2 Voturi pozitive0 Voturi negative

1.6K (de) vizualizări832 paginiFeb 06, 2010

© Attribution Non-Commercial (BY-NC)

PDF, TXT sau citiți online pe Scribd

Attribution Non-Commercial (BY-NC)

1.6K (de) vizualizări

Attribution Non-Commercial (BY-NC)

- Principles of Information Security 4th edition Whitman Chapter 1 Solutions
- Specification for Interoperable Electronic Ticketing System
- The DRM Fiasco
- cryptology1
- CISSP-CIB
- System Programming Unit-5 by Arun Pratap Singh
- Cryptography Hash Functions GP
- CryptographyNetSecurity-2008
- The Laws of Cryptography With Java Code
- Cryptographic Attack
- Military Crypt Analysis By Sreekanth Chaladi
- Real Time Projects, Live Projects, Student Projects, Engineering Projects
- sadbshf
- Tech Mahindra - Suhas Desai -Open Source _Cry-Steganography 1.0
- Introduction to Modern Cryptography
- Cryptography and Mathematics
- chapter- 5
- Cryptography, A Study on Secret Writings
- Cryptography and Data Security
- Lecture 32

Sunteți pe pagina 1din 832

A Cryptographic Compendium

This site contains a brief outline of the various types of cipher systems

that have been used historically, and tries to relate them to each other

while avoiding a lot of mathematics.

1. Introduction

2. Paper and Pencil Systems

3. Electrical and Mechanical Cipher Machines

4. Telecipher Machines

5. The Computer Era

6. Public-Key Cryptography

7. Miscellaneous Topics

Thus, although this page is about cryptography, it does not fall into

certain categories of worthwhile and helpful pages about cryptography

that are more common; it is neither:

of paper and pencil ciphers,

● a page explaining how you can obtain a copy of PGP, ScramDisk, or

Private Idaho to start protecting your own communications, or

● a page devoted to the history of cipher machines, with photographs

of various ones.

There are links to some of the pages in these categories in the Links

section of this site.

here, but the details are very limited, compared to the excellent material

available elsewhere.

This site has a great deal in common with sites of the third category, but

alas, it doesn't include any photographs. What it does have are schematic

diagrams (in my own, somewhat nonstandard symbolism, designed to be

easy to recognize at small sizes) and descriptions of the operation of many

historical cipher machines. The story of the Enigma's decryption, derived

from a multitude of secondary sources, is, I hope, explained with both

completeness and clarity here.

methods to the modern computer cipher systems, and attempts to point

out the common features that link them.

shamelessly here, and have described a series of block ciphers of my own

design (under the name of "Quadibloc"; the first one was inspired by DES

and Blowfish, although in a way it was the opposite of Blowfish, and the

others are the result of appropriating various ideas found in the AES

candidate ciphers), some paper-and-pencil fancies of mine, and a rather

elaborate fractionation scheme for converting the binary output of

modern encryption methods to letters for transmission by Morse, or base-

78 armor (more efficient than base-64, if less efficient than base-85), or

encryption by classical letter-based methods.

In only one section do I discuss, and very briefly, codes, in which words or

phrases rather than letters, bits, or digits are the unit of encipherment.

However, the word code is used legitimately in mathematics to refer to

substitutions which are non-linguistic (and hence, in cryptology, would be

called ciphers) from Morse code to Hamming code (used for error-

correction) and Huffman code (used for data compression). I have,

therefore, been unable to be rigorous about the use of the word "code" in

these pages.

[Next]

[Next] [Up/Previous/Index]

Introduction

This page is about codes and ciphers, which people use to communicate

with each other in ways that other parties cannot (it is hoped) understand.

Although secrecy in communication can precede literacy, for example by

the use of obscure allusions, a spoken language that is different from the

one commonly spoken, a jargon or cant of terms with special or secondary

meanings, or a conventionalized way of speaking such as Pig Latin, the

efflorescence of many and sophisticated methods of secret

communications waited for the development of alphabetic writing, which

allows any thought to be represented by a small number of easily

manipulated characters.

represented by other symbols; particularly in introductory books on the

subject for children, this is often illustrated by various examples that are

used today, such as Morse code, signal flags, Baudot, ASCII, or, as

illustrated below, Braille and semaphore:

And, for another even more prosaic illustration, here is the color code

used on resistors (as well as on the old mica capacitors) and the color

code, if one can call it that, of pool balls:

One early and entertaining historical survey of the use of codes and

ciphers was the book Secret and Urgent, by Fletcher Pratt, also the author

of several novels. This book came out in the same year as Elementary

Cryptanalysis, by Helen Fouché Gaines, which will be mentioned below.

The title of this book is a particularly apt description of why methods of

scrambling messages to keep them secret are used.

need to bother putting it into code or cipher.

communicated at some time when there is an opportunity to meet

privately.

Only when both conditions exist: when the contents of a message must be

kept secret, and yet the message is so urgent that the risk must be taken of

sending it by a means that may allow others to read it, would people take

the time and effort to put a message into cipher, and take the risk involved

in relying on cipher to maintain its secrecy.

Of course, today computers carry out the steps involved in enormously

complicated cipher schemes at the push of a button, so neither the effort

nor the risk looms as large as it did during most of the history of the

subject.

This site contains a brief outline of the various types of cipher systems

that have been used historically, and tries to relate them to each other

while avoiding a lot of mathematics.

The following books can be recommended for someone beginning to learn

about the subject of secret writing:

The Codebreakers, David Kahn, Macmillan (1st ed.) Simon and Schuster

(2nd ed.). This book is a fascinating history of cryptography, dealing with

the role it has played in many historical events. There are also some

nuggets of technical information not seen in other books aimed at the

general public, and there is historical information about subjects related

to secret codes, such as cable codes (which do not involve secrecy, and

were for saving money on sending telegrams).

the title Cryptanalysis to avoid confusion with a book by Abraham Sinkov

(also a good book), this book deals with pencil and paper ciphers, and is

particularly aimed at people who solve such ciphers as a hobby. It

describes a wide variety of ciphers and a multitude of solving methods.

and Louis Kruh; Artech House. This book is a gold mine of information

and was the source for much of what you will see in this web site about

cipher machines of the rotor era. It is now out of print. Unfortunately, it

was marred by a number of typographical errors. I had thought that

regrettable, but felt that this was a common occurrence in books with a

limited anticipated sale. An otherwise positive review in Cryptologia

magazine (also a significant source, particularly for my account of the

Siemens T-52) did include the comment that one might expect better than

that, and as a result my faulty memory led me to categorize the review as

"scathing", for which I apologize to its author (himself a significant source

of information for my section on the Enigma's Uhr box), Frode Weierud.

A number of the illustrations from this book were reprinted (with full

permission, of course) in the more recent book Decrypted Secrets from

Springer-Verlag.

Applied Cryptography, Bruce Schneier; John Wiley and Sons. This book

is aimed at the computer professional who needs to implement secure

systems involving cryptography. As it describes a wide selection of

algorithms and protocols, it will be of interest to anyone concerned with

cryptography in the computer era. This book is one of the most widely

available books covering the subject matter, and it is frequently cited as a

source and as an authority on the USENET newsgroup sci.crypt. The 2nd

edition is considerably expanded, with fascinating detail on a much larger

number of cipher systems.

[Next] [Up/Previous/Index]

Main Screen

[Next] [Up/Index] [Previous]

The most obvious way, perhaps, of taking text and concealing it from the prying

eyes of those who don't know your secret is by replacing each letter by something

else, like this:

----- --- ---- --- ----- --- ---

$7+Q@ ?)/ 2X3: !8J 9%6*& 15= (;4

which turns

Please send me some money

into

This is called substitution, and ciphers based on this principle date back to

ancient times.

illustrates several cipher alphabets used by the

ancient Hebrews. Three of them are based on

arrangements of the alphabet according to a

definite pattern, and these patterns can be

illustrated in terms of the 26-letter alphabet

used by the English language by showing what

the equivalent substitutions are in that alphabet:

Atbash:

A B C D E F G H I J K L M

-------------------------

Z Y X W V U T S R Q P O N

Albam:

A B C D E F G H I J K L M

-------------------------

N O P Q R S T U V W X Y Z

Atbah:

A B C D J K L M E S T U V

------- ------- - -------

I H G F R Q P O N Z Y X W

Note that all three of these are reciprocal, in

that if one letter becomes another letter, then

that other letter becomes the original letter in

turn.

The illustration also contains other information. The numerical value of each

letter is given below the name of the letter, and the original Hebrew form of the

name of the letter is also shown to the right. Also, Cryptic Script B, an alphabet

used in the writing of part of the Dead Sea Scrolls is shown (albeit imperfectly;

the symbol for Shin is only known to be used for one of the two values of that

letter, as indicated by dots, and an additional special-purpose character is not

shown.)

The other method of concealing a message is called transposition, which was also

used in ancient times, at least by the Spartans with the scytale, a baton around

which a leather belt could be wound, so that a message could be written on the

belt, crossing from one loop to the next, so that it could only be read while the

belt was so wound.

message are moved around, so that they aren't written down in order.

● Methods of Transposition

● Improving Substitution

❍ Homophones and Nomenclators

❍ Polyalphabetic Substitution

● Code Books

● Fun With Playing Cards

● Conclusions

[Next] [Up/Index] [Previous]

Table of Contents

Main Screen

Home Page

[Next] [Previous] [Up/Index]

Machines

Using machinery to automate encryption permitted ciphers to be much more

complicated than those which can reasonably be applied by hand without too

many mistakes. And this was true even though machines had to be reliable and

inexpensive, and this meant they could only carry out fairly simple operations.

(Today, of course, the microchip has changed everything immensely!)

There are several types of cipher machine that we will examine in this section;

and a few more that belong to another section, since they hint at the computer age

to follow.

❍ The Bazeries Cylinder

❍ The Reihenscheiber

❍ Cryptanalysis of the Basic Lug and Pin Machine

❍ Rotor Machine Basics

❍ Basic Principles of the Enigma

■ Indicators and Jefferys Sheets

■ The Bombe and the Diagonal Board

● Miscellaneous Machine Ciphers

❍ The Hagelin B-211

❍ Sweden's HC-9

❍ LACIDA

❍ Fantastic Rotor Machines

❍ Child's Play

Table of Contents

Main Screen

Home Page

[Next] [Up/Index] [Previous]

Telecipher Devices

This section looks at cipher machines that worked with teletypewriters.

Just as today's computers represent printed characters as 8-bit bytes using the ASCII code,

teletypewriters used a similar code for communications purposes. However, they used only

five bits per character, which conserved bandwidth, although it meant that shifting between

letters and other characters such as numbers and punctuation marks required sending

characters that indicated a shift was taking place.

Thus, we have a family of cipher machines that, before the computer age, was already

working in binary code.

Two early American attempts at a telecipher machine were not used in practice, since they

were found to be insecure. One was designed by Gilbert S. Vernam for A. T. & T., the two-

tape machine, where two punched tape loops of unequal size each provided a current

character to be XORed with the plaintext character. The other was devised by Col. Parker

Hitt, who was one of America's foremost cryptologists of the World War I era, for ITT, and

involved ten cams with 96, 97, 98, 99, 100, 101, 102, 103, 104, and 105 positions, two of

which supplied the bits to be XORed with one bit of the current plaintext character.

The XOR or exclusive-or logical operation is the simplest possible way to apply a key to a

plaintext to conceal it. This operation is also modulo-2 addition, with the very small table:

| 0 1

---+-------

0 | 0 1

1 | 1 0

If we view 0 as standing for "False", and 1 as standing for "True", then A exclusive-or B is

true if either A is true exclusively (that is, A is true and B is false), or if B is true exclusively

(B is true and A is false).

However, the machine devised by Vernam was modified to a form which was secure, and

many countries have used similar devices. Instead of increasing the number of punched tape

loops used to XOR with the plaintext, the number of key inputs was reduced from two to just

one: and that one took a key tape consisting of completely random bits, used only once.

This, the one-time tape, is again the perfect case of polyalphabeticity, which was previously

noted as the one-time pad under pencil-and-paper methods.

If anyone is unfamiliar with the alphabet used for 5-level teletypewriters, which is called the

Baudot code (although, more accurately, it is in fact derived, with slight modifications, from

the Murray code, a later 5-unit printing telegraph code, just as the code for transmitting chess

moves by telegraph is called the Uedemann code, for the first person to invent such a code,

even though the code actually used is a later one, properly known as Gringmuth notation;

also, the International Morse Code, though it has several characters in common with the code

of dots and dashes originally devised by Samuel Findley Breese Morse, is actually a revision

of his code devised by one Frederick Gerke from Austria, as I have recently learned thanks to

Terry Ritter) a table of it is given here.

(In the interests of making complete information handy, the table included is one with some

additional information from one of my USENET posts.)

International Telegraph Alphabet No. 1 was a version of Emile Baudot's original 5-unit code,

the one that included a 'letters space' and a 'figures space'. (I've seen a web site that

incorrectly claims that International Morse, formerly Continental Morse, was ITA 1.)

International Telegraph Alphabet No. 2 is what is most commonly called Baudot; it is the 5-

level code derived from the Murray code.

ITA 3 and ITA 4 are obscure, but they are both derived from ITA 2, as are a couple of other

codes.

The final code, ten bits long, is AUTOSPEC. All the codes, except for CCIR 476, are shown

in order of transmission; CCIR 476 is shown the other way around, being assumed to be sent

LSB first as is ASCII.

(ITA 2 on left,

some national

ones follow)

Space 00100 000100 1101000 1011100 0010011011

W 2 11001 011001 0100101 0100111 1100100110 W 2 w

E 3 10000 010000 0111000 1010110 1000001111 E 3 e

R 4 01010 001010 1100100 1010101 0101001010 R 4 r $

T 5 00001 000001 1000101 1110100 0000111110 T 5 t

Y 6 10101 010101 0010101 0101011 1010101010 Y 6 y ^

U 7 11100 011100 0110010 1001110 1110000011 U 7 u &

I 8 01100 001100 1110000 1001101 0110001100 I 8 i

O 9 00011 000011 1000110 1110001 0001100011 O 9 o ~

P 0 01101 001101 1001010 0101101 0110110010 P 0 p

S ' BEL 10100 010100 0101010 1001011 1010010100 S ' s "

D WRU $ 10010 010010 0011100 1010011 1001010010 D d

F % ! 10110 010110 0010011 0011011 1011001001 F % f `

G @ & 01011 001011 1100001 0110101 0101110100 G @ g }

H £ # STOP 00101 000101 1010010 1101001 0010100101 H # h {

J BEL ' 11010 011010 0100011 0010111 1101000101 J * j

K ( 11110 011110 0001011 0011110 1111011110 K ( k [

L ) 01001 001001 1100010 1100101 0100101001 L ) l ]

Z + " 10001 010001 0110001 1100011 1000110001 Z + z

X / 10111 010111 0010110 0111010 1011110111 X / x \

C : 01110 001110 1001100 0011101 0111010001 C : c ;

V = ; 01111 001111 1001001 0111100 0111101111 V = v |

B ? 10011 010011 0011001 1110010 1001101100 B ? b

N , 00110 000110 1010100 1011001 0011000110 N , n <

M . 00111 000111 1010001 0111001 0011111000 M . m >

CR 00010 000010 1000011 1111000 0001011101

LF 01000 001000 1011000 1101100 0100010111

FIGS 11011 011011 0100110 0110110 1101111011

LTRS 11111 011111 0001110 1011010 1111100000

alpha (all 0) 000000 0101001 0001111

beta (all 1) 111111 0101100 0110011

SYNC 110011

repetition 0110100 1100110

Unlike ITA 3, CCIR 476 has a pattern that relates it to ITA 2: except for the letters B and U,

whose natural codes are used for alpha and beta, those ITA 2 characters which have 4, 3, or 2

one bits set are represented by 0x0, 0x1, and 1x1 respectively, where x is the five bits of the

ITA 2 character; and 1nnnnn0 represents the characters that don't fit into this range, with

again exactly 3 of the n bits set. Note that ITA 3 is a 3 of 7 code, while CCIR 476 is a 4 of 7

code.

Perhaps this is why the newer CCIR 476 is the one US radio amateurs are permitted to use,

and do use for AMTOR, while the older ITA 3 was used for ARQ purposes originally. But

it's odd to see a new code developed to fill exactly the same purpose as an older code already

accepted as an international standard.

ITA 3 was known as, or derived from, the Moore ARQ code, also known as the RCA code. It

appears to have been the first code used for ARQ (automatic repeat request) purposes, and to

have been invented in or prior to 1946 by H. C. A. van Duuren. ITA 3 was adopted as an

international standard in 1956, according to the source which first brought him to my

attention.

AUTOSPEC repeats the five-bit character twice, but if the character is one with odd parity,

the repetition is inverted. Thus, the parity bit is transmitted with high reliability, and every

other bit of the character is effectively repeated twice. It can be thought of the result of

applying an error-correcting code with the matrix:

1 0 0 0 0 0 1 1 1 1

0 1 0 0 0 1 0 1 1 1

0 0 1 0 0 1 1 0 1 1

0 0 0 1 0 1 1 1 0 1

0 0 0 0 1 1 1 1 1 0

to 5-level characters.

The entries

F % ! and

V = ;

mean that, for F, no figures shift character is defined by ITA 2; however, the % sign is uses as

a national-use figures shift character for Britain. The U.S. figures shift character is !. For V,

however, the = sign is defined as the official figures shift character. The U.S. 5-unit

teletypewriter code, which is nonconformant to ITA 2, defines ; as the figures shift character

for V instead.

After the code bits, there are four more columns of characters, giving the characters used by

ASCII over AMTOR. The all-zeroes character is used to toggle between the ordinary

character set in the first two columns, and the auxilliary one in the second two. The ordinary

character set is that of the international version of the 5-level code, rather than the U.S.

version, but the figures shift of J, instead of being the bell, is the asterisk.

Note that there is also an official standard of very recent vintage for using lowercase with 5-

level code, which works on a different principle: a LTRS code while already in letters case is

used to toggle between upper and lower case.

This standard does not include ASCII graphics characters, but it was designed to be

compatible with the use of the all-zeroes code for supplementary alphabetic characters; these

characters could have their lower case available using their shift character in the same fashion

as LTRS is used.

This new standard works as follows: FIGS LTRS operates as a reset into upper-case mode. In

normal upper-case mode, when returning to letters case from figures case, one is returning to

upper-case letters.

When in letters case, a superfluous LTRS code switches into lower-case. This is true even

when reset into upper-case mode; but then it also clears lower-case mode, so that, whether

one is printing upper-case or lower-case, when one returns from printing figures characters to

print letters, one begins with lower-case letters.

ABC [FIGS] 1234 [LTRS] DEF [LTRS] ghi [FIGS] 1234 [LTRS] jkl

[LTRS] MNOPQ [FIGS] 1234 [LTRS] rst [FIGS][LTRS] UVW

[FIGS] 1234 [LTRS] XYZ

Essentially, toggling between upper and lower case with a superfluous LTRS is always on.

FIGS LTRS resets (to upper-case, or capitals) only the default letters case that a normal

LTRS, used for exiting figures printing, returns to. And that default flips back to lower case

the first time lower case is accessed with an (otherwise) superflous LTRS.

ABC [FIGS] 1234 [LTRS] DEF

The superfluous LTRS now switches one into lower-case mode, as well as immediately

switching to printing lower-case letters. The FIGS shift still takes you to normal figures case,

and a LTRS shift returns you to lower-case letters.

A superfluous LTRS shift changes you to printing upper-case characters, but the mode

remains lower-case mode. Thus, FIGS takes you to printing digits, and LTRS takes you to

printing in the default case for the current mode, which is lower case.

A superfluous LTRS toggles between printing upper-case and lower-case, but only moves

you from upper-case mode to lower-case mode. To change mode in the reverse direction, the

combination FIGS LTRS is required. Once that combination is used, not only do you print in

upper-case, but a LTRS shift used after printing figures will return you to the new default

case, which is again upper case.

The bits are numbered from 1 to 5, in the order in which they are transmitted. They are

normally preceded by one start bit (0) and followed by one and a half stop bits - that is, a 1

level on the wire for one and a half times the time used for transmitting a data bit. In ASCII,

the bits of a character are transmitted least significant bit first; since the 5-level code bits

don't represent codes in any kind of numerical order, sometimes bit 5 and sometimes bit 1 is

taken as the most significant bit, although the tendency has been to treat bit 5 as the MSB

because of the use of the same UART chips for ASCII and 5-level code.

And here is a graphical version, showing the standard, U.S., financial, and weather character

sets:

The top two lines show the original Murray code, from which the modern 5-level code is

derived. (The original Baudot code was completely different.) It too, like the original Baudot,

used a letters space and a figures space. I'm not sure about the functions of the line feed and

carriage return characters: one of them could be a newline, and the other might have had a

different control function. Also, in my reference, the space for the figures shift of A was left

blank. My guess is that that should have been a comma.

Incidentally, the reason that this code is not so organized that when the letters are in

alphabetical order, their codes are in binary numerical order, as is the case for ASCII, is

because the codes were chosen so that the most common letters would have codes that would

cause less wear and tear on the moving parts of teleprinters. The following chart shows the

scheme by which the codes were assigned:

lsc lf

EfprT AINO UCM KV SRH DL FG TP BW QX tiYZ

1 * * * * * * * * ** ** ****

2 * ** ** ** * * * ** * * **

.........................................

3 * ** *** ** * * * * ** * *

4 * ** ** ** * * ** * * * **

5 * * * * * * * * ** ** ****

● The Siemens Geheimschreiber T-52

● The Swedish SA-1

● An American patent

● Converter M-228

● Conclusions

Skip to Next Section

Table of Contents

Main Screen

[Next] [Up/Index] [Previous]

The era of computers and electronics has meant an unprecedented freedom for

cipher designers to use elaborate designs which would be far too prone to error if

handled by pencil and paper, or far too expensive to implement in the form of an

electromechanical cipher machine.

There are rumors that the secret cipher machines of the 1960s and beyond

involved the use of shift registers, and, more specifically, that they used nonlinear

shift registers, since it is known that a linear feedback shift register produces a

sequence which, while it has a long period and an appearance of randomness, is

not itself a secure additive key for a cipher. Since it is very difficult to guarantee

that a shift register whose feedback is nonlinear will always have a reasonably

long period, I think I will continue to doubt these rumors until the facts finally

become declassified. (However, since the mathematical theory does exist by

which the conditions for maximum period of the quadratic congruential

generator are known, I definitely could be wrong.)

However, some published papers use the term "nonlinear shift register" to

describe a stream cipher system which has a linear feedback shift register at its

heart, but which has as its output a nonlinear function of the shift register's state.

Since it is trivially possible to produce any output sequence with the same period

as the underlying LFSR in this way, (Proof: use the outputs from all the cells in

the LFSR as inputs to the address lines of a one-bit wide ROM programmed, in a

suitable order, with the desired sequence) I have no problem accepting the

existence of nonlinear shift register designs in this sense.

Publicly known designs based on shift registers instead use linear shift registers,

but do such things as combining the output from several, controlling the stepping

of one shift register with another, as was done with the pinwheels in some of the

more secure telecipher designs of the last chapter, or using one shift register to

select between the outputs of two other shift registers.

But the main thrust of the computer era has been in the development of block

ciphers, starting with the LUCIFER project at IBM, which was the direct

ancestor of DES, the Data Encryption Standard.

● LUCIFER

● The Data Encryption Standard

❍ Details of DES

❍ Variations of DES

● Something Not Quite As Different: IDEA

● Formerly Secret: SKIPJACK

● Blowfish

● My Own Humble Contribution: QUADIBLOC

❍ Description of QUADIBLOC

❍ Key Enrichment

❍ Quadibloc II

❍ Quadibloc III

❍ Quadibloc IV

❍ Quadibloc V

❍ Quadibloc VI

❍ Quadibloc S

❍ Quadibloc VII

❍ Quadibloc VIII

❍ Quadibloc IX

❍ Quadibloc X

❍ The Advanced Encryption Standard (Rijndael)

❍ Twofish (finalist)

❍ SERPENT (finalist)

❍ RC6 (finalist)

❍ DEAL

❍ MARS (finalist)

❍ SAFER+

❍ FROG

❍ LOKI-97

❍ CAST-256

❍ Magenta

❍ DFC

● Cryptanalytic Methods for Modern Ciphers

❍ Differential and Linear Cryptanalysis

● Stream Ciphers

❍ Shift-Register Stream Ciphers

■ An Illustrative Example

■ Other Constructions

■ Panama

● Conclusions

❍ Modified Panama

❍ Mishmash

Table of Contents

Main Screen

Home Page

[Next] [Up/Index] [Previous]

Public-key Cryptography

Public-key cryptography is a very novel form of cryptography that first became

known to the public during the decade of the 1970s. Not only is it novel, its very

name seems paradoxical and confusing.

messages, such as authentication, and this is especially true of public-key

cryptography, sending secret messages is still one of the things public-key

cryptography can be used for.

And if a message is secret, that means that the key to unlock it must be a secret,

or else anyone could decipher it. That is still just as true for public-key

cryptography as it is for the regular kind.

If that's the case, what does the word "public" in public-key cryptography mean?

Normally, with a conventional cryptographic system, if you know both the key

for sending a secret message, and the method of encryption in which that key is

used, then you also know everything you need to know to decipher secret

messages sent with that key and in that system. A few conventional encryption

systems are reciprocal, so that exactly the same key and procedure serves for

encryption and decryption; but in those that are not reciprocal, the key and

procedure for decryption are both still easily derived from those for encryption,

and in most cases, only one of the two differs.

A public-key cryptosystem is one where a key, useful for sending messages, can

be made public without revealing the still-secret key that allows those messages

to be read.

A two-part codebook is one where the code groups don't have the same order as

the plaintext words and phrases they represent. If you publish only the

enciphering half of such a codebook, keeping the deciphering part to yourself,

then it is easier to send coded messages to you than it is to read them.

Of course, that doesn't really provide genuine security. But it hints as to how

PKC can be possible.

Another example, one of the first PKC concepts expressed in the open literature,

goes as follows:

messages are in a cipher that can be broken, but not without some work. The

messages look something like this:

and so on.

The keys for each key number are chosen genuinely at random.

The person who wants to send you a message picks any one of your large number

of encrypted messages, and breaks it. Then, using the key found inside, he

encrypts his message to you, and the precedes it with a note saying: "I am using

key number 2126 to encrypt this message".

He only had to decrypt one of the encrypted key messages to send you a

message, but anyone who wanted to read it would have to keep decrypting all the

messages until he found the right one.

So, the principle of PKC is to find some trick that works one way without

revealing how to reverse the process. And one good place to look for tricks like

that is in higher mathematics, and each of the public-key methods we will look at

in the remainder of this section will have had a basis that came from that source.

cryptography, and is of general mathematical interest. But it is also of very

considerable practical importance.

friend who was away on vacation, if before he left you had given him a secret

key to use. You could also encrypt your E-mails to someone you hadn't met,

provided you sent him, or he sent you, a secret key by a more secure method,

such as a letter by regular mail. (Of course, letters can be read too by a

determined adversary, but exchanging keys even in this simple fashion would

keep your communications out of reach of someone who has the opportunity to

intercept your E-mail but not the contents of your mailbox.)

channel of communications for prior setup is required. Instead, encrypted

communications can be set up on an impromptu basis, entirely over an insecure

medium such as the Internet. It is not an overstatement to claim that public-key

cryptography is the factor which changed cryptography from something which

was only used by people with either a strong need for secrecy, or an interest in

cryptography itself, to something used routinely by many people for such

practical purposes as making credit-card purchases over the Internet.

If PKC did not exist, however, credit-card companies could instead have issued

secret passwords to credit-card holders. If a merchant verified a password by

comparing a one-way hash of the password and the user's account number to a

coded number on the credit card, knowing the one-way hash of the password

wouldn't enable him to create a new password to decieve other merchants. Thus,

even without public-key methods, it would be possible to avoid the requirement

that every transaction would have to be directly verified with the credit-card

company. But precautions would be needed to ensure that a hash code could not

be used in place of a password, by being inserted into a stage of the verification

process which comes after the password being converted to its hash. Including

the account number in the hash prevents making forged credit cards for someone

else's account with a different password, if the hash also involves a secret key.

cryptography: using the same operation, key E transforms plaintext to ciphertext,

key D transforms ciphertext to plaintext, but it isn't possible to find D only

knowing E; the two prime factors of the modulus used are required.

But there are other ways to send a message from one place to another without

prior exchange of a secret key.

from a private key x to a public key A^x, which has the property that two parties

can exchange public keys, and using either private key and the other public key,

it is possible to arrive at the same secret session key which no one knowing only

the two public keys can derive.

where an encryption method is used such that, after it is applied twice, the two

encryptions do not need to be removed in the exact reverse of the order in which

they were applied, but can be removed in any order. This allows one party to

send an encrypted message, and the recipient can send it back encrypted again,

and then the first party can remove his own encryption, sending it back to the

recipient as if only the recipient had encrypted it. (While there are many

encryption methods that are commutative, most, if used in this way would

provide no security whatever, because relationships between the messages sent

would reveal the secret keys used.)

● Modulus Arithmetic

● The Rivest-Shamir-Adleman (RSA) method

❍ Looking for Primes

❍ Finding d from e

❍ Factoring

❍ El Gamal

● Other Methods

● The Uses of Public-key Cryptography

● Conclusions

Next Chapter

Table of Contents

Main Screen

Home Page

[Next] [Up/Index] [Previous]

Miscellaneous Items

Computer programs that handle data encryption, such as the well-known program

PGP (Pretty Good Privacy) involve other functions besides encryption itself.

squeezes out patterns in the plaintext that might be useful to a cryptanalyst. And,

of course, it also saves bandwidth, and compression isn't going to be possible

after encryption, because encrypted texts look random.

consists of random binary bits, then if these bits are transmitted in the form of

bytes containing eight random bits each, no further compression is possible. On

the other hand, if they were transmited one bit to a byte, each byte either

containing the ASCII character "0" or the ASCII character "1", then compression

would be possible.

While that would be silly, transmitting an encrypted series of bits in the form of

printable ASCII characters only might make good sense, by making it easier to

transmit your data without problems over a network where control characters

have special meanings. Although TCP/IP was specifically designed to permit all

256 possible byte values to be transmitted transparently (the only control

character with special meaning is DLE, Data Link Escape, and two DLEs in a

row always represent a real DLE that is part of user data) binary data is usually

transmitted over the Internet in "base-64" format, where 64 printable ASCII

characters, specifically chosen not to be different in the versions of ASCII used

for different languages, and to be also present in EBCDIC, are used.

Even the case of a simple pencil and paper cipher does, in a rudimentary form,

illustrate these two additional phases of encryption.

Changing

to

WGRXT RTRVU IPQRI PVRE

First,

is changed to

PLEASESENDMOREMONEY

essential to the understanding of the text. This is a form of compression, even if it

is not lossless, and functions more by discarding information than by

compressing it. Of course, we've already seen the straddling checkerboard

principle, which does use the same basic principle (prefix-property variable-

length coding) as Huffman codes, which are a serious method of compression.

Then,

PLEASESENDMOREMONEY

is changed to

WGRXTRTRVUIPQRIPVRE

the alphabet, and nothing else.

Finally,

WGRXTRTRVUIPQRIPVRE

is changed to

for ease of reading and transmission, which illustrates the process of applying

armor to the output of an encryption process.

Finally, digital signatures need one-way hash functions. Ordinary checksums

aren't adequate, since it is possible to construct a message with a different

meaning having the same checksum as the one someone intended to sign. One-

way hash functions are similar to block ciphers in some ways, but different in

others.

Hash functions can also be used as a way of producing encryption keys from pass

phrases or from random input of imperfect quality.

● Data Compression

❍ The Representation of Speech

❍ Semi-Arithmetic Coding

❍ Character Codes

● Error-Correcting Codes

● Armor, Message Termination, and Base Conversion

❍ From 47 bits to 10 letters

❍ Armor-Related Fractionation

❍ Message Blocking

● Steganography

● One-way Hash Functions

❍ Description of SHA

● Hardware Security

❍ When Somebody's Looking Over Your Shoulder

● Key Management

❍ The IBM Key Management Scheme for DES

❍ Kerberos

❍ Key Escrow

❍ Quantum Computing

❍ Quantum Cryptography

● Cryptanalysis

❍ The Limits of Cryptanalysis

● The Ideal Cipher

● Cryptography for Content Protection

● Fallacies of Cryptography and Compression

● The Politics of Cryptography

● Conclusions for Chapter VI

Table of Contents

Main Screen

[Up]

A Cryptographic Compendium

Contents

Introduction

❍ Cryptanalyzing the Simple Substitution Cipher

❍ Methods of Transposition

❍ Improving Substitution

Checkerboard

■ Fractionated Morse, and Other Oddities

■ Polyalphabetic Substitution

❍ Code Books

❍ Conclusions

❍ Early Machine Ciphers

■ The Reihenschieber

❍ Rotor Machines - and their PURPLE cousins

■ Rotor Machine Basics

■ Isomorphs

machine

❍ Miscellaneous Machine Ciphers

■ Sweden's HC-9

■ LACIDA

■ Child's Play

3. Telecipher Machines

❍ The Lorenz Schlusselzusatz

❍ An American patent

❍ Converter M-228

❍ LUCIFER

■ Details of DES

■ Variations of DES

❍ Formerly Secret: SKIPJACK

❍ Blowfish

❍ My Own Humble Contribution: QUADIBLOC

■ Description of QUADIBLOC

■ Key Augmentation

■ Quadibloc II

■ Quadibloc III

■ Quadibloc IV

■ Quadibloc V

■ Quadibloc VI

■ Quadibloc S

■ Quadibloc VII

■ Quadibloc VIII

■ Quadibloc IX

■ Quadibloc X

■ The Advanced Encryption Standard (Rijndael)

■ Twofish (finalist)

■ SERPENT (finalist)

■ RC6 (finalist)

■ DEAL

■ MARS (finalist)

■ SAFER+

■ FROG

■ LOKI-97

■ CAST-256

■ Magenta

■ DFC

❍ Cryptanalytic Methods for Modern Ciphers

■ Differential and Linear Cryptanalysis

■ Extensions of Differential Cryptanalysis

■ The Boomerang Attack

❍ Stream Ciphers

■ An Illustrative Example

■ Other Constructions

■ Panama

■ Modified Panama

■ Mishmash

5. Public-Key Cryptography

❍ Modulus Arithmetic

■ Finding d from e

■ Factoring

■ El Gamal

❍ Other Methods

6. Miscellaneous Topics

❍ Data Compression

■ Semi-Arithmetic Coding

■ Character Codes

❍ Error-Correcting Codes

❍ Armor, Message Termination, and Base Conversion

■ From 47 bits to 10 letters

■ Armor-Related Fractionation

■ Message Blocking

❍ Steganography

❍ One-way Hash Functions

■ Description of SHA

❍ Hardware Security

■ When Somebody's Looking Over Your Shoulder

❍ Key Management

■ The IBM Key Management Scheme for DES

■ Kerberos

■ Key Escrow

■ Quantum Computing

■ Quantum Cryptography

❍ Cryptanalysis

■ The Limits of Cryptanalysis

❍ The Ideal Cipher

❍ Cryptography for Content Protection

❍ Fallacies of Cryptography and Compression

❍ The Politics of Cryptography

❍ Conclusions for Chapter VI

[Up]

[Next] [Up] [Previous] [Index]

Fractionated Morse

Morse code uses variable-length symbols made up of dots and dashes, but unlike a straddling checkerboard, the

length of a symbol is not determined by the dots and dashes within it. Instead, spaces are also needed to mark off

the symbols from each other.

But fractionation is still possible using Morse code as a basis. Elementary Cryptanalysis, by H. F. Gaines, gives a

cipher devised by M. E. Ohaver, the author of an early series of magazine columns on cryptanalysis which was

of value to her in the writing of that book, called a "mutilation" cipher, that works like this:

Split the message in Morse code into two parts; the string of dots and dashes, and a series of numbers giving the

number of dots or dashes in the representation of each letter. Then, take the numbers, divide them into groups of

n, and reverse the order of the numbers in each group. Using the now transposed numbers as a guide, turn the

string of dots and dashes back into letters.

A table of Morse code follows (and, while I'm at it, I may as well include Japanese Morse, having the data

available from one of my old USENET posts):

V ...- B8 ku

U ..- B3 u F ..-. C1 ti

(1) ..-- C9 no

A .- B2 i R .-. C5 na L .-.. B6 ka

(2) .-.- DB ro

W .-- D4 ya P .--. C2 tu

J .--- A6 wo

T - D1 mu N -. C0 ta D -.. CE ho B -... CA ha

X -..- CF ma

K -.- DC wa C -.-. C6 ni

Y -.-- B9 ke

M -- D6 yo G --. D8 ri Z --.. CC hu

Q --.- C8 ne

O --- DA re (3) ---. BF sho

(4) ---- BA ko

5 ..... 5 6 -.... 6

4 ....- 4 = -...- D2 me

(5) ...-. / -..-. D3 mo

3 ...-- 3 -..-- D5 yu

(6) ..-.. C4 to (c) -.-.. B7 ki

Inter ..-.- D0 mi Start -.-.- BB sa

..--. DF [B] ( -.--. D9 ru

2 ..--- 2 -.--- B4 e

Wait .-... B5 o 7 --... 7

(9) .-..- yi (e) --..- CB hi

+ .-.-. DD n --.-. BC shi

.-.-- C3 te (f) --.-- B1 a

.--.. ye 8 ---.. 8

(a) .--.- B0 - ---.- BD su

(b) .---. BE se 9 ----. 9

1 .---- 1 0 ----- 0

[B] small circle following kana (han-nigori).

(1) u umlaut (2) a umlaut, cedilla (3) o umlaut or other accent (4) ch, s cedilla (5) s hat (6) e primary accent

(usually acute, grave in Italian) (9) e accent grave (a) a accent (b) j hat (c) c cedilla or accent (e) z accent grave

(f) n tilde

To remove ambiguities, the Japanese syllables are preceded by the hex code, in the version of 8-bit ASCII that

includes kana, of the kana symbol represented. The symbols whose phonetic values I give as yi and ye have the

appearance, respectively:

* ********

******* *

* * *

* * * *

* * *

******* *

* *******

Since this system requires that the ciphertext letters must be able to represent all combinations of from one to

four dots or dashes, four extra symbols, used in Morse for accented letters in some languages other than English,

need to be included in the cipher alphabet.

While the original system, having only the group length as a key, may not have been all that secure, the basic

concept is clever and original. The character lengths could as easily have been transposed by means of a double

columnar transposition, and the dots and dashes could be translated to 0s and 1s, and enciphered by any

applicable method, even DES.

While I consider Ohaver's "mutilation" cipher very interesting, for the principle which it illustrates, the term

Fractionated Morse is normally used for a less elegant, but more secure, system, in which possible combinations

of three symbols from the set of dot, dash, and x, the latter standing for the space between letters, are represented

by letters. Note that combinations with two consecutive "x"s are not required, so the ciphertext uses a 22-letter

alphabet.

The letters will vary in frequency, and since two adjacent letters that would produce two consecutive "x"s do not

occur, redundancy still remains in subtle forms as well.

● 25 times 27 is one less than 26 times 26, so one could encipher bigrams (except 1 that is ignored) into

objects consisting of two symbols from a five-character alphabet and three symbols from a three-character

alphabet, and then seriate the two kinds of symbols separately, also using two tables, one 125 entries long,

and one 81 entries long, for substitution on them;

● 32 equals 27 plus 5, and 128 equals 125 plus 3, so there are two different ways to encipher a binary

bitstream as a mix of symbols from a three-character and a five-character alphabet;

● 26 to the 10th power is very slightly larger than 2 to the 47th power; this is noted in a section in the last

chapter dealing with ways of preparing a binary message for transmission as text (known as "armor"), but

even this could be made use of in an elaborate fractionation scheme.

Because there are convenient ways to convert both letters and bits to a mix of symbols from a 3-element set and

from a 5-element set, as well as an efficient way to convert from bits to letters, intriguing possibilities suggest

themselves. An elaborate fractionation scheme combining the threads mentioned here together is described later.

Enciphering Digits

One interesting way to produce a mixed fractionation scheme comes from the fact that the square of any

triangular number is the same as the sum of the cubes of the consecutive numbers which, when added, produced

that triangular number!

Making use of that fact, and since 10 is a triangular number, one can construct a table like this:

0 1 2 3 4 5 6 7 8 9

0 AAA AAB AAC * -+- -++ aca acb acc acd

1 ABA ABB ABC --- +-- +-+ ada adb adc add

2 ACA ACB ACC --+ ++- +++ baa bab bac bad

3 BAA BAB BAC CAA CAB CAC bba bbb bbc bbd

4 BBA BBB BBC CBA CBB CBC bca bcb bcc bcd

5 BCA BCB BCC CCA CCB CCC bda bdb bdc bdd

6 aaa aba daa dab dac dad caa cab cac cad

7 aab abb dba dbb dbc dbd cba cbb cbc cbd

8 aac abc dca dcb dcc dcd cca ccb ccc ccd

9 aad abd dda ddb ddc ddd cda cdb cdc cdd

As 1 cubed is just 1, and 2 cubed is 8, these symbols make up only a very small part of the square table above,

and thus this part of the table is seldom used. One way to deal with that is to change the table, so that those 9

spaces are instead filled by two symbols from the ABC set of symbols.

0 1 2 3 4 5 6 7 8 9

0 AAA AAB AAC AA AB AC aca acb acc acd

1 ABA ABB ABC BA BB BC ada adb adc add

2 ACA ACB ACC CA CB CC baa bab bac bad

3 BAA BAB BAC CAA CAB CAC bba bbb bbc bbd

4 BBA BBB BBC CBA CBB CBC bca bcb bcc bcd

5 BCA BCB BCC CCA CCB CCC bda bdb bdc bdd

6 aaa aba daa dab dac dad caa cab cac cad

7 aab abb dba dbb dbc dbd cba cbb cbc cbd

8 aac abc dca dcb dcc dcd cca ccb ccc ccd

9 aad abd dda ddb ddc ddd cda cdb cdc cdd

9 8 2 7 0 1 6 4 3 5

-------------------

A T O N E S I R

2 B C D F G H J K L M

6 P Q U V W X Y Z . /

we can encipher a sample message in this scheme, just seriating across the whole message for simplicity (in

practice, one would want to do other things):

821151349699282492016093830202775667629882114898370 straddling checkerboard

d A B C c c b C d A a d d A A c b c d c d A b c b fractionation

c B C A d d a B d A a d c A A b d a a d c B c d b encoding

a B B B a d c a B a b b C C b a b a c a B c c b

For this example, I won't worry about enciphering the last digit of the message. Padding, or another

encipherment step might take care of that.

Now, I seriate the symbols from the ABC and the abcd sets independently, retaining the type of each pair of

digits, and thus the symbols are rearranged as follows, leading to enciphered digits:

d A B B c a c B d C a c d B C d b a c d d A a a a seriation

a B C B d d b A d A c b c B A b b b d a c A a b d

a C A A a c d c C d c a A B b c c c d c B b b b

621250409618791394350978824034733881986584017071170 reconversion

One could also leave all the "d" symbols in their place, and seriate only the "abc" and "ABC" symbols as though

case did not matter - but then convert either to capital or small letters so that the type of each two digit group is

kept the same. (Some care, of course, must be taken when developing a variation so that decipherment remains

possible.) That would produce the following result:

d C A A b b b C d B c d d A B c a c d b d A c c b seriation

a A A B d d a A d A b d c B A a d c a d a C c d b

b B A C a d b a A c c c A A b b b c c c C b b b

633400125659272392307894841030671787645864228797370 reconversion

and this method has its strengths, but also its weaknesses (mainly because the "d"s remain fixed).

Giant Playfair

Another technique I once described involved first using the straddling checkerboard to encipher a message as

digits, and then to use Playfair to encipher it. But instead of using the Playfair technique over a 5 by 5 square of

letters, one uses a 10 by 10 square containing digit pairs, like the following:

68 71 07 49 76 42 54 77 21 82

02 09 98 65 70 55 17 01 50 91

33 35 30 08 62 22 97 44 06 57

64 18 78 58 96 34 11 56 52 38

95 26 86 20 27 37 93 05 14 85

63 29 39 61 87 10 88 32 00 80

31 81 16 83 24 99 67 72 13 53

89 94 47 40 25 73 04 59 84 19

03 75 28 60 12 41 43 48 66 74

79 46 36 45 51 69 23 15 92 70

Thus, the four digits 2076 would encipher to 2749 with this square.

Next

Chapter Start

Skip to Next Section

Table of Contents

Main page

Home page

[Next] [Up] [Previous] [Index]

Armor

A number of methods are possible for converting binary bits to printable characters.

One of the simplest is to take five or six bits of binary data to select one of 32 or 64

characters. Other, more complicated schemes are possible, though.

If 85 characters can be used, then five characters are enough to represent four bytes of

random data. If 86 characters can be used, a simplified scheme can achieve the same

result, since 86 times 3 is 258, which is larger than 256. Assign not more than three of

the 256 possible values for a byte to each of the 86 allowed characters. Then, after

representing four bytes by one of those characters, one character from a set of 81 (3

times 3 times 3 times 3) can resolve which of the 256 byte values, or which of up to 3

values for the character given, is valid for each of the four bytes.

The problem of converting messages to text form for transmission over the Internet is,

of course, closely tied to the ASCII representation of characters. Here is a chart

showing the printable characters in ASCII in graphical form:

and here is an ASCII chart in text form, first just the control characters:

0 0

0 0

0 1

0000 NUL Null DLE Data Link Escape

0001 SOH Start of Header DC1 Device Control 1

0010 STX Start of Text DC2 Device Control 2

0011 ETX End of Text DC3 Device Control 3

0100 EOT End of Transmission DC4 Device Control 4

0101 ENQ Enquiry NAK Negative Acknowledge

0110 ACK Acknowledge SYN Synchronization

0111 BEL Bell ETB End of Transmission Block

1000 BS Backspace CAN Cancel

1001 HT Horizontal Tab EM End of Medium

1010 LF Line Feed SUB Substitute

1011 VT Vertical Tab ESC Escape

1100 FF Form Feed FS Field Separator

1101 CR Carriage Return GS Group Separator

1110 SO Shift Out RS Record Separator

1111 SI Shift In US Unit Separator

and now the entire 7-bit ASCII code, with only the abbreviations of the first 32 control

characters:

0 0 0 0 1 1 1 1

0 0 1 1 0 0 1 1

0 1 0 1 0 1 0 1

0000 NUL DLE 0 @ P ` p

0001 SOH DC1 ! 1 A Q a q

0010 STX DC2 " 2 B R b r

0011 ETX DC3 # 3 C S c s

0100 EOT DC4 $ 4 D T d t

0101 ENQ NAK % 5 E U e u

0110 ACK SYN & 6 F V f v

0111 BEL ETB ' 7 G W g w

1000 BS CAN ( 8 H X h x

1001 HT EM ) 9 I Y i y

1010 LF SUB * : J Z j z

1011 VT ESC + ; K [ k {

1100 FF FS , < L \ l |

1101 CR GS - = M ] m }

1110 SO RS . > N ^ n ~

1111 SI US / ? O _ o DEL Delete

The problem of transmitting data in ASCII text characters over the Internet is

complicated by the fact that some of the characters in ASCII do not have counterparts

in other data transmission codes used by some computers, such as the original version

of EBCDIC. Also, some character positions in 7-bit ASCII are used to represent

different characters in other countries. Thus, the characters in the same columns as the

letters are often used to represent accented letters; the symbol # is replaced in the

United Kingdom by the British pound sign.

In some transmissions over the Internet, a line beginning with a minus sign or hyphen

(-) runs the risk of being interpreted as a header line, indicating the MIME type of a

section of a document.

Of course, if one wishes to send a text by Morse Code, or over a 5-unit teletypewriter

link, the best way to do it would be to convert the binary data to letters from the 26-

letter alphabet, using no other characters.

I have worked out an elaborate and efficient scheme for doing this.

This scheme could also serve other purposes. Since a great many historical encryption

algorithms are aimed at the 26-letter alphabet, one could apply them to a text already

encrypted by modern methods in binary after such a conversion.

And there is an easy way to send a text composed only of uppercase letters over the

Internet efficiently, if a 78-character character set is possible. Take four letters: the first

can be encoded as three symbols from 1 to 3. Combine one such symbol with each

remaining letter to determine which character to use from a character set with 3 times

26 characters, which is 78 characters.

A section is also included here about the question of how to perform the special

processing required to end a message efficiently and securely when the length of the

original plaintext message isn't an integer number of blocks in size, whether those are

blocks used by a block cipher or blocks for the conversion process used to produce

armor for transmission. Also, since base conversion is discussed here, this spot seemed

as good as any to place a discussion of base conversion as it applies to random or

pseudorandom keystreams.

● Armor-Related Fractionation

● Tying up Loose Ends

● From 93 bits to 28 digits

● Keystream Base Conversion

● Message Blocking

● Optimized Morse Armor

Table of Contents

Main Page

[Next] [Up/Previous] [Index]

Cipher

This page is not complete. It is placed here now to reserve

space, to allow other changes to this section to take place.

Here is a short message, enciphered only by replacing each of its letters by a different letter on a

consistent basis:

NFVGX TYFWF EIFUS AXJJQ SJSNM QPMGS TJOTF IMLSS TYSJO

SLQSL LPLTF OYSHM MRSVO FP

The first step that would occur to many people would be to make use of the fact that some letters

are more common than others in English. E is the most common letter, and letters like J, Q, X,

and Z are quite rare.

And so, we count the letters in our message. This produces the following table of frequencies:

A E F G H I J L M N O P Q R S T U V W X Y

1 2 9 4 1 2 7 5 10 2 5 5 4 6 18 9 1 6 3 4 8

produced these frequencies:

B 88298 1.60 I 382552 6.92 P 102205 1.85 W 114048 2.06

C 152187 2.75 J 7112 0.13 Q 5841 0.11 X 12081 0.22

D 225040 4.07 K 33872 0.61 R 330126 5.97 Y 95514 1.73

E 711756 12.88 L 220858 4.00 S 351389 6.36 Z 3519 0.06

F 139985 2.53 M 141726 2.56 T 514613 9.31

G 103279 1.87 N 383526 6.94 U 156536 2.83

T 9.31 R 5.97 W 2.06 X 0.22

A 8.03 D 4.07 G 1.87 J 0.13

O 7.62 L 4.00 P 1.85 Q 0.11

N 6.94 U 2.83 Y 1.73 Z 0.06

I 6.92 C 2.75 B 1.60

S 6.36 M 2.56 V 0.99

18: S 7: J 3: W

10: M 6: R V 2: E I N

9: F T 5: L O P 1: A H U

8: Y 4: G Q X

Cipher: S M Y J W

---------

Plain: e t n i f

t e ffi e n ee nn t e ent t nt e i

n f e ii eie t t e i t ee nei

e e ne t t

Here, it looks like we've been luckier than we have a right to expect. With frequencies of 6.94

and 6.92 for N and I respectively, it isn't hard to imagine that I might be more common than N,

instead of N being more common than I, in the text of a particular message.

The combination t-e occurs three times from MGS, and once each from MQS and MLS, so it

seems reasonable to think that G stands for h. e-ent might be event, and -ffi-e might be office,

although it is actually hard to take seriously that W necessarily stands for f.

To make a good start on breaking a simple substitution, however, single-letter frequencies are

not enough. They might work for picking out the letters E and T in most cases, but more

information is available that can serve as a better guide.

We've seen that N and I have frequencies of 6.94 and 6.92 respectively. This is a very small

difference. But one is a consonant, and the other is a vowel. So we might expect them to behave

differently. And they do.

Next

Skip to Next Chapter

Table of Contents

Main page

[Next] [Up] [Previous] [Index]

Methods of Transposition

After looking at ciphers which can replace the letters of one's message by completely

different letters, a cipher that can't change any letters at all seems weak.

And, if your message might mention, or might not mention, someone with, say, a Q or

an X in his name, then a transposition cipher will indeed give that away, although one

could solve that by adding some garbage to the end of your message before encrypting

it. But transposition ciphers can be secure in themselves, and as well, transposition

methods are useful to know, since they can be mixed with substitution methods for a

more secure cipher.

The best known method of transposition, simple columnar transposition, works like

this:

Using a key word or phrase, such as CONVENIENCE, assign a number to each letter

in the word using this rule: the numbers are assigned starting with 1, and they are

assigned first by alphabetical order, and second, where the same letter appears twice,

by position in the word.

Then, write in the message under the keyword, writing across - but take out columns, in

numerical order, reading down. Thus:

C O N V E N I E N C E

1 10 7 11 3 8 6 4 9 2 5

---------------------------------

H E R E I S A S E C R

E T M E S S A G E E N

C I P H E R E D B Y T

R A N S P O S I T I O

N

produces

SSRO EEBT ETIA EEHS

Of course, it wouldn't be left with the spaces showing the columns that were used.

Decoding is harder - to read a message scrambled this way, you first have to count the

letters to determine, in this case, that there are 45 letters, and so the first column will

have five letters in it, and the other ones four, so that you know when to stop when

filling the letters in vertically to read them out horizontally.

Since the text being transposed is split into nearly regular divisions of almost equal

length, even double columnar transposition can be broken without recourse to multiple

anagramming: the use of several messages of the same length, enciphered in the same

key, to recover the transposition by matching together columns of letters that form

reasonable letter pairs.

a variant of columnar transposition that produces a different cipher:

C O N V E N I E N C E

1 10 7 11 3 8 6 4 9 2 5

---------------------------------

H

E R E I S A S E C R

E T M E S

S A G E E N C I

P H E R E D B Y T R A

N S P O S I T

I O N

produces

EMGEPN ANDI CT RTAHSO IEERO

Here, the first row is filled in only up to the column with the key number 1; the second

row is filled in only up to the column with the key number 2; and so on. Of course, one

still stops when one runs out of plaintext, so the eighth row stops short of the key

number 8 in this example. This method has the advantage of dividing the text being

transposed in a more irregular fashion than ordinary columnar transposition.

irregular have been used from time to time.

For example, during World War I, the French army used a transposition in which

diagonal lines of letters were read off before the rest of the diagram. Also, several

countries have used columnar transpositions in which several positions in the grid were

blanked out and not used.

in the VIC cipher can be illustrated here with the alphabet; first, knowing the number

of letters to be encrypted, the area to be filled is laid out, and then the triangular areas

on the right to be filled with plaintext last are marked out:

2 4 3 1 5

-----------

a b c d e

f g h i U

j k l V W

m n X Y Z

o p q r s

t

during the First World War.

A square grille, divided into a grid of squares, one-quarter of which are punched with

holes, is placed over a sheet of paper. The message is written on the paper through the

holes, and then the grille is rotated by 90 degrees, and then the message continues to be

written, as the grille is turned through all four possible positions.

The trick to designing such a grille is to divide the grille into quarters, numbering the

squares in each quarter so that as the grille is rotated, corresponding squares have the

same number. Then, choose one square with each number for punching.

In World War I, the Germans used turning grilles with an odd number of holes on each

side as well as with an even number; to do this, they marked the square in the centre,

which was always punched, with a black border to indicate it was only to be used in

one of the grille's positions.

Grid numbering:

1 2 3 4 5 16 11 6 1

6 7 8 9 10 17 12 7 2

11 12 13 14 15 18 13 8 3

16 17 18 19 20 19 14 9 4

5 10 15 20 X 20 15 10 5

4 9 14 19 20 19 18 17 16

3 8 13 18 15 14 13 12 11

2 7 12 17 10 9 8 7 6

1 6 11 16 5 4 3 2 1

Layout:

O - - O - O - - - 1 4 16

- - O - - - - - O 8 2

- O - - - - O - - 12 13

- - O - O - - O - 18 20 9

- - - - X - O - O X 15 5

- - - O - - - O - 19 17

O - - - - O - - - 3 14

- O - - O - - - O 7 10 6

- - O - - - - - - 11

Filling-in:

first position

T H I O - - O - O - - -

S I - - O - - - - - O

S A - O - - - - O - -

M E S - - O - O - - O -

S A G - - - - O - O - O

E T - - - O - - - O -

H A O - - - - O - - -

T I A - O - - O - - - O

M - - O - - - - - -

(this is a message that I am)

second position

t E h N i C - O - - O - - O -

s R Y i - - - O - O - - -

s P T a - - O - O - - - -

I m e N s O - - - - - O - -

G s a W g - - - O . - - O -

I e T t O - - - - O - - -

h H A a T - O - O - - - - O

t U i R a - - O - - - - O -

N m I O - - - - - O - -

(encrypting with a turni)

third position

t e h n i N c - - - - - - O - -

G s r G y R i O - - - O - - O -

s p I t a L - - - O - - - - O

i L m e E n s - O - - - O - - -

T O g s a w g O - O - . - - - -

i P e R t O t - O - - O - O - -

h h V a a I t - - O - - - - O -

D t u i E r a O - - - - - O - -

n m T H i I - - - O - O - - O

(ng grille to provide thi)

fourth position

t e S h n i n c I - - O - - - - - O

g L s r g y L r i - O - - - - O - -

U s p i t S a T l O - - - - O - O -

i l m R e e n s A - - - O - - - - O

t T o g s I a w g - O - - . O - - -

i p V e r t o t E - - O - - - - - O

h h v a E a X i t - - - - O - O - -

d t i A i M e r a - - - O - O - - -

n P m t L h i E i - O - - O - - O -

(s illustrative example)

REENS AITOG SIAWG IPVER TOTEH HVAEA

XITDT IAIME RANPM TLHIE I

There are two important uses of transposition which are connected with substitution

ciphers.

Transposition can be used to generate a scrambled order of the letters in the alphabet

for use as a substitution alphabet.

Transposition forms part of a fractionation cipher, where letters are divided into parts,

then the parts are put back together in a different order, belonging to different letters.

Next

Table of Contents

Main Page

Home Page

[Next] [Up] [Previous] [Index]

Improving Substitution

A cipher based on the use of a secret alphabet is not very secure; such ciphers are

presented as puzzles in crossword puzzle magazines. To achieve security it is

required to do something better.

possibilities suggest themselves. Originally, though, the new ideas came one at a

time, separated by hundreds or thousands of years.

bigger substitution. This is divided into several cases:

❍ Use several substitutes for each letter (homophonic substitution)

(polygraphic substitution)

❍ Replace common combinations of letters, or words, or phrases, by

● Instead of using the same set of substitutes all the time, change from one

secret alphabet to another as you encipher a message (polyalphabetic

substitution).

often converted from the letters, punctuation marks, digits, and other symbols

you find on a typewriter to the binary bits of ASCII. Before that, other

representations of text were used to substitute for the printed word, such as

Morse code. The ancient Greeks used the Polybius square for signalling, by

means of which each letter was represented by two groups of from one to five

signal fires.

If a letter can be broken up into smaller pieces for purposes of signalling, those

smaller pieces can also be used in a cipher. For example, one can take the letters

of a message apart into smaller pieces, transpose the smaller pieces, and then put

the pieces back together again into letters.

This is called fractionation, and is closely related to polygraphic substitution for

two reasons; one is that both deal with different sized units - parts of letters and

letters, or letters and pairs of letters - and the other is that fractionation is

sometimes used as a method of polygraphic substitution.

● Polygraphic Ciphers and Fractionation

❍ Playfair and its Relatives

● Polyalphabetic Substitution

Next

Skip to Next Section

Chapter Start

Table of Contents

Main Page

Home Page

[Next] [Up/Previous] [Index]

One of the earliest methods used to create ciphers stronger than simple substitution was to create

cipher tables which had more than one substitute for each letter, and which had additional

substitutes for names that would be commonly used. Because of the significance given to proper

names, these systems were called nomenclators.

Some of the early nomenclators were fairly unsophisticated; the substitutes for the letter B might

be the letter M or the digit 4, written in several distinctive styles - and then the substitutes for C

might be the letter N or the digit 5, again written in distinctive styles. Thus, a cryptanalyst

willing to try a simple guess would only need to solve a Caesar cipher - a simple substitution

where the alphabet is merely displaced instead of being thoroughly scrambled - instead of facing

the full problem of finding substitutes for the full set of symbols individually.

One ingenious modern method of producing a homophonic cipher, called the Grandpré cipher,

involves choosing ten ten-letter words, which can be ordered so that their first letters form an

eleventh ten-letter word, and which collectively include all 26 letters of the alphabet.

For example:

0 1 2 3 4 5 6 7 8 9

0 S T R A T I F I E D

1 U N D E R S T O O D

2 B A R K E N T I N E

3 M A J O R I T I E S

4 A S T R O L O G E R

5 R E E X A M I N E D

6 I N V E S T M E N T

7 N E G A T I V E L Y

8 E F F E R V E S C E

9 S Q U E E Z I N G S

The advantage it has, over a more routine type of homophonic table, for example:

0,3,8 4,7 9 1 5 2 6

1,2,7,8 E T A O I N S

0,4,5 H R D L U B C

3,9 M F G J K P Q

6 V W X Y Z

is that the multiple substitutes for each letter are not closely related.

The book The American Black Chamber, by Herbert Osborn Yardley, illustrated a cipher wheel

used by the Mexican Army which could be set up to produce a homophonic cipher with a key

that could be easily changed.

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

15 16 17 18 19 20 21 22 23 24 25 26 01 02 03 04 05 06 07 08 09 10 11 12 13 14

43 44 45 46 47 48 49 50 51 52 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42

61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 53 54 55 56 57 58 59 60

92 93 94 95 96 97 98 99 00 79 80 81 82 83 84 85 86 87 88 89 90 91

having four movable disks, one containing the two-digit pairs from 01 to 26, the second the

pairs from 27 to 52, the third the pairs from 53 to 78, the fourth the pairs from 79 to 99,

followed by 00 and four blank, unused spaces. The key consisted of the four two-digit pairs

aligned under the letter A, and the possible substitutes for any letter were the four (or possibly

three) two-digit pairs aligned under it. Obviously, the system would have been more secure had

the alphabet and the sequence of digit pairs been mixed.

The most important weakness of a homophonic system is that the person using it can become

lazy, and use the same substitute for a letter over and over, or use the substitutes in rotation,

rather than using them randomly.

Also, as many homophonic systems are devised by amateurs, they can have defects of one kind

or another. Helen Fouché Gaines in Elementary Cryptanalysis notes that Givierge, author of the

Cours de Cryptographie, described a homophonic system of the following kind:

E J G F D

O K M H S

P R W

---------

IT |a b c d e

AL |f g h i j

BQ |k l m n o

CN |p q r s t

u v x y z

---------

V X Y Z U

This is a type of straddling checkerboard, and we will meet a more elegant form of it later in the

section on fractionation. The word straddling refers to the fact that while most letters have a

two-letter group as their substitute, consisting of the letters indicating their row and column

(which may, incidentally, be taken in either order, as the alphabet has been split in half for this

purpose), five less-frequent letters represent each other. Thus, the presence of occasional one-

letter symbols is intended to complicate the problem for the cryptanalyst, making it difficult for

him to find out where the letter pairs that make up most of the message begin and end.

Although this cipher has many nice features, it does have a number of defects. Since the letters

that have only one letter as their substitute are, essentially, in a separate table, why use only a 25-

letter alphabet? Of course, in French, the letter W is so little used as almost not to be part of the

alphabet. But there are other defects.

● Although a group can begin with a letter from either half of the alphabet, the second letter

always has to be from the other half.

● Also, the second letter of a two-letter group can't be one of the five letters that represent

themselves, although since the first letter already indicates that there is a two-letter group,

that would not cause confusion.

Hence, this cipher omits a large number of two-letter substitutes which it could be making use

of. An improved design could be the following:

E J G F D b|M

O K U H S f|T

V W g|N

--------- p|R

IZ |r q l m x| DFOQTX v|P

AL |e u w h n| CJLNPWY y|Q

BY |c i k z a| AEGKUV

CX |o j t s d| BHIMRSZ

---------

E A C F G

I B H J L

P D O K M

Q T R N V

S U Z X W

Y

Here, six mid-frequency letters have single-letter substitutes, but these substitutes are drawn

from other letters in the alphabet.

The rest of the alphabet is divided into two halves, but once a letter is chosen to indicate either a

row or a column, the other co-ordinate of the plaintext letter is chosen from a set made from the

entire alphabet. Hence, if a letter on the left begins a two-letter group, it is ended with a letter

below; if a letter on the top begins a two-letter group, it is ended with a letter on the right.

Thus, the plaintext letter R can become ED, EO, OO, IQ, ZQ, or II.

As noted previously, the basic concepts of cryptography were slow to emerge. David Kahn's

book The Codebreakers illustrates the earliest known example of a cipher with homophones,

from the year 1401. It looked like this:

a b c d e f g h i k l m n o p q r s t u x y z

---------------------------------------------

Z y x D t s r q p o n l m k j h g f e d c b a

2 4 8 F

3 H 9 T

+ J L ~

where the capital letters stand for various special symbols (Z indicates a reverse script lowercase

z, F indicates an ff ligature, and J indicates the astrological symbol for Jupiter, for example).

To modern eyes, what is particularly striking about this cipher is that, even though the step of

improving on simple substitution by using multiple equivalents was taken, the basic cipher

alphabet itself is not thoroughly mixed, but instead varies only slightly from a simple reversed

alphabet.

Incidentally, the British publisher Hodder and Stoughton has an extensive series of books on

various subjects in a series called "Teach Yourself Books": particularly noteworthy in this series

are the instructional books for foreign languages, which the case of some languages are the only

readily available introductory book in print in English. (These are the books that used to have

yellow covers, but which changed to light blue covers some years back.) The book Codes and

Ciphers by Frank Higenbottam in this series, while a general introduction to the subject, is

distinguished by its uniquely extensive coverage of the topic of breaking messages enciphered

using nomenclators.

Next

Chapter Start

Skip to Next Section

Table of Contents

Home page

[Next] [Up] [Previous] [Index]

Instead of arbitrarily choosing a list of common words or syllables to give cipher

equivalents for, one might be able to achieve the same increased security another way,

by enciphering several letters at once using some simple system that handles all

possible combinations of two letters, or three letters.

Of course, one could just use a random list of all 676 possible combinations of two

letters, and this would give the maximum possible security for a system that handles

two letters at a time.

Or, one could even follow the lead of Giovanni Battista della Porta, and use a table

giving different symbols for every pair of letters:

This is a redrafting of the table of 400 symbols for the digraphs of a 20-character

alphabet given by Porta in his De Furtivis Literatum Notis. In the original, there are a

few typographical errors, leading to some duplicate symbols:

replacements for the first two were obvious, that for NG is somewhat arbitrary.

Naturally, since Porta was expressing the idea of a digraphic cipher in print for the first

time, he did so in a way that seems unsophisticated by modern standards.

The columns in Porta's diagram all contain characters related in shape. This makes it

easier to look up a symbol, but also gives away information. One way to retain the

advantage of easily finding a symbol, but without giving away information to the

cryptanalyst, is illustrated in the diagram above: have similar symbols arranged along

the diagonals of the diagram, and use mixed alphabets along the edges. While a

digraphic symbol cipher is something that isn't too practical, similar techniques have

been used for small code charts to make them practical and secure.

Systematic methods of enciphering several letters at once, without simply using a very

large table, will be outlined in what follows. Fractionation lends itself to many

complicated and bizarre developments, a few of which will be illustrated there.

Hopefully, all the examples that will be contained in the following pages will prove a

starting point from which you can let your imagination run wild.

pencil ciphers, because it is too complicated and prone to error. Two schemes that

actually were used, the ADFGX or ADFGVX cipher used by Germany in the First

World War, and the VIC cipher used by Reino Hayhanen while engaged in espionage

in the United States, involved substituting multiple symbols for each letter, and

transposing the letters or digits so obtained, but did not attempt to then reconstitute the

symbols back into letters.

Representing letters by five symbols from a set of two, or three symbols from a set of

three, has tended to be used mostly for steganography, as proposed by Bacon and

Trithemius. (That is, in the former case, if one does not count the use of the 5-level

code for teletypewriters.)

The Hagelin B-21 and its relatives also involved fractionation, combined with

polyalphabeticity but without transposition.

● The Bifid, the Trifid, and the Straddling Checkerboard

● Fractionated Morse, and Other Oddities

● The VIC Cipher

● Two Trigraphic Ciphers, and a Heptagraphic One

Next

Chapter Start

Skip to Next Section

Table of Contents

Main page

Home page

[Next] [Up/Previous] [Index]

Since 26 by 26 tables are awkward and bulky, and certainly impossible to memorize,

various systematic methods were developed to encipher more than one letter at a time.

Playfair

The most famous polygraphic system is, of course, the Playfair cipher, which works as

follows: given a 5 by 5 square, containing a jumbled alphabet, such as:

T X V H R

L K M U P

N Z O J E

C G W Y A

F B S D I

doing without one letter by some rule: i.e. if Q is omitted, as here, use KW to stand for

QU; or treat I and J, or U and V, as one letter.

Then, a pair of letters is converted to a ciphertext pair using one of three possible rules,

whichever one applies:

if the two letters are neither in the same row or the same column, replace each letter by

the one that is in its own row, but in the column of the other plaintext letter. Examples:

TI becomes RF, TW becomes VC, KA becomes PG, UB becomes KD, WX becomes

GV

T------>R T-->V H R

| K M U | | K | U P

| Z O J | | Z | J E

| G W Y | C<--W Y A

F<------I F B S D I

if the two letters are both in the same column, replace each one by the one below it,

wrapping around if necessary. Examples: VW becomes MS, TN becomes LC, TL

becomes LN, TF becomes LT, KB becomes ZX

T X V H R

L K M U P

N Z | J E

C G W Y A

F B S D I

it the two letters are both in the same row, replace each one by the one to the right of it,

wrapping around if necessary. Examples: TH becomes XR, KP becomes ML, NZ

becomes ZO.

T X---H R

L K M U P

N Z O J E

C G W Y A

F B S D I

Double letters aren't allowed within a single digraph, and must be split up by inserting

a letter used as a null (for example, an X) between them.

If the Playfair cipher is used on a computer, perhaps in combination with other ciphers,

it might be more convenient to make a rule for double letters, such as using the letter

that is both below and to the right of the plaintext letter, and also doubling it. Then, EE

would become CC.

Playfair has inspired some related bigraphic ciphers that, on the one hand, improve

security by involving multiple, unrelated alphabets, but on the other hand, are simpler

in that they use fewer rules than Playfair.

In the Four-Square cipher, two squares are used to find the two plaintext letters, and

two others are used to find the two ciphertext letters:

D W X Y M | E P T O L D W X Y M | E P T O L

R J E K I | C V I Y Z R J E K I | C V I Y Z

U V H P S | R M A G B U V H---------->M A G B

A L B Z N | F W J H S A L | Z N | F | J H S

G C O F T | U N D X K G C | F T | U | D X K

-----------|----------- ----|------|----|------

J T B U E | V I M A G J T | U E | V | M A G

Z H N D X | S W P O H Z H N<----------W P O H

L A F R G | U T Z K E L A F R G | U T Z K E

P M I Y C | N R D X Y P M I Y C | N R D X Y

V S K W O | B J L C F V S K W O | B J L C F

and the only rule for finding the substitute for a digraph is similar to the first rule given

for Playfair: the first letter is replaced by the letter in its row, and the second letter's

column, and so on. Thus, as the diagram above illustrates, HW becomes MN.

With only two squares, the first plaintext letter and the second ciphertext letter are

found in the square on the left, and if both plaintext letters are in the same row, each

one is replaced by the other letter. (Other rules are possible, as long as the result is a

pair of letters, the first from the square on the right, the second from the square on the

left, in the same row. For example, each letter could be replaced by the letter to the

right of, or below, the other letter in the other letter's own square.)

During World War II, several digraphic ciphers were used by the German armed

forces. All had the common feature that text was broken up by seriation before being

enciphered: that is, the message MORE TROOPS NEEDED HERE would be broken

up like this:

MORET NEEDE

ROOPS DHERE

While the seriation step is an essential part of some fractionation ciphers we will see

below, using it with a digraphic cipher has been questioned, since it allows the

cryptanalyst to pretend he is dealing with simple substitution with 26 homophones for

each letter, and therefore may make solution easier instead of harder.

worked at Bletchley Park during the war, the German army used a cipher in which the

digraphs were then enciphered using the two-square cipher. The German Navy used a

reciprocal table of digraphs, again after a seriation step, in what was called the

Dockyard cipher.

Jim Gillogly has noted that declassified NSA documents refer to another cipher of this

type, in which the digraphs were enciphered twice by means of the two-square cipher.

Since each letter enciphered the first time was then found in the square on the other

side for the second encipherment, the relation between plain and cipher digraphs was

much more complicated than in regular Playfair.

Next

Chapter Start

Skip to Next Section

Table of Contents

Main page

Home page

[Next] [Up] [Previous] [Index]

Checkerboard

The Bifid and Trifid ciphers

The first of the three rules for Playfair encipherment changes one two-letter group, or digraph, to

another by exchanging column co-ordinates. This suggests using row and column co-ordinates in a

more general fashion. Let's take the 5 by 5 square above, but number the rows and the columns, like

this:

1 2 3 4 5

---------

1) T X V H R

2) L K M U P

3) N Z O J E

4) C G W Y A

5) F B S D I

Then, another method of encipherment would be as follows: Divide a message into groups of letters of

a fixed length, say five letters, and write the row and then the column co-ordinate of each letter

beneath it, like this:

11555 52453 41312 35544 3

14535 33435 15513 53352 5

and then, going across within each group, read the numbers in order, and turn them, in pairs, into

letters: that is, read 11555 14535 52453 33435... and turn them into the letters corresponding to 11, 55,

51, 45, 35, 52, and so on.

T I F A E B A O J E C N L I V E D A O B E

This is the Bifid cipher of Delastelle, and the general principle of this form of cipher is called

seriation. This is one of the most secure pencil-and-paper ciphers that is still used by hobbyists as a

puzzle. It isn't hard to make this kind of cipher just a little bit more complicated, and thereby obtain

one that is genuinely secure. It belongs to the class of cipher methods known as fractionation, where

letters are divided into smaller pieces, or "fractions". Just as two symbols from 1 to 5 give 25 letters,

three symbols from 1 to 3 give 27 letters; and five binary bits provide a 32-character alphabet.

