper case.

The bits are numbered from 1 to 5, in the order in which they are transmitted. They are
normally preceded by one start bit (0) and followed by one and a half stop bits - that is, a 1
level on the wire for one and a half times the time used for transmitting a data bit. In ASCII,
the bits of a character are transmitted least significant bit first; since the 5-level code bits
don't represent codes in any kind of numerical order, sometimes bit 5 and sometimes bit 1 is
taken as the most significant bit, although the tendency has been to treat bit 5 as the MSB
because of the use of the same UART chips for ASCII and 5-level code.

And here is a graphical version, showing the standard, U.S., financial, and weather character
sets:
The top two lines show the original Murray code, from which the modern 5-level code is
derived. (The original Baudot code was completely different.) It too, like the original Baudot,
used a letters space and a figures space. I'm not sure about the functions of the line feed and
carriage return characters: one of them could be a newline, and the other might have had a
different control function. Also, in my reference, the space for the figures shift of A was left
blank. My guess is that that should have been a comma.

Incidentally, the reason that this code is not so organized that when the letters are in
alphabetical order, their codes are in binary numerical order, as is the case for ASCII, is
because the codes were chosen so that the most common letters would have codes that would
cause less wear and tear on the moving parts of teleprinters. The following chart shows the
scheme by which the codes were assigned:

lsc lf
EfprT AINO UCM KV SRH DL FG TP BW QX tiYZ
1 * * * * * * * * ** ** ****
2 * ** ** ** * * * ** * * **
.........................................
3 * ** *** ** * * * * ** * *
4 * ** ** ** * * ** * * * **
5 * * * * * * * * ** ** ****

● The Lorenz Schlusselzusatz SZ-40


● The Siemens Geheimschreiber T-52
● The Swedish SA-1
● An American patent
● Converter M-228
● Conclusions

[Next] [Up/Index] [Previous]


Skip to Next Section
Table of Contents
Main Screen
[Next] [Up/Index] [Previous]

The Computer Era


The era of computers and electronics has meant an unprecedented freedom for
cipher designers to use elaborate designs which would be far too prone to error if
handled by pencil and paper, or far too expensive to implement in the form of an
electromechanical cipher machine.

There are rumors that the secret cipher machines of the 1960s and beyond
involved the use of shift registers, and, more specifically, that they used nonlinear
shift registers, since it is known that a linear feedback shift register produces a
sequence which, while it has a long period and an appearance of randomness, is
not itself a secure additive key for a cipher. Since it is very difficult to guarantee
that a shift register whose feedback is nonlinear will always have a reasonably
long period, I think I will continue to doubt these rumors until the facts finally
become declassified. (However, since the mathematical theory does exist by
which the conditions for maximum period of the quadratic congruential
generator are known, I definitely could be wrong.)

However, some published papers use the term "nonlinear shift register" to
describe a stream cipher system which has a linear feedback shift register at its
heart, but which has as its output a nonlinear function of the shift register's state.
Since it is trivially possible to produce any output sequence with the same period
as the underlying LFSR in this way, (Proof: use the outputs from all the cells in
the LFSR as inputs to the address lines of a one-bit wide ROM programmed, in a
suitable order, with the desired sequence) I have no problem accepting the
existence of nonlinear shift register designs in this sense.

Publicly known designs based on shift registers instead use linear shift registers,
but do such things as combining the output from several, controlling the stepping
of one shift register with another, as was done with the pinwheels in some of the
more secure telecipher designs of the last chapter, or using one shift register to
select between the outputs of two other shift registers.

But the main thrust of the computer era has been in the development of block
ciphers, starting with the LUCIFER project at IBM, which was the direct
ancestor of DES, the Data Encryption Standard.
● LUCIFER
● The Data Encryption Standard
❍ Details of DES

❍ Variations of DES

● And Now For Something Completely Different: SAFER


● Something Not Quite As Different: IDEA
● Formerly Secret: SKIPJACK
● Blowfish
● My Own Humble Contribution: QUADIBLOC
❍ Description of QUADIBLOC

■ Euler's Constant and the QUADIBLOC S-boxes

❍ Variants with different key sizes

❍ The QUADIBLOC FAQ

❍ Key Enrichment

❍ Quadibloc II

❍ Quadibloc III

❍ Quadibloc IV

❍ Quadibloc V

❍ Quadibloc VI

❍ Quadibloc S

❍ Quadibloc VII

❍ Quadibloc VIII

■ The Standard Rounds

■ The Mixing and Whitening Phase

■ The Key Schedule

■ The Rationale of the Design

❍ Quadibloc IX

❍ Quadibloc X

● Towards the 128-bit era: AES Candidates


❍ The Advanced Encryption Standard (Rijndael)

❍ Twofish (finalist)

❍ SERPENT (finalist)

❍ RC6 (finalist)

❍ DEAL

❍ MARS (finalist)

❍ SAFER+

❍ FROG
❍ LOKI-97
❍ CAST-256

❍ Magenta

❍ DFC

● Block Cipher Modes


● Cryptanalytic Methods for Modern Ciphers
❍ Differential and Linear Cryptanalysis

■ Extensions of Differential Cryptanalysis

■ The Boomerang Attack

❍ Cryptanalysis, Almost by Aimlessly Thrashing About

❍ Hidden Markov Methods

● Stream Ciphers
❍ Shift-Register Stream Ciphers

■ An Illustrative Example

■ Other Constructions

■ More Realistic Examples

❍ Other Stream Ciphers

■ Panama

❍ A Note on the Importance of Galois Fields

● Conclusions
❍ Modified Panama

❍ Mishmash

❍ Combining Two Unrelated Block Ciphers

❍ A Base Conversion Block Cipher and Other Concepts

❍ The Large-Key Brainstorm

❍ The Inner Structure of the Feistel Round

[Next] [Up/Index] [Previous]

Skip to Next Section


Table of Contents
Main Screen
Home Page
[Next] [Up/Index] [Previous]

Public-key Cryptography
Public-key cryptography is a very novel form of cryptography that first became
known to the public during the decade of the 1970s. Not only is it novel, its very
name seems paradoxical and confusing.

Although cryptographic techniques have other uses besides sending secret


messages, such as authentication, and this is especially true of public-key
cryptography, sending secret messages is still one of the things public-key
cryptography can be used for.

And if a message is secret, that means that the key to unlock it must be a secret,
or else anyone could decipher it. That is still just as true for public-key
cryptography as it is for the regular kind.

If that's the case, what does the word "public" in public-key cryptography mean?

Normally, with a conventional cryptographic system, if you know both the key
for sending a secret message, and the method of encryption in which that key is
used, then you also know everything you need to know to decipher secret
messages sent with that key and in that system. A few conventional encryption
systems are reciprocal, so that exactly the same key and procedure serves for
encryption and decryption; but in those that are not reciprocal, the key and
procedure for decryption are both still easily derived from those for encryption,
and in most cases, only one of the two differs.

A public-key cryptosystem is one where a key, useful for sending messages, can
be made public without revealing the still-secret key that allows those messages
to be read.

How can this be possible?

A two-part codebook is one where the code groups don't have the same order as
the plaintext words and phrases they represent. If you publish only the
enciphering half of such a codebook, keeping the deciphering part to yourself,
then it is easier to send coded messages to you than it is to read them.
Of course, that doesn't really provide genuine security. But it hints as to how
PKC can be possible.

Another example, one of the first PKC concepts expressed in the open literature,
goes as follows:

Transmit a large number of encrypted messages to a correspondent. These


messages are in a cipher that can be broken, but not without some work. The
messages look something like this:

"Key number 2126 is EXVRRQM"

"Key number 1253 is PTXYZLE"

and so on.

The keys for each key number are chosen genuinely at random.

You keep a table of what every numbered key is.

The person who wants to send you a message picks any one of your large number
of encrypted messages, and breaks it. Then, using the key found inside, he
encrypts his message to you, and the precedes it with a note saying: "I am using
key number 2126 to encrypt this message".

He only had to decrypt one of the encrypted key messages to send you a
message, but anyone who wanted to read it would have to keep decrypting all the
messages until he found the right one.

So, the principle of PKC is to find some trick that works one way without
revealing how to reverse the process. And one good place to look for tricks like
that is in higher mathematics, and each of the public-key methods we will look at
in the remainder of this section will have had a basis that came from that source.

Public-key cryptography is certainly very different from conventional


cryptography, and is of general mathematical interest. But it is also of very
considerable practical importance.

Without public-key cryptography, you could still send an encrypted E-mail to a


friend who was away on vacation, if before he left you had given him a secret
key to use. You could also encrypt your E-mails to someone you hadn't met,
provided you sent him, or he sent you, a secret key by a more secure method,
such as a letter by regular mail. (Of course, letters can be read too by a
determined adversary, but exchanging keys even in this simple fashion would
keep your communications out of reach of someone who has the opportunity to
intercept your E-mail but not the contents of your mailbox.)

With public-key cryptography, however, no resort to an alternative more secure


channel of communications for prior setup is required. Instead, encrypted
communications can be set up on an impromptu basis, entirely over an insecure
medium such as the Internet. It is not an overstatement to claim that public-key
cryptography is the factor which changed cryptography from something which
was only used by people with either a strong need for secrecy, or an interest in
cryptography itself, to something used routinely by many people for such
practical purposes as making credit-card purchases over the Internet.

If PKC did not exist, however, credit-card companies could instead have issued
secret passwords to credit-card holders. If a merchant verified a password by
comparing a one-way hash of the password and the user's account number to a
coded number on the credit card, knowing the one-way hash of the password
wouldn't enable him to create a new password to decieve other merchants. Thus,
even without public-key methods, it would be possible to avoid the requirement
that every transaction would have to be directly verified with the credit-card
company. But precautions would be needed to ensure that a hash code could not
be used in place of a password, by being inserted into a stage of the verification
process which comes after the password being converted to its hash. Including
the account number in the hash prevents making forged credit cards for someone
else's account with a different password, if the hash also involves a secret key.

The RSA public-key cryptosystem is a straightforwards example of public-key


cryptography: using the same operation, key E transforms plaintext to ciphertext,
key D transforms ciphertext to plaintext, but it isn't possible to find D only
knowing E; the two prime factors of the modulus used are required.

But there are other ways to send a message from one place to another without
prior exchange of a secret key.

The Diffie-Hellman key exchange method relies on a one-way transformation


from a private key x to a public key A^x, which has the property that two parties
can exchange public keys, and using either private key and the other public key,
it is possible to arrive at the same secret session key which no one knowing only
the two public keys can derive.

The Massey-Omura cryptosystem is based on Shamir's three-pass protocol,


where an encryption method is used such that, after it is applied twice, the two
encryptions do not need to be removed in the exact reverse of the order in which
they were applied, but can be removed in any order. This allows one party to
send an encrypted message, and the recipient can send it back encrypted again,
and then the first party can remove his own encryption, sending it back to the
recipient as if only the recipient had encrypted it. (While there are many
encryption methods that are commutative, most, if used in this way would
provide no security whatever, because relationships between the messages sent
would reveal the secret keys used.)

● Modulus Arithmetic
● The Rivest-Shamir-Adleman (RSA) method
❍ Looking for Primes

❍ Finding d from e

❍ Large Number Exponentiation

❍ Factoring

● The Diffie-Hellman method


❍ El Gamal

❍ Digital Signatures Based on Diffie-Hellman

● Other Methods
● The Uses of Public-key Cryptography
● Conclusions

[Next] [Up/Index] [Previous]

Next Chapter
Table of Contents
Main Screen
Home Page
[Next] [Up/Index] [Previous]

Miscellaneous Items
Computer programs that handle data encryption, such as the well-known program
PGP (Pretty Good Privacy) involve other functions besides encryption itself.

The information to be encrypted is usually compressed first, because this


squeezes out patterns in the plaintext that might be useful to a cryptanalyst. And,
of course, it also saves bandwidth, and compression isn't going to be possible
after encryption, because encrypted texts look random.

But there is one oversimplification in that last statement. If an encrypted text


consists of random binary bits, then if these bits are transmitted in the form of
bytes containing eight random bits each, no further compression is possible. On
the other hand, if they were transmited one bit to a byte, each byte either
containing the ASCII character "0" or the ASCII character "1", then compression
would be possible.

While that would be silly, transmitting an encrypted series of bits in the form of
printable ASCII characters only might make good sense, by making it easier to
transmit your data without problems over a network where control characters
have special meanings. Although TCP/IP was specifically designed to permit all
256 possible byte values to be transmitted transparently (the only control
character with special meaning is DLE, Data Link Escape, and two DLEs in a
row always represent a real DLE that is part of user data) binary data is usually
transmitted over the Internet in "base-64" format, where 64 printable ASCII
characters, specifically chosen not to be different in the versions of ASCII used
for different languages, and to be also present in EBCDIC, are used.

Even the case of a simple pencil and paper cipher does, in a rudimentary form,
illustrate these two additional phases of encryption.

Changing

Please send more money.

to
WGRXT RTRVU IPQRI PVRE

actually involves three transformations of the plaintext to reach the ciphertext.

First,

Please send more money.

is changed to

PLEASESENDMOREMONEY

to remove information that is harder to encipher securely, and which is not


essential to the understanding of the text. This is a form of compression, even if it
is not lossless, and functions more by discarding information than by
compressing it. Of course, we've already seen the straddling checkerboard
principle, which does use the same basic principle (prefix-property variable-
length coding) as Huffman codes, which are a serious method of compression.

Then,

PLEASESENDMOREMONEY

is changed to

WGRXTRTRVUIPQRIPVRE

which is the actual encryption procedure, described in terms of the 26 letters of


the alphabet, and nothing else.

Finally,

WGRXTRTRVUIPQRIPVRE

is changed to

WGRXT RTRVU IPQRI PVRE

for ease of reading and transmission, which illustrates the process of applying
armor to the output of an encryption process.
Finally, digital signatures need one-way hash functions. Ordinary checksums
aren't adequate, since it is possible to construct a message with a different
meaning having the same checksum as the one someone intended to sign. One-
way hash functions are similar to block ciphers in some ways, but different in
others.

Hash functions can also be used as a way of producing encryption keys from pass
phrases or from random input of imperfect quality.

● Data Compression
❍ The Representation of Speech

❍ Semi-Arithmetic Coding

❍ Character Codes

● Error-Correcting Codes
● Armor, Message Termination, and Base Conversion
❍ From 47 bits to 10 letters

❍ Armor-Related Fractionation

❍ Tying up Loose Ends

❍ From 93 bits to 28 digits

❍ Keystream Base Conversion

❍ Message Blocking

❍ Optimized Morse Armor

● Steganography
● One-way Hash Functions
❍ Description of SHA

● Hardware Security
❍ When Somebody's Looking Over Your Shoulder

● Key Management
❍ The IBM Key Management Scheme for DES

❍ Kerberos

❍ Protocols and Privacy Amplification

❍ Passwords and Protocols

❍ Military Key Management

❍ Red Thread Resistance

❍ Key Escrow

❍ Pass Phrases and Randomness

❍ The Interlock Protocol

● Quantum Mechanics and Cryptography


❍ Quantum Computing
❍ Quantum Cryptography
● Cryptanalysis
❍ The Limits of Cryptanalysis

❍ The Nature of Cryptanalysis

● Security Without Proof


● The Ideal Cipher
● Cryptography for Content Protection
● Fallacies of Cryptography and Compression
● The Politics of Cryptography
● Conclusions for Chapter VI

[Next] [Up/Index] [Previous]

Table of Contents
Main Screen
[Up]

A Cryptographic Compendium

Contents
Introduction

1. Paper and Pencil Systems


❍ Cryptanalyzing the Simple Substitution Cipher

❍ Methods of Transposition

❍ Improving Substitution

■ Homophones and Nomenclators

■ Polygraphic Ciphers and Fractionation

■ Playfair and its Relatives

■ The Bifid, the Trifid, and the Straddling

Checkerboard
■ Fractionated Morse, and Other Oddities

■ The VIC Cipher

■ Two Trigraphic Ciphers, and a Heptagraphic One

■ Polyalphabetic Substitution

❍ Code Books

❍ Fun With Playing Cards

❍ Conclusions

2. Electrical and Mechanical Cipher Machines


❍ Early Machine Ciphers

■ The Bazeries Cylinder

■ The Kryha Cryptograph

■ The Hill Cipher

■ The RED Machine

■ The Reihenschieber

■ The A-22 Cryptograph

❍ The Hagelin lug and pin machines

■ Simple Cryptanalysis of the Basic Lug and Pin Machine


❍ Rotor Machines - and their PURPLE cousins
■ Rotor Machine Basics

■ The Interval Method

■ Isomorphs

■ PURPLE, CORAL, and JADE

❍ The Enigma: a unique rotor machine

■ Basic Principles of the Enigma

■ The Uhr Box

■ The Enigma A and Enigma B

■ Relatives of the Enigma

■ Cryptanalysis of the Enigma

■ Cliques on the Rods

■ Indicators and Jefferys Sheets

■ The Bombe and the Diagonal Board

❍ An American Achievement: SIGABA, the ultimate rotor

machine
❍ Miscellaneous Machine Ciphers

■ The Hagelin B-211

■ Sweden's HC-9

■ LACIDA

❍ Conclusions for Chapter II

■ Fantastic Rotor Machines

■ Child's Play

■ Irregular Rotor Movement

3. Telecipher Machines
❍ The Lorenz Schlusselzusatz

❍ The Siemens Geheimschreiber T-52

❍ The Swedish SA-1

❍ An American patent

❍ Converter M-228

❍ Conclusions for Chapter III

4. The Computer Era


❍ LUCIFER

❍ The Data Encryption Standard

■ Details of DES

■ Variations of DES

❍ And Now For Something Completely Different: SAFER

❍ Something Not Quite As Different: IDEA


❍ Formerly Secret: SKIPJACK
❍ Blowfish
❍ My Own Humble Contribution: QUADIBLOC
■ Description of QUADIBLOC

■ Euler's Constant and the QUADIBLOC S-boxes

■ Variants with different key sizes

■ The QUADIBLOC FAQ

■ Key Augmentation

■ Quadibloc II

■ Quadibloc III

■ Quadibloc IV

■ Quadibloc V

■ Quadibloc VI

■ Quadibloc S

■ Quadibloc VII

■ Quadibloc VIII

■ The Standard Rounds

■ The Mixing and Whitening Phase

■ The Key Schedule

■ The Rationale of the Design

■ Quadibloc IX

■ Quadibloc X

❍ Towards the 128-bit era: AES Candidates


■ The Advanced Encryption Standard (Rijndael)

■ Twofish (finalist)

■ SERPENT (finalist)

■ RC6 (finalist)

■ DEAL

■ MARS (finalist)

■ SAFER+

■ FROG

■ LOKI-97

■ CAST-256

■ Magenta

■ DFC

❍ Block Cipher Modes


❍ Cryptanalytic Methods for Modern Ciphers
■ Differential and Linear Cryptanalysis
■ Extensions of Differential Cryptanalysis
■ The Boomerang Attack

■ Cryptanalysis, Almost by Aimlessly Thrashing About

■ Hidden Markov Methods

❍ Stream Ciphers

■ Shift-Register Stream Ciphers

■ An Illustrative Example

■ Other Constructions

■ More Realistic Examples

■ Other Stream Ciphers

■ Panama

■ A Note on the Importance of Galois Fields

❍ Conclusions for Chapter IV

■ Modified Panama

■ Mishmash

■ Combining Two Unrelated Block Ciphers

■ A Base-Conversion Block Cipher and Other Concepts

■ The Large-Key Brainstorm

■ The Inner Structure of the Feistel Round

5. Public-Key Cryptography
❍ Modulus Arithmetic

❍ The Rivest-Shamir-Adleman (RSA) method

■ Looking for Primes

■ Finding d from e

■ Large Number Exponentiation

■ Factoring

❍ The Diffie-Hellman method

■ El Gamal

■ Digital Signatures Based on Diffie-Hellman

❍ Other Methods

❍ The Uses of Public-key Cryptography

❍ Conclusions for Chapter V

6. Miscellaneous Topics
❍ Data Compression

■ The Representation of Speech

■ Semi-Arithmetic Coding

■ Character Codes

❍ Error-Correcting Codes
❍ Armor, Message Termination, and Base Conversion
■ From 47 bits to 10 letters

■ Armor-Related Fractionation

■ Tying up Loose Ends

■ From 93 bits to 28 digits

■ Keystream Base Conversion

■ Message Blocking

■ Optimized Morse Armor

❍ Steganography
❍ One-way Hash Functions
■ Description of SHA

❍ Hardware Security
■ When Somebody's Looking Over Your Shoulder

❍ Key Management
■ The IBM Key Management Scheme for DES

■ Kerberos

■ Protocols and Privacy Amplification

■ Passwords and Protocols

■ Military Key Management

■ Red Thread Resistance

■ Key Escrow

■ Pass Phrases and Randomness

■ The Interlock Protocol

❍ Quantum Mechanics and Cryptography


■ Quantum Computing

■ Quantum Cryptography

❍ Cryptanalysis
■ The Limits of Cryptanalysis

■ The Nature of Cryptanalysis

❍ Security Without Proof


❍ The Ideal Cipher
❍ Cryptography for Content Protection
❍ Fallacies of Cryptography and Compression
❍ The Politics of Cryptography
❍ Conclusions for Chapter VI

Return to Home Page

Copyright (c) 1998, 1999 John J. G. Savard


[Up]
[Next] [Up] [Previous] [Index]

Fractionated Morse, and Other Oddities


Fractionated Morse

Morse code uses variable-length symbols made up of dots and dashes, but unlike a straddling checkerboard, the
length of a symbol is not determined by the dots and dashes within it. Instead, spaces are also needed to mark off
the symbols from each other.

But fractionation is still possible using Morse code as a basis. Elementary Cryptanalysis, by H. F. Gaines, gives a
cipher devised by M. E. Ohaver, the author of an early series of magazine columns on cryptanalysis which was
of value to her in the writing of that book, called a "mutilation" cipher, that works like this:

Split the message in Morse code into two parts; the string of dots and dashes, and a series of numbers giving the
number of dots or dashes in the representation of each letter. Then, take the numbers, divide them into groups of
n, and reverse the order of the numbers in each group. Using the now transposed numbers as a guide, turn the
string of dots and dashes back into letters.

A table of Morse code follows (and, while I'm at it, I may as well include Japanese Morse, having the data
available from one of my old USENET posts):

E . CD he I .. DE [A] S ... D7 ra H .... C7 nu


V ...- B8 ku
U ..- B3 u F ..-. C1 ti
(1) ..-- C9 no
A .- B2 i R .-. C5 na L .-.. B6 ka
(2) .-.- DB ro
W .-- D4 ya P .--. C2 tu
J .--- A6 wo
T - D1 mu N -. C0 ta D -.. CE ho B -... CA ha
X -..- CF ma
K -.- DC wa C -.-. C6 ni
Y -.-- B9 ke
M -- D6 yo G --. D8 ri Z --.. CC hu
Q --.- C8 ne
O --- DA re (3) ---. BF sho
(4) ---- BA ko

5 ..... 5 6 -.... 6
4 ....- 4 = -...- D2 me
(5) ...-. / -..-. D3 mo
3 ...-- 3 -..-- D5 yu
(6) ..-.. C4 to (c) -.-.. B7 ki
Inter ..-.- D0 mi Start -.-.- BB sa
..--. DF [B] ( -.--. D9 ru
2 ..--- 2 -.--- B4 e
Wait .-... B5 o 7 --... 7
(9) .-..- yi (e) --..- CB hi
+ .-.-. DD n --.-. BC shi
.-.-- C3 te (f) --.-- B1 a
.--.. ye 8 ---.. 8
(a) .--.- B0 - ---.- BD su
(b) .---. BE se 9 ----. 9
1 .---- 1 0 ----- 0

These notes represent two special marks in Japanese:

[A] double stroke following kana (nigori),


[B] small circle following kana (han-nigori).

These notes represent accented letters in European languages or Turkish:

(1) u umlaut (2) a umlaut, cedilla (3) o umlaut or other accent (4) ch, s cedilla (5) s hat (6) e primary accent
(usually acute, grave in Italian) (9) e accent grave (a) a accent (b) j hat (c) c cedilla or accent (e) z accent grave
(f) n tilde

To remove ambiguities, the Japanese syllables are preceded by the hex code, in the version of 8-bit ASCII that
includes kana, of the kana symbol represented. The symbols whose phonetic values I give as yi and ye have the
appearance, respectively:

* ********
******* *
* * *
* * * *
* * *
******* *
* *******

Here is a graphic, giving all the kana used in Japanese Morse:

Since this system requires that the ciphertext letters must be able to represent all combinations of from one to
four dots or dashes, four extra symbols, used in Morse for accented letters in some languages other than English,
need to be included in the cipher alphabet.

While the original system, having only the group length as a key, may not have been all that secure, the basic
concept is clever and original. The character lengths could as easily have been transposed by means of a double
columnar transposition, and the dots and dashes could be translated to 0s and 1s, and enciphered by any
applicable method, even DES.

While I consider Ohaver's "mutilation" cipher very interesting, for the principle which it illustrates, the term
Fractionated Morse is normally used for a less elegant, but more secure, system, in which possible combinations
of three symbols from the set of dot, dash, and x, the latter standing for the space between letters, are represented
by letters. Note that combinations with two consecutive "x"s are not required, so the ciphertext uses a 22-letter
alphabet.

The letters will vary in frequency, and since two adjacent letters that would produce two consecutive "x"s do not
occur, redundancy still remains in subtle forms as well.

Mixed Fractionation for the Computer

Also, fractionation can be done in a mixed fashion.

● 25 times 27 is one less than 26 times 26, so one could encipher bigrams (except 1 that is ignored) into
objects consisting of two symbols from a five-character alphabet and three symbols from a three-character
alphabet, and then seriate the two kinds of symbols separately, also using two tables, one 125 entries long,
and one 81 entries long, for substitution on them;
● 32 equals 27 plus 5, and 128 equals 125 plus 3, so there are two different ways to encipher a binary
bitstream as a mix of symbols from a three-character and a five-character alphabet;
● 26 to the 10th power is very slightly larger than 2 to the 47th power; this is noted in a section in the last
chapter dealing with ways of preparing a binary message for transmission as text (known as "armor"), but
even this could be made use of in an elaborate fractionation scheme.

Because there are convenient ways to convert both letters and bits to a mix of symbols from a 3-element set and
from a 5-element set, as well as an efficient way to convert from bits to letters, intriguing possibilities suggest
themselves. An elaborate fractionation scheme combining the threads mentioned here together is described later.

Enciphering Digits

One interesting way to produce a mixed fractionation scheme comes from the fact that the square of any
triangular number is the same as the sum of the cubes of the consecutive numbers which, when added, produced
that triangular number!

Making use of that fact, and since 10 is a triangular number, one can construct a table like this:

0 1 2 3 4 5 6 7 8 9
0 AAA AAB AAC * -+- -++ aca acb acc acd
1 ABA ABB ABC --- +-- +-+ ada adb adc add
2 ACA ACB ACC --+ ++- +++ baa bab bac bad
3 BAA BAB BAC CAA CAB CAC bba bbb bbc bbd
4 BBA BBB BBC CBA CBB CBC bca bcb bcc bcd
5 BCA BCB BCC CCA CCB CCC bda bdb bdc bdd
6 aaa aba daa dab dac dad caa cab cac cad
7 aab abb dba dbb dbc dbd cba cbb cbc cbd
8 aac abc dca dcb dcc dcd cca ccb ccc ccd
9 aad abd dda ddb ddc ddd cda cdb cdc cdd

As 1 cubed is just 1, and 2 cubed is 8, these symbols make up only a very small part of the square table above,
and thus this part of the table is seldom used. One way to deal with that is to change the table, so that those 9
spaces are instead filled by two symbols from the ABC set of symbols.

0 1 2 3 4 5 6 7 8 9
0 AAA AAB AAC AA AB AC aca acb acc acd
1 ABA ABB ABC BA BB BC ada adb adc add
2 ACA ACB ACC CA CB CC baa bab bac bad
3 BAA BAB BAC CAA CAB CAC bba bbb bbc bbd
4 BBA BBB BBC CBA CBB CBC bca bcb bcc bcd
5 BCA BCB BCC CCA CCB CCC bda bdb bdc bdd
6 aaa aba daa dab dac dad caa cab cac cad
7 aab abb dba dbb dbc dbd cba cbb cbc cbd
8 aac abc dca dcb dcc dcd cca ccb ccc ccd
9 aad abd dda ddb ddc ddd cda cdb cdc cdd

Using the straddling checkerboard that we saw above,

9 8 2 7 0 1 6 4 3 5
-------------------
A T O N E S I R
2 B C D F G H J K L M
6 P Q U V W X Y Z . /

we can encipher a sample message in this scheme, just seriating across the whole message for simplicity (in
practice, one would want to do other things):

TH EREISAP AC K AG EW AITING F ORY OU ATTH ESTATION message


821151349699282492016093830202775667629882114898370 straddling checkerboard
d A B C c c b C d A a d d A A c b c d c d A b c b fractionation
c B C A d d a B d A a d c A A b d a a d c B c d b encoding
a B B B a d c a B a b b C C b a b a c a B c c b

For this example, I won't worry about enciphering the last digit of the message. Padding, or another
encipherment step might take care of that.

Now, I seriate the symbols from the ABC and the abcd sets independently, retaining the type of each pair of
digits, and thus the symbols are rearranged as follows, leading to enciphered digits:

d A B B c a c B d C a c d B C d b a c d d A a a a seriation
a B C B d d b A d A c b c B A b b b d a c A a b d
a C A A a c d c C d c a A B b c c c d c B b b b
621250409618791394350978824034733881986584017071170 reconversion

One could also leave all the "d" symbols in their place, and seriate only the "abc" and "ABC" symbols as though
case did not matter - but then convert either to capital or small letters so that the type of each two digit group is
kept the same. (Some care, of course, must be taken when developing a variation so that decipherment remains
possible.) That would produce the following result:

d C A A b b b C d B c d d A B c a c d b d A c c b seriation
a A A B d d a A d A b d c B A a d c a d a C c d b
b B A C a d b a A c c c A A b b b c c c C b b b
633400125659272392307894841030671787645864228797370 reconversion

and this method has its strengths, but also its weaknesses (mainly because the "d"s remain fixed).

Giant Playfair

Another technique I once described involved first using the straddling checkerboard to encipher a message as
digits, and then to use Playfair to encipher it. But instead of using the Playfair technique over a 5 by 5 square of
letters, one uses a 10 by 10 square containing digit pairs, like the following:

68 71 07 49 76 42 54 77 21 82
02 09 98 65 70 55 17 01 50 91
33 35 30 08 62 22 97 44 06 57
64 18 78 58 96 34 11 56 52 38
95 26 86 20 27 37 93 05 14 85
63 29 39 61 87 10 88 32 00 80
31 81 16 83 24 99 67 72 13 53
89 94 47 40 25 73 04 59 84 19
03 75 28 60 12 41 43 48 66 74
79 46 36 45 51 69 23 15 92 70

Thus, the four digits 2076 would encipher to 2749 with this square.

[Next] [Up] [Previous] [Index]

Next
Chapter Start
Skip to Next Section
Table of Contents
Main page
Home page
[Next] [Up] [Previous] [Index]

Armor
A number of methods are possible for converting binary bits to printable characters.

One of the simplest is to take five or six bits of binary data to select one of 32 or 64
characters. Other, more complicated schemes are possible, though.

If 85 characters can be used, then five characters are enough to represent four bytes of
random data. If 86 characters can be used, a simplified scheme can achieve the same
result, since 86 times 3 is 258, which is larger than 256. Assign not more than three of
the 256 possible values for a byte to each of the 86 allowed characters. Then, after
representing four bytes by one of those characters, one character from a set of 81 (3
times 3 times 3 times 3) can resolve which of the 256 byte values, or which of up to 3
values for the character given, is valid for each of the four bytes.

The problem of converting messages to text form for transmission over the Internet is,
of course, closely tied to the ASCII representation of characters. Here is a chart
showing the printable characters in ASCII in graphical form:

and here is an ASCII chart in text form, first just the control characters:
0 0
0 0
0 1
0000 NUL Null DLE Data Link Escape
0001 SOH Start of Header DC1 Device Control 1
0010 STX Start of Text DC2 Device Control 2
0011 ETX End of Text DC3 Device Control 3
0100 EOT End of Transmission DC4 Device Control 4
0101 ENQ Enquiry NAK Negative Acknowledge
0110 ACK Acknowledge SYN Synchronization
0111 BEL Bell ETB End of Transmission Block
1000 BS Backspace CAN Cancel
1001 HT Horizontal Tab EM End of Medium
1010 LF Line Feed SUB Substitute
1011 VT Vertical Tab ESC Escape
1100 FF Form Feed FS Field Separator
1101 CR Carriage Return GS Group Separator
1110 SO Shift Out RS Record Separator
1111 SI Shift In US Unit Separator

and now the entire 7-bit ASCII code, with only the abbreviations of the first 32 control
characters:

0 0 0 0 1 1 1 1
0 0 1 1 0 0 1 1
0 1 0 1 0 1 0 1
0000 NUL DLE 0 @ P ` p
0001 SOH DC1 ! 1 A Q a q
0010 STX DC2 " 2 B R b r
0011 ETX DC3 # 3 C S c s
0100 EOT DC4 $ 4 D T d t
0101 ENQ NAK % 5 E U e u
0110 ACK SYN & 6 F V f v
0111 BEL ETB ' 7 G W g w
1000 BS CAN ( 8 H X h x
1001 HT EM ) 9 I Y i y
1010 LF SUB * : J Z j z
1011 VT ESC + ; K [ k {
1100 FF FS , < L \ l |
1101 CR GS - = M ] m }
1110 SO RS . > N ^ n ~
1111 SI US / ? O _ o DEL Delete
The problem of transmitting data in ASCII text characters over the Internet is
complicated by the fact that some of the characters in ASCII do not have counterparts
in other data transmission codes used by some computers, such as the original version
of EBCDIC. Also, some character positions in 7-bit ASCII are used to represent
different characters in other countries. Thus, the characters in the same columns as the
letters are often used to represent accented letters; the symbol # is replaced in the
United Kingdom by the British pound sign.

In some transmissions over the Internet, a line beginning with a minus sign or hyphen
(-) runs the risk of being interpreted as a header line, indicating the MIME type of a
section of a document.

Of course, if one wishes to send a text by Morse Code, or over a 5-unit teletypewriter
link, the best way to do it would be to convert the binary data to letters from the 26-
letter alphabet, using no other characters.

I have worked out an elaborate and efficient scheme for doing this.

This scheme could also serve other purposes. Since a great many historical encryption
algorithms are aimed at the 26-letter alphabet, one could apply them to a text already
encrypted by modern methods in binary after such a conversion.

And there is an easy way to send a text composed only of uppercase letters over the
Internet efficiently, if a 78-character character set is possible. Take four letters: the first
can be encoded as three symbols from 1 to 3. Combine one such symbol with each
remaining letter to determine which character to use from a character set with 3 times
26 characters, which is 78 characters.

A section is also included here about the question of how to perform the special
processing required to end a message efficiently and securely when the length of the
original plaintext message isn't an integer number of blocks in size, whether those are
blocks used by a block cipher or blocks for the conversion process used to produce
armor for transmission. Also, since base conversion is discussed here, this spot seemed
as good as any to place a discussion of base conversion as it applies to random or
pseudorandom keystreams.

A Table of Powers, useful in finding ideas for ways to perform fractionation.

● From 47 bits to 10 letters


● Armor-Related Fractionation
● Tying up Loose Ends
● From 93 bits to 28 digits
● Keystream Base Conversion
● Message Blocking
● Optimized Morse Armor

[Next] [Up] [Previous] [Index]

Skip to Next Section


Table of Contents
Main Page
[Next] [Up/Previous] [Index]

Cryptanalyzing the Simple Substitution


Cipher
This page is not complete. It is placed here now to reserve
space, to allow other changes to this section to take place.

Here is a short message, enciphered only by replacing each of its letters by a different letter on a
consistent basis:

MGSVR WWJXS VPTRY SSOEF YYTMQ SVSYM MTPTR XYMGS RVRFJ


NFVGX TYFWF EIFUS AXJJQ SJSNM QPMGS TJOTF IMLSS TYSJO
SLQSL LPLTF OYSHM MRSVO FP

How would one go about trying to read it?

The first step that would occur to many people would be to make use of the fact that some letters
are more common than others in English. E is the most common letter, and letters like J, Q, X,
and Z are quite rare.

And so, we count the letters in our message. This produces the following table of frequencies:

A E F G H I J L M N O P Q R S T U V W X Y
1 2 9 4 1 2 7 5 10 2 5 5 4 6 18 9 1 6 3 4 8

In comparison, a frequency count I had my computer perform on a sample of literary text


produced these frequencies:

A 443747 8.03 H 331686 6.00 O 420966 7.62 V 54921 0.99


B 88298 1.60 I 382552 6.92 P 102205 1.85 W 114048 2.06
C 152187 2.75 J 7112 0.13 Q 5841 0.11 X 12081 0.22
D 225040 4.07 K 33872 0.61 R 330126 5.97 Y 95514 1.73
E 711756 12.88 L 220858 4.00 S 351389 6.36 Z 3519 0.06
F 139985 2.53 M 141726 2.56 T 514613 9.31
G 103279 1.87 N 383526 6.94 U 156536 2.83

Arranged in order of frequency, for clarity, they become:

E 12.88 H 6.00 F 2.53 K 0.61


T 9.31 R 5.97 W 2.06 X 0.22
A 8.03 D 4.07 G 1.87 J 0.13
O 7.62 L 4.00 P 1.85 Q 0.11
N 6.94 U 2.83 Y 1.73 Z 0.06
I 6.92 C 2.75 B 1.60
S 6.36 M 2.56 V 0.99

Comparing these frequencies to those of the message:

18: S 7: J 3: W
10: M 6: R V 2: E I N
9: F T 5: L O P 1: A H U
8: Y 4: G Q X

it might be tempting to start by aligning like frequencies wherever possible:

Cipher: S M Y J W
---------
Plain: e t n i f

to begin deciphering the message like this:

MGSVR WWJXS VPTRY SSOEF YYTMQ SVSYM MTPTR XYMGS RVRFJ


t e ffi e n ee nn t e ent t nt e i

NFVGX TYFWF EIFUS AXJJQ SJSNM QPMGS TJOTF IMLSS TYSJO


n f e ii eie t t e i t ee nei

SLQSL LPLTF OYSHM MRSVO FP


e e ne t t

Here, it looks like we've been luckier than we have a right to expect. With frequencies of 6.94
and 6.92 for N and I respectively, it isn't hard to imagine that I might be more common than N,
instead of N being more common than I, in the text of a particular message.

The combination t-e occurs three times from MGS, and once each from MQS and MLS, so it
seems reasonable to think that G stands for h. e-ent might be event, and -ffi-e might be office,
although it is actually hard to take seriously that W necessarily stands for f.

To make a good start on breaking a simple substitution, however, single-letter frequencies are
not enough. They might work for picking out the letters E and T in most cases, but more
information is available that can serve as a better guide.

We've seen that N and I have frequencies of 6.94 and 6.92 respectively. This is a very small
difference. But one is a consonant, and the other is a vowel. So we might expect them to behave
differently. And they do.

[Next] [Up/Previous] [Index]

Next
Skip to Next Chapter
Table of Contents
Main page
[Next] [Up] [Previous] [Index]

Methods of Transposition
After looking at ciphers which can replace the letters of one's message by completely
different letters, a cipher that can't change any letters at all seems weak.

And, if your message might mention, or might not mention, someone with, say, a Q or
an X in his name, then a transposition cipher will indeed give that away, although one
could solve that by adding some garbage to the end of your message before encrypting
it. But transposition ciphers can be secure in themselves, and as well, transposition
methods are useful to know, since they can be mixed with substitution methods for a
more secure cipher.

The best known method of transposition, simple columnar transposition, works like
this:

Using a key word or phrase, such as CONVENIENCE, assign a number to each letter
in the word using this rule: the numbers are assigned starting with 1, and they are
assigned first by alphabetical order, and second, where the same letter appears twice,
by position in the word.

Then, write in the message under the keyword, writing across - but take out columns, in
numerical order, reading down. Thus:

C O N V E N I E N C E
1 10 7 11 3 8 6 4 9 2 5
---------------------------------
H E R E I S A S E C R
E T M E S S A G E E N
C I P H E R E D B Y T
R A N S P O S I T I O
N

produces

HECRN CEYI ISEP SGDI RNTO AAES RMPN


SSRO EEBT ETIA EEHS

Of course, it wouldn't be left with the spaces showing the columns that were used.

Decoding is harder - to read a message scrambled this way, you first have to count the
letters to determine, in this case, that there are 45 letters, and so the first column will
have five letters in it, and the other ones four, so that you know when to stop when
filling the letters in vertically to read them out horizontally.

Since the text being transposed is split into nearly regular divisions of almost equal
length, even double columnar transposition can be broken without recourse to multiple
anagramming: the use of several messages of the same length, enciphered in the same
key, to recover the transposition by matching together columns of letters that form
reasonable letter pairs.

Another method of transposition, which appeared in a book by General Luigi Sacco, is


a variant of columnar transposition that produces a different cipher:

C O N V E N I E N C E
1 10 7 11 3 8 6 4 9 2 5
---------------------------------
H
E R E I S A S E C R
E T M E S
S A G E E N C I
P H E R E D B Y T R A
N S P O S I T
I O N

produces

HEESPNI RR SSEES EIY A SCBT


EMGEPN ANDI CT RTAHSO IEERO

Here, the first row is filled in only up to the column with the key number 1; the second
row is filled in only up to the column with the key number 2; and so on. Of course, one
still stops when one runs out of plaintext, so the eighth row stops short of the key
number 8 in this example. This method has the advantage of dividing the text being
transposed in a more irregular fashion than ordinary columnar transposition.

Various methods of modifying ordinary columnar transposition slightly to make it


irregular have been used from time to time.

For example, during World War I, the French army used a transposition in which
diagonal lines of letters were read off before the rest of the diagram. Also, several
countries have used columnar transpositions in which several positions in the grid were
blanked out and not used.

The method of transposition used on the digits produced by a straddling checkerboard


in the VIC cipher can be illustrated here with the alphabet; first, knowing the number
of letters to be encrypted, the area to be filled is laid out, and then the triangular areas
on the right to be filled with plaintext last are marked out:

2 4 3 1 5
-----------
a b c d e
f g h i U
j k l V W
m n X Y Z
o p q r s
t

here, the alphabet becomes DIVYR AFJMOT CHLXQ BGKNP EUWZS.

Another interesting form of transposition is the "turning grille", used by Germany


during the First World War.

A square grille, divided into a grid of squares, one-quarter of which are punched with
holes, is placed over a sheet of paper. The message is written on the paper through the
holes, and then the grille is rotated by 90 degrees, and then the message continues to be
written, as the grille is turned through all four possible positions.

The trick to designing such a grille is to divide the grille into quarters, numbering the
squares in each quarter so that as the grille is rotated, corresponding squares have the
same number. Then, choose one square with each number for punching.

In World War I, the Germans used turning grilles with an odd number of holes on each
side as well as with an even number; to do this, they marked the square in the centre,
which was always punched, with a black border to indicate it was only to be used in
one of the grille's positions.

Example of a turning grille and its use:

Grid numbering:

1 2 3 4 5 16 11 6 1
6 7 8 9 10 17 12 7 2
11 12 13 14 15 18 13 8 3
16 17 18 19 20 19 14 9 4
5 10 15 20 X 20 15 10 5
4 9 14 19 20 19 18 17 16
3 8 13 18 15 14 13 12 11
2 7 12 17 10 9 8 7 6
1 6 11 16 5 4 3 2 1

Layout:

O - - O - O - - - 1 4 16
- - O - - - - - O 8 2
- O - - - - O - - 12 13
- - O - O - - O - 18 20 9
- - - - X - O - O X 15 5
- - - O - - - O - 19 17
O - - - - O - - - 3 14
- O - - O - - - O 7 10 6
- - O - - - - - - 11

Filling-in:

first position
T H I O - - O - O - - -
S I - - O - - - - - O
S A - O - - - - O - -
M E S - - O - O - - O -
S A G - - - - O - O - O
E T - - - O - - - O -
H A O - - - - O - - -
T I A - O - - O - - - O
M - - O - - - - - -
(this is a message that I am)

second position
t E h N i C - O - - O - - O -
s R Y i - - - O - O - - -
s P T a - - O - O - - - -
I m e N s O - - - - - O - -
G s a W g - - - O . - - O -
I e T t O - - - - O - - -
h H A a T - O - O - - - - O
t U i R a - - O - - - - O -
N m I O - - - - - O - -
(encrypting with a turni)

third position
t e h n i N c - - - - - - O - -
G s r G y R i O - - - O - - O -
s p I t a L - - - O - - - - O
i L m e E n s - O - - - O - - -
T O g s a w g O - O - . - - - -
i P e R t O t - O - - O - O - -
h h V a a I t - - O - - - - O -
D t u i E r a O - - - - - O - -
n m T H i I - - - O - O - - O
(ng grille to provide thi)
fourth position
t e S h n i n c I - - O - - - - - O
g L s r g y L r i - O - - - - O - -
U s p i t S a T l O - - - - O - O -
i l m R e e n s A - - - O - - - - O
t T o g s I a w g - O - - . O - - -
i p V e r t o t E - - O - - - - - O
h h v a E a X i t - - - - O - O - -
d t i A i M e r a - - - O - O - - -
n P m t L h i E i - O - - O - - O -
(s illustrative example)

to produce the encrypted result:

TESHN INCIG LSRGY LRIUS PITSA TLILM


REENS AITOG SIAWG IPVER TOTEH HVAEA
XITDT IAIME RANPM TLHIE I
There are two important uses of transposition which are connected with substitution
ciphers.

Transposition can be used to generate a scrambled order of the letters in the alphabet
for use as a substitution alphabet.

Transposition forms part of a fractionation cipher, where letters are divided into parts,
then the parts are put back together in a different order, belonging to different letters.

[Next] [Up] [Previous] [Index]

Next
Table of Contents
Main Page
Home Page
[Next] [Up] [Previous] [Index]

Improving Substitution
A cipher based on the use of a secret alphabet is not very secure; such ciphers are
presented as puzzles in crossword puzzle magazines. To achieve security it is
required to do something better.

Today, even to people not acquainted with cryptography, a number of


possibilities suggest themselves. Originally, though, the new ideas came one at a
time, separated by hundreds or thousands of years.

The basic ways to improve on simple substitution are the following:

● Instead of using just 26 substitutes, make the problem harder by using a


bigger substitution. This is divided into several cases:
❍ Use several substitutes for each letter (homophonic substitution)

❍ Replace every two letters, or every three letters, by something else

that stands for that combination of two letters or three letters


(polygraphic substitution)
❍ Replace common combinations of letters, or words, or phrases, by

their own substitutes (nomenclators and codes)


● Instead of using the same set of substitutes all the time, change from one
secret alphabet to another as you encipher a message (polyalphabetic
substitution).

Another way of improving on simple substitution is less obvious. Today, text is


often converted from the letters, punctuation marks, digits, and other symbols
you find on a typewriter to the binary bits of ASCII. Before that, other
representations of text were used to substitute for the printed word, such as
Morse code. The ancient Greeks used the Polybius square for signalling, by
means of which each letter was represented by two groups of from one to five
signal fires.

If a letter can be broken up into smaller pieces for purposes of signalling, those
smaller pieces can also be used in a cipher. For example, one can take the letters
of a message apart into smaller pieces, transpose the smaller pieces, and then put
the pieces back together again into letters.
This is called fractionation, and is closely related to polygraphic substitution for
two reasons; one is that both deal with different sized units - parts of letters and
letters, or letters and pairs of letters - and the other is that fractionation is
sometimes used as a method of polygraphic substitution.

● Homophones and Nomenclators


● Polygraphic Ciphers and Fractionation
❍ Playfair and its Relatives

❍ The Bifid, the Trifid, and the Straddling Checkerboard

❍ Fractionated Morse, and Other Oddities

❍ The VIC Cipher

❍ Two Trigraphic Ciphers, and a Heptagraphic One

● Polyalphabetic Substitution

[Next] [Up] [Previous] [Index]

Next
Skip to Next Section
Chapter Start
Table of Contents
Main Page
Home Page
[Next] [Up/Previous] [Index]

Homophones and Nomenclators


One of the earliest methods used to create ciphers stronger than simple substitution was to create
cipher tables which had more than one substitute for each letter, and which had additional
substitutes for names that would be commonly used. Because of the significance given to proper
names, these systems were called nomenclators.

Some of the early nomenclators were fairly unsophisticated; the substitutes for the letter B might
be the letter M or the digit 4, written in several distinctive styles - and then the substitutes for C
might be the letter N or the digit 5, again written in distinctive styles. Thus, a cryptanalyst
willing to try a simple guess would only need to solve a Caesar cipher - a simple substitution
where the alphabet is merely displaced instead of being thoroughly scrambled - instead of facing
the full problem of finding substitutes for the full set of symbols individually.

One ingenious modern method of producing a homophonic cipher, called the Grandpré cipher,
involves choosing ten ten-letter words, which can be ordered so that their first letters form an
eleventh ten-letter word, and which collectively include all 26 letters of the alphabet.

For example:

0 1 2 3 4 5 6 7 8 9
0 S T R A T I F I E D
1 U N D E R S T O O D
2 B A R K E N T I N E
3 M A J O R I T I E S
4 A S T R O L O G E R
5 R E E X A M I N E D
6 I N V E S T M E N T
7 N E G A T I V E L Y
8 E F F E R V E S C E
9 S Q U E E Z I N G S

The advantage it has, over a more routine type of homophonic table, for example:

0,3,8 4,7 9 1 5 2 6
1,2,7,8 E T A O I N S
0,4,5 H R D L U B C
3,9 M F G J K P Q
6 V W X Y Z

is that the multiple substitutes for each letter are not closely related.

The book The American Black Chamber, by Herbert Osborn Yardley, illustrated a cipher wheel
used by the Mexican Army which could be set up to produce a homophonic cipher with a key
that could be easily changed.

Changed from a wheel to a slide, it would look like this:


A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
15 16 17 18 19 20 21 22 23 24 25 26 01 02 03 04 05 06 07 08 09 10 11 12 13 14
43 44 45 46 47 48 49 50 51 52 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42
61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 53 54 55 56 57 58 59 60
92 93 94 95 96 97 98 99 00 79 80 81 82 83 84 85 86 87 88 89 90 91

having four movable disks, one containing the two-digit pairs from 01 to 26, the second the
pairs from 27 to 52, the third the pairs from 53 to 78, the fourth the pairs from 79 to 99,
followed by 00 and four blank, unused spaces. The key consisted of the four two-digit pairs
aligned under the letter A, and the possible substitutes for any letter were the four (or possibly
three) two-digit pairs aligned under it. Obviously, the system would have been more secure had
the alphabet and the sequence of digit pairs been mixed.

The most important weakness of a homophonic system is that the person using it can become
lazy, and use the same substitute for a letter over and over, or use the substitutes in rotation,
rather than using them randomly.

Also, as many homophonic systems are devised by amateurs, they can have defects of one kind
or another. Helen Fouché Gaines in Elementary Cryptanalysis notes that Givierge, author of the
Cours de Cryptographie, described a homophonic system of the following kind:

E J G F D
O K M H S
P R W
---------
IT |a b c d e
AL |f g h i j
BQ |k l m n o
CN |p q r s t

u v x y z
---------
V X Y Z U

This is a type of straddling checkerboard, and we will meet a more elegant form of it later in the
section on fractionation. The word straddling refers to the fact that while most letters have a
two-letter group as their substitute, consisting of the letters indicating their row and column
(which may, incidentally, be taken in either order, as the alphabet has been split in half for this
purpose), five less-frequent letters represent each other. Thus, the presence of occasional one-
letter symbols is intended to complicate the problem for the cryptanalyst, making it difficult for
him to find out where the letter pairs that make up most of the message begin and end.

Although this cipher has many nice features, it does have a number of defects. Since the letters
that have only one letter as their substitute are, essentially, in a separate table, why use only a 25-
letter alphabet? Of course, in French, the letter W is so little used as almost not to be part of the
alphabet. But there are other defects.

● Although a group can begin with a letter from either half of the alphabet, the second letter
always has to be from the other half.
● Also, the second letter of a two-letter group can't be one of the five letters that represent
themselves, although since the first letter already indicates that there is a two-letter group,
that would not cause confusion.
Hence, this cipher omits a large number of two-letter substitutes which it could be making use
of. An improved design could be the following:

E J G F D b|M
O K U H S f|T
V W g|N
--------- p|R
IZ |r q l m x| DFOQTX v|P
AL |e u w h n| CJLNPWY y|Q
BY |c i k z a| AEGKUV
CX |o j t s d| BHIMRSZ
---------
E A C F G
I B H J L
P D O K M
Q T R N V
S U Z X W
Y

Here, six mid-frequency letters have single-letter substitutes, but these substitutes are drawn
from other letters in the alphabet.

The rest of the alphabet is divided into two halves, but once a letter is chosen to indicate either a
row or a column, the other co-ordinate of the plaintext letter is chosen from a set made from the
entire alphabet. Hence, if a letter on the left begins a two-letter group, it is ended with a letter
below; if a letter on the top begins a two-letter group, it is ended with a letter on the right.

Thus, the plaintext letter R can become ED, EO, OO, IQ, ZQ, or II.

As noted previously, the basic concepts of cryptography were slow to emerge. David Kahn's
book The Codebreakers illustrates the earliest known example of a cipher with homophones,
from the year 1401. It looked like this:

a b c d e f g h i k l m n o p q r s t u x y z
---------------------------------------------
Z y x D t s r q p o n l m k j h g f e d c b a
2 4 8 F
3 H 9 T
+ J L ~

where the capital letters stand for various special symbols (Z indicates a reverse script lowercase
z, F indicates an ff ligature, and J indicates the astrological symbol for Jupiter, for example).

To modern eyes, what is particularly striking about this cipher is that, even though the step of
improving on simple substitution by using multiple equivalents was taken, the basic cipher
alphabet itself is not thoroughly mixed, but instead varies only slightly from a simple reversed
alphabet.

Incidentally, the British publisher Hodder and Stoughton has an extensive series of books on
various subjects in a series called "Teach Yourself Books": particularly noteworthy in this series
are the instructional books for foreign languages, which the case of some languages are the only
readily available introductory book in print in English. (These are the books that used to have
yellow covers, but which changed to light blue covers some years back.) The book Codes and
Ciphers by Frank Higenbottam in this series, while a general introduction to the subject, is
distinguished by its uniquely extensive coverage of the topic of breaking messages enciphered
using nomenclators.

[Next] [Up/Previous] [Index]

Next
Chapter Start
Skip to Next Section
Table of Contents
Home page
[Next] [Up] [Previous] [Index]

Polygraphic Ciphers and Fractionation


Instead of arbitrarily choosing a list of common words or syllables to give cipher
equivalents for, one might be able to achieve the same increased security another way,
by enciphering several letters at once using some simple system that handles all
possible combinations of two letters, or three letters.

Of course, one could just use a random list of all 676 possible combinations of two
letters, and this would give the maximum possible security for a system that handles
two letters at a time.

Or, one could even follow the lead of Giovanni Battista della Porta, and use a table
giving different symbols for every pair of letters:

This is a redrafting of the table of 400 symbols for the digraphs of a 20-character
alphabet given by Porta in his De Furtivis Literatum Notis. In the original, there are a
few typographical errors, leading to some duplicate symbols:

ZI is a duplicate of ZO, VM is a duplicate of LL, NG is a duplicate of NB. The


replacements for the first two were obvious, that for NG is somewhat arbitrary.

Naturally, since Porta was expressing the idea of a digraphic cipher in print for the first
time, he did so in a way that seems unsophisticated by modern standards.

The columns in Porta's diagram all contain characters related in shape. This makes it
easier to look up a symbol, but also gives away information. One way to retain the
advantage of easily finding a symbol, but without giving away information to the
cryptanalyst, is illustrated in the diagram above: have similar symbols arranged along
the diagonals of the diagram, and use mixed alphabets along the edges. While a
digraphic symbol cipher is something that isn't too practical, similar techniques have
been used for small code charts to make them practical and secure.

Systematic methods of enciphering several letters at once, without simply using a very
large table, will be outlined in what follows. Fractionation lends itself to many
complicated and bizarre developments, a few of which will be illustrated there.

Hopefully, all the examples that will be contained in the following pages will prove a
starting point from which you can let your imagination run wild.

Fractionation, although a powerful technique, has seldom been used in paper-and-


pencil ciphers, because it is too complicated and prone to error. Two schemes that
actually were used, the ADFGX or ADFGVX cipher used by Germany in the First
World War, and the VIC cipher used by Reino Hayhanen while engaged in espionage
in the United States, involved substituting multiple symbols for each letter, and
transposing the letters or digits so obtained, but did not attempt to then reconstitute the
symbols back into letters.

Representing letters by five symbols from a set of two, or three symbols from a set of
three, has tended to be used mostly for steganography, as proposed by Bacon and
Trithemius. (That is, in the former case, if one does not count the use of the 5-level
code for teletypewriters.)

The Hagelin B-21 and its relatives also involved fractionation, combined with
polyalphabeticity but without transposition.

● Playfair and its Relatives


● The Bifid, the Trifid, and the Straddling Checkerboard
● Fractionated Morse, and Other Oddities
● The VIC Cipher
● Two Trigraphic Ciphers, and a Heptagraphic One

A Table of Powers, useful in finding ideas or opportunities to perform fractionation.

[Next] [Up] [Previous] [Index]

Next
Chapter Start
Skip to Next Section
Table of Contents
Main page
Home page
[Next] [Up/Previous] [Index]

Playfair and its Relatives


Since 26 by 26 tables are awkward and bulky, and certainly impossible to memorize,
various systematic methods were developed to encipher more than one letter at a time.

Playfair

The most famous polygraphic system is, of course, the Playfair cipher, which works as
follows: given a 5 by 5 square, containing a jumbled alphabet, such as:

T X V H R
L K M U P
N Z O J E
C G W Y A
F B S D I

doing without one letter by some rule: i.e. if Q is omitted, as here, use KW to stand for
QU; or treat I and J, or U and V, as one letter.

Then, a pair of letters is converted to a ciphertext pair using one of three possible rules,
whichever one applies:

if the two letters are neither in the same row or the same column, replace each letter by
the one that is in its own row, but in the column of the other plaintext letter. Examples:
TI becomes RF, TW becomes VC, KA becomes PG, UB becomes KD, WX becomes
GV

T------>R T-->V H R
| K M U | | K | U P
| Z O J | | Z | J E
| G W Y | C<--W Y A
F<------I F B S D I
if the two letters are both in the same column, replace each one by the one below it,
wrapping around if necessary. Examples: VW becomes MS, TN becomes LC, TL
becomes LN, TF becomes LT, KB becomes ZX

T X V H R
L K M U P
N Z | J E
C G W Y A
F B S D I

it the two letters are both in the same row, replace each one by the one to the right of it,
wrapping around if necessary. Examples: TH becomes XR, KP becomes ML, NZ
becomes ZO.

T X---H R
L K M U P
N Z O J E
C G W Y A
F B S D I

Double letters aren't allowed within a single digraph, and must be split up by inserting
a letter used as a null (for example, an X) between them.

If the Playfair cipher is used on a computer, perhaps in combination with other ciphers,
it might be more convenient to make a rule for double letters, such as using the letter
that is both below and to the right of the plaintext letter, and also doubling it. Then, EE
would become CC.

The Four-Square and Two-Square Ciphers

Playfair has inspired some related bigraphic ciphers that, on the one hand, improve
security by involving multiple, unrelated alphabets, but on the other hand, are simpler
in that they use fewer rules than Playfair.

In the Four-Square cipher, two squares are used to find the two plaintext letters, and
two others are used to find the two ciphertext letters:

D W X Y M | E P T O L D W X Y M | E P T O L
R J E K I | C V I Y Z R J E K I | C V I Y Z
U V H P S | R M A G B U V H---------->M A G B
A L B Z N | F W J H S A L | Z N | F | J H S
G C O F T | U N D X K G C | F T | U | D X K
-----------|----------- ----|------|----|------
J T B U E | V I M A G J T | U E | V | M A G
Z H N D X | S W P O H Z H N<----------W P O H
L A F R G | U T Z K E L A F R G | U T Z K E
P M I Y C | N R D X Y P M I Y C | N R D X Y
V S K W O | B J L C F V S K W O | B J L C F
and the only rule for finding the substitute for a digraph is similar to the first rule given
for Playfair: the first letter is replaced by the letter in its row, and the second letter's
column, and so on. Thus, as the diagram above illustrates, HW becomes MN.

With only two squares, the first plaintext letter and the second ciphertext letter are
found in the square on the left, and if both plaintext letters are in the same row, each
one is replaced by the other letter. (Other rules are possible, as long as the result is a
pair of letters, the first from the square on the right, the second from the square on the
left, in the same row. For example, each letter could be replaced by the letter to the
right of, or below, the other letter in the other letter's own square.)

During World War II, several digraphic ciphers were used by the German armed
forces. All had the common feature that text was broken up by seriation before being
enciphered: that is, the message MORE TROOPS NEEDED HERE would be broken
up like this:

MORET NEEDE
ROOPS DHERE

and the digraphs to be enciphered would be MR OO RO EP TS ND EH EE DR EE.

While the seriation step is an essential part of some fractionation ciphers we will see
below, using it with a digraphic cipher has been questioned, since it allows the
cryptanalyst to pretend he is dealing with simple substitution with 26 homophones for
each letter, and therefore may make solution easier instead of harder.

According to the book Codebreakers, a collection of reminiscences by those who


worked at Bletchley Park during the war, the German army used a cipher in which the
digraphs were then enciphered using the two-square cipher. The German Navy used a
reciprocal table of digraphs, again after a seriation step, in what was called the
Dockyard cipher.

Jim Gillogly has noted that declassified NSA documents refer to another cipher of this
type, in which the digraphs were enciphered twice by means of the two-square cipher.
Since each letter enciphered the first time was then found in the square on the other
side for the second encipherment, the relation between plain and cipher digraphs was
much more complicated than in regular Playfair.

[Next] [Up/Previous] [Index]

Next
Chapter Start
Skip to Next Section
Table of Contents
Main page
Home page
[Next] [Up] [Previous] [Index]

The Bifid, the Trifid, and the Straddling


Checkerboard
The Bifid and Trifid ciphers

The first of the three rules for Playfair encipherment changes one two-letter group, or digraph, to
another by exchanging column co-ordinates. This suggests using row and column co-ordinates in a
more general fashion. Let's take the 5 by 5 square above, but number the rows and the columns, like
this:

1 2 3 4 5
---------
1) T X V H R
2) L K M U P
3) N Z O J E
4) C G W Y A
5) F B S D I

Then, another method of encipherment would be as follows: Divide a message into groups of letters of
a fixed length, say five letters, and write the row and then the column co-ordinate of each letter
beneath it, like this:

THISI SMYSE CRETM ESSAG E


11555 52453 41312 35544 3
14535 33435 15513 53352 5

and then, going across within each group, read the numbers in order, and turn them, in pairs, into
letters: that is, read 11555 14535 52453 33435... and turn them into the letters corresponding to 11, 55,
51, 45, 35, 52, and so on.

1155514535 5245333435 4131215513 3554453352 35


T I F A E B A O J E C N L I V E D A O B E

This is the Bifid cipher of Delastelle, and the general principle of this form of cipher is called
seriation. This is one of the most secure pencil-and-paper ciphers that is still used by hobbyists as a
puzzle. It isn't hard to make this kind of cipher just a little bit more complicated, and thereby obtain
one that is genuinely secure. It belongs to the class of cipher methods known as fractionation, where
letters are divided into smaller pieces, or "fractions". Just as two symbols from 1 to 5 give 25 letters,
three symbols from 1 to 3 give 27 letters; and five binary bits provide a 32-character alphabet.

The Trifid, also due to Delastelle, is the analogous cipher using a 27-letter alphabet represented by
three symbols from 1 to 3:

W 111 M 121 Z 131 N 211 O 221 L 231 C 311 T 321 U 331


A 112 & 122 Y 132 E 212 V 222 P 232 X 312 J 322 G 332
K 113 B 123 H 133 Q 213 R 223 S 233 I 313 F 323 D 333
to encipher a message by seriation like this:

THISISM YSECRET MESSAGE


3132321 1223223 1222132
2313132 3311212 2133131
1333331 2321321 1233222

which again is read off horizontally after being written in vertically, yielding a cipher message like
this:

313 232 123 131 321 333 331


I P B Z T D U

122 322 333 112 122 321 321


& J D A & T T

122 213 221 331 311 233 222


& Q O U C S V

Representing the letters as combinations of two groups of from one to five signal fires was originally
proposed by Polybius in his Histories, as being a general method of communications, unlike ones he
noted as being previously used that depended on a small list of pre-arranged messages. It looked like
this:

with the letters of the Greek alphabet placed on five numbered tablets, and each letter being numbered
on each tablet.

Other forms of dividing a character into smaller pieces, such as ASCII or Baudot, or Morse Code (to
be seen below) were also developed to allow communications over various types of channel, as were
the signal flags used by ships, to use an example of a different type.

The Straddling Checkerboard

Some ciphers actually used by Soviet spies used a square like this:

9 8 2 7 0 1 6 4 3 5
-------------------
A T O N E S I R
2 B C D F G H J K L M
6 P Q U V W X Y Z . /
Eight of the most common letters are translated to a single digit. The two digits not used in this way
begin two-digit combinations that stand for the remaining letters. This is an example of a variable
length code with the prefix property. When it is possible to tell, from the digits one has already seen of
a symbol, whether or not one needs to include the next digit in the symbol, then spaces between the
digits of a symbol are not needed, and this is what is known as the prefix property.

At one time, telephone numbers in North America had this property, because the middle digit of an
area code was always 0 or 1, and the first three digits of a regular telephone number, also known as
the exchange, never had 0 or 1 as the middle digit. Therefore, it was possible to dial 1 plus the seven-
digit number to make a long-distance call within one's own area code, since the first three digits could
not possibly be an area code. However, the increased need for more telephone numbers made it
necessary to abandon this rule, in January 1995 and therefore when dialing a long-distance call within
one's own area code, it is now still necessary to dial the area code. This method of dealing with the
increased demand for telephone numbers had the advantage that the number of digits in a telephone
number did not have to be increased, and this avoided problems with computer data-processing
systems that allocated the fixed minimum amount of space for a telephone number, as well as limiting
the amount of alteration needed for older telephone equipment.

In Britain, on the other hand, it was necessary to lengthen every telephone number by one digit, and
this was done by inserting the digit 1 in every number in the second position on a day called "phONE
day", April 16, 1995, although permissive dialing remained in effect until April 22, 2000. A number
of other countries also modified their systems of telephone numbers during roughly the same period;
Australia began in 1996, and Finland changed over its phone system on October 12, 1996.

Since in Morse code, a dot is the letter E, and a dash is the letter T, but other Morse code symbols also
begin with a dot or a dash, Morse code is a variable-length code that does not have the prefix property,
and so spaces are required between letters in Morse code.

Of course, the second digit of a two-digit combination could also have stood, by itself, for another
letter; but because when you start from the beginning and move forwards, there is no chance of
confusion, this is a workable and usable system.

Thus, the message SENDMONEY would become 4 1 0 22 25 7 0 1 66, or, rather, 41022 25701 66
because spaces to show where the letters begin are not needed; the first digit representing a letter
determines if its substitute is one or two digits long.

More complicated codes that work this way, using only the two binary digits 0 and 1, are used as a
form of data compression. The most famous variable-length prefix-property binary codes are the
Huffman codes; but this term only applies to such a code when symbols were assigned in it by a
specific algorithm, which has been proven to be optimal, within the limitations of only considering
single-symbol frequencies, and only using this kind of code: arithmetic coding, which doesn't work in
whole bits, can be more efficient. Before Huffman's proof, codes of that nature assigned in a different
fashion, which are known as Shannon-Fano codes, were the best known.

In one case, the VIC cipher used by Reino Hayhanen (the message in that cipher on microfilm, inside
a hollow nickel, was the background to the page introducing this section) the digits produced by a
straddling checkerboard were then subjected to a form of columnar transposition which was varied by
selecting triangular areas to be filled with plaintext last.

In other cases, after the message was converted to digits, encipherment similar to the Vigenère to be
described in the next section was performed. Since Vigenère is a form of addition, doing addition on
digits is easier for most people, without special equipment, than doing it on letters.

[Next] [Up] [Previous] [Index]

Next
Chapter Start
Skip to Next Section
Table of Contents
Main page
Home page
[Next] [Up] [Previous] [Index]

The VIC Cipher


The VIC cipher is an intricate cipher issued by the Soviet Union to at least one of its
spies. It is of interest because it seems highly secure, despite being a pencil-and-paper
cipher. It was the cipher in which a message was written which was found on a piece of
microfilm inside a hollowed-out nickel by a newspaper boy in 1953. The workings of
this cipher were explained by Hayhaynen to FBI agents shortly after his defection to the
United States in 1957.

David Kahn described that cipher briefly in an article in Scientific American, and in full
detail in a talk at the 1960 annual convention of the American Cryptogram Association
which was later reprinted in his book Kahn on Codes.

The VIC cipher, which I will demonstrate here adapted to the sending of English-
language messages, begins with an involved procedure to produce ten pseudorandom
digits. The agent must have memorized six digits (which were in the form of a date), and
the first 20 letters of a key phrase (which was the beginning of a popular song) and must
think of five random digits for use as a message indicator.

Let the date be July 4, 1776, to give the digits 741776. (Actually, the Russians used their
customary form of dates, with the month second.) And let the random indicator group be
77651.

The first step is to perform digit by digit subtraction (without carries) of the first five
digits of the date from the indicator group:

77651
(-) 74177
---------
03584

The second step is to take the 20-letter keyphrase, and turn it into 20 digits by dividing it
into two halves, and within each half, assigning 1 to the letter earliest in the alphabet,
and so on, treating 0 as the last number, and assigning digits in order to identical letters.
Thus, if our keyphrase is "I dream of Jeannie with t", that step proceeds:

I D R E A M O F J E A N N I E W I T H T
6 2 0 3 1 8 9 5 7 4 1 6 7 4 2 0 5 8 3 9

The result of the first step is then expanded to ten digits through a process called chain
addition. This is a decimal analog of the way a linear-feedback shift register works:
starting with a group of a certain number of digits (in this case five, and later we will do
the same thing with a group of ten digits), add the first two digits in the group together,
take only the last digit of the result and append it to the end of the group, then ignore the
first digit, and repeat the process.

The 10 digit result is then added, digit by digit, ignoring carries, to the first 10 digits
produced from the keyphrase to produce a ten-digit result, as follows:

6 2 0 3 1 8 9 5 7 4
(+) 0 3 5 8 4 3 8 3 2 7
-----------------------
6 5 5 1 5 1 7 8 9 1

And these 10 digits are then encoded by encoding 1 as the first of the 10 digits produced
from the second half of the keyphrase, 2 as the second, up to 0 as the tenth.

using code: 1 2 3 4 5 6 7 8 9 0
1 6 7 4 2 0 5 8 3 9

6 5 5 1 5 1 7 8 9 1
becomes 0 2 2 1 2 1 5 8 3 1

This ten digit number is used by chain addition to generate 50 pseudorandom digits for
use in encipherment:

0 2 2 1 2 1 5 8 3 1
---------------------
2 4 3 3 3 6 3 1 4 3
6 7 6 6 9 9 4 5 7 9
3 3 2 5 8 3 9 2 6 2
6 5 7 3 1 2 1 8 8 8
1 2 0 4 3 3 9 6 6 9

The last row of these digits (which will still be used again) is used like the letters in a
keyword for transposition to produce a permutation of the digits 1 through 9 (with 0 last
again):

1 2 0 4 3 3 9 6 6 9
---------------------
1 2 0 5 3 4 8 6 7 9

and those digits are used as the top row of numbers for a straddling checkerboard:
1 2 0 5 3 4 8 6 7 9
-------------------
A T O N E S I R
-------------------
0 B C D F G H J K L M
8 P Q U V W X Y Z . /

One detail omitted is that the checkerboard actually used had the letters in the bottom
part written in vertical columns with some columns left until the end. That doesn't work
as well in an English example, as there are only two left-over spaces after the alphabet.

With the straddling checkerboard in place, we can begin enciphering a message.

Let our message be:

We are pleased to hear of your success in establishing your false identity. You will be
sent some money to cover expenses within a month.

Converting this to numbers, we proceed:

W EAREP L EASED TOH EAROF Y OU RSU C C ESSINESTAB L ISH ING


834194810741640025044195058858096800202466734621010776047303

Y OU RF AL SEID ENTITY Y OU W IL L B ESENTSOM EM ONEY TOC O


88580905107647004327288885808370707014643265094095348825025

V EREX P ENSESW ITH INAM ONTH


854948481436468372047310953204

For the sake of our example, we will give our agent a small personal number of 8. This
number is used to work out the widths of the two transposition tableaux used to
transpose the numbers obtained above. The last two unequal digits, which in this case are
the last two digits (6 and 9) of the last row of the 50 numbers generated above, are added
to the personal number with the result that the two transpositions will involve 8+6, or 14,
and 8+9, or 17, columns respectively.

The keys for those two transpositions are taken by reading out the 50 numbers by
columns, using the 10 digits used to generate them as a transposition key. Again, 0 is
last, so given the table above:

0 2 2 1 2 1 5 8 3 1
---------------------
2 4 3 3 3 6 3 1 4 3
6 7 6 6 9 9 4 5 7 9
3 3 2 5 8 3 9 2 6 2
6 5 7 3 1 2 1 8 8 8
1 2 0 4 3 3 9 6 6 9

we read out the digits in order:

36534 69323 39289 47352 36270 39813 4

stopping when we have the 31 digits we need.

Our first transposition uses the first 14 digits as the key of a conventional simple
columnar transposition:

36534693233928
--------------
83419481074164
00250441950588
58096800202466
73462101077604
73038858090510
76470043272888
85808370707014
64326509409534
88250258549484
81436468372047
3109532049

Since our message consisted of ten rows of 14 digits, plus one extra row of 9 digits, it is
149 digits long. At this initial stage, one null digit is appended to the message, making it
150 digits long, so that it will fill a whole number of 5-digit groups.

Thus, with the null digit added, it gives us the intermediate form of the message:

09200274534 6860181384 80577786883 15963702539 11018309880


75079700479 4027027992 90628086065 42040483240 30833654811
44818035243 4864084447 84005470562 1546580540

The fact that our message is 150 digits long was important to note, since the next step in
the encipherment, although it is also a columnar transposition, includes an extra
complexity to make the transposition irregular, and so it is necessary to lay out in
advance the space that will be used in that transposition.

The remaining 17 digits of the 31 we read out above, 9 47352 36270 39813 4, are the
key for this second transposition. The numbers, in addition to indicating the order in
which the columns are to be read out, indicate where triangular areas start which will be
filled in last.

The first triangular area starts at the top of the column which will be read out first, and
extends to the end of the first row. It continues in the next row, starting one column later,
and so on until it includes only the digit in the last column. Then, after one space, the
second triangular area starts, this time in the column which will be read out second.

Since we know that our message is 150 digits long, we know that it will fill 8 rows of 17
digits, with 14 digits in the final row. This lets us fill in the transposition block, first
avoiding the triangular areas:

94735236270398134
-----------------
09200274534686
018138480577786
8831596370253911
01830988075079700
47940
270279
9290628
08606542
040483240

and then with them filled in as well:

94735236270398134
-----------------
09200274534686308
01813848057778633
88315963702539116
01830988075079700
47940548114481803
27027952434864084
92906284478400547
08606542056215465
04048324080540

from which the fully encrypted message can be read out:

36178054 289959253 507014400 011342004 746845842 675048425


03100846 918177284 83603475 035007668 483882424 283890960
350713758 689914050 008042900 873786014 472544860
The last digit, 6, in the date shows that the indicator group is to be inserted in the final
message as the sixth group from the end, so the message in the form in which it will be
transmitted becomes:

36178 05428 99592 53507 01440 00113 42004 74684 58426 75048
42503 10084 69181 77284 83603 47503 50076 68483 88242 42838
90960 35071 37586 89914 05000 77651 80429 00873 78601 44725
44860

[Next] [Up] [Previous] [Index]

Next
Chapter Start
Skip to Next Section
Table of Contents
Main page
Home page
[Next] [Up] [Previous] [Index]

Two Trigraphic Ciphers, and a Heptagraphic One


Playfair for Three

Based on the Playfair cipher, I once thought of a way to make a cipher that worked on groups of three
letters.

