Communications security: a survey of cryptography


IEE REVIEW

Communications security: a survey of cryptography

H.J. Beker, B.Sc, Ph.D., A.F.I.M.A., M.I.S., and Prof. F.C. Piper, B.Sc, Ph.D., A.R.C.S., D.I.C.

Indexing terms: Telecommunication, Radiocommunication, Codes and decoding

Abstract: Our society has become highly dependent on its modern communications systems, e.g. the radio, television, telephone, telex, facsimile, high-speed datalinks etc. A high proportion of the information disseminated over these communications circuits is confidential in nature. In these situations the communicants should take steps to conceal the content of a message from not only the casual listener but also the determined interceptor. There is little doubt that this problem of protecting and securing communications will continue to grow at an increasing rate over the coming years, not only in its traditional military role but also in the public and commercial domains. The paper considers the type of cryptographic systems available today. As well as discussing the mathematical and statistical requirements of such systems, it explores how, with careful design, most of these needs can be met while the complexity of the hardware implementation is kept to a minimum.

1 Introduction

The protection and security of communications is a subject that has been continuously growing in importance since the introduction of the telegraph in the mid-19th century. Of course, the desire to keep messages secret has been practised for thousands of years. (The ancient Egyptian hieroglyphics are a good example.) However, only with the telegraph did the art of communications, as we know it today, begin. Our society has become highly dependent on these communications. As well as the long-established types, e.g. the post and courier services, we now have available to us many newer forms like the radio, television, telephone, telex, facsimile, high-speed datalinks etc.

A high proportion of the information disseminated over these communications circuits is confidential in nature. In many cases an unauthorised person who had access to this information, although he might find the information interesting, would gain little advantage from his knowledge. There are however a number of situations in which an interceptor could benefit immensely from the knowledge he gained by monitoring a communications circuit. In these situations the communicants should take steps to conceal the content of a message from not only the casual listener but also the determined interceptor.

There is little doubt that this problem of protecting and securing communications will continue to grow at an increasing rate over the coming years, not only in its traditional military role but also in the public and commercial domains. The 'man in the street' has been made increasingly aware of the information relating to him being communicated between various databanks, and a number of countries are currently introducing legislation to govern the protection of such information. In such situations the communicants have no alternative but to give attention to the security of their transmissions.

One way in which communicants could protect the contents of their message from an interceptor would be to use a noninterceptible means of transmission. Unfortunately the most common forms of communication do not satisfy this requirement. The use of a courier, although still not completely satisfying the requirement, might go some way towards meeting it. However this would be very expensive, very slow and might even be impossible if the number of messages requiring transmission was large. The alternative is to transform the message, in some way, prior to transmission, to conceal its content. It is this alternative which we shall discuss.

Paper 2011 A, received in final form 12th May 1982. Commissioned IEE Review. Dr. Beker is with Racal-Comsec Ltd., Milford Industrial Estate, Tollgate Road, Salisbury, Wilts., England, and Prof. Piper is with the Mathematics Department, Westfield College (University of London), Kidderpore Avenue, London NW3 7ST, England

A system which makes it possible to disguise confidential information in such a way that its meaning is unintelligible to an unauthorised person is called a cipher system. The information to be concealed is called the plaintext (or just the message), and the operation of disguising it is known as enciphering. The enciphered message is called the ciphertext or cryptogram. The person who enciphers the message is known as the encipherer, and the person to whom he sends the cryptogram is called the recipient or receiver. The set of rules which the encipherer uses to encipher his plaintext is the algorithm. Normally the operation of this algorithm will depend on a key which the encipherer inputs to the algorithm together with his message. It is absolutely crucial that the recipient knows the key, and that this knowledge should enable him to determine the plaintext from the ciphertext. Thus the key and ciphertext must determine the plaintext uniquely. This process of applying a key to translate back from the ciphertext to the plaintext is known as deciphering. If a key is used in the way described above then the security of a well designed system should not depend on keeping the algorithm secret, but only on the key. A system which does not depend on a key (or, equivalently, has only one possible key) is often referred to as a code.

Any person who intercepts a message being transmitted from the encipherer to a recipient is called, not surprisingly, an interceptor. An interceptor will not, in general, know the key, and it is this lack of knowledge which, it is hoped, will prevent him knowing the plaintext. Cryptography is the designing of cipher systems and cryptanalysis is the name given to the process of deducing the plaintext from the ciphertext without knowing the key. In practice the cryptanalyst will often be interested in deducing the key as well as the plaintext. If he is successful he may then be able to decipher all other communications which he intercepts just as if he were the intended recipient. Cryptology includes both cryptography and cryptanalysis.

2 Some basic cipher systems

Many schoolboys play the game of sending each other 'secret' messages. To do this they usually invent a 'code' by letting each letter of the alphabet represent another one. This is called a monoalphabetic cipher, and was one of the earliest types of cipher used. Certainly monoalphabetic ciphers were used by Julius Caesar. To obtain his key the schoolboy will write down the alphabet and will then write by each letter the new letter which represents it in his ciphered message. This choice of letters will be his key. Once the recipient has a copy of this piece of paper he can easily decipher the message. Furthermore, it is clear that, if correctly deciphered, the secret message determines the plaintext uniquely. However, if, as is usually the case with schoolboys, the rule for determining the allocation of letters is arbitrary, then the piece of paper on which the key is written is important. If it is lost or stolen the recipient will not be able to decipher the message. Its mere existence invites theft by anyone wishing to intercept the message. Clearly the system would be more secure if both encipherer and recipient could memorise the key. But to do this it is usually easier to have some rule of assigning ciphertext letters to the plaintext alphabet.

IEE PROC., Vol. 129, Pt. A, No. 6, AUGUST 1982   0143-702X/82/060357 + 20 $01.50/0   357

Fig. 1 'Machine' to implement additive ciphers

As an example consider the cipher 'machine' of Fig. 1. This consists of two concentric rings of which the outer one is free to rotate. Clearly there are 26 possibilities for their relative positions, and each one is a different key, with the plaintext alphabet on the inner ring and the corresponding substitutions on the outer ring.

Monoalphabetic ciphers are often referred to as simple substitution ciphers, and the ordered sequence of letters which represents the alphabet is called the substitution alphabet.

Monoalphabetic cipher systems offer virtually no security, and we will not discuss them in any detail. However, it is important to understand why they are so ineffective. In the following Tables we list some statistics which give the relative frequencies of single characters, bigrams and trigrams in a number of reasonably long passages of English text, taken from various newspapers and novels. The total sample contained 100 362 alphabetic characters. A more complete set of statistics can be found in Reference 11.

Table 1: Single character frequencies (relative frequencies of alphabetic characters, per cent)

Character   A      B      C      D      E       F      G      H      I      J      K      L      M
Frequency   8.167  1.492  2.782  4.253  12.702  2.228  2.015  6.094  6.966  0.153  0.772  4.025  2.406

Character   N      O      P      Q      R      S      T      U      V      W      X      Y      Z
Frequency   6.749  7.507  1.929  0.095  5.987  6.327  9.056  2.758  0.978  2.360  0.150  1.974  0.074


Table 1 is concerned with the frequency of single characters. Each value listed gives the number of appearances of the appropriate character as a percentage of the total number of characters.

In Table 2 we give the bigram frequencies for alphabetic characters only. (Thus they represent the occurrences when the text is written as a continuous stream of alphabetic letters without spaces.) To read these tables our first character of the bigram is in the left-hand column. Thus, for example, the number corresponding to AC is 381, whereas that for CA is 394.

Finally in Table 3 we include a list of the 50 most frequent bigrams and trigrams (in each case for alphabetic characters only). The figures quoted for the bigrams are merely taken from Table 2.

These statistics provide a fairly reliable guide to the likely relative frequencies in most other long English plaintext and, as a consequence, render monoalphabetic cipher systems virtually useless for long messages. The reason is that a simple substitution merely replaces each letter with another. So, for example, the substitute for e will occur in the ciphertext with exactly the same frequency as e occurs in the plaintext. Thus knowledge of the statistics, plus a certain amount of 'trial and error', will enable a cryptanalyst to break any cryptogram which is the result of applying a monoalphabetic cipher to some English plaintext, provided, of course, that the ciphertext is long enough.

Most of the first known cipher systems were monoalphabetic, but cryptographers soon realised the significance of statistics like those above. They then accepted the need to use systems in which a given ciphertext letter may represent more than one plaintext letter. Such cipher systems are called polyalphabetic. When devising a polyalphabetic cipher it must not be forgotten that the ciphertext must determine the plaintext uniquely. We cannot, for example, have an algorithm in which a ciphertext X represents either plaintext e or s without having a rule to tell the decipherer precisely when it represents e and when it represents s. It is crucial that, at each position of the cryptogram, knowledge of the key uniquely defines the plaintext equivalent of each ciphertext letter.

A polyalphabetic cipher may be regarded as a sequence of monoalphabetic ciphers which are often referred to as its substitution alphabets or just its alphabets. If a polyalphabetic cipher uses a fixed number, p say, of alphabets in strict rotation then we say it has period p. There are many accounts of polyalphabetic cipher systems and we refer the interested reader to References 11, 36, 54, 59, 60 or 99.

For this paper we restrict our attention to one of the most widely known polyalphabetic ciphers. We then use this example to illustrate some of the techniques which make the cryptanalysis of such systems fairly straightforward. The particular example is the Vigenère cipher, which uses the encipherment array, called a Vigenère square, shown in Table 4.

For a Vigenère cipher a keyword (or phrase) is chosen. If the plaintext message is longer than this keyword then the keyword is repeated as many times as is necessary to obtain a sequence of letters which is the same length as the message. Each letter in this sequence then determines (by use of the Vigenère square) the substitution alphabet used to encipher the plaintext letter in the same position. Thus the period is the length of the keyword. As an example we will take 'radio' as our keyword and 'codebreaking' as the message. First, we write the keyword with the plaintext beneath it:

Keyword:    r a d i o r a d i o r a
Plaintext:  c o d e b r e a k i n g

Obeying our enciphering rule we get

Ciphertext: T O G M P I E D S W E G
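The Vigenère rule above in code. This is an added example and not code from the original paper; the function names are this example's own. Letters are numbered a = 0 to z = 25, so the row of the Vigenère square selected by key letter k is addition of k modulo 26, and a one-letter keyword gives the additive cipher of the Fig. 1 'machine'.

```python
"""Vigenere encipherment with a repeated keyword (added example, not from the paper).

Letters are numbered a = 0 ... z = 25; a row of the Vigenere square is addition
of the key letter's number modulo 26, and deciphering is the subtraction.
"""
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def letters_only(text: str) -> str:
    """Drop spaces and punctuation: the text treats a message as a stream of letters."""
    return "".join(ch for ch in text.lower() if ch in ALPHABET)


def keystream(keyword: str, length: int) -> str:
    """Repeat the keyword until it is as long as the message (period = len(keyword))."""
    keyword = letters_only(keyword)
    if not keyword:
        raise ValueError("keyword must contain at least one letter")
    return (keyword * (length // len(keyword) + 1))[:length]


def vigenere_encipher(plaintext: str, keyword: str) -> str:
    """Ciphertext letter = plaintext letter + key letter (mod 26), in upper case as in the text."""
    plain = letters_only(plaintext)
    key = keystream(keyword, len(plain))
    return "".join(
        ALPHABET[(ALPHABET.index(p) + ALPHABET.index(k)) % 26] for p, k in zip(plain, key)
    ).upper()


def vigenere_decipher(ciphertext: str, keyword: str) -> str:
    """Plaintext letter = ciphertext letter - key letter (mod 26): key and ciphertext
    together fix the plaintext uniquely, as the text requires."""
    cipher = letters_only(ciphertext)
    key = keystream(keyword, len(cipher))
    return "".join(
        ALPHABET[(ALPHABET.index(c) - ALPHABET.index(k)) % 26] for c, k in zip(cipher, key)
    )


def additive_encipher(plaintext: str, key_letter: str) -> str:
    """The Fig. 1 'machine': a one-letter keyword, i.e. a Vigenere cipher of period 1,
    a monoalphabetic shift with only 26 possible keys."""
    return vigenere_encipher(plaintext, key_letter)


if __name__ == "__main__":
    ct = vigenere_encipher("codebreaking", "radio")
    print("Keyword:    ", " ".join(keystream("radio", 12)))
    print("Plaintext:  ", " ".join("codebreaking"))
    print("Ciphertext: ", " ".join(ct))
    # The two e's of the plaintext (4th and 7th letters) get different substitutes:
    print("4th and 7th ciphertext letters:", ct[3], ct[6])
    print("Deciphered: ", vigenere_decipher(ct, "radio"))
```

With 'radio' and 'codebreaking' the block reproduces TOGMPIEDSWEG, and the 4th and 7th ciphertext letters (both from plaintext e) come out as M and E, which is the point made next in the text.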


Table 2: Bigram frequencies

[26 × 26 table of bigram counts, with the first letter of each bigram in the left-hand column and the second letter along the top; the counts themselves did not survive extraction. Total of bigrams (excluding all nonalpha characters) = 100 361.]

Table 3: 50 most frequent bigrams and trigrams

Bigrams (counts taken from Table 2):

  TH 3015   HE 3004   IN 1872   ER 1860   AN 1419   RE 1353   ED 1305   ON 1182   ES 1170   ST 1147
  EN 1141   AT 1117   TO 1111   NT 1105   HA 1070   ND 1040   OU 1037   EA  993   NG  968   AS  942
  OR  902   TI  891   IS  858   ET  851   IT  842   AR  827   TE  805   SE  767   HI  741   OF  694
  AL  684   VE  670   SA  662   LE  644   RE  634   TA  628   SH  615   RO  601   NE  594   LI  594
  EC  584   RA  569   EL  566   WA  565   RI  563   CO  561   DE  543   BE  531   DT  517   TT  513

Trigrams:

  THE 2030   ING  747   AND  667   HER  547   ERE  448   ENT  376   THA  353   NTH  353   WAS  336   ETH  312
  FOR  306   DTH  304   HAT  298   SHE  281   ION  277   INT  274   HIS  264   STH  257   ERS  252   VER  249
  TTH  249   TER  249   HES  248   EDT  244   EST  237   THI  236   HAD  232   OTH  218   ALL  216   ATI  215
  TIO  213   ITH  212   TIN  207   FTH  206   AST  206   OME  202   ONT  199   YOU  195   OUL  192   OFT  191
  ONE  190   ULD  189   REA  189   RTH  187   EAR  187   NGT  184   OUN  183   ATT  183   WIT  179   RES  175

Note, by the way, that there are two e's in the plaintext, and that they have different ciphertext equivalents. So we definitely do not have a monoalphabetic cipher.

One of the major drawbacks in using a Vigenère cipher comes from the fact that it has a period. For any cryptogram obtained by using a polyalphabetic cipher with period p, the ciphertext obtained by taking every pth letter (e.g. the 1st, (p + 1)th, (2p + 1)th etc.) is the result of using the same monoalphabetic cipher. Thus a cryptanalyst may regard the original ciphertext as comprising p separate cryptograms, each resulting from a monoalphabetic cipher. He can then use the 'statistical attack' described earlier to break each one. However, a Vigenère cipher is definitely an improvement on a monoalphabetic one. The first reason for this is that the cryptanalyst can only split the ciphertext into its 'monoalphabetic components' if he knows the length of the keyword. (We will say more about this later.) The second is that, as we noted earlier, the statistical attack on a monoalphabetic cipher only works if the cryptanalyst has sufficient ciphertext. Thus it appears that the cryptanalyst needs p times as much ciphertext before he can start his attack. A third point, and this is very important, is that, at least at first sight, it will take the cryptanalyst p times as long to break the system.

In any given situation it is likely that the cryptographer will want to estimate the length of time it will take the cryptanalyst to break the particular system being used. Of course this time will depend upon many things including, for instance, the precise facilities available to him. The length of time we believe our system will resist a particular attack is normally referred to as its cover time for that attack. Different applications of cipher systems will require different minimal cover times. (The minimal cover time is the shortest cover time for any conceivable attack.) For instance within a 'tactical' network a few hours, or even minutes, may be sufficient, whereas within a 'strategic' system many years may be necessary.

We will now introduce a statistical test which, provided the length of ciphertext is large compared with p, enables a cryptanalyst to determine the value of p. We discuss it in some detail because it illustrates a basic idea behind many cryptanalytical attacks.

If a letter is picked at random from an arbitrary sequence of letters then, since there are 26 possibilities and each is equally likely, the probability of it being any particular letter is 1/26. Similarly, if we pick a letter from each of two arbitrary sequences then, since the events are independent, the probability of choosing a particular (ordered) pair of letters is $(1/26)^2$. So if we now write the two arbitrary sequences on consecutive lines, the probability of a chosen letter being above another chosen letter in a given position is $(1/26)^2$. Thus, since there are 26 possible pairs of identical letters, the probability that identical letters appear at a given position of the two sequences is $26 \cdot (1/26)^2 = 1/26 \approx 0.038$.

If we now replace the arbitrary sequences of letters with English plaintext, then, of course, the probabilities change. The complete list of probabilities is in Table 1 but, for instance, the probability of finding an a in a given position is $p_a \approx 0.082$, while the probability of getting a b is about 0.015. This means that, if we write two passages of English plaintext on consecutive lines, the probability that they will both have the letter a in a given position is about $(0.082)^2$, while the probability of them both having b is $(0.015)^2$. Thus, to work out the probability of them having identical letters in a given position, we must evaluate $\sum_x (p_x)^2$, which we usually denote by $\kappa_p$. Taking the values from Table 1 we get $\kappa_p \approx 0.065$, which is nearly double the value of 0.038 obtained from two arbitrary sequences of letters.

Table 4: Vigenère square

Plaintext:  abcdefghijklmnopqrstuvwxyz

        a   ABCDEFGHIJKLMNOPQRSTUVWXYZ
        b   BCDEFGHIJKLMNOPQRSTUVWXYZA
        c   CDEFGHIJKLMNOPQRSTUVWXYZAB
        d   DEFGHIJKLMNOPQRSTUVWXYZABC
        e   EFGHIJKLMNOPQRSTUVWXYZABCD
        f   FGHIJKLMNOPQRSTUVWXYZABCDE
        g   GHIJKLMNOPQRSTUVWXYZABCDEF
        h   HIJKLMNOPQRSTUVWXYZABCDEFG
        i   IJKLMNOPQRSTUVWXYZABCDEFGH
        j   JKLMNOPQRSTUVWXYZABCDEFGHI
        k   KLMNOPQRSTUVWXYZABCDEFGHIJ
        l   LMNOPQRSTUVWXYZABCDEFGHIJK
        m   MNOPQRSTUVWXYZABCDEFGHIJKL
        n   NOPQRSTUVWXYZABCDEFGHIJKLM
        o   OPQRSTUVWXYZABCDEFGHIJKLMN
        p   PQRSTUVWXYZABCDEFGHIJKLMNO
        q   QRSTUVWXYZABCDEFGHIJKLMNOP
        r   RSTUVWXYZABCDEFGHIJKLMNOPQ
        s   STUVWXYZABCDEFGHIJKLMNOPQR
        t   TUVWXYZABCDEFGHIJKLMNOPQRS
        u   UVWXYZABCDEFGHIJKLMNOPQRST
        v   VWXYZABCDEFGHIJKLMNOPQRSTU
        w   WXYZABCDEFGHIJKLMNOPQRSTUV
        x   XYZABCDEFGHIJKLMNOPQRSTUVW
        y   YZABCDEFGHIJKLMNOPQRSTUVWX
        z   ZABCDEFGHIJKLMNOPQRSTUVWXY

Note that each letter in the extra column determines a row of the square, while each row represents a simple substitution. Thus each letter determines a substitution alphabet, e.g. e gives the following:

Plaintext:             a b c d e f g h i j k l m n o p q r s t u v w x y z
Ciphertext equivalent: E F G H I J K L M N O P Q R S T U V W X Y Z A B C D

If we now replace the two passages of English plaintext by cryptograms obtained from the same substitution alphabet, then the probability of finding any given letter in any given position of either one of them will depend on the letter. However, since the same substitution alphabet was used, each letter will have identical probabilities in the two cryptograms. For instance, if X is the ciphertext equivalent of a, then $p_X$ will be $p_a$ (i.e. about 0.082) in each cryptogram. This then means that the probability of both cryptograms having an X in a given position is about $(0.082)^2$. Repeating this observation for each letter we see that the probability of the two cryptograms having identical letters in a given position is merely $\kappa_p$, i.e. about 0.065. In other words, provided the same substitution alphabet is used, the probability of two cryptograms having identical letters in a given position is the same as that for English plaintext and, consequently, significantly larger than the corresponding probability for arbitrary sequences.

This observation has several important consequences. One is that it means we have a way of getting some indication as to whether two distinct cryptograms used the same sequence of substitution alphabets. To obtain it we simply count the number of coincidences in the various positions of the two cryptograms. Provided the cryptograms are sufficiently long we would expect between six and seven coincidences per hundred letters if they used identical alphabets, but only about four if they did not.

We will now assume the role of cryptanalyst, and show how this simple observation enables us to deduce the length of the keyword if we know that a Vigenère cipher was used. Having written down our cryptogram once, we write it a second time immediately under the first, except that on the second occasion we displace it by moving each letter one position to the right, i.e. we write the first letter underneath the second, the second beneath the third etc. Having written them we count the number of coincidences between the two cryptograms. We then repeat this operation by displacing the cryptogram by two positions, and so on. In this way we obtain a set of statistics showing the relation between the size of displacement and the number of coincidences. When we have a displacement of 1 then, for any given position, the additive cipher used in the first line is different from that used in the second. So if we consider the positions where the cryptograms overlap, we have two sequences of letters with no reason to expect a particularly high number of coincidences between them. The same is true for all displacements of size less than p. However, if we have a displacement of p then, since p is the period, in each position where the messages overlap the letters in both sequences are the result of using the same additive cipher. Consequently we expect significantly more coincidences. The same will be true for all displacements which are multiples of p. (A little care is needed. What we would actually expect is for there to be a higher proportion of coincidences in the overlap of the two cryptograms. If we displace the second cryptogram too far, the size of the overlap will get too small and the actual number of coincidences will decrease.) Thus, to guess the length of the keyword, we look at the Table relating displacements and coincidences. If, as expected, we see significantly higher numbers for the coincidences at regular intervals in the displacement values, then we take the gap between these displacement values as indicating the period.

Table 5 gives an example of this relationship between displacement and coincidence for the following ciphertext of 223 characters (written here in groups of ten for readability):

OOBQBPQAIU NEUSRTEKAS RUMNARRMNR ROPYODEEAD ERUNRQLJUG CZCCUNRTEU ARJPTMPAWU TNDOBGCCEM SOHKARCMNB YUATMMDERD UQFWMDTFKI LROPYARUOL FHYZSNUEQM NBFHGEILFE JXIEQNAQEV QRREGPQARU NDXUCZCCGP MZTFQPMXIA UEQAREAVCD NKQNREYCFI RTAQZETQRF MDYOHPANGO LCD

In the Table the columns headed A list the displacements, those headed B give the number of coincidences and the C columns give the percentage of coincidences in the overlap. (We stopped at a displacement of 123 as we did not want the overlap to be less than 100 letters.) On the whole the higher rates of coincidence occur when the displacement is a multiple of 3, which indicates a keyword of length 3. (In fact this ciphertext was obtained by using 'may' as a keyword.)

Table 5: Displacements and coincidences

  A    B      C  |   A    B      C  |   A    B      C
  1    9   4.05  |  42   26  14.36  |  83    5   3.57
  2    3   1.36  |  43    6   3.33  |  84    7   5.04
  3   14   6.36  |  44    2   1.12  |  85    5   3.62
  4   10   4.57  |  45    7   3.93  |  86    4   2.92
  5   13   5.96  |  46   10   5.65  |  87    9   6.62
  6   19   8.76  |  47    9   5.11  |  88    3   2.22
  7    5   2.31  |  48    8   4.57  |  89    9   6.72
  8    9   4.19  |  49    7   4.02  |  90   12   9.02
  9   11   5.14  |  50    9   5.20  |  91   14  10.61
 10    8   3.76  |  51    3   1.74  |  92    3   2.29
 11    9   4.25  |  52    5   2.92  |  93    4   3.08
 12   10   4.74  |  53    4   2.35  |  94    2   1.55
 13    7   3.33  |  54    9   5.33  |  95    7   5.47
 14   10   4.78  |  55    7   4.17  |  96    5   3.94
 15   13   6.25  |  56    9   5.39  |  97    7   5.56
 16    8   3.86  |  57   16   9.64  |  98    4   3.20
 17    8   3.88  |  58    4   2.42  |  99    4   3.23
 18   10   4.88  |  59    6   3.66  | 100    2   1.63
 19    4   1.96  |  60   15   9.20  | 101    5   4.10
 20    9   4.43  |  61    7   4.32  | 102   16  13.22
 21   11   5.45  |  62    5   3.11  | 103    4   3.33
 22    8   3.98  |  63    6   3.75  | 104    1   0.84
 23    4   2.00  |  64    7   4.40  | 105    9   7.63
 24   13   6.53  |  65    7   4.43  | 106    6   5.13
 25   10   5.05  |  66    9   5.73  | 107    7   6.03
 26   10   5.08  |  67    6   3.85  | 108   10   8.70
 27   13   6.63  |  68    7   4.52  | 109    3   2.63
 28    4   2.05  |  69    4   2.60  | 110    4   3.54
 29    8   4.12  |  70    8   5.23  | 111   12  10.71
 30   12   6.22  |  71    4   2.63  | 112    7   6.31
 31   12   6.25  |  72   11   7.28  | 113    3   2.73
 32    7   3.66  |  73    7   4.67  | 114    6   5.50
 33   19  10.00  |  74    3   2.01  | 115    7   6.48
 34    7   3.70  |  75    6   4.05  | 116    5   4.67
 35    8   4.26  |  76    1   0.68  | 117   11  10.38
 36   14   7.49  |  77    6   4.11  | 118    2   1.90
 37    9   4.84  |  78   10   6.90  | 119    6   5.77
 38    7   3.78  |  79    6   4.17  | 120    3   2.91
 39    8   4.35  |  80    3   2.10  | 121    4   3.92
 40    4   2.19  |  81   13   9.15  | 122    8   7.92
 41    7   3.85  |  82    7   4.96  | 123    8   8.00
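The statistical test just described, followed by the 'statistical attack' on each monoalphabetic component mentioned earlier, carried out on the cryptogram of Table 5. This is an added example and not code from the original paper; the function names, the 0.055 threshold for deciding when the components look monoalphabetic, and the frequency-fit scoring of the shifts are this example's choices. It computes $\kappa_p$ from Table 1, reproduces the B and C columns of Table 5 for any displacement, takes the period as the smallest p for which the p components have a mean index of coincidence nearer the English value (0.065) than the random one (0.038), recovers each component's shift by fitting its letter counts to Table 1, and deciphers. The 201st letter of the cryptogram is R here: the extracted text shows F there, which under the keyword 'may' does not decipher to English, whereas the three coincidences at displacement 2 in Table 5 agree with R.

```python
"""Cryptanalysis of the 223-letter Vigenere cryptogram of Table 5 (added example,
not from the paper): the coincidence test for the period, then the statistical
attack on each monoalphabetic component."""
from collections import Counter
from typing import Optional

ALPHABET = "abcdefghijklmnopqrstuvwxyz"

# Table 1: relative frequencies (per cent) of single letters in English.
TABLE_1 = {
    "a": 8.167, "b": 1.492, "c": 2.782, "d": 4.253, "e": 12.702, "f": 2.228,
    "g": 2.015, "h": 6.094, "i": 6.966, "j": 0.153, "k": 0.772, "l": 4.025,
    "m": 2.406, "n": 6.749, "o": 7.507, "p": 1.929, "q": 0.095, "r": 5.987,
    "s": 6.327, "t": 9.056, "u": 2.758, "v": 0.978, "w": 2.360, "x": 0.150,
    "y": 1.974, "z": 0.074,
}

# The cryptogram of Table 5 (keyword 'may'). Its 201st letter is R: the
# extracted text shows F there, which does not decipher to English.
CIPHERTEXT = (
    "OOBQBPQAIUNEUSRTEKASRUMNARRMNRROPYODEEADERUNRQLJUGCZCCUNRTEUARJPTMPAWU"
    "TNDOBGCCEMSOHKARCMNBYUATMMDERDUQFWMDTFKILROPYARUOLFHYZSNUEQMNBFHGEILFE"
    "JXIEQNAQEVQRREGPQARUNDXUCZCCGPMZTFQPMXIAUEQAREAVCDNKQNREYCFIRTAQZETQRF"
    "MDYOHPANGOLCD"
)


def kappa(freqs: dict) -> float:
    """kappa_p = sum of p_x^2: the chance that two letters drawn from this
    distribution coincide (about 0.065 for English, 1/26 = 0.038 for random)."""
    return sum((f / 100.0) ** 2 for f in freqs.values())


def coincidences(text: str, d: int) -> int:
    """Column B of Table 5: coincidences between the text and itself displaced by d."""
    return sum(1 for a, b in zip(text, text[d:]) if a == b)


def coincidence_rate(text: str, d: int) -> float:
    """Column C of Table 5: coincidences as a percentage of the overlap."""
    return 100.0 * coincidences(text, d) / (len(text) - d)


def index_of_coincidence(text: str) -> float:
    """Fraction of the letter pairs in text that coincide; it estimates kappa_p
    for the substitution alphabet the text was enciphered with."""
    n = len(text)
    if n < 2:
        return 0.0
    return sum(c * (c - 1) for c in Counter(text).values()) / (n * (n - 1))


def guess_period(text: str, max_period: int = 20, threshold: float = 0.055) -> Optional[int]:
    """Smallest p whose p 'monoalphabetic components' (every pth letter) have a mean
    index of coincidence above the midpoint of 0.038 and 0.065 (threshold is this
    example's choice). Taking the smallest such p stops 2p, 3p, ... being reported."""
    for p in range(1, max_period + 1):
        components = [text[i::p] for i in range(p)]
        if sum(index_of_coincidence(c) for c in components) / p >= threshold:
            return p
    return None


def best_shift(component: str) -> int:
    """The additive key of one component: the shift under which its letter counts
    line up best with the Table 1 frequencies (the 'statistical attack')."""
    counts = Counter(component.lower())

    def fit(shift: int) -> float:
        return sum(n * TABLE_1[ALPHABET[(ALPHABET.index(c) - shift) % 26]]
                   for c, n in counts.items())

    return max(range(26), key=fit)


def recover_key(text: str, period: int) -> str:
    """One shift per component gives the keyword."""
    return "".join(ALPHABET[best_shift(text[i::period])] for i in range(period))


def decipher(text: str, keyword: str) -> str:
    """Subtract the repeated keyword, letter by letter."""
    return "".join(ALPHABET[(ALPHABET.index(c.lower()) - ALPHABET.index(keyword[i % len(keyword)])) % 26]
                   for i, c in enumerate(text))


if __name__ == "__main__":
    print(f"kappa_p for English = {kappa(TABLE_1):.4f}")
    for d in range(1, 13):  # the first rows of Table 5
        print(f"{d:3d} {coincidences(CIPHERTEXT, d):3d} {coincidence_rate(CIPHERTEXT, d):6.2f}")
    p = guess_period(CIPHERTEXT)
    key = recover_key(CIPHERTEXT, p)
    print(p, key, decipher(CIPHERTEXT, key)[:30])
```

Run stand-alone the block prints the first twelve rows of Table 5, then 3, may and the start of the plaintext. The smallest-p rule matters: the coincidence rates at displacements 6, 12, 18, ... are as high as those at 3, 9, 15, ..., so a rule that simply maximised the mean rate over multiples of p could return 6 (or 33, the single highest row) instead of the period.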

It should be clear that, unless the period is large in com-parison with the message, Vigenfre ciphers (and in fact allpolyalphabetic cipher systems which have periods) have thesame inherent weaknesses as monoalphabetic systems. All thatthey really achieve for long messages is that they increase thecover time slightly. The obvious inference from this is to say'Alright; if that is the case then why not make p large in com-parison with the messages'. Unfortunately this is not as easy asit sounds. It must not be forgotten that the key has to be sentfrom the transmitter to the receiver. So if the key (or equi-valently p is too large then nothing has been achieved. The

IEEPROC, Vol. 129, Pt. A, No. 6, AUGUST 1982 361

problem has merely been transferred from disguising the mes-sage to disguising the key. This problem has been a central onein the history of cryptography, and we will return to it later.

Before we move on we must mention two important variations of the Vigenère cipher.

In the first, a keyword was chosen but the key only determined the shift until all its letters had been used once. From then on the plaintext itself was used to determine the shifts. As illustration we will again use 'radio' as the key to cipher 'codebreaking'.

Keyword:    r a d i o c o d e b r e
Plaintext:  c o d e b r e a k i n g
Ciphertext: T O G M P T S D O J E K

A second variation was to change the square. A common method of doing this was to alter the order in which the plaintext letters are written in the top row of Table 4.
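As an added example (not code from the paper), the following Python reproduces the two things just described: the displacement/coincidence test of Table 5 run over the paper's 223-character cryptogram, and the autokey variation with 'radio' as key for 'codebreaking'. The periodic Vigenère uses the standard square of Table 4 (shift by the key letter, mod 26); the function names are this example's own.

```python
# Added example (not from the paper): periodic and autokey Vigenere
# enciphering, plus the displacement/coincidence test of Table 5.
# The cryptogram below is the 223-character one printed in the paper
# (keyword 'may'); the autokey example ('radio' / 'codebreaking') is
# also the paper's.

A = ord('A')


def vigenere(text, keyword, decipher=False):
    """Periodic Vigenere: c_i = m_i + k_(i mod p) (mod 26), p = len(keyword)."""
    text = text.upper()
    key = [ord(ch) - A for ch in keyword.upper()]
    out = []
    for i, ch in enumerate(text):
        shift = key[i % len(key)]
        if decipher:
            shift = -shift
        out.append(chr((ord(ch) - A + shift) % 26 + A))
    return ''.join(out)


def autokey_encipher(text, keyword):
    """First variation in the text: the keyword supplies the first shifts,
    then the plaintext itself supplies the remaining ones."""
    text = text.upper()
    running_key = (keyword.upper() + text)[:len(text)]
    return vigenere(text, running_key)


def autokey_decipher(cipher, keyword):
    """Each recovered plaintext letter extends the running key."""
    cipher = cipher.upper()
    key = [ord(ch) - A for ch in keyword.upper()]
    plain = []
    for i, ch in enumerate(cipher):
        p = (ord(ch) - A - key[i]) % 26
        plain.append(chr(p + A))
        key.append(p)          # the plaintext becomes the later key
    return ''.join(plain)


def coincidences(cipher, displacement):
    """Compare the cryptogram with itself shifted by `displacement`;
    return (number of coincidences, overlap length, rate) as in Table 5."""
    overlap = len(cipher) - displacement
    count = sum(1 for i in range(overlap) if cipher[i] == cipher[i + displacement])
    return count, overlap, count / overlap


def coincidence_table(cipher, max_displacement):
    """Columns A (displacement), B (coincidences) and C (rate) of Table 5."""
    return {d: coincidences(cipher, d) for d in range(1, max_displacement + 1)}


def period_evidence(cipher, candidate, max_displacement):
    """Mean coincidence rate at displacements that are multiples of
    `candidate` versus at all other displacements.  A clear gap between
    the two is the evidence for that period described in the text."""
    table = coincidence_table(cipher, max_displacement)
    on = [rate for d, (_, _, rate) in table.items() if d % candidate == 0]
    off = [rate for d, (_, _, rate) in table.items() if d % candidate != 0]
    return sum(on) / len(on), sum(off) / len(off)


# The paper's cryptogram (223 letters, keyword 'may').
CRYPTOGRAM = (
    "OOBQBPQAIUNEUSRTEKASRUMNARRMNRROPYODEEADERUNRQLJUGCZCCUNRTEUARJPTMPAWU"
    "TNDOBGCCEMSOHKARCMNBYUATMMDERDUQFWMDTFKILROPYARUOLFHYZSNUEQMNBFHGEILFE"
    "JXIEQNAQEVQRREGPQARUNDXUCZCCGPMZTFQPMXIAUEQAREAVCDNKQNREYCFIFTAQZETQRF"
    "MDYOHPANGOLCD"
)

if __name__ == '__main__':
    on, off = period_evidence(CRYPTOGRAM, 3, 124)
    print(f"multiples of 3: {on:.3f}   others: {off:.3f}")
    print(vigenere(CRYPTOGRAM, 'may', decipher=True)[:30])
    print(autokey_encipher('codebreaking', 'radio'))
```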

There are also many other variations, none of which have survived. Eventually, in each case, someone would spot a flaw and then be able to use statistics as a tool for cryptanalysis.

After these early 'pencil and paper' cipher systems, the next step in the history of cryptography was the use of mechanical, or electromechanical, machines with so many keys that a cryptanalyst was very unlikely to find the correct one by trial and error.

The study of these machines is a discipline in itself. The algorithms that they implemented were often ingenious and relatively secure, at least until the advent of electronics increased the speed of trials and computations so dramatically.

To do justice to any one of these machines would require more space than we have available here. However, a few detailed descriptions and analyses of such machines do exist. For instance, the M209 Converter (a mechanical device used by the US Army until the early 1950s) is described and analysed in detail in Reference 11. For further discussions of the M209 we recommend References 3, 54 or 76. A similar detailed analysis of the Enigma (one of Germany's cipher machines during the Second World War) can be found in Reference 59.

3 Shannon's approach

So far we have not given a formal definition of a cipher system. Fig. 3 illustrates the type of system we have been discussing. (Of course, the interceptor is not part of the system. He is included in the diagram merely to show where the interception is most likely to occur.)

But now, to discuss some of Shannon's fundamental contributions to cryptography we must become a little more formal. Shannon's approach was to regard the key as determining a transformation from the set of all possible messages to the set of all possible cryptograms (called the message and cryptogram spaces, respectively). Thus, a cipher system is a finite set T of transformations from a (usually finite) set of messages M onto a set of cryptograms C. For each t_i in T there is an associated probability p_i which represents the likelihood of t_i being used. Similarly, each message has an associated probability which reflects the likelihood of it being transmitted. The fundamental requirement that knowledge of the cryptogram, key and algorithm must enable the recipient to determine the plaintext uniquely forces each t in T to have an inverse such that if c = t(m) then m = t^{-1}(c). With this terminology the only difference between the recipient's and interceptor's knowledge is that the recipient knows which t was used, while the interceptor knows only the a priori probabilities of the various t's.

Fig. 2 The M209 [Science Museum: Crown copyright]

Fig. 3 Cipher system [diagram: message m enters the enciphering algorithm, the cryptogram passes over the channel (where the interceptor listens) to the deciphering algorithm, which recovers message m]

Any cipher system with a finite number of messages and cryptograms may be represented pictorially in the following way. On the left we write a column of dots, each dot representing a possible message. A second column of dots, representing all possible cryptograms, is written on the right. If a given transformation t transforms message m to cryptogram c then a line labelled t is drawn from the dot of m to the dot of c. For example suppose M = {m1, m2, m3}, C = {c1, c2, c3, c4}, T = {t1, t2, t3} where t1(m1) = c1, t1(m2) = c2 and t1(m3) = c3; t2(m1) = c1, t2(m2) = c4 and t2(m3) = c2; t3(m1) = c4, t3(m2) = c3 and t3(m3) = c1. The diagram is shown in Fig. 4.

This formal definition of a cipher system enabled people to consider how to design a system to make it secure against various methods of attack. [Remember that the system includes not only the keys (or, equivalently, the transformations), but also the message and cryptogram spaces.] Obviously it is necessary to have enough keys that a cryptanalyst cannot try them all. However, it is certainly not sufficient merely to have a large number of keys. For example, if a monoalphabetic cipher system is used there are 26! possible keys. As soon as the cryptanalyst knows the plaintext equivalent of any single ciphertext letter he has reduced the number of possibilities to 25!. Thus this piece of information eliminates over 3.88 x 10^26 keys. In this case, as we observed earlier, it is the statistics of the English language which are likely to lead the cryptanalyst to this type of deduction and, as a result, to break the system. So, for monoalphabetic ciphers of the English language, a major 'fault' in the system lies in the choice of message space. (This is in addition to any 'faults' in the key space.) We will now mention briefly a few of the ideas which Shannon proposed when trying to define a 'good' system. We will assume that we are cryptographers trying to design a secure system.


Clearly, if we are going to investigate the effect of trying all possible transformations, we must look at what happens when we try to decipher using the wrong one. For any given cryptogram and transformation there are only three possibilities:

(a) correct decipherment
(b) incorrect decipherment
(c) no decipherment possible.

If (c) occurs then that particular transformation can be discounted. Obviously we do not want too many possibilities to be eliminated easily, and so, from this particular point of view, we may find it desirable to have a system in which every cryptogram is the image of some message under every transformation.

If (a) or (b) occurs then, ideally, we want the cryptanalyst to be unable to distinguish between them. But if we use the English language, then, for messages of any reasonable length, incorrect decipherment is likely to lead to a meaningless message, and consequently the cryptanalyst is almost certain to be able to distinguish between (a) and (b). It is, of course, this fact which is so helpful to the cryptanalyst who attacks polyalphabetic ciphers. Once again we have an instance where a 'fault' lies in the message space. (It was this type of observation which led Shannon to define another fundamentally important concept, namely that of redundancy in a language.)

Fig. 4 Graph of example

Shannon called a cipher system pure if, whenever we encipher with one transformation, decipher with a second and then encipher again with a third, we can find a single transformation in the system which has the same effect. This probably seems a somewhat obscure and/or artificial property. However it is worth noting that polyalphabetic ciphers are pure. It is also a property which enables us to introduce some very interesting and useful concepts. Possibly the most important of these is the notion of a message residue class. For any message m the message residue class of m, which we denote by M(m), consists of all those messages which might be obtained by enciphering m and then deciphering the resulting cryptogram using any other transformation of the system. Thus M(m) is the set of all messages which a cryptanalyst might 'confuse' with m when he tries deciphering using all possible keys. If the system is pure then two interesting things happen. The first is that the message residue class of any message in M(m) is precisely M(m) again. The second is that the sets of all cryptograms obtainable from any of the messages in the same message residue class are identical. Thus, in a pure system with equiprobable messages, a cryptanalyst will be unable to distinguish between the messages of any given message residue class. In such a system, if we arrange for each class to be large then we will have protected ourselves against the 'try all possible keys' attack. In this case the cryptogram space is also divided into similar classes, called cryptogram residue classes, which have similar properties.

Now that we know what is meant by a cipher system (or secrecy system), we can begin to consider the question of how much security a system offers. Before we do this we observe that it is possible for two different systems to be cryptanalytically equivalent, in the sense that if one of the systems can be broken then so can the other. We will call two cipher systems R and S similar if there is a uniquely reversible transformation f such that R = f(S). (Thus f is a transformation from the message space of S to the message space of R, the cryptogram space of S to the cryptogram space of R and the transformations of S to the transformations of R. If m is in the message space of S then m and f(m) must have equal probabilities and, for any transformation s in S, the probability of s is the probability of f(s).) Clearly if S can be broken then R can be broken by first breaking S and then applying the transformation f. Note that f^{-1}(R) = S, and so one could also break S by breaking R first and then applying f^{-1}. One simple way to obtain two similar, but unequal, systems is to take a monoalphabetic cipher and then change it by using 26 new symbols for the cryptogram alphabet. The cryptograms in each case would look different but the systems are clearly similar.

If we are going to discuss how much security a system offers then we need some way to measure security. It is not at all obvious what this 'measure' should be. One desirable property is that the interceptor should not be able to decipher a cryptogram by trying all key possibilities. However, we have already seen examples to show that this does not necessarily provide much security. One factor which is obviously relevant for measuring the security of a system is the length of cryptogram which must be intercepted so that, by trying all possibilities, the message is uniquely obtainable. Clearly, for any cryptogram, the more meaningful messages which can be obtained by deciphering using every key, the harder it is for the cryptanalyst to decide which message was actually sent. Ideally we would like each cryptogram to give every message when deciphered using every key because, in this case, deciphering using every key would give the cryptanalyst no information whatsoever. This leads us to introduce the concept of perfect secrecy.

Suppose that we have a cipher system T with a finite message space M = {m1, m2, ..., mn}, a finite cryptogram space C = {c1, c2, ..., cu} and transformations t1, t2, ..., th. Suppose also that, for any mi, the a priori probability of mi being transmitted is p(mi). If the cryptanalyst intercepts a particular cryptogram cj then for each message mi he can calculate, at least in principle, the a posteriori probability p_j(mi) that mi was transmitted. (Thus p_j(mi) is the probability that mi was transmitted given that cj was received.) The system T is said to have perfect secrecy if, for every message mi and every cryptogram cj, p_j(mi) = p(mi). Thus, if T has perfect secrecy, the cryptanalyst who intercepts cj has obtained no further information to enable him to decide which message was transmitted. Clearly perfect secrecy is highly desirable. But it is not at all obvious that it can be achieved or, if it can, how we will know we have got it. It is fairly straightforward to show that for perfect secrecy we need the number of keys to be at least as great as the number of possible messages. In fact Shannon showed that if a cipher system has the same number of messages, cryptograms and keys then it has perfect secrecy if, and only if,

(a) there is exactly one key transforming each message to each cryptogram

(b) all keys are equally likely.


An example of a system with perfect secrecy is given in Fig. 5. Perfect secrecy is obviously a very desirable objective. It means that, unless he has some extra information, the cryptanalyst obtains no information whatsoever from his intercepted cryptogram, i.e. that the system is unbreakable. It should, however, be apparent that to ensure perfect secrecy in any practical cipher system (where one would presumably want to be able to transmit a reasonable amount of information which, of necessity, means a large message space) the amount of key which must be distributed might cause enormous management problems. Nevertheless there are situations where complete secrecy is of paramount importance and then, despite the obvious problems, such systems are used. If the message space is small then they can even be practical. For instance if only two messages, 'yes' and 'no' say, are necessary then only two keys are needed to offer perfect secrecy (Fig. 6).

Fig. 5 Example of perfect secrecy

There is one particular system which offers perfect secrecy and which deserves special mention: the one-time pad. In this system there is an upper bound, n say, on the length of all possible messages, and the number of keys, which are all equally likely, is at least as large as n. If the message m = m1 m2 ... mn is to be enciphered then a random sequence k1 k2 ... kn is selected, with each ki having the same number of possibilities as each mi. (By this we mean that each ki is chosen at random and is independent of every other kj.) The enciphering is then fully described by the diagram of Fig. 7.

A commonly used mixer is a modulo 26 adder. In this case, if each mi is an alphabetic character represented by one of the integers 0-25 and each ki is also a number between 0 and 25, then the resulting cryptogram is c = c1 c2 c3 ... where each ci is given by ci = mi + ki (mod 26).

The name 'one-time pad' is derived from the fact that the encipherer utilises written pads of random characters to obtain the sequence k1 k2 ... kn. Each page of the pad is used once and then destroyed. It should be clear that the one-time pad is unbreakable and, as we shall see, this result greatly influenced cryptographers in their attempts to construct secure systems. Although our description is brief we cannot over-emphasise the importance of this particular system.
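As an added example (not code from the paper), the Python below computes the a posteriori probabilities p_j(mi) defined above for any small cipher system given as a table, and checks Shannon's perfect-secrecy condition p_j(mi) = p(mi) together with his condition (a). It is applied to the three-key system of Fig. 4 and to a one-letter one-time pad with the modulo 26 adder; the skewed message distribution used for the pad is constructed here, not taken from the paper.

```python
# Added example (not from the paper): a posteriori probabilities p_j(m_i)
# and Shannon's perfect-secrecy test for a cipher system given as a table.
from fractions import Fraction


def a_posteriori(messages, keys, table):
    """messages: {m: p(m)}; keys: {t: p(t)}; table[t][m] = cryptogram t(m).
    Returns {(c, m): P(m | c)} for every cryptogram c that can occur.
    Fractions keep the arithmetic exact so equality tests are meaningful."""
    joint = {}                       # (c, m) -> P(m transmitted and c received)
    for t, pt in keys.items():
        for m, pm in messages.items():
            c = table[t][m]
            joint[(c, m)] = joint.get((c, m), 0) + pt * pm
    p_c = {}                         # c -> P(c received)
    for (c, m), p in joint.items():
        p_c[c] = p_c.get(c, 0) + p
    return {(c, m): joint.get((c, m), Fraction(0)) / p_c[c]
            for c in p_c for m in messages}


def has_perfect_secrecy(messages, keys, table):
    """Perfect secrecy: p_j(m_i) = p(m_i) for every message and cryptogram."""
    post = a_posteriori(messages, keys, table)
    return all(post[(c, m)] == messages[m] for (c, m) in post)


def one_key_per_pair(messages, cryptograms, keys, table):
    """Shannon's condition (a): exactly one key sends each message to
    each cryptogram."""
    for m in messages:
        for c in cryptograms:
            if sum(1 for t in keys if table[t][m] == c) != 1:
                return False
    return True


# The system of Fig. 4 (the paper's example) with equiprobable keys and
# messages.  c1 can only come from m1 or m3, so intercepting c1 tells the
# cryptanalyst that m2 was not sent: the system is not perfectly secret.
FIG4_MESSAGES = {'m1': Fraction(1, 3), 'm2': Fraction(1, 3), 'm3': Fraction(1, 3)}
FIG4_KEYS = {'t1': Fraction(1, 3), 't2': Fraction(1, 3), 't3': Fraction(1, 3)}
FIG4_TABLE = {
    't1': {'m1': 'c1', 'm2': 'c2', 'm3': 'c3'},
    't2': {'m1': 'c1', 'm2': 'c4', 'm3': 'c2'},
    't3': {'m1': 'c4', 'm2': 'c3', 'm3': 'c1'},
}


def one_time_pad_system():
    """One-letter one-time pad: 26 equiprobable keys, c = m + k (mod 26).
    The message distribution is constructed and deliberately non-uniform,
    to show that perfect secrecy does not depend on the message statistics."""
    letters = list(range(26))
    weights = [Fraction(27 - m) for m in letters]        # constructed weights
    total = sum(weights)
    messages = {m: w / total for m, w in zip(letters, weights)}
    keys = {k: Fraction(1, 26) for k in letters}
    table = {k: {m: (m + k) % 26 for m in letters} for k in letters}
    return messages, keys, table


if __name__ == '__main__':
    print('Fig. 4 system perfect:', has_perfect_secrecy(FIG4_MESSAGES, FIG4_KEYS, FIG4_TABLE))
    msgs, keys, table = one_time_pad_system()
    print('one-time pad perfect:', has_perfect_secrecy(msgs, keys, table))
```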


If a system is attacked by trying each key possibility on ciphertext as it is intercepted then there is a standard pattern to the method of obtaining the solution. It is realistic to assume that before any material is intercepted the cryptanalyst has a knowledge of the message space plus all the keys (and, if they are not all equally likely, the associated probabilities). As material is intercepted the cryptanalyst calculates probabilities, based on his cryptogram, of the various messages and keys. As n, the number of letters in the intercepted cryptogram, increases then the probabilities of certain messages increase while the probabilities of most of them decrease to almost 0. Eventually a situation is reached where one message has probability almost 1, while the others have probability virtually 0. (For any given system the amount of cryptogram needed before a unique solution can be obtained is called the unicity distance of the system.) For the reader who would like further information on Shannon's ideas, we suggest References 11, 23, 47, 56, 59, 96 and 97.

Fig. 6 Perfect secrecy with two messages

Fig. 7 One-time pad [diagram: message m1 ... mn and random sequence k1 ... kn are combined in a mixer to give the cryptogram]

4 Practical security

So far we have only discussed security under the assumption that the cryptanalyst has unlimited time, facilities and funds. When a system is secure under these assumptions we say that it is theoretically secure. In reality, of course, the cryptanalyst is likely to be faced with a totally different situation. He will have to worry about all three of the above resources and, in a number of situations, the time taken to solve a cryptogram will be of the utmost importance to him. We have already mentioned the concept of cover time. In many tactical environments the minimum cover time needed by the encipherer is very short and, as a consequence, time-consuming cryptanalytical techniques may be of little practical value to an interceptor. Thus it may certainly be possible for a theoretically insecure system to provide adequate practical security. On the other hand it is also possible for a theoretically secure system to be highly vulnerable when used in a practical situation. To give an example we have only to consider trying to actually use a one-time pad which, as we have seen, is theoretically unbreakable. It is important to realise that the all-embracing phrase 'theoretically unbreakable' ignores many very important practical facts. For instance in the discussion of the one-time pad we assumed that the transmission of the key material was not part of the cipher system. This may have been reasonable but it must not be forgotten that, for this particular system, the security lies in the fact that there is at least as much key material as message. Our discussion completely ignored the practical problem of transmitting the immense volume of key material to the receiver and, of course, the system is only practically secure if the encipherer can find a safe way of letting the recipient know the key he has employed. There is no doubt that for the one-time pad the actual 'key management' is highly vulnerable, and therefore the system is not necessarily practically secure.

To assess the practical security of a system we must have some idea of the resources which are likely to be available to a would-be cryptanalyst. In particular we need to have some idea of the likely computing power at his disposal. Of course this will depend on the circumstances of the particular cryptanalyst, but it is always safest for the cryptographer to assume that every cryptanalyst has the best equipment at his disposal. Suppose, for example, that we have a system which we know to be breakable but would require at least 10^50 storage elements or operations. In Reference 19 it is shown most conclusively that if a cryptanalyst needs storage for 10^50 elements to break our system then we can safely regard it as unbreakable. A similar conclusion holds if 10^50 operations are needed. In fact, given current technology, the need for far fewer than 10^50 storage elements or operations will make a system unbreakable. Even with as 'few' as 10^18 necessary operations and an extremely fast machine capable of executing an operation in 10^-9 s, the system would have a cover time of over 30 years. (It is worth noting here that there are only 31 536 000 s in a year!) If we are trying to assess the practical security of a system we must determine the number of operations or storage elements needed to break it, and then decide if it provides enough cover time for our purposes. Having said that we must immediately point out that the number of operations needed is obviously dependent on the efficiency of the method of attack. Thus the cryptanalyst is always seeking ways of reducing the number of operations, and tries to find methods which do not entail trying every key but which eliminate many possibilities at a time. For instance, returning to monoalphabetic ciphers, even for fairly short cryptograms he could try to deduce which letter represents e. By using just the simple frequency analysis, i.e. seeing which letters occur most often in the cryptogram, he may not be absolutely certain of the letter but should be able to limit the number of possibilities to two or three. Merely doing this eliminates many of the 26! possible keys in one operation. This, of course, is the principle of practical cryptanalysis: to attempt to remove large numbers of possibilities for the key with each single operation or statistical test which takes place. On the other hand, our objective as the cryptographer is to ensure that the amount of work which the cryptanalyst needs to perform does not get too small even if the length of cryptogram exceeds the unicity distance.

4.1 Shannon's five criteria

We are in a position to discuss the merits of five criteria which Shannon suggested should be applied [97]. It must not be forgotten that his suggestions were made in the 1940s, and that technology has advanced considerably since then. His suggested important criteria were:

(i) the amount of secrecy offered
(ii) the size of the key
(iii) the simplicity of the enciphering and deciphering operations
(iv) the propagation of errors
(v) extension of the message.

Apart from (i), whose importance is obvious, we will discuss very briefly Shannon's reasons for listing these particular criteria. The reasoning and assertions in this paragraph are a summary of Shannon's statements. The key must be kept secret and, on occasion, may need to be memorised. Consequently it should be as small or simple as possible. For (iii) we quote Shannon: 'Enciphering and deciphering should, of course, be as simple as possible. If they are done manually complexity leads to loss of time, errors etc. If done mechanically, complexity leads to large, expensive machines'. With some cipher systems one error occurring on a transmission can mean that when the cryptogram is deciphered whole portions, or even the complete message, are garbled. For most communication systems this error propagation should clearly be minimised. Finally, in some cipher systems the size of the message is increased by the enciphering process. For instance the use of 'nulls' (i.e. adding extra meaningless characters to swamp the message statistics) causes a larger cryptogram than message. Such a message extension is undesirable for most communication systems.

Now that we have discussed cipher systems in some detail there appears to be a certain incompatibility between the requirements for each of these five criteria when our message space consists of a natural language. It is probably not possible to satisfy all five, but if one is dropped it may be possible to satisfy the other four. If, for example, we drop the first requirement, and are not concerned with secrecy, then any monoalphabetic cipher will satisfy the other four. In fact we do not need a cipher system at all. If the size of the key is not limited then we can use the one-time pad which, if we ignore the key management problems, we know offers perfect secrecy.

If we drop (v) and allow unlimited message extension then we can encipher many extra messages and use part of the key to indicate the correct one. Such a system might even be capable of attaining a high level of security, although it is not clear that it could achieve our requirements for (ii) or (iii). It is not always true that dropping (iv) is a bad thing. As we shall see there are situations where the effect of error propagation ranges from being totally unacceptable to being advantageous.

We have deliberately avoided discussing Shannon's third criterion regarding complexity. Today we have the advantages of electronics, and do not need to bother with mechanical machines. This means that we now have reasonably cheap ways of producing reliable yet extremely complex equipment for enciphering and deciphering messages. Thus Shannon's third criterion no longer concerns us. Consequently, for the rest of this paper we will assume the benefits offered by electronics. We will drop Shannon's third criterion, and concern ourselves with constructing and examining cipher systems which can be cheaply and easily implemented using microelectronics. We should however bear in mind that the reliability of any equipment we might use is a fundamental aspect of its practical security. If a particular implementation of a cipher system is unreliable, the security afforded by the system is almost certainly reduced quite dramatically. The problem of ensuring sufficient reliability is one which can be solved, and is part of the task faced by the electronics engineer. It is worth noting that it is also essential that the operation of the device should be as simple as possible. History shows [54] that many systems have been broken through operator error. Thus the designer must minimise the error possibilities. To illustrate this point consider, for example, the strategic on/off-line telegraph cipher of Fig. 8. Notice the simplicity of the front panel. For the purpose of this paper we will not concern ourselves with such engineering problems.

Similarly the speech security system of Fig. 9 appears to be a straightforward telephone, and its operation is exactly as for a normal telephone except that a single extra key depression is required to go into a secure mode.

4.2 Designing a system

When designing any cipher system we must always assume that any would-be cryptanalyst has as much knowledge and 'intelligence' information as possible. It is only by making these assumptions that we will be able to assess our cover time. Once again it is worth emphasising that we are prepared to accept that we are considering a theoretically breakable system, and our major consideration is the time needed for a cryptanalyst to break it.

Fig. 8 Racal-Comsec MA 4240 telegraph cipher unit with telex interface

To assess the security of a system we will make the following three assumptions, which we refer to as the worst case conditions:

(C1) The cryptanalyst has a complete knowledge of the cipher system.

(C2) The cryptanalyst has obtained a considerable amount of ciphertext.

(C3) The cryptanalyst knows the plaintext equivalent of a certain amount of the ciphertext.

In any given situation one must attempt to realistically quantify what is meant by 'considerable' and 'certain'. This will depend on the particular system under consideration.

Condition C1 implies that we believe there is no security in the cipher system itself, and that all security must come from the key. Naturally the cryptanalyst's task is considerably harder if he does not know the system used, and it is now possible to conceal this information to a certain extent. For instance, with a modern electronic system the function used for enciphering can be 'concealed' in hardware by the use of microelectronics. By using large scale integration, we can 'conceal' the entire function within a chip about one quarter the size of a fingernail. To actually 'open up' one of these chips is a delicate and time-consuming process. Nevertheless it can be done, and we should not assume that the cryptanalyst has not the ability and patience to do it. Similarly, any part of the function which is included as software within the machine can be disguised by a carefully written program. Once again, with patience and skill, this can be uncovered. It is even possible that, in some situations, the cryptanalyst will have the precise algorithm available to him. It should be clear that, from any manufacturer's or designer's point of view, this is an essential assumption since it removes a great deal of the ultimate responsibility involved in keeping a system secret. Just recently a cipher system (DES) has been introduced for which the algorithm has deliberately been made public. We will discuss this later but clearly users of DES have accepted C1.

It should be clear that C2 is a necessary assumption. It has to be assumed that if a cryptanalyst can intercept one communication between two parties then he is likely to be able to intercept others. Furthermore, a number of these communications may have employed the same key.

Fig. 9 Racal-Comsec MA 4400 Secure Speech System

C3 (in conjunction with C1) is the basis of the known plaintext attack, and is probably the most important and most commonly used method of breaking ciphers. In this case the cryptanalyst has, possibly by guesswork, deduction, or even by 'planting' it in some way, obtained knowledge of some of the plaintext message prior to its encipherment, and so he already knows the plaintext equivalent of part of the cryptogram. The cryptanalyst may, for instance, know that all communications between two sources begin with a particular name and address; or even with a particular expression like 'Dear John'. He may have intercepted other cryptograms between the two parties and, having broken them, knows the style in which they are written. Alternatively he may have a method of 'planting' some plaintext, or of merely ascertaining the general theme of the plaintext. (This latter knowledge then tells him some particular words to expect in the message.)

One important question which the cryptographer must repeatedly ask himself is 'how difficult is it to determine part, or all, of the message knowing the cryptogram plus a small portion of its plaintext equivalent?'. Clearly the answer depends on many things including the actual length of known plaintext.

When designing a cipher system the designer has to pay great attention to the actual use which will be made of the system. There are two main types of system in use today: block ciphers and stream ciphers. We will discuss each of these in turn and view them in light of our worst-case conditions.

5 Block ciphers

When we discussed monoalphabetic ciphers we were able to illustrate one of the fundamental weaknesses which they share with many other systems. This is that the encipherment of any single character uses only a small portion of the key (in this case precisely the one character which is substituted for it). Thus the cryptanalyst is able to determine the entire key by finding small pieces of it, and then using these to determine the rest. One desirable objective for a cipher system might, therefore, be to ensure that a large amount of the key should be used to encipher each character. It might also seem advantageous for the cryptographer to 'spread' the statistical structure of the cryptogram by enciphering a number of message characters simultaneously. (These are the concepts of confusion and diffusion suggested by Shannon [97].)

The first objective makes the relation between a cryptogram and the corresponding key a complex one. This, in turn, makes it difficult for statistics to pinpoint the key as having come from a particular area of the key space. In fact if the encipherment of each message character depends on virtually the entire key then this should force the cryptanalyst to discover the whole key simultaneously. This should involve him in solving considerably more complex equations than when he was able to find the key piece by piece. The second would have the effect of making the cryptanalyst need to intercept a much larger message before he can attempt statistical decipherment.

Fig. 10 Block cipher system [diagram: a key of y bits feeds both the encipherer and the decipherer]

These latter two objectives are the principles behind thedesign of most block ciphers. In a block cipher (see Fig. 10)to encipher a message m = mxm2m^ ... msms+1 ... m2sm2s+1 ••• we first choose an integer s. We then use a key k andx transformations (usually different)f\ ,/2 , ... ,/s to encipherthe first s message characters m x m2 ••• ms (called a block) andobtain a cryptogram cxc2 — cs. Using the same key andfunctions we then encipher the next block of s messagecharacters, i.e. ms + 1 ms + 2 . .. m2s. Thus the message is en-ciphered in blocks of s, the cryptogram is produced in blocksof s, and each bit of ciphertext in a given block normallydepends on the complete corresponding plaintext block as wellas the key. The concepts of confusion and diffusion requirethat each /f be a complex function of as many of the s messagecharacters and as much of the key as possible.

As each block of message is replaced by another block, a block cipher may be regarded as a simple substitution cipher. However, in general, this substitution cipher is considerably more complex than the monoalphabetic ciphers discussed earlier. (In fact a monoalphabetic cipher is merely the special case when each block is identified with a character.)

When the block size is s there are $2^s$ possibilities for a block. Thus we may think of our substitution cipher as a uniquely reversible transformation from the $2^s$ possible input messages to the $2^s$ possibilities for the output. Clearly we may represent each of these sets of possible blocks by the integers 0 to $2^s - 1$. This means we may regard our transformations as having the same message and cryptogram spaces; i.e. as being endomorphic. When we do this, the key for our cipher merely selects one of the permutations on $\{0, 1, \ldots, 2^s - 1\}$. One such possibility with s = 3 is shown in Fig. 11. In this example suppose, for instance, that the input is 100. Then, since 100 corresponds to 4, and 4 is mapped to 7, the output is 111.

Since there are $2^s$ possible message blocks there are $(2^s)!$ possible permutations. Obviously it would be useful to have a key which enabled us to use any one of them but, as we shall see, there will normally only be a comparatively small number available to us.

In order to analyse block cipher systems we need a way to describe them mathematically. One such way is to regard the system as a look-up table (or truth table), which will then enable us to write each output as a function of the bits in the corresponding input block. See for instance Tables 6 and 7. Table 6 is the look-up table for the permutation of Fig. 11, and Table 7 shows the truth tables for the three functions $f_1$, $f_2$ and $f_3$ which define this block cipher.

Fig. 11 Possible permutations when s = 3 (3-bit blocks)

There are two fundamental problems with all simple substitution ciphers. First, they may be vulnerable to statistical attacks involving the analysis of cipher blocks. (Such attacks are similar to those carried out on the message characters in monoalphabetic cipher systems.) Secondly, an interceptor is often able to compile a directory of corresponding plaintext/ciphertext blocks. The size of such a directory obviously depends on the number of possibilities for the plaintext block, and, consequently, on the block size. Both these methods of attack can be thwarted by making the value of s sufficiently large. With this in mind Meyer [73] suggests that the minimum block size used should be equivalent to four characters. This means that if, for instance, an 8-bit character code is used, s should be at least 32. But if s = 32, such a system would require a key space capable of producing any of the $(2^{32})!$ permutations. Clearly this is out of the question and a system with s = 32 is impracticable unless a severe restriction is placed on the available permutations. The number $(2^{32})!$ is so large that we obviously cannot 'handle' it. But even for much smaller values of s, $(2^s)!$ may still be too large. For instance, even with s = 6 we would require a 296-bit key to be able to attain all possible permutations.

One attractive way to restrict our permutations is to use only those which are defined by certain simple, mathematical functions. When we do this, it means that any given key determines a mathematical function which, in turn, gives an appropriate permutation. There are many suitable functions and, for a discussion of some of the simpler ones, we refer the reader to Reference 32.

An important example of a block cipher system is the Feistel cipher. In a Feistel cipher the block size has to be even.

Table 6: Look-up table (for the permutation of Fig. 11; input block m1 m2 m3, output block c1 c2 c3)

m1        0    0    0    0    1    1    1    1
m2        0    0    1    1    0    0    1    1
m3        0    1    0    1    0    1    0    1
c1c2c3   010  110  001  000  111  100  011  101

Table 7: Truth tables (for the functions f1, f2 and f3 giving c1, c2 and c3)

m1   0 0 0 0 1 1 1 1
m2   0 0 1 1 0 0 1 1
m3   0 1 0 1 0 1 0 1
c1   0 1 0 0 1 1 0 1
c2   1 1 0 0 1 0 1 0
c3   0 0 1 0 1 0 1 1


If we have block size 2n then each message block m is divided into two halves and written $m = (m_0, m_1)$. Each key k defines a set of 'subkeys' $k_1, k_2, \ldots, k_h$ for some fixed integer h, and each subkey $k_i$ determines a transformation $f_{k_i}$ on the set of blocks of length n into itself. Any message m is enciphered in h 'rounds' using the following rules:

At round 1: $M_0 = (m_0, m_1) \to M_1 = (m_1, m_2)$

At round i: $M_{i-1} = (m_{i-1}, m_i) \to M_i = (m_i, m_{i+1})$

At round h: $M_{h-1} = (m_{h-1}, m_h) \to M_h = (m_h, m_{h+1})$

where $m_{i+1} = m_{i-1} + f_{k_i}(m_i)$ for each i. The ciphertext is then the 2n-bit block $m_h m_{h+1}$.

To decipher we note that, since all addition is modulo 2, the equation $m_{i+1} = m_{i-1} + f_{k_i}(m_i)$ can also be written as $m_{i-1} = m_{i+1} + f_{k_i}(m_i)$. Thus if we reverse the two halves of the ciphertext block and apply the encipherment procedure, but using the subkeys, and hence the $f_{k_i}$s, in reverse order, we have

$M'_h = (m_{h+1}, m_h) \to M'_{h-1} = (m_h, m_{h-1})$ at round 1

$M'_i = (m_{i+1}, m_i) \to M'_{i-1} = (m_i, m_{i-1})$ at round $h + 1 - i$

$M'_1 = (m_2, m_1) \to M'_0 = (m_1, m_0)$ at round h

Thus we can decipher provided that we can reproduce each $f_{k_i}$ at the appropriate moment. It is important to note that we do not require that the functions have any special properties. In particular, they do not need to be reversible. Feistel ciphers utilising different functions and some of the effects of this on their security level are given in Reference 11.
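The Feistel construction just described, as an added Python example that is not the paper's own code: 8-bit halves, h = 4 rounds with the subkeys taken to be the key bytes, and a hypothetical round function deliberately chosen to be two-to-one, so that decipherment with the subkeys reversed succeeds even though $f_k$ itself cannot be inverted. It also checks that the whole cipher is a permutation of the $2^{16}$ blocks, as a block cipher must be.

```python
# Feistel cipher: h rounds on a 2n-bit block split into n-bit halves, using
# round functions f_{k_i} that need not be invertible. Added example, not the
# paper's code. Constructed assumptions: n = 8 bit halves, subkey k_i is the
# i-th byte of the key, and round_function is a hypothetical two-to-one map.

from typing import List, Tuple

HALF_BITS = 8
MASK = (1 << HALF_BITS) - 1


def round_function(subkey: int, m: int) -> int:
    """f_k(m): hypothetical, deliberately non-invertible round function.
    Bit 7 of (m XOR k) is discarded, so m and m XOR 0x80 give the same value."""
    return ((((m ^ subkey) & 0x7F) * 13) + subkey) & MASK


def subkeys(key: bytes) -> List[int]:
    """k_1, ..., k_h: one subkey per round (constructed: simply the key bytes)."""
    return list(key)


def feistel_rounds(m0: int, m1: int, ks: List[int]) -> Tuple[int, int]:
    """Rounds M_{i-1} = (m_{i-1}, m_i) -> M_i = (m_i, m_{i+1}) with
    m_{i+1} = m_{i-1} + f_{k_i}(m_i), the addition being XOR (mod 2 per bit)."""
    prev, cur = m0, m1
    for k in ks:
        prev, cur = cur, prev ^ round_function(k, cur)
    return prev, cur  # (m_h, m_{h+1})


def encipher(block: Tuple[int, int], key: bytes) -> Tuple[int, int]:
    """Ciphertext block (m_h, m_{h+1}) for plaintext block (m_0, m_1)."""
    return feistel_rounds(block[0], block[1], subkeys(key))


def decipher(block: Tuple[int, int], key: bytes) -> Tuple[int, int]:
    """Swap the halves, run the same rounds with the subkeys in reverse order
    (this yields (m_1, m_0)), then swap back to recover (m_0, m_1)."""
    c0, c1 = block
    m1, m0 = feistel_rounds(c1, c0, subkeys(key)[::-1])
    return m0, m1


def is_permutation(key: bytes) -> bool:
    """A block cipher is a substitution on the 2^(2n) blocks: confirm it is
    bijective for this key by enciphering every block and counting images."""
    images = set()
    for m0 in range(1 << HALF_BITS):
        for m1 in range(1 << HALF_BITS):
            images.add(encipher((m0, m1), key))
    return len(images) == 1 << (2 * HALF_BITS)


if __name__ == "__main__":
    key = bytes([0x3A, 0xC5, 0x91, 0x07])  # constructed key: h = 4 rounds
    plain = (0x4D, 0xE2)
    cipher = encipher(plain, key)
    print(f"plain={plain} cipher={cipher} recovered={decipher(cipher, key)}")
    # f_k is not reversible, yet the cipher as a whole is:
    print(round_function(0x3A, 0x10) == round_function(0x3A, 0x90), is_permutation(key))
```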

Much of the recent research into block cipher systems has been conducted at IBM and details will be found in their publications [33, 34, 45, 72]. But there is one very important block-cipher system (utilising the Feistel cipher principle) which is very much in the public eye and which we must mention. This is the Data Encryption Standard (or DES). DES is a system which uses a Feistel cipher and for which the entire enciphering algorithm is actually made public.

The development leading to DES started in 1973 with the initiation of a search for a common method of encryption which could be economically employed in a variety of computer security applications. The NBS wanted the method of encryption selected as a standard to be amenable to various types of equipment built by many vendors of computer and terminal equipment. They also required that all information relating to this project should be publicly available. Their first search was unsuccessful, but the second, begun in August 1974, produced an algorithm which showed sufficient merit to warrant further consideration. After undergoing US Government review for acceptability as a federal standard this algorithm was published for public comment in March 1975. (The patents for the algorithm are held by IBM, and the terms and conditions of the agreement by IBM to grant nonexclusive royalty-free licences under these patents are given in Reference 83.) After the publication many comments both for and against were forthcoming.

The DES has had a very mixed reception. It poses two controversial questions. The first is whether or not there should be a 'standard'. The next is, given that there is one, should it be the DES? This second question relates to the security level attained by the DES. We will consider each of these issues in turn and try to present some relevant points for each 'side' in the controversy. However, we do not intend to make any judgment on either question.

The idea of a standard in cryptography is revolutionary. The reader will recall that, when we discussed our worst-case conditions for the cryptographer, we assumed that the cryptanalyst knew all about the system used. In particular it was assumed that he knew the algorithm, and all equipment should be designed under this assumption. However, prior to DES, we know of no publication containing a complete algorithm for practical usage. In fact, despite making the assumptions claimed above, most cryptographers went to great lengths to try to conceal the details of their algorithm. The DES is the first example where an algorithm has actually been published and the 'world' has been challenged to break it. In trying to break the DES the cryptanalyst will have to solve numerous nonlinear systems of equations over GF(2). Although there is no known general solution that can be effected in reasonable time, it is, as far as we know, absolutely impossible to guarantee that this particular instance is not solvable in a reasonable time. Consequently there is always a danger, probably very small, that someone will find a way to break the system. If the standard is accepted on a nationwide (or even worldwide) basis, and someone does find a solution, then the standard will have to be changed. This will be a mammoth and exceedingly expensive task.

There is another obvious disadvantage to a standard. If a standard is widely used then the cryptanalyst knows that, by breaking it, he will gain access to many users' messages. Thus, if he finds a method of attack which works, it will be worth his while to implement it almost no matter what the cost. If, on the other hand, he were trying to break a cipher system adopted by a single user he might consider certain implementations too expensive. The adoption of a standard also focuses the attention of all cryptanalysts on the same system, and must therefore increase the chances of it being broken.

One of the main advantages associated with the existence of a standard relates to the cost for the user. If a chip, or set of chips, is designed to implement the standard, then they can be produced in sufficient quantity that the cost to the user will be low. However, we must point out that, in practice, the algorithm is only a comparatively small part of a system, and so the overall savings will not be as significant as it might appear. Despite this, the existence of a standard might considerably increase the number of users of cipher systems. The reason is simple. Throughout history there have been many examples of custom built systems which have been very insecure. Thus people who do not have the resources and/or ability to assess systems may be reluctant to use them. Unless they have a great deal of confidence in the designers of their systems, these people may feel much more inclined to use a standard which many people have both used and studied. Another obvious advantage of using the standard is the compatibility which can be attained between various systems. Although, as we have said before, the risk remains that if one network is broken then they all are. There are a number of recent publications [11, 59, 75, 79, 80] that describe the DES algorithm and, rather than include a detailed description here, we refer the reader to these.

With something as revolutionary as the DES it is hardly surprising that there was, and still is, a wide spectrum of public opinion. After considering the various reactions to their proposals, NBS held two workshops to consider DES. According to Davis [22] both workshops resulted in a consensus that the DES was satisfactory as a cryptographic standard for the next 10-15 years. Given that a standard is to be used, the block-cipher system's great versatility makes it very useful. It can be configured in a number of different ways to satisfy different types of application. A more detailed account can be found in References 11, 59 or 89.

In practice, when using any block cipher system a number of message characters will be enciphered simultaneously and with dependency between them. One consequence of this is that, at the receiver, each part of the message depends on a number of ciphertext characters. This in turn means that if one single ciphertext character is erroneously transmitted it is likely to cause errors in the decipherment of many message bits. (This effect of one error causing many more is called error propagation.)

There are many consequences of error propagation. For instance, formatting information etc. may be lost. Another consequence is that the receiver is likely to realise that an error has occurred. In certain situations error propagation is a boon. One example is a computer network where information is entered on a remote terminal, enciphered for transmission to the main processor, deciphered at the processor and then stored in a file. In this situation it is quite likely that the information will not be examined for a long time, and it is even conceivable that the original source of information will have disappeared before then. Thus, any errors in the data have to be deleted and corrected before filing. (We should point out that in such systems, error protection will almost certainly be provided so that the advantage of an error propagating system is not as necessary as might at first appear.)

6 Stream ciphers

The propagation of errors is often considered a disadvantage, and there are many situations in which an occasional error will do no harm. For instance if the message is a passage of English then there is sufficient redundancy in the language to ensure that a few wrong letters will probably not be sufficient to prevent the receiver from interpreting correctly. A second situation is that of enciphering digital speech. For example 16 kbit delta-modulated speech can withstand error rates, in the transmission path, of even 10%. Thus the use of an error propagating cipher system when a bad transmission channel exists might result in a usable channel becoming totally unusable. The effect of this, in radio applications, is a significant drop in the range of the radio.

The stream cipher is one in which errors are not propagated. It is characterised by the fact that the encipherment of each bit of data is independent of the rest of the message.

Apart from Shannon's work the most significant factors in the development of the design of cipher systems were the advent of the computer and then, in the 1960s, the expanding use of microelectronics. (It is worth noting that it was the need to break a cipher system during the Second World War that led to the development of Colossus, one of the first dedicated calculating machines that we now know simply as computers.) They meant that a whole new range of functions were available to the cryptographer. But they also compelled him to increase his mathematical knowledge. Many of these new functions can only be expressed in terms of a mathematical language which is considerably more advanced than any of the mathematical knowledge previously required.

The development of the stream cipher was greatly influenced by the fact that Shannon had proved the one-time pad to be unbreakable. Many cryptographers felt that if they could emulate the one-time-pad system in some way then they would have a system with a guaranteed high security level. They were also encouraged by the fact that since the 1920s many of the mechanical and electromechanical machines had operated in a way similar to the one-time pad, in the sense that they produced long sequences of displacements which were applied, character by character, to the plaintext message. However, there was one fundamental difference. Unlike the situation for the one-time pad, a sequence produced by one of these machines was not random; in fact it was completely determined by the key. Once the key had been set up, the sequence, although most certainly as long as the message, was completely predetermined. Nevertheless, by careful choice of the algorithm, it was possible to produce a sequence which appeared to be random, i.e. a sequence in which there was no obvious relation between the elements. It was argued by many cryptographers that such a system would be highly secure. We shall see later that this is not necessarily the case.

Fig. 12 Stream cipher (the key drives an algorithm that produces an infinite sequence, which is combined with the data/plaintext to give the ciphertext)

The above ideas led to the introduction of the stream cipher, illustrated in Fig. 12. This is a system in which the key is fed to an algorithm which uses the key to generate an infinite sequence. (The algorithm is usually referred to as the sequence generator or keystream generator.) In all practical cases of cipher systems the algorithm is an example of a finite state machine.

In current cipher equipment the stream cipher is undoubtedly the most common system used. Consequently we will consider in some detail the various properties such a system must exhibit to be secure against our worst-case conditions. We re-emphasise that a stream cipher is not error propagating. Although, occasionally, error propagation may be desirable, it is usually a disadvantage and, for this reason, stream ciphers provide probably the most important method of modern encipherment. Since the majority of such systems employ electronic techniques, both the plaintext and the infinite sequence normally use a binary character set.

One way of viewing a stream cipher system is as a polyalphabetic cipher whose periodicity is governed by the sequence which the algorithm produces. In this context it is important to realise that, although the sequence has infinite length, this does not mean that the polyalphabetic cipher cannot have finite period. The infinite sequence may have the property that it is merely numerous repetitions of a finite sequence. If this occurs then we say that it is periodic. We call a shortest repeated sequence a cycle, and the length of a cycle is the period of the infinite sequence. If we represent the sequence $s_0 s_1 s_2 s_3 \ldots$ by $(s_t)$, then if $(s_t)$ has period p we know $s_m = s_{m+p}$ for every m.

If the period of our output sequence is small then the system will have the same type of drawbacks as the Vigenère cipher with short keyword discussed earlier. It is essential for security that our output sequence should have a large period, and that the period should, as an absolute minimum, be at least as long as any message to be enciphered. For this reason we need theorems which will tell us when the output sequence has a guaranteed minimum period. A second requirement for our output sequence, again based on our experience in attempting to cryptanalyse Vigenère-type ciphers, is that it should appear to be random, and thus not allow the cryptanalyst to use any known statistical analysis of the language of the system. Thus two aims when designing a cipher system are:

(A1) The input sequence must have a guaranteed minimum length for its period. (We will then only encipher messages which are shorter than this value.)

(A2) The ciphertext must appear to be random.


6.1 Randomness

Our first problem is to decide what we mean by randomness. Before attempting to give a formal definition we will try to decide what we want our randomness properties to indicate. Clearly no periodic sequence is truly random. In cryptography it is unpredictability rather than randomness which is normally required. We want to know that if a cryptanalyst intercepts part of the sequence he will have no information on how to predict what comes next. Again this is, strictly speaking, impossible for any periodic sequence, since as soon as he knows a complete cycle the cryptanalyst knows the entire sequence. Nevertheless, it is not unreasonable to try to ensure that, if a segment of ciphertext which is considerably shorter than the period is intercepted, no further information is imparted. A sequence satisfying these general properties is normally called a pseudorandom sequence. We point out that this concept is as important for block ciphers as stream ciphers.

To attempt a definition of randomness we introduce more terminology and define the statistical concepts of runs and autocorrelation functions. If $(s_t)$ is any binary sequence then a run is a string of consecutive identical sequence elements which is neither preceded nor succeeded by the same symbol. Thus, for example, 0111001 begins with a run of 1 zero, contains a run of 3 ones and a run of 2 zeros, and then ends with a run of 1 one. A run of zeros is called a gap while a run of ones is a block.

Suppose that $(s_t)$ is a binary sequence of period p. For any fixed a, we compare the first p terms of $(s_t)$ with its translate $(s_{t+a})$. If A is the number of positions in which these two sequences agree, and D (= p − A) is the number of positions in which they disagree, then the autocorrelation function C(a) is defined by

$$C(a) = \frac{A - D}{p}$$

Clearly $C(a + p) = C(a)$ for all a, and so it suffices to consider those a satisfying $0 \le a < p$. When a = 0 we have in-phase autocorrelation. In this case, clearly, A = p and D = 0, so that C(0) = 1. For $a \neq 0$ we have out-of-phase autocorrelation.

The following three randomness postulates for a binarysequence of period p were proposed by Golomb [41].

(R1) If p is even then the cycle of length p shall contain an equal number of zeros and ones. If p is odd then the number of zeros shall be one more or one less than the number of ones.

(R2) In the cycle of length p, half the runs have length 1, a quarter have length 2, an eighth have length 3 and, in general, for each i for which there are at least $2^{i+1}$ runs, $1/2^i$ of the runs have length i. Moreover, for each of these lengths which are greater than one, there are equally many gaps and blocks.

(R3) The out-of-phase autocorrelation is a constant.

The 'classical' way of attempting to obtain a truly random sequence is to flip a 'perfect coin', and record whether it comes down heads or tails. In this context, Golomb gave the following interpretation of his postulates: 'In flipping a "perfect coin", R1 is the postulate that heads and tails occur about equally often, and R2 is the assertion that after a run of n heads (tails) there is a fifty-fifty chance that it will end with the next coin flip. Finally R3 is the notion of independent trials: knowing how the toss came out on a previous trial gives no information for the current trial'.

For this paper we will accept Golomb's postulates as being a reasonable requirement for a random binary sequence, and call a sequence satisfying them a 'PN-sequence'.

From our earlier discussions we know that, if they are to be used as enciphering sequences in a stream cipher system, our sequences must resemble a random sequence. In practice the sequences used in cipher systems have large periods. A period of less than $10^{10}$ is rarely used, and periods as long as $10^{50}$ are not uncommon. Although knowledge of properties of the entire sequence is crucial, and gives us confidence in the system, it tells us little about small sections of the sequence. But if an interceptor does obtain some of our ciphertext it will almost certainly be a relatively small section. Thus it is important to apply statistical tests to sections of our sequence, and to check that they also appear to be random. This type of randomness is often referred to as 'local randomness'. There are many popular tests for local randomness; we will list five.

Our aim is now merely to describe five particular tests, and give an indication of their usefulness. In practice the five tests might be combined to form part of a computer package, and we would expect our sequence to pass all five. But we must decide what we mean by 'pass'. To do this we establish statistical values corresponding to truly random sequences, and then set a pass mark. As an illustration, suppose our pass mark is to be 95%. This means that a given sequence passes the test if its value lies in the range in which we would expect 95% of all truly random sequences. It is usual to denote the pass mark as $(100 - \alpha)\%$, where $\alpha$ is called the significance level of the test.

Throughout the following discussions we will assume that a sample of n bits of our sequence contains $n_0$ zeros and $n_1$ ones.

6.1.1 Frequency test: This is perhaps the most obvious of the tests, and is applied to ensure that there is roughly the same number of zeros and ones. For this we merely compute

Clearly, if $n_0 = n_1$ then $\chi^2 = 0$, and the larger the value of $\chi^2$ the greater the discrepancy between the observed and the expected frequencies. To decide if the value obtained is good enough for the sequence to pass we merely have to compare our value with a table of the $\chi^2$ distribution, for one degree of freedom. (Such tables are commonly available and give the values of $\chi^2$ corresponding to the various significance levels.) For instance if we have decided on a 5% significance level we find from standard tables that the value of $\chi^2$ is 3.84. So, quite simply, if our value is no greater than 3.84 the sequence passes. Otherwise we must reject it. (We might also decide to fail our sequence if the value of $\chi^2$ is 0. Being too 'good' can be suspicious!)

6.1.2 Serial test: The serial test is used to ensure that the transition probabilities are reasonable, i.e. that the probability of consecutive entries being equal or different is about the same. This will then give us some level of confidence that each bit is independent of its predecessor. Suppose 01 occurs $n_{01}$ times, 10 occurs $n_{10}$ times, 00 occurs $n_{00}$ times and 11 occurs $n_{11}$ times. Then $n_{01} + n_{00} = n_0$ or $n_0 - 1$, $n_{10} + n_{11} = n_1$ or $n_1 - 1$ and $n_{10} + n_{01} + n_{00} + n_{11} = n - 1$. (Note the $-1$ occurs because in a section of length m there are only $m - 1$ transitions.) Ideally we want $n_{01} = n_{10} = n_{00} = n_{11} = (n - 1)/4$. Good [42] has shown that

$$\frac{4}{n-1}\sum_{i=0}^{1}\sum_{j=0}^{1} n_{ij}^2 \;-\; \frac{2}{n}\sum_{i=0}^{1} n_i^2 \;+\; 1$$

is approximately distributed as $\chi^2$ with two degrees of freedom.

6.1.3 Poker test: For any integer m there are $2^m$ different possibilities for a section of length m of a binary sequence. In this test we partition our sequence into blocks (or 'hands') of size m, and then we count the frequency of each type of section of length m in our sequence. If the frequencies are $f_0, f_1, \ldots, f_{2^m - 1}$ then

$$\sum_{i=0}^{2^m - 1} f_i = [n/m]$$

where $[n/m]$ means the largest integer which is not bigger than n/m. Then, as before, we evaluate

$$\chi^2 = \frac{2^m}{F}\sum_{i=0}^{2^m - 1} f_i^2 - F, \qquad F = [n/m]$$

and then compare our value with the table for $\chi^2$ having $2^m - 1$ degrees of freedom to see if we have a 5% significance level.

We can apply this test many times for different values of m. However, in certain circumstances some values of m may be more relevant than others. Suppose, for example, that if our sequence 'passes' we want to use it for encipherment of data that are converted to binary using ITA 2. (ITA 2 stands for the International Telegraph Alphabet No. 2, and is an agreed standard code for converting teleprinter characters to 5-bit binary words; see, for instance, Reference 11.) Suppose also that the cipher will be reconverted to alphanumeric characters using ITA 2 before transmission. Then, in this case, as ITA 2 is a 5-bit code, we may be especially interested in the poker test for m = 5.

There is a variation of the poker test which is occasionally useful. In this variation we evaluate the numbers $x_0, x_1, \ldots, x_m$ where, if m is the block length, $x_i$ is the number of m-bit blocks having i ones and $m - i$ zeros. We may then apply the $\chi^2$ test with m degrees of freedom.

6.1.4 Autocorrelation test: Suppose the sequence of n bits which we wish to test for randomness properties is $a_1, \ldots, a_n$. Then set

$$A(d) = \sum_{i=1}^{n-d} a_i a_{i+d}$$

Clearly

$$A(0) = \sum_{i=1}^{n} a_i = n_1$$

If the sequence has $n_0$ zeros and $n_1$ ones which are randomly distributed, the expected value of $A(d)$ ($d \neq 0$) is

This enables us to use standard hypothesis testing techniquesto decide whether or not we believe our sequence has a'random' distribution.

6.1.5 Runs test: For the runs test we divide the sequence into blocks and gaps. We let $r_{0i}$ be the number of gaps of length i, and $r_{1i}$ be the number of blocks of length i. If $r_0$ and $r_1$ are the number of gaps and blocks, respectively, then

$$r_0 = \sum_{i=1}^{n} r_{0i} \quad\text{and}\quad r_1 = \sum_{i=1}^{n} r_{1i}$$

Using the notation of the serial test, it is easy to see $n_{01} = r_0$ or $r_0 - 1$, $n_{00} = n_0 - r_0$ and $n_{11} = n_1 - r_1$. We would not be applying this test if the sequence had not already passed the serial test, and so we know that the total numbers of gaps and blocks are within acceptable limits. We now expect about half the gaps (or blocks) to have length 1, a quarter to have length 2 and so on (see Golomb's postulate R2). We will not worry about the precise statistical test which should now be used, but refer the interested reader to Mood [74].
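The five local-randomness tests of Section 6.1 run over a constructed 32-bit sample, as an added Python example that is not the paper's own code. Assumptions: the frequency statistic is the usual $(n_0 - n_1)^2/n$, the pass mark is 5% with critical values from standard $\chi^2$ tables, and the runs test only tabulates the gap and block lengths, since the text defers the exact statistic to Mood [74].

```python
# Local-randomness tests (frequency, serial, poker, autocorrelation, runs) from
# Section 6.1. Added example, not the paper's code. Assumptions: 5% significance
# level; chi-squared critical values from standard tables; the frequency test
# uses (n0 - n1)^2 / n; the runs test reports the gap/block length counts only.

from collections import Counter
from typing import Dict, List, Tuple

# Upper 5% points of chi-squared for the degrees of freedom used below.
CHI2_5PCT = {1: 3.84, 2: 5.99, 3: 7.81, 7: 14.07, 15: 25.00}

# Constructed 32-bit sample (not from the paper): n0 = 15 zeros, n1 = 17 ones.
SAMPLE = [int(b) for b in "11010010" "01011100" "01011011" "10001011"]


def frequency_statistic(bits: List[int]) -> float:
    """Chi-squared with 1 degree of freedom: (n0 - n1)^2 / n."""
    n0, n1 = bits.count(0), bits.count(1)
    return (n0 - n1) ** 2 / len(bits)


def transition_counts(bits: List[int]) -> Dict[str, int]:
    """n00, n01, n10, n11 over the n - 1 consecutive pairs."""
    c = Counter(f"{a}{b}" for a, b in zip(bits, bits[1:]))
    return {k: c.get(k, 0) for k in ("00", "01", "10", "11")}


def serial_statistic(bits: List[int]) -> float:
    """Good's statistic 4/(n-1) sum n_ij^2 - 2/n sum n_i^2 + 1 (~ chi^2, 2 d.f.)."""
    n = len(bits)
    nij = transition_counts(bits)
    ni = (bits.count(0), bits.count(1))
    return (4 / (n - 1)) * sum(v * v for v in nij.values()) \
        - (2 / n) * sum(v * v for v in ni) + 1


def poker_statistic(bits: List[int], m: int) -> float:
    """Partition into F = [n/m] hands of m bits; (2^m / F) sum f_i^2 - F
    is compared with chi^2 on 2^m - 1 degrees of freedom."""
    F = len(bits) // m
    hands = Counter(tuple(bits[i * m:(i + 1) * m]) for i in range(F))
    return (2 ** m / F) * sum(f * f for f in hands.values()) - F


def autocorrelation(bits: List[int], d: int) -> int:
    """A(d) = sum_{i=1}^{n-d} a_i a_{i+d}; A(0) is the number of ones n1."""
    return sum(a * b for a, b in zip(bits, bits[d:]))


def run_lengths(bits: List[int]) -> Tuple[Dict[int, int], Dict[int, int]]:
    """(gap length -> count, block length -> count); a gap is a run of zeros,
    a block a run of ones. Golomb's R2 says about half should have length 1."""
    gaps: Counter = Counter()
    blocks: Counter = Counter()
    i = 0
    while i < len(bits):
        j = i
        while j < len(bits) and bits[j] == bits[i]:
            j += 1
        (blocks if bits[i] else gaps)[j - i] += 1
        i = j
    return dict(gaps), dict(blocks)


def passes(statistic: float, dof: int) -> bool:
    """Pass mark (100 - 5)%: accept if the statistic is no greater than the
    tabulated 5% value for the given degrees of freedom."""
    return statistic <= CHI2_5PCT[dof]


def run_all(bits: List[int], poker_m: int = 2) -> Dict[str, bool]:
    """Apply the three tests that have a tabulated chi-squared pass mark."""
    return {
        "frequency": passes(frequency_statistic(bits), 1),
        "serial": passes(serial_statistic(bits), 2),
        "poker": passes(poker_statistic(bits, poker_m), 2 ** poker_m - 1),
    }


if __name__ == "__main__":
    print("frequency", frequency_statistic(SAMPLE))
    print("transitions", transition_counts(SAMPLE))
    print("serial", round(serial_statistic(SAMPLE), 4))
    print("poker m=2", poker_statistic(SAMPLE, 2))
    print("A(0), A(1)", autocorrelation(SAMPLE, 0), autocorrelation(SAMPLE, 1))
    print("gaps, blocks", run_lengths(SAMPLE))
    print(run_all(SAMPLE))
```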

6.2 Shift registers

Now that we have stated some requirements for a cipher system to be considered secure in a practical sense, we must go on to investigate how the encipherment algorithm for such a system might be implemented. As we said earlier, apart from DES most of the current cipher systems which are available commercially are based on stream ciphers. Although the sequence which is added to the plaintext is generated in various ways, nearly all the methods employ shift registers. One of the main reasons for this is that they are readily obtainable and comparatively inexpensive. Another is that, although not easy, some techniques do exist for the analysis of the mathematical and statistical properties of the sequences which they generate.

An n-stage shift register consists of n binary storage elements $S_0, S_1, \ldots, S_{n-1}$ called stages, connected in series. The contents of the stages change in time with a clock pulse according to the following rule: if $s_i(t)$ denotes the content of $S_i$ after the t-th time pulse, then $s_i(t+1) = s_{i+1}(t)$ for $i = 0, \ldots, n-2$ and $s_{n-1}(t+1) = f(s_0(t), s_1(t), \ldots, s_{n-1}(t))$. The function f is called the feedback function of the register. If, for any t, we write $s_t = s_0(t)$, then we say that the register generates the sequence $(s_t)$. Clearly $s_t = s_t(0)$ for all t satisfying $0 \le t \le n - 1$, and the sequence $(s_t)$ is completely determined by $s_0, s_1, \ldots, s_{n-1}$ and the feedback function f.

If

$$f(s_0(t), s_1(t), \ldots, s_{n-1}(t)) = \sum_{i=0}^{n-1} c_i s_i(t) \pmod 2,$$

with each $c_i$ equal to 0 or 1, then the shift register is said to have linear feedback. The constants $c_0, c_1, \ldots, c_{n-1}$ are called the feedback coefficients. This can be represented by the diagram in Fig. 13, where $c_i = 1$ stands for a closed connection and $c_i = 0$ for an open one.

Fig. 13 Linear-feedback shift register (stages $S_0, S_1, S_2, \ldots$ with feedback connections $c_i$)

The content of a shift register, regarded either as a binary number or an n-bit binary vector, is called its state. Clearly every state has a unique successor. If all the $c_i$ are zero then, regardless of the initial state of the shift register, after the nth clock pulse each stage $S_i$ will contain 0 and will remain this way. Thus to keep the shift register active, at least one of the $c_i$ must be 1. Let j be the least value of i such that $c_i = 1$, and suppose $j \ge 1$. Then the (mod 2) sum of the contents of $S_j, S_{j+1}, \ldots, S_{n-1}$ is fed back into $S_{n-1}$, and the contents of $S_0, S_1, \ldots, S_{j-1}$ contribute nothing to the action of the shift register. So after the jth clock pulse, the state of the shift register will be independent of $s_0(0), s_1(0), \ldots, s_{j-1}(0)$, and we are essentially only using $n - j$ positions of the machine. To eliminate this possible degeneracy we will assume henceforth that $j = 0$, that is $c_0 = 1$.

If we let $s(t)$ denote the binary vector $(s_0(t), s_1(t), \ldots, s_{n-1}(t))$, then the action of the shift register may be described by the matrix equation

$$s(t+1) = s(t)\,M$$

where

$$M = \begin{pmatrix} 0 & 0 & 0 & \cdots & 0 & c_0 \\ 1 & 0 & 0 & \cdots & 0 & c_1 \\ 0 & 1 & 0 & \cdots & 0 & c_2 \\ \vdots & & & \ddots & & \vdots \\ 0 & 0 & 0 & \cdots & 1 & c_{n-1} \end{pmatrix}$$

Since we are assuming $c_0 = 1$, the matrix M is nonsingular. This means, of course, that we can now always deduce $s(t)$ from $s(t+1)$, and that, apart from the initial state, each state now has a unique predecessor as well as a unique successor. Since there are only $2^n$ possible states, a repetition must occur among the first $2^n + 1$ states. As soon as this repetition occurs the sequence of state vectors will continue to repeat itself. Although there are $2^n$ possible states, the nonsingularity of M guarantees that, provided the initial state is not all zeros, the all-zero vector will not occur as a state. This discussion forms the basis of a proof for Result 1.

Result 1
The succession of states of an n-stage shift register with linear feedback is periodic with period $p \le 2^n - 1$.

Before proceeding, let us illustrate the action of a shift register with an example. This will also establish that, at least in some cases, a period of $2^n - 1$ can be achieved.

If we have a 5-stage shift register with feedback function $s_0 + s_3$ then it can be depicted as shown in Fig. 14.

If the initial state, i.e. when t = 0, is 01010 then when t = 1 the new state will be 1010 f(0, 1, 0, 1, 0). But f(0, 1, 0, 1, 0) = 1 and so, when t = 1, the state is 10101. The sequence of states is given in Table 8.

If we let $s_0, s_1, s_2, \ldots, s_{n-1}, s_n, s_{n+1}, \ldots$ denote the successive contents of $S_0$, it is clear that we get an infinite binary sequence which satisfies

$$s_{t+n} = \sum_{i=0}^{n-1} c_i s_{t+i} \pmod 2 \quad \text{for } t = 0, 1, 2, \ldots$$

Such an equation is called a linear recurrence relation of order n and the infinite binary sequence $(s_t) = s_0, s_1, s_2, \ldots$ is called a linear recurring sequence.

Such a sequence $(s_t)$ may also be thought of as the 'output' of the shift register and may be said to be 'generated' by that shift register. At any given time the state of the shift register represents a section of the sequence. Clearly, from Result 1, $(s_t)$ is periodic with period $p \le 2^n - 1$. For an n-stage shift register, the $2^n$ different initial states will give rise to $2^n$ periodic sequences. Suppose one such sequence has period p. Then the first p terms

$$s_0, s_1, \ldots, s_{p-1}$$

will be called a cycle of length p. The different starting points of a cycle (p altogether) give rise to different periodic sequences, which are all translates of each other.

The initial state 00 . . . 0 corresponds to a cycle of length 1 and the resulting sequence is called the null sequence, or zero sequence, denoted by (0). The remaining $2^n - 1$ sequences will be distributed among cycles of various lengths. If these $2^n - 1$ sequences all lie on one cycle of length $2^n - 1$, then we have a maximum length cycle and each of these sequences of maximum period is called an m-sequence. Clearly all possible register contents except 00 . . . 0 will occur once among the first $2^n - 1$ states of the shift register during the generation of an m-sequence.

Definition
Associated with the linear recurrence of order n

$$s_{t+n} = \sum_{i=0}^{n-1} c_i\, s_{t+i} \qquad t = 0, 1, 2, \ldots$$

is the characteristic polynomial f(x) defined by

$$f(x) = x^n + c_{n-1}x^{n-1} + \cdots + c_1 x + c_0$$

(remembering that c_0 = 1). Consequently we may identify a shift register with the characteristic polynomial f(x) and we shall refer to the sequences and cycles generated by f(x). Of course different initial states of the shift register will give rise to different periodic sequences.

[Fig. 14: a 5-stage shift register with stages S_0, ..., S_4; the mod 2 sum of the contents of S_0 and S_3 is fed back into S_4]

Fig. 14 Shift register in example

The aggregate of all infinite binary recurring sequences (s_t) generated by a given f(x) is called the solution space of f(x), and is denoted by Ω(f). Thus Ω(f) consists of 2^n sequences corresponding to all 2^n initial states. With the obvious definitions of addition and scalar multiplication, Ω(f) is an n-dimensional vector space over GF(2).

There are a number of very useful results relating properties of the characteristic polynomial with the period of the sequence. If the reader is not familiar with the terminology then he should not concern himself too much with the precise results stated below. The important point to appreciate, given in Result 4, is that we have a means of ensuring that the sequence our shift register produces has period 2^n − 1. There exist [85] comprehensive lists of primitive polynomials that may be used for the feedback function.

Result 2
Suppose f(x) is a polynomial over GF(2) with exponent e. Then the period of any sequence (s_t) in Ω(f) divides e.

Result 3
Suppose f(x) is an irreducible polynomial over GF(2) with exponent e. Then the period of any non-null sequence (s_t) in Ω(f) is e.

Result 4
Suppose f(x) is a polynomial over GF(2) with f(0) = 1. Then Ω(f) contains a sequence of period 2^n − 1 if, and only if, f(x) is primitive. [Note that this could be restated as every non-null sequence in Ω(f) has period 2^n − 1 if, and only if, f(x) is primitive.]

Table 8: Succession of states

 t  state     t  state     t  state     t  state
 0  01010     8  01100    16  11100    24  10010
 1  10101     9  11000    17  11001    25  00100
 2  01011    10  10001    18  10011    26  01000
 3  10111    11  00011    19  00110    27  10000
 4  01110    12  00111    20  01101    28  00001
 5  11101    13  01111    21  11010    29  00010
 6  11011    14  11111    22  10100    30  00101
 7  10110    15  11110    23  01001    31  01010 etc.

IEE PROC., Vol. 129, Pt. A, No. 6, AUGUST 1982

As a consequence of these results we know that, by taking any primitive polynomial as our characteristic polynomial, we will obtain an m-sequence by choosing any nonzero initial state.

If we have any m-sequence (with period 2^n − 1) then it can be shown that any generating cycle, i.e. any 2^n − 1 consecutive entries, contains precisely 2^{n−1} ones and 2^{n−1} − 1 zeros. Furthermore its out-of-phase autocorrelation is always −1/(2^n − 1). These facts, plus other simple statistical tests, suggest that an m-sequence is reasonably 'pattern-free' and suitable for use as a foundation for generating the 'random sequence' referred to earlier. In fact it can be shown [11, 41] that an m-sequence is a PN-sequence.

Despite the fact that it may have period 2^n − 1, any sequence generated by an n-stage shift register with linear feedback is completely determined by its characteristic polynomial f(x) and any one of its state vectors. Thus the entire sequence is known once we know the n feedback constants and any n consecutive entries of the sequence. But, as we have already seen, the feedback constants are the coefficients of a linear relation of order n which is satisfied by the sequence (s_t). This leads to Result 5.

Result 5
An m-sequence (s_t) of period 2^n − 1 is completely determined by any 2n consecutive entries.

If the known entries are s_r, s_{r+1}, ..., s_{r+2n−1}, then all that is involved in determining the feedback constants (and hence the entire sequence) is the inversion of the nonsingular matrix

$$\begin{pmatrix}
s_r & s_{r+1} & \cdots & s_{r+n-1} \\
s_{r+1} & s_{r+2} & \cdots & s_{r+n} \\
\vdots & \vdots & & \vdots \\
s_{r+n-1} & s_{r+n} & \cdots & s_{r+2n-2}
\end{pmatrix}$$

a routine operation unless n is very large. But there are many practical snags (not to mention the cost) in trying to use very large shift registers. So, for our particular problem, the use of a shift register with linear feedback is not satisfactory. If we wish to use shift registers in the generation of our sequence then we must try to remove the 'linearity' from the system. It is important to make one further observation. If (u_t) is any binary sequence with period p then (u_t) can be generated by a p-stage shift register with initial state u_0, u_1, ..., u_{p−1} and characteristic polynomial x^p + 1. In other words any periodic binary sequence is a linear shift register sequence. However in Result 5 the n is the size of the shift register, and so, for any given sequence, one measure of its suitability is the size of the smallest shift register which can generate it with a linear feedback function. This size is called the linear equivalence of the sequence and what the cryptographer wants is to use one (or many) 'small' shift registers to obtain a sequence whose linear equivalence is large enough so that Result 5 does not bother him. It must be stressed, however, that having a sequence with a large linear equivalence is necessary, but not sufficient, for a good sequence generator. There are many examples of weak systems which have high linear equivalences. There are so many ways of attempting to generate sequences with the right properties that we cannot possibly discuss them all. Instead we refer the reader to Reference 11 which contains a discussion of many different techniques. Also of interest are References 10, 43, 46, 53, 55, 78, 82, 86, 87, 93, 94 and 105. We give an example of just one possibility. This is the method called multiplexing. We must emphasise that, in practice, any system used would be far more complex than anything that we can exhibit here. However, our example will serve as an illustration of the type of results which can be proved.
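The register of Fig. 14 and the facts just quoted, worked through in code. This is an added example, not code from the paper or its authors. It simulates the 5-stage register with feedback s_0 + s_3 from the initial state 01010 of Table 8, checks the period, the count of ones and the out-of-phase autocorrelation of the resulting m-sequence, and then recovers the feedback constants from 2n = 10 consecutive output bits by solving the n equations behind Result 5 over GF(2). All function and variable names are this example's own; the contrasting register with the reducible characteristic polynomial x^5 + x^4 + 1 = (x^2 + x + 1)(x^3 + x + 1) is an addition used to illustrate Result 2.

```python
from fractions import Fraction

# Constructed to match Fig. 14 and Table 8: a 5-stage register with feedback
# s_0 + s_3, i.e. taps (c_0, ..., c_4) with c_0 = c_3 = 1, whose characteristic
# polynomial x^5 + x^3 + 1 is primitive.
TAPS = [1, 0, 0, 1, 0]
INITIAL = [0, 1, 0, 1, 0]          # the state at t = 0 used in Table 8

# A register whose characteristic polynomial x^5 + x^4 + 1 = (x^2 + x + 1)(x^3 + x + 1)
# is reducible with exponent lcm(3, 7) = 21; by Result 2 every period divides 21.
REDUCIBLE_TAPS = [1, 0, 0, 0, 1]


def lfsr_states(taps, state):
    """Yield the successive states of a shift register with linear feedback.

    state = [s_0, ..., s_{n-1}].  On each clock pulse every stage takes the
    value of its right-hand neighbour and S_{n-1} receives sum(c_i s_i) mod 2.
    """
    while True:
        yield list(state)
        feedback = 0
        for c, s in zip(taps, state):
            feedback ^= c & s
        state = state[1:] + [feedback]


def states_as_strings(taps, state, count):
    """The first `count` states written as in Table 8 (stage S_0 on the left)."""
    gen = lfsr_states(taps, state)
    return ["".join(map(str, next(gen))) for _ in range(count)]


def period(taps, state):
    """Clock pulses until the initial state recurs (Result 1: at most 2^n - 1)."""
    gen = lfsr_states(taps, state)
    first = next(gen)
    count = 1
    while next(gen) != first:
        count += 1
    return count


def output_sequence(taps, state, length):
    """(s_t): the successive contents of stage S_0, i.e. the register's output."""
    gen = lfsr_states(taps, state)
    return [next(gen)[0] for _ in range(length)]


def autocorrelation(cycle, shift):
    """c(a) = (agreements - disagreements) / p over one cycle of length p."""
    p = len(cycle)
    agree = sum(1 for t in range(p) if cycle[t] == cycle[(t + shift) % p])
    return Fraction(agree - (p - agree), p)


def recover_taps(bits):
    """Result 5: 2n consecutive bits of a sequence obeying a linear recurrence of
    order n determine the feedback constants.  Each t = 0, ..., n-1 gives
        s_{t+n} = c_0 s_t + c_1 s_{t+1} + ... + c_{n-1} s_{t+n-1}   (mod 2),
    an n x n system solved here by Gauss-Jordan elimination over GF(2); the
    coefficient matrix is nonsingular for an m-sequence, as the text notes."""
    n = len(bits) // 2
    rows = [bits[t:t + n] + [bits[t + n]] for t in range(n)]   # augmented matrix
    for col in range(n):
        pivot = next(r for r in range(col, n) if rows[r][col])
        rows[col], rows[pivot] = rows[pivot], rows[col]
        for r in range(n):
            if r != col and rows[r][col]:
                rows[r] = [x ^ y for x, y in zip(rows[r], rows[col])]
    return [rows[i][n] for i in range(n)]


if __name__ == "__main__":
    for t, st in enumerate(states_as_strings(TAPS, INITIAL, 32)):
        print(t, st)                                   # reproduces Table 8
    seq = output_sequence(TAPS, INITIAL, 31)
    print("period:", period(TAPS, INITIAL), " ones:", sum(seq), " zeros:", 31 - sum(seq))
    print("c(a) for a = 1..30 takes the values", set(autocorrelation(seq, a) for a in range(1, 31)))
    print("taps recovered from s_0..s_9:", recover_taps(seq[:10]))
    print("period of the reducible register:", period(REDUCIBLE_TAPS, INITIAL))
```

Run as a script, the block prints the 32 states of Table 8, a period of 31 with 16 ones and 15 zeros, a single autocorrelation value −1/31 for every out-of-phase shift, and the taps [1, 0, 0, 1, 0] recovered from ten bits; the reducible register from the same initial state returns to it after a divisor of 21 pulses, never 31.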

Let SR1 and SR2 be two shift registers with m and n stages, respectively (m > 1, n > 1), such that each has a linear feedback function. We denote the stages of SR1 by A_0, ..., A_{m−1} and those of SR2 by B_0, ..., B_{n−1}. Furthermore we let a_i(t) and b_j(t) denote the contents of A_i and B_j at time t. To define a multiplexed sequence we assume that both shift registers have primitive characteristic polynomials, i.e. that SR1 generates a binary sequence (a_t) of period 2^m − 1 and SR2 generates a binary sequence (b_t) of period 2^n − 1. A multiplexer is a device used to produce a sequence, which we call a multiplexed sequence, related to the states of SR1 and SR2 in the following way. We first choose an integer k in the range 1 ≤ k ≤ m. We can only choose k = m if 2^m − 1 ≤ n, and if k ≠ m then k must also satisfy 2^k ≤ n. Having chosen k we now choose k stages a_{x_1}, a_{x_2}, ..., a_{x_k} of SR1 and, for convenience, we assume 0 ≤ x_1 < x_2 < ... < x_k ≤ m − 1. At any time t, the binary k-tuple (a_{x_1}(t), a_{x_2}(t), ..., a_{x_k}(t)) is interpreted as the binary representation of a natural number which we denote by N_t. Clearly, 0 ≤ N_t ≤ 2^k − 1, but if k = m then, since the binary m-tuple (0, 0, ..., 0) is never a state, we can improve the inequality slightly to 1 ≤ N_t ≤ 2^m − 1. If k < m we choose an injective mapping θ: {0, 1, ..., 2^k − 1} → {0, 1, ..., n − 1}, whereas if k = m we choose an injective mapping θ: {1, 2, ..., 2^k − 1} → {0, 1, ..., n − 1}. (Note that the restrictions on k guarantee the existence of such a mapping.) With these choices of k, x_1, x_2, ..., x_k and θ we define a new sequence (u_t), called a multiplexed sequence, by u_t = b_{θ(N_t)}(t). Basically all that the multiplexer does is pick one of the stages of SR2 at each time t, namely B_{θ(N_t)}. But, for any t and any i, b_i(t) = b_0(t + i) = b_{t+i}, which means u_t = b_{t+θ(N_t)} for every t. This is such an important concept that it is worth including a small example. The following is an illustration of a multiplexed sequence with m = 3 and n = 4 and is shown in Fig. 15.

We will assume that the initial state of SR1 is 100 and that of SR2 is 1000. For this example we take k = 2, x_1 = 0, x_2 = 1 and let θ be the mapping {0, 1, 2, 3} → {0, 1, 2, 3} given by θ(0) = 2, θ(1) = 3, θ(2) = 0, θ(3) = 1.

The first seven states of each register are

 t     0     1     2     3     4     5     6
SR1    100   001   010   101   011   111   110
SR2    1000  0001  0011  0111  1111  1110  1101

From this we see that N_0 = 2, N_1 = 0, N_2 = 1, N_3 = 2, N_4 = 1, N_5 = 3 and N_6 = 3. Thus θ(N_0) = 0, θ(N_1) = 2, θ(N_2) = 3, θ(N_3) = 0, θ(N_4) = 3, θ(N_5) = 1, θ(N_6) = 1 and, finally, u_0 = b_0(0) = 1, u_1 = b_2(1) = 0, u_2 = b_3(2) = 1, u_3 = b_0(3) = 0, u_4 = b_3(4) = 1, u_5 = b_1(5) = 1 and u_6 = b_1(6) = 1.

Straightforward computation gives the first 120 terms of (u_t) as:

1 0 1 0 1 1 1 1 0 1 0 0 0 0 0 0 1 0 1 1 1 1 1 1 1 0 1 0 0 0
0 0 1 1 1 1 0 0 0 1 1 1 1 1 0 1 1 0 1 1 1 1 1 1 0 1 1 0 0 0
0 0 0 0 1 0 1 0 1 0 0 0 1 0 0 0 0 0 1 1 1 1 0 1 1 1 0 1 0 1
0 0 1 1 1 0 1 0 0 1 0 1 1 0 1 1 0 1 0 1 1 1 1 0 1 0 0 0 0 0

In any multiplexed sequence each entry depends on theprevious states of both registers. So as soon as the two statesrepeat simultaneously the multiplexed sequence must begin torepeat itself. Thus we have Result 6.


Result 6
The multiplexed sequence is periodic with period p ≤ (2^m − 1)(2^n − 1).

Note that in the example p = 105 = (2^3 − 1)(2^4 − 1). A great deal is known about the period of multiplexed sequences, and, more importantly, about their linear equivalences. We will restrict our attention to the situation where the multiplexed sequence is longer than that which can be obtained from either register. For reasons which we will not even begin to explain this means we will assume n ≥ m.

The following result shows precisely when p is as large as possible.

[Fig. 15: SR1 and SR2 feeding a multiplexer; the multiplexer output is the multiplexed sequence]

Fig. 15 Example of multiplexed sequence

Result 7
If n ≠ m and (2^m − 1, (2^n − 1)/(2^{(m,n)} − 1)) = 1 then the period of a multiplexed sequence is lcm(2^m − 1, 2^n − 1). So, in particular, if (m, n) = 1 the period is (2^m − 1)(2^n − 1).

Result 7 is rather powerful and a little surprising. It does not depend on either characteristic polynomial, the value of k or the choice of θ. If we write p = 2^m − 1 and e = 2^n − 1 then one example of the type of result obtainable with respect to randomness is Result 8.

Result 8
If (m, n) = 1 the mean value of the out-of-phase autocorrelation is

$$\frac{p - e}{e(pe - 1)} \approx \frac{1}{e^2} - \frac{1}{pe}$$

Since (1/e^2) − (1/pe) is small this is encouraging, but, of course, the mean itself gives no information about specific values of c(a).

It is desirable to have c(a) close to zero for all a in the range 1 ≤ a ≤ pe − 1. It is fairly straightforward to show that if n is large in comparison with m then c(a) ≈ −1/(2^n − 1) for most values of a.

We are now in the situation where we can generate a se-quence with a large period and with reasonable statistical pro-perties. However we do not yet know if it is suitable as abuilding block for our 'random' sequence. To help decide thiswe need to know its linear equivalence. An example of thetype of result that can be obtained is Result 9.

Result 9
If (m, n) = 1 the linear equivalence d of a multiplexed sequence is related to the k stages selected from SR1 in the following way:

(a) $d \le n \sum_{i=0}^{k} \binom{m}{i}$ if 1 ≤ k ≤ m − 1, with equality if k = 1, 2, m − 1 or if the k stages are spaced at equal intervals;

(b) d = n(2^m − 1) if k = m.

It should be noted that if the k stages are unevenly distributed then equality need not occur in (a). Although Result 9 does not tell us d for all possible situations it does mean that, by suitable choices of m, n and k, we can use two linear shift registers to obtain a sequence of controllable linear equivalence, i.e. one for which we know precisely the length of the smallest linear register that might produce it. Of course, in practice, many more results concerning the nonlinearity of this system are necessary. Details of the results in this Section can be found in References 11 and 53.
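The multiplexer example above and Results 6 to 9, checked by computation. This is an added example, not code from the paper or from its authors. The feedback functions of SR1 and SR2 are not stated in the paper; they are inferred here from the seven states it lists (SR1: s_0 + s_1, SR2: s_0 + s_3) and are therefore an assumption of the example, as are all names in the code. The block reproduces the 120 terms printed above, finds the period 105 of Result 6, compares the mean out-of-phase autocorrelation over one period with Result 8's (p − e)/(e(pe − 1)) for p = 7, e = 15, and measures the linear equivalence with the Berlekamp-Massey algorithm of Reference 65, which finds the shortest register with linear feedback that generates a given sequence. Here k = 2, so Result 9(a) holds with equality and predicts d = 4 · (1 + 3 + 3) = 28.

```python
from fractions import Fraction
from itertools import islice
from math import comb

# Constructed to match the paper's example: m = 3, n = 4, k = 2, x_1 = 0, x_2 = 1.
# The feedback functions are not stated in the paper; they are inferred from
# the seven states it lists (an assumption of this example):
#   SR1: s_0 + s_1, i.e. f(x) = x^3 + x + 1;  SR2: s_0 + s_3, i.e. f(x) = x^4 + x^3 + 1.
SR1_TAPS, SR1_INIT = [1, 1, 0], [1, 0, 0]
SR2_TAPS, SR2_INIT = [1, 0, 0, 1], [1, 0, 0, 0]
STAGES = (0, 1)                       # the k stages x_1, x_2 of SR1 read by the multiplexer
THETA = {0: 2, 1: 3, 2: 0, 3: 1}      # the injective mapping theta of the paper

# The first 120 terms of (u_t) as printed in the paper, transcribed for comparison.
PAPER_120 = (
    "1010111101" "0000001011" "1111101000" "0011110001"
    "1111011011" "1111011000" "0000101010" "0010000011"
    "1101110101" "0011101001" "0110110101" "1110100000"
)


def lfsr(taps, state):
    """Successive states of a shift register with linear feedback into its last stage."""
    while True:
        yield state
        state = state[1:] + [sum(c & s for c, s in zip(taps, state)) % 2]


def multiplexed(length):
    """u_t = b_{theta(N_t)}(t), where N_t is the number whose binary representation
    (most significant bit first) is (a_{x_1}(t), ..., a_{x_k}(t))."""
    out = []
    for a, b in islice(zip(lfsr(SR1_TAPS, SR1_INIT), lfsr(SR2_TAPS, SR2_INIT)), length):
        n_t = 0
        for x in STAGES:
            n_t = 2 * n_t + a[x]
        out.append(b[THETA[n_t]])
    return out


def least_period(seq):
    """Smallest p such that seq[t] == seq[t + p] wherever both terms exist."""
    for p in range(1, len(seq)):
        if all(seq[t] == seq[t + p] for t in range(len(seq) - p)):
            return p
    return len(seq)


def mean_autocorrelation(cycle):
    """Mean of c(a) = (agreements - disagreements)/P over 1 <= a <= P - 1 (Result 8)."""
    P = len(cycle)
    total = Fraction(0)
    for a in range(1, P):
        agree = sum(1 for t in range(P) if cycle[t] == cycle[(t + a) % P])
        total += Fraction(2 * agree - P, P)
    return total / (P - 1)


def berlekamp_massey(seq):
    """Linear equivalence of seq, i.e. the length L of the shortest shift register
    with linear feedback that generates it, by the Berlekamp-Massey algorithm over
    GF(2) (at least 2L terms are needed).  Returns (L, C) where C lists the
    connection polynomial: seq[i] = sum_{j=1..L} C[j] * seq[i - j] (mod 2) for i >= L."""
    n = len(seq)
    C, B = [1] + [0] * n, [1] + [0] * n
    L, m = 0, -1
    for i in range(n):
        d = seq[i]
        for j in range(1, L + 1):
            d ^= C[j] & seq[i - j]
        if d:
            T = C[:]
            shift = i - m
            for j in range(n + 1 - shift):
                C[j + shift] ^= B[j]
            if 2 * L <= i:
                L, m, B = i + 1 - L, i, T
    return L, C[:L + 1]


def result_9_bound(m, n, k):
    """n * sum_{i=0}^{k} C(m, i), the bound of Result 9(a) (an equality for k = 2)."""
    return n * sum(comb(m, i) for i in range(k + 1))


if __name__ == "__main__":
    u = multiplexed(210)                      # two periods
    print("matches the paper's 120 terms:", "".join(map(str, u[:120])) == PAPER_120)
    print("period:", least_period(u), "(Result 6/7: (2^3 - 1)(2^4 - 1) = 105)")
    print("mean out-of-phase autocorrelation:", mean_autocorrelation(u[:105]),
          "  Result 8:", Fraction(7 - 15, 15 * (7 * 15 - 1)))
    print("linear equivalence:", berlekamp_massey(u)[0], "  Result 9:", result_9_bound(3, 4, 2))
```

The run shows that the mean autocorrelation over the 105-term period is exactly (7 − 15)/(15 · 104) = −1/195, as Result 8 states, and that the linear equivalence is 28, seven times that of SR2 alone: two registers of 3 and 4 stages produce a sequence that Result 5 would need a 28-stage linear register (and 56 known bits) to reconstruct, which is the "controllable linear equivalence" the text refers to.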

7 Public-key cryptology

The security of the early 'pencil and paper' cipher systems was, as we have seen, minimal, and relied on the secrecy of both the key and the enciphering algorithm. As systems improved it became feasible to allow the cryptographer to make assumptions A1, A2 and A3. In particular this meant that the designer assumed that his algorithm was known, and that all security lay within the key. Although not easy, it was certainly possible to design systems which had a good chance of remaining secure under these assumptions. However, any system discussed so far, whether good or bad, has had the requirements that, prior to the transmission of each message, the sender and receiver must have agreed on the key, and that this key must remain secret. These requirements pose many problems. For instance, as we saw in the case of the one-time pad, if the key is too large then transmitting it and keeping it secret is just as great a problem as disguising a message. Although we have not discussed it in this paper, the general problems of key management must not be underestimated.

As recently as 1976, Diffie and Hellman [24] suggested a way of overcoming some of these problems. They observed that the key is essentially in two (not, of course, unrelated) 'halves': the encipherment key and the decipherment key. Although the decipherer needs to know the key used by the encipherer, there is no reason whatsoever why the encipherer needs to know the decipherment key. In the systems which they proposed, called public-key cryptosystems, they suggest that, as well as the enciphering algorithm, the encipherment key should also be made public. In the systems which we have discussed so far, knowledge of the encipherment key and procedure would enable a cryptanalyst to deduce the decipherment key. For a public-key system we require a situation where, given the encipherment procedure and key, and, perhaps, even the decipherment procedure, it is impossible, or at least computationally infeasible, to deduce the decipherment key. Once we have such a system, then anyone wishing to use it will be assigned an encipherment key which will be published in a public directory. Anyone wishing to send a message to one of the users will merely consult the directory to see which encipherment key he should use. In this way any user, who will of course have his own secret decipherment key, will be able to decipher any cryptogram without even needing to know the identity of the sender.

The idea of a public-key system is both ingenious and revolutionary. It has not as yet been largely adopted in practice, but a number of suggestions for possible systems have been published. Two of the most realistic are due to Merkle and Hellman [70] and Rivest, Shamir and Adleman [92]. The former system is based on the famous knapsack problem. This problem has been shown to be NP-complete, which implies there is no known polynomial time solution. We will not discuss it here but refer the interested reader to References 11 and 38. The security of the second system, called the RSA system, lies in the difficulty of the problem of factoring large integers. This is another example of a problem with no known polynomial time solution. In order to present some of the evidence to support the claim that a public-key system might work, we will say a little about the RSA system. However, since so much of the recent literature on cryptology is devoted to public-key systems [1, 2, 11, 14, 20, 21, 24, 40, 49, 59, 61, 62, 68, 89, 91, 98, 100-102], we will be very brief.


For the RSA system the public encipherment key is a pair of positive integers h and n. Before encipherment each message must be divided into blocks which can be encoded as an integer between 0 and n − 1. (One typical coding system is simply to put a = 01, b = 02, ..., y = 25, z = 26.) Each block m_i of the message is then enciphered by raising it to the hth power (modulo n). Thus, if c_i is the corresponding ciphertext block, c_i is the integer between 0 and n − 1 satisfying c_i = m_i^h (mod n). To decipher we raise c_i to another power d such that m_i = c_i^d (mod n). Thus in order to obtain an RSA system we must be able to generate triples of integers h, d and n such that h and d have the required properties modulo n; namely if y = x^h (mod n) then x = y^d (mod n). The security then relies on the fact that knowledge of h and n will not enable a cryptanalyst to determine d. One obvious requirement then is that the integers must be large.

In the proposed system n is the product of two large primes p and q. We will not discuss the problem of finding large primes but stress that, although n is made public, p and q must be kept secret. For reasons which we will not explain, h is chosen to be a large random integer satisfying (h, (p − 1)(q − 1)) = 1 and d is then computed so that dh = 1 (mod (p − 1)(q − 1)). Any values for n, h and d chosen in this way will work, and it should be clear that there are many choices for n and, for any given n, many choices for h. However, for any given h and n, d is unique. It is also true, although again we offer no justification, that the implementation of the encipherment and decipherment procedures is reasonably straightforward.

From the last paragraph it is clear that knowledge of p, q and h would enable a cryptanalyst to determine d, and so to break the system. But, as we have stressed, it is extremely unlikely that a cryptanalyst would be able to determine p and q from n. It is not, unfortunately, certain that it is necessary for him to factor n before he can break the system. There are a number of papers which discuss the security of the RSA system and in Reference 49 there is even a suggestion for a possible cryptanalysis algorithm. (It is worth noting that this method actually attempts to decipher cryptograms without determining the deciphering key.) Further research is continuing to determine the level of security offered by the RSA system, and other public-key systems. It certainly appears promising and highly likely that public-key systems will be adopted for some cryptological applications.
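The RSA procedure of the last three paragraphs, as an added example that is not code from the paper or from Rivest, Shamir and Adleman. It uses the paper's letter coding a = 01, ..., z = 26, toy primes p = 61 and q = 53 (so n = 3233, far too small for real use, which is precisely the point of the sentence about the integers needing to be large) and h = 17; all function names are this example's own. The last function shows that for a modulus of this size p and q, and with them d, fall out of trial division at once.

```python
from math import gcd, isqrt

# Toy parameters, constructed for this example: real RSA moduli have hundreds
# of digits, which is the whole point of "the integers must be large".
P, Q, H = 61, 53, 17


def rsa_triple(p, q, h):
    """Build (h, d, n) as the paper describes: n = pq, h coprime to
    (p - 1)(q - 1), and d the unique solution of dh = 1 (mod (p - 1)(q - 1))."""
    phi = (p - 1) * (q - 1)
    if gcd(h, phi) != 1:
        raise ValueError("h must satisfy (h, (p - 1)(q - 1)) = 1")
    return h, pow(h, -1, phi), p * q


def letters_per_block(n):
    """Largest number of letters whose two-digit codes always give a block below n."""
    count = 1
    while int("26" * (count + 1)) < n:
        count += 1
    return count


def encode(text, n):
    """a = 01, b = 02, ..., z = 26, packed into blocks m_i in the range 0 .. n-1."""
    width = 2 * letters_per_block(n)
    digits = "".join("%02d" % (ord(ch) - ord("a") + 1) for ch in text)
    return [int(digits[i:i + width]) for i in range(0, len(digits), width)]


def decode(blocks):
    """Inverse of encode; restores the leading zero a block such as 0805 loses as an int."""
    text = ""
    for block in blocks:
        digits = str(block)
        if len(digits) % 2:
            digits = "0" + digits
        text += "".join(chr(int(digits[i:i + 2]) + ord("a") - 1) for i in range(0, len(digits), 2))
    return text


def encipher(blocks, h, n):
    """c_i = m_i^h (mod n), by modular exponentiation."""
    return [pow(m, h, n) for m in blocks]


def decipher(blocks, d, n):
    """m_i = c_i^d (mod n)."""
    return [pow(c, d, n) for c in blocks]


def trial_division(n):
    """Recover (p, q) from n by trial division: instantaneous for a toy modulus,
    hopeless for a properly sized one, which is where the security lies."""
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    return None


if __name__ == "__main__":
    h, d, n = rsa_triple(P, Q, H)
    blocks = encode("hello", n)
    cipher = encipher(blocks, h, n)
    print("public key (h, n) =", (h, n), " secret d =", d)
    print("blocks", blocks, "-> ciphertext", cipher, "->", decode(decipher(cipher, d, n)))
    p, q = trial_division(n)
    print("factors of n:", (p, q), "-> d recomputed from them:", rsa_triple(p, q, h)[1])
```

With these parameters the public key is (17, 3233) and d = 2753; "hello" becomes the blocks 0805, 1212, 15, which round-trip through encipher and decipher, and the identity x = (x^h)^d (mod n) holds for every x in 0 .. n − 1, not only for blocks coprime to n.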

8 Acknowledgments

We would like to thank the British Science Museum for Fig. 2 and Racal-Comsec Ltd. for Figs. 8 and 9. We would also like to thank Racal-Comsec Ltd. and Westfield College for their support in the preparation of this article.

9 References*

* A more complete bibliography of cryptological books and papers can be found in Reference 11.

1 ADLEMAN, L.M., and RIVEST, R.L.: 'How to break the Lu-Lee public-key cryptosystem' (MIT Lab. for Comp. Sci., 1979)

2 ARAZI, B.: 'A trapdoor multiple mapping', IEEE Trans., 1980, IT-26, pp. 100-102

3 BARKER, W.G.: 'Cryptanalysis of the Hagelin Cryptograph' (Aegean Park Press, 1977)

4 BEKER, H.J.: 'Cryptographic requirement for digital secure speech systems', Elect. Eng., 1980, 52, pp. 37-46

5 BEKER, H.J.: 'Cryptography for radio communications applications', Comms. Eng. Int., 1980, 2, pp. 36-41

6 BEKER, H.J.: 'Security in an electronic fund transfer system', Inform. Privacy, 1980, 2, pp. 185-189

7 BEKER, H.J.: 'Cryptography - what is a cipher system', New Electron., 1980, 13, (23), pp. 29-31

8 BEKER, H.J.: 'Cryptography - modern cipher systems', ibid., 1980, 13, (24), pp. 29-33

9 BEKER, H.J.: 'Digital secure speech systems', Proc. IERE, 1981, 50, pp. 237-246

10 BEKER, H.J., and PIPER, F.C.: 'Shift register sequences'. Proceedings of 8th British Combinatorial Conference, 1981, pp. 56-79

11 BEKER, H.J., and PIPER, F.C.: 'Cipher systems: the protection of communications' (Northwood Books, 1982)

12 BENTON, J.B.: 'Economics and use of electronic fund transfer', Telecommunications, 1978, 12, (5), pp. 35-41

13 BIRDSALL, T.G., and RISTENBATT, M.P.: 'Introduction to linear shift-register generated sequences'. University of Michigan Research Institute, 1958, Technical report 90

14 BLAKLEY, B., and BLAKLEY, G.R.: 'Security of number theoretic public-key cryptosystems against random attack, I, II and III', Cryptologia, 1978, 2, pp. 305-321; 1979, 3, pp. 29-42 and 105-118

15 BRANSTAD, D.K.: 'Draft guidelines for implementing and using the NBS Data Encryption Standard' (NBS, 1975)

16 BRANSTAD, D.K.: 'Encryption protection in computer data communications'. Proceedings of 4th data communications symposium, Quebec City, Canada, 1975

17 BRANSTAD, D.K. (Ed.): 'Computer security and the Data Encryption Standard'. Proceedings of the conference at Gaithersburg, Maryland, 1977

18 BRUNNER, E.R.: 'Speech security systems today and tomorrow' (Gretag Ltd. publication, 1980)

19 DAVIES, D.W.: 'Limits to computation'. Note from NPL, 1980

20 DAVIES, D.W., and PRICE, W.L.: 'The applications of digital signatures based on public-key cryptosystems'. NPL report DNACS 39/80, 1980

21 DAVIES, D.W., PRICE, W.L., and PARKIN, G.I.: 'An evaluation of public-key cryptosystems'. NPL Report CTU 1, 1980

22 DAVIES, R.: 'The Data Encryption Standard in perspective', IEEE Comms. Soc. Mag., 1978, 16, (6), pp. 5-10

23 DEAVOURS, C.A.: 'Unicity points in cryptanalysis', Cryptologia, 1977, 1, pp. 46-68

24 DIFFIE, W., and HELLMAN, M.E.: 'New directions in cryptography', IEEE Trans., 1976, IT-22, pp. 644-654

25 DIFFIE, W., and HELLMAN, M.E.: 'A critique of the proposed Data Encryption Standard', Comm. ACM, 1976, 19, pp. 164-165

26 DIFFIE, W., and HELLMAN, M.E.: 'Cryptanalysis of the NBS Data Encryption Standard'. Stanford University report MEH-76-2, 1976

27 DONN, E.S.: 'Secure your digital data', Electron. Eng., 1972, pp. 5-7

28 EHRSAM, W.F., MATYAS, S.M., MEYER, C.H., and TUCHMAN, W.L.: 'Cryptographic key management scheme for implementing the Data Encryption Standard', IBM Syst. J., 1978, 17, pp. 106-125

29 ERICKSON, C.: 'Encryption - an ancient art enhanced by LSI', Fairchild J. Semiconductor, 1979, 7, pp. 4-11

30 EVANS, A., KANTROWITZ, W., and WEISS, E.: 'A user authentication scheme not requiring secrecy in the computer', Comm. ACM, 1974, 17, pp. 437-442

31 FEISTEL, H.: 'Cryptographic coding for data-bank privacy'. IBM T.J. Watson Research Center, Research Report RC-2827, 1970

32 FEISTEL, H.: 'Cryptography and computer privacy', Scientific American, 1973, 228, pp. 15-23

33 FEISTEL, H.: 'Block cipher cryptographic system'. US Patent 3798359, 1974

34 FEISTEL, H., NOTZ, W.A., and SMITH, J.L.: 'Some cryptographic techniques for machine-to-machine data communications', Proc. IEEE, 1975, 63, pp. 1545-1554

35 FRIEDMAN, W.F.: 'Military cryptanalysis' (US Government Printing Office, 1944)

36 GAINES, H.F.: 'Cryptanalysis, a study of ciphers and their solution' (Dover, 1956)

37 GALLOIS, A.P.: 'Communication privacy using digital techniques', Electronics & Power, 1976, 22, pp. 777-780

38 GAREY, M.R., and JOHNSON, D.S.: 'Computers and intractability: a guide to the theory of NP-completeness' (W.H. Freeman & Co., 1979)

39 GEBLER, P.: 'Implementations of the DES algorithm', Electr. Prod. Design, 1980, pp. 52-54

40 GOETHALS, J.M., and COUVREUR, C.: 'A cryptanalytic attack on the Lu-Lee public-key cryptosystem', Philips J. Res., 1980, 35, pp. 301-306

41 GOLOMB, S.W.: 'Shift register sequences' (Holden-Day, 1967)

42 GOOD, I.J.: 'On the serial test for random sequences', Ann. Math. Statist., 1957, 28, pp. 262-264

43 GREEN, D.H., and DIMOND, K.R.: 'Polynomial representation of non-linear feedback shift registers', Proc. IEE, 1970, 117, (1), pp. 56-60

44 GREEN, D.H., and DIMOND, K.R.: 'Non-linear product-feedback shift registers', ibid., 1970, 117, (4), pp. 681-686


45 GROSSMAN, E.K., and TUCKERMAN, B.: 'Analysis of a Feistel-like cipher weakened by having no rotating key'. IBM Thomas J. Watson Research Center Report, 1977

46 GROTH, E.J.: 'Generation of binary sequences with controllable complexity', IEEE Trans., 1971, IT-17, pp. 288-296

47 HELLMAN, M.E.: 'The information theoretic approach to cryptography', Stanford University Report, 1974

48 HELLMAN, M.E.: 'Results of an initial attempt to cryptanalyse the NBS Data Encryption Standard'. Stanford University Report SEL 76-042, 1976

49 HERLESTAM, T.: 'Critical remarks on some public-key cryptosystems', BIT, 1978, 18, pp. 493-496

50 HINDON, H.J.: 'Cipher-shifters fight it out', Electronics, 1979, pp. 81-82

51 HOUGHTON, M.R.: 'An introduction to electronic fund transfer techniques', Commun. Int., 1980, 17, pp. 32-33

52 JAYANT, N.S., McDERMOTT, B.J., CHRISTENSEN, S.W., and QUINN, A.M.S.: 'A comparison of four methods for analog speech privacy', IEEE Trans., 1981, COM-29, pp. 18-23

53 JENNINGS, S.M.: 'A special class of binary sequences'. Ph.D. thesis, University of London, 1980

54 KAHN, D.: 'The codebreakers: the story of secret writing' (Macmillan, New York, 1967)

55 KEY, E.L.: 'An analysis of the structure and complexity of non-linear binary sequence generators', IEEE Trans., 1976, IT-22, pp. 732-736

56 KHINCHIN, A.I.: 'Mathematical foundations of information theory' (Dover Publications, 1957)

57 KIRCHHOFER, K.H.: 'Secure voice communication - cryptophoning', Int. Def. Rev., 1976

58 KNUTH, D.E.: 'The art of computer programming. Vol. 2: seminumerical algorithms' (Addison-Wesley, 1973)

59 KONHEIM, A.G.: 'Cryptography: a primer' (John Wiley & Sons, 1981)

60 KULLBACK, S.: 'Statistical methods in cryptanalysis' (Aegean Park Press, 1976)

61 LeVEQUE, W.J.: 'Fundamentals of number theory' (Addison-Wesley, 1977)

62 LU, S.C., and LEE, L.N.: 'A simple and effective public-key cryptosystem', Comsat Tech. Rev., 1979, 9, pp. 15-24

63 MACKINNON, N.R.F.: 'The development of speech encipherment', Radio & Electron. Eng., 1980, 50, pp. 147-155

64 MACWILLIAMS, F.J., and SLOANE, N.J.A.: 'The theory of error-correcting codes' (North-Holland Publishing Co., 1978)

65 MASSEY, J.L.: 'Shift register synthesis and BCH decoding', IEEE Trans., 1969, IT-15, pp. 112-127

66 MATYAS, S.M., and MEYER, C.H.: 'Generation, distribution and installation of cryptographic keys', IBM Syst. J., 1978, 17, pp. 126-137

67 McCALMONT, A.M.: 'Communications security for voice techniques systems and operations', Telecommunications, 1973, pp. 35-42

68 McELIECE, R.J.: 'A public-key cryptosystem based on algebraic coding theory'. DSN Report 42-44, 1978

69 MEIER, P.: 'Die menschliche Sprache digital analysiert und optisch dargestellt' (Folge XVII, Krieg im Aether, 1978)

70 MERKLE, R.C., and HELLMAN, M.E.: 'Hiding information and signatures in trapdoor knapsacks', IEEE Trans., 1978, pp. 525-530

71 MEYER, C.H., and TUCHMAN, W.L.: 'Pseudorandom codes can be cracked', Elec. Des., 23, 1972

72 MEYER, C.H.: 'Design considerations for cryptography'. AFIPS Conference Proceedings 42, 1973, pp. 603-606

73 MEYER, C.H.: 'Enciphering data for secure transmission', Comput. Des., 1974, pp. 129-134

74 MOOD, A.M.: 'The distribution theory of runs', Ann. Math. Statist., 1940, 11, pp. 367-392

75 MORRIS, R., SLOANE, N.J.A., and WYNER, A.D.: 'Assessment of the National Bureau of Standards proposed Federal Data Encryption Standard', Cryptologia, 1977, 1, pp. 281-306

76 MORRIS, R.: 'The Hagelin cipher machine (M-209). Reconstruction of the internal settings', ibid., 1978, 2, pp. 267-289

77 MORRIS, R.: 'The Data Encryption Standard - retrospective and prospects', IEEE Comms. Soc. Mag., 1978, 16, pp. 11-14

78 MYKKELTVEIT, J.: 'Non-linear recurrences and arithmetic codes', Inform. & Control, 1977, 33, pp. 193-209

79 National Bureau of Standards: 'Encryption algorithm for computer data protection: requests for comments'. Federal Register, 1975, 12134

80 National Bureau of Standards: 'Notice of a proposed Federal Information Processing Data Encryption Standard'. Federal Register, 1975, No. 12607

81 NEEDHAM, R.M., and SCHROEDER, M.D.: 'Using encryption for authentication in large networks of computers', Comm. ACM, 1978, pp. 993-999

82 NYFFELER, P.: 'Binaere Automaten und ihre linearen Rekursionen'. Ph.D. thesis, University of Bern, 1975

83 Official Gazette of the US Patent and Trademark Office, 13th May 1975 and 31st August 1976

84 PEASE, D.L.: 'EFT systems are evolving', Telecommunications, 1978, 12, pp. 51-64

85 PETERSON, W.W., and WELDON, E.J.: 'Error correcting codes', 2nd Edn. (MIT Press, 1972)

86 PLESS, V.S.: 'Mathematical foundations of interconnected J-K flip-flops', Inform. Control, 1976, 30, pp. 128-142

87 PLESS, V.S.: 'Encryption schemes for computer confidentiality', IEEE Trans., 1977, C-26, pp. 1133-1136

88 PRATT, F.: 'Secret and urgent' (Blue Ribbon Books, New York, 1942)

89 'Telecommunications: Interoperability and security requirements for use of the Data Encryption Standard in data communications system'. Proposed Federal Standard 1026, 1980

90 RIVEST, R.L.: 'Remarks on a proposed cryptanalytic attack on the MIT public-key cryptosystem', Cryptologia, 1978, pp. 62-65

91 RIVEST, R.L.: 'Critical remarks on "Critical remarks on some public-key cryptosystems" by T. Herlestam', BIT, 1979, 19, pp. 274-275

92 RIVEST, R.L., SHAMIR, A., and ADLEMAN, L.: 'A method for obtaining signatures and public-key cryptosystems', Comm. ACM, 1978, 21, (2)

93 RONSE, C.: 'Non-linear shift registers: A survey'. MBLE Research Report R430, 1980

94 RUBIN, F.: 'Decrypting a stream cipher based on J-K flip-flops', IEEE Trans., 1979, C-28, pp. 483-487

95 SELMER, E.S.: 'Linear recurrence relations over finite fields'. University of Bergen, 1966

96 SHANNON, C.E.: 'A mathematical theory of communication', Bell Syst. Tech. J., 1948, 27, pp. 379-423 and 623-656

97 SHANNON, C.E.: 'Communication theory of secrecy systems', ibid., 1949, 28, pp. 656-715

98 SIMMONS, G.J., and NORRIS, M.J.: 'Preliminary comments on the MIT public-key cryptosystem', Cryptologia, 1977, pp. 406-414

99 SINKOV, A.: 'Elementary cryptanalysis, a mathematical approach' (Random House, New Mathematical Library No. 22, 1968)

100 SOLOVAY, R., and STRASSEN, V.: 'A fast Monte-Carlo test for primality', SIAM J. Computing, 1977, 6, pp. 84-85

101 SMITH, D.R., and PALMER, J.T.: 'Universal fixed messages and the Rivest-Shamir-Adleman cryptosystem', Mathematika, 1979, pp. 44-52

102 WILLIAMS, H.C., and SCHMID, B.: 'Some remarks concerning the MIT public-key cryptosystem', BIT, 1979, 19, pp. 525-538

103 YASAKI, E.K.: 'Encryption algorithm: Key size is the thing', Datamation, 1976, 22, pp. 164-166

104 ZIERLER, N.: 'Linear recurring sequences', J. Soc. Ind. Appl. Math., 1959, 7, pp. 31-48

105 ZIERLER, N., and MILLS, W.H.: 'Products of linear recurring sequences', J. Algebra, 1973, 27, pp. 147-151