The Trifid, also due to Delastelle, is the analogous cipher using a 27-letter alphabet represented by

three symbols from 1 to 3:

A 112 & 122 Y 132 E 212 V 222 P 232 X 312 J 322 G 332

K 113 B 123 H 133 Q 213 R 223 S 233 I 313 F 323 D 333

to encipher a message by seriation like this:

3132321 1223223 1222132

2313132 3311212 2133131

1333331 2321321 1233222

which again is read off horizontally after being written in vertically, yielding a cipher message like

this:

I P B Z T D U

& J D A & T T

& Q O U C S V

Representing the letters as combinations of two groups of from one to five signal fires was originally

proposed by Polybius in his Histories, as being a general method of communications, unlike ones he

noted as being previously used that depended on a small list of pre-arranged messages. It looked like

this:

with the letters of the Greek alphabet placed on five numbered tablets, and each letter being numbered

on each tablet.

Other forms of dividing a character into smaller pieces, such as ASCII or Baudot, or Morse Code (to

be seen below) were also developed to allow communications over various types of channel, as were

the signal flags used by ships, to use an example of a different type.

Some ciphers actually used by Soviet spies used a square like this:

9 8 2 7 0 1 6 4 3 5

-------------------

A T O N E S I R

2 B C D F G H J K L M

6 P Q U V W X Y Z . /

Eight of the most common letters are translated to a single digit. The two digits not used in this way

begin two-digit combinations that stand for the remaining letters. This is an example of a variable

length code with the prefix property. When it is possible to tell, from the digits one has already seen of

a symbol, whether or not one needs to include the next digit in the symbol, then spaces between the

digits of a symbol are not needed, and this is what is known as the prefix property.

At one time, telephone numbers in North America had this property, because the middle digit of an

area code was always 0 or 1, and the first three digits of a regular telephone number, also known as

the exchange, never had 0 or 1 as the middle digit. Therefore, it was possible to dial 1 plus the seven-

digit number to make a long-distance call within one's own area code, since the first three digits could

not possibly be an area code. However, the increased need for more telephone numbers made it

necessary to abandon this rule, in January 1995 and therefore when dialing a long-distance call within

one's own area code, it is now still necessary to dial the area code. This method of dealing with the

increased demand for telephone numbers had the advantage that the number of digits in a telephone

number did not have to be increased, and this avoided problems with computer data-processing

systems that allocated the fixed minimum amount of space for a telephone number, as well as limiting

the amount of alteration needed for older telephone equipment.

In Britain, on the other hand, it was necessary to lengthen every telephone number by one digit, and

this was done by inserting the digit 1 in every number in the second position on a day called "phONE

day", April 16, 1995, although permissive dialing remained in effect until April 22, 2000. A number

of other countries also modified their systems of telephone numbers during roughly the same period;

Australia began in 1996, and Finland changed over its phone system on October 12, 1996.

Since in Morse code, a dot is the letter E, and a dash is the letter T, but other Morse code symbols also

begin with a dot or a dash, Morse code is a variable-length code that does not have the prefix property,

and so spaces are required between letters in Morse code.

Of course, the second digit of a two-digit combination could also have stood, by itself, for another

letter; but because when you start from the beginning and move forwards, there is no chance of

confusion, this is a workable and usable system.

Thus, the message SENDMONEY would become 4 1 0 22 25 7 0 1 66, or, rather, 41022 25701 66

because spaces to show where the letters begin are not needed; the first digit representing a letter

determines if its substitute is one or two digits long.

More complicated codes that work this way, using only the two binary digits 0 and 1, are used as a

form of data compression. The most famous variable-length prefix-property binary codes are the

Huffman codes; but this term only applies to such a code when symbols were assigned in it by a

specific algorithm, which has been proven to be optimal, within the limitations of only considering

single-symbol frequencies, and only using this kind of code: arithmetic coding, which doesn't work in

whole bits, can be more efficient. Before Huffman's proof, codes of that nature assigned in a different

fashion, which are known as Shannon-Fano codes, were the best known.

In one case, the VIC cipher used by Reino Hayhanen (the message in that cipher on microfilm, inside

a hollow nickel, was the background to the page introducing this section) the digits produced by a

straddling checkerboard were then subjected to a form of columnar transposition which was varied by

selecting triangular areas to be filled with plaintext last.

In other cases, after the message was converted to digits, encipherment similar to the Vigenère to be

described in the next section was performed. Since Vigenère is a form of addition, doing addition on

digits is easier for most people, without special equipment, than doing it on letters.

Next

Chapter Start

Skip to Next Section

Table of Contents

Main page

Home page

[Next] [Up] [Previous] [Index]

The VIC cipher is an intricate cipher issued by the Soviet Union to at least one of its

spies. It is of interest because it seems highly secure, despite being a pencil-and-paper

cipher. It was the cipher in which a message was written which was found on a piece of

microfilm inside a hollowed-out nickel by a newspaper boy in 1953. The workings of

this cipher were explained by Hayhaynen to FBI agents shortly after his defection to the

United States in 1957.

David Kahn described that cipher briefly in an article in Scientific American, and in full

detail in a talk at the 1960 annual convention of the American Cryptogram Association

which was later reprinted in his book Kahn on Codes.

The VIC cipher, which I will demonstrate here adapted to the sending of English-

language messages, begins with an involved procedure to produce ten pseudorandom

digits. The agent must have memorized six digits (which were in the form of a date), and

the first 20 letters of a key phrase (which was the beginning of a popular song) and must

think of five random digits for use as a message indicator.

Let the date be July 4, 1776, to give the digits 741776. (Actually, the Russians used their

customary form of dates, with the month second.) And let the random indicator group be

77651.

The first step is to perform digit by digit subtraction (without carries) of the first five

digits of the date from the indicator group:

77651

(-) 74177

---------

03584

The second step is to take the 20-letter keyphrase, and turn it into 20 digits by dividing it

into two halves, and within each half, assigning 1 to the letter earliest in the alphabet,

and so on, treating 0 as the last number, and assigning digits in order to identical letters.

Thus, if our keyphrase is "I dream of Jeannie with t", that step proceeds:

I D R E A M O F J E A N N I E W I T H T

6 2 0 3 1 8 9 5 7 4 1 6 7 4 2 0 5 8 3 9

The result of the first step is then expanded to ten digits through a process called chain

addition. This is a decimal analog of the way a linear-feedback shift register works:

starting with a group of a certain number of digits (in this case five, and later we will do

the same thing with a group of ten digits), add the first two digits in the group together,

take only the last digit of the result and append it to the end of the group, then ignore the

first digit, and repeat the process.

The 10 digit result is then added, digit by digit, ignoring carries, to the first 10 digits

produced from the keyphrase to produce a ten-digit result, as follows:

6 2 0 3 1 8 9 5 7 4

(+) 0 3 5 8 4 3 8 3 2 7

-----------------------

6 5 5 1 5 1 7 8 9 1

And these 10 digits are then encoded by encoding 1 as the first of the 10 digits produced

from the second half of the keyphrase, 2 as the second, up to 0 as the tenth.

using code: 1 2 3 4 5 6 7 8 9 0

1 6 7 4 2 0 5 8 3 9

6 5 5 1 5 1 7 8 9 1

becomes 0 2 2 1 2 1 5 8 3 1

This ten digit number is used by chain addition to generate 50 pseudorandom digits for

use in encipherment:

0 2 2 1 2 1 5 8 3 1

---------------------

2 4 3 3 3 6 3 1 4 3

6 7 6 6 9 9 4 5 7 9

3 3 2 5 8 3 9 2 6 2

6 5 7 3 1 2 1 8 8 8

1 2 0 4 3 3 9 6 6 9

The last row of these digits (which will still be used again) is used like the letters in a

keyword for transposition to produce a permutation of the digits 1 through 9 (with 0 last

again):

1 2 0 4 3 3 9 6 6 9

---------------------

1 2 0 5 3 4 8 6 7 9

and those digits are used as the top row of numbers for a straddling checkerboard:

1 2 0 5 3 4 8 6 7 9

-------------------

A T O N E S I R

-------------------

0 B C D F G H J K L M

8 P Q U V W X Y Z . /

One detail omitted is that the checkerboard actually used had the letters in the bottom

part written in vertical columns with some columns left until the end. That doesn't work

as well in an English example, as there are only two left-over spaces after the alphabet.

We are pleased to hear of your success in establishing your false identity. You will be

sent some money to cover expenses within a month.

834194810741640025044195058858096800202466734621010776047303

88580905107647004327288885808370707014643265094095348825025

854948481436468372047310953204

For the sake of our example, we will give our agent a small personal number of 8. This

number is used to work out the widths of the two transposition tableaux used to

transpose the numbers obtained above. The last two unequal digits, which in this case are

the last two digits (6 and 9) of the last row of the 50 numbers generated above, are added

to the personal number with the result that the two transpositions will involve 8+6, or 14,

and 8+9, or 17, columns respectively.

The keys for those two transpositions are taken by reading out the 50 numbers by

columns, using the 10 digits used to generate them as a transposition key. Again, 0 is

last, so given the table above:

0 2 2 1 2 1 5 8 3 1

---------------------

2 4 3 3 3 6 3 1 4 3

6 7 6 6 9 9 4 5 7 9

3 3 2 5 8 3 9 2 6 2

6 5 7 3 1 2 1 8 8 8

1 2 0 4 3 3 9 6 6 9

Our first transposition uses the first 14 digits as the key of a conventional simple

columnar transposition:

36534693233928

--------------

83419481074164

00250441950588

58096800202466

73462101077604

73038858090510

76470043272888

85808370707014

64326509409534

88250258549484

81436468372047

3109532049

Since our message consisted of ten rows of 14 digits, plus one extra row of 9 digits, it is

149 digits long. At this initial stage, one null digit is appended to the message, making it

150 digits long, so that it will fill a whole number of 5-digit groups.

Thus, with the null digit added, it gives us the intermediate form of the message:

75079700479 4027027992 90628086065 42040483240 30833654811

44818035243 4864084447 84005470562 1546580540

The fact that our message is 150 digits long was important to note, since the next step in

the encipherment, although it is also a columnar transposition, includes an extra

complexity to make the transposition irregular, and so it is necessary to lay out in

advance the space that will be used in that transposition.

The remaining 17 digits of the 31 we read out above, 9 47352 36270 39813 4, are the

key for this second transposition. The numbers, in addition to indicating the order in

which the columns are to be read out, indicate where triangular areas start which will be

filled in last.

The first triangular area starts at the top of the column which will be read out first, and

extends to the end of the first row. It continues in the next row, starting one column later,

and so on until it includes only the digit in the last column. Then, after one space, the

second triangular area starts, this time in the column which will be read out second.

Since we know that our message is 150 digits long, we know that it will fill 8 rows of 17

digits, with 14 digits in the final row. This lets us fill in the transposition block, first

avoiding the triangular areas:

94735236270398134

-----------------

09200274534686

018138480577786

8831596370253911

01830988075079700

47940

270279

9290628

08606542

040483240

94735236270398134

-----------------

09200274534686308

01813848057778633

88315963702539116

01830988075079700

47940548114481803

27027952434864084

92906284478400547

08606542056215465

04048324080540

03100846 918177284 83603475 035007668 483882424 283890960

350713758 689914050 008042900 873786014 472544860

The last digit, 6, in the date shows that the indicator group is to be inserted in the final

message as the sixth group from the end, so the message in the form in which it will be

transmitted becomes:

36178 05428 99592 53507 01440 00113 42004 74684 58426 75048

42503 10084 69181 77284 83603 47503 50076 68483 88242 42838

90960 35071 37586 89914 05000 77651 80429 00873 78601 44725

44860

Chapter Start

Skip to Next Section

Table of Contents

Main page

Home page

[Next] [Up] [Previous] [Index]

Playfair for Three

Based on the Playfair cipher, I once thought of a way to make a cipher that worked on groups of three

letters.

T X V H R

L K M U P

N Z O J E

C G W Y A

F B S D I

● If all three letters are the same, replace them by three repetitions of the letter diagonally below

and to the right of that letter. Thus: MMM becomes JJJ in the square above. Below, and to the

right, are always interpreted cyclically, so DDD becomes RRR, and PPP becomes NNN, and

even III becomes TTT.

● If two of the letters are the same, encipher the two letters as if they were part of a digraph to be

enciphered with Playfair.

❍ If the two letters are in the same row, replace each one with the letter to its right. Thus:

❍ If the two letters are in the same column, replace each one with the letter below it. Thus:

❍ If the two letters are neither in the same row nor the same column, replace each letter

with the letter that is in its own row, but in the column of the other letter. Thus: BOO

becomes SZZ, MIM becomes PSP.

● When all three letters are different, follow these rules:

❍ If all three letters are in the same row, replace each one with the letter to its right. Thus,

❍ If all three letters are in the same column, replace each one with the letter below it.

❍ If two letters are in the same row, and one of those two is in the same column as the

third letter, replace the letter that is in the same row as one other letter and the same

column as the other other letter with the letter that is in the same column as the letter

with which it shares a row, and in the same row as the letter with which it shares a

column. Replace the two other letters by each other. Thus, YUK becomes KGY, WVY

becomes HYV, POE becomes OPM, GAP becomes PKG.

❍ If two letters are in the same column, but the third letter is neither in that column nor in

the same row as either of those two letters, replace each letter by the letter which is in

its own row, but in the other column used by the three letters. Thus, TCO becomes

VWN, TAN becomes RCE, HUG becomes XKY.

❍ If two letters are in the same row, but the third letter is neither in that row nor in the

same column as either of those two letters, replace each letter by the letter which is in

its own column, but in the other one of the two rows used by the letters. Thus, NED

becomes FIJ, GAS becomes BIW, LOP becomes NME.

❍ If no two letters share either a row or column, each letter is replaced by the letter in its

own row, but in the column of the next letter of the trigram, the first letter being the

'next letter' for the last one. Thus, TOY becomes VJC, LOB becomes MZF, GET

becomes ANX.

Note that since a trigram with repeated letters always enciphers to a trigram with repeated letters, one

could use a separate square for each of the three possibilities, or even just use an arbitrary substitution

alphabet for the case of three identical letters.

If one uses a substitution where each letter of a 27-letter alphabet is replaced by three digits from 1 to

3, then the obvious method of constructing a trigraphic cipher from this is to write the equivalents of

the three letters in by columns and take them out by rows; thus, with the alphabet

A 112 & 122 Y 132 E 212 V 222 P 232 X 312 J 322 G 332

K 113 B 123 H 133 Q 213 R 223 S 233 I 313 F 323 D 333

T H E

3 1 2 X

2 3 1 L

1 3 2 Y

For 26 Letters

Let's imagine that we want to have a method that doesn't require, as the original Playfair did, inserting

a letter like X into the plaintext when a double letter occurs; we want something that can be applied

mechanically to any arbitrary input text. This would make it suitable for use as a step in encryption

performed by a computer.

For the cipher derived from Playfair, the structure of the rules provides a clue. When the extra letter

turns up, ignore it for encryption, but place it in the ciphertext without alteration, and treat two

remaining letters, if they are different, as in regular Playfair, and a single remaining letter (or two

identical remaining letters) as if they were three identical letters.

How, though, can we possibly make the cipher which requires a 27-letter alphabet work with only 26

letters?

First, choose a substitution table such that the unused letter, &, is represented by the code 333.

X 112 J 122 I 132 C 212 A 222 K 232 Y 312 T 322 V 332

H 113 M 123 O 133 S 213 Z 223 L 233 E 313 N 323 & 333

Now then, any combination that does not contain an ampersand, but which produces a combination

that does contain one, will have produced a combination that, when enciphered again, doesn't contain

an ampersand.

L O G S & G

2 1 3 S 2 3 3 L

3 3 3 & 1 3 3 O

3 3 1 G 3 3 1 G

That appears to be a trivial consequence of the fact that this cipher is reciprocal.

Since an ampersand is represented by the code 333, however, that means that whether or not a square

produces an ampersand depends only on the positions of the 3s in that square; the other two digits, 1

and 2, are irrelevant. Thus, we can do better than leaving trigrams which encipher to combinations

including an ampersand unenciphered.

Between the two encipherments, we can apply a substitution to the letters of the first result, as long as

that substitution leaves the 3s unchanged. Since this substitution operates perpendicular to the

plaintext and the ciphertext, the cipher still mixes the letters of the trigram together in this case.

111 212 113 123 131 232 311 321 133 233

112 122 123 223 132 231 312 311 233 133

121 211 213 113 231 131 321 322 313 313

122 221 223 213 232 132 322 312 323 323

211 121 331 332

212 222 332 331

221 111

222 112 333 333

L O G H & V

2 1 3 S 213 -> 113 (H) 1 3 3 O

3 3 3 & 333 -> 333 (&) 1 3 3 O

3 3 1 G 331 -> 332 (V) 3 3 2 V

Heptagraphic encryption

Having now obtained two trigraphic ciphers which both operate on trigrams of the 26-alphabet, but

which operate on different principles, one is immediately tempted to combine them to create a cipher

which will be much stronger than either one alone.

One way to do this is simply to apply both in sequence. However, inspired by recently encountering

the polymorphic block ciphers of Kostadin Bajalcaliev, I have thought of a more elaborate way of

doing this.

Let us encipher a block of seven letters at a time. Three letters are enciphered trigraphically by one of

the two systems given above, and the next three are enciphered using the other system. The seventh

letter is used to indicate which system is used.

from 1 2 3 4 5 6 7

to 4 7 1 2 3 5 6

Since it seems wasteful to leave a letter unenciphered just to use it as the source of one bit of

information, that letter could also be used to choose between twelve possibilities: there could be three

different sets of tables for one of the block ciphers, and four different sets of tables for the other. For

the one based on Playfair, it is not even necessary that the omitted letter be the same for each set of

tables.

Nonagraphic Encryption

Of course, with two different trigraphic ciphers, performing some sort of transposition between

applying them is another way to produce a very strong cipher.

Just as the trigraphic cipher based on a 27-character alphabet places digits in a square by columns, and

takes them out by rows, one could encrypt nine letters at a time by placing them in a square array, and

encrypting first the columns by one cipher, and then the rows by the other. One could even do that

twice, inspired by Square, the predecessor of Rijndael, the new Advanced Encryption Standard.

Chapter Start

Skip to Next Section

Table of Contents

Main page

Home page

[Next] [Up] [Previous] [Index]

Polyalphabetic Substitution

The idea of using substitution ciphers that change during the course of a message was a very important step forwards in

cryptography. David Kahn's book, The Codebreakers, gives a full account of the origins of this idea during the Italian

Renaissance.

The earliest form of polyalphabetic cipher was developed by Leon Battista Alberti by 1467. His system involved writing the

ciphertext in small letters, and using capital letters as symbols, called indicators, to indicate when the substitution changes,

now and then through a message. The plaintext alphabet on his cipher disk was in order, and included the digits 1 through 4

for forming codewords from a small vocabulary.

Subsequently, more modern forms were devised, which change the substitution for each letter:

● A progressive-key system, where keys are used one after the other in normal order. This was first published

posthumously, in a book by Johannes Trithemius that appeared in 1518. The key ABCD...Z was used with regular

alphabets in the form depicted therein.

● A keyword indicating the alphabets to use in turn. Although this system is what is called the Vigenère, it originated

with Giovan Batista Belaso in 1553. In 1563, Giovanni Battista Porta added the use of mixed alphabets to this system.

● The autokey system, where a key starts the choice of alphabet, but the message itself determines the alphabets to use

for later parts of the message. Although an unusable form of this was first proposed by Girolamo Cardano, it was

Blaise de Vigenère who proposed the modern form of the autokey cipher in 1585.

The following compact table provides 26 alphabets, each labelled with a letter of the alphabet:

B C D E F ZABCDEFGHIJKLMNOPQRSTUVWXY

G H I J K UVWXYZABCDEFGHIJKLMNOPQRST

L M N O P PQRSTUVWXYZABCDEFGHIJKLMNO

Q R S T U KLMNOPQRSTUVWXYZABCDEFGHIJ

V W X Y Z FGHIJKLMNOPQRSTUVWXYZABCDE

B G L Q V ABCDEFGHIJKLMNOPQRSTUVWXYZ

C H M R W BCDEFGHIJKLMNOPQRSTUVWXYZA

D I N S X CDEFGHIJKLMNOPQRSTUVWXYZAB

E J O T Y DEFGHIJKLMNOPQRSTUVWXYZABC

F K P U Z EFGHIJKLMNOPQRSTUVWXYZABCD

The A alphabet isn't shown, since in that alphabet, every letter stands for itself, and so, if nothing is done, nothing need be

looked up in the table. For any other alphabet, use the letter indicating the alphabet to find a row among the top five, and a

row among the bottom five; using those two rows, the upper row stands for plaintext, the lower for cipher.

Thus, for alphabet Q, the top row begins KLMNO... and the bottom row begins ABCDE..., and so K becomes A, Q becomes

G, and A becomes Q in that alphabet.

If you think of A as standing for zero, B for 1, up to Z for 25, this particular set of alphabets is nothing more than the modulo

26 addition of the plaintext and the key to obtain the ciphertext. Circular disks or sliding scales can be used to carry out the

addition. This, perhaps, can be more easily seen if we exhibit the Vigenère tableau in full, accompanied by the table for

modulo-26 addition:

|ABCDEFGHIJKLMNOPQRSTUVWXYZ | 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18

19 20 21 22 23 24 25

-+-------------------------- --

+-----------------------------------------------------------------------------

A|ABCDEFGHIJKLMNOPQRSTUVWXYZ 0| 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18

19 20 21 22 23 24 25

B|BCDEFGHIJKLMNOPQRSTUVWXYZA 1| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19

20 21 22 23 24 25 0

C|CDEFGHIJKLMNOPQRSTUVWXYZAB 2| 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20

21 22 23 24 25 0 1

D|DEFGHIJKLMNOPQRSTUVWXYZABC 3| 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21

22 23 24 25 0 1 2

E|EFGHIJKLMNOPQRSTUVWXYZABCD 4| 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22

23 24 25 0 1 2 3

F|FGHIJKLMNOPQRSTUVWXYZABCDE 5| 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23

24 25 0 1 2 3 4

G|GHIJKLMNOPQRSTUVWXYZABCDEF 6| 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24

25 0 1 2 3 4 5

H|HIJKLMNOPQRSTUVWXYZABCDEFG 7| 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

0 1 2 3 4 5 6

I|IJKLMNOPQRSTUVWXYZABCDEFGH 8| 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 0

1 2 3 4 5 6 7

J|JKLMNOPQRSTUVWXYZABCDEFGHI 9| 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 0 1

2 3 4 5 6 7 8

K|KLMNOPQRSTUVWXYZABCDEFGHIJ 10|10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 0 1 2

3 4 5 6 7 8 9

L|LMNOPQRSTUVWXYZABCDEFGHIJK 11|11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 0 1 2 3

4 5 6 7 8 9 10

M|MNOPQRSTUVWXYZABCDEFGHIJKL 12|12 13 14 15 16 17 18 19 20 21 22 23 24 25 0 1 2 3 4

5 6 7 8 9 10 11

N|NOPQRSTUVWXYZABCDEFGHIJKLM 13|13 14 15 16 17 18 19 20 21 22 23 24 25 0 1 2 3 4 5

6 7 8 9 10 11 12

O|OPQRSTUVWXYZABCDEFGHIJKLMN 14|14 15 16 17 18 19 20 21 22 23 24 25 0 1 2 3 4 5 6

7 8 9 10 11 12 13

P|PQRSTUVWXYZABCDEFGHIJKLMNO 15|15 16 17 18 19 20 21 22 23 24 25 0 1 2 3 4 5 6 7

8 9 10 11 12 13 14

Q|QRSTUVWXYZABCDEFGHIJKLMNOP 16|16 17 18 19 20 21 22 23 24 25 0 1 2 3 4 5 6 7 8

9 10 11 12 13 14 15

R|RSTUVWXYZABCDEFGHIJKLMNOPQ 17|17 18 19 20 21 22 23 24 25 0 1 2 3 4 5 6 7 8 9

10 11 12 13 14 15 16

S|STUVWXYZABCDEFGHIJKLMNOPQR 18|18 19 20 21 22 23 24 25 0 1 2 3 4 5 6 7 8 9 10

11 12 13 14 15 16 17

T|TUVWXYZABCDEFGHIJKLMNOPQRS 19|19 20 21 22 23 24 25 0 1 2 3 4 5 6 7 8 9 10 11

12 13 14 15 16 17 18

U|UVWXYZABCDEFGHIJKLMNOPQRST 20|20 21 22 23 24 25 0 1 2 3 4 5 6 7 8 9 10 11 12

13 14 15 16 17 18 19

V|VWXYZABCDEFGHIJKLMNOPQRSTU 21|21 22 23 24 25 0 1 2 3 4 5 6 7 8 9 10 11 12 13

14 15 16 17 18 19 20

W|WXYZABCDEFGHIJKLMNOPQRSTUV 22|22 23 24 25 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14

15 16 17 18 19 20 21

X|XYZABCDEFGHIJKLMNOPQRSTUVW 23|23 24 25 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

16 17 18 19 20 21 22

Y|YZABCDEFGHIJKLMNOPQRSTUVWX 24|24 25 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

17 18 19 20 21 22 23

Z|ZABCDEFGHIJKLMNOPQRSTUVWXY 25|25 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17

18 19 20 21 22 23 24

And, of course, instead of the modulo-26 addition table for our 26-letter alphabet, a Vigenere

table can be constructed for any alphabet. Thus, modulo-24 addition would be used for the

Greek alphabet, modulo-32 addition for the Russian alphabet, or, as shown in the picture at

left, modulo-22 addition for the Hebrew alphabet. Here, the table is written from right to left, in

the same direction as normally used for Hebrew writing.

The message "Wish you were here" can be encrypted by the three possible methods, using SIAMESE as the keyword:

Straight keyword:

Message: WISHYOUWEREHERE

Key: SIAMESESIAMESES

Cipher: OQSTCGYOMRQLWVW

Progressive key:

Message: WISHYOUWEREHERE

Key: SIAMESETJBNFTFU

Cipher: OQSTCGYPNSRMXWY

Autokey:

Message: WISHYOUWEREHERE

Key: SIAMESEWISHYOUW

Cipher: OQSTCGYSMJLFSLA

For the progressive key, the keyword, followed by the keyword advanced one position at a time through the alphabet, is

used. Just using ABCDEF... as the key would not have been unique enough to serve as a real cipher.

The table shown here can be thought of as a table for the addition of letters, which is equivalent to addition modulo 26,

where A stands for 0, B stands for 1, continuing on to Z, which would stand for 25.

The plain keyword system can be solved by the Kasiski method; look for repeated sequences of letters in a message, and

count the number of letters between them. From this, it is easy to spot common factors, and determine the length of the

keyword used. This lets one sort the letters into the ones enciphered with the same alphabet. If normal alphabets are used,

looking at the profile of the frequency count makes solution trivial.

For the other two methods, elementary cryptanalysis only allows solution for normal (or at least known) alphabets. The

progressive key case can be made to yield its period if one looks not for repeated letters, but for repeated distances in the

alphabet between adjacent letters; this subtracts out the slow movement of the keyword through the alphabet. The autokey

can basically be solved by brute-force trial on the length of its starting keyword. Of course, these systems can still be solved

with mixed alphabets, but more advanced methods are needed, involving statistics or multiple messages with the same key.

In addition to using mixed alphabets for greater security, there are other systems of historical importance.

The Gronsfeld, which added a numeric key to the plaintext, meant that there were only ten possible equivalents for each

letter, but was easier to do by hand without a table or slide or disk. The Porta system used a smaller table; the first half of the

alphabet was stationary while the second half moved, and equivalents for letters in each half of the alphabet were found in

the other half.

The table for the Porta system (converted to the modern 26-letter alphabet) is as follows:

ABCDEFGHIJKLM

-------------

AB |NOPQRSTUVWXYZ

CD |OPQRSTUVWXYZN

EF |PQRSTUVWXYZNO

GH |QRSTUVWXYZNOP

IJ |RSTUVWXYZNOPQ

K KL |STUVWXYZNOPQR

e MN |TUVWXYZNOPQRS

y OP |UVWXYZNOPQRST

QR |VWXYZNOPQRSTU

ST |WXYZNOPQRSTUV

UV |XYZNOPQRSTUVW

WX |YZNOPQRSTUVWX

YZ |ZNOPQRSTUVWXY

The Gronsfeld, and, even more easily, the Porta, because they only allow some letters, but not others, as equivalents for any

given plaintext letter, can be attacked through this weakness.

In attempting to devise a cipher that, like the Gronsfeld, lends itself to mental arithmetic, I used (for the English alphabet)

the method of representing numbers as letters that was used by the ancient Hebrews and the ancient Greeks:

A 1 J 10 S 100

B 2 K 20 T 200

C 3 L 30 U 300

D 4 M 40 V 400

E 5 N 50 W 500

F 6 O 60 X 600

G 7 P 70 Y 700

H 8 Q 80 Z 800

I 9 R 90

a) If the plaintext and key letters are in the same column, they are added:

L (30) + J (10) = M (40)

b) If the plaintext and key letters are in two different columns, their nonzero digits are added, and the letter in the third

column which contains neither key nor plaintext containing the sum is taken:

W (500) + K (20) = G (7)

If we had a 27-letter alphabet, we would only have to add that when the sum is greater than 9, subtract 9 (in the appropriate

digit place):

For the 26-letter alphabet, it's easy to modify rule (a): if the two letters are in the third column, subtract 800 instead of 900.

Rule (b) is modified in this way: always subtract 9; if the cipher letter and the key letter produce 900 as the result, use

instead the letter that would be produced by enciphering a letter with the value 900 with the key letter. Since there is no letter

with that value, when one is produced by deciphering, decipher 900 with the key to get the true plaintext letter.

Plaintext

ABCDEFGHI JKLMNOPQR STUVWXYZ

----------------------------

A|BCDEFGHIA TUVWXYZJS KLMNOPQR

B|CDEFGHIAB UVWXYZKST LMNOPQRJ

C|DEFGHIABC VWXYZLSTU MNOPQRJK

D|EFGHIABCD WXYZMSTUV NOPQRJKL

E|FGHIABCDE XYZNSTUVW OPQRJKLM

F|GHIABCDEF YZOSTUVWX PQRJKLMN

G|HIABCDEFG ZPSTUVWXY QRJKLMNO

H|IABCDEFGH QSTUVWXYZ RJKLMNOP

I|ABCDEFGHI STUVWXYZR JKLMNOPQ

K|UVWXYZBST LMNOPQRJK CDEFGHIA

L|VWXYZCSTU MNOPQRJKL DEFGHIAB

K M|WXYZDSTUV NOPQRJKLM EFGHIABC

e N|XYZESTUVW OPQRJKLMN FGHIABCD

y O|YZFSTUVWX PQRJKLMNO GHIABCDE

P|ZGSTUVWXY QRJKLMNOP HIABCDEF

Q|HSTUVWXYZ RJKLMNOPQ IABCDEFG

R|STUVWXYZI JKLMNOPQR ABCDEFGH

T|LMNOPQRJK CDEFGHIAB UVWXYZST

U|MNOPQRJKL DEFGHIABC VWXYZSTU

V|NOPQRJKLM EFGHIABCD WXYZSTUV

W|OPQRJKLMN FGHIABCDE XYZSTUVW

X|PQRJKLMNO GHIABCDEF YZSTUVWX

Y|QRJKLMNOP HIABCDEFG ZSTUVWXY

Z|RJKLMNOPQ IABCDEFGH STUVWXYZ

This table is slightly imperfect. For each of the first eighteen letters in the alphabet, when they occur in the plaintext, there is

one letter that no key letter will cause to be its ciphertext equivalent, and there is another letter that will be that plaintext

letter's ciphertext equivalent for two different key letters. However, although imperfect, it is less so than the Gronsfeld

cipher, and so the system might be of some use (although just converting to digits with a straddling checkerboard achieves

the same goal, of simplifying applying a key, without any imperfections, and considerably more simply).

It is, however, more important to recognize the names of two other systems. If Vigenère can be thought of as plaintext + key

= cipher, Beaufort amounts to key - plaintext = cipher. Since cipher = key + plaintext, Beaufort, like Porta, is reciprocal: the

same steps exactly will both encipher and decipher. Variant Beaufort is plaintext - key = cipher, and is the same as

deciphering for Vigenère.

Slides and disks are often used for the Vigenère and other polyalphabetic ciphers, particularly mixed-alphabet Vigenère.

Helen Fouché Gaines' Elementary Cryptanalysis gives a classification of mixed alphabet slides into four types:

● Type 2: Plain plaintext alphabet, mixed cipher alphabet.

● Type 3: The same mixed alphabet for plain and cipher.

● Type 4: Different mixed plain and cipher alphabets.

● Type 0a: Plain plaintext alphabet, reversed cipher alphabet.

● Type 1: Mixed plaintext alphabet, plain cipher alphabet.

● Type 2: Plain plaintext alphabet, mixed cipher alphabet.

● Type 3: The same mixed alphabet for plain and cipher.

● Type 3a: Mixed plaintext alphabet, the same alphabet in reverse for cipher.

● Type 4: Different mixed plain and cipher alphabets.

A slide of type 0a produces a reciprocal cipher, and can be used for Beaufort. The mechanical equivalent of such a slide is an

element of a Hagelin machine.

The Type 1 slide is more easily cryptanalyzed than the Type 2 or above slides since once the different alphabets have been

determined by discovering the period of the cipher by the Kasiski method (looking for repeated digrams, trigrams and above,

noting the distance between them, and looking for a common factor to most of the distances, giving greater weight to longer

repetitions) the frequency counts can be lined up, since they are displaced along the cipher slide, which in this case has the

known regular alphabet along it.

Even in the mixed-alphabet case, once the period is found, letter frequencies and bigram frequencies can be used to read the

message. For a frequent letter, whether only a few letters, or a wide variety of letters, appear before or after that letter helps

to identify whether the letter is a vowel or a consonant, or to determine exactly which letter it is.

When some alphabets are partly reconstructed, if you know that the alphabets have been produced by a slide, even one with

two mixed alphabets, there are certain logical inferences that you may be able to make that will obtain the values of

additional letters. This technique is known as symmetry of position.

Let us suppose that we know that the plaintext letters E and N become, in one alphabet, the ciphertext letters P and Q, and in

another alphabet the ciphertext letters K and V.

Since the distance between the letters E and N on the slide with the scrambled plaintext alphabet does not change, even

though it is unknown, we know from this that the letters P and Q are the same distance apart on the ciphertext slide as the

letters K and V are.

And since one goes from one alphabet generated by a slide to another by moving one of the alphabets a certain distance, one

also knows that the two equivalents for E, the letters P and K on the ciphertext slide, are the same distance apart as Q and V.

Of course, these two facts are really consequences of one another: since P-Q = K-V, then it must also be true that P-K = Q-

V, where P, Q, K, and V are now standing for unknowns in modulo-26 arithmetic.

In any event, if we then find that in a third alphabet, the plaintext letters R and T become the ciphertext letters P and K,

respectively, and if we are fortunate enough to have an alphabet in which R becomes Q, we can then conclude that T will

become V in that alphabet.

Later, when at least two alphabets are almost completely reconstructed, it may be possible to work out what alphabets were

present on the slide that generated them. This can help in continuing the solution, or in reading future messages.

QWERTYUIOPASDFGHJKLZXCVBNM abcdefghijklmnopqrstuvwxyz

BOXWITHFVEDZNLQURJGSPACKMY dkanxlqufrjgymvebwzihcopts

QWERTYUIOPASDFGHJKLZXCVBNM abcdefghijklmnopqrstuvwxyz

OXWITHFVEDZNLQURJGSPACKMYB zmclwqurvjgsbyedointfkxahp

On the left is the way the slide looks, and on the right are the alphabets as they appear to the cryptanalyst, who does not yet

know what alphabets are on the slides. Consecutive alphabets are shown; the method works for any odd shift between

alphabets except 13 (not because it's unlucky, but because it is exactly half of 26, the number of letters in the alphabet); for

an even shift, partial information about the slide is obtained: two separate 13-letter pieces.

The slides can be reconstructed because of the information the alphabets above give about them: D and Z are the equivalents

for A in the two alphabets. So, the distance between D and Z on the bottom slide must be the amount by which the slide must

be moved to get from one alphabet to the other. But that is also true of K and M, the two equivalents for B, and A and C, the

two equivalents for C, and so on.

So, we start with the letter D. The letter Z is our displacement ahead of it: here, it happens that the displacement is one, so

we'll get the exact alphabet on the slide, instead of simply an equivalent alphabet. To move another displacement forward,

we find Z as the equivalent for S in the first alphabet, and N as its equivalent in the second.

a s d f g h j k l z x c v

DZ ZN NL LQ QU UR RJ JG GS SP PA AC CK

b n m q w e r t y u i o p

KM MY YB BO OX XW WI IT TH HF FV VE ED

If the shift were three instead of one, then the alphabets would be subjected to decimation, so that instead of DZNLQ... the

first few letters after D would be in positions D..Z..N..L..Q..., but the slides would still generate the same cipher alphabets,

only after different shifts.

It is particularly because the Kasiski method of attacking the simple keyword form of the Vigenere is so powerful that other

methods, such as key progression and the autokey were originated to avoid it.

The Lanaki Classical Cryptography Course, available at The Crypto Drop Box, notes two other methods sometimes tried.

One is to repeat the letters of one's keyword an increasing number of times, with a period different from the length of the

keyword: thus, the keyword SIAMESE might be repeated with the pattern 12345, so that one's key would begin

SIIAAAMMMMEEEEESEESSSIIIIAAAAAMEESSSEEE...

and an idea suggested by W. F. Friedman is then noted, where instead of using a simple sequence like 12345, one uses the

lengths of the Morse Code symbols for the letters in a keyword to control the pattern of repetitions.

These methods don't make a truly aperiodic cipher the way the autokey does, but like the progressive-key method, they

provide a longer period. However, the presence of stretches of plaintext enciphered with the same keyletter at least seems

like a weakness.

Of course, one could take Friedman's idea, and make it more complicated (and therefore impractical for actual use!) in a

number of ways.

Let us use a Morse Code keyword of BAKER, which is, in dots and dashes,

and use two other keywords, ORANGE and CHOCOLATE, for Vigenere use.

A dot selects a letter from the first keyword, a dash selects a letter from the second keyword. And let both keywords also

experience key progression.

While this will still lead to a sequence with a finite period, the period will be a long one, and will start like this:

ORAN GE PSB O HFQ TCPI GR UDQ J HSV ERKI TW FSL J UXG TMKV YH UNL W ZIV

CHOC OL ATE D IPD PMBU FE JQE Q NCV GFKR FR ODW H GLS GSPE XI HMT H TQF

-... .- --. . .-. -... .- --. . .-. -... .- --. . .-. -... .- --. . .-.

CRAN GL ATB O HPQ PCPI GE JQQ J HCV GRKI TR ODL J ULG GMKV YI HML W ZQV

alternatively, the ends of each letter in the Morse keyword could control key progression for the first keyword, and the end

of each occurence of the whole keyword could control key progression for the second keyword, like this:

ORAN HF QTC Q KIS WFSL KU YHU O NXA KXQO ZC MZS R CFO CVTD HQ EXV G KTG

CHOC OL ATE C HOC PMBU FD IPD P MBU GEJQ EQ NCV G EJQ FROD WH FKR F ROD

-... .- --. . .-. -... .- --. . .-. -... .- --. . .-. -... .- --. . .-.

CRAN HL ATC Q KOS PFSL KD IPU O NBA GXQO ZQ NCS R CJO FVTD HH FKV G KOG

thus making use of more of the information in the Morse keyword, but, since such things are clearly impractical by hand, we

shall instead let such devices as rotor machines and the Hagelin lug and pin machine introduce complicated polyalphabetic

ciphers, as it was with such devices that such ciphers finally became usable.

Cipher disks are harder to make than slides, but they do look prettier. One type of cipher disk I invented independently looks

like this:

This disk was the best of my attempts to devise something which would be easy to use, but involve something more than just

sliding one alphabet against another. My intention was to approach the power of a rotor machine.

Essentially, the wheel is constructed from four disks, one of which has half of its outer portion removed.

On the bottom is a disk with the mixed plaintext alphabet, shown as item 1 in the diagram.

Above it is item 2, a disk with the numbers 1 through 13 repeated twice, against a backround of one color (shown here as

purple).

Then comes item 3, a disk of the same diameter, but with half of its perimeter removed to expose thirteen of the spaces on

the disk below. The half remaining has a background of a color contrasting with that disk (shown here as green), and a

mixed sequence of the numbers 1 through 13.

Finally, there is the smallest disk on the top, item 4, with the mixed cipher alphabet.

How the disks are stacked one on top of the other is illustrated by item 5 in the drawing, a view of the four disks one on top

of the other, but slightly offset to allow the perspective to be visible.

In use, one looks up a letter in the plaintext alphabet, and proceeds to the number in the next inner band. Then, starting from

the same number, against the background of the opposite color, also in that band (but on the other of the two middle disks)

one proceeds to the cipher letter on the innermost circle with the cipher alphabet. This is illustrated by item 6 in the picture.

One idea I had for making this type of device useful, by making it easier to move the disks with each letter enciphered, was

to add to each disk a rim (presumably with 26 notches or bumps around the outside, not shown for simplicity) so that the

four disks could be advanced like thumbwheels.

Versions of the disks using latticework to hold the outside rim in place, while allowing all the letters and numbers in lower

disks to be visible, are shown as items 7, 8, 9, and 10 in the diagram. Item 11 shows an oblique view of the disks stacked,

item 12 a face-on view.

One way to make use of this construction would be to have layers of cardboard between the disks, so that each rim is

individually exposed for a short distance. The 26 possible key letters would be allocated so that seven of them are used to

indicate that the lowest disk is to turn counterclockwise from 1 to 7 spaces, another 7 turn the smallest disk clockwise 1 to 7

spaces, and 6 indicate the disk shown with a purple rim is to turn counterclockwise from 1 to 6 spaces, and 6 indicate the

disk with half its periphery cut away is to turn clockwise from 1 to 6 spaces.

For use with text as a key, the letters would be allocated so that the frequent letters represented odd displacements, and were

distributed evenly among the four disks.

A version of the same device as a slide instead of a disk would look like this:

-----------------------------------------------------

F S H G Y M L Q K X O N E R Z A D I V C U T P W J B

-------------------------

------| 1 1 1 1 |--------------------

|7 4 1 6 3 5 0 1 9 2 3 2 8| 1 1 1 1

3 4 5| |6 7 8 9 0 1 2 3 1 2

------ --------------------

-----------------------------------------------------

X V I D U J C G M E Z A F T W O S H K Y P B R N Q L

-----------------------------------------------------

The Byrne Chaocipher, which was mentioned in David Kahn's The Codebreakers, was subsequently the subject of a

Cryptologia article, which indicated that the principle of this wheel may have been used before in that cipher.

Another device I designed myself in trying to produce a convenient cardboard approximation to a rotor machine is the

following slide:

The slide has a frame with an approximately rectangular pattern of holes, but with two corners clipped. Behind the frame,

there are two slides; one with slots in it that moves vertically, and a solid one that moves horizontally behind it.

The letters on the vertical slide are arranged so that as it moves up or down one position, the letters that become concealed

are rearranged and fill the spaces on the slide that now become visible, like this:

P E H S C A p e h s c a

L V F O K R Z l V F O K R Z

I B Q Y G W N I B Q Y G W N

X T M J D U X T M J D U E

C H L S P A

The same principle applies to the horizontal slide. However, since space is required for the vertical sliding alphabets, and the

spaces between the open rectangles, instead of being filled with merely one set of alphabets, it contains three interlaced

alphabets, which independently change in this way.

9 8 2 7 0 1 6 4 3 5

-------------------

A T O N E S I R

2 B C D F G H J K L M

6 P Q U V W X Y Z . /

could be used to convert letters to digits. Since it takes account of letter frequencies, the conversion is an efficient one.

This type of conversion makes the various types of polyalphabetic encipherment more convenient by hand, since the

Vigenere encryption is now simply addition (on a digit-by-digit basis, ignoring carries).

|0123456789

-+----------

0|0123456789

1|1234567890

2|2345678901

3|3456789012

4|4567890123

5|5678901234

6|6789012345

7|7890123456

8|8901234567

9|9012345678

and, as this is the table for addition modulo 10, it is not surprising that it resembles the table above for addition modulo 26,

or the equivalent Vigenère table.

So, using this conversion from letters to numbers to perform the equivalent of the examples above:

Repeating key:

W ISH Y OU W EREH ERE

603421667626015121151

439251414392514143925

---------------------

032672071918529264076

Progressive key:

W ISH Y OU W EREH ERE

603421667626015121151

439251415403625265147

---------------------

032672072029630386298

Autokey:

W ISH Y OU W EREH ERE

603421667626015121151

439251416034216676260

---------------------

032672073650221797311

so the same methods are as applicable to digits as they are to letters. However, the ease of doing addition on digits as

opposed to letters also means that the equivalent of the use of mixed alphabets is not found often with digits.

As noted in the previous section, Soviet spies using a straddling checkerboard for converting letters to digits have then often

encrypted these digits using a polyalphabetic substitution of the Vigenere type.

However, the attempt was made to use a perfect form of Vigenere encryption. (As the declassified information concerning

VENONA reveals, the attempt wasn't made quite well enough: supposed "one-time pads" were used at least twice on many

separate occasions.)

If, ahead of sending a message, you and your correspondent have arranged to share a key consisting of:

● long enough to be used only once, that is, matching in length all the messages you will be sending

then there is no way to "break" your messages by cryptanalysis. (Of course, the length and timing of messages may still give

information away.)

Why is there no way to break messages in such a case? Because, if the key is random, and if it is never used anywhere else

but with just one message, so there is no other way to get information about that key, then that key could be anything.

So any possible message having the same length as the intercepted message remains possible, because there is no way to

exclude the key that would give rise to any hypothetical message. If the key were not random, but generated by some rule,

then perhaps the key that would transform some possible plaintexts into the ciphertext actually intercepted could not have

been generated by that rule, thereby ruling out those plaintexts. If the key were used another time, then one possible text for

the first message could be ruled out because the other message would not make sense. But without either of these

opportunities, one speculative plaintext is only as good a guess as any other, and no better.

This survey of cryptographic algorithms has not gone very far, still being in its first chapter, and already we have found

perfection. But not only is quite a bit of key required, but more importantly, when that key is used up, no more secure

communications are possible using this method. And since the key is bulky, and impossible to memorize, this is only useful

where the messages are easy to intercept but the key is safe, for example, in communications, but not in protecting files on

your hard disk. Also, it can't complement public-key cryptography, since it doesn't provide a way by which encrypting a

small session key by a slow method with some useful special properties (making it possible to start communicating securely

without any advance secret exchange of a key) can protect a large message.

The one-time pad is perfect, and it is relatively easy to understand why it is impregnable. In general, it is not suitable for

everyday use, since computers make it very easy to carry out conventional encryption with methods of enormous

complexity. Such enormous complexity that there seems to be no rational reason to doubt their security. But just as there is a

tendency in some quarters to advocate the use of methods that aren't quite complex enough (for example, DES with its 56-bit

key, or other block ciphers that are only a step or two better), there is a tendency in other quarters to say that the "experts"

should not be trusted, and only the one-time system, in one of its various forms, is any good.

Incidentally, for the polyalphabetic encryption of a stream of message digits by a stream of key digits, it is not strictly

necessary to use only addition without carries. Just as either addition modulo 10 or addition modulo 26 are equally valid,

depending on whether the message is made up of digits or letters, addition modulo 100,000 is also equally valid. That is, five

message digits could be added to five key digits to produce five cipher digits using normal addition with the propagation of

carries within the five-digit group.

The one carry, though, that must be discarded is the one out of the five digits, if it is not propagated to the preceding five-

digit group. Sending the sum of 53478 and 88412 as 141890 instead of 41890 is a serious mistake, as it proves that both the

plain and key groups at that position must be larger than 41889, as neither of those five-digit groups can be larger than 99999.

One method of polyalphabetic encipherment that suffered from this error is any cipher of the Nihilist type.

A five-by-five square like that illustrated below was used to convert both a message and a key (repeatedly used, as in Porta's

cipher commonly known as the Vigenère) into a stream of digits:

1 P Z R M T

2 Y A V F I

3 O H K W N

4 G D X B U

5 S J C E L

1 2 3 4 5

However, when the stream of key digits was added to the stream of cipher digits, instead of using a modified modulo-5

tableau such as:

| 1 2 3 4 5

-------------

1 | 2 3 4 5 1

2 | 3 4 5 1 2

3 | 4 5 1 2 3

4 | 5 1 2 3 4

5 | 1 2 3 4 5

the digits were simply added by normal decimal addition without carries. Hence, while each digit which was added belonged

to a family of only five digits, the sum as transmitted could have any of nine values, (a sum of 1 could not occur) and only

one of those values, the digit 6, did not place some constraint on both the key digit and the message digit, as can be seen

from the table of that operation:

| 1 2 3 4 5

-------------

1 | 2 3 4 5 6

2 | 3 4 5 6 7

3 | 4 5 6 7 8

4 | 5 6 7 8 9

5 | 6 7 8 9 0

The actual Nihilist cipher, as described in Gaines, was even worse than this: the letters in the checkerboard square were in

their normal order, and the addition was performed with carries, to the extent that messages were sent in two-digit groups,

and three digit sums (such as 45 + 55, or 52 + 51) were sent in three digit form, preserving the carry out of the group.

However, the Russian language, before the Russian Revolution, had a thirty-six letter alphabet, and the use of a full 6 by 6

square would have improved things slightly.

Since the most natural way to apply a stream of key letters to a stream of plaintext letters is the Vigenère, and the most

natural way to apply a stream of key digits to a stream of plaintext digits is modulo-10 addition, when applying a stream of

key bits to a stream of plaintext bits, the very simple operation of modulo-2 addition, or exclusive-OR (XOR) is often used,

with the very short table:

| 0 1

-------

0 | 0 1

1 | 1 0

| 0 1 2 3 4 5 6 7 | 0 1 2 3 4 5 6 7

------------------- -------------------

0 | 0 1 2 3 4 5 6 7 0 | 0 1 2 3 4 5 6 7

1 | 1 2 3 4 5 6 7 0 1 | 1 0 3 2 5 4 7 6

2 | 2 3 4 5 6 7 0 1 2 | 2 3 0 1 6 7 4 5

3 | 3 4 5 6 7 0 1 2 3 | 3 2 1 0 7 6 5 4

4 | 4 5 6 7 0 1 2 3 4 | 4 5 6 7 0 1 2 3

5 | 5 6 7 0 1 2 3 4 5 | 5 4 7 6 1 0 3 2

6 | 6 7 0 1 2 3 4 5 6 | 6 7 4 5 2 3 0 1

7 | 7 0 1 2 3 4 5 6 7 | 7 6 5 4 3 2 1 0

the first for modulo-8 addition, and the second for an independent exclusive-OR of each of the three bits of an octal digit,

shows how these two operations differ in their algebraic structure; thus, some modern computer ciphers alternate between

XOR and addition modulo 256 or modulo 65,536 within a complicated sequence of operations to make the cryptanalyst's

path a more tangled one.

| 0 1 2 3 4 5 6 7 | 0 1 2 3 4 5 6 7

------------------- -------------------

0 | 0 1 2 3 4 5 6 7 0 | 0 1 2 3 4 5 6 7

1 | 1 2 3 0 5 6 7 4 1 | 1 2 0 4 5 6 7 3

2 | 2 3 0 1 6 7 4 5 2 | 2 0 1 5 6 7 3 4

3 | 3 0 1 2 7 4 5 6 3 | 3 4 5 6 7 0 1 2

4 | 4 5 6 7 0 1 2 3 4 | 4 5 6 7 1 3 2 0

5 | 5 6 7 4 1 2 3 0 5 | 5 6 7 2 3 4 0 1

6 | 6 7 4 5 2 3 0 1 6 | 6 7 3 0 2 1 4 5

7 | 7 4 5 6 3 0 1 2 7 | 7 3 4 1 0 2 5 6

illustrate two ways of obtaining tables that are different algebraically from either of the previous two. The first is a table of

the operation of adding the last two bits of a three-bit octal digit with modulo-4 addition, and XORing the first bit

independently. The second results from deliberately constructing a table which must be algebraically distinct from anything

like this, by beginning with a subtable for modulo-3 addition, which could not occur in a table built from exclusive-OR and

addition modulo a power of two, and then using displacements of the other five digits in the shadow of that subtable. Finally,

the remaining five by five square is filled; at first, some diagonals are filled systematically, and then the rest is filled through

trial and error, with some backtracking.

Next

Chapter Start

Table of Contents

Main page

Home page

[Next] [Up] [Previous] [Index]

Code Books

Before it became possible to build complex electrical and mechanical cipher machines,

cipher systems requiring many complex manipulations would have been impractical

and error prone.

A code book, with its long list of equivalents for thousands of words and phrases, as

opposed to the 26 letters of the alphabet, offers a degree of security without requiring a

large number of operations for each word encoded.

Codes have also been used for sending messages by telegraph at lower prices, by

representing common phrases used in business with single codegroups. Such

codebooks are arranged so that both the codegroups and their meanings are in easy-to-

find alphabetical order. A codebook arranged this way is called a one-part code.

Most (but not all) secret codebooks are called two-part codes; the codegroups are

assigned in a random order to the words encoded, and there is both an encoding

section, with the words in alphabetical order, and a decoding section, with the

codegroups in alphabetical (or numerical) order.

Thus, the decoding section of a codebook might look like this imaginary example that I

also used as the background to this page:

EZNLJ Shanghai

EZNKL OUGH

EZNLM 270 degrees

EZNMN Ship may not be

EZNNO Docking facilities

EZNOP Diesel fuel

EZNRS France

EZNST Repair-s-ed-ing

EZNTU Ship has

EZNUV Cancun

EZNVW 43 degrees

EZNYZ 500

EZNZA 23 knots

EZOAA Maintenance urgently required

EZOBB Perth

EZOCC 15 metres

EZODD Captain will be

EZOEE 23 3/4

The rationale behind the sequence of 5-letter groups shown is explained in the section

on Error-Correcting Codes.

Some codebooks assign both numeric codegroups and alphabetic codegroups to words;

the alphabetic codegroups are easier to actually transmit by Morse code, but the

numerical codegroups are easier to manipulate.

encipherment of a message that is already in code. But many nonsecret cable codes

also provided numeric codegroups. This allowed people in a specialized business to, by

agreement, use the codegroups in one section of a large codebook, which contained

words and phrases they did not use, to instead represent the words and phrases another,

shorter codebook or in a section of another codebook. All that was needed was to add

or subtract an offset from the codegroups in the other codebook to fit them into the

unused space.

To increase security, secret codebooks often included nulls, that is, codegroups which

were to be ignored upon decipherment. Also, many codebooks included more than one

substitute for the most common words or phrases.

David Kahn's book The Codebreakers is illustrated with actual pages from once-secret

codebooks, such as the British and Allied Merchant Ship code, and the Hudson code of

the American Expeditionary Force.

Another codebook illustrated was Cypher SA, the codebook of the British Navy in the

last months of World War I. Another illustration of a different part of this codebook

also appeared in David Kahn's article in the July 1966 issue of Scientific American.

This codebook was perhaps unique, in that it used a stripped-down form of the autokey

principle.

It used a considerable number of nulls, and every message had to start with a null,

because many of the most common words and phrases in the code could not begin a

message.

Each five-digit codegroup in the code was followed by one of the three letters A, B, or

C. Many of the more common words and phrases had three different substitutes,

preceded by A, B, and C in order, and the one to be used was determined by which

letter had followed the previous codegroup.

Some of the most common words and phrases were also homophones in the ordinary

sense; instead of merely having one set of three substitutes, they might have had three

sets of substitutes, so that for each letter ending the previous word, there would still be

three arbitrary choices for the codegroup to use.

Since what we have is essentially three different codes, A, B, and C, although these

codes are the same in part, determined for each group by the codegroup enciphered

before, Cypher SA is properly classed as a form of autokey.

With many codes, a form of polyalphabetic substitution is used. In addition to the two-

part codebook, with numerical equivalents for the words or phrases to be sent, a second

book, filled with random numbers, is required. This second book's contents are called

the additive. A random starting point in the book is chosen for each message, and that

starting point is sent at the beginning of the message. Then, the numbers in the book

are added to the codegroups from the codebook before transmission. Always, carries

past the start of a codegroup are discarded; almost always, all carries are ignored, the

individual digits being added in isolation. This is the decimal equivalent of doing an

XOR instead of addition.

superencryption, are used. For example, a short table giving subsitutes for pairs of

digits can be used, either on the codegroups, or just on the group which gives the

starting point of the additive.

When a long running key is used for Vigenere encryption, but that key is re-used,

Kerchoffs superimposition can be used to align different messages encrypted with the

same key. The messages are slid against each other, and positions that provide a high

number of coincidences, particularly those involving groups of consecutive characters,

are chosen.

For breaking codes used with additives, Kerchoffs superimposition is usually used in a

more sensitive form, as improved by W. F. Friedman. The kappa test compares the

proportion of coincidences that would be found, in the Vigenere case, between two

sequences of random letters, which would be exactly 1/26, and between two normal

plain-language texts. That is higher, because the letters are not all equal in frequency.

That figure equals the sum of the squares of the probabilities of all the plaintext

symbols; the chance of an A in the first message times the chance of an A in the second

message, plus the chance of a B in the first message times the chance of a B in the

second, and so on. The same applies to two strings of random groups of five digits,

which would have one group in 100,000 matching by chance, and two coded messages

without an additive applied. If two messages are aligned so that their additives

coincide, as far as coincidences between them at that position are concerned, it is as if

no additive was applied.

The following illustates why the random kappa is always smaller than the plaintext

kappa:

--------------------- ----------------------

|----| | |---------| |

|----| | |---------| |

|---------- | |---------| |

| |----| | |---------| |

| |----| | |--------------- |

| ----------- | | |----| |

| |----| | | |----| |

| |----| | | --------- |

| ----------| | |--| |

| |----| | ------|

| |----| | |--|

--------------------- ----------------------

The square of a number gains size from both of its factors, so taking size from a

smaller number squared and giving it to a larger one causes that size to be placed more

advantageously; therefore making all the numbers equal minimizes the sum of the

squares.

Next

Skip to Next Chapter

Table of Contents

Home page

[Next] [Up] [Previous] [Index]

To accompany the recent novel Cryptonomicon, Bruce Schneier, author of Applied

Cryptography, developed a cipher using the 52 playing cards and two jokers called

Solitare, which is described on the Counterpane web site.

This has been an inspiration to both myself and others; for example, Paul Crowley has

developed another cipher using playing cards called Mirdek.

The basic cycle that takes a deck that has already been scrambled to produce a

keystream operates as follows:

Step 1: From the prepared deck (the order of the cards in it is the key), turn up, and

deal out face up in a row, successive cards until the total of the cards (A=1, J=11,

Q=12, K=13) is 8 or more.

Step 2: If the last card dealt out in Step 1 is a J, Q, or K, take its value, otherwise take

the total of the values of the cards dealt out in Step 1. (This gives a number from 8 to

17.) In the next row, deal out that many cards from the top of the deck.

Step 3: Deal out the rest of the deck under that row, in successive rows that begin on

the left, and end under the lowest card in the top row, the next lowest card in the top

row, and so on, in rotation. A red card is lower than a black card of the same

denomination, and when there are two cards of the same color and denomination, the

first one in the row is considered lower.

These first three steps may lead to a layout which looks like this:

7S QH

3D 6S 3C 2D QD 4S 8S JS JD 10H QC 8H

5H AC 6D KS

10C

QS 9D 5D

2H 3S KD JH 2S 9C

9H 6H

8C 2C 7H JC 4C 8D 3H KC 7D 6C AH 4H

5C 10D 10S 7C 9S KH 4D

AD 5S AS

Step 4: Take the cards dealt out in Step 3, and pick them up by columns, starting with

those under the lowest card in the row dealt out in Step 2. The top card in the column is

to be on the bottom of a pile of face up cards, and the first column picked up is to be on

the bottom of the re-assembled deck.

Step 5: Place the cards dealt out in Step 2 (the last one on the bottom) in face-up form

on top of the re-assembled deck, and then the cards dealt out in Step 1, again, the last

one on the bottom of a face up pile put on top of the re-assembled deck.

Step 6: Turn the deck of cards over to face-down position to repeat Step 1.

Thus, these steps would cause the following new order of the deck to result from the

layout above:

KS JH JC 7C 5H 10C QS 2H 9H 8C 5C AD 6D

5D KD 7H 10S AS 9C 8D KH AC 9D 3S 6H 2C

10D 5S 4H 3H 4D 6C 7D KC 2S 4C 9S AH 8H

QC 10H JD JS 8S 4S QD 2D 3C 6S 3D QH 7S

And the cards that were at the beginning of the deck, and thus controlled the

transposition, are now at the end of the deck, and will be subject to the next

transposition instead of controlling it.

Looking at the cards from the top of the deck, ignore all J, Q, and K cards; take the first

other card, from A to 10, and count down that many cards to find a card from A to 10.

Do the same from the bottom of the deck. The last digit of the sum of the values of

those two cards is the keystream digit.

Applying this to the scrambled deck obtained above (which is cheating a bit, since in

practice the transposition has to be done three times), it works this way:

KS JH JC 7C 5H 10C QS 2H 9H 8C 5C AD 6D

(7) 1 2 3 4 5 6 7*

5D KD 7H 10S AS 9C 8D KH AC 9D 3S 6H 2C

10D 5S 4H 3H 4D 6C 7D KC 2S 4C 9S AH 8H

QC 10H JD JS 8S 4S QD 2D 3C 6S 3D QH 7S

7* 6 5 4 3 2 1 (7)

the two selected cards are the ace of diamonds and the ten of hearts, so the keystream

digit is a 1.

This way, people don't have to memorize a bridge ordering of the suits, and they use a

straddling checkerboard to allow false addition to apply the key, instead of trying to do

Vigenere or modulo-26 arithmetic in their heads.

By limiting the mental arithmetic required, I'm trying to make my method simpler.

However, the way in which the cards are rearranged is more complex; the cards are

dealt out in a layout, not merely manipulated in a straight line, and thus the result looks

somewhat more like a game of solitare. In the novel, the cipher Solitare was based on a

computer stream cipher; my method for using playing cards is instead based on an old

pencil-and-paper cipher.

The method of transposition used is the one given by General Luigi Sacco, that breaks

up a block into uneven units, and which perhaps has some advantages over ordinary

columnar transposition.

Of course, some of the rules used mean that there are biases in the transposition; if

every card had a distinct value, the order of the columns would be slightly more

random, and the rule intended to limit the row size to 17 instead of 21 makes 11, 12,

and 13 more likely row lengths. Note that Step 4 is set up to make the scrambling

invertible, so I did accept some good advice from Bruce Schneier's Solitare. The well-

known reason for this is noted elsewhere on this site: a non-invertible transformation

risks shrinking the state space of the thing transformed. That is: the fact that the

transformation is invertible is no guarantee of a long or maximal period. But if every

possible ordering of the deck is possible at the start, then every possible ordering of the

deck remains possible after 20, 30, or 2000 iterations of an invertible transformation. If

two orderings of the deck both transformed to the same ordering of the deck, then the

transformation would not be invertible. On the other hand, with a non-invertible

transformation, the number of possible orderings can continue to shrink as the

transformation is repeated.

2C ... KC, the procedure to obtain a scrambled deck order from a keyphrase is as

follows:

Divide the keyphrase into parts that are eight or more letters in length as follows: first,

use all the words that are eight or more letters long in the phrase, then, go through the

phrase, and, using only the shorter words, take as many words as needed at a time to

reach eight or more letters. When the last part is formed, and there are less than eight

unused letters in the key phrase, include them in the last part.

Then, take these parts of the keyphrase, and use them in pairs.

First, for each part, imagine the word as standing above the columns of cards, and then

perform Step 3 and Step 4 of the normal cycle, but on the entire deck.

Example:

Phrase: THE QUICK BROWN FOX JUMPED OVER THE LAZY DOG

THEQUICK

BROWNFOX

JUMPEDOVER

THELAZYDOG

So, the first two parts lead to the deck being scrambled as follows:

T H E Q U I C K

7 4 2 6 8 3 1 5

AS 2S 3S 4S 5S 6S 7S

8S 9S 10S

JS QS KS AH 2H 3H

4H 5H

6H 7H 8H 9H 10H JH QH KH

AD 2D 3D 4D

5D

6D 7D 8D 9D 10D

JD QD KD AC 2C 3C 4C

5C 6C 7C

8C 9C 10C JC QC KC

Since the first card of a column is placed on the bottom when the cards are face up, and

the first column picked up is at the bottom of the cards when they are face up, they will

be on the top when the deck is in normal face-down order, and so this step leads to the

cards being in the order:

7S QH 4C 3S 10S KS 8H 3D 8D KD 7C 10C 6S

3H JH 3C KC 2S 9S QS 5H 7H 2D 7D QD 6C

9C KH 4S AH 9H 4D 9D AC JC AS 8S JS 4H

6H AD 5D 6D JD 5C 8C 5S 2H 10H 10D 2C QC

Now, the deck is then laid out like this for the second part:

B R O W N F O X

1 6 4 7 3 2 5 8

7S

QH 4C 3S 10S KS 8H

3D 8D KD 7C 10C

6S 3H JH

3C KC 2S 9S QS 5H 7H

2D 7D

QD 6C 9C KH

4S AH 9H 4D 9D AC JC AS

8S

JS 4H 6H AD 5D 6D

JD 5C 8C 5S 2H

10H 10D 2C

QC

7S QH 3D 6S 3C 2D QD 4S 8S JS JD 10H QC

8H 5H AC 6D KS 10C QS 9D 5D 2H 3S KD JH

2S 9C 9H 6H 8C 2C 7H JC 4C 8D 3H KC 7D

6C AH 4H 5C 10D 10S 7C 9S KH 4D AD 5S AS

Then, each of the two parts is used to scramble half of the deck again; the

transpositions above depended on the order of letters in each part, but this step will

instead depend on which letters are present.

Go through the alphabet, from A through Z, as you take cards from the top of the deck.

When you reach a letter that is part of the current part of the keyphrase, that card

completes the current pile you are making. The next card starts a new pile. Z always

completes the last pile, even if it is not present.

Then put the piles back together, but in the reverse order in which they were obtained.

Thus, the first part, THEQUICK, divides the first half of the deck like this:

A B C

7S QH 3D

D E

6S 3C

F G H I

2D QD 4S 8S

J K

JS KD

L M N O P Q

10H QC 8H 5H AC 6D

R S T

KS 10C QS

U

9D

V W X Y Z

5D 2H 3S KD JH

5D 2H 3S KD JH 9D KS 10C QS 10H QC 8H 5H

AC 6D JS KD 2D QD 4S 8S 6S 3C 7S QH 3D

Then, the second half, BROWNFOX, is applied to the second half of the deck.

When there is an odd part of the key phrase, then the deck is transposed with that part,

and only its first half is mixed again.

Once the entire keyphrase is applied to the deck of cards, the deck is then subjected to a

non-invertible triple cut, as follows:

From each end of the deck, a card with a value from A to 10 is located, by the

procedure used to find the keystream numbers in normal encipherment. Then, starting

from the top of the deck when it is face down, which we will assume is placed on the

left, additional cards are counted from that card according to its value: one more card if

it is an ace, two more if it is a deuce, and so on, but this time, face cards are not ignored.

The procedure is repeated from the other keystream card, again counting inwards. If

cards are left, these stay in the middle, and those from the bottom of the deck to the end

of the count are placed on the left-hand side.

Using the previous example of obtaining a keystream digit to illustrate how this works:

KS JH JC AH 5H 10C QS 2H 9H 8C//KC AD 6D

(1) 1* 1 2 3 4 5

5D KD 7H 6C AS 9C 8D 5C AC 9D 3S 6H 2C

7D 5S 3H 10D 4D 9S 10S//2S 4C 4H KH 7C 8H

7 6 5 4 3 2

QC 10H JD JS 8S 4S QD 2D 3C 6S 3D QH 7S

1 7* 6 5 4 3 2 1 (7)

the pairs of slashes indicate the points at which the deck will be cut, ending up in the

order 2S...7S, KC...10S, KS...8C from the order above.

Finally, the cards are laid out according to the word spacing of the keyphrase:

T H E

2S 4C 4H

Q U I C K

KH 7C 8H QC 10H

B R O W N

JD JS 8S 4S QD

F O X

2D 3C 6S

J U M P E D

3D QH 7S KC AD 6D

O V E R

5D KD 7H 6C

T H E

AS 9C 8D

L A Z Y

5C AC 9D 3S

D O G

6H 2C 7D

T H E

5S 3H 10D

Q U I C K

4D 9S 10S KS JH

B R O W N

JC AH 5H 10C QS

F O X

2H 9H 8C

repeated until the deck is all laid out, and then they are picked up in face up form with

the last column, and its top card, on the bottom.

In the example, that leads to the cards ending up in this order when turned face down:

6D 10H QD AD JH QS QC 4S KC 6C 3S KS 10C

4H 8H 8S 6S 7S 7H 8D 9D 7D 10D 10S 5H 8C

4C 7C JS 3C QH KD 9C AC 2C 3H 9S AH 9H

2S KH JD 2D 3D 5D AS 5C 6H 5S 4D JC 2H

Next

Table of Contents

Main page

[Next] [Up] [Previous] [Index]

This first chapter has touched on the major basic elements that apply to any form of

encryption.

Its treatment of them has been brief, almost to the point of being perfunctory.

Encyclopedia articles and inexpensive books cover this territory fairly well. The more

recent methods of encryption are covered in more specialized publications; that, and a

fascination with their intricacies, has led me to cover them in more detail.

Because most methods of substitution require some sort of chart or table (the Gronsfeld

was specifically designed to avoid this problem), or a slide or disk for polyalphabetics,

transposition ciphers were quite popular with armies as field ciphers.

complicated combination of transposition and substitution, some simple ciphers

combining both are breakable.

During World War I, for a short time Germany used Vigenere encipherment with key

ABC (and, later, with key ABCD - but only for deceptive transmissions and not

important messages) followed by a simple columnar transposition.

For puzzle-solving purposes, the "Nicodemus" cipher breaks a message into complete

rectangular blocks, which are transposed by exactly the same keyword as was

previously used to encipher them in Vigenere. Thus, the enciphered message consists

of groups of plaintext letters encrypted in Vigenere with the same key, which can, of

course, be exploited by the cryptanalyst.

Claude Shannon, the father of information theory, who also contributed to the theory of

chess-playing computers, wrote a paper in The Bell System Technical Journal the title

of which was The Communications Theory of Secrecy Systems in which he noted that

the two basic elements of a cipher system are confusion and diffusion.

This has influenced the design of some cipher systems. A preliminary sketch of the

design of IBM's LUCIFER block cipher, appearing in Scientific American embodied

these elements in almost a pure form. (The actual LUCIFER cipher as implemented

was quite different, although it also embodied those elements, but in a less

straightforward way.)

Generally, confusion is understood as substitution, and diffusion is understood as

transposition.

These terms are, however, general and inclusive. Based on the specific methods of

attaining security found in the actual pencil-and-paper systems we've met so far, I feel

it is warranted to take the dangerous step of moving to a more specific and concrete

division of the operations within a cipher system.

The danger is that it could limit the imagination of cipher designers by being more

concrete. But since the terms 'confusion' and 'diffusion' are tending to be identified with

the simplest forms of substitution and transposition, it seems to me that more detail

might instead stimulate cipher designers to consider more options.

Confusion

replacing symbols by other symbols.

Diffusion

moving of plaintext symbols to other positions within the ciphertext.

Convolution

the achievement of diffusion by means of confusion; the effect of performing

diffusion on a finer scale than confusion. This refers to what happens in

polygraphic and fractionation systems.

Alternation

changing, from one portion of the ciphertext to the next, of the rules for

confusion and/or diffusion.

Indirection

placing elements in a cipher 'behind' other elements so that their effects are

harder to analyze.

With this division, more of the methods actually used suggest themselves. Also, a

measure of quality can perhaps be noted. For confusion and diffusion, bigger seems to

be better. For alternation, the complexity of the scheme of alternation, its

unpredictability, is the measure of quality.

Associated with these goals are specific means, such as substitution for confusion.

If we view a message as an array of symbols, where P(n) is the n-th element of the

plaintext message P, and C is the ciphertext message, one can illustrate the various

techniques by formulas.

Substitution (Confusion)

Transforming a message by replacing the values of its elements according to

some rule; for example, C(i)=S(P(i)) over all i in the message, where S is a

substitution table indexed over the elements of the alphabet used.

Transposition (Diffusion)

Transforming a message by placing its elements in different locations within the

message; for example, C(T(i))=P(i) over all i in the message, where T is a

transposition table indexed over all the character positions in the message.

Fractionation (Convolution)

Transforming a message from being expressed in a number of symbols of one

alphabet to a different number of symbols in an alphabet of a different size,

combined with transpositions and substitutions on those alphabets. Such a

transformation might have a form such as C(i/2) = S(P(i)*N+P(i-1)) where i

starts as 2 and goes over all the even-numbered characters of the original

message, and N is the number of characters in the original alphabet. Its inverse

would be P(2i) = SL(C(i)) and P(2i-1) = SR(C(i)), where SL and SR are

substitutions such that mapping the characters c of the original alphabet to pairs

( SL(c), SR(c) ) is bijective; that is, different inputs become different outputs in

both directions. This is most useful when substitutions are applied to the

message with the larger alphabet size and fewer characters, and transpositions

are applied to the message with the smaller alphabet size and more characters.

Polyalphabeticity (Variation)

Applying a different substitution rule to different characters of the message.

Thus, C(i)=S(P(i),i) where the output of the substitution is a function of the

character's position in the message as well as the particular character.

Causing the rule of encipherment for a part of a message to depend on another

part of the same message. C(i)=S(P(i)+P(i-1)) is a classic form of autokey,

which requires adding a dummy P(0) character to the start of the message. This

results in encipherment differing from one message to another.

Indirection involves preparing things like substitution tables in ways that are ciphers in

their own right; hence, it isn't found very much in simple paper-and-pencil ciphers,

where the amount of work to be done must be kept limited. The methods used for

forming substitution alphabets from a keyword by means of a transposition block, such

as the Ohaver method, noted previously, involve indirection in a sense, but only once

during a message. So there is no basic pencil-and-paper technique which is an effective

example of indirection. However, later on we will see the rotor machine SIGABA,

which may be considered the classic illustration of indirection.