Using a square, as with Playfair:

T X V H R
L K M U P
N Z O J E
C G W Y A
F B S D I

encipher with the following rules:

● If all three letters are the same, replace them by three repetitions of the letter diagonally below
and to the right of that letter. Thus: MMM becomes JJJ in the square above. Below, and to the
right, are always interpreted cyclically, so DDD becomes RRR, and PPP becomes NNN, and
even III becomes TTT.
● If two of the letters are the same, encipher the two letters as if they were part of a digraph to be
enciphered with Playfair.
❍ If the two letters are in the same row, replace each one with the letter to its right. Thus:

PKK becomes LMM, NON becomes ZJZ.


❍ If the two letters are in the same column, replace each one with the letter below it. Thus:

HUH becomes UJU, ZZB becomes GGX.


❍ If the two letters are neither in the same row nor the same column, replace each letter

with the letter that is in its own row, but in the column of the other letter. Thus: BOO
becomes SZZ, MIM becomes PSP.
● When all three letters are different, follow these rules:
❍ If all three letters are in the same row, replace each one with the letter to its right. Thus,

CYG becomes GAW, ZEN becomes ONZ.


❍ If all three letters are in the same column, replace each one with the letter below it.

Thus, MOW becomes OWS, KGB becomes ZBX.


❍ If two letters are in the same row, and one of those two is in the same column as the

third letter, replace the letter that is in the same row as one other letter and the same
column as the other other letter with the letter that is in the same column as the letter
with which it shares a row, and in the same row as the letter with which it shares a
column. Replace the two other letters by each other. Thus, YUK becomes KGY, WVY
becomes HYV, POE becomes OPM, GAP becomes PKG.
❍ If two letters are in the same column, but the third letter is neither in that column nor in

the same row as either of those two letters, replace each letter by the letter which is in
its own row, but in the other column used by the three letters. Thus, TCO becomes
VWN, TAN becomes RCE, HUG becomes XKY.
❍ If two letters are in the same row, but the third letter is neither in that row nor in the

same column as either of those two letters, replace each letter by the letter which is in
its own column, but in the other one of the two rows used by the letters. Thus, NED
becomes FIJ, GAS becomes BIW, LOP becomes NME.
❍ If no two letters share either a row or column, each letter is replaced by the letter in its
own row, but in the column of the next letter of the trigram, the first letter being the
'next letter' for the last one. Thus, TOY becomes VJC, LOB becomes MZF, GET
becomes ANX.

Note that since a trigram with repeated letters always enciphers to a trigram with repeated letters, one
could use a separate square for each of the three possibilities, or even just use an arbitrary substitution
alphabet for the case of three identical letters.

Trigraphic from Fractionation

If one uses a substitution where each letter of a 27-letter alphabet is replaced by three digits from 1 to
3, then the obvious method of constructing a trigraphic cipher from this is to write the equivalents of
the three letters in by columns and take them out by rows; thus, with the alphabet

W 111 M 121 Z 131 N 211 O 221 L 231 C 311 T 321 U 331


A 112 & 122 Y 132 E 212 V 222 P 232 X 312 J 322 G 332
K 113 B 123 H 133 Q 213 R 223 S 233 I 313 F 323 D 333

we encipher like this:

T H E
3 1 2 X
2 3 1 L
1 3 2 Y

For 26 Letters

But how can we adapt these two ciphers to a 26-letter alphabet?

Let's imagine that we want to have a method that doesn't require, as the original Playfair did, inserting
a letter like X into the plaintext when a double letter occurs; we want something that can be applied
mechanically to any arbitrary input text. This would make it suitable for use as a step in encryption
performed by a computer.

For the cipher derived from Playfair, the structure of the rules provides a clue. When the extra letter
turns up, ignore it for encryption, but place it in the ciphertext without alteration, and treat two
remaining letters, if they are different, as in regular Playfair, and a single remaining letter (or two
identical remaining letters) as if they were three identical letters.

How, though, can we possibly make the cipher which requires a 27-letter alphabet work with only 26
letters?

First, choose a substitution table such that the unused letter, &, is represented by the code 333.

U 111 F 121 P 131 Q 211 D 221 W 231 B 311 R 321 G 331


X 112 J 122 I 132 C 212 A 222 K 232 Y 312 T 322 V 332
H 113 M 123 O 133 S 213 Z 223 L 233 E 313 N 323 & 333
Now then, any combination that does not contain an ampersand, but which produces a combination
that does contain one, will have produced a combination that, when enciphered again, doesn't contain
an ampersand.

L O G S & G
2 1 3 S 2 3 3 L
3 3 3 & 1 3 3 O
3 3 1 G 3 3 1 G

That appears to be a trivial consequence of the fact that this cipher is reciprocal.

Since an ampersand is represented by the code 333, however, that means that whether or not a square
produces an ampersand depends only on the positions of the 3s in that square; the other two digits, 1
and 2, are irrelevant. Thus, we can do better than leaving trigrams which encipher to combinations
including an ampersand unenciphered.

Between the two encipherments, we can apply a substitution to the letters of the first result, as long as
that substitution leaves the 3s unchanged. Since this substitution operates perpendicular to the
plaintext and the ciphertext, the cipher still mixes the letters of the trigram together in this case.

Such a substitution might look like this:

111 212 113 123 131 232 311 321 133 233
112 122 123 223 132 231 312 311 233 133
121 211 213 113 231 131 321 322 313 313
122 221 223 213 232 132 322 312 323 323
211 121 331 332
212 222 332 331
221 111
222 112 333 333

With such a substitution, our encipherment would become:

L O G H & V
2 1 3 S 213 -> 113 (H) 1 3 3 O
3 3 3 & 333 -> 333 (&) 1 3 3 O
3 3 1 G 331 -> 332 (V) 3 3 2 V

Heptagraphic encryption

Having now obtained two trigraphic ciphers which both operate on trigrams of the 26-alphabet, but
which operate on different principles, one is immediately tempted to combine them to create a cipher
which will be much stronger than either one alone.

One way to do this is simply to apply both in sequence. However, inspired by recently encountering
the polymorphic block ciphers of Kostadin Bajalcaliev, I have thought of a more elaborate way of
doing this.

Let us encipher a block of seven letters at a time. Three letters are enciphered trigraphically by one of
the two systems given above, and the next three are enciphered using the other system. The seventh
letter is used to indicate which system is used.

Then, the letters are rearranged according to the permutation

from 1 2 3 4 5 6 7
to 4 7 1 2 3 5 6

and the process is repeated.

Since it seems wasteful to leave a letter unenciphered just to use it as the source of one bit of
information, that letter could also be used to choose between twelve possibilities: there could be three
different sets of tables for one of the block ciphers, and four different sets of tables for the other. For
the one based on Playfair, it is not even necessary that the omitted letter be the same for each set of
tables.

Nonagraphic Encryption

Of course, with two different trigraphic ciphers, performing some sort of transposition between
applying them is another way to produce a very strong cipher.

Just as the trigraphic cipher based on a 27-character alphabet places digits in a square by columns, and
takes them out by rows, one could encrypt nine letters at a time by placing them in a square array, and
encrypting first the columns by one cipher, and then the rows by the other. One could even do that
twice, inspired by Square, the predecessor of Rijndael, the new Advanced Encryption Standard.

[Next] [Up] [Previous] [Index]

Next
Chapter Start
Skip to Next Section
Table of Contents
Main page
Home page
[Next] [Up] [Previous] [Index]

Polyalphabetic Substitution
The idea of using substitution ciphers that change during the course of a message was a very important step forwards in
cryptography. David Kahn's book, The Codebreakers, gives a full account of the origins of this idea during the Italian
Renaissance.

The earliest form of polyalphabetic cipher was developed by Leon Battista Alberti by 1467. His system involved writing the
ciphertext in small letters, and using capital letters as symbols, called indicators, to indicate when the substitution changes,
now and then through a message. The plaintext alphabet on his cipher disk was in order, and included the digits 1 through 4
for forming codewords from a small vocabulary.

Subsequently, more modern forms were devised, which change the substitution for each letter:

● A progressive-key system, where keys are used one after the other in normal order. This was first published
posthumously, in a book by Johannes Trithemius that appeared in 1518. The key ABCD...Z was used with regular
alphabets in the form depicted therein.
● A keyword indicating the alphabets to use in turn. Although this system is what is called the Vigenère, it originated
with Giovan Batista Belaso in 1553. In 1563, Giovanni Battista Porta added the use of mixed alphabets to this system.
● The autokey system, where a key starts the choice of alphabet, but the message itself determines the alphabets to use
for later parts of the message. Although an unusable form of this was first proposed by Girolamo Cardano, it was
Blaise de Vigenère who proposed the modern form of the autokey cipher in 1585.

The following compact table provides 26 alphabets, each labelled with a letter of the alphabet:

B C D E F ZABCDEFGHIJKLMNOPQRSTUVWXY
G H I J K UVWXYZABCDEFGHIJKLMNOPQRST
L M N O P PQRSTUVWXYZABCDEFGHIJKLMNO
Q R S T U KLMNOPQRSTUVWXYZABCDEFGHIJ
V W X Y Z FGHIJKLMNOPQRSTUVWXYZABCDE

B G L Q V ABCDEFGHIJKLMNOPQRSTUVWXYZ
C H M R W BCDEFGHIJKLMNOPQRSTUVWXYZA
D I N S X CDEFGHIJKLMNOPQRSTUVWXYZAB
E J O T Y DEFGHIJKLMNOPQRSTUVWXYZABC
F K P U Z EFGHIJKLMNOPQRSTUVWXYZABCD

The A alphabet isn't shown, since in that alphabet, every letter stands for itself, and so, if nothing is done, nothing need be
looked up in the table. For any other alphabet, use the letter indicating the alphabet to find a row among the top five, and a
row among the bottom five; using those two rows, the upper row stands for plaintext, the lower for cipher.

Thus, for alphabet Q, the top row begins KLMNO... and the bottom row begins ABCDE..., and so K becomes A, Q becomes
G, and A becomes Q in that alphabet.

If you think of A as standing for zero, B for 1, up to Z for 25, this particular set of alphabets is nothing more than the modulo
26 addition of the plaintext and the key to obtain the ciphertext. Circular disks or sliding scales can be used to carry out the
addition. This, perhaps, can be more easily seen if we exhibit the Vigenère tableau in full, accompanied by the table for
modulo-26 addition:

|ABCDEFGHIJKLMNOPQRSTUVWXYZ | 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
19 20 21 22 23 24 25
-+-------------------------- --
+-----------------------------------------------------------------------------
A|ABCDEFGHIJKLMNOPQRSTUVWXYZ 0| 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
19 20 21 22 23 24 25
B|BCDEFGHIJKLMNOPQRSTUVWXYZA 1| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19
20 21 22 23 24 25 0
C|CDEFGHIJKLMNOPQRSTUVWXYZAB 2| 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
21 22 23 24 25 0 1
D|DEFGHIJKLMNOPQRSTUVWXYZABC 3| 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21
22 23 24 25 0 1 2
E|EFGHIJKLMNOPQRSTUVWXYZABCD 4| 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22
23 24 25 0 1 2 3
F|FGHIJKLMNOPQRSTUVWXYZABCDE 5| 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
24 25 0 1 2 3 4
G|GHIJKLMNOPQRSTUVWXYZABCDEF 6| 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
25 0 1 2 3 4 5
H|HIJKLMNOPQRSTUVWXYZABCDEFG 7| 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
0 1 2 3 4 5 6
I|IJKLMNOPQRSTUVWXYZABCDEFGH 8| 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 0
1 2 3 4 5 6 7
J|JKLMNOPQRSTUVWXYZABCDEFGHI 9| 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 0 1
2 3 4 5 6 7 8
K|KLMNOPQRSTUVWXYZABCDEFGHIJ 10|10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 0 1 2
3 4 5 6 7 8 9
L|LMNOPQRSTUVWXYZABCDEFGHIJK 11|11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 0 1 2 3
4 5 6 7 8 9 10
M|MNOPQRSTUVWXYZABCDEFGHIJKL 12|12 13 14 15 16 17 18 19 20 21 22 23 24 25 0 1 2 3 4
5 6 7 8 9 10 11
N|NOPQRSTUVWXYZABCDEFGHIJKLM 13|13 14 15 16 17 18 19 20 21 22 23 24 25 0 1 2 3 4 5
6 7 8 9 10 11 12
O|OPQRSTUVWXYZABCDEFGHIJKLMN 14|14 15 16 17 18 19 20 21 22 23 24 25 0 1 2 3 4 5 6
7 8 9 10 11 12 13
P|PQRSTUVWXYZABCDEFGHIJKLMNO 15|15 16 17 18 19 20 21 22 23 24 25 0 1 2 3 4 5 6 7
8 9 10 11 12 13 14
Q|QRSTUVWXYZABCDEFGHIJKLMNOP 16|16 17 18 19 20 21 22 23 24 25 0 1 2 3 4 5 6 7 8
9 10 11 12 13 14 15
R|RSTUVWXYZABCDEFGHIJKLMNOPQ 17|17 18 19 20 21 22 23 24 25 0 1 2 3 4 5 6 7 8 9
10 11 12 13 14 15 16
S|STUVWXYZABCDEFGHIJKLMNOPQR 18|18 19 20 21 22 23 24 25 0 1 2 3 4 5 6 7 8 9 10
11 12 13 14 15 16 17
T|TUVWXYZABCDEFGHIJKLMNOPQRS 19|19 20 21 22 23 24 25 0 1 2 3 4 5 6 7 8 9 10 11
12 13 14 15 16 17 18
U|UVWXYZABCDEFGHIJKLMNOPQRST 20|20 21 22 23 24 25 0 1 2 3 4 5 6 7 8 9 10 11 12
13 14 15 16 17 18 19
V|VWXYZABCDEFGHIJKLMNOPQRSTU 21|21 22 23 24 25 0 1 2 3 4 5 6 7 8 9 10 11 12 13
14 15 16 17 18 19 20
W|WXYZABCDEFGHIJKLMNOPQRSTUV 22|22 23 24 25 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14
15 16 17 18 19 20 21
X|XYZABCDEFGHIJKLMNOPQRSTUVW 23|23 24 25 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
16 17 18 19 20 21 22
Y|YZABCDEFGHIJKLMNOPQRSTUVWX 24|24 25 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
17 18 19 20 21 22 23
Z|ZABCDEFGHIJKLMNOPQRSTUVWXY 25|25 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
18 19 20 21 22 23 24

And, of course, instead of the modulo-26 addition table for our 26-letter alphabet, a Vigenere
table can be constructed for any alphabet. Thus, modulo-24 addition would be used for the
Greek alphabet, modulo-32 addition for the Russian alphabet, or, as shown in the picture at
left, modulo-22 addition for the Hebrew alphabet. Here, the table is written from right to left, in
the same direction as normally used for Hebrew writing.

The message "Wish you were here" can be encrypted by the three possible methods, using SIAMESE as the keyword:
Straight keyword:

Message: WISHYOUWEREHERE
Key: SIAMESESIAMESES
Cipher: OQSTCGYOMRQLWVW

Progressive key:

Message: WISHYOUWEREHERE
Key: SIAMESETJBNFTFU
Cipher: OQSTCGYPNSRMXWY

Autokey:

Message: WISHYOUWEREHERE
Key: SIAMESEWISHYOUW
Cipher: OQSTCGYSMJLFSLA

For the progressive key, the keyword, followed by the keyword advanced one position at a time through the alphabet, is
used. Just using ABCDEF... as the key would not have been unique enough to serve as a real cipher.

The table shown here can be thought of as a table for the addition of letters, which is equivalent to addition modulo 26,
where A stands for 0, B stands for 1, continuing on to Z, which would stand for 25.

The plain keyword system can be solved by the Kasiski method; look for repeated sequences of letters in a message, and
count the number of letters between them. From this, it is easy to spot common factors, and determine the length of the
keyword used. This lets one sort the letters into the ones enciphered with the same alphabet. If normal alphabets are used,
looking at the profile of the frequency count makes solution trivial.

For the other two methods, elementary cryptanalysis only allows solution for normal (or at least known) alphabets. The
progressive key case can be made to yield its period if one looks not for repeated letters, but for repeated distances in the
alphabet between adjacent letters; this subtracts out the slow movement of the keyword through the alphabet. The autokey
can basically be solved by brute-force trial on the length of its starting keyword. Of course, these systems can still be solved
with mixed alphabets, but more advanced methods are needed, involving statistics or multiple messages with the same key.

In addition to using mixed alphabets for greater security, there are other systems of historical importance.

The Gronsfeld, which added a numeric key to the plaintext, meant that there were only ten possible equivalents for each
letter, but was easier to do by hand without a table or slide or disk. The Porta system used a smaller table; the first half of the
alphabet was stationary while the second half moved, and equivalents for letters in each half of the alphabet were found in
the other half.

The table for the Porta system (converted to the modern 26-letter alphabet) is as follows:

ABCDEFGHIJKLM
-------------
AB |NOPQRSTUVWXYZ
CD |OPQRSTUVWXYZN
EF |PQRSTUVWXYZNO
GH |QRSTUVWXYZNOP
IJ |RSTUVWXYZNOPQ
K KL |STUVWXYZNOPQR
e MN |TUVWXYZNOPQRS
y OP |UVWXYZNOPQRST
QR |VWXYZNOPQRSTU
ST |WXYZNOPQRSTUV
UV |XYZNOPQRSTUVW
WX |YZNOPQRSTUVWX
YZ |ZNOPQRSTUVWXY

The Gronsfeld, and, even more easily, the Porta, because they only allow some letters, but not others, as equivalents for any
given plaintext letter, can be attacked through this weakness.

In attempting to devise a cipher that, like the Gronsfeld, lends itself to mental arithmetic, I used (for the English alphabet)
the method of representing numbers as letters that was used by the ancient Hebrews and the ancient Greeks:

A 1 J 10 S 100
B 2 K 20 T 200
C 3 L 30 U 300
D 4 M 40 V 400
E 5 N 50 W 500
F 6 O 60 X 600
G 7 P 70 Y 700
H 8 Q 80 Z 800
I 9 R 90

Then, the rule for encipherment is this:

a) If the plaintext and key letters are in the same column, they are added:

B (2) + F (6) = H (8)


L (30) + J (10) = M (40)

b) If the plaintext and key letters are in two different columns, their nonzero digits are added, and the letter in the third
column which contains neither key nor plaintext containing the sum is taken:

D (4) + L (30) = Y (700)


W (500) + K (20) = G (7)

If we had a 27-letter alphabet, we would only have to add that when the sum is greater than 9, subtract 9 (in the appropriate
digit place):

M (40) + Q (80) = L (30)

For the 26-letter alphabet, it's easy to modify rule (a): if the two letters are in the third column, subtract 800 instead of 900.

U (300) + Y (700) = T (200)

Rule (b) is modified in this way: always subtract 9; if the cipher letter and the key letter produce 900 as the result, use
instead the letter that would be produced by enciphering a letter with the value 900 with the key letter. Since there is no letter
with that value, when one is produced by deciphering, decipher 900 with the key to get the true plaintext letter.

This produces the table seen below:

Plaintext
ABCDEFGHI JKLMNOPQR STUVWXYZ
----------------------------
A|BCDEFGHIA TUVWXYZJS KLMNOPQR
B|CDEFGHIAB UVWXYZKST LMNOPQRJ
C|DEFGHIABC VWXYZLSTU MNOPQRJK
D|EFGHIABCD WXYZMSTUV NOPQRJKL
E|FGHIABCDE XYZNSTUVW OPQRJKLM
F|GHIABCDEF YZOSTUVWX PQRJKLMN
G|HIABCDEFG ZPSTUVWXY QRJKLMNO
H|IABCDEFGH QSTUVWXYZ RJKLMNOP
I|ABCDEFGHI STUVWXYZR JKLMNOPQ

J|TUVWXYZAS KLMNOPQRJ BCDEFGHI


K|UVWXYZBST LMNOPQRJK CDEFGHIA
L|VWXYZCSTU MNOPQRJKL DEFGHIAB
K M|WXYZDSTUV NOPQRJKLM EFGHIABC
e N|XYZESTUVW OPQRJKLMN FGHIABCD
y O|YZFSTUVWX PQRJKLMNO GHIABCDE
P|ZGSTUVWXY QRJKLMNOP HIABCDEF
Q|HSTUVWXYZ RJKLMNOPQ IABCDEFG
R|STUVWXYZI JKLMNOPQR ABCDEFGH

S|KLMNOPQRJ BCDEFGHIA TUVWXYZS


T|LMNOPQRJK CDEFGHIAB UVWXYZST
U|MNOPQRJKL DEFGHIABC VWXYZSTU
V|NOPQRJKLM EFGHIABCD WXYZSTUV
W|OPQRJKLMN FGHIABCDE XYZSTUVW
X|PQRJKLMNO GHIABCDEF YZSTUVWX
Y|QRJKLMNOP HIABCDEFG ZSTUVWXY
Z|RJKLMNOPQ IABCDEFGH STUVWXYZ

This table is slightly imperfect. For each of the first eighteen letters in the alphabet, when they occur in the plaintext, there is
one letter that no key letter will cause to be its ciphertext equivalent, and there is another letter that will be that plaintext
letter's ciphertext equivalent for two different key letters. However, although imperfect, it is less so than the Gronsfeld
cipher, and so the system might be of some use (although just converting to digits with a straddling checkerboard achieves
the same goal, of simplifying applying a key, without any imperfections, and considerably more simply).

It is, however, more important to recognize the names of two other systems. If Vigenère can be thought of as plaintext + key
= cipher, Beaufort amounts to key - plaintext = cipher. Since cipher = key + plaintext, Beaufort, like Porta, is reciprocal: the
same steps exactly will both encipher and decipher. Variant Beaufort is plaintext - key = cipher, and is the same as
deciphering for Vigenère.

Slides and disks are often used for the Vigenère and other polyalphabetic ciphers, particularly mixed-alphabet Vigenère.

Helen Fouché Gaines' Elementary Cryptanalysis gives a classification of mixed alphabet slides into four types:

● Type 1: Mixed plaintext alphabet, plain cipher alphabet.


● Type 2: Plain plaintext alphabet, mixed cipher alphabet.
● Type 3: The same mixed alphabet for plain and cipher.
● Type 4: Different mixed plain and cipher alphabets.

I would like to extend this classification slightly to make it comprehensive:

● Type 0: Plain plaintext and cipher alphabet.


● Type 0a: Plain plaintext alphabet, reversed cipher alphabet.
● Type 1: Mixed plaintext alphabet, plain cipher alphabet.
● Type 2: Plain plaintext alphabet, mixed cipher alphabet.
● Type 3: The same mixed alphabet for plain and cipher.
● Type 3a: Mixed plaintext alphabet, the same alphabet in reverse for cipher.
● Type 4: Different mixed plain and cipher alphabets.

A slide of type 0a produces a reciprocal cipher, and can be used for Beaufort. The mechanical equivalent of such a slide is an
element of a Hagelin machine.

The Type 1 slide is more easily cryptanalyzed than the Type 2 or above slides since once the different alphabets have been
determined by discovering the period of the cipher by the Kasiski method (looking for repeated digrams, trigrams and above,
noting the distance between them, and looking for a common factor to most of the distances, giving greater weight to longer
repetitions) the frequency counts can be lined up, since they are displaced along the cipher slide, which in this case has the
known regular alphabet along it.

Even in the mixed-alphabet case, once the period is found, letter frequencies and bigram frequencies can be used to read the
message. For a frequent letter, whether only a few letters, or a wide variety of letters, appear before or after that letter helps
to identify whether the letter is a vowel or a consonant, or to determine exactly which letter it is.

When some alphabets are partly reconstructed, if you know that the alphabets have been produced by a slide, even one with
two mixed alphabets, there are certain logical inferences that you may be able to make that will obtain the values of
additional letters. This technique is known as symmetry of position.
Let us suppose that we know that the plaintext letters E and N become, in one alphabet, the ciphertext letters P and Q, and in
another alphabet the ciphertext letters K and V.

Since the distance between the letters E and N on the slide with the scrambled plaintext alphabet does not change, even
though it is unknown, we know from this that the letters P and Q are the same distance apart on the ciphertext slide as the
letters K and V are.

And since one goes from one alphabet generated by a slide to another by moving one of the alphabets a certain distance, one
also knows that the two equivalents for E, the letters P and K on the ciphertext slide, are the same distance apart as Q and V.

Of course, these two facts are really consequences of one another: since P-Q = K-V, then it must also be true that P-K = Q-
V, where P, Q, K, and V are now standing for unknowns in modulo-26 arithmetic.

In any event, if we then find that in a third alphabet, the plaintext letters R and T become the ciphertext letters P and K,
respectively, and if we are fortunate enough to have an alphabet in which R becomes Q, we can then conclude that T will
become V in that alphabet.

Later, when at least two alphabets are almost completely reconstructed, it may be possible to work out what alphabets were
present on the slide that generated them. This can help in continuing the solution, or in reading future messages.

For example, a slide in two consecutive positions generates these alphabets:

QWERTYUIOPASDFGHJKLZXCVBNM abcdefghijklmnopqrstuvwxyz
BOXWITHFVEDZNLQURJGSPACKMY dkanxlqufrjgymvebwzihcopts

QWERTYUIOPASDFGHJKLZXCVBNM abcdefghijklmnopqrstuvwxyz
OXWITHFVEDZNLQURJGSPACKMYB zmclwqurvjgsbyedointfkxahp

On the left is the way the slide looks, and on the right are the alphabets as they appear to the cryptanalyst, who does not yet
know what alphabets are on the slides. Consecutive alphabets are shown; the method works for any odd shift between
alphabets except 13 (not because it's unlucky, but because it is exactly half of 26, the number of letters in the alphabet); for
an even shift, partial information about the slide is obtained: two separate 13-letter pieces.

The slides can be reconstructed because of the information the alphabets above give about them: D and Z are the equivalents
for A in the two alphabets. So, the distance between D and Z on the bottom slide must be the amount by which the slide must
be moved to get from one alphabet to the other. But that is also true of K and M, the two equivalents for B, and A and C, the
two equivalents for C, and so on.

So, we start with the letter D. The letter Z is our displacement ahead of it: here, it happens that the displacement is one, so
we'll get the exact alphabet on the slide, instead of simply an equivalent alphabet. To move another displacement forward,
we find Z as the equivalent for S in the first alphabet, and N as its equivalent in the second.

Thus, we reconstruct the alphabets like this:

a s d f g h j k l z x c v
DZ ZN NL LQ QU UR RJ JG GS SP PA AC CK

b n m q w e r t y u i o p
KM MY YB BO OX XW WI IT TH HF FV VE ED

If the shift were three instead of one, then the alphabets would be subjected to decimation, so that instead of DZNLQ... the
first few letters after D would be in positions D..Z..N..L..Q..., but the slides would still generate the same cipher alphabets,
only after different shifts.

It is particularly because the Kasiski method of attacking the simple keyword form of the Vigenere is so powerful that other
methods, such as key progression and the autokey were originated to avoid it.

The Lanaki Classical Cryptography Course, available at The Crypto Drop Box, notes two other methods sometimes tried.
One is to repeat the letters of one's keyword an increasing number of times, with a period different from the length of the
keyword: thus, the keyword SIAMESE might be repeated with the pattern 12345, so that one's key would begin
SIIAAAMMMMEEEEESEESSSIIIIAAAAAMEESSSEEE...

and an idea suggested by W. F. Friedman is then noted, where instead of using a simple sequence like 12345, one uses the
lengths of the Morse Code symbols for the letters in a keyword to control the pattern of repetitions.

These methods don't make a truly aperiodic cipher the way the autokey does, but like the progressive-key method, they
provide a longer period. However, the presence of stretches of plaintext enciphered with the same keyletter at least seems
like a weakness.

Of course, one could take Friedman's idea, and make it more complicated (and therefore impractical for actual use!) in a
number of ways.

Let us use a Morse Code keyword of BAKER, which is, in dots and dashes,

-... .- --. . .-.

and use two other keywords, ORANGE and CHOCOLATE, for Vigenere use.

A dot selects a letter from the first keyword, a dash selects a letter from the second keyword. And let both keywords also
experience key progression.

While this will still lead to a sequence with a finite period, the period will be a long one, and will start like this:

ORAN GE PSB O HFQ TCPI GR UDQ J HSV ERKI TW FSL J UXG TMKV YH UNL W ZIV
CHOC OL ATE D IPD PMBU FE JQE Q NCV GFKR FR ODW H GLS GSPE XI HMT H TQF
-... .- --. . .-. -... .- --. . .-. -... .- --. . .-. -... .- --. . .-.
CRAN GL ATB O HPQ PCPI GE JQQ J HCV GRKI TR ODL J ULG GMKV YI HML W ZQV

alternatively, the ends of each letter in the Morse keyword could control key progression for the first keyword, and the end
of each occurence of the whole keyword could control key progression for the second keyword, like this:

ORAN HF QTC Q KIS WFSL KU YHU O NXA KXQO ZC MZS R CFO CVTD HQ EXV G KTG
CHOC OL ATE C HOC PMBU FD IPD P MBU GEJQ EQ NCV G EJQ FROD WH FKR F ROD
-... .- --. . .-. -... .- --. . .-. -... .- --. . .-. -... .- --. . .-.
CRAN HL ATC Q KOS PFSL KD IPU O NBA GXQO ZQ NCS R CJO FVTD HH FKV G KOG

thus making use of more of the information in the Morse keyword, but, since such things are clearly impractical by hand, we
shall instead let such devices as rotor machines and the Hagelin lug and pin machine introduce complicated polyalphabetic
ciphers, as it was with such devices that such ciphers finally became usable.

Cipher disks are harder to make than slides, but they do look prettier. One type of cipher disk I invented independently looks
like this:
This disk was the best of my attempts to devise something which would be easy to use, but involve something more than just
sliding one alphabet against another. My intention was to approach the power of a rotor machine.

The wheel is built from four components, as illustrated below:

Essentially, the wheel is constructed from four disks, one of which has half of its outer portion removed.

On the bottom is a disk with the mixed plaintext alphabet, shown as item 1 in the diagram.

Above it is item 2, a disk with the numbers 1 through 13 repeated twice, against a backround of one color (shown here as
purple).
Then comes item 3, a disk of the same diameter, but with half of its perimeter removed to expose thirteen of the spaces on
the disk below. The half remaining has a background of a color contrasting with that disk (shown here as green), and a
mixed sequence of the numbers 1 through 13.

Finally, there is the smallest disk on the top, item 4, with the mixed cipher alphabet.

How the disks are stacked one on top of the other is illustrated by item 5 in the drawing, a view of the four disks one on top
of the other, but slightly offset to allow the perspective to be visible.

In use, one looks up a letter in the plaintext alphabet, and proceeds to the number in the next inner band. Then, starting from
the same number, against the background of the opposite color, also in that band (but on the other of the two middle disks)
one proceeds to the cipher letter on the innermost circle with the cipher alphabet. This is illustrated by item 6 in the picture.

One idea I had for making this type of device useful, by making it easier to move the disks with each letter enciphered, was
to add to each disk a rim (presumably with 26 notches or bumps around the outside, not shown for simplicity) so that the
four disks could be advanced like thumbwheels.

Versions of the disks using latticework to hold the outside rim in place, while allowing all the letters and numbers in lower
disks to be visible, are shown as items 7, 8, 9, and 10 in the diagram. Item 11 shows an oblique view of the disks stacked,
item 12 a face-on view.

One way to make use of this construction would be to have layers of cardboard between the disks, so that each rim is
individually exposed for a short distance. The 26 possible key letters would be allocated so that seven of them are used to
indicate that the lowest disk is to turn counterclockwise from 1 to 7 spaces, another 7 turn the smallest disk clockwise 1 to 7
spaces, and 6 indicate the disk shown with a purple rim is to turn counterclockwise from 1 to 6 spaces, and 6 indicate the
disk with half its periphery cut away is to turn clockwise from 1 to 6 spaces.

For use with text as a key, the letters would be allocated so that the frequent letters represented odd displacements, and were
distributed evenly among the four disks.

A version of the same device as a slide instead of a disk would look like this:

-----------------------------------------------------
F S H G Y M L Q K X O N E R Z A D I V C U T P W J B
-------------------------
------| 1 1 1 1 |--------------------
|7 4 1 6 3 5 0 1 9 2 3 2 8| 1 1 1 1
3 4 5| |6 7 8 9 0 1 2 3 1 2
------ --------------------
-----------------------------------------------------
X V I D U J C G M E Z A F T W O S H K Y P B R N Q L
-----------------------------------------------------

The Byrne Chaocipher, which was mentioned in David Kahn's The Codebreakers, was subsequently the subject of a
Cryptologia article, which indicated that the principle of this wheel may have been used before in that cipher.

Another device I designed myself in trying to produce a convenient cardboard approximation to a rotor machine is the
following slide:
The slide has a frame with an approximately rectangular pattern of holes, but with two corners clipped. Behind the frame,
there are two slides; one with slots in it that moves vertically, and a solid one that moves horizontally behind it.

The letters on the vertical slide are arranged so that as it moves up or down one position, the letters that become concealed
are rearranged and fill the spaces on the slide that now become visible, like this:

P E H S C A p e h s c a
L V F O K R Z l V F O K R Z
I B Q Y G W N I B Q Y G W N
X T M J D U X T M J D U E
C H L S P A

The same principle applies to the horizontal slide. However, since space is required for the vertical sliding alphabets, and the
spaces between the open rectangles, instead of being filled with merely one set of alphabets, it contains three interlaced
alphabets, which independently change in this way.

In the previous section, we saw how a straddling checkerboard like this:

9 8 2 7 0 1 6 4 3 5
-------------------
A T O N E S I R
2 B C D F G H J K L M
6 P Q U V W X Y Z . /

could be used to convert letters to digits. Since it takes account of letter frequencies, the conversion is an efficient one.

This type of conversion makes the various types of polyalphabetic encipherment more convenient by hand, since the
Vigenere encryption is now simply addition (on a digit-by-digit basis, ignoring carries).

The table for this operation is, of course:

|0123456789
-+----------
0|0123456789
1|1234567890
2|2345678901
3|3456789012
4|4567890123
5|5678901234
6|6789012345
7|7890123456
8|8901234567
9|9012345678

and, as this is the table for addition modulo 10, it is not surprising that it resembles the table above for addition modulo 26,
or the equivalent Vigenère table.

So, using this conversion from letters to numbers to perform the equivalent of the examples above:
Repeating key:
W ISH Y OU W EREH ERE
603421667626015121151
439251414392514143925
---------------------
032672071918529264076

Progressive key:
W ISH Y OU W EREH ERE
603421667626015121151
439251415403625265147
---------------------
032672072029630386298

Autokey:
W ISH Y OU W EREH ERE
603421667626015121151
439251416034216676260
---------------------
032672073650221797311

so the same methods are as applicable to digits as they are to letters. However, the ease of doing addition on digits as
opposed to letters also means that the equivalent of the use of mixed alphabets is not found often with digits.

As noted in the previous section, Soviet spies using a straddling checkerboard for converting letters to digits have then often
encrypted these digits using a polyalphabetic substitution of the Vigenere type.

However, the attempt was made to use a perfect form of Vigenere encryption. (As the declassified information concerning
VENONA reveals, the attempt wasn't made quite well enough: supposed "one-time pads" were used at least twice on many
separate occasions.)

If, ahead of sending a message, you and your correspondent have arranged to share a key consisting of:

● genuinely random digits,


● long enough to be used only once, that is, matching in length all the messages you will be sending

then there is no way to "break" your messages by cryptanalysis. (Of course, the length and timing of messages may still give
information away.)

Why is there no way to break messages in such a case? Because, if the key is random, and if it is never used anywhere else
but with just one message, so there is no other way to get information about that key, then that key could be anything.

So any possible message having the same length as the intercepted message remains possible, because there is no way to
exclude the key that would give rise to any hypothetical message. If the key were not random, but generated by some rule,
then perhaps the key that would transform some possible plaintexts into the ciphertext actually intercepted could not have
been generated by that rule, thereby ruling out those plaintexts. If the key were used another time, then one possible text for
the first message could be ruled out because the other message would not make sense. But without either of these
opportunities, one speculative plaintext is only as good a guess as any other, and no better.

This survey of cryptographic algorithms has not gone very far, still being in its first chapter, and already we have found
perfection. But not only is quite a bit of key required, but more importantly, when that key is used up, no more secure
communications are possible using this method. And since the key is bulky, and impossible to memorize, this is only useful
where the messages are easy to intercept but the key is safe, for example, in communications, but not in protecting files on
your hard disk. Also, it can't complement public-key cryptography, since it doesn't provide a way by which encrypting a
small session key by a slow method with some useful special properties (making it possible to start communicating securely
without any advance secret exchange of a key) can protect a large message.

The one-time pad is perfect, and it is relatively easy to understand why it is impregnable. In general, it is not suitable for
everyday use, since computers make it very easy to carry out conventional encryption with methods of enormous
complexity. Such enormous complexity that there seems to be no rational reason to doubt their security. But just as there is a
tendency in some quarters to advocate the use of methods that aren't quite complex enough (for example, DES with its 56-bit
key, or other block ciphers that are only a step or two better), there is a tendency in other quarters to say that the "experts"
should not be trusted, and only the one-time system, in one of its various forms, is any good.

Incidentally, for the polyalphabetic encryption of a stream of message digits by a stream of key digits, it is not strictly
necessary to use only addition without carries. Just as either addition modulo 10 or addition modulo 26 are equally valid,
depending on whether the message is made up of digits or letters, addition modulo 100,000 is also equally valid. That is, five
message digits could be added to five key digits to produce five cipher digits using normal addition with the propagation of
carries within the five-digit group.

The one carry, though, that must be discarded is the one out of the five digits, if it is not propagated to the preceding five-
digit group. Sending the sum of 53478 and 88412 as 141890 instead of 41890 is a serious mistake, as it proves that both the
plain and key groups at that position must be larger than 41889, as neither of those five-digit groups can be larger than 99999.

One method of polyalphabetic encipherment that suffered from this error is any cipher of the Nihilist type.

A five-by-five square like that illustrated below was used to convert both a message and a key (repeatedly used, as in Porta's
cipher commonly known as the Vigenère) into a stream of digits:

1 P Z R M T
2 Y A V F I
3 O H K W N
4 G D X B U
5 S J C E L
1 2 3 4 5

However, when the stream of key digits was added to the stream of cipher digits, instead of using a modified modulo-5
tableau such as:

| 1 2 3 4 5
-------------
1 | 2 3 4 5 1
2 | 3 4 5 1 2
3 | 4 5 1 2 3
4 | 5 1 2 3 4
5 | 1 2 3 4 5

the digits were simply added by normal decimal addition without carries. Hence, while each digit which was added belonged
to a family of only five digits, the sum as transmitted could have any of nine values, (a sum of 1 could not occur) and only
one of those values, the digit 6, did not place some constraint on both the key digit and the message digit, as can be seen
from the table of that operation:

| 1 2 3 4 5
-------------
1 | 2 3 4 5 6
2 | 3 4 5 6 7
3 | 4 5 6 7 8
4 | 5 6 7 8 9
5 | 6 7 8 9 0

The actual Nihilist cipher, as described in Gaines, was even worse than this: the letters in the checkerboard square were in
their normal order, and the addition was performed with carries, to the extent that messages were sent in two-digit groups,
and three digit sums (such as 45 + 55, or 52 + 51) were sent in three digit form, preserving the carry out of the group.
However, the Russian language, before the Russian Revolution, had a thirty-six letter alphabet, and the use of a full 6 by 6
square would have improved things slightly.

Since the most natural way to apply a stream of key letters to a stream of plaintext letters is the Vigenère, and the most
natural way to apply a stream of key digits to a stream of plaintext digits is modulo-10 addition, when applying a stream of
key bits to a stream of plaintext bits, the very simple operation of modulo-2 addition, or exclusive-OR (XOR) is often used,
with the very short table:
| 0 1
-------
0 | 0 1
1 | 1 0

The following two tables:

| 0 1 2 3 4 5 6 7 | 0 1 2 3 4 5 6 7
------------------- -------------------
0 | 0 1 2 3 4 5 6 7 0 | 0 1 2 3 4 5 6 7
1 | 1 2 3 4 5 6 7 0 1 | 1 0 3 2 5 4 7 6
2 | 2 3 4 5 6 7 0 1 2 | 2 3 0 1 6 7 4 5
3 | 3 4 5 6 7 0 1 2 3 | 3 2 1 0 7 6 5 4
4 | 4 5 6 7 0 1 2 3 4 | 4 5 6 7 0 1 2 3
5 | 5 6 7 0 1 2 3 4 5 | 5 4 7 6 1 0 3 2
6 | 6 7 0 1 2 3 4 5 6 | 6 7 4 5 2 3 0 1
7 | 7 0 1 2 3 4 5 6 7 | 7 6 5 4 3 2 1 0

the first for modulo-8 addition, and the second for an independent exclusive-OR of each of the three bits of an octal digit,
shows how these two operations differ in their algebraic structure; thus, some modern computer ciphers alternate between
XOR and addition modulo 256 or modulo 65,536 within a complicated sequence of operations to make the cryptanalyst's
path a more tangled one.

The following two tables:

| 0 1 2 3 4 5 6 7 | 0 1 2 3 4 5 6 7
------------------- -------------------
0 | 0 1 2 3 4 5 6 7 0 | 0 1 2 3 4 5 6 7
1 | 1 2 3 0 5 6 7 4 1 | 1 2 0 4 5 6 7 3
2 | 2 3 0 1 6 7 4 5 2 | 2 0 1 5 6 7 3 4
3 | 3 0 1 2 7 4 5 6 3 | 3 4 5 6 7 0 1 2
4 | 4 5 6 7 0 1 2 3 4 | 4 5 6 7 1 3 2 0
5 | 5 6 7 4 1 2 3 0 5 | 5 6 7 2 3 4 0 1
6 | 6 7 4 5 2 3 0 1 6 | 6 7 3 0 2 1 4 5
7 | 7 4 5 6 3 0 1 2 7 | 7 3 4 1 0 2 5 6

illustrate two ways of obtaining tables that are different algebraically from either of the previous two. The first is a table of
the operation of adding the last two bits of a three-bit octal digit with modulo-4 addition, and XORing the first bit
independently. The second results from deliberately constructing a table which must be algebraically distinct from anything
like this, by beginning with a subtable for modulo-3 addition, which could not occur in a table built from exclusive-OR and
addition modulo a power of two, and then using displacements of the other five digits in the shadow of that subtable. Finally,
the remaining five by five square is filled; at first, some diagonals are filled systematically, and then the rest is filled through
trial and error, with some backtracking.

[Next] [Up] [Previous] [Index]

Next
Chapter Start
Table of Contents
Main page
Home page
[Next] [Up] [Previous] [Index]

Code Books
Before it became possible to build complex electrical and mechanical cipher machines,
cipher systems requiring many complex manipulations would have been impractical
and error prone.

A code book, with its long list of equivalents for thousands of words and phrases, as
opposed to the 26 letters of the alphabet, offers a degree of security without requiring a
large number of operations for each word encoded.

Codes have also been used for sending messages by telegraph at lower prices, by
representing common phrases used in business with single codegroups. Such
codebooks are arranged so that both the codegroups and their meanings are in easy-to-
find alphabetical order. A codebook arranged this way is called a one-part code.

Most (but not all) secret codebooks are called two-part codes; the codegroups are
assigned in a random order to the words encoded, and there is both an encoding
section, with the words in alphabetical order, and a decoding section, with the
codegroups in alphabetical (or numerical) order.

Thus, the decoding section of a codebook might look like this imaginary example that I
also used as the background to this page:

EZNLJ Shanghai
EZNKL OUGH
EZNLM 270 degrees
EZNMN Ship may not be
EZNNO Docking facilities
EZNOP Diesel fuel
EZNRS France
EZNST Repair-s-ed-ing
EZNTU Ship has
EZNUV Cancun
EZNVW 43 degrees
EZNYZ 500
EZNZA 23 knots
EZOAA Maintenance urgently required
EZOBB Perth
EZOCC 15 metres
EZODD Captain will be
EZOEE 23 3/4

The rationale behind the sequence of 5-letter groups shown is explained in the section
on Error-Correcting Codes.

Some codebooks assign both numeric codegroups and alphabetic codegroups to words;
the alphabetic codegroups are easier to actually transmit by Morse code, but the
numerical codegroups are easier to manipulate.

For secret codes, the manipulation might consist of superencipherment, the


encipherment of a message that is already in code. But many nonsecret cable codes
also provided numeric codegroups. This allowed people in a specialized business to, by
agreement, use the codegroups in one section of a large codebook, which contained
words and phrases they did not use, to instead represent the words and phrases another,
shorter codebook or in a section of another codebook. All that was needed was to add
or subtract an offset from the codegroups in the other codebook to fit them into the
unused space.

To increase security, secret codebooks often included nulls, that is, codegroups which
were to be ignored upon decipherment. Also, many codebooks included more than one
substitute for the most common words or phrases.

David Kahn's book The Codebreakers is illustrated with actual pages from once-secret
codebooks, such as the British and Allied Merchant Ship code, and the Hudson code of
the American Expeditionary Force.

Another codebook illustrated was Cypher SA, the codebook of the British Navy in the
last months of World War I. Another illustration of a different part of this codebook
also appeared in David Kahn's article in the July 1966 issue of Scientific American.

This codebook was perhaps unique, in that it used a stripped-down form of the autokey
principle.

It used a considerable number of nulls, and every message had to start with a null,
because many of the most common words and phrases in the code could not begin a
message.

Each five-digit codegroup in the code was followed by one of the three letters A, B, or
C. Many of the more common words and phrases had three different substitutes,
preceded by A, B, and C in order, and the one to be used was determined by which
letter had followed the previous codegroup.

Naturally, only the numbers were transmitted in the enciphered message.


Some of the most common words and phrases were also homophones in the ordinary
sense; instead of merely having one set of three substitutes, they might have had three
sets of substitutes, so that for each letter ending the previous word, there would still be
three arbitrary choices for the codegroup to use.

Since what we have is essentially three different codes, A, B, and C, although these
codes are the same in part, determined for each group by the codegroup enciphered
before, Cypher SA is properly classed as a form of autokey.

With many codes, a form of polyalphabetic substitution is used. In addition to the two-
part codebook, with numerical equivalents for the words or phrases to be sent, a second
book, filled with random numbers, is required. This second book's contents are called
the additive. A random starting point in the book is chosen for each message, and that
starting point is sent at the beginning of the message. Then, the numbers in the book
are added to the codegroups from the codebook before transmission. Always, carries
past the start of a codegroup are discarded; almost always, all carries are ignored, the
individual digits being added in isolation. This is the decimal equivalent of doing an
XOR instead of addition.

Sometimes other methods of encrypting an already coded message, called


superencryption, are used. For example, a short table giving subsitutes for pairs of
digits can be used, either on the codegroups, or just on the group which gives the
starting point of the additive.

When a long running key is used for Vigenere encryption, but that key is re-used,
Kerchoffs superimposition can be used to align different messages encrypted with the
same key. The messages are slid against each other, and positions that provide a high
number of coincidences, particularly those involving groups of consecutive characters,
are chosen.

For breaking codes used with additives, Kerchoffs superimposition is usually used in a
more sensitive form, as improved by W. F. Friedman. The kappa test compares the
proportion of coincidences that would be found, in the Vigenere case, between two
sequences of random letters, which would be exactly 1/26, and between two normal
plain-language texts. That is higher, because the letters are not all equal in frequency.
That figure equals the sum of the squares of the probabilities of all the plaintext
symbols; the chance of an A in the first message times the chance of an A in the second
message, plus the chance of a B in the first message times the chance of a B in the
second, and so on. The same applies to two strings of random groups of five digits,
which would have one group in 100,000 matching by chance, and two coded messages
without an additive applied. If two messages are aligned so that their additives
coincide, as far as coincidences between them at that position are concerned, it is as if
no additive was applied.
The following illustates why the random kappa is always smaller than the plaintext
kappa:

--------------------- ----------------------
|----| | |---------| |
|----| | |---------| |
|---------- | |---------| |
| |----| | |---------| |
| |----| | |--------------- |
| ----------- | | |----| |
| |----| | | |----| |
| |----| | | --------- |
| ----------| | |--| |
| |----| | ------|
| |----| | |--|
--------------------- ----------------------

The square of a number gains size from both of its factors, so taking size from a
smaller number squared and giving it to a larger one causes that size to be placed more
advantageously; therefore making all the numbers equal minimizes the sum of the
squares.

[Next] [Up] [Previous] [Index]

Next
Skip to Next Chapter
Table of Contents
Home page
[Next] [Up] [Previous] [Index]

Fun With Playing Cards


To accompany the recent novel Cryptonomicon, Bruce Schneier, author of Applied
Cryptography, developed a cipher using the 52 playing cards and two jokers called
Solitare, which is described on the Counterpane web site.

This has been an inspiration to both myself and others; for example, Paul Crowley has
developed another cipher using playing cards called Mirdek.

My Playing Card Cipher

I, too, have now succumbed to the temptation to construct an alternative to Solitare.


The basic cycle that takes a deck that has already been scrambled to produce a
keystream operates as follows:

Step 1: From the prepared deck (the order of the cards in it is the key), turn up, and
deal out face up in a row, successive cards until the total of the cards (A=1, J=11,
Q=12, K=13) is 8 or more.

Step 2: If the last card dealt out in Step 1 is a J, Q, or K, take its value, otherwise take
the total of the values of the cards dealt out in Step 1. (This gives a number from 8 to
17.) In the next row, deal out that many cards from the top of the deck.

Step 3: Deal out the rest of the deck under that row, in successive rows that begin on
the left, and end under the lowest card in the top row, the next lowest card in the top
row, and so on, in rotation. A red card is lower than a black card of the same
denomination, and when there are two cards of the same color and denomination, the
first one in the row is considered lower.

These first three steps may lead to a layout which looks like this:

7S QH
3D 6S 3C 2D QD 4S 8S JS JD 10H QC 8H
5H AC 6D KS
10C
QS 9D 5D
2H 3S KD JH 2S 9C
9H 6H
8C 2C 7H JC 4C 8D 3H KC 7D 6C AH 4H
5C 10D 10S 7C 9S KH 4D
AD 5S AS

Step 4: Take the cards dealt out in Step 3, and pick them up by columns, starting with
those under the lowest card in the row dealt out in Step 2. The top card in the column is
to be on the bottom of a pile of face up cards, and the first column picked up is to be on
the bottom of the re-assembled deck.

Step 5: Place the cards dealt out in Step 2 (the last one on the bottom) in face-up form
on top of the re-assembled deck, and then the cards dealt out in Step 1, again, the last
one on the bottom of a face up pile put on top of the re-assembled deck.

Step 6: Turn the deck of cards over to face-down position to repeat Step 1.

Thus, these steps would cause the following new order of the deck to result from the
layout above:

KS JH JC 7C 5H 10C QS 2H 9H 8C 5C AD 6D
5D KD 7H 10S AS 9C 8D KH AC 9D 3S 6H 2C
10D 5S 4H 3H 4D 6C 7D KC 2S 4C 9S AH 8H
QC 10H JD JS 8S 4S QD 2D 3C 6S 3D QH 7S

And the cards that were at the beginning of the deck, and thus controlled the
transposition, are now at the end of the deck, and will be subject to the next
transposition instead of controlling it.

After doing this three times, obtain a keystream digit as follows:

Looking at the cards from the top of the deck, ignore all J, Q, and K cards; take the first
other card, from A to 10, and count down that many cards to find a card from A to 10.
Do the same from the bottom of the deck. The last digit of the sum of the values of
those two cards is the keystream digit.

Applying this to the scrambled deck obtained above (which is cheating a bit, since in
practice the transposition has to be done three times), it works this way:

KS JH JC 7C 5H 10C QS 2H 9H 8C 5C AD 6D
(7) 1 2 3 4 5 6 7*
5D KD 7H 10S AS 9C 8D KH AC 9D 3S 6H 2C
10D 5S 4H 3H 4D 6C 7D KC 2S 4C 9S AH 8H
QC 10H JD JS 8S 4S QD 2D 3C 6S 3D QH 7S
7* 6 5 4 3 2 1 (7)
the two selected cards are the ace of diamonds and the ten of hearts, so the keystream
digit is a 1.

This way, people don't have to memorize a bridge ordering of the suits, and they use a
straddling checkerboard to allow false addition to apply the key, instead of trying to do
Vigenere or modulo-26 arithmetic in their heads.

By limiting the mental arithmetic required, I'm trying to make my method simpler.
However, the way in which the cards are rearranged is more complex; the cards are
dealt out in a layout, not merely manipulated in a straight line, and thus the result looks
somewhat more like a game of solitare. In the novel, the cipher Solitare was based on a
computer stream cipher; my method for using playing cards is instead based on an old
pencil-and-paper cipher.

The method of transposition used is the one given by General Luigi Sacco, that breaks
up a block into uneven units, and which perhaps has some advantages over ordinary
columnar transposition.

Of course, some of the rules used mean that there are biases in the transposition; if
every card had a distinct value, the order of the columns would be slightly more
random, and the rule intended to limit the row size to 17 instead of 21 makes 11, 12,
and 13 more likely row lengths. Note that Step 4 is set up to make the scrambling
invertible, so I did accept some good advice from Bruce Schneier's Solitare. The well-
known reason for this is noted elsewhere on this site: a non-invertible transformation
risks shrinking the state space of the thing transformed. That is: the fact that the
transformation is invertible is no guarantee of a long or maximal period. But if every
possible ordering of the deck is possible at the start, then every possible ordering of the
deck remains possible after 20, 30, or 2000 iterations of an invertible transformation. If
two orderings of the deck both transformed to the same ordering of the deck, then the
transformation would not be invertible. On the other hand, with a non-invertible
transformation, the number of possible orderings can continue to shrink as the
transformation is repeated.

The Keying Procedure

Starting with a deck in a fixed order, say AS 2S ... KS AH 2H ... KH AD 2D ... KD AC


2C ... KC, the procedure to obtain a scrambled deck order from a keyphrase is as
follows:

Divide the keyphrase into parts that are eight or more letters in length as follows: first,
use all the words that are eight or more letters long in the phrase, then, go through the
phrase, and, using only the shorter words, take as many words as needed at a time to
reach eight or more letters. When the last part is formed, and there are less than eight
unused letters in the key phrase, include them in the last part.

Then, take these parts of the keyphrase, and use them in pairs.

First, for each part, imagine the word as standing above the columns of cards, and then
perform Step 3 and Step 4 of the normal cycle, but on the entire deck.

Example:

Phrase: THE QUICK BROWN FOX JUMPED OVER THE LAZY DOG

This phrase has the parts:

THEQUICK
BROWNFOX
JUMPEDOVER
THELAZYDOG

So, the first two parts lead to the deck being scrambled as follows:

First, the deck is laid out like this:

T H E Q U I C K
7 4 2 6 8 3 1 5
AS 2S 3S 4S 5S 6S 7S
8S 9S 10S
JS QS KS AH 2H 3H
4H 5H
6H 7H 8H 9H 10H JH QH KH
AD 2D 3D 4D
5D
6D 7D 8D 9D 10D
JD QD KD AC 2C 3C 4C
5C 6C 7C
8C 9C 10C JC QC KC

Since the first card of a column is placed on the bottom when the cards are face up, and
the first column picked up is at the bottom of the cards when they are face up, they will
be on the top when the deck is in normal face-down order, and so this step leads to the
cards being in the order:

7S QH 4C 3S 10S KS 8H 3D 8D KD 7C 10C 6S
3H JH 3C KC 2S 9S QS 5H 7H 2D 7D QD 6C
9C KH 4S AH 9H 4D 9D AC JC AS 8S JS 4H
6H AD 5D 6D JD 5C 8C 5S 2H 10H 10D 2C QC

Now, the deck is then laid out like this for the second part:

B R O W N F O X
1 6 4 7 3 2 5 8
7S
QH 4C 3S 10S KS 8H
3D 8D KD 7C 10C
6S 3H JH
3C KC 2S 9S QS 5H 7H
2D 7D
QD 6C 9C KH
4S AH 9H 4D 9D AC JC AS
8S
JS 4H 6H AD 5D 6D
JD 5C 8C 5S 2H
10H 10D 2C
QC

which, when picked up, places the deck in this order:

7S QH 3D 6S 3C 2D QD 4S 8S JS JD 10H QC
8H 5H AC 6D KS 10C QS 9D 5D 2H 3S KD JH
2S 9C 9H 6H 8C 2C 7H JC 4C 8D 3H KC 7D
6C AH 4H 5C 10D 10S 7C 9S KH 4D AD 5S AS

Then, each of the two parts is used to scramble half of the deck again; the
transpositions above depended on the order of letters in each part, but this step will
instead depend on which letters are present.

Go through the alphabet, from A through Z, as you take cards from the top of the deck.
When you reach a letter that is part of the current part of the keyphrase, that card
completes the current pile you are making. The next card starts a new pile. Z always
completes the last pile, even if it is not present.

Then put the piles back together, but in the reverse order in which they were obtained.

Thus, the first part, THEQUICK, divides the first half of the deck like this:

A B C
7S QH 3D
D E
6S 3C
F G H I
2D QD 4S 8S
J K
JS KD
L M N O P Q
10H QC 8H 5H AC 6D
R S T
KS 10C QS
U
9D
V W X Y Z
5D 2H 3S KD JH

causing that half of the deck to be placed in the order:

5D 2H 3S KD JH 9D KS 10C QS 10H QC 8H 5H
AC 6D JS KD 2D QD 4S 8S 6S 3C 7S QH 3D

Then, the second half, BROWNFOX, is applied to the second half of the deck.

When there is an odd part of the key phrase, then the deck is transposed with that part,
and only its first half is mixed again.

Once the entire keyphrase is applied to the deck of cards, the deck is then subjected to a
non-invertible triple cut, as follows:

From each end of the deck, a card with a value from A to 10 is located, by the
procedure used to find the keystream numbers in normal encipherment. Then, starting
from the top of the deck when it is face down, which we will assume is placed on the
left, additional cards are counted from that card according to its value: one more card if
it is an ace, two more if it is a deuce, and so on, but this time, face cards are not ignored.

This part of the deck is then placed on the right-hand side.

The procedure is repeated from the other keystream card, again counting inwards. If
cards are left, these stay in the middle, and those from the bottom of the deck to the end
of the count are placed on the left-hand side.

Using the previous example of obtaining a keystream digit to illustrate how this works:

KS JH JC AH 5H 10C QS 2H 9H 8C//KC AD 6D
(1) 1* 1 2 3 4 5
5D KD 7H 6C AS 9C 8D 5C AC 9D 3S 6H 2C
7D 5S 3H 10D 4D 9S 10S//2S 4C 4H KH 7C 8H
7 6 5 4 3 2
QC 10H JD JS 8S 4S QD 2D 3C 6S 3D QH 7S
1 7* 6 5 4 3 2 1 (7)

the pairs of slashes indicate the points at which the deck will be cut, ending up in the
order 2S...7S, KC...10S, KS...8C from the order above.

Finally, the cards are laid out according to the word spacing of the keyphrase:

T H E
2S 4C 4H
Q U I C K
KH 7C 8H QC 10H
B R O W N
JD JS 8S 4S QD
F O X
2D 3C 6S
J U M P E D
3D QH 7S KC AD 6D
O V E R
5D KD 7H 6C
T H E
AS 9C 8D
L A Z Y
5C AC 9D 3S
D O G
6H 2C 7D
T H E
5S 3H 10D
Q U I C K
4D 9S 10S KS JH
B R O W N
JC AH 5H 10C QS
F O X
2H 9H 8C

repeated until the deck is all laid out, and then they are picked up in face up form with
the last column, and its top card, on the bottom.

In the example, that leads to the cards ending up in this order when turned face down:
6D 10H QD AD JH QS QC 4S KC 6C 3S KS 10C
4H 8H 8S 6S 7S 7H 8D 9D 7D 10D 10S 5H 8C
4C 7C JS 3C QH KD 9C AC 2C 3H 9S AH 9H
2S KH JD 2D 3D 5D AS 5C 6H 5S 4D JC 2H

[Next] [Up] [Previous] [Index]

Next
Table of Contents
Main page
[Next] [Up] [Previous] [Index]

Conclusions for Chapter 1


This first chapter has touched on the major basic elements that apply to any form of
encryption.

Its treatment of them has been brief, almost to the point of being perfunctory.
Encyclopedia articles and inexpensive books cover this territory fairly well. The more
recent methods of encryption are covered in more specialized publications; that, and a
fascination with their intricacies, has led me to cover them in more detail.

Because most methods of substitution require some sort of chart or table (the Gronsfeld
was specifically designed to avoid this problem), or a slide or disk for polyalphabetics,
transposition ciphers were quite popular with armies as field ciphers.

Although it is easy to create a cipher that is very difficult to solve by a sufficiently


complicated combination of transposition and substitution, some simple ciphers
combining both are breakable.

During World War I, for a short time Germany used Vigenere encipherment with key
ABC (and, later, with key ABCD - but only for deceptive transmissions and not
important messages) followed by a simple columnar transposition.

For puzzle-solving purposes, the "Nicodemus" cipher breaks a message into complete
rectangular blocks, which are transposed by exactly the same keyword as was
previously used to encipher them in Vigenere. Thus, the enciphered message consists
of groups of plaintext letters encrypted in Vigenere with the same key, which can, of
course, be exploited by the cryptanalyst.

Claude Shannon, the father of information theory, who also contributed to the theory of
chess-playing computers, wrote a paper in The Bell System Technical Journal the title
of which was The Communications Theory of Secrecy Systems in which he noted that
the two basic elements of a cipher system are confusion and diffusion.

This has influenced the design of some cipher systems. A preliminary sketch of the
design of IBM's LUCIFER block cipher, appearing in Scientific American embodied
these elements in almost a pure form. (The actual LUCIFER cipher as implemented
was quite different, although it also embodied those elements, but in a less
straightforward way.)
Generally, confusion is understood as substitution, and diffusion is understood as
transposition.

These terms are, however, general and inclusive. Based on the specific methods of
attaining security found in the actual pencil-and-paper systems we've met so far, I feel
it is warranted to take the dangerous step of moving to a more specific and concrete
division of the operations within a cipher system.

The danger is that it could limit the imagination of cipher designers by being more
concrete. But since the terms 'confusion' and 'diffusion' are tending to be identified with
the simplest forms of substitution and transposition, it seems to me that more detail
might instead stimulate cipher designers to consider more options.

Thus, I propose the following set of basic elements in a cryptographic system:

Confusion
replacing symbols by other symbols.

Diffusion
moving of plaintext symbols to other positions within the ciphertext.

Convolution
the achievement of diffusion by means of confusion; the effect of performing
diffusion on a finer scale than confusion. This refers to what happens in
polygraphic and fractionation systems.

Alternation
changing, from one portion of the ciphertext to the next, of the rules for
confusion and/or diffusion.

Indirection
placing elements in a cipher 'behind' other elements so that their effects are
harder to analyze.

With this division, more of the methods actually used suggest themselves. Also, a
measure of quality can perhaps be noted. For confusion and diffusion, bigger seems to
be better. For alternation, the complexity of the scheme of alternation, its
unpredictability, is the measure of quality.

Associated with these goals are specific means, such as substitution for confusion.

If we view a message as an array of symbols, where P(n) is the n-th element of the
plaintext message P, and C is the ciphertext message, one can illustrate the various
techniques by formulas.
Substitution (Confusion)
Transforming a message by replacing the values of its elements according to
some rule; for example, C(i)=S(P(i)) over all i in the message, where S is a
substitution table indexed over the elements of the alphabet used.

Transposition (Diffusion)
Transforming a message by placing its elements in different locations within the
message; for example, C(T(i))=P(i) over all i in the message, where T is a
transposition table indexed over all the character positions in the message.

Fractionation (Convolution)
Transforming a message from being expressed in a number of symbols of one
alphabet to a different number of symbols in an alphabet of a different size,
combined with transpositions and substitutions on those alphabets. Such a
transformation might have a form such as C(i/2) = S(P(i)*N+P(i-1)) where i
starts as 2 and goes over all the even-numbered characters of the original
message, and N is the number of characters in the original alphabet. Its inverse
would be P(2i) = SL(C(i)) and P(2i-1) = SR(C(i)), where SL and SR are
substitutions such that mapping the characters c of the original alphabet to pairs
( SL(c), SR(c) ) is bijective; that is, different inputs become different outputs in
both directions. This is most useful when substitutions are applied to the
message with the larger alphabet size and fewer characters, and transpositions
are applied to the message with the smaller alphabet size and more characters.

Polyalphabeticity (Variation)
Applying a different substitution rule to different characters of the message.
Thus, C(i)=S(P(i),i) where the output of the substitution is a function of the
character's position in the message as well as the particular character.

Autokey (also Variation)


Causing the rule of encipherment for a part of a message to depend on another
part of the same message. C(i)=S(P(i)+P(i-1)) is a classic form of autokey,
which requires adding a dummy P(0) character to the start of the message. This
results in encipherment differing from one message to another.

Indirection involves preparing things like substitution tables in ways that are ciphers in
their own right; hence, it isn't found very much in simple paper-and-pencil ciphers,
where the amount of work to be done must be kept limited. The methods used for
forming substitution alphabets from a keyword by means of a transposition block, such
as the Ohaver method, noted previously, involve indirection in a sense, but only once
during a message. So there is no basic pencil-and-paper technique which is an effective
example of indirection. However, later on we will see the rotor machine SIGABA,
which may be considered the classic illustration of indirection.
[Next] [Up] [Previous] [Index]

Next
Table of Contents
Main page
[Next] [Up/Previous] [Index]

Early Machine Ciphers


This section looks at some of the simpler ciphers involving mechanical aid to the
cryptographer. Cipher disks or slides are left in the pencil-and-paper section, but the
Wheatstone cryptograph (a set of geared cipher disks which achieved polyalphabeticity
by using plain and cipher alphabets of different lengths) would go here if it were
covered.

● The Bazeries Cylinder


● The Kryha Cryptograph
● The Hill Cipher
● The RED Machine
● The Reihenschieber
● The A-22 Cryptograph

[Next] [Up/Previous] [Index]

Next Section
Chapter Start
Skip to Next Chapter
Table of Contents
Home Page
[Next] [Up/Previous] [Index]

The Bazeries Cylinder


Although originally invented much earlier, by Thomas Jefferson, this type of cipher
machine became generally known after its later re-invention by Commandant Etienne
Bazeries, who wrote a book about cryptology which recommended this device.

About 20 or 30 disks, each with a different scrambled alphabet on the edge, and with a
hole in the centre so they can all be stacked on a common axle, make up the device. The
disks can be numbered on one side, and the order in which they are stacked can be used
as a key that can easily be changed.

To encipher a message, rotate the disks so that its letters line up in one row, and take the
letters in any other row as the encrypted message. Decipherment is possible, because it is
easy to pick out one row of plaintext among 24 others of gibberish that are possible.

This is quite a secure cipher device, especially considering that it doesn't involve a lot of
fancy technology. Since every letter in a block is displaced through a different alphabet,
and every block has a different displacement, it is even possible to mistakenly assume
that it is unbreakable.

However, it isn't unbreakable. Like the Enigma, which we will meet later, no letter can
represent itself. This allows probable plaintext to be positioned against intercepted
messages.

The main attack against this type of cipher is the de Viaris method. If the alphabets on
the cylinder are poorly chosen, it may be that the fifth letter clockwise from E, for
example, can never be some letters, and is one particular letter several times. Thus, an
opponent who has a copy of the cylinder itself and some plaintext may be able to
identify the displacement for a block - and, with that, then determine the order of the
disks.

The alphabets on the M-94, a version of the Bazeries cylinder made from aluminum, and
used by the U.S. during the Second World War, were chosen to be part of a Latin square
to be more resistant to a de Viaris attack. A Latin square is an N by N square containing
the numbers from 1 to N, each N times, so that no number occurs twice in either the
same row or the same column. For example,

1 2 3 4 5
3 1 4 5 2
2 5 1 3 4
5 4 2 1 3
4 3 5 2 1

is an example of a Latin square. However, since

1 2 3 4 5
2 3 4 5 1
3 4 5 1 2
4 5 1 2 3
5 1 2 3 4

is also a Latin square, and is obviously not a good type of sequence for a cylinder cipher,
as every cylinder has the same alphabet, only shifted by one, there is more to choosing a
good set of alphabets for a cylinder than simply using a Latin square.

Ideally, if one were using 25 cylinders for a 26-character alphabet, one would like a
sequence such that, if one aligns any one letter to form a solid row of that letter, then the
remaining 25 letters on the 25 cylinders are, in each case, a Latin square. Then, for each
displacement, and each letter, all substitutes would be equally possible. I do not know
whether or not it is possible to fulfill this condition.

Even when the de Viaris attack is not possible, cylinder ciphers can be broken. During
World War II, the U.S. used an improved version of the cylinder cipher. Strips instead of
disks were used (which, of course, makes no difference in itself), and there were 100 of
them to choose from. The cipher procedure involved choosing 30 strips, but breaking up
the message into blocks of only 15 letters long.

Despite all this, and the fact that they did not have a captured specimen of the device to
work with, cryptanalysts in Nazi Germany were able to break messages enciphered with
the M-138-A.

If one does not have a copy of the device, and in any case the strips or disks used have
been made resistant to the de Viaris attack, it is still possible to attack a Bazeries cylinder
if one has several hundred messages, all sent with the same key.

Using the kappa test (the fact that two unrelated plaintexts will have more identical
characters in corresponding positions than two sequences of random letters, which will
have one coincidence for every 26 letters), one can group together messages with the
same displacement from the row with the plaintext message.

Once this is done, and if one had enough messages to work with, frequency counts can
be used for each position.

After the war, a further improvement was made to the strip cipher. In addition to a daily
order for the strips, keylists also gave a table with a column number (or a blank) under
each of the 26 letters. A random set of five letters was chosen for each message; the
column numbers in the frame corresponding to these letters were not used to encipher
that message. These were called "Channel Elimination Numbers", and the numbers
where the numbers of positions in the frame, not strips. (Since which strip went in which
column was also part of the same daily key, this was important operationally - for ease of
sending different messages, each with its own indicator, during the one day, not
cryptographically.)

As this essentially varied the key for every message, it prevented the statistical attack
outlined above.

The Bazeries cylinder relies on the input plaintext being plaintext, with some
redundancy, so that it can be found. Of course, if one allows expanding the text with an
extra letter, or using a pre-arranged scheme to pick the ciphertext row, variations of the
cipher method can be designed without this limitation, and therefore useful for the
subsequent encipherment of ciphertext.

The following diagram, showing a different kind of strip used for this type of
encipherment:
retains the limitation, while reducing it somewhat. The plaintext SEND MONEY is
being enciphered to the numerical ciphertext 345589628759, and its redundancy is being
reduced in the process by the same amount as a straddling checkerboard would do so.

The principle involved is that a plaintext letter, if found on the right side of the strip, is
represented by that single strip; otherwise, two strips, the first with the symbol > or >>
on the right-hand side, and the second with the plaintext letter in the first, or second,
column on the left-hand side are aligned to represent that letter.

Such a method, though, is only practical if, at least with practice, the row containing
plaintext "leaps out" at the eye of the decipherer.

In the diagram above, the first row contains the nonsense string OGOSRIERH, while the
second one contains the desired plaintext SENDMONEY, and the third contains
YORNEPCF, but that does seem to take some effort to see.

[Next] [Up/Previous] [Index]

Next
Chapter Start
Skip to Next Section
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]

The Kryha Cryptograph


The Kryha cryptograph had a number of variations. It had two disks, each with a
scrambled alphabet that could be changed by the user. One disk moved for each letter
enciphered. The movement was controlled by a pinwheel; if there were, on the
pinwheel at one place, five teeth out followed by one pushed in, then that caused the
moving disk to move five places forwards for one letter.

An earlier model used a fixed gear, which caused the following movements, in order:

7 6 7 5 6 7 6 8 6 10 5 6 5 7 6 5 9

Essentially, the cipher it produced was similar to a progressive-key encipherment with


a keyword and mixed alphabets. Although it took W. F. Friedman only a few hours to
solve a message enciphered on one of these machines, the principles required are
already beyond those normally dealt with in books on cryptanalysis aimed at amateurs
and beginners.

Although the version of the machine solved by W. F. Friedman in "2 Hours, 41


Minutes" (the title of the chapter in Machine Cryptography and Modern Cryptanalysis
by C. Deavours and L. Kruh discussing the Kryha machine) appears to have been the
fixed-gear version, since Friedman was not given the machine to examine, he did not
have the opportunity to solve its cipher even more quickly, as in that case, only 17
trials would have been needed to sort the letters of the test message into
monalphabetically-enciphered groups.

[Next] [Up] [Previous] [Index]

Next
Chapter Start
Skip to Next Section
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]

The Hill Cipher


This cipher was once implemented in the form of a machine using gears and chains like
those used with bicycles. That, and the fact that it is impractical for hand use, while it
predates the computer age, has caused me to put it in this section, although the
appropriateness of this choice is also doubtful.

Supposing you are given the following problem to solve:

2x + y = a
x - y = b

and you want to find out what x and y are in terms of a and b.

The steps you can take to find it are the following:

You can add or subtract a multiple of one equation from another.

You can multiply one of the equations by a number.

You can change the order of the equations.

That last step may seem trivial, but it is included for completeness.

You can make a chart to save you copying the letters x, y, a, and b every time you
perform a step:

x y a b
-------------
2 1 | 1 0
1 -1 | 0 1

and the rows of this chart can be treated like the equations were. In this case, one might
proceed as follows:

x y a b
-------------
2 1 | 1 0 2x + y = a
1 -1 | 0 1 x - y = b
3 0 | 1 1 3x = a + b
1 -1 | 0 1 x - y = b

3 0 | 1 1 3x = a + b
-3 3 | 0 -3 -3x + 3y = -3b

3 0 | 1 1 3x = a + b
0 3 | 1 -2 3y = a - 2b

Of course, the last step of multiplying each row by 1/3rd (or, equivalently, dividing
each row by 3) is still to be taken. I've avoided it here, to omit dealing with fractions.

If one works with numbers in modular arithmetic, particularly if the modulus is not a
prime number, the rules change slightly.

If you add or subtract a multiple of one of the equations from another, you can still use
any multiple, since a multiple of zero is the same as doing nothing, and so since that
does not destroy information, neither will using a number that is not relatively prime to
the modulus.

When multiplying a single row by a number, however, you cannot use a number unless
it is relatively prime to the modulus. The Hill Cipher deals with modulo-26 arithmetic,
and so in addition to zero, 13 and all the even numbers are disallowed for this
manipulation.

Enciphering in the Hill Cipher is the same as finding a and b given x and y, where x
and y are numbers from 0 to 25 substituted for two letters of a digraph being
enciphered, and deciphering is solving for x and y given a and b.

Note that not all systems of linear equations can be solved, and you must choose one
that has an inverse. One way to do this is by performing the manipulations allowed for
finding an inverse on a square with zeroes everywhere except along the diagonal, since
this will always result in a square that can be brought to that form by these same
manipulations.

Also, the square formed by the coefficients of this kind of equation is called a matrix.
The act of finding a and b for x and y, using the original form of the equations which
directly give a and b as functions of x and y, thought of as an operation using the
square of numbers we began with in the x and y columns (called a matrix) is called
multiplying the vector (x,y) by the matrix to get the vector (a,b). The square
representing x, y, and z or a, b, and c on one side of a set of equations, with a 1 at the
start of the first row, in the second place in the second row, and so on, with zeroes
everywhere else, is called the identity matrix, since if a=x, b=y, c=z, then finding a, b,
and c for x, y, and z gives you the same numbers.

The linearity in the Hill cipher is its weak point. So a scrambled alphabet for
converting letters to numbers needs to be used, and it is important to remember that
that scrambled alphabet is a very important part of the key.