[Next] [Up] [Previous] [Index]

Next

Table of Contents

Main page

[Next] [Up/Previous] [Index]

This section looks at some of the simpler ciphers involving mechanical aid to the

cryptographer. Cipher disks or slides are left in the pencil-and-paper section, but the

Wheatstone cryptograph (a set of geared cipher disks which achieved polyalphabeticity

by using plain and cipher alphabets of different lengths) would go here if it were

covered.

● The Kryha Cryptograph

● The Hill Cipher

● The RED Machine

● The Reihenschieber

● The A-22 Cryptograph

Next Section

Chapter Start

Skip to Next Chapter

Table of Contents

Home Page

[Next] [Up/Previous] [Index]

Although originally invented much earlier, by Thomas Jefferson, this type of cipher

machine became generally known after its later re-invention by Commandant Etienne

Bazeries, who wrote a book about cryptology which recommended this device.

About 20 or 30 disks, each with a different scrambled alphabet on the edge, and with a

hole in the centre so they can all be stacked on a common axle, make up the device. The

disks can be numbered on one side, and the order in which they are stacked can be used

as a key that can easily be changed.

To encipher a message, rotate the disks so that its letters line up in one row, and take the

letters in any other row as the encrypted message. Decipherment is possible, because it is

easy to pick out one row of plaintext among 24 others of gibberish that are possible.

This is quite a secure cipher device, especially considering that it doesn't involve a lot of

fancy technology. Since every letter in a block is displaced through a different alphabet,

and every block has a different displacement, it is even possible to mistakenly assume

that it is unbreakable.

However, it isn't unbreakable. Like the Enigma, which we will meet later, no letter can

represent itself. This allows probable plaintext to be positioned against intercepted

messages.

The main attack against this type of cipher is the de Viaris method. If the alphabets on

the cylinder are poorly chosen, it may be that the fifth letter clockwise from E, for

example, can never be some letters, and is one particular letter several times. Thus, an

opponent who has a copy of the cylinder itself and some plaintext may be able to

identify the displacement for a block - and, with that, then determine the order of the

disks.

The alphabets on the M-94, a version of the Bazeries cylinder made from aluminum, and

used by the U.S. during the Second World War, were chosen to be part of a Latin square

to be more resistant to a de Viaris attack. A Latin square is an N by N square containing

the numbers from 1 to N, each N times, so that no number occurs twice in either the

same row or the same column. For example,

1 2 3 4 5

3 1 4 5 2

2 5 1 3 4

5 4 2 1 3

4 3 5 2 1

1 2 3 4 5

2 3 4 5 1

3 4 5 1 2

4 5 1 2 3

5 1 2 3 4

is also a Latin square, and is obviously not a good type of sequence for a cylinder cipher,

as every cylinder has the same alphabet, only shifted by one, there is more to choosing a

good set of alphabets for a cylinder than simply using a Latin square.

Ideally, if one were using 25 cylinders for a 26-character alphabet, one would like a

sequence such that, if one aligns any one letter to form a solid row of that letter, then the

remaining 25 letters on the 25 cylinders are, in each case, a Latin square. Then, for each

displacement, and each letter, all substitutes would be equally possible. I do not know

whether or not it is possible to fulfill this condition.

Even when the de Viaris attack is not possible, cylinder ciphers can be broken. During

World War II, the U.S. used an improved version of the cylinder cipher. Strips instead of

disks were used (which, of course, makes no difference in itself), and there were 100 of

them to choose from. The cipher procedure involved choosing 30 strips, but breaking up

the message into blocks of only 15 letters long.

Despite all this, and the fact that they did not have a captured specimen of the device to

work with, cryptanalysts in Nazi Germany were able to break messages enciphered with

the M-138-A.

If one does not have a copy of the device, and in any case the strips or disks used have

been made resistant to the de Viaris attack, it is still possible to attack a Bazeries cylinder

if one has several hundred messages, all sent with the same key.

Using the kappa test (the fact that two unrelated plaintexts will have more identical

characters in corresponding positions than two sequences of random letters, which will

have one coincidence for every 26 letters), one can group together messages with the

same displacement from the row with the plaintext message.

Once this is done, and if one had enough messages to work with, frequency counts can

be used for each position.

After the war, a further improvement was made to the strip cipher. In addition to a daily

order for the strips, keylists also gave a table with a column number (or a blank) under

each of the 26 letters. A random set of five letters was chosen for each message; the

column numbers in the frame corresponding to these letters were not used to encipher

that message. These were called "Channel Elimination Numbers", and the numbers

where the numbers of positions in the frame, not strips. (Since which strip went in which

column was also part of the same daily key, this was important operationally - for ease of

sending different messages, each with its own indicator, during the one day, not

cryptographically.)

As this essentially varied the key for every message, it prevented the statistical attack

outlined above.

The Bazeries cylinder relies on the input plaintext being plaintext, with some

redundancy, so that it can be found. Of course, if one allows expanding the text with an

extra letter, or using a pre-arranged scheme to pick the ciphertext row, variations of the

cipher method can be designed without this limitation, and therefore useful for the

subsequent encipherment of ciphertext.

The following diagram, showing a different kind of strip used for this type of

encipherment:

retains the limitation, while reducing it somewhat. The plaintext SEND MONEY is

being enciphered to the numerical ciphertext 345589628759, and its redundancy is being

reduced in the process by the same amount as a straddling checkerboard would do so.

The principle involved is that a plaintext letter, if found on the right side of the strip, is

represented by that single strip; otherwise, two strips, the first with the symbol > or >>

on the right-hand side, and the second with the plaintext letter in the first, or second,

column on the left-hand side are aligned to represent that letter.

Such a method, though, is only practical if, at least with practice, the row containing

plaintext "leaps out" at the eye of the decipherer.

In the diagram above, the first row contains the nonsense string OGOSRIERH, while the

second one contains the desired plaintext SENDMONEY, and the third contains

YORNEPCF, but that does seem to take some effort to see.

Next

Chapter Start

Skip to Next Section

Table of Contents

Main Page

[Next] [Up] [Previous] [Index]

The Kryha cryptograph had a number of variations. It had two disks, each with a

scrambled alphabet that could be changed by the user. One disk moved for each letter

enciphered. The movement was controlled by a pinwheel; if there were, on the

pinwheel at one place, five teeth out followed by one pushed in, then that caused the

moving disk to move five places forwards for one letter.

An earlier model used a fixed gear, which caused the following movements, in order:

7 6 7 5 6 7 6 8 6 10 5 6 5 7 6 5 9

a keyword and mixed alphabets. Although it took W. F. Friedman only a few hours to

solve a message enciphered on one of these machines, the principles required are

already beyond those normally dealt with in books on cryptanalysis aimed at amateurs

and beginners.

Minutes" (the title of the chapter in Machine Cryptography and Modern Cryptanalysis

by C. Deavours and L. Kruh discussing the Kryha machine) appears to have been the

fixed-gear version, since Friedman was not given the machine to examine, he did not

have the opportunity to solve its cipher even more quickly, as in that case, only 17

trials would have been needed to sort the letters of the test message into

monalphabetically-enciphered groups.

Next

Chapter Start

Skip to Next Section

Table of Contents

Home Page

[Next] [Up] [Previous] [Index]

This cipher was once implemented in the form of a machine using gears and chains like

those used with bicycles. That, and the fact that it is impractical for hand use, while it

predates the computer age, has caused me to put it in this section, although the

appropriateness of this choice is also doubtful.

2x + y = a

x - y = b

and you want to find out what x and y are in terms of a and b.

That last step may seem trivial, but it is included for completeness.

You can make a chart to save you copying the letters x, y, a, and b every time you

perform a step:

x y a b

-------------

2 1 | 1 0

1 -1 | 0 1

and the rows of this chart can be treated like the equations were. In this case, one might

proceed as follows:

x y a b

-------------

2 1 | 1 0 2x + y = a

1 -1 | 0 1 x - y = b

3 0 | 1 1 3x = a + b

1 -1 | 0 1 x - y = b

3 0 | 1 1 3x = a + b

-3 3 | 0 -3 -3x + 3y = -3b

3 0 | 1 1 3x = a + b

0 3 | 1 -2 3y = a - 2b

Of course, the last step of multiplying each row by 1/3rd (or, equivalently, dividing

each row by 3) is still to be taken. I've avoided it here, to omit dealing with fractions.

If one works with numbers in modular arithmetic, particularly if the modulus is not a

prime number, the rules change slightly.

If you add or subtract a multiple of one of the equations from another, you can still use

any multiple, since a multiple of zero is the same as doing nothing, and so since that

does not destroy information, neither will using a number that is not relatively prime to

the modulus.

When multiplying a single row by a number, however, you cannot use a number unless

it is relatively prime to the modulus. The Hill Cipher deals with modulo-26 arithmetic,

and so in addition to zero, 13 and all the even numbers are disallowed for this

manipulation.

Enciphering in the Hill Cipher is the same as finding a and b given x and y, where x

and y are numbers from 0 to 25 substituted for two letters of a digraph being

enciphered, and deciphering is solving for x and y given a and b.

Note that not all systems of linear equations can be solved, and you must choose one

that has an inverse. One way to do this is by performing the manipulations allowed for

finding an inverse on a square with zeroes everywhere except along the diagonal, since

this will always result in a square that can be brought to that form by these same

manipulations.

Also, the square formed by the coefficients of this kind of equation is called a matrix.

The act of finding a and b for x and y, using the original form of the equations which

directly give a and b as functions of x and y, thought of as an operation using the

square of numbers we began with in the x and y columns (called a matrix) is called

multiplying the vector (x,y) by the matrix to get the vector (a,b). The square

representing x, y, and z or a, b, and c on one side of a set of equations, with a 1 at the

start of the first row, in the second place in the second row, and so on, with zeroes

everywhere else, is called the identity matrix, since if a=x, b=y, c=z, then finding a, b,

and c for x, y, and z gives you the same numbers.

The linearity in the Hill cipher is its weak point. So a scrambled alphabet for

converting letters to numbers needs to be used, and it is important to remember that

that scrambled alphabet is a very important part of the key.

Next

Chapter Start

Skip to Next Section

Table of Contents

Home Page

[Next] [Up] [Previous] [Index]

A rotor machine usually uses a disk with 26 contacts arranged in a circle on each side.

When the rotor moves, the contacts on both sides of it advance.

A rotor which had 26 contacts in a circle on one side, and a spindle with 26 contact

strips on the other side, is always sure, when it moves, to take each letter to a different

substitute. Such a rotor is called a half-rotor, and the Hagelin B-211, which we will

meet later, uses such rotors as well.

The Japanese cipher machine which was codenamed RED by American codebreakers

behaved as if it consisted of two half-rotors, one with 20 contacts for 20 consonants,

and one with 6 contacts for 6 vowels, counting Y as a vowel. This property allowed

encrypted text to be pronounceable, thus allowing use of the commercial telegraph

system.

This division of the alphabet was perpetuated in the PURPLE machine, which was a

weakness of that machine, although it at least had a plugboard so that the six letters

handled by themselves could be any six letters.

Also, while American codebreakers built their own RED work-alikes that really did

have two half-rotors, the actual machine used by the Japanese had only one half-rotor;

the spindle had all 26 strips, and the wheel face had two sets of 60 contacts, one wired

with the same scramble of 20 characters repeatedly, and the other wired with the same

scramble of the other 6 characters repeatedly.

The 60-contact wheel usually moved one step for each character enciphered, but not

always. Its motion was controlled by a 47-position gear or pinwheel. Only eleven of the

teeth could be disabled, including four adjacent pairs of teeth.

When an enabled tooth is active, the rotor advances one position for the letter currently

enciphered.

When a disabled tooth is encountered, the rotor also advances one position, but the 47-

position gear continues to advance for the current letter. Thus, occasionally the rotor

will move two or even three positions when a letter is enciphered, but it will always

move exactly 47 positions for each cycle of the 47-position gear. That cycle will take

less than 47 letters, one less for every disabled tooth.

[Next] [Up] [Previous] [Index]

Next

Chapter Start

Table of Contents

Home Page

[Next] [Up] [Previous] [Index]

Reihenschieber

This device really belongs among the paper-and-pencil systems. But it is placed here in consideration of the fact

that, briefly, from 1958 to 1960, it was considered adequate to safeguard even top secret material.

The Reihenschieber resembled a slide rule in shape. Ten square sticks, taken from a set of 26, were placed in it, and

a grille slid along the device.

The 26 sticks that came with the device were each labelled with a letter of the alphabet. Which ten sticks to use in

the device was determined by the daily key, a sequence of ten different letters. Each stick had ten dimples on each

of its four sides, which allowed it to be placed between the Reihenschieber's rails in ten positions. These were

determined by another daily key, this time of ten digits. The ten digits (with the last one repeated to make an

eleventh digit) were used to encipher a five letter area indicator, which was sent with the message, repeated twice

using the same method that the digits the Reihenscheiber generates are used to encipher messages: each digit

indicates the column in a table containing the enciphering alphabet, and in addition the following digit, depending

on whether it is low (0-4) or high (5-9), selects one of two tables.

The sticks were printed with random sequences of digits, interspersed with the odd dot. The dots were ignored when

encountered, being present to make the sequence of digits produced by the device irregular. To the left of these

digits, there was an expanse with some letters and blank spaces; this expanse contained each of the 26 letters once

in an area 10 characters long on the four sides of the stick. The ten letters, generated from the ten digit key called

the "message key", were placed in a line, and thus these 10 letters specified both the horizontal placement and the

side which was to be uppermost, for each stick.

A frame that held grilles on the front and back (the strips were also printed with digits on the back) slid along the

device like the cursor on a slide rule. With each month's supply of key material, three sets of grilles were supplied,

each for use for a period of 10 or 11 days. As the strips ran along the device, going from left to right, the numbers

the device produced were those read out from the grille vertically, first from top to bottom, and then from the

leftmost column to the rightmost column. After reading out the digits shown at one slide position, the slide was

flipped over to read the numbers showing on the back as well before the slide was advanced along the ruler for the

next group of numbers. The grilles had 10 columns; the article which is my source claims they had 25 holes, but

gave an example with 26.

The grille could be slid through 52 positions, labelled first with the lowercase alphabet and then the uppercase

alphabet. The first position used was the one with the lowercase letter corresponding to the last letter of the

enciphered area indicator as used to slide and rotate the ten sticks.

____________ ______________

______| |___________________________|

/ | | |_

| | | abcdefghijklmnopq| ----------

---------------| |---------------------------| | - -|

|X u ae l pr| | 1701.5433.626.90512.3| | |7| |4|

---------------| |---------------------------| |- - - -|

|E i qj| |ooo 849.216.55.1034.2| |6| |.| |

-------------| |---------------------------| |-- -- - |

|G m uwi o| |o 65.20473.12.9.14516| ||4| |.||3||

-------------| |---------------------------| | - - - -- |

|P a| |ooooooo 9.250.3961490| | |0| |7| |

------------| |---------------------------| |- - - - -|

|V oi u xm| |oo 131.6150492.747318| |9| |2| |5|

--------------| |---------------------------| |-- - --|

|A py x q r| | 24619.43.529.6565.34| ||.| |5||.||

--------------| |---------------------------| | -- - -- |

|W hwm z| |oooo 5.1693.40453.112| | |.| |3| |

------------| |---------------------------| |- - - - |

|C i eqrl| |oo 87.21295.306172.91| |4| |3| |

------------| |---------------------------| |- - -- -|

|T c| |oooooooo .40541.331.6| | |1||.||8|

-----------| |---------------------------| | - -- - --|

|J u mtnw| |oooo 259.10129.6542.3| ||8||4| |1||

-----------| |---------------------------|_ | - - - |

| | | abcdefghijklmnopq| ----------

\______| |___________________________|

|____________| |______________

and in the position shown, the encipherer would read off the digits 6944870142537331458 for use in enciphering.

The slide continues on like this:

_____

|_____________________________________

| \

-- |IJKLMNOPQRSTUVWXYZ |

-| |----------------------------------------

|4| |802.1221607.435549.2076.24391462 EF|

-| |--------------------------------------------

| |.4335.20623.49.17029.33406.415.3307. EF|

- | |--------------------------------------------

Also, the four sides of one of its sticks would have looked something like this:

---------------------------------------------------------------------------

|A py x q r oooooooooo 24619.43.529.6565.3471.52.403569.19382.1

---------------------------------------------------------------------------

|A u mvjo zt oooooooooo .95190.317.45602.12995.138.440.27061.630

---------------------------------------------------------------------------

|A ek lbd c s oooooooooo 437.1512.44691.703977.69.405631.29331.95

---------------------------------------------------------------------------

|A nh gfi aw oooooooooo 2026.19.5113.4072.6198.20541.35622.9271.

---------------------------------------------------------------------------

The A at the left end indicated which square stick it was; on the other end, a code of two capital letters indicated

which set of sticks a stick belonged to. There are 52 usable positions for the grille; as the grille is 10 columns wide,

and there are 10 possible horizontal positions for the slide, the area of numbers and dots is 52 + 9 + 9 or 70

characters long.

Thus, the Reihenschieber did not encipher text directly. It simply was used to generate a stream of digits, which was

used as a key.

The digits were used to encipher text using a table of twenty alphabets, organized as two tables of ten alphabets.

One digit was used per letter to be enciphered; the digit picked one of the alphabets from a table; which table was

decided by whether the next digit (which will later be used to encipher another letter) was high (5-9) or low (0-4). A

new set of tables was provided each month.

My source for the information in this section is an article from the April 1996 issue of Cryptologia. The author,

Michael van der Meulen, had also done a few previous articles on German paper-and-pencil systems.

The Reihenschieber as described here is certainly an interesting and unusual type of device. It is possible that the

old cipher device known as Ducros' Scotograph was somewhat similar to this, rather than being a variant of the

Bazeries cylinder as usually thought. And a device of this type has the potential to be quite secure.

But the Reihenschieber as described here seems to have some flaws that reduce its potential security.

● The grille has more than 10 holes. Although the dots on the sticks help, this still means that digits will repeat

at almost regular intervals.

● Of the forty possible positions for each stick, only 26 are ever used. This would not be a problem if the sticks

were frequently replaced, but they are part of the "hardware" of the device.

● The "area key" is the only thing that varies the keying of one day's messages using the same key list. There

is no indicator that varies randomly with each message.

● There is no reason for the message key not to consist of eleven digits, even if the last one need only be either

0 or 5. Or, for that matter, why not twelve digits, so that the starting position of the grille can be derived

separately.

If one is ambitious, one might even advocate using a monthly table with 100 alphabets, and using two digits to

encipher every letter, rather than using 20 alphabets (a number less than 26, and therefore also dangerous).

Next

Chapter Start

Table of Contents

Home Page

[Next] [Up] [Previous] [Index]

This cipher machine was a simple one of purely mechanical construction, but it

produced a cipher with a long period.

A drum, containing 29 mixed cipher alphabets, advanced two positions each time the

machine was used to encipher a letter.

An alphabet in normal order contained the plaintext letters. A window high enough to

expose two of the alphabets on the drum was present on the device. The plaintext

alphabet was moved in an irregular sequence to cover either the top or the bottom

alphabet of the two on the drum that were behind the window, but whether the normal

alphabet was the high one or the low one, it was always the one used for plaintext.

Thus, the movement of the bar with the plaintext alphabet simply controlled which of

two of the 29 cipher alphabets would be used at each step.

The irregular movement of this bar was controlled in two steps. First, a 25-pin

pinwheel advanced with each letter enciphered. Active pins on this pinwheel advanced

a chain with a variable number of links; some of those links were shaped to call for the

plaintext alphabet bar to be in its lower position, some were shaped to call for it to be

in its higher position.

Unfortunately, the cipher produced by this machine as described so far is quite weak; if

one knows that an A-22 has been used, one simply divides the encrypted message into

groups of 29 letters. Then, for each column of letters at that spacing, only two

alphabets are used, and this fact diminishes the benefit of the elaborate mechanism

devoted to alternating between those two. Instructions provided with the machine,

however, suggested advancing it two or three steps after enciphering some letters;

those who went to this extra effort would have obtained a greater degree of security.

Next

Chapter Start

Table of Contents

Home Page

[Next] [Up] [Previous] [Index]

Although the Swiss firm founded by Boris Hagelin has manufactured, and continues to

manufacture, many kinds of cipher machine, the words "Hagelin machine" will

normally inspire thoughts of their unique lug and pin based machines.

The basic principle of a Hagelin lug and pin machine is easy enough to describe. In the

C-38, used by the U.S. Army as the M-209, six pinwheels, with 17, 19, 21, 23, 25, and

26 positions on them, can be set by the user with an arbitrary series of pins that are

active. For every letter enciphered, all the pinwheels rotate one space.

The combination of active and inactive pins is presented to a cage with 27 sliding bars.

Each bar has two sliding lugs on it, which can be placed either in a position where it is

inactive, or in a position corresponding to any of the pinwheels, so that it will slide the

bar to the left, if the pin currently presented by that pinwheel is active.

The number of lugs sticking out rotates the cipher alphabet against the plaintext

alphabet. The two alphabets used are just the regular alphabet, and the alphabet in

reverse order, from Z back to A. This meant that encipherment was reciprocal,

although the machine still had a switch to select encipherment or decipherment: this

determined if the machine printed its output in five letter groups, or if it translated one

letter, chosen by the user, to a space.

The C-52, a postwar version of the Hagelin lug and pin machine, added an extra five

sliding bars to the cage that, instead of moving the cipher alphabet, caused the stepping

of the pinwheels to be irregular. The first pinwheel always moved, but the remaining

five pinwheels only moved when their corresponding bars were slid to the left. The six

pinwheels were labelled A, B, C, D, E, and F from left to right; bar 1 controlled

pinwheel B, bar 2 pinwheel C, and so on.

Also, on the C-52 the lugs could be moved from bar to bar, and the six pinwheels were

chosen from a set with lengths 25, 26, 29, 31, 34, 37, 38, 41, 42, 43, 46, and 47. Using

the pinwheels with lengths 34, 38, 42, 46, 25, and 26 allowed one to achieve

compatibility with the C-36: provided one also turned off the irregular pinwheel

stepping feature.

The alphabet always started from its normal position, instead of the position last used,

before being rotated by the projecting slide bars. This was perhaps the machine's main

weakness, as it made attacks based on frequency counts of displacements possible, but

it was perhaps unavoidable, since there was always a slight possibility of occasional

mechanical errors. Particularly as the machines were often used on battlefields.

In setting the lugs on the sliding bars, it was important to put many lugs for some

pinwheels, and few lugs for others, so as to get an even distribution of displacements:

basically, although some bars with two lugs active were desirable for irregularity, the

arrangement needs to approximate a binary coding of the active pins - that is, one

pinwheel might have only one lug facing it, another two, another four, and another

about eight, and another about thirteen or so.

For the C-52, in setting up lugs on the first five bars, it was important to ensure

frequent movement of the pinwheels.

Next

Chapter Start

Skip to Next Section

Table of Contents

Home Page

[Next] [Up/Previous] [Index]

and Pin Machine

Although the Swiss firm founded by Boris Hagelin has manufactured, and continues to

manufacture, many kinds of cipher machine, the words "Hagelin machine" will

normally inspire thoughts of their unique lug and pin based machines.

The basic principle of a Hagelin lug and pin machine is easy enough to describe. In the

C-38, used by the U.S. Army as the M-209, six pinwheels, with 17, 19, 21, 23, 25, and

26 positions on them, can be set by the user with an arbitrary series of pins that are

active. For every letter enciphered, all the pinwheels rotate one space.

The combination of active and inactive pins is presented to a cage with 27 sliding bars.

Each bar has two sliding lugs on it, which can be placed either in a position where it is

inactive, or in a position corresponding to any of the pinwheels, so that it will slide the

bar to the left, if the pin currently presented by that pinwheel is active.

In this section, we will examine how messages sent on the original C-38 machine could

be cryptanalyzed, in the simplest case. That is, I will assume that a large number of

intercepts for a given day (or whatever period intervenes between key changes) are

available, and that the message indicator, giving the initial positions of the pinwheels,

is not encrypted (or, which is the same thing in practice, any method of encryption used

for the pinwheel position has been revealed to the cryptanalyst by some other method

of intelligence).

The first thing to do is to find a pair of messages that have pinwheel settings that

overlap. To find overlaps, the first step is to convert a pinwheel setting into a number in

the sequence of pinwheel positions that the machine experiences. (Note that when the

machine was improved to have an irregular pinwheel motion, this approach could not

be used; overlaps could still be found, but then one would have to perform kappa tests

on every pair of messages, a tedious process requiring automated assistance.)

Such conversion relies on the Chinese Remainder Theorem: given a series of integers,

such as a, b, and c, which are all relatively prime to one another, the remainder of a

number after division by a, b, and c is sufficient to uniquely identify that number if it is

known to be within a range of length a times b times c.

Thus, for example, the numbers 1 through 15 have different remainders modulo 3 and

modulo 5:

1 | 1 1 6 | 0 1 11 | 2 1

2 | 2 2 7 | 1 2 12 | 0 2

3 | 0 3 8 | 2 3 13 | 1 3

4 | 1 4 9 | 0 4 14 | 2 4

5 | 2 0 10 | 1 0 15 | 3 0

How can we quickly convert a pair of remainders to the number it is associated with,

without performing a table lookup? Basically, we can take one remainder as is; the

remainder modulo 5 tells us something we will need to know to find the number. But

we then want to use the other remainder, the one modulo 3, to tell us how many times a

whole 5 needs to be added to this remainder.

How might we do this? Looking at the way the groups of five numbers start, it seems

that the difference between the two numbers might be considered. That difference is:

1 | 1 1 0 6 | 0 1 -1 11 | 2 1 1

2 | 2 2 0 7 | 1 2 -1 12 | 0 2 -2

3 | 0 3 -3 8 | 2 3 -1 13 | 1 3 -2

4 | 1 4 -3 9 | 0 4 -4 14 | 2 4 -2

5 | 2 0 2 10 | 1 0 1 15 | 3 0 3

From this, it can be seen that if we take the difference modulo 3, it nicely separates the

numbers into three groups of five, but we have to shift to starting with 0, as is only to

be expected, since the remainders modulo 15 run from 0 to 15.

Thus, the rule, which can be applied repeatedly to convert a group of several

remainders to a remainder modulo their product, is:

Given two prime numbers, A and B, where A is less than B, and the remainders

modulo those primes, a and b, of an unknown number, the remainder of that number

modulo AB is determined as follows:

● Divide k by the value of B modulo A, and call the result m.

● The remainder of our number modulo AB is b plus m times B.

Once we have found two overlapping messages, the second step is to solve for the

plaintext of those messages over the extent of the overlap. Because the machine

produces successive shifts of a known alphabet, we know that the distance between two

ciphertext letters at a given position corresponds to the distance between the two

plaintext letters they represent, so for each position, we have only 26 out of 676

possibilities to consider for two letters. (Remember, the plaintext alphabet and the

cipher alphabet are the normal alphabet and the reversed alphabet, and the distances

between letters must be considered in their own alphabets.) Eliminating pairs which

have an uncommon letter in either position narrows down the possibilities for each

letter in each message.

For a machine like the Sigaba, which produces a different alphabet for each letter, an

attack at a "depth of two" is probably impossible without much additional information.

Having some plaintext and corresponding ciphertext, we can derive from that the series

of displacements generated by the operation of the lugs and pins over the part of the

sequence of pinwheel positions in question.

At this stage, one can apply sophisticated techniques, which have been described

elsewhere, to attempt to reconstruct the lug and pin settings of the machine. In order

that different combinations of active and inactive pins will tend to produce different

numbers of shifted lugs (different displacements of the alphabet), the lugs need to be

distributed among the positions corresponding to pinwheels in a manner that assigns

different weightings to the different pinwheels, resembling, but not identical to, the

weighting of binary numbers (16, 8, 4, 2, 1). Thus, if one looks for large displacements

and how they alternate with small ones, one may find a pattern that indicates where the

lugs are on at least one pinwheel.

The third step is to find messages which have an almost overlap. A list of all the

pinwheel positions in the overlap will help with this; it can be compared to the start and

end pinwheel positions of other messages (and middle positions, if the other messages

are long enough, and the overlap is short enough). An almost overlap is a span of

letters in a message where the positions of five of the six pinwheels have matching

positions to the pinwheels enciphering the (full) overlap sequence with which it is

being compared.

Since each pinwheel contributes only a single bit of input to the cage which determines

the displacements (note that for a computer version of this type of cipher, which

XORed together whole bytes in lists of differing length as input to an S-box, this would

not work), half the time, the displacement would match that of the displacement in the

message with which the almost overlap exists. So, a trial decipherment can be made

using those displacements, and it should not be hard to pick out the half of the letters

that are right. This gives information on whether a pin in one position on a pinwheel

has the same active or inactive state as a pin somewhere else.

Multiple almost overlaps involving the same odd pinwheel allow reconstruction of the

pinwheel; so does the fact that an extra active pin results in an increased displacement

(although there are exceptions to that rule once the cage has more than 25 lugs in it).

Constructing a table with 64 entries (corresponding to the combinations of active and

inactive pins) giving displacements is sufficient to read messages, although it is

doubtless possible to reconstruct the lug settings from the displacement table.

Next

Chapter Start

Skip to Next Section

Table of Contents

Home Page

[Next] [Up] [Previous] [Index]

The rotor machine is what many people will think of when they think of a cipher

machine. And the most straightforward type of rotor machine is the one invented by

Edward Hebern, in the United States.

Here's a very crude artistic impression (in ASCII-Art, yet!) of what this beautifully-

made machine looked like:

___

___ '-.

_ ___ '-. \

_ o\_____ ___ '-. \ |______

_ \ | ___ '-. \ | _/\

_ o\ | ___ '-. \ | _/ _ |

/ \ ___ '-. \ | _/ _/o\ \

| O | ___ '-. \ | _/ _/o | |

_/| |.-' '-. \ | _/ _/o o \ \

_/ / \ | _/ _/o o o | |

/_______| |_____ _/ _/o o o _/ _/ === ===

| .-. | /o o o _/ _/ === === ===

| /-. )_________ \ \ o o _/ _/ === === ===|

| ( )________ \ | | o _/ _/ === === ===| |

| \_________ \ ) \ \o _/ _/|=== === ===| |_|

| | ( ) | |/ _/|__|| || || |_|

| .-. | |'-' \ _/|____||__||__||_|

| ( ) _|____|_ | | | |___|

| '-' \ / | |_____|---

| \_____======O===========O/

|________________________________|/

The Japanese cipher machine the American solvers of which called it PURPLE didn't

have any rotors in it, but instead used telephone stepping switches. However, in some

ways, it was still closely related to a rotor machine, and so it will be discussed here as

well.

While the term code as distinct from cipher sometimes refers to a substitution on words

and phrases as distinct from one on letters or digraphs, and sometimes (as in "Morse

code", "Hamming code", or "Huffman code") seems to be applicable to any fixed

substitution, forcing me to employ it somewhat loosely, I have been fastidious in

restricting the use of the term "rotor machine" to cipher machines with wired rotors,

which operate by changing a substitution produced by wires inside the rotor to its

contacts when the rotor is rotated. Other cipher machines, operating on different

principles, but with rotating parts (such as the Hagelin lug and pin machines, or the

Lorenz SZ-40) which operate on entirely different principles, have occasionally been

referred to in print as "rotor machines". I wish to disparage this trend, as it would make

the term "rotor machine" much less useful, by causing it no longer to refer to a family

of cipher machines which all are based on a common cryptographic principle.

● The Interval Method

● The Isomorph Attack

● PURPLE, CORAL, and JADE

Chapter Start

Skip to Next Section

Next Chapter

Table of Contents

Home Page

[Next] [Up/Previous] [Index]

A rotor is a small disk of insulating material, with perhaps 26 equally-spaced electrical contacts

in a circle on each side. The contacts on one side are connected to the contacts on the other side

in a scrambled order.

In Hebern machines, the contacts on the rotors were simply flat circles of metal; the machine

had ball contacts on springs to make contact with them. This allowed the rotors to be put in

upside down, for more possible keys. The Enigma, on the other hand, was built more cheaply;

the rotors had plain metal contacts on one side, and spring contacts on the other. This almost

halved the number of contacts needed, provided you didn't decide to use a new set of rotors.

A rotor provided a changing scrambled alphabet, by (you guessed it!) rotating. A rotor with 26

contacts on each side, each corresponding to a letter of the alphabet, that changed E to M before

rotating would now change D to L (or F to N, depending on the direction in which it rotated),

while E could become any other letter, depending on the way the different wire went that was

now brought into position to encipher it.

Note that the example given had the rotor moving "backwards" by default. If the rotors are

labelled with letters going in the same direction as the use of the input contacts, and they

advance so that the next letter in the alphabet becomes visible at a fixed position, the result will

be to move the contacts on the rotor to the input contacts corresponding to the previous letter

from the ones to which they were previously connected.

The five rotors on a Hebern machine came close to moving like the wheels of an odometer.

However, they did not move precisely in this way. There were fast rotors, which moved once for

every letter enciphered, medium rotors, which moved once for every 26 letters, after a carry

from the fast rotors, and there were slow rotors, which moved once after 650 (rather than 676)

letters were enciphered. And there could also be rotors that didn't move at all, except that they

could be set by hand before encipherment began. Some versions of the five-rotor Hebern

machine had control levers, which determined which rotors moved each way.

The 'carries' between rotors were handled by ratchet gears that were at the two ends of the shaft

carrying the rotors. The reason for the slow rotors moving after every 650 letters was because

the machine was designed to avoid having the slow rotor moving at exactly the same time as the

medium rotor, since having all the rotors move together seemed like a weakness.

A good picture of a Hebern rotor machine appears in the July, 1966 issue of Scientific American,

which has an article on cryptology by David Kahn.

The following diagram may illustrate a little about how a rotor machine works:

In the first section, we see the keyboard connected to a set of contacts, arranged in a circle,

forming the input to the first rotor. Often, the contacts are arranged so that the contacts on the

circle are in alphabetical order; the early commercial Enigmas were wired so that the contacts

matched the keyboard arrangement instead.

In the second section, I attempt to illustrate that the contacts on both sides of a rotor are

connected so that each contact on one side is connected to one contact on the other side, but in a

scrambled way.

In the third section, I follow the fate of the letter E through three rotors, before and after the one

in the middle advances one step. The path of electricity through the first rotor stays the same;

but the movement of the second rotor has brought a second wire into contact with the electricity;

the wire formerly used is shown as a dotted line in its new position. The third rotor has not

moved, but since the electrical current has left the second rotor from a different contact, a

different wire in that rotor is used also, the old one also shown as a dotted line, but this time in

the same position.

One late rotor machine design that has become known to the public is that of the Hagelin HX-

63, which was offered for sale in the early 1960s, but was quickly phased out by electronic

cipher devices.

It had nine rotors, each with 41 contacts. As it enciphered a 26-letter alphabet, wires looped 15

of the rotor bank's output contacts back to its input.

There were two plugboards with the machine; one scrambled the 26 plaintext letters on input,

and another scrambled the 15 loopback connections. (It is somewhat surprising that a plugboard

scrambling the plaintext on input was chosen over one scrambling the ciphertext on output: it

would seem the latter would provide better protection against cryptanalysis, for the same reason

that a Type II slide is to be preferred over a Type I slide.)

The following diagram illustrates the wiring of an HX-63, showing the wires that are looped

back and the plugboards:

It is described as having a "very irregular" motion of the rotors, and each rotor had a set of 41

switches the setting of which would vary the effective wiring of that rotor.

Although I do not know what wiring scheme was chosen for those switches, one possibility

might be something like this:

Friedman Squares and Symmetry of Position for Rotors

The alphabets produced by a single rotor in its various positions can be shown in a tableau

similar to those used for Vigenere; such a table would look like this:

Rotor

position Plaintext

| A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

-----------|-----------------------------------------------------

A | L N K Y U W Z J X H E I A O G S P V C T D R B Q F M

B | M J X T V Y I W G D H Z N F R O U B S C Q A P E L K

C | I W S U X H V F C G Y M E Q N T A R B P Z O D K J L

D | V R T W G U E B F X L D P M S Z Q A O Y N C J I K H

E | Q S V F T D A E W K C O L R Y P Z N X M B I H J G U

F | R U E S C Z D V J B N K Q X O Y M W L A H G I F T P

G | T D R B Y C U I A M J P W N X L V K Z G F H E S O Q

H | C Q A X B T H Z L I O V M W K U J Y F E G D R N P S

I | P Z W A S G Y K H N U L V J T I X E D F C Q M O R B

J | Y V Z R F X J G M T K U I S H W D C E B P L N Q A O

K | U Y Q E W I F L S J T H R G V C B D A O K M P Z N X

L | X P D V H E K R I S G Q F U B A C Z N J L O Y M W T

M | O C U G D J Q H R F P E T A Z B Y M I K N X L V S W

N | B T F C I P G Q E O D S Z Y A X L H J M W K U R V N

O | S E B H O F P D N C R Y X Z W K G I L V J T Q U M A

P | D A G N E O C M B Q X W Y V J F H K U I S P T L Z R

Q | Z F M D N B L A P W V X U I E G J T H R O S K Y Q C

R | E L C M A K Z O V U W T H D F I S G Q N R J X P B Y

S | K B L Z J Y N U T V S G C E H R F P M Q I W O A X D

T | A K Y I X M T S U R F B D G Q E O L P H V N Z W C J

U | J X H W L S R T Q E A C F P D N K O G U M Y V B I Z

V | W G V K R Q S P D Z B E O C M J N F T L X U A H Y I

W | F U J Q P R O C Y A D N B L I M E S K W T Z G X H V

X | T I P O Q N B X Z C M A K H L D R J V S Y F W G U E

Y | H O N P M A W Y B L Z J G K C Q I U R X E V F T D S

Z | N M O L Z V X A K Y I F J B P H T Q W D U E S C R G

Just as a Vigenere table has a regularity, in that it shows the same alphabet in its rows (and

columns) repeatedly, only shifted, here a regularity is visible as well, but it is subtler: the

diagonals of this square are shifted regular alphabets.

mixed-alphabet slides. Since this table also has regularities, the same technique can be adapted

to its structure.

In a mixed-alphabet Vigenere, if the letters A and B become Q and V in one alphabet, and T and

R in another, then Q and V are separated by the same distance as T and R in the cipher alphabet.

In a rotor machine where the entry rotor is the fast rotor, the principle is the same, except now if

the fast rotor has moved one position between the two alphabets, the comparison would be

between A and B becoming Q and V in one position, and Z and A becoming T and R in the

other position.

So in this case, the two mixed alphabets being considered are the one provided by the fast rotor,

and the one provided by the other rotors. The shifts of the fast rotor need to be compensated for

in the input. Similarly, if the output rotor were the fast rotor, the shifts would be adjusted for in

the ciphertext letters.

What about the case when the input and output permutations to a rotor are both unknown? For

example, when the fast rotor is in the middle of a stack of five rotors. At first, it might seem

hopeless to apply symmetry of position to that case, because there seems no way to tell when an

input or output in one case involves the same wire in the moving rotor or not as in another case.

But there is a way to apply symmetry of position in this case, given enough text with

overlapping key settings. Incidentally, if the entry and exit alphabets of the rotor machine as a

whole are known, in the case we are considering, where rotor 3 is the fast rotor, positions where

rotors 1, 2, 4, and 5 are all displaced by the same amount, the known plaintext, known

ciphertext, and fast rotor position can all be translated to permit including known plaintext from

such a key setting for comparison.

One thing is assumed to be known, the position of the rotor being examined, which advances

one step each time while the other rotors do not move.

With nearly complete alphabets, some progress can definitely be made in this case.

Another possibility does not produce certain results, only probable relationships.

Suppose that in position 1 of the rotor under study, plaintext A becomes ciphertext B; in position

7 of the rotor under study, plaintext C becomes ciphertext B; in position 11 of the rotor under

study, plaintext C becomes ciphertext D; and in position 14 of the rotor under study, plaintext A

becomes ciphertext D.

This creates a closed cycle of equivalents, separated by a given pattern of rotor displacements.

If we also knew that in position 2 of the rotor under study, plaintext W became ciphertext X; in

position 8 of the rotor under study, plaintext Y became ciphertext X; in position 12 of the rotor

under study, plaintext Y became ciphertext Z; and in position 15 of the rotor under study,

plaintext W became ciphertext Z, then we might think it likely that the two structures

correspond, and the same rotor wires are involved in corresponding steps of the two cases.

If so, then W precedes A, and Y precedes C, on the input side of the rotor, and X precedes B,

and Z precedes D, on the output side of the rotor, by exactly one position in each case.

Since all our elementary facts about the rotors are of the form perm(e-7)=R-7, that is, a

relationship between one plaintext letter and its equivalent for one particular rotor position, there

is no way to directly amass equations that can be used to solve for any direct facts about the

structure of the rotor as an unknown; instead, differences and patterns have to be relied upon.

Symmetry of Position is a technique that is used to reconstruct rotor wirings when a large

amount of information is available about the alphabets produced by a rotor. But how does one

get started attacking ciphertext produced by a rotor machine?

Let us assume the simplest case, where one knows the initial positions of the rotors for each

message, and where the fast rotor is the exit rotor. However, we can allow an unknown

assignment of the exit contacts from the rotor bank to the display or printer of the rotor machine,

and we will assume that only ciphertext is available.

With the exit rotor the fast rotor, one has stretches, 26 letters long, where the fast rotor, in its

different positions, is the only thing enciphering monalphabetically enciphered text. But each

stretch deals with text enciphered in a different monalphabetic cipher, so how can that help us?

The chance that two texts, enciphered independently, will have the same letter at any given

position, is 1/26. Two plain-language texts, or two texts enciphered in an identical manner by

means of a polyalphabetic cipher, will have a greater number of coincidences; aligning

messages on the basis of single letter coincidences is called the kappa test. But let us assume we

do not have any overlapping rotor settings to help us. How can the principle of the kappa test

help us?

Monalphabetically enciphered texts, even if they are not enciphered by the same monalphabetic

cipher, still have one thing in common: they have an uneven frequency distribution. In English,

the letter E makes up 12% of an average text, and the letter T makes up 9%. Twelve percent of

26 is just over three.

Thus, one can take our stretches of 26 enciphered letters, and compare them with each other.

When we find coincidences, it is likely that the monalphabetic substitutions which provided the

inputs to the fast rotor in both cases used the same letter or letters as substitutes for one or more

high-frequency plaintext letters.

Thus, in the ideal case, by coincidences we might find a number of stretches with many

coincidences with each other, and in each of the 26 positions in a stretch, the letter involved in

the most coincidences would be the substitute provided by the fast rotor for the particular letter

that, for most of those stretches, was the substitute for plaintext E produced by the rest of the

rotor machine.

Since there are several high-frequency letters in English, the result is not likely to be that easily

obtained; instead, there will be many possibilities, and the technique of symmetry of position,

above, will be one of the things used to narrow down the possibilities.

Next

Chapter Start

Skip to Next Section

Table of Contents

Main Page

[Next] [Up] [Previous] [Index]

If you could rotate only one side of a rotor, then you would be guaranteed that for each of the 26 possible positions, every

input letter would be connected to a different output letter. A special kind of rotor, called a half-rotor, can do this, by

having contacts in a circle on one side, and bands around an axle on the other side. But this kind of rotor is bulky and

expensive compared to a normal rotor. To ensure that moving a rotor through its possible positions will produce 26

alphabets that are as different as possible, a method called the interval method can be used in wiring rotors.

Edward Hebern originated this method himself; this perhaps is less surprising than it seems (one would, perhaps, have

expected the master cryptologist W. F. Friedman to come up with it, for example) when one considers that his first rotor

machine, made for use by users in the commercial world, only had one rotor in it.

Finding an interval method rotor sequence is related to solving the Eight Queens problem, except in this case the problem

involves a chessboard that allows one to move off any edge and then back on on the opposite edge, and the "queens" can

only move and capture along one diagonal, the same diagonal for all of them. A perfect solution is possible only on a board

of odd order; seven queens on a 7x7 board, nine queens on a 9x9 board, but for this modified problem, there is no solution

for eight pieces.

A simple proof of this fact depends on properties of triangular numbers. The nth triangular number is (n^2+n)/2. If n is an

odd number, this is a multiple of n, but if it is an even number, this is an odd multiple of n/2.

On both sides of a rotor, one wire is connected to each contact. So, if the wires are connected to each contact on the

opposite side, the sum of the displacements must be equal to zero, modulo the size of the rotor, since the wires are still

connected to contacts with the same numbers, contact 1 through contact n. If one tries to use all possible displacements

from 1 to n, (or from 0 to n-1, if you prefer) then for even n, the sum will be wrong.

From: 1 2 3 4 5 6 7 8 9

To: 5 4 3 2 1 9 8 7 6

(Difference: 4 2 0 7 5 3 1 8 6)

An interval method wiring for an even number of contacts will have exactly one possible difference omitted, and one

repeated twice. Fortunately, while the above example of an interval method sequence is highly symmetrical, there are many

possible arrangements that satisfy the interval criterion, and most appear almost random.

Here is another example of an interval method wiring, this time for a 26-contact rotor:

From: A B C D E F G H I J K L M N O P Q R S T U V W

X Y Z

To: L N K Y U W Z J X H E I A O G S P V C T D R B

Q F M

(Difference: 11 12 8 21 16 17 19 2 15 24 20 23 14 1 18 3 25 4 10 0 9 22 5

19 7 13)

Here, only the difference of 6 is omitted, and only the difference of 19 occurs twice.

Note that it is the alphabet used for constructing an example of a Friedman square on the previous page.

of the whole rotor of the whole rotor

and one side by

itself

1-contact rotors: - 1 1

2-contact rotors: 1 2 2

3-contact rotors: - 1 3

4-contact rotors: 1 4 16

5-contact rotors: - 3 15

6-contact rotors: 4 24 144

7-contact rotors: - 19 133

8-contact rotors: 32 256 2,048

9-contact rotors: - 225 2,025

10-contact rotors: 464 4,640 46,400

11-contact rotors: - 3,441 37,851

12-contact rotors: 8,768 105,216 1,262,592

13-contact rotors: - 79,259 1,030,367

14-contact rotors: 227,008 3,178,112 44,493,568

15-contact rotors: - 2,424,195 36,362,925

16-contact rotors: 7,814,144 125,026,304 2,000,420,864

17-contact rotors: - 94,471,089 1,606,008,513

where the number of odd-contact rotors in the third column is from integer sequence A006717 in the Handbook of Integer

Sequences, while the number of even-contact rotors is calculated by my own computer program. Note that, in the case of 2-

contact rotors, one does not multiply by n (which is 2) going from the second to the third column, because in that case the

arrangements are symmetric.

The same type of backtracking algorithm as is used to solve the Eight Queens problem was used in my program to generate

the numbers for even-contact rotors, but instead of trying various permutations of the output contact numbers from 1 to n, I

instead tried permutations of the set of intervals I was using. This let me exploit a symmetry (instead of considering all

possibilities for the duplicated and omitted intervals, I only needed to work with one), and divide the number of

arrangements I generated by n, as well as reducing the number of levels the program went through to build an arrangement

by one, since the two duplicate intervals of zero were fixed by an outer loop.

Next

Chapter Start

Skip to Next Section

Table of Contents

Return to Home Page

[Next] [Up] [Previous] [Index]

Isomorphs

It is possible to break even the complicated cipher produced by a rotor machine.

Especially when only one rotor moves with every letter enciphered, that rotor is at

either the input or output end of the rotor machine, and no other rotor moves more

often than once every 26 letters.

Of course, having some cribs, that is, plaintext for a number of cipher messages, will

be helpful. As will cracking the 'indicator system', that is, the method by which the

sender notifies the recipient of the starting positions of the rotors for each message.

When only one rotor moves, and the rest of the machine stands still, and the moving

rotor is on the outside, then the only difference between the cipher applied for one such

period of 26 letters and any other is a monalphabetic substitution.

With enough overlapping cribs, one may be able to reconstruct little pieces of the fast

rotor relative to more than one of the monalphabetic substitutions produced by the

others, and it may even be possible to link these pieces together. As soon as it becomes

possible to nullify the effect of the fast rotor, messages become almost trivial to solve.

If you know the wiring of all the rotors, and you have some known plaintext, and the

fast rotor is on the outside, the procedure is to try each rotor, in all 26 rotational

positions as the fast rotor (this amounts to 130 trials for a machine with five rotors)

until you find one that produces a monalphabetic result. If the fast rotor is on the output

side, you use it to decipher the ciphertext. If it is on the input side, you use it to

encipher the plaintext. Either way, if the plaintext and ciphertext are made to match, so

that repeated letters in both match up, you have found an isomorph.

Note that while frequent or complicated rotor movement can make it impossible to

mount an isomorph attack, having the fast rotor in the middle of the rotor stack makes

such an attack more difficult, since one has mixed alphabets to deal with, and these will

not be the same in all messages, it does not make attacks based on this principle

completely impossible.

Next

Chapter Start

Skip to Next Section

Table of Contents

Return to Home Page

[Next] [Up] [Previous] [Index]

The Japanese cipher machine which the American cryptanalysts codenamed CORAL is

perhaps the easiest to understand of the three.

All three machines were built from common telephone stepping switches. These

switches had six input wires. Each wire was connected to a wiper, and each wiper

could make contact with one of twenty-five terminals. All six wipers moved together,

and each one had its own set of 25 terminals to contact.

A solenoid controlled the movement of the wipers. When a current pulse was fed to it,

the wipers advanced one position, except that, if the wipers were already at position 25,

a spring caused the wipers to go back to the first position. Thus, although the 25

terminals were arranged in a semicircle, the switch acted as though they formed a full

circle, with stepping in only one direction.

In CORAL, a stack of five stepping switches did the same job as a rotor would do in a

Hebern rotor machine. 26 input wires carried current to 26 outputs, in 25 different

ways. The alphabets for each of the 25 wiper positions, unlike the alphabets for the

different positions of a rotor, were completely independent and unrelated.

JADE was just about the same as CORAL, except that it was used to encipher

messages written with the Japanese katakana syllabary, which has 48 symbols. Thus, it

added a shift key to the keyboard. The shifts weren't enciphered; only a 25-symbol

alphabet was, giving equivalents to the 48 kana and the two diacritical marks used with

katakana.

PURPLE, the earliest of the three machines, had a somewhat stranger structure. A

plugboard selected 20 letters of the alphabet to be enciphered through banks of four

stepping switches. The other six letters were enciphered by means of only one stepping

switch. This division of the alphabet was easily detected through frequency counts, and

was perhaps the most serious weakness of the machine. (Another very serious

weakness, and also a strong contender for the title of "most serious", was the fact that

the stepping switch banks were, for obvious reasons, not removable, so one could never

perform the operation equivalent to changing the rotor order.)

attempts, with many parts omitted, to illustrate how PURPLE worked. The plugboard

reassigned letters for both input and output. The stepping switches only have fifteen

tick marks around them - representing the 25 contacts each wiper actually has. For only

one wiper position for each switch or bank of ganged switches, the scrambled

arrangement in which the wires are connected to corresponding wires in the next stage

are shown. However, the 20 versus 6 division is easily visible in the diagram, as is the

general arrangement of the device.

Next

Chapter Start

Table of Contents

Main Page

[Next] [Up] [Previous] [Index]

The Enigma

In 1974, the British government permitted the disclosure of the story of the

decipherment of the German Enigma cipher machine in World War II. That the Enigma

had been broken by the Allies in World War II, however, was not in fact secret up until

that time; the account of the capture of the German U-505 submarine in David Kahn's

book The Codebreakers from 1967 notes not only that a German cipher machine was

captured along with its monthly keys, but that messages on machines of this type were

already being read, "with the help of a mass of machinery that filled two buildings".

Also, the book "The Broken Seal" by Ladislas Farago referred to a meeting between

British and U.S. representatives to discuss a swap of American information on

PURPLE for British information on the Enigma (the Americans were generous, but

went away empty-handed at the time, but Britain very shortly thereafter relented, as

later revealed). But only after 1974 did the details of this cryptanalytic feat emerge.

Despite some continued secrecy, it can fairly be said that the cryptanalysis of the

Enigma is the only case in which not merely the story of an isolated cryptanalytic

success, but instead the ongoing saga of coping with changes in a cipher system, has

become public.

Because of the intense concern in the United States about whether or not the Japanese

bombing of Pearl Harbor could somehow have been prevented, it was officially

revealed quite shortly after the war that cryptanalysts working for the U. S.

Government and Armed Forces had solved both Japanese codes and Japanese ciphers,

including the cipher produced by the so-called "PURPLE machine".

Had this not been the case, perhaps this would have been kept secret for the same

amount of time as the British success in cracking the cipher of the Enigma machine, as

a result of the normal reticence of nations concerning matters relating to an activity of

such high sensitivity.

As well, given the role of Polish nationals in the early part of the Enigma story, a

genuine concern to avoid any of them still residing in Poland being summoned for, at

the least, debriefing, may well have been a consideration. As to the sale of used

Engimas, I would think that the rule of caveat emptor, rather than any imputation of

fraud, would be applicable.

Starting with the commercial Enigma C, the Enigma differed from other rotor

machines (although, later, the British Typex and a commercial machine from Ottico

Maccina Italiana were based on it) in that the electrical signal for a plaintext letter did

not just go in one end of the rotor stack and out the other, but also was sent back to go

through the rotors the other way by a reflecting rotor.

This strengthened the cipher in some ways, but also gave it important weaknesses. And

it also meant that quite a number of unique cryptanalytic techniques were developed

for the Enigma which were specific to it. In comparison, CORAL, although a more

difficult target, would still be approached with almost the same techniques as would be

used against a Hebern rotor machine, with the exception that the unrelated nature of the

alphabets provided by a stepping switch increased the amount of text required for

applying those techniques.

● The Uhr Box

● The Enigma A and Enigma B

● Relatives of the Enigma

● Cryptanalysis of the Enigma

❍ Cliques on the Rods

Chapter Start

Table of Contents

Return to Home Page

[Next] [Up/Previous] [Index]

The Enigma had a stack of three or four normal rotors, not in principle unlike those in a Hebern machine.

They had 26 contacts in a circle on each side, those on one side were connected in a scrambled order to

those on the other, and the rotors moved to vary their effects on the alphabet.

There was a mechanical difference: the rotors had plain contacts on one side, and spring-loaded contacts on

the other. A Hebern machine had only plain contacts on its rotors, and the machine itself therefore needed

twice as many spring-loaded contacts as a permanent part of the machine. This cut total costs for an Enigma,

but it meant that rotors were more expensive, and indeed during the war, the German forces kept on using

their old rotors, only gradually adding the odd new one to the set.

In addition to the contacts and the wires between them, a rotor often has two other parts of significance to

the cipher it will generate which are often overlooked. Like the wheels in an odometer or a mechanical

adding machine, rotors in some rotor machines include what is essentially a gear with one tooth to cause the

next rotor to move one position forwards at one point in its own rotation. Some rotor machines, of course,

use completely different principles to move the rotors; the Hebern machine did use this principle, but still

kept that part of the gearing physically separate from the rotor itself. Also, the rotor has to be labelled, so

that there is some way of recording and communicating the starting position in which the rotors of a rotor

machine are to be set. Otherwise, the two parties to a communication will be unable to set up their machines

the same way. On the Hebern machine, the rotor itself was marked.

In the Enigma, a movable alphabet ring was labelled with the letters identifying rotor positions. The rotor

itself, of course, was marked so that alphabet ring settings could be written down too. The ratchet wheel,

which determined when one rotor would cause the next slower one to advance, was attached to the alphabet

ring. This is quite important to note, as it determined how methods of exploiting the Enigma's indicator

method would work, and how the Bombe had to be designed.

But the main distinguishing feature of the Enigma was its reflecting rotor. Instead of plaintext going in one

end with ciphertext coming out the other, the reflecting rotor, with the 26 contacts on one side connected to

each other in a scrambled fashion, caused the electrical signal to go through the rotors a second time in the

opposite direction, coming out on the same side it came in, but at a different contact.

This meant two contacts on the entrance side of the rotor stack were "live". Instead, therefore, of the switch

operated by a typewriter key on the Enigma merely connecting the battery to the proper contact of the

outermost rotor, it instead took the contact of that rotor, and disconnected it from the lamp under the same

letter as well as connecting it to the battery.

As an extra security feature, the Enigmas used by German forces during World War II included a plugboard.

The wires leading from the lamps and keyboard to the rotors were all cut, and then wired to a socket that

acted like the socket for a phone plug. If nothing was plugged in, the two wires to the plug were connected

together. If a plug was inserted, the two wires were not connected to each other, instead, each one was

connected to one of the two contact points in the plug.

Although a commercial Enigma, modified by Polish cryptanalysts to match a military Enigma, used phone

plugs, the plugs in the plugboard of the actual Enigma had two prongs, but they still functioned electrically

in the same way as phone plugs.

So, think of 26 phone plug sockets, and a set of ten wires, with a phone plug at each end, with the tip at one

end wired to the shaft at the other end, and you will have an accurate electrical picture of the plugboard of

the Enigma.

| | |

----- ----------| ----------| ----------|

| --||- -----||----------||- -|------

| / || \ / || || \ / | |

| | -||--\- ---||- ----||- \ --/--|----- |

| | / || \ / || \ / || \ \| / | ||

| || -||- ------||----- ---||--\-\- _-|---- ||

| ||| || \ / || \ / || _-\|\-- | |||

| ---||---- ---||------ -||- \ ----|--- |||

| || || \ / || \ / || |\ | ||||

| | -||------ _-||--_ ----||--_ | ----|-- ||||

| | || _--\-- || ---/-_ || -|--_ | |||||

| --||-- ----||------ -||---- --|- |||||

----- ----------| ----------| ----------| ||||||

Slow | Medium | Fast | ||||||

||||||

---------------------------- ||||||

| | | | | | | ||||||

- | | | | | | ||||||

--- ( ) (*) ( ) ( ) ( ) ( ) Lamps ||||||

- | | | | | | ||||||

--- | | | | | | ||||||

| | | | | | | ||||||

--------|---|---|---|---|---|- ||||||

| | | | | | | | | | | | ||||||

I I / I I I Keyboard ||||||

| | | | | | ||||||

| | | | | | ||||||

|_ _| | | | | ||||||

_X_ I I I I Plugboard ||||||

| | | | | | ||||||

| | | | | ------------- |||||

| | | | ------------------ ||||

| | | ----------------------- |||

| | ---------------------------- ||

| --------------------------------- |

--------------------------------------

To make it simple to understand the principle which allows pressing a key on the Enigma to light the lamp

to which the key is connected through the rotors, but not the lamp connected to the key itself, the wires have

been colored red and blue, depending on whether they are at a positive or negative potential (I've chosen the

battery orientation in the diagram arbitrarily for clarity, and do not claim it matches that of the actual

Enigma) and wires carrying current are shown in a lighter red or blue, and, where convenient, are shown

thicker, with little yellow arrowheads showing the direction of current.

The Germans themselves broke messages transmitted by Republican forces during the Spanish Civil War on

conventional Enigma machines without plugboards. And it was the plugboard, more than anything else, that

convinced them that the Enigma was unbreakable.

The rotor wirings of the Naval Enigma, most of which were also used by the Wehrmacht, were:

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

for "carry":

I : E K M F L G D Q V Z N T O W Y H X U S P A I B R C J Q

II : A J D K S I R U X B L H W T M C Q G Z N P Y F V O E E

III : B D F H J L C P R T X V Z N Y E I W G A K M U S Q O V

IV : E S O V P Z J A Y Q U I R H X L N F T G K D C M W B J

V : V Z B R G I T Y U P S D N H L X A W M J Q O F E C K Z

* VI : J P G V O U M F Y Q B E N H Z R D K A S X L I C T W MZ

* VII : N Z J H G R C X M Y S W B O U F A I V L P E K Q D T MZ

* VIII : F K Q H T L X O C B J S P D Z R A M E W N I U Y G V MZ

B : Y R U H Q S L D P X N G O K M I E B F Z C W V J A T

C : F V P J I A O Y E D R Z X W G C T K U Q S B N M H L

* Beta: L E Y J V C N I X W P B Q M D R T A K Z G F U H O S

* Gamma: F S O K A N U E R H M B T I Y C W L Q P Z X V G J D

* B : E N K Q A U Y W J I C O P B L M D X Z V F T H R G S

* C : R D O B J N T K V E H M L F C W Z A X G Y I P S U Q

The first five regular rotors, and the two reflecting rotors above were used in both the Wehrmacht and the

Navy. Only the Navy used the last three regular rotors, numbers 6 through 8, and two thin rotors, one

reflecting, to replace the reflecting rotor. The rotors only used in the Naval Enigma are marked with an

asterisk.

Each rotor, other than the reflecting rotor, is described this way: the line at the top with the letters in order

from A to Z indicates the contact which is on the side of the rotor facing the wires from the keyboard and

lamps, and the table entry indicates the contact on the side facing the reflecting rotor connected to that

contact, when the alphabet ring is in the A position, and A is the letter showing through the window at the

top of the machine.

While this form of the Enigma was used by the Wehrmacht, and by the Navy with improvements, other

forms of the Enigma were used during the war by other military and governmental organizations within

Nazi Germany.

One of the most famous is the Abwehr Enigma, which used rotors with 11, 15, or 17 notches, but which had

no plugboard. Its keyboard had numerals and punctuation marks on the keys above the letters. The Mil Amt,

which succeeded the Abwehr, used a machine with a set of six rotors, all with nine notches.

The Railway Enigma was an Enigma with a typewriter keyboard entrance permutation, like the commercial

Enigma C and Enigma D.

Although the Army and Navy continued to use their original rotors throughout the war, each of the other

groups using Enigmas used their own rotor wirings. This was a natural security precaution. Probably the

reason that other Enigma machines used did not have plugboards is also because security kept groups using

Enigma machines from knowing about the Enigmas used by other groups: it may well be that the different

Enigmas were made in separate factories. However, the Mil Amt seems to have learned the same lesson as

was used in the Naval Enigma, by switching to rotors all having the same notches.

Next

Chapter Start

Skip to Next Section

Table of Contents

Main Page

[Next] [Up] [Previous] [Index]

The Uhr box was a replacement for the patch cords that were plugged into the Enigma's

plugboard. Each day, the relationship between the alphabet and the contacts on the

Enigma's rotors was changed in accordance with the daily key by plugging in the patch

cords as it specified.

Uhr box, by Frode Weierud from Switzerland in clearing up some of the details about

how it worked. The facts he provided allowed me to propose a tentative reconstruction

of how the Uhr box might have been wired internally.

By using the cords coming out of the Uhr box instead, it became convenient to change

the plugboard setting more often, because it could be changed just by turning the knob

on top of the Uhr box. The knob had forty settings, numbered from 0 to 39. These

settings were indicated by a two letter code, given by a sticker on the lid of the Uhr box.

When set to setting 0, the Uhr box acted like a set of ordinary patch cords. Of the

twenty plugs coming out of the Uhr box, ten were painted white, and ten were painted

red. The plugs in the two groups were numbered from 1 to 10, and the pairs of one red

plug and one white plug both bearing the same number each behaved like a patch cord

in setting 0.

Even in other settings, although the connections between the input of one plug and the

output of another plug were now scrambled, it was still true that the input of any red

plug was always connected to the output of a white plug, and the input of any white

plug was always connected to the output of a red plug.

Because patch cords always connected their input and output to the output and input on

the other end, they produced a reciprocal permutation of the alphabet. The Uhr box

allowed this to be avoided. This didn't change the fact that the Enigma's cipher was

reciprocal, since the permutations of the Enigma's individual rotors weren't reciprocal

either, but the cipher of the Enigma as a whole was still reciprocal, since the reflecting

rotor caused the electrical signal from the keyboard to the glowlamps to go through

each rotor twice, first one way, and then the other. The same thing was true of the Uhr

box.

But the fact that ordinary patch cords produced a permutation which was reciprocal on,

as it were, a second level did prove helpful to British cryptanalysts. For one thing, it

permitted an adjunct to the Bombe called the 'diagonal board' which allowed it to be

both more versatile and more effective.

Based on these facts concerning the Uhr box, I had suspected that it may have been

wired as follows:

The knob on the Uhr box would have turned what was, essentially, a reflecting rotor

with 40 contacts.

ABCDABCDABCD... over and over again.

The contacts marked A would all have wires connecting them to the contacts marked

C, but in scrambled order. Similarly, the contacts marked B would all be connected to

the contacts marked D, again in a scrambled order.

The contacts in the box which connected to this movable reflecting rotor would also be

divided into four groups, which we can also think of as being labelled

ABCDABCDABCD... and so on.

The input contacts from the red plugs would be connected to the contacts marked A,

and since these were always to be connected to the output contacts of the white plugs,

those would be connected to the contacts marked C.

Similarly, the input contacts from the white plugs could go to the contacts marked B,

and the output contacts from the red plugs to the contacts marked D.

The order in which the plugs were connected to the contacts would match the

scrambled wiring in the 40-contact reflecting rotor, so that when it was set to position

0, the desired objective of emulating plain patch cords would be achieved.

It would be possible, although unnecessary, for all the input contacts, for example,

from the patch cord plugs to be wired in numerical order around the circle.

The following diagram may make the description of my tentative reconstruction of the

Uhr box clearer:

However, a paper in the July 1999 issue of Cryptologia has now explained the actual

workings of the Uhr box, and it differed somewhat from my tentative reconstruction.

Instead of having 40 contacts, the reflecting rotor that was the heart of the Uhr box had

80 contacts, of which only 40 were used at any one time.

The contacts on the reflecting rotor were in two consecutive rings of 40 contacts, and

either the even or odd ones were used in any position. Thus, the contacts on the Uhr

box were in two rings of 20.

The outer ring was wired to the red plugs, and the inner ring was wired to the white

plugs. In both rings, the even-numbered contacts of the Uhr box were wired to the thick

pin of the two pins on the plugs. The wires from the red plugs were wired to these

contacts in order, but those from the white plugs were wired in a scrambled fashion.

Essentially, therefore, the Uhr box worked somewhat like my hypothetical

reconstruction, except that it had two sets of scrambled wirings, each one of which

could be rotated to only half as many positions.

However, there was another peculiarity of the wiring of the Uhr box that led to a

weakness.

Although the wires from the white plugs were not wired to the Uhr box contacts in

order, they were wired to those contacts in pairs. This meant that of the two wirings in

the reflecting rotor, one, in order to allow the zero setting to emulate ordinary

plugboard wires, had to take pairs of contacts (with a contact in between belonging to

the other wiring) to pairs of contacts in the other ring, reversing the two elements in the

pair (so as to take a large pin from a red plug to a small pin on a white plug and vice

versa). This meant that every fourth setting of the Uhr box behaved like a set of

conventional plugboard wires.

A diagram of the actual Uhr box may help to make its design clearer:

in this diagram, only the wires in the rotor are shown that are in the set used in the zero

position, which reflect the flaw in the device that makes every fourth setting (every

second setting using that set of wires) reciprocal. The Uhr box is shown here set in the

zero position. Because of the extra complexity of inner and outer contacts, a more

schematic diagram, rather than one showing the rotor contacts in a circle, is given.

While the Uhr box did not do much by itself, only providing a fixed substitution that

did not change during a message, this kind of design illustrates how one could, for

example, build an interesting type of rotor machine for a 26-letter alphabet using

especially-wired 52-contact rotors. The idea of wiring a rotor with a number of contacts

that is a multiple of the size of the alphabet used, so that it acts like two different rotors

that are used alternately, also will surface in the Hagelin B-21, which we will meet

later.

Another enhancement used on some Enigmas late in the war was a reflecting rotor that

could be completely rewired by the user based on a daily key.

Next

Chapter Start

Skip to Next Section

Table of Contents

Main Page

[Next] [Up] [Previous] [Index]

The very first cipher machines sold under the Enigma trademark were rotor machines,

but they did not have the reflecting rotor that made the Enigma so unique.

Also, they both looked like very large typewriters, and printed their output rather than

merely indicating letters with glowlamps. The Enigma B used the normal 26-letter

alphabet, while the Enigma A had a 28-letter alphabet, including three accented letters

for the German language, but omitting one letter of the alphabet not often used in

German.

Instead, they had four rotors, used once in normal fashion, controlled by four cams,

with 11, 15, 17, and 19 positions. These cams all moved one position with every letter

enciphered, and a raised tooth on any one cam caused the rotor corresponding to that

cam to advance one step.

Occasionally, none of the four rotors would advance between letters, and this probably

made the machine appear weak. However, this kind of irregular rotor movement does

eliminate the isomorph method of attack, and therefore this kind of design appears to

be quite promising. Since, however, it was cams and not user-settable pinwheels that

were used, an adversary knowing the sequence of raised teeth on each cam would no

doubt have been able to develop alternative methods of attack on this system.

Had the machine had five rotors instead of four, then the thirty-two possible rotor

motions would have exceeded the number of letters in the alphabet. With four rotors,

there were at most only sixteen possible alphabets the machine could present at each

step, and this could also be exploited.

A machine with ten pinwheels, all of different sizes, with the XOR from two pinwheels

controlling each of five rotors? Such a machine might well have been very strong.

However, the search for the ultimate in irregular rotor movements was pursued in a

different direction by the Americans, resulting in an even stronger machine, the

SIGABA, which we will meet later.

Another variation of the Enigma was the one used by the Abwehr. It was an Enigma

without a plugboard, but the rotors had a large number of notches, so that the slower

rotors still moved fairly often.

contributions by former cryptanalysts at Bletchley Park, published by Oxford

University Press) entitled "The Abwehr Enigma", it was observed that multinotched

rotors created a serious difficulty for the cryptanalyst, but not quite as serious as that

created by the plugboard. It was seen as peculiar - but fortunate - that the Germans did

not get the idea of putting both improvements on the same Enigma. As at that time,

thanks to the book Machine Cryptography and Modern Cryptanalysis by Cipher A.

Deavours and Louis Kruh, it was already public knowledge that the British were doing

exactly that: the Typex, which we will meet in the next section, used extra entrance

rotors as a non-reciprocal plugboard (thus also gaining the advantages of the Uhr box)

and highly multinotched rotors, this comment was worth a raised eyebrow when I first

encountered it.

It may also be noted that the Abwehr Enigma's reflecting rotor moved as the slowest

rotor during encipherment. Also, like the commercial pre-war Enigma C and D, in

addition to not having a plugboard, the keyboard and lamps were connected to the

rotors following the layout of the typewriter keyboard rather than in alphabetical order;

thus, an Abwehr Enigma had the rotating reflecting rotor, and the multiple notches on

the rotors, as its only changes from the commercial model Enigma. With one other

minor, but interesting, addition: this version of the Enigma also had digits and

punctuation marks printed above the letters on both the keyboard and the lampboard.

Next

Chapter Start

Skip to Next Section

Table of Contents

Home Page

[Next] [Up] [Previous] [Index]

Despite the fact that the Enigma never enciphered a letter as itself, thereby making it easy to align

probable plaintext with an intercept, several other rotor machines were based on the Enigma.

W. F. Friedman devised Converter M-325. It was similar to the Enigma, except that the rotor nearest

the reflecting rotor, rather than the rotor farthest from it, was the fast rotor. This produced a machine

that did not need a plugboard to be reasonably secure.

The British cipher machine during World War II was the Typex. Its rotors were notched several times

for frequent and irregular motion. Three rotors moved, and the farthest of them from the reflecting

rotor was still the fast rotor. But there were two other rotors beyond the fast rotor, and they acted as a

plugboard replacement.

Some models of the Typex had two concentric sets of 26 contacts. According to those who have had

the opportunity to examine surviving specimens of this machine, they were not used for the obvious

purpose of providing a return path for electrical current, thus allowing the unique weaknesses of the

Enigma design to be avoided.

Despite this, I still wonder; there is a simple way, using dummy rotors connected by cables, to turn a

SIGABA into a plain Hebern machine. As the SIGABA and the Typex were made to interoperate by

means of accessories which turned them into the "Combined Cipher Machine", it makes sense to

conclude that the second set of contacts was used as a return path on the Typex, since then suitably

wired rotors with some sets of contacts wired without scrambling could allow Hebern type operation

of such a machine as well, thus facilitating this particular method of interoperation. Although the fact

that the fast rotor is on the entrance side (like an Enigma, unlike an M-325) makes it more difficult to

turn a Typex into a Hebern machine with the fast rotor in the middle, it is not impossible: an

auxilliary wiring harness, with dummy rotors, is also required as with the SIGABA, and the reflecting

rotor is one of those that has to be replaced. The following diagram shows a principle that may have

been used:

As the details of the actual CCM are available, no doubt I will soon be hearing if my reconstruction is

near the mark or not. As only three rotors aren't much, the actual CCM may have been somewhat

more complicated, for example by including entry and exit plugboards to replace the two stators in a

real Hebern five-rotor machine.

As the Typex is said to have very closely resembled the Enigma, I had assumed that it had a "650

break" as well, and this would have further complicated interoperation with the SIGABA. However,

since the Typex used heavily multinotched wheels, such a gearing arrangement would have shortened

its period considerably, so perhaps that problem did not arise. (It's even possible there was a lever

somewhere to choose with!)

On some later models of the Typex, the two entrance rotors also moved. This is merely a speculation

on my part, but one simple way in which they could have been caused to move is this: the entrance

rotor would be the slow rotor, the next one the medium, and the same notches in the wheels that

caused the regular carry would also cause movement of the wheels on the entrance side, but the

ratchet wheels would be displaced. So, if the positions B, G, J, M, O, R, T, V, and X caused the

original medium wheel to move when the fast wheel reached them, and the original slow wheel to

move when the medium wheel reached them, then perhaps the positions Z, E, H, K, M, P, R, T, and

V, each two positions earlier, would cause movement on the other side of the fast rotor. Or another

row of notches could be present on the wheels, and the number of notches in that row could very well

be even, since the ordinary rotor motion would already be providing the maximum period. No such

motion, however, unlike the original motion with those two rotors as stators, or better yet a motion

resembling that of the Converter M-325, would allow easy interoperation with a SIGABA using

dummy rotors by emulating a Hebern machine, basically the lowest common denominator of the two

machine types.

Some time after World War II, Switzerland, which had been using a version of the Enigma for its

own communications, designed its own significantly improved cipher machine based on the Enigma,

the NEMA (for Neue Maschine, not National Electrical Manufacturers Association). Recently, a

computer program simulating its operation, accompanied by a description of the machine, became

available. One of the program's authors, Frode Weierud, has a forthcoming article in Cryptologia

about the machine.

It used lamps to indicate the letters it produced as output, and physically it looked like a metal box

with a sloped front in which a typewriter keyboard was sunk. Recently, examples have become

available on the open market, at prices considerably below those of World War II Enigmas.

The device had four rotors, plus a reflecting rotor, all of which (including the reflecting rotor) moved

during encipherment. However, it had the appearance of having ten (rather thin) rotors. This was

because each rotor was manually adjusted by means of a flange on its left with 26 segments labelled

with the letters of the alphabet, and bore on its right a ring of appearance similar to that flange, but

which contained a notched gear. Each rotor's movement was controlled by the ring to its right; when a

notch on the ring came into position, its corresponding rotor did not advance for the current letter

being enciphered. In addition, the ring on the entrance rotor, towards the right of the rotor bank, was

distinctively colored (it was red) and had a second notched gear on it. This gear, when a notch on it

came into position, prevented the second and fourth rotors, and their corresponding rings, from

moving. Usually, all the rings would move with every character enciphered.

Thus, the NEMA had a period of 17,576 letters, each ring-rotor pair having a period of 676. If the red

ring had stopped only two other rings, and not their corresponding rotors as well, the period could

have been 26 times longer. In any case, it has a large number of initial settings, and a very irregular

rotor movement, bettered only by that of the SIGABA (although the Enigma A and Enigma B also

had a rotor movement that is more irregular than usual). Note that the diagram, for simplicity, shows

the mechanics of the rotor movement by lines which may suggest electrical wires; actually, the result

was achieved mechanically. Also note that the wheels with notched gears, although concentric on the

same shaft as the rotors, are shown in the diagram in a row below the rotors, using the usual diagram

symbol for pinwheels.

And, during the sixties, an Italian firm, O.M.I., offered a version of the Enigma with seven rotors. But

it embodied an ingenious idea for providing security in a machine sold openly without requiring

customers to rewire their rotors. The rotors came in two pieces, both with scrambled wiring, that the

customer could interchange and rotate to form the rotor set to use.

It would be a little harder to do this with rotors of the Hebern type, if one wished to take full

advantage of the fact that both sides of these rotors are identical, but it could still be done using

androgynous connectors positioned in alignment with the centers of the contacts, as shown below:

An interesting web site in Germany, which no longer exists, described several cipher machines from

behind the Iron Curtain. Three of them were described in enough detail (which I tried to make out as

best I could, not understanding German) that I found their mention of interest.

The T217, or ELBRUS, is an electronic cipher machine, having at least a superficial external

resemblance to the early electronic cipher machines used by the United States (as those machines are,

as far as I know, still classified, I have no knowledge of whether the resemblance is more than

superficial). A linear-feedback shift-register generator feeds a longer shift register, and bits from that

are selected under the control a key cassette to go into combinatorial logic to produce bits for stream

cipher use.

The M105 uses a principle I don't quite understand yet: 5-level code characters are converted to a 12-

bit form, then XORed with a key tape, then converted back down to 5-bit form. It isn't quite clear to

me how transformations more involved than an XOR can actually be accomplished by this principle,

particularly when decoding is also performed by precisely the same method. However, such a

machine could work by cheating; for example, the 5-bit character

abcde

could be converted to

abcde0000000

to be enciphered, and then the 12-bit result of being XORed with the key tape could be converted to 5

bits by taking the first 5 bits, performing a nonlinear operation controlled by the last 2 bits, and then

XORing with the second 5 bits. To decipher using the same key tape, the 5-bit ciphertext character

pqrst

00000pqrst00

before the XOR with the key tape. Even something like that, particularly if a plugboard can be used to

scramble the 12 bits from the key tape, might not be entirely silly. Also, if the nonlinear transform

controlled by the last 2 bits leaves something invariant, that, rather than 0, could be put in the last 2

bits. For example, if the last 2 bits are used to choose between different ways of transposing the 5 bits

of a character, for encryption the parity of the plaintext character could be placed in one, or both, of

those bits before the XOR, affecting which bit transpose is used.

For decryption, the parity of the ciphertext character after being XORed with the five bits for that

purpose on the tape, XORed with the parity of the five bits that will later be XORed to form the

plaintext character, will produce the parity of the plaintext character before the bit transpose (affected

by that parity) is known.

And, finally, the M125, or the Fialka, is described on his site, which is why I am mentioning his site

on this page: it is a variation of the Enigma.

It enciphers a 31-character alphabet. A punched card is used to perform the function of the Enigma

plugboard, but for only of 30 of the 31 symbols enciphered. The punched card has been described to

me as square, with two centering holes, and with the regular punched holes only below a diagonal on

the card. This suggests to me that each hole position controls a double-pole double-throw (DPDT)

switch, determining if two lines in a folded crossbar pattern are crossed.

There are 10 highly multinotched rotors, and they have fixed contacts on one side and spring-loaded

contacts on the other, like those of the Enigma.

Now, these 10 rotors all have 31 contacts on each side. There is also a reflecting rotor, but how can a

reflecting rotor with an odd number of contacts work?

One contact of the reflecting rotor, instead of being connected to another contact, is connected to a

circuit that causes the machine to encipher the input letter as itself. Note, however, that the machine's

cipher is fully reciprocal.

Like the Typex, we have an Enigma with both multinotched rotors and a plugboard; British

cryptanalysts working on the Abwehr Enigma on the one hand, and the Army and Navy Enigmas on

the other saw that to be an effective combination. This may not be terribly surprising, as there was

Soviet penetration of the British Ultra effort during World War II. The patch panel, like the Uhr Box,

avoids the problem of the plugboard substitution being reciprocal in itself.

Although the machine is connected to 5-level tape equipment, instead of enciphering normal 5-level

code (leaving, perhaps, the all-zeroes character unenciphered) the German-language version of this

device omits the letters W, X, and Y, and uses J to represent the space (thus printing a space when

deciphering, and a J when enciphering), leaving room for the digits from 2 through 9 in the character

set. As Russian has a 32-letter alphabet, presumably the original Russian-language version did not

include digits in its character set.

My initial attempt to reconstruct the Fialka from the information I had found resulted in a somewhat

different machine, with its own features of interest.

In the a block diagram I saw, there were three signals going from the reflecting rotor to a transistor

symbol. I thought that perhaps this meant that three contacts were wired in a loop, with diodes going

from one to the next, in rotation. As a DC current is used to go from the keyboard to the rotors and

back to the output mechanism, this can mean that A becomes B, B becomes C, and C becomes A.

(However, there is nothing to prevent the current from going through two diodes in a row. This can be

avoided by the use of resistors or multiple diodes, and a suitable choice of voltage threshold, or by a

simple transistor circuit.)

That would mean the cipher of the machine as a whole would not be quite reciprocal, but no letter

could represent itself. The easiest way to reverse the action of such a circuit during decipherment

would be simply to reverse the polarity of DC current through the machine.

The fact that the punched-card "plugboard" affected only 30 of the machine's 31 characters was

baffling to me, and implied some sort of external constraint. As I assumed a simple crossbar

arrangement for card sensing, to minimize parts count, the fact that a standard 80-column card has

over 900 holes in it meant that it could indeed control a 30 by 30 crossbar patch panel. (One needs

961 hole positions for a 31 by 31 crossbar patch panel!) The diagram shows a possible arrangement

for the crossbar circuitry that uses the first 75 columns of the card, and which, by taking into account

the zone and digit positions of the card, allows key cards to be produced with conventional punched

card equipment, using only &, -, /, and the digits and the upper-case letters.

Perhaps the construction I reached through speculation will be helpful to amateur builders intending

to build a replica of the Fialka at home, but with the use of more standard parts, even if it departs

from the historical reality.

The following diagram is provided for those who aren't familiar with the code used on the 80-column

punched card:

Gordon Welchmann, the inventor of the diagonal board, has commented that it would have been

possible, but difficult, to design an Enigma that did not have the feature of being unable to encipher a

letter as itself.

Obviously, the simplest method to avoid this problem with the Enigma would be to revert to sending

the signal through the rotors in only one direction, as with the Enigma A and Enigma B, or as with the

original Hebern machine. But if one wanted to avoid having to switch a large number of wires when

changing from encipherment to decipherment, or if one felt it useful to have the signal going through

the rotors twice instead of just once, how would an Enigma not having this problem be designed?

One can begin by merely changing the labels which are over the indicating light bulbs. If the light

bulb that is on the circuit with the Q key is now labelled B instead of Q, then it is B that the letter Q

will not be enciphered as.

But then one would have to have one wiring for encipherment, and a different wiring, either selected

by a large and complex switch, or by constructing enciphering Enigmas and deciphering Enigmas.

One way to avoid the problem would be to replace the plugboard of the Enigma with two

switchboards, one connecting the keys to the machine, and one connecting the lamps to the machine.

Then one could select any wiring configuration for encipherment, and its counterpart, with lamp and

key wirings exchanged, for decipherment.

Could a suitable choice of new labels for the light bulbs allow a simpler solution, one that involved a

lesser change to the way the Enigma worked? One possibility would be, given the keys are connected

to the rotor contacts in alphabetical order, to label the light bulb connnected to the A key with N, the

light bulb connected to the B key with O, and so on. Then, if the setting rings are labelled with two

alphabets similarly displaced, in contrasting colors, and the gear teeth by which one ring advances the

next are so arranged that if a tooth is at one position, there is also a tooth at the position diametrically

opposite (shortening the period, because all the rotors must now have an even number of teeth), one

could indeed have a machine that behaved almost exactly like the Enigma.

However, the fact that the letter A can now never be represented by N, instead of never by A, is just a

fixed substitution that would soon be discovered, and then it would cause no real difficulties for the

cryptanalyst. A normal Enigma plugboard would not change this: and the sockets on it would also

have to be labelled in two colors, as the plugboard wiring would have to be displaced 13 positions to

decipher.

Another thought would be, instead of having two switchboard-type plugboards, where a set of 26

sockets is matched by 26 plugs from within the Enigma, to have a second plugboard of the regular

Enigma type in a single Enigma. In addition to the one between the rotors and the lamps and keys

both, the additional plugboard would be between the lamps and the keys. The reciprocal nature of the

plugboard substitution would not be a problem, and would in fact allow the same wiring to serve for

encryption and decryption. This arrangement is illustrated below:

However, it wouldn't quite work as illustrated. Although the rotor substitution and the plugboard

substitution are both reciprocal, that does not mean that they commute. But a more complicated

wiring based on this principle would be possible, such as placing the rotors on the lamp side for

decipherment; this would require a bank of 26 relays to simulate the effect of the switches in the

keyboard.

One simple way to make this work, with some limitations, is this: for encipherment, use only the

plugboard between the lamps and keyboard. For decipherment, also use the regular plugboard, and

wire it in the same way as the plugboard between the lamps and keyboard. This works because

plugboard wirings are reciprocal.

The basic problem of this sort of arrangement is that the rotors are connected to the keyboard and not

the lamps in an Enigma, hence a permutation between the keyboard and lamps disrupts the

relationship between the rotor contacts and the lamps and keys that makes decipherment possible

when it is reversed for decipherment. Could an Enigma be modified so that the rotors were connected

to the lamps? Yes, if each lamp were shorted with a diode:

This diagram shows the flow of electricity in an Enigma. On the left, a simplified diagram of the

Enigma is shown. Wires at a positive potential are red, wires at a negative potential are blue, and

wires carrying current are shown thicker with yellow symbols indicating the direction of current.

On the right, the arrangement involving diodes needed to allow the rotors to be connected to the lamp

side of a modified Enigma is illustrated. Current that pressing a key allows to flow goes first through

the shorting diode belonging to the lamp with the same letter, then through the rotors, and on its

return trip lights the correct lamp, since it is going the other way, and cannot be shorted by that lamp's

diode.

Suitable switching circuitry, allowing either arrangement to be selected, and reversing other

connections, would allow a two-plugboard Enigma of the type shown above to even have an Uhr box

connected at either or both plugboards.

Next

Chapter Start

Skip to Next Section

Table of Contents

Main Page

[Next] [Up] [Previous] [Index]

The story of the cryptanalysis of the Enigma is perhaps the only story of military

cryptanalysis ever recounted where a detailed view was given of that cryptanalysis on

an ongoing basis, over multiple revisions and modifications of the cipher system under

attack.

The cryptanalytical methods used are sorted by type in the following sections, and thus

a more chronological summary may help to make the story more understandable.

Initially, the Enigma was without a plugboard. The method of "cliques on the rods"

was used against it at this stage; this was a version of the isomorph attack against a

Hebern machine, modified as required for the Enigma.

Next, a plugboard was used, but only three cords were plugged into it, affecting only

six of the twenty-six letters. A common ground setting was used to encipher the

starting setting which operators were supposed to choose at random; this setting was

enciphered twice. Here, the tables generated by the cyclometer were used: the doubly-

enciphered indicator meant that if one message had A as its first letter and Q as its

fourth, A as the first letter of the message always implied Q as the fourth. Thus, the

relation between the first and fourth letters of a day's intercepts defined an alphabet,

and the same was true of the second and fifth letters and the third and sixth. The

characteristics of these alphabets allowed those tables to pinpoint the day's ground

setting.

Then, instead of a ground setting, a setting picked also at random, and sent in the clear,

was used. This nine-letter indicator was attacked on the basis of watching for cases

where corresponding letters in the doubly-enciphered indicator, now the fourth and

seventh, fifth and eighth, and sixth and ninth letters of the message, were the same. The

original Polish Bombe, and also the perforated sheets, were used at this stage.

When the number of rotors in the rotor set was increased to five from three, the British

took over from the Poles, and relied mainly on the perforated sheets.

When the rotor starting position for an individual message was enciphered only once,

the Turing Bombe, soon augmented by the diagonal board, allowed decrypting Enigma

messages to continue.

On the Naval Enigma, eight rotors as well as a split reflecting rotor were used. This

was dealt with by aligning messages to find key overlaps; from this, and a study of the

indicators, constraints on the possible rotor orders were found, allowing the Bombe to

still be used.

Near the end of the war, the Uhr box and a rewirable reflecting rotor were used in some

places. The Uhr box merely required giving up the diagonal board. The reflecting rotor

required a major redesign of the Bombe, but decoding continued.

● Indicators and Jefferys Sheets

● The Bombe and the Diagonal Board

Next Section

Chapter Start

Table of Contents

Home Page

[Next] [Up/Previous] [Index]

Before the plugboard was added to the Enigma, the fact that the fast rotor was on the

side opposite the reflecting rotor meant that it was vulnerable to an isomorph attack.

But the isomorph attack had to be modified from that used on a Hebern machine, in the

obvious way.

Both the probable plaintext and the ciphertext had to be put through the fast rotor, and

it was the two results that had to match, that is, be monalphabetic encipherments of one

another, having repeated letters in the same places.

Since a rotor can be in 26 different positions, changing both the input and output

letters, one needs 26 different strips. Each strip shows, for one particular input letter,

the possible output letters for each position of the rotor.

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

E K M F L G D Q V Z N T O W Y H X U S P A I B R C J

E J K C H...

and the strip for the letter B would contain the sequence

K L D I...

since in the A position of the rotor, A becomes E, the A strip begins with E. When the

B contact, that takes B to K in the A position, is moved back to the A position, then it

will take A to the letter before K, or J. Similarly, when the C contact is moved two

positions back, its destination, the M contact, is moved two places back to K. Of

course, the strips might also be prepared for the rotor moving the other way, with the

letters in reverse order.

The strips will have their sequences of letters repeated twice; one chooses the strips

which correspond to plaintext and ciphertext, and puts them next to one another, but

staggered, because the fast rotor is always moving one step for every letter. Then, the

rows across, between the strips, show the possible encipherments of the plaintext or

ciphertext letters for every starting position of the fast rotor.

Strips with the rotor outputs on them were aligned to produce the results, and thus the

method was called "La Méthode des Bâtons" in French, and in Britain the strips were

called rods, with the repeated letters that matched up called cliques.

The sequence of 26 letters that a rotor would produce from a given letter in different

positions cannot be a scrambled alphabet, with no letter repeated, for reasons seen in

the previous section on the interval method. In the colorful terminology of Bletchley

Park, the duplicated letter on a rod resulting from two wires producing the same

displacement was called a "beetle", and the result of two wires having exactly opposite

displacements was called a "starfish", as recently revealed in papers by C. H. O'D.

Alexander available on Frode Weierud's web page. These papers note, among other

things, that the rods were sometimes used against Enigmas with plugboards as well, in

cases where the indicators could not be interpreted. (Two of the papers, about

something called JNA-20, appear to be about PURPLE or CORAL, even though they

still use the term "Stecker" in reference to its plugboard.)

Next

Chapter Start

Skip to Next Section

Table of Contents

Home Page

[Next] [Up] [Previous] [Index]

As is recounted in the several books and articles recounting the story of the Enigma,

the Germans used two very dangerous indicator systems with it.

First, they started the Enigma, for a given day, with a fixed secret setting, called the

ground setting or Grundstellung. At this setting, the actual starting rotor setting was

repeated twice and enciphered.

Then, still before the war started, while only the Poles were breaking the Enigma, a

change was made. Instead of a secret ground setting, a starting point was picked by the

user at random, and started the message in the clear. Then the starting rotor setting used

for the message itself was again repeated twice and enciphered.

In both cases, the relationship between the two repetitions of the rotor start position

gave too much away.

In the first case, since one had many messages for a given day, all with the same

ground setting, one could look at the alphabet formed by combining that produced by

the machine at the ground setting with that produced three letters later. This alphabet

was visible in the clear: if a message began VBT RSQ, then V became R in that

compound alphabet.

Essentially, tables could be made of the distinguishing features of the alphabets created

at each starting position. And alphabets had such features, even after the plugboard was

used. These were visible when an alphabet was reduced to 'cycle form': if V becomes

R, then what does R become, and how many steps does it take to get back to V? Any

scrambled alphabet basically divides the alphabet into pieces of various sizes, and

those sizes aren't changed by the plugboard. The cyclometer, used to create these

tables, will be described along with the Bombes in the next section.

The three alphabets derived from a day's intercepts (or three months' intercepts,

actually) had, when reduced to cycle form, some very special properties. Although they

were formed by comparing two encipherments at positions separated by 3, they could

also be thought of, since decipherment and encipherment were the same, as the results

of applying the encipherments at those two positions, one after the other.

This has the following curious result:

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

U V T X R W M I H Z Q P G S Y L K E N C A B F D O J

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

G K R P S Y A J M H B Q I U W D L C E V N T O Z F X

In the pair of reciprocal alphabets shown above, A becomes U, and then U becomes N.

So, in the compound alphabet, A becomes N. Note that U also becomes A in the first

alphabet, and N becomes U in the second, but these don't connect, so the compound

alphabet is not reciprocal.

becomes (R, then) C, C becomes (T, then) V, V becomes (B, then) K, K becomes (Q,

then) L, L becomes (P, then) D, D becomes (X, then) Z, Z becomes (J, then) H, H

becomes (I, then) M, and M becomes (G, then) A.

(a n e c v k l d z h m)

What happens if we follow the fate of the letter U, which becomes A in the first

alphabet, just as A became U?

becomes J. In starting with the middle letter of each two-step substitution, we simply

go through exactly the same cycle, but in reverse. So we have a second cycle of exactly

the same length, with the letters:

(u g i j x p q b t r s)

Because this sequence consists of the middle letters, taken in reverse order, of the

previous cycle, the individual substitutions can be found at one of the positions these

two sequences have when slid against each other after one is reversed:

A N E C V K L D Z H M

U S R T B Q P X J I G

A N E C V K L D Z H M

G U S R T B Q P X J I

Because at that stage poorly chosen rotor starting positions, both consisting of adjacent

letters on the keyboard, and also consisting of the same letter repeated three times,

were common, it was possible to eliminate ambiguity in aligning the cycles and

determine the rotor starting positions, without as yet knowing either the alphabet ring

settings, the rotor order, or even the wiring of any rotors.

Knowing the letters visible in the little windows on the enemy's Enigma was an

accomplishment, but by itself it did not let you read any messages. The Poles did know

the rotor wirings of the Enigma, though. They had not captured a machine, and doing

so in peacetime would have made it obvious that one was missing. Instead, a spy had

given the French, and the French had given them, keys for a period and some matching

plain and enciphered messages, from which they laboriously reconstructed the rotor

wirings and internal connections of the Enigma.

In addition to knowing the initial rotor settings, applying the pencil-and-paper method

noted above provides you with six successive alphabets produced by the Enigma. At

this stage, only a limited number of letters are modified by the plugboard, and the

Enigma had only three rotors to insert in any of six different orders.

If, for the encipherment of the first six letters after the ground setting, the medium rotor

did not move, these alphabets are produced from an inner alphabet, produced by the

medium, slow, and reflecting rotors, at six consecutive positions of the fast rotor.

The grille or slotted sheet method involved sheets with the successive alphabets

produced by one rotor printed on them, which were slid over a piece of paper on which

these six alphabets were written.

If it weren't for the plugboard, negating the fast rotor would produce six identical

alphabets: even with the plugboard, the right position produced six alphabets with

many letters in common, and from the similarities and differences, both the plugboard

settings and the inner permutation could be determined.

The initial rotor settings are known in terms of where the alphabet rings are; now the

ground setting is known in terms of the positions of the rotors themselves. Still more

work needs to be done to read messages: the original Polish Bombe automated that

next step.

Arbitrary Ground Settings

Since the ratchet that allowed one rotor to move the next slower rotor and the alphabet

ring which was used to refer to rotor positions were fixed together, in the second

system it was often possible to determine, since the Enigma's original five rotors all

had their one carry in different positions, which rotor was the fast rotor.

Among the many indicators for a day, there would be some with repeated letters. And

there would be some with the starting positions given in the clear possibly adjacent to

each other. Which positions are adjacent depends on when carries occur. And if the

same letter becomes first N and then V three letters later, and then fails to change from

N to V when it is apparently in the same two positions, then one is mistaken about

when the medium rotor moved.

Combinations where the same letter becomes the same letter in the same message, in

two positions three places different could not always occur, and these indicators, called

"females", eliminated possible indicator settings.

Also useful to Bletchley Park at this stage were "Herivel tips", which were the result of

Enigma operators choosing, after setting up their machine for the day, to use as their

first setting the position of the rotors as they stood, or possibly moving them only a few

places, from the position after setup which meant the rotors were near their initial

positions, and the setting sent in the clear would give away the alphabet ring settings

(either by itself, or in combination with the arbitrary ground settings of other operators

making the same mistake).

The perforated sheets were one set of 26 square sheets, with punched holes, for each

possible rotor order. They were used when the ground setting was sent in the clear,

followed by two encipherments of the current setting. Each sheet corresponded to the

position of one of the wired rotors (in Poland, apparently the slow one) and the rows

and columns on the sheets corresponded to the positions of the other two rotors. The

rows and columns, except the first one, were repeated twice. A hole was punched in a

sheet whenever a letter would be enciphered to itself by an Enigma with that position

of the three rotors plus an Enigma with the fast rotor three places further ahead.

Since a rotor order is assumed by one's choice of perforated sheet set to use, one can

exclude all indicators in which the medium rotor moved. This is because the ratchet

wheel and the alphabet ring are attached to each other. In practice, unless there is other

information available, one needs to try all 60 rotor orders. And, yes, one also needs to

try 26 stacks of sheets for each rotor order. However, 1560 trials is not an

unmanageable brute-force search, even by manual methods.

One finds numerous indicators with repeated letters in the same position, and places,

one on top of each other, alphabet sheets so staggered as to match the relative

displacements of the ground settings for the different messages. Then, a hole through

the stack of alphabet sheets indicates which position of the wired rotors corresponds to

each of the ground settings.

During the war, the double encipherment of the indicator was eventually abolished.

This increased the reliance of cryptanalysts on a large piece of electrical machinery, the

Bombe. But for a period of time before it became available messages were still

deciphered, as the result of the continuation of the practice of choosing adjacent

keyboard letters, then called "cillies" by the British, (well, they were silly) even if

settings consisting of three identical letters were by then suppressed.

With the Naval Enigma, instead of switching to a single encipherment of the initial

rotor position, the use of a common ground setting was revived; however, the

indicators recieved an additional layer of encryption; the two repeated encipherments

of the initial rotor setting were enciphered by means of a table of digraphs.

If the enciphered starting setting was ABC DEF, then the digraphs that would be

enciphered in the table would be AY BD CE XF where X and Y represent two

additional letters chosen by the encipherer at random; that is, the starting setting was

staggered like this:

A B C X

Y D E F

This would have made the indicators useless for cryptanalysts, except that the digraph

table was not itself part of the daily key. Instead, for one period, a set of nine digraph

tables were used, and only which one was to be used was part of the key that changed

each day. As copies of the digraph tables (which were, for convenience, reciprocal)

were captured, the result was merely that all nine possibilities had to be checked. With

a common ground setting, as noted above if letter 1 was A and letter 4 was D once,

then letter 4 had to be D whenever letter 1 was A, and so one would normally be able,

with 27 messages, to swiftly determine the right table to use.

Had this method been used with the later indicator method used by the other services,

an arbitrary ground setting and a single encipherment, considerably more work would

have been multiplied by a factor of nine, even using the digraph tables that had been

captured. Had the digraph tables been changed more often, that too would have

diminished the usefulness of the indicators, but by then the advanced Bombes in use

eliminated the need to break the indicator system; it would have meant more work, but

their Engima messages would not have become inviolate.

Next

Chapter Start

Skip to Next Section

Table of Contents

Home Page

[Next] [Up] [Previous] [Index]

The Bombe

The Bombe, in its various forms, was a device containing multiple sets of Enigma

rotors that rotated quickly to try all possible positions of the rotors.

Because the Enigma had a plugboard, and because no simple relay circuit would

recognize valid German-language text, even having a device of that nature did not

make it trivial to crack the Enigma machine's cipher. Thus, the Bombe came in

different forms during the life of the cryptanalytic effort against the Enigma.

The Cyclometer

The cyclometer was the first modified Enigma mechanism used in cracking Enigma

ciphers, but it was used to prepare tables in advance, rather than working on

information from a specific day's intercepts.

It consisted of two sets of Enigma rotors connected so as to face one another, and

positioned so that the fast rotor was three positions different in the two sets, the other

rotors being in the same position. A keyboard and lights was also connected to the 26

wires between the rotor sets. A key did not disconnect the light corresponding to it.

The rotors were manually stepped. For each position, one depressed a key, and noted

how many lights lit up, and then depressed a key corresponding to a light that hadn't

yet lit up for that position, until all the letters were divided into groups of different size.

The table thus generated was useful when the indicators of the Enigma were

enciphered twice according to a common ground setting for the entire day.

From the messages intercepted, one could form alphabets based on the indicators.

Since the ground setting was always the same, if the first letter of the starting setting

chosen by the operator was A, the same two alphabets would be applied to it at the

ground setting position and the position three letters later, and so if the indicator was

X-- Q-- for one message, it would be in the form X-- Q-- for every message where A

was the first letter of the starting setting.

The pattern of that alphabet which would survive changes in the plugboard settings was

its cycle decomposition. That is, an alphabet might be made up of three letters that

stayed the same, two pairs of letters swapped with each other, one group of three letters

in which each letter was replaced by the next one, and so on.

The characteristics of the three alphabets produced from a days indicators would match

three consecutive alphabets in the table produced by the cyclometer, unless the ground

setting was chosen so that the medium rotor moved during the first six letters.

The original form of the Bombe was designed back when the Enigma only had a set of

three rotors to interchange, and when only three wires were connected to the

plugboard, affecting only six out of 26 letters.

It was used against the doubly-enciphered indicator system of the Enigma during the

period when ground settings were chosen at random by the operator, and sent in the

clear with each message.

If one has two "females", indicators where one letter is repeated in the two

encipherments of the actual rotor starting position, and furthermore, they result in the

same letter and are in different positions, which was a common enough occurence

given the volumes of traffic in use, one could proceed as follows:

Connect a voltage to that contact on four rotor sets. Take these in two pairs, each pair

with positions offset by three, and if both pairs, at the same time, produce the same

output letter (that is, both sets in each pair produce the same letter, but the two pairs

may produce a different one) then one has found the right starting position.

This won't work, however, if the letter found in the ciphertext was changed by the

plugboard. The actual machine had six rotor sets, and could take advantage of finding

the same letter in all three possible positions.

The Turing Bombe exploited the fact that messages sent by the Enigma often included

long stretches of probable plain text, particularly the titles, spelled out in full, of

military officers. Since the Enigma never enciphered a letter to itself, it was possible to

find possible exact alignments for such likely phrases, or "cribs".

Let us suppose that, comparing some probable plaintext to matching ciphertext, we find

the following:

The 4th letter of the crib was a plaintext E that was enciphered to N.

The 8th letter of the crib was a plaintext E that was enciphered to X.

The 19th letter of the crib was a plaintext N that was enciphered to X.

These encipherments form a loop. For some position of the rotors, N becomes E at that

position, and then for the position four steps later, E becomes X, and a further 11

positions later, X goes back to E.

Since the Enigma has a plugboard, instead of N, E, and X, one can only say with

certainty that "some letter" becomes "some other letter", which then becomes "yet

another letter", which then goes back to "the first letter".

So, a Turing Bombe worked this way: the three rotors plus the reflecting rotor of an

Enigma were replaced by seven rotors, with a conventional rotor imitating the

reflecting rotor in the middle. For the loop in the example, one would have three such

sets (machines would be working in parallel for every possible rotor order, so as to

avoid taking time to re-order rotors: in fact, one complete set of all 60 orders

constituted a single Bombe at this point) positioned so that when one set was at the

position it was in for the 4th letter of the crib, the next was in the position 4 steps later,

and the next was in the position 15 steps later.

Each set of rotors was connected to the next set by 26 wires in parallel. A voltage was

applied to one of the wires at one point. That wire was chosen to be the wire for the

actual letter found in the crib, so that if that letter was not changed by the plugboard,

the actual closed loop in the crib would be the only part of the circuit reached by the

voltage, and so each of the 26-wire links would have only one live wire.

Otherwise, when the correct position was reached, even if all 25 other wires in each

link were reached by voltage, the actual closed loop would, being closed, be isolated,

and not get voltage.

So a relay circuit checked the 26 wires at one point in the loop, and halted the Bombe

whenever not all 26 wires had voltage (presumably ignoring the times when the rotors

were between positions).

If the notches that caused one wheel to move the next slower wheel had been fixed to

the rotor body, the Turing Bombe would have been simpler to understand, and would

always have worked, since then for any position of the wired rotors, the position of the

rotors a certain number of steps later would be known.

Since the notches were in fact fixed to the alphabet wheel, what was done instead was

to perform the carry from the fast wheel to the medium wheel, and one from the

medium wheel to the slow wheel, at only one position in the apparatus, with

corresponding wheels in all rotor sets linked together. If only the fast wheel was

displaced between rotor sets, the machine worked if the medium wheel did not move

anywhere inside the crib.

One could also displace the medium wheel by one place in some rotor sets to try

different assumptions about where the medium wheel moved.

It might be noted that, since we don't care which letter our test letter was taken to by

the plugboard, a relative displacement of the whole rotor set would make no difference.

Since the reflecting rotor could not even be moved to alternate positions by hand,

however, different rotor positions were absolute, not relative. But if the reflecting rotor

had been settable, the Bombe would not have had to run 26 times longer.

In the example, only a single closed loop was taken from a crib. In fact, a single closed

loop would have stopped the Turing Bombe with too many false alarms, and thus this

Bombe had more than three rotor sets, and was used with cribs that gave more than one

loop, with the loops connected to each other.

The Turing Bombe, as noted, simply looked for cases where some letter became some

other letter, and so on. But the cribs also included information about which letter

became which other letter. Despite the plugboard, there was a way to make use of this

information, and that way was the diagonal board.

Let us begin with the simple 3-letter loop used as an example above: N becomes E

becomes X becomes N.

Let us suppose that E was not modified by the plugboard, for ease of understanding,

and so we apply our voltage to the wire corresponding to E at the point corresponding

to where we encountered E in the plaintext and ciphertext.

On the other hand, X might have been affected by the plugboard. If so, E will become

some other letter, which will become either N or some other letter, which becomes E

again.

This means that X and N were switched by the plugboard, and so this N had better

become an X at the point N is expected. Otherwise, an impossible plugboard

arrangement is required, and so the apparent successful hit is a false alarm.

The diagonal board was used to cover all the possibilities of an inconsistency like this.

It was a square matrix of sockets, wired so that column P in the Q row was wired to

row P in the Q column, for every two different letters in addition to P and Q.

The 26 wires for any position in a crib were also connected to the row of the diagonal

board corresponding to the plaintext and/or ciphertext letter that was seen at that

position of the crib. Current going through the wire for that actual letter was not

connected anywhere, but current for a different letter was connected to the row for that

different letter being seen, at the position where the original letter would be actually

encountered.

This provided additional connections. Yet, if the voltage entered the setup at the correct

position, the closed circuit was not extended to other wires; so, if the voltage entered at

another position, the closed circuit still recieved no voltage.

Thus, the Bombe still worked as before, except that it automatically ignored many of

the false alarms for which it had previously stopped.

An additional device attached to the Turing Bombe to eliminate additional false alarms

performed the following function:

When not all the wires were live, if all the wires but one were live, the voltage was

redirected to that one wire.

Then, all the different letters of the crib were scanned, to ensure that no two letters in

the crib (including both its plaintext and ciphertext forms) which were different would

have had to have been brought to the same letter, instead of to different letters, by the

plugboard for the current bombe position to be valid.

Autoscritcher

Annals of the History of Computing, the equipment used for dealing with the rewirable

reflecting rotor has been unveiled as well, at least in part.

For this device, a crib is required where, at several positions, the same plaintext letter

has become the same ciphertext letter.

A Bombe with sets of the three regular rotors only is used to find positions consistent

with this. As the letters can be displaced by the plugboard, all possible pairs of

plaintext and ciphertext letters are tried by external circuitry for each position of the

fast rotor. However, a very good crib is needed for there to be enough detectable

inconsistencies for such an approach to be useful; the article itself notes that the

description must still be incomplete.

Incidentally, I recently found that this page has a very good description of how the

Bombe worked as well.

Next

Chapter Start

Table of Contents

Home Page

[Next] [Up] [Previous] [Index]

M-134-C, and CSP-889

During World War II, the United States used a rotor machine which was so well

designed that it appears to be immune to any kind of cryptanalysis other than a brute

force attack, offering security somewhat comparable to that which DES very much

later made available in the civilian sector. (Since writing these words, I have noted that,

if one had over a dozen messages enciphered at the same initial rotor setting, which

would be unlikely in practice, it is possible to compare different alphabets produced by

the machine and obtain at least some information about the rotor wirings. From there,

the technique used by Frank Rowlett against the M-228 might allow further progress.)

This machine was originally called the ECM Mark II within the predecessor of the

NSA that developed it. The ECM Mark I was a machine developed by Edward Hebern,

and the ECM Mark III was a machine that, like the Mark II, had irregular rotor

movement, but which achieved it by a simpler system. Edward Hebern was involved

with the development of both the ECM Mark I and the ECM Mark III, while the ECM

Mark II, our present subject, was developed entirely within the U.S. Government. Its

basic principles were originiated within the Army Security Agency, but its the ECM

Mark II itself, in its specific form, was developed within the U.S. Navy.

The basic principle of the SIGABA that made it so strong is the use of additional

rotors, rather than gears, to control the movement of the rotors used to encrypt a

message.

As this excellent design has, very recently, been declassified in its entirety, it has

become possible for you and I to examine and admire it.

The SIGABA contains fifteen rotors, ten of which are conventional 26-contact rotors,

and five of which are smaller rotors with only 10 contacts on each side. These rotors

are divided into three groups.

Five 26-contact rotors, called cipher rotors, encipher or decipher the message being

transmitted in the same way as the rotors in a regular Hebern rotor machine. Any of

them can move after a letter is enciphered; their motion is controlled by electrical

signals.

Another five 26-contact rotors are called control rotors. On the input side, the four

contacts (corresponding to the letters F, G, H, and I) get electricity. On the output side,

the contacts are wired together in nine bunches of various sizes, as follows:

1 B 4 FGH 7 PQRST

2 C 5 IJK 8 UVWXYZ

3 DE 6 LMNO 9 A

electromechanical means are also used to move them, for reasons of parts commonality

or due to patent considerations): the middle one moves one space for every letter

enciphered; the one after it (closer to the output side) moves once for every 26 letters,

and the one before the middle rotor moves once for every 676 letters. When a rotor

changes from the letter O to the letter N is when a carry takes place to the next slower

rotor.

The five 10-contact rotors are called the index rotors. They are only set by hand before

starting to use the machine. Nine of their ten inputs are connected to the nine bunches

of contacts which take the output of the control rotors, and the numbers of the bunches

in the table above show which contact recieves the signal from that bunch. Their ten

outputs are connected together in five pairs, each of which supplies the signal which

controls the advance of the cipher rotors.

Because exactly four inputs to the control rotors recieved a live signal, at most four of

the cipher rotors could step after any letter was enciphered. Since no signal was ever

thrown away, although the number of live signals could be reduced if two were both

wired together, at least one of the cipher rotors had to step each time.

When using the machine, the ten 26-contact rotors were first set to their starting

positions, which were the ones marked by the letter O instead of the ones marked with

the letter A that one might expect, usually with the aid of an automatic feature in the

machine. It could also be done by hand, but if the user was not careful, one of the

control rotors, particularly one of the two on the outside, could be left in a halfway

position, preventing the cipher rotors from ever moving.

The index rotors, however, were set by hand. Setting them was in a sense easier, or at

least less problematical, and for each day there were three different settings for them,

for three different levels of security classification of the message being sent. The order

of the index rotors apparently was at one time changed each day, but during World War

II the procedure was changed to always leave these rotors in order.

The wiring of the index rotors (or at least a wiring used at one time with the index

rotors) is known, and is as follows:

Input

0 1 2 3 4 5 6 7 8 9

Rotor -------------------

1 7 5 9 1 4 8 2 6 3 0

2 3 8 1 0 5 9 2 7 6 4

3 4 0 8 6 1 5 3 2 9 7

4 3 9 8 0 5 2 6 1 7 4

5 6 4 9 7 1 3 5 2 8 0

These rotors are all wired by the interval method. In addition, it is always the interval -

3 that is duplicated (and therefore the interval +2 that is omitted). And furthermore, the

two wires with interval -3 both always start from two contacts which have exactly one

contact between them.

This means that they all belong to one class of the classes into which a program I wrote

to count the number of interval method wirings for rotors of even size divided the

possible wirings into. As it turns out, rotor wirings recorded for the 26-contact rotors of

machines Edward Hebern made for the U.S. Navy to test had the same structure, which

has led me to suspect that this may also have been true of the 26-contact rotors of the

SIGABA, no actual specimens of which (the wirings, not the rotors) have been

preserved. However, the actual wirings of two rotors for SIGCUM, a telecipher

machine, which were recovered by Frank Rowlett during tests of its security have

survived, and have recently been disclosed, and these rotors were not wired according

to the interval method. Since SIGCUM was manufactured by the same contractor as

SIGABA, and it was also contemporary with the later period of the use of SIGABA,

this seems to be more conclusive.

The keyboard on the SIGABA had a row of digits like the keyboard on a regular

typewriter. While the SIGABA didn't encipher messages containing digits, the keys for

the digits 1 through 5 were used, when the machine was switched to a setup mode, to

advance the control rotors. When sending a message, the operator first picked five

letters at random, which were sent with the message as an indicator. Then, starting

from the OOOOO position, using the 1 to 5 keys, the control rotors were moved to

spell out the five letter indicator, starting with the first control rotor (which the 1 key

moved). Although the mechanical gears that usually moved the control rotors were not

active during this setup mode, each time a number key was pressed, the cipher rotors

moved based on the electrical signal travelling through the control and index rotors in

the same way as during normal encipherment. Thus, the indicator specified a position

for the cipher rotors as well as for the control rotors, but the starting position of the

cipher rotors was, in effect, well encrypted.

When messages were enciphered, the space bar could be used on the keyboard, and

caused the letter Z to be enciphered; on the other hand, the Z key as well as the X key

both caused the letter X to be enciphered. Also, the machine inserted a space after

every five letters enciphered for ease of reading for transmission. For decryption, Z

printed as space, thus restoring the spaces in the original message.

In the postwar period, the CSP-889, as the SIGABA was known in the Navy, was

replaced by a modified version, the CSP-2900. This had some interesting differences.

Six, rather than four, inputs to the control rotors were live. These corresponded to the

letters D, E, F, G, H, and I. Since this meant that all five cipher rotors could move at

the same time, cipher rotors 2 and 4 were changed to move backwards when they

moved, so that if all the rotors moved, they still wouldn't all move in step.

The outputs of the control rotors were now gathered in ten bunches instead of nine, and

the largest connected together only four contacts, not six. Also, three control rotor

outputs were left unused, instead of none, as before. Since the number of discarded

outputs was less than six, it was still true that at least one rotor would always move.

0 UV 4 FGH 8 WXYZ

1 B 5 IJK 9 A

2 C 6 LMNO

3 DE 7 ST not connected: PQR

This diagram is modified to illustrate the newer form of the ECM Mark II:

Machines of the ECM Mark II type used for a communications link between the

President of the U.S. and the Prime Minister of the U.K., which was called "POTUS-

PRIME", were operated in a fashion that produced additional security. The five cipher

rotors were set by hand, and apparently so were the control rotors, and the settings for

the cipher and control rotors were taken from a list of thirty five-letter groups for use as

either of cipher rotor settings and control rotor settings, with a three-letter codeword

which was pronounceable and had error-correction properties, for each one. (The two

three-letter codewords were combined into a single six-letter group for transmission.)

Thus, the idea of increasing the SIGABA key length by using a ten-letter indicator was

indeed considered, and it was used, along with the other possible way of achieving

ultimate rotor security, a codebook for message indicators, where circumstances

warranted the extra effort.

This link was used during World War II, and the British were not allowed access to the

American cipher machines at their end at that time.

The SIGABA, or the Electric Code Machine Mark II, was developed before World

War II by people from both the U.S. Army and the U.S. Navy. The story of its

development is a somewhat complicated one. The basic idea of electrically-controlled

rotors was originated by W. F. Friedman, who implemented it in the original M-134

machine, which had five rotors that enciphered text, the motion of which was

controlled by a paper tape. A plugboard was included to vary which channel of the

paper tape controlled which rotor. Frank Rowlett then came up with what could be

considered the core concept of the SIGABA: the idea of using rotors to control the

rotors that enciphered text.

At the time, the U.S. Army had limited funding for the development of new cipher

machines, and thus Friedman and Rowlett embodied this new principle in an add-on

device, called the M-229 or SIGGOO, that connected to the M-134. The M-229 had

three rotors. A six-position switch controlled how these rotors moved (shown as a

plugboard with three plugs and sockets in the diagram). Five inputs to these three

rotors, having the role of the control rotors in the SIGABA, were live. The outputs

were connected together in two groups of five and three groups of four. Here is a

diagram of the combined M-134 and M-229:

Meanwhile, this new idea was conveyed to the cryptological department of the U.S.

Navy as well. Laurence F. Safford and Donald J. Seiler developed the Electric Code

Machine Mark II (Mark I was the Hebern rotor machine) which was essentially the

SIGABA in its final form there. For a period during this development, Army-Navy

collaboration was disrupted by other factors, but when channels were reopened, the

Army group recognized that the ECM Mark II was a superior embodiment of their

ideas, and were happy to accept it as a cipher machine for use by both services.

The source for most of the information on this page is the U.S.S. Pampanito web site,

which has an entry in my Links section.

Next

Chapter Start

Skip to Next Section

Table of Contents

Main Page

[Next] [Up] [Previous] [Index]

This section looks at a number of cipher machines which are more secure than the

relatively simple devices examined in the first section of this chapter, but which still

can be dealt with in less space.

● Sweden's HC-9

● LACIDA

Next

Skip to Next Section

Skip to Next Chapter

Chapter Start

Table of Contents

Home Page

[Next] [Up/Previous] [Index]

The Hagelin B-21 makes an interesting use of half rotors for encipherment. It uses a 25-

letter alphabet, and the row and column co-ordinates of each letter are enciphered

separately.

For enciphering, co-ordinate signals entered on the spindle side of a half-rotor with ten

positions. Essentially, it worked like two separate half-rotors with five inputs and

outputs: the odd contacts were wired one way to the five contact strips on the output

side, and the even contacts were wired another way.

shows how such a half rotor works: the five contact strips on the spindle side are shown

in yellow. Five wires in blue proceed to the rotor side; then these five wires are

connected in a random order to one group of five rotor contacts by green wires, and to

another group by purple wires.

The B-21 had pinwheels of sizes 17, 19, 21, and 23. These advanced one step for each

letter enciphered. An OR (not an XOR), between two pinwheels caused each half rotor

to move one step if the result was a 1.

The B-211, in addition to printing its output on a strip of paper, had two plugboards

with five plugs and five sockets to scramble the five outputs taken from the half rotors.

The arrangement of the B-211 is illustrated below:

The French military used a variation of the B-21 which had a second pair of half rotors.

The extra pair of half-rotors had fifteen rather than ten positions.

Next

Chapter Start

Table of Contents

Main Page

[Next] [Up] [Previous] [Index]

The HC-9

The HC-9 is a handheld mechanical cipher machine used by the Swedish armed forces

during the postwar era.

and the original version of the Hagelin lug and pin machine are the only secure modern

cipher machines that are both very compact and of all-mechanical construction.

It behaves as if it contained five pinwheels, of sizes 29, 31, 33, 34, and 35. Each

"pinwheel" advances one space for every letter enciphered, and their outputs are used

to select one of sixteen cipher alphabets as follows: four bits are formed from the five

bits presented by the five sequences by taking the XOR of each pair of adjacent bits.

This result is treated as a four-bit number. Thus, the XOR of the bits from the 29-bit

and 31-bit sequences controls displacing the list of alphabets by eight places.

But instead of pinwheels, the sequences are supplied by a punched card, which sits in

the device and whose large round holes are sensed by little metal fingers inside the

device.

Another replaceable card inside the device gives the sixteen alphabets in use. These

alphabets were all chosen to be reciprocal in practice for ease of use.

Next

Skip to Next Chapter

Chapter Start

Table of Contents

Home Page

[Next] [Up] [Previous] [Index]

LACIDA

LACIDA, a rotor machine developed in Poland, uses conventional rotors, like a Hebern

machine. However, it is unusual in that its moving rotors come in three different sizes;

with 24, 31, and 35 contacts.

These rotors each move one step with every character enciphered, thus providing a

period of 24*31*35, or characters.

The input alphabet consists of the alphabet with the letters Q and V omitted; the output

alphabet uses all the letters, and all the digits except zero.

The conversion between 24 contacts and 31 contacts, and the conversion between 31

contacts and 35 contacts, are claimed, in the accounts I have read, to be accomplished

by stators: rotors that don't move during encipherment, but which can be set initially to

any position. (The rotors and stators are marked with the alphabet from A to Z, and at

most 26 initial positions are used with any rotor.) In addition, an extra 35 contact rotor

is used as a stator on exit. Originally, I thought that rather odd, as it seemed to require

rotors made of rubber, but because mechanically, the rotors are similar to those of the

Enigma, in that they contain one set of spring-loaded contacts, and a flange that serves

as a gear, upon further reflection I realized that the conversion stators were possible,

and would probably be achieved by placing the teeth on their gear flange at somewhat

irregular positions.

Next

Skip to Next Chapter

Chapter Start

Table of Contents

Home Page

[Next] [Up] [Previous] [Index]

Here, we have met a series of cipher systems that are fascinating in their intricacy. Most of them, however, share

many common features.

The Hill Cipher and the Bazeries Cylinder are the unusual members of this group in that they deal with several

characters at once.

Putting them aside, the other designs reflect the relative difficulty of incorporating any kind of memory in a simple

electrical or mechanical device.

Rotor machine usage illustrates an elaboration of the concept of a key to a cipher system. In addition to a general

method of enciphering, cipher systems require a key that is easily changed. This allows many messages to be sent in

a given system, while the number of messages enciphered in exactly the same way is kept limited by varying the key.

In the case of rotor machines, the key is split up into three parts, which are treated differently.

There are the rotor wirings. These are difficult to change, but they are worth keeping secret, and do need to be varied

periodically.

The order of rotors in the machine, and other settings depending on the type of the machine (index rotor settings in

the SIGABA, plugboard and alphabet ring settings in the Enigma) are changed perhaps each day, on the basis of a list

of daily keys which is distributed once a month.

The initial setting of rotors for a given message is also a part of the key. This part, however, is sent with the message,

perhaps in some way encrypted, as it is chosen randomly for each message by the operator of the rotor machine. (It is

often termed a message indicator, which is prefixed to a message along with a system indicator which identifies the

particular type of cipher used or the particular family of keys used.)

This same kind of multi-level key structure can be found in modern block ciphers, despite the fact that they operate

on very different principles. The contents of S-boxes can be thought of as at least potentially subject to change, and

therefore as corresponding to rotor wirings. The key proper is secret, and must be somehow distributed like a rotor

order. For many block cipher modes, an initialization vector is required, which functions like a message indicator.

Thus, rotor ciphers illustrate how care must be taken, for a system that will be used widely, to limit the number of

messages that will be sent with the same key, and to vary as much of the key as often as is feasible. So, the parts of

the key that are harder to vary are varied less often.

The different strengths of the different types of rotor cipher also teach us something about good cipher design.

The fact that the SIGABA stands head and shoulders above the other devices here illustrates the importance of

allowing elements in a cipher design to have the power to scramble the plaintext, and yet having these elements do so

in an indirect way, so that even with matching plaintext and ciphertext, their values are hard to determine.

The Enigma and the Bazeries cylinder shared a very serious weakness; since no letter can represent itself, it is easy to

align probable plaintext with enciphered messages. One apparently simple way to eliminate this weakness would be

to use columnar transposition on the ciphertext produced by such a device.

While that would create a very strong cipher, since the ciphertext produced by a Bazeries cylinder, let alone an

Enigma, is so scrambled that it would seem there would be little in the way of clues for breaking the transposition

cipher, such methods do not tend to be often used. That is because a pencil and paper transposition cipher is tedious

to perform, thus negating the advantage of using a machine for cryptography in making encryption quick and

efficient. Also, encrypted messages are often sent over the radio in Morse code. The problems caused by garbled

letters are magnified by a cipher of this type. However, as long as cipher letters are transmitted in five-letter groups,

and the total number of letters in a message is sent with every message, a garbled letter in the ciphertext would still

imply only one garbled letter in the plaintext, so such a method is not completely impractical.

For two of the systems covered in this chapter, an interesting question arises for the first time. For the Bazeries

cylinder, instead of a random arrangement of letters on the disks, a Latin square is used to improve resistance to the

de Viaris attack. For rotor machines, rotors wired according to the interval method may be used, to maximize the

variety in the alphabets produced by each rotor as it rotates.

The question arises: is good better than random? One way to look at it is to view any constraints on permutations as

part of the system of a cipher, part of what is needed for it to work properly; and to compare the cipher in that form to

one without the constraint, to evaluate whether a larger choice of keys, or the possibility of a design weakness

without the constraint, is a more serious problem.

While these examples seem to be ones in which the use of an optimum sequence is justified, there can be cases where

the reverse is true.

Sometimes, fairly poor sequences are used for paper-and-pencil digraph encipherment tables. Instead of an

arrangement of all 676 digraphs, one winds up performing an encipherment which is equivalent to reversing every

pair of letters, and then alternating between two cipher alphabets.

Obviously, a random table of digraphs is much better than this. One might not be sacrificing much if one used a table

that was reciprocal, since otherwise one would need two tables, one for enciphering and one for deciphering.

The advantage of a random table is that changing one cipher letter almost always changes both cipher letters.

It is possible to use a special form of table where changing one cipher letter is guaranteed to change both cipher

letters:

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

A aa xe bq wx hn qs my cm jn td zc yr di sl vw nz gu ck ep lo fj kf pb ut rg iv

B qc bb xf cr ax io rt ny dn ko ue zd ys ej tm wa oz hv dl fq mp gk lg vu sh jw

C mh rd cc xg ds bx jp su oy eo lp vf ze yt fk un ab pz iw em gr nq hl wv ti ka

D im ni se dd xh et cx kq tv py fp mq wg zf yu gl vo bc qz ja fn hs or aw uj lb

E ps jn oj tf ee xi fu dx lr uw qy gq nr ah zg yv hm wp cd rz kb go it ba vk mc

F ju qt ko pk ug ff xj gv ex ms va ry hr os bi zh yw in aq de sz lc hp cb wl nd

G iq kv ru lp ql vh gg xk hw fx nt wb sy is pt cj zi ya jo br ef tz md dc am oe

H ne jr lw sv mq rm wi hh xl ia gx ou ac ty jt qu dk zj yb kp cs fg uz ed bn pf

I vz of ks ma tw nr sn aj ii xm jb hx pv bd uy ku rv el zk yc lq dt gh fe co qg

J hi wz pg lt nb ua os to bk jj xn kc ix qw ce vy lv sw fm zl yd mr eu gf dp rh

K fv ij az qh mu oc vb pt up cl kk xo ld jx ra df wy mw ta gn zm ye ns hg eq si

L ot gw jk bz ri nv pd wc qu vq dm ll xp me kx sb eg ay na ub ho zn yf ih fr tj

M yg pu ha kl cz sj ow qe ad rv wr en mm xq nf lx tc fh by ob vc ip zo ji gs uk

N zp yh qv ib lm dz tk pa rf be sw as fo nn xr og mx ud gi cy pc wd jq kj ht vl

O kr zq yi rw jc mn ez ul qb sg cf ta bt gp oo xs ph nx ve hj dy qd ae lk iu wm

P bf ls zr yj sa kd no fz vm rc th dg ub cu hq pp xt qi ox wf ik ey re ml jv an

Q sf cg mt zs yk tb le op gz wn sd ui eh vc dv ir qq xu rj px ag jl fy nm kw bo

R gy tg dh nu zt yl uc mf pq hz ao te vj fi wd ew js rr xv sk qx bh km on la cp

S ln hy uh ei ov zu ym vd ng qr iz bp uf wk gj ae fa kt ss xw tl rx ci po mb dq

T dj mo iy vi fj pw zv yn we oh rs jz cq vg al hk bf gb lu tt xa um sx qp nc er

U tx ek np jy wj gk qa zw yo af pi st kz dr wh bm il cg hc mv uu xb vn rq od fs

V wo ux fl oq ky ak hl rb za yp bg qj tu lz es ai cn jm dh id nw vv xc sr pe gt

W xd ap vx gm pr ly bl im sc zb yq ch rk uv mz ft bj do kn ei je oa ww ts qf hu

X eb fc gd he if jg kh li mj nk ol pm qn ro sp tq ur vs wt au bv cw da xx yy zz

Y rl sm tn uo vp wq ar bs ct du ev fw ga hb ic jd ke lf mg nh oi pj qk yz zx xy

Z ck dl em fn go hp iq jr ks lt mu nv ow pa qb rc sd te uf vg wh ai bj zy xz yx

The digraphs in this table form a Graeco-Latin square of order 26. Something that Euler conjectured was impossible.

A Graeco-Latin square of order 6 is impossible. For larger numbers of the form 4n+2 for some integer n, a special

construction is required to create Graeco-Latin squares, which was only discovered in 1960. The square shown above

is, of course, constructed according to the method given in the original paper by Bose, Shirikande, and Parker.

While the Graeco-Latin square above could be dressed up to make it look more random, by applying a simple letter

substitution to its contents (three letters are special, but they don't have to be x, y, and z) and rearranging rows and

columns, it would seem that choosing such a square, instead of a random one, for a digraphic substitution would not

be a sensible idea.

However, as a mixing step, perhaps even an unkeyed mixing step, inside a block cipher with a long key in other

areas, Graeco-Latin squares may still be useful. This, in fact, is the subject of a patent for a technique called Balanced

Block Mixing, held by Terry Ritter. Also note that odd order, or order 4n, both allow a much larger number of

Graeco-Latin squares than order 4n+2.

Next, we can look at some elaborate rotor machine designs that combine the principles and original ideas of the rotor

machine designs we have examined in this chapter.

● Child's Play

● Irregular Rotor Movement

Next

Chapter Start

Table of Contents

Main Page

[Next] [Up/Previous] [Index]

Of course, many different encryption principles have been seen in the devices covered in this chapter. One could

imagine combining many of these techniques in a single elaborate device, such as the following:

The heart of this device is two pairs of two half rotors, each pair with one with five inputs and ten outputs and

one with five inputs and fifteen outputs, as in the improved French version of the B-211.

The coordinates for each letter of the alphabet are varied by preceding and following that part of the device by

three conventional rotors. Almost conventional, that is, since these rotors all have two duplicate concentric sets

of wiring, so that each letter is connected to its home in both row and column. Note that since these rotors have

26 positions, one letter bypasses the B-21 -like part of the device.

And to top it all off, these six rotors are advanced by means of a SIGABA-like setup. Obviously too bulky and

expensive to build out of real electromagnetic components, and yet fascinating.

Here is an example of an interesting rotor machine design using some of the ideas suggested by the design of the

Uhr Box:

The arrangement for rotor motion is of interest. With each letter enciphered, a pinwheel is used to select whether

rotor 2 or rotor 4 moves. Rotor 3 moves whenever a notch on either of those rotors is advanced, and then it

advances rotor 5, which advances rotor 1, normally. Given multinotched rotors, this produces a fairly irregular

movement with only one pinwheel.

However, the main unusual feature of the design is the way the rotors are wired.

As may not be readily apparent from the diagram, unless you are familiar with the conventions I've used in

previous diagrams in this chapter, the rotors have two concentric rings of 26 contacts on each side.

● The 26 contacts in the outer ring on one side are connected in a jumbled fashion to the 26 contacts in the

outer ring on the other side.

● The 26 contacts in the inner rings are divided into 13 odd contacts and 13 even contacts. The 13 odd

contacts in the inner ring on one side are connected in a jumbled fashion to the 13 odd contacts in the

inner ring on the other side, and the same applies to the 13 even contacts on both sides.

The middle rotor connects the 26 contacts in the outer ring on one side to the 13 odd contacts of the inner rings

on both sides, and the 26 contacts in the outer ring on the other side to the 13 even contacts of the inner rings on

both sides.

Plaintext enters through the contacts on the outer ring on the left side of the rotor stack, and ciphertext leaves

through the contacts on the outer ring on the right side.

On each side of the rotor stack, a plugboard controls the reflection of the odd contacts of the inner ring to the

even contacts of the inner ring.

When a letter is enciphered, its signal first passes through the outer rings of rotors 1 and 2 in a normal rotor

machine fashion.

Then, rotor 3 sends the signal through the inner rings, either of rotors 2 and 1 or of rotors 4 and 5, through their

odd (or even) contacts, to be reflected back through the even (or odd) contacts of rotors 1 and 2 or rotors 5 and 4.

And then rotor 3 takes the reflected signal, and sends it through the outer rings of rotors 4 and 5 to continue in a

normal rotor machine fashion.

There is some potential for additional flexibility in the design; for example, it would still work if the two

plugboards were cross-wired (but not if they were merged into one), and the specially-wired rotor used as rotor 3

does not absolutely have to be in the central position.

In the section on the Enigma, I noted that if one shorted the indicator lights with diodes, it would be possible to

attach the rotors to the lamps instead of the keys. This would allow one to design an Enigma in which the rotors

could be switched from being connected to the keys or the lamps, so that a plugboard could be placed between

the keys and the lamps. In this way, enciphering and deciphering would both be possible, but a letter could

represent itself.

This diagram illustrates how this principle could be taken to its ultimate conclusion. On the left hand side of the

keyboard and lampboard, a letter is being shown as being enciphered, and on the right hand side a letter is shown

as being deciphered. Note how the polarity needs to be taken into account in enciphering mode, so that the

diodes across the lamps do not prevent normal Enigma-like operation.

Here are a couple of other attempts to construct elaborate rotor machines combining principles we've seen in

previous examples. The first also uses rotors with two concentric rings of 26 contacts, but this time the two sets

of contacts are wired differently, not in parallel.

The cipher rotors act a bit like those in the Enigma; the plaintext letter causes electricity to go from left to right,

and then the signal returns, going right to left, to produce the ciphertext letter. However, the returning signal uses

the second set of contacts, and so the cipher is not reciprocal.

The general structure of the machine is like the SIGABA; but the extra set of contacts in the control rotors is

used to provide an ever-changing "reflecting rotor" for the cipher rotors.

The following (originally done for use as a background, with different colors) illustrates a double-sized

SIGABA. However, five of the signals controlling the ten cipher rotors are created somewhat differently, using a

method from a rotor-based telecipher machine, the SIGCUM, which we will encounter later.

The five new control signals have some poor properties, but they nicely complement the SIGABA-type ones,

since they have an exact 50% probability of being active.

Changing the wiring a bit (and making more rotors electrically controlled) gives us this:

While it has the drawback that the SIGABA-style superior control rotors may occasionally remain immobile,

because only the SIGCUM-style ones have unused output contacts, this design causes five of the ten cipher

rotors to be controlled by a set of control rotors (the SIGABA-style ones) that are themselves controlled by

control rotors (the SIGCUM-style ones) also used to directly control the other five cipher rotors. Not explicit in

the diagram is a timing issue requiring a more basic redesign; in the original SIGABA, the cipher rotors move in

response to the control rotor position at one time, and the control rotors advance at another time, requiring two

clock phases; as the SIGABA-style control rotors can't move simultaneously with either the SIGCUM-style

control rotors or with the cipher rotors, we now need three clock phases.

which is simply how I, and perhaps others, imagined the SIGABA might have worked after reading a brief

description of it by David Kahn from about 1980, and seeing the first pictures of it that were released some years

later. Since the actual design didn't involve the five ten-contact rotors moving, this design would have been even

more expensive to build.

Next

Chapter Start

Skip to Next Chapter

Table of Contents

Main Page

[Next] [Up] [Previous] [Index]

Child's Play

The M-134 and the M-229, as described in the section on the SIGABA rotor machine,

have suggested to me the idea of a very flexible style of rotor machine, one which

could even be used, if made from plastic, as an educational children's toy!

As a toy, the heart of it would be three rotor machines of the type diagrammmed below.

These machines consist of a bank of five rotors. At each end, there is a plugboard like

that of the Enigma, but using standard phono plugs. Beyond the plugboard, on each

side, there is a 26-contact connector used to connect a keyboard and a lampboard, only

one of each being included in the set. The keyboard would also have a 26-contact

connector; plugging the lampboard into that connector would allow the Enigma to be

simulated.

The machine would use rotors that have plastic slip rings on the outside with bumps to

control rotor motion, signalling a carry from one rotor to the other. The rotors and the

rings would both be reversible.

● Six randomly wired rotors in two sets of three identical rotors, numbered from 1

to 2. (grey)

● Six randomly wired rotors in three sets of two identical rotors, numbered from 3

to 5. (grey)

● Ten randomly wired rotors, each of which is different, numbered from 6 to 15.

(grey)

● Five rotors wired by the interval method, each of which is different, numbered

from 16 to 20. (red)

● Three identical reflecting rotors, which have no contacts on one side, but which

otherwise fit in the same space as a regular rotor. (green)

● Three rotors with a symmetrical wiring that produces the same permutation

going through the rotor as is provided by reflection in the reflecting rotor. (blue)

● Six rotors in two sets of three identical rotors, wired so as to be mirror images of

the grey rotors numbered 1 and 2, also numbered from 1 to 2. (purple)

All the slip rings would have only one bump on one side. They would have multiple

bumps on the other side, and there they would differ.

● Five identical slip rings, with three bumps on the other side. (yellow)

● Five slip rings, with five bumps on the other side, each one having a different

arrangement, and numbered from 1 to 5. (green)

● Five identical slip rings, with seven bumps on the other side. (blue)

As noted, the plugboards on the device use phono plugs, and work like that on the

Enigma, so that straight-through wiring is the default when no plugs are inserted.

The cables provided with the machine will have the forms illustrated in this diagram:

Although it may not be obvious, the first cable crosses over the two parts of the

contact. The complement of cables would be:

● 52 cables with phono plugs at both ends, with crossover wiring like those of the

Enigma. (grey)

● 52 cables with phono plugs at both ends, and parallel wiring. These will

primarily be used when connecting different machines together. (red)

● 93 cables with a phono plug at one end, accompanied by a socket for a banana

plug, and a stackable banana plug (like the ones on cables made by Pomona

Electronics) on the other end. These allow arbitrary permutations to be set up.

93 is 78 plus 18, so that one set is provided for each machine, plus six extra for

the wheel advance section, with its smaller plugboard using the same connector.

The kit would include plans for many projects, starting with a Hebern rotor machine,

going on to an Engima, and then the SIGABA, and even a small Turing bombe for use

against a two-rotor Enigma. (Maybe that would require some additional pieces not

mentioned here. And, of course, I'd have to come up with a way to manufacture an

economical diagonal board.)

U. S. Patent 6097812 has recently been granted on the design used in the M-138 (and

M-138-T2 and M-138-A) cipher machine, and this design combines the M-138 with

the M-228 and M-229, and hence is likely to be affected by this patent.

Next

Skip to Next Chapter

Chapter Start

Table of Contents

Main Page

[Next] [Up] [Previous] [Index]

In this chapter, we have seen some examples of rotor machines with very irregular rotor movements.

The SIGABA achieved very irregular rotor movement by a uniquely strong method, using the changing jumbled

maze of wires in a part equivalent to a complete conventional rotor machine to supply electrical signals

controlling the seemingly random stepping of rotors in what amounted to a second conventional rotor machine for

enciphering the letters of the text.

The Swiss NEMA cipher machine achieved irregular rotor movement by accompanying each rotor with an

adjacent rotating ring, which had notches on it that inhibited that rotor's movement. The rings always moved,

except for two rings that were sometimes prevented from moving by a second set of notches on the first rotor's

ring.

Also, U. S. Patent 4,143,978, filed on May 4, 1938, but only issued on March 13, 1979, with inventors Bern

Anderson and Donald J. Seiler, describes a machine which made use of five pinwheels with 25 positions to control

the five rotors with 26 positions. This patent appears to be for the ECM Mark I, which was the design which

preceded the ECM Mark II, also known as the SIGABA.

And, of course, the Enigma A and Enigma B had a very irregular rotor movement at the dawn of the rotor era, by

having each rotor controlled by its own cam, and each cam having a number of positions relatively prime to all the

others. Had the cams been resettable pinwheels, the design would have been quite impressive indeed.

Descriptions of a later rotor machine imply that it achieved irregular rotor stepping based on a principle we will

see later in the descriptions of the Siemens T-52d and T-52e Geheimschreiber telecipher machines:

Given three or more pinwheels or cams, each of which produces a sequence of binary bits as it rotates, bits from

each pinwheel (perhaps sensed at a different position on the cam than the bits used for the purpose of

encipherment) could be used to control the movement of other pinwheels.

Although this seems like a compromise of the potential security of a rotor machine, using the rotors to step

themselves instead of having a separate set of pinwheels or cams to control stepping has the major advantage of

making it simpler to set up the machine for an encipherment.

But if one tries to do this in the simplest way, just using one pinwheel to cause another to step, what is there to

prevent all the pinwheels from coming to a position where they are producing a zero value for their stepping

output, so that they will all stay in one position thereafter?

The Siemens Gehemschreiber prevented this by a scheme that looked something like this, illustrated with five

cams labelled A, B, C, D, and E:

A steps if D or (not E)

B steps if E or (not A)

C steps if A or (not B)

D steps if B or (not C)

E steps if C or (not D)

In this illustration, the output from each cam forces the stepping of one other cam, and the complement of that

output forces the stepping of a third cam. This ensures that some stepping will always take place.

In this case, as the bits from the cams are also used to encipher a binary signal by being XORed with it, active and

inactive positions on the cams need to be close to equal in number. Since each cam steps based on the OR of two

inputs, this means that the cams step about 3/4 of the time.

Since outputs from those cams are used for encipherment as well, they should step almost all the time. While

occasional failures to step can make the bit sequence irregular, bits that do not change also allow plaintext patterns

to be visible.

The Lorenz Schlusselzusatz, which used two sets of five pinwheels, one which always moved, and another set

which moved, or remained still, in unison, half the time either way, based on a more conventional scheme

involving control from two other pinwheels, was cryptanalyzed with the aid of the early electronic calculating

device COLOSSUS partly because the patterns of the constantly moving pinwheels were visible when the other

ones did not move. (The fact that 5-level teleprinter code is designed so that 0 bits strongly outnumber 1 bits, to

prevent mechanical wear and tear and to make paper tape less fragile, also was an important factor.)

In a rotor machine, however, moving even one rotor completely scrambles the cipher alphabet it provides. If each

rotor moved with probability 1/2, then each new alphabet would be from the largest and most uncertain possible

set of alternatives.

Could the principle used in the T-52 be modified to produce movement with probability 1/2, and yet still ensure

continual movement which will not cease to involve any of the rotors?

The first scheme I came up with to do this is illustrated by the following diagram:

It may be easier to understand with the diagram shown below and to the right:

Using seven rotors in this example, I first start with four live inputs,

which are turned into eight outputs having a 50-50 chance of being

live by being redirected by the active teeth on four of the rotors.

This is shown in the diagrams above and to the right by a red wire,

carrying a live input from the power supply, being switched to four of

eight wires by four switches, each controlled by a rotor. In the

diagram to the right, this is the first layer of the circuit, shown in the

leftmost column.

Then, six of these eight signals, in pairs from different rotors, are

swapped (or not) under the control of three other rotors.

in the switch under one of the first four rotors.

The swapping and the selection is always done under the control of a

rotor which was not involved in determining if either signal used as

input was live. The color scheme in the diagrams is chosen to make

that clear. In the diagram to the right, this is the second layer of the

circuit, shown in the middle column.

The seven output signals then control the stepping of the rotors.

Again, as the colors help to make visible, each signal is directed to a

rotor that had no part in its creation, in either the first or the second

layers.

under the control of rotor 6. The two resulting signals control the

movement of rotors 4 and 7.

Dark Blue: Two signals controlled by rotors 3 and 4 are then swapped

under the control of rotor 5. The two resulting signals control the

movement of rotors 1 and 6.

Purple: Two signals controlled by rotors 1 and 3 are then swapped under the control of rotor 7. The two resulting

signals control the movement of rotors 2 and 5.

Gray: Two signals controlled by rotors 2 and 4 then have one signal selected from them under the control of rotor

1. The resulting signal controls the movement of rotor 3.

This basic principle, with little change, would work with any odd number of rotors, starting with five.

The specific arrangement in the diagrams shown above was selected to minimize wire crossings in the original

(horizontal) diagram, so that it would be as legible as possible, and, with the rotors labelled in order from left to

right as A, B, C, D, E, F, and G is:

B steps if ((not C) and G) or ((not A) and (not G))

C steps if ((not D) and A) or ((not B) and (not A))

D steps if (B and F) or (A and (not F))

E steps if ((not C) and (not G)) or ((not A) and G)

F steps if (D and (not E)) or (C and E)

G steps if (B and (not F)) or (A and F)

where the control signal different from the others is the one stepping rotor C.

Since we start with eight signals, four of which are active, and swap them in pairs, only in one case selecting only

one of two signals to use, half the time four rotors will advance, and the other half of the time three rotors will

advance.

With an even number of rotors, of course, the same principle could be applied even more simply, without the need

for one control signal to be different from the others.

But many other arrangements are also possible. An arrangement based on a slightly different principle is shown

here:

Here, each rotor is controlled by the OR of the AND of two independent inputs, so, based on each rotor having

half of its teeth present and half of them absent, causing each signal and its complement to be active half the time,

the chance of any one rotor moving on average is 7/16 rather than 1/2.

We start by creating seven signals. To ensure that at least one rotor will always move, two of them are the signal

from one rotor and its complement; the other five are the signals from five other rotors.

Then, we change these seven signals into fourteen signals, by switching them to one of two destinations, and the

output from each of the seven rotors is used to perform one such switch.

Finally, the wired-OR of two of these signals controls one rotor that had no direct part in creating it.

Here, from one to six rotors will always move, creating more possibilities for the next rotor position. However, as

we will see at the start of the following chapter, a 3 out of 7 code contains 35 entries, so with seven rotors rather

than five, having only 3 or 4 rotors move each time already creates more than twice as many possibilities as are

needed.

The actual arrangement in the diagram shown, again chosen for clarity, with the rotors labelled as A, B, C, D, E,

F, and G from left to right, is:

B steps if (C and E) or (F and (not A))

C steps if (D and F) or ((not A) and (not B))

D steps if (E and G) or (A and (not C))

E steps if (F and A) or (B and (not D))

F steps if ((not A) and B) or (C and (not E))

G steps if (A and C) or (D and (not F))

While these arrangements will certainly produce rotor movements that seem jumbled and unpredictable, it is not

immediately clear how long the period of such rotor motions might be; it might be only a few times larger than the

number of positions on a rotor.

Here is an example of a slightly more complicated setup, based on the same general principles.

Essentially, the wiring is the same as the first example, (although the ordering of the connections has been

changed slightly, as indicated by the reversal of the colors green and blue in one portion of the diagram) but in

addition, one signal is created using the scheme in the second example, and a switch controlled by rotor 4

determines whether that signal, shown in dark green, or the normal signal following the pattern of the first

example, shown in purple, is fed to rotor 5.

The first three sections show the switches which operate as in the first example.

Section 1 shows the four switches which, given the live signal as input, produce eight outputs, four of which are

active.

Section 2 shows six switches, wired so as to swap three pairs (shown by blue, green, and purple wires) of signals

from the first four switches.

Section 3 shows one switch, which selects between the two remaining signals from the first four switches to

provide the seventh output signal.

The next two sections show the new wiring which creates an alternate signal that can be used to step rotor 5,

following the principle shown in the second example.

Section 4 shows two switches, fed the live input, which produce two outputs, each of which may be active or not.

Section 5 shows two switches, fed those two outputs, producing two outputs which are only have as likely to be

active, and which are then joined by a wired-OR.