[Next] [Up] [Previous] [Index]

Next
Chapter Start
Skip to Next Section
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]

The RED Machine


A rotor machine usually uses a disk with 26 contacts arranged in a circle on each side.
When the rotor moves, the contacts on both sides of it advance.

A rotor which had 26 contacts in a circle on one side, and a spindle with 26 contact
strips on the other side, is always sure, when it moves, to take each letter to a different
substitute. Such a rotor is called a half-rotor, and the Hagelin B-211, which we will
meet later, uses such rotors as well.

The Japanese cipher machine which was codenamed RED by American codebreakers
behaved as if it consisted of two half-rotors, one with 20 contacts for 20 consonants,
and one with 6 contacts for 6 vowels, counting Y as a vowel. This property allowed
encrypted text to be pronounceable, thus allowing use of the commercial telegraph
system.

This division of the alphabet was perpetuated in the PURPLE machine, which was a
weakness of that machine, although it at least had a plugboard so that the six letters
handled by themselves could be any six letters.

Also, while American codebreakers built their own RED work-alikes that really did
have two half-rotors, the actual machine used by the Japanese had only one half-rotor;
the spindle had all 26 strips, and the wheel face had two sets of 60 contacts, one wired
with the same scramble of 20 characters repeatedly, and the other wired with the same
scramble of the other 6 characters repeatedly.

The 60-contact wheel usually moved one step for each character enciphered, but not
always. Its motion was controlled by a 47-position gear or pinwheel. Only eleven of the
teeth could be disabled, including four adjacent pairs of teeth.

When an enabled tooth is active, the rotor advances one position for the letter currently
enciphered.

When a disabled tooth is encountered, the rotor also advances one position, but the 47-
position gear continues to advance for the current letter. Thus, occasionally the rotor
will move two or even three positions when a letter is enciphered, but it will always
move exactly 47 positions for each cycle of the 47-position gear. That cycle will take
less than 47 letters, one less for every disabled tooth.
[Next] [Up] [Previous] [Index]

Next
Chapter Start
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]

Reihenschieber
This device really belongs among the paper-and-pencil systems. But it is placed here in consideration of the fact
that, briefly, from 1958 to 1960, it was considered adequate to safeguard even top secret material.

The Reihenschieber resembled a slide rule in shape. Ten square sticks, taken from a set of 26, were placed in it, and
a grille slid along the device.

The 26 sticks that came with the device were each labelled with a letter of the alphabet. Which ten sticks to use in
the device was determined by the daily key, a sequence of ten different letters. Each stick had ten dimples on each
of its four sides, which allowed it to be placed between the Reihenschieber's rails in ten positions. These were
determined by another daily key, this time of ten digits. The ten digits (with the last one repeated to make an
eleventh digit) were used to encipher a five letter area indicator, which was sent with the message, repeated twice
using the same method that the digits the Reihenscheiber generates are used to encipher messages: each digit
indicates the column in a table containing the enciphering alphabet, and in addition the following digit, depending
on whether it is low (0-4) or high (5-9), selects one of two tables.

The sticks were printed with random sequences of digits, interspersed with the odd dot. The dots were ignored when
encountered, being present to make the sequence of digits produced by the device irregular. To the left of these
digits, there was an expanse with some letters and blank spaces; this expanse contained each of the 26 letters once
in an area 10 characters long on the four sides of the stick. The ten letters, generated from the ten digit key called
the "message key", were placed in a line, and thus these 10 letters specified both the horizontal placement and the
side which was to be uppermost, for each stick.

A frame that held grilles on the front and back (the strips were also printed with digits on the back) slid along the
device like the cursor on a slide rule. With each month's supply of key material, three sets of grilles were supplied,
each for use for a period of 10 or 11 days. As the strips ran along the device, going from left to right, the numbers
the device produced were those read out from the grille vertically, first from top to bottom, and then from the
leftmost column to the rightmost column. After reading out the digits shown at one slide position, the slide was
flipped over to read the numbers showing on the back as well before the slide was advanced along the ruler for the
next group of numbers. The grilles had 10 columns; the article which is my source claims they had 25 holes, but
gave an example with 26.

The grille could be slid through 52 positions, labelled first with the lowercase alphabet and then the uppercase
alphabet. The first position used was the one with the lowercase letter corresponding to the last letter of the
enciphered area indicator as used to slide and rotate the ten sticks.

Therefore, the Reihenschieber looked something like this:

____________ ______________
______| |___________________________|
/ | | |_
| | | abcdefghijklmnopq| ----------
---------------| |---------------------------| | - -|
|X u ae l pr| | 1701.5433.626.90512.3| | |7| |4|
---------------| |---------------------------| |- - - -|
|E i qj| |ooo 849.216.55.1034.2| |6| |.| |
-------------| |---------------------------| |-- -- - |
|G m uwi o| |o 65.20473.12.9.14516| ||4| |.||3||
-------------| |---------------------------| | - - - -- |
|P a| |ooooooo 9.250.3961490| | |0| |7| |
------------| |---------------------------| |- - - - -|
|V oi u xm| |oo 131.6150492.747318| |9| |2| |5|
--------------| |---------------------------| |-- - --|
|A py x q r| | 24619.43.529.6565.34| ||.| |5||.||
--------------| |---------------------------| | -- - -- |
|W hwm z| |oooo 5.1693.40453.112| | |.| |3| |
------------| |---------------------------| |- - - - |
|C i eqrl| |oo 87.21295.306172.91| |4| |3| |
------------| |---------------------------| |- - -- -|
|T c| |oooooooo .40541.331.6| | |1||.||8|
-----------| |---------------------------| | - -- - --|
|J u mtnw| |oooo 259.10129.6542.3| ||8||4| |1||
-----------| |---------------------------|_ | - - - |
| | | abcdefghijklmnopq| ----------
\______| |___________________________|
|____________| |______________

and in the position shown, the encipherer would read off the digits 6944870142537331458 for use in enciphering.
The slide continues on like this:

_____
|_____________________________________
| \
-- |IJKLMNOPQRSTUVWXYZ |
-| |----------------------------------------
|4| |802.1221607.435549.2076.24391462 EF|
-| |--------------------------------------------
| |.4335.20623.49.17029.33406.415.3307. EF|
- | |--------------------------------------------

Also, the four sides of one of its sticks would have looked something like this:

---------------------------------------------------------------------------
|A py x q r oooooooooo 24619.43.529.6565.3471.52.403569.19382.1
---------------------------------------------------------------------------
|A u mvjo zt oooooooooo .95190.317.45602.12995.138.440.27061.630
---------------------------------------------------------------------------
|A ek lbd c s oooooooooo 437.1512.44691.703977.69.405631.29331.95
---------------------------------------------------------------------------
|A nh gfi aw oooooooooo 2026.19.5113.4072.6198.20541.35622.9271.
---------------------------------------------------------------------------

The A at the left end indicated which square stick it was; on the other end, a code of two capital letters indicated
which set of sticks a stick belonged to. There are 52 usable positions for the grille; as the grille is 10 columns wide,
and there are 10 possible horizontal positions for the slide, the area of numbers and dots is 52 + 9 + 9 or 70
characters long.

Thus, the Reihenschieber did not encipher text directly. It simply was used to generate a stream of digits, which was
used as a key.

The digits were used to encipher text using a table of twenty alphabets, organized as two tables of ten alphabets.
One digit was used per letter to be enciphered; the digit picked one of the alphabets from a table; which table was
decided by whether the next digit (which will later be used to encipher another letter) was high (5-9) or low (0-4). A
new set of tables was provided each month.

My source for the information in this section is an article from the April 1996 issue of Cryptologia. The author,
Michael van der Meulen, had also done a few previous articles on German paper-and-pencil systems.

Comments on the Reihenschieber


The Reihenschieber as described here is certainly an interesting and unusual type of device. It is possible that the
old cipher device known as Ducros' Scotograph was somewhat similar to this, rather than being a variant of the
Bazeries cylinder as usually thought. And a device of this type has the potential to be quite secure.

But the Reihenschieber as described here seems to have some flaws that reduce its potential security.

● The grille has more than 10 holes. Although the dots on the sticks help, this still means that digits will repeat
at almost regular intervals.
● Of the forty possible positions for each stick, only 26 are ever used. This would not be a problem if the sticks
were frequently replaced, but they are part of the "hardware" of the device.
● The "area key" is the only thing that varies the keying of one day's messages using the same key list. There
is no indicator that varies randomly with each message.
● There is no reason for the message key not to consist of eleven digits, even if the last one need only be either
0 or 5. Or, for that matter, why not twelve digits, so that the starting position of the grille can be derived
separately.

If one is ambitious, one might even advocate using a monthly table with 100 alphabets, and using two digits to
encipher every letter, rather than using 20 alphabets (a number less than 26, and therefore also dangerous).

[Next] [Up] [Previous] [Index]

Next
Chapter Start
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]

The A-22 Cryptograph


This cipher machine was a simple one of purely mechanical construction, but it
produced a cipher with a long period.

A drum, containing 29 mixed cipher alphabets, advanced two positions each time the
machine was used to encipher a letter.

An alphabet in normal order contained the plaintext letters. A window high enough to
expose two of the alphabets on the drum was present on the device. The plaintext
alphabet was moved in an irregular sequence to cover either the top or the bottom
alphabet of the two on the drum that were behind the window, but whether the normal
alphabet was the high one or the low one, it was always the one used for plaintext.

Thus, the movement of the bar with the plaintext alphabet simply controlled which of
two of the 29 cipher alphabets would be used at each step.

The irregular movement of this bar was controlled in two steps. First, a 25-pin
pinwheel advanced with each letter enciphered. Active pins on this pinwheel advanced
a chain with a variable number of links; some of those links were shaped to call for the
plaintext alphabet bar to be in its lower position, some were shaped to call for it to be
in its higher position.

Unfortunately, the cipher produced by this machine as described so far is quite weak; if
one knows that an A-22 has been used, one simply divides the encrypted message into
groups of 29 letters. Then, for each column of letters at that spacing, only two
alphabets are used, and this fact diminishes the benefit of the elaborate mechanism
devoted to alternating between those two. Instructions provided with the machine,
however, suggested advancing it two or three steps after enciphering some letters;
those who went to this extra effort would have obtained a greater degree of security.

[Next] [Up] [Previous] [Index]

Next
Chapter Start
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]

The Hagelin Machines


Although the Swiss firm founded by Boris Hagelin has manufactured, and continues to
manufacture, many kinds of cipher machine, the words "Hagelin machine" will
normally inspire thoughts of their unique lug and pin based machines.

The basic principle of a Hagelin lug and pin machine is easy enough to describe. In the
C-38, used by the U.S. Army as the M-209, six pinwheels, with 17, 19, 21, 23, 25, and
26 positions on them, can be set by the user with an arbitrary series of pins that are
active. For every letter enciphered, all the pinwheels rotate one space.

The combination of active and inactive pins is presented to a cage with 27 sliding bars.
Each bar has two sliding lugs on it, which can be placed either in a position where it is
inactive, or in a position corresponding to any of the pinwheels, so that it will slide the
bar to the left, if the pin currently presented by that pinwheel is active.

The number of lugs sticking out rotates the cipher alphabet against the plaintext
alphabet. The two alphabets used are just the regular alphabet, and the alphabet in
reverse order, from Z back to A. This meant that encipherment was reciprocal,
although the machine still had a switch to select encipherment or decipherment: this
determined if the machine printed its output in five letter groups, or if it translated one
letter, chosen by the user, to a space.

The C-52, a postwar version of the Hagelin lug and pin machine, added an extra five
sliding bars to the cage that, instead of moving the cipher alphabet, caused the stepping
of the pinwheels to be irregular. The first pinwheel always moved, but the remaining
five pinwheels only moved when their corresponding bars were slid to the left. The six
pinwheels were labelled A, B, C, D, E, and F from left to right; bar 1 controlled
pinwheel B, bar 2 pinwheel C, and so on.

Also, on the C-52 the lugs could be moved from bar to bar, and the six pinwheels were
chosen from a set with lengths 25, 26, 29, 31, 34, 37, 38, 41, 42, 43, 46, and 47. Using
the pinwheels with lengths 34, 38, 42, 46, 25, and 26 allowed one to achieve
compatibility with the C-36: provided one also turned off the irregular pinwheel
stepping feature.

The alphabet always started from its normal position, instead of the position last used,
before being rotated by the projecting slide bars. This was perhaps the machine's main
weakness, as it made attacks based on frequency counts of displacements possible, but
it was perhaps unavoidable, since there was always a slight possibility of occasional
mechanical errors. Particularly as the machines were often used on battlefields.

In setting the lugs on the sliding bars, it was important to put many lugs for some
pinwheels, and few lugs for others, so as to get an even distribution of displacements:
basically, although some bars with two lugs active were desirable for irregularity, the
arrangement needs to approximate a binary coding of the active pins - that is, one
pinwheel might have only one lug facing it, another two, another four, and another
about eight, and another about thirteen or so.

For the C-52, in setting up lugs on the first five bars, it was important to ensure
frequent movement of the pinwheels.

[Next] [Up] [Previous] [Index]

Next
Chapter Start
Skip to Next Section
Table of Contents
Home Page
[Next] [Up/Previous] [Index]

Simple Cryptanalysis of the Basic Lug


and Pin Machine
Although the Swiss firm founded by Boris Hagelin has manufactured, and continues to
manufacture, many kinds of cipher machine, the words "Hagelin machine" will
normally inspire thoughts of their unique lug and pin based machines.

The basic principle of a Hagelin lug and pin machine is easy enough to describe. In the
C-38, used by the U.S. Army as the M-209, six pinwheels, with 17, 19, 21, 23, 25, and
26 positions on them, can be set by the user with an arbitrary series of pins that are
active. For every letter enciphered, all the pinwheels rotate one space.

The combination of active and inactive pins is presented to a cage with 27 sliding bars.
Each bar has two sliding lugs on it, which can be placed either in a position where it is
inactive, or in a position corresponding to any of the pinwheels, so that it will slide the
bar to the left, if the pin currently presented by that pinwheel is active.

In this section, we will examine how messages sent on the original C-38 machine could
be cryptanalyzed, in the simplest case. That is, I will assume that a large number of
intercepts for a given day (or whatever period intervenes between key changes) are
available, and that the message indicator, giving the initial positions of the pinwheels,
is not encrypted (or, which is the same thing in practice, any method of encryption used
for the pinwheel position has been revealed to the cryptanalyst by some other method
of intelligence).

The first thing to do is to find a pair of messages that have pinwheel settings that
overlap. To find overlaps, the first step is to convert a pinwheel setting into a number in
the sequence of pinwheel positions that the machine experiences. (Note that when the
machine was improved to have an irregular pinwheel motion, this approach could not
be used; overlaps could still be found, but then one would have to perform kappa tests
on every pair of messages, a tedious process requiring automated assistance.)

Such conversion relies on the Chinese Remainder Theorem: given a series of integers,
such as a, b, and c, which are all relatively prime to one another, the remainder of a
number after division by a, b, and c is sufficient to uniquely identify that number if it is
known to be within a range of length a times b times c.

Thus, for example, the numbers 1 through 15 have different remainders modulo 3 and
modulo 5:
1 | 1 1 6 | 0 1 11 | 2 1
2 | 2 2 7 | 1 2 12 | 0 2
3 | 0 3 8 | 2 3 13 | 1 3
4 | 1 4 9 | 0 4 14 | 2 4
5 | 2 0 10 | 1 0 15 | 3 0

How can we quickly convert a pair of remainders to the number it is associated with,
without performing a table lookup? Basically, we can take one remainder as is; the
remainder modulo 5 tells us something we will need to know to find the number. But
we then want to use the other remainder, the one modulo 3, to tell us how many times a
whole 5 needs to be added to this remainder.

How might we do this? Looking at the way the groups of five numbers start, it seems
that the difference between the two numbers might be considered. That difference is:

1 | 1 1 0 6 | 0 1 -1 11 | 2 1 1
2 | 2 2 0 7 | 1 2 -1 12 | 0 2 -2
3 | 0 3 -3 8 | 2 3 -1 13 | 1 3 -2
4 | 1 4 -3 9 | 0 4 -4 14 | 2 4 -2
5 | 2 0 2 10 | 1 0 1 15 | 3 0 3

From this, it can be seen that if we take the difference modulo 3, it nicely separates the
numbers into three groups of five, but we have to shift to starting with 0, as is only to
be expected, since the remainders modulo 15 run from 0 to 15.

Since 5 modulo 3 is 2, the difference increases by 2 for each group of 5.

Thus, the rule, which can be applied repeatedly to convert a group of several
remainders to a remainder modulo their product, is:

Given two prime numbers, A and B, where A is less than B, and the remainders
modulo those primes, a and b, of an unknown number, the remainder of that number
modulo AB is determined as follows:

● Let k equal a minus b, modulo A.


● Divide k by the value of B modulo A, and call the result m.
● The remainder of our number modulo AB is b plus m times B.

Once we have found two overlapping messages, the second step is to solve for the
plaintext of those messages over the extent of the overlap. Because the machine
produces successive shifts of a known alphabet, we know that the distance between two
ciphertext letters at a given position corresponds to the distance between the two
plaintext letters they represent, so for each position, we have only 26 out of 676
possibilities to consider for two letters. (Remember, the plaintext alphabet and the
cipher alphabet are the normal alphabet and the reversed alphabet, and the distances
between letters must be considered in their own alphabets.) Eliminating pairs which
have an uncommon letter in either position narrows down the possibilities for each
letter in each message.

For a machine like the Sigaba, which produces a different alphabet for each letter, an
attack at a "depth of two" is probably impossible without much additional information.

Having some plaintext and corresponding ciphertext, we can derive from that the series
of displacements generated by the operation of the lugs and pins over the part of the
sequence of pinwheel positions in question.

At this stage, one can apply sophisticated techniques, which have been described
elsewhere, to attempt to reconstruct the lug and pin settings of the machine. In order
that different combinations of active and inactive pins will tend to produce different
numbers of shifted lugs (different displacements of the alphabet), the lugs need to be
distributed among the positions corresponding to pinwheels in a manner that assigns
different weightings to the different pinwheels, resembling, but not identical to, the
weighting of binary numbers (16, 8, 4, 2, 1). Thus, if one looks for large displacements
and how they alternate with small ones, one may find a pattern that indicates where the
lugs are on at least one pinwheel.

The third step is to find messages which have an almost overlap. A list of all the
pinwheel positions in the overlap will help with this; it can be compared to the start and
end pinwheel positions of other messages (and middle positions, if the other messages
are long enough, and the overlap is short enough). An almost overlap is a span of
letters in a message where the positions of five of the six pinwheels have matching
positions to the pinwheels enciphering the (full) overlap sequence with which it is
being compared.

Since each pinwheel contributes only a single bit of input to the cage which determines
the displacements (note that for a computer version of this type of cipher, which
XORed together whole bytes in lists of differing length as input to an S-box, this would
not work), half the time, the displacement would match that of the displacement in the
message with which the almost overlap exists. So, a trial decipherment can be made
using those displacements, and it should not be hard to pick out the half of the letters
that are right. This gives information on whether a pin in one position on a pinwheel
has the same active or inactive state as a pin somewhere else.

Multiple almost overlaps involving the same odd pinwheel allow reconstruction of the
pinwheel; so does the fact that an extra active pin results in an increased displacement
(although there are exceptions to that rule once the cage has more than 25 lugs in it).
Constructing a table with 64 entries (corresponding to the combinations of active and
inactive pins) giving displacements is sufficient to read messages, although it is
doubtless possible to reconstruct the lug settings from the displacement table.

[Next] [Up/Previous] [Index]

Next
Chapter Start
Skip to Next Section
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]

The Hebern Rotor Machine, and PURPLE


The rotor machine is what many people will think of when they think of a cipher
machine. And the most straightforward type of rotor machine is the one invented by
Edward Hebern, in the United States.

Here's a very crude artistic impression (in ASCII-Art, yet!) of what this beautifully-
made machine looked like:

___
___ '-.
_ ___ '-. \
_ o\_____ ___ '-. \ |______
_ \ | ___ '-. \ | _/\
_ o\ | ___ '-. \ | _/ _ |
/ \ ___ '-. \ | _/ _/o\ \
| O | ___ '-. \ | _/ _/o | |
_/| |.-' '-. \ | _/ _/o o \ \
_/ / \ | _/ _/o o o | |
/_______| |_____ _/ _/o o o _/ _/ === ===
| .-. | /o o o _/ _/ === === ===
| /-. )_________ \ \ o o _/ _/ === === ===|
| ( )________ \ | | o _/ _/ === === ===| |
| \_________ \ ) \ \o _/ _/|=== === ===| |_|
| | ( ) | |/ _/|__|| || || |_|
| .-. | |'-' \ _/|____||__||__||_|
| ( ) _|____|_ | | | |___|
| '-' \ / | |_____|---
| \_____======O===========O/
|________________________________|/

The Japanese cipher machine the American solvers of which called it PURPLE didn't
have any rotors in it, but instead used telephone stepping switches. However, in some
ways, it was still closely related to a rotor machine, and so it will be discussed here as
well.

While the term code as distinct from cipher sometimes refers to a substitution on words
and phrases as distinct from one on letters or digraphs, and sometimes (as in "Morse
code", "Hamming code", or "Huffman code") seems to be applicable to any fixed
substitution, forcing me to employ it somewhat loosely, I have been fastidious in
restricting the use of the term "rotor machine" to cipher machines with wired rotors,
which operate by changing a substitution produced by wires inside the rotor to its
contacts when the rotor is rotated. Other cipher machines, operating on different
principles, but with rotating parts (such as the Hagelin lug and pin machines, or the
Lorenz SZ-40) which operate on entirely different principles, have occasionally been
referred to in print as "rotor machines". I wish to disparage this trend, as it would make
the term "rotor machine" much less useful, by causing it no longer to refer to a family
of cipher machines which all are based on a common cryptographic principle.

● Rotor Machine Basics


● The Interval Method
● The Isomorph Attack
● PURPLE, CORAL, and JADE

[Next] [Up] [Previous] [Index]

Chapter Start
Skip to Next Section
Next Chapter
Table of Contents
Home Page
[Next] [Up/Previous] [Index]

Rotor Machine Basics


A rotor is a small disk of insulating material, with perhaps 26 equally-spaced electrical contacts
in a circle on each side. The contacts on one side are connected to the contacts on the other side
in a scrambled order.

In Hebern machines, the contacts on the rotors were simply flat circles of metal; the machine
had ball contacts on springs to make contact with them. This allowed the rotors to be put in
upside down, for more possible keys. The Enigma, on the other hand, was built more cheaply;
the rotors had plain metal contacts on one side, and spring contacts on the other. This almost
halved the number of contacts needed, provided you didn't decide to use a new set of rotors.

A rotor provided a changing scrambled alphabet, by (you guessed it!) rotating. A rotor with 26
contacts on each side, each corresponding to a letter of the alphabet, that changed E to M before
rotating would now change D to L (or F to N, depending on the direction in which it rotated),
while E could become any other letter, depending on the way the different wire went that was
now brought into position to encipher it.

Note that the example given had the rotor moving "backwards" by default. If the rotors are
labelled with letters going in the same direction as the use of the input contacts, and they
advance so that the next letter in the alphabet becomes visible at a fixed position, the result will
be to move the contacts on the rotor to the input contacts corresponding to the previous letter
from the ones to which they were previously connected.

The five rotors on a Hebern machine came close to moving like the wheels of an odometer.
However, they did not move precisely in this way. There were fast rotors, which moved once for
every letter enciphered, medium rotors, which moved once for every 26 letters, after a carry
from the fast rotors, and there were slow rotors, which moved once after 650 (rather than 676)
letters were enciphered. And there could also be rotors that didn't move at all, except that they
could be set by hand before encipherment began. Some versions of the five-rotor Hebern
machine had control levers, which determined which rotors moved each way.

The 'carries' between rotors were handled by ratchet gears that were at the two ends of the shaft
carrying the rotors. The reason for the slow rotors moving after every 650 letters was because
the machine was designed to avoid having the slow rotor moving at exactly the same time as the
medium rotor, since having all the rotors move together seemed like a weakness.

A good picture of a Hebern rotor machine appears in the July, 1966 issue of Scientific American,
which has an article on cryptology by David Kahn.

The following diagram may illustrate a little about how a rotor machine works:
In the first section, we see the keyboard connected to a set of contacts, arranged in a circle,
forming the input to the first rotor. Often, the contacts are arranged so that the contacts on the
circle are in alphabetical order; the early commercial Enigmas were wired so that the contacts
matched the keyboard arrangement instead.

In the second section, I attempt to illustrate that the contacts on both sides of a rotor are
connected so that each contact on one side is connected to one contact on the other side, but in a
scrambled way.

In the third section, I follow the fate of the letter E through three rotors, before and after the one
in the middle advances one step. The path of electricity through the first rotor stays the same;
but the movement of the second rotor has brought a second wire into contact with the electricity;
the wire formerly used is shown as a dotted line in its new position. The third rotor has not
moved, but since the electrical current has left the second rotor from a different contact, a
different wire in that rotor is used also, the old one also shown as a dotted line, but this time in
the same position.

The Hagelin HX-63

One late rotor machine design that has become known to the public is that of the Hagelin HX-
63, which was offered for sale in the early 1960s, but was quickly phased out by electronic
cipher devices.

It had nine rotors, each with 41 contacts. As it enciphered a 26-letter alphabet, wires looped 15
of the rotor bank's output contacts back to its input.

There were two plugboards with the machine; one scrambled the 26 plaintext letters on input,
and another scrambled the 15 loopback connections. (It is somewhat surprising that a plugboard
scrambling the plaintext on input was chosen over one scrambling the ciphertext on output: it
would seem the latter would provide better protection against cryptanalysis, for the same reason
that a Type II slide is to be preferred over a Type I slide.)

The following diagram illustrates the wiring of an HX-63, showing the wires that are looped
back and the plugboards:

It is described as having a "very irregular" motion of the rotors, and each rotor had a set of 41
switches the setting of which would vary the effective wiring of that rotor.

Although I do not know what wiring scheme was chosen for those switches, one possibility
might be something like this:
Friedman Squares and Symmetry of Position for Rotors

The alphabets produced by a single rotor in its various positions can be shown in a tableau
similar to those used for Vigenere; such a table would look like this:

Rotor
position Plaintext
| A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
-----------|-----------------------------------------------------
A | L N K Y U W Z J X H E I A O G S P V C T D R B Q F M
B | M J X T V Y I W G D H Z N F R O U B S C Q A P E L K
C | I W S U X H V F C G Y M E Q N T A R B P Z O D K J L
D | V R T W G U E B F X L D P M S Z Q A O Y N C J I K H
E | Q S V F T D A E W K C O L R Y P Z N X M B I H J G U
F | R U E S C Z D V J B N K Q X O Y M W L A H G I F T P
G | T D R B Y C U I A M J P W N X L V K Z G F H E S O Q
H | C Q A X B T H Z L I O V M W K U J Y F E G D R N P S
I | P Z W A S G Y K H N U L V J T I X E D F C Q M O R B
J | Y V Z R F X J G M T K U I S H W D C E B P L N Q A O
K | U Y Q E W I F L S J T H R G V C B D A O K M P Z N X
L | X P D V H E K R I S G Q F U B A C Z N J L O Y M W T
M | O C U G D J Q H R F P E T A Z B Y M I K N X L V S W
N | B T F C I P G Q E O D S Z Y A X L H J M W K U R V N
O | S E B H O F P D N C R Y X Z W K G I L V J T Q U M A
P | D A G N E O C M B Q X W Y V J F H K U I S P T L Z R
Q | Z F M D N B L A P W V X U I E G J T H R O S K Y Q C
R | E L C M A K Z O V U W T H D F I S G Q N R J X P B Y
S | K B L Z J Y N U T V S G C E H R F P M Q I W O A X D
T | A K Y I X M T S U R F B D G Q E O L P H V N Z W C J
U | J X H W L S R T Q E A C F P D N K O G U M Y V B I Z
V | W G V K R Q S P D Z B E O C M J N F T L X U A H Y I
W | F U J Q P R O C Y A D N B L I M E S K W T Z G X H V
X | T I P O Q N B X Z C M A K H L D R J V S Y F W G U E
Y | H O N P M A W Y B L Z J G K C Q I U R X E V F T D S
Z | N M O L Z V X A K Y I F J B P H T Q W D U E S C R G

This kind of table, for a rotor, is called a Friedman square.

Just as a Vigenere table has a regularity, in that it shows the same alphabet in its rows (and
columns) repeatedly, only shifted, here a regularity is visible as well, but it is subtler: the
diagonals of this square are shifted regular alphabets.

A powerful technique, symmetry of position, is used with polyalphabetic ciphers produced by


mixed-alphabet slides. Since this table also has regularities, the same technique can be adapted
to its structure.

In a mixed-alphabet Vigenere, if the letters A and B become Q and V in one alphabet, and T and
R in another, then Q and V are separated by the same distance as T and R in the cipher alphabet.
In a rotor machine where the entry rotor is the fast rotor, the principle is the same, except now if
the fast rotor has moved one position between the two alphabets, the comparison would be
between A and B becoming Q and V in one position, and Z and A becoming T and R in the
other position.

So in this case, the two mixed alphabets being considered are the one provided by the fast rotor,
and the one provided by the other rotors. The shifts of the fast rotor need to be compensated for
in the input. Similarly, if the output rotor were the fast rotor, the shifts would be adjusted for in
the ciphertext letters.

What about the case when the input and output permutations to a rotor are both unknown? For
example, when the fast rotor is in the middle of a stack of five rotors. At first, it might seem
hopeless to apply symmetry of position to that case, because there seems no way to tell when an
input or output in one case involves the same wire in the moving rotor or not as in another case.

But there is a way to apply symmetry of position in this case, given enough text with
overlapping key settings. Incidentally, if the entry and exit alphabets of the rotor machine as a
whole are known, in the case we are considering, where rotor 3 is the fast rotor, positions where
rotors 1, 2, 4, and 5 are all displaced by the same amount, the known plaintext, known
ciphertext, and fast rotor position can all be translated to permit including known plaintext from
such a key setting for comparison.

One thing is assumed to be known, the position of the rotor being examined, which advances
one step each time while the other rotors do not move.

With nearly complete alphabets, some progress can definitely be made in this case.

Another possibility does not produce certain results, only probable relationships.

Suppose that in position 1 of the rotor under study, plaintext A becomes ciphertext B; in position
7 of the rotor under study, plaintext C becomes ciphertext B; in position 11 of the rotor under
study, plaintext C becomes ciphertext D; and in position 14 of the rotor under study, plaintext A
becomes ciphertext D.

This creates a closed cycle of equivalents, separated by a given pattern of rotor displacements.

If we also knew that in position 2 of the rotor under study, plaintext W became ciphertext X; in
position 8 of the rotor under study, plaintext Y became ciphertext X; in position 12 of the rotor
under study, plaintext Y became ciphertext Z; and in position 15 of the rotor under study,
plaintext W became ciphertext Z, then we might think it likely that the two structures
correspond, and the same rotor wires are involved in corresponding steps of the two cases.

If so, then W precedes A, and Y precedes C, on the input side of the rotor, and X precedes B,
and Z precedes D, on the output side of the rotor, by exactly one position in each case.

Since all our elementary facts about the rotors are of the form perm(e-7)=R-7, that is, a
relationship between one plaintext letter and its equivalent for one particular rotor position, there
is no way to directly amass equations that can be used to solve for any direct facts about the
structure of the rotor as an unknown; instead, differences and patterns have to be relied upon.

Entry Into a Rotor System

Symmetry of Position is a technique that is used to reconstruct rotor wirings when a large
amount of information is available about the alphabets produced by a rotor. But how does one
get started attacking ciphertext produced by a rotor machine?

Let us assume the simplest case, where one knows the initial positions of the rotors for each
message, and where the fast rotor is the exit rotor. However, we can allow an unknown
assignment of the exit contacts from the rotor bank to the display or printer of the rotor machine,
and we will assume that only ciphertext is available.

With the exit rotor the fast rotor, one has stretches, 26 letters long, where the fast rotor, in its
different positions, is the only thing enciphering monalphabetically enciphered text. But each
stretch deals with text enciphered in a different monalphabetic cipher, so how can that help us?

The chance that two texts, enciphered independently, will have the same letter at any given
position, is 1/26. Two plain-language texts, or two texts enciphered in an identical manner by
means of a polyalphabetic cipher, will have a greater number of coincidences; aligning
messages on the basis of single letter coincidences is called the kappa test. But let us assume we
do not have any overlapping rotor settings to help us. How can the principle of the kappa test
help us?

Monalphabetically enciphered texts, even if they are not enciphered by the same monalphabetic
cipher, still have one thing in common: they have an uneven frequency distribution. In English,
the letter E makes up 12% of an average text, and the letter T makes up 9%. Twelve percent of
26 is just over three.

Thus, one can take our stretches of 26 enciphered letters, and compare them with each other.
When we find coincidences, it is likely that the monalphabetic substitutions which provided the
inputs to the fast rotor in both cases used the same letter or letters as substitutes for one or more
high-frequency plaintext letters.

Thus, in the ideal case, by coincidences we might find a number of stretches with many
coincidences with each other, and in each of the 26 positions in a stretch, the letter involved in
the most coincidences would be the substitute provided by the fast rotor for the particular letter
that, for most of those stretches, was the substitute for plaintext E produced by the rest of the
rotor machine.

Since there are several high-frequency letters in English, the result is not likely to be that easily
obtained; instead, there will be many possibilities, and the technique of symmetry of position,
above, will be one of the things used to narrow down the possibilities.

[Next] [Up/Previous] [Index]


Next
Chapter Start
Skip to Next Section
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]

The Interval Method


If you could rotate only one side of a rotor, then you would be guaranteed that for each of the 26 possible positions, every
input letter would be connected to a different output letter. A special kind of rotor, called a half-rotor, can do this, by
having contacts in a circle on one side, and bands around an axle on the other side. But this kind of rotor is bulky and
expensive compared to a normal rotor. To ensure that moving a rotor through its possible positions will produce 26
alphabets that are as different as possible, a method called the interval method can be used in wiring rotors.

Edward Hebern originated this method himself; this perhaps is less surprising than it seems (one would, perhaps, have
expected the master cryptologist W. F. Friedman to come up with it, for example) when one considers that his first rotor
machine, made for use by users in the commercial world, only had one rotor in it.

Finding an interval method rotor sequence is related to solving the Eight Queens problem, except in this case the problem
involves a chessboard that allows one to move off any edge and then back on on the opposite edge, and the "queens" can
only move and capture along one diagonal, the same diagonal for all of them. A perfect solution is possible only on a board
of odd order; seven queens on a 7x7 board, nine queens on a 9x9 board, but for this modified problem, there is no solution
for eight pieces.

A simple proof of this fact depends on properties of triangular numbers. The nth triangular number is (n^2+n)/2. If n is an
odd number, this is a multiple of n, but if it is an even number, this is an odd multiple of n/2.

On both sides of a rotor, one wire is connected to each contact. So, if the wires are connected to each contact on the
opposite side, the sum of the displacements must be equal to zero, modulo the size of the rotor, since the wires are still
connected to contacts with the same numbers, contact 1 through contact n. If one tries to use all possible displacements
from 1 to n, (or from 0 to n-1, if you prefer) then for even n, the sum will be wrong.

Here is an example of an interval method wiring:

From: 1 2 3 4 5 6 7 8 9
To: 5 4 3 2 1 9 8 7 6

(Difference: 4 2 0 7 5 3 1 8 6)

An interval method wiring for an even number of contacts will have exactly one possible difference omitted, and one
repeated twice. Fortunately, while the above example of an interval method sequence is highly symmetrical, there are many
possible arrangements that satisfy the interval criterion, and most appear almost random.

Here is another example of an interval method wiring, this time for a 26-contact rotor:

From: A B C D E F G H I J K L M N O P Q R S T U V W
X Y Z
To: L N K Y U W Z J X H E I A O G S P V C T D R B
Q F M

(Difference: 11 12 8 21 16 17 19 2 15 24 20 23 14 1 18 3 25 4 10 0 9 22 5
19 7 13)

Here, only the difference of 6 is omitted, and only the difference of 19 occurs twice.

Note that it is the alphabet used for constructing an example of a Friedman square on the previous page.

Table of the number of interval method wirings

Ignoring rotations Ignoring rotations All


of the whole rotor of the whole rotor
and one side by
itself

1-contact rotors: - 1 1
2-contact rotors: 1 2 2
3-contact rotors: - 1 3
4-contact rotors: 1 4 16
5-contact rotors: - 3 15
6-contact rotors: 4 24 144
7-contact rotors: - 19 133
8-contact rotors: 32 256 2,048
9-contact rotors: - 225 2,025
10-contact rotors: 464 4,640 46,400
11-contact rotors: - 3,441 37,851
12-contact rotors: 8,768 105,216 1,262,592
13-contact rotors: - 79,259 1,030,367
14-contact rotors: 227,008 3,178,112 44,493,568
15-contact rotors: - 2,424,195 36,362,925
16-contact rotors: 7,814,144 125,026,304 2,000,420,864
17-contact rotors: - 94,471,089 1,606,008,513

where the number of odd-contact rotors in the third column is from integer sequence A006717 in the Handbook of Integer
Sequences, while the number of even-contact rotors is calculated by my own computer program. Note that, in the case of 2-
contact rotors, one does not multiply by n (which is 2) going from the second to the third column, because in that case the
arrangements are symmetric.

The same type of backtracking algorithm as is used to solve the Eight Queens problem was used in my program to generate
the numbers for even-contact rotors, but instead of trying various permutations of the output contact numbers from 1 to n, I
instead tried permutations of the set of intervals I was using. This let me exploit a symmetry (instead of considering all
possibilities for the duplicated and omitted intervals, I only needed to work with one), and divide the number of
arrangements I generated by n, as well as reducing the number of levels the program went through to build an arrangement
by one, since the two duplicate intervals of zero were fixed by an outer loop.

[Next] [Up] [Previous] [Index]

Next
Chapter Start
Skip to Next Section
Table of Contents
Return to Home Page
[Next] [Up] [Previous] [Index]

Isomorphs
It is possible to break even the complicated cipher produced by a rotor machine.
Especially when only one rotor moves with every letter enciphered, that rotor is at
either the input or output end of the rotor machine, and no other rotor moves more
often than once every 26 letters.

Of course, having some cribs, that is, plaintext for a number of cipher messages, will
be helpful. As will cracking the 'indicator system', that is, the method by which the
sender notifies the recipient of the starting positions of the rotors for each message.

When only one rotor moves, and the rest of the machine stands still, and the moving
rotor is on the outside, then the only difference between the cipher applied for one such
period of 26 letters and any other is a monalphabetic substitution.

With enough overlapping cribs, one may be able to reconstruct little pieces of the fast
rotor relative to more than one of the monalphabetic substitutions produced by the
others, and it may even be possible to link these pieces together. As soon as it becomes
possible to nullify the effect of the fast rotor, messages become almost trivial to solve.

If you know the wiring of all the rotors, and you have some known plaintext, and the
fast rotor is on the outside, the procedure is to try each rotor, in all 26 rotational
positions as the fast rotor (this amounts to 130 trials for a machine with five rotors)
until you find one that produces a monalphabetic result. If the fast rotor is on the output
side, you use it to decipher the ciphertext. If it is on the input side, you use it to
encipher the plaintext. Either way, if the plaintext and ciphertext are made to match, so
that repeated letters in both match up, you have found an isomorph.

Note that while frequent or complicated rotor movement can make it impossible to
mount an isomorph attack, having the fast rotor in the middle of the rotor stack makes
such an attack more difficult, since one has mixed alphabets to deal with, and these will
not be the same in all messages, it does not make attacks based on this principle
completely impossible.

[Next] [Up] [Previous] [Index]

Next
Chapter Start
Skip to Next Section
Table of Contents
Return to Home Page
[Next] [Up] [Previous] [Index]

PURPLE, CORAL, and JADE


The Japanese cipher machine which the American cryptanalysts codenamed CORAL is
perhaps the easiest to understand of the three.

All three machines were built from common telephone stepping switches. These
switches had six input wires. Each wire was connected to a wiper, and each wiper
could make contact with one of twenty-five terminals. All six wipers moved together,
and each one had its own set of 25 terminals to contact.

A solenoid controlled the movement of the wipers. When a current pulse was fed to it,
the wipers advanced one position, except that, if the wipers were already at position 25,
a spring caused the wipers to go back to the first position. Thus, although the 25
terminals were arranged in a semicircle, the switch acted as though they formed a full
circle, with stepping in only one direction.

In CORAL, a stack of five stepping switches did the same job as a rotor would do in a
Hebern rotor machine. 26 input wires carried current to 26 outputs, in 25 different
ways. The alphabets for each of the 25 wiper positions, unlike the alphabets for the
different positions of a rotor, were completely independent and unrelated.

JADE was just about the same as CORAL, except that it was used to encipher
messages written with the Japanese katakana syllabary, which has 48 symbols. Thus, it
added a shift key to the keyboard. The shifts weren't enciphered; only a 25-symbol
alphabet was, giving equivalents to the 48 kana and the two diacritical marks used with
katakana.

PURPLE, the earliest of the three machines, had a somewhat stranger structure. A
plugboard selected 20 letters of the alphabet to be enciphered through banks of four
stepping switches. The other six letters were enciphered by means of only one stepping
switch. This division of the alphabet was easily detected through frequency counts, and
was perhaps the most serious weakness of the machine. (Another very serious
weakness, and also a strong contender for the title of "most serious", was the fact that
the stepping switch banks were, for obvious reasons, not removable, so one could never
perform the operation equivalent to changing the rotor order.)

The following diagram:


attempts, with many parts omitted, to illustrate how PURPLE worked. The plugboard
reassigned letters for both input and output. The stepping switches only have fifteen
tick marks around them - representing the 25 contacts each wiper actually has. For only
one wiper position for each switch or bank of ganged switches, the scrambled
arrangement in which the wires are connected to corresponding wires in the next stage
are shown. However, the 20 versus 6 division is easily visible in the diagram, as is the
general arrangement of the device.

[Next] [Up] [Previous] [Index]

Next
Chapter Start
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]

The Enigma
In 1974, the British government permitted the disclosure of the story of the
decipherment of the German Enigma cipher machine in World War II. That the Enigma
had been broken by the Allies in World War II, however, was not in fact secret up until
that time; the account of the capture of the German U-505 submarine in David Kahn's
book The Codebreakers from 1967 notes not only that a German cipher machine was
captured along with its monthly keys, but that messages on machines of this type were
already being read, "with the help of a mass of machinery that filled two buildings".
Also, the book "The Broken Seal" by Ladislas Farago referred to a meeting between
British and U.S. representatives to discuss a swap of American information on
PURPLE for British information on the Enigma (the Americans were generous, but
went away empty-handed at the time, but Britain very shortly thereafter relented, as
later revealed). But only after 1974 did the details of this cryptanalytic feat emerge.
Despite some continued secrecy, it can fairly be said that the cryptanalysis of the
Enigma is the only case in which not merely the story of an isolated cryptanalytic
success, but instead the ongoing saga of coping with changes in a cipher system, has
become public.

Because of the intense concern in the United States about whether or not the Japanese
bombing of Pearl Harbor could somehow have been prevented, it was officially
revealed quite shortly after the war that cryptanalysts working for the U. S.
Government and Armed Forces had solved both Japanese codes and Japanese ciphers,
including the cipher produced by the so-called "PURPLE machine".

Had this not been the case, perhaps this would have been kept secret for the same
amount of time as the British success in cracking the cipher of the Enigma machine, as
a result of the normal reticence of nations concerning matters relating to an activity of
such high sensitivity.

As well, given the role of Polish nationals in the early part of the Enigma story, a
genuine concern to avoid any of them still residing in Poland being summoned for, at
the least, debriefing, may well have been a consideration. As to the sale of used
Engimas, I would think that the rule of caveat emptor, rather than any imputation of
fraud, would be applicable.

Starting with the commercial Enigma C, the Enigma differed from other rotor
machines (although, later, the British Typex and a commercial machine from Ottico
Maccina Italiana were based on it) in that the electrical signal for a plaintext letter did
not just go in one end of the rotor stack and out the other, but also was sent back to go
through the rotors the other way by a reflecting rotor.

This strengthened the cipher in some ways, but also gave it important weaknesses. And
it also meant that quite a number of unique cryptanalytic techniques were developed
for the Enigma which were specific to it. In comparison, CORAL, although a more
difficult target, would still be approached with almost the same techniques as would be
used against a Hebern rotor machine, with the exception that the unrelated nature of the
alphabets provided by a stepping switch increased the amount of text required for
applying those techniques.

● Basic Principles of the Enigma


● The Uhr Box
● The Enigma A and Enigma B
● Relatives of the Enigma
● Cryptanalysis of the Enigma
❍ Cliques on the Rods

❍ Indicators and Jefferys Sheets

❍ The Bombe and the Diagonal Board

[Next] [Up] [Previous] [Index]

Skip to Next Section


Chapter Start
Table of Contents
Return to Home Page
[Next] [Up/Previous] [Index]

Basic Principles of the Enigma


The Enigma had a stack of three or four normal rotors, not in principle unlike those in a Hebern machine.
They had 26 contacts in a circle on each side, those on one side were connected in a scrambled order to
those on the other, and the rotors moved to vary their effects on the alphabet.

There was a mechanical difference: the rotors had plain contacts on one side, and spring-loaded contacts on
the other. A Hebern machine had only plain contacts on its rotors, and the machine itself therefore needed
twice as many spring-loaded contacts as a permanent part of the machine. This cut total costs for an Enigma,
but it meant that rotors were more expensive, and indeed during the war, the German forces kept on using
their old rotors, only gradually adding the odd new one to the set.

In addition to the contacts and the wires between them, a rotor often has two other parts of significance to
the cipher it will generate which are often overlooked. Like the wheels in an odometer or a mechanical
adding machine, rotors in some rotor machines include what is essentially a gear with one tooth to cause the
next rotor to move one position forwards at one point in its own rotation. Some rotor machines, of course,
use completely different principles to move the rotors; the Hebern machine did use this principle, but still
kept that part of the gearing physically separate from the rotor itself. Also, the rotor has to be labelled, so
that there is some way of recording and communicating the starting position in which the rotors of a rotor
machine are to be set. Otherwise, the two parties to a communication will be unable to set up their machines
the same way. On the Hebern machine, the rotor itself was marked.

In the Enigma, a movable alphabet ring was labelled with the letters identifying rotor positions. The rotor
itself, of course, was marked so that alphabet ring settings could be written down too. The ratchet wheel,
which determined when one rotor would cause the next slower one to advance, was attached to the alphabet
ring. This is quite important to note, as it determined how methods of exploiting the Enigma's indicator
method would work, and how the Bombe had to be designed.

But the main distinguishing feature of the Enigma was its reflecting rotor. Instead of plaintext going in one
end with ciphertext coming out the other, the reflecting rotor, with the 26 contacts on one side connected to
each other in a scrambled fashion, caused the electrical signal to go through the rotors a second time in the
opposite direction, coming out on the same side it came in, but at a different contact.

This meant two contacts on the entrance side of the rotor stack were "live". Instead, therefore, of the switch
operated by a typewriter key on the Enigma merely connecting the battery to the proper contact of the
outermost rotor, it instead took the contact of that rotor, and disconnected it from the lamp under the same
letter as well as connecting it to the battery.

As an extra security feature, the Enigmas used by German forces during World War II included a plugboard.
The wires leading from the lamps and keyboard to the rotors were all cut, and then wired to a socket that
acted like the socket for a phone plug. If nothing was plugged in, the two wires to the plug were connected
together. If a plug was inserted, the two wires were not connected to each other, instead, each one was
connected to one of the two contact points in the plug.

Although a commercial Enigma, modified by Polish cryptanalysts to match a military Enigma, used phone
plugs, the plugs in the plugboard of the actual Enigma had two prongs, but they still functioned electrically
in the same way as phone plugs.

So, think of 26 phone plug sockets, and a set of ten wires, with a phone plug at each end, with the tip at one
end wired to the shaft at the other end, and you will have an accurate electrical picture of the plugboard of
the Enigma.

An attempt at a diagram of the Enigma in ASCII graphics:

| | |
----- ----------| ----------| ----------|
| --||- -----||----------||- -|------
| / || \ / || || \ / | |
| | -||--\- ---||- ----||- \ --/--|----- |
| | / || \ / || \ / || \ \| / | ||
| || -||- ------||----- ---||--\-\- _-|---- ||
| ||| || \ / || \ / || _-\|\-- | |||
| ---||---- ---||------ -||- \ ----|--- |||
| || || \ / || \ / || |\ | ||||
| | -||------ _-||--_ ----||--_ | ----|-- ||||
| | || _--\-- || ---/-_ || -|--_ | |||||
| --||-- ----||------ -||---- --|- |||||
----- ----------| ----------| ----------| ||||||
Slow | Medium | Fast | ||||||
||||||
---------------------------- ||||||
| | | | | | | ||||||
- | | | | | | ||||||
--- ( ) (*) ( ) ( ) ( ) ( ) Lamps ||||||
- | | | | | | ||||||
--- | | | | | | ||||||
| | | | | | | ||||||
--------|---|---|---|---|---|- ||||||
| | | | | | | | | | | | ||||||
I I / I I I Keyboard ||||||
| | | | | | ||||||
| | | | | | ||||||
|_ _| | | | | ||||||
_X_ I I I I Plugboard ||||||
| | | | | | ||||||
| | | | | ------------- |||||
| | | | ------------------ ||||
| | | ----------------------- |||
| | ---------------------------- ||
| --------------------------------- |
--------------------------------------

And here is a similar diagram in graphic form:


To make it simple to understand the principle which allows pressing a key on the Enigma to light the lamp
to which the key is connected through the rotors, but not the lamp connected to the key itself, the wires have
been colored red and blue, depending on whether they are at a positive or negative potential (I've chosen the
battery orientation in the diagram arbitrarily for clarity, and do not claim it matches that of the actual
Enigma) and wires carrying current are shown in a lighter red or blue, and, where convenient, are shown
thicker, with little yellow arrowheads showing the direction of current.

The Germans themselves broke messages transmitted by Republican forces during the Spanish Civil War on
conventional Enigma machines without plugboards. And it was the plugboard, more than anything else, that
convinced them that the Enigma was unbreakable.

The rotor wirings of the Naval Enigma, most of which were also used by the Wehrmacht, were:

Initial input contact:


A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Output contact from rotor #: In window


for "carry":
I : E K M F L G D Q V Z N T O W Y H X U S P A I B R C J Q
II : A J D K S I R U X B L H W T M C Q G Z N P Y F V O E E
III : B D F H J L C P R T X V Z N Y E I W G A K M U S Q O V
IV : E S O V P Z J A Y Q U I R H X L N F T G K D C M W B J
V : V Z B R G I T Y U P S D N H L X A W M J Q O F E C K Z
* VI : J P G V O U M F Y Q B E N H Z R D K A S X L I C T W MZ
* VII : N Z J H G R C X M Y S W B O U F A I V L P E K Q D T MZ
* VIII : F K Q H T L X O C B J S P D Z R A M E W N I U Y G V MZ

Thick reflecting rotors:


B : Y R U H Q S L D P X N G O K M I E B F Z C W V J A T
C : F V P J I A O Y E D R Z X W G C T K U Q S B N M H L

Extra ("Greek") rotors inserted before thin reflecting rotors:


* Beta: L E Y J V C N I X W P B Q M D R T A K Z G F U H O S
* Gamma: F S O K A N U E R H M B T I Y C W L Q P Z X V G J D

Thin reflecting rotors:


* B : E N K Q A U Y W J I C O P B L M D X Z V F T H R G S
* C : R D O B J N T K V E H M L F C W Z A X G Y I P S U Q

The first five regular rotors, and the two reflecting rotors above were used in both the Wehrmacht and the
Navy. Only the Navy used the last three regular rotors, numbers 6 through 8, and two thin rotors, one
reflecting, to replace the reflecting rotor. The rotors only used in the Naval Enigma are marked with an
asterisk.

Each rotor, other than the reflecting rotor, is described this way: the line at the top with the letters in order
from A to Z indicates the contact which is on the side of the rotor facing the wires from the keyboard and
lamps, and the table entry indicates the contact on the side facing the reflecting rotor connected to that
contact, when the alphabet ring is in the A position, and A is the letter showing through the window at the
top of the machine.

While this form of the Enigma was used by the Wehrmacht, and by the Navy with improvements, other
forms of the Enigma were used during the war by other military and governmental organizations within
Nazi Germany.

One of the most famous is the Abwehr Enigma, which used rotors with 11, 15, or 17 notches, but which had
no plugboard. Its keyboard had numerals and punctuation marks on the keys above the letters. The Mil Amt,
which succeeded the Abwehr, used a machine with a set of six rotors, all with nine notches.

The Railway Enigma was an Enigma with a typewriter keyboard entrance permutation, like the commercial
Enigma C and Enigma D.

Although the Army and Navy continued to use their original rotors throughout the war, each of the other
groups using Enigmas used their own rotor wirings. This was a natural security precaution. Probably the
reason that other Enigma machines used did not have plugboards is also because security kept groups using
Enigma machines from knowing about the Enigmas used by other groups: it may well be that the different
Enigmas were made in separate factories. However, the Mil Amt seems to have learned the same lesson as
was used in the Naval Enigma, by switching to rotors all having the same notches.

[Next] [Up/Previous] [Index]

Next
Chapter Start
Skip to Next Section
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]

The Uhr Box


The Uhr box was a replacement for the patch cords that were plugged into the Enigma's
plugboard. Each day, the relationship between the alphabet and the contacts on the
Enigma's rotors was changed in accordance with the daily key by plugging in the patch
cords as it specified.

I am indebted to some USENET posts, in reply to questions of my own concerning the


Uhr box, by Frode Weierud from Switzerland in clearing up some of the details about
how it worked. The facts he provided allowed me to propose a tentative reconstruction
of how the Uhr box might have been wired internally.

By using the cords coming out of the Uhr box instead, it became convenient to change
the plugboard setting more often, because it could be changed just by turning the knob
on top of the Uhr box. The knob had forty settings, numbered from 0 to 39. These
settings were indicated by a two letter code, given by a sticker on the lid of the Uhr box.

When set to setting 0, the Uhr box acted like a set of ordinary patch cords. Of the
twenty plugs coming out of the Uhr box, ten were painted white, and ten were painted
red. The plugs in the two groups were numbered from 1 to 10, and the pairs of one red
plug and one white plug both bearing the same number each behaved like a patch cord
in setting 0.

Even in other settings, although the connections between the input of one plug and the
output of another plug were now scrambled, it was still true that the input of any red
plug was always connected to the output of a white plug, and the input of any white
plug was always connected to the output of a red plug.

Because patch cords always connected their input and output to the output and input on
the other end, they produced a reciprocal permutation of the alphabet. The Uhr box
allowed this to be avoided. This didn't change the fact that the Enigma's cipher was
reciprocal, since the permutations of the Enigma's individual rotors weren't reciprocal
either, but the cipher of the Enigma as a whole was still reciprocal, since the reflecting
rotor caused the electrical signal from the keyboard to the glowlamps to go through
each rotor twice, first one way, and then the other. The same thing was true of the Uhr
box.

But the fact that ordinary patch cords produced a permutation which was reciprocal on,
as it were, a second level did prove helpful to British cryptanalysts. For one thing, it
permitted an adjunct to the Bombe called the 'diagonal board' which allowed it to be
both more versatile and more effective.

Reconstruction of the Uhr box

Based on these facts concerning the Uhr box, I had suspected that it may have been
wired as follows:

The knob on the Uhr box would have turned what was, essentially, a reflecting rotor
with 40 contacts.

These 40 contacts could be thought of as being labeled with the letters


ABCDABCDABCD... over and over again.

The contacts marked A would all have wires connecting them to the contacts marked
C, but in scrambled order. Similarly, the contacts marked B would all be connected to
the contacts marked D, again in a scrambled order.

The contacts in the box which connected to this movable reflecting rotor would also be
divided into four groups, which we can also think of as being labelled
ABCDABCDABCD... and so on.

The input contacts from the red plugs would be connected to the contacts marked A,
and since these were always to be connected to the output contacts of the white plugs,
those would be connected to the contacts marked C.

Similarly, the input contacts from the white plugs could go to the contacts marked B,
and the output contacts from the red plugs to the contacts marked D.

The order in which the plugs were connected to the contacts would match the
scrambled wiring in the 40-contact reflecting rotor, so that when it was set to position
0, the desired objective of emulating plain patch cords would be achieved.

It would be possible, although unnecessary, for all the input contacts, for example,
from the patch cord plugs to be wired in numerical order around the circle.

The following diagram may make the description of my tentative reconstruction of the
Uhr box clearer:
However, a paper in the July 1999 issue of Cryptologia has now explained the actual
workings of the Uhr box, and it differed somewhat from my tentative reconstruction.

Instead of having 40 contacts, the reflecting rotor that was the heart of the Uhr box had
80 contacts, of which only 40 were used at any one time.

The contacts on the reflecting rotor were in two consecutive rings of 40 contacts, and
either the even or odd ones were used in any position. Thus, the contacts on the Uhr
box were in two rings of 20.

The outer ring was wired to the red plugs, and the inner ring was wired to the white
plugs. In both rings, the even-numbered contacts of the Uhr box were wired to the thick
pin of the two pins on the plugs. The wires from the red plugs were wired to these
contacts in order, but those from the white plugs were wired in a scrambled fashion.
Essentially, therefore, the Uhr box worked somewhat like my hypothetical
reconstruction, except that it had two sets of scrambled wirings, each one of which
could be rotated to only half as many positions.

However, there was another peculiarity of the wiring of the Uhr box that led to a
weakness.

Although the wires from the white plugs were not wired to the Uhr box contacts in
order, they were wired to those contacts in pairs. This meant that of the two wirings in
the reflecting rotor, one, in order to allow the zero setting to emulate ordinary
plugboard wires, had to take pairs of contacts (with a contact in between belonging to
the other wiring) to pairs of contacts in the other ring, reversing the two elements in the
pair (so as to take a large pin from a red plug to a small pin on a white plug and vice
versa). This meant that every fourth setting of the Uhr box behaved like a set of
conventional plugboard wires.

A diagram of the actual Uhr box may help to make its design clearer:

in this diagram, only the wires in the rotor are shown that are in the set used in the zero
position, which reflect the flaw in the device that makes every fourth setting (every
second setting using that set of wires) reciprocal. The Uhr box is shown here set in the
zero position. Because of the extra complexity of inner and outer contacts, a more
schematic diagram, rather than one showing the rotor contacts in a circle, is given.
While the Uhr box did not do much by itself, only providing a fixed substitution that
did not change during a message, this kind of design illustrates how one could, for
example, build an interesting type of rotor machine for a 26-letter alphabet using
especially-wired 52-contact rotors. The idea of wiring a rotor with a number of contacts
that is a multiple of the size of the alphabet used, so that it acts like two different rotors
that are used alternately, also will surface in the Hagelin B-21, which we will meet
later.

Another enhancement used on some Enigmas late in the war was a reflecting rotor that
could be completely rewired by the user based on a daily key.

[Next] [Up] [Previous] [Index]

Next
Chapter Start
Skip to Next Section
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]

The Enigma A and Enigma B


The very first cipher machines sold under the Enigma trademark were rotor machines,
but they did not have the reflecting rotor that made the Enigma so unique.

Also, they both looked like very large typewriters, and printed their output rather than
merely indicating letters with glowlamps. The Enigma B used the normal 26-letter
alphabet, while the Enigma A had a 28-letter alphabet, including three accented letters
for the German language, but omitting one letter of the alphabet not often used in
German.

Instead, they had four rotors, used once in normal fashion, controlled by four cams,
with 11, 15, 17, and 19 positions. These cams all moved one position with every letter
enciphered, and a raised tooth on any one cam caused the rotor corresponding to that
cam to advance one step.

Occasionally, none of the four rotors would advance between letters, and this probably
made the machine appear weak. However, this kind of irregular rotor movement does
eliminate the isomorph method of attack, and therefore this kind of design appears to
be quite promising. Since, however, it was cams and not user-settable pinwheels that
were used, an adversary knowing the sequence of raised teeth on each cam would no
doubt have been able to develop alternative methods of attack on this system.

Had the machine had five rotors instead of four, then the thirty-two possible rotor
motions would have exceeded the number of letters in the alphabet. With four rotors,
there were at most only sixteen possible alphabets the machine could present at each
step, and this could also be exploited.

A machine with ten pinwheels, all of different sizes, with the XOR from two pinwheels
controlling each of five rotors? Such a machine might well have been very strong.
However, the search for the ultimate in irregular rotor movements was pursued in a
different direction by the Americans, resulting in an even stronger machine, the
SIGABA, which we will meet later.

Another variation of the Enigma was the one used by the Abwehr. It was an Enigma
without a plugboard, but the rotors had a large number of notches, so that the slower
rotors still moved fairly often.

In the chapter of Codebreakers (not David Kahn's book, but a collection of


contributions by former cryptanalysts at Bletchley Park, published by Oxford
University Press) entitled "The Abwehr Enigma", it was observed that multinotched
rotors created a serious difficulty for the cryptanalyst, but not quite as serious as that
created by the plugboard. It was seen as peculiar - but fortunate - that the Germans did
not get the idea of putting both improvements on the same Enigma. As at that time,
thanks to the book Machine Cryptography and Modern Cryptanalysis by Cipher A.
Deavours and Louis Kruh, it was already public knowledge that the British were doing
exactly that: the Typex, which we will meet in the next section, used extra entrance
rotors as a non-reciprocal plugboard (thus also gaining the advantages of the Uhr box)
and highly multinotched rotors, this comment was worth a raised eyebrow when I first
encountered it.

It may also be noted that the Abwehr Enigma's reflecting rotor moved as the slowest
rotor during encipherment. Also, like the commercial pre-war Enigma C and D, in
addition to not having a plugboard, the keyboard and lamps were connected to the
rotors following the layout of the typewriter keyboard rather than in alphabetical order;
thus, an Abwehr Enigma had the rotating reflecting rotor, and the multiple notches on
the rotors, as its only changes from the commercial model Enigma. With one other
minor, but interesting, addition: this version of the Enigma also had digits and
punctuation marks printed above the letters on both the keyboard and the lampboard.

[Next] [Up] [Previous] [Index]

Next
Chapter Start
Skip to Next Section
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]

Relatives of the Enigma


Despite the fact that the Enigma never enciphered a letter as itself, thereby making it easy to align
probable plaintext with an intercept, several other rotor machines were based on the Enigma.

W. F. Friedman devised Converter M-325. It was similar to the Enigma, except that the rotor nearest
the reflecting rotor, rather than the rotor farthest from it, was the fast rotor. This produced a machine
that did not need a plugboard to be reasonably secure.

The British cipher machine during World War II was the Typex. Its rotors were notched several times
for frequent and irregular motion. Three rotors moved, and the farthest of them from the reflecting
rotor was still the fast rotor. But there were two other rotors beyond the fast rotor, and they acted as a
plugboard replacement.

Some models of the Typex had two concentric sets of 26 contacts. According to those who have had
the opportunity to examine surviving specimens of this machine, they were not used for the obvious
purpose of providing a return path for electrical current, thus allowing the unique weaknesses of the
Enigma design to be avoided.

Despite this, I still wonder; there is a simple way, using dummy rotors connected by cables, to turn a
SIGABA into a plain Hebern machine. As the SIGABA and the Typex were made to interoperate by
means of accessories which turned them into the "Combined Cipher Machine", it makes sense to
conclude that the second set of contacts was used as a return path on the Typex, since then suitably
wired rotors with some sets of contacts wired without scrambling could allow Hebern type operation
of such a machine as well, thus facilitating this particular method of interoperation. Although the fact
that the fast rotor is on the entrance side (like an Enigma, unlike an M-325) makes it more difficult to
turn a Typex into a Hebern machine with the fast rotor in the middle, it is not impossible: an
auxilliary wiring harness, with dummy rotors, is also required as with the SIGABA, and the reflecting
rotor is one of those that has to be replaced. The following diagram shows a principle that may have
been used:
As the details of the actual CCM are available, no doubt I will soon be hearing if my reconstruction is
near the mark or not. As only three rotors aren't much, the actual CCM may have been somewhat
more complicated, for example by including entry and exit plugboards to replace the two stators in a
real Hebern five-rotor machine.

As the Typex is said to have very closely resembled the Enigma, I had assumed that it had a "650
break" as well, and this would have further complicated interoperation with the SIGABA. However,
since the Typex used heavily multinotched wheels, such a gearing arrangement would have shortened
its period considerably, so perhaps that problem did not arise. (It's even possible there was a lever
somewhere to choose with!)

On some later models of the Typex, the two entrance rotors also moved. This is merely a speculation
on my part, but one simple way in which they could have been caused to move is this: the entrance
rotor would be the slow rotor, the next one the medium, and the same notches in the wheels that
caused the regular carry would also cause movement of the wheels on the entrance side, but the
ratchet wheels would be displaced. So, if the positions B, G, J, M, O, R, T, V, and X caused the
original medium wheel to move when the fast wheel reached them, and the original slow wheel to
move when the medium wheel reached them, then perhaps the positions Z, E, H, K, M, P, R, T, and
V, each two positions earlier, would cause movement on the other side of the fast rotor. Or another
row of notches could be present on the wheels, and the number of notches in that row could very well
be even, since the ordinary rotor motion would already be providing the maximum period. No such
motion, however, unlike the original motion with those two rotors as stators, or better yet a motion
resembling that of the Converter M-325, would allow easy interoperation with a SIGABA using
dummy rotors by emulating a Hebern machine, basically the lowest common denominator of the two
machine types.

Some time after World War II, Switzerland, which had been using a version of the Enigma for its
own communications, designed its own significantly improved cipher machine based on the Enigma,
the NEMA (for Neue Maschine, not National Electrical Manufacturers Association). Recently, a
computer program simulating its operation, accompanied by a description of the machine, became
available. One of the program's authors, Frode Weierud, has a forthcoming article in Cryptologia
about the machine.

It used lamps to indicate the letters it produced as output, and physically it looked like a metal box
with a sloped front in which a typewriter keyboard was sunk. Recently, examples have become
available on the open market, at prices considerably below those of World War II Enigmas.

The device had four rotors, plus a reflecting rotor, all of which (including the reflecting rotor) moved
during encipherment. However, it had the appearance of having ten (rather thin) rotors. This was
because each rotor was manually adjusted by means of a flange on its left with 26 segments labelled
with the letters of the alphabet, and bore on its right a ring of appearance similar to that flange, but
which contained a notched gear. Each rotor's movement was controlled by the ring to its right; when a
notch on the ring came into position, its corresponding rotor did not advance for the current letter
being enciphered. In addition, the ring on the entrance rotor, towards the right of the rotor bank, was
distinctively colored (it was red) and had a second notched gear on it. This gear, when a notch on it
came into position, prevented the second and fourth rotors, and their corresponding rings, from
moving. Usually, all the rings would move with every character enciphered.

Thus, the NEMA had a period of 17,576 letters, each ring-rotor pair having a period of 676. If the red
ring had stopped only two other rings, and not their corresponding rotors as well, the period could
have been 26 times longer. In any case, it has a large number of initial settings, and a very irregular
rotor movement, bettered only by that of the SIGABA (although the Enigma A and Enigma B also
had a rotor movement that is more irregular than usual). Note that the diagram, for simplicity, shows
the mechanics of the rotor movement by lines which may suggest electrical wires; actually, the result
was achieved mechanically. Also note that the wheels with notched gears, although concentric on the
same shaft as the rotors, are shown in the diagram in a row below the rotors, using the usual diagram
symbol for pinwheels.

And, during the sixties, an Italian firm, O.M.I., offered a version of the Enigma with seven rotors. But
it embodied an ingenious idea for providing security in a machine sold openly without requiring
customers to rewire their rotors. The rotors came in two pieces, both with scrambled wiring, that the
customer could interchange and rotate to form the rotor set to use.

It would be a little harder to do this with rotors of the Hebern type, if one wished to take full
advantage of the fact that both sides of these rotors are identical, but it could still be done using
androgynous connectors positioned in alignment with the centers of the contacts, as shown below:

An interesting web site in Germany, which no longer exists, described several cipher machines from
behind the Iron Curtain. Three of them were described in enough detail (which I tried to make out as
best I could, not understanding German) that I found their mention of interest.

The T217, or ELBRUS, is an electronic cipher machine, having at least a superficial external
resemblance to the early electronic cipher machines used by the United States (as those machines are,
as far as I know, still classified, I have no knowledge of whether the resemblance is more than
superficial). A linear-feedback shift-register generator feeds a longer shift register, and bits from that
are selected under the control a key cassette to go into combinatorial logic to produce bits for stream
cipher use.

The M105 uses a principle I don't quite understand yet: 5-level code characters are converted to a 12-
bit form, then XORed with a key tape, then converted back down to 5-bit form. It isn't quite clear to
me how transformations more involved than an XOR can actually be accomplished by this principle,
particularly when decoding is also performed by precisely the same method. However, such a
machine could work by cheating; for example, the 5-bit character

abcde

could be converted to

abcde0000000
to be enciphered, and then the 12-bit result of being XORed with the key tape could be converted to 5
bits by taking the first 5 bits, performing a nonlinear operation controlled by the last 2 bits, and then
XORing with the second 5 bits. To decipher using the same key tape, the 5-bit ciphertext character

pqrst

would simply be converted to

00000pqrst00

before the XOR with the key tape. Even something like that, particularly if a plugboard can be used to
scramble the 12 bits from the key tape, might not be entirely silly. Also, if the nonlinear transform
controlled by the last 2 bits leaves something invariant, that, rather than 0, could be put in the last 2
bits. For example, if the last 2 bits are used to choose between different ways of transposing the 5 bits
of a character, for encryption the parity of the plaintext character could be placed in one, or both, of
those bits before the XOR, affecting which bit transpose is used.

For decryption, the parity of the ciphertext character after being XORed with the five bits for that
purpose on the tape, XORed with the parity of the five bits that will later be XORed to form the
plaintext character, will produce the parity of the plaintext character before the bit transpose (affected
by that parity) is known.

And, finally, the M125, or the Fialka, is described on his site, which is why I am mentioning his site
on this page: it is a variation of the Enigma.

It enciphers a 31-character alphabet. A punched card is used to perform the function of the Enigma
plugboard, but for only of 30 of the 31 symbols enciphered. The punched card has been described to
me as square, with two centering holes, and with the regular punched holes only below a diagonal on
the card. This suggests to me that each hole position controls a double-pole double-throw (DPDT)
switch, determining if two lines in a folded crossbar pattern are crossed.
There are 10 highly multinotched rotors, and they have fixed contacts on one side and spring-loaded
contacts on the other, like those of the Enigma.

Now, these 10 rotors all have 31 contacts on each side. There is also a reflecting rotor, but how can a
reflecting rotor with an odd number of contacts work?

One contact of the reflecting rotor, instead of being connected to another contact, is connected to a
circuit that causes the machine to encipher the input letter as itself. Note, however, that the machine's
cipher is fully reciprocal.

Like the Typex, we have an Enigma with both multinotched rotors and a plugboard; British
cryptanalysts working on the Abwehr Enigma on the one hand, and the Army and Navy Enigmas on
the other saw that to be an effective combination. This may not be terribly surprising, as there was
Soviet penetration of the British Ultra effort during World War II. The patch panel, like the Uhr Box,
avoids the problem of the plugboard substitution being reciprocal in itself.

Although the machine is connected to 5-level tape equipment, instead of enciphering normal 5-level
code (leaving, perhaps, the all-zeroes character unenciphered) the German-language version of this
device omits the letters W, X, and Y, and uses J to represent the space (thus printing a space when
deciphering, and a J when enciphering), leaving room for the digits from 2 through 9 in the character
set. As Russian has a 32-letter alphabet, presumably the original Russian-language version did not
include digits in its character set.

My initial attempt to reconstruct the Fialka from the information I had found resulted in a somewhat
different machine, with its own features of interest.

In the a block diagram I saw, there were three signals going from the reflecting rotor to a transistor
symbol. I thought that perhaps this meant that three contacts were wired in a loop, with diodes going
from one to the next, in rotation. As a DC current is used to go from the keyboard to the rotors and
back to the output mechanism, this can mean that A becomes B, B becomes C, and C becomes A.
(However, there is nothing to prevent the current from going through two diodes in a row. This can be
avoided by the use of resistors or multiple diodes, and a suitable choice of voltage threshold, or by a
simple transistor circuit.)

That would mean the cipher of the machine as a whole would not be quite reciprocal, but no letter
could represent itself. The easiest way to reverse the action of such a circuit during decipherment
would be simply to reverse the polarity of DC current through the machine.

The fact that the punched-card "plugboard" affected only 30 of the machine's 31 characters was
baffling to me, and implied some sort of external constraint. As I assumed a simple crossbar
arrangement for card sensing, to minimize parts count, the fact that a standard 80-column card has
over 900 holes in it meant that it could indeed control a 30 by 30 crossbar patch panel. (One needs
961 hole positions for a 31 by 31 crossbar patch panel!) The diagram shows a possible arrangement
for the crossbar circuitry that uses the first 75 columns of the card, and which, by taking into account
the zone and digit positions of the card, allows key cards to be produced with conventional punched
card equipment, using only &, -, /, and the digits and the upper-case letters.

Perhaps the construction I reached through speculation will be helpful to amateur builders intending
to build a replica of the Fialka at home, but with the use of more standard parts, even if it departs
from the historical reality.

The following diagram is provided for those who aren't familiar with the code used on the 80-column
punched card:

or, if that diagram is difficult to understand, here is a more explicit one:


Gordon Welchmann, the inventor of the diagonal board, has commented that it would have been
possible, but difficult, to design an Enigma that did not have the feature of being unable to encipher a
letter as itself.

Obviously, the simplest method to avoid this problem with the Enigma would be to revert to sending
the signal through the rotors in only one direction, as with the Enigma A and Enigma B, or as with the
original Hebern machine. But if one wanted to avoid having to switch a large number of wires when
changing from encipherment to decipherment, or if one felt it useful to have the signal going through
the rotors twice instead of just once, how would an Enigma not having this problem be designed?

One can begin by merely changing the labels which are over the indicating light bulbs. If the light
bulb that is on the circuit with the Q key is now labelled B instead of Q, then it is B that the letter Q
will not be enciphered as.

But then one would have to have one wiring for encipherment, and a different wiring, either selected
by a large and complex switch, or by constructing enciphering Enigmas and deciphering Enigmas.

One way to avoid the problem would be to replace the plugboard of the Enigma with two
switchboards, one connecting the keys to the machine, and one connecting the lamps to the machine.
Then one could select any wiring configuration for encipherment, and its counterpart, with lamp and
key wirings exchanged, for decipherment.

Could a suitable choice of new labels for the light bulbs allow a simpler solution, one that involved a
lesser change to the way the Enigma worked? One possibility would be, given the keys are connected
to the rotor contacts in alphabetical order, to label the light bulb connnected to the A key with N, the
light bulb connected to the B key with O, and so on. Then, if the setting rings are labelled with two
alphabets similarly displaced, in contrasting colors, and the gear teeth by which one ring advances the
next are so arranged that if a tooth is at one position, there is also a tooth at the position diametrically
opposite (shortening the period, because all the rotors must now have an even number of teeth), one
could indeed have a machine that behaved almost exactly like the Enigma.

However, the fact that the letter A can now never be represented by N, instead of never by A, is just a
fixed substitution that would soon be discovered, and then it would cause no real difficulties for the
cryptanalyst. A normal Enigma plugboard would not change this: and the sockets on it would also
have to be labelled in two colors, as the plugboard wiring would have to be displaced 13 positions to
decipher.

Another thought would be, instead of having two switchboard-type plugboards, where a set of 26
sockets is matched by 26 plugs from within the Enigma, to have a second plugboard of the regular
Enigma type in a single Enigma. In addition to the one between the rotors and the lamps and keys
both, the additional plugboard would be between the lamps and the keys. The reciprocal nature of the
plugboard substitution would not be a problem, and would in fact allow the same wiring to serve for
encryption and decryption. This arrangement is illustrated below:

However, it wouldn't quite work as illustrated. Although the rotor substitution and the plugboard
substitution are both reciprocal, that does not mean that they commute. But a more complicated
wiring based on this principle would be possible, such as placing the rotors on the lamp side for
decipherment; this would require a bank of 26 relays to simulate the effect of the switches in the
keyboard.