Section 6 shows one switch, which selects between the output from section 5 or one of the outputs from section 2.

Again, labelling the rotors from left to right as the letters A through G, the logic of the wiring in the diagram is

equivalent to:

B steps if (C and G) or (A and (not G))

C steps if (B and (not A)) or (D and A)

D steps if ((not B) and E) or ((not A) and (not E))

E steps if (( (C and (not G)) or (A and G) ) and (not D)) or

((((not F) and B) or (G and C) ) and D)

F steps if ((not B) and (not E)) or ((not A) and E)

G steps if ((not D) and (not F)) or ((not C) and F)

Note that the signal controlling the stepping of rotor E is a function of whether an active or inactive tooth position

is found on all six other rotors.

One could even use, with a suitable rearrangement of rotor assignments in one case, the complete wiring

arrangements of both the first and second examples, with their outputs connected together in a wired-OR, and a

single switch controlling whether the live input goes to the first or second circuit. However, even if the first or

second examples would prove too simple, such a drastic remedy should not be required. Instead, the example

above should be sufficiently complex to correct the problem, because although only the stepping of rotor 5 (or E)

is made more complex in this example, it in turn affects the stepping of all the other rotors.

Other arrangements, based on the more conventional scheme of moving rotors like the wheels on an odometer,

which guarantees the maximum possible period, could be produced which also result in a fairly irregular

movement of the rotors.

Incidentally, before proceeding, it is very important to clarify the difference between the situation which I have

denoted in my schematic diagrams by and the situation which I denote by in a diagram. In the first

case, a tooth on one rotor causes another rotor to move only once, when the first rotor moves into the position

distinguished by that tooth. In the second case, a tooth on one pinwheel, or cam, or even a rotor, causes the next

one to move with the encipherment of each letter for as long as the first pinwheel remains in the position

associated with that tooth.

While the first type of movement is usually accomplished mechanically, the control rotors of the SIGABA and the

rotors of the M-228 and M-229 moved this way under electrical control. The second type of movement seems like

an obvious consequence of electrical control: a wheel that is in different positions turns a switch on and off

depending on what position it is in. So how can the first type of movement also be electrical?

This diagram illustrates the difference between the arrangements required for the two types of motion. The large

teeth shown in green correspond to the 26 normal positions of the rotor, where a tooth may be either present or

absent. The small teeth shown in red are located between rotor positions, so that a tooth, if present, will move

across the sensing position as the rotor advances from one position to the next.

For the first type of motion, pulses occur when the rotor that is their source is moving, and so it is reasonable that

another rotor would move when a pulse of electricity is switched on. Making a rotor move only one step per pulse

seems like only a small mechanical detail.

For the second type of motion, instead of an elaborate approach involving storing the

signals sensed from the rotors in a buffer, what is necessary is, first of all, that the

live inputs to the circuit are actually timing pulses, and, so that the rotors will not

move while their positions are being sensed, rotors should move just after the

trailing edge of a pulse. This can be achieved by having the pulse go through a

solenoid, pulling a lever back which is then restored to its original position by a

spring after the pulse ends, with a rachet mechanism causing the lever to advance the

rotor it controls only on its return journey: this is a very common and standard

mechanical arrangement, illustrated in the diagram at left. Since the device also

supplies a gentle push to the sawtooth gear when moving in the "wrong" direction, a

conventional ratchet mechanism, which is not shown in the illustration, is also

required to keep that gear moving only one way (although in some cases, friction

may be sufficient).

For the other case, the same mechanical arrangement could be used, although in that case, having the rotor

advance on the leading edge of the pulse would be appropriate, as it would avoid unnecessary delay. This would

involve reversing the positions of the electromagnet and the spring in the diagram above, and in that case, the

spring would not have to be as strong, since it would only return the mechanism to position instead of also having

to push on the gear. A similar mechanism, rather than a small motor, is likely to be found in those quartz clocks

and quartz watches that have hands instead of a numeric display.

Now that this is clarified, let us examine a more complicated design based on the first type of rotor motion.

Instead of having just one notch or tooth on a rotor, any number of teeth that is relatively prime to the number of

positions on the rotor, if used in an odometer-style arrangement, would still produce a maximal period, since when

one rotor returns to its original position, the rotor it advances will be in a spot from which it will only return to its

original position at the same time that the rotor preceding it returns to its original position after being advanced 26

times if it is a 26-position rotor, even if it has also passed through its original positions at different times several

times before then.

Another thing that would not interfere with a maximum period would be for a rotor participating in such an

arrangement to also be advanced any number of times for each revolution of a rotor which preceded the rotor

directly controlling it. All such advances would ultimately cancel out, being a multiple of 26 or other rotor size,

over a full revolution of the rotor immediately preceding the rotor.

One important thing, to avoid problems with a mechanical version of this design, and to ensure that maximum

period is achieved, is that the teeth used to advance a later rotor must never be in the same position as the teeth

used to advance the next rotor.

Of course, to achieve both a guaranteed long period, and a more irregular sequence of motions, one could combine

both types of rotor motion, the first type, or transition-driven advance, and the second type, or state-driven

advance, in a single design.

Thus, we might have two groups of rotors, ABCDE and GHIJK, which are connected for state-driven advance,

and in addition, rotor E might drive rotor F, and rotor F might drive rotor G, using transition-driven advance.

Is it possible to combine a guarantee of long period with irregular rotor movement from the same source?

Obviously, one could use five cams to produce an irregular motion, and another five cams to produce motion with

a period equal to the product of their lengths. But can things be arranged so that the period is guaranteed to reflect

all the items used, and yet the motion is irregular as well? Already, we've seen in my example of a transition-

driven design with extra further forward carries one way to do this, but while the period is guaranteed, the motion

is only irregular to a limited extent.

Would the SIGABA have a guaranteed period of 26 to the tenth power if it were modified as shown in this

diagram:

Here, all ten of the rotors are shown as being advanced by a conventional rotor mechanism, in addition to the

cipher rotors being advanced by the unique control signals of the SIGABA. Instead of showing an OR gate

controlling input to the rotor stepping mechanism, two separate symbols for rotor advance are shown, one behind

the other. This indicates that, to ensure maximum period, I think it would be necessary to use different clock

phases for the two types of rotor advance, so that it would be possible, if both systems of rotor advance would

cause a rotor to advance, for that rotor to step twice. However, when one rotor advances due to a control signal, it

would also have to cause conventional carries. But this separation of phases would then occur without (a certain

kind of) special effort, since the control rotors cannot be moving when the cipher rotors are moving in response to

the control signals which have passed through their wiring.

One way that it seems obvious it is safe to combine transition-driven and state-driven rotor advance would be

through something like this:

Here, superimposed on a conventional transition-driven odometer-like rotor advance, earlier rotors are also

driving later rotors, further down the chain, but based on their state, not on transitions. Again, it seems that over a

full cycle of transition-driven advances, the extra state-driven advances should cancel out, not affecting the overall

period, even if they provide additional movement in the interim.

Next

Chapter Start

Table of Contents

Main Page

This page is about a dark and mysterious subject. (Or, more

accurately, and for fairness' sake, a subject with a dark and mysterious

reputation.) A subject that is fascinating both for the air of mystery

that has surrounded it, and because of the complexities and intricacies

which are unavoidably part of its subject matter.

A Cryptographic Compendium

This series of pages has information about a large number of cipher systems. So far, the

coverage of cryptanalysis is quite limited, though.

Direct link to start

things described on this page are, of course, secret

today, although some were secret until fairly recently.

breaking ciphers; it is mostly concerned with the various

kinds of ciphers people have used. Except where

unavoidable, the use of mathematics has been kept to a

strict minimum. It begins with ciphers that only require

pencil and paper to apply, and it continues with

electrical and mechanical cipher machines of the type

used during World War II, both the rotor machines and the

machines used with teletypewriters. Then, it continues on

into the computer age, with a discussion of block ciphers

like DES and then proceeds further, attempting to make

understandable the advanced topic of public-key

encryption which has made the use of encryption practical

under circumstances where it had never been practical

before. Finally, it addresses other miscellaneous topics

relating to cryptography, such as data compression and

key management.

This site now contains a very useful table of powers of integers that uses frames.

Although there is no space for an archived version of the entire site, there is one, which

may not be fully up to date at any given time, at this location.

I have many interests, such as old science-fiction TV shows, and easy listening music

from Tin Pan Alley.

Items covering a number of other topics as well are at the following location:

http://members.xoom.com/quadibloc/index.html

At that site are charts for some methods of storing Chinese characters. Here in this site,

you can find a space habitat design, a discussion about going to Mars, a tall building

design, a page about signal flag systems as used by ships, a map projection, several

topics concerning mathematics: (an explanation of the mathematical notion of infinity,

a discussion of Gödel's proof and the halting problem, an explanation of two famous

equations, a diagram of the rotations of a dodecahedron, a page about pentagonal

tilings, a page about Archimedian solids, a little page about the fourth dimension), an

attempt to explain the Einstein-Podolsky-Rosen experiments, and a discussion of the

Eldredge-Gould theory of punctuated equilibria some color charts, an example of a

computer architecture, a discussion of the musical scale, a couple of comments about

chess, and three pages about calendars: (perpetual calendars for the Gregorian calendar

which show not only the day of the week, but also the position of the day in the

Chinese sexagesimal cycle of days, a luni-solar calendar, and a simplified calendar

proposal), and, finally, a page containing some handy unit conversions.

Links to Other Sites Other Topics

Pages

Needless to say, any trademarks referenced are the property of their respective owners,

and are used here only for purposes of identification.

As this series of web pages contains some ideas and speculations about how to design

and implement ciphers, readers are notified that I am not engaging in providing

professional advice in these pages, and are advised to seek the direct advice of a

competent professional before embarking on projects using cryptography.

[Next] [Up/Previous] [Index]

The Lorenz SZ-40 and SZ-42 cipher machines were widely used by German forces

during World War II. It was primarily to break this machine's cipher that the British

devised what is now considered the world's first electronic computing machine, the

once-secret COLOSSUS.

It had twelve pinwheels, all of which could have all their pins set by the user. Ten of

these pinwheels formed two groups of five, and one wheel from each group inverted its

corresponding plaintext bit when a pin was active on it.

The wheels of the first group had sizes 41, 31, 29, 26, and 23. Those of the second

group had sizes 43, 47, 51, 53, and 59.

Two additional wheels were of size 37 and 61. The wheels of the first group, and the

wheel with 61 positions, advanced one position with every letter enciphered. When the

current pin on the 61-position wheel was active, the wheel with 37 positions advanced

one space. When the current pin on the 37-position wheel was active, then the wheels

of the second group advanced one space.

Although the SZ-40 appears to be a simple design, and a very similar design proposed

by Col. Parker Hitt, but without the feature that the stepping of five wheels was

irregular, was shown to be insecure, the British found breaking SZ-40 messages to be a

more difficult problem than breaking Enigma messages. Some cribs were available that

helped them to break into the system; part of the difficulty seems to have come from

the limited availability of resources, and another part from the lack of captured

equipment and tables: for example, the list giving numbers representing wheel settings

was never captured, while the bigram tables for the Enigma were.

HEATH ROBINSON and COLOSSUS, have been described to a limited extent in the

open literature. A paper by F. L. Carter, in "Cryptography and Coding", the

proceedings of the 6th IMA International Conference, from December, 1997, gave

significant additional details of how COLOSSUS was used.

HEATH ROBINSON, named after a British cartoonist who, like Rube Goldberg in the

U.S., was famous for his drawings of elaborate contraptions (although the styles of the

two artists were very different), worked by comparing the holes punched in two paper

tapes, one containing an intercepted message, and one containing a reproduction of part

of the sequence of bits the pinwheels of an SZ-40 might be expected to generate. The

tapes were padded with nulls to make them of relatively-prime length, and HEATH

ROBINSON indicated at what point in the motions of both tapes a correlation between

the two was found. This required the two tapes to move synchronously, and so the

sprocket holes had to be used, which limited the speed at which the tapes could move.

stream cipher output, or the portion thereof used for testing (such as the output of the

five always-moving wheels) electronically. This way, the tapes could be moved on

pulleys, at very high speeds, without any problems. A glass mask with lens-shaped

patterns was used so that the light shining through the round holes on the paper tape

would produce an approximation to a square wave. Thus, the paper tape, in addition to

supplying input data, actually supplied the clock signal for COLOSSUS' internal logic.

Apparently, in generating the pattern which a second paper tape provided on HEATH

ROBINSON, COLOSSUS was capable of some sort of conditional branching, on

which its claim (having been first installed in December 1943) to being the first

electronic computer rests.

The paper by Carter sheds considerable light on the cryptanalytic principles behind

COLOSSUS. The 5-level code used for teletypewriters was designed to minimize

mechanical wear and tear; hence, the codes for the most frequent letters E and T, as

well as the code for the space, consisted of a single 1 bit and four zeroes. This meant

that zeroes predominated in the plaintext, and in addition, it meant that for any two

characters in succession, corresponding bits in them were more likely than not to be the

same. (Of course, this characteristic of the plaintext was weaker than the higher

frequency of zeroes.)

Since one set of pinwheels in the SZ-40 did not advance with every character

enciphered, this meant that when two succeeding cipher characters had a corresponding

bit that changed, then it was likelier than not that the fast pinwheel for that bit was at a

point where two adjacent pins were in different positions, and when two succeeding

cipher characters had a corresponding bit that stayed the same, then the probability that

the fast pinwheel had two similar pins was also increased. (Since the slow pinwheels

did move half the time, this correlation was again weakened, but it still existed.)

Because the pin settings for the fast pinwheel were chosen so that like and unlike pairs

of pins were as close to being equally likely as possible, it was not possible in practice

to correlate a single pinwheel at a time, but correlations involving pairs of pinwheels

were easier. (At first, this appears odd, since, the fast wheels all having relatively prime

periods, they are independent. However, since all the slow pinwheels either move or

not at the same time, a search for correlations in two wheels at once could improve its

effectiveness by giving more weight to an observation in one wheel which takes place

when another wheel is in the more common change or no-change state for its part of

the period of that fast wheel.) An abbreviated notation was used to specify types of

tests to be run with COLOSSUS: one test was a simple correlation on two particularly

favored pinwheels; other tests searched for common pairs of characters, such as space-

figures shift, or figures shift-period. In some messages, doubled letters were quite

common, and there was a test that looked for them as well.

There is also a paper by W. T. Tutte, one of the cryptanalysts who worked on messages

enciphered by the Schlusselzusatz at Bletchley Park, now available on the site of Frode

Weierud that details the early days of the cryptanalysis of the Schlusselzusatz,

codenamed Tunny by the British. That source notes the following:

Originally, the machine was used with a 12-letter indicator, which contained initial

positions for all twelve pinwheels without encryption (e.g. under a "ground setting").

Each letter stood for an initial position, and the wheels had only 25 positions which a

letter could indicate, except, of course, for the wheel with only 23 positions.

The initial analysis which allowed the British to determine the basic principles of the

Sclusselzusatz was aided by the reciept of some pairs of messages enciphered with the

same starting positions, including one re-encipherment of a long message with changes

in word spacing and punctuation with exactly the same indicator.

In 1943, the Germans switched to using a number as an indicator, which was assumed

to signify a 12-letter combination from a list. Later, they switched from changing

pinwheel settings once a month to changing them each day, and they also modified the

machine so that the wheels in the second group, instead of having their irregular

motion controlled only by the 37 and 61 pinwheels, had that motion depend on a

function of the pinwheels that moved with each character, or on the previous plain text

(thus employing the autokey principle). However, the five wheels that stepped with

every character continued to do so, and although the five slow wheels were controlled

differently, they still either all moved or all stayed still, so the existing cryptanalytic

approaches remained valid.

Next

Chapter Start

Skip to Next Section

Table of Contents

Main Page

[Next] [Up] [Previous] [Index]

Error-Correcting Codes

After text has been compressed, and even more so after it has been encrypted, the resulting output is random in appearance.

This makes it easy to make mistakes in handling it, and hard to see errors if they are introduced through electrical noise on a

communications link or any similar cause.

Thus, even if redundancy is removed as far as is possible before encryption by means of data compression, after encryption is

complete, it becomes desirable to put redundancy back in, to give resistance to errors.

There are mathematical techniques, given an arbitrary text, to add more symbols to it in a way that gives resistance to a

specific number of errors. Since they depend only on the input text, if the ciphertext is used as input, this kind of added

redundancy does not help the cryptanalyst, except by giving both him and the legitimate recipient a copy of the ciphertext that

is more likely to be accurate.

Thus, telegraph codes were designed so that an error in a single letter of a codeword, or switching two adjacent letters in a

codeword, would not result in another valid codeword, by the use of tables such as this:

AA AB AC AD AE AF AG AH AI AJ AK AL AM AN AO AP AQ AR AS AT AU AV AW AX AY AZ A&

BB BC BD BE BF BG BH BI BJ BK BL BM BN BO BP BQ BR BS BT BU BV BW BX BY BZ B& BA

CC CD CE CF CG CH CI CJ CK CL CM CN CO CP CQ CR CS CT CU CV CW CX CY CZ C& CA CB

DD DE DF DG DH DI DJ DK DL DM DN DO DP DQ DR DS DT DU DV DW DX DY DZ D& DA DB DC

EE EF EG EH EI EJ EK EL EM EN EO EP EQ ER ES ET EU EV EW EX EY EZ E& EA EB EC ED

FF FG FH FI FJ FK FL FM FN FO FP FQ FR FS FT FU FV FW FX FY FZ F& FA FB FC FD FE

GG GH GI GJ GK GL GM GN GO GP GQ GR GS GT GU GV GW GX GY GZ G& GA GB GC GD GE GF

HH HI HJ HK HL HM HN HO HP HQ HR HS HT HU HV HW HX HY HZ H& HA HB HC HD HE HF HG

II IJ IK IL IM IN IO IP IQ IR IS IT IU IV IW IX IY IZ I& IA IB IC ID IE IF IG IH

JJ JK JL JM JN JO JP JQ JR JS JT JU JV JW JX JY JZ J& JA JB JC JD JE JF JG JH JI

KK KL KM KN KO KP KQ KR KS KT KU KV KW KX KY KZ K& KA KB KC KD KE KF KG KH KI KJ

LL LM LN LO LP LQ LR LS LT LU LV LW LX LY LZ L& LA LB LC LD LE LF LG LH LI LJ LK

MM MN MO MP MQ MR MS MT MU MV MW MX MY MZ M& MA MB MC MD ME MF MG MH MI MJ MK ML

NN NO NP NQ NR NS NT NU NV NW NX NY NZ N& NA NB NC ND NE NF NG NH NI NJ NK NL NM

OO OP OQ OR OS OT OU OV OW OX OY OZ O& OA OB OC OD OE OF OG OH OI OJ OK OL OM ON

PP PQ PR PS PT PU PV PW PX PY PZ P& PA PB PC PD PE PF PG PH PI PJ PK PL PM PN PO

QQ QR QS QT QU QV QW QX QY QZ Q& QA QB QC QD QE QF QG QH QI QJ QK QL QM QN QO QP

RR RS RT RU RV RW RX RY RZ R& RA RB RC RD RE RF RG RH RI RJ RK RL RM RN RO RP RQ

SS ST SU SV SW SX SY SZ S& SA SB SC SD SE SF SG SH SI SJ SK SL SM SN SO SP SQ SR

TT TU TV TW TX TY TZ T& TA TB TC TD TE TF TG TH TI TJ TK TL TM TN TO TP TQ TR TS

UU UV UW UX UY UZ U& UA UB UC UD UE UF UG UH UI UJ UK UL UM UN UO UP UQ UR US UT

VV VW VX VY VZ V& VA VB VC VD VE VF VG VH VI VJ VK VL VM VN VO VP VQ VR VS VT VU

WW WX WY WZ W& WA WB WC WD WE WF WG WH WI WJ WK WL WM WN WO WP WQ WR WS WT WU WV

XX XY XZ X& XA XB XC XD XE XF XG XH XI XJ XK XL XM XN XO XP XQ XR XS XT XU XV XW

YY YZ Y& YA YB YC YD YE YF YG YH YI YJ YK YL YM YN YO YP YQ YR YS YT YU YV YW YX

ZZ Z& ZA ZB ZC ZD ZE ZF ZG ZH ZI ZJ ZK ZL ZM ZN ZO ZP ZQ ZR ZS ZT ZU ZV ZW ZX ZY

M N O P Q R S T U V W X Y Z & A B C D E F G H I J K L AA BB CC

DD EE FF GG HH II JJ KK LL MM NN OO PP QQ RR SS TT UU VV WW XX YY ZZ

N O P Q R S T U V W X Y Z & A B C D E F G H I J K L M A& BA CB

DC ED FE GF HG IH JI KJ LK ML NM ON PO QP RQ SR TS UT VU WV XW YX ZY

O P Q R S T U V W X Y Z & A B C D E F G H I J K L M N AZ B& CA

DB EC FD GE HF IG JH KI LJ MK NL OM PN QO RP SQ TR US VT WU XV YW ZX

P Q R S T U V W X Y Z & A B C D E F G H I J K L M N O AY BZ C&

DA EB FC GD HE IF JG KH LI MJ NK OL PM QN RO SP TQ UR VS WT XU YV ZW

Q R S T U V W X Y Z & A B C D E F G H I J K L M N O P AX BY CZ

D& EA FB GC HD IE JF KG LH MI NJ OK PL QM RN SO TP UQ VR WS XT YU ZV

R S T U V W X Y Z & A B C D E F G H I J K L M N O P Q AW BX CY

DZ E& FA GB HC ID JE KF LG MH NI OJ PK QL RM SN TO UP VQ WR XS YT ZU

S T U V W X Y Z & A B C D E F G H I J K L M N O P Q R AV BW CX

DY EZ F& GA HB IC JD KE LF MG NH OI PJ QK RL SM TN UO VP WQ XR YS ZT

T U V W X Y Z & A B C D E F G H I J K L M N O P Q R S AU BV CW

DX EY FZ G& HA IB JC KD LE MF NG OH PI QJ RK SL TM UN VO WP XQ YR ZS

U V W X Y Z & A B C D E F G H I J K L M N O P Q R S T AT BU CV

DW EX FY GZ H& IA JB KC LD ME NF OG PH QI RJ SK TL UM VN WO XP YQ ZR

V W X Y Z & A B C D E F G H I J K L M N O P Q R S T U AS BT CU

DV EW FX GY HZ I& JA KB LC MD NE OF PG QH RI SJ TK UL VM WN XO YP ZQ

W X Y Z & A B C D E F G H I J K L M N O P Q R S T U V AR BS CT

DU EV FW GX HY IZ J& KA LB MC ND OE PF QG RH SI TJ UK VL WM XN YO ZP

X Y Z & A B C D E F G H I J K L M N O P Q R S T U V W AQ BR CS

DT EU FV GW HX IY JZ K& LA MB NC OD PE QF RG SH TI UJ VK WL XM YN ZO

Y Z & A B C D E F G H I J K L M N O P Q R S T U V W X AP BQ CR

DS ET FU GV HW IX JY KZ L& MA NB OC PD QE RF SG TH UI VJ WK XL YM ZN

Z & A B C D E F G H I J K L M N O P Q R S T U V W X Y AO BP CQ

DR ES FT GU HV IW JX KY LZ M& NA OB PC QD RE SF TG UH VI WJ XK YL ZM

& A B C D E F G H I J K L M N O P Q R S T U V W X Y Z AN BO CP

DQ ER FS GT HU IV JW KX LY MZ N& OA PB QC RD SE TF UG VH WI XJ YK ZL

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z & AM BN CO

DP EQ FR GS HT IU JV KW LX MY NZ O& PA QB RC SD TE UF VG WH XI YJ ZK

B C D E F G H I J K L M N O P Q R S T U V W X Y Z & A AL BM CN

DO EP FQ GR HS IT JU KV LW MX NY OZ P& QA RB SC TD UE VF WG XH YI ZJ

C D E F G H I J K L M N O P Q R S T U V W X Y Z & A B AK BL CM

DN EO FP GQ HR IS JT KU LV MW NX OY PZ Q& RA SB TC UD VE WF XG YH ZI

D E F G H I J K L M N O P Q R S T U V W X Y Z & A B C AJ BK CL

DM EN FO GP HQ IR JS KT LU MV NW OX PY QZ R& SA TB UC VD WE XF YG ZH

E F G H I J K L M N O P Q R S T U V W X Y Z & A B C D AI BJ CK

DL EM FN GO HP IQ JR KS LT MU NV OW PX QY RZ S& TA UB VC WD XE YF ZG

F G H I J K L M N O P Q R S T U V W X Y Z & A B C D E AH BI CJ

DK EL FM GN HO IP JQ KR LS MT NU OV PW QX RY SZ T& UA VB WC XD YE ZF

G H I J K L M N O P Q R S T U V W X Y Z & A B C D E F AG BH CI

DJ EK FL GM HN IO JP KQ LR MS NT OU PV QW RX SY TZ U& VA WB XC YD ZE

H I J K L M N O P Q R S T U V W X Y Z & A B C D E F G AF BG CH

DI EJ FK GL HM IN JO KP LQ MR NS OT PU QV RW SX TY UZ V& WA XB YC ZD

I J K L M N O P Q R S T U V W X Y Z & A B C D E F G H AE BF CG

DH EI FJ GK HL IM JN KO LP MQ NR OS PT QU RV SW TX UY VZ W& XA YB ZC

J K L M N O P Q R S T U V W X Y Z & A B C D E F G H I AD BE CF

DG EH FI GJ HK IL JM KN LO MP NQ OR PS QT RU SV TW UX VY WZ X& YA ZB

K L M N O P Q R S T U V W X Y Z & A B C D E F G H I J AC BD CE

DF EG FH GI HJ IK JL KM LN MO NP OQ PR QS RT SU TV UW VX WY XZ Y& ZA

L M N O P Q R S T U V W X Y Z & A B C D E F G H I J K AB BC CD

DE EF FG GH HI IJ JK KL LM MN NO OP PQ QR RS ST TU UV VW WX XY YZ Z&

A miniature version of such a code construction table is shown in The Codebreakers by David Kahn, but here I've put the last

two letters of the codeword in alphabetical order in the rows of the square on the lower right, since a code compiler would

want to generate codewords in alphabetical order. The row of the top square, and the column of the square on the lower right,

which contain digraphs beginning with &, are omitted, since those are unused if codewords from a 26-letter alphabet are

wanted.

Valid codewords consist of two letters from the top, a letter from the lower left, and two letters on the lower right, such that

the single letter shares the same column as the pair of letters from the top and the same row as the pair of letters from the

lower right. The use of an extra dummy letter & is required to avoid codewords differing only by a swap of two adjacent

letters. The middle square can start with any letter; here it is started with M to indicate that this feature can be used to produce

codewords different from those in someone else's code.

For example, given a string of bits, a single bit which contains the parity of that string of bits can be appended to it. In that

case, if the result is transmitted, and exactly one bit is in error in what is recieved, the parity will be wrong, and the fact that an

error has taken place will be detected.

Another simple example would be to transmit one's message three times. For every group of three corresponding bits from the

three copies of the message, if exactly one error takes place in communications, that error can be corrected, because of the

three recieved copies of that bit, two will be correct, and only one will be wrong.

These are the two trivial examples of perfect codes: adding a parity bit, and repeating each bit a certain number of times.

If we confine ourselves to the even parity form of a parity bit, both these codes can be represented by matrices:

A parity bit:

1 0 0 0 0 0 0 0 1

0 1 0 0 0 0 0 0 1

0 0 1 0 0 0 0 0 1

0 0 0 1 0 0 0 0 1

0 0 0 0 1 0 0 0 1

0 0 0 0 0 1 0 0 1

0 0 0 0 0 0 1 0 1

0 0 0 0 0 0 0 1 1

Triple repetition:

1 1 1

In general, matrix multiplication works like this: introduce the numbers which are the elements of the vector being multiplied

from the left, starting with the first one on the top; for each bit in that row, calculate the product of the number introduced

from the side with the number in the matrix; then, after all the products have been calculated, total them down the columns to

obtain the output.

For error-correcting codes illustrated by matrices, it is the bits of the message that are introduced from the left. Then, an AND

is performed (rather than a multiplication) between them and the bits of the matrix, and the results are accumulated by an

XOR going down the columns (rather than addition).

1 0 0 0 1

1 --> 1 0 0 0 1

0 1 0 0 1

0 --> 0 0 0 0 0

0 0 1 0 1

1 --> 0 0 1 0 1

0 0 0 1 1

1 --> 0 0 0 1 1

-------------------

1 0 1 1 1

As this is a code applied to a binary signal, all arithmetic is done modulo 2 (hence, 1+1+1 = 1 instead of 3).

Just using parity bits can allow correcting errors. One way to do this is to have both a parity bit for each byte of data, and a

parity byte that results from the XOR of all the data bytes. If there is one error, the byte it is in is indicated by the parity bit for

that byte, and the bit it is in is indicated by which byte of the final parity byte shows the wrong parity.

A simple way to obtain row and column parity for a sequence of characters on a computer would be to add three parity

characters to a line of 49 7-bit characters on this basis:

● With each character read, modify the three accumulators as follows:

❍ XOR the character to the first accumulator, and rotate it right one bit.

❍ XOR the character to the second accumulator, and rotate it left one bit.

❍ XOR the character to the third accumulator, and after every seven characters, rotate it right one bit.

This would allow one single-bit error in a line to be found and therfore corrected, as follows:

33333X3-----*------*------*------*------*------*- ==?

----2-13333*3*----2-1----2-1----2-1----2-1----2-1 ===

1--2---1--2---*33*3331--2---1--2---1--2---1--2--- ?==

-12-----12-----12----3**3333-12-----12-----12---- ===

-21-----21-----21-----21----3**3333-21-----21---- ===

2--1---2--1---2--1---2--1---2--1---*33*3332--1--- =?=

----1-2----1-2----1------1-2----1-2----1-23333*3* ===

The X is at the only point where the three lines of bits marked by 1, 2, and 3 all coincide. Note that the asterisks mark points

where two of them cross. Assuming the shifts after a byte is XORed in even take place after the last byte, the question marks

indicate where the three parity characters would show the wrong parity if there was an error at the point marked by the X.

It is easier to do this for 7-bit characters because 7 is an odd number, but it can also be done for 8-bit bytes, simply by rotating

only one accumulator by one bit for each byte, and not rotating one accumulator at all, as follows:

33313333---1-------1-------1-------1-------1-------1-------1---- ==?

----1---3333*333----1-------1-------1-------1-------1-------1--- ===

22222*2222222*22*****X**22222*2222222*2222222*2222222*2222222*22 =?=

------1-------1-------1-333333*3------1-------1-------1-------1- ===

-------1-------1-------1-------13333333*-------1-------1-------1 ===

1-------1-------1-------1-------1-------*33333331-------1------- ?==

-1-------1-------1-------1-------1-------1------3*333333-1------ ===

--1-------1-------1-------1-------1-------1-------1-----33*33333 ===

However, approaches based only on using parity bits are unsophisticated, and more efficient ways of correcting and detecting

multiple errors can be found if more sophisticated codes are used.

Another class of error-correcting codes are called Hamming codes. No longer trivial, these codes are also perfect, which

means they add exactly enough redundancy to a group of input bits to detect and correct a certain number of errors.

Note that this perfection applies to one particular situation, where errors occur randomly among bits. Where there is a

tendency for bits close together in a message to be in error together, this being called a burst error, other strategies are needed.

One common way of dealing with this is simply to apply conventional error-correcting codes to widely-separated bits at equal

intervals in a message. This, or the strategy of applying the error-correcting code first, and then spreading out the bits of each

output group, is called interleaving.

In a Hamming code, after the group of bits being encoded, the extra parity bits are formed by allocating every combination of

those bits with two or more of them equal to 1 to each bit position in the input. Hence, changing one bit in the input always

changes at least three bits in the word with error-correction added. Since no two rows in the error-checking part of the matrix

are identical, changing two bits in the input still results in a three-bit change at least; thus, the number of bits difference (or the

Hamming distance) between possible outputs (valid codewords) is a minimum of three.

A parity bit can be added to a Hamming code; the result is another perfect code, this time with a four-bit change resulting

from any change in the input.

The Hamming distance between valid codewords tells us how much error-checking we have. If there is no error-checking

added, each different input still gives a different output, for a distance of 1. If the distance is 2, one error can be detected, as is

the case for the code that just adds one parity bit. If the distance is 3, as for repeating a bit three times, or the basic Hamming

code without a parity bit added, one error can be corrected.

The error-correcting capabilities of an error-correcting code are given by the Hamming distance between codewords, but it is

possible to choose how to make use of them. For example, if we repeat every bit three times, we can either choose to accept

011 as standing for 1, hence correcting one error when it occurs, but being fooled if two errors happen, or we can choose to

discard it, accepting only 000 and 111. Thus, a Hamming distance of 3 can be used either to correct one error, or to detect two

errors. A distance of 4, such as obtained by a Hamming code with a parity bit, or by repeating a bit four times, allows

correcting one error and detecting two errors, or detecting up to three errors.

1 0 0 0 0 1 1

0 1 0 0 1 0 1

0 0 1 0 1 1 0

0 0 0 1 1 1 1

1 0 0 0 0 0 0 0 0 0 0 0 0 1 1

0 1 0 0 0 0 0 0 0 0 0 0 1 0 1

0 0 1 0 0 0 0 0 0 0 0 0 1 1 0

0 0 0 1 0 0 0 0 0 0 0 1 0 0 1

0 0 0 0 1 0 0 0 0 0 0 1 0 1 0

0 0 0 0 0 1 0 0 0 0 0 1 1 0 0

0 0 0 0 0 0 1 0 0 0 0 0 1 1 1

0 0 0 0 0 0 0 1 0 0 0 1 0 1 1

0 0 0 0 0 0 0 0 1 0 0 1 1 0 1

0 0 0 0 0 0 0 0 0 1 0 1 1 1 0

0 0 0 0 0 0 0 0 0 0 1 1 1 1 1

1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1

0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 1

0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0

0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 1

0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 1 0

0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0

0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 1

0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 1 0

0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 1 0 0

0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0

0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1

0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 1 1

0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 1

0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 0

0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 1 0 0 1 1

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 1 0 1 0 1

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 1 0 1 1 0

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 1 1 0 0 1

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 1 1 0 1 0

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 1 1 1 0 0

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 1 1 1 1

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 1 0 1 1 1

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 1 1 0 1 1

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 1 1 1 0 1

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 1 1 1 1 0

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1

Since a Hamming code, as shown, can only correct one error, decoding is simple:

● Take the data portion of the recieved codeword (the portion that should just contain the unmodified input data), and

place it through the Hamming code again. If there is a perfect match between the error-checking part of the recieved

block and the error-checking part of the one now generated, or if there is no more than one bit difference, the data as

recieved is assumed to be correct.

● If there are two or more bits of difference, find the row in the matrix where those bits are 1 bits in the error checking

part. The data bit which is passed through by a 1 on the diagonal in the data part of the matrix is the one in error.

This, of course, assumes that the transmitted block actually was subjected to no more than one error. When a parity bit is

added to the Hamming code, decoding is modified slightly:

● If parity is correct, decode the first part of the block, but accept the result only if no errors are found. (In this case, the

block is assumed to have been recieved correctly.)

● If parity is wrong, decode the first part of the block, and accept the result if either no errors are found (here, the error is

assumed to be in the parity bit itself), or if one error is found (and therefore corrected).

These are just one particular form for each of the three Hamming codes shown. Rearranging the rows or columns, or certain

other modifications, will not change the ability of the code to be used to detect or correct errors. Replacing one row of the

matrix by the XOR of itself and another row is allowed, because that will result in the matrix generating exactly the same set

of codewords, but they will be generated in some cases for different inputs.

There are a number of other codes used for error detection and correction. Examples of codes used in the same kind of form as

used with Hamming codes include Hadamard codes and Reed-Muller codes. These codes all add slightly more redundancy

than is required for the error-checking they seek to attain.

1 1 1 1 1 1 1 1 0 0 0 0 0 0 0 0

1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1

1 1 0 0 1 1 0 0 0 0 1 1 0 0 1 1

1 0 0 1 1 0 0 1 0 1 1 0 0 1 1 0

1 1 1 1 0 0 0 0 0 0 0 0 1 1 1 1

1 0 1 0 0 1 0 1 0 1 0 1 1 0 1 0

1 1 0 0 0 0 1 1 0 0 1 1 1 1 0 0

1 0 0 1 0 1 1 0 0 1 1 0 1 0 0 1

These codes are obtained by a procedure similar to that used to create fractal designs:

1 1 1 1

1 1 1 0 1 0

1 0 - becomes -->

1 1 0 0

1 0 0 1

applied as many times as desired, and then the result has its complement appended to it. Mariner 9 used the code of this type

that occupies a 32 by 64 matrix. This method only generates Hadamard codes of orders which are powers of 2. Hadamard

codes and matrices of many other orders which are multiples of 4 are also known, and it is conjectured, but not yet proven,

that one exists for every such order. These Hadamard codes are obtained by other, more difficult methods.

Only one other perfect code for binary signals is known, the binary Golay code. It takes a 12-bit input, and adds 11 error-

checking bits to it. Like the Hamming codes, an extra parity-check bit can be added, and the code remains perfect.

A modified form of the Golay code with parity bit added, so that the parity bit is no longer explicitly visible, is shown in a

book by two of the three co-authors of the Handbook of Applied Cryptography, and an equivalent form, modified by some

rearrangement of rows and columns (to obtain a shifting of the cyclic 11 by 11 portion of the error-checking matrix, and to put

the row and column of 1 bits in a more conventional position) is shown here:

1 0 0 0 0 0 0 0 0 0 0 0 1 0 1 1 0 1 1 1 0 0 0 1

0 1 0 0 0 0 0 0 0 0 0 0 0 1 1 0 1 1 1 0 0 0 1 1

0 0 1 0 0 0 0 0 0 0 0 0 1 1 0 1 1 1 0 0 0 1 0 1

0 0 0 1 0 0 0 0 0 0 0 0 1 0 1 1 1 0 0 0 1 0 1 1

0 0 0 0 1 0 0 0 0 0 0 0 0 1 1 1 0 0 0 1 0 1 1 1

0 0 0 0 0 1 0 0 0 0 0 0 1 1 1 0 0 0 1 0 1 1 0 1

0 0 0 0 0 0 1 0 0 0 0 0 1 1 0 0 0 1 0 1 1 0 1 1

0 0 0 0 0 0 0 1 0 0 0 0 1 0 0 0 1 0 1 1 0 1 1 1

0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 1 0 1 1 0 1 1 1 1

0 0 0 0 0 0 0 0 0 1 0 0 0 0 1 0 1 1 0 1 1 1 0 1

0 0 0 0 0 0 0 0 0 0 1 0 0 1 0 1 1 0 1 1 1 0 0 1

0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 0

In this code, the minimum Hamming distance between valid codewords is eight; without the parity bit, it would be seven.

A distance of seven allows either correcting three errors, correcting two errors and detecting four errors, correcting one error

and detecting five errors, or detecting six errors.

A distance of eight allows either correcting three errors and detecting four errors, correcting two errors and detecting five

errors, correcting one error and detecting six errors, or detecting seven errors.

Examine the error-checking portion, the second square half, of the matrix for the Golay code shown above. The right and

bottom edges consist of all ones except for a zero where they meet.

The remaining 11 by 11 square consists of the sequence 10110111000 repeated in every row, but shifted one space to the left

in each row. This sequence contains exactly six one bits, an even number.

The matrix is symmetric, hence unchanged when flipped around the diagonal running from the top left to the bottom right.

Hence, the fact that every row contains an odd number of 1 bits, the last row ANDed with any other row produces a row with

six one bits, and any two of the first 11 rows, when combined by an AND, produces a rotated version of one of the following

strings:

10110111000 and 01101110001 = 00100110000 (3 bits)

10110111000 and 11011100010 = 10010100000 (3 bits)

10110111000 and 10111000101 = 10110000000 (3 bits)

10110111000 and 01110001011 = 00110001000 (3 bits)

10110111000 and 11100010110 = 10100010000 (3 bits)

10110111000 and 11000101101 = 10000101000 (3 bits)

10110111000 and 10001011011 = 10000011000 (3 bits)

10110111000 and 00010110111 = 00010110000 (3 bits)

10110111000 and 00101101110 = 00100101000 (3 bits)

10110111000 and 01011011100 = 00010011000 (3 bits)

preceded by a single 1 bit, means that, using modulo 2 arithmetic, the error-checking matrix in the code as represented here is

its own inverse. (If it weren't for that extra zero, a different decoding matrix would be required, and a slightly more

complicated version of the decoding procedure given below would be required.) Because of the symmetry around the

diagonal, this is true both in the usual convention for matrix multiplication (numbers go in from the top, and come out on the

right) and the one used for error-correcting codes (numbers go in from the left, and come out on the bottom). For more

information on matrix multiplication, see the section concerning the Hill Cipher.

This helps to make it practical to check a codeword formed by this code, and then transmitted, for errors. The following

procedure will find the correct original 12-bit input if there were three or fewer errors in the transmitted 24-bit block, or it will

fail if there were four errors. (With more than four errors, of course, it can be fooled.)

● First, take the first half, and put it through the code, to see what the codeword would have looked like, if the first half

containing the actual data happens to be perfectly without error. Since we are able to correct up to three errors, if the

error-checking part of this result differs by no more than three bits from what was recieved, all the errors (if any)

happened in the error-checking part, so the data as recieved can be accepted.

● Second, take the second half, and put it through the code. Since the error-checking part of the matrix is its own inverse,

the error-checking half of the result will be what the data was supposed to have been, if the error-checking half of the

block was recieved perfectly without error. If that result differs by no more than three bits from what was recieved in

the data portion of the block, then the data as recovered from the error-checking part can be accepted.

● Third, consider the possibility that there were errors in both the data and error-checking part of the block. With three

errors it is possible that there could be one error in one of the two parts of the block, and two errors in the other part.

So, decoding continues by a limited amount of trial and error. Here, we will assume that exactly one bit in the data

portion of the block is in error. Thus, we will take the data portion of the block, and for each of the 12 bits of it in turn,

we will invert that bit, put the result through the code, and compare the error-checking portion of the result with that

recieved. If the result is two or fewer errors in the error-checking portion then the right bit has been found, and the data

portion with the bit you flipped is correct.

● Fourth, assume that exactly one bit in the error-checking portion of the block is in error, and for each of the 12 bits in

the error-checking portion, invert that bit, apply the code to the result, and compare the error-checking portion of the

output to the data portion of the recieved block. If two or fewer errors are found, then the data calculated from the error-

checking portion with one flipped bit contains the correct data.

Another perspective on the binary Golay Code, which I also found understandable, is contained in this thesis. In the form of

the Golay Code given above, eleven rows are cyclic, and one special, in the error-checking matrix; in the form discussed in

that thesis, all twelve rows are equivalent, but as they relate to the faces of a dodecahedron, there is no way to put them in a

cyclic order.

1 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 1 1 1 1 1 1

0 1 0 0 0 0 0 0 0 0 0 0 0 1 0 1 1 0 0 0 1 1 1 1

0 0 1 0 0 0 0 0 0 0 0 0 0 0 1 0 1 1 1 0 0 1 1 1

0 0 0 1 0 0 0 0 0 0 0 0 0 1 0 1 0 1 1 1 0 0 1 1

0 0 0 0 1 0 0 0 0 0 0 0 0 1 1 0 1 0 1 1 1 0 0 1

0 0 0 0 0 1 0 0 0 0 0 0 0 0 1 1 0 1 0 1 1 1 0 1

0 0 0 0 0 0 1 0 0 0 0 0 1 0 1 1 1 0 1 0 1 1 0 0

0 0 0 0 0 0 0 1 0 0 0 0 1 0 0 1 1 1 0 1 0 1 1 0

0 0 0 0 0 0 0 0 1 0 0 0 1 1 0 0 1 1 1 0 1 0 1 0

0 0 0 0 0 0 0 0 0 1 0 0 1 1 1 0 0 1 1 1 0 1 0 0

0 0 0 0 0 0 0 0 0 0 1 0 1 1 1 1 0 0 0 1 1 0 1 0

0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 0 0 0 0 0 1

Each of the twelve rows and columns of the error-checking part of the matrix corresponds to a face of the dodecahedron, and

it contains a zero for every pair of faces that are next to one another. (A face is not considered to be next to itself.) This is still

a Golay code, with the same error-correcting property of a Hamming distance of 8 between codewords, and not only is the

error-checking matrix symmetric, but once again it is its own inverse as shown here. Because of the dodecahedral symmetry,

once again, it is only necessary to AND one row of the matrix with the eleven other rows to establish that. For example, row 1

shares four bits with rows 2 to 11, and two bits with row 12.

But being self-dual is not a necessary property of a Golay code; either example of a Golay code given here would still be a

Golay code if the error-checking matrix were reflected left to right, since the error-checking properties would be identical, but

then that matrix would not be its own inverse.

This site contains a link to a paper in DVI format giving eight different constructions of the binary Golay code.

(Unfortunately, you may have difficulty in viewing documents in DVI format on your system.)

And here is an example of a form of the Golay code, again one that generates 24-bit output, with the parity bit concealed, that

may have actually been used in the transmission of information; it is part of an unofficial draft standard for automatically

establishing radio links, and thus it may have been taken from previous actual practice or standards:

1 0 0 0 0 0 0 0 0 0 0 0 1 0 1 0 1 1 1 0 0 0 1 1

0 1 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 0 0 1 0 0 1 0

0 0 1 0 0 0 0 0 0 0 0 0 1 1 0 1 0 0 1 0 1 0 1 1

0 0 0 1 0 0 0 0 0 0 0 0 1 1 0 0 0 1 1 1 0 1 1 0

0 0 0 0 1 0 0 0 0 0 0 0 1 1 0 0 1 1 0 1 1 0 0 1

0 0 0 0 0 1 0 0 0 0 0 0 0 1 1 0 0 1 1 0 1 1 0 1

0 0 0 0 0 0 1 0 0 0 0 0 0 0 1 1 0 0 1 1 0 1 1 1

0 0 0 0 0 0 0 1 0 0 0 0 1 0 1 1 0 1 1 1 1 0 0 0

0 0 0 0 0 0 0 0 1 0 0 0 0 1 0 1 1 0 1 1 1 1 0 0

0 0 0 0 0 0 0 0 0 1 0 0 0 0 1 0 1 1 0 1 1 1 1 0

0 0 0 0 0 0 0 0 0 0 1 0 1 0 1 1 1 0 0 0 1 1 0 1

0 0 0 0 0 0 0 0 0 0 0 1 0 1 0 1 1 1 0 0 0 1 1 1

The error-checking part of the matrix is not symmetric along the main (upper left to lower right) diagonal, and its transpose is

shown as being used in decoding. Also, it is said to have been generated from the polynomial

11 9 7 6 5

x +x +x +x +x +x+1

Each column has seven ones in it, so when multiplied by its transpose, there will be a 1 in every position on the diagonal in

the result. Any two distinct columns have either four or two ones in common, (as I had to verify by brute force with a short

BASIC program) and so the transpose of the error-checking part of the matrix is indeed also the inverse of that part.

Despite the fact that each column and row contains seven ones, the error matrix can't be produced simply by rearranging rows

and columns of the one produced from the dodecahedron. This can be shown because the columns corresponding to opposite

faces can be identified (no zeroes in the same row), and two non-opposite faces must be adjacent to two other faces, and those

two faces must be adjacent to three other (than the first two: those two faces may be adjacent to each other if the two non-

opposite faces were not adjacent) faces each, two from each group of which are opposite to two from the other group (which

is the point at which it breaks down if you start with the first two columns).

Error-checking in this case involves the use of the inverse of the error-checking part of the matrix, but otherwise the algorithm

is the same as the one given above.

The field of error-correcting codes, like the field of data compression, is still a very active one, with new research being done

and patents being issued on new methods.

In the 1970s, a set of error-correcting codes called "Fire codes" were developed. One of the simplest of these could be used as

a direct replacement for a parity bit, used with each character in many existing systems, providing error correction instead of

just the detection of erroneous characters.

Data * - - - - - - - * * - - * - - - - * - - *

bits - * - - - - - - * - * - - * - - - * - - *

- - * - - - - - * - - * - - * - - * - - *

- - - * - - - - * - - - * - - * - * - - *

- - - - * - - - * - - - - * - - * * - - *

- - - - - * - - * - - - - - * - - X - - *

- - - - - - * - * - - - - - - * - * * - *

- - - - - - - * * - - - - - - - * * - * *

Parity = = = = = = = = P = = = = = = = = ! = = !

Each parity bit is the XOR of parity for the data byte with which it is associated and parity for staggered bits from the eight

previous bytes. Essentially, it is a clever way to obtain the same results as are provided by the use of row and column parity

bits. (After the last byte of data, one extra byte, with the extra parity bit, is needed to provide parity for all the remaining

diagonals.)

More complicated forms involved XORing these parity bits with the parity of another group of eight bits, staggered by being

from bytes separated by a larger distance.

A very recent exciting development in error-correcting codes is the class of codes known as "Turbo Codes". These codes are

based on the principle of applying two error-correcting codes to the data bits, but with different interleaving. Just as

interleaving by itself turns a burst error into scattered individual-bit errors, which error-correcting codes can deal with more

easily, using two different interleaving schemes on the data being transmitted reduces to a very small value the chance that

any bit will be unrecoverable due to an excessive number of random errors in both of the error-correcting code blocks in

which it is found. (The same principle can also be applied to continuous error-correcting codes as well as block codes.)

Table of Contents

Home Page

[Next] [Up] [Previous] [Index]

Geheimschreiber T-52

This teletypewriter enciphering machine was bulky and expensive and complicated.

Swedish cryptanalysts under Arne Beurling cracked the cipher of the simplest variant

of this machine, the T-52a and T-52b.

The British never achieved a regular penetration of T-52 messages. It now appears that,

at least during the war, that the only T-52 messages they deciphered were messages

that belonged to pairs sent with the same key, but they were able to determine how the

T-52 worked from those messages.

One part of the reason for this is that many messages encrypted by the T-52 were sent

over land lines, which the Swedes, but not the British, had the opportunity to intercept.

But another reason was that the T-52 was used to encrypt high-level strategic traffic for

the Luftwaffe, which also sent similar messages using Enigmas. Thus, attacking the T-

52 was lower in priority than attacking the Lorenz Schlusselzusatz, which was used to

encrypt high-level strategic traffic for the German Army, or Heer, which, although it

did use Enigmas for tactical messages, did not generally use them for messages with

information of strategic importance.

It may also be noted that the final version of the machine, the T-52e, which included

two improvements which previously appeared separately in the T-52c and T-52d,

seems to be a very secure design, although the use of cams instead of resettable

pinwheels was a serious flaw.

Ten wheels, in this machine cams whose pattern of 0 and 1 positions could not be

modified, of sizes 73, 71, 69, 67, 65, 64, 61, 59, 53, and 47, which were called A, B, C,

D, E, F, G, H, and K respectively, provided the raw material for this machine's cipher.

In additon to having their states sensed at the primary tap point, producing the output

that was XORed with the plaintext characters or controlled their shuffling, they were

also sensed at a point 25, 24, 23, 23, 22, 22, 20, 20, 18, and 16 positions earlier,

respectively.

This additional position controlled the movement of the wheels, so that they stepped in

an irregular fashion.

The way in which the wheels stepped can best be explained by an oversimplified form

of that motion. Each wheel moved unless both of two possible conditions was met, in

which case it was prevented from moving: In the simplified model:

A B C D E F G H J K

if

~C C ~E E G ~G J ~J A ~A

and

~B ~D D F ~F ~H H K ~K B

Note that the twenty conditions involved both the extra tap on each wheel and its

inverse, and no wheel controlled itself. Since every wheel had to be either 1 or 0, and

the condition was OR for movement, at least five of the ten wheels had to move with

this arrangement, so although the wheels controlled each other, they could not get stuck

in a state where they never stepped.

Mechanically, this worked as follows: both the plus and minus connections to an

electromagnet were controlled by relays, so the electromagnet was energized only if

the relays at both ends allowed current to flow. The magnets were interposer magnets:

if active, they prevented the cam they controlled from moving.

From the main sensing position on the cams A through K, ten signals were derived,

labelled 1, 3, 5, 7, 9, and I, II, III, IV, and V, that performed the actual operation of

modifying the plaintext to produce the ciphertext.

I through V were XORed with bits 1 through 5 of the plaintext character. Then bits in

the character were swapped: 1 caused (if its value was 1 instead of 0) bits 1 and 5 to be

swapped; signals 3, 5, 7, and 9 swapped bits 4 and 5, 3 and 4, 2 and 3, and finally 1 and

2.

First, bits A through K were exchanged, by a simple plugboard on the T52a, T52b, and

T52d, and by a set of switches that performed the same function as a plugboard on the

T52e, and by an elaborate set of five switches with eight positions on the T52c. Then,

in the T52c and the T52e, the ten signals went into a bank of relays, so that each of the

signals, 1 through 9 and I through V, that performed the actual encipherment was the

XOR of several cam outputs.

Circles, except when they are sockets or plugs for a plugboard, are XOR gates. The

rectangles are AND gates. The black and white hourglasses are inverters. The wide

white hourglasses swap the two inputs from the top to form the two outputs at the

bottom depending on the input from the side. The logic being relay logic, wired-OR is

present.

The T52e, shown here, included all the features that this telecipher acquired over its

development. The extra features, over and above a simple set of ten cams controlling

XORs and swaps of plaintext bits, are divided into two groups; one group was also

present only on the T52c, and the other group was also present only on the T52d.

The relay bank was also present in the T52c, but it was wired differently. The T52c

also had a means of altering the order in which cam outputs went to the relay bank, but

instead of a plugboard, it was a set of five eight-position switches, each one controlling

three swaps of the cam signals.

The T52d did not have those features, but it did have cam stepping logic; again, that

logic was somewhat different from that of the T52e.

follows:

3 6 9 12 15

2 5 8 11 14

1 4 7 10 13

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

-----------------------------------------------------

P 0 0 0 0 1 0 0 0 1 1 0 1 1 1 1

S 0 1 0 1 0 0 0 1 1 1 1 0 0 0 0

T 1 0 0 0 0 1 1 0 1 1 1 1 0 1 0

U 0 0 1 0 1 1 1 1 0 0 0 0 1 0 0

W 0 1 1 1 0 1 1 1 1 0 1 0 0 0 1

X 1 0 1 1 1 0 0 0 0 1 0 0 0 1 1

Y 1 1 0 1 1 1 0 1 0 0 0 1 1 0 1

Z 1 1 1 0 0 0 1 0 0 0 1 1 1 1 0

The T52d and T52e are shown here in the "ohne Klartextfunktion" mode. They also

had a feature where the third bit of a plaintext character, after a delay, was introduced

into the cam stepping logic, which was also changed in that mode. This limited

autokey, or "clear text function", caused serious problems of garbling in practice, and

was therefore little used.

However, that does not prevent me from including diagrams of the T52d and T52e in

this mode, particularly as the stepping logic is somewhat more symmetrical in this

mode in both cases.

then, the T52d "mit Klartextfunktion".

[Next] [Up] [Previous] [Index]

Next

Chapter Start

Skip to Next Section

Table of Contents

Main Page

[Next] [Up] [Previous] [Index]

This telecipher device combines some of the features of the SZ-40 and T-52, in a

design that is secure yet economical.

The device has two sets of five pinwheels, of lengths 19, 21, 23, 25, and 26. ( Toby's

Cryptopage, now available again after a hiatus, also discusses the TA-1, a later version

with larger pinwheels of lengths 26, 29, 31, 33, and 35.) The pins are pushed in or

pulled out by the user, and the five bits of each plaintext character are modified by

being subjected to an exclusive-OR operation with the current pin of the corresponding

pinwheel from each of the two sets.

The first set of pinwheels steps one position for every character enciphered. An

additional position on the pinwheels, besides the one used to XOR the plaintext, is

sensed (two positions earlier). That alternate output, from all five pinwheels, is XORed

together, creating a single bit; if 0, the second set of pinwheels steps only once; if 1,

they step twice.

The second set of pinwheels is also sensed at the same alternate position, and the

output from all of them is combined by XOR. This time, the result, if 1, causes the

entire output ciphertext character to be inverted.

This design allows two identical modules to be used in the device, thus making

manufacture more economical. It achieves irregular stepping, but only ten, not twelve,

pinwheels are required.

The source for the information on this page is the home page of Torbjörn Andersson,

entitled Toby's Cryptopage, which has an entry in my Links section. It is well worth a

visit, and includes original photos of many of the machines discussed here; not just the

SA-1, but also the T-52 and the B-211.

Next

Chapter Start

Skip to Next Section

Table of Contents

Main Page

[Next] [Up] [Previous] [Index]

An American Patent

U. S. Patent 4157453 is one of the few patents that were secretly issued to people

working for the NSA or one of its predecessor agencies that has now been publicly

issued in normal fashion, many years later.

It was filed on October 10th, 1944, but issued on June 5th, 1979. The inventor was Leo

Rosen, known to history as the one who had the inspiration to realize that the Japanese

cipher machine codenamed PURPLE used telephone stepping switches.

This patent refers only to scrambling the order of bits in a teletypewriter signal, without

inverting any bits. However, in addition to shuffling the bits within a single character,

as the T-52 did, this device moved bits between characters.

Originally, I was only able to see the claims of this patent, but the text of it has since

become available. It turns out that it referred to buffering two or four 5-level-code

characters, recieved serially, in banks of relays, transposing the stored bits, and then

transmitting the result. Given the technology of the time, commutator switches were

used to access relays serially; today, a designer thinking of how to perform such an

operation would no doubt think of shift registers.

Having just seen a brief description of the purpose of the invention, I had supposed that

this patent could have been for a system that was actually applied to a combined time

and frequency division voice scrambler, with its application disguised for security.

However, as a telecipher device, one of the simplest ways in which to accomplish this

kind of scrambling would be to do the following: use pinwheels to scramble the bits

within a character; then, subject these bits to a fixed pattern of delays, so that they are

distributed among two to five different characters; then, perform a second pinwheel-

controlled scramble of the bits within each character.

To decipher, one first inverts the second scramble. Then, one delays the bits in a

complementary fashion to that used for enciphering: if bits 1 to 5 are subject to delays

0 1 0 1 0 on enciphering, then use delays 1 0 1 0 1 on deciphering, for a net delay of

every bit by 1 character; if bits 1 to 5 are subject to delays 0 1 2 3 4 on enciphering, use

delays 4 3 2 1 0 for deciphering, for a net delay of 4 characters. Then, invert the first

scramble, with the pinwheels controlling it offset so that their scramble is delayed to

match the net delay of the enciphering delay stage and its deciphering complement.

[Next] [Up] [Previous] [Index]

Next

Skip to Next Chapter

Chapter Start

Table of Contents

Home Page

[Next] [Up] [Previous] [Index]

This machine is described in an article in a recent issue of Cryptologia magazine,

which also provides accompanying information of historical and human interest.

The original version supplied thirteen live inputs to the input rotor. Five outputs from

the other end were XORed to the five bits of a teletypewriter character. The rotors

advanced conventionally for each character enciphered, and had only one carry

position. Like the SIGABA, the letter O, and not A, indicated the zero position of the

rotors. The five rotors included one that moved for every letter enciphered, and one that

moved only when that first rotor completed a full rotation and so on, like an odometer,

but with one difference: which rotor moved with which frequency could be chosen

arbitrarily. The original Hebern machine had three classes of rotor movement, and it

too allowed the selection of how the individual rotors moved, but in a less

straightforwards manner.

Since 13 inputs out of 26 were live, each bit of the five outputs had a 50-50 chance of

being live, but not all 32 combinations of all five outputs were equally likely: five ones

or five zeroes were the least likely, and 2 or 3 of each was the most likely.

This simple design was found to be insecure, after being put into use, for a particular

case of operator error. A considerably revised version served for some time, and its

description is as follows:

In the revised version, there were only five live inputs to the input rotor. Fifteen

outputs from the other end were wired together in five groups of three to provide the

five output bits. This gave each bit a probability of about 48.846%, or exactly 381/780,

of being a one.

In the original design, all five rotors moved in the conventional manner of wheels on an

odometer, except that the position of the rotor that moved with every character

enciphered, and the position of each rotor that moved when another rotor completed a

full circle, could be set arbitrarily. In the revised design, three rotors moved in that

way, and two other rotors had movements called fast bump and slow bump that

depended on the bits the rotors generated.

If bit 1, bit 3, and bit 5 of the generated bits (to be XORed with the plaintext to create

ciphertext) were all ones, the slow bump rotor would advance for the next character. If

bit 2 and bit 4 were both 1, the fast bump rotor would advance. In addition, the slow

bump rotor skipped an extra position when it reached O, as well as stepping the slow

rotor (if the slow rotor was also at O; this may have been a misprint for 'slow bump',

since that won't happen very often).

The bump rotors meant that extra parts did have to be added to the machine to effect

the conversion; it was not a simple case of rewiring. Even the early version of the

machine appeared to be highly secure at first glance, which makes Frank Rowlett's feat

of establishing its weaknesses impressive.

An issue of Cryptologia some years previous to the issue in which SIGCUM or the M-

228 was described, quoted a government memo which referred to the M-294. This

machine was very similar to the SIGABA, except that the five "cipher rotors" supplied

a bitstream to encipher a teletypewriter message; presumably using an arrangement

similar to that seen here. Such a device would certainly provide a method of

encipherment for teletypewriter messages of impressive security. SIGNIN was an

alternative designation for the M-294. The M-138 and M-138-A, indirect predecessors

of the SIGABA, were rotor machines, of the Hebern type, acting upon the 26 letters of

the alphabet, but with the motions of their five rotors controlled by a paper tape; in a

way, these machines were the exact inverse or complement of SIGCUM.

Frank B. Rowlett passed away on June 29, 1998, at the age of 90.

Next

Chapter Start

Table of Contents

Main Page

[Next] [Up] [Previous] [Index]

In some ways, the cipher systems outlined in this chapter are disappointing, compared

to what we had seen in the previous chapter.

electromechanical devices, and it may also involve the psychological effect of

overconfidence in the security of a system based on new and unfamiliar principles.

The M-228 is an exception to both halves of this generalization; it is secure, but it isn't

entirely new, being largely based on a rotor mechanism.

Of course, it is true that I could have described the T-52 in more detail (at least in

words, for those who cannot recieve the schematic diagrams included in that section,

which do accurately describe it). It is certainly very complex. But the complexity and

expense of the machine are beyond those of the SIGABA, while the security may well

be less even than that of the Enigma. (Yes, it was broken less often than the Enigma;

but there were fewer intercepts, and the more restricted distribution of the machine

makes it likely that it was more carefully used.) Had the routing of signals to the

various inversion and swapping relays changed with every character, instead of merely

being a static part of the key, the system might have been significantly more secure. Of

course, even more important would be the change to pinwheels instead of cams.

It is interesting that one wire in the Swedish SA-1 seems to hold the key to the security

of that machine. That wire is the one from the first pinwheel bank which controls the

stepping of the second pinwheel bank. But can something that contains only a single bit

of information per five-bit character really provide security?

The M-228 is interesting, and as noted in the section on it, apparently a newer machine

existed that was like a SIGABA, except that the cipher rotors were used to encipher

teletypewriter signals in the fashion of the M-228.

illustrates an interesting idea for taking that concept even further. The cipher rotors

work like the old M-228, in order to XOR the message with unbiased individual bits.

The control rotors are also simplified, so that they can produce five extra signals, which

are also XORed with the message.

This appears to strengthen the machine, since bits from two essentially independent

sources are XORed with the plaintext. Can we be sure that the bits from the cipher

rotors completely mask those from the control rotors, though, or could this design have

a weakness, by offering a "window" to the control rotors?

Next

Chapter Start

Table of Contents

Main Page

[Next] [Up/Previous] [Index]

One could perhaps quarrel with the title of this section. What about Playfair, or

the Hill cipher? But LUCIFER, part of an experimental cryptographic system

designed by IBM, was the direct ancestor of DES, also designed by IBM.

Like DES, LUCIFER was an iterative block cipher, using Feistel rounds. That is,

LUCIFER scrambled a block of data by performing an encipherment step on that

block several times, and the step used involved taking the key for that step and

half of that block to calculate an output which was then applied by exclusive-OR

to the other half of the block. Then, the halves of the block were swapped, so that

both halves of the block would be modified an equal number of times.

described in an article in the journal Cryptologia by Arthur Sorkin. An article in

Scientific American discussed plans for LUCIFER on a more general level, and

described what was essentially a different kind of block cipher.

implemented in terms of operations on one byte of the right half of the message

at a time. However, I will describe LUCIFER here in the same general fashion

that DES is described.

Subkey generation

Each round uses a 72-bit subkey. The subkey for the first round consists of the

first byte of the key repeated twice, followed by the next seven bytes of the key.

Rotate the key left by seven bytes, then generate the subkey for the next round.

The f-function

XOR the right half of the block with the last eight bytes of the subkey for the

round.

Based on the bits of the first byte of the subkey for that round, swap nibbles in

the eight bytes of that result for those bytes which correspond to a 1 bit.

Use S-box 0 for the most significant nibble of each of these eight bytes, and S-

box 1 for the least significant nibble of each byte:

Input: 0 1 2 3 4 5 6 7

S-box 0 output: 12 15 7 10 14 13 11 0

S-box 1 output: 7 2 14 9 3 11 0 4

Input: 8 9 10 11 12 13 14 15

S-box 0 output: 2 6 3 1 9 4 5 8

S-box 1 output: 12 13 1 10 6 15 8 5

Permute the 64 bits of the result, numbered from 0 (for the most significant bit)

to 63 (for the least significant bit), by the following permutation:

10 21 52 56 27 1 47 38 18 29 60 0 35 9 55 46

26 37 4 8 43 17 63 54 34 45 12 16 51 25 7 62

42 53 20 24 59 33 15 6 50 61 28 32 3 41 23 14

58 5 36 40 11 49 31 22 2 13 44 48 19 57 39 30

LUCIFER has sixteen rounds. In each round, the f-function is calculated using

that round's subkey and the left half of the block. The result is then XORed to the

right half of the block, which is the only part of the block altered for that round.

After every round except the last one, the right and left halves of the block are

swapped.

Comments

Although LUCIFER has a larger block and key size than DES, it is considerably

more vulnerable to attacks from differential cryptanalysis, and is also weak due

to the regular nature of its key schedule.

However, this does not mean that the LUCIFER algorithm is useless. If a

reasonably good stream cipher is used both before and after LUCIFER, its

weaknesses essentially become irrelevant, and its strengths are still present. It

might indeed be argued that this kind of precaution ought to be used with DES as

well.

[Next] [Up/Previous] [Index]

Next

Chapter Start

Skip to Next Section

Table of Contents

Main Page Home Page

[Next] [Up] [Previous] [Index]

You may remember that when the Data Encryption Standard was first presented,

there was a great deal of controversy. Since then, much of the dust has settled.

We know now for sure that the key was much too short. (Since that was written,

we learned that it was really much too short, thanks to this project.)

systems is not a reasonable alternative. Instead, just encrypt the key that way, and

use a conventional cryptosystem, but a better one than just plain DES, for the

message.

It's clear that the secret the NSA asked IBM not to reveal was the method of

differential cryptanalysis. Since the S-boxes were not optimized against linear

cryptanalysis, this proves that IBM didn't know about that attack back then.

Although the fact that the NSA did certify the design as secure might suggest that

the NSA didn't have that technique either, the inference is not really warranted:

the NSA is, after all, an agency noted for its reticence.

And there is also a result showing that DES with all sixteen subkeys specified

independently is not much stronger than a cipher with a 65-bit key.

DES is designed for implementation in hardware, and even includes some steps

which do not appear to strengthen the cipher at all but which are hard to perform

in software. If, however, DES had been a secret algorithm, these extra steps

would have helped to make it harder to determine the algorithm by analysis.

algorithm here, although it appears in many other sources; the official standard is

even available from the NIST web server.

Feistel rounds.

[Next] [Up] [Previous] [Index]

Details of DES

Variations of DES

Next Section

Chapter Start

Skip to Next Chapter

Table of Contents

Main Page

Home Page

[Next] [Up/Previous] [Index]

Standard

In my description of LUCIFER, I numbered bits from 0 to 127 or from 0 to 63;

here, bits will be numbered from 1 to 64 or from 1 to 32. In both cases, the

lowest-numbered bit is the MSB of the first character, and the highest-numbered

bit is the LSB of the last character; that is, big-endian (68000-like and not 8086-

like) conventions are observed throughout.

First, for no particularly good reason (except, just possibly, to group together the

most and least significant bits of uncompressed text characters) the bits of the

block are transposed according to the following permutation:

58 50 42 34 26 18 10 2 60 52 44 36 28 20 12 4

62 54 46 38 30 22 14 6 64 56 48 40 32 24 16 8

57 49 41 33 25 17 9 1 59 51 43 35 27 19 11 3

61 53 45 37 29 21 13 5 63 55 47 39 31 23 15 7

follows: if the permutation begins 58 50 42..., that means that the first bit of the

output came from bit 58 of the input, the second bit of the output came from bit

50 of the input, and so on.

For 16 rounds, the left half, or the first 32 bits, is modified by being XORed with

a 32 bit result calculated from the right half of the block in its current state and

the subkey for that round. After each of the first 15 rounds, the halves are then

swapped.

The f-function

This calculation, known as the f-function, proceeds as follows:

The 32-bit right half of the block is expanded to 48 bits by means of this, the

expansion permutation:

32 1 2 3 4 5 4 5 6 7 8 9 8 9 10 11 12 13

12 13 14 15 16 17 16 17 18 19 20 21 20 21 22 23 24 25

24 25 26 27 28 29 28 29 30 31 32 1

The eight groups of four bits in the right half are each made the middle four bits

of a group of six bits in the result, and they are joined, on each side, by the bits

that were adjacent to them originally. Those two outer bits are, in a way,

supplementary to the four bits in the middle, since the S-box tables contain four

encodings of the middle bits, in which every different value has a different result,

selected by the two outer bits.

32 5 1 2 3 4 4 9 5 6 7 8

to allow the S-boxes to be laid out more simply, provided that one generated and

stored the subkeys with the same change in the order of their bits.)

After the right half of the block has been expanded to 48 bits, it is XORed with

the current round's 48-bit subkey. The result is then used as the input to eight

lookup tables, with a six bit input and a four bit output.

Bit |Bits 2, 3, 4, and 5 form:

1 6 | 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

|-----------------------------------------------

0 0 |14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7

0 1 | 0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8

1 0 | 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0

1 1 |15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13

7 12 | 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

|-----------------------------------------------

0 0 |15 1 8 14 6 11 3 4 9 7 2 13 12 0 5 10

0 1 | 3 13 4 7 15 2 8 14 12 0 1 10 6 9 11 5

1 0 | 0 14 7 11 10 4 13 1 5 8 12 6 9 3 2 15

1 1 |13 8 10 1 3 15 4 2 11 6 7 12 0 5 14 9

13 18 | 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

|-----------------------------------------------

0 0 |10 0 9 14 6 3 15 5 1 13 12 7 11 4 2 8

0 1 |13 7 0 9 3 4 6 10 2 8 5 14 12 11 15 1

1 0 |13 6 4 9 8 15 3 0 11 1 2 12 5 10 14 7

1 1 | 1 10 13 0 6 9 8 7 4 15 14 3 11 5 2 12

19 24 | 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

|-----------------------------------------------

0 0 | 7 13 14 3 0 6 9 10 1 2 8 5 11 12 4 15

0 1 |13 8 11 5 6 15 0 3 4 7 2 12 1 10 14 9

1 0 |10 6 9 0 12 11 7 13 15 1 3 14 5 2 8 4

1 1 | 3 15 0 6 10 1 13 8 9 4 5 11 12 7 2 14

25 30 | 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

|-----------------------------------------------

0 0 | 2 12 4 1 7 10 11 6 8 5 3 15 13 0 14 9

0 1 |14 11 2 12 4 7 13 1 5 0 15 10 3 9 8 6

1 0 | 4 2 1 11 10 13 7 8 15 9 12 5 6 3 0 14

1 1 |11 8 12 7 1 14 2 13 6 15 0 9 10 4 5 3

31 36 | 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

|-----------------------------------------------

0 0 |12 1 10 15 9 2 6 8 0 13 3 4 14 7 5 11

0 1 |10 15 4 2 7 12 9 5 6 1 13 14 0 11 3 8

1 0 | 9 14 15 5 2 8 12 3 7 0 4 10 1 13 11 6

1 1 | 4 3 2 12 9 5 15 10 11 14 1 7 6 0 8 13

37 42 | 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

|-----------------------------------------------

0 0 | 4 11 2 14 15 0 8 13 3 12 9 7 5 10 6 1

0 1 |13 0 11 7 4 9 1 10 14 3 5 12 2 15 8 6

1 0 | 1 4 11 13 12 3 7 14 10 15 6 8 0 5 9 2

1 1 | 6 11 13 8 1 4 10 7 9 5 0 15 14 2 3 12

43 48 | 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

|-----------------------------------------------

0 0 |13 2 8 4 6 15 11 1 10 9 3 14 5 0 12 7

0 1 | 1 15 13 8 10 3 7 4 12 5 6 11 0 14 9 2

1 0 | 7 11 4 1 9 12 14 2 0 6 10 13 15 3 5 8

1 1 | 2 1 14 7 4 10 8 13 15 12 9 0 3 5 6 11

Then, the 32 bit result formed by the output of the eight S-boxes above in turn is

subjected to the following permutation, P:

16 7 20 21 29 12 28 17 1 15 23 26 5 18 31 10

2 8 24 14 32 27 3 9 19 13 30 6 22 11 4 25

One round of DES, with the f-function shown in detail, is illustrated by the

following diagram, accompanied by another diagram giving an overview of the

whole block cipher:

Round:

Overview:

normally use, for the S-boxes, a table with 32-bit entries showing each four-bit

output as it looks after going through permutation P.