One simple way to make this work, with some limitations, is this: for encipherment, use only the
plugboard between the lamps and keyboard. For decipherment, also use the regular plugboard, and
wire it in the same way as the plugboard between the lamps and keyboard. This works because
plugboard wirings are reciprocal.

The basic problem of this sort of arrangement is that the rotors are connected to the keyboard and not
the lamps in an Enigma, hence a permutation between the keyboard and lamps disrupts the
relationship between the rotor contacts and the lamps and keys that makes decipherment possible
when it is reversed for decipherment. Could an Enigma be modified so that the rotors were connected
to the lamps? Yes, if each lamp were shorted with a diode:
This diagram shows the flow of electricity in an Enigma. On the left, a simplified diagram of the
Enigma is shown. Wires at a positive potential are red, wires at a negative potential are blue, and
wires carrying current are shown thicker with yellow symbols indicating the direction of current.

On the right, the arrangement involving diodes needed to allow the rotors to be connected to the lamp
side of a modified Enigma is illustrated. Current that pressing a key allows to flow goes first through
the shorting diode belonging to the lamp with the same letter, then through the rotors, and on its
return trip lights the correct lamp, since it is going the other way, and cannot be shorted by that lamp's
diode.

Suitable switching circuitry, allowing either arrangement to be selected, and reversing other
connections, would allow a two-plugboard Enigma of the type shown above to even have an Uhr box
connected at either or both plugboards.

[Next] [Up] [Previous] [Index]

Next
Chapter Start
Skip to Next Section
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]

Cryptanalysis of the Enigma


The story of the cryptanalysis of the Enigma is perhaps the only story of military
cryptanalysis ever recounted where a detailed view was given of that cryptanalysis on
an ongoing basis, over multiple revisions and modifications of the cipher system under
attack.

The cryptanalytical methods used are sorted by type in the following sections, and thus
a more chronological summary may help to make the story more understandable.

Initially, the Enigma was without a plugboard. The method of "cliques on the rods"
was used against it at this stage; this was a version of the isomorph attack against a
Hebern machine, modified as required for the Enigma.

Next, a plugboard was used, but only three cords were plugged into it, affecting only
six of the twenty-six letters. A common ground setting was used to encipher the
starting setting which operators were supposed to choose at random; this setting was
enciphered twice. Here, the tables generated by the cyclometer were used: the doubly-
enciphered indicator meant that if one message had A as its first letter and Q as its
fourth, A as the first letter of the message always implied Q as the fourth. Thus, the
relation between the first and fourth letters of a day's intercepts defined an alphabet,
and the same was true of the second and fifth letters and the third and sixth. The
characteristics of these alphabets allowed those tables to pinpoint the day's ground
setting.

Then, instead of a ground setting, a setting picked also at random, and sent in the clear,
was used. This nine-letter indicator was attacked on the basis of watching for cases
where corresponding letters in the doubly-enciphered indicator, now the fourth and
seventh, fifth and eighth, and sixth and ninth letters of the message, were the same. The
original Polish Bombe, and also the perforated sheets, were used at this stage.

When the number of rotors in the rotor set was increased to five from three, the British
took over from the Poles, and relied mainly on the perforated sheets.

When the rotor starting position for an individual message was enciphered only once,
the Turing Bombe, soon augmented by the diagonal board, allowed decrypting Enigma
messages to continue.

On the Naval Enigma, eight rotors as well as a split reflecting rotor were used. This
was dealt with by aligning messages to find key overlaps; from this, and a study of the
indicators, constraints on the possible rotor orders were found, allowing the Bombe to
still be used.

Near the end of the war, the Uhr box and a rewirable reflecting rotor were used in some
places. The Uhr box merely required giving up the diagonal board. The reflecting rotor
required a major redesign of the Bombe, but decoding continued.

● Cliques on the Rods


● Indicators and Jefferys Sheets
● The Bombe and the Diagonal Board

[Next] [Up] [Previous] [Index]

Next Section
Chapter Start
Table of Contents
Home Page
[Next] [Up/Previous] [Index]

Cliques on the Rods


Before the plugboard was added to the Enigma, the fact that the fast rotor was on the
side opposite the reflecting rotor meant that it was vulnerable to an isomorph attack.
But the isomorph attack had to be modified from that used on a Hebern machine, in the
obvious way.

Both the probable plaintext and the ciphertext had to be put through the fast rotor, and
it was the two results that had to match, that is, be monalphabetic encipherments of one
another, having repeated letters in the same places.

Since a rotor can be in 26 different positions, changing both the input and output
letters, one needs 26 different strips. Each strip shows, for one particular input letter,
the possible output letters for each position of the rotor.

Thus, if a rotor is wired as follows:

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
E K M F L G D Q V Z N T O W Y H X U S P A I B R C J

the strip for the letter A would contain the sequence

E J K C H...

and the strip for the letter B would contain the sequence

K L D I...

since in the A position of the rotor, A becomes E, the A strip begins with E. When the
B contact, that takes B to K in the A position, is moved back to the A position, then it
will take A to the letter before K, or J. Similarly, when the C contact is moved two
positions back, its destination, the M contact, is moved two places back to K. Of
course, the strips might also be prepared for the rotor moving the other way, with the
letters in reverse order.

The strips will have their sequences of letters repeated twice; one chooses the strips
which correspond to plaintext and ciphertext, and puts them next to one another, but
staggered, because the fast rotor is always moving one step for every letter. Then, the
rows across, between the strips, show the possible encipherments of the plaintext or
ciphertext letters for every starting position of the fast rotor.

Strips with the rotor outputs on them were aligned to produce the results, and thus the
method was called "La Méthode des Bâtons" in French, and in Britain the strips were
called rods, with the repeated letters that matched up called cliques.

The sequence of 26 letters that a rotor would produce from a given letter in different
positions cannot be a scrambled alphabet, with no letter repeated, for reasons seen in
the previous section on the interval method. In the colorful terminology of Bletchley
Park, the duplicated letter on a rod resulting from two wires producing the same
displacement was called a "beetle", and the result of two wires having exactly opposite
displacements was called a "starfish", as recently revealed in papers by C. H. O'D.
Alexander available on Frode Weierud's web page. These papers note, among other
things, that the rods were sometimes used against Enigmas with plugboards as well, in
cases where the indicators could not be interpreted. (Two of the papers, about
something called JNA-20, appear to be about PURPLE or CORAL, even though they
still use the term "Stecker" in reference to its plugboard.)

[Next] [Up/Previous] [Index]

Next
Chapter Start
Skip to Next Section
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]

Attacking the Indicators


As is recounted in the several books and articles recounting the story of the Enigma,
the Germans used two very dangerous indicator systems with it.

First, they started the Enigma, for a given day, with a fixed secret setting, called the
ground setting or Grundstellung. At this setting, the actual starting rotor setting was
repeated twice and enciphered.

Then, still before the war started, while only the Poles were breaking the Enigma, a
change was made. Instead of a secret ground setting, a starting point was picked by the
user at random, and started the message in the clear. Then the starting rotor setting used
for the message itself was again repeated twice and enciphered.

In both cases, the relationship between the two repetitions of the rotor start position
gave too much away.

The Common Ground Setting

In the first case, since one had many messages for a given day, all with the same
ground setting, one could look at the alphabet formed by combining that produced by
the machine at the ground setting with that produced three letters later. This alphabet
was visible in the clear: if a message began VBT RSQ, then V became R in that
compound alphabet.

Essentially, tables could be made of the distinguishing features of the alphabets created
at each starting position. And alphabets had such features, even after the plugboard was
used. These were visible when an alphabet was reduced to 'cycle form': if V becomes
R, then what does R become, and how many steps does it take to get back to V? Any
scrambled alphabet basically divides the alphabet into pieces of various sizes, and
those sizes aren't changed by the plugboard. The cyclometer, used to create these
tables, will be described along with the Bombes in the next section.

The three alphabets derived from a day's intercepts (or three months' intercepts,
actually) had, when reduced to cycle form, some very special properties. Although they
were formed by comparing two encipherments at positions separated by 3, they could
also be thought of, since decipherment and encipherment were the same, as the results
of applying the encipherments at those two positions, one after the other.
This has the following curious result:

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

U V T X R W M I H Z Q P G S Y L K E N C A B F D O J
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

G K R P S Y A J M H B Q I U W D L C E V N T O Z F X

In the pair of reciprocal alphabets shown above, A becomes U, and then U becomes N.
So, in the compound alphabet, A becomes N. Note that U also becomes A in the first
alphabet, and N becomes U in the second, but these don't connect, so the compound
alphabet is not reciprocal.

As noted, in the compound alphabet, A becomes N. Then N becomes (S, then) E, E


becomes (R, then) C, C becomes (T, then) V, V becomes (B, then) K, K becomes (Q,
then) L, L becomes (P, then) D, D becomes (X, then) Z, Z becomes (J, then) H, H
becomes (I, then) M, and M becomes (G, then) A.

So, we have a cycle, involving the letters:

(a n e c v k l d z h m)

What happens if we follow the fate of the letter U, which becomes A in the first
alphabet, just as A became U?

U becomes A, which becomes G. G becomes M, which becomes I. I becomes H, which


becomes J. In starting with the middle letter of each two-step substitution, we simply
go through exactly the same cycle, but in reverse. So we have a second cycle of exactly
the same length, with the letters:

(u g i j x p q b t r s)

Because this sequence consists of the middle letters, taken in reverse order, of the
previous cycle, the individual substitutions can be found at one of the positions these
two sequences have when slid against each other after one is reversed:

A N E C V K L D Z H M
U S R T B Q P X J I G

are all pairs in the first alphabet, and

A N E C V K L D Z H M
G U S R T B Q P X J I

are all pairs in the second.

Because at that stage poorly chosen rotor starting positions, both consisting of adjacent
letters on the keyboard, and also consisting of the same letter repeated three times,
were common, it was possible to eliminate ambiguity in aligning the cycles and
determine the rotor starting positions, without as yet knowing either the alphabet ring
settings, the rotor order, or even the wiring of any rotors.

The Slotted Sheets, or Grilles

Knowing the letters visible in the little windows on the enemy's Enigma was an
accomplishment, but by itself it did not let you read any messages. The Poles did know
the rotor wirings of the Enigma, though. They had not captured a machine, and doing
so in peacetime would have made it obvious that one was missing. Instead, a spy had
given the French, and the French had given them, keys for a period and some matching
plain and enciphered messages, from which they laboriously reconstructed the rotor
wirings and internal connections of the Enigma.

In addition to knowing the initial rotor settings, applying the pencil-and-paper method
noted above provides you with six successive alphabets produced by the Enigma. At
this stage, only a limited number of letters are modified by the plugboard, and the
Enigma had only three rotors to insert in any of six different orders.

If, for the encipherment of the first six letters after the ground setting, the medium rotor
did not move, these alphabets are produced from an inner alphabet, produced by the
medium, slow, and reflecting rotors, at six consecutive positions of the fast rotor.

The grille or slotted sheet method involved sheets with the successive alphabets
produced by one rotor printed on them, which were slid over a piece of paper on which
these six alphabets were written.

If it weren't for the plugboard, negating the fast rotor would produce six identical
alphabets: even with the plugboard, the right position produced six alphabets with
many letters in common, and from the similarities and differences, both the plugboard
settings and the inner permutation could be determined.

The initial rotor settings are known in terms of where the alphabet rings are; now the
ground setting is known in terms of the positions of the rotors themselves. Still more
work needs to be done to read messages: the original Polish Bombe automated that
next step.
Arbitrary Ground Settings

Since the ratchet that allowed one rotor to move the next slower rotor and the alphabet
ring which was used to refer to rotor positions were fixed together, in the second
system it was often possible to determine, since the Enigma's original five rotors all
had their one carry in different positions, which rotor was the fast rotor.

Among the many indicators for a day, there would be some with repeated letters. And
there would be some with the starting positions given in the clear possibly adjacent to
each other. Which positions are adjacent depends on when carries occur. And if the
same letter becomes first N and then V three letters later, and then fails to change from
N to V when it is apparently in the same two positions, then one is mistaken about
when the medium rotor moved.

Combinations where the same letter becomes the same letter in the same message, in
two positions three places different could not always occur, and these indicators, called
"females", eliminated possible indicator settings.

Also useful to Bletchley Park at this stage were "Herivel tips", which were the result of
Enigma operators choosing, after setting up their machine for the day, to use as their
first setting the position of the rotors as they stood, or possibly moving them only a few
places, from the position after setup which meant the rotors were near their initial
positions, and the setting sent in the clear would give away the alphabet ring settings
(either by itself, or in combination with the arbitrary ground settings of other operators
making the same mistake).

The Perforated Sheets

The perforated sheets were one set of 26 square sheets, with punched holes, for each
possible rotor order. They were used when the ground setting was sent in the clear,
followed by two encipherments of the current setting. Each sheet corresponded to the
position of one of the wired rotors (in Poland, apparently the slow one) and the rows
and columns on the sheets corresponded to the positions of the other two rotors. The
rows and columns, except the first one, were repeated twice. A hole was punched in a
sheet whenever a letter would be enciphered to itself by an Enigma with that position
of the three rotors plus an Enigma with the fast rotor three places further ahead.

Since a rotor order is assumed by one's choice of perforated sheet set to use, one can
exclude all indicators in which the medium rotor moved. This is because the ratchet
wheel and the alphabet ring are attached to each other. In practice, unless there is other
information available, one needs to try all 60 rotor orders. And, yes, one also needs to
try 26 stacks of sheets for each rotor order. However, 1560 trials is not an
unmanageable brute-force search, even by manual methods.
One finds numerous indicators with repeated letters in the same position, and places,
one on top of each other, alphabet sheets so staggered as to match the relative
displacements of the ground settings for the different messages. Then, a hole through
the stack of alphabet sheets indicates which position of the wired rotors corresponds to
each of the ground settings.

The Final Period

During the war, the double encipherment of the indicator was eventually abolished.
This increased the reliance of cryptanalysts on a large piece of electrical machinery, the
Bombe. But for a period of time before it became available messages were still
deciphered, as the result of the continuation of the practice of choosing adjacent
keyboard letters, then called "cillies" by the British, (well, they were silly) even if
settings consisting of three identical letters were by then suppressed.

With the Naval Enigma, instead of switching to a single encipherment of the initial
rotor position, the use of a common ground setting was revived; however, the
indicators recieved an additional layer of encryption; the two repeated encipherments
of the initial rotor setting were enciphered by means of a table of digraphs.

If the enciphered starting setting was ABC DEF, then the digraphs that would be
enciphered in the table would be AY BD CE XF where X and Y represent two
additional letters chosen by the encipherer at random; that is, the starting setting was
staggered like this:

A B C X
Y D E F

and the digraphs were taken off by columns.

This would have made the indicators useless for cryptanalysts, except that the digraph
table was not itself part of the daily key. Instead, for one period, a set of nine digraph
tables were used, and only which one was to be used was part of the key that changed
each day. As copies of the digraph tables (which were, for convenience, reciprocal)
were captured, the result was merely that all nine possibilities had to be checked. With
a common ground setting, as noted above if letter 1 was A and letter 4 was D once,
then letter 4 had to be D whenever letter 1 was A, and so one would normally be able,
with 27 messages, to swiftly determine the right table to use.

Had this method been used with the later indicator method used by the other services,
an arbitrary ground setting and a single encipherment, considerably more work would
have been multiplied by a factor of nine, even using the digraph tables that had been
captured. Had the digraph tables been changed more often, that too would have
diminished the usefulness of the indicators, but by then the advanced Bombes in use
eliminated the need to break the indicator system; it would have meant more work, but
their Engima messages would not have become inviolate.

[Next] [Up] [Previous] [Index]

Next
Chapter Start
Skip to Next Section
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]

The Bombe
The Bombe, in its various forms, was a device containing multiple sets of Enigma
rotors that rotated quickly to try all possible positions of the rotors.

Because the Enigma had a plugboard, and because no simple relay circuit would
recognize valid German-language text, even having a device of that nature did not
make it trivial to crack the Enigma machine's cipher. Thus, the Bombe came in
different forms during the life of the cryptanalytic effort against the Enigma.

The Cyclometer

The cyclometer was the first modified Enigma mechanism used in cracking Enigma
ciphers, but it was used to prepare tables in advance, rather than working on
information from a specific day's intercepts.

It consisted of two sets of Enigma rotors connected so as to face one another, and
positioned so that the fast rotor was three positions different in the two sets, the other
rotors being in the same position. A keyboard and lights was also connected to the 26
wires between the rotor sets. A key did not disconnect the light corresponding to it.

The rotors were manually stepped. For each position, one depressed a key, and noted
how many lights lit up, and then depressed a key corresponding to a light that hadn't
yet lit up for that position, until all the letters were divided into groups of different size.

The table thus generated was useful when the indicators of the Enigma were
enciphered twice according to a common ground setting for the entire day.

From the messages intercepted, one could form alphabets based on the indicators.
Since the ground setting was always the same, if the first letter of the starting setting
chosen by the operator was A, the same two alphabets would be applied to it at the
ground setting position and the position three letters later, and so if the indicator was
X-- Q-- for one message, it would be in the form X-- Q-- for every message where A
was the first letter of the starting setting.

Thus, one could compile an alphabet in which X became Q, and so on.

The pattern of that alphabet which would survive changes in the plugboard settings was
its cycle decomposition. That is, an alphabet might be made up of three letters that
stayed the same, two pairs of letters swapped with each other, one group of three letters
in which each letter was replaced by the next one, and so on.

The characteristics of the three alphabets produced from a days indicators would match
three consecutive alphabets in the table produced by the cyclometer, unless the ground
setting was chosen so that the medium rotor moved during the first six letters.

The Polish Bombe

The original form of the Bombe was designed back when the Enigma only had a set of
three rotors to interchange, and when only three wires were connected to the
plugboard, affecting only six out of 26 letters.

It was used against the doubly-enciphered indicator system of the Enigma during the
period when ground settings were chosen at random by the operator, and sent in the
clear with each message.

If one has two "females", indicators where one letter is repeated in the two
encipherments of the actual rotor starting position, and furthermore, they result in the
same letter and are in different positions, which was a common enough occurence
given the volumes of traffic in use, one could proceed as follows:

Connect a voltage to that contact on four rotor sets. Take these in two pairs, each pair
with positions offset by three, and if both pairs, at the same time, produce the same
output letter (that is, both sets in each pair produce the same letter, but the two pairs
may produce a different one) then one has found the right starting position.

This won't work, however, if the letter found in the ciphertext was changed by the
plugboard. The actual machine had six rotor sets, and could take advantage of finding
the same letter in all three possible positions.

The Turing Bombe

The Turing Bombe exploited the fact that messages sent by the Enigma often included
long stretches of probable plain text, particularly the titles, spelled out in full, of
military officers. Since the Enigma never enciphered a letter to itself, it was possible to
find possible exact alignments for such likely phrases, or "cribs".

Let us suppose that, comparing some probable plaintext to matching ciphertext, we find
the following:

The 4th letter of the crib was a plaintext E that was enciphered to N.
The 8th letter of the crib was a plaintext E that was enciphered to X.

The 19th letter of the crib was a plaintext N that was enciphered to X.

These encipherments form a loop. For some position of the rotors, N becomes E at that
position, and then for the position four steps later, E becomes X, and a further 11
positions later, X goes back to E.

Since the Enigma has a plugboard, instead of N, E, and X, one can only say with
certainty that "some letter" becomes "some other letter", which then becomes "yet
another letter", which then goes back to "the first letter".

So, a Turing Bombe worked this way: the three rotors plus the reflecting rotor of an
Enigma were replaced by seven rotors, with a conventional rotor imitating the
reflecting rotor in the middle. For the loop in the example, one would have three such
sets (machines would be working in parallel for every possible rotor order, so as to
avoid taking time to re-order rotors: in fact, one complete set of all 60 orders
constituted a single Bombe at this point) positioned so that when one set was at the
position it was in for the 4th letter of the crib, the next was in the position 4 steps later,
and the next was in the position 15 steps later.

Each set of rotors was connected to the next set by 26 wires in parallel. A voltage was
applied to one of the wires at one point. That wire was chosen to be the wire for the
actual letter found in the crib, so that if that letter was not changed by the plugboard,
the actual closed loop in the crib would be the only part of the circuit reached by the
voltage, and so each of the 26-wire links would have only one live wire.

Otherwise, when the correct position was reached, even if all 25 other wires in each
link were reached by voltage, the actual closed loop would, being closed, be isolated,
and not get voltage.

So a relay circuit checked the 26 wires at one point in the loop, and halted the Bombe
whenever not all 26 wires had voltage (presumably ignoring the times when the rotors
were between positions).

If the notches that caused one wheel to move the next slower wheel had been fixed to
the rotor body, the Turing Bombe would have been simpler to understand, and would
always have worked, since then for any position of the wired rotors, the position of the
rotors a certain number of steps later would be known.

Since the notches were in fact fixed to the alphabet wheel, what was done instead was
to perform the carry from the fast wheel to the medium wheel, and one from the
medium wheel to the slow wheel, at only one position in the apparatus, with
corresponding wheels in all rotor sets linked together. If only the fast wheel was
displaced between rotor sets, the machine worked if the medium wheel did not move
anywhere inside the crib.

One could also displace the medium wheel by one place in some rotor sets to try
different assumptions about where the medium wheel moved.

It might be noted that, since we don't care which letter our test letter was taken to by
the plugboard, a relative displacement of the whole rotor set would make no difference.
Since the reflecting rotor could not even be moved to alternate positions by hand,
however, different rotor positions were absolute, not relative. But if the reflecting rotor
had been settable, the Bombe would not have had to run 26 times longer.

In the example, only a single closed loop was taken from a crib. In fact, a single closed
loop would have stopped the Turing Bombe with too many false alarms, and thus this
Bombe had more than three rotor sets, and was used with cribs that gave more than one
loop, with the loops connected to each other.

The Diagonal Board

The Turing Bombe, as noted, simply looked for cases where some letter became some
other letter, and so on. But the cribs also included information about which letter
became which other letter. Despite the plugboard, there was a way to make use of this
information, and that way was the diagonal board.

Let us begin with the simple 3-letter loop used as an example above: N becomes E
becomes X becomes N.

Let us suppose that E was not modified by the plugboard, for ease of understanding,
and so we apply our voltage to the wire corresponding to E at the point corresponding
to where we encountered E in the plaintext and ciphertext.

Then, E might become X at the point corresponding to X.

On the other hand, X might have been affected by the plugboard. If so, E will become
some other letter, which will become either N or some other letter, which becomes E
again.

Suppose E becomes N, at the point where X was expected.

This means that X and N were switched by the plugboard, and so this N had better
become an X at the point N is expected. Otherwise, an impossible plugboard
arrangement is required, and so the apparent successful hit is a false alarm.
The diagonal board was used to cover all the possibilities of an inconsistency like this.
It was a square matrix of sockets, wired so that column P in the Q row was wired to
row P in the Q column, for every two different letters in addition to P and Q.

The 26 wires for any position in a crib were also connected to the row of the diagonal
board corresponding to the plaintext and/or ciphertext letter that was seen at that
position of the crib. Current going through the wire for that actual letter was not
connected anywhere, but current for a different letter was connected to the row for that
different letter being seen, at the position where the original letter would be actually
encountered.

This provided additional connections. Yet, if the voltage entered the setup at the correct
position, the closed circuit was not extended to other wires; so, if the voltage entered at
another position, the closed circuit still recieved no voltage.

Thus, the Bombe still worked as before, except that it automatically ignored many of
the false alarms for which it had previously stopped.

The "Machine Gun"

An additional device attached to the Turing Bombe to eliminate additional false alarms
performed the following function:

When not all the wires were live, if all the wires but one were live, the voltage was
redirected to that one wire.

Then, all the different letters of the crib were scanned, to ensure that no two letters in
the crib (including both its plaintext and ciphertext forms) which were different would
have had to have been brought to the same letter, instead of to different letters, by the
plugboard for the current bombe position to be valid.

Autoscritcher

Thanks to a Cryptologia article by Cipher A. Deavours, and an earlier paper in IEEE


Annals of the History of Computing, the equipment used for dealing with the rewirable
reflecting rotor has been unveiled as well, at least in part.

For this device, a crib is required where, at several positions, the same plaintext letter
has become the same ciphertext letter.

A Bombe with sets of the three regular rotors only is used to find positions consistent
with this. As the letters can be displaced by the plugboard, all possible pairs of
plaintext and ciphertext letters are tried by external circuitry for each position of the
fast rotor. However, a very good crib is needed for there to be enough detectable
inconsistencies for such an approach to be useful; the article itself notes that the
description must still be incomplete.

Incidentally, I recently found that this page has a very good description of how the
Bombe worked as well.

[Next] [Up] [Previous] [Index]

Next
Chapter Start
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]

The ECM Mark II, also known as SIGABA,


M-134-C, and CSP-889
During World War II, the United States used a rotor machine which was so well
designed that it appears to be immune to any kind of cryptanalysis other than a brute
force attack, offering security somewhat comparable to that which DES very much
later made available in the civilian sector. (Since writing these words, I have noted that,
if one had over a dozen messages enciphered at the same initial rotor setting, which
would be unlikely in practice, it is possible to compare different alphabets produced by
the machine and obtain at least some information about the rotor wirings. From there,
the technique used by Frank Rowlett against the M-228 might allow further progress.)

This machine was originally called the ECM Mark II within the predecessor of the
NSA that developed it. The ECM Mark I was a machine developed by Edward Hebern,
and the ECM Mark III was a machine that, like the Mark II, had irregular rotor
movement, but which achieved it by a simpler system. Edward Hebern was involved
with the development of both the ECM Mark I and the ECM Mark III, while the ECM
Mark II, our present subject, was developed entirely within the U.S. Government. Its
basic principles were originiated within the Army Security Agency, but its the ECM
Mark II itself, in its specific form, was developed within the U.S. Navy.

The basic principle of the SIGABA that made it so strong is the use of additional
rotors, rather than gears, to control the movement of the rotors used to encrypt a
message.

As this excellent design has, very recently, been declassified in its entirety, it has
become possible for you and I to examine and admire it.

The SIGABA contains fifteen rotors, ten of which are conventional 26-contact rotors,
and five of which are smaller rotors with only 10 contacts on each side. These rotors
are divided into three groups.

Five 26-contact rotors, called cipher rotors, encipher or decipher the message being
transmitted in the same way as the rotors in a regular Hebern rotor machine. Any of
them can move after a letter is enciphered; their motion is controlled by electrical
signals.

Another five 26-contact rotors are called control rotors. On the input side, the four
contacts (corresponding to the letters F, G, H, and I) get electricity. On the output side,
the contacts are wired together in nine bunches of various sizes, as follows:

1 B 4 FGH 7 PQRST
2 C 5 IJK 8 UVWXYZ
3 DE 6 LMNO 9 A

These rotors move as if they were controlled by conventional gearing (actually,


electromechanical means are also used to move them, for reasons of parts commonality
or due to patent considerations): the middle one moves one space for every letter
enciphered; the one after it (closer to the output side) moves once for every 26 letters,
and the one before the middle rotor moves once for every 676 letters. When a rotor
changes from the letter O to the letter N is when a carry takes place to the next slower
rotor.

The five 10-contact rotors are called the index rotors. They are only set by hand before
starting to use the machine. Nine of their ten inputs are connected to the nine bunches
of contacts which take the output of the control rotors, and the numbers of the bunches
in the table above show which contact recieves the signal from that bunch. Their ten
outputs are connected together in five pairs, each of which supplies the signal which
controls the advance of the cipher rotors.

The following diagram illustrates the wiring of the SIGABA:


Because exactly four inputs to the control rotors recieved a live signal, at most four of
the cipher rotors could step after any letter was enciphered. Since no signal was ever
thrown away, although the number of live signals could be reduced if two were both
wired together, at least one of the cipher rotors had to step each time.

When using the machine, the ten 26-contact rotors were first set to their starting
positions, which were the ones marked by the letter O instead of the ones marked with
the letter A that one might expect, usually with the aid of an automatic feature in the
machine. It could also be done by hand, but if the user was not careful, one of the
control rotors, particularly one of the two on the outside, could be left in a halfway
position, preventing the cipher rotors from ever moving.
The index rotors, however, were set by hand. Setting them was in a sense easier, or at
least less problematical, and for each day there were three different settings for them,
for three different levels of security classification of the message being sent. The order
of the index rotors apparently was at one time changed each day, but during World War
II the procedure was changed to always leave these rotors in order.

The wiring of the index rotors (or at least a wiring used at one time with the index
rotors) is known, and is as follows:

Input
0 1 2 3 4 5 6 7 8 9
Rotor -------------------
1 7 5 9 1 4 8 2 6 3 0
2 3 8 1 0 5 9 2 7 6 4
3 4 0 8 6 1 5 3 2 9 7
4 3 9 8 0 5 2 6 1 7 4
5 6 4 9 7 1 3 5 2 8 0

These rotors are all wired by the interval method. In addition, it is always the interval -
3 that is duplicated (and therefore the interval +2 that is omitted). And furthermore, the
two wires with interval -3 both always start from two contacts which have exactly one
contact between them.

This means that they all belong to one class of the classes into which a program I wrote
to count the number of interval method wirings for rotors of even size divided the
possible wirings into. As it turns out, rotor wirings recorded for the 26-contact rotors of
machines Edward Hebern made for the U.S. Navy to test had the same structure, which
has led me to suspect that this may also have been true of the 26-contact rotors of the
SIGABA, no actual specimens of which (the wirings, not the rotors) have been
preserved. However, the actual wirings of two rotors for SIGCUM, a telecipher
machine, which were recovered by Frank Rowlett during tests of its security have
survived, and have recently been disclosed, and these rotors were not wired according
to the interval method. Since SIGCUM was manufactured by the same contractor as
SIGABA, and it was also contemporary with the later period of the use of SIGABA,
this seems to be more conclusive.

The keyboard on the SIGABA had a row of digits like the keyboard on a regular
typewriter. While the SIGABA didn't encipher messages containing digits, the keys for
the digits 1 through 5 were used, when the machine was switched to a setup mode, to
advance the control rotors. When sending a message, the operator first picked five
letters at random, which were sent with the message as an indicator. Then, starting
from the OOOOO position, using the 1 to 5 keys, the control rotors were moved to
spell out the five letter indicator, starting with the first control rotor (which the 1 key
moved). Although the mechanical gears that usually moved the control rotors were not
active during this setup mode, each time a number key was pressed, the cipher rotors
moved based on the electrical signal travelling through the control and index rotors in
the same way as during normal encipherment. Thus, the indicator specified a position
for the cipher rotors as well as for the control rotors, but the starting position of the
cipher rotors was, in effect, well encrypted.

When messages were enciphered, the space bar could be used on the keyboard, and
caused the letter Z to be enciphered; on the other hand, the Z key as well as the X key
both caused the letter X to be enciphered. Also, the machine inserted a space after
every five letters enciphered for ease of reading for transmission. For decryption, Z
printed as space, thus restoring the spaces in the original message.

In the postwar period, the CSP-889, as the SIGABA was known in the Navy, was
replaced by a modified version, the CSP-2900. This had some interesting differences.

Six, rather than four, inputs to the control rotors were live. These corresponded to the
letters D, E, F, G, H, and I. Since this meant that all five cipher rotors could move at
the same time, cipher rotors 2 and 4 were changed to move backwards when they
moved, so that if all the rotors moved, they still wouldn't all move in step.

The outputs of the control rotors were now gathered in ten bunches instead of nine, and
the largest connected together only four contacts, not six. Also, three control rotor
outputs were left unused, instead of none, as before. Since the number of discarded
outputs was less than six, it was still true that at least one rotor would always move.

The arrangement was:

0 UV 4 FGH 8 WXYZ
1 B 5 IJK 9 A
2 C 6 LMNO
3 DE 7 ST not connected: PQR

This diagram is modified to illustrate the newer form of the ECM Mark II:
Machines of the ECM Mark II type used for a communications link between the
President of the U.S. and the Prime Minister of the U.K., which was called "POTUS-
PRIME", were operated in a fashion that produced additional security. The five cipher
rotors were set by hand, and apparently so were the control rotors, and the settings for
the cipher and control rotors were taken from a list of thirty five-letter groups for use as
either of cipher rotor settings and control rotor settings, with a three-letter codeword
which was pronounceable and had error-correction properties, for each one. (The two
three-letter codewords were combined into a single six-letter group for transmission.)
Thus, the idea of increasing the SIGABA key length by using a ten-letter indicator was
indeed considered, and it was used, along with the other possible way of achieving
ultimate rotor security, a codebook for message indicators, where circumstances
warranted the extra effort.
This link was used during World War II, and the British were not allowed access to the
American cipher machines at their end at that time.

The SIGABA, or the Electric Code Machine Mark II, was developed before World
War II by people from both the U.S. Army and the U.S. Navy. The story of its
development is a somewhat complicated one. The basic idea of electrically-controlled
rotors was originated by W. F. Friedman, who implemented it in the original M-134
machine, which had five rotors that enciphered text, the motion of which was
controlled by a paper tape. A plugboard was included to vary which channel of the
paper tape controlled which rotor. Frank Rowlett then came up with what could be
considered the core concept of the SIGABA: the idea of using rotors to control the
rotors that enciphered text.

At the time, the U.S. Army had limited funding for the development of new cipher
machines, and thus Friedman and Rowlett embodied this new principle in an add-on
device, called the M-229 or SIGGOO, that connected to the M-134. The M-229 had
three rotors. A six-position switch controlled how these rotors moved (shown as a
plugboard with three plugs and sockets in the diagram). Five inputs to these three
rotors, having the role of the control rotors in the SIGABA, were live. The outputs
were connected together in two groups of five and three groups of four. Here is a
diagram of the combined M-134 and M-229:

Meanwhile, this new idea was conveyed to the cryptological department of the U.S.
Navy as well. Laurence F. Safford and Donald J. Seiler developed the Electric Code
Machine Mark II (Mark I was the Hebern rotor machine) which was essentially the
SIGABA in its final form there. For a period during this development, Army-Navy
collaboration was disrupted by other factors, but when channels were reopened, the
Army group recognized that the ECM Mark II was a superior embodiment of their
ideas, and were happy to accept it as a cipher machine for use by both services.

The source for most of the information on this page is the U.S.S. Pampanito web site,
which has an entry in my Links section.

[Next] [Up] [Previous] [Index]

Next
Chapter Start
Skip to Next Section
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]

Miscellaneous Machine Ciphers


This section looks at a number of cipher machines which are more secure than the
relatively simple devices examined in the first section of this chapter, but which still
can be dealt with in less space.

● The Hagelin B-211


● Sweden's HC-9
● LACIDA

[Next] [Up] [Previous] [Index]

Next
Skip to Next Section
Skip to Next Chapter
Chapter Start
Table of Contents
Home Page
[Next] [Up/Previous] [Index]

The Hagelin B-21 and B-211


The Hagelin B-21 makes an interesting use of half rotors for encipherment. It uses a 25-
letter alphabet, and the row and column co-ordinates of each letter are enciphered
separately.

For enciphering, co-ordinate signals entered on the spindle side of a half-rotor with ten
positions. Essentially, it worked like two separate half-rotors with five inputs and
outputs: the odd contacts were wired one way to the five contact strips on the output
side, and the even contacts were wired another way.

The following illustration:

shows how such a half rotor works: the five contact strips on the spindle side are shown
in yellow. Five wires in blue proceed to the rotor side; then these five wires are
connected in a random order to one group of five rotor contacts by green wires, and to
another group by purple wires.

The B-21 had pinwheels of sizes 17, 19, 21, and 23. These advanced one step for each
letter enciphered. An OR (not an XOR), between two pinwheels caused each half rotor
to move one step if the result was a 1.

The B-211, in addition to printing its output on a strip of paper, had two plugboards
with five plugs and five sockets to scramble the five outputs taken from the half rotors.
The arrangement of the B-211 is illustrated below:

The French military used a variation of the B-21 which had a second pair of half rotors.
The extra pair of half-rotors had fifteen rather than ten positions.

[Next] [Up/Previous] [Index]

Next
Chapter Start
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]

The HC-9
The HC-9 is a handheld mechanical cipher machine used by the Swedish armed forces
during the postwar era.

It is of some interest in that, although it operates by a completely different principle, it


and the original version of the Hagelin lug and pin machine are the only secure modern
cipher machines that are both very compact and of all-mechanical construction.

It behaves as if it contained five pinwheels, of sizes 29, 31, 33, 34, and 35. Each
"pinwheel" advances one space for every letter enciphered, and their outputs are used
to select one of sixteen cipher alphabets as follows: four bits are formed from the five
bits presented by the five sequences by taking the XOR of each pair of adjacent bits.

This result is treated as a four-bit number. Thus, the XOR of the bits from the 29-bit
and 31-bit sequences controls displacing the list of alphabets by eight places.

But instead of pinwheels, the sequences are supplied by a punched card, which sits in
the device and whose large round holes are sensed by little metal fingers inside the
device.

Another replaceable card inside the device gives the sixteen alphabets in use. These
alphabets were all chosen to be reciprocal in practice for ease of use.

[Next] [Up] [Previous] [Index]

Next
Skip to Next Chapter
Chapter Start
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]

LACIDA
LACIDA, a rotor machine developed in Poland, uses conventional rotors, like a Hebern
machine. However, it is unusual in that its moving rotors come in three different sizes;
with 24, 31, and 35 contacts.

These rotors each move one step with every character enciphered, thus providing a
period of 24*31*35, or characters.

The input alphabet consists of the alphabet with the letters Q and V omitted; the output
alphabet uses all the letters, and all the digits except zero.

The conversion between 24 contacts and 31 contacts, and the conversion between 31
contacts and 35 contacts, are claimed, in the accounts I have read, to be accomplished
by stators: rotors that don't move during encipherment, but which can be set initially to
any position. (The rotors and stators are marked with the alphabet from A to Z, and at
most 26 initial positions are used with any rotor.) In addition, an extra 35 contact rotor
is used as a stator on exit. Originally, I thought that rather odd, as it seemed to require
rotors made of rubber, but because mechanically, the rotors are similar to those of the
Enigma, in that they contain one set of spring-loaded contacts, and a flange that serves
as a gear, upon further reflection I realized that the conversion stators were possible,
and would probably be achieved by placing the teeth on their gear flange at somewhat
irregular positions.

[Next] [Up] [Previous] [Index]

Next
Skip to Next Chapter
Chapter Start
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]

Conclusions for Chapter 2


Here, we have met a series of cipher systems that are fascinating in their intricacy. Most of them, however, share
many common features.

The Hill Cipher and the Bazeries Cylinder are the unusual members of this group in that they deal with several
characters at once.

Putting them aside, the other designs reflect the relative difficulty of incorporating any kind of memory in a simple
electrical or mechanical device.

Rotor machine usage illustrates an elaboration of the concept of a key to a cipher system. In addition to a general
method of enciphering, cipher systems require a key that is easily changed. This allows many messages to be sent in
a given system, while the number of messages enciphered in exactly the same way is kept limited by varying the key.

In the case of rotor machines, the key is split up into three parts, which are treated differently.

There are the rotor wirings. These are difficult to change, but they are worth keeping secret, and do need to be varied
periodically.

The order of rotors in the machine, and other settings depending on the type of the machine (index rotor settings in
the SIGABA, plugboard and alphabet ring settings in the Enigma) are changed perhaps each day, on the basis of a list
of daily keys which is distributed once a month.

The initial setting of rotors for a given message is also a part of the key. This part, however, is sent with the message,
perhaps in some way encrypted, as it is chosen randomly for each message by the operator of the rotor machine. (It is
often termed a message indicator, which is prefixed to a message along with a system indicator which identifies the
particular type of cipher used or the particular family of keys used.)

This same kind of multi-level key structure can be found in modern block ciphers, despite the fact that they operate
on very different principles. The contents of S-boxes can be thought of as at least potentially subject to change, and
therefore as corresponding to rotor wirings. The key proper is secret, and must be somehow distributed like a rotor
order. For many block cipher modes, an initialization vector is required, which functions like a message indicator.

Thus, rotor ciphers illustrate how care must be taken, for a system that will be used widely, to limit the number of
messages that will be sent with the same key, and to vary as much of the key as often as is feasible. So, the parts of
the key that are harder to vary are varied less often.

The different strengths of the different types of rotor cipher also teach us something about good cipher design.

The fact that the SIGABA stands head and shoulders above the other devices here illustrates the importance of
allowing elements in a cipher design to have the power to scramble the plaintext, and yet having these elements do so
in an indirect way, so that even with matching plaintext and ciphertext, their values are hard to determine.

The Enigma and the Bazeries cylinder shared a very serious weakness; since no letter can represent itself, it is easy to
align probable plaintext with enciphered messages. One apparently simple way to eliminate this weakness would be
to use columnar transposition on the ciphertext produced by such a device.

While that would create a very strong cipher, since the ciphertext produced by a Bazeries cylinder, let alone an
Enigma, is so scrambled that it would seem there would be little in the way of clues for breaking the transposition
cipher, such methods do not tend to be often used. That is because a pencil and paper transposition cipher is tedious
to perform, thus negating the advantage of using a machine for cryptography in making encryption quick and
efficient. Also, encrypted messages are often sent over the radio in Morse code. The problems caused by garbled
letters are magnified by a cipher of this type. However, as long as cipher letters are transmitted in five-letter groups,
and the total number of letters in a message is sent with every message, a garbled letter in the ciphertext would still
imply only one garbled letter in the plaintext, so such a method is not completely impractical.

For two of the systems covered in this chapter, an interesting question arises for the first time. For the Bazeries
cylinder, instead of a random arrangement of letters on the disks, a Latin square is used to improve resistance to the
de Viaris attack. For rotor machines, rotors wired according to the interval method may be used, to maximize the
variety in the alphabets produced by each rotor as it rotates.

The question arises: is good better than random? One way to look at it is to view any constraints on permutations as
part of the system of a cipher, part of what is needed for it to work properly; and to compare the cipher in that form to
one without the constraint, to evaluate whether a larger choice of keys, or the possibility of a design weakness
without the constraint, is a more serious problem.

While these examples seem to be ones in which the use of an optimum sequence is justified, there can be cases where
the reverse is true.

Sometimes, fairly poor sequences are used for paper-and-pencil digraph encipherment tables. Instead of an
arrangement of all 676 digraphs, one winds up performing an encipherment which is equivalent to reversing every
pair of letters, and then alternating between two cipher alphabets.

Obviously, a random table of digraphs is much better than this. One might not be sacrificing much if one used a table
that was reciprocal, since otherwise one would need two tables, one for enciphering and one for deciphering.

The advantage of a random table is that changing one cipher letter almost always changes both cipher letters.

It is possible to use a special form of table where changing one cipher letter is guaranteed to change both cipher
letters:

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
A aa xe bq wx hn qs my cm jn td zc yr di sl vw nz gu ck ep lo fj kf pb ut rg iv
B qc bb xf cr ax io rt ny dn ko ue zd ys ej tm wa oz hv dl fq mp gk lg vu sh jw
C mh rd cc xg ds bx jp su oy eo lp vf ze yt fk un ab pz iw em gr nq hl wv ti ka
D im ni se dd xh et cx kq tv py fp mq wg zf yu gl vo bc qz ja fn hs or aw uj lb
E ps jn oj tf ee xi fu dx lr uw qy gq nr ah zg yv hm wp cd rz kb go it ba vk mc
F ju qt ko pk ug ff xj gv ex ms va ry hr os bi zh yw in aq de sz lc hp cb wl nd
G iq kv ru lp ql vh gg xk hw fx nt wb sy is pt cj zi ya jo br ef tz md dc am oe
H ne jr lw sv mq rm wi hh xl ia gx ou ac ty jt qu dk zj yb kp cs fg uz ed bn pf
I vz of ks ma tw nr sn aj ii xm jb hx pv bd uy ku rv el zk yc lq dt gh fe co qg
J hi wz pg lt nb ua os to bk jj xn kc ix qw ce vy lv sw fm zl yd mr eu gf dp rh
K fv ij az qh mu oc vb pt up cl kk xo ld jx ra df wy mw ta gn zm ye ns hg eq si
L ot gw jk bz ri nv pd wc qu vq dm ll xp me kx sb eg ay na ub ho zn yf ih fr tj
M yg pu ha kl cz sj ow qe ad rv wr en mm xq nf lx tc fh by ob vc ip zo ji gs uk
N zp yh qv ib lm dz tk pa rf be sw as fo nn xr og mx ud gi cy pc wd jq kj ht vl
O kr zq yi rw jc mn ez ul qb sg cf ta bt gp oo xs ph nx ve hj dy qd ae lk iu wm
P bf ls zr yj sa kd no fz vm rc th dg ub cu hq pp xt qi ox wf ik ey re ml jv an
Q sf cg mt zs yk tb le op gz wn sd ui eh vc dv ir qq xu rj px ag jl fy nm kw bo
R gy tg dh nu zt yl uc mf pq hz ao te vj fi wd ew js rr xv sk qx bh km on la cp
S ln hy uh ei ov zu ym vd ng qr iz bp uf wk gj ae fa kt ss xw tl rx ci po mb dq
T dj mo iy vi fj pw zv yn we oh rs jz cq vg al hk bf gb lu tt xa um sx qp nc er
U tx ek np jy wj gk qa zw yo af pi st kz dr wh bm il cg hc mv uu xb vn rq od fs
V wo ux fl oq ky ak hl rb za yp bg qj tu lz es ai cn jm dh id nw vv xc sr pe gt
W xd ap vx gm pr ly bl im sc zb yq ch rk uv mz ft bj do kn ei je oa ww ts qf hu
X eb fc gd he if jg kh li mj nk ol pm qn ro sp tq ur vs wt au bv cw da xx yy zz
Y rl sm tn uo vp wq ar bs ct du ev fw ga hb ic jd ke lf mg nh oi pj qk yz zx xy
Z ck dl em fn go hp iq jr ks lt mu nv ow pa qb rc sd te uf vg wh ai bj zy xz yx

The digraphs in this table form a Graeco-Latin square of order 26. Something that Euler conjectured was impossible.
A Graeco-Latin square of order 6 is impossible. For larger numbers of the form 4n+2 for some integer n, a special
construction is required to create Graeco-Latin squares, which was only discovered in 1960. The square shown above
is, of course, constructed according to the method given in the original paper by Bose, Shirikande, and Parker.

While the Graeco-Latin square above could be dressed up to make it look more random, by applying a simple letter
substitution to its contents (three letters are special, but they don't have to be x, y, and z) and rearranging rows and
columns, it would seem that choosing such a square, instead of a random one, for a digraphic substitution would not
be a sensible idea.

However, as a mixing step, perhaps even an unkeyed mixing step, inside a block cipher with a long key in other
areas, Graeco-Latin squares may still be useful. This, in fact, is the subject of a patent for a technique called Balanced
Block Mixing, held by Terry Ritter. Also note that odd order, or order 4n, both allow a much larger number of
Graeco-Latin squares than order 4n+2.

Next, we can look at some elaborate rotor machine designs that combine the principles and original ideas of the rotor
machine designs we have examined in this chapter.

● Fantastic Rotor Machines


● Child's Play
● Irregular Rotor Movement

[Next] [Up] [Previous] [Index]

Next
Chapter Start
Table of Contents
Main Page
[Next] [Up/Previous] [Index]

Fantastic Rotor Machines


Of course, many different encryption principles have been seen in the devices covered in this chapter. One could
imagine combining many of these techniques in a single elaborate device, such as the following:

The heart of this device is two pairs of two half rotors, each pair with one with five inputs and ten outputs and
one with five inputs and fifteen outputs, as in the improved French version of the B-211.

The coordinates for each letter of the alphabet are varied by preceding and following that part of the device by
three conventional rotors. Almost conventional, that is, since these rotors all have two duplicate concentric sets
of wiring, so that each letter is connected to its home in both row and column. Note that since these rotors have
26 positions, one letter bypasses the B-21 -like part of the device.

And to top it all off, these six rotors are advanced by means of a SIGABA-like setup. Obviously too bulky and
expensive to build out of real electromagnetic components, and yet fascinating.

Here is an example of an interesting rotor machine design using some of the ideas suggested by the design of the
Uhr Box:
The arrangement for rotor motion is of interest. With each letter enciphered, a pinwheel is used to select whether
rotor 2 or rotor 4 moves. Rotor 3 moves whenever a notch on either of those rotors is advanced, and then it
advances rotor 5, which advances rotor 1, normally. Given multinotched rotors, this produces a fairly irregular
movement with only one pinwheel.

However, the main unusual feature of the design is the way the rotors are wired.

As may not be readily apparent from the diagram, unless you are familiar with the conventions I've used in
previous diagrams in this chapter, the rotors have two concentric rings of 26 contacts on each side.

Rotors 1, 2, 4, and 5 are wired like this:

● The 26 contacts in the outer ring on one side are connected in a jumbled fashion to the 26 contacts in the
outer ring on the other side.
● The 26 contacts in the inner rings are divided into 13 odd contacts and 13 even contacts. The 13 odd
contacts in the inner ring on one side are connected in a jumbled fashion to the 13 odd contacts in the
inner ring on the other side, and the same applies to the 13 even contacts on both sides.

The middle rotor connects the 26 contacts in the outer ring on one side to the 13 odd contacts of the inner rings
on both sides, and the 26 contacts in the outer ring on the other side to the 13 even contacts of the inner rings on
both sides.

Plaintext enters through the contacts on the outer ring on the left side of the rotor stack, and ciphertext leaves
through the contacts on the outer ring on the right side.

On each side of the rotor stack, a plugboard controls the reflection of the odd contacts of the inner ring to the
even contacts of the inner ring.

When a letter is enciphered, its signal first passes through the outer rings of rotors 1 and 2 in a normal rotor
machine fashion.

Then, rotor 3 sends the signal through the inner rings, either of rotors 2 and 1 or of rotors 4 and 5, through their
odd (or even) contacts, to be reflected back through the even (or odd) contacts of rotors 1 and 2 or rotors 5 and 4.

And then rotor 3 takes the reflected signal, and sends it through the outer rings of rotors 4 and 5 to continue in a
normal rotor machine fashion.

There is some potential for additional flexibility in the design; for example, it would still work if the two
plugboards were cross-wired (but not if they were merged into one), and the specially-wired rotor used as rotor 3
does not absolutely have to be in the central position.
In the section on the Enigma, I noted that if one shorted the indicator lights with diodes, it would be possible to
attach the rotors to the lamps instead of the keys. This would allow one to design an Enigma in which the rotors
could be switched from being connected to the keys or the lamps, so that a plugboard could be placed between
the keys and the lamps. In this way, enciphering and deciphering would both be possible, but a letter could
represent itself.

This diagram illustrates how this principle could be taken to its ultimate conclusion. On the left hand side of the
keyboard and lampboard, a letter is being shown as being enciphered, and on the right hand side a letter is shown
as being deciphered. Note how the polarity needs to be taken into account in enciphering mode, so that the
diodes across the lamps do not prevent normal Enigma-like operation.

Here are a couple of other attempts to construct elaborate rotor machines combining principles we've seen in
previous examples. The first also uses rotors with two concentric rings of 26 contacts, but this time the two sets
of contacts are wired differently, not in parallel.
The cipher rotors act a bit like those in the Enigma; the plaintext letter causes electricity to go from left to right,
and then the signal returns, going right to left, to produce the ciphertext letter. However, the returning signal uses
the second set of contacts, and so the cipher is not reciprocal.

The general structure of the machine is like the SIGABA; but the extra set of contacts in the control rotors is
used to provide an ever-changing "reflecting rotor" for the cipher rotors.

The following (originally done for use as a background, with different colors) illustrates a double-sized
SIGABA. However, five of the signals controlling the ten cipher rotors are created somewhat differently, using a
method from a rotor-based telecipher machine, the SIGCUM, which we will encounter later.
The five new control signals have some poor properties, but they nicely complement the SIGABA-type ones,
since they have an exact 50% probability of being active.

Changing the wiring a bit (and making more rotors electrically controlled) gives us this:

While it has the drawback that the SIGABA-style superior control rotors may occasionally remain immobile,
because only the SIGCUM-style ones have unused output contacts, this design causes five of the ten cipher
rotors to be controlled by a set of control rotors (the SIGABA-style ones) that are themselves controlled by
control rotors (the SIGCUM-style ones) also used to directly control the other five cipher rotors. Not explicit in
the diagram is a timing issue requiring a more basic redesign; in the original SIGABA, the cipher rotors move in
response to the control rotor position at one time, and the control rotors advance at another time, requiring two
clock phases; as the SIGABA-style control rotors can't move simultaneously with either the SIGCUM-style
control rotors or with the cipher rotors, we now need three clock phases.

A simpler construct, based on the SIGABA, is illustrated below:

which is simply how I, and perhaps others, imagined the SIGABA might have worked after reading a brief
description of it by David Kahn from about 1980, and seeing the first pictures of it that were released some years
later. Since the actual design didn't involve the five ten-contact rotors moving, this design would have been even
more expensive to build.

[Next] [Up/Previous] [Index]

Next
Chapter Start
Skip to Next Chapter
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]

Child's Play
The M-134 and the M-229, as described in the section on the SIGABA rotor machine,
have suggested to me the idea of a very flexible style of rotor machine, one which
could even be used, if made from plastic, as an educational children's toy!

As a toy, the heart of it would be three rotor machines of the type diagrammmed below.

These machines consist of a bank of five rotors. At each end, there is a plugboard like
that of the Enigma, but using standard phono plugs. Beyond the plugboard, on each
side, there is a 26-contact connector used to connect a keyboard and a lampboard, only
one of each being included in the set. The keyboard would also have a 26-contact
connector; plugging the lampboard into that connector would allow the Enigma to be
simulated.

The machine would use rotors that have plastic slip rings on the outside with bumps to
control rotor motion, signalling a carry from one rotor to the other. The rotors and the
rings would both be reversible.

The complement of rotors provided would be:

● Four unnumbered dummy rotors, wired straight through. (white)


● Six randomly wired rotors in two sets of three identical rotors, numbered from 1
to 2. (grey)
● Six randomly wired rotors in three sets of two identical rotors, numbered from 3
to 5. (grey)
● Ten randomly wired rotors, each of which is different, numbered from 6 to 15.
(grey)
● Five rotors wired by the interval method, each of which is different, numbered
from 16 to 20. (red)
● Three identical reflecting rotors, which have no contacts on one side, but which
otherwise fit in the same space as a regular rotor. (green)
● Three rotors with a symmetrical wiring that produces the same permutation
going through the rotor as is provided by reflection in the reflecting rotor. (blue)
● Six rotors in two sets of three identical rotors, wired so as to be mirror images of
the grey rotors numbered 1 and 2, also numbered from 1 to 2. (purple)

All the slip rings would have only one bump on one side. They would have multiple
bumps on the other side, and there they would differ.

● Five identical slip rings, with three bumps on the other side. (yellow)
● Five slip rings, with five bumps on the other side, each one having a different
arrangement, and numbered from 1 to 5. (green)
● Five identical slip rings, with seven bumps on the other side. (blue)

As noted, the plugboards on the device use phono plugs, and work like that on the
Enigma, so that straight-through wiring is the default when no plugs are inserted.

The cables provided with the machine will have the forms illustrated in this diagram:

Although it may not be obvious, the first cable crosses over the two parts of the
contact. The complement of cables would be:

● 52 cables with phono plugs at both ends, with crossover wiring like those of the
Enigma. (grey)
● 52 cables with phono plugs at both ends, and parallel wiring. These will
primarily be used when connecting different machines together. (red)
● 93 cables with a phono plug at one end, accompanied by a socket for a banana
plug, and a stackable banana plug (like the ones on cables made by Pomona
Electronics) on the other end. These allow arbitrary permutations to be set up.
93 is 78 plus 18, so that one set is provided for each machine, plus six extra for
the wheel advance section, with its smaller plugboard using the same connector.

The kit would include plans for many projects, starting with a Hebern rotor machine,
going on to an Engima, and then the SIGABA, and even a small Turing bombe for use
against a two-rotor Enigma. (Maybe that would require some additional pieces not
mentioned here. And, of course, I'd have to come up with a way to manufacture an
economical diagonal board.)

U. S. Patent 6097812 has recently been granted on the design used in the M-138 (and
M-138-T2 and M-138-A) cipher machine, and this design combines the M-138 with
the M-228 and M-229, and hence is likely to be affected by this patent.

[Next] [Up] [Previous] [Index]

Next
Skip to Next Chapter
Chapter Start
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]

Irregular Rotor Movement


In this chapter, we have seen some examples of rotor machines with very irregular rotor movements.

The SIGABA achieved very irregular rotor movement by a uniquely strong method, using the changing jumbled
maze of wires in a part equivalent to a complete conventional rotor machine to supply electrical signals
controlling the seemingly random stepping of rotors in what amounted to a second conventional rotor machine for
enciphering the letters of the text.

The Swiss NEMA cipher machine achieved irregular rotor movement by accompanying each rotor with an
adjacent rotating ring, which had notches on it that inhibited that rotor's movement. The rings always moved,
except for two rings that were sometimes prevented from moving by a second set of notches on the first rotor's
ring.

Also, U. S. Patent 4,143,978, filed on May 4, 1938, but only issued on March 13, 1979, with inventors Bern
Anderson and Donald J. Seiler, describes a machine which made use of five pinwheels with 25 positions to control
the five rotors with 26 positions. This patent appears to be for the ECM Mark I, which was the design which
preceded the ECM Mark II, also known as the SIGABA.

And, of course, the Enigma A and Enigma B had a very irregular rotor movement at the dawn of the rotor era, by
having each rotor controlled by its own cam, and each cam having a number of positions relatively prime to all the
others. Had the cams been resettable pinwheels, the design would have been quite impressive indeed.

Descriptions of a later rotor machine imply that it achieved irregular rotor stepping based on a principle we will
see later in the descriptions of the Siemens T-52d and T-52e Geheimschreiber telecipher machines:

Given three or more pinwheels or cams, each of which produces a sequence of binary bits as it rotates, bits from
each pinwheel (perhaps sensed at a different position on the cam than the bits used for the purpose of
encipherment) could be used to control the movement of other pinwheels.

Although this seems like a compromise of the potential security of a rotor machine, using the rotors to step
themselves instead of having a separate set of pinwheels or cams to control stepping has the major advantage of
making it simpler to set up the machine for an encipherment.

But if one tries to do this in the simplest way, just using one pinwheel to cause another to step, what is there to
prevent all the pinwheels from coming to a position where they are producing a zero value for their stepping
output, so that they will all stay in one position thereafter?

The Siemens Gehemschreiber prevented this by a scheme that looked something like this, illustrated with five
cams labelled A, B, C, D, and E:

A steps if D or (not E)
B steps if E or (not A)
C steps if A or (not B)
D steps if B or (not C)
E steps if C or (not D)

In this illustration, the output from each cam forces the stepping of one other cam, and the complement of that
output forces the stepping of a third cam. This ensures that some stepping will always take place.

In this case, as the bits from the cams are also used to encipher a binary signal by being XORed with it, active and
inactive positions on the cams need to be close to equal in number. Since each cam steps based on the OR of two
inputs, this means that the cams step about 3/4 of the time.

Since outputs from those cams are used for encipherment as well, they should step almost all the time. While
occasional failures to step can make the bit sequence irregular, bits that do not change also allow plaintext patterns
to be visible.

The Lorenz Schlusselzusatz, which used two sets of five pinwheels, one which always moved, and another set
which moved, or remained still, in unison, half the time either way, based on a more conventional scheme
involving control from two other pinwheels, was cryptanalyzed with the aid of the early electronic calculating
device COLOSSUS partly because the patterns of the constantly moving pinwheels were visible when the other
ones did not move. (The fact that 5-level teleprinter code is designed so that 0 bits strongly outnumber 1 bits, to
prevent mechanical wear and tear and to make paper tape less fragile, also was an important factor.)

In a rotor machine, however, moving even one rotor completely scrambles the cipher alphabet it provides. If each
rotor moved with probability 1/2, then each new alphabet would be from the largest and most uncertain possible
set of alternatives.

Could the principle used in the T-52 be modified to produce movement with probability 1/2, and yet still ensure
continual movement which will not cease to involve any of the rotors?

The first scheme I came up with to do this is illustrated by the following diagram:

It may be easier to understand with the diagram shown below and to the right:

Using seven rotors in this example, I first start with four live inputs,
which are turned into eight outputs having a 50-50 chance of being
live by being redirected by the active teeth on four of the rotors.

This is shown in the diagrams above and to the right by a red wire,
carrying a live input from the power supply, being switched to four of
eight wires by four switches, each controlled by a rotor. In the
diagram to the right, this is the first layer of the circuit, shown in the
leftmost column.

Then, six of these eight signals, in pairs from different rotors, are
swapped (or not) under the control of three other rotors.

One of the two remaining signals is selected by means of an extra pole


in the switch under one of the first four rotors.
The swapping and the selection is always done under the control of a
rotor which was not involved in determining if either signal used as
input was live. The color scheme in the diagrams is chosen to make
that clear. In the diagram to the right, this is the second layer of the
circuit, shown in the middle column.

The seven output signals then control the stepping of the rotors.
Again, as the colors help to make visible, each signal is directed to a
rotor that had no part in its creation, in either the first or the second
layers.

With reference to the color scheme in the diagrams:

Green: Two signals controlled by rotors 1 and 2 are then swapped


under the control of rotor 6. The two resulting signals control the
movement of rotors 4 and 7.

Dark Blue: Two signals controlled by rotors 3 and 4 are then swapped
under the control of rotor 5. The two resulting signals control the
movement of rotors 1 and 6.

Purple: Two signals controlled by rotors 1 and 3 are then swapped under the control of rotor 7. The two resulting
signals control the movement of rotors 2 and 5.

Gray: Two signals controlled by rotors 2 and 4 then have one signal selected from them under the control of rotor
1. The resulting signal controls the movement of rotor 3.

This basic principle, with little change, would work with any odd number of rotors, starting with five.

The specific arrangement in the diagrams shown above was selected to minimize wire crossings in the original
(horizontal) diagram, so that it would be as legible as possible, and, with the rotors labelled in order from left to
right as A, B, C, D, E, F, and G is:

A steps if (D and E) or (C and (not E))


B steps if ((not C) and G) or ((not A) and (not G))
C steps if ((not D) and A) or ((not B) and (not A))
D steps if (B and F) or (A and (not F))
E steps if ((not C) and (not G)) or ((not A) and G)
F steps if (D and (not E)) or (C and E)
G steps if (B and (not F)) or (A and F)

where the control signal different from the others is the one stepping rotor C.

Since we start with eight signals, four of which are active, and swap them in pairs, only in one case selecting only
one of two signals to use, half the time four rotors will advance, and the other half of the time three rotors will
advance.

With an even number of rotors, of course, the same principle could be applied even more simply, without the need
for one control signal to be different from the others.

But many other arrangements are also possible. An arrangement based on a slightly different principle is shown
here:
Here, each rotor is controlled by the OR of the AND of two independent inputs, so, based on each rotor having
half of its teeth present and half of them absent, causing each signal and its complement to be active half the time,
the chance of any one rotor moving on average is 7/16 rather than 1/2.

We start by creating seven signals. To ensure that at least one rotor will always move, two of them are the signal
from one rotor and its complement; the other five are the signals from five other rotors.

Then, we change these seven signals into fourteen signals, by switching them to one of two destinations, and the
output from each of the seven rotors is used to perform one such switch.

Finally, the wired-OR of two of these signals controls one rotor that had no direct part in creating it.

Here, from one to six rotors will always move, creating more possibilities for the next rotor position. However, as
we will see at the start of the following chapter, a 3 out of 7 code contains 35 entries, so with seven rotors rather
than five, having only 3 or 4 rotors move each time already creates more than twice as many possibilities as are
needed.

The actual arrangement in the diagram shown, again chosen for clarity, with the rotors labelled as A, B, C, D, E,
F, and G from left to right, is:

A steps if (B and D) or (E and (not G))


B steps if (C and E) or (F and (not A))
C steps if (D and F) or ((not A) and (not B))
D steps if (E and G) or (A and (not C))
E steps if (F and A) or (B and (not D))
F steps if ((not A) and B) or (C and (not E))
G steps if (A and C) or (D and (not F))

While these arrangements will certainly produce rotor movements that seem jumbled and unpredictable, it is not
immediately clear how long the period of such rotor motions might be; it might be only a few times larger than the
number of positions on a rotor.

Here is an example of a slightly more complicated setup, based on the same general principles.
Essentially, the wiring is the same as the first example, (although the ordering of the connections has been
changed slightly, as indicated by the reversal of the colors green and blue in one portion of the diagram) but in
addition, one signal is created using the scheme in the second example, and a switch controlled by rotor 4
determines whether that signal, shown in dark green, or the normal signal following the pattern of the first
example, shown in purple, is fed to rotor 5.

The sections of the diagram have been labelled.

The first three sections show the switches which operate as in the first example.

Section 1 shows the four switches which, given the live signal as input, produce eight outputs, four of which are
active.

Section 2 shows six switches, wired so as to swap three pairs (shown by blue, green, and purple wires) of signals
from the first four switches.

Section 3 shows one switch, which selects between the two remaining signals from the first four switches to
provide the seventh output signal.

The next two sections show the new wiring which creates an alternate signal that can be used to step rotor 5,
following the principle shown in the second example.

Section 4 shows two switches, fed the live input, which produce two outputs, each of which may be active or not.

Section 5 shows two switches, fed those two outputs, producing two outputs which are only have as likely to be
active, and which are then joined by a wired-OR.

The final section selects the signal to use to advance rotor 5.

Section 6 shows one switch, which selects between the output from section 5 or one of the outputs from section 2.

Again, labelling the rotors from left to right as the letters A through G, the logic of the wiring in the diagram is
equivalent to:

A steps if ((not D) and F) or ((not C) and (not F))


B steps if (C and G) or (A and (not G))
C steps if (B and (not A)) or (D and A)
D steps if ((not B) and E) or ((not A) and (not E))
E steps if (( (C and (not G)) or (A and G) ) and (not D)) or
((((not F) and B) or (G and C) ) and D)
F steps if ((not B) and (not E)) or ((not A) and E)
G steps if ((not D) and (not F)) or ((not C) and F)

Note that the signal controlling the stepping of rotor E is a function of whether an active or inactive tooth position
is found on all six other rotors.

One could even use, with a suitable rearrangement of rotor assignments in one case, the complete wiring
arrangements of both the first and second examples, with their outputs connected together in a wired-OR, and a
single switch controlling whether the live input goes to the first or second circuit. However, even if the first or
second examples would prove too simple, such a drastic remedy should not be required. Instead, the example
above should be sufficiently complex to correct the problem, because although only the stepping of rotor 5 (or E)
is made more complex in this example, it in turn affects the stepping of all the other rotors.

Other arrangements, based on the more conventional scheme of moving rotors like the wheels on an odometer,
which guarantees the maximum possible period, could be produced which also result in a fairly irregular
movement of the rotors.

Incidentally, before proceeding, it is very important to clarify the difference between the situation which I have

denoted in my schematic diagrams by and the situation which I denote by in a diagram. In the first

case, a tooth on one rotor causes another rotor to move only once, when the first rotor moves into the position
distinguished by that tooth. In the second case, a tooth on one pinwheel, or cam, or even a rotor, causes the next
one to move with the encipherment of each letter for as long as the first pinwheel remains in the position
associated with that tooth.

While the first type of movement is usually accomplished mechanically, the control rotors of the SIGABA and the
rotors of the M-228 and M-229 moved this way under electrical control. The second type of movement seems like
an obvious consequence of electrical control: a wheel that is in different positions turns a switch on and off
depending on what position it is in. So how can the first type of movement also be electrical?

This diagram illustrates the difference between the arrangements required for the two types of motion. The large
teeth shown in green correspond to the 26 normal positions of the rotor, where a tooth may be either present or
absent. The small teeth shown in red are located between rotor positions, so that a tooth, if present, will move
across the sensing position as the rotor advances from one position to the next.

For the first type of motion, pulses occur when the rotor that is their source is moving, and so it is reasonable that
another rotor would move when a pulse of electricity is switched on. Making a rotor move only one step per pulse
seems like only a small mechanical detail.

For the second type of motion, instead of an elaborate approach involving storing the
signals sensed from the rotors in a buffer, what is necessary is, first of all, that the
live inputs to the circuit are actually timing pulses, and, so that the rotors will not
move while their positions are being sensed, rotors should move just after the
trailing edge of a pulse. This can be achieved by having the pulse go through a
solenoid, pulling a lever back which is then restored to its original position by a
spring after the pulse ends, with a rachet mechanism causing the lever to advance the
rotor it controls only on its return journey: this is a very common and standard
mechanical arrangement, illustrated in the diagram at left. Since the device also
supplies a gentle push to the sawtooth gear when moving in the "wrong" direction, a
conventional ratchet mechanism, which is not shown in the illustration, is also
required to keep that gear moving only one way (although in some cases, friction
may be sufficient).

For the other case, the same mechanical arrangement could be used, although in that case, having the rotor
advance on the leading edge of the pulse would be appropriate, as it would avoid unnecessary delay. This would
involve reversing the positions of the electromagnet and the spring in the diagram above, and in that case, the
spring would not have to be as strong, since it would only return the mechanism to position instead of also having
to push on the gear. A similar mechanism, rather than a small motor, is likely to be found in those quartz clocks
and quartz watches that have hands instead of a numeric display.

Now that this is clarified, let us examine a more complicated design based on the first type of rotor motion.

Instead of having just one notch or tooth on a rotor, any number of teeth that is relatively prime to the number of
positions on the rotor, if used in an odometer-style arrangement, would still produce a maximal period, since when
one rotor returns to its original position, the rotor it advances will be in a spot from which it will only return to its
original position at the same time that the rotor preceding it returns to its original position after being advanced 26
times if it is a 26-position rotor, even if it has also passed through its original positions at different times several
times before then.

Another thing that would not interfere with a maximum period would be for a rotor participating in such an
arrangement to also be advanced any number of times for each revolution of a rotor which preceded the rotor
directly controlling it. All such advances would ultimately cancel out, being a multiple of 26 or other rotor size,
over a full revolution of the rotor immediately preceding the rotor.

I would diagram such an arrangement in this fashion:

One important thing, to avoid problems with a mechanical version of this design, and to ensure that maximum
period is achieved, is that the teeth used to advance a later rotor must never be in the same position as the teeth
used to advance the next rotor.

Of course, to achieve both a guaranteed long period, and a more irregular sequence of motions, one could combine
both types of rotor motion, the first type, or transition-driven advance, and the second type, or state-driven
advance, in a single design.

Thus, we might have two groups of rotors, ABCDE and GHIJK, which are connected for state-driven advance,
and in addition, rotor E might drive rotor F, and rotor F might drive rotor G, using transition-driven advance.

Is it possible to combine a guarantee of long period with irregular rotor movement from the same source?
Obviously, one could use five cams to produce an irregular motion, and another five cams to produce motion with
a period equal to the product of their lengths. But can things be arranged so that the period is guaranteed to reflect
all the items used, and yet the motion is irregular as well? Already, we've seen in my example of a transition-
driven design with extra further forward carries one way to do this, but while the period is guaranteed, the motion
is only irregular to a limited extent.

Would the SIGABA have a guaranteed period of 26 to the tenth power if it were modified as shown in this
diagram:

Here, all ten of the rotors are shown as being advanced by a conventional rotor mechanism, in addition to the
cipher rotors being advanced by the unique control signals of the SIGABA. Instead of showing an OR gate
controlling input to the rotor stepping mechanism, two separate symbols for rotor advance are shown, one behind
the other. This indicates that, to ensure maximum period, I think it would be necessary to use different clock
phases for the two types of rotor advance, so that it would be possible, if both systems of rotor advance would
cause a rotor to advance, for that rotor to step twice. However, when one rotor advances due to a control signal, it
would also have to cause conventional carries. But this separation of phases would then occur without (a certain
kind of) special effort, since the control rotors cannot be moving when the cipher rotors are moving in response to
the control signals which have passed through their wiring.

One way that it seems obvious it is safe to combine transition-driven and state-driven rotor advance would be
through something like this:

Here, superimposed on a conventional transition-driven odometer-like rotor advance, earlier rotors are also
driving later rotors, further down the chain, but based on their state, not on transitions. Again, it seems that over a
full cycle of transition-driven advances, the extra state-driven advances should cancel out, not affecting the overall
period, even if they provide additional movement in the interim.

[Next] [Up] [Previous] [Index]

Next
Chapter Start
Table of Contents
Main Page
This page is about a dark and mysterious subject. (Or, more
accurately, and for fairness' sake, a subject with a dark and mysterious
reputation.) A subject that is fascinating both for the air of mystery
that has surrounded it, and because of the complexities and intricacies
which are unavoidably part of its subject matter.

My little book about cryptography:

A Cryptographic Compendium

This series of pages has information about a large number of cipher systems. So far, the
coverage of cryptanalysis is quite limited, though.

Direct link to full table of contents


Direct link to start

This page covers a wide range of topics. None of the


things described on this page are, of course, secret
today, although some were secret until fairly recently.

It only mentions, here and there, a few things about


breaking ciphers; it is mostly concerned with the various
kinds of ciphers people have used. Except where
unavoidable, the use of mathematics has been kept to a
strict minimum. It begins with ciphers that only require
pencil and paper to apply, and it continues with
electrical and mechanical cipher machines of the type
used during World War II, both the rotor machines and the
machines used with teletypewriters. Then, it continues on
into the computer age, with a discussion of block ciphers
like DES and then proceeds further, attempting to make
understandable the advanced topic of public-key
encryption which has made the use of encryption practical
under circumstances where it had never been practical
before. Finally, it addresses other miscellaneous topics
relating to cryptography, such as data compression and
key management.

This site now contains a very useful table of powers of integers that uses frames.

Also, this page is still under construction.

Although there is no space for an archived version of the entire site, there is one, which
may not be fully up to date at any given time, at this location.

I have many interests, such as old science-fiction TV shows, and easy listening music
from Tin Pan Alley.

One interest, cryptography, is dealt with at length on this site.

Items covering a number of other topics as well are at the following location:

http://members.xoom.com/quadibloc/index.html

At that site are charts for some methods of storing Chinese characters. Here in this site,
you can find a space habitat design, a discussion about going to Mars, a tall building
design, a page about signal flag systems as used by ships, a map projection, several
topics concerning mathematics: (an explanation of the mathematical notion of infinity,
a discussion of Gödel's proof and the halting problem, an explanation of two famous
equations, a diagram of the rotations of a dodecahedron, a page about pentagonal
tilings, a page about Archimedian solids, a little page about the fourth dimension), an
attempt to explain the Einstein-Podolsky-Rosen experiments, and a discussion of the
Eldredge-Gould theory of punctuated equilibria some color charts, an example of a
computer architecture, a discussion of the musical scale, a couple of comments about
chess, and three pages about calendars: (perpetual calendars for the Gregorian calendar
which show not only the day of the week, but also the position of the day in the
Chinese sexagesimal cycle of days, a luni-solar calendar, and a simplified calendar
proposal), and, finally, a page containing some handy unit conversions.
Links to Other Sites Other Topics

Highlights of the Cryptography


Pages

Needless to say, any trademarks referenced are the property of their respective owners,
and are used here only for purposes of identification.

As this series of web pages contains some ideas and speculations about how to design
and implement ciphers, readers are notified that I am not engaging in providing
professional advice in these pages, and are advised to seek the direct advice of a
competent professional before embarking on projects using cryptography.

Copyright (c) 1998, 1999, 2000 John J. G. Savard


[Next] [Up/Previous] [Index]

The Lorenz Schlusselzusatz


The Lorenz SZ-40 and SZ-42 cipher machines were widely used by German forces
during World War II. It was primarily to break this machine's cipher that the British
devised what is now considered the world's first electronic computing machine, the
once-secret COLOSSUS.

It had twelve pinwheels, all of which could have all their pins set by the user. Ten of
these pinwheels formed two groups of five, and one wheel from each group inverted its
corresponding plaintext bit when a pin was active on it.

The wheels of the first group had sizes 41, 31, 29, 26, and 23. Those of the second
group had sizes 43, 47, 51, 53, and 59.