After the sixteen rounds of DES are complete, the left and right halves of the

block together, not swapped in the last round, are then subjected to the inverse of

the initial permutation, which takes the bits from 1 to 64 of the block, and puts

them in the final result in this order:

40 8 48 16 56 24 64 32 39 7 47 15 55 23 63 31

38 6 46 14 54 22 62 30 37 5 45 13 53 21 61 29

36 4 44 12 52 20 60 28 35 3 43 11 51 19 59 27

34 2 42 10 50 18 58 26 33 1 41 9 49 17 57 25

Subkey generation

The 56-bit key used by DES is, when in standard format, stored in eight bytes, in

which the least significant bit of each byte is used for parity! Thus, the

permutation, called Permuted Choice 1, which divides the 56-bit key into two 28-

bit halves, acts on bits 1 through 7, 9 through 15, 17 through 23, and so on.

First half:

57 49 41 33 25 17 9 1 58 50 42 34 26 18

10 2 59 51 43 35 27 19 11 3 60 52 44 36

Second half:

63 55 47 39 31 23 15 7 62 54 46 38 30 22

14 6 61 53 45 37 29 21 13 5 28 20 12 4

Like the initial permutation and inverse initial permutation, permuted choice 1 is

irrelevant to the strength of DES, except insofar as it makes things awkward for

general-purpose computers. On the other hand, the permutation P is vitally

necessary to the cryptographic strength of DES.

The two 28-bit quantities are then subjected to successive circular left shifts of

different sizes before the subkey for each round is determined from them. These

circular left shifts, one of which is applied before the first subkey is taken, are in

order of the following sizes:

1 1 2 2 2 2 2 2 1 2 2 2 2 2 2 1

Note also that to decrypt, the only alteration in the DES algorithm is that the

subkeys are used in reverse order.

The 48-bit subkey for each round is extracted from the two 28-bit quantities, the

first consisting of bits 1 to 28, and the second of bits 29 to 56, by the following

permutation, Permuted Choice 2:

14 17 11 24 1 5 3 28 15 6 21 10

23 19 12 4 26 8 16 7 27 20 13 2

41 52 31 37 47 55 30 40 51 45 33 48

44 49 39 56 34 53 46 42 50 36 29 32

Note that, since only 48 bits are produced, some numbers from 1 through 56 are

absent. This permutation is important to the strength of DES. (Also, if the

implementation is modified to simplify the arrangement of the S-boxes, as noted

in the preceding parenthetical note, then this permutation is the one that must be

changed correspondingly, to 14 5 17 11 24 1, 3 10 28 15 6 21, and so on. Also,

likely the subkeys would be stored in 8-byte spaces, with each byte containing

only six bits of the subkey.)

Next

Chapter Start

Skip to Next Section

Table of Contents

Main Page Home Page

[Next] [Up] [Previous] [Index]

Variations of DES

DES, being the best known of a whole class of ciphers, has inspired many

suggestions for variations of it.

The initial permutation and inverse initial permutation, and perhaps also

permuted choice 1, could be removed, to obtain a cipher of equivalent intrinsic

strength, but simpler to perform on a computer.

The sixteen subkeys could be supplied directly as a key, instead of being derived

from a short 56-bit key. However, a result reported in Bruce Schneier's book

Applied Cryptography shows that the strength of that is only a slight

improvement on that of regular DES, essentially equivalent to using a 65-bit key.

If the eight S-boxes are moved, from their regular positions so that the order in

which they are applied to the successive six-bit groups of their input is 2, 4, 6, 7,

3, 1, 5, and 8, without altering the permutation P, DES remains highly resistant to

differential cryptanalysis, but becomes resistant to linear cryptanalysis as well.

(Any re-ordering of the S-boxes in which S-boxes 1, 7, and 4 are consecutive and

in that order can make DES very weak against differential cryptanalysis, as noted

in Biham and Shamir's original paper on differential cryptanalysis.)

RSA Data Security has recommended DESX, which is simply DES strengthened

by performing an XOR against additional key bits at the beginning and at the end

of encipherment.

One way in which DES might be strengthened by a simple modification that has

occurred to me is this: retain the initial and inverse initial permutations, but

perform them after rounds 4 and 12 of the cipher respectively. This way, they are

contributing something to its strength. Perhaps it would even be possible to use a

112-bit key, as follows: for the first 56 bits, generate the regular key schedule,

and use it during rounds 1 through 4 and 13 through 16. For the last 56 bits, use

the decrypting key schedule from those bits during rounds 5 through 12. Unlike

DESX, though, this kind of modification is only applicable if one is performing

DES encryption in software, not when using existing DES hardware.

Another possible way of using a 112-bit key would be by enhancing DES with an

idea I use in QUADIBLOC: use 32 subkeys, by applying the f-function twice,

first to the right half of the block, then to the first f-function output, before

XORing the result to the right half. This propagates changes in the block more

quickly.

Also, it would seem to me that one could obtain a very strong cipher by

alternating pairs of rounds of DES with rounds of SAFER, a block cipher based

on very different principles.

A more economical way to realize increased strength would be, perhaps, to take

the variation suggested above, with IP after round 4, and IIP after round 12, and

apply, before and after each of these permutations a user-supplied substitution,

part of the key, acting on the eight bytes of the block. The inverse of this

substitution would be used on deciphering. Since differential cryptanalysis

depends on substitutions being known, this would seem to improve the strength

of the cipher against that kind of attack; and, since a random substitution on the

possible byte values from 0 to 255 takes quite a bit more than 56 bits to describe

it, key size is also increased. Applying the substitution at the beginning and end

of the block cipher would probably be advisable as well; this would increase the

amount of this extra key that is actually used, and it would protect all sixteen,

rather than just the middle eight, rounds of the block cipher from outside scrutiny.

Next

Chapter Start

Table of Contents

Main Page Home Page

[Next] [Up] [Previous] [Index]

Routine)

This algorithm is of interest for several reasons. It is designed for use in software.

Unlike DES, or even IDEA, it does not divide the block into parts of which some

parts affect others; instead, the plaintext is directly changed by going through S-

boxes, which are replaced by their inverses for decryption.

Description of SAFER

SAFER uses eight rounds. The first step for a round is to apply the first subkey

for the round to the eight bytes of the block. The operation by which each byte of

the subkey is applied to each byte of the block depends on which byte is used: the

sequence is

Then, the S-box is used. Those bytes to which the subkey was applied by an

XOR go through the regular S-box; those bytes to which it was applied by

addition go through the inverse S-box.

The S-boxes:

The regular box represents 45 raised to successive powers modulo 257 (with the

modulo 257 result then squeezed into a byte by being taken modulo 256):

120 3 135 164 184 56 207 63

8 103 9 148 235 38 168 107

189 24 52 27 187 191 114 247

64 53 72 156 81 47 59 85

227 192 159 216 211 243 141 177

255 167 62 220 134 119 215 166

17 251 244 186 146 145 100 131

136 209 153 203 140 132 29 20

129 151 113 202 95 163 139 87

60 130 196 82 92 28 232 160

223 12 26 142 222 224 57 252

32 155 36 78 169 152 158 171

242 96 208 108 234 250 199 217

137 254 122 93 73 201 50 194

249 154 248 109 22 219 89 150

68 233 205 230 70 66 143 10

30 65 98 41 46 14 116 80

2 90 195 37 123 138 42 91

240 6 13 71 111 112 157 126

121 48 104 54 117 125 228 237

128 106 144 55 162 94 118 170

197 127 61 175 165 229 25 97

34 245 231 115 35 33 200 5

225 102 221 179 88 105 99 86

15 161 49 149 23 7 58 40

Since the second S-box is the inverse of the first, it can be thought of as

containing logarithms base 45 modulo 257, although, given the intractability of

the discrete logarithm problem, it is not calculated that way directly, but is

instead just the inverse of the preceding one:

16 18 159 228 105 186 173 248

192 56 194 101 79 6 148 252

25 222 106 27 93 78 168 130

255 171 182 71 68 1 172 37

201 250 142 65 26 33 203 211

13 110 254 38 88 218 50 15

34 140 99 231 197 225 115 198

175 36 91 135 102 39 247 87

244 150 177 183 92 139 213 84

202 245 209 23 123 147 131 188

189 82 30 235 174 204 214 53

8 200 138 180 226 205 191 217

208 80 89 63 77 98 52 10

72 136 181 86 76 46 107 158

210 61 60 3 19 251 151 81

117 74 145 113 35 190 118 42

95 249 212 85 11 220 55 49

22 116 215 119 167 230 7 219

164 47 70 243 97 69 103 227

12 162 59 28 133 24 4 29

238 141 83 75 161 154 193 14

122 73 165 44 129 196 199 54

43 127 67 149 51 242 108 104

94 153 124 20 134 207 229 66

184 64 120 45 58 233 100 31

146 144 125 57 111 224 137 48

Then the second subkey for the round is applied to the block. This time, the

sequence of operations complements that used previously:

Then, the different bytes are mixed together without using a bit transpose.

Instead, arithmetic is used.

The first byte is replaced by twice the old first byte plus the old second byte. The

second byte is replaced by the old first byte plus the second byte. Only the last

eight bits of the sums are kept, of course.

This same method of combining the bytes is applied to the third and fourth bytes,

the fifth and sixth bytes, and the seventh and eighth bytes.

Then the bytes are interchanged; after the interchange, the order of the bytes

becomes

1 3 5 7 2 4 6 8

The mixing is performed on pairs of bytes again, and then the interchange, and

then the mixing.

After the eighth round, an extra subkey is applied in the same way as the first

subkey of each round.

Decryption

Unlike most other block algorithms, SAFER is inverted by doing the reverse of

each step, in reverse order, without the possibility of achieving the same result

merely by some alteration of the subkeys used.

The reverse of the method of mixing pairs of bytes is this: to get the old first

byte, subtract the new second byte from the new first byte. The old second byte is

the new second byte minus the old first byte, which is the same as twice the new

second byte minus the new first byte.

Subkey generation

In the original version of SAFER, the first 64-bit subkey was the key itself. To

generate successive subkeys, the individual bytes of the key were given a circular

left shift of 3 bits between the rounds, and the current result is then XORed with

a fixed constant for each round.

16733B1E8E70BD86

477E2456F1778846

B1BAA3B7100AC537

C95A28AC64A5ECAB

C66795580DF89AF6

66DC053DD38AC3D8

6AE9364943BFEBD4

9B68A0655D57921F

715CBB22C1BE7BBC

63945F2A61B83432

FDFB1740E6511D41

8F29DD0480DEE731

7F01A2F739DA6F23

FE3AD01CD1303E12

CD0FE0A8AF82592C

7DADB2EFC287CE75

1302904F2E723385

8DCFA981E2C4272F

7A9F52E115382BFC

42C708E409555E8C

The first several constants are given, enough for up to 10 rounds. Originally, six

rounds were proposed for SAFER, but this was increased to 8. The constants are

also derived mathematically.

SAFER SK

A new version of SAFER, SAFER SK, has a more secure key schedule.

The 64-bit key is expanded by one byte, that byte being the XOR of all the

previous bytes. For generating the first subkey, that byte is ignored; for the

second, where the key would have been used, one instead takes the eight bytes

starting with the second byte of the nine-byte expanded key; for the second, start

with the third, and after the ninth go back to the first; and so on.

SAFER SK-40

A 40-bit version of SAFER-SK also exists, with the starting nine-byte expanded

key beginning with bytes 1 to 5 being the 40-bit key, and the remaining bytes

being, in order:

byte 1 xor byte 4 xor byte 5 xor 66

byte 2 xor byte 3 xor byte 5 xor 36

byte 2 xor byte 4 xor 24

The 128-bit key schedule, both for SAFER and SAFER-SK, consists of using the

first subkey and the other odd subkeys from the sequence generated from the

right half of the key, and the second and the other even subkeys from the

sequence generated from the left half of the key.

Next

Chapter Start

Skip to Next Section

Table of Contents

Main Page Home Page

[Next] [Up] [Previous] [Index]

Algorithm)

IDEA, unlike the other block cipher algorithms discussed in this section, is patented by

the Swiss firm of Ascom. They have, however, been generous in allowing, with

permission, free noncommercial use of their algorithm, with the result that IDEA is

best known as the block cipher algorithm used within the popular encryption program

PGP.

The IDEA algorithm is interesting in its own right. It includes some steps which, at

first, make it appear that it might be a non-invertible hash function instead of a block

cipher. Also, it is interesting in that it entirely avoids the use of any lookup tables or S-

boxes.

IDEA uses 52 subkeys, each 16 bits long. Two are used during each round proper, and

four are used before every round and after the last round. It has eight rounds.

The plaintext block in IDEA is divided into four quarters, each 16 bits long. Three

operations are used in IDEA to combine two 16 bit values to produce a 16 bit result,

addition, XOR, and multiplication. Addition is normal addition with carries, modulo

65,536. Multiplication, as used in IDEA, requires some explanation.

modulo n is also not invertible whenever it is by a number which is not relatively prime

to n. The way multiplication is used in IDEA, it is necessary that it be always

invertible. This is true of multiplication IDEA style.

The number 65,537, which is 2^16+1, is a prime number. (Incidentally, 2^8+1, or 257,

is also prime, and so is 2^4+1, or 17, but 2^32+1 is not prime, so IDEA cannot be

trivially scaled up to a 128-bit block size.) Thus, if one forms a multiplication table for

the numbers from 1 through 65,536, each row and column will contain every number

once only, forming a Latin square, and providing an invertible operation. The numbers

that 16 bits normally represent are from 0 to 65,535 (or, perhaps even more commonly,

from -32,768 to 32,767). In IDEA, for purposes of multiplication, a 16 bit word

containing all zeroes is considered to represent the number 65,536; other numbers are

represented in conventional unsigned notation, and multiplication is modulo the prime

number 65,537.

Description of IDEA

Let the four quarters of the plaintext be called A, B, C, and D, and the 52 subkeys

called K(1) through K(52).

Multiply the new value of F by K(6). Add the result, which is also the new value of F,

to E.

Change both A and C by XORing the current value of F with each of them; change

both B and D by XORing the current value of E with each of them.

Swap B and C.

Repeat all of this eight times, or seven more times, using K(7) through K(12) the

second time, up to K(43) through K(48) the eighth time. Note that the swap of B and C

is not performed after round 8.

The intricacies of IDEA encryption may be made somewhat clearer by examining the

following diagrams:

Details: Overview:

Decryption

How can the round in IDEA be reversed, since all four quarters of the block are

changed at the same time, based on a function of all four of their old values? Well, the

trick to that is that A xor C isn't changed when both A and C are XORed by the same

value, that value cancels out, no matter what that value might be. And the same applies

to B xor D. And since the values used are functions of (A xor C) and (B xor D), they

are still available.

This cross-footed round, rather than a Feistel round, is the most striking distinguishing

factor of IDEA, although its use of multiplication, addition, and XOR to avoid the use

of S-boxes is also important.

Those that are added are replaced by their two's complement. Those that are multiplied

in are replaced by their multiplicative inverse, modulo 65,537, in IDEA notation when

used to change blocks directly, but those used to calculate the cross-footed F-functions

are not changed. Keys XORed in would not need to be changed, but there aren't any

such keys in IDEA. Due to the placement of the swap, the first four keys for decryption

are moved somewhat differently than the other keys used for the same operation

between rounds.

KD(1) = 1/K(49)

KD(2) = -K(50)

KD(3) = -K(51)

KD(4) = 1/K(52)

and they do not quite follow the same pattern as the remaining subkeys which follow.

The following is repeated eight times, adding 6 to every decryption key's index and

subtracting 6 from every encryption key's index:

KD(5) = K(47)

KD(6) = K(48)

KD(7) = 1/K(43)

KD(8) = -K(45)

KD(9) = -K(44)

KD(10) = 1/K(46)

Subkey generation

The 128-bit key of IDEA is taken as the first eight subkeys, K(1) through K(8). The

next eight subkeys are obtained the same way, after a 25-bit circular left shift, and this

is repeated until all encryption subkeys are derived.

This method of subkey generation is regular, and this may be a weakness. However,

IDEA is considered to be highly secure, having stood up to all forms of attack so far

tried by the academic community.

Chapter Start

Skip to Next Section

Table of Contents

Main Page

Home Page

[Next] [Up] [Previous] [Index]

Skipjack

Skipjack, the originally secret algorithm associated with the infamous Clipper chip, was

declassified on Tuesday, June 23, 1998, and appeared as a .PDF document at the NIST web

site the following morning.

The basic round type of Skipjack forms another alternative, alongside those offered by SAFER

and IDEA, to the Feistel round structure seen in DES, LUCIFER and Blowfish, among other

block ciphers. In each round, one of four quarters of the block is subjected to four Feistel

rounds on a small scale, and one other quarter is modified by being XORed with the round

number and the quarter that went through the mini-Feistel cipher, either before or after that

step. No bit transposes are required in Skipjack, making it efficient to implement on a general-

purpose computer.

Skipjack has 32 rounds. These rounds are of two types, A and B. A type A round proceeds as

follows:

The first quarter of the block (called W1) is enciphered by the "G permutation", which is

actually a four-round Feistel cipher. The result, and the round number (where round numbers

go from 1 through 32), are XORed with the fourth quarter of the block (W4). Then each

quarter of the block is moved to the next position; W1 to W2, W2 to W3, W3 to W4, and W4

back to W1.

The second quarter of the block (W2) is XORed with the round number and the first quarter of

the block (W1). Then the first quarter of the block is enciphered by the "G permutation".

Again, each quarter of the block is moved to the next position; W1 to W2, W2 to W3, W3 to

W4, and W4 back to W1.

The rotation of quarters of the block is not omitted after the last round. The 32 rounds of

Skipjack consists of eight type A rounds, eight type B rounds, eight type A rounds, and eight

type B rounds. Note that by having a type A round first, and a type B round last, the form of

the first quarter on the "inside" is XORed with one of the other quarters in the first and last

rounds.

Permutation G is a four-round Feistel cipher, involving dividing its 16-bit input into two 8-bit

halves. Like DES, the left half of the block is not changed in each round, but acts as input to

the f-function, the output of which is XORed to the right half. Unlike DES, the two halves are

swapped after the last round (as the algorithm has only four rounds, all four iterations of the f-

function can be illustrated, going alternately from right to left, and then from left to right; in

that form, no swaps at all are required).

The f-function of the G permutation is as simple as one might expect for an f-function only 8

bits wide: the input is first XORed with the current round's subkey, and then the result is

substituted according to a lookup table, called F.

The subkeys for G, each one byte long, are simply four consecutive bytes of the 80-bit key.

The first four bytes are used in the first round, the next four bytes in the second, the last two

bytes followed by the first two bytes in the third, and so on.

which illustrates the first 12 rounds of Skipjack. The first round, of type A, is shown with the

G function illustrated in full. The next seven rounds, also of type A, are shown with the G

function indicated by a box marked with a G. Then the last four of the twelve rounds shown, of

type B, are showed the same way. There are dotted lines dividing the rounds in the diagram.

Instead of rotating the quarters of the block, the functions move between columns; since the

last rotation is not skipped, this illustration will show, if continued to include all 32 rounds, the

quarters ending up in their proper places without any final rotation being required.

The S-box of Skipjack, called F, which is the heart of the f-function of the Feistel mini-cipher

that is the G permutation, is as follows:

a3 d7 09 83 f8 48 f6 f4 b3 21 15 78 99 b1 af f9

e7 2d 4d 8a ce 4c ca 2e 52 95 d9 1e 4e 38 44 28

0a df 02 a0 17 f1 60 68 12 b7 7a c3 e9 fa 3d 53

96 84 6b ba f2 63 9a 19 7c ae e5 f5 f7 16 6a a2

39 b6 7b 0f c1 93 81 1b ee b4 1a ea d0 91 2f b8

55 b9 da 85 3f 41 bf e0 5a 58 80 5f 66 0b d8 90

35 d5 c0 a7 33 06 65 69 45 00 94 56 6d 98 9b 76

97 fc b2 c2 b0 fe db 20 e1 eb d6 e4 dd 47 4a 1d

42 ed 9e 6e 49 3c cd 43 27 d2 07 d4 de c7 67 18

89 cb 30 1f 8d c6 8f aa c8 74 dc c9 5d 5c 31 a4

70 88 61 2c 9f 0d 2b 87 50 82 54 64 26 7d 03 40

34 4b 1c 73 d1 c4 fd 3b cc fb 7f ab e6 3e 5b a5

ad 04 23 9c 14 51 22 f0 29 79 71 7e ff 8c 0e e2

0c ef bc 72 75 6f 37 a1 ec d3 8e 62 8b 86 10 e8

08 77 11 be 92 4f 24 c5 32 36 9d cf f3 a6 bb ac

5e 6c a9 13 57 25 b5 e3 bd a8 3a 01 05 59 2a 46

163 215 9 131 248 72 246 244 179 33 21 120 153 177 175 249

231 45 77 138 206 76 202 46 82 149 217 30 78 56 68 40

10 223 2 160 23 241 96 104 18 183 122 195 233 250 61 83

150 132 107 186 242 99 154 25 124 174 229 245 247 22 106 162

57 182 123 15 193 147 129 27 238 180 26 234 208 145 47 184

85 185 218 133 63 65 191 224 90 88 128 95 102 11 216 144

53 213 192 167 51 6 101 105 69 0 148 86 109 152 155 118

151 252 178 194 176 254 219 32 225 235 214 228 221 71 74 29

66 237 158 110 73 60 205 67 39 210 7 212 222 199 103 24

137 203 48 31 141 198 143 170 200 116 220 201 93 92 49 164

112 136 97 44 159 13 43 135 80 130 84 100 38 125 3 64

52 75 28 115 209 196 253 59 204 251 127 171 230 62 91 165

173 4 35 156 20 81 34 240 41 121 113 126 255 140 14 226

12 239 188 114 117 111 55 161 236 211 142 98 139 134 16 232

8 119 17 190 146 79 36 197 50 54 157 207 243 166 187 172

94 108 169 19 87 37 181 227 189 168 58 1 5 89 42 70

This was double-checked by looking at the inverse of this S-box generated by the same

program that converted what I typed from hexadecimal to decimal, as the S-box is a straight

permutation of the numbers from 0 to 255. In the original document in its electronic form,

lowercase c and e are sometimes difficult to distinguish.

For decipherment, each round is replaced by a corresponding deciphering round, and these

rounds are, of course, executed in the reverse of the enciphering order.

The first quarter, W1, is XORed with W2 and the round number (rounds now counting down

from 32 to 1). Then the second quarter, W2, is subjected to the inverse of the G permutation.

Then, each quarter is moved to the position of the preceding one; W1 to W4, W2 to W1, W3 to

W2, and W4 to W3.

The second quarter, W2, is subjected to the inverse of the G permutation. The third quarter,

W3, is then XORed with the round number and the changed value of W2. Again, each quarter

is moved to the position of the preceding one; W1 to W4, W2 to W1, W3 to W2, and W4 to

W3.

The deciphering equivalent of the G permutation involves using the four subkeys in reverse

order - and reversing the roles of the right and left halves of the 16-bit quarter block.

Comments

devices using that algorithm for use by the U.S. Government. Some people have called

attention to the fact that only a short time previously, government spokespersons were saying

that the disclosure of that algorithm would harm national security.

However, I have noted that the inconsistency involved may be more apparent than real.

Between the statements cited, and the declassification of SKIPJACK, a paper was published by

an academic researcher noting that Feistel ciphers of a particular type, specifically those in

which the f-function was itself a series of Feistel rounds, could be proven to be immune to

differential cryptanalysis.

SKIPJACK, although not precisely of that type, is closely related: one of the four subblocks

undergoes Feistel rounds, but in addition to the result being used, as an f-function output, on

another subblock, the subblock is also retained in its modified state.

Also, note that SKIPJACK consists of eight type A rounds, followed by eight type B rounds

twice, instead of sixteen type A rounds and then sixteen type B rounds. Since the type A

rounds are appropriate for the beginning of the cipher, and the type B rounds are appropriate

for its end, it might seem at first that this weakened the cipher. However, the boomerang

attack, which was discovered after the declassification of SKIPJACK, allows differential

cryptanalysis to be done independently on the first and last half of a block cipher; thus, if

SKIPJACK were composed of two halves, each with one type of round, it could have been

attacked as if it consisted of only a single type of round.

It may also be noted that a recent book, Top Secret Intranet, reveals that SKIPJACK was

considered adequate to safeguard information classified SECRET but not information

classified TOP SECRET. This appears to refer to early 1999, and may still be the case as of

this writing (May 1999). Also, note that SKIPJACK has an 80-bit key, the key-length limit for

exportable ciphers is 40 bits, and some suppliers of encryption equipment to the U.S.

government have advertised their equipment provides a 120-bit key or a 160-bit key. This may

be because 40 is a multiple of both 8 and 10, and 2^10 equals 1024, which is just over 1000.

Thus every 40 bits in a key can have just over a trillion possible values, making it easy to

express the number of possible keys in decimal terms.

One notes that the key consists of 10 bytes, which is a number of the form 4n+2. While it

might not increase the security of SKIPJACK to do so, if there are no subtle traps in the

structure of SKIPJACK, which appears to have a simple and uniform structure, it might be

possible to use a key composed of the next such number of bytes with it: 14 bytes. That is an

interesting possibility, because such a key would be a 112-bit key, exactly twice as long as the

key used in DES.

Chapter Start

Skip to Next Section

Table of Contents

Main Page

Home Page

[Next] [Up] [Previous] [Index]

Blowfish

The Blowfish program was developed by author and computer security and

cryptography consultant Bruce Schneier. Blowfish is a cipher based on Feistel

rounds, and the design of the f-function used amounts to a simplification of the

principles used in DES to provide the same security with greater speed and

efficiency in software. The block ciphers Khafre and CAST have somewhat

similar rounds.

The main claim to fame of Blowfish, however, is in its method of key scheduling.

The round keys, and the entire contents of all the S-boxes, are created by multiple

iterations of the block cipher. This enhances the security of the block cipher,

since it makes exhaustive search of the keyspace very difficult, even for short

keys.

Description of Blowfish

Unlike DES, Blowfish applies the f-function to the left half of the block,

obtaining a result XORed to the right half of the block. Originally, I had said that

this departure from convention may cause confusion in reading the description of

Blowfish. However, upon further reflection, I think that it is really DES that is

creating confusion; the time sequence of events should move from left to right

(particularly in a design that is otherwise big-endian); this is generally what

happens in more recent designs, such as the AES candidates, and particularly in

ciphers with unbalanced Feistel rounds.

Blowfish consists of sixteen rounds. For each round, first XOR the left half of the

block with the subkey for that round. Then apply the f-function to the left half of

the block, and XOR the right half of the block with the result. Finally, after all

but the last round, swap the halves of the block. There is only one subkey for

each round; the f-function consumes no subkeys, but uses S-boxes which are key

dependent.

After the last round, XOR the right half with subkey 17, and the left half with

subkey 18.

The f-function

Blowfish uses four S-boxes. Each one has 256 entries, and each of the entries are

32 bits long.

To calculate the f-function: use the first byte of the 32 bits of input to find an

entry in the first S-box, the second byte to find an entry in the second S-box, and

so on. The value of the f-function is ((S1(B1) + S2(B2)) XOR S3(B3)) + S4(B4)

where addition is performed modulo 2^32.

Decryption

Decryption is the same as encryption, with the 18 subkeys used in reverse order.

At first, this seems unbelievable (although not quite as bad as understanding

decryption of IDEA), because there are two XOR operations following the last

use of the f-function, and only one preceding the first use of the f-function.

However, if you modify the algorithm so that use of subkeys 2 through 17 takes

place before the output of the f-function is XORed to the right half of the block,

and is done to the same data before that XOR, although that means it is now on

the right half of the block, since the XOR of the subkey has been moved before a

swap of the halves of the block, you have not actually changed anything since the

same information is XORed to the left half of the block between each time it is

used as input to the f-function. In fact, you can even move the XOR still earlier,

before the preceding swap of block halves. Once you do that, you have the exact

reverse of the decryption sequence.

Subkey generation

Begin by initializing subkeys 1 through 18, followed by elements zero through

255 of the first S box, then elements zero through 255 of the second S box, all the

way to element 255 of the fourth S box, with the fractional part of pi. The most

significant bit of the fractional part of pi becomes the most significant bit of the

first subkey.

Then, take the key, which may be of any length up to 72 bytes, and, repeating it

as often as necessary to span the entire array of 18 subkeys, XOR it with the

subkey array contents.

Then execute the Blowfish algorithm repeatedly, with an initial input of a 64-byte

block of all zeroes as plaintext input. After each execution, replace part of the

subkeys or S boxes with the successive outputs of Blowfish, in the same order as

the digits of pi in binary (or hexadecimal) form were placed in them; after the

first iteration, replace subkeys 1 and 2; after the tenth iteration, replace the first

two entries (0 and 1) in S-box 1; and so on.

For each iteration of Blowfish in key generation, also use the output of the

preceding iteration as input. (The original description of Blowfish in the April

1994 issue of Dr. Dobb's Journal could be interpreted to imply that zero should

be used as input for every iteration. As the later iterations only change individual

S-box entries, this could lead to large stretches of identical data in the S-boxes,

and is thus a misreading of the directions, not a slightly different original form of

the algorithm.)

Thus, loading Blowfish with a new key takes as much time as encrypting 521

blocks ((256*4+18)/2) in Blowfish. This gives Blowfish an extra 9 bits of

security against a brute force search for keys shorter than maximum length,

which makes the 32-bit, instead of 40-bit limit for export versions of Blowfish

reported by one individual just about exactly right. (Seems you just can't fool the

NSA.)

Chapter Start

Skip to Next Section

Table of Contents

Main Page

Home Page

[Next] [Up] [Previous] [Index]

Implementable BLOck Cipher)

QUADIBLOC is a little block cipher that I developed myself. It was designed to be

very easy to implement, so that any obstacles to the distribution of program source

would not be too great an inconvenience for people using it. It uses a modified Feistel

round; when the left-hand half is modified by the f-function of the right-hand half,

instead of merely performing an XOR, the left-hand half first goes through an S-box,

then is XORed with the f-function output, and then goes through an S-box again. The

main security feature of QUADIBLOC that is of interest is that the f-function is

iterated twice, thus accelerating the propagation of changes in the plaintext block

through the entire ciphertext block.

64, QUADIBLOC-40, QUADIBLOC-320, QUADIBLOC-640, QUADIBLOC 96,

QUADIBLOC 99, QUADIBLOC SE, QUADIBLOC-320SE, Quadibloc II, Quadibloc

III, Quadibloc III SC, Quadibloc III MD, Quadibloc III SD, Quadibloc IV, Quadibloc

V, Quadibloc VI, Quadibloc VII, Quadibloc VIII, Quadibloc IX, Quadibloc X, and

Quadibloc S, but except for requiring that these terms be used only to designate the

block ciphers described here, as they are described, the QUADIBLOC block cipher is

freely available for anyone to use, although I do not warrant them as free from patent

problems.

● Description of QUADIBLOC

❍ Euler's Constant and the QUADIBLOC S-boxes

● The QUADIBLOC FAQ (includes funny stuff)

● Key Augmentation

● Quadibloc II

● Quadibloc III

● Quadibloc IV

● Quadibloc V

● Quadibloc VI

● Quadibloc S

● Quadibloc VII

● Quadibloc VIII

❍ The Standard Rounds

❍ The Key Schedule

❍ The Rationale of the Design

● Quadibloc IX

● Quadibloc X

Next Chapter

Chapter Start

Table of Contents

Main Page

Home Page

[Next] [Up/Previous] [Index]

Description of QUADIBLOC

The intent of the following proposed block cipher is to provide a cipher which is at

least as secure as DES, and possibly somewhat more secure, which is reasonably

efficient when implemented in software, and is furthermore easy to implement.

Changes required for QUADIBLOC 99, which corrects known weaknesses in the

original QUADIBLOC (QUADIBLOC 96), are indicated in highlighted boxes.

Two S-boxes, taking 8 binary inputs uniquely to 8 binary outputs, are used, as well as

the inverse of the second S-box. The S-boxes are constructed from Euler's constant

(.57721...) as follows:

start with an array, A, such that A(0) is 0, A(1) is 1, up to A(255) which is 255. Place

Euler's constant to sufficient precision in ACC. Number of choices starts at 256, and is

decreased by 1 for each iteration; element to choose starts at 0, and increases by 1 for

each iteration. The iteration where Number of choices is 2 is the last iteration.

During each iteration, multiply ACC by Number of choices. Leave the fractional part

of the result in ACC; swap

A( Number of choices )

and

This generates S-box 1; repeat the procedure with the contents remaining in ACC to

obtain S-box 2. (ACC must be long enough to hold Euler's constant to sufficient

precision to support both applications of the procedure.)

The S-boxes are given on the page entitled Euler's Constant and the Quadibloc S-boxes.

In QUADIBLOC 99, a third S-box, generated by continuing the process, is also used.

In addition, the following 4 of 8 code for the numbers 0 to 63 is used during subkey

generation:

given the 6 bits abcdef, in the output word, let c stand for 01 if the bit c is 0, or 10 if the

bit c is 1, and let DD stand for 0011 if the bit d is 0, or 1100 if the bit d is 1, then

010def becomes DDef

011def becomes deFF

100def becomes dEEf

101def becomes DefD

110def becomes DeDf

111def becomes dEfE

55 56 59 5A 65 66 69 6A 95 96 99 9A A5 A6 A9 AA

35 36 39 3A C5 C6 C9 CA 53 5C 63 6C 93 9C A3 AC

4D 4E 71 72 8D 8E B1 B2 17 1B 27 2B D4 D8 E4 E8

1D 1E 2D 2E D1 D2 E1 E2 47 4B 74 78 87 8B B4 B8

The cipher is an iterative block cipher, with 16 rounds and 48 subkeys, and uses Feistel

rounds: half the block is used to encipher the other half in each round. It operates on a

64-bit block, and has a 160-bit key.

Initially, the first 4 bytes of data to encrypt are taken as the left half, and the last 4

bytes are taken as the right half.

A copy of the right half, which will actually be unchanged by this round, is taken.

The copy is XORed with the round's first subkey (subkey 1 for round 1, subkey 4 for

round 2, to subkey 46 for round 16).

In QUADIBLOC 99, the fourth byte is instead replaced by its substitute in S-box 2.

The bits of the result, considered to be numbered from 1 (most significant bit of the

first, leftmost byte) to 32 (least significant bit of the last, rightmost byte) following the

pattern in DES, are to be transposed to lie in the following positions:

1 2 27 28 21 22 15 16

9 10 3 4 29 30 23 24

17 18 11 12 5 6 31 32

25 26 19 20 13 14 7 8

Note that this arrangement posesses a great deal of symmetry: only ONE version of S-

box 1, with 256 32-bit entries is needed to perform both the S-box substitution, and the

subsequent permutation, in a single step for efficiency on a computer without hardware

instructions for bit transposition. And, since no bits change their position within a byte,

a slower implementation, using S-box 1 with single byte entries, and doing the

transposition using masking, is also possible.

In QUADIBLOC 99, the symmetry of the bit transposition remains, but one expanded

version of S-box S2 is also required.

The 32 transposed bits are now XORed with the round's second subkey.

In QUADIBLOC 99, the value generated at this point is also retained, and is called

the intermediate result of the f-function.

Each byte of the result is again replaced by its substitute in S-box 1, and the bits of the

result are transposed as before.

In QUADIBLOC 99, in the second part of the f-function, the second and third bytes

are instead replaced by their substitutes in S-box 2.

The result is XORed with the round's third subkey. This produces the output of the f-

function.

Applying the f-function output to alter the left half of the block:

In a QUADIBLOC 99 type A round, the first (leftmost) half of the intermediate result

of the f-function is used to control an ICE-style swap of bits between the halves of the

left half of the block at this time: each bit in that 16-bit quantity which is 1 indicates

that corresponding bits in the two halves of the 32-bit left half of the block are to be

swapped.

In QUADIBLOC 99, S-box 3 is used for this purpose.

In a QUADIBLOC 99 type B round, the first (leftmost) half of the intermediate result

of the f-function is used to control an ICE-style swap of bits between the halves of the

left half of the block at this time: each bit in that 16-bit quantity which is 1 indicates

that corresponding bits in the two halves of the 32-bit left half of the block are to be

swapped.

The result is XORed with the result of the f-function applied to the right half.

In a QUADIBLOC 99 type B round, first the second and third bytes of the left half of

the block are swapped, and then the second (rightmostmost) half of the intermediate

result of the f-function is now used to control another ICE-style swap of bits between

the halves of the left half of the block: each bit in that 16-bit quantity which is 1

indicates that corresponding bits in the two halves of the 32-bit left half of the block

are to be swapped.

In a QUADIBLOC 99 type A round, first the second and third bytes of the left half of

the block are swapped, and then the second (rightmostmost) half of the intermediate

result of the f-function is now used to control another ICE-style swap of bits between

the halves of the left half of the block: each bit in that 16-bit quantity which is 1

indicates that corresponding bits in the two halves of the 32-bit left half of the block

are to be swapped.

Round: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

Type: A A B B A A B B B B A A B B A A

Except for the four middle rounds, this ensures that the ICE-style bit transpositions

alternate with the byte substitutions using S-box 3.

The swap:

the left half for the next round is the unchanged right half from the previous round;

the right half for the next round is the modified left half, after the XOR and the two

substitutions, subjected to a circular left shift of 8 bits (which can be carried out by

moving whole bytes, of course).

In QUADIBLOC 99, the swap is performed in all rounds except round 16 only. The

bit transpose after round 8 is removed as not having as much effectiveness as was

hoped for, and instead the ICE-style bit swap is added to every round. The circular left

shift of 8 bits is no longer part of the swap, and is replaced by the exchange of two

bytes preceding the last bit swap.

After round 8:

Subject the bits of the block, numbered from 1 to 64, from left to right, to the following

(reciprocal) bit transpose:

1 34 11 44 21 54 31 64 9 42 3 36 29 62 23 56

17 50 27 60 5 38 15 48 25 58 19 52 13 46 7 40

33 2 43 12 53 22 63 32 41 10 35 4 61 30 55 24

49 18 59 28 32 6 47 16 57 26 51 20 45 14 39 8

Each byte of the right half of the result is replaced by its substitute in S-box 2.

99, and a simple swapping of halves takes place instead.

Nothing happens: the result at that point, without further swapping, is the output of the

cipher.

QUADIBLOC 96 (from 1 to 7, or 9 to 15), to help make the description clearer:

And these are the corresponding diagrams for QUADIBLOC 99:

For a type B round:

Some comments at this stage:

a) every bit of the f-function output depends on every bit of the right half of the block,

thus making propagation very rapid, and

b) the first half of the f-function can be thought of as substituting for the absence of an

expansion permutation and auxilliary S-box inputs as found in DES.

boxes 1 and 2 are unchanged.

b) after every round except rounds 8 and 16, the modified left half from one round

becomes the right half for the next, and the unmodified right half receives a right

circular shift of 8 bits before becoming the left half for the next round, and

In QUADIBLOC 99, the swap of the second and third bytes in the left half of the

block is changed to take place after the first ICE-style swap and before the first use of

S-box 3. Also, now the ICE-style swap that occurs first uses the second (rightmost)

half of the intermediate result of the f-function as input, and the ICE-style swap that

occurs second uses the first (leftmost) half of the intermediate result of the f-function

as input.

c) the 16 groups of three subkeys for the 16 rounds are used in reverse order, but the

three subkeys within each group are still used in the same order.

The bit transpose with partial substitution between rounds 8 and 9 is intended to create

a 'wall' between the first 8 and the last 8 rounds that will make the cipher much harder

to analyze and solve.

The bit transpose has been removed since the boomerang attack has cast some doubts

on its efficacy.

Subkey generation:

The 160-bit key shall be expanded to 176 bits by applying the 4 of 8 bit code specified

above to each group of 6 bits in the last 48 bits of the key, thus expanding these 48 bits

to 64 bits. (This is done to prevent weak keys.)

In QUADIBLOC 99, the last 64 bits of the 160-bit key shall be used, reduced to 48

bits by ignoring the most significant two bits of each byte, as input to the 4 of 8 bit

code. This avoids having to perform unnecessary shift operations. Then, the 160-bit

key will be expanded to the following: the first 96 bits of the original 160-bit key, the

64 bits generated from the 4 of 8 code, and the last 64 bits of the original 160-bit key

XOR the first 64 bits of the original 160-bit key (so that the expanded key does not

contain both the original form, and the 4 of 8 encoding, of the same bits) to produce

an expanded key that is 224 bits long.

The first 128 bits of the result shall be divided into four 32-bit blocks, which shall be

called, from left to right, P, Q, R, and S.

P, Q, and R will be taken as the three subkeys for the current round, subject to an XOR

to be subsequently described.

Then, P, Q, and R shall be shifted left n bits, and S shall be shifted left 3n bits, with the

first n bits of P, then the first n bits of Q, then the first n bits of R being shifted into S,

while the bits shifted out of S into P, Q, and R will alternate, one bit at a time, into

these three registers/locations.

Before:

P) P1 P2 ... P32

Q) Q1 Q2 ... Q32

R) R1 R2 ... R32

S) S1 S2 ... S32

and after:

Q) Q7 Q8 ... Q32 S2 S5 S8 S11 S14 S17

R) R7 R8 ... R32 S3 S6 S9 S12 S15 S18

S) S19 S20 ... S32 P1 P2 ... P6 Q1 Q2 ... Q6 R1 R2 ... R6

5, 6, 5, 5,

7, 7, 7, 7,

7, 8, 7, 7,

5, 6, 5, 5.

Each of the 48 subkeys thus generated will now be XORed with the leftmost 32 bits of

T, where T begins as the last 48 bits of the expanded key, and is given a right circular

shift of 17 bits after each use.

In QUADIBLOC 99, a right circular shift of 11 bits will be used after generating all

but the last of the 27 subkeys used by the first nine rounds, and then a right circular

shift of 17 bits will be used afterwards. Since the expanded key is 224 bits long, rather

than 176 bits long, T will be 96 bits long and will initially contain the last 96 bits of

the expanded key.

Next

Chapter Start

Skip to Next Section

Table of Contents

Main Page

Home Page

[Next] [Up/Previous] [Index]

Boxes

The initial values of the subkeys and S-boxes in Blowfish are based on pi. To dispel

worries about S-boxes with a designed-in weakness in my amateur designs, I have chosen

a standard mathematical constant as their source.

constant, also known as gamma. Its value is .57721 56649 01532 86060 65120 90082...

Euler's constant is defined as the limit, as n tends to infinity, of the sum of 1 + 1/2 + 1/3

+ ... up to 1/n, minus the natural logarithm of n, normally written:

n

/ ____ \

| \ 1 |

lim | > --- | - ln(n)

n -> infinity | /___ i |

\ i=1 /

Since

_n

/

| 1

| ---, dx = ln(n)

| x

_/

1

that is, the integral from 1 to n of 1/x with respect to x is the natural logarithm of n, the

following diagram illustrates what Euler's constant is in graphical form:

Allowing the graph to continue on indefinitely to the right, the boxes shown which are

divided into green and gray areas have a total overall area of 1. (Note that the vertical

scale in the graph is exaggerated compared to the horizontal scale for clarity.) Euler's

constant, .57721 56649... is the total of the areas of the gray parts of the boxes.

Because only scaling makes the shape of the graph of 1/x from 1 to 2 different from the

graph of 1/x from 2 to 4, or the graph of 1/x from 4 to 8, the following diagram:

illustrates a way in which it is possible to derive a formula for Euler's constant that would

only involve calculating the natural logarithm of 2.

(i+1)

infinity 2

____ ____

\ \ 1 1

gamma = (1 - ln(2)) + > (1 - ln(2)) - > --- - ---

/___ /___ i j

i = 1 i 2

j = 2 +1

By superimposing the areas from 1 to 2, from 2 to 4, and 4 to 8 after adjusting them to fit,

one sees that another series for Euler's constant, not involving any logarithms, is possible,

as it is (1/2 - 1/3) + 2 * ((1/4 - 1/5) + (1/6 - 1/7)) + 3 * ((1/8 - 1/9) + (1/10 - 1/11) + (1/12 -

1/13) + (1/14 - 1/15)) + ..., or, in other words:

(i+1)

infinity 2 - 1

____ ____

\ \ (j-1) 1

gamma = > i * > (-1) * ---

/___ /___ j

i = 1 i

j = 2

Euler's constant is more difficult to calculate than the square root of 2, e, or pi, and it is

less well understood. Mathematicians have not yet proven which of rational, algebraic, or

transcendental it is.

The S-boxes constructed from Euler's constant (.57721 56649...) for use in the Quadibloc

series of block ciphers are derived as follows:

start with an array, A, such that A(0) is 0, A(1) is 1, up to A(255) which is 255. Place

Euler's constant to sufficient precision in ACC. Number of choices starts at 256, and is

decreased by 1 for each iteration; element to choose starts at 0, and increases by 1 for each

iteration. The iteration where Number of choices is 2 is the last iteration.

During each iteration, multiply ACC by Number of choices. Leave the fractional part of

the result in ACC; swap

A( Number of choices )

and

This generates S-box 1; repeat the procedure with the contents remaining in ACC to

obtain S-box 2. (ACC must be long enough to hold Euler's constant to sufficient precision

to support both applications of the procedure.)

A BASIC program to generate these S-boxes is given here. And this BASIC program

produced the DATA statements it required from a file containing the value of Euler's

constant.

Here are the S-boxes thus produced. S-boxes from 1 through 4 are used in several of the

ciphers in the Quadibloc series. S-boxes 5 and 6 are combined into one S-box with 512

entries, called S5, in Quadibloc II and III, and similarly S-boxes 7 and 8 become S6 and S-

boxes 9 and 10 become S7. S-box 11 is used under the name S9 in Quadibloc III.

S-box 1 is:

192 207 17 58 52 112 227 221

122 94 60 10 153 245 195 194

50 135 133 186 183 1 177 132

48 126 125 12 137 104 105 77

167 46 228 74 201 5 68 165

0 204 212 254 97 65 14 113

134 171 72 151 169 19 211 71

168 209 238 43 83 84 53 101

187 214 145 231 172 210 36 175

76 38 7 79 156 100 222 103

4 95 217 127 152 198 32 128

70 96 13 131 41 39 250 205

91 102 61 241 22 73 247 28

20 136 33 56 93 108 193 182

233 213 47 11 16 188 224 240

106 208 2 140 230 82 166 99

54 190 243 253 181 255 138 237

111 219 49 220 143 142 161 162

251 226 239 180 98 130 107 24

119 78 146 123 88 45 120 118

57 21 15 234 150 40 64 35

154 25 29 139 114 59 144 215

87 26 37 248 75 86 202 197

34 163 206 44 69 173 81 92

216 31 159 62 27 244 30 232

179 80 218 66 129 148 225 246

252 170 174 8 200 124 18 203

191 189 116 3 67 242 229 141

199 117 121 89 157 42 51 115

85 160 235 109 158 178 176 223

249 155 184 185 63 149 110 23

S-box 2 is:

187 91 192 149 175 80 48 231

19 23 210 35 104 31 72 111

180 20 79 100 45 173 240 113

63 236 201 69 118 181 248 185

115 62 29 166 253 67 60 41

247 124 101 24 135 87 221 144

197 188 93 65 123 142 207 195

105 53 163 145 190 18 130 76

233 251 146 161 193 211 10 235

83 14 174 96 27 151 126 112

43 34 117 157 56 5 219 22

155 4 213 186 245 66 214 196

246 64 49 147 71 61 133 37

12 227 121 17 68 143 165 176

191 232 8 116 238 59 184 102

224 138 170 11 39 205 36 244

183 140 217 228 237 209 212 42

177 77 208 78 25 242 15 50

114 81 97 0 154 13 216 2

119 152 250 88 220 171 127 103

1 21 74 70 252 200 92 156

73 32 226 95 150 99 167 122

182 84 47 136 3 162 125 139

98 153 158 134 172 239 168 178

85 194 249 51 128 33 38 223

107 254 141 241 148 46 120 198

137 75 132 108 58 243 225 204

89 129 131 16 203 255 44 86

160 189 230 106 215 55 222 229

94 164 82 202 26 179 6 7

199 90 30 54 57 40 109 28

206 9 110 52 218 234 169 159

S-box 3 is:

85 233 210 135 201 79 5 239

53 11 150 105 141 198 219 234

195 60 127 143 165 42 64 121

255 18 78 132 251 159 213 245

230 106 40 175 153 20 81 23

212 217 147 74 240 174 171 97

89 26 187 115 38 220 51 249

73 7 86 24 82 16 164 250

179 123 107 49 194 154 204 94

66 118 231 183 22 113 192 188

180 167 29 119 46 96 117 28

35 114 186 197 138 191 52 122

247 19 103 6 31 102 227 254

145 246 148 12 156 144 189 8

61 33 13 58 36 216 41 68

185 63 69 178 228 172 125 142

59 243 75 235 202 221 80 151

120 226 21 155 93 32 25 209

57 9 168 30 116 252 56 203

128 146 163 205 95 157 222 177

244 190 130 17 242 87 161 83

27 139 44 62 50 4 54 65

225 72 88 3 232 104 136 10

48 109 206 218 126 112 43 90

229 133 14 110 100 162 158 211

152 2 92 176 199 207 1 84

34 173 214 170 223 77 184 67

129 149 182 196 45 200 160 47

224 39 238 208 124 70 137 193

15 71 111 237 76 131 0 248

236 241 181 140 91 108 55 134

S-box 4 is:

177 84 61 1 228 251 219 60

64 103 34 164 4 0 106 17

120 53 118 204 127 100 27 231

93 26 146 133 72 195 240 202

12 209 236 245 247 149 32 212

47 70 135 158 79 230 76 223

9 125 99 31 16 136 77 147

189 40 188 90 210 159 21 48

74 145 179 132 14 20 55 243

24 39 222 134 38 19 232 119

206 124 168 142 211 171 249 36

15 121 163 187 161 97 215 203

71 201 92 113 128 153 181 167

244 126 58 214 208 250 186 226

111 162 183 199 140 175 110 213

50 139 154 94 174 68 207 11

89 248 166 157 82 115 160 98

180 221 112 235 25 182 169 194

116 28 5 8 2 229 176 88

130 66 192 42 13 86 73 59

225 7 52 18 57 205 234 237

178 255 143 218 114 95 29 109

242 33 129 122 155 35 80 191

238 67 101 137 138 216 108 85

253 152 3 123 217 190 96 197

198 148 200 75 10 233 30 37

41 227 6 254 252 83 43 220

104 49 239 196 45 65 172 105

165 91 150 184 44 173 107 22

62 46 144 170 117 78 151 87

141 81 23 156 224 241 54 193

S-box 5 is:

90 43 170 153 221 213 140 178

93 145 46 135 10 72 229 102

249 74 254 149 192 45 225 245

94 105 128 206 114 162 23 233

117 7 83 169 31 143 109 230

100 91 34 6 223 240 30 210

86 2 98 147 77 204 188 106

103 244 177 27 184 112 191 9

18 58 68 198 138 251 253 12

200 42 78 176 20 234 150 144

116 146 8 164 88 32 222 59

186 175 47 194 195 141 127 41

155 255 1 28 24 217 252 165

154 21 243 92 70 212 139 205

131 166 196 111 173 123 118 209

183 125 197 220 126 136 69 26

48 216 52 85 242 132 35 36

3 163 219 99 33 211 236 39

179 187 115 110 56 14 66 142

79 121 171 108 208 50 60 13

215 51 181 53 199 167 201 180

133 84 62 113 157 226 40 159

239 214 29 119 231 97 81 57

190 227 168 189 76 11 107 185

38 25 4 63 71 237 182 151

137 80 246 232 174 202 134 203

193 49 250 120 101 96 75 152

73 64 89 124 44 238 148 65

247 15 61 158 235 19 156 129

67 95 54 228 0 87 17 161

241 37 248 172 130 55 104 82

S-box 6 is:

94 5 244 127 104 115 192 77

217 63 119 245 61 72 222 118

75 234 37 167 134 19 243 210

204 60 195 34 151 229 116 130

32 176 165 197 38 152 41 180

20 249 83 31 46 117 103 87

92 71 108 214 253 144 190 102

10 129 91 8 160 207 157 223

232 153 247 159 12 36 163 27

49 121 79 138 64 219 53 203

42 200 250 137 47 62 107 23

246 67 17 248 142 135 139 154

218 59 68 70 224 97 233 81

45 24 28 25 202 251 169 74

184 14 51 85 1 239 255 21

133 111 120 43 128 215 96 2

227 35 16 30 122 238 193 40

84 126 56 150 211 26 50 146

236 100 44 206 182 158 162 18

76 252 54 145 125 155 156 73

186 183 11 6 15 9 3 140

172 171 48 13 185 164 105 143

78 228 141 39 213 194 90 209

230 254 113 4 95 168 55 147

123 65 175 109 93 196 7 110

149 212 221 201 57 181 148 216

166 240 191 136 241 179 170 52

173 225 98 131 101 33 187 208

231 242 66 161 189 58 198 86

178 188 177 80 29 220 235 22

199 88 174 112 106 89 114 226

S-box 7 is:

47 205 57 244 111 228 245 221

142 51 237 73 164 190 201 225

74 227 36 251 41 83 8 70

79 222 61 189 224 239 97 139

107 130 48 211 213 55 123 160

161 162 75 105 175 19 148 30

42 33 88 219 134 118 143 66

45 63 0 29 103 67 252 247

174 159 220 178 92 236 22 132

231 12 125 170 49 255 155 169

109 65 56 209 6 181 235 198

136 131 101 197 233 15 230 117

241 217 184 7 163 116 31 153

223 108 194 216 166 114 187 112

16 102 113 104 27 14 86 229

87 11 154 183 214 218 106 40

80 90 64 146 185 119 151 254

91 100 238 126 243 226 172 77

191 68 26 145 52 9 23 179

99 95 206 165 173 4 207 137

122 176 144 13 17 46 1 98

96 158 72 127 28 208 18 35

177 71 60 167 232 249 58 133

32 78 82 203 25 24 21 69

10 85 89 196 202 152 147 157

62 215 246 248 93 210 44 212

34 5 128 149 110 200 193 76

250 192 59 199 124 20 138 115

120 50 53 43 234 84 141 180

135 204 240 150 94 2 3 121

38 156 140 37 81 129 171 186

S-box 8 is:

48 41 50 44 67 166 237 62

107 68 54 175 28 133 190 214

4 159 108 242 23 207 130 136

36 119 150 110 168 201 156 85

183 189 184 11 239 45 60 140

84 72 249 30 243 158 81 42

29 202 144 90 241 80 135 111

94 212 55 160 38 32 164 122

114 31 224 149 103 97 210 174

177 227 179 181 165 216 252 82

14 232 208 34 18 52 57 71

33 198 217 219 22 121 147 43

151 228 88 167 132 251 63 78

236 255 92 86 253 3 100 188

66 199 235 154 112 248 102 53

21 77 49 197 233 139 6 105

83 218 99 186 220 185 254 91

245 157 176 128 240 178 10 75

0 129 155 24 238 7 117 51

120 123 182 143 191 116 8 196

19 250 27 126 73 39 162 247

76 141 244 221 35 15 37 204

234 205 246 58 95 173 206 187

65 215 172 40 16 69 109 192

124 56 152 26 46 93 145 148

118 195 115 203 223 225 64 131

231 229 134 163 125 98 226 213

161 17 9 25 87 230 138 153

2 61 1 137 70 13 89 106

47 113 222 104 209 200 96 101

59 171 146 74 193 5 180 127

S-box 9 is:

15 68 182 65 146 189 179 18

253 219 154 42 135 164 74 196

136 229 197 161 4 224 120 238

145 239 103 168 235 245 152 93

62 46 226 91 173 77 22 109

94 95 209 87 86 246 8 122

128 104 64 81 198 236 78 26

1 99 194 180 0 240 125 204

144 175 60 14 176 25 31 222

70 170 167 237 215 142 149 254

20 181 107 36 41 92 72 166

126 255 249 52 214 150 40 7

247 193 234 67 33 210 242 50

248 250 206 133 102 163 199 2

84 134 127 49 243 244 96 132

55 129 39 165 138 117 32 82

160 47 35 216 148 195 218 225

66 156 183 101 76 71 24 124

251 11 153 230 90 211 158 200

85 98 221 233 241 6 69 227

190 207 10 61 73 187 157 123

37 185 100 28 118 16 56 106

51 188 27 131 13 169 17 9

139 21 205 88 29 141 231 108

110 162 54 45 159 111 48 232

114 155 113 203 140 75 208 97

79 223 202 115 53 177 30 217

178 220 38 130 172 192 119 171

3 43 184 112 105 12 212 57

58 19 151 89 252 213 228 116

201 44 34 147 191 5 137 23

S-box 10 is:

40 51 68 43 192 3 233 179

48 105 33 16 118 6 227 28

231 8 154 168 181 97 223 221

188 209 76 64 27 131 210 13

35 134 164 222 244 145 206 199

243 10 158 239 15 121 171 238

34 162 205 84 90 9 234 99

19 253 207 218 0 178 115 137

170 196 42 155 212 143 119 148

106 104 24 177 140 255 144 120

60 54 110 185 50 91 78 191

111 159 240 47 160 70 22 39

215 59 128 65 112 204 186 216

125 250 195 138 245 247 5 96

92 242 163 77 141 146 55 83

167 224 30 153 252 190 46 103

203 241 208 152 114 52 85 32

219 74 26 200 14 101 20 117

193 214 249 95 67 89 135 94

156 124 72 236 169 56 183 123

166 2 98 237 172 57 217 61

41 189 113 194 136 226 248 63

108 17 180 184 69 44 66 116

37 175 228 130 4 127 53 49

71 235 75 29 81 100 109 211

157 93 246 23 187 86 79 45

102 149 1 176 198 232 165 73

62 147 107 142 87 88 225 182

213 38 197 58 21 82 201 229

12 151 220 122 129 31 202 7

133 139 36 25 174 254 251 173

S-box 11 is:

199 56 32 25 229 72 190 163

2 12 221 242 154 188 113 0

233 173 251 207 243 231 107 6

16 184 91 50 162 94 51 230

205 30 165 210 187 74 129 232

178 150 177 105 22 156 213 215

235 14 90 203 59 85 183 139

70 212 64 247 180 120 218 240

220 73 110 62 27 39 245 49

175 79 15 238 40 78 86 111

98 169 33 17 167 228 181 253

24 75 61 117 115 35 66 224

126 19 182 193 31 11 47 109

136 255 159 138 96 89 160 10

80 151 121 20 246 143 155 206

82 171 186 164 114 57 119 161

102 241 124 249 26 5 71 192

141 101 9 99 174 84 77 145

236 131 53 103 88 58 118 127

48 87 147 223 152 123 132 252

211 166 29 28 36 13 237 202

63 122 69 4 217 197 201 148

254 60 200 208 95 54 7 130

92 112 222 239 1 204 67 191

194 248 8 142 157 44 34 189

41 225 100 176 23 97 93 198

42 140 116 250 133 106 128 196

81 104 144 137 125 65 83 37

18 68 172 135 3 21 214 43

46 170 219 108 158 244 209 134

227 226 76 168 185 55 153 149

Next

Table of Contents

Main Page

[Next] [Up] [Previous] [Index]

Variations of QUADIBLOC

QUADIBLOC-80

Using QUADIBLOC with the initial key formed by concatenating the 80-bit key with

its inverse (one's complement, bitwise negation), encipher the following:

1) Expand the first 18 bits of the key to 24 bits using the 4 of 8 bit code in

QUADIBLOC; repeat these as often as required to XOR with the last 64 bits of the

key. (Yes, 2 bits are used twice.)

2) Take the first 64 bits of the key; XOR with the 24 bits formed by expanding the last

18 bits of the key, repeated starting from the right.

3) Form a 48-bit string by XORing the first 40 bits + 00000000 with 00000000 + the

last 40 bits; convert that to 64 bits using the 4 of 8 bit code on all of it.

Using the 192 bits which result from these three block encryptions, convert to a 160-bit

key as follows:

concatenate the 64 bits of 1) enciphered with the 64 bits of 2) enciphered and the first

(leftmost, most significant) 32 bits of 3) enciphered,

and XOR these 160 bits with the last 32 bits of 3) enciphered, repeated five times.

QUADIBLOC-64

Expand a 64-bit key to an 80-bit key by converting the first 48 bits of the key to 64

bits, using the 4 of 8 bit code. This, concatenated with the last 16 bits, makes 80 bits.

Then XOR the 64 bit key with that, repeated 2 and 1/2 times. (The last one-half uses

the first 32 bits.)

QUADIBLOC-40

Expand the 40-bit key to an 80-bit key by concatenating it with its inverse.

Produce a 160-bit key from this as outlined for QUADIBLOC-80.

Expand the 40-bit key to 52 bits by converting the first 36 bits to 48 bits using the 4 of

8 bit code. XOR the 52 bit result (48 expanded bits + 4 original bits) starting with a

whole block on the left repeatedly with the 160-bit result to get the 160-bit key to use.

QUADIBLOC-320

The first half is used to generate subkeys normally, and so is the second half. First-half

subkeys are used in rounds 1, 2, 5, 6, 9, 10, 13, and 14; second-half subkeys are used in

rounds 3, 4, 7, 8, 11, 12, 15, and 16.

QUADIBLOC-640

The key is divided into four quarters, each of which is used to generate subkeys

normally, and the subkeys generated from the first quarter are used in rounds 1, 2, 9,

and 10; from the second in 3, 4, 11, and 12; from the third in 5, 6, 13, and 14; and from

the fourth in 7, 8, 15, and 16.

Enhanced QUADIBLOC

S-box 2, in QUADIBLOC, is used only when enciphering, and its inverse is used when

deciphering. Since this S-box gets changed anyways, Enhanced QUADIBLOC is

QUADIBLOC changed in that S-box 2 is part of the key, and supplied by the user,

instead of being the fixed value shown in the definition of QUADIBLOC.

Chapter Start

Skip to Next Section

Table of Contents

Main Page

Home Page

[Next] [Up] [Previous] [Index]

1) Why is this bozo cluttering up my computer with a 12K file?

the third edition of Schneier.

- Ease of implementation,

- Security, and

The primary goal, ease of implementation, was addressed by keeping the size and

number of S-boxes in the cipher to a minimum. Ease of implementation and efficiency

were also promoted by keeping the few bit transposes in the cipher simple. Because of

the order of the goals, security was obtained by performing part of the F-function

twice, rather than relying on fancier S-boxes, and a full bit-transpose was included

ONCE in the cipher.

distributing the source, I'll NEED to implement it at least once in order to generate test

vectors. Which everyone else will probably want before they try their hands at it.

QUADIBLOC-640 can have its effective key size shortened by from 32 to 64 bits

through a meet-in-the-middle attack.

Since Quadibloc uses one S-box all the way across in the F-function, if Quadibloc had

weak keys (which, fortunately, it doesn't) it would have a rotational symmetry for all

rotations of a multiple of 8 bits applied to the two halves of the block together. The

permutation after round 8 also limits the damage this would do.

It probably has much worse ones than that, but I don't have the prestige to get Eli

Biham et al to do my work for me... .

Does doing an XOR after the substitution and P-permutation in the F-function leak key

bits?

Should an odd value, instead of 8 bits, be used for the circular shift done along with the

swap of halves?

The F-function is more complicated than that of DES in some ways, but unlike that of

DES, it isn't a one-way hash; it's invertible.

The P-permutation, and the "wall" permutation used after round 8, are both regular.

Additional notes:

The use of a single S-box all the way across in the f-function also means that if

characteristics are found for applying differential cryptanalysis, it is easier to use them

in successive rounds. However, the fact that the S-box has 256 entries, the fact that the

f-function is doubled, and the use of S-box 2 on the left half, all make a differential

attack unlikely.

The use of a permutation after round 8 is not as total an obstacle to analysis as I had

originally thought. It is no hindrance whatever to the boomerang attack, discussed in

the section on differential cryptanalysis. However, in addition to a permutation, I also

put the right half of the block through S2 both before and after (the left half goes

through S2 anyways). Thus, it does not appear at this time that the boomerang attack

requires immediate alterations to the QUADIBLOC design.

I can think of two obvious improvements that I avoided for the sake of ease of

implementation.

- Replace the swap plus circular shift with a straight swap, but in ALL 16 rounds, after

the XOR, and before the second use of S-box 2, do a right circular shift of 12 bits on

the left half of the block.

DES could be made TOTALLY insecure by stripping just TWO elements from it:

- remove the expansion permutation, changing all the S-boxes to have 4 inputs as well

as 4 outputs;

Quadibloc relies on the fact that it uses a simple S-box followed by a regular P

permutation, and repeats that process twice. The first application substitutes for the

expansion permutation, as well as providing some security of its own.

In addition, after round 8, a non-keyed scramble that makes every bit of the block

depend on every other bit is applied, in hopes of frustrating analysis. S-box 2 gets extra

use here, but the bit transpose differs from the rest of the cipher.

The key is expanded slightly, from 160 bits to 176 bits, using a 4 of 8 code. The 4 of 8

code is not intended to have any security properties, since it would not contribute to the

security of the cipher if it were more random. What it DOES do is eliminate weak keys,

like all zeroes or all ones.

Also, by XORing key material before AND after the use of S box 1, complementation

properties are eliminated.

DES has a 56 bit key, 48 bits of which are used in each round.

Quadibloc has a key of 160 bits. This is expanded to 176 bits; then, 128 bits are used in

each round to generate an effective round subkey which is 96 bits in length.

DES uses engineered S-boxes with auxiliary inputs from adjacent nibbles for

heightened nonlinearity, and an irregular bit transpose P. The S-boxes are based on

multiple permutations of (0..15). The key material is applied by an XOR prior to using

the S-boxes.

regular bit transpose. But this is applied twice, and key material is XORed three times,

at the start, in the middle, and at the end.

DES simply XORs the f-function output with the left half.

Quadibloc uses a second S-box before and after the XOR with the f-function output.

Thus, plaintext actually goes through an S-box, which seems intuitively more

satisfying.

How should I know? After all, it is secret, and I have had no access to

the secret.

available information.

claimed for Skipjack: no 'weak keys', and freedom from

complementation properties.

Quadibloc has only 16 rounds, not 32 as for Skipjack.

minimal size.

Quadibloc was designed in one weekend by one person with neither any

particularly relevant academic credentials nor relevant cryptanalytic

experience (hey, I do have an M.Sc. in Nuclear Physics!). Skipjack was

designed by the top cryptographers and cryptanalysts in the U.S.,

entrusted with guarding the nation's security.

You and I don't get to make use of Skipjack without key escrow,

Quadibloc doesn't have this problem.

(Note that, since this was written, Fortezza PCMCIA cards without key

escrow were made available to the public in the U. S., which was an

interesting, and perhaps even amusing, development in the ongoing

Clipper Chip saga.)

insignificant that it will never recieve any such review.

At present, I no longer have the excuse I began that section with, as Skipjack has now

been declassified. (I write these words as part of the update of these pages to include its

description!)

Skipjack has a regular key schedule, which would seem to open up the possibility of

related-key attacks; Quadibloc has an irregular one, based on that of DES.

Quadibloc's f-function has two stages to it, which was an apparent innovation at the

time. However, Skipjack's G permutation is actually a four-round miniature block

cipher with a 16-bit block.

expanding the key size to 160 bits; they do not explode the work factor in the way

Blowfish does to handicap attempts at brute-force searching. This was done

deliberately, both for ease of implementation, and in hopes that Quadibloc-40 might be

approved for export, thus giving U.S. software authors a royalty-free alternative.

The natural key size of Quadibloc is only 160 bits, while Blowfish makes full use of a

key up to 384 bits in length.

On the other hand, the added complexity of the F-function may be to the credit of

Quadibloc. On balance, though, it may be fair to say that the advantages of Blowfish

over Quadibloc in security are of a sort likely to have real- world value, while the

advantages of Quadibloc are of a more theoretical nature.

Very little.

Possible results:

Not worried. Saddam Hussein has already heard of IDEA, Triple-DES, Blowfish...if

the NSA thinks I have endangered U.S. national security, then they've done so, by

choosing to live in a fool's paradise.

Probability slightly lower than that of one of the primes in your RSA modulus actually

being a Carmichael number.

is an extension of differential/linear cryptanalysis

The intent of boring the world with yet another block cipher should, however, be stated.

Due to restrictions on source code export, (which may not apply to us lucky Canadians)

I have chosen to lead the way in showing that a secure algorithm can be designed to be

so simple to implement that coding it is trivial, and does not depend on giant S-boxes

or difficult mathematics which requires access to a reference source code

implementation.

Also, Quadibloc illustrates techniques that could be applied to other ciphers. Doubling

the F-function is possible in Blowfish quite simply (you will need more pi); and it

could even be done in DES, with more violence to the key schedule. (In fact, it is

probably one of the more secure ways to create a 112-bit key DES variant.)

Next

Start of Section

Skip to Next Section

Table of Contents

Main Page

Home Page

[Next] [Up] [Previous] [Index]

Key Augmentation

The key schedule of QUADIBLOC, while designed to avoid weak keys, and resist

related-key attacks, is still something of an afterthought compared to the rest of the

cipher.

A procedure to add 64 bits to the key of any variant of QUADIBLOC, and improve its

key schedule (which may be applied repeatedly, even to the extent of modifying the

key for every block enciphered, causing QUADIBLOC to act as sort of a stream

cipher) is described here.

First, the key to be augmented is to be used normally to generate the 48 32-bit long

subkeys used by QUADIBLOC.

schedule of subkeys in place. (The encrypted result is to be made available externally

by hardware implementations of QUADIBLOC, to allow iterated key augmentation

with a single 64-bit key supplement.) However, both the encrypted result of the

QUADIBLOC encipherment, and the 32-bit output of the f-function in each round of

that encipherment, are to be retained (in internal storage).

The second subkey for each round is to be replaced by the previous value of the first

subkey for the previous round. The second subkey for round 1 is to be replaced by the

previous value of the first subkey of round 16.

The third subkey for each round is to be replaced by the previous value of the second

subkey that round.

The first subkey for each round is to be replaced by the previous value of the third

subkey for that round.

Then, the saved f-function values are to be applied by being XORed with subkeys (the

result replacing the former value of the subkey) in the following sequence:

The f-function for round:

9 7 11 5 13 3 15 1 16 2 14 4 12 6 10 8

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

The left half of the result of the QUADIBLOC encryption is to be XORed with the

second subkey for the first round.

The right half of the result of the QUADIBLOC encryption is to be XORed with the

third subkey for the ninth round.

Three key augmentations will ensure that every subkey is XORed with one f-function

output; twenty-four key augmentations will ensure that every subkey is XORed with

one of the halves of an encryption result.

the plain form described here, key augmentation adds at least 64 bits to the length of

the key. Some block ciphers include a process like key augmentation, but with a fixed

input value, as a standard step in the key generation process to improve the quality of

the key schedule.

augmentation, after generating the initial key schedule from the 160-bit key, perform

three iterated key augmentations, the latter two using as their input value the output

value from the previous one, and the first one using the constant value

55330FAACCF05533

Key Extension

In addition to key augmentation, the use of a longer key can be permitted by the use of

the following operation, intended to be applied after key augmentation has been

applied to a previous set of subkeys.

In key extension, a new 160-bit key is used to generate subkeys in the normal fashion,

but the resulting subkeys are then XORed to the existing subkeys instead of replacing

them.

Thus, an alternative variant of QUADIBLOC with a 320-bit key can be achieved by:

● Using the first 160 bits as a key to generate an initial set of subkeys.

● Performing closed key augmentation.

● Performing key extension with the remaining 160 bits of the key.

● Performing closed key augmentation.

with closed key augmentation will be known as QUADIBLOC SE (96 or 99).

Next

Start of Section

Table of Contents

Main Page

Home Page

[Next] [Up] [Previous] [Index]

Quadibloc II

Although this expanded version of Quadibloc is a cipher with a 128 bit block size, I am not trying to detract from

the importance of the candidate ciphers for the AES process. Prior to the deadline for a submission, I had

considered a few designs, but I had nothing that I was quite satisfied with. Precisely because the other designs

were now available to examine, I was able to find the "missing pieces" needed to complete a design.

This design allows key lengths of 128, 192, or 256 bytes, and in fact also allows keys of any length in the

sequence starting 128, 144, 160, 176... provided that the key is not longer than 36 bytes times the number of

rounds. The number of rounds can be 8, 12, 16, 20, 24, 28, 32, 36..., any multiple of 4 greater than or equal to 8.

One round of Quadibloc II takes perhaps 7 1/2 times as long as a round of DES, although a more optimistic

estimate might be 3 3/4 times as long. Thus, 8-round Quadibloc II might manage to take less than 6 times as long

as DES even with the initial estimate, and that would make Quadibloc II more efficient than Triple-DES. (The

estimate is based on the fact that a round of DES requires eight fetches of a 32-bit quantity from a table; a round

of Quadibloc II requires 24 fetches of a 32-bit quantity, and 24 fetches of an 8-bit quantity.)

This design also begins life with an unfair advantage: it partly results from the inspiration provided by the

various AES candidates, and has, in fact, swiped good ideas from two or three of them at least. In any case, this

design is proposed not as something that would have been a potential candidate were it not too late, but instead,

particularly in its 32-round form, as something for those people who want a very secure block cipher without

concern for efficiency.

Instead of two S-boxes, this design uses ten S-boxes generated from Euler's constant, by repeating the following

process, the same one as used in the original QUADIBLOC:

● Load Euler's constant into a very long multi-precision register which is simulated by an array.

● Repeat the following for each S-box to be created.

● Load an array with the numbers from 0 to 255 in order. A pointer to an element of the array is set to point

to the first element in the array, and is called TARGET.

● Repeat the following for each of the integers from 256 down to 2; call the current integer SIZE.

● Multiply the contents of the multi-precision register by SIZE. Leave the fractional part of the result in the

multi-precision register; call the integer part of the result CHOICE. (CHOICE will be an integer from 0 to

SIZE minus one.)

● Swap the elements TARGET and TARGET + CHOICE in the 256-element array. (If CHOICE is zero, do

nothing for this step.)

● Proceed to the next number from 256 down to 2.

● The 256-element array now contains a complete S-box. Save or print out its contents.

● Proceed to the next S-box to be generated.

As previously noted, I chose Euler's constant instead of, say, pi, because the mathematical theory behind Euler's

constant is more complicated than that behind pi, which in turn is somewhat more complicated than e, the base of

the natural logarithms.

The first four of these S-boxes are likely to be stored as arrays of 256 32-bit words, with the bits spread out

reflecting the P permutation, which is again the same one as used in QUADIBLOC, and is as follows:

The bits

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32

become

1 2 27 28 21 22 15 16 9 10 3 4 29 30 23 24

17 18 11 12 5 6 31 32 25 26 21 22 13 14 7 8

and this permutation is to be interpreted according to the following convention: the numbers in the bottom

sequence identify the source of each bit in the permuted result in order.

The round structure of Quadibloc II uses essentially the same f-function as was used in QUADIBLOC, with one

addition: after the second substitution/permutation layer, and the third XOR of subkey material, the 32-bit

subblock then goes through a key-dependent S-box. No permutation follows this S-box.

Three out of four 32-bit subblocks are used as input to f-functions. The f-function of the first subblock is used to

supply additional inputs both to the other two f-functions and to the application of their outputs to the fourth

subblock, which they modify.

There are other things going on in the round, and there are some minor changes to the f-function as well. The

following diagram shows how the main part of a round proceeds:

The dotted lines show a part of the round which is required if less than 32 rounds are used, but which, involving

as it does use of intermediate results from the f-function might produce some theoretical advantages if omitted.

Before the regular rounds of Quadibloc II begin, and after they end, there is an additional phase of extra

manipulations the purpose of which is to make life more difficult for the cryptanalyst. This phase is shown in the

following diagram which gives an overview of Quadibloc II:

The wide boxes are the key-dependent byte permutations; the fixed permutations that take place between regular

rounds are shown as wire crossings.

Initially, the block is divided into 16-bit units, which undergo substitution by means of a miniature block cipher

of four Feistel rounds with the key-dependent S-box S8 as the f-function. First the leftmost byte in each pair of

bytes is used to index into S8, finding the byte to XOR with the rightmost byte, and then it is done in the reverse

direction, and so on, alternating for four rounds.

Then, each half of the block undergoes two rounds of Feistel encryption with a simplified f-function having only

one S/P (substitution/permutation) layer. For faster diffusion, each f-function output is, in two of the rounds,

XORed with the two subblocks in the other half of the block, and in the other two used to control swapping bits

bitween those two subblocks, in the fashion pioneered by ICE. This operation is illustrated below:

The f-function consists of:

● Use S-boxes S1, S2, S3, and S4 in order to substitute for each of the bytes in the result.

● Use the QUADIBLOC P-permutation to transpose the bits.

Four rounds are performed. In each round, the f-function of one subblock is XORed to the other subblock in the

same half of the block. In the outer two rounds, that output is also XORed to the two subblocks in the other half;

in the inner two rounds, it is used to control the swapping of bits between those two subblocks, a 1 bit

corresponding to a bit position where swapping occurs, as was done in the block cipher ICE. The four subblocks

are chosen in order, from left to right, as the input to the f-function.

Then, the bytes of the block are again rearranged according to a key-dependent permutation. A similar

transformation takes place at the end. (MARS, of course, uses a different round structure before and after the

main part of the cipher, but here the main idea swiped, but placed in a new form, is the idea of FROG. Instead of

making the targets of XORs key-dependent, a key-dependent rearrangement of the bytes before a series of XORs

achieves the same thing with a simpler key setup.)

The changes required to decipher in Quadibloc II are hinted at by the following diagram:

The initial and final miniature Feistel rounds need not be changed. The degenerate rounds with a short f-function

have to operate on the four subblocks in reverse order, as well as using the subkeys in reverse order. The regular

round experiences these changes: the steps changing the fourth subblock need to be reversed as well as being

done in reverse order: thus, the substitution layers use the inverses of S7, S6, and S5; and the XOR/plus stages

take the f-function of the third subblock first, then that of the second; also, more subtly, the order in which the

two intermediate results of the f-function of the first subblock are XORed to the second and third subblocks are

reversed.

The first four S-boxes generated above are called S1 through S4, and function as S-boxes with 8 inputs and 8

outputs in the first f-function. But in the next two f-functions, they are combined in pairs to form S-boxes with 9

inputs and 8 outputs. This is shown on the diagram: S1/S3 is an S-box that acts like S1 when the extra input is

zero, and like S3 when the extra, most significant or leftmost, input is one.

S-boxes S1, S2, S3, and S4 are as given in the page on Euler's Constant and the Quadibloc S-boxes.

The Rounds

In detail, the round proceeds in this manner; and hopefully the diagram above will enable you to follow the

lengthy description below:

● The first subblock is used as input to the first f-function, calculated as follows:

❍ The first subkey for the round is XORed to it.

❍ The four bytes of the current value are substituted using S1, S1, S2, and S2, from left to right.

(Note that this method of avoiding cyclic symmetry, with a bare minimum of S-boxes, comes from

LOKI 97.)

❍ The result is permuted by the QUADIBLOC permutation P. (This permutation is simple and

uniform, to minimize storage needed to hold the S-box outputs after permutation for a common

optimized implementation of ciphers like this and like DES: this is one way in which I am

specifically differing from LOKI 97.)

❍ The current subblock value is the first intermediate value from the first f-function, and is used

later.

❍ The second subkey for the round is XORed in.

❍ The current value's four bytes are substituted in S-boxes S3, S4, S3, and S4 from left to right.

❍ This result is now the second intermediate value from the first f-function.

❍ The four bytes of the result are substituted by means of the key-dependent S-box, S8.

❍ The result is the output of the first f-function. Its bits are considered to be numbered from 1 to 32

from left (MSB of first byte) to right (LSB of last byte), and they will be used individually in

groups of four in what follows.

● The first subblock remains unchanged going into the next round, although an f-function was calculated

from it.

● The second subblock is modified: its new value will be itself XORed with the XOR of the two

intermediate results from the first f-function. The third subblock is also modified in this same way.

However, the input to the second f-function is the second subblock XORed with the first intermediate

result only, and the input to the third f-function is the third subblock XORed with the second intermediate

result only. This can be achieved as follows:

❍ XOR the second subblock with the first intermediate result.

❍ XOR the third subblock with the first intermediate result. (Note that this method of applying the

intermediate results to the middle subblocks is similar to the ingenious technique of applying key

material in LOKI 97. Here, the intent is twofold: to conceal the f-function input, and to minimize

the risk of attack created by the additional use of intermediate f-function results in the round.)

● The second f-function is calculated using its input and the fourth, fifth, and sixth subkeys for the round. It

differs from the first f-function in these particulars:

❍ The intermediate results are not saved.

❍ The first S-box stage consists of placing all four bytes of the current result into the compound S-

box S1/S3. For each byte, the corresponding bit from bits 1 to 4 of the first f-function output

indicate whether that S-box acts like S-box S1 for that byte or like S-box S3.

❍ The second S-box stage consists of placing all four bytes of the current result into the compound S-

box S2/S4. For each byte, the corresponding bit from bits 5 to 8 of the first f-function output

indicate whether that S-box acts like S-box S2 for that byte or like S-box S4.

● The third f-function is calculated using its input and the seventh, eighth, and ninth subkeys for the round.

It is very similar to the second f-function, but the S-boxes are again slightly different, as follows:

❍ As with the second f-function, the intermediate results are not saved.

❍ The first S-box stage consists of placing all four bytes of the current result into the compound S-

box S1/S4. For each byte, the corresponding bit from bits 9 to 12 of the first f-function output

indicate whether that S-box acts like S-box S1 for that byte or like S-box S4.

❍ The second S-box stage consists of placing all four bytes of the current result into the compound S-

box S2/S3. For each byte, the corresponding bit from bits 13 to 16 of the first f-function output

indicate whether that S-box acts like S-box S2 for that byte or like S-box S3.

● The fourth subblock is the one that undergoes the most thorough modification, the change that is the point

of the round. (The changes to the second and third subblocks were an afterthought that may create the risk

of a weakness in the cipher, but which were necessary to make it possible that the cipher could be secure

after only eight rounds, instead of thirty-two, as might be needed if only one subblock were modified in

each round.) This modification proceeds as follows:

❍ The four bytes of the subblock are substituted for using S-box S5, with bits 17 through 20 of the

first f-function output used as the most significant bit of the S-box input for each byte (that

switches between two different permutations of the numbers 0 through 255).

❍ The output of the second f-function is applied to the result. Bits 29 through 32 of the first f-

function output determine if each byte of the second f-function output is XORed (0) or added (1).

❍ The four bytes of the subblock are substituted using S-box S6, with bits 21 through 24 of the first f-

function output supplying the most significant bit of S-box input associated with each byte.

❍ The output of the third f-function is applied to the result. Bits 29 through 32 of the first f-function

output determine if each byte of the second f-function output is added (0) or XORed (1). (This use

of an addition or an XOR followed by its opposite is, of course, reminiscent of SAFER.)

❍ The four bytes of the subblock are now substituted using S-box S7, with the most significant bit of

each S-box input coming from bits 25 through 28 of the first f-function output.

This involved procedure constitutes the round. After each round except the last, a step corresponding to the swap

of left and right halves of the block in DES is performed. Here, however, the movement of individual bytes is

involved.

Bytes

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

become

15 16 8 11 13 1 9 10 2 14 5 6 7 4 3 12

5 10 15 16 9 14 3 12 13 6 7 4 1 2 11 8

if that is not the case (but the number of rounds must still be a multiple of 4, and must be at least 8). Both byte

permutations are presented as a series of 16 numbers giving the number of the source byte for each byte in the

result in order.

It might be noted that some time before I designed Quadibloc II, the idea of using different operations in a block

cipher, based on a data-dependent result in the cipher, played an important role in the block cipher "Anigma"

designed by Kostadin Bajalcaliev.

Key Generation

Each round of Quadibloc II requires nine 32-bit subkeys. In addition, the extra scrambling phases at the

beginning and end of the cipher require four subkeys each. Thus, 8-round Quadibloc II uses 80 subkeys, from K1

to K80, requiring 320 bytes of RAM.

The key for Quadibloc II must be at least eight bytes, or 64 bits, long, and may be any whole number of bytes up

to twice the length of the total size of the subkeys plus sixteen bytes, or 128 bits. Many maximum-length keys

will lead to duplicate internal key states of the cipher, of course; this maximum is an absolute maximum, beyond

which some bits of the key will simply be ignored in the keying process.

As well, S8, the key-dependent S-box, is subkey material, and requires an additional 256 bytes of RAM. This

total requirement of 576 bytes of RAM is the amount of storage needed for a key after key generation, which

may have to be non-volatile in some applications; additional RAM is of course also needed for scratchpad

storage in calculations, particularly during key generation.

Note: the bytes of S8 are stored as single bytes; they do not need to be expanded to four-byte entries to speed up

a permutation, as is true of the fixed S-boxes S1 through S4, and the inverse of S8 is not required for

deciphering, unlike S-boxes S5 through S7; the S-box requiring the least storage was chosen as the key-

dependent one. (Having a key-dependent S-box, of course, is a way to achieve a high degree of resistance to

differential and linear cryptanalysis.)

K1 K2 K3 K4

K5 K8 K11 K6 K9 K12 K7 K10 K13

K14 K17 K20 K15 K18 K21 K16 K19 K22

K23 K26 K29 K24 K27 K30 K25 K28 K31

...

K68 K71 K74 K69 K72 K75 K70 K73 K76

K77 K78 K79 K80

and so on; thus the subkeys are filled for one round before going on to the next, but the first subkey for each f-

function is filled before the second subkey for each f-function, and so on.

The subkeys for the degenerate rounds are just filled in numerical order, the first four at the start, and the last

four at the end.

First, the actual key is placed directly into the subkeys. It must consist of a whole number of bytes, and be at

least eight bytes long, for the rest of the procedure to work.

Fill A1, A2, A3, and B1, B2, B3, B4, and B5 with the first eight bytes of the key in order. Initialize the variable

Q to be zero.

Split the key into two pieces as follows, where L is the number of bytes in the key:

● If L is odd, the first piece consists of the first (L+1)/2 bytes of the key, the second piece is the remaining

bytes of the key. Then increase each piece in length by one byte by appending the one's complement of

the first byte in the piece to it.

● If L is an even number of the form 4n, the first piece consists of the first (L/2)+1 bytes of the key, the

second piece is the remaining bytes of the key. Then increase each piece in length by two bytes by

appending the one's complement of the first two bytes in the piece to it.

● If L is an even number of the form 4n+2, the first piece consists of the first (L/2)+2 bytes of the key, and

the second piece is the remaining bytes of the key. Then increase each piece in length by two bytes by

appending the one's complement of the first two bytes in the piece to it.

In the first case, the lengths of the two pieces of the key are two consecutive numbers, one even, and one odd. In

the second case, the lengths of the two pieces of the key are two odd numbers, differing by two. In the third case,

the lengths of the two pieces of the key are two odd numbers, differing by four. In all three cases, the lengths of

the two pieces of the key are relatively prime, and uniquely identify the length of the original key.

Each group of bytes is then used as the initial contents of a shift register, which operates as follows:

The sum of the first and third bytes in the shift register is XORed with the second-last byte in the shift register.

The result is used as the output of the shift register, and is also used as the new last byte in the shift register, all

other bytes being moved to the next earlier place, the first byte being discarded.

For each byte generated by XORing the outputs from the two shift registers, that byte is then transformed by

carrying out the following instructions:

For each of the numbers 0 to 4, do the following:

● Replace that number by its substitute in S-box 5a (that is, the first half of S-box 5, an S-box with 8 bits of

input as well as 8 bits of output, created by setting the MSB of the input to 0).

● Add the contents of A2 to the result, modulo 256.

● Replace that number by its substitute in S-box 5b (the second half of S-box 5).

● Add the contents of A3 to the result, modulo 256.

Modify the variables B1 through B5 by adding the results of this process for the numbers 0 to 4, respectively, to

them. (This is a permanent change; for each byte generated, new values are added to them, and the totals are

cumulative.)

Now, generate a byte from the two shift registers containing the two unequal pieces of the key as outlined above.

Add Q to that byte. Put that byte through the following process:

● Replace that number by its substitute in S-box 6a (the first half of S-box 6).

● XOR the result with the contents of B2.

● Replace that number by its substitute in S-box 6b (the second half of S-box 6).

● Add the contents of B3 to the result, modulo 256.

● Replace that number by its substitute in S-box 7a (the first half of S-box 7).

● XOR the result with the contents of B4.

● Replace that number by its substitute in S-box 7b (the second half of S-box 7).

● Add the contents of B5 to the result, modulo 256.

The result of this process is the output byte, to be placed in the subkeys. The output byte is also stored in the

variable Q.

One more step, however, remains in the process; the variables A1, A2, and A3 are changed (just as B1 through

B5 have already been changed) as follows: increment A2. If A2 wraps around, being incremented from 255 to

zero, increment A1. If A1 wraps around, increment A3.

● Generate three permutations of the numbers from 0 to 255 from the subkeys by the following procedure:

❍ Use successive bytes from the subkeys, starting with the leftmost (most significant) byte of subkey

K1, and going through the subkeys in numerical order, that is, K1, K2, K3, K4..., and then starting

where one has left off for subsequent permutations.

❍ Each permutation is generated by the use of either 512, or, under some rare circumstances, only

256, bytes. Note that 8-round Quadibloc II only has 320 bytes of subkey; (4 bytes times 9 subkeys

times 8 rounds, plus 8 additional subkeys for the start and finish); and therefore additional bytes

need to be generated for this version of Quadibloc II and other versions without a sufficiently large

number of rounds. The SIGABA-like procedure used initially to extend the key is used for this, but

with some modifications. In this case, A1 through B5 are filled with the last eight subkey bytes

(the first eight contain the first eight bytes of the key, which were previously used to fill A1

through B5, which would cause the generation process here to partially repeat the operations of the

earlier generation process), and the input byte to the process is obtained from a single shift register,

similar in form to each of the two shift registers using pieces of the original key, which initially

contains all of the subkeys, including the last eight bytes.

❍ A permutation is generated as follows:

■ Begin with three arrays of 256 numbers, the first of which is filled with the numbers from 0

to 255 in order. The arrays must also be able to hold the value -1. The second and third

arrays are filled with -1.

■ For each byte used: let the value of the byte be called N, and let I be a counter which starts

at 0 for the first byte, incrementing with each byte used, and ending at 255.

■ Then, for each byte:

■ If element N of the first array is not -1, set element N of the first array to -1, and set

■ Otherwise, store N in the first unused position (the first position containing -1) in the

third array.

■ Once this has been done, if the third array contains any numbers other than -1, proceed as

follows:

■ If there is only one filled (not equal to -1) element in the third array, then there is only one

remaining element in the first array, and one element of the second array equal to -1, so fill

the second array with the one available byte, and finish.

■ If there are only two filled elements in the third array, take the least significant bit of the

first filled element. If it is zero, fill the -1 elements of the second array with the remaining

elements of the first array in order; if it is one, do so in reverse order, and finish.

■ If there are less than 256 filled elements in the third array, repeat them over and over to fill

the array. Then, take an additional 256 input bytes (thus, 512 bytes are used except when

the first 256 bytes contain two or fewer duplicate bytes) and XOR them with the bytes of

the third array.

■ Now, use the third array to complete the second array by doing the following for II from 0

to 255:

■ Let the value of element II of the third array be XX.

■ Then, scan through the second array. When an element of the second array is -1, fill it with

the corresponding element of the first array (if it is not also -1) and set that element of the

first array to -1.

■ If there are any -1 elements left in the second array, fill them with the elements of the first

● The three permutations obtained in this manner are used to generate a key dependent S-box as follows:

❍ For N from 0 to 255:

❍ Set A to be element N of the first permutation; set B to be element N of the second permutation,

❍ Set element A of the S-box to equal C.

The key-dependent byte transpositions used at the beginning and end of the cipher are derived from the key-

dependent S-box S8 as follows: the first permutation consists in taking bytes 0, 1, ... 16 to the bytes indicated by

the least significant nibbles of the S-box entries in S8 of the form 0x in hexadecimal, taken in the order they are

found. Note that this builds up the permutation in "dispatch" form, while all the fixed permutations in this

description of Quadibloc II are given in "fetch" form. The second permutation is built up from the bytes of the

form 1x in hexadecimal. The third one, which takes place after the rounds are completed, is the inverse of the one

built up from the bytes of the form 9x in hexadecimal, and the fourth one is the inverse of the one built up from

the bytes of the form 8x in hexadecimal.

Then, the actual key sequence used for encipherment is generated by the following procedure:

Using the last 128-bits of the key, if the key is 128 bits long or more, or the key repeated as many times as

required to fill a 128-bit block otherwise (starting from the beginning, not the end and working backwards) as the

plaintext block, encipher it using the initial key schedule generated above, but with the following modifications.

The intermediate results of all three f-functions are saved. The following nine 32-bit words are produced from

each round of the encipherment process:

● The first intermediate result of the first f-function XOR the final value of the fourth subblock

● The second intermediate result of the first f-function

● The first f-function output

● The first intermediate result of the second f-function XOR the initial value of the fourth subblock

● The second intermediate result of the second f-function

● The second f-function output

● The first intermediate result of the third f-function

● The second intermediate result of the third f-function

● The third f-function output

Also, the degenerate rounds produce their f-function outputs as well, so exactly one 32-bit output is produced for

every subkey.

After each round of the encipherment process which is used to generate the final subkeys, the nine words above

are XORed to nine subkeys. The four f-function outputs of the degenerate rounds are also used, so the number of

words used equals the number of subkeys; each set of four degenerate rounds is treated as a single round in that

the four results are not applied to the subkeys until the set of four rounds has been performed completely. The

sequence of subkeys to which they are applied is as follows (reading across):

K79 K75 K66 ... K48 K39 K30 K21 K12

K78 K74 K65 ... K47 K38 K29 K20 K11

K77 K73 K64 ... K46 K37 K28 K19 K10

K72 K63 ... K45 K36 K27 K18 K9

K71 K62 ... K44 K35 K26 K17 K8 K4

K70 K61 ... K43 K34 K25 K16 K7 K3

K69 K60 ... K42 K33 K24 K15 K6 K2

K68 K59 ... K41 K32 K23 K14 K5 K1

thus, first the last subkey of each round is modified, then the second-last subkey of each round, and so on. The

subkeys are modified before the encipherment is completed, but only after each round is completed. The subkeys

used in the degenerate rounds are placed in the sequence as well as possible. The intermediate values applied are

taken from those generated by the subkeys in their numerical order.

Once the subkeys have been modified in this manner, if the size of the key was greater than the total size of the

subkeys, any remaining bytes in the key are to be XORed with the subkeys that are now present, using the same

order as was used for initially filling the subkey space,

K1 K2 K3 K4

K5 K8 K11 K6 K9 K12 K7 K10 K13

...

et cetera.

Allowing the key to be larger than the total size of the subkeys, of course, doesn't make sense after a point; but if

the excess is small, the main result is to make it possible for the same set of subkeys to be accompanied by

different values of the key-dependent S-box S8.

Then, the same procedure used to generate the initial value of S8 from the initial subkeys is applied to the final

subkeys. Since the subkeys may not have enough bytes in them to supply the permutation-generating process, the

SIGABA-like procedure of generating additional bytes is used again, as done previously for generating the initial

value of S8. Once again, A1 through B5 are filled from the last eight subkey bytes, and the earlier subkey bytes

are divided into two almost equal parts as was done with the key previously.

The generated result, however, is not used as the final value of S8. Instead, each element of S8 is replaced by the

value it points to in this result; that is, for N from 0 to 255, S8(N) becomes R(S8(N)). (Thus, S8 depends on both

the old and new subkeys, and doesn't relate to the current subkeys in a simple way.)

The new value of S8 is also used as the old value was above to provide the four key-dependent byte

transpositions which begin and end the cipher.

One may, if one wishes, see the view of the subkeys (other than those of the degenerate rounds) as belonging to a

rectangular prism of 32-bit words, accessed in three different directions, as evocative of Rijndael.

If you have time to encipher your data with 40 rounds of Quadibloc II, I have a variation for you. A diagram

giving an overview of this variation is provided.

First, the tiny Feistel rounds, the key-dependent byte permutation (derived from

the 0x bytes), the initial degenerate four-subkey series of rounds, and another

key-dependent byte permutation (derived from the 1x bytes), then a second layer

of tiny Feistel rounds, another key-dependent byte permutation (derived from

the 4x bytes), another series of four degenerate rounds, and another key-

dependent byte permutation (derived from the 5x bytes).

Then, four rounds of Quadibloc II, with the byte interchange after the first three

rounds following the pattern for a multiple of four rounds that is not a multiple

of 16 rounds.

Now, the whitening sequence is repeated, again first with a series of miniature

Feistel rounds.

Then, another key dependent byte permutation, derived from the elements of S8

in the form 2x.

(7x).

Thirty-two rounds of Quadibloc II, but with the additional XORs of the second

and third subblocks with the two intermediate values from the f-function of the

first subblock omitted. Byte interchange after the first 31 of these rounds is as

for a multiple of 16 rounds.

Key-dependent byte permutation, the inverse of the one derived from the

elements of S8 of the form Fx.

Key-dependent byte permutation, the inverse of the one derived from the elements of S8 of the form Bx.

Four rounds of Quadibloc II.

The final three-step whitening sequence, plus the tiny Feistel rounds, and byte transpositions, all repeated twice.

Byte transpositions are the inverses of those derived from the elements of S8 in the forms Dx, Cx, 9x, and 8x.

By restricting the perhaps dangerous - but diffusion-enhancing - XOR of intermediate results to the outer eight

Quadibloc rounds, one has a diffusing outer part and a secure core. This, of course, comes even closer to the

design of MARS.

Note that for this variation, when the keys are initially filled, the thirty-two subkeys for the four sets of

degenerate rounds stand outside the sequence; sixteen at the start, and sixteen at the end, and when the keys are

modified, the subkeys for the first four degenerate rounds are at the left of the top four rows, those for the last

four at the right of the bottom two rows.

K1 K2 K3 K4

K5 K6 K7 K8

K9 K12 K15 K10 K13 K16 K11 K14 K17

K18 K21 K24 K19 K22 K25 K20 K23 K26

K27 K30 K33 K28 K31 K34 K29 K32 K35

K28 K39 K42 K37 K40 K43 K38 K41 K44

K45 K46 K47 K48

K49 K50 K51 K52

K53 K56 K59 K54 K57 K60 K55 K58 K61

...

K332 K335 K338 K333 K336 K339 K334 K337 K340

K341 K342 K343 K344

K345 K346 K347 K348

K349 K352 K355 K350 K353 K356 K351 K354 K357

...

K376 K379 K382 K377 K380 K383 K378 K381 K384

K385 K386 K387 K388

K389 K390 K391 K392

and the order for adjusting the keys from f-function outputs and intermediate results is:

K392 K388 K348 K344 K384 K375 K366 K357 K340 ... K26 K17

K391 K387 K347 K343 K383 K374 K365 K356 K339 ... K25 K16

K390 K386 K346 K342 K382 K373 K364 K355 K338 ... K24 K15

K389 K385 K345 K341 K381 K372 K363 K354 K337 ... K23 K14

K380 K371 K362 K353 K336 ... K22 K13

K379 K370 K361 K352 K335 ... K21 K12 K52 K48 K8 K4

K378 K369 K360 K351 K334 ... K20 K11 K51 K47 K7 K3

K377 K368 K359 K350 K333 ... K19 K10 K50 K46 K6 K2

K376 K367 K358 K349 K332 ... K18 K9 K49 K45 K5 K1

shows how the basic Quadibloc II round can be modified to double the size of the S-boxes in the f-functions for

the second and third subblocks; one S-box, made from S-boxes 1 through 4 is used, so two extra nonlinearity bits

are used as input. This function uses all 32 nonlinearity control bits produced as the output of the f-function of

the first subblock.

Instead of using S-boxes S5 through S7 singly, they are used in pairs on the fourth subblock, and so the extra

nonlinearity bits required here are doubled as well. An additional 32 nonlinearity control bits are created from the

XOR of one intermediate result from the f-function of the second subblock and the other intermediate result from

the f-function of the third subblock. As switching between addition and XOR for applying the f-function outputs

directly to the fourth subblock requires only one bit per byte, the remaining four bits are used to switch the

addition operation to a subtraction operation.

The other major modification in this extended variant of the basic round is to use S8 in the same method as used

in the initial whitening phase to promote diffusion within the fourth subblock.

However, I find the following variation on the basic Quadibloc II round even more interesting:

Here, two other intermediate values in the f-function of the first subblock are used to form a 32-bit value used for

an ICE-style interchange between the f-functions of the second and third subblocks. The interchange takes place

just before S8 is applied, thus ensuring it significantly alters the f-function outputs applied to the fourth subblock.

As well, a micro-Feistel layer is used, as in the doubled nonlinearity variant, but this time to modify the first

subblock, so that all four subblocks are changed, and changed in a key-dependent way by every round (the

changes to the first three subblocks depend on the first subblock as well as the key, while those to the fourth

subblock depend on all of the first three subblocks).

with its corresponding round of type B:

which adds some additional operations to the round structure. Not wishing to give up being endian-neutral,

instead of throwing in a Pseudo-Hadamard Transform between the second and third subblocks, I used an XOR

but used S8 to avoid it cancelling out. The intent is merely to have an alteration to those subblocks that is slightly

more involved than a simple XOR of intermediate f-function results from the first subblock, but a little bit of

propagation between bytes is achieved by displacing bytes before the second XOR.

Also added is an interaction, taken from the block cipher 3-Way, between three of the subblocks. This places a

very small (3 bits input and output) nonlinear S-box in the cipher that operates on corresponding bits in the three

subblocks. Since it either operates on all but the first subblock, or all but the fourth subblock, two round types

were required to make the cipher equally secure against attacks from either direction. (The deciphering form of

the round could also be used, but that of course creates the slim possibility of some rounds partly undoing the

work of other rounds.)

Since each bit of the output is the bit of the input XOR a function of the other two bits that is 1 most of the time,

the identities of the bits are in a sense preserved; thus, it does not appear that the apparent danger of information

leaking past the involved transformation of the fourth subblock is a genuine concern. In addition, the type A

rounds are used at the beginning, and the type B rounds at the end, so that any leakage is towards the inside of

the block cipher rather than towards the outside.

Since the first subblock is aloof from the values and changes in the other three subblocks, the interaction between

the last three subblocks does not prevent the round from being invertible, even though it happens after the XOR

of intermediate results from the f-function of the first subblock. The interaction between the first three subblocks

does not prevent the round from being invertible, because the operations taking place before it are all self-

contained.

In analyzing Quadibloc II, it may be interesting to examine how it could be attacked if part of the internal key is

known. If S8 is known, Quadibloc II becomes a more conventional block cipher. Is the conventional part of it

still reasonably strong? If the conventional subkeys, but not S8, are known, but not the intermediate subkey

values, can part of the generation of S8 still be retraced? With only a small part of the internal operations of the

cipher controlled by the secret part of the key, can cryptanalysis trace enough to obtain information about S8?

Next

Start of Section

Skip to Next Chapter

Skip to Next Section

Table of Contents

Main Page

Home Page

[Next] [Up] [Previous] [Index]

Quadibloc III

Quadibloc III is an extension of Quadibloc II which uses a different type of block cipher as its inner core. It too

uses a 128-bit block size. Unlike Quadibloc II, which, at least with only eight full rounds, is not too much slower

than a typical AES candidate (although it isn't fully clear to me if eight rounds is enough for security), Quadibloc

III, while secure, is clearly too slow and complicated to be useful for practical purposes. Its value is that it

illustrates a number of concepts which may be useful in ciphers of a more practical size.

Here is a diagram giving an overview of the structure of Quadibloc III, to accompany a description of its rounds:

follows:

using the key-dependent S-box S8 as their f-

function, transforming 16-bit subkeys of the

block.

● Key-dependent permutation (derived from the

0x elements of S8) of the bytes in the block.

● Four simple rounds, using a single-level f-

function, that are aimed at obtaining high

diffusion, and which use 32-bit subkeys K1

through K4.

● Key-dependent permutation (derived from the

1x elements of S8) of the bytes in the block.

● Eight normal Quadibloc II rounds, each of

which uses nine subkeys, the first using

subkeys K5 through K13, the last using subkeys

K68 through K76.

● Key-dependent permutation (derived from the

2x elements of S8) of the bytes in the block.

● Two rounds of a form of Mishmash, whose

large quantity of subkeys is generated after the

contents of S10 and S11, and by the same

process. These rounds use fixed Quadibloc

subkeys for one half of the block, the subkeys

being K77 through K88 for the encipherment of

that block, and K89 through K100 for the f-

functions applied to the intermediate f-function

results, for the first Mishmash round, and K101 through K124 for the second Mishmash round.

● Key-dependent permutation (derived from the 3x elements of S8) of the bytes in the block.

● Sixteen rounds in which the block is enciphered as follows:

❍ one 16-bit subblock is enciphered by four Feistel rounds, using S8 as the f-function, but this time

❍ the results of the XOR are used as intermediate results, and are fed into the S-box S9.

❍ The four S9 outputs produce a 32-bit result whose first 16 bits are the first four bits of each of their

outputs, and whose last 16 bits are the last four bits of each of their outputs.

❍ This result is then enciphered by means of four Feistel rounds, where the f-function consists of first

XORing in a 16-bit half of a subkey, then using the two bytes of the result to index into two key-

dependent S-boxes, S10 and S11, which each take an 8-bit input and give a 16-bit output. The sum

of the two outputs is XORed with the other half of the 32-bit block.

❍ The 32-bit result of this process is used as a 32-bit subkey was used initially to encipher a further

16 bits of the block, and this continues until the entire 128-bit block has been enciphered in 16-bit

pieces.

These sixteen rounds each use fifteen subkeys; the first one uses subkey K125 to supply the four bytes

used for enciphering the first 16-bit subblock, and then subkeys K126 through K139, two at a time, for

enciphering the 32-bit intermediate results from enciphering one subblock to produce the 32-bit input to

use to encipher the next one, and the last one uses subkeys K350 through K364.

● Then, the preceding steps are done in reverse order, with the key-dependent byte permutations now being

the inverses of the ones derived from the Bx, Ax, 9x, and 8x elements of S8, and with the two Mishmash

rounds using subkeys K365 through K412, the eight normal Quadibloc II rounds using subkeys K413

through K484, and the set of four degenerate rounds using subkeys K485 through K488.

The following diagram illustrates the method used for the middle 16 rounds of Quadibloc III:

Using four eight-bit subkeys (derived from a single 32-bit subkey, to remain within the overall structure derived

from Quadibloc II), four Feistel rounds are used to encipher a 16-bit subblock; in the first round, the right half is

XORed with the first subkey, then replaced through S8, then added to the left half. The direction of the f-function

alternates from right to left to left to right, and in the two outer rounds, the subkey is XORed and the f-function

output added, and in the two inner rounds, the subkey is added and the f-function output XORed.

The four intermediate results of the f-functions, derived before S8 substitution, are used to index into the fixed S-

box S9. The S-box outputs are used to form a 32-bit word consisting of the first nibbles of the four substituted

results in order, then the second nibbles. (Since, looking sideways, the bottom, rather than the top, of the

previous four rounds are to the left, the diagram shows that the order needs to be reversed when drawing a left-to-

right round of this cipher, by means of a twist upon entry and exit from the horizontal Feistel rounds.)

The resulting 32-bit word is then itself enciphered by four Feistel rounds of a cipher which, like Blowfish, uses

wide key-dependent S-boxes in the f-function. Here, four 16-bit subkeys are used, and so they are derived from

two 32-bit regular subkeys.

The final interchange is not omitted, or the rounds can be thought of, as they are drawn, in in-place format, and

the first round goes from right to left (or, in the diagram, top to bottom).

If the first set of four Feistel rounds operating on a 16-bit subblock is denoted by 1, the second by 2, and angle

brackets are used to show how one round provides the subkey input for the next, the pattern of rounds used in

this phase is as follows:

< 7 < 6 < 5 < 4 < 3 < 2 < 1 8 <

8 < 7 < 6 < 5 < 4 < 3 < 2 < 1

> 7 > 8 1 > 2 > 3 > 4 > 5 > 6 >

< 1 8 < 7 < 6 < 5 < 4 < 3 < 2 <

< 2 < 1 8 < 7 < 6 < 5 < 4 < 3 <

< 3 < 2 < 1 8 < 7 < 6 < 5 < 4 <

< 4 < 3 < 2 < 1 8 < 7 < 6 < 5 <

< 5 < 4 < 3 < 2 < 1 8 < 7 < 6 <

< 6 < 5 < 4 < 3 < 2 < 1 8 < 7 <

The S-box S9 is fixed, and is generated by continuing the process used for generating S-boxes 1 through 7 from

Euler's constant to generate one more permutation of the numbers 0 through 255, therefore this S-box is the one

designated S11 on the page entitled Euler's Constant and the Quadibloc S-Boxes.

The concept of a cipher called Mishmash is noted in the conclusions section of this chapter, to which reference

may be required.

The left half of the block (in the second round, the right half) is enciphered using four rounds of Quadibloc. The

intermediate results, after XORing in the second of the three subkeys, of each of the four f-function outputs are

then subjected to the Quadibloc f-function again, with another twelve subkeys, and the four 32-bit outputs are

XORed together.

The 32-bit result controls the encipherment of the right half of the block. The right half of the block is enciphered

by cipher steps 1 through 5. The first 25 bits of the 32-bit result is divided into five 5-bit values, indicating for

each of the five cipher steps, in order of their numeric labels, which of 32 sets of subkey material is used for

them.

The last 7 bits of the 32-bit result indicates the order in which the five cipher steps take place. Values 0 through

119 of these seven bits give the 120 permutations of the numbers from 1 through 5 in numerical order, as shown

in the following table:

1 12354 25 21354 49 31254 73 41253 97 51243

2 12435 26 21435 50 31425 74 41325 98 51324

3 12453 27 21453 51 31452 75 41352 99 51342

4 12534 28 21534 52 31524 76 41523 100 51423

5 12543 29 21543 53 31542 77 41532 101 51432

7 13254 31 23154 55 32154 79 42153 103 52143

8 13425 32 23415 56 32415 80 42315 104 52314

9 13452 33 23451 57 32451 81 42351 105 52341

10 13524 34 23514 58 32514 82 42513 106 52413

11 13542 35 23541 59 32541 83 42531 107 52431

12 14235 36 24135 60 34125 84 43125 108 53124

13 14253 37 24153 61 34152 85 43152 109 53142

14 14325 38 24315 62 34215 86 43215 110 53214

15 14352 39 24351 63 34251 87 43251 111 53241

16 14523 40 24513 64 34512 88 43512 112 53412

17 14532 41 24531 65 34521 89 43521 113 53421

19 15243 43 25143 67 35142 91 45132 115 54132

20 15324 44 25314 68 35214 92 45213 116 54213

21 15342 45 25341 69 35241 93 45231 117 54231

22 15423 46 25413 70 35412 94 45312 118 54312

23 15432 47 25431 71 35421 95 45321 119 54321

and the remaining values give the following eight preferred orders once again:

120 31425

121 32415

122 51423

123 52413

124 31524

125 32514

126 41523

127 42513

Only one pool of 32 subkey values is used by all four Mishmash rounds in the cipher (which is different from the

Mishmash concept described in the conclusions section), despite the danger that a subkey may be used more than

once.

1. Two rounds of DES. Two 48-bit subkeys are the subkey material this uses.

2. Two rounds of Quadibloc. Six 32-bit subkeys are the subkey material this uses.

3. Four rounds of SKIPJACK. Sixteen 8-bit subkeys are the subkey material this uses.

4. One round of SAFER. Two 64-bit subkeys are the subkey material this uses.

5. Two rounds of GoodStuff. This consists of two rounds, similar to the middle rounds of this cipher, but

acting on only four 16-bit subblocks each. The ordering of the operations is 1234 followed by 4321 (not

3214). This uses fourteen 32-bit subkeys as subkey material.

In the Mishmash rounds, the final interchange is not omitted after the DES and Quadibloc rounds, since they are

part of an ongoing block cipher. This is true also of the Mishmash concept, as can be seen from the diagrams,

which show the ciphers in in-place form.

The four Skipjack rounds are type A in the first two Mishmash rounds in the cipher, and type B in the last two. In

addition, the SAFER rounds in the last two Mishmash rounds are rounds of SAFER decryption instead of

SAFER encryption, for the same reason.

Subkey Generation

Subkey generation for Quadibloc III follows the same general scheme as for Quadibloc II; initial subkeys are

generated using a method similar to the one used in Quadibloc II, but somewhat more elaborate.

Fill A1, A2, and A3; B1, B2, B3, B4, and B5; and C1, C2, C3, C4, and C5 with the first thirteen bytes of the key

in order. Initialize the variable Q to be zero.

Split the key into two pieces as follows, where L is the number of bytes in the key:

● If L is odd, the first piece consists of the first (L+1)/2 bytes of the key, the second piece is the remaining

bytes of the key. Then increase each piece in length by one byte by appending the one's complement of

the first byte in the piece to it.

● If L is an even number of the form 4n, the first piece consists of the first (L/2)+1 bytes of the key, the

second piece is the remaining bytes of the key. Then increase each piece in length by two bytes by

appending the one's complement of the first two bytes in the piece to it.

● If L is an even number of the form 4n+2, the first piece consists of the first (L/2)+2 bytes of the key, and

the second piece is the remaining bytes of the key. Then increase each piece in length by two bytes by

appending the one's complement of the first two bytes in the piece to it.

In the first case, the lengths of the two pieces of the key are two consecutive numbers, one even, and one odd. In

the second case, the lengths of the two pieces of the key are two odd numbers, differing by two. In the third case,

the lengths of the two pieces of the key are two odd numbers, differing by four. In all three cases, the lengths of

the two pieces of the key are relatively prime, and uniquely identify the length of the original key.

Each group of bytes is then used as the initial contents of a shift register, which operates as follows:

The sum of the first and third bytes in the shift register is XORed with the second-last byte in the shift register.

The result is used as the output of the shift register, and is also used as the new last byte in the shift register, all

other bytes being moved to the next earlier place, the first byte being discarded.

For each byte generated by XORing the outputs from the two shift registers, that byte is then transformed by

carrying out the following instructions:

● Replace that number by its substitute in S-box 5a (that is, the first half of S-box 5, an S-box with 8 bits of

input as well as 8 bits of output, created by setting the MSB of the input to 0).

● Add the contents of A2 to the result, modulo 256.

● Replace that number by its substitute in S-box 5b (the second half of S-box 5).

● Add the contents of A3 to the result, modulo 256.

Modify the variables B1 through B5 by adding the results of this process for the numbers 0 to 4, respectively, to

them. (This is a permanent change; for each byte generated, new values are added to them, and the totals are

cumulative.)

Once that has been done, using the modified values of B1 through B5, we once again use the numbers 0 to 4 in

order as inputs as we do the following:

● Replace that number by its substitute in inverse S-box 7b (the inverse of the second half of S-box 7).

● XOR the result with the contents of B2.

● Replace that number by its substitute in inverse S-box 5b (the inverse of the second half of S-box 5).

● Add the contents of B3 to the result, modulo 256.

● Replace that number by its substitute in inverse S-box 7a (the inverse of the first half of S-box 7).

● XOR the result with the contents of B4.

● Replace that number by its substitute in inverse S-box 5a (the inverse of the first half of S-box 5).

● Add the contents of B5 to the result, modulo 256.

Modify the variables C1 through C5 by adding the results of this process for the numbers 0 to 4, respectively, to

them. (This is a permanent change; for each byte generated, new values are added to them, and the totals are

cumulative.)

Now, generate a byte from the two shift registers containing the two unequal pieces of the key as outlined above.

Add Q to that byte. Put that byte through the following process:

● Replace that number by its substitute in S-box 6a (the first half of S-box 6).

● XOR the result with the contents of C2.

● Replace that number by its substitute in S-box 6b (the second half of S-box 6).

● Add the contents of C3 to the result, modulo 256.

● Replace that number by its substitute in S-box 7a (the first half of S-box 7).

● XOR the result with the contents of C4.

● Replace that number by its substitute in S-box 7b (the second half of S-box 7).

● Add the contents of C5 to the result, modulo 256.

The result of this process is the output byte, to be placed in the subkeys. The output byte is also stored in the

variable Q.

One more step, however, remains in the process; the variables A1, A2, and A3 are changed (just as B1 through

B5 have already been changed) as follows: replace A1 with the former contents of A2; replace A2 with the

former contents of A3; and replace A3 with the former contents of A3 XOR the current output byte (also stored

in Q).

After generating the first 440 regular 32-bit subkeys, initial values of the remaining subkey material is generated

in the following order:

● first, initial subkeys K441 through K488 (which will later be used for subkeys with different numbers),

(192 bytes)

● then the contents of key-dependent S-box S8, (from 1536 to 2304 bytes are used to produce this, since it

is generated from three permutations which require either 512 or 768 bytes to produce)

● then the 256 16-bit entries for each of S10 and S11; (1024 bytes)

● then the Mishmash subkeys; 32 sets of two 48-bit subkeys for the DES rounds, (384 bytes)

● 32 sets of six 32-bit subkeys for the Quadibloc rounds, (768 bytes)

● 32 sets of sixteen 8-bit subkeys for the Skipjack rounds, (512 bytes)

● 32 sets of two 64-bit subkeys for the SAFER rounds, (512 bytes)

● 32 sets of fourteen 32-bit subkeys for the GoodStuff rounds. (1792 bytes)

● An additional 2304 bytes of subkey material to be used later. (2304 bytes)

All the subkey material thus generated, except the material used to produce S-box S8, is retained in order in an

array for later modification.

● Generate three permutations of the numbers from 0 to 255 from the subkeys by the following procedure:

❍ Use successive bytes from the subkeys, starting with the leftmost (most significant) byte of subkey

K1, and going through the subkeys in numerical order, that is, K1, K2, K3, K4..., and then starting

where one has left off for subsequent permutations.

❍ Each permutation is generated by the use of either 512, or, under some rare circumstances, only

256, bytes.

❍ A permutation is generated as follows:

■ Begin with three arrays of 256 numbers, the first of which is filled with the numbers from 0

to 255 in order. The arrays must also be able to hold the value -1. The second and third

arrays are filled with -1.

■ For each byte used: let the value of the byte be called N, and let I be a counter which starts

at 0 for the first byte, incrementing with each byte used, and ending at 255.

■ Then, for each byte:

■ If element N of the first array is not -1, set element N of the first array to -1, and set

element I of the second array to N.

■ Otherwise, store N in the first unused position (the first position containing -1) in the

third array.

■ Once this has been done, if the third array contains any numbers other than -1, proceed as

follows:

■ If there is only one filled (not equal to -1) element in the third array, then there is only one

remaining element in the first array, and one element of the second array equal to -1, so fill

the second array with the one available byte, and finish.

■ If there are only two filled elements in the third array, take the least significant bit of the

first filled element. If it is zero, fill the -1 elements of the second array with the remaining

elements of the first array in order; if it is one, do so in reverse order, and finish.

■ If there are less than 256 filled elements in the third array, repeat them over and over to fill

the array. Then, take an additional 256 input bytes (thus, 512 bytes are used except when

the first 256 bytes contain two or fewer duplicate bytes) and XOR them with the bytes of

the third array.

■ Now, use the third array to complete the second array by doing the following for II from 0

to 255:

■ Let the value of element II of the third array be XX.

■ Then, scan through the second array. When an element of the second array is -1, fill it with

the corresponding element of the first array (if it is not also -1) and set that element of the

first array to -1.

■ If there are any -1 elements left in the second array, fill them with the elements of the first

● The three permutations obtained in this manner are used to generate a key dependent S-box as follows:

❍ For N from 0 to 255:

❍ Set A to be element N of the first permutation; set B to be element N of the second permutation,

❍ Set element A of the S-box to equal C.

Only the first 440 subkeys, each 32-bits long, which are the first subkey material generated by this method, are

modified by the key augmentation technique of performing an initial encipherment, and XORing subkeys with

intermediate results. Because some of the rounds do not produce intermediate results suitable for this use, the key

augmentation step undergoes an important change. Instead of modifying the 440 subkeys by performing a normal

Quadibloc III encipherment, and using its intermediate results, a modified encipherment, using only normal

rounds found in Quadibloc II is used.

The modified encipherment consists of one group of four degenerate rounds, forty-eight normal Quadibloc II

rounds, and one more group of four degenerate rounds. This arrangement uses exactly 440 subkeys. Four key-

dependent byte permutations are used, from 0x, 1x, and inverse 9x and 8x; only one unkeyed whitening step,

followed by the 0x permutation, begins the cipher; the 1x permutation follows the first group of four degenerate

rounds, preceding the first conventional Quadibloc II round.

The subkeys are initially filled in the following order, consistent with Quadibloc II practice:

K1 K2 K3 K4

K5 K8 K11 K6 K9 K12 K7 K10 K13

K14 K17 K20 K15 K18 K21 K16 K19 K22

...

K428 K431 K434 K429 K432 K435 K430 K433 K436

K437 K438 K439 K440

and are modified during key enrichment in the following order (although the subkeys are aligned in columns to

illustrate their pattern, the order used is that found by reading across):

K439 K435 ... K21 K12

K438 K434 ... K20 K11

K437 K433 ... K19 K10

K432 ... K18 K9

K431 ... K17 K8 K4

K430 ... K16 K7 K3

K429 ... K15 K6 K2

K428 ... K14 K5 K1

Bytes for use in the 48 additional subkeys, S10 and S11, and in Mishmash, are generated during the initial part of

subkey generation, even though these parts of the cipher aren't used in key-enrichment; then, during the key-

enrichment phase, nine bytes of output from the same shift register process as was used to fill all the subkey

material with its initial values, but modified in an analogous fashion to that used for Quadibloc II (the last 13

bytes of the 440 regular subkeys are used to fill A1 through C5, and one shift register, rather than two, is used,

consisting of the rest of the subkey material), are used to modify eight bytes in this additional subkey material.

This is done as follows: the first byte determines the use of the next eight bytes; if its most significant bit is a 1,

the next byte is XORed to the previously generated byte, if its most significant bit is a 0, the next byte replaces

the corresponding previously generated byte, and so on through the bits of the first byte and the bytes following.

The additional subkey material being modified in this step consists of 7488 bytes. For the purpose of an

additional operation to be performed concurrently with the XOR or replacement of these bytes in groups of eight

using generated bytes in groups of nine, these bytes are to be considered as 20 blocks of 256 bytes each, plus 64

extra bytes.

The additional manipulation to be performed consists of two steps. Only during the processing of the second

through the 19th of the 20 complete blocks are both steps done; one is done during the processing of the first

block.

For each of the first 256 generated bytes of the 288 generated bytes required to modify the 256 bytes of the

current block, the next block is modified as follows:

Letting c be a counter, 0 for the first generated byte, and incremented by one as we change to use each additional

generated byte, and letting n be the value of the current generated byte, we swap byte c and byte n of the next

block.

This only requires the existence of a following block, and is therefore done when the current block is any block

from the first through the nineteenth.

For each of the last 256 generated bytes of the 288 generated bytes we use in modifying the 256-byte current

block, immediately following the use of that same byte for modifying the next block during the period when both

operations overlap, we modify the preceding block as follows:

Letting c be a counter, 0 for the first generated byte used by this step, the 33rd of the 288 generated bytes for the

current block, and letting n be the value of the current generated byte, we let p be the value of byte c of the next

block, and let q be the value of byte n of the previous block.

We then swap bytes p and q of the previous block. Letting k be the XOR of the values of the two bytes so

swapped, byte n of the previous block is then modified by being XORed with byte k of the next block.

This requires both a preceding and a following block, and is done for the second block through the nineteenth.

Performing these transposition steps on the subkey material helps to destroy any pattern it might contain.

As many of the last 2304 bytes of subkey material as required are used to generate a permutation following the

steps used for generating the initial value of S8. The generated result, however, is not used as the final value of

S8. Instead, each element of S8 is replaced by the value it points to in this result; that is, for N from 0 to 255, S8

(N) becomes R(S8(N)). (Thus, S8 depends on both the old and new subkeys, and doesn't relate to the current

subkeys in a simple way.)

Then, the 488 subkeys required for Quadibloc III are produced from the 440 subkeys generated normally and the

48 additional ones by using the 48 additional subkeys in order as the ones for the f-functions that are used to

modify the f-function results before being XORed together in the Mishmash rounds.

Hence,

● subkeys K441 through K452 are moved to subkeys K89 through K100,

● subkeys K89 through K100 are moved to subkeys K101 through K112,

● subkeys K453 through K464 are moved to subkeys K113 through K124,

● subkeys K101 through K352 are moved to subkeys K125 through K376,

● subkeys K465 through K476 are moved to subkeys K377 through K388,

● subkeys K353 through K364 are moved to subkeys K389 through K400,

● subkeys K477 through K488 are moved to subkeys K401 through K412,

● and, finally, subkeys K365 through K440 are moved to subkeys K413 through K488.

Note that implementations need not actually move the subkeys around, but merely need to ensure that each

encipherment step uses the correct subkeys from those stored in memory.

Specific named variations of Quadibloc III are provided here to broaden its range of applicability.

The first variation is Quadibloc III SC (Short Cycle). This version retains the complexity of Quadibloc III, but

eliminates the large number of rounds of the GoodStuff kind in the middle of the cipher. Instead, only two such

rounds are retained, with the following arrangement:

8 < 7 < 6 < 5 < 4 < 3 < 2 < 1

This, by reducing the amount of required subkey material from 488 subkeys to 278, and hence the key

augmentation phase of key generation is modified as follows: eight regular Quadibloc II rounds are used, the first

10 words of S10 are also modified, and there is no shifting of subkeys out of numerical order, as was required to

exclude a particular 48 subkeys from key augmentation in the normal version. The unkeyed whitening step, and

the initial and final byte transposes (0x and 8x) are also retained in the modified encipherment.

The next variation is Quadibloc III MD (Maximum Dispersion). This version adds eight 64-bit words of subkey

material to what is used by the cipher. They are not used during the modified encipherment cycle performed for

key augmentation, but they are generated initially, like other parts of the subkey material not then used. They are

generated immediately after the 32 extra normal subkeys which are modified after, instead of during, key

augmentation, and immediately before calculating S-box S8. Otherwise, since the key schedule is only

lengthened, key augmentation is not otherwise modified for this variation.

These 64-bit words are used to perform an ICE-style interchange of the left and right halves of the block,

immediately after the first four key-dependent byte interchanges derived from S-box S8 and immediately before

the last four such byte interchanges. A 1 bit corresponds to a bit to be interchanged, and the words are used in

order during encipherment.

Finally, Quadibloc III SD (Short/Dispersive) combines the modifications in Quadibloc III SC and Quadibloc III

MD. As it has 294 32-bit words of normal subkey, the key augmentation phase of its key generation is based on a

modified encipherment involving a byte transpose based on the 0x row of S8, an unkeyed whitening step, a set of

four degenerate rounds, a byte transpose based on the 1x row of S8, eight normal Quadibloc II rounds, the 9x

transpose, four degenerate rounds, inverse whitening, and the 8x transpose. The first two words of S10 are also

included in the key augmentation for this variation.

A variation in the round structure, like those illustrated for Quadibloc II, will also be illustrated here, but in this

case it is for the Mishmash portion of the cipher.

This diagram gives an overview of the Mishmash rounds as modified. Instead of placing the intermediate results

of the four QUADIBLOC 96 rounds on the left side through an additional QUADIBLOC f-function, these results

are used to produce a 32-bit result by means of the 32-bit Feistel structure used within the GoodStuff portion of

the cipher. This reduces the number of additional subkeys required for this part of the cipher to 8 from 48, but the

strength of the modified cipher appears fully satisfactory.

Another variation on Quadibloc III uses the modified Mishmash rounds described above, but in addition changes

the order of the rounds in line with insights that have come out of looking at how some differential attacks,

including the boomerang attack work. The idea is that parts of the cipher that are analytically simple are put on

the outside, and parts that are harder to analyze, but possibly leaving room for new probing attacks, are put in the

center. A diagram giving an overview of the variation, accompanied by its description, are below:

using the key-dependent S-box S8 as their f-

function, transforming 16-bit subkeys of the

block.

● Key-dependent permutation (derived from the

0x elements of S8) of the bytes in the block.

● Four simple rounds, using a single-level f-

function, that are aimed at obtaining high

diffusion, and which use 32-bit subkeys K1

through K4.

● Key-dependent permutation (derived from the

1x elements of S8) of the bytes in the block.

● Two rounds in which the block is enciphered as

follows:

❍ one 16-bit subblock is enciphered by

function, but this time preceded by the

XOR of a subkey byte;

❍ the results of the XOR are used as

S-box S9.

❍ The four S9 outputs produce a 32-bit

four bits of each of their outputs, and

whose last 16 bits are the last four bits of

each of their outputs.

❍ This result is then enciphered by means

function consists of first XORing in a 16-

bit half of a subkey, then using the two

bytes of the result to index into two key-

dependent S-boxes, S10 and S11, which

each take an 8-bit input and give a 16-bit

output. The sum of the two outputs is

XORed with the other half of the 32-bit

block.

❍ The 32-bit result of this process is used

encipher a further 16 bits of the block,

and this continues until the entire 128-bit block has been enciphered in 16-bit pieces.

These two rounds each use fifteen subkeys; the first one uses subkey K5 to supply the four bytes used for

enciphering the first 16-bit subblock, and then subkeys K6 through K19, two at a time, for enciphering the

32-bit intermediate results from enciphering one subblock to produce the 32-bit input to use to encipher

the next one, and the second one uses subkeys K20 through K34.

● Key-dependent permutation (derived from the 2x elements of S8) of the bytes in the block.

● Eight normal Quadibloc II rounds, each of which uses nine subkeys, the first using subkeys K35 through

K43, the last using subkeys K98 through K106.

● Key-dependent permutation (derived from the 3x elements of S8) of the bytes in the block.

● Four rounds of a form of Mishmash, whose large quantity of subkeys is generated after the contents of

S10 and S11, and by the same process. These rounds use fixed Quadibloc subkeys for one half of the

block, the subkeys being K107 through K118 for the encipherment of that block, and K119 through K120

for the Feistel rounds with a 32-bit block using S-boxes S10 and S11 that modify its intermedate results,

for the first Mishmash round, and the remaining Mishmash rounds use subkeys K121 through K162.

● Then, the preceding steps are done in reverse order, with the key-dependent byte permutations now being

the inverses of the ones derived from the Bx, Ax, 9x, and 8x elements of S8, and with the eight normal

Quadibloc II rounds using subkeys K163 through K234, the two GoodStuff rounds using subkeys K235

through K264, and the set of four degenerate rounds using subkeys K265 through K268.

The 268 subkeys required, plus the first 20 32-bit words of the S-box S11, are modified after initial subkey

generation by key augmentation through 32 normal Quadibloc II rounds with no degenerate rounds, (and two

byte transposes, based on the 0x and 8x rows, instead of four, and two unkeyed whitening steps, as for the

regular cipher) and there is no shifting of subkeys out of numerical order, as was required to exclude a particular

48 subkeys from key augmentation in the normal version.

Next

Start of Section

Skip to Next Chapter

Table of Contents

Main Page Home Page

[Next] [Up] [Previous] [Index]

Quadibloc IV

Quadibloc IV is a block cipher with a 128-bit blocksize with a simpler design than that

of either Quadibloc III or even Quadibloc II. It has 32 rounds, numbered from 1 to 32,

each using three 32-bit subkeys.

It uses the S-boxes S1, S2, and S3 (S3 is only used during key generation) derived

from Euler's constant, as listed in the description of Quadibloc II.

It attempts - despite the fact that A xor B and B xor A are the same thing - to use a

strategy derived from hash functions to produce a secure f-function; the quantity

XORed to the first subblock in each round is the XOR of two f-functions, one which

uses a subblock as input, and two subkeys as keys, and one which uses a subkey as

input, and two subblocks as keys.

The Rounds

The 128-bit block is considered to be divided into four 32-bit subblocks, B1 through

B4. The leftmost subblock, B1, is the only one modified in a round. It has two

quantities XORed to it:

● An f-function, using B2 as input, with the first two subkeys for the round as

keys, using S1 as the S-box.

● An f-function, using the third subkey for the round as input, with B3 and B4 as

keys, using S2 as the S-box.

The f-function is essentially the basic Quadibloc f-function: XOR the input and the first

key, substitute the bytes in the S-box, and then perform the following regular

permutation of the bits:

1 2 27 28 21 22 15 16 9 10 3 4 29 30 23 24

17 18 11 12 5 6 31 32 25 26 19 20 13 14 7 8

Then, XOR the input and the second key and again perform the S and P steps. In

Quadibloc IV, no third key is used.

The diagram illustrates the way in which the subblocks are interchanged after a typical

round:

3 4 2 1

After round 4 and after round 28, the bytes of the 128-bit block are interchanged in the

following order:

1 14 11 8 5 2 15 12 9 6 3 16 13 10 7 4

After round 16, the four subblocks are interchanged in this order:

3 2 1 4

After the other rounds whose numbers are divisible by 4, the four subblocks are

interchanged in this order:

3 1 4 2

Hence, if one numbers the subblocks on entry to round 5 as 1, 2, 3, and 4, the orders in

which they appear from round 5 to round 28 are as follows:

1 2 3 4 3 4 2 1 2 1 4 3 4 3 1 2

1 4 2 3 2 3 4 1 4 1 3 2 3 2 1 4

1 3 4 2 4 2 3 1 3 1 2 4 2 4 1 3

1 4 3 2 3 2 4 1 4 1 2 3 2 3 1 4

1 2 4 3 4 3 2 1 2 1 3 4 3 4 1 2

1 3 2 4 2 4 3 1 3 1 4 2 4 2 1 3

Because of the byte interchange after rounds 4 and 28, the first and last four rounds

function as a whitening phase of the block cipher.

Key Generation

Two shift registers, one 64 bytes in length and one 65 bytes in length, are used to

generate subkeys, and are loaded with the key, which can be from 2 to 63 bytes in

length, as follows:

❍ The 64-byte shift register is loaded with the key, followed with the one's

needed to fill it.

❍ The 65-byte shift register is loaded with the bytes of the key in reverse

order, followed by the one's complement of the key (in normal order),

followed by as many repetitions of the key as are needed to fill its first

64 bytes, followed by the one's complement of the first byte of the key.

● If the key is from 33 to 63 bytes in length:

❍ The 64-byte shift register is loaded with the first half of the key

(including one more byte than the second half, if the number of key bytes

is odd), followed by the one's complement of the first half of the key and

as many repetitions of the first half of the key as are needed to fill it.

❍ The 65-byte shift register is loaded with the second half of the key,

followed by the one's complement of the second half of the key, and as

many repetitions of the second half as are needed to fill its first 64 bytes,

followed by the one's complement of the first byte of the second half of

the key.

Initial values of subkey bytes are generated from these two shift registers as follows:

Take the 49th byte, add the 33rd byte, and XOR the 64th byte. Find the substitute for

the result in S-box S3. XOR the 3rd byte, and add the 1st byte.

The result will be the new first byte of the shift register, the other bytes being advanced

one place, and the old 64th byte being discarded.

Take the 23rd byte, add the 65th byte, and XOR the 11th byte. Find the substitute for

the result in S-box S3. Add the 50th byte, and XOR the 1st byte.

The result will be the new 65th byte of the shift register, the other bytes being moved to

the next earlier place, and the old 1st byte being discarded.

The byte of the subkey generated from this step is the generated new first byte of the

first shift register, replaced with its substitute from S-box S3, XORed with the

generated new 65th byte of the second shift register.

Once all 96 subkeys have been filled with their initial values, key augmentation takes

place. A normal encipherment cycle is performed, enciphering the 128-bit block

A5 C3 E1 2D B4 87 96 F0 0F 69 78 4B D2 1E 3C 5A

but after each round, the four intermediate values generated in the round are applied as

follows:

1. The output of the SP operation following the use of the first subkey for the

round;

2. The output of the SP operation following the use of the second subkey for the

round;

3. The output of the SP operation following the use of the third subblock;

4. The output of the SP operation following the use of the fourth subblock;

Intermediate values 1, 2, and 4 of each round are XORed to the subkeys after the round

is over, and the order in which the subkeys is modified is:

K2 K5 K8 K11 K14 ... K95

K3 K6 K9 K12 K15 ... K96

and then, intermediate value 3 from the round is added, using byte-wide addition (as

well as creating no endian confusion, this is sure to be implementable, even on systems

that support only 16-bit arithmetic with no way to disable integer overflow exceptions)

to the following subkeys in this order:

As this block cipher was designed using design principles from hash functions, it

seemed appropriate to specify a mode in which it could be used to generate a hash of a

file. However, only the simplest mode is specified here, generating a 128-bit hash,

which is not considered adequately long to obtain collision resistance.

One iteration of the cipher will be used to hash a block consisting of 32 32-bit words,

or 128 bytes. The string of bits to be hashed will be converted to a whole number of

blocks by having a 1 appended to it, and then the result will be filled out with zeroes to

fill the last block.

A5 C3 E1 2D B4 87 96 F0 0F 69 78 4B D2 1E 3C 5A

The subkeys for the encipherment will be supplied by the block to be hashed as follows:

Both subkeys

and subkeys

will be supplied from the bytes of the block, taken in groups of four, in order. (The first

byte is the leftmost byte of the word.)

Subkeys

K1: 243F6A88 K4: 85A308D3 K7: 13198A2E K10: 03707344

K13: A4093822 K16: 299F31D0 K19: 082EFA98 K22: EC4E6C89

K25: 452821E6 K28: 38D01377 K31: BE5466CF K34: 34E90C6C

K37: C0AC29B7 K40: C97C50DD K43: 3F84D5B5 K46: B5470917

K49: 9216D5D9 K52: 8979FB1B K55: D1310BA6 K58: 98DFB5AC

K61: 2FFD72DB K64: D01ADFB7 K67: B8E1AFED K70: 6A267E96

K73: BA7C9045 K76: F12C7F99 K79: 24A19947 K82: B3916CF7

K85: 0801F2E2 K88: 858EFC16 K91: 636920D8 K94: 71574E69

which are the hexadecimal digits in the fractional portion of pi (also used as the starting

value of the S-boxes and subkeys in Blowfish, although it uses 784 of them, not just 32

of them).

After each block is hashed, the input to the encryption cycle is XORed with the output

to produce the current value of the hash, which will be the input to the next encryption

cycle.

A Variation of Quadibloc IV

subkeys, an additional 1536 to 2304 bytes are generated to create S8 in the same

fashion as the initial value of S8 was generated in Quadibloc II and Quadibloc III. This

key-dependent S-box is not modified again after key augmentation, and it is used to

perform a substitution on the four bytes of the two f-function outputs after the second

SP portion. This modification makes Quadibloc IV considerably more secure against

differential and linear cryptanalysis.

Next

Start of Section

Skip to Next Chapter

Skip to Next Section

Table of Contents

Main Page Home Page

[Next] [Up] [Previous] [Index]

Quadibloc V

Quadibloc V is a straightforward and simple member of the Quadibloc family of ciphers. It operates on a 128-bit

block, and has a key which must consist of number of bytes that is a multiple of four and which is equal or

greater than 8. It uses S-box S1 derived from Euler's constant, as used in other ciphers of the Quadibloc series,

and it uses one key-dependent S-box, called S2, which has 16 entries, each 64 bits long.

It has four rounds, and each round uses 72 bytes of subkey material. The halves of the block are swapped after

each of the first three rounds.

As encipherment and decipherment are different, and as the f-function only diffuses half of the information in the

left half of the block, it might seem that there are opportunities for cryptanalysis. But what happens to the right

half of the block, and the use of a key-dependent S-box, even if only a minimal one, appears to close any such

opportunities. Also, the key schedule seems to be secure, although it too is greatly simplified over that of

Quadibloc II or III.

The Rounds

The bytes in the left half of the block are used in pairs to generate bytes the nybbles of which are then used to

select two entries from S-box S2.

One copy of the second byte in the pair is XORed with a byte of subkey material; the next copy has the next byte

of subkey material added to it. Then both copies are replaced by their corresponding entries in S-box S1. The

first byte in the pair first has the first copy of the other byte, as modified, added to it. This intermediate result is

retained for later use. Then it is replaced by the entry it now selects in S-box S1. Finally, the second copy of the

other byte, as modified, is XORed to it.

The first and second nybbles of this resulting byte are used to index to two elements of S-box S2. The entry

chosen by the second nybble of a byte then has its halves swapped. The intermediate result saved for later use is

also split into two nybbles, each used to index an element from S-box S2. The one chosen by the first nybble is

rotated 16 bits left, and the one chosen by the second nybble is rotated 16 bits right.

These elements of S-box S2 are XORed with the right half of the block at various times.

This portion of the cipher uses the first eight subkey bytes for the round.

First, the bytes in the right half of the block are modified by going through tiny Feistel rounds, similar to

permutation G of SKIPJACK, but here using S-box S1 as the f-function. First, each pair of bytes goes through

two rounds of this, first the left-hand byte modifying the right-hand byte, then the right-hand byte modifying the

left-hand byte. Two subkeys are used to perform these two rounds for one pair of bytes, then the next two

subkeys are used for two rounds for the next pair of bytes, as is visible from the numbering in the diagram.

● the one from the first nybble of the byte generated from the first pair of bytes in the left half of the block

● the one (with its halves swapped) from the last nybble of the byte generated from the last pair of bytes in

the left half of the block

● the one (rotated 16 bits to the left) from the first nybble of the intermediate result generated from the

second pair of bytes in the left half of the block

● the one (rotated 16 bits to the right) from the second nybble of the intermediate result generated from the

third pair of bytes in the left half of the block

Then, two more tiny Feistel rounds are applied to each pair of bytes in the right half, and then the bytes are

interchanged as follows:

1 4 3 6 5 8 7 2

and then another two tiny Feistel rounds are applied. Note that this interchange, applied three times, ensures that

each even byte is paired with each odd byte for four tiny Feistel rounds during this process.

● the one from the first nybble of the byte generated from the second pair of bytes in the left half of the

block

● the one (with its halves swapped) from the last nybble of the byte generated from the third pair of bytes in

the left half of the block

● the one (rotated 16 bits to the left) from the first nybble of the intermediate result generated from the first

pair of bytes in the left half of the block

● the one (rotated 16 bits to the right) from the second nybble of the intermediate result generated from the

last pair of bytes in the left half of the block

are XORed to the right half of the block in its present state.

Then, another four tiny Feistel rounds with a byte interchange in the middle.

● the one from the first nybble of the byte generated from the third pair of bytes in the left half of the block

● the one (with its halves swapped) from the last nybble of the byte generated from the second pair of bytes

in the left half of the block

● the one (rotated 16 bits to the left) from the first nybble of the intermediate result generated from the last

pair of bytes in the left half of the block

● the one (rotated 16 bits to the right) from the second nybble of the intermediate result generated from the

first pair of bytes in the left half of the block

Then, another four tiny Feistel rounds with a byte interchange in the middle.

● the one from the first nybble of the byte generated from the last pair of bytes in the left half of the block

● the one (with its halves swapped) from the last nybble of the byte generated from the first pair of bytes in

the left half of the block

● the one (rotated 16 bits to the left) from the first nybble of the intermediate result generated from the third

pair of bytes in the left half of the block

● the one (rotated 16 bits to the right) from the second nybble of the intermediate result generated from the

second pair of bytes in the left half of the block

And now, two tiny Feistel rounds are applied to each pair of bytes in the right half of the block. Finally, the bytes

are interchanged as follows:

1 3 5 7 2 4 6 8

This final interchange sorts the odd and even bytes into groups, so that pairs will later be made on a different

basis.

The key material used during encipherment consists of a 512 byte key-dependent S-box S2, and 288 bytes of

subkey material.

● The key is split into two parts, the first having one byte less than half the bytes in the key, and the second

having the remaining bytes.

● Bytes of subkey material are alternately filled from each half of the key.

● Each time one returns to the first byte of a part of the key, after using the last byte previously, one adds 1

to a constant (initially zero) which is added to each byte as it is taken.

100 080 020 140 120

161 120 002 101 202 081 162 021

003 141...

Using this initial subkey material, a block is enciphered consisting of the first sixteen bytes of the key, or, if the

key is shorter than sixteen bytes, the key followed by the key with each byte XORed with 1, followed by the key

XORed with 2 if necessary, all the bytes then replaced with their substitutes in S-box S1.

Each round of encipherment produces eight 64-bit intermediate results: an intermediate result is obtained by

taking the current value of the right half of the block after each pair of tiny Feistel rounds, except that in the case

of those rounds followed by XORing in S-box S2 entries, the intermediate value is taken after that XOR.

After each round is completed, and five rounds are performed, rather than the four used for normal encipherment,

the fifth using the same subkeys as the first, the intermediate results are used to modify the subkeys.

The first 36 of the 40 intermediate results generated are XORed with the subkey material, in the following order:

1 K1 K2 ... K8

2 K73 K74 ... K80

3 K145 K146 ... K152

4 K217 K218 ... K224

5 K9 K10 ... K16

6 K81 K82 ... K88

...

36 K281 K282 ... K288

In addition, each byte of all but the first eight intermediate results (leaving the last 32 intermediate results, which

amount to 256 bytes) is used to modify the 512-byte S-box S2, as follows:

● The S-box S2 is to be considered as consisting of two halves, each 256 bytes in length, called H0 and H1.

H0(n) is the (n+1)th byte of H0; that is, H0(0) is the first byte of H0.

● Let the byte being used to modify the S-box have the value X.

● Let a counter, initially equal to 0, and increasing by 1 each time be noted by N. This counter will run from

0 to 255 as the process below takes place.

● Let W=N xor X.

● Let P=H0(W) xor X and Q=H1(W) xor X

● In all cases, first modify H1(P) by XORing it with H0(P) and with X, then modify H0(Q) by XORing it

with H1(Q) and with X.

● Modify H0(X) by XORing it with Q and with W, and modify H1(X) by XORing it with P and with W.

● If N and X are not equal, swap H0(N), H0(X), H1(N), and H1(X) as follows: H0(N) is replaced by H0(X),

which is replaced by H1(N), which is replaced by H1(X), which is replaced by the former value of H0(N).

Variations

If one wishes to use Quadibloc V with eight rounds, then the key augmentation step of the key schedule is

modified as follows:

The encipherment step used to generate intermediate results now runs for nine rounds. All intermediate results

are used to XOR with subkey bytes, and the order is similar to that for the four-round version: first, an XOR is

done to the first eight bytes in each of the eight rounds, then the next eight bytes in each of the eight rounds. The

ninth round uses the subkeys for the first round.

The last 512 bytes so generated, which involve all but the first eight intermediate results, are used to carry out the

modification of the S-box S2, but this time twice.

With sixteen rounds, the key augmentation step will involve encipherment with eighteen rounds, the last two

using the subkeys of the first two rounds. Again, all intermediate results are used to XOR with subkey bytes. The

last 1024 bytes generated, which exclude the first sixteen intermediate results (or those from the first two rounds)

are used to modify S-box S2 four times.

Next

Start of Section

Skip to Next Chapter

Table of Contents

Main Page

Home Page

[Next] [Up] [Previous] [Index]

Quadibloc VI

Quadibloc VI attempts to achieve the attractive characteristics of Quadibloc III, but with fewer rounds. The main intention in the design of Quadibloc VI is to

make a block cipher that has the advantages of a stream cipher.

A typical block cipher subjects each block of data it enciphers to a series of manipulations, with the only variation in these manipulations due to the variable and

secret key being that the data, while being manipulated, occasionally has subkey material XORed to it. Perhaps addition will also be used.

A stream cipher can resist analysis by applying different key material to the encipherment of each byte or block it encounters.

Thus, the Mishmash encipherment method used within Quadibloc III imitates a stream cipher, by choosing subkeys from a pool to encipher one half of a block, the

choice being determined by the other half of the block. This principle is employed here as well, but with a simpler structure.

Quadibloc VI uses the same fixed S-boxes S1 and S2 derived from Euler's constant as QUADIBLOC and other ciphers in the Quadibloc series, whose contents

have been listed in previous sections.

Description of Mixing/Whitening

The first step in encipherment, when a 128-bit block is submitted to Quadibloc VI, is to ensure that every bit in the block affects, or potentially affects, every bit in

every other block, through a short series of mixing and whitening transformations, as shown in the diagram below:

First, the bytes, by pairs, go through four mini-Feistel rounds, using the key-dependent S-box S8 as the f-function.

Then, using 64-bit subkey LK1, the two halves of the block have selected corresponding bits swapped, in the manner originated by the block cipher ICE.