Two additional wheels were of size 37 and 61. The wheels of the first group, and the
wheel with 61 positions, advanced one position with every letter enciphered. When the
current pin on the 61-position wheel was active, the wheel with 37 positions advanced
one space. When the current pin on the 37-position wheel was active, then the wheels
of the second group advanced one space.

The following diagram illustrates the workings of the Lorenz Schlusselzusatz:

Although the SZ-40 appears to be a simple design, and a very similar design proposed
by Col. Parker Hitt, but without the feature that the stepping of five wheels was
irregular, was shown to be insecure, the British found breaking SZ-40 messages to be a
more difficult problem than breaking Enigma messages. Some cribs were available that
helped them to break into the system; part of the difficulty seems to have come from
the limited availability of resources, and another part from the lack of captured
equipment and tables: for example, the list giving numbers representing wheel settings
was never captured, while the bigram tables for the Enigma were.

The machines used in cracking messages on the Lorenz Schlusselzusatz, known as


HEATH ROBINSON and COLOSSUS, have been described to a limited extent in the
open literature. A paper by F. L. Carter, in "Cryptography and Coding", the
proceedings of the 6th IMA International Conference, from December, 1997, gave
significant additional details of how COLOSSUS was used.

HEATH ROBINSON, named after a British cartoonist who, like Rube Goldberg in the
U.S., was famous for his drawings of elaborate contraptions (although the styles of the
two artists were very different), worked by comparing the holes punched in two paper
tapes, one containing an intercepted message, and one containing a reproduction of part
of the sequence of bits the pinwheels of an SZ-40 might be expected to generate. The
tapes were padded with nulls to make them of relatively-prime length, and HEATH
ROBINSON indicated at what point in the motions of both tapes a correlation between
the two was found. This required the two tapes to move synchronously, and so the
sprocket holes had to be used, which limited the speed at which the tapes could move.

COLOSSUS was built to improve on HEATH ROBINSON by generating the SZ-40


stream cipher output, or the portion thereof used for testing (such as the output of the
five always-moving wheels) electronically. This way, the tapes could be moved on
pulleys, at very high speeds, without any problems. A glass mask with lens-shaped
patterns was used so that the light shining through the round holes on the paper tape
would produce an approximation to a square wave. Thus, the paper tape, in addition to
supplying input data, actually supplied the clock signal for COLOSSUS' internal logic.
Apparently, in generating the pattern which a second paper tape provided on HEATH
ROBINSON, COLOSSUS was capable of some sort of conditional branching, on
which its claim (having been first installed in December 1943) to being the first
electronic computer rests.

The paper by Carter sheds considerable light on the cryptanalytic principles behind
COLOSSUS. The 5-level code used for teletypewriters was designed to minimize
mechanical wear and tear; hence, the codes for the most frequent letters E and T, as
well as the code for the space, consisted of a single 1 bit and four zeroes. This meant
that zeroes predominated in the plaintext, and in addition, it meant that for any two
characters in succession, corresponding bits in them were more likely than not to be the
same. (Of course, this characteristic of the plaintext was weaker than the higher
frequency of zeroes.)
Since one set of pinwheels in the SZ-40 did not advance with every character
enciphered, this meant that when two succeeding cipher characters had a corresponding
bit that changed, then it was likelier than not that the fast pinwheel for that bit was at a
point where two adjacent pins were in different positions, and when two succeeding
cipher characters had a corresponding bit that stayed the same, then the probability that
the fast pinwheel had two similar pins was also increased. (Since the slow pinwheels
did move half the time, this correlation was again weakened, but it still existed.)

Because the pin settings for the fast pinwheel were chosen so that like and unlike pairs
of pins were as close to being equally likely as possible, it was not possible in practice
to correlate a single pinwheel at a time, but correlations involving pairs of pinwheels
were easier. (At first, this appears odd, since, the fast wheels all having relatively prime
periods, they are independent. However, since all the slow pinwheels either move or
not at the same time, a search for correlations in two wheels at once could improve its
effectiveness by giving more weight to an observation in one wheel which takes place
when another wheel is in the more common change or no-change state for its part of
the period of that fast wheel.) An abbreviated notation was used to specify types of
tests to be run with COLOSSUS: one test was a simple correlation on two particularly
favored pinwheels; other tests searched for common pairs of characters, such as space-
figures shift, or figures shift-period. In some messages, doubled letters were quite
common, and there was a test that looked for them as well.

There is also a paper by W. T. Tutte, one of the cryptanalysts who worked on messages
enciphered by the Schlusselzusatz at Bletchley Park, now available on the site of Frode
Weierud that details the early days of the cryptanalysis of the Schlusselzusatz,
codenamed Tunny by the British. That source notes the following:

Originally, the machine was used with a 12-letter indicator, which contained initial
positions for all twelve pinwheels without encryption (e.g. under a "ground setting").
Each letter stood for an initial position, and the wheels had only 25 positions which a
letter could indicate, except, of course, for the wheel with only 23 positions.

The initial analysis which allowed the British to determine the basic principles of the
Sclusselzusatz was aided by the reciept of some pairs of messages enciphered with the
same starting positions, including one re-encipherment of a long message with changes
in word spacing and punctuation with exactly the same indicator.

In 1943, the Germans switched to using a number as an indicator, which was assumed
to signify a 12-letter combination from a list. Later, they switched from changing
pinwheel settings once a month to changing them each day, and they also modified the
machine so that the wheels in the second group, instead of having their irregular
motion controlled only by the 37 and 61 pinwheels, had that motion depend on a
function of the pinwheels that moved with each character, or on the previous plain text
(thus employing the autokey principle). However, the five wheels that stepped with
every character continued to do so, and although the five slow wheels were controlled
differently, they still either all moved or all stayed still, so the existing cryptanalytic
approaches remained valid.

[Next] [Up/Previous] [Index]

Next
Chapter Start
Skip to Next Section
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]

Error-Correcting Codes
After text has been compressed, and even more so after it has been encrypted, the resulting output is random in appearance.
This makes it easy to make mistakes in handling it, and hard to see errors if they are introduced through electrical noise on a
communications link or any similar cause.

Thus, even if redundancy is removed as far as is possible before encryption by means of data compression, after encryption is
complete, it becomes desirable to put redundancy back in, to give resistance to errors.

There are mathematical techniques, given an arbitrary text, to add more symbols to it in a way that gives resistance to a
specific number of errors. Since they depend only on the input text, if the ciphertext is used as input, this kind of added
redundancy does not help the cryptanalyst, except by giving both him and the legitimate recipient a copy of the ciphertext that
is more likely to be accurate.

Thus, telegraph codes were designed so that an error in a single letter of a codeword, or switching two adjacent letters in a
codeword, would not result in another valid codeword, by the use of tables such as this:

AA AB AC AD AE AF AG AH AI AJ AK AL AM AN AO AP AQ AR AS AT AU AV AW AX AY AZ A&
BB BC BD BE BF BG BH BI BJ BK BL BM BN BO BP BQ BR BS BT BU BV BW BX BY BZ B& BA
CC CD CE CF CG CH CI CJ CK CL CM CN CO CP CQ CR CS CT CU CV CW CX CY CZ C& CA CB
DD DE DF DG DH DI DJ DK DL DM DN DO DP DQ DR DS DT DU DV DW DX DY DZ D& DA DB DC
EE EF EG EH EI EJ EK EL EM EN EO EP EQ ER ES ET EU EV EW EX EY EZ E& EA EB EC ED
FF FG FH FI FJ FK FL FM FN FO FP FQ FR FS FT FU FV FW FX FY FZ F& FA FB FC FD FE
GG GH GI GJ GK GL GM GN GO GP GQ GR GS GT GU GV GW GX GY GZ G& GA GB GC GD GE GF
HH HI HJ HK HL HM HN HO HP HQ HR HS HT HU HV HW HX HY HZ H& HA HB HC HD HE HF HG
II IJ IK IL IM IN IO IP IQ IR IS IT IU IV IW IX IY IZ I& IA IB IC ID IE IF IG IH
JJ JK JL JM JN JO JP JQ JR JS JT JU JV JW JX JY JZ J& JA JB JC JD JE JF JG JH JI
KK KL KM KN KO KP KQ KR KS KT KU KV KW KX KY KZ K& KA KB KC KD KE KF KG KH KI KJ
LL LM LN LO LP LQ LR LS LT LU LV LW LX LY LZ L& LA LB LC LD LE LF LG LH LI LJ LK
MM MN MO MP MQ MR MS MT MU MV MW MX MY MZ M& MA MB MC MD ME MF MG MH MI MJ MK ML
NN NO NP NQ NR NS NT NU NV NW NX NY NZ N& NA NB NC ND NE NF NG NH NI NJ NK NL NM
OO OP OQ OR OS OT OU OV OW OX OY OZ O& OA OB OC OD OE OF OG OH OI OJ OK OL OM ON
PP PQ PR PS PT PU PV PW PX PY PZ P& PA PB PC PD PE PF PG PH PI PJ PK PL PM PN PO
QQ QR QS QT QU QV QW QX QY QZ Q& QA QB QC QD QE QF QG QH QI QJ QK QL QM QN QO QP
RR RS RT RU RV RW RX RY RZ R& RA RB RC RD RE RF RG RH RI RJ RK RL RM RN RO RP RQ
SS ST SU SV SW SX SY SZ S& SA SB SC SD SE SF SG SH SI SJ SK SL SM SN SO SP SQ SR
TT TU TV TW TX TY TZ T& TA TB TC TD TE TF TG TH TI TJ TK TL TM TN TO TP TQ TR TS
UU UV UW UX UY UZ U& UA UB UC UD UE UF UG UH UI UJ UK UL UM UN UO UP UQ UR US UT
VV VW VX VY VZ V& VA VB VC VD VE VF VG VH VI VJ VK VL VM VN VO VP VQ VR VS VT VU
WW WX WY WZ W& WA WB WC WD WE WF WG WH WI WJ WK WL WM WN WO WP WQ WR WS WT WU WV
XX XY XZ X& XA XB XC XD XE XF XG XH XI XJ XK XL XM XN XO XP XQ XR XS XT XU XV XW
YY YZ Y& YA YB YC YD YE YF YG YH YI YJ YK YL YM YN YO YP YQ YR YS YT YU YV YW YX
ZZ Z& ZA ZB ZC ZD ZE ZF ZG ZH ZI ZJ ZK ZL ZM ZN ZO ZP ZQ ZR ZS ZT ZU ZV ZW ZX ZY

M N O P Q R S T U V W X Y Z & A B C D E F G H I J K L AA BB CC
DD EE FF GG HH II JJ KK LL MM NN OO PP QQ RR SS TT UU VV WW XX YY ZZ
N O P Q R S T U V W X Y Z & A B C D E F G H I J K L M A& BA CB
DC ED FE GF HG IH JI KJ LK ML NM ON PO QP RQ SR TS UT VU WV XW YX ZY
O P Q R S T U V W X Y Z & A B C D E F G H I J K L M N AZ B& CA
DB EC FD GE HF IG JH KI LJ MK NL OM PN QO RP SQ TR US VT WU XV YW ZX
P Q R S T U V W X Y Z & A B C D E F G H I J K L M N O AY BZ C&
DA EB FC GD HE IF JG KH LI MJ NK OL PM QN RO SP TQ UR VS WT XU YV ZW
Q R S T U V W X Y Z & A B C D E F G H I J K L M N O P AX BY CZ
D& EA FB GC HD IE JF KG LH MI NJ OK PL QM RN SO TP UQ VR WS XT YU ZV
R S T U V W X Y Z & A B C D E F G H I J K L M N O P Q AW BX CY
DZ E& FA GB HC ID JE KF LG MH NI OJ PK QL RM SN TO UP VQ WR XS YT ZU
S T U V W X Y Z & A B C D E F G H I J K L M N O P Q R AV BW CX
DY EZ F& GA HB IC JD KE LF MG NH OI PJ QK RL SM TN UO VP WQ XR YS ZT
T U V W X Y Z & A B C D E F G H I J K L M N O P Q R S AU BV CW
DX EY FZ G& HA IB JC KD LE MF NG OH PI QJ RK SL TM UN VO WP XQ YR ZS
U V W X Y Z & A B C D E F G H I J K L M N O P Q R S T AT BU CV
DW EX FY GZ H& IA JB KC LD ME NF OG PH QI RJ SK TL UM VN WO XP YQ ZR
V W X Y Z & A B C D E F G H I J K L M N O P Q R S T U AS BT CU
DV EW FX GY HZ I& JA KB LC MD NE OF PG QH RI SJ TK UL VM WN XO YP ZQ
W X Y Z & A B C D E F G H I J K L M N O P Q R S T U V AR BS CT
DU EV FW GX HY IZ J& KA LB MC ND OE PF QG RH SI TJ UK VL WM XN YO ZP
X Y Z & A B C D E F G H I J K L M N O P Q R S T U V W AQ BR CS
DT EU FV GW HX IY JZ K& LA MB NC OD PE QF RG SH TI UJ VK WL XM YN ZO
Y Z & A B C D E F G H I J K L M N O P Q R S T U V W X AP BQ CR
DS ET FU GV HW IX JY KZ L& MA NB OC PD QE RF SG TH UI VJ WK XL YM ZN
Z & A B C D E F G H I J K L M N O P Q R S T U V W X Y AO BP CQ
DR ES FT GU HV IW JX KY LZ M& NA OB PC QD RE SF TG UH VI WJ XK YL ZM
& A B C D E F G H I J K L M N O P Q R S T U V W X Y Z AN BO CP
DQ ER FS GT HU IV JW KX LY MZ N& OA PB QC RD SE TF UG VH WI XJ YK ZL
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z & AM BN CO
DP EQ FR GS HT IU JV KW LX MY NZ O& PA QB RC SD TE UF VG WH XI YJ ZK
B C D E F G H I J K L M N O P Q R S T U V W X Y Z & A AL BM CN
DO EP FQ GR HS IT JU KV LW MX NY OZ P& QA RB SC TD UE VF WG XH YI ZJ
C D E F G H I J K L M N O P Q R S T U V W X Y Z & A B AK BL CM
DN EO FP GQ HR IS JT KU LV MW NX OY PZ Q& RA SB TC UD VE WF XG YH ZI
D E F G H I J K L M N O P Q R S T U V W X Y Z & A B C AJ BK CL
DM EN FO GP HQ IR JS KT LU MV NW OX PY QZ R& SA TB UC VD WE XF YG ZH
E F G H I J K L M N O P Q R S T U V W X Y Z & A B C D AI BJ CK
DL EM FN GO HP IQ JR KS LT MU NV OW PX QY RZ S& TA UB VC WD XE YF ZG
F G H I J K L M N O P Q R S T U V W X Y Z & A B C D E AH BI CJ
DK EL FM GN HO IP JQ KR LS MT NU OV PW QX RY SZ T& UA VB WC XD YE ZF
G H I J K L M N O P Q R S T U V W X Y Z & A B C D E F AG BH CI
DJ EK FL GM HN IO JP KQ LR MS NT OU PV QW RX SY TZ U& VA WB XC YD ZE
H I J K L M N O P Q R S T U V W X Y Z & A B C D E F G AF BG CH
DI EJ FK GL HM IN JO KP LQ MR NS OT PU QV RW SX TY UZ V& WA XB YC ZD
I J K L M N O P Q R S T U V W X Y Z & A B C D E F G H AE BF CG
DH EI FJ GK HL IM JN KO LP MQ NR OS PT QU RV SW TX UY VZ W& XA YB ZC
J K L M N O P Q R S T U V W X Y Z & A B C D E F G H I AD BE CF
DG EH FI GJ HK IL JM KN LO MP NQ OR PS QT RU SV TW UX VY WZ X& YA ZB
K L M N O P Q R S T U V W X Y Z & A B C D E F G H I J AC BD CE
DF EG FH GI HJ IK JL KM LN MO NP OQ PR QS RT SU TV UW VX WY XZ Y& ZA
L M N O P Q R S T U V W X Y Z & A B C D E F G H I J K AB BC CD
DE EF FG GH HI IJ JK KL LM MN NO OP PQ QR RS ST TU UV VW WX XY YZ Z&

A miniature version of such a code construction table is shown in The Codebreakers by David Kahn, but here I've put the last
two letters of the codeword in alphabetical order in the rows of the square on the lower right, since a code compiler would
want to generate codewords in alphabetical order. The row of the top square, and the column of the square on the lower right,
which contain digraphs beginning with &, are omitted, since those are unused if codewords from a 26-letter alphabet are
wanted.

Valid codewords consist of two letters from the top, a letter from the lower left, and two letters on the lower right, such that
the single letter shares the same column as the pair of letters from the top and the same row as the pair of letters from the
lower right. The use of an extra dummy letter & is required to avoid codewords differing only by a swap of two adjacent
letters. The middle square can start with any letter; here it is started with M to indicate that this feature can be used to produce
codewords different from those in someone else's code.

For example, given a string of bits, a single bit which contains the parity of that string of bits can be appended to it. In that
case, if the result is transmitted, and exactly one bit is in error in what is recieved, the parity will be wrong, and the fact that an
error has taken place will be detected.

Another simple example would be to transmit one's message three times. For every group of three corresponding bits from the
three copies of the message, if exactly one error takes place in communications, that error can be corrected, because of the
three recieved copies of that bit, two will be correct, and only one will be wrong.

These are the two trivial examples of perfect codes: adding a parity bit, and repeating each bit a certain number of times.

If we confine ourselves to the even parity form of a parity bit, both these codes can be represented by matrices:

A parity bit:

1 0 0 0 0 0 0 0 1
0 1 0 0 0 0 0 0 1
0 0 1 0 0 0 0 0 1
0 0 0 1 0 0 0 0 1
0 0 0 0 1 0 0 0 1
0 0 0 0 0 1 0 0 1
0 0 0 0 0 0 1 0 1
0 0 0 0 0 0 0 1 1

Triple repetition:

1 1 1

In general, matrix multiplication works like this: introduce the numbers which are the elements of the vector being multiplied
from the left, starting with the first one on the top; for each bit in that row, calculate the product of the number introduced
from the side with the number in the matrix; then, after all the products have been calculated, total them down the columns to
obtain the output.

For error-correcting codes illustrated by matrices, it is the bits of the message that are introduced from the left. Then, an AND
is performed (rather than a multiplication) between them and the bits of the matrix, and the results are accumulated by an
XOR going down the columns (rather than addition).

Illustrating this in the case of a parity bit applied to a nybble:

1 0 0 0 1
1 --> 1 0 0 0 1

0 1 0 0 1
0 --> 0 0 0 0 0

0 0 1 0 1
1 --> 0 0 1 0 1

0 0 0 1 1
1 --> 0 0 0 1 1
-------------------
1 0 1 1 1

As this is a code applied to a binary signal, all arithmetic is done modulo 2 (hence, 1+1+1 = 1 instead of 3).

Just using parity bits can allow correcting errors. One way to do this is to have both a parity bit for each byte of data, and a
parity byte that results from the XOR of all the data bytes. If there is one error, the byte it is in is indicated by the parity bit for
that byte, and the bit it is in is indicated by which byte of the final parity byte shows the wrong parity.

A simple way to obtain row and column parity for a sequence of characters on a computer would be to add three parity
characters to a line of 49 7-bit characters on this basis:

● Start with three seven-bit accumulators, initialized to zero.


● With each character read, modify the three accumulators as follows:
❍ XOR the character to the first accumulator, and rotate it right one bit.

❍ XOR the character to the second accumulator, and rotate it left one bit.

❍ XOR the character to the third accumulator, and after every seven characters, rotate it right one bit.

This would allow one single-bit error in a line to be found and therfore corrected, as follows:

33333X3-----*------*------*------*------*------*- ==?
----2-13333*3*----2-1----2-1----2-1----2-1----2-1 ===
1--2---1--2---*33*3331--2---1--2---1--2---1--2--- ?==
-12-----12-----12----3**3333-12-----12-----12---- ===
-21-----21-----21-----21----3**3333-21-----21---- ===
2--1---2--1---2--1---2--1---2--1---*33*3332--1--- =?=
----1-2----1-2----1------1-2----1-2----1-23333*3* ===

The X is at the only point where the three lines of bits marked by 1, 2, and 3 all coincide. Note that the asterisks mark points
where two of them cross. Assuming the shifts after a byte is XORed in even take place after the last byte, the question marks
indicate where the three parity characters would show the wrong parity if there was an error at the point marked by the X.

It is easier to do this for 7-bit characters because 7 is an odd number, but it can also be done for 8-bit bytes, simply by rotating
only one accumulator by one bit for each byte, and not rotating one accumulator at all, as follows:

33313333---1-------1-------1-------1-------1-------1-------1---- ==?
----1---3333*333----1-------1-------1-------1-------1-------1--- ===
22222*2222222*22*****X**22222*2222222*2222222*2222222*2222222*22 =?=
------1-------1-------1-333333*3------1-------1-------1-------1- ===
-------1-------1-------1-------13333333*-------1-------1-------1 ===
1-------1-------1-------1-------1-------*33333331-------1------- ?==
-1-------1-------1-------1-------1-------1------3*333333-1------ ===
--1-------1-------1-------1-------1-------1-------1-----33*33333 ===

However, approaches based only on using parity bits are unsophisticated, and more efficient ways of correcting and detecting
multiple errors can be found if more sophisticated codes are used.

Another class of error-correcting codes are called Hamming codes. No longer trivial, these codes are also perfect, which
means they add exactly enough redundancy to a group of input bits to detect and correct a certain number of errors.

Note that this perfection applies to one particular situation, where errors occur randomly among bits. Where there is a
tendency for bits close together in a message to be in error together, this being called a burst error, other strategies are needed.
One common way of dealing with this is simply to apply conventional error-correcting codes to widely-separated bits at equal
intervals in a message. This, or the strategy of applying the error-correcting code first, and then spreading out the bits of each
output group, is called interleaving.

In a Hamming code, after the group of bits being encoded, the extra parity bits are formed by allocating every combination of
those bits with two or more of them equal to 1 to each bit position in the input. Hence, changing one bit in the input always
changes at least three bits in the word with error-correction added. Since no two rows in the error-checking part of the matrix
are identical, changing two bits in the input still results in a three-bit change at least; thus, the number of bits difference (or the
Hamming distance) between possible outputs (valid codewords) is a minimum of three.

A parity bit can be added to a Hamming code; the result is another perfect code, this time with a four-bit change resulting
from any change in the input.

The Hamming distance between valid codewords tells us how much error-checking we have. If there is no error-checking
added, each different input still gives a different output, for a distance of 1. If the distance is 2, one error can be detected, as is
the case for the code that just adds one parity bit. If the distance is 3, as for repeating a bit three times, or the basic Hamming
code without a parity bit added, one error can be corrected.

The error-correcting capabilities of an error-correcting code are given by the Hamming distance between codewords, but it is
possible to choose how to make use of them. For example, if we repeat every bit three times, we can either choose to accept
011 as standing for 1, hence correcting one error when it occurs, but being fooled if two errors happen, or we can choose to
discard it, accepting only 000 and 111. Thus, a Hamming distance of 3 can be used either to correct one error, or to detect two
errors. A distance of 4, such as obtained by a Hamming code with a parity bit, or by repeating a bit four times, allows
correcting one error and detecting two errors, or detecting up to three errors.

Some Hamming codes are:

1 0 0 0 0 1 1
0 1 0 0 1 0 1
0 0 1 0 1 1 0
0 0 0 1 1 1 1

1 0 0 0 0 0 0 0 0 0 0 0 0 1 1
0 1 0 0 0 0 0 0 0 0 0 0 1 0 1
0 0 1 0 0 0 0 0 0 0 0 0 1 1 0
0 0 0 1 0 0 0 0 0 0 0 1 0 0 1
0 0 0 0 1 0 0 0 0 0 0 1 0 1 0
0 0 0 0 0 1 0 0 0 0 0 1 1 0 0
0 0 0 0 0 0 1 0 0 0 0 0 1 1 1
0 0 0 0 0 0 0 1 0 0 0 1 0 1 1
0 0 0 0 0 0 0 0 1 0 0 1 1 0 1
0 0 0 0 0 0 0 0 0 1 0 1 1 1 0
0 0 0 0 0 0 0 0 0 0 1 1 1 1 1

1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1
0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 1
0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0
0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 1
0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 1 0
0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0
0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 1
0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 1 0
0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 1 0 0
0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0
0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1
0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 1 1
0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 1
0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 1 0 0 1 1
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 1 0 1 0 1
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 1 0 1 1 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 1 1 0 0 1
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 1 1 0 1 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 1 1 1 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 1 1 1 1
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 1 0 1 1 1
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 1 1 0 1 1
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 1 1 1 0 1
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 1 1 1 1 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1

Since a Hamming code, as shown, can only correct one error, decoding is simple:

● Take the data portion of the recieved codeword (the portion that should just contain the unmodified input data), and
place it through the Hamming code again. If there is a perfect match between the error-checking part of the recieved
block and the error-checking part of the one now generated, or if there is no more than one bit difference, the data as
recieved is assumed to be correct.
● If there are two or more bits of difference, find the row in the matrix where those bits are 1 bits in the error checking
part. The data bit which is passed through by a 1 on the diagonal in the data part of the matrix is the one in error.

This, of course, assumes that the transmitted block actually was subjected to no more than one error. When a parity bit is
added to the Hamming code, decoding is modified slightly:

● If parity is correct, decode the first part of the block, but accept the result only if no errors are found. (In this case, the
block is assumed to have been recieved correctly.)
● If parity is wrong, decode the first part of the block, and accept the result if either no errors are found (here, the error is
assumed to be in the parity bit itself), or if one error is found (and therefore corrected).

These are just one particular form for each of the three Hamming codes shown. Rearranging the rows or columns, or certain
other modifications, will not change the ability of the code to be used to detect or correct errors. Replacing one row of the
matrix by the XOR of itself and another row is allowed, because that will result in the matrix generating exactly the same set
of codewords, but they will be generated in some cases for different inputs.

There are a number of other codes used for error detection and correction. Examples of codes used in the same kind of form as
used with Hamming codes include Hadamard codes and Reed-Muller codes. These codes all add slightly more redundancy
than is required for the error-checking they seek to attain.

An example of a Hadamard code looks like this:

1 1 1 1 1 1 1 1 0 0 0 0 0 0 0 0
1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1
1 1 0 0 1 1 0 0 0 0 1 1 0 0 1 1
1 0 0 1 1 0 0 1 0 1 1 0 0 1 1 0
1 1 1 1 0 0 0 0 0 0 0 0 1 1 1 1
1 0 1 0 0 1 0 1 0 1 0 1 1 0 1 0
1 1 0 0 0 0 1 1 0 0 1 1 1 1 0 0
1 0 0 1 0 1 1 0 0 1 1 0 1 0 0 1

These codes are obtained by a procedure similar to that used to create fractal designs:

1 1 1 1
1 1 1 0 1 0
1 0 - becomes -->
1 1 0 0
1 0 0 1

applied as many times as desired, and then the result has its complement appended to it. Mariner 9 used the code of this type
that occupies a 32 by 64 matrix. This method only generates Hadamard codes of orders which are powers of 2. Hadamard
codes and matrices of many other orders which are multiples of 4 are also known, and it is conjectured, but not yet proven,
that one exists for every such order. These Hadamard codes are obtained by other, more difficult methods.

Only one other perfect code for binary signals is known, the binary Golay code. It takes a 12-bit input, and adds 11 error-
checking bits to it. Like the Hamming codes, an extra parity-check bit can be added, and the code remains perfect.

A modified form of the Golay code with parity bit added, so that the parity bit is no longer explicitly visible, is shown in a
book by two of the three co-authors of the Handbook of Applied Cryptography, and an equivalent form, modified by some
rearrangement of rows and columns (to obtain a shifting of the cyclic 11 by 11 portion of the error-checking matrix, and to put
the row and column of 1 bits in a more conventional position) is shown here:

1 0 0 0 0 0 0 0 0 0 0 0 1 0 1 1 0 1 1 1 0 0 0 1
0 1 0 0 0 0 0 0 0 0 0 0 0 1 1 0 1 1 1 0 0 0 1 1
0 0 1 0 0 0 0 0 0 0 0 0 1 1 0 1 1 1 0 0 0 1 0 1
0 0 0 1 0 0 0 0 0 0 0 0 1 0 1 1 1 0 0 0 1 0 1 1
0 0 0 0 1 0 0 0 0 0 0 0 0 1 1 1 0 0 0 1 0 1 1 1
0 0 0 0 0 1 0 0 0 0 0 0 1 1 1 0 0 0 1 0 1 1 0 1
0 0 0 0 0 0 1 0 0 0 0 0 1 1 0 0 0 1 0 1 1 0 1 1
0 0 0 0 0 0 0 1 0 0 0 0 1 0 0 0 1 0 1 1 0 1 1 1
0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 1 0 1 1 0 1 1 1 1
0 0 0 0 0 0 0 0 0 1 0 0 0 0 1 0 1 1 0 1 1 1 0 1
0 0 0 0 0 0 0 0 0 0 1 0 0 1 0 1 1 0 1 1 1 0 0 1
0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 0

In this code, the minimum Hamming distance between valid codewords is eight; without the parity bit, it would be seven.

A distance of seven allows either correcting three errors, correcting two errors and detecting four errors, correcting one error
and detecting five errors, or detecting six errors.

A distance of eight allows either correcting three errors and detecting four errors, correcting two errors and detecting five
errors, correcting one error and detecting six errors, or detecting seven errors.

Examine the error-checking portion, the second square half, of the matrix for the Golay code shown above. The right and
bottom edges consist of all ones except for a zero where they meet.

The remaining 11 by 11 square consists of the sequence 10110111000 repeated in every row, but shifted one space to the left
in each row. This sequence contains exactly six one bits, an even number.

The matrix is symmetric, hence unchanged when flipped around the diagonal running from the top left to the bottom right.

Hence, the fact that every row contains an odd number of 1 bits, the last row ANDed with any other row produces a row with
six one bits, and any two of the first 11 rows, when combined by an AND, produces a rotated version of one of the following
strings:
10110111000 and 01101110001 = 00100110000 (3 bits)
10110111000 and 11011100010 = 10010100000 (3 bits)
10110111000 and 10111000101 = 10110000000 (3 bits)
10110111000 and 01110001011 = 00110001000 (3 bits)
10110111000 and 11100010110 = 10100010000 (3 bits)
10110111000 and 11000101101 = 10000101000 (3 bits)
10110111000 and 10001011011 = 10000011000 (3 bits)
10110111000 and 00010110111 = 00010110000 (3 bits)
10110111000 and 00101101110 = 00100101000 (3 bits)
10110111000 and 01011011100 = 00010011000 (3 bits)

preceded by a single 1 bit, means that, using modulo 2 arithmetic, the error-checking matrix in the code as represented here is
its own inverse. (If it weren't for that extra zero, a different decoding matrix would be required, and a slightly more
complicated version of the decoding procedure given below would be required.) Because of the symmetry around the
diagonal, this is true both in the usual convention for matrix multiplication (numbers go in from the top, and come out on the
right) and the one used for error-correcting codes (numbers go in from the left, and come out on the bottom). For more
information on matrix multiplication, see the section concerning the Hill Cipher.

This helps to make it practical to check a codeword formed by this code, and then transmitted, for errors. The following
procedure will find the correct original 12-bit input if there were three or fewer errors in the transmitted 24-bit block, or it will
fail if there were four errors. (With more than four errors, of course, it can be fooled.)

● First, take the first half, and put it through the code, to see what the codeword would have looked like, if the first half
containing the actual data happens to be perfectly without error. Since we are able to correct up to three errors, if the
error-checking part of this result differs by no more than three bits from what was recieved, all the errors (if any)
happened in the error-checking part, so the data as recieved can be accepted.
● Second, take the second half, and put it through the code. Since the error-checking part of the matrix is its own inverse,
the error-checking half of the result will be what the data was supposed to have been, if the error-checking half of the
block was recieved perfectly without error. If that result differs by no more than three bits from what was recieved in
the data portion of the block, then the data as recovered from the error-checking part can be accepted.
● Third, consider the possibility that there were errors in both the data and error-checking part of the block. With three
errors it is possible that there could be one error in one of the two parts of the block, and two errors in the other part.
So, decoding continues by a limited amount of trial and error. Here, we will assume that exactly one bit in the data
portion of the block is in error. Thus, we will take the data portion of the block, and for each of the 12 bits of it in turn,
we will invert that bit, put the result through the code, and compare the error-checking portion of the result with that
recieved. If the result is two or fewer errors in the error-checking portion then the right bit has been found, and the data
portion with the bit you flipped is correct.
● Fourth, assume that exactly one bit in the error-checking portion of the block is in error, and for each of the 12 bits in
the error-checking portion, invert that bit, apply the code to the result, and compare the error-checking portion of the
output to the data portion of the recieved block. If two or fewer errors are found, then the data calculated from the error-
checking portion with one flipped bit contains the correct data.

Another perspective on the binary Golay Code, which I also found understandable, is contained in this thesis. In the form of
the Golay Code given above, eleven rows are cyclic, and one special, in the error-checking matrix; in the form discussed in
that thesis, all twelve rows are equivalent, but as they relate to the faces of a dodecahedron, there is no way to put them in a
cyclic order.

The form of the Golay code discussed there is:

1 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 1 1 1 1 1 1
0 1 0 0 0 0 0 0 0 0 0 0 0 1 0 1 1 0 0 0 1 1 1 1
0 0 1 0 0 0 0 0 0 0 0 0 0 0 1 0 1 1 1 0 0 1 1 1
0 0 0 1 0 0 0 0 0 0 0 0 0 1 0 1 0 1 1 1 0 0 1 1
0 0 0 0 1 0 0 0 0 0 0 0 0 1 1 0 1 0 1 1 1 0 0 1
0 0 0 0 0 1 0 0 0 0 0 0 0 0 1 1 0 1 0 1 1 1 0 1
0 0 0 0 0 0 1 0 0 0 0 0 1 0 1 1 1 0 1 0 1 1 0 0
0 0 0 0 0 0 0 1 0 0 0 0 1 0 0 1 1 1 0 1 0 1 1 0
0 0 0 0 0 0 0 0 1 0 0 0 1 1 0 0 1 1 1 0 1 0 1 0
0 0 0 0 0 0 0 0 0 1 0 0 1 1 1 0 0 1 1 1 0 1 0 0
0 0 0 0 0 0 0 0 0 0 1 0 1 1 1 1 0 0 0 1 1 0 1 0
0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 0 0 0 0 0 1
Each of the twelve rows and columns of the error-checking part of the matrix corresponds to a face of the dodecahedron, and
it contains a zero for every pair of faces that are next to one another. (A face is not considered to be next to itself.) This is still
a Golay code, with the same error-correcting property of a Hamming distance of 8 between codewords, and not only is the
error-checking matrix symmetric, but once again it is its own inverse as shown here. Because of the dodecahedral symmetry,
once again, it is only necessary to AND one row of the matrix with the eleven other rows to establish that. For example, row 1
shares four bits with rows 2 to 11, and two bits with row 12.

But being self-dual is not a necessary property of a Golay code; either example of a Golay code given here would still be a
Golay code if the error-checking matrix were reflected left to right, since the error-checking properties would be identical, but
then that matrix would not be its own inverse.

This site contains a link to a paper in DVI format giving eight different constructions of the binary Golay code.
(Unfortunately, you may have difficulty in viewing documents in DVI format on your system.)

And here is an example of a form of the Golay code, again one that generates 24-bit output, with the parity bit concealed, that
may have actually been used in the transmission of information; it is part of an unofficial draft standard for automatically
establishing radio links, and thus it may have been taken from previous actual practice or standards:

1 0 0 0 0 0 0 0 0 0 0 0 1 0 1 0 1 1 1 0 0 0 1 1
0 1 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 0 0 1 0 0 1 0
0 0 1 0 0 0 0 0 0 0 0 0 1 1 0 1 0 0 1 0 1 0 1 1
0 0 0 1 0 0 0 0 0 0 0 0 1 1 0 0 0 1 1 1 0 1 1 0
0 0 0 0 1 0 0 0 0 0 0 0 1 1 0 0 1 1 0 1 1 0 0 1
0 0 0 0 0 1 0 0 0 0 0 0 0 1 1 0 0 1 1 0 1 1 0 1
0 0 0 0 0 0 1 0 0 0 0 0 0 0 1 1 0 0 1 1 0 1 1 1
0 0 0 0 0 0 0 1 0 0 0 0 1 0 1 1 0 1 1 1 1 0 0 0
0 0 0 0 0 0 0 0 1 0 0 0 0 1 0 1 1 0 1 1 1 1 0 0
0 0 0 0 0 0 0 0 0 1 0 0 0 0 1 0 1 1 0 1 1 1 1 0
0 0 0 0 0 0 0 0 0 0 1 0 1 0 1 1 1 0 0 0 1 1 0 1
0 0 0 0 0 0 0 0 0 0 0 1 0 1 0 1 1 1 0 0 0 1 1 1

The error-checking part of the matrix is not symmetric along the main (upper left to lower right) diagonal, and its transpose is
shown as being used in decoding. Also, it is said to have been generated from the polynomial

11 9 7 6 5
x +x +x +x +x +x+1

Each column has seven ones in it, so when multiplied by its transpose, there will be a 1 in every position on the diagonal in
the result. Any two distinct columns have either four or two ones in common, (as I had to verify by brute force with a short
BASIC program) and so the transpose of the error-checking part of the matrix is indeed also the inverse of that part.

Despite the fact that each column and row contains seven ones, the error matrix can't be produced simply by rearranging rows
and columns of the one produced from the dodecahedron. This can be shown because the columns corresponding to opposite
faces can be identified (no zeroes in the same row), and two non-opposite faces must be adjacent to two other faces, and those
two faces must be adjacent to three other (than the first two: those two faces may be adjacent to each other if the two non-
opposite faces were not adjacent) faces each, two from each group of which are opposite to two from the other group (which
is the point at which it breaks down if you start with the first two columns).

Error-checking in this case involves the use of the inverse of the error-checking part of the matrix, but otherwise the algorithm
is the same as the one given above.

The field of error-correcting codes, like the field of data compression, is still a very active one, with new research being done
and patents being issued on new methods.

In the 1970s, a set of error-correcting codes called "Fire codes" were developed. One of the simplest of these could be used as
a direct replacement for a parity bit, used with each character in many existing systems, providing error correction instead of
just the detection of erroneous characters.

It worked like this:

Data * - - - - - - - * * - - * - - - - * - - *
bits - * - - - - - - * - * - - * - - - * - - *
- - * - - - - - * - - * - - * - - * - - *
- - - * - - - - * - - - * - - * - * - - *
- - - - * - - - * - - - - * - - * * - - *
- - - - - * - - * - - - - - * - - X - - *
- - - - - - * - * - - - - - - * - * * - *
- - - - - - - * * - - - - - - - * * - * *
Parity = = = = = = = = P = = = = = = = = ! = = !

Each parity bit is the XOR of parity for the data byte with which it is associated and parity for staggered bits from the eight
previous bytes. Essentially, it is a clever way to obtain the same results as are provided by the use of row and column parity
bits. (After the last byte of data, one extra byte, with the extra parity bit, is needed to provide parity for all the remaining
diagonals.)

More complicated forms involved XORing these parity bits with the parity of another group of eight bits, staggered by being
from bytes separated by a larger distance.

A very recent exciting development in error-correcting codes is the class of codes known as "Turbo Codes". These codes are
based on the principle of applying two error-correcting codes to the data bits, but with different interleaving. Just as
interleaving by itself turns a burst error into scattered individual-bit errors, which error-correcting codes can deal with more
easily, using two different interleaving schemes on the data being transmitted reduces to a very small value the chance that
any bit will be unrecoverable due to an excessive number of random errors in both of the error-correcting code blocks in
which it is found. (The same principle can also be applied to continuous error-correcting codes as well as block codes.)

[Next] [Up] [Previous] [Index]

Table of Contents
Home Page
[Next] [Up] [Previous] [Index]

The Siemens and Halske


Geheimschreiber T-52
This teletypewriter enciphering machine was bulky and expensive and complicated.
Swedish cryptanalysts under Arne Beurling cracked the cipher of the simplest variant
of this machine, the T-52a and T-52b.

The British never achieved a regular penetration of T-52 messages. It now appears that,
at least during the war, that the only T-52 messages they deciphered were messages
that belonged to pairs sent with the same key, but they were able to determine how the
T-52 worked from those messages.

One part of the reason for this is that many messages encrypted by the T-52 were sent
over land lines, which the Swedes, but not the British, had the opportunity to intercept.
But another reason was that the T-52 was used to encrypt high-level strategic traffic for
the Luftwaffe, which also sent similar messages using Enigmas. Thus, attacking the T-
52 was lower in priority than attacking the Lorenz Schlusselzusatz, which was used to
encrypt high-level strategic traffic for the German Army, or Heer, which, although it
did use Enigmas for tactical messages, did not generally use them for messages with
information of strategic importance.

It may also be noted that the final version of the machine, the T-52e, which included
two improvements which previously appeared separately in the T-52c and T-52d,
seems to be a very secure design, although the use of cams instead of resettable
pinwheels was a serious flaw.

Ten wheels, in this machine cams whose pattern of 0 and 1 positions could not be
modified, of sizes 73, 71, 69, 67, 65, 64, 61, 59, 53, and 47, which were called A, B, C,
D, E, F, G, H, and K respectively, provided the raw material for this machine's cipher.

In additon to having their states sensed at the primary tap point, producing the output
that was XORed with the plaintext characters or controlled their shuffling, they were
also sensed at a point 25, 24, 23, 23, 22, 22, 20, 20, 18, and 16 positions earlier,
respectively.

This additional position controlled the movement of the wheels, so that they stepped in
an irregular fashion.

The way in which the wheels stepped can best be explained by an oversimplified form
of that motion. Each wheel moved unless both of two possible conditions was met, in
which case it was prevented from moving: In the simplified model:

These wheels remain still:


A B C D E F G H J K
if
~C C ~E E G ~G J ~J A ~A
and
~B ~D D F ~F ~H H K ~K B

Note that the twenty conditions involved both the extra tap on each wheel and its
inverse, and no wheel controlled itself. Since every wheel had to be either 1 or 0, and
the condition was OR for movement, at least five of the ten wheels had to move with
this arrangement, so although the wheels controlled each other, they could not get stuck
in a state where they never stepped.

Mechanically, this worked as follows: both the plus and minus connections to an
electromagnet were controlled by relays, so the electromagnet was energized only if
the relays at both ends allowed current to flow. The magnets were interposer magnets:
if active, they prevented the cam they controlled from moving.

From the main sensing position on the cams A through K, ten signals were derived,
labelled 1, 3, 5, 7, 9, and I, II, III, IV, and V, that performed the actual operation of
modifying the plaintext to produce the ciphertext.

I through V were XORed with bits 1 through 5 of the plaintext character. Then bits in
the character were swapped: 1 caused (if its value was 1 instead of 0) bits 1 and 5 to be
swapped; signals 3, 5, 7, and 9 swapped bits 4 and 5, 3 and 4, 2 and 3, and finally 1 and
2.

First, bits A through K were exchanged, by a simple plugboard on the T52a, T52b, and
T52d, and by a set of switches that performed the same function as a plugboard on the
T52e, and by an elaborate set of five switches with eight positions on the T52c. Then,
in the T52c and the T52e, the ten signals went into a bank of relays, so that each of the
signals, 1 through 9 and I through V, that performed the actual encipherment was the
XOR of several cam outputs.

The following is a diagram of the T52e:


Circles, except when they are sockets or plugs for a plugboard, are XOR gates. The
rectangles are AND gates. The black and white hourglasses are inverters. The wide
white hourglasses swap the two inputs from the top to form the two outputs at the
bottom depending on the input from the side. The logic being relay logic, wired-OR is
present.

The T52e, shown here, included all the features that this telecipher acquired over its
development. The extra features, over and above a simple set of ten cams controlling
XORs and swaps of plaintext bits, are divided into two groups; one group was also
present only on the T52c, and the other group was also present only on the T52d.

The relay bank was also present in the T52c, but it was wired differently. The T52c
also had a means of altering the order in which cam outputs went to the relay bank, but
instead of a plugboard, it was a set of five eight-position switches, each one controlling
three swaps of the cam signals.
The T52d did not have those features, but it did have cam stepping logic; again, that
logic was somewhat different from that of the T52e.

Here is a diagram of the T52c:

In this diagram, the switch-controlled swaps should be considered to be positioned as


follows:

3 6 9 12 15

2 5 8 11 14
1 4 7 10 13

and the five switches control the fifteen swaps as follows:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
-----------------------------------------------------
P 0 0 0 0 1 0 0 0 1 1 0 1 1 1 1
S 0 1 0 1 0 0 0 1 1 1 1 0 0 0 0
T 1 0 0 0 0 1 1 0 1 1 1 1 0 1 0
U 0 0 1 0 1 1 1 1 0 0 0 0 1 0 0
W 0 1 1 1 0 1 1 1 1 0 1 0 0 0 1
X 1 0 1 1 1 0 0 0 0 1 0 0 0 1 1
Y 1 1 0 1 1 1 0 1 0 0 0 1 1 0 1
Z 1 1 1 0 0 0 1 0 0 0 1 1 1 1 0

And here is one of the T52d:

The T52d and T52e are shown here in the "ohne Klartextfunktion" mode. They also
had a feature where the third bit of a plaintext character, after a delay, was introduced
into the cam stepping logic, which was also changed in that mode. This limited
autokey, or "clear text function", caused serious problems of garbling in practice, and
was therefore little used.

However, that does not prevent me from including diagrams of the T52d and T52e in
this mode, particularly as the stepping logic is somewhat more symmetrical in this
mode in both cases.

First, the T52e "mit Klartextfunktion":


then, the T52d "mit Klartextfunktion".
[Next] [Up] [Previous] [Index]

Next
Chapter Start
Skip to Next Section
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]

The Swedish SA-1


This telecipher device combines some of the features of the SZ-40 and T-52, in a
design that is secure yet economical.

The device has two sets of five pinwheels, of lengths 19, 21, 23, 25, and 26. ( Toby's
Cryptopage, now available again after a hiatus, also discusses the TA-1, a later version
with larger pinwheels of lengths 26, 29, 31, 33, and 35.) The pins are pushed in or
pulled out by the user, and the five bits of each plaintext character are modified by
being subjected to an exclusive-OR operation with the current pin of the corresponding
pinwheel from each of the two sets.

The first set of pinwheels steps one position for every character enciphered. An
additional position on the pinwheels, besides the one used to XOR the plaintext, is
sensed (two positions earlier). That alternate output, from all five pinwheels, is XORed
together, creating a single bit; if 0, the second set of pinwheels steps only once; if 1,
they step twice.

The second set of pinwheels is also sensed at the same alternate position, and the
output from all of them is combined by XOR. This time, the result, if 1, causes the
entire output ciphertext character to be inverted.

This design allows two identical modules to be used in the device, thus making
manufacture more economical. It achieves irregular stepping, but only ten, not twelve,
pinwheels are required.

The source for the information on this page is the home page of Torbjörn Andersson,
entitled Toby's Cryptopage, which has an entry in my Links section. It is well worth a
visit, and includes original photos of many of the machines discussed here; not just the
SA-1, but also the T-52 and the B-211.

[Next] [Up] [Previous] [Index]

Next
Chapter Start
Skip to Next Section
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]

An American Patent
U. S. Patent 4157453 is one of the few patents that were secretly issued to people
working for the NSA or one of its predecessor agencies that has now been publicly
issued in normal fashion, many years later.

It was filed on October 10th, 1944, but issued on June 5th, 1979. The inventor was Leo
Rosen, known to history as the one who had the inspiration to realize that the Japanese
cipher machine codenamed PURPLE used telephone stepping switches.

This patent refers only to scrambling the order of bits in a teletypewriter signal, without
inverting any bits. However, in addition to shuffling the bits within a single character,
as the T-52 did, this device moved bits between characters.

Originally, I was only able to see the claims of this patent, but the text of it has since
become available. It turns out that it referred to buffering two or four 5-level-code
characters, recieved serially, in banks of relays, transposing the stored bits, and then
transmitting the result. Given the technology of the time, commutator switches were
used to access relays serially; today, a designer thinking of how to perform such an
operation would no doubt think of shift registers.

Having just seen a brief description of the purpose of the invention, I had supposed that
this patent could have been for a system that was actually applied to a combined time
and frequency division voice scrambler, with its application disguised for security.

However, as a telecipher device, one of the simplest ways in which to accomplish this
kind of scrambling would be to do the following: use pinwheels to scramble the bits
within a character; then, subject these bits to a fixed pattern of delays, so that they are
distributed among two to five different characters; then, perform a second pinwheel-
controlled scramble of the bits within each character.

To decipher, one first inverts the second scramble. Then, one delays the bits in a
complementary fashion to that used for enciphering: if bits 1 to 5 are subject to delays
0 1 0 1 0 on enciphering, then use delays 1 0 1 0 1 on deciphering, for a net delay of
every bit by 1 character; if bits 1 to 5 are subject to delays 0 1 2 3 4 on enciphering, use
delays 4 3 2 1 0 for deciphering, for a net delay of 4 characters. Then, invert the first
scramble, with the pinwheels controlling it offset so that their scramble is delayed to
match the net delay of the enciphering delay stage and its deciphering complement.
[Next] [Up] [Previous] [Index]

Next
Skip to Next Chapter
Chapter Start
Table of Contents
Home Page
[Next] [Up] [Previous] [Index]

Converter M-228 or SIGCUM


This machine is described in an article in a recent issue of Cryptologia magazine,
which also provides accompanying information of historical and human interest.

It is a telecipher device built around a five-rotor machine.

The original version supplied thirteen live inputs to the input rotor. Five outputs from
the other end were XORed to the five bits of a teletypewriter character. The rotors
advanced conventionally for each character enciphered, and had only one carry
position. Like the SIGABA, the letter O, and not A, indicated the zero position of the
rotors. The five rotors included one that moved for every letter enciphered, and one that
moved only when that first rotor completed a full rotation and so on, like an odometer,
but with one difference: which rotor moved with which frequency could be chosen
arbitrarily. The original Hebern machine had three classes of rotor movement, and it
too allowed the selection of how the individual rotors moved, but in a less
straightforwards manner.

Here is a diagram of the way the original SIGCUM was wired:


Since 13 inputs out of 26 were live, each bit of the five outputs had a 50-50 chance of
being live, but not all 32 combinations of all five outputs were equally likely: five ones
or five zeroes were the least likely, and 2 or 3 of each was the most likely.

This simple design was found to be insecure, after being put into use, for a particular
case of operator error. A considerably revised version served for some time, and its
description is as follows:

In the revised version, there were only five live inputs to the input rotor. Fifteen
outputs from the other end were wired together in five groups of three to provide the
five output bits. This gave each bit a probability of about 48.846%, or exactly 381/780,
of being a one.

In the original design, all five rotors moved in the conventional manner of wheels on an
odometer, except that the position of the rotor that moved with every character
enciphered, and the position of each rotor that moved when another rotor completed a
full circle, could be set arbitrarily. In the revised design, three rotors moved in that
way, and two other rotors had movements called fast bump and slow bump that
depended on the bits the rotors generated.

If bit 1, bit 3, and bit 5 of the generated bits (to be XORed with the plaintext to create
ciphertext) were all ones, the slow bump rotor would advance for the next character. If
bit 2 and bit 4 were both 1, the fast bump rotor would advance. In addition, the slow
bump rotor skipped an extra position when it reached O, as well as stepping the slow
rotor (if the slow rotor was also at O; this may have been a misprint for 'slow bump',
since that won't happen very often).

Here is a diagram of the modified version of the SIGCUM:


The bump rotors meant that extra parts did have to be added to the machine to effect
the conversion; it was not a simple case of rewiring. Even the early version of the
machine appeared to be highly secure at first glance, which makes Frank Rowlett's feat
of establishing its weaknesses impressive.

An issue of Cryptologia some years previous to the issue in which SIGCUM or the M-
228 was described, quoted a government memo which referred to the M-294. This
machine was very similar to the SIGABA, except that the five "cipher rotors" supplied
a bitstream to encipher a teletypewriter message; presumably using an arrangement
similar to that seen here. Such a device would certainly provide a method of
encipherment for teletypewriter messages of impressive security. SIGNIN was an
alternative designation for the M-294. The M-138 and M-138-A, indirect predecessors
of the SIGABA, were rotor machines, of the Hebern type, acting upon the 26 letters of
the alphabet, but with the motions of their five rotors controlled by a paper tape; in a
way, these machines were the exact inverse or complement of SIGCUM.

Frank B. Rowlett passed away on June 29, 1998, at the age of 90.

[Next] [Up] [Previous] [Index]

Next
Chapter Start
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]

Conclusions for Chapter 3


In some ways, the cipher systems outlined in this chapter are disappointing, compared
to what we had seen in the previous chapter.

This reflects the difficulty of manipulating binary signals with simple


electromechanical devices, and it may also involve the psychological effect of
overconfidence in the security of a system based on new and unfamiliar principles.

The M-228 is an exception to both halves of this generalization; it is secure, but it isn't
entirely new, being largely based on a rotor mechanism.

Of course, it is true that I could have described the T-52 in more detail (at least in
words, for those who cannot recieve the schematic diagrams included in that section,
which do accurately describe it). It is certainly very complex. But the complexity and
expense of the machine are beyond those of the SIGABA, while the security may well
be less even than that of the Enigma. (Yes, it was broken less often than the Enigma;
but there were fewer intercepts, and the more restricted distribution of the machine
makes it likely that it was more carefully used.) Had the routing of signals to the
various inversion and swapping relays changed with every character, instead of merely
being a static part of the key, the system might have been significantly more secure. Of
course, even more important would be the change to pinwheels instead of cams.

It is interesting that one wire in the Swedish SA-1 seems to hold the key to the security
of that machine. That wire is the one from the first pinwheel bank which controls the
stepping of the second pinwheel bank. But can something that contains only a single bit
of information per five-bit character really provide security?

The M-228 is interesting, and as noted in the section on it, apparently a newer machine
existed that was like a SIGABA, except that the cipher rotors were used to encipher
teletypewriter signals in the fashion of the M-228.

The following diagram:


illustrates an interesting idea for taking that concept even further. The cipher rotors
work like the old M-228, in order to XOR the message with unbiased individual bits.
The control rotors are also simplified, so that they can produce five extra signals, which
are also XORed with the message.

This appears to strengthen the machine, since bits from two essentially independent
sources are XORed with the plaintext. Can we be sure that the bits from the cipher
rotors completely mask those from the control rotors, though, or could this design have
a weakness, by offering a "window" to the control rotors?

[Next] [Up] [Previous] [Index]

Next
Chapter Start
Table of Contents
Main Page
[Next] [Up/Previous] [Index]

LUCIFER: the first block cipher


One could perhaps quarrel with the title of this section. What about Playfair, or
the Hill cipher? But LUCIFER, part of an experimental cryptographic system
designed by IBM, was the direct ancestor of DES, also designed by IBM.

Like DES, LUCIFER was an iterative block cipher, using Feistel rounds. That is,
LUCIFER scrambled a block of data by performing an encipherment step on that
block several times, and the step used involved taking the key for that step and
half of that block to calculate an output which was then applied by exclusive-OR
to the other half of the block. Then, the halves of the block were swapped, so that
both halves of the block would be modified an equal number of times.

Incidentally, this page refers to LUCIFER as actually implemented, and


described in an article in the journal Cryptologia by Arthur Sorkin. An article in
Scientific American discussed plans for LUCIFER on a more general level, and
described what was essentially a different kind of block cipher.

LUCIFER enciphered blocks of 128 bits, and it used a 128-bit key.

The F-function in LUCIFER had a high degree of symmetry, and could be


implemented in terms of operations on one byte of the right half of the message
at a time. However, I will describe LUCIFER here in the same general fashion
that DES is described.

Subkey generation
Each round uses a 72-bit subkey. The subkey for the first round consists of the
first byte of the key repeated twice, followed by the next seven bytes of the key.
Rotate the key left by seven bytes, then generate the subkey for the next round.

The f-function
XOR the right half of the block with the last eight bytes of the subkey for the
round.
Based on the bits of the first byte of the subkey for that round, swap nibbles in
the eight bytes of that result for those bytes which correspond to a 1 bit.

Use S-box 0 for the most significant nibble of each of these eight bytes, and S-
box 1 for the least significant nibble of each byte:

Input: 0 1 2 3 4 5 6 7
S-box 0 output: 12 15 7 10 14 13 11 0
S-box 1 output: 7 2 14 9 3 11 0 4

Input: 8 9 10 11 12 13 14 15
S-box 0 output: 2 6 3 1 9 4 5 8
S-box 1 output: 12 13 1 10 6 15 8 5

Permute the 64 bits of the result, numbered from 0 (for the most significant bit)
to 63 (for the least significant bit), by the following permutation:

10 21 52 56 27 1 47 38 18 29 60 0 35 9 55 46
26 37 4 8 43 17 63 54 34 45 12 16 51 25 7 62
42 53 20 24 59 33 15 6 50 61 28 32 3 41 23 14
58 5 36 40 11 49 31 22 2 13 44 48 19 57 39 30

The General Structure


LUCIFER has sixteen rounds. In each round, the f-function is calculated using
that round's subkey and the left half of the block. The result is then XORed to the
right half of the block, which is the only part of the block altered for that round.

After every round except the last one, the right and left halves of the block are
swapped.

Comments
Although LUCIFER has a larger block and key size than DES, it is considerably
more vulnerable to attacks from differential cryptanalysis, and is also weak due
to the regular nature of its key schedule.

However, this does not mean that the LUCIFER algorithm is useless. If a
reasonably good stream cipher is used both before and after LUCIFER, its
weaknesses essentially become irrelevant, and its strengths are still present. It
might indeed be argued that this kind of precaution ought to be used with DES as
well.
[Next] [Up/Previous] [Index]

Next
Chapter Start
Skip to Next Section
Table of Contents
Main Page Home Page
[Next] [Up] [Previous] [Index]

The Data Encryption Standard


You may remember that when the Data Encryption Standard was first presented,
there was a great deal of controversy. Since then, much of the dust has settled.

We know now for sure that the key was much too short. (Since that was written,
we learned that it was really much too short, thanks to this project.)

But we also know that enciphering whole messages by means of public-key


systems is not a reasonable alternative. Instead, just encrypt the key that way, and
use a conventional cryptosystem, but a better one than just plain DES, for the
message.

It's clear that the secret the NSA asked IBM not to reveal was the method of
differential cryptanalysis. Since the S-boxes were not optimized against linear
cryptanalysis, this proves that IBM didn't know about that attack back then.
Although the fact that the NSA did certify the design as secure might suggest that
the NSA didn't have that technique either, the inference is not really warranted:
the NSA is, after all, an agency noted for its reticence.

And there is also a result showing that DES with all sixteen subkeys specified
independently is not much stronger than a cipher with a 65-bit key.

DES is designed for implementation in hardware, and even includes some steps
which do not appear to strengthen the cipher at all but which are hard to perform
in software. If, however, DES had been a secret algorithm, these extra steps
would have helped to make it harder to determine the algorithm by analysis.

As it is a Frequently Asked Question, I think I really can't skip giving the


algorithm here, although it appears in many other sources; the official standard is
even available from the NIST web server.

DES closely resembles LUCIFER, since it is also a cipher based on sixteen


Feistel rounds.
[Next] [Up] [Previous] [Index]

Details of DES
Variations of DES
Next Section
Chapter Start
Skip to Next Chapter
Table of Contents
Main Page
Home Page
[Next] [Up/Previous] [Index]

Details of the Data Encryption


Standard
In my description of LUCIFER, I numbered bits from 0 to 127 or from 0 to 63;
here, bits will be numbered from 1 to 64 or from 1 to 32. In both cases, the
lowest-numbered bit is the MSB of the first character, and the highest-numbered
bit is the LSB of the last character; that is, big-endian (68000-like and not 8086-
like) conventions are observed throughout.

First, for no particularly good reason (except, just possibly, to group together the
most and least significant bits of uncompressed text characters) the bits of the
block are transposed according to the following permutation:

58 50 42 34 26 18 10 2 60 52 44 36 28 20 12 4
62 54 46 38 30 22 14 6 64 56 48 40 32 24 16 8
57 49 41 33 25 17 9 1 59 51 43 35 27 19 11 3
61 53 45 37 29 21 13 5 63 55 47 39 31 23 15 7

As in the section on LUCIFER, all bit permutations are to be interpreted as


follows: if the permutation begins 58 50 42..., that means that the first bit of the
output came from bit 58 of the input, the second bit of the output came from bit
50 of the input, and so on.

For 16 rounds, the left half, or the first 32 bits, is modified by being XORed with
a 32 bit result calculated from the right half of the block in its current state and
the subkey for that round. After each of the first 15 rounds, the halves are then
swapped.

The f-function
This calculation, known as the f-function, proceeds as follows:

The 32-bit right half of the block is expanded to 48 bits by means of this, the
expansion permutation:

32 1 2 3 4 5 4 5 6 7 8 9 8 9 10 11 12 13
12 13 14 15 16 17 16 17 18 19 20 21 20 21 22 23 24 25
24 25 26 27 28 29 28 29 30 31 32 1

The eight groups of four bits in the right half are each made the middle four bits
of a group of six bits in the result, and they are joined, on each side, by the bits
that were adjacent to them originally. Those two outer bits are, in a way,
supplementary to the four bits in the middle, since the S-box tables contain four
encodings of the middle bits, in which every different value has a different result,
selected by the two outer bits.

(One could even implement DES with a permutation starting

32 5 1 2 3 4 4 9 5 6 7 8

to allow the S-boxes to be laid out more simply, provided that one generated and
stored the subkeys with the same change in the order of their bits.)

After the right half of the block has been expanded to 48 bits, it is XORed with
the current round's 48-bit subkey. The result is then used as the input to eight
lookup tables, with a six bit input and a four bit output.

The DES S-boxes


Bit |Bits 2, 3, 4, and 5 form:
1 6 | 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
|-----------------------------------------------
0 0 |14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
0 1 | 0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8
1 0 | 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0
1 1 |15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13

Bit |Bits 8, 9, 10, and 11 form:


7 12 | 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
|-----------------------------------------------
0 0 |15 1 8 14 6 11 3 4 9 7 2 13 12 0 5 10
0 1 | 3 13 4 7 15 2 8 14 12 0 1 10 6 9 11 5
1 0 | 0 14 7 11 10 4 13 1 5 8 12 6 9 3 2 15
1 1 |13 8 10 1 3 15 4 2 11 6 7 12 0 5 14 9

Bit |Bits 14, 15, 16, and 17 form:


13 18 | 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
|-----------------------------------------------
0 0 |10 0 9 14 6 3 15 5 1 13 12 7 11 4 2 8
0 1 |13 7 0 9 3 4 6 10 2 8 5 14 12 11 15 1
1 0 |13 6 4 9 8 15 3 0 11 1 2 12 5 10 14 7
1 1 | 1 10 13 0 6 9 8 7 4 15 14 3 11 5 2 12

Bit |Bits 20, 21, 22, and 23 form:


19 24 | 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
|-----------------------------------------------
0 0 | 7 13 14 3 0 6 9 10 1 2 8 5 11 12 4 15
0 1 |13 8 11 5 6 15 0 3 4 7 2 12 1 10 14 9
1 0 |10 6 9 0 12 11 7 13 15 1 3 14 5 2 8 4
1 1 | 3 15 0 6 10 1 13 8 9 4 5 11 12 7 2 14

Bit |Bits 26, 27, 28, and 29 form:


25 30 | 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
|-----------------------------------------------
0 0 | 2 12 4 1 7 10 11 6 8 5 3 15 13 0 14 9
0 1 |14 11 2 12 4 7 13 1 5 0 15 10 3 9 8 6
1 0 | 4 2 1 11 10 13 7 8 15 9 12 5 6 3 0 14
1 1 |11 8 12 7 1 14 2 13 6 15 0 9 10 4 5 3

Bit |Bits 32, 33, 34, and 35 form:


31 36 | 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
|-----------------------------------------------
0 0 |12 1 10 15 9 2 6 8 0 13 3 4 14 7 5 11
0 1 |10 15 4 2 7 12 9 5 6 1 13 14 0 11 3 8
1 0 | 9 14 15 5 2 8 12 3 7 0 4 10 1 13 11 6
1 1 | 4 3 2 12 9 5 15 10 11 14 1 7 6 0 8 13

Bit |Bits 38, 39, 40, and 41 form:


37 42 | 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
|-----------------------------------------------
0 0 | 4 11 2 14 15 0 8 13 3 12 9 7 5 10 6 1
0 1 |13 0 11 7 4 9 1 10 14 3 5 12 2 15 8 6
1 0 | 1 4 11 13 12 3 7 14 10 15 6 8 0 5 9 2
1 1 | 6 11 13 8 1 4 10 7 9 5 0 15 14 2 3 12

Bit |Bits 44, 45, 46, and 47 form:


43 48 | 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
|-----------------------------------------------
0 0 |13 2 8 4 6 15 11 1 10 9 3 14 5 0 12 7
0 1 | 1 15 13 8 10 3 7 4 12 5 6 11 0 14 9 2
1 0 | 7 11 4 1 9 12 14 2 0 6 10 13 15 3 5 8
1 1 | 2 1 14 7 4 10 8 13 15 12 9 0 3 5 6 11

Then, the 32 bit result formed by the output of the eight S-boxes above in turn is
subjected to the following permutation, P:

16 7 20 21 29 12 28 17 1 15 23 26 5 18 31 10
2 8 24 14 32 27 3 9 19 13 30 6 22 11 4 25

One round of DES, with the f-function shown in detail, is illustrated by the
following diagram, accompanied by another diagram giving an overview of the
whole block cipher:

Round:
Overview:

Since bit transposition is slow in software, software implementations of DES will


normally use, for the S-boxes, a table with 32-bit entries showing each four-bit
output as it looks after going through permutation P.

After the sixteen rounds of DES are complete, the left and right halves of the
block together, not swapped in the last round, are then subjected to the inverse of
the initial permutation, which takes the bits from 1 to 64 of the block, and puts
them in the final result in this order:

40 8 48 16 56 24 64 32 39 7 47 15 55 23 63 31
38 6 46 14 54 22 62 30 37 5 45 13 53 21 61 29
36 4 44 12 52 20 60 28 35 3 43 11 51 19 59 27
34 2 42 10 50 18 58 26 33 1 41 9 49 17 57 25

Subkey generation
The 56-bit key used by DES is, when in standard format, stored in eight bytes, in
which the least significant bit of each byte is used for parity! Thus, the
permutation, called Permuted Choice 1, which divides the 56-bit key into two 28-
bit halves, acts on bits 1 through 7, 9 through 15, 17 through 23, and so on.

Permuted choice 1 is the following:

First half:

57 49 41 33 25 17 9 1 58 50 42 34 26 18
10 2 59 51 43 35 27 19 11 3 60 52 44 36

Second half:

63 55 47 39 31 23 15 7 62 54 46 38 30 22
14 6 61 53 45 37 29 21 13 5 28 20 12 4

Like the initial permutation and inverse initial permutation, permuted choice 1 is
irrelevant to the strength of DES, except insofar as it makes things awkward for
general-purpose computers. On the other hand, the permutation P is vitally
necessary to the cryptographic strength of DES.

The two 28-bit quantities are then subjected to successive circular left shifts of
different sizes before the subkey for each round is determined from them. These
circular left shifts, one of which is applied before the first subkey is taken, are in
order of the following sizes:
1 1 2 2 2 2 2 2 1 2 2 2 2 2 2 1

Note also that to decrypt, the only alteration in the DES algorithm is that the
subkeys are used in reverse order.

The 48-bit subkey for each round is extracted from the two 28-bit quantities, the
first consisting of bits 1 to 28, and the second of bits 29 to 56, by the following
permutation, Permuted Choice 2:

14 17 11 24 1 5 3 28 15 6 21 10
23 19 12 4 26 8 16 7 27 20 13 2
41 52 31 37 47 55 30 40 51 45 33 48
44 49 39 56 34 53 46 42 50 36 29 32

Note that, since only 48 bits are produced, some numbers from 1 through 56 are
absent. This permutation is important to the strength of DES. (Also, if the
implementation is modified to simplify the arrangement of the S-boxes, as noted
in the preceding parenthetical note, then this permutation is the one that must be
changed correspondingly, to 14 5 17 11 24 1, 3 10 28 15 6 21, and so on. Also,
likely the subkeys would be stored in 8-byte spaces, with each byte containing
only six bits of the subkey.)

[Next] [Up/Previous] [Index]

Next
Chapter Start
Skip to Next Section
Table of Contents
Main Page Home Page
[Next] [Up] [Previous] [Index]

Variations of DES
DES, being the best known of a whole class of ciphers, has inspired many
suggestions for variations of it.

The initial permutation and inverse initial permutation, and perhaps also
permuted choice 1, could be removed, to obtain a cipher of equivalent intrinsic
strength, but simpler to perform on a computer.

The sixteen subkeys could be supplied directly as a key, instead of being derived
from a short 56-bit key. However, a result reported in Bruce Schneier's book
Applied Cryptography shows that the strength of that is only a slight
improvement on that of regular DES, essentially equivalent to using a 65-bit key.

If the eight S-boxes are moved, from their regular positions so that the order in
which they are applied to the successive six-bit groups of their input is 2, 4, 6, 7,
3, 1, 5, and 8, without altering the permutation P, DES remains highly resistant to
differential cryptanalysis, but becomes resistant to linear cryptanalysis as well.
(Any re-ordering of the S-boxes in which S-boxes 1, 7, and 4 are consecutive and
in that order can make DES very weak against differential cryptanalysis, as noted
in Biham and Shamir's original paper on differential cryptanalysis.)

RSA Data Security has recommended DESX, which is simply DES strengthened
by performing an XOR against additional key bits at the beginning and at the end
of encipherment.

One way in which DES might be strengthened by a simple modification that has
occurred to me is this: retain the initial and inverse initial permutations, but
perform them after rounds 4 and 12 of the cipher respectively. This way, they are
contributing something to its strength. Perhaps it would even be possible to use a
112-bit key, as follows: for the first 56 bits, generate the regular key schedule,
and use it during rounds 1 through 4 and 13 through 16. For the last 56 bits, use
the decrypting key schedule from those bits during rounds 5 through 12. Unlike
DESX, though, this kind of modification is only applicable if one is performing
DES encryption in software, not when using existing DES hardware.
Another possible way of using a 112-bit key would be by enhancing DES with an
idea I use in QUADIBLOC: use 32 subkeys, by applying the f-function twice,
first to the right half of the block, then to the first f-function output, before
XORing the result to the right half. This propagates changes in the block more
quickly.

Also, it would seem to me that one could obtain a very strong cipher by
alternating pairs of rounds of DES with rounds of SAFER, a block cipher based
on very different principles.

A more economical way to realize increased strength would be, perhaps, to take
the variation suggested above, with IP after round 4, and IIP after round 12, and
apply, before and after each of these permutations a user-supplied substitution,
part of the key, acting on the eight bytes of the block. The inverse of this
substitution would be used on deciphering. Since differential cryptanalysis
depends on substitutions being known, this would seem to improve the strength
of the cipher against that kind of attack; and, since a random substitution on the
possible byte values from 0 to 255 takes quite a bit more than 56 bits to describe
it, key size is also increased. Applying the substitution at the beginning and end
of the block cipher would probably be advisable as well; this would increase the
amount of this extra key that is actually used, and it would protect all sixteen,
rather than just the middle eight, rounds of the block cipher from outside scrutiny.

[Next] [Up] [Previous] [Index]

Next
Chapter Start
Table of Contents
Main Page Home Page
[Next] [Up] [Previous] [Index]

SAFER (Secure And Fast Encryption


Routine)
This algorithm is of interest for several reasons. It is designed for use in software.
Unlike DES, or even IDEA, it does not divide the block into parts of which some
parts affect others; instead, the plaintext is directly changed by going through S-
boxes, which are replaced by their inverses for decryption.

Description of SAFER
SAFER uses eight rounds. The first step for a round is to apply the first subkey
for the round to the eight bytes of the block. The operation by which each byte of
the subkey is applied to each byte of the block depends on which byte is used: the
sequence is

XOR, add, add, XOR, XOR, add, add, XOR

Then, the S-box is used. Those bytes to which the subkey was applied by an
XOR go through the regular S-box; those bytes to which it was applied by
addition go through the inverse S-box.

The S-boxes:
The regular box represents 45 raised to successive powers modulo 257 (with the
modulo 257 result then squeezed into a byte by being taken modulo 256):

1 45 226 147 190 69 21 174


120 3 135 164 184 56 207 63
8 103 9 148 235 38 168 107
189 24 52 27 187 191 114 247

64 53 72 156 81 47 59 85
227 192 159 216 211 243 141 177
255 167 62 220 134 119 215 166
17 251 244 186 146 145 100 131

241 51 239 218 44 181 178 43


136 209 153 203 140 132 29 20
129 151 113 202 95 163 139 87
60 130 196 82 92 28 232 160

4 180 133 74 246 19 84 182


223 12 26 142 222 224 57 252
32 155 36 78 169 152 158 171
242 96 208 108 234 250 199 217

0 212 31 110 67 188 236 83


137 254 122 93 73 201 50 194
249 154 248 109 22 219 89 150
68 233 205 230 70 66 143 10

193 204 185 101 176 210 198 172


30 65 98 41 46 14 116 80
2 90 195 37 123 138 42 91
240 6 13 71 111 112 157 126

16 206 18 39 213 76 79 214


121 48 104 54 117 125 228 237
128 106 144 55 162 94 118 170
197 127 61 175 165 229 25 97

253 77 124 183 11 238 173 75


34 245 231 115 35 33 200 5
225 102 221 179 88 105 99 86
15 161 49 149 23 7 58 40

Since the second S-box is the inverse of the first, it can be thought of as
containing logarithms base 45 modulo 257, although, given the intractability of
the discrete logarithm problem, it is not calculated that way directly, but is
instead just the inverse of the preceding one:

128 0 176 9 96 239 185 253


16 18 159 228 105 186 173 248
192 56 194 101 79 6 148 252
25 222 106 27 93 78 168 130

112 237 232 236 114 179 21 195


255 171 182 71 68 1 172 37
201 250 142 65 26 33 203 211
13 110 254 38 88 218 50 15

32 169 157 132 152 5 156 187


34 140 99 231 197 225 115 198
175 36 91 135 102 39 247 87
244 150 177 183 92 139 213 84

121 223 170 246 62 163 241 17


202 245 209 23 123 147 131 188
189 82 30 235 174 204 214 53
8 200 138 180 226 205 191 217

208 80 89 63 77 98 52 10
72 136 181 86 76 46 107 158
210 61 60 3 19 251 151 81
117 74 145 113 35 190 118 42
95 249 212 85 11 220 55 49
22 116 215 119 167 230 7 219
164 47 70 243 97 69 103 227
12 162 59 28 133 24 4 29

41 160 143 178 90 216 166 126


238 141 83 75 161 154 193 14
122 73 165 44 129 196 199 54
43 127 67 149 51 242 108 104

109 240 2 40 206 221 155 234


94 153 124 20 134 207 229 66
184 64 120 45 58 233 100 31
146 144 125 57 111 224 137 48

Then the second subkey for the round is applied to the block. This time, the
sequence of operations complements that used previously:

add, XOR, XOR, add, add, XOR, XOR, add

Then, the different bytes are mixed together without using a bit transpose.
Instead, arithmetic is used.

The first byte is replaced by twice the old first byte plus the old second byte. The
second byte is replaced by the old first byte plus the second byte. Only the last
eight bits of the sums are kept, of course.

This same method of combining the bytes is applied to the third and fourth bytes,
the fifth and sixth bytes, and the seventh and eighth bytes.

Then the bytes are interchanged; after the interchange, the order of the bytes
becomes

1 3 5 7 2 4 6 8

in terms of which byte each byte was before.

The mixing is performed on pairs of bytes again, and then the interchange, and
then the mixing.

After the eighth round, an extra subkey is applied in the same way as the first
subkey of each round.

The following diagram illustrates a round of SAFER:


Decryption
Unlike most other block algorithms, SAFER is inverted by doing the reverse of
each step, in reverse order, without the possibility of achieving the same result
merely by some alteration of the subkeys used.

The reverse of the method of mixing pairs of bytes is this: to get the old first
byte, subtract the new second byte from the new first byte. The old second byte is
the new second byte minus the old first byte, which is the same as twice the new
second byte minus the new first byte.