Then, to bring bytes that have not yet influenced each other into contact, the bytes are transposed so that after transposition, the bytes in order came from the

following positions, from 1 to 16, as indicated by the numbers below:

1 13 2 14 3 15 4 16 5 9 6 10 7 11 8 12

Once this is done, another four mini-Feistel rounds with the key-dependent S-box S8 used as the f-function are performed on adjacent pairs of bytes.

Then, once again bytes are moved to bring bytes that had not affected one another into contact. As a possible transposition to do so here is the one used previously,

it is applied once again.

Then, a completely unkeyed step is used for the final merging of bytes, a set of Pseudo-Hadamard Transforms applied to pairs of bytes.

Finally, the bytes in the block are transposed according to a key-dependent byte transposition derived from the contents of key-dependent S-box S8.

In a regular round of Quadibloc VI, the leftmost six bytes of the block are enciphered by means of two rounds of the GoodStuff method, which proceeds as follows:

Using four eight-bit subkeys (derived from a single 32-bit subkey), four Feistel rounds are used to encipher a 16-bit subblock; in the first round, the right half is

XORed with the first subkey, then replaced through S8, then added to the left half. The direction of the f-function alternates from right to left to left to right, and in

the two outer rounds, the subkey is XORed and the f-function output added, and in the two inner rounds, the subkey is added and the f-function output XORed.

The four intermediate results of the f-functions, derived before S8 substitution, are used to index into the fixed S-box S2. The S-box outputs are used to form a 32-

bit word consisting of the first nibbles of the four substituted results in order, then the second nibbles. (Since, looking sideways, the bottom, rather than the top, of

the previous four rounds are to the left, the diagram shows that the order needs to be reversed when drawing a left-to-right round of this cipher, by means of a twist

upon entry and exit from the horizontal Feistel rounds.)

The resulting 32-bit word is then itself enciphered by four Feistel rounds of a cipher which, like Blowfish, uses wide key-dependent S-boxes in the f-function.

Here, four 16-bit subkeys are used, and so they are derived from two 32-bit regular subkeys.

The final interchange is not omitted, or the rounds can be thought of, as they are drawn, in in-place format, and the first round goes from right to left (or, in the

diagram, top to bottom).

The following diagram illustrates the operations that take place during a regular round of Quadibloc VI upon the leftmost eight bytes of the block:

The first six bytes are subjected to encipherment according to the GoodStuff algorithm, first in one direction, and then in another.

The final f-function outputs in the Feistel rounds applied to the 32 bit quantity that serves as subkeys for the 16-bit Feistel rounds in each of the GoodStuff

encipherments are XORed to the last two of the first eight bytes. Before, between, and after these XORs, those two bytes are modified using the same type of mini-

Feistel round as was used in the initial mixing/whitening phase.

Note that the first and last f-function (or S-box S8) outputs are XORed together to produce one byte of output.

This byte is used to control the encipherment of the other half of the block, which is enciphered using the modification of the original QUADIBLOC round used in

Quadibloc S, to be described in the next section. A Quadibloc S round is illustrated below:

The single byte of output has 256 possible values. 7 times 6 times 5 is 210, which is less than 256, therefore this byte can be used to choose three distinct subkeys

from a pool of seven subkeys to be used as the three subkeys for the Quadibloc S round.

After the first three regular Quadibloc IV rounds in a group of four, the bytes are interchanged according to the following pattern, where each number denotes the

position of a byte in the source to the permutation, the numbers being in the order of the bytes upon] output:

3 4 5 6 7 8 1 2 13 14 15 16 9 10 11 12

The intent of this is to have the two bytes in the first half which are enciphered differently take on four different values, while the halves of the second half are

swapped each time.

After every group of four regular Quadibloc IV rounds except the last four, the halves of the block are swapped.

It is assumed that a mere eight rounds of Quadibloc IV will suffice. At least sixteen rounds, however, would be absolutely required were it not for the initial

mixing and whitening rounds. This is because four rounds are, in a sense, really only one round.

Finally, using 64-bit subkey LK2, the operations of the mixing/whitening rounds are performed in reverse order. The Pseudo-Hadamard Transform is replaced by

its inverse, and so are the two fixed byte permutations. But the groups of four mini-Feistel rounds stay the same (instead of being inversed by having left and right

bytes switched), and the ICE-style swap is its own inverse.

The steps involved in the final mixing/whitening step may be made clearer by this diagram:

Although, when compared with the method for generating the key schedule for Quadibloc II and Quadibloc III, many shortcuts are taken in the method used for

Quadibloc VI, it will be seen that key generation for Quadibloc VI is still long and complicated.

Quadibloc VI with eight regular rounds uses the following subkey material:

● Eighty 32-bit subkeys, designated K1 through K80, ten of which are used for each regular round which contains two rounds of GoodStuff encipherment;

● Eight banks of seven 32-bit subkeys used in the Quadibloc S type rounds which are applied to the right half of the block, which may be designated V1

through V56;

● The key-dependent S-boxes S10 and S11, each of which contains 256 random 16-bit entries;

● Two 64-bit subkeys, LK1 and LK2;

● The key-dependent S-box S8, which contains the bytes 0 to 255 in random order;

● A key-dependent table with 256 entries, each entry being a triple of three distinct integers from 1 to 7, which will contain all 210 possible arrangements

once, and 46 of those arrangements twice, for use in selecting subkeys from the subkey pool for the Quadibloc S type rounds applied to the right half of the

block.

For what follows, the first three items in the list above are to be considered to be stored in order contiguously in memory.

that is, repeat the key, following it each time by a series of bytes with successive values that is one byte longer.

Then generate initial values for subkeys K1 through K80, pooled subkeys V1 through V56, and the contents of key-dependent S-box S10 (as well as an initial

value for key-dependent S-box S8) by generating 1056 bytes

320 + 224 + 512 = 1056 )

through the following procedure: take a copy of the key, and appended to that copy, after its last byte, is a byte equal to the inverse, the bitwise negation, or one's

complement, of the XOR of all the bytes of the original key. This ensures the key as expanded does not consist entirely of zeroes.

Bytes are then generated from the key by chain addition. This means that a byte is generated as follows: the sum, modulo 256, of the first two bytes of the key is

the generated result; and it is also appended to the end of the key, whose first byte is then removed. (Note that the cipher itself uses XOR only, and not addition

modulo 256.)

The method of producing subkey bytes is a degenerate form of the MacLaren-Marsaglia generator. An array with 256 byte positions, called A(0) to A(255), is

filled by generating 256 bytes by means of chain addition.

The initial value for the key-dependent S-box S8 is generated concurrently with subkey generation by means of the use of two additional arrays, B(0) to B(255)

and C(0) to C(255).

These two arrays are initialized so that B(0) contains 0, B(1) contains 1, and so on, and C also contains the 255 byte values in order as well.

Then, each time a value is stored in a location of A, both the 256 initial values, and the value stored in A(q) each time a subkey byte is generated, the following

procedure is performed:

Let p be the value being stored in the array A, and let q be the index in A of where it is being stored.

Otherwise:

Swap element q and element C(p) of array B. (Element C(p) of array B will equal p.)

Store q in C(p) (since B(q) now has p stored in it), and store w in C(v) (since our swap placed v, the former value of B(q), in B(w) which originally contained p).

Once all the subkeys are generated, starting from the first (most significant) byte of subkey 1, and ending with the last (least significant) byte of subkey 12, the

contents of the array B are used as the key-dependent S-box.

Once these portions of the required subkey material have inital values assigned to them (LK1 and LK2, as well as the table used to choose subkey pool values for

the Quadibloc S part of a round are still empty), we will encipher the contents of S-box S11 as follows:

Four entries in S-box S11, or eight bytes, will be enciphered at a time. Using the initial values of S8 and S10, and the value of S11 upon entry to the encipherment

of four more entries in it, the encipherment of the right half of the block during a regular Quadibloc VI round will be performed, with the following subkeys:

used enciphered

K11 to K20 S11(4) to S11(7)

...

K71 to K80 S11(28) to S11(31)

V1 to V10 S11(32) to S11(35)

...

V41 to V50 S11(48) to S11(51)

V51 to V56,

S10(0) to S10(7) S11(52) to S11(55)

S10(8) to S10(27) S11(56) to S11(59)

S10(28) to S10(47) S11(60) to S11(63)

...

S10(108) to S10(127) S11(76) to S11(79)

After the first encipherment, the entries in S11 to be enciphered will first be XORed with the result of the previous encipherment, after that result has been rotated

left by two bytes.

Then, the first 80 (16-bit) entries in S11 are swapped with the first 40 (32-bit) subkeys for GoodStuff encipherment.

Starting with the first byte in K41, and continuing to the last byte in S11(255), each byte in this contiguous array of subkey material except for the first 40

GoodStuff subkeys is now modified as follows:

Byte(n-1) XOR

S8( Byte(n-158) + Byte(n-160) )

Next, the second 80 entries in S11 are enciphered, S11(80) through S11(159), two at a time, using the left half of a regular Quadibloc VI round as above, once

again using the subkeys in the order above for the encipherment, starting with subkeys K1 through K10, and are swapped after encipherment with the second group

of 40 subkeys for GoodStuff encipherment.

Once again, after the first encipherment in this group of encipherments, the entries in S11 to be enciphered will first be XORed with the result of the previous

encipherment, after that result has been rotated left by two bytes.

Then, the last 112 entries in S11, S11(144) through S11(255), are enciphered by the same method, and are afterwards swapped with V1 through V56. This time,

the subkey material used will extend into the start of S11, as illustrated by the table below:

used enciphered

K11 to K20 S11(148) to S11(151)

...

K71 to K80 S11(172) to S11(175)

V1 to V10 S11(176) to S11(179)

...

V41 to V50 S11(192) to S11(195)

V51 to V56,

S10(0) to S10(7) S11(106) to S11(199)

S10(8) to S10(27) S11(200) to S11(203)

S10(28) to S10(47) S11(204) to S11(207)

...

S10(108) to S10(127) S11(220) to S11(223)

...

S10(208) to S10(227) S11(240) to S11(243)

S10(228) to S10(247) S11(244) to S11(247)

S10(248) to S10(255),

S11(0) to S11(11) S11(248) to S11(251)

S11(12) to S11(32) S11(252) to S11(255)

And again, after the first encipherment in this final group of encipherments, the entries in S11 to be enciphered will first be XORed with the result of the previous

encipherment, after that result has been rotated left by two bytes.

Starting with the first byte in S10(0), and continuing to the last byte in S11(255), the bytes in the array of subkey material are modified, possibly repeatedly, by the

formula:

Byte(n-1) XOR

S2( Byte(n-542) + Byte(n-544) )

where the values n-542 and n-544 begin, on the first pass, as pointing into K1 to K80, and then V1 to V56, but afterwards are confined to the area from the start of

S10 to the end of S11. As this process is performed when the final value of S8 is produced, the fixed S-box S2 is now used.

The old value of Byte(n) is made available to other subkey generation processes, specifically the generation of the control table for Quadibloc S-type subkeys and

of the final value of S8, and this process is repeated only as many times as these processes require input.

First, an array is filled with the first 46 numbers from 0 to 219 in the initial value of S8, followed by the numbers 0 to 219 in order.

Then, a permutation is produced from several blocks of 256 values generated as old Byte(n) values from the shift-register process above applied to the area from

V1 to S11(255), utilizing the following procedure (as seen in Quadibloc II and Quadibloc III):

● Each permutation is generated by the use of either 512, or, under some rare circumstances, only 256, bytes.

● A permutation is generated as follows:

❍ Begin with three arrays of 256 numbers, the first of which is filled with the numbers from 0 to 255 in order. The arrays must also be able to hold the

value -1. The second and third arrays are filled with -1.

❍ For each byte used: let the value of the byte be called N, and let I be a counter which starts at 0 for the first byte, incrementing with each byte used,

❍ Then, for each byte:

■ If element N of the first array is not -1, set element N of the first array to -1, and set element I of the second array to N.

■ Otherwise, store N in the first unused position (the first position containing -1) in the third array.

❍ Once this has been done, if the third array contains any numbers other than -1, proceed as follows:

❍ If there is only one filled (not equal to -1) element in the third array, then there is only one remaining element in the first array, and one element of

the second array equal to -1, so fill the second array with the one available byte, and finish.

❍ If there are only two filled elements in the third array, take the least significant bit of the first filled element. If it is zero, fill the -1 elements of the

second array with the remaining elements of the first array in order; if it is one, do so in reverse order, and finish.

❍ If there are less than 256 filled elements in the third array, repeat them over and over to fill the array. Then, take an additional 256 input bytes (thus,

512 bytes are used except when the first 256 bytes contain two or fewer duplicate bytes) and XOR them with the bytes of the third array.

❍ Now, use the third array to complete the second array by doing the following for II from 0 to 255:

■Let the value of element II of the third array be XX.

■Swap elements II and XX of the first array.

❍ Then, scan through the second array. When an element of the second array is -1, fill it with the corresponding element of the first array (if it is not

also -1) and set that element of the first array to -1.

❍ If there are any -1 elements left in the second array, fill them with the elements of the first array that are not -1 in order.

● When this procedure is completed, the contents of the second array are the desired permutation.

Once the permutation is generated, replace every element in it as follows: if the value of that element is N, replace it with element N of the array filled, based on

the initial value of S8, with numbers from 0 to 209, 46 of them twice.

These numbers from 0 to 209 then need to be converted to triples used for selecting subkeys from a group of seven subkeys in the V1 to V56 group. The numbers

from 0 to 34 will be considered to represent triples of distinct numbers in ascending order in numerical order:

0 1 2 3 7 1 3 6 14 1 6 7 21 2 4 7 28 3 5 6

1 1 2 4 8 1 3 7 15 2 3 4 22 2 5 6 29 3 5 7

2 1 2 5 9 1 4 5 16 2 3 5 23 2 5 7 30 3 6 7

3 1 2 6 10 1 4 6 17 2 3 6 24 2 6 7 31 4 5 6

4 1 2 7 11 1 4 7 18 2 3 7 25 3 4 5 32 4 5 7

5 1 3 4 12 1 5 6 19 2 4 5 26 3 4 6 33 4 6 7

6 1 3 5 13 1 5 7 20 2 4 6 27 3 4 7 34 5 6 7

and then this sequence is repeated but with the three elements in each of the other five of the six possible orders to make all 210 combinations:

0 1 2 3 1 1 2 4 ... 34 5 6 7

35 1 3 2 36 1 4 2 ... 69 5 7 6

70 2 1 3 71 2 1 4 ... 104 6 5 7

105 2 3 1 106 2 4 1 ... 139 6 7 5

140 3 1 2 141 4 1 2 ... 174 7 5 6

175 3 2 1 176 4 2 1 ... 209 7 6 5

Now, generate another permutation by the method above. Then, the final value of S8 is produced as follows: for i from 0 to 255, let N equal element i of the old

value of S8, and set element N of the final value of S8 (stored in another array) to be element i of this permutation.

Finally, using our shift register method as applied to V1 through S11(255), acquire sixteen more bytes by replacing their old values with new ones; the old values

taken will be LK1 and LK2.

The key-dependent byte permutations used between the mixing/whitening rounds and the regular rounds are generated as follows:

The one performed after the first mixing/whitening round is obtained by taking the bytes in the final form of S-box S8 of the form 0x, and using their least

significant nibbles to indicate which position each byte of the block will be moved to. This is the dispatch form of the permutation, which is the opposite of the one

used to describe bit and byte transpositions in the description of the Quadibloc ciphers. The one performed after the regular rounds is generated from the bytes of

the form 8x, but is in fetch form, the least significant nibble of each of these bytes indicating the source from which each byte of the result is obtained.

Variations of Quadibloc VI

Although Quadibloc VI would absolutely need sixteen rounds if the mixing/whitening stages were absent, that does not mean that sixteen rounds are not a good

idea in any case. With sixteen rounds, the required key material consists of:

● One hundred and sixty 32-bit subkeys, designated K1 through K160, ten of which are used for each regular round which contains two rounds of GoodStuff

encipherment;

● Sixteen banks of seven 32-bit subkeys used in the Quadibloc S type rounds which are applied to the right half of the block, which may be designated V1

through V112;

● The key-dependent S-boxes S10 and S11, each of which contains 256 random 16-bit entries;

● Two 64-bit subkeys, LK1 and LK2;

● The key-dependent S-box S8, which contains the bytes 0 to 255 in random order;

● A key-dependent table with 256 entries, each entry being a triple of three distinct integers from 1 to 7, which will contain all 210 possible arrangements

once, and 46 of those arrangements twice, for use in selecting subkeys from the subkey pool for the Quadibloc S type rounds applied to the right half of the

block.

The key generation process closely parallels that for eight rounds, with small changes as follows:

that is, repeat the key, following it each time by a series of bytes with successive values that is one byte longer.

Then generate initial values for subkeys K1 through K160, pooled subkeys V1 through V112, and the contents of key-dependent S-box S10 (as well as an initial

value for key-dependent S-box S8) by generating 1376 bytes

640 + 224 + 512 = 1376 )

through the degenerate MacLaren-Marsaglia procedure from Quadibloc S, and the permutation generated as its side effect is the initial value for S-box S8.

Once these portions of the required subkey material have inital values assigned to them (LK1 and LK2, as well as the table used to choose subkey pool values for

the Quadibloc S part of a round are still empty), we will encipher the contents of S-box S11 as follows:

Four entries in S-box S11, or eight bytes, will be enciphered at a time. Using the initial values of S8 and S10, and the value of S11 upon entry to the encipherment

of four more entries in it, the encipherment of the right half of the block during a regular Quadibloc VI round will be performed, with the following subkeys:

used enciphered

K11 to K20 S11(4) to S11(7)

...

K151 to K160 S11(60) to S11(63)

V1 to V10 S11(64) to S11(67)

...

V101 to V110 S11(104) to S11(107)

V111 to V112,

S10(0) to S10(15) S11(108) to S11(111)

S10(16) to S10(35) S11(112) to S11(115)

S10(36) to S10(55) S11(116) to S11(119)

...

S10(236) to S10(255) S11(156) to S11(159)

After the first encipherment, the entries in S11 to be enciphered will first be XORed with the result of the previous encipherment, after that result has been rotated

left by two bytes.

Then, the first 160 (16-bit) entries in S11 are swapped with the first 80 (32-bit) subkeys for GoodStuff encipherment.

Starting with the first byte in K81, and continuing to the last byte in S11(255), each byte in this contiguous array of subkey material except for the first 80

GoodStuff subkeys is now modified as follows:

Byte(n-1) XOR

S8( Byte(n-318) + Byte(n-320) )

Next, entries S11(80) through S11(240) in S11 are enciphered, two at a time, using the left half of a regular Quadibloc VI round as above, once again using the

subkeys in the order above for the encipherment, starting with subkeys K1 through K10, and are swapped after encipherment with the second group of 80 subkeys

for GoodStuff encipherment.

Once again, after the first encipherment in this group of encipherments, the entries in S11 to be enciphered will first be XORed with the result of the previous

encipherment, after that result has been rotated left by two bytes.

Then, the last 224 entries in S11, S11(32) through S11(255), are enciphered by the same method, and are afterwards swapped with V1 through V112. This time,

the subkey material used will extend into the start of S11, as illustrated by the table below:

used enciphered

K11 to K20 S11(36) to S11(39)

...

K151 to K160 S11(92) to S11(95)

V1 to V10 S11(96) to S11(99)

...

V101 to V110 S11(136) to S11(139)

V111 to V112,

S10(0) to S10(15) S11(140) to S11(143)

S10(16) to S10(35) S11(144) to S11(147)

S10(36) to S10(55) S11(148) to S11(151)

...

S10(216) to S10(235) S11(184) to S11(187)

S10(236) to S10(255) S11(188) to S11(191)

S11(0) to S11(19) S11(192) to S11(195)

...

S11(200) to S11(219) S11(232) to S11(235)

At this point, the subkey material required has caught up with the bytes we are attempting to encipher, and so we return to the beginning of the available subkey

material, as follows:

used enciphered

K16 to K25 S11(240) to S11(244)

...

K46 to K55 S11(252) to S11(255)

And again, after the first encipherment in this final group of encipherments, the entries in S11 to be enciphered will first be XORed with the result of the previous

encipherment, after that result has been rotated left by two bytes.

Starting with the first byte in S10(0), and continuing to the last byte in S11(255), the bytes in the array of subkey material are modified, possibly repeatedly, by the

formula:

Byte(n-1) XOR

S2( Byte(n-862) + Byte(n-864) )

where the values n-862 and n-864 begin, on the first pass, as pointing into K1 to K160, and then V1 to V112, but afterwards are confined to the area from the start

of S10 to the end of S11. As this process is performed when the final value of S8 is produced, the fixed S-box S2 is now used.

The old value of Byte(n) is made available to other subkey generation processes, specifically the generation of the control table for Quadibloc S-type subkeys and

of the final value of S8, and this process is repeated only as many times as these processes require input.

First, an array is filled with the first 46 numbers from 0 to 219 in the initial value of S8, followed by the numbers 0 to 219 in order.

Then, a permutation is produced from several blocks of 256 values generated as old Byte(n) values from the shift-register process above applied to the area from

V1 to S11(255), utilizing the procedure for generating permutations from Quadibloc II and Quadibloc III.

Once the permutation is generated, replace every element in it as follows: if the value of that element is N, replace it with element N of the array filled, based on

the initial value of S8, with numbers from 0 to 209, 46 of them twice.

These numbers from 0 to 209 then need to be converted to triples used for selecting subkeys from a group of seven subkeys in the V1 to V56 group.

Now, generate another permutation by the method above. Then, the final value of S8 is produced as follows: for i from 0 to 255, let N equal element i of the old

value of S8, and set element N of the final value of S8 (stored in another array) to be element i of this permutation.

Finally, using our shift register method as applied to V1 through S11(255), acquire sixteen more bytes by replacing their old values with new ones; the old values

taken will be LK1 and LK2.

And hence ends key generation for Quadibloc VI with sixteen rounds.

Next

Start of Section

Skip to Next Chapter

Table of Contents

Main Page

Home Page

[Next] [Up] [Previous] [Index]

Quadibloc S

Quadibloc S is a block cipher with a 64-bit block, based on the original QUADIBLOC, but

including in its f-function one feature from Quadibloc II, while omitting the use of S-box S2

on the half of the block being modified.

The version with four rounds is being specifically proposed here. Since each f-function

involves three table lookups, even this could be considered to be comparable, at least in the

time taken, to 12-round DES. That means that six rounds (comparable to 18) would be

acceptably fast: but the four round version is being considered specifically to examine what

sort of cryptanalytic attacks are possible.

It may be that Quadibloc S with eight rounds, except for the fact of a 64-bit block size, would

be secure enough for actual use. Certainly, it should be secure with sixteen rounds, being

comparable to original QUADIBLOC. Also, a key schedule is used that should be more secure

than that of the original QUADIBLOC, but much less complicated than that of Quadibloc II.

The Rounds

A copy of the right half, which will actually be unchanged by this round, is taken.

The copy is XORed with the round's first subkey (subkey 1 for round 1, subkey 4 for round 2,

to subkey 10 for round 4).

Then, each byte is replaced by its substitute in S-box 1, whose contents are given in the section

on Euler's Constant and the Quadibloc S-Boxes.

The bits of the result, considered to be numbered from 1 (most significant bit of the first,

leftmost byte) to 32 (least significant bit of the last, rightmost byte) following the pattern in

DES, are to be transposed so that these bits are then in the order below, still labelled with their

previous positions:

1 2 27 28 21 22 15 16

9 10 3 4 29 30 23 24

17 18 11 12 5 6 31 32

25 26 19 20 13 14 7 8

The result is then XORed with the second subkey for the round. Then, S-box S1 and the bit

transposition are applied again, and the result of that is XORed with the third subkey for the

round.

Then, the four bytes of the result are replaced with their substitutes in a key-dependent S-box.

This produces the final result, which is XORed with the left half of the block. This change to

the value of the block is the end product of the round. Finally, in all rounds but the last one, the

two halves of the block are swapped.

The first step of key generation is this: appended to the key, after its last byte, is a byte equal to

the inverse, the bitwise negation, or one's complement, of the XOR of all the bytes of the

original key. This ensures the key as expanded does not consist entirely of zeroes.

Bytes are then generated from the key by chain addition. This means that a byte is generated as

follows: the sum, modulo 256, of the first two bytes of the key is the generated result; and it is

also appended to the end of the key, whose first byte is then removed. (Note that the cipher

itself uses XOR only, and not addition modulo 256.)

The method of producing subkey bytes is a degenerate form of the MacLaren-Marsaglia

generator. An array with 256 byte positions, called A(0) to A(255), is filled by generating 256

bytes by means of chain addition.

The key-dependent S-box is generated concurrently with subkey generation. Two additional

arrays, B(0) to B(255) and C(0) to C(255), are used in this process.

These two arrays are initialized so that B(0) contains 0, B(1) contains 1, and so on, and C also

contains the 255 byte values in order as well.

Then, each time a value is stored in a location of A, both the 256 initial values, and the value

stored in A(q) each time a subkey byte is generated, the following procedure is performed:

Let p be the value being stored in the array A, and let q be the index in A of where it is being

stored.

Otherwise:

Swap element q and element C(p) of array B. (Element C(p) of array B will equal p.)

Store q in C(p) (since B(q) now has p stored in it), and store w in C(v) (since our swap placed

v, the former value of B(q), in B(w) which originally contained p).

Once all the subkeys are generated, starting from the first (most significant) byte of subkey 1,

and ending with the last (least significant) byte of subkey 12, the contents of the array B are

used as the key-dependent S-box.

Test Vectors

The following is output from a short BASIC program which implements four-round Quadibloc

S.

Keys and the block are shown as sequences of bytes, from first to last, represented as decimal

numbers from 0 to 255, for simplicity in programming.

1 ) 98 96 250 128

2 ) 239 154 244 76

3 ) 131 160 14 28

4 ) 0 255 116 10

5 ) 215 163 226 153

6 ) 64 16 220 185

7 ) 239 162 182 164

8 ) 127 62 65 112

9 ) 102 221 47 175

10 ) 0 0 255 159

11 ) 21 0 136 184

12 ) 241 165 38 64

255 63 67 102 181 6 238 9

231 139 89 59 13 253 208 134

66 250 230 254 241 22 246 118

75 170 236 240 200 234 195 148

46 7 74 114 131 50 68 152

92 78 100 202 117 247 227 90

73 141 218 130 164 104 201 179

15 91 228 105 84 190 43 160

21 18 26 232 58 251 83 166

169 226 199 119 177 115 244 77

111 162 137 204 8 248 189 154

38 159 187 225 132 71 39 161

165 198 217 125 110 194 41 155

11 153 51 35 86 25 184 72

252 135 101 211 235 85 23 203

167 242 5 168 120 133 172 124

31 213 107 109 223 140 149 147

122 47 245 49 20 69 237 150

210 174 196 197 138 145 193 54

206 82 99 81 17 129 126 30

188 29 171 96 144 1 128 37

123 176 14 10 143 151 219 3

142 79 16 60 45 221 182 209

76 183 34 94 27 93 70 175

121 65 61 156 19 186 173 28

214 205 103 229 2 192 52 88

56 215 108 220 157 55 243 136

44 207 42 113 180 116 249 32

33 98 106 158 212 222 163 146

185 178 112 53 4 36 62 95

57 12 87 233 239 97 127 40

216 80 224 64 24 0 48 191

0 0 0 0 0 0 0 0

98 96 250 128

Right half after first S/P stage:

42 72 142 117

Right half after second subkey is:

197 210 122 57

Right half after second S/P stage:

174 235 31 169

Right half after third subkey is:

45 75 17 181

f-function output:

247 119 250 221

Block after round 1 is:

0 0 0 0 247 119 250 221

Right half after first subkey is:

247 136 142 215

Right half after first S/P stage:

250 22 190 199

Right half after second subkey is:

45 181 92 94

Right half after second S/P stage:

43 0 180 25

Right half after third subkey is:

107 16 104 160

f-function output:

35 66 11 188

Block after round 2 is:

247 119 250 221 35 66 11 188

204 224 189 24

Right half after first S/P stage:

55 146 122 31

Right half after second subkey is:

72 172 59 111

Right half after second S/P stage:

150 191 152 23

Right half after third subkey is:

240 98 183 184

f-function output:

57 217 209 76

Block after round 3 is:

35 66 11 188 206 174 43 145

206 174 212 14

Right half after first S/P stage:

32 81 143 194

Right half after second subkey is:

53 81 7 122

Right half after second S/P stage:

110 12 227 37

Right half after third subkey is:

159 169 197 101

f-function output:

30 176 186 194

Enciphered block is:

61 242 177 126 206 174 43 145

64-bit block

0000000000000000000000000000000000000000000000000000000000000001

0 0 0 0 0 0 0 1

98 96 250 129

Right half after first S/P stage:

26 64 140 245

Right half after second subkey is:

245 218 120 185

Right half after second S/P stage:

154 185 226 46

Right half after third subkey is:

25 25 236 50

f-function output:

170 170 4 218

Block after round 1 is:

0 0 0 1 170 170 4 218

170 85 112 208

Right half after first S/P stage:

52 64 47 151

Right half after second subkey is:

227 227 205 14

Right half after second S/P stage:

39 0 195 243

Right half after third subkey is:

103 16 31 74

f-function output:

155 66 148 199

Block after round 2 is:

170 170 4 218 155 66 148 198

116 224 34 98

Right half after first S/P stage:

79 157 125 61

Right half after second subkey is:

48 163 60 77

Right half after second S/P stage:

27 65 178 232

Right half after third subkey is:

125 156 157 71

f-function output:

133 17 129 166

Block after round 3 is:

155 66 148 198 47 187 133 124

47 187 122 227

Right half after first S/P stage:

140 227 55 41

Right half after second subkey is:

153 227 191 145

Right half after second S/P stage:

215 41 195 194

Right half after third subkey is:

38 140 229 130

f-function output:

68 20 222 107

Enciphered block is:

223 86 74 173 47 187 133 124

00000000000000000000000000000001

1 ) 113 110 181 254

2 ) 123 250 8 142

3 ) 80 161 177 11

4 ) 56 251 144 61

5 ) 73 225 29 205

6 ) 181 16 190 1

7 ) 123 179 56 142

8 ) 222 26 255 191

9 ) 67 237 3 76

10 ) 242 175 217 77

11 ) 0 27 125 190

12 ) 222 139 114 248

15 5 43 125 188 7 209 68

60 63 193 19 221 102 40 2

175 150 159 85 70 146 184 251

151 246 232 104 26 87 157 34

233 243 215 203 95 162 59 56

136 211 164 208 52 0 16 244

35 4 140 99 69 235 30 107

90 138 72 122 117 212 36 83

88 191 49 134 121 183 42 75

222 169 39 163 119 135 62 132

155 128 67 118 80 82 130 247

3 120 139 194 133 160 105 181

1 97 223 57 214 170 110 17

6 154 248 114 38 230 24 237

148 255 54 89 166 147 53 115

204 20 200 219 64 210 152 71

224 182 174 93 185 220 201 250

149 37 179 171 143 186 156 41

58 73 196 234 161 131 213 86

92 245 207 11 231 81 45 153

189 98 126 55 218 195 27 238

112 44 65 111 100 48 18 167

12 10 29 124 47 91 101 226

46 216 252 253 78 206 198 187

144 22 127 173 108 199 14 165

229 239 61 141 9 76 28 225

113 142 84 177 241 197 94 236

137 116 217 66 109 31 190 129

254 106 240 79 202 25 180 178

50 33 205 13 228 21 176 51

74 249 123 227 242 172 145 168

96 192 77 23 8 32 158 103

0 0 0 0 0 0 0 0

113 110 181 254

Right half after first S/P stage:

171 207 58 116

Right half after second subkey is:

208 53 50 250

Right half after second S/P stage:

181 120 192 147

Right half after third subkey is:

229 217 113 152

f-function output:

25 116 255 92

Block after round 1 is:

0 0 0 0 25 116 255 92

33 143 111 97

Right half after first S/P stage:

109 240 44 94

Right half after second subkey is:

36 17 49 147

Right half after second S/P stage:

158 76 216 205

Right half after third subkey is:

43 92 102 204

f-function output:

208 133 110 9

Block after round 2 is:

25 116 255 92 208 133 110 9

171 54 86 135

Right half after first S/P stage:

238 34 203 94

Right half after second subkey is:

48 56 52 225

Right half after second S/P stage:

50 141 65 164

Right half after third subkey is:

113 96 66 232

f-function output:

255 1 49 50

Block after round 3 is:

208 133 110 9 230 117 206 110

20 218 23 35

Right half after first S/P stage:

130 158 232 13

Right half after second subkey is:

130 133 149 179

Right half after second S/P stage:

14 74 147 130

Right half after third subkey is:

208 193 225 122

f-function output:

113 22 106 200

Enciphered block is:

161 147 4 193 230 117 206 110

Next

Start of Section

Skip to Next Section

Skip to Next Chapter

Table of Contents

Main Page

[Next] [Up] [Previous] [Index]

Quadibloc VII

Quadibloc VII is an attempt to embody the principles found in the Large-Key

Brainstorm within the compass of a block cipher.

● Two S-boxes, each containing 256 entries, each entry being 16 bits in length;

(1024 bytes)

● Thirty-two subkeys, four for each of eight rounds, each 16 bits in length; (64

bytes)

● Ninety-six subkey pools, each one containing 16 subkeys, each subkey being 16

bits in length, (3072 bytes)

The Rounds

In Quadibloc VII, the 128-bit block is divided into four quarters, of 32 bits each, each

of which is further divided into two 16-bit halves. Each round of Quadibloc VII

consists of four Feistel rounds performed on each of these pairs of 16-bit halves.

The XOR of the two halves of the first 32-bit quarter after two Feistel rounds is used to

control, for each of the four Feistel rounds performed on the next quarter, which of

sixteen possible subkeys are used.

After every odd-numbered round, the eight 16-bit subblocks are permuted to the

following order (expressed in terms of a list of the sources of the subblocks after the

permutation):

7 6 1 8 3 2 5 4

thus, the left halves move to the next later quarter, and the right halves move to the

corresponding position in the other half of the entire block.

After every even-numbered round except the last, the eight 16-bit subblocks are

permuted to the following order (expressed in terms of a list of the sources of the

subblocks after the permutation):

7 4 1 6 3 8 5 2

thus, the left halves move to the next later quarter, and the right halves move to the

next earlier quarter.

This diagram illustrates, by color-coding, how the pieces of the block move during the

8 rounds of Quadibloc VII:

(1) [2] 3 4 5 6 7 8

7 6 (1) 8 3 [2] 5 4

5 8 7 [2] (1) 4 3 6

3 4 5 6 7 8 (1) [2]

(1) 6 3 8 5 [2] 7 4

7 2 (1) 4 3 6 5 8

5 4 7 6 (1) 8 3 [2]

3 8 5 [2] 7 4 (1) 6

The paths of the first left half and the first right half are indicated by brackets. Note that

the first left half, 1, is enciphered:

2 1, 4

4 3, 6

6 5, 8

8 7, 2

thus ensuring that the blocks affect the other blocks by being enciphered with them in

the small Feistel rounds, in addition to affecting them by modifying their encipherment

through the use of the subkey pools.

The f-function is merely the XOR of the value in S10 indexed by the leftmost half of

the input with the value in S11 indexed by the rightmost half of the input.

While the round structure of Quadibloc VII is impressive, as is to be expected given the

large amount of subkey material it consumes, as there are only two S-boxes in the

cipher, both of them key-dependent, the cipher is still only as good as its key schedule.

Initially, the subkeys will be filled in the following order: first the 96 subkey pools,

then the two S-boxes (first S10, then S11, from entry 0 to entry 255 each), then the 32

fixed subkeys. And they will be initially filled by means of almost the same key

generation method as used in Quadibloc S:

The key is expanded to prevent a key that is long and of all zeroes in whole or in part

from causing poor results as follows: a key of n bytes is expanded to one of 3n+1

bytes, the last byte of which is a byte equal to the inverse, the bitwise negation, or one's

complement, of the XOR of all the bytes of the original n byte key. The first 3n bytes

of the key alternate between a byte from each of the following sources:

● The n bytes of the original key, in order.

● One of the possible byte values, starting from 127, and incrementing by one

each time.

● The bytes of the original key, in reverse order, inverted, and with 1, 2, 3, and so

on added to them.

Thus, if the original key is 0 128 255, after expansion the key becomes 0 127 1 128 128

129 255 129 2 128.

Bytes are then generated from the key by chain addition. This means that a byte is

generated as follows: the sum, modulo 256, of the first two bytes of the key is the

generated result; and it is also appended to the end of the key, whose first byte is then

removed. (Note that the cipher itself uses XOR only, and not addition modulo 256.)

Marsaglia generator. An array with 256 byte positions, called A(0) to A(255), is filled

by generating 256 bytes by means of chain addition.

Once all the subkeys have been filled by this method, the quantity

01F253A435C607F859AA3BCC0DFE5FA0 is to be enciphered with the temporary

subkeys thus calculated, for the first four rounds of a normal Quadibloc VII

encipherment.

This output is now used as the key from which bytes are generated by chain addition. It

is expanded, but not in the same fashion as the original key: it is only doubled in

length, and the bytes of the key alternate with the bytes of the key in reverse order,

inverted (but without anything added to them). Since 32 is not a number of the form 3n

+1 (unlike 16, which is such a number), both keys are ensured to be different in length.

produced by it XORed with the subkey bytes in order.

Next

Start of Section

Skip to Next Chapter

Table of Contents

Main Page

[Next] [Up] [Previous] [Index]

Quadibloc VIII

Quadibloc VIII is a design reminiscent of Quadibloc II and Quadibloc III. With a

simple and uniform round structure, it still attempts to make the algorithm itself, not

just the subkeys applied, variable.

Because of the variability in the algorithm, it is not suited to smart card applications, as

it is not resistant to attacks based on timing or power consumption. Also, there could be

weak keys, both because some keys might cause short sequences in the shift registers

used for producing subkeys, and because some keys might lead to duplicate entries in

S10 and S11. The byte interchange between rounds might be questioned. However, I

am of the opinion that the same factors which seem to contribute these weaknesses also

contribute more in strength than they remove, and that the design prevents potential

weaknesses such as these from being exploitable.

It may be noted that this design has drawn inspiration from many quarters. It uses the

bit swap under mask of ICE, and the XOR with subkeys of the left-hand quarter of

each half was inspired by LOKI-97, as was the manner of minimally alternating

between two S-boxes in the f-function in the left half to avoid a rotational symmetry.

The concept of having initial and final mixing and whitening phases, even though the

phases themselves may not much resemble those of MARS, is due to that cipher, and

the notion of placing the algorithm under the control of the key owes something to

FROG. Using the initial mixing and whitening phases to vary where each bit goes in

the algorithm is somewhat similar to the method used in FROG to achieve algorithmic

variability. The basic regular round structure consists of two Feistel rounds, each one

operating between two quarters of the block within one half of the block; RC6 has a

similar basic round structure, but with one important difference: in RC6, the block,

viewed as LRLR, modifies each R portion based on a function involving both its own

L portion and the other one, so that each R portion depends on both L portions. In

Quadibloc VIII, although the block also has an LRLR form, and the first L portion is

transformed in an invertible manner that depends only on the key (instead of being left

alone as in the original Feistel structure), the first R portion depends only on the first L

portion, while the second R portion depends on both L portions, and even the second L

portion is transformed in a way that depends on the first L portion.

Quadibloc VIII consists of sixteen rounds, with a brief whitening and mixing phase at

the beginning and end of the cipher.

For the purpose of a round, a block is divided into two halves, each half being further

subdivided into two quarters. In each half, the left quarter is used as the input to an f-

function, basically the f-function from Quadibloc S and Quadibloc II and others, and

the output is XORed with the right quarter.

Before and after being used as the input to the f-function, the left quarter is put through

one of two keyed transformations. The same is done with the right quarter before and

after being XORed with the output from the f-function.

The left quarter only, at the beginning and end of the round, is XORed with subkey

material.

For the left half only, an extra output is derived from the calculation of the f-function.

This extra output supplies bits which have a nonlinear effect on transformations applied

to the right quarter of the left half, and to both quarters of the right half.

● The Mixing and Whitening Phase

● The Key Schedule

● The Rationale of the Design

Next

Start of Section

Skip to Next Chapter

Table of Contents

Main Page

[Next] [Up/Previous] [Index]

The basic round of Quadibloc VIII consists of two connected Feistel rounds, each performed on one half of the

block. Every effort has been made to supply a complete description of the algorithm in the text, but reference to

the illustrations may make it easier to understand. Also, if any ambiguity is left, it should be understood that this

cipher was conceptualized according to big-endian conventions; in all cases, the leftmost bits of any byte or word

correspond to its most significant bits when it is considered as a number.

The following diagram illustrates the part of a Quadibloc VIII round that acts on the left half of the block:

The left quarter of the left half of the block is first modified by being XORed with a 32-bit subkey (in the case of

the first round, this is subkey 49, and the number is advanced by 2 with each round). Then it is subjected to one

of two possible transformations: either it is divided into four bytes, and each pair of bytes is enciphered through a

two small-scale Feistel rounds, using key-dependent S-box S8 as the f-function, or it is divided into two 16-bit

portions which are enciphered by two Feistel rounds.

Then, the other of the two possible transformations is performed on the left quarter of the left half of the block,

and finally another 32-bit subkey is XORed with it (subkey 50 in the first round, advanced by 2 for each

succeeding round).

The two small transformations of a 32-bit quarter of the block are, in detail, as follows:

In the first transformation, numbering the bytes from 1 to 4 from left to right, first byte 2 of the block is

changed by being XORed with the byte of S8 indicated by byte 1 of the block XORed with byte 1 of the subkey,

and at the same time byte 4 of the block is changed by being XORed with the byte of S8 indicated by byte 3 of

the block XORed with byte 2 of the subkey. (These XORs, and those in the next paragraph, may be changed to

modulo-256 addition, under circumstances to be noted below.)

Subsequently, byte 1 of the block is changed by being XORed with the byte of S8 indicated by byte 2 of the

block (in its current modified state) XORed with subkey byte 3, and at the same time byte 3 of the block is

changed by being XORed with the byte of S8 indicated by byte 4 of the block (in its current modified state)

XORed with subkey byte 4.

Thus, the block is divided into two halves; each half is subjected to two Feistel rounds in place, and the input to

the f-function comes first from the byte on the left, and then in the second round from the byte on the right. The

key-dependent S-box provides the f-function.

In the second transformation, the 32-bit block is split into two 16-bit halves. Two Feistel rounds take place,

with the left half initially supplying the input to the f-function. The f-function begins with the input being

XORed to 16 bits of subkey (the left half in the first round, the right half in the second, of a 32-bit subkey); then,

the left half of the result is used to index into key-dependent S-box S10, and the right half of the result is used to

index into key-dependent S-box S11. The two items found are then added (with the left byte being the most

significant), and the result is the f-function output. The round is completed by modifying the target half of the

block by XORing it with the f-function output.

Considering 32-bit subkey 721 as being composed of bits numbered from 1 to 32 from left to right, bit 1, if it is a

1, changes all the XORs in the first transformation when it is applied to the left quarter of the left half of the 128-

bit block in the first round to additions, both those where the subkey is XORed to the index into S8, and where

the output from S8 is XORed to a byte of the block.

Bit 17, if it is a 1, causes the second of the two transformations, the one which acts on 16-bit halves of the 32-bit

quarter, to take place first, in the first round. Bits 18 through 32 do this for rounds 2 through 16.

The f-function

The f-function used in Quadibloc VIII is essentially the same f-function as seen in Quadibloc II and Quadibloc S,

except with the use of different S-boxes and, in the case of the left half, an intermediate result is taken, which is

not the same as the one taken in Quadibloc III, which also uses an otherwise similar f-function.

The f-function consists of three general types of phase: S, for substitution, P, for bit-permutation, and X, for the

XOR of subkey material. The f-function used here is of the type XSPXSPXS. By having two full SP layers,

changing a single bit of the input always affects the entire f-function output, and therefore the avalanche property

of Quadibloc S is considerably stronger than that of DES; in return for a slower f-function, a single bit change in

the input block propagates to the whole block after only four rounds instead of eight.

The first S phase uses S-boxes 1, 1, 1, and 2 in order from left to right, and the second uses S-boxes 1, 2, 2, and 2

from left to right. S1 and S2 are as described in the description of previous ciphers in the Quadibloc series,

having been generated from Euler's constant.

The bit permutation used is a straightforwards one, where the first (leftmost) two bits of each byte remain in

position, the next two bits are rotated one byte to the right, the third pair of bits rotated 16 bits, and the last

(rightmost) two bits of each byte are rotated one byte to the left. Again, this is given in the description of the

original Quadibloc cipher.

The third S-phase replaces all the bytes with their substitutes in key-dependent S-box S8.

The subkeys XORed with the f-function input are subkeys 1, 2, and 3 in the first round, and the subkey numbers

are offset by 3 with each succeding round (thus, subkeys 4, 5, and 6 are used in round 2).

An auxilliary result is also produced from the f-function for the left half of the block. This result is the XOR of

the current values in the f-function after, of the complete f-function, in the form XSPXSPXS, the parts from the

beginning labelled XSP and the parts XSPXSP have been done.

For the remaining three quarters of the block, the auxilliary result will be used to control the order of the two

transformations applied to a single quarter, and whether, for the transformation of the first kind (which may be

done first or second) XORs or single-byte additions are used, in the fashion that subkey 721 controlled this for

the first quarter. Other bits of the auxilliary result will be used to select subkeys for use in subsequent

encipherment from a set of four possible values, and to select S-boxes from two possibilities for the f-function

used in the right half of the block.

First, the right quarter of the left half is subjected to one of the two available transformations. If the bits of the

auxilliary output of the f-function are numbered from 1 to 32 from left to right, bit 28, if it is 0, indicates that the

transformation of the first type, using S8 as the f-function, is done first; if it is 1, it indicates that the

transformation with a 16-bit wide f-function is done first. Bit 27 indicates, if it is a 1, that the XORs in the

transformation of the first type uses bytewise additions instead of XORs.

Bits 9 and 10 indicate, as a two bit number, bit 9 being more significant, which of the subkeys 145, 289, 433, or

577 is used for the transformation of the first type (whether it is done first or second), and bits 11 and 12

similarly indicate whether subkey 146, 290, 434, or 578 is used for the transformation of the second type. (In the

next round, and each time one progresses from one round to the next, the number of each subkey in each of these

groups of four subkeys is advanced by 9.)

After the first transformation is performed, the f-function output is XORed with the right quarter of the left half

of the block. Then, the second transformation is performed.

This diagram illustrates the part of a Quadibloc VIII round that acts on the right half of the block:

In the upper left corner of this diagram, the 32-bit auxilliary output from the f-function in the right half is shown.

As can be seen from comparing the two diagrams, the operations that take place on the right half of the block are

very similar to those which apply to the left half of the block. The main difference is that the 32-bit auxilliary f-

function output came from the left half, and it is used extensively in modifying the encipherment of the right half

(only six of its 32 bits were used to affect the transformations which applied to the right quarter of the left half).

Here, subkey 113 is first XORed with this quarter. This subkey number advances by 1 with each round, not by 2

as for the left half. Bit 30 of the auxilliary f-function output from the left half controls whether the transformation

of the first type (if 0) or of the second type (if 1) is done first, and bit 29, if 1, selects the use of bytewise addition

in the transformation of the first type.

Again, as before, the value between the two transformations is used as the f-function input. Bits 13 and 14 of the

auxilliary f-function output select the subkey (from 147, 291, 435, and 579) to use for the transformation of the

first type, and bits 15 and 16 select the subkey (from 148, 292, 436, and 580) to use for the transformation of the

second type.

The f-function

Again, the same XSPXSPXS structure is used. For the first two S stages, S-boxes 3 and 4 in the sequence

generated from Euler's constant are used. Bits 1 through 8 of the auxilliary f-function output from the left half

determine (0=S-box 3, 1=S-box 4) which S-box is used, for the four bytes of the f-function input in order from

left to right, first in the first stage and then in the second. The third S phase again just substitutes bytes from S-

box S8.

The three subkeys used are selected (in the first round, and advanced by 9 for each succeeding round as

previously noted) from subkeys 149, 293, 437, and 581 for the first XOR, guided by bits 21 and 22 of the

auxilliary f-function output; from subkeys 150, 294, 438, and 582 (in the first round) for the second XOR by bits

23 and 24; from subkeys 151, 295, 439, and 583 (in the first round) for the third XOR by bits 25 and 26.

Again, here we have two transformations, with the XOR of the f-function output in the middle. Bit 32 controls

which transformation comes first, and bit 30 controls whether XOR or addition is used in the transformation of

the first type. The transformation of the first type uses, in the first round, a subkey from subkeys 152, 296, 440,

and 584, as selected by bits 17 and 18 of the auxilliary output of the f-function in the left half, and the

transformation of the second type uses a subkey from subkeys 153, 297, 441, and 585, as selected by bits 19 and

20 of the auxilliary output of the f-function from the left half.

Byte Interchange

After each round of Quadibloc VIII, except round 16, the 16 bytes of the block are rearranged from being in the

order

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

16 8 5 6 12 10 3 1 13 15 7 14 4 2 11 9

Next

Start of Section

Skip to Next Chapter

Table of Contents

Main Page

[Next] [Up] [Previous] [Index]

The mixing and whitening phase on entry to the cipher is illustrated below:

Since mixing consists of Feistel round operations on pairs of bytes, ICE-style bit

swapping is first applied to move half the bits from the left to the right side of that

operation (and vice versa).

Then, after two rounds of mixing, an ICE-style swap moves half the bits from the left

half of the block to the right half of the block (and vice versa), making it uncertain

whether any bit is in the left-hand side simple Feistel round or in the right-hand side

controlled Feistel round to begin with.

Finally, after two more rounds of mixing, and ICE-style swap moves bits between the

left and right quarters of each half, randomizing what side of the f-function they start

out on.

On exit from the cipher, the masks M4, M5, and M6 are applied in order, and the

Feistel rounds applied to pairs of bytes still use the left byte as input to the f-function

first, as illustrated below:

that exactly four of the eight bits in any byte are swapped in each swapping step.

Next

Start of Section

Skip to Next Chapter

Table of Contents

Main Page

[Next] [Up] [Previous] [Index]

The key material used by Quadibloc VIII consists of:

● Six 64-bit swap masks, M1 through M6, each produced from 48 bits of normal subkey

material (specifically, the least significant 6 bits of each byte of 64 bits of normal

subkey material) by the use of a 4 of 8 code;

● One key-dependent S-box, S8, consisting of a permutation of the numbers from 0 to

255;

● Two key-dependent S-boxes, S10 and S11, each consisting of 256 16-bit values;

● Seven hundred and twenty-one 32-bit subkeys, organized as follows:

❍ 48 subkeys, from K1 through K48, used with the f-function in the left half;

❍ 32 subkeys, from K49 through K80, used to XOR with the left quarter of the

left half of the block at the beginning and end of each round;

❍ 16 subkeys, from K81 through K96, used as input to the transformation of the

first type applied to the left quarter of the left half of the block;

❍ 16 subkeys, from K97 through K112, used as input to the transformation of the

second type applied to the left quarter of the left half of the block;

❍ 16 subkeys, from K113 through K128, used to XOR with the left quarter of the

❍ 16 subkeys, from K129 through K144, used to XOR with the left quarter of the

❍ 144 subkeys, from K145 through K288, serving as the first of four entries in

❍ 144 subkeys, from K289 through K432, serving as the second of four entries in

❍ 144 subkeys, from K433 through K576, serving as the third of four entries in

❍ 144 subkeys, from K577 through K720, serving as the fourth of four entries in

❍ One subkey, K721, which determines the order of transformations, and the use

of XOR or byte-wide addition in the transformation of the first kind, for the

left quarter of the left half of the block in each round.

The key, which must be a multiple of 32 bits in length, is expanded into four different strings

of bytes as follows:

1. The first string consists of the key, with the one's complement of the modulo 256 sum

of all the bytes in the key appended.

2. The second string consists of the bytes in the key in normal order, alternating with the

one's complement of the bytes of the key in reverse order.

3. The third string consists of the bytes of the key in normal order, alternating with

consecutive numbers starting with 1, and with the bytes of the key in reverse order,

except that the last byte this would produce (a copy of the first byte of the key) is

omitted.

4. The fourth string consists of the bytes of the first half of the key, alternating with the

one's complement of the bytes of the second half of the key, alternating with

consecutive numbers starting with 128, alternating with the one's complement of the

bytes in the first half of the key in reverse order, but with the last byte this would

produce omitted.

Thus, four strings of different length are produced, and the bytes of the key are distributed

through these strings with different spacings. Also, no string can be all zeroes.

For example, given a key consisting of eight bytes with the values 1 2 3 4 5 6 7 8, the four

strings will be

1 2 3 4 5 6 7 8 219

1 1 8 2 2 7 3 3 6 4 4 5

5 5 4 6 6 3 7 7 2 8 8

1 251 128 250 2 252 129 249 3 253 130 248 4 254 131

Each of these four strings is used to produce bytes by chain addition. A cycle of chain

addition proceeds as follows: The modulo-256 sum of the first two bytes of the string is

calculated. This value is the current output from the process. The string is modified by having

its first byte removed, and the calculated sum appended to the end of the string.

● 256 bytes are produced by chain addition from the first string. These fill 256-byte

buffer 1. 256 bytes are produced by chain addition from the second string. These fill

256-byte buffer 2.

● When bytes are produced, the four strings, from first to fourth, will be rotated between

the designations of string A, B, C, and D in the following pattern, which repeats for

each four bytes generated:

❍ A: first, B: second, C: third, D: fourth

● To produce a byte of subkey material, string B is subjected to chain addition, and the

value it produces is used as an index into buffer 1. The value in buffer 1 at that point

is removed, and called output X. String A is subjected to chain addition, and the value

it produces replaces the value removed from buffer 1. (This is, of course, the classic

MacLaren-Marsaglia technique.) Similarly, string D is subjected to chain addition,

and the value it produces is used as an index into buffer 2. The value at this point is

removed, and becomes output Y, and is replaced by the output from subjecting string

C to chain addition.

● The XOR of outputs X and Y is used as the desired byte of subkey material.

At this point, the bytes of subkey material are subjected to a further operation during key

revision, to be described below.

The required subkey material is produced from this byte generator as follows:

● 1024 bytes are generated, to form the contents of S10 and S11.

● A permutation of the bytes from 0 to 255 is produced from generator output, in a

fashion to be described below, and this permutation will be called P.

● 2884 bytes are generated, forming the 721 32-bit subkeys.

● Another permutation of the byte values from 0 to 255 is produced. This permutation is

called Q. The S-box S8 can now be calculated, and satisfies the equation Q(S8(x)) = P

(x). Thus, it is produced by applying the inverse of Q to P.

● Six groups of eight bytes are calculated. The first two bits of these bytes are ignored;

the last six bits are used to index into the 4 of 8 code used with Quadibloc, and thus

the masks M1 through M6 are formed. (The original bytes used as input to the 4 of 8

code must be retained if a subsequent key revision phase is to be performed.)

The first byte generated is always used to fill the leftmost byte of a multi-byte subkey.

55 56 59 5A 65 66 69 6A 95 96 99 9A A5 A6 A9 AA

35 36 39 3A C5 C6 C9 CA 53 5C 63 6C 93 9C A3 AC

4D 4E 71 72 8D 8E B1 B2 17 1B 27 2B D4 D8 E4 E8

1D 1E 2D 2E D1 D2 E1 E2 47 4B 74 78 87 8B B4 B8

The basic procedure for generating a permutation, used to produce permutations P and Q

from generator output, is, as used with Quadibloc II, the following:

● Begin with three arrays of 256 numbers, the first of which is filled with the numbers

from 0 to 255 in order. The arrays must also be able to hold the value -1. The second

and third arrays are filled with -1.

● For each of 256 bytes produced by the generator: let the value of the byte be called N,

and let I be a counter which starts at 0 for the first byte, incrementing with each byte

used, and ending at 255.

● Then, for each byte:

❍ If element N of the first array is not -1, set element N of the first array to -1,

❍ Otherwise, store N in the first unused position (the first position containing -1)

● Once this has been done, if the third array contains any numbers other than -1,

proceed as follows:

● If there is only one filled (not equal to -1) element in the third array, then there is only

one remaining element in the first array, and one element of the second array equal to -

1, so fill the second array with the one available byte, and finish.

● If there are only two filled elements in the third array, take the least significant bit of

the first filled element. If it is zero, fill the -1 elements of the second array with the

remaining elements of the first array in order; if it is one, do so in reverse order, and

finish.

● If there are less than 256 filled elements in the third array, repeat them over and over

to fill the array. Then, generate an additional 256 bytes (thus, 512 bytes are used

except when the first 256 bytes contain two or fewer duplicate bytes) and XOR them

with the bytes of the third array.

● Now, use the third array to complete the second array by doing the following for II

from 0 to 255:

❍ Let the value of element II of the third array be XX.

● Then, scan through the second array. When an element of the second array is -1, fill it

with the corresponding element of the first array (if it is not also -1) and set that

element of the first array to -1.

● If there are any -1 elements left in the second array, fill them with the elements of the

first array that are not -1 in order.

Whether the procedure finishes after 256 bytes, or after 512 bytes, from the generator are

used, the contents of the second array when the procedure is concluded are the permutation

produced.

Key Augmentation

There are ten intermediate results within a round that can be used for key augmentation.

These are:

1. The left quarter of the left half of the block, after being subjected to the first of the two

possible alternate operations, and as serves as the input to the f-function;

2. The intermediate result of the left half f-function after the first S-P layer, and before

the XOR of the second subkey input to the f-function;

3. The intermediate result of the left half f-function after the second S-P layer, and

before the XOR of the thirs subkey input to the f-function;

4. The left half f-function output;

5. The right quarter of the left half of the block, after being subjected to the first of the

two possible alternate operations, and before being XORed with the f-function output;

6. The left quarter of the right half of the block, after being subjected to the first of the

two possible alternate operations, and as serves as the input to the f-function;

7. The intermediate result of the right half f-function after the first S-P layer, and before

the XOR of the second subkey input to the f-function;

8. The intermediate result of the right half f-function after the second S-P layer, and

before the XOR of the thirs subkey input to the f-function;

9. The right half f-function output;

10. The right quarter of the right half of the block, after being subjected to the first of the

two possible alternate operations, and before being XORed with the f-function output;

After a key is set up using the key schedule as previously described, the 721 32-bit subkeys

can be modified through key augmentation steps.

00FF0F0F333355550123456789ABCDEF

using Quadibloc VIII, normally, but during each round retain the ten intermediate results

listed above. After the round is concluded, XOR the ten intermediate results, in the order

given, with ten successive subkeys, starting with subkey K145 in the first round. Thus, the

ten intermediate results from the first round are XORed with subkeys K145 through K154,

the ten intermediate results from the second round are XORed with subkeys K155 through

K164, and so on.

After the block encryption is complete, move the subkeys backwards 160 positions in the list

of subkeys. Thus, the former subkeys K1 through K160 become subkeys K562 through

K721; the former subkeys K161 through K721 become subkeys K1 through K561.

Although five key augmentation steps are required to modify all the subkeys, a single key

augmentation step ensures that subkeys K1 through K144, as well as K721, are among the

160 subkeys modified by being XORed with intermediate results, these subkeys being the

most critical, as they are the ones not contained in a group of four subkeys, any one of which

may be used in a given encipherment.

Quadibloc VIII with one key augmentation step is to be called Quadibloc VIII A1, and with

five key augmentations steps, the other standard number, Quadibloc VIII A5.

With 721 regular subkeys, including the 1024 bytes contained in the two key-dependent S-

boxes S10 and S11, which are the equivalent of 256 additional subkeys, in what is modified

by key augmentation is not, in fact, impractical.

A modified key augmentation step proceeds exactly as a regular key augmentation step,

except that the buffer moved backwards by 160 subkeys now consists of the 721 subkeys K1

through K721 followed by the 256 entries in S-box S10, where each consecutive pair of

entries forms a subkey, the earliest entry being leftmost, followed by the 256 entries in S-box

S11 in the same form.

Seven key augmentation steps are now required to modify all the subkey material now

exposed to change, and this leads to the variant of Quadibloc VIII to be called Quadibloc

VIII M7. (Alternating regular and modified key augmentation rounds is possible; any pattern

of the form aMMaaaaa where M is a modified key augmentation round, and a is either

regular or modified key augmentation, will result in all the subkey material being fully

modified.)

Also, Quadibloc VIII M3 is sufficient to modify the fixed subkeys K1 through K144, the

subkey K721, and all of S10 and S11. (Again, Quadibloc VII A M2 would suffice for this as

well.)

Key Revision

Because modifying the other portions of subkey material is not simple enough to be done

during a process such as key augmentation, a further process of subkey modification is

provided, called key revision. A key revision step, which is optional, may only be performed

immediately following a key augmentation step. The 128-bit output from the block

encipherment performed to provide a key, which is then used as input to a slightly modified

version of the normal initial key generation process for Quadibloc VIII.

The key used as input for the modified key generation process is the following:

● For the first key revision step, the key is the 160-bit quantity consisting of the 128-bit

block cipher output from the immediately preceding key augmentation step, followed

by its first (leftmost) 32 bits repeated, unless the original key was 160 bits long, in

which case the 128-bit block cipher output is used without being lengthened;

● For the second key revision step, the key is the 192-bit quantity consisting of the 128-

bit block cipher output from the immediately preceding key augmentation step,

followed by its first (leftmost) 64 bits repeated, unless the original key was 192 bits

long, in which case the 128-bit block cipher output is used without being lengthened;

● For the third key revision step, the key is the 224-bit quantity consisting of the 128-bit

block cipher output from the immediately preceding key augmentation step, followed

by its first (leftmost) 96 bits repeated, unless the original key was 224 bits long, in

which case the 128-bit block cipher output is used without being lengthened;

● For the fourth key revision step, the key is the 256-bit quantity consisting of two

repetitions of the 128-bit block cipher output from the immediately preceding key

augmentation step, unless the original key was 256 bits long, in which case the 128-bit

block cipher output is used without being lengthened;

● For the fifth key revision step, the key is the 288-bit quantity consisting of two

repetitions of the 128-bit block cipher output from the immediately preceding key

augmentation step, followed by its first (leftmost) 32 bits repeated, unless the original

key was 288 bits long, in which case the 128-bit block cipher output is used without

being lengthened;

and so on. This ensures that, if multiple key revision steps are performed, each key revision

step uses a key which is different in length both from the original key and from the key used

in all other key revision steps.

With this key, the procedure for initial Quadibloc VIII is followed, except for these changes:

Since a value for the S-box S8 now exists, the bytes generated by the subkey byte generator

are additionally subjected to the following encipherment step before being used, and the

bytes being used begin with that corresponding to the third byte of output from the original

subkey byte generator:

For each byte of output from the original subkey byte generator, the preceding two bytes of

output are enciphered using a two-round Feistel cipher which uses S8 as the f-function. First,

a counter, initialized at 1 and incrementing by 1 is is XORed with the eldest byte, the result

being used to index into S8, and the value found in S8 is XORed with the immediately

preceding byte, modifying it. Then, a counter, initialized at 0 and incrementing by 1, except

that the value 255 is skipped, is XORed with the immediately preceding byte, as modified,

and the result is used to index into S8, and the value found in S8 is XORed with the eldest

byte, modifying it.

The current byte is then used to produce the byte to be used in subkey generation as follows:

● The modified eldest byte is added to it, modulo 256.

● It is replaced by its substitute from S8.

● The modified immediately preceding byte is added to it, modulo 256.

● It is replaced by its substitute from S8.

Thus, the keystream is enciphered in essentially a simple form of CFB mode, except that the

block cipher used is really a stream cipher, since its subkeys are continually changing.

The subkey bytes thus generated are used to modify the existing key schedule, instead of to

replace it, as follows:

● The first 1024 bytes generated are XORed with the contents of S10 and S11.

● A permutation called P is again produced from generator output.

● The next 2884 bytes generated are XORed with the bytes of the 721 32-bit subkeys.

● A permutation called Q is again produced from generator output.

● Six groups of eight bytes are calculated. These are XORed with the raw mask value,

before 4 of 8 coding, left by either the original key schedule or by the previous key

revision step, and then subjected to 4 of 8 coding to provide the six 64-bit mask values

M1 through M6.

● The permutations P and Q are then used to produce the new S8 permutation, S8'(x),

from the previous one, S8(x), such that the following equation is true: S8'(Q(x))=S8(P

(x)). This can be done as follows: for each byte x from 0 to 255, use x as an index into

P; use the result as an index into S8; store the result in the location within S8' found

by using x as an index into Q.

Quadibloc VIII with one key augmentation step, followed by one key revision step, is to be

called Quadibloc VIII A1 R; Quadibloc VIII with seven modified key augmentation steps,

the last of which is followed by a key revision step, is to be called Quadibloc VIII M7 R;

Quadibloc VIII with seven modified key augmentation steps, each of which is followed by a

key revision step, is to be called Quadibloc VIII MR7. Quadibloc VIII with five key

augmentation steps, the last of which is followed by a key revision step, is to be called

Quadibloc VIII A5 R; Quadibloc VIII with five key augmentation steps, each of which is

followed by a key revision step, is to be called Quadibloc VIII AR5.

The key schedule of Quadibloc VIII A1 R should be entirely satisfactory; the more lengthy

variants should not be required for security, although Quadibloc VIII M7 R has, at least, the

argument in its favor that its key schedule tends towards that of Blowfish (which, of course,

however, used only the result of a complete encipherment to modify subkeys, rather than

intermediate results within each round).

Next

Start of Section

Skip to Next Chapter

Table of Contents

Main Page

[Next] [Up] [Previous] [Index]

Design Rationale

Quadibloc VIII was designed to be a strong cipher not only against attacks which are

currently understood, but also to be likely to be resistant against attacks which might be

discovered in the future. It has been designed very conservatively; a full 16 rounds

have been used, despite the fact that each round is considerably more elaborate than a

single round in more conventional block ciphers: thus, its security does not depend on

the merit of the somewhat unconventional measures I have included in the algorithm in

hopes of achieving a very high level of security.

Such things as medical records, or other information related to the personal privacy of

individuals, may be required to remain confidential for 50 or even 100 years. Because

the speed and power of computers has been increasing at a fast pace for some time, it is

very difficult to make a firm prediction of how powerful computers might be at such a

distant time.

Although some fundamental physical limits, as well as physical laws which even limit

the performance of quantum computers, do appear to imply that one can specify a key

size that will leave one's messages forever immune to brute-force searching, it is even

harder to predict what new and surprising discoveries may be made in the field of

mathematics or in cryptanalysis that may allow attacks taking less time than a brute-

force search (trying every possible key).

Hence, I felt that it was justified to attempt to design a cipher which, while remaining

constrained to some extent to operate within limits at least comparable with those of

more conventional designs, was still aimed at providing a very high level of security

without attempting to justify the security aimed at as necessary. As with all the ciphers

in the Quadibloc series, ease of implementation is another important consideration, and

it is execution speed which has taken a back seat.

The most important step taken in the design of Quadibloc VIII to achieve the apparent

potential for very high security was to, in every round, subject the 32-bit quarters of the

block to two different transformations, making it variable which of those two

transformations occurred first. As well, in one of those transformations, whether XOR

or modulo-256 addition is used is variable.

This does create vulnerability to attacks based on monitoring the power consumption of

a device carrying out this algorithm. Simultaneously (in hardware) or in a fixed order

(in software) carrying out both possible operations, the one used and the one not used,

is a measure that could be used to avoid this.

To achieve greater resistance to differential and linear cryptanalysis, key-dependent S-

boxes are used. With the contents of the S-boxes unknown, characteristics cannot be

found for the f-function in the normal manner used for simple differential

cryptanalysis. This increases the amount of memory required to carry out the

algorithm, again limiting its usefulness. The multi-stage nature of the f-function, in

addition to giving this cipher a strong avalanche characteristic, also improves resistance

to differential and linear cryptanalysis.

There are three basic possible ways in which weak keys could occur in the algorithm:

● A key could cause one or more of the four chain addition sequences used to

generate subkey material to have a short period;

● The key-dependent S-box S8, or either of the key-dependent S-boxes S10 and

S11, might, by accident, consist of bytes in an ordering that is, or that

approaches, a linear or affine function of its input;

● The key-dependent boxes S10 and S11 might contain duplicate entries.

But I tend to view the threat from at least the second and third of these as negligible.

With 16 rounds, and an f-function that has not one, but two SP stages based on fixed S-

boxes, as well as the fact that there are two different groups of key-dependent S-boxes,

both of which act on the entire block in every round, it should not be possible for an

attacker to effectively exploit, or detect, a weakness in any one key-dependent S-box

should it occur.

Some of the individual steps in the algorithm can also be further examined:

Algorithmic Variability

In each round, the algorithm can take one of 16 shapes by the interchange of two

transformations applied to the 32-bit quarters of the block. In addition, there are 16

possibilities of using either XOR or bytewise addition in one of those transformations.

These 256 possibilities in each round are the product of four possibilities for the

leftmost quarter of the block, which are key-dependent, and 64 possibilities for the

remaining three quarters of the block, which are data-dependent.

It might be suggested that more of the variability in the algorithm ought to be key-

dependent, since in this way, it could be said that only 2^32 different algorithms are

used, and this number is susceptible to brute-force search, if there were some rapid way

to solve the rest of the cipher.

not appear to be a strong objection.

If one ignores the choice between four subkeys in various portions of the round, and

the extra algorithmic variation caused by switching between addition or XOR, and only

counts the sixteen possibilities in each round, for each of the four quarters of the block,

of doing either of two 32-bit transformations first, then the key-dependent part of that

involves only 2^16 possibilities. While it might be possible to simply ignore them, by

trying an attack based each possibility, as there are 2^48 possibilities for the data-

dependent part of that, it would seem that a conventional differential attack (actually,

that is a misnomer, as other aspects of the design would require some extension to the

original techniques of differential cryptanalysis) would require one to compare known

plaintext-ciphertext pairs where the same one of the 2^48 possible algorithms was used.

accident is less than one in 2^48, even this is not totally impossible, and the identity of

the pairs in which it is seen would then provide additional information.

Byte Interchange

As noted in the description of the algorithm, after each round of Quadibloc VIII, except

round 16, the 16 bytes of the block are rearranged from being in the order

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

16 8 5 6 12 10 3 1 13 15 7 14 4 2 11 9

This particular rearrangement was carefully designed. It has the following properties:

● It is a cyclic permutation of the numbers from 1 to 16; hence, each byte of the

block will be moved to each of the possible positions during the 16 rounds of

the cipher.

● Each byte continuously alternates between being in the left and the right

quarters of either half. That is, if a byte is in the left quarter of one half in one

round, it will be in the right quarter of either the same half, or the other half, in

the next round.

● The alternation between halves, if only odd numbered rounds or only even

numbered rounds are considered, (or if only rounds where the byte is in the left

quarter of its half, or only rounds where the byte is in the right quarter of its half

are considered, which is equivalent from the preceding property) follows the

pattern R L L R L R R L or a cyclic permutation thereof.

Since the main feature of the cipher is a Feistel round within each half of the block,

parts of the block alternate regularly between being on the left and right sides of the f-

function as in any normal Feistel cipher.

An irregular pattern of alternation between left and right halves of the block is used, so

that for each round, bytes will be brought together in different combinations.

Thus, let us consider byte 5, and where it appears in odd-numbered rounds only, when

it is on the right quarter in its half, and thus on the recieving end of the f-function. Let

us depict, with the bytes identified by their positions in round 1, the input and output of

the f-function, but rotating both by corresponding amounts so that byte 5 appears first

on the right quarter, so we see what it looks like from the viewpoint of byte 5.

12 10 9 1 5 16 14 15 Round 3: left half

12 1 10 3 5 6 15 16 Round 5: right half

4 1 3 10 5 8 6 16 Round 7: left half

3 2 1 4 5 6 8 7 Round 9: right half

10 12 1 9 5 14 15 16 Round 11: right half

1 12 3 10 5 15 16 6 Round 13: left half

4 10 3 1 5 6 8 16 Round 15: right half

While this only brings the bytes together in four distinct possible configurations,

although in different orders in each of the two times, that is still about as irregular as is

possible given that the only device available in this uniform and consistent permutation

between rounds to bring different bytes together is dispatching them to the other half of

the block for differing periods of time.

These are the positions of the bytes in the 16 rounds of Quadibloc VIII:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

16 8 5 6 12 10 3 1 13 15 7 14 4 2 11 9

9 1 12 10 14 15 5 16 4 11 3 2 6 8 7 13

13 16 14 15 2 11 12 9 6 7 5 8 10 1 3 4

4 9 2 11 8 7 14 13 10 3 12 1 15 16 5 6

6 13 8 7 1 3 2 4 15 5 14 16 11 9 12 10

10 4 1 3 16 5 8 6 11 12 2 9 7 13 14 15

15 6 16 5 9 12 1 10 7 14 8 13 3 4 2 11

11 10 9 12 13 14 16 15 3 2 1 4 5 6 8 7

7 15 13 14 4 2 9 11 5 8 16 6 12 10 1 3

3 11 4 2 6 8 13 7 12 1 9 10 14 15 16 5

5 7 6 8 10 1 4 3 14 16 13 15 2 11 9 12

12 3 10 1 15 16 6 5 2 9 4 11 8 7 13 14

14 5 15 16 11 9 10 12 8 13 6 7 1 3 4 2

2 12 11 9 7 13 15 14 1 4 10 3 16 5 6 8

8 14 7 13 3 4 11 2 16 6 15 5 9 12 10 1

round Feistel cipher between 16-bit subblocks and a pair of two-round Feistel ciphers

between 8-bit bytes, the mixing and whitening phase of the cipher is designed to ensure

that without knowledge of the key, it is not possible to determine the path of a single

bit through the cipher.

But does this provide blanket protection against differential and linear cryptanalysis?

No, I cannot claim that. But because differential and linear cryptanalysis attacks are

often only small improvements on brute-force cryptanalysis, even making them only

slightly more difficult is worthwhile.

The example given in David Kahn's book The Codebreakers of an amateur cipher that

might be wrongly claimed unbreakable may indic

## Mult mai mult decât documente.

Descoperiți tot ce are Scribd de oferit, inclusiv cărți și cărți audio de la editori majori.

Anulați oricând.