Subkey generation
In the original version of SAFER, the first 64-bit subkey was the key itself. To
generate successive subkeys, the individual bytes of the key were given a circular
left shift of 3 bits between the rounds, and the current result is then XORed with
a fixed constant for each round.

These constants are:

(for the first subkey, 0)


16733B1E8E70BD86
477E2456F1778846
B1BAA3B7100AC537
C95A28AC64A5ECAB
C66795580DF89AF6
66DC053DD38AC3D8
6AE9364943BFEBD4
9B68A0655D57921F
715CBB22C1BE7BBC
63945F2A61B83432
FDFB1740E6511D41
8F29DD0480DEE731
7F01A2F739DA6F23
FE3AD01CD1303E12
CD0FE0A8AF82592C
7DADB2EFC287CE75
1302904F2E723385
8DCFA981E2C4272F
7A9F52E115382BFC
42C708E409555E8C

The first several constants are given, enough for up to 10 rounds. Originally, six
rounds were proposed for SAFER, but this was increased to 8. The constants are
also derived mathematically.

SAFER SK
A new version of SAFER, SAFER SK, has a more secure key schedule.

The 64-bit key is expanded by one byte, that byte being the XOR of all the
previous bytes. For generating the first subkey, that byte is ignored; for the
second, where the key would have been used, one instead takes the eight bytes
starting with the second byte of the nine-byte expanded key; for the second, start
with the third, and after the ninth go back to the first; and so on.

SAFER SK-40

A 40-bit version of SAFER-SK also exists, with the starting nine-byte expanded
key beginning with bytes 1 to 5 being the 40-bit key, and the remaining bytes
being, in order:

byte 1 xor byte 3 xor 129


byte 1 xor byte 4 xor byte 5 xor 66
byte 2 xor byte 3 xor byte 5 xor 36
byte 2 xor byte 4 xor 24

SAFER-128, SAFER SK-128


The 128-bit key schedule, both for SAFER and SAFER-SK, consists of using the
first subkey and the other odd subkeys from the sequence generated from the
right half of the key, and the second and the other even subkeys from the
sequence generated from the left half of the key.

[Next] [Up] [Previous] [Index]

Next
Chapter Start
Skip to Next Section
Table of Contents
Main Page Home Page
[Next] [Up] [Previous] [Index]

IDEA (International Data Encryption


Algorithm)
IDEA, unlike the other block cipher algorithms discussed in this section, is patented by
the Swiss firm of Ascom. They have, however, been generous in allowing, with
permission, free noncommercial use of their algorithm, with the result that IDEA is
best known as the block cipher algorithm used within the popular encryption program
PGP.

The IDEA algorithm is interesting in its own right. It includes some steps which, at
first, make it appear that it might be a non-invertible hash function instead of a block
cipher. Also, it is interesting in that it entirely avoids the use of any lookup tables or S-
boxes.

IDEA uses 52 subkeys, each 16 bits long. Two are used during each round proper, and
four are used before every round and after the last round. It has eight rounds.

The plaintext block in IDEA is divided into four quarters, each 16 bits long. Three
operations are used in IDEA to combine two 16 bit values to produce a 16 bit result,
addition, XOR, and multiplication. Addition is normal addition with carries, modulo
65,536. Multiplication, as used in IDEA, requires some explanation.

Multiplication by zero always produces zero, and is not invertible. Multiplication


modulo n is also not invertible whenever it is by a number which is not relatively prime
to n. The way multiplication is used in IDEA, it is necessary that it be always
invertible. This is true of multiplication IDEA style.

The number 65,537, which is 2^16+1, is a prime number. (Incidentally, 2^8+1, or 257,
is also prime, and so is 2^4+1, or 17, but 2^32+1 is not prime, so IDEA cannot be
trivially scaled up to a 128-bit block size.) Thus, if one forms a multiplication table for
the numbers from 1 through 65,536, each row and column will contain every number
once only, forming a Latin square, and providing an invertible operation. The numbers
that 16 bits normally represent are from 0 to 65,535 (or, perhaps even more commonly,
from -32,768 to 32,767). In IDEA, for purposes of multiplication, a 16 bit word
containing all zeroes is considered to represent the number 65,536; other numbers are
represented in conventional unsigned notation, and multiplication is modulo the prime
number 65,537.

Description of IDEA
Let the four quarters of the plaintext be called A, B, C, and D, and the 52 subkeys
called K(1) through K(52).

Before round 1, or as the first part of it, the following is done:

Multiply A by K(1). Add K(2) to B. Add K(3) to C. Multiply D by K(4).

Round 1 proper consists of the following:

Calculate A xor C (call it E) and B xor D (call it F).

Multiply E by K(5). Add the new value of E to F.

Multiply the new value of F by K(6). Add the result, which is also the new value of F,
to E.

Change both A and C by XORing the current value of F with each of them; change
both B and D by XORing the current value of E with each of them.

Swap B and C.

Repeat all of this eight times, or seven more times, using K(7) through K(12) the
second time, up to K(43) through K(48) the eighth time. Note that the swap of B and C
is not performed after round 8.

Then multiply A by K(49). Add K(50) to B. Add K(51) to C. Multiply D by K(52).

The intricacies of IDEA encryption may be made somewhat clearer by examining the
following diagrams:
Details: Overview:

Decryption

How can the round in IDEA be reversed, since all four quarters of the block are
changed at the same time, based on a function of all four of their old values? Well, the
trick to that is that A xor C isn't changed when both A and C are XORed by the same
value, that value cancels out, no matter what that value might be. And the same applies
to B xor D. And since the values used are functions of (A xor C) and (B xor D), they
are still available.

This cross-footed round, rather than a Feistel round, is the most striking distinguishing
factor of IDEA, although its use of multiplication, addition, and XOR to avoid the use
of S-boxes is also important.

Those that are added are replaced by their two's complement. Those that are multiplied
in are replaced by their multiplicative inverse, modulo 65,537, in IDEA notation when
used to change blocks directly, but those used to calculate the cross-footed F-functions
are not changed. Keys XORed in would not need to be changed, but there aren't any
such keys in IDEA. Due to the placement of the swap, the first four keys for decryption
are moved somewhat differently than the other keys used for the same operation
between rounds.

The decryption key schedule is:

The first four subkeys for decryption are:

KD(1) = 1/K(49)
KD(2) = -K(50)
KD(3) = -K(51)
KD(4) = 1/K(52)

and they do not quite follow the same pattern as the remaining subkeys which follow.

The following is repeated eight times, adding 6 to every decryption key's index and
subtracting 6 from every encryption key's index:

KD(5) = K(47)
KD(6) = K(48)

KD(7) = 1/K(43)
KD(8) = -K(45)
KD(9) = -K(44)
KD(10) = 1/K(46)

Subkey generation

The 128-bit key of IDEA is taken as the first eight subkeys, K(1) through K(8). The
next eight subkeys are obtained the same way, after a 25-bit circular left shift, and this
is repeated until all encryption subkeys are derived.

This method of subkey generation is regular, and this may be a weakness. However,
IDEA is considered to be highly secure, having stood up to all forms of attack so far
tried by the academic community.

[Next] [Up] [Previous] [Index]

Next
Chapter Start
Skip to Next Section
Table of Contents
Main Page
Home Page
[Next] [Up] [Previous] [Index]

Skipjack
Skipjack, the originally secret algorithm associated with the infamous Clipper chip, was
declassified on Tuesday, June 23, 1998, and appeared as a .PDF document at the NIST web
site the following morning.

The basic round type of Skipjack forms another alternative, alongside those offered by SAFER
and IDEA, to the Feistel round structure seen in DES, LUCIFER and Blowfish, among other
block ciphers. In each round, one of four quarters of the block is subjected to four Feistel
rounds on a small scale, and one other quarter is modified by being XORed with the round
number and the quarter that went through the mini-Feistel cipher, either before or after that
step. No bit transposes are required in Skipjack, making it efficient to implement on a general-
purpose computer.

Skipjack has 32 rounds. These rounds are of two types, A and B. A type A round proceeds as
follows:

The first quarter of the block (called W1) is enciphered by the "G permutation", which is
actually a four-round Feistel cipher. The result, and the round number (where round numbers
go from 1 through 32), are XORed with the fourth quarter of the block (W4). Then each
quarter of the block is moved to the next position; W1 to W2, W2 to W3, W3 to W4, and W4
back to W1.

A type B round proceeds as follows:

The second quarter of the block (W2) is XORed with the round number and the first quarter of
the block (W1). Then the first quarter of the block is enciphered by the "G permutation".
Again, each quarter of the block is moved to the next position; W1 to W2, W2 to W3, W3 to
W4, and W4 back to W1.

The rotation of quarters of the block is not omitted after the last round. The 32 rounds of
Skipjack consists of eight type A rounds, eight type B rounds, eight type A rounds, and eight
type B rounds. Note that by having a type A round first, and a type B round last, the form of
the first quarter on the "inside" is XORed with one of the other quarters in the first and last
rounds.

Permutation G is a four-round Feistel cipher, involving dividing its 16-bit input into two 8-bit
halves. Like DES, the left half of the block is not changed in each round, but acts as input to
the f-function, the output of which is XORed to the right half. Unlike DES, the two halves are
swapped after the last round (as the algorithm has only four rounds, all four iterations of the f-
function can be illustrated, going alternately from right to left, and then from left to right; in
that form, no swaps at all are required).
The f-function of the G permutation is as simple as one might expect for an f-function only 8
bits wide: the input is first XORed with the current round's subkey, and then the result is
substituted according to a lookup table, called F.

The subkeys for G, each one byte long, are simply four consecutive bytes of the 80-bit key.
The first four bytes are used in the first round, the next four bytes in the second, the last two
bytes followed by the first two bytes in the third, and so on.

The operation of Skipjack may be made clearer by the following diagram:

which illustrates the first 12 rounds of Skipjack. The first round, of type A, is shown with the
G function illustrated in full. The next seven rounds, also of type A, are shown with the G
function indicated by a box marked with a G. Then the last four of the twelve rounds shown, of
type B, are showed the same way. There are dotted lines dividing the rounds in the diagram.

Instead of rotating the quarters of the block, the functions move between columns; since the
last rotation is not skipped, this illustration will show, if continued to include all 32 rounds, the
quarters ending up in their proper places without any final rotation being required.

The S-box of Skipjack, called F, which is the heart of the f-function of the Feistel mini-cipher
that is the G permutation, is as follows:

a3 d7 09 83 f8 48 f6 f4 b3 21 15 78 99 b1 af f9
e7 2d 4d 8a ce 4c ca 2e 52 95 d9 1e 4e 38 44 28
0a df 02 a0 17 f1 60 68 12 b7 7a c3 e9 fa 3d 53
96 84 6b ba f2 63 9a 19 7c ae e5 f5 f7 16 6a a2
39 b6 7b 0f c1 93 81 1b ee b4 1a ea d0 91 2f b8
55 b9 da 85 3f 41 bf e0 5a 58 80 5f 66 0b d8 90
35 d5 c0 a7 33 06 65 69 45 00 94 56 6d 98 9b 76
97 fc b2 c2 b0 fe db 20 e1 eb d6 e4 dd 47 4a 1d
42 ed 9e 6e 49 3c cd 43 27 d2 07 d4 de c7 67 18
89 cb 30 1f 8d c6 8f aa c8 74 dc c9 5d 5c 31 a4
70 88 61 2c 9f 0d 2b 87 50 82 54 64 26 7d 03 40
34 4b 1c 73 d1 c4 fd 3b cc fb 7f ab e6 3e 5b a5
ad 04 23 9c 14 51 22 f0 29 79 71 7e ff 8c 0e e2
0c ef bc 72 75 6f 37 a1 ec d3 8e 62 8b 86 10 e8
08 77 11 be 92 4f 24 c5 32 36 9d cf f3 a6 bb ac
5e 6c a9 13 57 25 b5 e3 bd a8 3a 01 05 59 2a 46

or, in decimal form,

163 215 9 131 248 72 246 244 179 33 21 120 153 177 175 249
231 45 77 138 206 76 202 46 82 149 217 30 78 56 68 40
10 223 2 160 23 241 96 104 18 183 122 195 233 250 61 83
150 132 107 186 242 99 154 25 124 174 229 245 247 22 106 162
57 182 123 15 193 147 129 27 238 180 26 234 208 145 47 184
85 185 218 133 63 65 191 224 90 88 128 95 102 11 216 144
53 213 192 167 51 6 101 105 69 0 148 86 109 152 155 118
151 252 178 194 176 254 219 32 225 235 214 228 221 71 74 29
66 237 158 110 73 60 205 67 39 210 7 212 222 199 103 24
137 203 48 31 141 198 143 170 200 116 220 201 93 92 49 164
112 136 97 44 159 13 43 135 80 130 84 100 38 125 3 64
52 75 28 115 209 196 253 59 204 251 127 171 230 62 91 165
173 4 35 156 20 81 34 240 41 121 113 126 255 140 14 226
12 239 188 114 117 111 55 161 236 211 142 98 139 134 16 232
8 119 17 190 146 79 36 197 50 54 157 207 243 166 187 172
94 108 169 19 87 37 181 227 189 168 58 1 5 89 42 70

This was double-checked by looking at the inverse of this S-box generated by the same
program that converted what I typed from hexadecimal to decimal, as the S-box is a straight
permutation of the numbers from 0 to 255. In the original document in its electronic form,
lowercase c and e are sometimes difficult to distinguish.
For decipherment, each round is replaced by a corresponding deciphering round, and these
rounds are, of course, executed in the reverse of the enciphering order.

The deciphering equivalent of a type A round is as follows:

The first quarter, W1, is XORed with W2 and the round number (rounds now counting down
from 32 to 1). Then the second quarter, W2, is subjected to the inverse of the G permutation.
Then, each quarter is moved to the position of the preceding one; W1 to W4, W2 to W1, W3 to
W2, and W4 to W3.

The deciphering equivalent of a type B round is the following:

The second quarter, W2, is subjected to the inverse of the G permutation. The third quarter,
W3, is then XORed with the round number and the changed value of W2. Again, each quarter
is moved to the position of the preceding one; W1 to W4, W2 to W1, W3 to W2, and W4 to
W3.

The deciphering equivalent of the G permutation involves using the four subkeys in reverse
order - and reversing the roles of the right and left halves of the 16-bit quarter block.

Comments

SKIPJACK was declassified in order to facilitate finding private companies to manufacture


devices using that algorithm for use by the U.S. Government. Some people have called
attention to the fact that only a short time previously, government spokespersons were saying
that the disclosure of that algorithm would harm national security.

However, I have noted that the inconsistency involved may be more apparent than real.
Between the statements cited, and the declassification of SKIPJACK, a paper was published by
an academic researcher noting that Feistel ciphers of a particular type, specifically those in
which the f-function was itself a series of Feistel rounds, could be proven to be immune to
differential cryptanalysis.

SKIPJACK, although not precisely of that type, is closely related: one of the four subblocks
undergoes Feistel rounds, but in addition to the result being used, as an f-function output, on
another subblock, the subblock is also retained in its modified state.

Also, note that SKIPJACK consists of eight type A rounds, followed by eight type B rounds
twice, instead of sixteen type A rounds and then sixteen type B rounds. Since the type A
rounds are appropriate for the beginning of the cipher, and the type B rounds are appropriate
for its end, it might seem at first that this weakened the cipher. However, the boomerang
attack, which was discovered after the declassification of SKIPJACK, allows differential
cryptanalysis to be done independently on the first and last half of a block cipher; thus, if
SKIPJACK were composed of two halves, each with one type of round, it could have been
attacked as if it consisted of only a single type of round.

It may also be noted that a recent book, Top Secret Intranet, reveals that SKIPJACK was
considered adequate to safeguard information classified SECRET but not information
classified TOP SECRET. This appears to refer to early 1999, and may still be the case as of
this writing (May 1999). Also, note that SKIPJACK has an 80-bit key, the key-length limit for
exportable ciphers is 40 bits, and some suppliers of encryption equipment to the U.S.
government have advertised their equipment provides a 120-bit key or a 160-bit key. This may
be because 40 is a multiple of both 8 and 10, and 2^10 equals 1024, which is just over 1000.
Thus every 40 bits in a key can have just over a trillion possible values, making it easy to
express the number of possible keys in decimal terms.

One notes that the key consists of 10 bytes, which is a number of the form 4n+2. While it
might not increase the security of SKIPJACK to do so, if there are no subtle traps in the
structure of SKIPJACK, which appears to have a simple and uniform structure, it might be
possible to use a key composed of the next such number of bytes with it: 14 bytes. That is an
interesting possibility, because such a key would be a 112-bit key, exactly twice as long as the
key used in DES.

[Next] [Up] [Previous] [Index]

Next
Chapter Start
Skip to Next Section
Table of Contents
Main Page
Home Page
[Next] [Up] [Previous] [Index]

Blowfish
The Blowfish program was developed by author and computer security and
cryptography consultant Bruce Schneier. Blowfish is a cipher based on Feistel
rounds, and the design of the f-function used amounts to a simplification of the
principles used in DES to provide the same security with greater speed and
efficiency in software. The block ciphers Khafre and CAST have somewhat
similar rounds.

The main claim to fame of Blowfish, however, is in its method of key scheduling.
The round keys, and the entire contents of all the S-boxes, are created by multiple
iterations of the block cipher. This enhances the security of the block cipher,
since it makes exhaustive search of the keyspace very difficult, even for short
keys.

Description of Blowfish
Unlike DES, Blowfish applies the f-function to the left half of the block,
obtaining a result XORed to the right half of the block. Originally, I had said that
this departure from convention may cause confusion in reading the description of
Blowfish. However, upon further reflection, I think that it is really DES that is
creating confusion; the time sequence of events should move from left to right
(particularly in a design that is otherwise big-endian); this is generally what
happens in more recent designs, such as the AES candidates, and particularly in
ciphers with unbalanced Feistel rounds.

Blowfish consists of sixteen rounds. For each round, first XOR the left half of the
block with the subkey for that round. Then apply the f-function to the left half of
the block, and XOR the right half of the block with the result. Finally, after all
but the last round, swap the halves of the block. There is only one subkey for
each round; the f-function consumes no subkeys, but uses S-boxes which are key
dependent.

After the last round, XOR the right half with subkey 17, and the left half with
subkey 18.
The f-function
Blowfish uses four S-boxes. Each one has 256 entries, and each of the entries are
32 bits long.

To calculate the f-function: use the first byte of the 32 bits of input to find an
entry in the first S-box, the second byte to find an entry in the second S-box, and
so on. The value of the f-function is ((S1(B1) + S2(B2)) XOR S3(B3)) + S4(B4)
where addition is performed modulo 2^32.

Decryption
Decryption is the same as encryption, with the 18 subkeys used in reverse order.
At first, this seems unbelievable (although not quite as bad as understanding
decryption of IDEA), because there are two XOR operations following the last
use of the f-function, and only one preceding the first use of the f-function.
However, if you modify the algorithm so that use of subkeys 2 through 17 takes
place before the output of the f-function is XORed to the right half of the block,
and is done to the same data before that XOR, although that means it is now on
the right half of the block, since the XOR of the subkey has been moved before a
swap of the halves of the block, you have not actually changed anything since the
same information is XORed to the left half of the block between each time it is
used as input to the f-function. In fact, you can even move the XOR still earlier,
before the preceding swap of block halves. Once you do that, you have the exact
reverse of the decryption sequence.

Subkey generation
Begin by initializing subkeys 1 through 18, followed by elements zero through
255 of the first S box, then elements zero through 255 of the second S box, all the
way to element 255 of the fourth S box, with the fractional part of pi. The most
significant bit of the fractional part of pi becomes the most significant bit of the
first subkey.

Then, take the key, which may be of any length up to 72 bytes, and, repeating it
as often as necessary to span the entire array of 18 subkeys, XOR it with the
subkey array contents.

Then execute the Blowfish algorithm repeatedly, with an initial input of a 64-byte
block of all zeroes as plaintext input. After each execution, replace part of the
subkeys or S boxes with the successive outputs of Blowfish, in the same order as
the digits of pi in binary (or hexadecimal) form were placed in them; after the
first iteration, replace subkeys 1 and 2; after the tenth iteration, replace the first
two entries (0 and 1) in S-box 1; and so on.

For each iteration of Blowfish in key generation, also use the output of the
preceding iteration as input. (The original description of Blowfish in the April
1994 issue of Dr. Dobb's Journal could be interpreted to imply that zero should
be used as input for every iteration. As the later iterations only change individual
S-box entries, this could lead to large stretches of identical data in the S-boxes,
and is thus a misreading of the directions, not a slightly different original form of
the algorithm.)

Thus, loading Blowfish with a new key takes as much time as encrypting 521
blocks ((256*4+18)/2) in Blowfish. This gives Blowfish an extra 9 bits of
security against a brute force search for keys shorter than maximum length,
which makes the 32-bit, instead of 40-bit limit for export versions of Blowfish
reported by one individual just about exactly right. (Seems you just can't fool the
NSA.)

[Next] [Up] [Previous] [Index]

Next
Chapter Start
Skip to Next Section
Table of Contents
Main Page
Home Page
[Next] [Up] [Previous] [Index]

QUADIBLOC (QUick And Dirty


Implementable BLOck Cipher)
QUADIBLOC is a little block cipher that I developed myself. It was designed to be
very easy to implement, so that any obstacles to the distribution of program source
would not be too great an inconvenience for people using it. It uses a modified Feistel
round; when the left-hand half is modified by the f-function of the right-hand half,
instead of merely performing an XOR, the left-hand half first goes through an S-box,
then is XORed with the f-function output, and then goes through an S-box again. The
main security feature of QUADIBLOC that is of interest is that the f-function is
iterated twice, thus accelerating the propagation of changes in the plaintext block
through the entire ciphertext block.

I claim trademark rights to the terms QUADIBLOC, QUADIBLOC-80, QUADIBLOC-


64, QUADIBLOC-40, QUADIBLOC-320, QUADIBLOC-640, QUADIBLOC 96,
QUADIBLOC 99, QUADIBLOC SE, QUADIBLOC-320SE, Quadibloc II, Quadibloc
III, Quadibloc III SC, Quadibloc III MD, Quadibloc III SD, Quadibloc IV, Quadibloc
V, Quadibloc VI, Quadibloc VII, Quadibloc VIII, Quadibloc IX, Quadibloc X, and
Quadibloc S, but except for requiring that these terms be used only to designate the
block ciphers described here, as they are described, the QUADIBLOC block cipher is
freely available for anyone to use, although I do not warrant them as free from patent
problems.

● Description of QUADIBLOC
❍ Euler's Constant and the QUADIBLOC S-boxes

● Variants with different key sizes


● The QUADIBLOC FAQ (includes funny stuff)
● Key Augmentation
● Quadibloc II
● Quadibloc III
● Quadibloc IV
● Quadibloc V
● Quadibloc VI
● Quadibloc S
● Quadibloc VII
● Quadibloc VIII
❍ The Standard Rounds

❍ The Mixing and Whitening Phase


❍ The Key Schedule
❍ The Rationale of the Design

● Quadibloc IX
● Quadibloc X

[Next] [Up] [Previous] [Index]

Next Chapter
Chapter Start
Table of Contents
Main Page
Home Page
[Next] [Up/Previous] [Index]

Description of QUADIBLOC
The intent of the following proposed block cipher is to provide a cipher which is at
least as secure as DES, and possibly somewhat more secure, which is reasonably
efficient when implemented in software, and is furthermore easy to implement.

Changes required for QUADIBLOC 99, which corrects known weaknesses in the
original QUADIBLOC (QUADIBLOC 96), are indicated in highlighted boxes.

Two S-boxes, taking 8 binary inputs uniquely to 8 binary outputs, are used, as well as
the inverse of the second S-box. The S-boxes are constructed from Euler's constant
(.57721...) as follows:

start with an array, A, such that A(0) is 0, A(1) is 1, up to A(255) which is 255. Place
Euler's constant to sufficient precision in ACC. Number of choices starts at 256, and is
decreased by 1 for each iteration; element to choose starts at 0, and increases by 1 for
each iteration. The iteration where Number of choices is 2 is the last iteration.

During each iteration, multiply ACC by Number of choices. Leave the fractional part
of the result in ACC; swap

A( Number of choices )

and

A( Number of choices + the integer part of the result).

This generates S-box 1; repeat the procedure with the contents remaining in ACC to
obtain S-box 2. (ACC must be long enough to hold Euler's constant to sufficient
precision to support both applications of the procedure.)

The S-boxes are given on the page entitled Euler's Constant and the Quadibloc S-boxes.

In QUADIBLOC 99, a third S-box, generated by continuing the process, is also used.

In addition, the following 4 of 8 code for the numbers 0 to 63 is used during subkey
generation:
given the 6 bits abcdef, in the output word, let c stand for 01 if the bit c is 0, or 10 if the
bit c is 1, and let DD stand for 0011 if the bit d is 0, or 1100 if the bit d is 1, then

00cdef becomes cdef


010def becomes DDef
011def becomes deFF
100def becomes dEEf
101def becomes DefD
110def becomes DeDf
111def becomes dEfE

or, giving the 64 equivalents in hex,

55 56 59 5A 65 66 69 6A 95 96 99 9A A5 A6 A9 AA
35 36 39 3A C5 C6 C9 CA 53 5C 63 6C 93 9C A3 AC
4D 4E 71 72 8D 8E B1 B2 17 1B 27 2B D4 D8 E4 E8
1D 1E 2D 2E D1 D2 E1 E2 47 4B 74 78 87 8B B4 B8

The cipher is an iterative block cipher, with 16 rounds and 48 subkeys, and uses Feistel
rounds: half the block is used to encipher the other half in each round. It operates on a
64-bit block, and has a 160-bit key.

Initially, the first 4 bytes of data to encrypt are taken as the left half, and the last 4
bytes are taken as the right half.

Each round proceeds as follows:

A copy of the right half, which will actually be unchanged by this round, is taken.

This now describes the f-function

The copy is XORed with the round's first subkey (subkey 1 for round 1, subkey 4 for
round 2, to subkey 46 for round 16).

Then, each byte is replaced by its substitute in S-box 1.

In QUADIBLOC 99, the fourth byte is instead replaced by its substitute in S-box 2.

The bits of the result, considered to be numbered from 1 (most significant bit of the
first, leftmost byte) to 32 (least significant bit of the last, rightmost byte) following the
pattern in DES, are to be transposed to lie in the following positions:
1 2 27 28 21 22 15 16
9 10 3 4 29 30 23 24
17 18 11 12 5 6 31 32
25 26 19 20 13 14 7 8

Note that this arrangement posesses a great deal of symmetry: only ONE version of S-
box 1, with 256 32-bit entries is needed to perform both the S-box substitution, and the
subsequent permutation, in a single step for efficiency on a computer without hardware
instructions for bit transposition. And, since no bits change their position within a byte,
a slower implementation, using S-box 1 with single byte entries, and doing the
transposition using masking, is also possible.

In QUADIBLOC 99, the symmetry of the bit transposition remains, but one expanded
version of S-box S2 is also required.

The 32 transposed bits are now XORed with the round's second subkey.

In QUADIBLOC 99, the value generated at this point is also retained, and is called
the intermediate result of the f-function.

Each byte of the result is again replaced by its substitute in S-box 1, and the bits of the
result are transposed as before.

In QUADIBLOC 99, in the second part of the f-function, the second and third bytes
are instead replaced by their substitutes in S-box 2.

The result is XORed with the round's third subkey. This produces the output of the f-
function.

Applying the f-function output to alter the left half of the block:

In a QUADIBLOC 99 type A round, the first (leftmost) half of the intermediate result
of the f-function is used to control an ICE-style swap of bits between the halves of the
left half of the block at this time: each bit in that 16-bit quantity which is 1 indicates
that corresponding bits in the two halves of the 32-bit left half of the block are to be
swapped.

Each byte of the left half is replaced by its substitute in S-box 2.


In QUADIBLOC 99, S-box 3 is used for this purpose.

In a QUADIBLOC 99 type B round, the first (leftmost) half of the intermediate result
of the f-function is used to control an ICE-style swap of bits between the halves of the
left half of the block at this time: each bit in that 16-bit quantity which is 1 indicates
that corresponding bits in the two halves of the 32-bit left half of the block are to be
swapped.

The result is XORed with the result of the f-function applied to the right half.

In a QUADIBLOC 99 type B round, first the second and third bytes of the left half of
the block are swapped, and then the second (rightmostmost) half of the intermediate
result of the f-function is now used to control another ICE-style swap of bits between
the halves of the left half of the block: each bit in that 16-bit quantity which is 1
indicates that corresponding bits in the two halves of the 32-bit left half of the block
are to be swapped.

Each byte of the result is replaced by its substitute in S-box 2.

In QUADIBLOC 99, S-box 3 is used for this purpose.

In a QUADIBLOC 99 type A round, first the second and third bytes of the left half of
the block are swapped, and then the second (rightmostmost) half of the intermediate
result of the f-function is now used to control another ICE-style swap of bits between
the halves of the left half of the block: each bit in that 16-bit quantity which is 1
indicates that corresponding bits in the two halves of the 32-bit left half of the block
are to be swapped.

The sequence of rounds:

In QUADIBLOC 99, the type A and type B rounds alternate as follows:

Round: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
Type: A A B B A A B B B B A A B B A A

Except for the four middle rounds, this ensures that the ICE-style bit transpositions
alternate with the byte substitutions using S-box 3.

The swap:

After every round except round 8 and round 16:


the left half for the next round is the unchanged right half from the previous round;

the right half for the next round is the modified left half, after the XOR and the two
substitutions, subjected to a circular left shift of 8 bits (which can be carried out by
moving whole bytes, of course).

In QUADIBLOC 99, the swap is performed in all rounds except round 16 only. The
bit transpose after round 8 is removed as not having as much effectiveness as was
hoped for, and instead the ICE-style bit swap is added to every round. The circular left
shift of 8 bits is no longer part of the swap, and is replaced by the exchange of two
bytes preceding the last bit swap.

After round 8:

Each byte of the right half is replaced by its substitute in S-box 2.

Subject the bits of the block, numbered from 1 to 64, from left to right, to the following
(reciprocal) bit transpose:

1 34 11 44 21 54 31 64 9 42 3 36 29 62 23 56
17 50 27 60 5 38 15 48 25 58 19 52 13 46 7 40
33 2 43 12 53 22 63 32 41 10 35 4 61 30 55 24
49 18 59 28 32 6 47 16 57 26 51 20 45 14 39 8

Each byte of the right half of the result is replaced by its substitute in S-box 2.

As previously mentioned, this operation is completely omitted from QUADIBLOC


99, and a simple swapping of halves takes place instead.

After round 16:

Nothing happens: the result at that point, without further swapping, is the output of the
cipher.

The following diagram illustrates what happens during a normal round of


QUADIBLOC 96 (from 1 to 7, or 9 to 15), to help make the description clearer:
And these are the corresponding diagrams for QUADIBLOC 99:

For a type A round:


For a type B round:
Some comments at this stage:

Using a 'double' f-function means:

a) every bit of the f-function output depends on every bit of the right half of the block,
thus making propagation very rapid, and

b) the first half of the f-function can be thought of as substituting for the absence of an
expansion permutation and auxilliary S-box inputs as found in DES.

Decipherment is the same as encipherment, except:

a) S-box 2 is replaced by the inverse of S-box 2 (S-box 1 is unchanged),

In QUADIBLOC 99, for decipherment, S-box 3 is replaced by its inverse, and S-


boxes 1 and 2 are unchanged.

b) after every round except rounds 8 and 16, the modified left half from one round
becomes the right half for the next, and the unmodified right half receives a right
circular shift of 8 bits before becoming the left half for the next round, and

In QUADIBLOC 99, the swap of the second and third bytes in the left half of the
block is changed to take place after the first ICE-style swap and before the first use of
S-box 3. Also, now the ICE-style swap that occurs first uses the second (rightmost)
half of the intermediate result of the f-function as input, and the ICE-style swap that
occurs second uses the first (leftmost) half of the intermediate result of the f-function
as input.

c) the 16 groups of three subkeys for the 16 rounds are used in reverse order, but the
three subkeys within each group are still used in the same order.

The bit transpose with partial substitution between rounds 8 and 9 is intended to create
a 'wall' between the first 8 and the last 8 rounds that will make the cipher much harder
to analyze and solve.

The bit transpose has been removed since the boomerang attack has cast some doubts
on its efficacy.

Subkey generation:

The 160-bit key shall be expanded to 176 bits by applying the 4 of 8 bit code specified
above to each group of 6 bits in the last 48 bits of the key, thus expanding these 48 bits
to 64 bits. (This is done to prevent weak keys.)

In QUADIBLOC 99, the last 64 bits of the 160-bit key shall be used, reduced to 48
bits by ignoring the most significant two bits of each byte, as input to the 4 of 8 bit
code. This avoids having to perform unnecessary shift operations. Then, the 160-bit
key will be expanded to the following: the first 96 bits of the original 160-bit key, the
64 bits generated from the 4 of 8 code, and the last 64 bits of the original 160-bit key
XOR the first 64 bits of the original 160-bit key (so that the expanded key does not
contain both the original form, and the 4 of 8 encoding, of the same bits) to produce
an expanded key that is 224 bits long.

The first 128 bits of the result shall be divided into four 32-bit blocks, which shall be
called, from left to right, P, Q, R, and S.

The subkeys shall be generated for the 16 encipherment rounds in order.

P, Q, and R will be taken as the three subkeys for the current round, subject to an XOR
to be subsequently described.
Then, P, Q, and R shall be shifted left n bits, and S shall be shifted left 3n bits, with the
first n bits of P, then the first n bits of Q, then the first n bits of R being shifted into S,
while the bits shifted out of S into P, Q, and R will alternate, one bit at a time, into
these three registers/locations.

Thus, when n is 6, we have:

Before:

P) P1 P2 ... P32
Q) Q1 Q2 ... Q32
R) R1 R2 ... R32
S) S1 S2 ... S32

and after:

P) P7 P8 ... P32 S1 S4 S7 S10 S13 S16


Q) Q7 Q8 ... Q32 S2 S5 S8 S11 S14 S17
R) R7 R8 ... R32 S3 S6 S9 S12 S15 S18
S) S19 S20 ... S32 P1 P2 ... P6 Q1 Q2 ... Q6 R1 R2 ... R6

The value of n to use for each round in turn shall be

5, 6, 5, 5,
7, 7, 7, 7,
7, 8, 7, 7,
5, 6, 5, 5.

Each of the 48 subkeys thus generated will now be XORed with the leftmost 32 bits of
T, where T begins as the last 48 bits of the expanded key, and is given a right circular
shift of 17 bits after each use.

In QUADIBLOC 99, a right circular shift of 11 bits will be used after generating all
but the last of the 27 subkeys used by the first nine rounds, and then a right circular
shift of 17 bits will be used afterwards. Since the expanded key is 224 bits long, rather
than 176 bits long, T will be 96 bits long and will initially contain the last 96 bits of
the expanded key.

● Euler's Constant and the QUADIBLOC S-boxes

[Next] [Up/Previous] [Index]


Next
Chapter Start
Skip to Next Section
Table of Contents
Main Page
Home Page
[Next] [Up/Previous] [Index]

Euler's Constant and the Quadibloc S-


Boxes
The initial values of the subkeys and S-boxes in Blowfish are based on pi. To dispel
worries about S-boxes with a designed-in weakness in my amateur designs, I have chosen
a standard mathematical constant as their source.

The constant I am using is Euler's constant, sometimes called the Euler-Mascheroni


constant, also known as gamma. Its value is .57721 56649 01532 86060 65120 90082...

Euler's constant is defined as the limit, as n tends to infinity, of the sum of 1 + 1/2 + 1/3
+ ... up to 1/n, minus the natural logarithm of n, normally written:

n
/ ____ \
| \ 1 |
lim | > --- | - ln(n)
n -> infinity | /___ i |
\ i=1 /

Since

_n
/
| 1
| ---, dx = ln(n)
| x
_/
1

that is, the integral from 1 to n of 1/x with respect to x is the natural logarithm of n, the
following diagram illustrates what Euler's constant is in graphical form:
Allowing the graph to continue on indefinitely to the right, the boxes shown which are
divided into green and gray areas have a total overall area of 1. (Note that the vertical
scale in the graph is exaggerated compared to the horizontal scale for clarity.) Euler's
constant, .57721 56649... is the total of the areas of the gray parts of the boxes.

Because only scaling makes the shape of the graph of 1/x from 1 to 2 different from the
graph of 1/x from 2 to 4, or the graph of 1/x from 4 to 8, the following diagram:

illustrates a way in which it is possible to derive a formula for Euler's constant that would
only involve calculating the natural logarithm of 2.

This formula is:

(i+1)
infinity 2
____ ____
\ \ 1 1
gamma = (1 - ln(2)) + > (1 - ln(2)) - > --- - ---
/___ /___ i j
i = 1 i 2
j = 2 +1

By superimposing the areas from 1 to 2, from 2 to 4, and 4 to 8 after adjusting them to fit,
one sees that another series for Euler's constant, not involving any logarithms, is possible,
as it is (1/2 - 1/3) + 2 * ((1/4 - 1/5) + (1/6 - 1/7)) + 3 * ((1/8 - 1/9) + (1/10 - 1/11) + (1/12 -
1/13) + (1/14 - 1/15)) + ..., or, in other words:

(i+1)
infinity 2 - 1
____ ____
\ \ (j-1) 1
gamma = > i * > (-1) * ---
/___ /___ j
i = 1 i
j = 2

Euler's constant is more difficult to calculate than the square root of 2, e, or pi, and it is
less well understood. Mathematicians have not yet proven which of rational, algebraic, or
transcendental it is.

The S-boxes constructed from Euler's constant (.57721 56649...) for use in the Quadibloc
series of block ciphers are derived as follows:

start with an array, A, such that A(0) is 0, A(1) is 1, up to A(255) which is 255. Place
Euler's constant to sufficient precision in ACC. Number of choices starts at 256, and is
decreased by 1 for each iteration; element to choose starts at 0, and increases by 1 for each
iteration. The iteration where Number of choices is 2 is the last iteration.

During each iteration, multiply ACC by Number of choices. Leave the fractional part of
the result in ACC; swap

A( Number of choices )

and

A( Number of choices + the integer part of the result ).

This generates S-box 1; repeat the procedure with the contents remaining in ACC to
obtain S-box 2. (ACC must be long enough to hold Euler's constant to sufficient precision
to support both applications of the procedure.)
A BASIC program to generate these S-boxes is given here. And this BASIC program
produced the DATA statements it required from a file containing the value of Euler's
constant.

Here are the S-boxes thus produced. S-boxes from 1 through 4 are used in several of the
ciphers in the Quadibloc series. S-boxes 5 and 6 are combined into one S-box with 512
entries, called S5, in Quadibloc II and III, and similarly S-boxes 7 and 8 become S6 and S-
boxes 9 and 10 become S7. S-box 11 is used under the name S9 in Quadibloc III.

S-box 1 is:

147 196 164 55 9 6 90 236


192 207 17 58 52 112 227 221
122 94 60 10 153 245 195 194
50 135 133 186 183 1 177 132
48 126 125 12 137 104 105 77
167 46 228 74 201 5 68 165
0 204 212 254 97 65 14 113
134 171 72 151 169 19 211 71
168 209 238 43 83 84 53 101
187 214 145 231 172 210 36 175
76 38 7 79 156 100 222 103
4 95 217 127 152 198 32 128
70 96 13 131 41 39 250 205
91 102 61 241 22 73 247 28
20 136 33 56 93 108 193 182
233 213 47 11 16 188 224 240
106 208 2 140 230 82 166 99
54 190 243 253 181 255 138 237
111 219 49 220 143 142 161 162
251 226 239 180 98 130 107 24
119 78 146 123 88 45 120 118
57 21 15 234 150 40 64 35
154 25 29 139 114 59 144 215
87 26 37 248 75 86 202 197
34 163 206 44 69 173 81 92
216 31 159 62 27 244 30 232
179 80 218 66 129 148 225 246
252 170 174 8 200 124 18 203
191 189 116 3 67 242 229 141
199 117 121 89 157 42 51 115
85 160 235 109 158 178 176 223
249 155 184 185 63 149 110 23

S-box 2 is:
187 91 192 149 175 80 48 231
19 23 210 35 104 31 72 111
180 20 79 100 45 173 240 113
63 236 201 69 118 181 248 185
115 62 29 166 253 67 60 41
247 124 101 24 135 87 221 144
197 188 93 65 123 142 207 195
105 53 163 145 190 18 130 76
233 251 146 161 193 211 10 235
83 14 174 96 27 151 126 112
43 34 117 157 56 5 219 22
155 4 213 186 245 66 214 196
246 64 49 147 71 61 133 37
12 227 121 17 68 143 165 176
191 232 8 116 238 59 184 102
224 138 170 11 39 205 36 244
183 140 217 228 237 209 212 42
177 77 208 78 25 242 15 50
114 81 97 0 154 13 216 2
119 152 250 88 220 171 127 103
1 21 74 70 252 200 92 156
73 32 226 95 150 99 167 122
182 84 47 136 3 162 125 139
98 153 158 134 172 239 168 178
85 194 249 51 128 33 38 223
107 254 141 241 148 46 120 198
137 75 132 108 58 243 225 204
89 129 131 16 203 255 44 86
160 189 230 106 215 55 222 229
94 164 82 202 26 179 6 7
199 90 30 54 57 40 109 28
206 9 110 52 218 234 169 159

S-box 3 is:

169 101 98 166 37 253 215 99


85 233 210 135 201 79 5 239
53 11 150 105 141 198 219 234
195 60 127 143 165 42 64 121
255 18 78 132 251 159 213 245
230 106 40 175 153 20 81 23
212 217 147 74 240 174 171 97
89 26 187 115 38 220 51 249
73 7 86 24 82 16 164 250
179 123 107 49 194 154 204 94
66 118 231 183 22 113 192 188
180 167 29 119 46 96 117 28
35 114 186 197 138 191 52 122
247 19 103 6 31 102 227 254
145 246 148 12 156 144 189 8
61 33 13 58 36 216 41 68
185 63 69 178 228 172 125 142
59 243 75 235 202 221 80 151
120 226 21 155 93 32 25 209
57 9 168 30 116 252 56 203
128 146 163 205 95 157 222 177
244 190 130 17 242 87 161 83
27 139 44 62 50 4 54 65
225 72 88 3 232 104 136 10
48 109 206 218 126 112 43 90
229 133 14 110 100 162 158 211
152 2 92 176 199 207 1 84
34 173 214 170 223 77 184 67
129 149 182 196 45 200 160 47
224 39 238 208 124 70 137 193
15 71 111 237 76 131 0 248
236 241 181 140 91 108 55 134

S-box 4 is:

56 185 51 63 131 246 69 102


177 84 61 1 228 251 219 60
64 103 34 164 4 0 106 17
120 53 118 204 127 100 27 231
93 26 146 133 72 195 240 202
12 209 236 245 247 149 32 212
47 70 135 158 79 230 76 223
9 125 99 31 16 136 77 147
189 40 188 90 210 159 21 48
74 145 179 132 14 20 55 243
24 39 222 134 38 19 232 119
206 124 168 142 211 171 249 36
15 121 163 187 161 97 215 203
71 201 92 113 128 153 181 167
244 126 58 214 208 250 186 226
111 162 183 199 140 175 110 213
50 139 154 94 174 68 207 11
89 248 166 157 82 115 160 98
180 221 112 235 25 182 169 194
116 28 5 8 2 229 176 88
130 66 192 42 13 86 73 59
225 7 52 18 57 205 234 237
178 255 143 218 114 95 29 109
242 33 129 122 155 35 80 191
238 67 101 137 138 216 108 85
253 152 3 123 217 190 96 197
198 148 200 75 10 233 30 37
41 227 6 254 252 83 43 220
104 49 239 196 45 65 172 105
165 91 150 184 44 173 107 22
62 46 144 170 117 78 151 87
141 81 23 156 224 241 54 193

S-box 5 is:

218 16 5 224 122 22 160 207


90 43 170 153 221 213 140 178
93 145 46 135 10 72 229 102
249 74 254 149 192 45 225 245
94 105 128 206 114 162 23 233
117 7 83 169 31 143 109 230
100 91 34 6 223 240 30 210
86 2 98 147 77 204 188 106
103 244 177 27 184 112 191 9
18 58 68 198 138 251 253 12
200 42 78 176 20 234 150 144
116 146 8 164 88 32 222 59
186 175 47 194 195 141 127 41
155 255 1 28 24 217 252 165
154 21 243 92 70 212 139 205
131 166 196 111 173 123 118 209
183 125 197 220 126 136 69 26
48 216 52 85 242 132 35 36
3 163 219 99 33 211 236 39
179 187 115 110 56 14 66 142
79 121 171 108 208 50 60 13
215 51 181 53 199 167 201 180
133 84 62 113 157 226 40 159
239 214 29 119 231 97 81 57
190 227 168 189 76 11 107 185
38 25 4 63 71 237 182 151
137 80 246 232 174 202 134 203
193 49 250 120 101 96 75 152
73 64 89 124 44 238 148 65
247 15 61 158 235 19 156 129
67 95 54 228 0 87 17 161
241 37 248 172 130 55 104 82
S-box 6 is:

237 205 82 124 69 99 132 0


94 5 244 127 104 115 192 77
217 63 119 245 61 72 222 118
75 234 37 167 134 19 243 210
204 60 195 34 151 229 116 130
32 176 165 197 38 152 41 180
20 249 83 31 46 117 103 87
92 71 108 214 253 144 190 102
10 129 91 8 160 207 157 223
232 153 247 159 12 36 163 27
49 121 79 138 64 219 53 203
42 200 250 137 47 62 107 23
246 67 17 248 142 135 139 154
218 59 68 70 224 97 233 81
45 24 28 25 202 251 169 74
184 14 51 85 1 239 255 21
133 111 120 43 128 215 96 2
227 35 16 30 122 238 193 40
84 126 56 150 211 26 50 146
236 100 44 206 182 158 162 18
76 252 54 145 125 155 156 73
186 183 11 6 15 9 3 140
172 171 48 13 185 164 105 143
78 228 141 39 213 194 90 209
230 254 113 4 95 168 55 147
123 65 175 109 93 196 7 110
149 212 221 201 57 181 148 216
166 240 191 136 241 179 170 52
173 225 98 131 101 33 187 208
231 242 66 161 189 58 198 86
178 188 177 80 29 220 235 22
199 88 174 112 106 89 114 226

S-box 7 is:

182 195 39 188 242 168 253 54


47 205 57 244 111 228 245 221
142 51 237 73 164 190 201 225
74 227 36 251 41 83 8 70
79 222 61 189 224 239 97 139
107 130 48 211 213 55 123 160
161 162 75 105 175 19 148 30
42 33 88 219 134 118 143 66
45 63 0 29 103 67 252 247
174 159 220 178 92 236 22 132
231 12 125 170 49 255 155 169
109 65 56 209 6 181 235 198
136 131 101 197 233 15 230 117
241 217 184 7 163 116 31 153
223 108 194 216 166 114 187 112
16 102 113 104 27 14 86 229
87 11 154 183 214 218 106 40
80 90 64 146 185 119 151 254
91 100 238 126 243 226 172 77
191 68 26 145 52 9 23 179
99 95 206 165 173 4 207 137
122 176 144 13 17 46 1 98
96 158 72 127 28 208 18 35
177 71 60 167 232 249 58 133
32 78 82 203 25 24 21 69
10 85 89 196 202 152 147 157
62 215 246 248 93 210 44 212
34 5 128 149 110 200 193 76
250 192 59 199 124 20 138 115
120 50 53 43 234 84 141 180
135 204 240 150 94 2 3 121
38 156 140 37 81 129 171 186

S-box 8 is:

170 12 142 79 20 169 211 194


48 41 50 44 67 166 237 62
107 68 54 175 28 133 190 214
4 159 108 242 23 207 130 136
36 119 150 110 168 201 156 85
183 189 184 11 239 45 60 140
84 72 249 30 243 158 81 42
29 202 144 90 241 80 135 111
94 212 55 160 38 32 164 122
114 31 224 149 103 97 210 174
177 227 179 181 165 216 252 82
14 232 208 34 18 52 57 71
33 198 217 219 22 121 147 43
151 228 88 167 132 251 63 78
236 255 92 86 253 3 100 188
66 199 235 154 112 248 102 53
21 77 49 197 233 139 6 105
83 218 99 186 220 185 254 91
245 157 176 128 240 178 10 75
0 129 155 24 238 7 117 51
120 123 182 143 191 116 8 196
19 250 27 126 73 39 162 247
76 141 244 221 35 15 37 204
234 205 246 58 95 173 206 187
65 215 172 40 16 69 109 192
124 56 152 26 46 93 145 148
118 195 115 203 223 225 64 131
231 229 134 163 125 98 226 213
161 17 9 25 87 230 138 153
2 61 1 137 70 13 89 106
47 113 222 104 209 200 96 101
59 171 146 74 193 5 180 127

S-box 9 is:

143 174 59 186 83 80 63 121


15 68 182 65 146 189 179 18
253 219 154 42 135 164 74 196
136 229 197 161 4 224 120 238
145 239 103 168 235 245 152 93
62 46 226 91 173 77 22 109
94 95 209 87 86 246 8 122
128 104 64 81 198 236 78 26
1 99 194 180 0 240 125 204
144 175 60 14 176 25 31 222
70 170 167 237 215 142 149 254
20 181 107 36 41 92 72 166
126 255 249 52 214 150 40 7
247 193 234 67 33 210 242 50
248 250 206 133 102 163 199 2
84 134 127 49 243 244 96 132
55 129 39 165 138 117 32 82
160 47 35 216 148 195 218 225
66 156 183 101 76 71 24 124
251 11 153 230 90 211 158 200
85 98 221 233 241 6 69 227
190 207 10 61 73 187 157 123
37 185 100 28 118 16 56 106
51 188 27 131 13 169 17 9
139 21 205 88 29 141 231 108
110 162 54 45 159 111 48 232
114 155 113 203 140 75 208 97
79 223 202 115 53 177 30 217
178 220 38 130 172 192 119 171
3 43 184 112 105 12 212 57
58 19 151 89 252 213 228 116
201 44 34 147 191 5 137 23

S-box 10 is:

18 230 126 161 150 80 132 11


40 51 68 43 192 3 233 179
48 105 33 16 118 6 227 28
231 8 154 168 181 97 223 221
188 209 76 64 27 131 210 13
35 134 164 222 244 145 206 199
243 10 158 239 15 121 171 238
34 162 205 84 90 9 234 99
19 253 207 218 0 178 115 137
170 196 42 155 212 143 119 148
106 104 24 177 140 255 144 120
60 54 110 185 50 91 78 191
111 159 240 47 160 70 22 39
215 59 128 65 112 204 186 216
125 250 195 138 245 247 5 96
92 242 163 77 141 146 55 83
167 224 30 153 252 190 46 103
203 241 208 152 114 52 85 32
219 74 26 200 14 101 20 117
193 214 249 95 67 89 135 94
156 124 72 236 169 56 183 123
166 2 98 237 172 57 217 61
41 189 113 194 136 226 248 63
108 17 180 184 69 44 66 116
37 175 228 130 4 127 53 49
71 235 75 29 81 100 109 211
157 93 246 23 187 86 79 45
102 149 1 176 198 232 165 73
62 147 107 142 87 88 225 182
213 38 197 58 21 82 201 229
12 151 220 122 129 31 202 7
133 139 36 25 174 254 251 173

S-box 11 is:

45 216 52 146 179 234 195 38


199 56 32 25 229 72 190 163
2 12 221 242 154 188 113 0
233 173 251 207 243 231 107 6
16 184 91 50 162 94 51 230
205 30 165 210 187 74 129 232
178 150 177 105 22 156 213 215
235 14 90 203 59 85 183 139
70 212 64 247 180 120 218 240
220 73 110 62 27 39 245 49
175 79 15 238 40 78 86 111
98 169 33 17 167 228 181 253
24 75 61 117 115 35 66 224
126 19 182 193 31 11 47 109
136 255 159 138 96 89 160 10
80 151 121 20 246 143 155 206
82 171 186 164 114 57 119 161
102 241 124 249 26 5 71 192
141 101 9 99 174 84 77 145
236 131 53 103 88 58 118 127
48 87 147 223 152 123 132 252
211 166 29 28 36 13 237 202
63 122 69 4 217 197 201 148
254 60 200 208 95 54 7 130
92 112 222 239 1 204 67 191
194 248 8 142 157 44 34 189
41 225 100 176 23 97 93 198
42 140 116 250 133 106 128 196
81 104 144 137 125 65 83 37
18 68 172 135 3 21 214 43
46 170 219 108 158 244 209 134
227 226 76 168 185 55 153 149

[Next] [Up/Previous] [Index]

Next
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]

Variations of QUADIBLOC
QUADIBLOC-80

Using QUADIBLOC with the initial key formed by concatenating the 80-bit key with
its inverse (one's complement, bitwise negation), encipher the following:

1) Expand the first 18 bits of the key to 24 bits using the 4 of 8 bit code in
QUADIBLOC; repeat these as often as required to XOR with the last 64 bits of the
key. (Yes, 2 bits are used twice.)

2) Take the first 64 bits of the key; XOR with the 24 bits formed by expanding the last
18 bits of the key, repeated starting from the right.

3) Form a 48-bit string by XORing the first 40 bits + 00000000 with 00000000 + the
last 40 bits; convert that to 64 bits using the 4 of 8 bit code on all of it.

Using the 192 bits which result from these three block encryptions, convert to a 160-bit
key as follows:

concatenate the 64 bits of 1) enciphered with the 64 bits of 2) enciphered and the first
(leftmost, most significant) 32 bits of 3) enciphered,

and XOR these 160 bits with the last 32 bits of 3) enciphered, repeated five times.

QUADIBLOC-64

Expand a 64-bit key to an 80-bit key by converting the first 48 bits of the key to 64
bits, using the 4 of 8 bit code. This, concatenated with the last 16 bits, makes 80 bits.

Produce a 160-bit key from this as outlined for QUADIBLOC-80.

Then XOR the 64 bit key with that, repeated 2 and 1/2 times. (The last one-half uses
the first 32 bits.)

QUADIBLOC-40

Expand the 40-bit key to an 80-bit key by concatenating it with its inverse.
Produce a 160-bit key from this as outlined for QUADIBLOC-80.

Expand the 40-bit key to 52 bits by converting the first 36 bits to 48 bits using the 4 of
8 bit code. XOR the 52 bit result (48 expanded bits + 4 original bits) starting with a
whole block on the left repeatedly with the 160-bit result to get the 160-bit key to use.

QUADIBLOC-320

The first half is used to generate subkeys normally, and so is the second half. First-half
subkeys are used in rounds 1, 2, 5, 6, 9, 10, 13, and 14; second-half subkeys are used in
rounds 3, 4, 7, 8, 11, 12, 15, and 16.

QUADIBLOC-640

The key is divided into four quarters, each of which is used to generate subkeys
normally, and the subkeys generated from the first quarter are used in rounds 1, 2, 9,
and 10; from the second in 3, 4, 11, and 12; from the third in 5, 6, 13, and 14; and from
the fourth in 7, 8, 15, and 16.

Enhanced QUADIBLOC

S-box 2, in QUADIBLOC, is used only when enciphering, and its inverse is used when
deciphering. Since this S-box gets changed anyways, Enhanced QUADIBLOC is
QUADIBLOC changed in that S-box 2 is part of the key, and supplied by the user,
instead of being the fixed value shown in the definition of QUADIBLOC.

[Next] [Up] [Previous] [Index]

Next
Chapter Start
Skip to Next Section
Table of Contents
Main Page
Home Page
[Next] [Up] [Previous] [Index]

The QUADIBLOC FAQ


1) Why is this bozo cluttering up my computer with a 12K file?

2) What are the design goals of Quadibloc?

3) Where can I get source code?

4) What are the known weaknesses of Quadibloc?

5) How could it have been made stronger?

6) Where does Quadibloc get its security from?

7) How does Quadibloc compare to DES?

8) How does Quadibloc compare to Skipjack?

9) How does Quadibloc compare to Blowfish?

10) What is the likely impact of Quadibloc?

1. Why is this bozo cluttering up my computer with a 12K file?

Obviously a shameless attempt to obtain 15 minutes of fame by getting mentioned in


the third edition of Schneier.

2. What are the design goals of Quadibloc?

There are three goals, in the following order:

- Ease of implementation,

- Security, and

- Efficiency in software and hardware.


The primary goal, ease of implementation, was addressed by keeping the size and
number of S-boxes in the cipher to a minimum. Ease of implementation and efficiency
were also promoted by keeping the few bit transposes in the cipher simple. Because of
the order of the goals, security was obtained by performing part of the F-function
twice, rather than relying on fancier S-boxes, and a full bit-transpose was included
ONCE in the cipher.

3. Where can I get source code?

I haven't written any yet. Maybe in a couple of years. At least, in addition to


distributing the source, I'll NEED to implement it at least once in order to generate test
vectors. Which everyone else will probably want before they try their hands at it.

4. What are the known weaknesses of Quadibloc?

QUADIBLOC-640 can have its effective key size shortened by from 32 to 64 bits
through a meet-in-the-middle attack.

Since Quadibloc uses one S-box all the way across in the F-function, if Quadibloc had
weak keys (which, fortunately, it doesn't) it would have a rotational symmetry for all
rotations of a multiple of 8 bits applied to the two halves of the block together. The
permutation after round 8 also limits the damage this would do.

It probably has much worse ones than that, but I don't have the prestige to get Eli
Biham et al to do my work for me... .

Other possible weaknesses:

Does doing an XOR after the substitution and P-permutation in the F-function leak key
bits?

Should an odd value, instead of 8 bits, be used for the circular shift done along with the
swap of halves?

The F-function is more complicated than that of DES in some ways, but unlike that of
DES, it isn't a one-way hash; it's invertible.

The P-permutation, and the "wall" permutation used after round 8, are both regular.

Additional notes:

The use of a single S-box all the way across in the f-function also means that if
characteristics are found for applying differential cryptanalysis, it is easier to use them
in successive rounds. However, the fact that the S-box has 256 entries, the fact that the
f-function is doubled, and the use of S-box 2 on the left half, all make a differential
attack unlikely.

The use of a permutation after round 8 is not as total an obstacle to analysis as I had
originally thought. It is no hindrance whatever to the boomerang attack, discussed in
the section on differential cryptanalysis. However, in addition to a permutation, I also
put the right half of the block through S2 both before and after (the left half goes
through S2 anyways). Thus, it does not appear at this time that the boomerang attack
requires immediate alterations to the QUADIBLOC design.

5. How could it have been made stronger?

I can think of two obvious improvements that I avoided for the sake of ease of
implementation.

- Replace the swap plus circular shift with a straight swap, but in ALL 16 rounds, after
the XOR, and before the second use of S-box 2, do a right circular shift of 12 bits on
the left half of the block.

- Replace S-boxes 1 and 2 by two sets of 8 S-boxes.

6. Where does Quadibloc get its security from?

DES could be made TOTALLY insecure by stripping just TWO elements from it:

- remove the expansion permutation, changing all the S-boxes to have 4 inputs as well
as 4 outputs;

- replace the permutation P with the identity permutation.

Then, DES would become a set of 8 ciphers applied to 8 blocks of 8 bits.

Quadibloc relies on the fact that it uses a simple S-box followed by a regular P
permutation, and repeats that process twice. The first application substitutes for the
expansion permutation, as well as providing some security of its own.

In addition, after round 8, a non-keyed scramble that makes every bit of the block
depend on every other bit is applied, in hopes of frustrating analysis. S-box 2 gets extra
use here, but the bit transpose differs from the rest of the cipher.

The key is expanded slightly, from 160 bits to 176 bits, using a 4 of 8 code. The 4 of 8
code is not intended to have any security properties, since it would not contribute to the
security of the cipher if it were more random. What it DOES do is eliminate weak keys,
like all zeroes or all ones.

Also, by XORing key material before AND after the use of S box 1, complementation
properties are eliminated.

7. How does Quadibloc compare with DES?

DES has a 56 bit key, 48 bits of which are used in each round.

Quadibloc has a key of 160 bits. This is expanded to 176 bits; then, 128 bits are used in
each round to generate an effective round subkey which is 96 bits in length.

DES uses engineered S-boxes with auxiliary inputs from adjacent nibbles for
heightened nonlinearity, and an irregular bit transpose P. The S-boxes are based on
multiple permutations of (0..15). The key material is applied by an XOR prior to using
the S-boxes.

Quadibloc uses a random S-box containing a single permutation of (0..255) and a


regular bit transpose. But this is applied twice, and key material is XORed three times,
at the start, in the middle, and at the end.

DES simply XORs the f-function output with the left half.

Quadibloc uses a second S-box before and after the XOR with the f-function output.
Thus, plaintext actually goes through an S-box, which seems intuitively more
satisfying.

8. How does Quadibloc compare with Skipjack?

Originally, I wrote the following:

How should I know? After all, it is secret, and I have had no access to
the secret.

However, some comparisons can be made on the basis of publicly


available information.

Quadibloc was deliberately designed to have two desirable properties


claimed for Skipjack: no 'weak keys', and freedom from
complementation properties.
Quadibloc has only 16 rounds, not 32 as for Skipjack.

Quadibloc has a 160-bit key, which is longer than an 80-bit key.

Quadibloc does not have a 48-bit internal structure.

Quadibloc was designed to be easy to implement, and has S-boxes of


minimal size.

Quadibloc was designed in one weekend by one person with neither any
particularly relevant academic credentials nor relevant cryptanalytic
experience (hey, I do have an M.Sc. in Nuclear Physics!). Skipjack was
designed by the top cryptographers and cryptanalysts in the U.S.,
entrusted with guarding the nation's security.

You and I don't get to make use of Skipjack without key escrow,
Quadibloc doesn't have this problem.

(Note that, since this was written, Fortezza PCMCIA cards without key
escrow were made available to the public in the U. S., which was an
interesting, and perhaps even amusing, development in the ongoing
Clipper Chip saga.)

Quadibloc is available for open review. However, it is probably so


insignificant that it will never recieve any such review.

At present, I no longer have the excuse I began that section with, as Skipjack has now
been declassified. (I write these words as part of the update of these pages to include its
description!)

Skipjack has a regular key schedule, which would seem to open up the possibility of
related-key attacks; Quadibloc has an irregular one, based on that of DES.

Quadibloc's f-function has two stages to it, which was an apparent innovation at the
time. However, Skipjack's G permutation is actually a four-round miniature block
cipher with a 16-bit block.

Skipjack is both easier to implement than Quadibloc, and more efficient.

9. How does Quadibloc compare to Blowfish?

Quadibloc-40, Quadibloc-64, and Quadibloc-80 all have a relatively simple method of


expanding the key size to 160 bits; they do not explode the work factor in the way
Blowfish does to handicap attempts at brute-force searching. This was done
deliberately, both for ease of implementation, and in hopes that Quadibloc-40 might be
approved for export, thus giving U.S. software authors a royalty-free alternative.

The natural key size of Quadibloc is only 160 bits, while Blowfish makes full use of a
key up to 384 bits in length.

On the other hand, the added complexity of the F-function may be to the credit of
Quadibloc. On balance, though, it may be fair to say that the advantages of Blowfish
over Quadibloc in security are of a sort likely to have real- world value, while the
advantages of Quadibloc are of a more theoretical nature.

10. What is the likely impact of Quadibloc?

Very little.

Possible results:

- revealing Quadibloc to unevolved uninitiates may lead to burdening of my karma

Not worried. Saddam Hussein has already heard of IDEA, Triple-DES, Blowfish...if
the NSA thinks I have endangered U.S. national security, then they've done so, by
choosing to live in a fool's paradise.

- NSA releases Skipjack patent in order to prevent use of Quadibloc

Probability slightly lower than that of one of the primes in your RSA modulus actually
being a Carmichael number.

- Complications of Quadibloc found illusory; new cryptanalytic method discovered that


is an extension of differential/linear cryptanalysis

I can dream, can't I? That would be a noble way to have failed.

The intent of boring the world with yet another block cipher should, however, be stated.

Due to restrictions on source code export, (which may not apply to us lucky Canadians)
I have chosen to lead the way in showing that a secure algorithm can be designed to be
so simple to implement that coding it is trivial, and does not depend on giant S-boxes
or difficult mathematics which requires access to a reference source code
implementation.

Also, Quadibloc illustrates techniques that could be applied to other ciphers. Doubling
the F-function is possible in Blowfish quite simply (you will need more pi); and it
could even be done in DES, with more violence to the key schedule. (In fact, it is
probably one of the more secure ways to create a 112-bit key DES variant.)

[Next] [Up] [Previous] [Index]

Next
Start of Section
Skip to Next Section
Table of Contents
Main Page
Home Page
[Next] [Up] [Previous] [Index]

Key Augmentation
The key schedule of QUADIBLOC, while designed to avoid weak keys, and resist
related-key attacks, is still something of an afterthought compared to the rest of the
cipher.

A procedure to add 64 bits to the key of any variant of QUADIBLOC, and improve its
key schedule (which may be applied repeatedly, even to the extent of modifying the
key for every block enciphered, causing QUADIBLOC to act as sort of a stream
cipher) is described here.

First, the key to be augmented is to be used normally to generate the 48 32-bit long
subkeys used by QUADIBLOC.

Then, the augmented schedule of subkeys is generated as follows:

The 64 bit supplementary key is to be encrypted normally by QUADIBLOC with the


schedule of subkeys in place. (The encrypted result is to be made available externally
by hardware implementations of QUADIBLOC, to allow iterated key augmentation
with a single 64-bit key supplement.) However, both the encrypted result of the
QUADIBLOC encipherment, and the 32-bit output of the f-function in each round of
that encipherment, are to be retained (in internal storage).

These results are to be applied to the subkeys of QUADIBLOC as follows:

The subkeys are to be moved as follows:

The second subkey for each round is to be replaced by the previous value of the first
subkey for the previous round. The second subkey for round 1 is to be replaced by the
previous value of the first subkey of round 16.

The third subkey for each round is to be replaced by the previous value of the second
subkey that round.

The first subkey for each round is to be replaced by the previous value of the third
subkey for that round.

Then, the saved f-function values are to be applied by being XORed with subkeys (the
result replacing the former value of the subkey) in the following sequence:
The f-function for round:

9 7 11 5 13 3 15 1 16 2 14 4 12 6 10 8

is to be XORed with the first subkey for round:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

The left half of the result of the QUADIBLOC encryption is to be XORed with the
second subkey for the first round.

The right half of the result of the QUADIBLOC encryption is to be XORed with the
third subkey for the ninth round.

Three key augmentations will ensure that every subkey is XORed with one f-function
output; twenty-four key augmentations will ensure that every subkey is XORed with
one of the halves of an encryption result.

Key augmentation is equally applicable to QUADIBLOC 96 and QUADIBLOC 99. In


the plain form described here, key augmentation adds at least 64 bits to the length of
the key. Some block ciphers include a process like key augmentation, but with a fixed
input value, as a standard step in the key generation process to improve the quality of
the key schedule.

To operate QUADIBLOC in this fashion, which will be referred to as closed key


augmentation, after generating the initial key schedule from the 160-bit key, perform
three iterated key augmentations, the latter two using as their input value the output
value from the previous one, and the first one using the constant value

55330FAACCF05533

as the input value.

Key Extension

In addition to key augmentation, the use of a longer key can be permitted by the use of
the following operation, intended to be applied after key augmentation has been
applied to a previous set of subkeys.

In key extension, a new 160-bit key is used to generate subkeys in the normal fashion,
but the resulting subkeys are then XORed to the existing subkeys instead of replacing
them.
Thus, an alternative variant of QUADIBLOC with a 320-bit key can be achieved by:

● Using the first 160 bits as a key to generate an initial set of subkeys.
● Performing closed key augmentation.
● Performing key extension with the remaining 160 bits of the key.
● Performing closed key augmentation.

This variant shall be known as QUADIBLOC-320SE (96 or 99), and QUADIBLOC


with closed key augmentation will be known as QUADIBLOC SE (96 or 99).

[Next] [Up] [Previous] [Index]

Next
Start of Section
Table of Contents
Main Page
Home Page
[Next] [Up] [Previous] [Index]

Quadibloc II
Although this expanded version of Quadibloc is a cipher with a 128 bit block size, I am not trying to detract from
the importance of the candidate ciphers for the AES process. Prior to the deadline for a submission, I had
considered a few designs, but I had nothing that I was quite satisfied with. Precisely because the other designs
were now available to examine, I was able to find the "missing pieces" needed to complete a design.

This design allows key lengths of 128, 192, or 256 bytes, and in fact also allows keys of any length in the
sequence starting 128, 144, 160, 176... provided that the key is not longer than 36 bytes times the number of
rounds. The number of rounds can be 8, 12, 16, 20, 24, 28, 32, 36..., any multiple of 4 greater than or equal to 8.

One round of Quadibloc II takes perhaps 7 1/2 times as long as a round of DES, although a more optimistic
estimate might be 3 3/4 times as long. Thus, 8-round Quadibloc II might manage to take less than 6 times as long
as DES even with the initial estimate, and that would make Quadibloc II more efficient than Triple-DES. (The
estimate is based on the fact that a round of DES requires eight fetches of a 32-bit quantity from a table; a round
of Quadibloc II requires 24 fetches of a 32-bit quantity, and 24 fetches of an 8-bit quantity.)

This design also begins life with an unfair advantage: it partly results from the inspiration provided by the
various AES candidates, and has, in fact, swiped good ideas from two or three of them at least. In any case, this
design is proposed not as something that would have been a potential candidate were it not too late, but instead,
particularly in its 32-round form, as something for those people who want a very secure block cipher without
concern for efficiency.

Instead of two S-boxes, this design uses ten S-boxes generated from Euler's constant, by repeating the following
process, the same one as used in the original QUADIBLOC:

● Load Euler's constant into a very long multi-precision register which is simulated by an array.
● Repeat the following for each S-box to be created.
● Load an array with the numbers from 0 to 255 in order. A pointer to an element of the array is set to point
to the first element in the array, and is called TARGET.
● Repeat the following for each of the integers from 256 down to 2; call the current integer SIZE.
● Multiply the contents of the multi-precision register by SIZE. Leave the fractional part of the result in the
multi-precision register; call the integer part of the result CHOICE. (CHOICE will be an integer from 0 to
SIZE minus one.)
● Swap the elements TARGET and TARGET + CHOICE in the 256-element array. (If CHOICE is zero, do
nothing for this step.)
● Proceed to the next number from 256 down to 2.
● The 256-element array now contains a complete S-box. Save or print out its contents.
● Proceed to the next S-box to be generated.

As previously noted, I chose Euler's constant instead of, say, pi, because the mathematical theory behind Euler's
constant is more complicated than that behind pi, which in turn is somewhat more complicated than e, the base of
the natural logarithms.

The first four of these S-boxes are likely to be stored as arrays of 256 32-bit words, with the bits spread out
reflecting the P permutation, which is again the same one as used in QUADIBLOC, and is as follows:

The bits

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32
become

1 2 27 28 21 22 15 16 9 10 3 4 29 30 23 24
17 18 11 12 5 6 31 32 25 26 21 22 13 14 7 8

and this permutation is to be interpreted according to the following convention: the numbers in the bottom
sequence identify the source of each bit in the permuted result in order.

The round structure of Quadibloc II uses essentially the same f-function as was used in QUADIBLOC, with one
addition: after the second substitution/permutation layer, and the third XOR of subkey material, the 32-bit
subblock then goes through a key-dependent S-box. No permutation follows this S-box.

Three out of four 32-bit subblocks are used as input to f-functions. The f-function of the first subblock is used to
supply additional inputs both to the other two f-functions and to the application of their outputs to the fourth
subblock, which they modify.

There are other things going on in the round, and there are some minor changes to the f-function as well. The
following diagram shows how the main part of a round proceeds:

The dotted lines show a part of the round which is required if less than 32 rounds are used, but which, involving
as it does use of intermediate results from the f-function might produce some theoretical advantages if omitted.

Before the regular rounds of Quadibloc II begin, and after they end, there is an additional phase of extra
manipulations the purpose of which is to make life more difficult for the cryptanalyst. This phase is shown in the
following diagram which gives an overview of Quadibloc II:
The wide boxes are the key-dependent byte permutations; the fixed permutations that take place between regular
rounds are shown as wire crossings.

Initially, the block is divided into 16-bit units, which undergo substitution by means of a miniature block cipher
of four Feistel rounds with the key-dependent S-box S8 as the f-function. First the leftmost byte in each pair of
bytes is used to index into S8, finding the byte to XOR with the rightmost byte, and then it is done in the reverse
direction, and so on, alternating for four rounds.

The 16 bytes of the block are rearranged according to a key-dependent permutation.

Then, each half of the block undergoes two rounds of Feistel encryption with a simplified f-function having only
one S/P (substitution/permutation) layer. For faster diffusion, each f-function output is, in two of the rounds,
XORed with the two subblocks in the other half of the block, and in the other two used to control swapping bits
bitween those two subblocks, in the fashion pioneered by ICE. This operation is illustrated below:
The f-function consists of:

● XOR one subkey with the current subblock.


● Use S-boxes S1, S2, S3, and S4 in order to substitute for each of the bytes in the result.
● Use the QUADIBLOC P-permutation to transpose the bits.

Four rounds are performed. In each round, the f-function of one subblock is XORed to the other subblock in the
same half of the block. In the outer two rounds, that output is also XORed to the two subblocks in the other half;
in the inner two rounds, it is used to control the swapping of bits between those two subblocks, a 1 bit
corresponding to a bit position where swapping occurs, as was done in the block cipher ICE. The four subblocks
are chosen in order, from left to right, as the input to the f-function.

Then, the bytes of the block are again rearranged according to a key-dependent permutation. A similar
transformation takes place at the end. (MARS, of course, uses a different round structure before and after the
main part of the cipher, but here the main idea swiped, but placed in a new form, is the idea of FROG. Instead of
making the targets of XORs key-dependent, a key-dependent rearrangement of the bytes before a series of XORs
achieves the same thing with a simpler key setup.)

The changes required to decipher in Quadibloc II are hinted at by the following diagram:
The initial and final miniature Feistel rounds need not be changed. The degenerate rounds with a short f-function
have to operate on the four subblocks in reverse order, as well as using the subkeys in reverse order. The regular
round experiences these changes: the steps changing the fourth subblock need to be reversed as well as being
done in reverse order: thus, the substitution layers use the inverses of S7, S6, and S5; and the XOR/plus stages
take the f-function of the third subblock first, then that of the second; also, more subtly, the order in which the
two intermediate results of the f-function of the first subblock are XORed to the second and third subblocks are
reversed.

The first four S-boxes generated above are called S1 through S4, and function as S-boxes with 8 inputs and 8
outputs in the first f-function. But in the next two f-functions, they are combined in pairs to form S-boxes with 9
inputs and 8 outputs. This is shown on the diagram: S1/S3 is an S-box that acts like S1 when the extra input is
zero, and like S3 when the extra, most significant or leftmost, input is one.

S-boxes S1, S2, S3, and S4 are as given in the page on Euler's Constant and the Quadibloc S-boxes.

The Rounds

In detail, the round proceeds in this manner; and hopefully the diagram above will enable you to follow the
lengthy description below:

● The first subblock is used as input to the first f-function, calculated as follows:
❍ The first subkey for the round is XORed to it.

❍ The four bytes of the current value are substituted using S1, S1, S2, and S2, from left to right.

(Note that this method of avoiding cyclic symmetry, with a bare minimum of S-boxes, comes from
LOKI 97.)
❍ The result is permuted by the QUADIBLOC permutation P. (This permutation is simple and
uniform, to minimize storage needed to hold the S-box outputs after permutation for a common
optimized implementation of ciphers like this and like DES: this is one way in which I am
specifically differing from LOKI 97.)
❍ The current subblock value is the first intermediate value from the first f-function, and is used

later.
❍ The second subkey for the round is XORed in.

❍ The current value's four bytes are substituted in S-boxes S3, S4, S3, and S4 from left to right.

❍ QUADIBLOC permutation P is applied.

❍ This result is now the second intermediate value from the first f-function.

❍ The third subkey for the round is XORed in.

❍ The four bytes of the result are substituted by means of the key-dependent S-box, S8.

❍ The result is the output of the first f-function. Its bits are considered to be numbered from 1 to 32

from left (MSB of first byte) to right (LSB of last byte), and they will be used individually in
groups of four in what follows.
● The first subblock remains unchanged going into the next round, although an f-function was calculated
from it.
● The second subblock is modified: its new value will be itself XORed with the XOR of the two
intermediate results from the first f-function. The third subblock is also modified in this same way.
However, the input to the second f-function is the second subblock XORed with the first intermediate
result only, and the input to the third f-function is the third subblock XORed with the second intermediate
result only. This can be achieved as follows:
❍ XOR the second subblock with the first intermediate result.

❍ Take the result as the input to the second f-function.

❍ XOR the second subblock with the second intermediate result.

❍ XOR the third subblock with the second intermediate result.

❍ Take the result as the input to the third f-function.

❍ XOR the third subblock with the first intermediate result. (Note that this method of applying the

intermediate results to the middle subblocks is similar to the ingenious technique of applying key
material in LOKI 97. Here, the intent is twofold: to conceal the f-function input, and to minimize
the risk of attack created by the additional use of intermediate f-function results in the round.)
● The second f-function is calculated using its input and the fourth, fifth, and sixth subkeys for the round. It
differs from the first f-function in these particulars:
❍ The intermediate results are not saved.

❍ The first S-box stage consists of placing all four bytes of the current result into the compound S-

box S1/S3. For each byte, the corresponding bit from bits 1 to 4 of the first f-function output
indicate whether that S-box acts like S-box S1 for that byte or like S-box S3.
❍ The second S-box stage consists of placing all four bytes of the current result into the compound S-

box S2/S4. For each byte, the corresponding bit from bits 5 to 8 of the first f-function output
indicate whether that S-box acts like S-box S2 for that byte or like S-box S4.
● The third f-function is calculated using its input and the seventh, eighth, and ninth subkeys for the round.
It is very similar to the second f-function, but the S-boxes are again slightly different, as follows:
❍ As with the second f-function, the intermediate results are not saved.

❍ The first S-box stage consists of placing all four bytes of the current result into the compound S-

box S1/S4. For each byte, the corresponding bit from bits 9 to 12 of the first f-function output
indicate whether that S-box acts like S-box S1 for that byte or like S-box S4.
❍ The second S-box stage consists of placing all four bytes of the current result into the compound S-

box S2/S3. For each byte, the corresponding bit from bits 13 to 16 of the first f-function output
indicate whether that S-box acts like S-box S2 for that byte or like S-box S3.
● The fourth subblock is the one that undergoes the most thorough modification, the change that is the point
of the round. (The changes to the second and third subblocks were an afterthought that may create the risk
of a weakness in the cipher, but which were necessary to make it possible that the cipher could be secure
after only eight rounds, instead of thirty-two, as might be needed if only one subblock were modified in
each round.) This modification proceeds as follows:
❍ The four bytes of the subblock are substituted for using S-box S5, with bits 17 through 20 of the

first f-function output used as the most significant bit of the S-box input for each byte (that
switches between two different permutations of the numbers 0 through 255).
❍ The output of the second f-function is applied to the result. Bits 29 through 32 of the first f-
function output determine if each byte of the second f-function output is XORed (0) or added (1).
❍ The four bytes of the subblock are substituted using S-box S6, with bits 21 through 24 of the first f-
function output supplying the most significant bit of S-box input associated with each byte.
❍ The output of the third f-function is applied to the result. Bits 29 through 32 of the first f-function
output determine if each byte of the second f-function output is added (0) or XORed (1). (This use
of an addition or an XOR followed by its opposite is, of course, reminiscent of SAFER.)
❍ The four bytes of the subblock are now substituted using S-box S7, with the most significant bit of
each S-box input coming from bits 25 through 28 of the first f-function output.

This involved procedure constitutes the round. After each round except the last, a step corresponding to the swap
of left and right halves of the block in DES is performed. Here, however, the movement of individual bytes is
involved.

Bytes

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

become

15 16 8 11 13 1 9 10 2 14 5 6 7 4 3 12

if the number of rounds is a multiple of 16, and

5 10 15 16 9 14 3 12 13 6 7 4 1 2 11 8

if that is not the case (but the number of rounds must still be a multiple of 4, and must be at least 8). Both byte
permutations are presented as a series of 16 numbers giving the number of the source byte for each byte in the
result in order.

It might be noted that some time before I designed Quadibloc II, the idea of using different operations in a block
cipher, based on a data-dependent result in the cipher, played an important role in the block cipher "Anigma"
designed by Kostadin Bajalcaliev.

Key Generation

Each round of Quadibloc II requires nine 32-bit subkeys. In addition, the extra scrambling phases at the
beginning and end of the cipher require four subkeys each. Thus, 8-round Quadibloc II uses 80 subkeys, from K1
to K80, requiring 320 bytes of RAM.

The key for Quadibloc II must be at least eight bytes, or 64 bits, long, and may be any whole number of bytes up
to twice the length of the total size of the subkeys plus sixteen bytes, or 128 bits. Many maximum-length keys
will lead to duplicate internal key states of the cipher, of course; this maximum is an absolute maximum, beyond
which some bits of the key will simply be ignored in the keying process.

As well, S8, the key-dependent S-box, is subkey material, and requires an additional 256 bytes of RAM. This
total requirement of 576 bytes of RAM is the amount of storage needed for a key after key generation, which
may have to be non-volatile in some applications; additional RAM is of course also needed for scratchpad
storage in calculations, particularly during key generation.

Note: the bytes of S8 are stored as single bytes; they do not need to be expanded to four-byte entries to speed up
a permutation, as is true of the fixed S-boxes S1 through S4, and the inverse of S8 is not required for
deciphering, unlike S-boxes S5 through S7; the S-box requiring the least storage was chosen as the key-
dependent one. (Having a key-dependent S-box, of course, is a way to achieve a high degree of resistance to
differential and linear cryptanalysis.)

Initially, the subkeys are filled in the following order:

K1 K2 K3 K4
K5 K8 K11 K6 K9 K12 K7 K10 K13
K14 K17 K20 K15 K18 K21 K16 K19 K22
K23 K26 K29 K24 K27 K30 K25 K28 K31
...
K68 K71 K74 K69 K72 K75 K70 K73 K76
K77 K78 K79 K80

and so on; thus the subkeys are filled for one round before going on to the next, but the first subkey for each f-
function is filled before the second subkey for each f-function, and so on.

The subkeys for the degenerate rounds are just filled in numerical order, the first four at the start, and the last
four at the end.

They are filled from the following sources, in turn:

First, the actual key is placed directly into the subkeys. It must consist of a whole number of bytes, and be at
least eight bytes long, for the rest of the procedure to work.

Next, generate additional bytes of initial subkey material as follows:

Fill A1, A2, A3, and B1, B2, B3, B4, and B5 with the first eight bytes of the key in order. Initialize the variable
Q to be zero.

Split the key into two pieces as follows, where L is the number of bytes in the key:

● If L is odd, the first piece consists of the first (L+1)/2 bytes of the key, the second piece is the remaining
bytes of the key. Then increase each piece in length by one byte by appending the one's complement of
the first byte in the piece to it.
● If L is an even number of the form 4n, the first piece consists of the first (L/2)+1 bytes of the key, the
second piece is the remaining bytes of the key. Then increase each piece in length by two bytes by
appending the one's complement of the first two bytes in the piece to it.
● If L is an even number of the form 4n+2, the first piece consists of the first (L/2)+2 bytes of the key, and
the second piece is the remaining bytes of the key. Then increase each piece in length by two bytes by
appending the one's complement of the first two bytes in the piece to it.

In the first case, the lengths of the two pieces of the key are two consecutive numbers, one even, and one odd. In
the second case, the lengths of the two pieces of the key are two odd numbers, differing by two. In the third case,
the lengths of the two pieces of the key are two odd numbers, differing by four. In all three cases, the lengths of
the two pieces of the key are relatively prime, and uniquely identify the length of the original key.

Each group of bytes is then used as the initial contents of a shift register, which operates as follows:

The sum of the first and third bytes in the shift register is XORed with the second-last byte in the shift register.
The result is used as the output of the shift register, and is also used as the new last byte in the shift register, all
other bytes being moved to the next earlier place, the first byte being discarded.

For each byte generated by XORing the outputs from the two shift registers, that byte is then transformed by
carrying out the following instructions:
For each of the numbers 0 to 4, do the following:

● Add the contents of A1 to the number, modulo 256.


● Replace that number by its substitute in S-box 5a (that is, the first half of S-box 5, an S-box with 8 bits of
input as well as 8 bits of output, created by setting the MSB of the input to 0).
● Add the contents of A2 to the result, modulo 256.
● Replace that number by its substitute in S-box 5b (the second half of S-box 5).
● Add the contents of A3 to the result, modulo 256.

Modify the variables B1 through B5 by adding the results of this process for the numbers 0 to 4, respectively, to
them. (This is a permanent change; for each byte generated, new values are added to them, and the totals are
cumulative.)

Now, generate a byte from the two shift registers containing the two unequal pieces of the key as outlined above.
Add Q to that byte. Put that byte through the following process:

● Add the contents of B1 to the number, modulo 256.


● Replace that number by its substitute in S-box 6a (the first half of S-box 6).
● XOR the result with the contents of B2.
● Replace that number by its substitute in S-box 6b (the second half of S-box 6).
● Add the contents of B3 to the result, modulo 256.
● Replace that number by its substitute in S-box 7a (the first half of S-box 7).
● XOR the result with the contents of B4.
● Replace that number by its substitute in S-box 7b (the second half of S-box 7).
● Add the contents of B5 to the result, modulo 256.

The result of this process is the output byte, to be placed in the subkeys. The output byte is also stored in the
variable Q.

One more step, however, remains in the process; the variables A1, A2, and A3 are changed (just as B1 through
B5 have already been changed) as follows: increment A2. If A2 wraps around, being incremented from 255 to
zero, increment A1. If A1 wraps around, increment A3.

An initial value for S8, the key-dependent S-box is generated as follows:

● Generate three permutations of the numbers from 0 to 255 from the subkeys by the following procedure:
❍ Use successive bytes from the subkeys, starting with the leftmost (most significant) byte of subkey

K1, and going through the subkeys in numerical order, that is, K1, K2, K3, K4..., and then starting
where one has left off for subsequent permutations.
❍ Each permutation is generated by the use of either 512, or, under some rare circumstances, only

256, bytes. Note that 8-round Quadibloc II only has 320 bytes of subkey; (4 bytes times 9 subkeys
times 8 rounds, plus 8 additional subkeys for the start and finish); and therefore additional bytes
need to be generated for this version of Quadibloc II and other versions without a sufficiently large
number of rounds. The SIGABA-like procedure used initially to extend the key is used for this, but
with some modifications. In this case, A1 through B5 are filled with the last eight subkey bytes
(the first eight contain the first eight bytes of the key, which were previously used to fill A1
through B5, which would cause the generation process here to partially repeat the operations of the
earlier generation process), and the input byte to the process is obtained from a single shift register,
similar in form to each of the two shift registers using pieces of the original key, which initially
contains all of the subkeys, including the last eight bytes.
❍ A permutation is generated as follows:

■ Begin with three arrays of 256 numbers, the first of which is filled with the numbers from 0

to 255 in order. The arrays must also be able to hold the value -1. The second and third
arrays are filled with -1.
■ For each byte used: let the value of the byte be called N, and let I be a counter which starts
at 0 for the first byte, incrementing with each byte used, and ending at 255.
■ Then, for each byte:
■ If element N of the first array is not -1, set element N of the first array to -1, and set

element I of the second array to N.


■ Otherwise, store N in the first unused position (the first position containing -1) in the

third array.
■ Once this has been done, if the third array contains any numbers other than -1, proceed as

follows:
■ If there is only one filled (not equal to -1) element in the third array, then there is only one

remaining element in the first array, and one element of the second array equal to -1, so fill
the second array with the one available byte, and finish.
■ If there are only two filled elements in the third array, take the least significant bit of the

first filled element. If it is zero, fill the -1 elements of the second array with the remaining
elements of the first array in order; if it is one, do so in reverse order, and finish.
■ If there are less than 256 filled elements in the third array, repeat them over and over to fill

the array. Then, take an additional 256 input bytes (thus, 512 bytes are used except when
the first 256 bytes contain two or fewer duplicate bytes) and XOR them with the bytes of
the third array.
■ Now, use the third array to complete the second array by doing the following for II from 0

to 255:
■ Let the value of element II of the third array be XX.

■ Swap elements II and XX of the first array.

■ Then, scan through the second array. When an element of the second array is -1, fill it with

the corresponding element of the first array (if it is not also -1) and set that element of the
first array to -1.
■ If there are any -1 elements left in the second array, fill them with the elements of the first

array that are not -1 in order.


● The three permutations obtained in this manner are used to generate a key dependent S-box as follows:
❍ For N from 0 to 255:

❍ Set A to be element N of the first permutation; set B to be element N of the second permutation,

and set C to be element B of the third permutation.


❍ Set element A of the S-box to equal C.

The key-dependent byte transpositions used at the beginning and end of the cipher are derived from the key-
dependent S-box S8 as follows: the first permutation consists in taking bytes 0, 1, ... 16 to the bytes indicated by
the least significant nibbles of the S-box entries in S8 of the form 0x in hexadecimal, taken in the order they are
found. Note that this builds up the permutation in "dispatch" form, while all the fixed permutations in this
description of Quadibloc II are given in "fetch" form. The second permutation is built up from the bytes of the
form 1x in hexadecimal. The third one, which takes place after the rounds are completed, is the inverse of the one
built up from the bytes of the form 9x in hexadecimal, and the fourth one is the inverse of the one built up from
the bytes of the form 8x in hexadecimal.

Then, the actual key sequence used for encipherment is generated by the following procedure:

Using the last 128-bits of the key, if the key is 128 bits long or more, or the key repeated as many times as
required to fill a 128-bit block otherwise (starting from the beginning, not the end and working backwards) as the
plaintext block, encipher it using the initial key schedule generated above, but with the following modifications.

The intermediate results of all three f-functions are saved. The following nine 32-bit words are produced from
each round of the encipherment process:

● The first intermediate result of the first f-function XOR the final value of the fourth subblock
● The second intermediate result of the first f-function
● The first f-function output
● The first intermediate result of the second f-function XOR the initial value of the fourth subblock
● The second intermediate result of the second f-function
● The second f-function output
● The first intermediate result of the third f-function
● The second intermediate result of the third f-function
● The third f-function output

Also, the degenerate rounds produce their f-function outputs as well, so exactly one 32-bit output is produced for
every subkey.

After each round of the encipherment process which is used to generate the final subkeys, the nine words above
are XORed to nine subkeys. The four f-function outputs of the degenerate rounds are also used, so the number of
words used equals the number of subkeys; each set of four degenerate rounds is treated as a single round in that
the four results are not applied to the subkeys until the set of four rounds has been performed completely. The
sequence of subkeys to which they are applied is as follows (reading across):

K80 K76 K67 ... K49 K40 K31 K22 K13


K79 K75 K66 ... K48 K39 K30 K21 K12
K78 K74 K65 ... K47 K38 K29 K20 K11
K77 K73 K64 ... K46 K37 K28 K19 K10
K72 K63 ... K45 K36 K27 K18 K9
K71 K62 ... K44 K35 K26 K17 K8 K4
K70 K61 ... K43 K34 K25 K16 K7 K3
K69 K60 ... K42 K33 K24 K15 K6 K2
K68 K59 ... K41 K32 K23 K14 K5 K1

thus, first the last subkey of each round is modified, then the second-last subkey of each round, and so on. The
subkeys are modified before the encipherment is completed, but only after each round is completed. The subkeys
used in the degenerate rounds are placed in the sequence as well as possible. The intermediate values applied are
taken from those generated by the subkeys in their numerical order.

Once the subkeys have been modified in this manner, if the size of the key was greater than the total size of the
subkeys, any remaining bytes in the key are to be XORed with the subkeys that are now present, using the same
order as was used for initially filling the subkey space,

K1 K2 K3 K4
K5 K8 K11 K6 K9 K12 K7 K10 K13
...

et cetera.

Allowing the key to be larger than the total size of the subkeys, of course, doesn't make sense after a point; but if
the excess is small, the main result is to make it possible for the same set of subkeys to be accompanied by
different values of the key-dependent S-box S8.

Then, the same procedure used to generate the initial value of S8 from the initial subkeys is applied to the final
subkeys. Since the subkeys may not have enough bytes in them to supply the permutation-generating process, the
SIGABA-like procedure of generating additional bytes is used again, as done previously for generating the initial
value of S8. Once again, A1 through B5 are filled from the last eight subkey bytes, and the earlier subkey bytes
are divided into two almost equal parts as was done with the key previously.

The generated result, however, is not used as the final value of S8. Instead, each element of S8 is replaced by the
value it points to in this result; that is, for N from 0 to 255, S8(N) becomes R(S8(N)). (Thus, S8 depends on both
the old and new subkeys, and doesn't relate to the current subkeys in a simple way.)

The new value of S8 is also used as the old value was above to provide the four key-dependent byte
transpositions which begin and end the cipher.
One may, if one wishes, see the view of the subkeys (other than those of the degenerate rounds) as belonging to a
rectangular prism of 32-bit words, accessed in three different directions, as evocative of Rijndael.

An Even More Secure Variation

If you have time to encipher your data with 40 rounds of Quadibloc II, I have a variation for you. A diagram
giving an overview of this variation is provided.

First, the tiny Feistel rounds, the key-dependent byte permutation (derived from
the 0x bytes), the initial degenerate four-subkey series of rounds, and another
key-dependent byte permutation (derived from the 1x bytes), then a second layer
of tiny Feistel rounds, another key-dependent byte permutation (derived from
the 4x bytes), another series of four degenerate rounds, and another key-
dependent byte permutation (derived from the 5x bytes).

Then, four rounds of Quadibloc II, with the byte interchange after the first three
rounds following the pattern for a multiple of four rounds that is not a multiple
of 16 rounds.

Now, the whitening sequence is repeated, again first with a series of miniature
Feistel rounds.

Then, another key dependent byte permutation, derived from the elements of S8
in the form 2x.

Another degenerate four rounds.

Key-dependent byte permutation, derived from the 3x elements in S8.

Miniature Feistel rounds, permutation (6x), degenerate four rounds, permutation


(7x).

Thirty-two rounds of Quadibloc II, but with the additional XORs of the second
and third subblocks with the two intermediate values from the f-function of the
first subblock omitted. Byte interchange after the first 31 of these rounds is as
for a multiple of 16 rounds.

Key-dependent byte permutation, the inverse of the one derived from the
elements of S8 of the form Fx.

Another degenerate four rounds.

Inverse Ex from S8 byte transposition.

Miniature Feistel rounds in inverse form.

Key-dependent byte permutation, the inverse of the one derived from the elements of S8 of the form Bx.

Another degenerate four rounds.

Inverse Ax from S8 byte transposition.

Miniature Feistel rounds in inverse form.


Four rounds of Quadibloc II.

The final three-step whitening sequence, plus the tiny Feistel rounds, and byte transpositions, all repeated twice.
Byte transpositions are the inverses of those derived from the elements of S8 in the forms Dx, Cx, 9x, and 8x.

By restricting the perhaps dangerous - but diffusion-enhancing - XOR of intermediate results to the outer eight
Quadibloc rounds, one has a diffusing outer part and a secure core. This, of course, comes even closer to the
design of MARS.

Note that for this variation, when the keys are initially filled, the thirty-two subkeys for the four sets of
degenerate rounds stand outside the sequence; sixteen at the start, and sixteen at the end, and when the keys are
modified, the subkeys for the first four degenerate rounds are at the left of the top four rows, those for the last
four at the right of the bottom two rows.

Thus, the order for initially filling the keys is as follows:

K1 K2 K3 K4
K5 K6 K7 K8
K9 K12 K15 K10 K13 K16 K11 K14 K17
K18 K21 K24 K19 K22 K25 K20 K23 K26
K27 K30 K33 K28 K31 K34 K29 K32 K35
K28 K39 K42 K37 K40 K43 K38 K41 K44
K45 K46 K47 K48
K49 K50 K51 K52
K53 K56 K59 K54 K57 K60 K55 K58 K61
...
K332 K335 K338 K333 K336 K339 K334 K337 K340
K341 K342 K343 K344
K345 K346 K347 K348
K349 K352 K355 K350 K353 K356 K351 K354 K357
...
K376 K379 K382 K377 K380 K383 K378 K381 K384
K385 K386 K387 K388
K389 K390 K391 K392

and the order for adjusting the keys from f-function outputs and intermediate results is:

K392 K388 K348 K344 K384 K375 K366 K357 K340 ... K26 K17
K391 K387 K347 K343 K383 K374 K365 K356 K339 ... K25 K16
K390 K386 K346 K342 K382 K373 K364 K355 K338 ... K24 K15
K389 K385 K345 K341 K381 K372 K363 K354 K337 ... K23 K14
K380 K371 K362 K353 K336 ... K22 K13
K379 K370 K361 K352 K335 ... K21 K12 K52 K48 K8 K4
K378 K369 K360 K351 K334 ... K20 K11 K51 K47 K7 K3
K377 K368 K359 K350 K333 ... K19 K10 K50 K46 K6 K2
K376 K367 K358 K349 K332 ... K18 K9 K49 K45 K5 K1

Other modifications to Quadibloc II are possible. The following illustration:


shows how the basic Quadibloc II round can be modified to double the size of the S-boxes in the f-functions for
the second and third subblocks; one S-box, made from S-boxes 1 through 4 is used, so two extra nonlinearity bits
are used as input. This function uses all 32 nonlinearity control bits produced as the output of the f-function of
the first subblock.

Instead of using S-boxes S5 through S7 singly, they are used in pairs on the fourth subblock, and so the extra
nonlinearity bits required here are doubled as well. An additional 32 nonlinearity control bits are created from the
XOR of one intermediate result from the f-function of the second subblock and the other intermediate result from
the f-function of the third subblock. As switching between addition and XOR for applying the f-function outputs
directly to the fourth subblock requires only one bit per byte, the remaining four bits are used to switch the
addition operation to a subtraction operation.

The other major modification in this extended variant of the basic round is to use S8 in the same method as used
in the initial whitening phase to promote diffusion within the fourth subblock.

However, I find the following variation on the basic Quadibloc II round even more interesting:
Here, two other intermediate values in the f-function of the first subblock are used to form a 32-bit value used for
an ICE-style interchange between the f-functions of the second and third subblocks. The interchange takes place
just before S8 is applied, thus ensuring it significantly alters the f-function outputs applied to the fourth subblock.
As well, a micro-Feistel layer is used, as in the doubled nonlinearity variant, but this time to modify the first
subblock, so that all four subblocks are changed, and changed in a key-dependent way by every round (the
changes to the first three subblocks depend on the first subblock as well as the key, while those to the fourth
subblock depend on all of the first three subblocks).

To proceed further, we can also have the following type A round:


with its corresponding round of type B:
which adds some additional operations to the round structure. Not wishing to give up being endian-neutral,
instead of throwing in a Pseudo-Hadamard Transform between the second and third subblocks, I used an XOR
but used S8 to avoid it cancelling out. The intent is merely to have an alteration to those subblocks that is slightly
more involved than a simple XOR of intermediate f-function results from the first subblock, but a little bit of
propagation between bytes is achieved by displacing bytes before the second XOR.

Also added is an interaction, taken from the block cipher 3-Way, between three of the subblocks. This places a
very small (3 bits input and output) nonlinear S-box in the cipher that operates on corresponding bits in the three
subblocks. Since it either operates on all but the first subblock, or all but the fourth subblock, two round types
were required to make the cipher equally secure against attacks from either direction. (The deciphering form of
the round could also be used, but that of course creates the slim possibility of some rounds partly undoing the
work of other rounds.)

Since each bit of the output is the bit of the input XOR a function of the other two bits that is 1 most of the time,
the identities of the bits are in a sense preserved; thus, it does not appear that the apparent danger of information
leaking past the involved transformation of the fourth subblock is a genuine concern. In addition, the type A
rounds are used at the beginning, and the type B rounds at the end, so that any leakage is towards the inside of
the block cipher rather than towards the outside.

Since the first subblock is aloof from the values and changes in the other three subblocks, the interaction between
the last three subblocks does not prevent the round from being invertible, even though it happens after the XOR
of intermediate results from the f-function of the first subblock. The interaction between the first three subblocks
does not prevent the round from being invertible, because the operations taking place before it are all self-
contained.

In analyzing Quadibloc II, it may be interesting to examine how it could be attacked if part of the internal key is
known. If S8 is known, Quadibloc II becomes a more conventional block cipher. Is the conventional part of it
still reasonably strong? If the conventional subkeys, but not S8, are known, but not the intermediate subkey
values, can part of the generation of S8 still be retraced? With only a small part of the internal operations of the
cipher controlled by the secret part of the key, can cryptanalysis trace enough to obtain information about S8?

[Next] [Up] [Previous] [Index]

Next
Start of Section
Skip to Next Chapter
Skip to Next Section
Table of Contents
Main Page
Home Page
[Next] [Up] [Previous] [Index]

Quadibloc III
Quadibloc III is an extension of Quadibloc II which uses a different type of block cipher as its inner core. It too
uses a 128-bit block size. Unlike Quadibloc II, which, at least with only eight full rounds, is not too much slower
than a typical AES candidate (although it isn't fully clear to me if eight rounds is enough for security), Quadibloc
III, while secure, is clearly too slow and complicated to be useful for practical purposes. Its value is that it
illustrates a number of concepts which may be useful in ciphers of a more practical size.

Here is a diagram giving an overview of the structure of Quadibloc III, to accompany a description of its rounds:

The steps in the cipher are symmetric, and they are as


follows:

● Small Feistel rounds, using no subkeys, but


using the key-dependent S-box S8 as their f-
function, transforming 16-bit subkeys of the
block.
● Key-dependent permutation (derived from the
0x elements of S8) of the bytes in the block.
● Four simple rounds, using a single-level f-
function, that are aimed at obtaining high
diffusion, and which use 32-bit subkeys K1
through K4.
● Key-dependent permutation (derived from the
1x elements of S8) of the bytes in the block.
● Eight normal Quadibloc II rounds, each of
which uses nine subkeys, the first using
subkeys K5 through K13, the last using subkeys
K68 through K76.
● Key-dependent permutation (derived from the
2x elements of S8) of the bytes in the block.
● Two rounds of a form of Mishmash, whose
large quantity of subkeys is generated after the
contents of S10 and S11, and by the same
process. These rounds use fixed Quadibloc
subkeys for one half of the block, the subkeys
being K77 through K88 for the encipherment of
that block, and K89 through K100 for the f-
functions applied to the intermediate f-function
results, for the first Mishmash round, and K101 through K124 for the second Mishmash round.
● Key-dependent permutation (derived from the 3x elements of S8) of the bytes in the block.
● Sixteen rounds in which the block is enciphered as follows:
❍ one 16-bit subblock is enciphered by four Feistel rounds, using S8 as the f-function, but this time

preceded by the XOR of a subkey byte;


❍ the results of the XOR are used as intermediate results, and are fed into the S-box S9.

❍ The four S9 outputs produce a 32-bit result whose first 16 bits are the first four bits of each of their

outputs, and whose last 16 bits are the last four bits of each of their outputs.
❍ This result is then enciphered by means of four Feistel rounds, where the f-function consists of first

XORing in a 16-bit half of a subkey, then using the two bytes of the result to index into two key-
dependent S-boxes, S10 and S11, which each take an 8-bit input and give a 16-bit output. The sum
of the two outputs is XORed with the other half of the 32-bit block.
❍ The 32-bit result of this process is used as a 32-bit subkey was used initially to encipher a further
16 bits of the block, and this continues until the entire 128-bit block has been enciphered in 16-bit
pieces.
These sixteen rounds each use fifteen subkeys; the first one uses subkey K125 to supply the four bytes
used for enciphering the first 16-bit subblock, and then subkeys K126 through K139, two at a time, for
enciphering the 32-bit intermediate results from enciphering one subblock to produce the 32-bit input to
use to encipher the next one, and the last one uses subkeys K350 through K364.
● Then, the preceding steps are done in reverse order, with the key-dependent byte permutations now being
the inverses of the ones derived from the Bx, Ax, 9x, and 8x elements of S8, and with the two Mishmash
rounds using subkeys K365 through K412, the eight normal Quadibloc II rounds using subkeys K413
through K484, and the set of four degenerate rounds using subkeys K485 through K488.

The Middle Rounds (GoodStuff)

The following diagram illustrates the method used for the middle 16 rounds of Quadibloc III:

Using four eight-bit subkeys (derived from a single 32-bit subkey, to remain within the overall structure derived
from Quadibloc II), four Feistel rounds are used to encipher a 16-bit subblock; in the first round, the right half is
XORed with the first subkey, then replaced through S8, then added to the left half. The direction of the f-function
alternates from right to left to left to right, and in the two outer rounds, the subkey is XORed and the f-function
output added, and in the two inner rounds, the subkey is added and the f-function output XORed.

The four intermediate results of the f-functions, derived before S8 substitution, are used to index into the fixed S-
box S9. The S-box outputs are used to form a 32-bit word consisting of the first nibbles of the four substituted
results in order, then the second nibbles. (Since, looking sideways, the bottom, rather than the top, of the
previous four rounds are to the left, the diagram shows that the order needs to be reversed when drawing a left-to-
right round of this cipher, by means of a twist upon entry and exit from the horizontal Feistel rounds.)

The resulting 32-bit word is then itself enciphered by four Feistel rounds of a cipher which, like Blowfish, uses
wide key-dependent S-boxes in the f-function. Here, four 16-bit subkeys are used, and so they are derived from
two 32-bit regular subkeys.

The final interchange is not omitted, or the rounds can be thought of, as they are drawn, in in-place format, and
the first round goes from right to left (or, in the diagram, top to bottom).

If the first set of four Feistel rounds operating on a 16-bit subblock is denoted by 1, the second by 2, and angle
brackets are used to show how one round provides the subkey input for the next, the pattern of rounds used in
this phase is as follows:

1 > 2 > 3 > 4 > 5 > 6 > 7 > 8


< 7 < 6 < 5 < 4 < 3 < 2 < 1 8 <

> 8 1 > 2 > 3 > 4 > 5 > 6 > 7 >


8 < 7 < 6 < 5 < 4 < 3 < 2 < 1
> 7 > 8 1 > 2 > 3 > 4 > 5 > 6 >
< 1 8 < 7 < 6 < 5 < 4 < 3 < 2 <

> 6 > 7 > 8 1 > 2 > 3 > 4 > 5 >


< 2 < 1 8 < 7 < 6 < 5 < 4 < 3 <

> 5 > 6 > 7 > 8 1 > 2 > 3 > 4 >


< 3 < 2 < 1 8 < 7 < 6 < 5 < 4 <

> 4 > 5 > 6 > 7 > 8 1 > 2 > 3 >


< 4 < 3 < 2 < 1 8 < 7 < 6 < 5 <

> 3 > 4 > 5 > 6 > 7 > 8 1 > 2 >


< 5 < 4 < 3 < 2 < 1 8 < 7 < 6 <

> 2 > 3 > 4 > 5 > 6 > 7 > 8 1 >


< 6 < 5 < 4 < 3 < 2 < 1 8 < 7 <

The S-box S9 is fixed, and is generated by continuing the process used for generating S-boxes 1 through 7 from
Euler's constant to generate one more permutation of the numbers 0 through 255, therefore this S-box is the one
designated S11 on the page entitled Euler's Constant and the Quadibloc S-Boxes.

The Next Innermost Layer (Mishmash)

The concept of a cipher called Mishmash is noted in the conclusions section of this chapter, to which reference
may be required.

The left half of the block (in the second round, the right half) is enciphered using four rounds of Quadibloc. The
intermediate results, after XORing in the second of the three subkeys, of each of the four f-function outputs are
then subjected to the Quadibloc f-function again, with another twelve subkeys, and the four 32-bit outputs are
XORed together.

The 32-bit result controls the encipherment of the right half of the block. The right half of the block is enciphered
by cipher steps 1 through 5. The first 25 bits of the 32-bit result is divided into five 5-bit values, indicating for
each of the five cipher steps, in order of their numeric labels, which of 32 sets of subkey material is used for
them.

The last 7 bits of the 32-bit result indicates the order in which the five cipher steps take place. Values 0 through
119 of these seven bits give the 120 permutations of the numbers from 1 through 5 in numerical order, as shown
in the following table:

0 12345 24 21345 48 31245 72 41235 96 51234


1 12354 25 21354 49 31254 73 41253 97 51243
2 12435 26 21435 50 31425 74 41325 98 51324
3 12453 27 21453 51 31452 75 41352 99 51342
4 12534 28 21534 52 31524 76 41523 100 51423
5 12543 29 21543 53 31542 77 41532 101 51432

6 13245 30 23145 54 32145 78 42135 102 52134


7 13254 31 23154 55 32154 79 42153 103 52143
8 13425 32 23415 56 32415 80 42315 104 52314
9 13452 33 23451 57 32451 81 42351 105 52341
10 13524 34 23514 58 32514 82 42513 106 52413
11 13542 35 23541 59 32541 83 42531 107 52431
12 14235 36 24135 60 34125 84 43125 108 53124
13 14253 37 24153 61 34152 85 43152 109 53142
14 14325 38 24315 62 34215 86 43215 110 53214
15 14352 39 24351 63 34251 87 43251 111 53241
16 14523 40 24513 64 34512 88 43512 112 53412
17 14532 41 24531 65 34521 89 43521 113 53421

18 15234 42 25134 66 35124 90 45123 114 54123


19 15243 43 25143 67 35142 91 45132 115 54132
20 15324 44 25314 68 35214 92 45213 116 54213
21 15342 45 25341 69 35241 93 45231 117 54231
22 15423 46 25413 70 35412 94 45312 118 54312
23 15432 47 25431 71 35421 95 45321 119 54321

and the remaining values give the following eight preferred orders once again:

120 31425
121 32415
122 51423
123 52413
124 31524
125 32514
126 41523
127 42513

Only one pool of 32 subkey values is used by all four Mishmash rounds in the cipher (which is different from the
Mishmash concept described in the conclusions section), despite the danger that a subkey may be used more than
once.

The five cipher steps are:

1. Two rounds of DES. Two 48-bit subkeys are the subkey material this uses.
2. Two rounds of Quadibloc. Six 32-bit subkeys are the subkey material this uses.
3. Four rounds of SKIPJACK. Sixteen 8-bit subkeys are the subkey material this uses.
4. One round of SAFER. Two 64-bit subkeys are the subkey material this uses.
5. Two rounds of GoodStuff. This consists of two rounds, similar to the middle rounds of this cipher, but
acting on only four 16-bit subblocks each. The ordering of the operations is 1234 followed by 4321 (not
3214). This uses fourteen 32-bit subkeys as subkey material.

In the Mishmash rounds, the final interchange is not omitted after the DES and Quadibloc rounds, since they are
part of an ongoing block cipher. This is true also of the Mishmash concept, as can be seen from the diagrams,
which show the ciphers in in-place form.

The four Skipjack rounds are type A in the first two Mishmash rounds in the cipher, and type B in the last two. In
addition, the SAFER rounds in the last two Mishmash rounds are rounds of SAFER decryption instead of
SAFER encryption, for the same reason.

Subkey Generation

Subkey generation for Quadibloc III follows the same general scheme as for Quadibloc II; initial subkeys are
generated using a method similar to the one used in Quadibloc II, but somewhat more elaborate.

Fill A1, A2, and A3; B1, B2, B3, B4, and B5; and C1, C2, C3, C4, and C5 with the first thirteen bytes of the key
in order. Initialize the variable Q to be zero.
Split the key into two pieces as follows, where L is the number of bytes in the key:

● If L is odd, the first piece consists of the first (L+1)/2 bytes of the key, the second piece is the remaining
bytes of the key. Then increase each piece in length by one byte by appending the one's complement of
the first byte in the piece to it.
● If L is an even number of the form 4n, the first piece consists of the first (L/2)+1 bytes of the key, the
second piece is the remaining bytes of the key. Then increase each piece in length by two bytes by
appending the one's complement of the first two bytes in the piece to it.
● If L is an even number of the form 4n+2, the first piece consists of the first (L/2)+2 bytes of the key, and
the second piece is the remaining bytes of the key. Then increase each piece in length by two bytes by
appending the one's complement of the first two bytes in the piece to it.

In the first case, the lengths of the two pieces of the key are two consecutive numbers, one even, and one odd. In
the second case, the lengths of the two pieces of the key are two odd numbers, differing by two. In the third case,
the lengths of the two pieces of the key are two odd numbers, differing by four. In all three cases, the lengths of
the two pieces of the key are relatively prime, and uniquely identify the length of the original key.

Each group of bytes is then used as the initial contents of a shift register, which operates as follows:

The sum of the first and third bytes in the shift register is XORed with the second-last byte in the shift register.
The result is used as the output of the shift register, and is also used as the new last byte in the shift register, all
other bytes being moved to the next earlier place, the first byte being discarded.

For each byte generated by XORing the outputs from the two shift registers, that byte is then transformed by
carrying out the following instructions:

For each of the numbers 0 to 4, do the following:

● Add the contents of A1 to the number, modulo 256.


● Replace that number by its substitute in S-box 5a (that is, the first half of S-box 5, an S-box with 8 bits of
input as well as 8 bits of output, created by setting the MSB of the input to 0).
● Add the contents of A2 to the result, modulo 256.
● Replace that number by its substitute in S-box 5b (the second half of S-box 5).
● Add the contents of A3 to the result, modulo 256.

Modify the variables B1 through B5 by adding the results of this process for the numbers 0 to 4, respectively, to
them. (This is a permanent change; for each byte generated, new values are added to them, and the totals are
cumulative.)

Once that has been done, using the modified values of B1 through B5, we once again use the numbers 0 to 4 in
order as inputs as we do the following:

● Add the contents of B1 to the number, modulo 256.


● Replace that number by its substitute in inverse S-box 7b (the inverse of the second half of S-box 7).
● XOR the result with the contents of B2.
● Replace that number by its substitute in inverse S-box 5b (the inverse of the second half of S-box 5).
● Add the contents of B3 to the result, modulo 256.
● Replace that number by its substitute in inverse S-box 7a (the inverse of the first half of S-box 7).
● XOR the result with the contents of B4.
● Replace that number by its substitute in inverse S-box 5a (the inverse of the first half of S-box 5).
● Add the contents of B5 to the result, modulo 256.

Modify the variables C1 through C5 by adding the results of this process for the numbers 0 to 4, respectively, to
them. (This is a permanent change; for each byte generated, new values are added to them, and the totals are
cumulative.)
Now, generate a byte from the two shift registers containing the two unequal pieces of the key as outlined above.
Add Q to that byte. Put that byte through the following process:

● Add the contents of C1 to the number, modulo 256.


● Replace that number by its substitute in S-box 6a (the first half of S-box 6).
● XOR the result with the contents of C2.
● Replace that number by its substitute in S-box 6b (the second half of S-box 6).
● Add the contents of C3 to the result, modulo 256.
● Replace that number by its substitute in S-box 7a (the first half of S-box 7).
● XOR the result with the contents of C4.
● Replace that number by its substitute in S-box 7b (the second half of S-box 7).
● Add the contents of C5 to the result, modulo 256.

The result of this process is the output byte, to be placed in the subkeys. The output byte is also stored in the
variable Q.

One more step, however, remains in the process; the variables A1, A2, and A3 are changed (just as B1 through
B5 have already been changed) as follows: replace A1 with the former contents of A2; replace A2 with the
former contents of A3; and replace A3 with the former contents of A3 XOR the current output byte (also stored
in Q).

After generating the first 440 regular 32-bit subkeys, initial values of the remaining subkey material is generated
in the following order:

● first, initial subkeys K441 through K488 (which will later be used for subkeys with different numbers),
(192 bytes)
● then the contents of key-dependent S-box S8, (from 1536 to 2304 bytes are used to produce this, since it
is generated from three permutations which require either 512 or 768 bytes to produce)
● then the 256 16-bit entries for each of S10 and S11; (1024 bytes)
● then the Mishmash subkeys; 32 sets of two 48-bit subkeys for the DES rounds, (384 bytes)
● 32 sets of six 32-bit subkeys for the Quadibloc rounds, (768 bytes)
● 32 sets of sixteen 8-bit subkeys for the Skipjack rounds, (512 bytes)
● 32 sets of two 64-bit subkeys for the SAFER rounds, (512 bytes)
● 32 sets of fourteen 32-bit subkeys for the GoodStuff rounds. (1792 bytes)
● An additional 2304 bytes of subkey material to be used later. (2304 bytes)

All the subkey material thus generated, except the material used to produce S-box S8, is retained in order in an
array for later modification.

An initial value for S8, the key-dependent S-box is generated as follows:

● Generate three permutations of the numbers from 0 to 255 from the subkeys by the following procedure:
❍ Use successive bytes from the subkeys, starting with the leftmost (most significant) byte of subkey

K1, and going through the subkeys in numerical order, that is, K1, K2, K3, K4..., and then starting
where one has left off for subsequent permutations.
❍ Each permutation is generated by the use of either 512, or, under some rare circumstances, only

256, bytes.
❍ A permutation is generated as follows:

■ Begin with three arrays of 256 numbers, the first of which is filled with the numbers from 0

to 255 in order. The arrays must also be able to hold the value -1. The second and third
arrays are filled with -1.
■ For each byte used: let the value of the byte be called N, and let I be a counter which starts

at 0 for the first byte, incrementing with each byte used, and ending at 255.
■ Then, for each byte:

■ If element N of the first array is not -1, set element N of the first array to -1, and set
element I of the second array to N.
■ Otherwise, store N in the first unused position (the first position containing -1) in the
third array.
■ Once this has been done, if the third array contains any numbers other than -1, proceed as

follows:
■ If there is only one filled (not equal to -1) element in the third array, then there is only one

remaining element in the first array, and one element of the second array equal to -1, so fill
the second array with the one available byte, and finish.
■ If there are only two filled elements in the third array, take the least significant bit of the

first filled element. If it is zero, fill the -1 elements of the second array with the remaining
elements of the first array in order; if it is one, do so in reverse order, and finish.
■ If there are less than 256 filled elements in the third array, repeat them over and over to fill

the array. Then, take an additional 256 input bytes (thus, 512 bytes are used except when
the first 256 bytes contain two or fewer duplicate bytes) and XOR them with the bytes of
the third array.
■ Now, use the third array to complete the second array by doing the following for II from 0

to 255:
■ Let the value of element II of the third array be XX.

■ Swap elements II and XX of the first array.

■ Then, scan through the second array. When an element of the second array is -1, fill it with

the corresponding element of the first array (if it is not also -1) and set that element of the
first array to -1.
■ If there are any -1 elements left in the second array, fill them with the elements of the first

array that are not -1 in order.


● The three permutations obtained in this manner are used to generate a key dependent S-box as follows:
❍ For N from 0 to 255:

❍ Set A to be element N of the first permutation; set B to be element N of the second permutation,

and set C to be element B of the third permutation.


❍ Set element A of the S-box to equal C.

Only the first 440 subkeys, each 32-bits long, which are the first subkey material generated by this method, are
modified by the key augmentation technique of performing an initial encipherment, and XORing subkeys with
intermediate results. Because some of the rounds do not produce intermediate results suitable for this use, the key
augmentation step undergoes an important change. Instead of modifying the 440 subkeys by performing a normal
Quadibloc III encipherment, and using its intermediate results, a modified encipherment, using only normal
rounds found in Quadibloc II is used.

The modified encipherment consists of one group of four degenerate rounds, forty-eight normal Quadibloc II
rounds, and one more group of four degenerate rounds. This arrangement uses exactly 440 subkeys. Four key-
dependent byte permutations are used, from 0x, 1x, and inverse 9x and 8x; only one unkeyed whitening step,
followed by the 0x permutation, begins the cipher; the 1x permutation follows the first group of four degenerate
rounds, preceding the first conventional Quadibloc II round.

The subkeys are initially filled in the following order, consistent with Quadibloc II practice:

K1 K2 K3 K4
K5 K8 K11 K6 K9 K12 K7 K10 K13
K14 K17 K20 K15 K18 K21 K16 K19 K22
...
K428 K431 K434 K429 K432 K435 K430 K433 K436
K437 K438 K439 K440

and are modified during key enrichment in the following order (although the subkeys are aligned in columns to
illustrate their pattern, the order used is that found by reading across):

K440 K436 ... K22 K13


K439 K435 ... K21 K12
K438 K434 ... K20 K11
K437 K433 ... K19 K10
K432 ... K18 K9
K431 ... K17 K8 K4
K430 ... K16 K7 K3
K429 ... K15 K6 K2
K428 ... K14 K5 K1

Bytes for use in the 48 additional subkeys, S10 and S11, and in Mishmash, are generated during the initial part of
subkey generation, even though these parts of the cipher aren't used in key-enrichment; then, during the key-
enrichment phase, nine bytes of output from the same shift register process as was used to fill all the subkey
material with its initial values, but modified in an analogous fashion to that used for Quadibloc II (the last 13
bytes of the 440 regular subkeys are used to fill A1 through C5, and one shift register, rather than two, is used,
consisting of the rest of the subkey material), are used to modify eight bytes in this additional subkey material.

This is done as follows: the first byte determines the use of the next eight bytes; if its most significant bit is a 1,
the next byte is XORed to the previously generated byte, if its most significant bit is a 0, the next byte replaces
the corresponding previously generated byte, and so on through the bits of the first byte and the bytes following.

The additional subkey material being modified in this step consists of 7488 bytes. For the purpose of an
additional operation to be performed concurrently with the XOR or replacement of these bytes in groups of eight
using generated bytes in groups of nine, these bytes are to be considered as 20 blocks of 256 bytes each, plus 64
extra bytes.

The additional manipulation to be performed consists of two steps. Only during the processing of the second
through the 19th of the 20 complete blocks are both steps done; one is done during the processing of the first
block.

For each of the first 256 generated bytes of the 288 generated bytes required to modify the 256 bytes of the
current block, the next block is modified as follows:

Letting c be a counter, 0 for the first generated byte, and incremented by one as we change to use each additional
generated byte, and letting n be the value of the current generated byte, we swap byte c and byte n of the next
block.

This only requires the existence of a following block, and is therefore done when the current block is any block
from the first through the nineteenth.

For each of the last 256 generated bytes of the 288 generated bytes we use in modifying the 256-byte current
block, immediately following the use of that same byte for modifying the next block during the period when both
operations overlap, we modify the preceding block as follows:

Letting c be a counter, 0 for the first generated byte used by this step, the 33rd of the 288 generated bytes for the
current block, and letting n be the value of the current generated byte, we let p be the value of byte c of the next
block, and let q be the value of byte n of the previous block.

We then swap bytes p and q of the previous block. Letting k be the XOR of the values of the two bytes so
swapped, byte n of the previous block is then modified by being XORed with byte k of the next block.

This requires both a preceding and a following block, and is done for the second block through the nineteenth.

Performing these transposition steps on the subkey material helps to destroy any pattern it might contain.

As many of the last 2304 bytes of subkey material as required are used to generate a permutation following the
steps used for generating the initial value of S8. The generated result, however, is not used as the final value of
S8. Instead, each element of S8 is replaced by the value it points to in this result; that is, for N from 0 to 255, S8
(N) becomes R(S8(N)). (Thus, S8 depends on both the old and new subkeys, and doesn't relate to the current
subkeys in a simple way.)

Then, the 488 subkeys required for Quadibloc III are produced from the 440 subkeys generated normally and the
48 additional ones by using the 48 additional subkeys in order as the ones for the f-functions that are used to
modify the f-function results before being XORed together in the Mishmash rounds.

Hence,

● subkeys K1 through K88 retain their identity,


● subkeys K441 through K452 are moved to subkeys K89 through K100,
● subkeys K89 through K100 are moved to subkeys K101 through K112,
● subkeys K453 through K464 are moved to subkeys K113 through K124,
● subkeys K101 through K352 are moved to subkeys K125 through K376,
● subkeys K465 through K476 are moved to subkeys K377 through K388,
● subkeys K353 through K364 are moved to subkeys K389 through K400,
● subkeys K477 through K488 are moved to subkeys K401 through K412,
● and, finally, subkeys K365 through K440 are moved to subkeys K413 through K488.

Note that implementations need not actually move the subkeys around, but merely need to ensure that each
encipherment step uses the correct subkeys from those stored in memory.

Variations of Quadibloc III

Specific named variations of Quadibloc III are provided here to broaden its range of applicability.

The first variation is Quadibloc III SC (Short Cycle). This version retains the complexity of Quadibloc III, but
eliminates the large number of rounds of the GoodStuff kind in the middle of the cipher. Instead, only two such
rounds are retained, with the following arrangement:

1 > 2 > 3 > 4 > 5 > 6 > 7 > 8


8 < 7 < 6 < 5 < 4 < 3 < 2 < 1

This, by reducing the amount of required subkey material from 488 subkeys to 278, and hence the key
augmentation phase of key generation is modified as follows: eight regular Quadibloc II rounds are used, the first
10 words of S10 are also modified, and there is no shifting of subkeys out of numerical order, as was required to
exclude a particular 48 subkeys from key augmentation in the normal version. The unkeyed whitening step, and
the initial and final byte transposes (0x and 8x) are also retained in the modified encipherment.

The next variation is Quadibloc III MD (Maximum Dispersion). This version adds eight 64-bit words of subkey
material to what is used by the cipher. They are not used during the modified encipherment cycle performed for
key augmentation, but they are generated initially, like other parts of the subkey material not then used. They are
generated immediately after the 32 extra normal subkeys which are modified after, instead of during, key
augmentation, and immediately before calculating S-box S8. Otherwise, since the key schedule is only
lengthened, key augmentation is not otherwise modified for this variation.

These 64-bit words are used to perform an ICE-style interchange of the left and right halves of the block,
immediately after the first four key-dependent byte interchanges derived from S-box S8 and immediately before
the last four such byte interchanges. A 1 bit corresponds to a bit to be interchanged, and the words are used in
order during encipherment.

Finally, Quadibloc III SD (Short/Dispersive) combines the modifications in Quadibloc III SC and Quadibloc III
MD. As it has 294 32-bit words of normal subkey, the key augmentation phase of its key generation is based on a
modified encipherment involving a byte transpose based on the 0x row of S8, an unkeyed whitening step, a set of
four degenerate rounds, a byte transpose based on the 1x row of S8, eight normal Quadibloc II rounds, the 9x
transpose, four degenerate rounds, inverse whitening, and the 8x transpose. The first two words of S10 are also
included in the key augmentation for this variation.

A variation in the round structure, like those illustrated for Quadibloc II, will also be illustrated here, but in this
case it is for the Mishmash portion of the cipher.

This diagram gives an overview of the Mishmash rounds as modified. Instead of placing the intermediate results
of the four QUADIBLOC 96 rounds on the left side through an additional QUADIBLOC f-function, these results
are used to produce a 32-bit result by means of the 32-bit Feistel structure used within the GoodStuff portion of
the cipher. This reduces the number of additional subkeys required for this part of the cipher to 8 from 48, but the
strength of the modified cipher appears fully satisfactory.

Another variation on Quadibloc III uses the modified Mishmash rounds described above, but in addition changes
the order of the rounds in line with insights that have come out of looking at how some differential attacks,
including the boomerang attack work. The idea is that parts of the cipher that are analytically simple are put on
the outside, and parts that are harder to analyze, but possibly leaving room for new probing attacks, are put in the
center. A diagram giving an overview of the variation, accompanied by its description, are below:

● Small Feistel rounds, using no subkeys, but


using the key-dependent S-box S8 as their f-
function, transforming 16-bit subkeys of the
block.
● Key-dependent permutation (derived from the
0x elements of S8) of the bytes in the block.
● Four simple rounds, using a single-level f-
function, that are aimed at obtaining high
diffusion, and which use 32-bit subkeys K1
through K4.
● Key-dependent permutation (derived from the
1x elements of S8) of the bytes in the block.
● Two rounds in which the block is enciphered as
follows:
❍ one 16-bit subblock is enciphered by

four Feistel rounds, using S8 as the f-


function, but this time preceded by the
XOR of a subkey byte;
❍ the results of the XOR are used as

intermediate results, and are fed into the


S-box S9.
❍ The four S9 outputs produce a 32-bit

result whose first 16 bits are the first


four bits of each of their outputs, and
whose last 16 bits are the last four bits of
each of their outputs.
❍ This result is then enciphered by means

of four Feistel rounds, where the f-


function consists of first XORing in a 16-
bit half of a subkey, then using the two
bytes of the result to index into two key-
dependent S-boxes, S10 and S11, which
each take an 8-bit input and give a 16-bit
output. The sum of the two outputs is
XORed with the other half of the 32-bit
block.
❍ The 32-bit result of this process is used

as a 32-bit subkey was used initially to


encipher a further 16 bits of the block,
and this continues until the entire 128-bit block has been enciphered in 16-bit pieces.
These two rounds each use fifteen subkeys; the first one uses subkey K5 to supply the four bytes used for
enciphering the first 16-bit subblock, and then subkeys K6 through K19, two at a time, for enciphering the
32-bit intermediate results from enciphering one subblock to produce the 32-bit input to use to encipher
the next one, and the second one uses subkeys K20 through K34.
● Key-dependent permutation (derived from the 2x elements of S8) of the bytes in the block.
● Eight normal Quadibloc II rounds, each of which uses nine subkeys, the first using subkeys K35 through
K43, the last using subkeys K98 through K106.
● Key-dependent permutation (derived from the 3x elements of S8) of the bytes in the block.
● Four rounds of a form of Mishmash, whose large quantity of subkeys is generated after the contents of
S10 and S11, and by the same process. These rounds use fixed Quadibloc subkeys for one half of the
block, the subkeys being K107 through K118 for the encipherment of that block, and K119 through K120
for the Feistel rounds with a 32-bit block using S-boxes S10 and S11 that modify its intermedate results,
for the first Mishmash round, and the remaining Mishmash rounds use subkeys K121 through K162.
● Then, the preceding steps are done in reverse order, with the key-dependent byte permutations now being
the inverses of the ones derived from the Bx, Ax, 9x, and 8x elements of S8, and with the eight normal
Quadibloc II rounds using subkeys K163 through K234, the two GoodStuff rounds using subkeys K235
through K264, and the set of four degenerate rounds using subkeys K265 through K268.

The 268 subkeys required, plus the first 20 32-bit words of the S-box S11, are modified after initial subkey
generation by key augmentation through 32 normal Quadibloc II rounds with no degenerate rounds, (and two
byte transposes, based on the 0x and 8x rows, instead of four, and two unkeyed whitening steps, as for the
regular cipher) and there is no shifting of subkeys out of numerical order, as was required to exclude a particular
48 subkeys from key augmentation in the normal version.

[Next] [Up] [Previous] [Index]

Next
Start of Section
Skip to Next Chapter
Table of Contents
Main Page Home Page
[Next] [Up] [Previous] [Index]

Quadibloc IV
Quadibloc IV is a block cipher with a 128-bit blocksize with a simpler design than that
of either Quadibloc III or even Quadibloc II. It has 32 rounds, numbered from 1 to 32,
each using three 32-bit subkeys.

It uses the S-boxes S1, S2, and S3 (S3 is only used during key generation) derived
from Euler's constant, as listed in the description of Quadibloc II.

It attempts - despite the fact that A xor B and B xor A are the same thing - to use a
strategy derived from hash functions to produce a secure f-function; the quantity
XORed to the first subblock in each round is the XOR of two f-functions, one which
uses a subblock as input, and two subkeys as keys, and one which uses a subkey as
input, and two subblocks as keys.

The Rounds

A round of Quadibloc II proceeds as follows:

The 128-bit block is considered to be divided into four 32-bit subblocks, B1 through
B4. The leftmost subblock, B1, is the only one modified in a round. It has two
quantities XORed to it:

● An f-function, using B2 as input, with the first two subkeys for the round as
keys, using S1 as the S-box.
● An f-function, using the third subkey for the round as input, with B3 and B4 as
keys, using S2 as the S-box.

The f-function is essentially the basic Quadibloc f-function: XOR the input and the first
key, substitute the bytes in the S-box, and then perform the following regular
permutation of the bits:

1 2 27 28 21 22 15 16 9 10 3 4 29 30 23 24
17 18 11 12 5 6 31 32 25 26 19 20 13 14 7 8

Then, XOR the input and the second key and again perform the S and P steps. In
Quadibloc IV, no third key is used.

The following diagram illustrates a typical round of Quadibloc IV:


The diagram illustrates the way in which the subblocks are interchanged after a typical
round:

3 4 2 1

No interchange is performed after the last round, round 32.

After round 4 and after round 28, the bytes of the 128-bit block are interchanged in the
following order:

1 14 11 8 5 2 15 12 9 6 3 16 13 10 7 4

After round 16, the four subblocks are interchanged in this order:

3 2 1 4

After the other rounds whose numbers are divisible by 4, the four subblocks are
interchanged in this order:

3 1 4 2

Hence, if one numbers the subblocks on entry to round 5 as 1, 2, 3, and 4, the orders in
which they appear from round 5 to round 28 are as follows:
1 2 3 4 3 4 2 1 2 1 4 3 4 3 1 2
1 4 2 3 2 3 4 1 4 1 3 2 3 2 1 4
1 3 4 2 4 2 3 1 3 1 2 4 2 4 1 3
1 4 3 2 3 2 4 1 4 1 2 3 2 3 1 4
1 2 4 3 4 3 2 1 2 1 3 4 3 4 1 2
1 3 2 4 2 4 3 1 3 1 4 2 4 2 1 3

thus going through all 24 possible orders exactly once.

Because of the byte interchange after rounds 4 and 28, the first and last four rounds
function as a whitening phase of the block cipher.

Key Generation

Two shift registers, one 64 bytes in length and one 65 bytes in length, are used to
generate subkeys, and are loaded with the key, which can be from 2 to 63 bytes in
length, as follows:

● If the key is 256 bits (32 bytes) in length or shorter:


❍ The 64-byte shift register is loaded with the key, followed with the one's

complement of the key, followed by as many repetitions of the key as are


needed to fill it.
❍ The 65-byte shift register is loaded with the bytes of the key in reverse

order, followed by the one's complement of the key (in normal order),
followed by as many repetitions of the key as are needed to fill its first
64 bytes, followed by the one's complement of the first byte of the key.
● If the key is from 33 to 63 bytes in length:
❍ The 64-byte shift register is loaded with the first half of the key

(including one more byte than the second half, if the number of key bytes
is odd), followed by the one's complement of the first half of the key and
as many repetitions of the first half of the key as are needed to fill it.
❍ The 65-byte shift register is loaded with the second half of the key,

followed by the one's complement of the second half of the key, and as
many repetitions of the second half as are needed to fill its first 64 bytes,
followed by the one's complement of the first byte of the second half of
the key.

Initial values of subkey bytes are generated from these two shift registers as follows:

The first shift register is cycled as follows:

Take the 49th byte, add the 33rd byte, and XOR the 64th byte. Find the substitute for
the result in S-box S3. XOR the 3rd byte, and add the 1st byte.

The result will be the new first byte of the shift register, the other bytes being advanced
one place, and the old 64th byte being discarded.

The second shift register is cycled as follows:

Take the 23rd byte, add the 65th byte, and XOR the 11th byte. Find the substitute for
the result in S-box S3. Add the 50th byte, and XOR the 1st byte.

The result will be the new 65th byte of the shift register, the other bytes being moved to
the next earlier place, and the old 1st byte being discarded.

The byte of the subkey generated from this step is the generated new first byte of the
first shift register, replaced with its substitute from S-box S3, XORed with the
generated new 65th byte of the second shift register.

Once all 96 subkeys have been filled with their initial values, key augmentation takes
place. A normal encipherment cycle is performed, enciphering the 128-bit block

A5 C3 E1 2D B4 87 96 F0 0F 69 78 4B D2 1E 3C 5A

but after each round, the four intermediate values generated in the round are applied as
follows:

The four intermediate values are:

1. The output of the SP operation following the use of the first subkey for the
round;
2. The output of the SP operation following the use of the second subkey for the
round;
3. The output of the SP operation following the use of the third subblock;
4. The output of the SP operation following the use of the fourth subblock;

Intermediate values 1, 2, and 4 of each round are XORed to the subkeys after the round
is over, and the order in which the subkeys is modified is:

K1 K4 K7 K10 K13 ... K94


K2 K5 K8 K11 K14 ... K95
K3 K6 K9 K12 K15 ... K96

and then, intermediate value 3 from the round is added, using byte-wide addition (as
well as creating no endian confusion, this is sure to be implementable, even on systems
that support only 16-bit arithmetic with no way to disable integer overflow exceptions)
to the following subkeys in this order:

K96 K93 K90 K87 K84 ... K3

Use as a Hash Function

As this block cipher was designed using design principles from hash functions, it
seemed appropriate to specify a mode in which it could be used to generate a hash of a
file. However, only the simplest mode is specified here, generating a 128-bit hash,
which is not considered adequately long to obtain collision resistance.

One iteration of the cipher will be used to hash a block consisting of 32 32-bit words,
or 128 bytes. The string of bits to be hashed will be converted to a whole number of
blocks by having a 1 appended to it, and then the result will be filled out with zeroes to
fill the last block.

The starting value to be "enciphered" by the block cipher will be:

A5 C3 E1 2D B4 87 96 F0 0F 69 78 4B D2 1E 3C 5A

as used for key augmentation.

The subkeys for the encipherment will be supplied by the block to be hashed as follows:

Both subkeys

K3 K6 K9 K12 K15 ... K96

and subkeys

K95 K92 K89 K86 K83 ... K2

will be supplied from the bytes of the block, taken in groups of four, in order. (The first
byte is the leftmost byte of the word.)

Subkeys

K1 K4 K7 K10 K13 ... K94

will be the following:


K1: 243F6A88 K4: 85A308D3 K7: 13198A2E K10: 03707344
K13: A4093822 K16: 299F31D0 K19: 082EFA98 K22: EC4E6C89
K25: 452821E6 K28: 38D01377 K31: BE5466CF K34: 34E90C6C
K37: C0AC29B7 K40: C97C50DD K43: 3F84D5B5 K46: B5470917
K49: 9216D5D9 K52: 8979FB1B K55: D1310BA6 K58: 98DFB5AC
K61: 2FFD72DB K64: D01ADFB7 K67: B8E1AFED K70: 6A267E96
K73: BA7C9045 K76: F12C7F99 K79: 24A19947 K82: B3916CF7
K85: 0801F2E2 K88: 858EFC16 K91: 636920D8 K94: 71574E69

which are the hexadecimal digits in the fractional portion of pi (also used as the starting
value of the S-boxes and subkeys in Blowfish, although it uses 784 of them, not just 32
of them).

After each block is hashed, the input to the encryption cycle is XORed with the output
to produce the current value of the hash, which will be the input to the next encryption
cycle.

A Variation of Quadibloc IV

In Quadibloc IV ER (Extra Resistance), after generating the initial values of the


subkeys, an additional 1536 to 2304 bytes are generated to create S8 in the same
fashion as the initial value of S8 was generated in Quadibloc II and Quadibloc III. This
key-dependent S-box is not modified again after key augmentation, and it is used to
perform a substitution on the four bytes of the two f-function outputs after the second
SP portion. This modification makes Quadibloc IV considerably more secure against
differential and linear cryptanalysis.

[Next] [Up] [Previous] [Index]

Next
Start of Section
Skip to Next Chapter
Skip to Next Section
Table of Contents
Main Page Home Page
[Next] [Up] [Previous] [Index]

Quadibloc V
Quadibloc V is a straightforward and simple member of the Quadibloc family of ciphers. It operates on a 128-bit
block, and has a key which must consist of number of bytes that is a multiple of four and which is equal or
greater than 8. It uses S-box S1 derived from Euler's constant, as used in other ciphers of the Quadibloc series,
and it uses one key-dependent S-box, called S2, which has 16 entries, each 64 bits long.

It has four rounds, and each round uses 72 bytes of subkey material. The halves of the block are swapped after
each of the first three rounds.

As encipherment and decipherment are different, and as the f-function only diffuses half of the information in the
left half of the block, it might seem that there are opportunities for cryptanalysis. But what happens to the right
half of the block, and the use of a key-dependent S-box, even if only a minimal one, appears to close any such
opportunities. Also, the key schedule seems to be secure, although it too is greatly simplified over that of
Quadibloc II or III.

The Rounds

The following diagram illustrates what happens during a round of Quadibloc V:


The bytes in the left half of the block are used in pairs to generate bytes the nybbles of which are then used to
select two entries from S-box S2.

One copy of the second byte in the pair is XORed with a byte of subkey material; the next copy has the next byte
of subkey material added to it. Then both copies are replaced by their corresponding entries in S-box S1. The
first byte in the pair first has the first copy of the other byte, as modified, added to it. This intermediate result is
retained for later use. Then it is replaced by the entry it now selects in S-box S1. Finally, the second copy of the
other byte, as modified, is XORed to it.

The first and second nybbles of this resulting byte are used to index to two elements of S-box S2. The entry
chosen by the second nybble of a byte then has its halves swapped. The intermediate result saved for later use is
also split into two nybbles, each used to index an element from S-box S2. The one chosen by the first nybble is
rotated 16 bits left, and the one chosen by the second nybble is rotated 16 bits right.

These elements of S-box S2 are XORed with the right half of the block at various times.

This portion of the cipher uses the first eight subkey bytes for the round.

First, the bytes in the right half of the block are modified by going through tiny Feistel rounds, similar to
permutation G of SKIPJACK, but here using S-box S1 as the f-function. First, each pair of bytes goes through
two rounds of this, first the left-hand byte modifying the right-hand byte, then the right-hand byte modifying the
left-hand byte. Two subkeys are used to perform these two rounds for one pair of bytes, then the next two
subkeys are used for two rounds for the next pair of bytes, as is visible from the numbering in the diagram.

Then, four S2 outputs,

● the one from the first nybble of the byte generated from the first pair of bytes in the left half of the block
● the one (with its halves swapped) from the last nybble of the byte generated from the last pair of bytes in
the left half of the block
● the one (rotated 16 bits to the left) from the first nybble of the intermediate result generated from the
second pair of bytes in the left half of the block
● the one (rotated 16 bits to the right) from the second nybble of the intermediate result generated from the
third pair of bytes in the left half of the block

are XORed to the right half of the block as currently modified.

Then, two more tiny Feistel rounds are applied to each pair of bytes in the right half, and then the bytes are
interchanged as follows:

1 4 3 6 5 8 7 2

and then another two tiny Feistel rounds are applied. Note that this interchange, applied three times, ensures that
each even byte is paired with each odd byte for four tiny Feistel rounds during this process.

Now, four S2 outputs

● the one from the first nybble of the byte generated from the second pair of bytes in the left half of the
block
● the one (with its halves swapped) from the last nybble of the byte generated from the third pair of bytes in
the left half of the block
● the one (rotated 16 bits to the left) from the first nybble of the intermediate result generated from the first
pair of bytes in the left half of the block
● the one (rotated 16 bits to the right) from the second nybble of the intermediate result generated from the
last pair of bytes in the left half of the block

are XORed to the right half of the block in its present state.

Then, another four tiny Feistel rounds with a byte interchange in the middle.

Now, four S2 outputs

● the one from the first nybble of the byte generated from the third pair of bytes in the left half of the block
● the one (with its halves swapped) from the last nybble of the byte generated from the second pair of bytes
in the left half of the block
● the one (rotated 16 bits to the left) from the first nybble of the intermediate result generated from the last
pair of bytes in the left half of the block
● the one (rotated 16 bits to the right) from the second nybble of the intermediate result generated from the
first pair of bytes in the left half of the block

are XORed to the right half of the block.

Then, another four tiny Feistel rounds with a byte interchange in the middle.

And then the following four S2 outputs

● the one from the first nybble of the byte generated from the last pair of bytes in the left half of the block
● the one (with its halves swapped) from the last nybble of the byte generated from the first pair of bytes in
the left half of the block
● the one (rotated 16 bits to the left) from the first nybble of the intermediate result generated from the third
pair of bytes in the left half of the block
● the one (rotated 16 bits to the right) from the second nybble of the intermediate result generated from the
second pair of bytes in the left half of the block

are XORed with the right half.

And now, two tiny Feistel rounds are applied to each pair of bytes in the right half of the block. Finally, the bytes
are interchanged as follows:

1 3 5 7 2 4 6 8

This final interchange sorts the odd and even bytes into groups, so that pairs will later be made on a different
basis.

The Key Schedule

The key material used during encipherment consists of a 512 byte key-dependent S-box S2, and 288 bytes of
subkey material.

Initially, this key material is loaded as follows:

● The key is split into two parts, the first having one byte less than half the bytes in the key, and the second
having the remaining bytes.
● Bytes of subkey material are alternately filled from each half of the key.
● Each time one returns to the first byte of a part of the key, after using the last byte previously, one adds 1
to a constant (initially zero) which is added to each byte as it is taken.

Thus, if the key is initially:

200 160 001 100 080 020 140 120

it is split into the two parts

200 160 001


100 080 020 140 120

and the subkey material is initially filled as follows from it:

200 100 160 080 001 020 201 140


161 120 002 101 202 081 162 021
003 141...

Using this initial subkey material, a block is enciphered consisting of the first sixteen bytes of the key, or, if the
key is shorter than sixteen bytes, the key followed by the key with each byte XORed with 1, followed by the key
XORed with 2 if necessary, all the bytes then replaced with their substitutes in S-box S1.

Each round of encipherment produces eight 64-bit intermediate results: an intermediate result is obtained by
taking the current value of the right half of the block after each pair of tiny Feistel rounds, except that in the case
of those rounds followed by XORing in S-box S2 entries, the intermediate value is taken after that XOR.

After each round is completed, and five rounds are performed, rather than the four used for normal encipherment,
the fifth using the same subkeys as the first, the intermediate results are used to modify the subkeys.

The first 36 of the 40 intermediate results generated are XORed with the subkey material, in the following order:

Result: Subkey bytes:

1 K1 K2 ... K8
2 K73 K74 ... K80
3 K145 K146 ... K152
4 K217 K218 ... K224
5 K9 K10 ... K16
6 K81 K82 ... K88
...
36 K281 K282 ... K288

In addition, each byte of all but the first eight intermediate results (leaving the last 32 intermediate results, which
amount to 256 bytes) is used to modify the 512-byte S-box S2, as follows:

● The S-box S2 is to be considered as consisting of two halves, each 256 bytes in length, called H0 and H1.
H0(n) is the (n+1)th byte of H0; that is, H0(0) is the first byte of H0.
● Let the byte being used to modify the S-box have the value X.
● Let a counter, initially equal to 0, and increasing by 1 each time be noted by N. This counter will run from
0 to 255 as the process below takes place.
● Let W=N xor X.
● Let P=H0(W) xor X and Q=H1(W) xor X
● In all cases, first modify H1(P) by XORing it with H0(P) and with X, then modify H0(Q) by XORing it
with H1(Q) and with X.
● Modify H0(X) by XORing it with Q and with W, and modify H1(X) by XORing it with P and with W.
● If N and X are not equal, swap H0(N), H0(X), H1(N), and H1(X) as follows: H0(N) is replaced by H0(X),
which is replaced by H1(N), which is replaced by H1(X), which is replaced by the former value of H0(N).

Variations

If one wishes to use Quadibloc V with eight rounds, then the key augmentation step of the key schedule is
modified as follows:

The encipherment step used to generate intermediate results now runs for nine rounds. All intermediate results
are used to XOR with subkey bytes, and the order is similar to that for the four-round version: first, an XOR is
done to the first eight bytes in each of the eight rounds, then the next eight bytes in each of the eight rounds. The
ninth round uses the subkeys for the first round.

The last 512 bytes so generated, which involve all but the first eight intermediate results, are used to carry out the
modification of the S-box S2, but this time twice.

With sixteen rounds, the key augmentation step will involve encipherment with eighteen rounds, the last two
using the subkeys of the first two rounds. Again, all intermediate results are used to XOR with subkey bytes. The
last 1024 bytes generated, which exclude the first sixteen intermediate results (or those from the first two rounds)
are used to modify S-box S2 four times.

[Next] [Up] [Previous] [Index]

Next
Start of Section
Skip to Next Chapter
Table of Contents
Main Page
Home Page
[Next] [Up] [Previous] [Index]

Quadibloc VI
Quadibloc VI attempts to achieve the attractive characteristics of Quadibloc III, but with fewer rounds. The main intention in the design of Quadibloc VI is to
make a block cipher that has the advantages of a stream cipher.

A typical block cipher subjects each block of data it enciphers to a series of manipulations, with the only variation in these manipulations due to the variable and
secret key being that the data, while being manipulated, occasionally has subkey material XORed to it. Perhaps addition will also be used.

A stream cipher can resist analysis by applying different key material to the encipherment of each byte or block it encounters.

Thus, the Mishmash encipherment method used within Quadibloc III imitates a stream cipher, by choosing subkeys from a pool to encipher one half of a block, the
choice being determined by the other half of the block. This principle is employed here as well, but with a simpler structure.

Quadibloc VI uses the same fixed S-boxes S1 and S2 derived from Euler's constant as QUADIBLOC and other ciphers in the Quadibloc series, whose contents
have been listed in previous sections.

Description of Mixing/Whitening

The first step in encipherment, when a 128-bit block is submitted to Quadibloc VI, is to ensure that every bit in the block affects, or potentially affects, every bit in
every other block, through a short series of mixing and whitening transformations, as shown in the diagram below:
First, the bytes, by pairs, go through four mini-Feistel rounds, using the key-dependent S-box S8 as the f-function.

Then, using 64-bit subkey LK1, the two halves of the block have selected corresponding bits swapped, in the manner originated by the block cipher ICE.

Then, to bring bytes that have not yet influenced each other into contact, the bytes are transposed so that after transposition, the bytes in order came from the
following positions, from 1 to 16, as indicated by the numbers below:

1 13 2 14 3 15 4 16 5 9 6 10 7 11 8 12

Once this is done, another four mini-Feistel rounds with the key-dependent S-box S8 used as the f-function are performed on adjacent pairs of bytes.

Then, once again bytes are moved to bring bytes that had not affected one another into contact. As a possible transposition to do so here is the one used previously,
it is applied once again.

Then, a completely unkeyed step is used for the final merging of bytes, a set of Pseudo-Hadamard Transforms applied to pairs of bytes.
Finally, the bytes in the block are transposed according to a key-dependent byte transposition derived from the contents of key-dependent S-box S8.

Description of Regular Rounds

In a regular round of Quadibloc VI, the leftmost six bytes of the block are enciphered by means of two rounds of the GoodStuff method, which proceeds as follows:

Using four eight-bit subkeys (derived from a single 32-bit subkey), four Feistel rounds are used to encipher a 16-bit subblock; in the first round, the right half is
XORed with the first subkey, then replaced through S8, then added to the left half. The direction of the f-function alternates from right to left to left to right, and in
the two outer rounds, the subkey is XORed and the f-function output added, and in the two inner rounds, the subkey is added and the f-function output XORed.

The four intermediate results of the f-functions, derived before S8 substitution, are used to index into the fixed S-box S2. The S-box outputs are used to form a 32-
bit word consisting of the first nibbles of the four substituted results in order, then the second nibbles. (Since, looking sideways, the bottom, rather than the top, of
the previous four rounds are to the left, the diagram shows that the order needs to be reversed when drawing a left-to-right round of this cipher, by means of a twist
upon entry and exit from the horizontal Feistel rounds.)

The resulting 32-bit word is then itself enciphered by four Feistel rounds of a cipher which, like Blowfish, uses wide key-dependent S-boxes in the f-function.
Here, four 16-bit subkeys are used, and so they are derived from two 32-bit regular subkeys.

The final interchange is not omitted, or the rounds can be thought of, as they are drawn, in in-place format, and the first round goes from right to left (or, in the
diagram, top to bottom).

The following diagram illustrates the operations that take place during a regular round of Quadibloc VI upon the leftmost eight bytes of the block:
The first six bytes are subjected to encipherment according to the GoodStuff algorithm, first in one direction, and then in another.

The final f-function outputs in the Feistel rounds applied to the 32 bit quantity that serves as subkeys for the 16-bit Feistel rounds in each of the GoodStuff
encipherments are XORed to the last two of the first eight bytes. Before, between, and after these XORs, those two bytes are modified using the same type of mini-
Feistel round as was used in the initial mixing/whitening phase.

Note that the first and last f-function (or S-box S8) outputs are XORed together to produce one byte of output.

This byte is used to control the encipherment of the other half of the block, which is enciphered using the modification of the original QUADIBLOC round used in
Quadibloc S, to be described in the next section. A Quadibloc S round is illustrated below:
The single byte of output has 256 possible values. 7 times 6 times 5 is 210, which is less than 256, therefore this byte can be used to choose three distinct subkeys
from a pool of seven subkeys to be used as the three subkeys for the Quadibloc S round.

After the first three regular Quadibloc IV rounds in a group of four, the bytes are interchanged according to the following pattern, where each number denotes the
position of a byte in the source to the permutation, the numbers being in the order of the bytes upon] output:

3 4 5 6 7 8 1 2 13 14 15 16 9 10 11 12

The intent of this is to have the two bytes in the first half which are enciphered differently take on four different values, while the halves of the second half are
swapped each time.
After every group of four regular Quadibloc IV rounds except the last four, the halves of the block are swapped.

It is assumed that a mere eight rounds of Quadibloc IV will suffice. At least sixteen rounds, however, would be absolutely required were it not for the initial
mixing and whitening rounds. This is because four rounds are, in a sense, really only one round.

Finally, using 64-bit subkey LK2, the operations of the mixing/whitening rounds are performed in reverse order. The Pseudo-Hadamard Transform is replaced by
its inverse, and so are the two fixed byte permutations. But the groups of four mini-Feistel rounds stay the same (instead of being inversed by having left and right
bytes switched), and the ICE-style swap is its own inverse.

The steps involved in the final mixing/whitening step may be made clearer by this diagram:

The Key Schedule

Although, when compared with the method for generating the key schedule for Quadibloc II and Quadibloc III, many shortcuts are taken in the method used for
Quadibloc VI, it will be seen that key generation for Quadibloc VI is still long and complicated.
Quadibloc VI with eight regular rounds uses the following subkey material:

● Eighty 32-bit subkeys, designated K1 through K80, ten of which are used for each regular round which contains two rounds of GoodStuff encipherment;
● Eight banks of seven 32-bit subkeys used in the Quadibloc S type rounds which are applied to the right half of the block, which may be designated V1
through V56;
● The key-dependent S-boxes S10 and S11, each of which contains 256 random 16-bit entries;
● Two 64-bit subkeys, LK1 and LK2;
● The key-dependent S-box S8, which contains the bytes 0 to 255 in random order;
● A key-dependent table with 256 entries, each entry being a triple of three distinct integers from 1 to 7, which will contain all 210 possible arrangements
once, and 46 of those arrangements twice, for use in selecting subkeys from the subkey pool for the Quadibloc S type rounds applied to the right half of the
block.

For what follows, the first three items in the list above are to be considered to be stored in order contiguously in memory.

First, initially fill the key-dependent S-box S11 as follows:

<key> 1 <key> 1 2 <key> 1 2 3 <key>

that is, repeat the key, following it each time by a series of bytes with successive values that is one byte longer.

Then generate initial values for subkeys K1 through K80, pooled subkeys V1 through V56, and the contents of key-dependent S-box S10 (as well as an initial
value for key-dependent S-box S8) by generating 1056 bytes

( (80*4) + (56*4) + (256*2) =


320 + 224 + 512 = 1056 )

through the following procedure: take a copy of the key, and appended to that copy, after its last byte, is a byte equal to the inverse, the bitwise negation, or one's
complement, of the XOR of all the bytes of the original key. This ensures the key as expanded does not consist entirely of zeroes.

Bytes are then generated from the key by chain addition. This means that a byte is generated as follows: the sum, modulo 256, of the first two bytes of the key is
the generated result; and it is also appended to the end of the key, whose first byte is then removed. (Note that the cipher itself uses XOR only, and not addition
modulo 256.)

The method of producing subkey bytes is a degenerate form of the MacLaren-Marsaglia generator. An array with 256 byte positions, called A(0) to A(255), is
filled by generating 256 bytes by means of chain addition.

Then, a subkey byte is generated as follows:

Generate two bytes by chain addition. Call these bytes p and q.

The byte to be used in a subkey is the current value of A(q).

Replace A(q) with p.

The initial value for the key-dependent S-box S8 is generated concurrently with subkey generation by means of the use of two additional arrays, B(0) to B(255)
and C(0) to C(255).

These two arrays are initialized so that B(0) contains 0, B(1) contains 1, and so on, and C also contains the 255 byte values in order as well.

Then, each time a value is stored in a location of A, both the 256 initial values, and the value stored in A(q) each time a subkey byte is generated, the following
procedure is performed:

Let p be the value being stored in the array A, and let q be the index in A of where it is being stored.

If B(q) equals p, then we are finished.

Otherwise:

Store the value of B(q) in v.

Swap element q and element C(p) of array B. (Element C(p) of array B will equal p.)

Store the value of C(p) in w.

Store q in C(p) (since B(q) now has p stored in it), and store w in C(v) (since our swap placed v, the former value of B(q), in B(w) which originally contained p).

Once all the subkeys are generated, starting from the first (most significant) byte of subkey 1, and ending with the last (least significant) byte of subkey 12, the
contents of the array B are used as the key-dependent S-box.
Once these portions of the required subkey material have inital values assigned to them (LK1 and LK2, as well as the table used to choose subkey pool values for
the Quadibloc S part of a round are still empty), we will encipher the contents of S-box S11 as follows:

Four entries in S-box S11, or eight bytes, will be enciphered at a time. Using the initial values of S8 and S10, and the value of S11 upon entry to the encipherment
of four more entries in it, the encipherment of the right half of the block during a regular Quadibloc VI round will be performed, with the following subkeys:

Subkey material Entries in S11


used enciphered

K1 to K10 S11(0) to S11(3)


K11 to K20 S11(4) to S11(7)
...
K71 to K80 S11(28) to S11(31)
V1 to V10 S11(32) to S11(35)
...
V41 to V50 S11(48) to S11(51)
V51 to V56,
S10(0) to S10(7) S11(52) to S11(55)
S10(8) to S10(27) S11(56) to S11(59)
S10(28) to S10(47) S11(60) to S11(63)
...
S10(108) to S10(127) S11(76) to S11(79)

After the first encipherment, the entries in S11 to be enciphered will first be XORed with the result of the previous encipherment, after that result has been rotated
left by two bytes.

Then, the first 80 (16-bit) entries in S11 are swapped with the first 40 (32-bit) subkeys for GoodStuff encipherment.

Starting with the first byte in K41, and continuing to the last byte in S11(255), each byte in this contiguous array of subkey material except for the first 40
GoodStuff subkeys is now modified as follows:

New Byte(n) = Old Byte(n) XOR


Byte(n-1) XOR
S8( Byte(n-158) + Byte(n-160) )
Next, the second 80 entries in S11 are enciphered, S11(80) through S11(159), two at a time, using the left half of a regular Quadibloc VI round as above, once
again using the subkeys in the order above for the encipherment, starting with subkeys K1 through K10, and are swapped after encipherment with the second group
of 40 subkeys for GoodStuff encipherment.

Once again, after the first encipherment in this group of encipherments, the entries in S11 to be enciphered will first be XORed with the result of the previous
encipherment, after that result has been rotated left by two bytes.

Then, the last 112 entries in S11, S11(144) through S11(255), are enciphered by the same method, and are afterwards swapped with V1 through V56. This time,
the subkey material used will extend into the start of S11, as illustrated by the table below:

Subkey material Entries in S11


used enciphered

K1 to K10 S11(144) to S11(147)


K11 to K20 S11(148) to S11(151)
...
K71 to K80 S11(172) to S11(175)
V1 to V10 S11(176) to S11(179)
...
V41 to V50 S11(192) to S11(195)
V51 to V56,
S10(0) to S10(7) S11(106) to S11(199)
S10(8) to S10(27) S11(200) to S11(203)
S10(28) to S10(47) S11(204) to S11(207)
...
S10(108) to S10(127) S11(220) to S11(223)
...
S10(208) to S10(227) S11(240) to S11(243)
S10(228) to S10(247) S11(244) to S11(247)
S10(248) to S10(255),
S11(0) to S11(11) S11(248) to S11(251)
S11(12) to S11(32) S11(252) to S11(255)

And again, after the first encipherment in this final group of encipherments, the entries in S11 to be enciphered will first be XORed with the result of the previous
encipherment, after that result has been rotated left by two bytes.
Starting with the first byte in S10(0), and continuing to the last byte in S11(255), the bytes in the array of subkey material are modified, possibly repeatedly, by the
formula:

New Byte(n) = Old Byte(n) XOR


Byte(n-1) XOR
S2( Byte(n-542) + Byte(n-544) )

where the values n-542 and n-544 begin, on the first pass, as pointing into K1 to K80, and then V1 to V56, but afterwards are confined to the area from the start of
S10 to the end of S11. As this process is performed when the final value of S8 is produced, the fixed S-box S2 is now used.

The old value of Byte(n) is made available to other subkey generation processes, specifically the generation of the control table for Quadibloc S-type subkeys and
of the final value of S8, and this process is repeated only as many times as these processes require input.

First, an array is filled with the first 46 numbers from 0 to 219 in the initial value of S8, followed by the numbers 0 to 219 in order.

Then, a permutation is produced from several blocks of 256 values generated as old Byte(n) values from the shift-register process above applied to the area from
V1 to S11(255), utilizing the following procedure (as seen in Quadibloc II and Quadibloc III):

● Each permutation is generated by the use of either 512, or, under some rare circumstances, only 256, bytes.
● A permutation is generated as follows:
❍ Begin with three arrays of 256 numbers, the first of which is filled with the numbers from 0 to 255 in order. The arrays must also be able to hold the

value -1. The second and third arrays are filled with -1.
❍ For each byte used: let the value of the byte be called N, and let I be a counter which starts at 0 for the first byte, incrementing with each byte used,

and ending at 255.


❍ Then, for each byte:

■ If element N of the first array is not -1, set element N of the first array to -1, and set element I of the second array to N.

■ Otherwise, store N in the first unused position (the first position containing -1) in the third array.

❍ Once this has been done, if the third array contains any numbers other than -1, proceed as follows:

❍ If there is only one filled (not equal to -1) element in the third array, then there is only one remaining element in the first array, and one element of

the second array equal to -1, so fill the second array with the one available byte, and finish.
❍ If there are only two filled elements in the third array, take the least significant bit of the first filled element. If it is zero, fill the -1 elements of the

second array with the remaining elements of the first array in order; if it is one, do so in reverse order, and finish.
❍ If there are less than 256 filled elements in the third array, repeat them over and over to fill the array. Then, take an additional 256 input bytes (thus,

512 bytes are used except when the first 256 bytes contain two or fewer duplicate bytes) and XOR them with the bytes of the third array.
❍ Now, use the third array to complete the second array by doing the following for II from 0 to 255:
■Let the value of element II of the third array be XX.
■Swap elements II and XX of the first array.
❍ Then, scan through the second array. When an element of the second array is -1, fill it with the corresponding element of the first array (if it is not

also -1) and set that element of the first array to -1.
❍ If there are any -1 elements left in the second array, fill them with the elements of the first array that are not -1 in order.

● When this procedure is completed, the contents of the second array are the desired permutation.

Once the permutation is generated, replace every element in it as follows: if the value of that element is N, replace it with element N of the array filled, based on
the initial value of S8, with numbers from 0 to 209, 46 of them twice.

These numbers from 0 to 209 then need to be converted to triples used for selecting subkeys from a group of seven subkeys in the V1 to V56 group. The numbers
from 0 to 34 will be considered to represent triples of distinct numbers in ascending order in numerical order:

0 1 2 3 7 1 3 6 14 1 6 7 21 2 4 7 28 3 5 6
1 1 2 4 8 1 3 7 15 2 3 4 22 2 5 6 29 3 5 7
2 1 2 5 9 1 4 5 16 2 3 5 23 2 5 7 30 3 6 7
3 1 2 6 10 1 4 6 17 2 3 6 24 2 6 7 31 4 5 6
4 1 2 7 11 1 4 7 18 2 3 7 25 3 4 5 32 4 5 7
5 1 3 4 12 1 5 6 19 2 4 5 26 3 4 6 33 4 6 7
6 1 3 5 13 1 5 7 20 2 4 6 27 3 4 7 34 5 6 7

and then this sequence is repeated but with the three elements in each of the other five of the six possible orders to make all 210 combinations:

0 1 2 3 1 1 2 4 ... 34 5 6 7
35 1 3 2 36 1 4 2 ... 69 5 7 6
70 2 1 3 71 2 1 4 ... 104 6 5 7
105 2 3 1 106 2 4 1 ... 139 6 7 5
140 3 1 2 141 4 1 2 ... 174 7 5 6
175 3 2 1 176 4 2 1 ... 209 7 6 5

Now, generate another permutation by the method above. Then, the final value of S8 is produced as follows: for i from 0 to 255, let N equal element i of the old
value of S8, and set element N of the final value of S8 (stored in another array) to be element i of this permutation.

Finally, using our shift register method as applied to V1 through S11(255), acquire sixteen more bytes by replacing their old values with new ones; the old values
taken will be LK1 and LK2.
The key-dependent byte permutations used between the mixing/whitening rounds and the regular rounds are generated as follows:

The one performed after the first mixing/whitening round is obtained by taking the bytes in the final form of S-box S8 of the form 0x, and using their least
significant nibbles to indicate which position each byte of the block will be moved to. This is the dispatch form of the permutation, which is the opposite of the one
used to describe bit and byte transpositions in the description of the Quadibloc ciphers. The one performed after the regular rounds is generated from the bytes of
the form 8x, but is in fetch form, the least significant nibble of each of these bytes indicating the source from which each byte of the result is obtained.

Key generation is now complete.

Variations of Quadibloc VI

Although Quadibloc VI would absolutely need sixteen rounds if the mixing/whitening stages were absent, that does not mean that sixteen rounds are not a good
idea in any case. With sixteen rounds, the required key material consists of:

● One hundred and sixty 32-bit subkeys, designated K1 through K160, ten of which are used for each regular round which contains two rounds of GoodStuff
encipherment;
● Sixteen banks of seven 32-bit subkeys used in the Quadibloc S type rounds which are applied to the right half of the block, which may be designated V1
through V112;
● The key-dependent S-boxes S10 and S11, each of which contains 256 random 16-bit entries;
● Two 64-bit subkeys, LK1 and LK2;
● The key-dependent S-box S8, which contains the bytes 0 to 255 in random order;
● A key-dependent table with 256 entries, each entry being a triple of three distinct integers from 1 to 7, which will contain all 210 possible arrangements
once, and 46 of those arrangements twice, for use in selecting subkeys from the subkey pool for the Quadibloc S type rounds applied to the right half of the
block.

The key generation process closely parallels that for eight rounds, with small changes as follows:

Once again, we begin by filling the key-dependent S-box S11 as follows:

<key> 1 <key> 1 2 <key> 1 2 3 <key>

that is, repeat the key, following it each time by a series of bytes with successive values that is one byte longer.

Then generate initial values for subkeys K1 through K160, pooled subkeys V1 through V112, and the contents of key-dependent S-box S10 (as well as an initial
value for key-dependent S-box S8) by generating 1376 bytes

( (160*4) + (112*4) + (256*2) =


640 + 224 + 512 = 1376 )

through the degenerate MacLaren-Marsaglia procedure from Quadibloc S, and the permutation generated as its side effect is the initial value for S-box S8.

Once these portions of the required subkey material have inital values assigned to them (LK1 and LK2, as well as the table used to choose subkey pool values for
the Quadibloc S part of a round are still empty), we will encipher the contents of S-box S11 as follows:

Four entries in S-box S11, or eight bytes, will be enciphered at a time. Using the initial values of S8 and S10, and the value of S11 upon entry to the encipherment
of four more entries in it, the encipherment of the right half of the block during a regular Quadibloc VI round will be performed, with the following subkeys:

Subkey material Entries in S11


used enciphered

K1 to K10 S11(0) to S11(3)


K11 to K20 S11(4) to S11(7)
...
K151 to K160 S11(60) to S11(63)
V1 to V10 S11(64) to S11(67)
...
V101 to V110 S11(104) to S11(107)
V111 to V112,
S10(0) to S10(15) S11(108) to S11(111)
S10(16) to S10(35) S11(112) to S11(115)
S10(36) to S10(55) S11(116) to S11(119)
...
S10(236) to S10(255) S11(156) to S11(159)

After the first encipherment, the entries in S11 to be enciphered will first be XORed with the result of the previous encipherment, after that result has been rotated
left by two bytes.

Then, the first 160 (16-bit) entries in S11 are swapped with the first 80 (32-bit) subkeys for GoodStuff encipherment.
Starting with the first byte in K81, and continuing to the last byte in S11(255), each byte in this contiguous array of subkey material except for the first 80
GoodStuff subkeys is now modified as follows:

New Byte(n) = Old Byte(n) XOR


Byte(n-1) XOR
S8( Byte(n-318) + Byte(n-320) )

Next, entries S11(80) through S11(240) in S11 are enciphered, two at a time, using the left half of a regular Quadibloc VI round as above, once again using the
subkeys in the order above for the encipherment, starting with subkeys K1 through K10, and are swapped after encipherment with the second group of 80 subkeys
for GoodStuff encipherment.

Once again, after the first encipherment in this group of encipherments, the entries in S11 to be enciphered will first be XORed with the result of the previous
encipherment, after that result has been rotated left by two bytes.

Then, the last 224 entries in S11, S11(32) through S11(255), are enciphered by the same method, and are afterwards swapped with V1 through V112. This time,
the subkey material used will extend into the start of S11, as illustrated by the table below:

Subkey material Entries in S11


used enciphered

K1 to K10 S11(32) to S11(35)


K11 to K20 S11(36) to S11(39)
...
K151 to K160 S11(92) to S11(95)
V1 to V10 S11(96) to S11(99)
...
V101 to V110 S11(136) to S11(139)
V111 to V112,
S10(0) to S10(15) S11(140) to S11(143)
S10(16) to S10(35) S11(144) to S11(147)
S10(36) to S10(55) S11(148) to S11(151)
...
S10(216) to S10(235) S11(184) to S11(187)
S10(236) to S10(255) S11(188) to S11(191)
S11(0) to S11(19) S11(192) to S11(195)
...
S11(200) to S11(219) S11(232) to S11(235)

At this point, the subkey material required has caught up with the bytes we are attempting to encipher, and so we return to the beginning of the available subkey
material, as follows:

Subkey material Entries in S11


used enciphered

K6 to K15 S11(236) to S11(239)


K16 to K25 S11(240) to S11(244)
...
K46 to K55 S11(252) to S11(255)

And again, after the first encipherment in this final group of encipherments, the entries in S11 to be enciphered will first be XORed with the result of the previous
encipherment, after that result has been rotated left by two bytes.

Starting with the first byte in S10(0), and continuing to the last byte in S11(255), the bytes in the array of subkey material are modified, possibly repeatedly, by the
formula:

New Byte(n) = Old Byte(n) XOR


Byte(n-1) XOR
S2( Byte(n-862) + Byte(n-864) )

where the values n-862 and n-864 begin, on the first pass, as pointing into K1 to K160, and then V1 to V112, but afterwards are confined to the area from the start
of S10 to the end of S11. As this process is performed when the final value of S8 is produced, the fixed S-box S2 is now used.

The old value of Byte(n) is made available to other subkey generation processes, specifically the generation of the control table for Quadibloc S-type subkeys and
of the final value of S8, and this process is repeated only as many times as these processes require input.

First, an array is filled with the first 46 numbers from 0 to 219 in the initial value of S8, followed by the numbers 0 to 219 in order.

Then, a permutation is produced from several blocks of 256 values generated as old Byte(n) values from the shift-register process above applied to the area from
V1 to S11(255), utilizing the procedure for generating permutations from Quadibloc II and Quadibloc III.
Once the permutation is generated, replace every element in it as follows: if the value of that element is N, replace it with element N of the array filled, based on
the initial value of S8, with numbers from 0 to 209, 46 of them twice.

These numbers from 0 to 209 then need to be converted to triples used for selecting subkeys from a group of seven subkeys in the V1 to V56 group.

Now, generate another permutation by the method above. Then, the final value of S8 is produced as follows: for i from 0 to 255, let N equal element i of the old
value of S8, and set element N of the final value of S8 (stored in another array) to be element i of this permutation.

Finally, using our shift register method as applied to V1 through S11(255), acquire sixteen more bytes by replacing their old values with new ones; the old values
taken will be LK1 and LK2.

And hence ends key generation for Quadibloc VI with sixteen rounds.

[Next] [Up] [Previous] [Index]

Next
Start of Section
Skip to Next Chapter
Table of Contents
Main Page
Home Page
[Next] [Up] [Previous] [Index]

Quadibloc S
Quadibloc S is a block cipher with a 64-bit block, based on the original QUADIBLOC, but
including in its f-function one feature from Quadibloc II, while omitting the use of S-box S2
on the half of the block being modified.

The version with four rounds is being specifically proposed here. Since each f-function
involves three table lookups, even this could be considered to be comparable, at least in the
time taken, to 12-round DES. That means that six rounds (comparable to 18) would be
acceptably fast: but the four round version is being considered specifically to examine what
sort of cryptanalytic attacks are possible.

It may be that Quadibloc S with eight rounds, except for the fact of a 64-bit block size, would
be secure enough for actual use. Certainly, it should be secure with sixteen rounds, being
comparable to original QUADIBLOC. Also, a key schedule is used that should be more secure
than that of the original QUADIBLOC, but much less complicated than that of Quadibloc II.

The Rounds

Each round proceeds as follows:

A copy of the right half, which will actually be unchanged by this round, is taken.

This now describes the f-function:

The copy is XORed with the round's first subkey (subkey 1 for round 1, subkey 4 for round 2,
to subkey 10 for round 4).

Then, each byte is replaced by its substitute in S-box 1, whose contents are given in the section
on Euler's Constant and the Quadibloc S-Boxes.

The bits of the result, considered to be numbered from 1 (most significant bit of the first,
leftmost byte) to 32 (least significant bit of the last, rightmost byte) following the pattern in
DES, are to be transposed so that these bits are then in the order below, still labelled with their
previous positions:

1 2 27 28 21 22 15 16
9 10 3 4 29 30 23 24
17 18 11 12 5 6 31 32
25 26 19 20 13 14 7 8

The result is then XORed with the second subkey for the round. Then, S-box S1 and the bit
transposition are applied again, and the result of that is XORed with the third subkey for the
round.

Then, the four bytes of the result are replaced with their substitutes in a key-dependent S-box.
This produces the final result, which is XORed with the left half of the block. This change to
the value of the block is the end product of the round. Finally, in all rounds but the last one, the
two halves of the block are swapped.

The operation of a round of Quadibloc S is illustrated by this diagram:

The Key Schedule

The key consists of four or more bytes.

The first step of key generation is this: appended to the key, after its last byte, is a byte equal to
the inverse, the bitwise negation, or one's complement, of the XOR of all the bytes of the
original key. This ensures the key as expanded does not consist entirely of zeroes.

Bytes are then generated from the key by chain addition. This means that a byte is generated as
follows: the sum, modulo 256, of the first two bytes of the key is the generated result; and it is
also appended to the end of the key, whose first byte is then removed. (Note that the cipher
itself uses XOR only, and not addition modulo 256.)
The method of producing subkey bytes is a degenerate form of the MacLaren-Marsaglia
generator. An array with 256 byte positions, called A(0) to A(255), is filled by generating 256
bytes by means of chain addition.

Then, a subkey byte is generated as follows:

Generate two bytes by chain addition. Call these bytes p and q.

The byte to be used in a subkey is the current value of A(q).

Replace A(q) with p.

The key-dependent S-box is generated concurrently with subkey generation. Two additional
arrays, B(0) to B(255) and C(0) to C(255), are used in this process.

These two arrays are initialized so that B(0) contains 0, B(1) contains 1, and so on, and C also
contains the 255 byte values in order as well.

Then, each time a value is stored in a location of A, both the 256 initial values, and the value
stored in A(q) each time a subkey byte is generated, the following procedure is performed:

Let p be the value being stored in the array A, and let q be the index in A of where it is being
stored.

If B(q) equals p, then we are finished.

Otherwise:

Store the value of B(q) in v.

Swap element q and element C(p) of array B. (Element C(p) of array B will equal p.)

Store the value of C(p) in w.

Store q in C(p) (since B(q) now has p stored in it), and store w in C(v) (since our swap placed
v, the former value of B(q), in B(w) which originally contained p).

Once all the subkeys are generated, starting from the first (most significant) byte of subkey 1,
and ending with the last (least significant) byte of subkey 12, the contents of the array B are
used as the key-dependent S-box.

Test Vectors

The following is output from a short BASIC program which implements four-round Quadibloc
S.
Keys and the block are shown as sequences of bytes, from first to last, represented as decimal
numbers from 0 to 255, for simplicity in programming.

Encipherment of an all-zero block with a four-byte all-zero key.

Subkeys for the given key are:


1 ) 98 96 250 128
2 ) 239 154 244 76
3 ) 131 160 14 28
4 ) 0 255 116 10
5 ) 215 163 226 153
6 ) 64 16 220 185
7 ) 239 162 182 164
8 ) 127 62 65 112
9 ) 102 221 47 175
10 ) 0 0 255 159
11 ) 21 0 136 184
12 ) 241 165 38 64

The key-dependent S-box contains:


255 63 67 102 181 6 238 9
231 139 89 59 13 253 208 134
66 250 230 254 241 22 246 118
75 170 236 240 200 234 195 148
46 7 74 114 131 50 68 152
92 78 100 202 117 247 227 90
73 141 218 130 164 104 201 179
15 91 228 105 84 190 43 160
21 18 26 232 58 251 83 166
169 226 199 119 177 115 244 77
111 162 137 204 8 248 189 154
38 159 187 225 132 71 39 161
165 198 217 125 110 194 41 155
11 153 51 35 86 25 184 72
252 135 101 211 235 85 23 203
167 242 5 168 120 133 172 124
31 213 107 109 223 140 149 147
122 47 245 49 20 69 237 150
210 174 196 197 138 145 193 54
206 82 99 81 17 129 126 30
188 29 171 96 144 1 128 37
123 176 14 10 143 151 219 3
142 79 16 60 45 221 182 209
76 183 34 94 27 93 70 175
121 65 61 156 19 186 173 28
214 205 103 229 2 192 52 88
56 215 108 220 157 55 243 136
44 207 42 113 180 116 249 32
33 98 106 158 212 222 163 146
185 178 112 53 4 36 62 95
57 12 87 233 239 97 127 40
216 80 224 64 24 0 48 191

Plaintext block is:


0 0 0 0 0 0 0 0

Right half after first subkey is:


98 96 250 128
Right half after first S/P stage:
42 72 142 117
Right half after second subkey is:
197 210 122 57
Right half after second S/P stage:
174 235 31 169
Right half after third subkey is:
45 75 17 181
f-function output:
247 119 250 221
Block after round 1 is:
0 0 0 0 247 119 250 221
Right half after first subkey is:
247 136 142 215
Right half after first S/P stage:
250 22 190 199
Right half after second subkey is:
45 181 92 94
Right half after second S/P stage:
43 0 180 25
Right half after third subkey is:
107 16 104 160
f-function output:
35 66 11 188
Block after round 2 is:
247 119 250 221 35 66 11 188

Right half after first subkey is:


204 224 189 24
Right half after first S/P stage:
55 146 122 31
Right half after second subkey is:
72 172 59 111
Right half after second S/P stage:
150 191 152 23
Right half after third subkey is:
240 98 183 184
f-function output:
57 217 209 76
Block after round 3 is:
35 66 11 188 206 174 43 145

Right half after first subkey is:


206 174 212 14
Right half after first S/P stage:
32 81 143 194
Right half after second subkey is:
53 81 7 122
Right half after second S/P stage:
110 12 227 37
Right half after third subkey is:
159 169 197 101
f-function output:
30 176 186 194
Enciphered block is:
61 242 177 126 206 174 43 145

Encipherment, with the same 32-bit key of all zeroes, of the


64-bit block
0000000000000000000000000000000000000000000000000000000000000001

Plaintext block is:


0 0 0 0 0 0 0 1

Right half after first subkey is:


98 96 250 129
Right half after first S/P stage:
26 64 140 245
Right half after second subkey is:
245 218 120 185
Right half after second S/P stage:
154 185 226 46
Right half after third subkey is:
25 25 236 50
f-function output:
170 170 4 218
Block after round 1 is:
0 0 0 1 170 170 4 218

Right half after first subkey is:


170 85 112 208
Right half after first S/P stage:
52 64 47 151
Right half after second subkey is:
227 227 205 14
Right half after second S/P stage:
39 0 195 243
Right half after third subkey is:
103 16 31 74
f-function output:
155 66 148 199
Block after round 2 is:
170 170 4 218 155 66 148 198

Right half after first subkey is:


116 224 34 98
Right half after first S/P stage:
79 157 125 61
Right half after second subkey is:
48 163 60 77
Right half after second S/P stage:
27 65 178 232
Right half after third subkey is:
125 156 157 71
f-function output:
133 17 129 166
Block after round 3 is:
155 66 148 198 47 187 133 124

Right half after first subkey is:


47 187 122 227
Right half after first S/P stage:
140 227 55 41
Right half after second subkey is:
153 227 191 145
Right half after second S/P stage:
215 41 195 194
Right half after third subkey is:
38 140 229 130
f-function output:
68 20 222 107
Enciphered block is:
223 86 74 173 47 187 133 124

Encipherment of an all-zero block with the key


00000000000000000000000000000001

Subkeys for the given key are:


1 ) 113 110 181 254
2 ) 123 250 8 142
3 ) 80 161 177 11
4 ) 56 251 144 61
5 ) 73 225 29 205
6 ) 181 16 190 1
7 ) 123 179 56 142
8 ) 222 26 255 191
9 ) 67 237 3 76
10 ) 242 175 217 77
11 ) 0 27 125 190
12 ) 222 139 114 248

The key-dependent S-box contains:


15 5 43 125 188 7 209 68
60 63 193 19 221 102 40 2
175 150 159 85 70 146 184 251
151 246 232 104 26 87 157 34
233 243 215 203 95 162 59 56
136 211 164 208 52 0 16 244
35 4 140 99 69 235 30 107
90 138 72 122 117 212 36 83
88 191 49 134 121 183 42 75
222 169 39 163 119 135 62 132
155 128 67 118 80 82 130 247
3 120 139 194 133 160 105 181
1 97 223 57 214 170 110 17
6 154 248 114 38 230 24 237
148 255 54 89 166 147 53 115
204 20 200 219 64 210 152 71
224 182 174 93 185 220 201 250
149 37 179 171 143 186 156 41
58 73 196 234 161 131 213 86
92 245 207 11 231 81 45 153
189 98 126 55 218 195 27 238
112 44 65 111 100 48 18 167
12 10 29 124 47 91 101 226
46 216 252 253 78 206 198 187
144 22 127 173 108 199 14 165
229 239 61 141 9 76 28 225
113 142 84 177 241 197 94 236
137 116 217 66 109 31 190 129
254 106 240 79 202 25 180 178
50 33 205 13 228 21 176 51
74 249 123 227 242 172 145 168
96 192 77 23 8 32 158 103

Plaintext block is:


0 0 0 0 0 0 0 0

Right half after first subkey is:


113 110 181 254
Right half after first S/P stage:
171 207 58 116
Right half after second subkey is:
208 53 50 250
Right half after second S/P stage:
181 120 192 147
Right half after third subkey is:
229 217 113 152
f-function output:
25 116 255 92
Block after round 1 is:
0 0 0 0 25 116 255 92

Right half after first subkey is:


33 143 111 97
Right half after first S/P stage:
109 240 44 94
Right half after second subkey is:
36 17 49 147
Right half after second S/P stage:
158 76 216 205
Right half after third subkey is:
43 92 102 204
f-function output:
208 133 110 9
Block after round 2 is:
25 116 255 92 208 133 110 9

Right half after first subkey is:


171 54 86 135
Right half after first S/P stage:
238 34 203 94
Right half after second subkey is:
48 56 52 225
Right half after second S/P stage:
50 141 65 164
Right half after third subkey is:
113 96 66 232
f-function output:
255 1 49 50
Block after round 3 is:
208 133 110 9 230 117 206 110

Right half after first subkey is:


20 218 23 35
Right half after first S/P stage:
130 158 232 13
Right half after second subkey is:
130 133 149 179
Right half after second S/P stage:
14 74 147 130
Right half after third subkey is:
208 193 225 122
f-function output:
113 22 106 200
Enciphered block is:
161 147 4 193 230 117 206 110

[Next] [Up] [Previous] [Index]

Next
Start of Section
Skip to Next Section
Skip to Next Chapter
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]

Quadibloc VII
Quadibloc VII is an attempt to embody the principles found in the Large-Key
Brainstorm within the compass of a block cipher.

The subkey material it uses consists of:

● Two S-boxes, each containing 256 entries, each entry being 16 bits in length;
(1024 bytes)
● Thirty-two subkeys, four for each of eight rounds, each 16 bits in length; (64
bytes)
● Ninety-six subkey pools, each one containing 16 subkeys, each subkey being 16
bits in length, (3072 bytes)

for a total of 4,160 bytes of subkey material.

The Rounds

The first two rounds of Quadibloc VII look like this:


In Quadibloc VII, the 128-bit block is divided into four quarters, of 32 bits each, each
of which is further divided into two 16-bit halves. Each round of Quadibloc VII
consists of four Feistel rounds performed on each of these pairs of 16-bit halves.

The XOR of the two halves of the first 32-bit quarter after two Feistel rounds is used to
control, for each of the four Feistel rounds performed on the next quarter, which of
sixteen possible subkeys are used.

After every odd-numbered round, the eight 16-bit subblocks are permuted to the
following order (expressed in terms of a list of the sources of the subblocks after the
permutation):

7 6 1 8 3 2 5 4

thus, the left halves move to the next later quarter, and the right halves move to the
corresponding position in the other half of the entire block.

After every even-numbered round except the last, the eight 16-bit subblocks are
permuted to the following order (expressed in terms of a list of the sources of the
subblocks after the permutation):

7 4 1 6 3 8 5 2

thus, the left halves move to the next later quarter, and the right halves move to the
next earlier quarter.

This diagram illustrates, by color-coding, how the pieces of the block move during the
8 rounds of Quadibloc VII:

and here is a table showing this in text form:

(1) [2] 3 4 5 6 7 8
7 6 (1) 8 3 [2] 5 4
5 8 7 [2] (1) 4 3 6
3 4 5 6 7 8 (1) [2]
(1) 6 3 8 5 [2] 7 4
7 2 (1) 4 3 6 5 8
5 4 7 6 (1) 8 3 [2]
3 8 5 [2] 7 4 (1) 6

The paths of the first left half and the first right half are indicated by brackets. Note that
the first left half, 1, is enciphered:

with right half in rounds


2 1, 4
4 3, 6
6 5, 8
8 7, 2

thus ensuring that the blocks affect the other blocks by being enciphered with them in
the small Feistel rounds, in addition to affecting them by modifying their encipherment
through the use of the subkey pools.

The f-function is merely the XOR of the value in S10 indexed by the leftmost half of
the input with the value in S11 indexed by the rightmost half of the input.

The Key Schedule

While the round structure of Quadibloc VII is impressive, as is to be expected given the
large amount of subkey material it consumes, as there are only two S-boxes in the
cipher, both of them key-dependent, the cipher is still only as good as its key schedule.

Initially, the subkeys will be filled in the following order: first the 96 subkey pools,
then the two S-boxes (first S10, then S11, from entry 0 to entry 255 each), then the 32
fixed subkeys. And they will be initially filled by means of almost the same key
generation method as used in Quadibloc S:

The key consists of two or more bytes.

The key is expanded to prevent a key that is long and of all zeroes in whole or in part
from causing poor results as follows: a key of n bytes is expanded to one of 3n+1
bytes, the last byte of which is a byte equal to the inverse, the bitwise negation, or one's
complement, of the XOR of all the bytes of the original n byte key. The first 3n bytes
of the key alternate between a byte from each of the following sources:
● The n bytes of the original key, in order.
● One of the possible byte values, starting from 127, and incrementing by one
each time.
● The bytes of the original key, in reverse order, inverted, and with 1, 2, 3, and so
on added to them.

Thus, if the original key is 0 128 255, after expansion the key becomes 0 127 1 128 128
129 255 129 2 128.

Bytes are then generated from the key by chain addition. This means that a byte is
generated as follows: the sum, modulo 256, of the first two bytes of the key is the
generated result; and it is also appended to the end of the key, whose first byte is then
removed. (Note that the cipher itself uses XOR only, and not addition modulo 256.)

The method of producing subkey bytes is a degenerate form of the MacLaren-


Marsaglia generator. An array with 256 byte positions, called A(0) to A(255), is filled
by generating 256 bytes by means of chain addition.

Then, a subkey byte is generated as follows:

Generate two bytes by chain addition. Call these bytes p and q.

The byte to be used in a subkey is the current value of A(q).

Replace A(q) with p.

Once all the subkeys have been filled by this method, the quantity
01F253A435C607F859AA3BCC0DFE5FA0 is to be enciphered with the temporary
subkeys thus calculated, for the first four rounds of a normal Quadibloc VII
encipherment.

This output is now used as the key from which bytes are generated by chain addition. It
is expanded, but not in the same fashion as the original key: it is only doubled in
length, and the bytes of the key alternate with the bytes of the key in reverse order,
inverted (but without anything added to them). Since 32 is not a number of the form 3n
+1 (unlike 16, which is such a number), both keys are ensured to be different in length.

Then, the degenerate MacLaren-Marsaglia procedure is to be repeated, with the bytes


produced by it XORed with the subkey bytes in order.

[Next] [Up] [Previous] [Index]


Next
Start of Section
Skip to Next Chapter
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]

Quadibloc VIII
Quadibloc VIII is a design reminiscent of Quadibloc II and Quadibloc III. With a
simple and uniform round structure, it still attempts to make the algorithm itself, not
just the subkeys applied, variable.

Because of the variability in the algorithm, it is not suited to smart card applications, as
it is not resistant to attacks based on timing or power consumption. Also, there could be
weak keys, both because some keys might cause short sequences in the shift registers
used for producing subkeys, and because some keys might lead to duplicate entries in
S10 and S11. The byte interchange between rounds might be questioned. However, I
am of the opinion that the same factors which seem to contribute these weaknesses also
contribute more in strength than they remove, and that the design prevents potential
weaknesses such as these from being exploitable.

It may be noted that this design has drawn inspiration from many quarters. It uses the
bit swap under mask of ICE, and the XOR with subkeys of the left-hand quarter of
each half was inspired by LOKI-97, as was the manner of minimally alternating
between two S-boxes in the f-function in the left half to avoid a rotational symmetry.
The concept of having initial and final mixing and whitening phases, even though the
phases themselves may not much resemble those of MARS, is due to that cipher, and
the notion of placing the algorithm under the control of the key owes something to
FROG. Using the initial mixing and whitening phases to vary where each bit goes in
the algorithm is somewhat similar to the method used in FROG to achieve algorithmic
variability. The basic regular round structure consists of two Feistel rounds, each one
operating between two quarters of the block within one half of the block; RC6 has a
similar basic round structure, but with one important difference: in RC6, the block,
viewed as LRLR, modifies each R portion based on a function involving both its own
L portion and the other one, so that each R portion depends on both L portions. In
Quadibloc VIII, although the block also has an LRLR form, and the first L portion is
transformed in an invertible manner that depends only on the key (instead of being left
alone as in the original Feistel structure), the first R portion depends only on the first L
portion, while the second R portion depends on both L portions, and even the second L
portion is transformed in a way that depends on the first L portion.

Overview of Quadibloc VII

Quadibloc VIII consists of sixteen rounds, with a brief whitening and mixing phase at
the beginning and end of the cipher.
For the purpose of a round, a block is divided into two halves, each half being further
subdivided into two quarters. In each half, the left quarter is used as the input to an f-
function, basically the f-function from Quadibloc S and Quadibloc II and others, and
the output is XORed with the right quarter.

Before and after being used as the input to the f-function, the left quarter is put through
one of two keyed transformations. The same is done with the right quarter before and
after being XORed with the output from the f-function.

The left quarter only, at the beginning and end of the round, is XORed with subkey
material.

For the left half only, an extra output is derived from the calculation of the f-function.
This extra output supplies bits which have a nonlinear effect on transformations applied
to the right quarter of the left half, and to both quarters of the right half.

● The Standard Rounds


● The Mixing and Whitening Phase
● The Key Schedule
● The Rationale of the Design

[Next] [Up] [Previous] [Index]

Next
Start of Section
Skip to Next Chapter
Table of Contents
Main Page
[Next] [Up/Previous] [Index]

The Standard Rounds


The basic round of Quadibloc VIII consists of two connected Feistel rounds, each performed on one half of the
block. Every effort has been made to supply a complete description of the algorithm in the text, but reference to
the illustrations may make it easier to understand. Also, if any ambiguity is left, it should be understood that this
cipher was conceptualized according to big-endian conventions; in all cases, the leftmost bits of any byte or word
correspond to its most significant bits when it is considered as a number.

The left half


The following diagram illustrates the part of a Quadibloc VIII round that acts on the left half of the block:

The left quarter of the left half

The left quarter of the left half of the block is first modified by being XORed with a 32-bit subkey (in the case of
the first round, this is subkey 49, and the number is advanced by 2 with each round). Then it is subjected to one
of two possible transformations: either it is divided into four bytes, and each pair of bytes is enciphered through a
two small-scale Feistel rounds, using key-dependent S-box S8 as the f-function, or it is divided into two 16-bit
portions which are enciphered by two Feistel rounds.

The result of that transformation is used as the input to the f-function.

Then, the other of the two possible transformations is performed on the left quarter of the left half of the block,
and finally another 32-bit subkey is XORed with it (subkey 50 in the first round, advanced by 2 for each
succeeding round).
The two small transformations of a 32-bit quarter of the block are, in detail, as follows:

In the first transformation, numbering the bytes from 1 to 4 from left to right, first byte 2 of the block is
changed by being XORed with the byte of S8 indicated by byte 1 of the block XORed with byte 1 of the subkey,
and at the same time byte 4 of the block is changed by being XORed with the byte of S8 indicated by byte 3 of
the block XORed with byte 2 of the subkey. (These XORs, and those in the next paragraph, may be changed to
modulo-256 addition, under circumstances to be noted below.)

Subsequently, byte 1 of the block is changed by being XORed with the byte of S8 indicated by byte 2 of the
block (in its current modified state) XORed with subkey byte 3, and at the same time byte 3 of the block is
changed by being XORed with the byte of S8 indicated by byte 4 of the block (in its current modified state)
XORed with subkey byte 4.

Thus, the block is divided into two halves; each half is subjected to two Feistel rounds in place, and the input to
the f-function comes first from the byte on the left, and then in the second round from the byte on the right. The
key-dependent S-box provides the f-function.

In the second transformation, the 32-bit block is split into two 16-bit halves. Two Feistel rounds take place,
with the left half initially supplying the input to the f-function. The f-function begins with the input being
XORed to 16 bits of subkey (the left half in the first round, the right half in the second, of a 32-bit subkey); then,
the left half of the result is used to index into key-dependent S-box S10, and the right half of the result is used to
index into key-dependent S-box S11. The two items found are then added (with the left byte being the most
significant), and the result is the f-function output. The round is completed by modifying the target half of the
block by XORing it with the f-function output.

Considering 32-bit subkey 721 as being composed of bits numbered from 1 to 32 from left to right, bit 1, if it is a
1, changes all the XORs in the first transformation when it is applied to the left quarter of the left half of the 128-
bit block in the first round to additions, both those where the subkey is XORed to the index into S8, and where
the output from S8 is XORed to a byte of the block.

This is done by bits 2 through 16 in rounds 2 through 16.

Bit 17, if it is a 1, causes the second of the two transformations, the one which acts on 16-bit halves of the 32-bit
quarter, to take place first, in the first round. Bits 18 through 32 do this for rounds 2 through 16.

The f-function

The f-function used in Quadibloc VIII is essentially the same f-function as seen in Quadibloc II and Quadibloc S,
except with the use of different S-boxes and, in the case of the left half, an intermediate result is taken, which is
not the same as the one taken in Quadibloc III, which also uses an otherwise similar f-function.

The f-function consists of three general types of phase: S, for substitution, P, for bit-permutation, and X, for the
XOR of subkey material. The f-function used here is of the type XSPXSPXS. By having two full SP layers,
changing a single bit of the input always affects the entire f-function output, and therefore the avalanche property
of Quadibloc S is considerably stronger than that of DES; in return for a slower f-function, a single bit change in
the input block propagates to the whole block after only four rounds instead of eight.

The first S phase uses S-boxes 1, 1, 1, and 2 in order from left to right, and the second uses S-boxes 1, 2, 2, and 2
from left to right. S1 and S2 are as described in the description of previous ciphers in the Quadibloc series,
having been generated from Euler's constant.

The bit permutation used is a straightforwards one, where the first (leftmost) two bits of each byte remain in
position, the next two bits are rotated one byte to the right, the third pair of bits rotated 16 bits, and the last
(rightmost) two bits of each byte are rotated one byte to the left. Again, this is given in the description of the
original Quadibloc cipher.

The third S-phase replaces all the bytes with their substitutes in key-dependent S-box S8.

The subkeys XORed with the f-function input are subkeys 1, 2, and 3 in the first round, and the subkey numbers
are offset by 3 with each succeding round (thus, subkeys 4, 5, and 6 are used in round 2).

An auxilliary result is also produced from the f-function for the left half of the block. This result is the XOR of
the current values in the f-function after, of the complete f-function, in the form XSPXSPXS, the parts from the
beginning labelled XSP and the parts XSPXSP have been done.

For the remaining three quarters of the block, the auxilliary result will be used to control the order of the two
transformations applied to a single quarter, and whether, for the transformation of the first kind (which may be
done first or second) XORs or single-byte additions are used, in the fashion that subkey 721 controlled this for
the first quarter. Other bits of the auxilliary result will be used to select subkeys for use in subsequent
encipherment from a set of four possible values, and to select S-boxes from two possibilities for the f-function
used in the right half of the block.

The right quarter of the left half

First, the right quarter of the left half is subjected to one of the two available transformations. If the bits of the
auxilliary output of the f-function are numbered from 1 to 32 from left to right, bit 28, if it is 0, indicates that the
transformation of the first type, using S8 as the f-function, is done first; if it is 1, it indicates that the
transformation with a 16-bit wide f-function is done first. Bit 27 indicates, if it is a 1, that the XORs in the
transformation of the first type uses bytewise additions instead of XORs.

Bits 9 and 10 indicate, as a two bit number, bit 9 being more significant, which of the subkeys 145, 289, 433, or
577 is used for the transformation of the first type (whether it is done first or second), and bits 11 and 12
similarly indicate whether subkey 146, 290, 434, or 578 is used for the transformation of the second type. (In the
next round, and each time one progresses from one round to the next, the number of each subkey in each of these
groups of four subkeys is advanced by 9.)

After the first transformation is performed, the f-function output is XORed with the right quarter of the left half
of the block. Then, the second transformation is performed.

The right half


This diagram illustrates the part of a Quadibloc VIII round that acts on the right half of the block:
In the upper left corner of this diagram, the 32-bit auxilliary output from the f-function in the right half is shown.

As can be seen from comparing the two diagrams, the operations that take place on the right half of the block are
very similar to those which apply to the left half of the block. The main difference is that the 32-bit auxilliary f-
function output came from the left half, and it is used extensively in modifying the encipherment of the right half
(only six of its 32 bits were used to affect the transformations which applied to the right quarter of the left half).

The left quarter of the right half

Here, subkey 113 is first XORed with this quarter. This subkey number advances by 1 with each round, not by 2
as for the left half. Bit 30 of the auxilliary f-function output from the left half controls whether the transformation
of the first type (if 0) or of the second type (if 1) is done first, and bit 29, if 1, selects the use of bytewise addition
in the transformation of the first type.

Again, as before, the value between the two transformations is used as the f-function input. Bits 13 and 14 of the
auxilliary f-function output select the subkey (from 147, 291, 435, and 579) to use for the transformation of the
first type, and bits 15 and 16 select the subkey (from 148, 292, 436, and 580) to use for the transformation of the
second type.

After both transformations, subkey 129 is XORed with this quarter.

The f-function

Again, the same XSPXSPXS structure is used. For the first two S stages, S-boxes 3 and 4 in the sequence
generated from Euler's constant are used. Bits 1 through 8 of the auxilliary f-function output from the left half
determine (0=S-box 3, 1=S-box 4) which S-box is used, for the four bytes of the f-function input in order from
left to right, first in the first stage and then in the second. The third S phase again just substitutes bytes from S-
box S8.

The three subkeys used are selected (in the first round, and advanced by 9 for each succeeding round as
previously noted) from subkeys 149, 293, 437, and 581 for the first XOR, guided by bits 21 and 22 of the
auxilliary f-function output; from subkeys 150, 294, 438, and 582 (in the first round) for the second XOR by bits
23 and 24; from subkeys 151, 295, 439, and 583 (in the first round) for the third XOR by bits 25 and 26.

The right quarter of the right half

Again, here we have two transformations, with the XOR of the f-function output in the middle. Bit 32 controls
which transformation comes first, and bit 30 controls whether XOR or addition is used in the transformation of
the first type. The transformation of the first type uses, in the first round, a subkey from subkeys 152, 296, 440,
and 584, as selected by bits 17 and 18 of the auxilliary output of the f-function in the left half, and the
transformation of the second type uses a subkey from subkeys 153, 297, 441, and 585, as selected by bits 19 and
20 of the auxilliary output of the f-function from the left half.

Byte Interchange
After each round of Quadibloc VIII, except round 16, the 16 bytes of the block are rearranged from being in the
order

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

to being in the order:

16 8 5 6 12 10 3 1 13 15 7 14 4 2 11 9

[Next] [Up/Previous] [Index]

Next
Start of Section
Skip to Next Chapter
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]

Mixing and Whitening


The mixing and whitening phase on entry to the cipher is illustrated below:

Since mixing consists of Feistel round operations on pairs of bytes, ICE-style bit
swapping is first applied to move half the bits from the left to the right side of that
operation (and vice versa).

Then, after two rounds of mixing, an ICE-style swap moves half the bits from the left
half of the block to the right half of the block (and vice versa), making it uncertain
whether any bit is in the left-hand side simple Feistel round or in the right-hand side
controlled Feistel round to begin with.

Finally, after two more rounds of mixing, and ICE-style swap moves bits between the
left and right quarters of each half, randomizing what side of the f-function they start
out on.
On exit from the cipher, the masks M4, M5, and M6 are applied in order, and the
Feistel rounds applied to pairs of bytes still use the left byte as input to the f-function
first, as illustrated below:

The masks are produced by applying a 4 of 8 code to subkey material, guaranteeing


that exactly four of the eight bits in any byte are swapped in each swapping step.

[Next] [Up] [Previous] [Index]

Next
Start of Section
Skip to Next Chapter
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]

The Key Schedule


The key material used by Quadibloc VIII consists of:

● Six 64-bit swap masks, M1 through M6, each produced from 48 bits of normal subkey
material (specifically, the least significant 6 bits of each byte of 64 bits of normal
subkey material) by the use of a 4 of 8 code;
● One key-dependent S-box, S8, consisting of a permutation of the numbers from 0 to
255;
● Two key-dependent S-boxes, S10 and S11, each consisting of 256 16-bit values;
● Seven hundred and twenty-one 32-bit subkeys, organized as follows:
❍ 48 subkeys, from K1 through K48, used with the f-function in the left half;

❍ 32 subkeys, from K49 through K80, used to XOR with the left quarter of the

left half of the block at the beginning and end of each round;
❍ 16 subkeys, from K81 through K96, used as input to the transformation of the

first type applied to the left quarter of the left half of the block;
❍ 16 subkeys, from K97 through K112, used as input to the transformation of the

second type applied to the left quarter of the left half of the block;
❍ 16 subkeys, from K113 through K128, used to XOR with the left quarter of the

right half of the block at the beginning of each round;


❍ 16 subkeys, from K129 through K144, used to XOR with the left quarter of the

right half of the block at the end of each round;


❍ 144 subkeys, from K145 through K288, serving as the first of four entries in

each of nine subkey pools per round;


❍ 144 subkeys, from K289 through K432, serving as the second of four entries in

each of nine subkey pools per round;


❍ 144 subkeys, from K433 through K576, serving as the third of four entries in

each of nine subkey pools per round;


❍ 144 subkeys, from K577 through K720, serving as the fourth of four entries in

each of nine subkey pools per round;


❍ One subkey, K721, which determines the order of transformations, and the use

of XOR or byte-wide addition in the transformation of the first kind, for the
left quarter of the left half of the block in each round.

The key, which must be a multiple of 32 bits in length, is expanded into four different strings
of bytes as follows:

1. The first string consists of the key, with the one's complement of the modulo 256 sum
of all the bytes in the key appended.
2. The second string consists of the bytes in the key in normal order, alternating with the
one's complement of the bytes of the key in reverse order.
3. The third string consists of the bytes of the key in normal order, alternating with
consecutive numbers starting with 1, and with the bytes of the key in reverse order,
except that the last byte this would produce (a copy of the first byte of the key) is
omitted.
4. The fourth string consists of the bytes of the first half of the key, alternating with the
one's complement of the bytes of the second half of the key, alternating with
consecutive numbers starting with 128, alternating with the one's complement of the
bytes in the first half of the key in reverse order, but with the last byte this would
produce omitted.

Thus, four strings of different length are produced, and the bytes of the key are distributed
through these strings with different spacings. Also, no string can be all zeroes.

For example, given a key consisting of eight bytes with the values 1 2 3 4 5 6 7 8, the four
strings will be

1 2 3 4 5 6 7 8 219

1 247 2 248 3 249 4 250 5 251 6 252 7 253 8 254

1 1 8 2 2 7 3 3 6 4 4 5
5 5 4 6 6 3 7 7 2 8 8

1 251 128 250 2 252 129 249 3 253 130 248 4 254 131

Each of these four strings is used to produce bytes by chain addition. A cycle of chain
addition proceeds as follows: The modulo-256 sum of the first two bytes of the string is
calculated. This value is the current output from the process. The string is modified by having
its first byte removed, and the calculated sum appended to the end of the string.

A source of subkey bytes is set up as follows:

● 256 bytes are produced by chain addition from the first string. These fill 256-byte
buffer 1. 256 bytes are produced by chain addition from the second string. These fill
256-byte buffer 2.
● When bytes are produced, the four strings, from first to fourth, will be rotated between
the designations of string A, B, C, and D in the following pattern, which repeats for
each four bytes generated:
❍ A: first, B: second, C: third, D: fourth

❍ A: second, B: first, C: third, D: fourth

❍ A: first, B: second, C: fourth, D: third

❍ A: second, B: first, C: fourth, D: third

● To produce a byte of subkey material, string B is subjected to chain addition, and the
value it produces is used as an index into buffer 1. The value in buffer 1 at that point
is removed, and called output X. String A is subjected to chain addition, and the value
it produces replaces the value removed from buffer 1. (This is, of course, the classic
MacLaren-Marsaglia technique.) Similarly, string D is subjected to chain addition,
and the value it produces is used as an index into buffer 2. The value at this point is
removed, and becomes output Y, and is replaced by the output from subjecting string
C to chain addition.
● The XOR of outputs X and Y is used as the desired byte of subkey material.

At this point, the bytes of subkey material are subjected to a further operation during key
revision, to be described below.

The required subkey material is produced from this byte generator as follows:

● 1024 bytes are generated, to form the contents of S10 and S11.
● A permutation of the bytes from 0 to 255 is produced from generator output, in a
fashion to be described below, and this permutation will be called P.
● 2884 bytes are generated, forming the 721 32-bit subkeys.
● Another permutation of the byte values from 0 to 255 is produced. This permutation is
called Q. The S-box S8 can now be calculated, and satisfies the equation Q(S8(x)) = P
(x). Thus, it is produced by applying the inverse of Q to P.
● Six groups of eight bytes are calculated. The first two bits of these bytes are ignored;
the last six bits are used to index into the 4 of 8 code used with Quadibloc, and thus
the masks M1 through M6 are formed. (The original bytes used as input to the 4 of 8
code must be retained if a subsequent key revision phase is to be performed.)

The first byte generated is always used to fill the leftmost byte of a multi-byte subkey.

Here is the 4 of 8 code used for producing the masks:

55 56 59 5A 65 66 69 6A 95 96 99 9A A5 A6 A9 AA
35 36 39 3A C5 C6 C9 CA 53 5C 63 6C 93 9C A3 AC
4D 4E 71 72 8D 8E B1 B2 17 1B 27 2B D4 D8 E4 E8
1D 1E 2D 2E D1 D2 E1 E2 47 4B 74 78 87 8B B4 B8

The basic procedure for generating a permutation, used to produce permutations P and Q
from generator output, is, as used with Quadibloc II, the following:

● Begin with three arrays of 256 numbers, the first of which is filled with the numbers
from 0 to 255 in order. The arrays must also be able to hold the value -1. The second
and third arrays are filled with -1.
● For each of 256 bytes produced by the generator: let the value of the byte be called N,
and let I be a counter which starts at 0 for the first byte, incrementing with each byte
used, and ending at 255.
● Then, for each byte:
❍ If element N of the first array is not -1, set element N of the first array to -1,

and set element I of the second array to N.


❍ Otherwise, store N in the first unused position (the first position containing -1)

in the third array.


● Once this has been done, if the third array contains any numbers other than -1,
proceed as follows:
● If there is only one filled (not equal to -1) element in the third array, then there is only
one remaining element in the first array, and one element of the second array equal to -
1, so fill the second array with the one available byte, and finish.
● If there are only two filled elements in the third array, take the least significant bit of
the first filled element. If it is zero, fill the -1 elements of the second array with the
remaining elements of the first array in order; if it is one, do so in reverse order, and
finish.
● If there are less than 256 filled elements in the third array, repeat them over and over
to fill the array. Then, generate an additional 256 bytes (thus, 512 bytes are used
except when the first 256 bytes contain two or fewer duplicate bytes) and XOR them
with the bytes of the third array.
● Now, use the third array to complete the second array by doing the following for II
from 0 to 255:
❍ Let the value of element II of the third array be XX.

❍ Swap elements II and XX of the first array.

● Then, scan through the second array. When an element of the second array is -1, fill it
with the corresponding element of the first array (if it is not also -1) and set that
element of the first array to -1.
● If there are any -1 elements left in the second array, fill them with the elements of the
first array that are not -1 in order.

Whether the procedure finishes after 256 bytes, or after 512 bytes, from the generator are
used, the contents of the second array when the procedure is concluded are the permutation
produced.

Key Augmentation

There are ten intermediate results within a round that can be used for key augmentation.
These are:

1. The left quarter of the left half of the block, after being subjected to the first of the two
possible alternate operations, and as serves as the input to the f-function;
2. The intermediate result of the left half f-function after the first S-P layer, and before
the XOR of the second subkey input to the f-function;
3. The intermediate result of the left half f-function after the second S-P layer, and
before the XOR of the thirs subkey input to the f-function;
4. The left half f-function output;
5. The right quarter of the left half of the block, after being subjected to the first of the
two possible alternate operations, and before being XORed with the f-function output;
6. The left quarter of the right half of the block, after being subjected to the first of the
two possible alternate operations, and as serves as the input to the f-function;
7. The intermediate result of the right half f-function after the first S-P layer, and before
the XOR of the second subkey input to the f-function;
8. The intermediate result of the right half f-function after the second S-P layer, and
before the XOR of the thirs subkey input to the f-function;
9. The right half f-function output;
10. The right quarter of the right half of the block, after being subjected to the first of the
two possible alternate operations, and before being XORed with the f-function output;
After a key is set up using the key schedule as previously described, the 721 32-bit subkeys
can be modified through key augmentation steps.

A key augmentation step consists of the following:

With the subkey array in whatever state is to be subjected to augmentation:

Encrypt the 128-bit block

00FF0F0F333355550123456789ABCDEF

using Quadibloc VIII, normally, but during each round retain the ten intermediate results
listed above. After the round is concluded, XOR the ten intermediate results, in the order
given, with ten successive subkeys, starting with subkey K145 in the first round. Thus, the
ten intermediate results from the first round are XORed with subkeys K145 through K154,
the ten intermediate results from the second round are XORed with subkeys K155 through
K164, and so on.

After the block encryption is complete, move the subkeys backwards 160 positions in the list
of subkeys. Thus, the former subkeys K1 through K160 become subkeys K562 through
K721; the former subkeys K161 through K721 become subkeys K1 through K561.

Although five key augmentation steps are required to modify all the subkeys, a single key
augmentation step ensures that subkeys K1 through K144, as well as K721, are among the
160 subkeys modified by being XORed with intermediate results, these subkeys being the
most critical, as they are the ones not contained in a group of four subkeys, any one of which
may be used in a given encipherment.

Quadibloc VIII with one key augmentation step is to be called Quadibloc VIII A1, and with
five key augmentations steps, the other standard number, Quadibloc VIII A5.

Modified Key Augmentation

With 721 regular subkeys, including the 1024 bytes contained in the two key-dependent S-
boxes S10 and S11, which are the equivalent of 256 additional subkeys, in what is modified
by key augmentation is not, in fact, impractical.

A modified key augmentation step proceeds exactly as a regular key augmentation step,
except that the buffer moved backwards by 160 subkeys now consists of the 721 subkeys K1
through K721 followed by the 256 entries in S-box S10, where each consecutive pair of
entries forms a subkey, the earliest entry being leftmost, followed by the 256 entries in S-box
S11 in the same form.

Seven key augmentation steps are now required to modify all the subkey material now
exposed to change, and this leads to the variant of Quadibloc VIII to be called Quadibloc
VIII M7. (Alternating regular and modified key augmentation rounds is possible; any pattern
of the form aMMaaaaa where M is a modified key augmentation round, and a is either
regular or modified key augmentation, will result in all the subkey material being fully
modified.)

Also, Quadibloc VIII M3 is sufficient to modify the fixed subkeys K1 through K144, the
subkey K721, and all of S10 and S11. (Again, Quadibloc VII A M2 would suffice for this as
well.)

Key Revision

Because modifying the other portions of subkey material is not simple enough to be done
during a process such as key augmentation, a further process of subkey modification is
provided, called key revision. A key revision step, which is optional, may only be performed
immediately following a key augmentation step. The 128-bit output from the block
encipherment performed to provide a key, which is then used as input to a slightly modified
version of the normal initial key generation process for Quadibloc VIII.

The key used as input for the modified key generation process is the following:

● For the first key revision step, the key is the 160-bit quantity consisting of the 128-bit
block cipher output from the immediately preceding key augmentation step, followed
by its first (leftmost) 32 bits repeated, unless the original key was 160 bits long, in
which case the 128-bit block cipher output is used without being lengthened;
● For the second key revision step, the key is the 192-bit quantity consisting of the 128-
bit block cipher output from the immediately preceding key augmentation step,
followed by its first (leftmost) 64 bits repeated, unless the original key was 192 bits
long, in which case the 128-bit block cipher output is used without being lengthened;
● For the third key revision step, the key is the 224-bit quantity consisting of the 128-bit
block cipher output from the immediately preceding key augmentation step, followed
by its first (leftmost) 96 bits repeated, unless the original key was 224 bits long, in
which case the 128-bit block cipher output is used without being lengthened;
● For the fourth key revision step, the key is the 256-bit quantity consisting of two
repetitions of the 128-bit block cipher output from the immediately preceding key
augmentation step, unless the original key was 256 bits long, in which case the 128-bit
block cipher output is used without being lengthened;
● For the fifth key revision step, the key is the 288-bit quantity consisting of two
repetitions of the 128-bit block cipher output from the immediately preceding key
augmentation step, followed by its first (leftmost) 32 bits repeated, unless the original
key was 288 bits long, in which case the 128-bit block cipher output is used without
being lengthened;

and so on. This ensures that, if multiple key revision steps are performed, each key revision
step uses a key which is different in length both from the original key and from the key used
in all other key revision steps.
With this key, the procedure for initial Quadibloc VIII is followed, except for these changes:

Since a value for the S-box S8 now exists, the bytes generated by the subkey byte generator
are additionally subjected to the following encipherment step before being used, and the
bytes being used begin with that corresponding to the third byte of output from the original
subkey byte generator:

For each byte of output from the original subkey byte generator, the preceding two bytes of
output are enciphered using a two-round Feistel cipher which uses S8 as the f-function. First,
a counter, initialized at 1 and incrementing by 1 is is XORed with the eldest byte, the result
being used to index into S8, and the value found in S8 is XORed with the immediately
preceding byte, modifying it. Then, a counter, initialized at 0 and incrementing by 1, except
that the value 255 is skipped, is XORed with the immediately preceding byte, as modified,
and the result is used to index into S8, and the value found in S8 is XORed with the eldest
byte, modifying it.

The current byte is then used to produce the byte to be used in subkey generation as follows:

● It is replaced by its substitute from S8.


● The modified eldest byte is added to it, modulo 256.
● It is replaced by its substitute from S8.
● The modified immediately preceding byte is added to it, modulo 256.
● It is replaced by its substitute from S8.

This is as illustrated below:

Thus, the keystream is enciphered in essentially a simple form of CFB mode, except that the
block cipher used is really a stream cipher, since its subkeys are continually changing.

The subkey bytes thus generated are used to modify the existing key schedule, instead of to
replace it, as follows:

● The first 1024 bytes generated are XORed with the contents of S10 and S11.
● A permutation called P is again produced from generator output.
● The next 2884 bytes generated are XORed with the bytes of the 721 32-bit subkeys.
● A permutation called Q is again produced from generator output.
● Six groups of eight bytes are calculated. These are XORed with the raw mask value,
before 4 of 8 coding, left by either the original key schedule or by the previous key
revision step, and then subjected to 4 of 8 coding to provide the six 64-bit mask values
M1 through M6.
● The permutations P and Q are then used to produce the new S8 permutation, S8'(x),
from the previous one, S8(x), such that the following equation is true: S8'(Q(x))=S8(P
(x)). This can be done as follows: for each byte x from 0 to 255, use x as an index into
P; use the result as an index into S8; store the result in the location within S8' found
by using x as an index into Q.

Quadibloc VIII with one key augmentation step, followed by one key revision step, is to be
called Quadibloc VIII A1 R; Quadibloc VIII with seven modified key augmentation steps,
the last of which is followed by a key revision step, is to be called Quadibloc VIII M7 R;
Quadibloc VIII with seven modified key augmentation steps, each of which is followed by a
key revision step, is to be called Quadibloc VIII MR7. Quadibloc VIII with five key
augmentation steps, the last of which is followed by a key revision step, is to be called
Quadibloc VIII A5 R; Quadibloc VIII with five key augmentation steps, each of which is
followed by a key revision step, is to be called Quadibloc VIII AR5.

The key schedule of Quadibloc VIII A1 R should be entirely satisfactory; the more lengthy
variants should not be required for security, although Quadibloc VIII M7 R has, at least, the
argument in its favor that its key schedule tends towards that of Blowfish (which, of course,
however, used only the result of a complete encipherment to modify subkeys, rather than
intermediate results within each round).

[Next] [Up] [Previous] [Index]

Next
Start of Section
Skip to Next Chapter
Table of Contents
Main Page
[Next] [Up] [Previous] [Index]

Design Rationale
Quadibloc VIII was designed to be a strong cipher not only against attacks which are
currently understood, but also to be likely to be resistant against attacks which might be
discovered in the future. It has been designed very conservatively; a full 16 rounds
have been used, despite the fact that each round is considerably more elaborate than a
single round in more conventional block ciphers: thus, its security does not depend on
the merit of the somewhat unconventional measures I have included in the algorithm in
hopes of achieving a very high level of security.

Such things as medical records, or other information related to the personal privacy of
individuals, may be required to remain confidential for 50 or even 100 years. Because
the speed and power of computers has been increasing at a fast pace for some time, it is
very difficult to make a firm prediction of how powerful computers might be at such a
distant time.

Although some fundamental physical limits, as well as physical laws which even limit
the performance of quantum computers, do appear to imply that one can specify a key
size that will leave one's messages forever immune to brute-force searching, it is even
harder to predict what new and surprising discoveries may be made in the field of
mathematics or in cryptanalysis that may allow attacks taking less time than a brute-
force search (trying every possible key).

Hence, I felt that it was justified to attempt to design a cipher which, while remaining
constrained to some extent to operate within limits at least comparable with those of
more conventional designs, was still aimed at providing a very high level of security
without attempting to justify the security aimed at as necessary. As with all the ciphers
in the Quadibloc series, ease of implementation is another important consideration, and
it is execution speed which has taken a back seat.

The most important step taken in the design of Quadibloc VIII to achieve the apparent
potential for very high security was to, in every round, subject the 32-bit quarters of the
block to two different transformations, making it variable which of those two
transformations occurred first. As well, in one of those transformations, whether XOR
or modulo-256 addition is used is variable.

This does create vulnerability to attacks based on monitoring the power consumption of
a device carrying out this algorithm. Simultaneously (in hardware) or in a fixed order
(in software) carrying out both possible operations, the one used and the one not used,
is a measure that could be used to avoid this.
To achieve greater resistance to differential and linear cryptanalysis, key-dependent S-
boxes are used. With the contents of the S-boxes unknown, characteristics cannot be
found for the f-function in the normal manner used for simple differential
cryptanalysis. This increases the amount of memory required to carry out the
algorithm, again limiting its usefulness. The multi-stage nature of the f-function, in
addition to giving this cipher a strong avalanche characteristic, also improves resistance
to differential and linear cryptanalysis.

There are three basic possible ways in which weak keys could occur in the algorithm:

● A key could cause one or more of the four chain addition sequences used to
generate subkey material to have a short period;
● The key-dependent S-box S8, or either of the key-dependent S-boxes S10 and
S11, might, by accident, consist of bytes in an ordering that is, or that
approaches, a linear or affine function of its input;
● The key-dependent boxes S10 and S11 might contain duplicate entries.

But I tend to view the threat from at least the second and third of these as negligible.
With 16 rounds, and an f-function that has not one, but two SP stages based on fixed S-
boxes, as well as the fact that there are two different groups of key-dependent S-boxes,
both of which act on the entire block in every round, it should not be possible for an
attacker to effectively exploit, or detect, a weakness in any one key-dependent S-box
should it occur.

Some of the individual steps in the algorithm can also be further examined:

Algorithmic Variability

In each round, the algorithm can take one of 16 shapes by the interchange of two
transformations applied to the 32-bit quarters of the block. In addition, there are 16
possibilities of using either XOR or bytewise addition in one of those transformations.

These 256 possibilities in each round are the product of four possibilities for the
leftmost quarter of the block, which are key-dependent, and 64 possibilities for the
remaining three quarters of the block, which are data-dependent.

It might be suggested that more of the variability in the algorithm ought to be key-
dependent, since in this way, it could be said that only 2^32 different algorithms are
used, and this number is susceptible to brute-force search, if there were some rapid way
to solve the rest of the cipher.

However, data-dependence does seem to be stronger than key-dependence, so this does


not appear to be a strong objection.

If one ignores the choice between four subkeys in various portions of the round, and
the extra algorithmic variation caused by switching between addition or XOR, and only
counts the sixteen possibilities in each round, for each of the four quarters of the block,
of doing either of two 32-bit transformations first, then the key-dependent part of that
involves only 2^16 possibilities. While it might be possible to simply ignore them, by
trying an attack based each possibility, as there are 2^48 possibilities for the data-
dependent part of that, it would seem that a conventional differential attack (actually,
that is a misnomer, as other aspects of the design would require some extension to the
original techniques of differential cryptanalysis) would require one to compare known
plaintext-ciphertext pairs where the same one of the 2^48 possible algorithms was used.

Of course, as long as a characteristic is strong enough that its chance of occurring by


accident is less than one in 2^48, even this is not totally impossible, and the identity of
the pairs in which it is seen would then provide additional information.

Byte Interchange

As noted in the description of the algorithm, after each round of Quadibloc VIII, except
round 16, the 16 bytes of the block are rearranged from being in the order

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

to being in the order:

16 8 5 6 12 10 3 1 13 15 7 14 4 2 11 9

This particular rearrangement was carefully designed. It has the following properties:

● It is a cyclic permutation of the numbers from 1 to 16; hence, each byte of the
block will be moved to each of the possible positions during the 16 rounds of
the cipher.
● Each byte continuously alternates between being in the left and the right
quarters of either half. That is, if a byte is in the left quarter of one half in one
round, it will be in the right quarter of either the same half, or the other half, in
the next round.
● The alternation between halves, if only odd numbered rounds or only even
numbered rounds are considered, (or if only rounds where the byte is in the left
quarter of its half, or only rounds where the byte is in the right quarter of its half
are considered, which is equivalent from the preceding property) follows the
pattern R L L R L R R L or a cyclic permutation thereof.
Since the main feature of the cipher is a Feistel round within each half of the block,
parts of the block alternate regularly between being on the left and right sides of the f-
function as in any normal Feistel cipher.

An irregular pattern of alternation between left and right halves of the block is used, so
that for each round, bytes will be brought together in different combinations.

Thus, let us consider byte 5, and where it appears in odd-numbered rounds only, when
it is on the right quarter in its half, and thus on the recieving end of the f-function. Let
us depict, with the bytes identified by their positions in round 1, the input and output of
the f-function, but rotating both by corresponding amounts so that byte 5 appears first
on the right quarter, so we see what it looks like from the viewpoint of byte 5.

1 2 3 4 5 6 7 8 Round 1: left half


12 10 9 1 5 16 14 15 Round 3: left half
12 1 10 3 5 6 15 16 Round 5: right half
4 1 3 10 5 8 6 16 Round 7: left half
3 2 1 4 5 6 8 7 Round 9: right half
10 12 1 9 5 14 15 16 Round 11: right half
1 12 3 10 5 15 16 6 Round 13: left half
4 10 3 1 5 6 8 16 Round 15: right half

While this only brings the bytes together in four distinct possible configurations,
although in different orders in each of the two times, that is still about as irregular as is
possible given that the only device available in this uniform and consistent permutation
between rounds to bring different bytes together is dispatching them to the other half of
the block for differing periods of time.

These are the positions of the bytes in the 16 rounds of Quadibloc VIII:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
16 8 5 6 12 10 3 1 13 15 7 14 4 2 11 9
9 1 12 10 14 15 5 16 4 11 3 2 6 8 7 13
13 16 14 15 2 11 12 9 6 7 5 8 10 1 3 4
4 9 2 11 8 7 14 13 10 3 12 1 15 16 5 6
6 13 8 7 1 3 2 4 15 5 14 16 11 9 12 10
10 4 1 3 16 5 8 6 11 12 2 9 7 13 14 15
15 6 16 5 9 12 1 10 7 14 8 13 3 4 2 11
11 10 9 12 13 14 16 15 3 2 1 4 5 6 8 7
7 15 13 14 4 2 9 11 5 8 16 6 12 10 1 3
3 11 4 2 6 8 13 7 12 1 9 10 14 15 16 5
5 7 6 8 10 1 4 3 14 16 13 15 2 11 9 12
12 3 10 1 15 16 6 5 2 9 4 11 8 7 13 14
14 5 15 16 11 9 10 12 8 13 6 7 1 3 4 2
2 12 11 9 7 13 15 14 1 4 10 3 16 5 6 8
8 14 7 13 3 4 11 2 16 6 15 5 9 12 10 1

Mixing and Whitening

In addition to complicating analysis by swapping the two basic operations of a two-


round Feistel cipher between 16-bit subblocks and a pair of two-round Feistel ciphers
between 8-bit bytes, the mixing and whitening phase of the cipher is designed to ensure
that without knowledge of the key, it is not possible to determine the path of a single
bit through the cipher.

But does this provide blanket protection against differential and linear cryptanalysis?
No, I cannot claim that. But because differential and linear cryptanalysis attacks are
often only small improvements on brute-force cryptanalysis, even making them only
slightly more difficult is worthwhile.

The example given in David Kahn's book The Codebreakers of an amateur cipher that
might be wrongly claimed unbreakable may indic