
Cryptology, computers, and common sense

by G. E. Mellen

Sperry Univac St. Paul, Minnesota

INTRODUCTION

With that as a title, the writer ought to give at once the meaning of the final term. Here, "common sense" is used with double intent.

First, it is a caveat to the reader that a discourse on computers and cryptology in the open literature is like a "layman's guide to worldwide espionage." It simply cannot be done. Too much is unknown. Too much (because cryptographic matters are exempt from automatic declassification) will never be known.

To the extent, then, that the author of such a paper requires a degree of chutzpah to attempt it, to the same extent he may ask of his readers an apprehension of the difficulties involved, and the forbearance not to make harsh judgment of sometimes unavoidable shortcomings.

The second meaning in which "common sense" is used alludes to the opinion that cryptography, as it pertains to the needs of many commercial users, is perhaps becoming "oversold," resulting occasionally in needless expense, operational difficulties, and a false sense of security. The defense of this thesis is deferred to later parts of the paper.

SOME DEFINITIONS

Data security is that technology, the objective of which is to prevent the interception of data, whether by wiretapping, masquerading, trap-doors, or any of the many clandestine tools of the "enemy" (see below). Data security is a technology in itself, and is not dealt with in this paper.

Cryptology and cryptography are near-synonyms, the former being somewhat wider in scope. Cryptography pertains to the means used by the originator of data to prevent the message, once intercepted, from being understood by an enemy. This is the process of encryption or encryptment, its cryptographic complement, decryption or decryptment, being the process used by the intended addressee to decipher and read the message.

The over-all algorithm for encryption and decryption is the cryptosystem, while the key refers to those unique parameters employed in a specific application of the algorithm.


The enemy is any person or organization who takes positive action to intercept and decrypt data to which he is not legitimately entitled. "Enemy" thus has a different meaning here than in a military context, the connotation of violence being absent.

Having intercepted encrypted data, the enemy's principal tool is cryptanalysis. "Enemy," "cryptanalyst," or simply "analyst" are used synonymously throughout the paper.

A code is distinguished from a cipher in that the former employs a compact group of five letters (a "pentagram," a legacy of the Morse telegraph era) to represent a message of any desired length. For example, ALOHA might mean "Shipment will be made Wednesday night." In a cipher, each element of the original message (plaintext; pt) has a counterpart in the encrypted version (ciphertext; ct). CPPLLFFQFS might represent b o o k k e e p e r. Computer-oriented readers may appreciate the analogy that a code is to a cipher what a FORTRAN statement is to the corresponding function in assembly language. The discussion in this paper is limited to ciphers.

The paper uses the following conventions: Plaintext is represented by l e t t e r s p a c i n g. Ciphertext appears in CAPITALS. The key, if literal and not numerical, is in italics (underscored in figures). The conventions are useful when p l a i n t e x t is added to p l a i n t e x t to produce key.

Another convention is the use of the English alphabet in the examples. The reader will understand that the underlying principles apply, mutatis mutandis, to any alphabet whatsoever, from the 12-letter Hawaiian alphabet, to the 256-character ASCII set, to the n-letter alphabet of the reader's own invention.

TRADITIONAL CRYPTOGRAPHY

Selected bibliography

For security reasons the bibliography of cryptography is predictably meager. There is only one comprehensive tutorial work in English for the pre-computer period, Gaines' Elementary Cryptanalysis.1 Occasional tutorial articles appear in The Cryptogram,2 the periodical of the American Cryptogram Association. Specialized technical discussions of cryptographic methods are contained in The Broken Seal3 and in The Shakespearean Ciphers Examined.4

From the collection of the Computer History Museum (www.computerhistory.org)

National Computer Conference, 1973

For the post-computer age, an outstanding tutorial work has been published by Sinkov,5 a master of the craft. In 1967, a remarkable book, Kahn's The Codebreakers,6 appeared. It is difficult to imagine a work on a subject as esoteric as cryptology being definitive, but within the confines of security, Kahn has succeeded. In addition to extensive historical coverage, he describes in sometimes surprising detail both past and current techniques of cryptography. Of special interest are the sections devoted to the cryptographic agencies and practices of the major powers, including the United States.

Basic techniques and some functional observations

The introduction of computers into cryptotechnology has affected the practice but not the underlying principles of the craft. It appears useful, therefore, to review certain of these principles in order later to show how they have evolved into the age of automation, and how, to an extent, they have carried some of their weaknesses with them.

In kernel, there are just two ways of converting plaintext to ciphertext, by substitution and by transposition. Regardless of its complexity, any cryptosystem can be shown to be either an elaboration of one of these methods or a combination of both.

Substitution types

Of the substitution types, the special-case Julius Caesar is the most familiar.* Here, each letter is replaced by the letter j places further along in the normal alphabet, where j is a constant. The substitution is performed modulo n, n being the number of letters in the alphabet. In the general case of simple substitution, any letter may replace any other letter, the substitution being invariant and usually with no letter representing itself.

Simple substitution is trivial. On occasion, though, even the trivial can breed insight. Under the rules of simple substitution, there are 25! possible "keys," or roughly 1.5 × 10^25 possibilities. The magnitude of this number can be illustrated by a computer programmed to try one key each microsecond. At that rate the machine would take about 5 × 10^11 years to run through the list. Even that number needs explication: it is some hundred times the estimated age of the Earth.

Yet most people can solve this sort of newspaper puzzle in a few minutes. Some can "sight-read" them, much as an accomplished pianist plays a piece of unfamiliar music.

* An interesting but unobtainable measure of the familiarity of the Caesar cipher would be the percentage of viewers who appreciated why, in Arthur C. Clarke's script for the motion picture "2001: A Space Odyssey," the computer was named HAL.

The moral to be gained here is that one ought not be awed solely by large numbers. When a data-encryption device is promoted as having 10^xx different keys, the cautious system designer will repress the proclivity to regard this huge number as an unchallengeable figure of merit. It is not.

Simple substitution can demonstrate still another aspect of language. Consider the cipher word ABCDE. This word may be resolved into good English in more than 6000 ways (e.g., b l a c k, g h o s t, etc.). The cipher word AABCA, however, may be resolved into English in one and only one way. There now arises an interesting question: What is the longest simple-substitution cipher which can be constructed, which can be resolved into English in one and only one way? The answer applies, in modified form, to the security of many kinds of ciphers.
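The three observations above carried through in code, as an added example for this edition (it is not from Mellen's paper): the brute-force arithmetic on 25! keys, the b o o k k e e p e r / CPPLLFFQFS substitution, and the AABCA point, the latter turned into the standard word-pattern attack, which is what makes the "newspaper puzzle" fall in minutes while exhaustion would take ages. The keyword-mixed alphabet (zebras), the word list and the message are constructed for the example.

```python
import math
import string

A = string.ascii_lowercase


def keyed_alphabet(keyword):
    """Mixed cipher alphabet: the keyword's letters (first occurrence only)
    followed by the unused letters in order; "zebras" gives zebrascdfghij..."""
    out = []
    for c in keyword.lower() + A:
        if c in A and c not in out:
            out.append(c)
    return "".join(out)


def substitute(text, cipher_alphabet, decrypt=False):
    """Simple substitution: plain a..z <-> cipher_alphabet, position by position."""
    src, dst = (cipher_alphabet, A) if decrypt else (A, cipher_alphabet)
    out = text.lower().translate(str.maketrans(src, dst))
    return out if decrypt else out.upper()


def brute_force_years(keys=math.factorial(25), keys_per_second=1_000_000):
    """Time to try every key at the stated rate, in Julian years of 31,557,600 s."""
    return keys / keys_per_second / 31_557_600


def pattern(word):
    """Repetition pattern of a word: eerie -> AABCA, black and ghost -> ABCDE."""
    labels = {}
    return "".join(chr(ord("A") + labels.setdefault(c, len(labels))) for c in word.lower())


def consistent(cipher_word, plain_word, key):
    """Can plain_word be the reading of cipher_word under the partial key?"""
    for c, p in zip(cipher_word, plain_word):
        if c in key and key[c] != p:
            return False
        if c not in key and p in key.values():  # two cipher letters never share a plaintext letter
            return False
    return True


def solve_by_patterns(ciphertext, dictionary):
    """Take the key from words whose pattern admits exactly one dictionary reading,
    then re-examine the ambiguous words in the light of what is now known."""
    by_pattern = {}
    for w in dictionary:
        by_pattern.setdefault(pattern(w), []).append(w)
    key, words, progress = {}, ciphertext.split(), True
    while progress:
        progress = False
        for cw in words:
            readings = [w for w in by_pattern.get(pattern(cw), []) if consistent(cw, w, key)]
            if len(readings) == 1:
                for c, p in zip(cw, readings[0]):
                    if c not in key:
                        key[c] = p
                        progress = True
    return key


def apply_key(ciphertext, key):
    return "".join(key.get(c, "?") if c != " " else " " for c in ciphertext)


# Constructed word list and message for the example.
DICTIONARY = ["black", "ghost", "eerie", "there", "these", "three", "the", "she",
              "keep", "kept", "secret", "secrets", "seven", "never", "level"]
KEY_ALPHABET = keyed_alphabet("zebras")
CT = substitute("the eerie ghost kept these secrets", KEY_ALPHABET)

if __name__ == "__main__":
    print(f"25! keys at one per microsecond: {brute_force_years():.2e} years")
    print(CT)
    key = solve_by_patterns(CT, DICTIONARY)
    print(apply_key(CT, key))
```

The solver never enumerates keys: AAOFA has a single reading (e e r i e) in the list, that fixes three letters, and the fixed letters in turn disambiguate QDAPA and CDLPQ, whose patterns alone (ABCDC, ABCDE) were ambiguous.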

Another form of pencil-and-paper substitution cipher is shown in Figure 1. Figure 1-A is an abbreviated version of the classic Vigenère tableau. Figure 1-B is the partial tableau which would be used for encrypting a message using the key rogue (resulting in a period of 5, since the same cipher alphabet comes back into play at every fifth pt letter). Figure 1-C shows the encryption, using rogue, of the (specially chosen) plaintext p e t e r  p i p e r  p i c k e d  a  p e c k  o f  p i c k l e d  p e p p e r s. Figure 1-D indicates how the cryptanalyst, by determining the period (and also having sufficient ciphertext, a matter to be discussed later), can arrange the ciphertext so as to permit the recovery of the plaintext.*

Figure 1-A. The Vigenère tableau (abbreviated). The "key letter" is the cipher letter under the plaintext a.

pt:  a b c d e f g h i j k l m n o p q r s t u v w x y z
     A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
     B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
     C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
     ...
     Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
     Z A B C D E F G H I J K L M N O P Q R S T U V W X Y

Figure 1-B. The partial tableau for the key rogue.

pt:  a b c d e f g h i j k l m n o p q r s t u v w x y z
r:   R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
o:   O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
g:   G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
u:   U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
e:   E F G H I J K L M N O P Q R S T U V W X Y Z A B C D

Figure 1-C. Encryption using the key rogue.

pt:  p e t e r p i p e r p i c k e d a p e c k o f
key: r o g u e r o g u e r o g u e r o g u e r o g
ct:  G S Z Y V G W V Y V G W I E I U O V Y G B C L

pt:  p i c k l e d p e p p e r s
key: u e r o g u e r o g u e r o
ct:  J M T Y R Y H G S V J I I G

Figure 1-D. Ciphertext set up by period for cryptanalysis.

G S Z Y V
G W V Y V
G W I E I
U O V Y G
B C L J M
T Y R Y H
G S V J I
I G

Figure 1: Facets of Vigenère cryptography
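The attack Figure 1-D sets up, as an added example (written for this edition, not part of the paper): the Figure 1 encryption reproduced, then the two statistical steps the text alludes to, recovery of the period with the index of coincidence on the Figure 1-D columns, and recovery of each column's Caesar shift by a frequency count. The 37-letter tongue twister is too short for either statistic to settle, so a longer constructed English passage is enciphered under rogue; the English letter-frequency table and the 0.055 decision threshold are ordinary working values, not figures from the paper.

```python
import string
from collections import Counter

A = string.ascii_lowercase

# Relative frequencies (percent) of letters in English prose, a standard table.
ENGLISH = dict(zip(A, [8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97,
                        0.15, 0.77, 4.03, 2.41, 6.75, 7.51, 1.93, 0.10, 5.99,
                        6.33, 9.06, 2.76, 0.98, 2.36, 0.15, 1.97, 0.07]))


def letters_only(text):
    return "".join(c for c in text.lower() if c in A)


def vigenere(text, key, decrypt=False):
    """Vigenère tableau: ct = pt + key (mod 26); the key repeats with period len(key)."""
    key = letters_only(key)
    out = []
    for i, c in enumerate(letters_only(text)):
        k = A.index(key[i % len(key)])
        out.append(A[(A.index(c) + (-k if decrypt else k)) % 26])
    result = "".join(out)
    return result if decrypt else result.upper()


def index_of_coincidence(column):
    """Chance that two letters drawn from the column coincide: about 0.066 for
    English under one alphabet, about 0.038 for letters spread over many."""
    n = len(column)
    return sum(v * (v - 1) for v in Counter(column).values()) / (n * (n - 1)) if n > 1 else 0.0


def columns(ct, period):
    """The Figure 1-D layout: every period-th letter forms one column."""
    return [ct[i::period] for i in range(period)]


def recover_period(ct, max_period=12, threshold=0.055):
    """Smallest period whose columns all look monoalphabetic."""
    ct = letters_only(ct)
    for d in range(1, max_period + 1):
        if sum(index_of_coincidence(c) for c in columns(ct, d)) / d >= threshold:
            return d
    return None


def best_shift(column):
    """Caesar shift under which the column's letter counts best fit ENGLISH (chi-squared)."""
    n = len(column)
    scores = []
    for s in range(26):
        counts = Counter(A[(A.index(c) - s) % 26] for c in column)
        expected = {p: n * ENGLISH[p] / 100 for p in A}
        scores.append((sum((counts[p] - expected[p]) ** 2 / expected[p] for p in A), s))
    return min(scores)[1]


def recover_key(ct, period):
    """One frequency count per column yields that column's key letter."""
    return "".join(A[best_shift(col)] for col in columns(letters_only(ct), period))


# Constructed sample: a few hundred letters of ordinary English.
SAMPLE = (
    "of the substitution types the special case of julius caesar is the most "
    "familiar here each letter is replaced by the letter some fixed number of "
    "places further along in the normal alphabet simple substitution is trivial "
    "but even the trivial can breed insight under the rules of simple substitution "
    "there are a staggering number of possible keys yet most people can solve this "
    "sort of newspaper puzzle in a few minutes the moral to be gained here is that "
    "one ought not be awed solely by large numbers when a device is promoted as "
    "having an enormous number of different keys the cautious designer will repress "
    "the proclivity to regard this huge number as a figure of merit it is not given "
    "sufficient ciphertext and a small enough period the period can be recovered and "
    "once it is known each column is nothing more than a caesar alphabet which "
    "yields at once to a frequency count"
)
LONG_CT = vigenere(SAMPLE, "rogue")

if __name__ == "__main__":
    print(vigenere("peter piper picked a peck of pickled peppers", "rogue"))
    d = recover_period(LONG_CT)
    print(d, recover_key(LONG_CT, d))
```

Once the period is known, each column is a Caesar alphabet and the whole key falls to five frequency counts; nothing about the 26^5 possible keys enters into it.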

The Vigenère and its many variants (of which there are 24, some having names such as the Beaufort and St. Cyr) are susceptible to analysis both by this method, which relies on frequency counts of individual letters, bigrams, etc., and by differential methods particularly well suited for computer implementation.7

Another kind of polyalphabetic substitution is shown in Figure 2. In place of the predictable alphabets of the Vigenère kind, the cipher alphabets are randomly generated and unrelated to one another. A total of 26!, or about 4 × 10^26, alphabets are available,** of which just ten are used here. Instead of enciphering the plaintext by means of a periodic key, a nonrepetitive key (in this example, pi) is used. The resulting ciphertext is secure until a persistent analyst distributes the cipher letters into ten groups, using the digits of pi as a guide. If there is sufficient ciphertext, each of the ten groups will exhibit the frequency distribution of normal English, except the set will have undergone a simple-substitution transform. All is lost.

Figure 2-A. Tableau of ten random alphabets, numbered 0 through 9, one row per key digit (tableau not reproduced).

Figure 2-B. Encryption using the key pi.

pt:  p e t e r p i p e r p i c k e d a p e c k o f
key: 3 1 4 1 5 9 2 6 5 3 5 8 9 7 9 3 2 3 8 4 6 2 6
ct:  M D X D J U D J X V B G R Y C Q L M U K Y X T

pt:  p i c k l e d p e p p e r s
key: 4 3 3 8 3 2 7 9 5 0 2 8 8 4
ct:  R G D T Y R Z U X L Z U Y G

Figure 2-C. Ciphertext in 5-letter groups for transmission.

MDXDJ UDJXV BGRYC QLMUK YXTRG DTYRZ UXLZU YGXXX

Figure 2: Substitution using random alphabets

* For reasons of space, this simple example must suffice to support the following premises: (1) Given sufficient ciphertext, if there is a small enough period (say 100 or less for pencil-and-paper work and several decimal orders of magnitude greater for computer analysis), the period can be recovered. (2) Even if the period is not constant, but varies by some definite rule, it can be recovered. Details may be found in references in the selected bibliography.

** More than enough to encipher everything written since the invention of writing (2 × 10^15 letters is a conservative estimate of the upper bound) without repeating a single alphabet. Recalling the similar staggering statistics for simple substitution, the reader is not impressed.

Figure 3-A. First transposition. Key A (column order 3 5 1 4 2):

3 5 1 4 2
P E T E R
P I P E R
P I C K E
D A P E C
K O F P I
C K L E D
P E P P E
R S

Intermediate ciphertext: TPCPF LPRRE CIDEP PPDKC PREEK EPEPE IIAOK ES

Figure 3-B. Second transposition. Key B (column order 5 6 4 2 1 3):

5 6 4 2 1 3
T P C P F L
P R R E C I
D E P P P D
K C P R E E
K E P E P E
I I A O K E
S

Final ciphertext: FCPEP KPEPR EOLID EEECR PPPAT PDKKI SPREC EIXXX

Figure 3: Double columnar transposition (the keywords are illegible in this copy; their column orders are given instead)

Anticipating this contingency, the astute encryptor will not use 3.1415 ... as the invariable starting point of his key, but will begin each message at a different place in the pi sequence. If the analyst remains convinced that pi is the key, he must undertake the laborious task of checking each digit in the sequence as the potential starting point for each message. This effort is both time-consuming and costly. Both factors work to the advantage of the encryptor. The "time factor" operates to keep the message secure long enough so that it may be out-of-date and useless when the enemy finally reads it. The "cost factor" operates such that the enemy may pay a higher price for the information than it is worth to him. Time and cost factors remain important when the scene shifts to the computer environment.

The random-alphabet example raises an engrossing question: How much text is required in a cipher of this nature so that only one meaningful interpretation is possible? The answer is a function of (1) the amount required for the simple-substitution case, and (2) the number of alphabets used in the cipher. In general, the product of these two numbers is near the minimum amount of ciphertext necessary for cryptanalysis from an information-theoretic viewpoint.† From the viewpoint of the pencil-and-paper analyst, this amount is too low by a factor of about five, depending on the nature of the plaintext.

Transposition types

Traditional forms of the second major encryption algorithm, transposition, are illustrated in Figures 3 and 4. In Figure 3-A, the plaintext has been written out under a keyword. A transposed version is then obtained by taking the letters out by column, the order of the columns being determined by the numerical sequence of the key letters in the normal alphabet.

The ciphertext at this stage is a "simple columnar transposition," which presents little difficulty to the analyst, even though the columns are of two different lengths. In geometrical terms, simple columnar transposition is a 1-dimensional operation since the plaintext is converted in effect into a series of disjointed line segments.

† Readers familiar with Shannon's work will recognize the "unicity distance," which is treated later.

P O K C E P A
E F R E P P D
T P S X X E E
E I X X X P K
R C K L E D C
P I P E R P I

Ciphertext: POKCE PAEFR EPPDT PSXXE EEIXX XPKRC KLEDC PIPER PIXXX

Figure 4-Typical route transposition

In Figure 3-B, the ciphertext of 3-A is subjected to further transposition, using the identical algorithm but a different keyword.† The final cipher has a surprisingly high resistance to analysis. Double columnar transposition is 2-dimensional in that each letter may be equated with a particular cell in an X-Y matrix.

Figure 4 illustrates another form of 2-dimensional transposition known as a "route" cipher. Here, the plaintext has been written into a 7 × 6 matrix in a counterclockwise spiral (starting at the top left and running down the first column). The ciphertext is then taken out by rows. Other routes are also possible, but the example suffices to show the principle.
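Figures 3 and 4 as code, an added example for this edition rather than the paper's own: simple and double columnar transposition, including the unequal column lengths the text mentions, and the counterclockwise spiral route. The keywords of Figure 3 are not legible in this copy, so the column orders read off the figure (3 5 1 4 2 and 5 6 4 2 1 3) are used; a keyword may be passed instead, the columns then being read in alphabetical order of its letters.

```python
def column_order(key):
    """Indices of the columns in reading order. `key` is either a keyword
    (columns read in alphabetical order of its letters, ties left to right)
    or the list of 1-based column labels printed above a figure, e.g. [3, 5, 1, 4, 2]."""
    if isinstance(key, str):
        ranked = sorted(range(len(key)), key=lambda i: (key[i].lower(), i))
        labels = [0] * len(key)
        for rank, i in enumerate(ranked):
            labels[i] = rank + 1
    else:
        labels = list(key)
    return sorted(range(len(labels)), key=lambda i: labels[i])


def columnar_encrypt(text, key):
    """Write the text in rows under the key, take it out column by column."""
    n = len(column_order(key))
    cols = [text[i::n] for i in range(n)]
    return "".join(cols[i] for i in column_order(key)).upper()


def columnar_decrypt(ct, key):
    """Undo it: the first len(ct) mod n columns are one letter longer than the rest."""
    order = column_order(key)
    n = len(order)
    base, extra = divmod(len(ct), n)
    lengths = [base + (1 if i < extra else 0) for i in range(n)]
    cols, pos = [""] * n, 0
    for i in order:
        cols[i] = ct[pos:pos + lengths[i]]
        pos += lengths[i]
    return "".join(cols[i][r] for r in range(max(lengths)) for i in range(n)
                   if r < lengths[i]).lower()


def double_columnar_encrypt(text, key_a, key_b):
    return columnar_encrypt(columnar_encrypt(text, key_a), key_b)


def double_columnar_decrypt(ct, key_a, key_b):
    return columnar_decrypt(columnar_decrypt(ct, key_b), key_a)


def spiral_route(rows, cols):
    """Cells of a counterclockwise spiral from the top-left corner: down the
    first column, right along the bottom row, up the last column, left along
    the top row, then inward."""
    route, top, bottom, left, right = [], 0, rows - 1, 0, cols - 1
    while left <= right and top <= bottom:
        route += [(r, left) for r in range(top, bottom + 1)]
        left += 1
        if left > right:
            break
        route += [(bottom, c) for c in range(left, right + 1)]
        bottom -= 1
        if top > bottom:
            break
        route += [(r, right) for r in range(bottom, top - 1, -1)]
        right -= 1
        if left > right:
            break
        route += [(top, c) for c in range(right, left - 1, -1)]
        top += 1
    return route


def route_encrypt(text, rows, cols, null="x"):
    """Write in along the spiral, read out by rows (Figure 4)."""
    text = text.ljust(rows * cols, null)
    grid = [[""] * cols for _ in range(rows)]
    for (r, c), ch in zip(spiral_route(rows, cols), text):
        grid[r][c] = ch
    return "".join("".join(row) for row in grid).upper()


def route_decrypt(ct, rows, cols):
    grid = [ct[r * cols:(r + 1) * cols].lower() for r in range(rows)]
    return "".join(grid[r][c] for r, c in spiral_route(rows, cols))


PT = "peterpiperpickedapeckofpickledpeppers"
KEY_A, KEY_B = [3, 5, 1, 4, 2], [5, 6, 4, 2, 1, 3]   # column orders of Figure 3

if __name__ == "__main__":
    print(columnar_encrypt(PT, KEY_A))                  # Figure 3-A intermediate
    print(double_columnar_encrypt(PT, KEY_A, KEY_B))    # Figure 3-B final
    print(route_encrypt(PT, 6, 7))                      # Figure 4
```

Note that the receiver of a columnar transposition must know the message length before it can place the short columns; that dependence on length is exactly what the multiple-anagramming attack below exploits when two messages of the same length are available.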

A cryptanalytic technique called "multiple anagramming" applies to transposition ciphers when one has two or more messages of the same length (or suspected block length). By manipulating the ciphertext of one message to produce plaintext, and carrying out the identical operations on the other message(s), if plaintext results in the other message(s) as well, the decryptment is achieved.

To close the discussion of transposition types for the present, Figure 5 shows a "3-dimensional" technique not described in any of the known literature. The example is trivial but allows elucidation of principles which relate to programming techniques of value when the general case is described for computer application.

Figure 5-A. The unit cube, vertices labelled 000 through 111 (X-Y-Z coordinates, commas omitted). Figures 5-B through 5-F: five cubes, each holding eight plaintext letters, with the read-out path drawn on each (the paths are listed in Table I).

Final ciphertext: PEETR PPIEE CPIRD KAEKO CPPFI CEPEK LDPER XSXXP

Figure 5-A 3-dimensional route transposition

† If the keyword for the second transposition is the same as the one used for the first, the cryptosystem is known as the "U.S. Army Transposition Cipher," of World War I vintage.

Figure 5-A will be seen to be the topographical equivalent of a unit cube with X-Y-Z origin at 0,0,0; with the vertex of the major diagonal at 1,1,1, and with intermediate vertices suitably labelled (commas have been omitted in the diagram). The reader is invited to view Figure 5-A as the "shadow" of a 3-dimensional object cast on the 2-dimensional paper; the concept will be serviceable later.

Viewed as a graph in matrix terminology, there are many routes through the structure. Two kinds of route are of special interest, the "Hamiltonian path" and the "Hamiltonian circuit."* A Hamiltonian path is one which passes through every vertex in the graph once and only once. The Hamiltonian circuit is a special case of the path wherein the last element in the path is so located that the first element is adjacent, allowing the path to be repeated.

In Figure 5, five unit cubes have been used to transpose the plaintext. For clarity, the plaintext has been written into each cube from left to right and from top to bottom.** The ciphertext is then read out of the cubes via a different Hamiltonian path for each cube. Figures 5-B, 5-D, and 5-F are circuits as well as paths.

TABLE I. Hamiltonian Paths of Figure 5

5-B   5-C   5-D   5-E   5-F
100   100   100   100   100
101   110   000   101   000
001   010   010   111   001
000   000   011   110   011
010   001   001   010   010
011   101   101   000   110
111   111   111   001   111
110   011   110   011   101

Using dimensional notation, the paths of Figures 5-B through 5-F are shown in Table I. The path sequences, it will be noted, form Gray codes. Because of the Gray-code property, all may be generated by a relatively simple software routine. Although the example here is for three dimensions, the simplicity holds for the general case of n dimensions.
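Figure 5 and Table I as code, an added example (not the paper's own routine): each Table I path is checked to be a Hamiltonian path or circuit of the cube, the five cubes are filled and read out to reproduce the figure's final ciphertext, and a reflected Gray code supplies a Hamiltonian circuit of the n-cube for any n, which is the "relatively simple software routine" the paragraph refers to. The fill order (100, 101, 000, 001, 010, 011, 110, 111) is the left-to-right, top-to-bottom order of the figure's shadow as inferred from the ciphertext; it is an assumption of this example.

```python
# Vertex labels in the order the plaintext is written into each cube of
# Figure 5 (left to right, top to bottom of the shadow), and the read-out
# paths of Table I.
FILL_ORDER = ["100", "101", "000", "001", "010", "011", "110", "111"]
PATHS = {
    "5-B": ["100", "101", "001", "000", "010", "011", "111", "110"],
    "5-C": ["100", "110", "010", "000", "001", "101", "111", "011"],
    "5-D": ["100", "000", "010", "011", "001", "101", "111", "110"],
    "5-E": ["100", "101", "111", "110", "010", "000", "001", "011"],
    "5-F": ["100", "000", "001", "011", "010", "110", "111", "101"],
}


def adjacent(u, v):
    """Two vertices share an edge of the cube iff their labels differ in exactly one bit."""
    return bin(int(u, 2) ^ int(v, 2)).count("1") == 1


def is_hamiltonian_path(path, dims=3):
    return (len(path) == 2 ** dims and len(set(path)) == len(path)
            and all(adjacent(a, b) for a, b in zip(path, path[1:])))


def is_hamiltonian_circuit(path, dims=3):
    return is_hamiltonian_path(path, dims) and adjacent(path[-1], path[0])


def gray_path(dims, start=None):
    """Reflected Gray code g(i) = i XOR (i >> 1), relabelled to begin at `start`:
    consecutive entries differ in one bit, so it is a Hamiltonian circuit of the
    dims-cube for any number of dimensions."""
    offset = int(start, 2) if start else 0
    return [format((i ^ (i >> 1)) ^ offset, f"0{dims}b") for i in range(2 ** dims)]


def cube_encrypt(text, paths, fill_order=FILL_ORDER, null="x"):
    """Fill one cube per block of letters, read each out along its own path."""
    size = len(fill_order)
    text = text.ljust(-(-len(text) // size) * size, null)
    out = []
    for n, start in enumerate(range(0, len(text), size)):
        cube = dict(zip(fill_order, text[start:start + size]))
        out.append("".join(cube[v] for v in paths[n % len(paths)]))
    return "".join(out).upper()


def cube_decrypt(ct, paths, fill_order=FILL_ORDER):
    size = len(fill_order)
    out = []
    for n, start in enumerate(range(0, len(ct), size)):
        cube = dict(zip(paths[n % len(paths)], ct[start:start + size].lower()))
        out.append("".join(cube[v] for v in fill_order))
    return "".join(out)


def hypercube_encrypt(text, dims, start):
    """General case: an n-cube filled in numeric vertex order and read out along
    the Gray-code circuit beginning at `start`."""
    fill = [format(i, f"0{dims}b") for i in range(2 ** dims)]
    return cube_encrypt(text, [gray_path(dims, start)], fill_order=fill)


def hypercube_decrypt(ct, dims, start):
    fill = [format(i, f"0{dims}b") for i in range(2 ** dims)]
    return cube_decrypt(ct, [gray_path(dims, start)], fill_order=fill)


PT = "peterpiperpickedapeckofpickledpeppers"
FIGURE_5_PATHS = [PATHS[k] for k in ("5-B", "5-C", "5-D", "5-E", "5-F")]

if __name__ == "__main__":
    for name, path in PATHS.items():
        print(name, "circuit" if is_hamiltonian_circuit(path) else "path only")
    print(cube_encrypt(PT, FIGURE_5_PATHS))
    print(hypercube_encrypt(PT, 4, "1011"))
```

The key of such a system is the pair of paths per cube (one to write in, one to read out, as the footnote says); the Gray-code generator turns that into two start vertices and two bit permutations, which is what makes the routine simple in n dimensions.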

CRYPTOGRAPHY IN TRANSITION

The Vernam era

For the computer-oriented, the locus classicus of modern cryptotechnology is a paper written 47 years ago by Gilbert Vernam of the Bell Telephone Laboratories.8 The paper describes (what today would be called) a binary cryptosystem suitable for use with the 5-level Baudot Teletype code, a code which still may be found in wide use today.* The two possible truth tables of the cryptosystem are shown in Figure 6, together with samples of the two possible encryptments and decryptments. The system is identical to that used in many of today's computer encryption devices, although the character length of the latter has been increased in most cases to accommodate standard data-processing character sets.

* Named after Sir William Rowan Hamilton, who first described them in the mid-19th century.

** In practice, the plaintext would be entered using one path and the ciphertext read out using another. The legitimate receiver, knowing the two paths, need merely reverse the process to decrypt the message.

The security of the Vernam system results from the use of an apparently random key of great length. The important word here is "random." Contrast a random nonrepeating key with the predictable, "semi-random," key of Figure 2, viz., pi. If the key were truly random, and if it were used only once, the enemy analyst would be impotent, professionally at least.** What constitutes true randomness is a matter best left to mathematicians.

Vernam obtained his lengthy key by using two punched-paper tape loops of character length j and k, where j and k are mutually prime. The encipherment equation is thus: ct_i = pt_i ⊕ j_i ⊕ k_i. For each cycle of the j tape, the k tape advances one character, yielding a total key length of j × k. Typical values for j and k during the '20s were 775 and 776, for an over-all key length of 601,400 characters. In a similar but computer-based system today, using magnetic tape for key storage, j = 5 × 10^6 and k = 5 × 10^6 + 1 are attainable values, for a total key of the order of 2.5 × 10^13.

Numbers of this magnitude appear irresistible to advertising managers for computer cryptosystems. The reader, however, may now be more suspicious than stunned, possibly as the result of previous examples. His suspicion is not unfounded.

An example may serve to demonstrate one of the characteristics of this kind of cipher. The example is artificial only in the sense that it compresses into a brief interval data which normally could be acquired only after the interception of considerable ciphertext. The phenomenon itself, owing to the nature of language, is certain to occur.

In Figures 7-A, 7-B, and 7-C, the same plaintext, b a r g e, has coincided with the same j_i key, l b l p t, but with three different k_i keys, c, m, and y. Three different ciphertexts result: S H P [LF] [LTRS] (ct1), Q I [space] T F (ct2), and V K F B [space] (ct3).

Figure 6-A. Encryption by exclusive-OR: 0 ⊕ 0 = 0, 0 ⊕ 1 = 1, 1 ⊕ 0 = 1, 1 ⊕ 1 = 0.
  Encrypt: pt 11000 (a) ⊕ key 10110 (f) = ct 01110 (C)
  Decrypt: ct 01110 (C) ⊕ key 10110 (f) = pt 11000 (a)

Figure 6-B. The complementary table: 0 ⊙ 0 = 1, 0 ⊙ 1 = 0, 1 ⊙ 0 = 0, 1 ⊙ 1 = 1.
  Encrypt: pt 11000 (a) ⊙ key 10110 (f) = ct 10001 (Z)
  Decrypt: ct 10001 (Z) ⊙ key 10110 (f) = pt 11000 (a)

Figure 6: Basics of Baudot cryptography

* In 1925, the then-Captain William F. Friedman invented a bit-transposition device (the equivalent of a plugboard) to increase the security of the system. The transposition was invariant until manually changed.

** The enemy, however, wins a point in that the truly random key must somehow be transmitted to the legitimate receiver (who cannot generate it himself, obviously, it being a one-of-a-kind sort of thing). This transmission gives rise to opportunities for interception, theft, and bribery.

Figure 7-A.
pt1:       b 10011   a 11000   r 01010   g 01011   e 10000
j_i key:   l 01001   b 10011   l 01001   p 01101   t 00001
k_i key:   c 01110   c 01110   c 01110   c 01110   c 01110
ct1:       S 10100   H 00101   P 01101   [LF] 01000   [LTRS] 11111

Figure 7-B.
pt2:       b 10011   a 11000   r 01010   g 01011   e 10000
j_i key:   l 01001   b 10011   l 01001   p 01101   t 00001
k_i+x key: m 00111   m 00111   m 00111   m 00111   m 00111
ct2:       Q 11101   I 01100   [SP] 00100   T 00001   F 10110

Figure 7-C.
pt3:       b 10011   a 11000   r 01010   g 01011   e 10000
j_i key:   l 01001   b 10011   l 01001   p 01101   t 00001
k_i+y key: y 10101   y 10101   y 10101   y 10101   y 10101
ct3:       V 01111   K 11110   F 10110   B 10011   [SP] 00100

Figure 7-D.
ct1 ⊕ ct2 = key_a:   l 01001   l 01001   l 01001   l 01001   l 01001

Figure 7-E.
ct1 ⊕ ct3 = key_b:   [FIGS] 11011   [FIGS] 11011   [FIGS] 11011   [FIGS] 11011   [FIGS] 11011

Control functions: [FIGS] figures shift, [LTRS] letters shift, [CR] carriage return, [LF] line feed, [SP] space, blank 00000.

Figure 7: Recovery of minor cycles from Vernam cipher

In Figure 7-D, ct1 is added (vectorially)* to ct2; in Figure 7-E, ct1 is added to ct3. In each instance a constant results, l and [FIGS] respectively. We shall refer to these constants as ka and kb.

The ka and kb are compound keys. ka is the sum of k_i and k_i+x, yielding l; kb is the sum of k_i and k_i+y, yielding [FIGS]. The appearance of these constant sequences signals the discovery of one of the minor cycles of which the complete (j × k) cycle is comprised. Each minor cycle is initiated by the stepping of the k tape. Having found sufficient minor cycles with the identical compound key, the analyst may now apply the periodic technique of Figure 1, the Vigenère example. Ironically, the rigor of Boolean algebra ensures that the Baudot cipher alphabets are as immutable and predictable as those of the Vigenère.

Boolean rigor leads to a second weakness of this kind of cryptosystem: If any part of the key is used to encipher as few as two plaintext messages, the messages can be "lined up" by a technique known as the index of coincidence.** Figures 8-A and 8-B show just a portion of two such messages. In practice, much more text is needed in order to line the messages up.

The analyst then proceeds to add ct1 to ct2 as shown in Figure 8-C, to produce the compound key, kc. Assume the analyst suspects the word n u m b e r is probably contained in one of the plaintexts. To test the assumption, he tries each kc letter as the starting point of the word n u m b e r, reading the resultant diagonals to see if a reasonable plaintext sequence emerges (Figure 8-D). With luck and persistence, he finally obtains c k e d a p. The tongue-twister recognized, the analyst tries p e t e r p i p e r p i (c k e d a p) against kc, and with much gratification obtains r e p l y m e s s a g e (n u m b e r) as the counterpoised plaintext.*

* Throughout the remainder of the paper, the process of addition refers specifically to vector addition unless otherwise stated.

** The index of coincidence was discovered by William F. Friedman and published in "The Index of Coincidence and Its Applications in Cryptographic Analysis," Riverbank Publications, No. 22, Geneva, Ill.: Riverbank Laboratories, 1922. The method is described in Kahn (op. cit., pp. 376-385).

Figure 8-A. pt1: ... p e t e r p i p e r p i c k e d a p e c k o f ..., with its key and the resulting ct1.
Figure 8-B. pt2: ... r e p l y m e s s a g e n u m b e r s e v e n ..., enciphered under the same stretch of key, with the resulting ct2.
Figure 8-C. ct1 added to ct2, giving the compound key kc.
Figure 8-D. The probable word n u m b e r tried against successive positions of kc; one position yields c k e d a p.

Figure 8: Probable word solution of Baudot cipher

Extending the messages in the other direction, the analyst is aided by another phenomenon. The SEV of ct1 is the s e v of pt2 and the ECK of ct2 is the e c k of pt1.** So long as the two ciphertexts continue to share the common key, the messages may be recovered by the near-mechanical process of assuming a letter-by-letter continuation in one plaintext and seeing if it results in an acceptable continuation in the other.
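The two-message attack of Figure 8 carried through in code, as an added example that is not part of the paper. The paper works in 5-level Baudot; here the same vector (XOR) addition is applied to ASCII bytes, which the paper's own remark on alphabets permits. The two plaintexts are the paper's; the running key is constructed for the example and is never seen by the analyst.

```python
"""Probable-word solution of two messages enciphered with one running key
(the attack of Figure 8), over ASCII rather than Baudot.  Added example."""
import random
import string

LOWER = set(string.ascii_lowercase.encode())


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Vector addition (bitwise XOR) of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def encipher(pt: bytes, key: bytes) -> bytes:
    """Vernam-style encipherment: ct = pt + key, the key as long as pt."""
    return xor_bytes(pt, key[: len(pt)])


def compound_key(ct1: bytes, ct2: bytes) -> bytes:
    """kc = ct1 + ct2 = pt1 + pt2: the shared running key cancels out."""
    n = min(len(ct1), len(ct2))
    return xor_bytes(ct1[:n], ct2[:n])


def crib_drag(kc: bytes, crib: bytes) -> list:
    """Try the probable word at every offset of kc and keep the offsets where
    the counterpoised text (the other plaintext) consists only of letters."""
    hits = []
    for off in range(len(kc) - len(crib) + 1):
        other = xor_bytes(kc[off : off + len(crib)], crib)
        if all(c in LOWER for c in other):
            hits.append((off, other))
    return hits


def extend(kc: bytes, guess: bytes, offset: int = 0) -> bytes:
    """Assume a run of one plaintext starting at `offset` and return the run
    of the other plaintext it forces: the near-mechanical extension."""
    return xor_bytes(kc[offset : offset + len(guess)], guess)


# Constructed example: the paper's two plaintexts under one constructed key.
# The key stands in for the shared running key; the analyst never sees it.
PT1 = b"peterpiperpickedapeckof"
PT2 = b"replymessagenumberseven"
_rng = random.Random(1973)
KEY = bytes(_rng.randrange(256) for _ in range(32))
CT1 = encipher(PT1, KEY)
CT2 = encipher(PT2, KEY)
KC = compound_key(CT1, CT2)


def solve(kc: bytes = KC) -> tuple:
    """Drag 'number', recognise the tongue-twister fragment among the
    candidates, then read the second message off the first."""
    hits = crib_drag(kc, b"number")
    # Several offsets survive the letters-only test; the analyst keeps the
    # one that reads as English.
    off, other = next(h for h in hits if h[1] == b"ckedap")
    # With c k e d a p at `off`, pt1 evidently reads 'peterpiperpi' + 'ckedap'
    # from the start; that in turn fixes the opening of pt2.
    pt2_start = extend(kc, b"peterpiperpi" + other, 0)
    return off, other, pt2_start


if __name__ == "__main__":
    off, other, pt2_start = solve()
    print(f"'number' at offset {off} faces {other.decode()}; pt2 begins {pt2_start.decode()}")
```

The letters-only filter is the mechanical part; choosing among the survivors is the "luck and persistence" of the text. Note that compound_key never touches the key at all, which is why key length is no protection once two messages share it.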

If the two preceding examples have produced further skepticism in the reader regarding those cryptosystems the security of which is attributed solely to their having keys of length 10^n, they have served their purpose.

The Shannon era

Kahn declares Friedman's discovery of the index of coincidence is "the most important single publication in cryptology."*** The practitioner is likely to agree. The theoretician may justifiably nominate Shannon's analysis of secrecy systems for the honor.[9]

The text, tightly knit in the manner of mathematical exegesis, admits of no easy summary. The writer faced with space limitations has open only a few options if his intent is to induce the reader to consult the original. The strategy selected here is to limit the discussion to just one topic, the "unicity point" or "unicity distance." (Shannon uses the terms interchangeably.)

* We have omitted the binary operations involved in this procedure, those in Figure 7 being deemed sufficient to show the principle. The full 5-level Baudot code can be found in many standard electrical engineering references by the painstaking reader who wishes to test the operation for himself.

** Again, the reminder: the examples have been contrived to show various contingencies in a short space.

*** Kahn, op. cit., p. 376.

Earlier in the paper the question was raised: What is the longest simple-substitution cipher that has only one meaningful resolution? In essence, this length is Shannon's unicity distance. But the value depends on the cryptosystem. For simple substitution, it is 27 letters. For the Vigenère example of Figure 1, it is 10 letters (or 2d, where d is the period length). For the random-alphabet example of Figure 2, it is 270 letters (equivalent to ten simple substitutions). For a periodic cipher of random alphabets and unknown key, the unicity distance is 53d, and so on.
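Shannon's measure stated as a formula, as an added worked equation that is not part of the paper. With $H(K)$ the entropy of the key in bits and $D$ the redundancy of the plaintext language in bits per letter, the number of ciphertext letters beyond which, on average, only one key remains consistent with the ciphertext is

$$U \approx \frac{H(K)}{D}.$$

For simple substitution the key is one of the $26!$ permutations of the alphabet, so $H(K) = \log_2 26! \approx 88.4$ bits. Shannon takes English to carry about 1.5 bits per letter of the $\log_2 26 \approx 4.7$ bits a letter could carry, so $D \approx 3.2$ bits per letter, and

$$U \approx \frac{88.4}{3.2} \approx 27.6,$$

the 27 letters cited above. For a key as long as the message and never reused, $H(K)$ grows with every letter sent, the quotient never settles, and the unicity distance is infinite.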

In the course of developing his thesis, Shannon proves the unicity distance for a cipher which employs a random key, never repeated, is infinite. The cipher cannot be solved.

If, then, an impregnable cipher does exist, why is it not universally employed? The answer is logistics. To the originator of voluminous plaintext, the generation and testing of a truly random key, plus the expense of distributing it (and the dangers accompanying the distribution as mentioned earlier), and the coordination of its use to ensure its one-time-only employment, add substantially to the user's cost. Only the more affluent governments, and then only for the most sensitive texts, can afford it.

CRYPTOGRAPHY IN THE AGE OF AUTOMATION

Those aspects of pre-computer cryptography which have now been covered are essential if the unfamiliar reader is to understand what has occurred now that the computer is a commonplace tool of the cryptologist. Except for algebraic cryptography, a genre not previously described, the reader will see that though the language and the claims have changed, there is at least some justification for maintaining the skeptical attitude of the aphorism, Plus ça change, plus c'est la même chose (the more it changes, the more it stays the same).

Algebraic cryptography

The seeds of modern algebraic cryptography were planted more than 40 years ago in two papers by L. S. Hill.[10, 11] To one not mathematically trained, the procedures are complicated, even arcane. Mathematicians (one is told) perceive an inscape of excellence unrivaled by competing schemes. The discussion has been postponed till now because in the absence of EDP equipment, the encryption and decryption tasks entailed high cost and time factors for the legitimate users, even if calculating machines were employed.*

* Hill patented an unwieldy mechanical device which could operate on up to six letters ("hexagrams") per cycle. Computers permit polygrams of any size to be processed, at least in theory. Programmers familiar with the demands matrix algebra places on machine time will see that a practical limit exists. The limit is set by the acceptable trade-off between cost factor and the degree of security desired, both increasing rapidly with polygram size.


Figure 9 is a simplified example of one algebraic method, adapted from Davis.[12] The example consists of a matrix of order 3, which serves as the key, and a column vector, which is the plaintext. For encryptment, the numerical equivalent in the standard alphabet (a = 1, ..., z = 26) is substituted for the plaintext letters.

The encryptment algorithm is shown in detail in Figure 9-A. The operations involved in enciphering the plaintext p e t appear in Figure 9-B. For the remainder of the plaintext, only the skeleton of the encipherment is given. Figure 9-G is the resulting ciphertext.

Among others, the chief disadvantage of the method is that the encipherment process involves five steps per letter (three multiplications and two additions), or a total of 15 steps per 3-letter pt group. The number of steps per pt group grows quadratically with polygram size according to the formula S = n(2n - 1), where S is the number of steps and n is the number of letters in the polygram.

Encryption:

 A: [k11 k12 k13] [p1]   [k11 p1 + k12 p2 + k13 p3]   [c1]
    [k21 k22 k23] [p2] = [k21 p1 + k22 p2 + k23 p3] = [c2]
    [k31 k32 k33] [p3]   [k31 p1 + k32 p2 + k33 p3]   [c3]

 B: [14  8  3] [16 (p)]   [14 x 16 + 8 x 5 + 3 x 20]   [324]
    [ 8  5  2] [ 5 (e)] = [ 8 x 16 + 5 x 5 + 2 x 20] = [193]
    [ 3  2  1] [20 (t)]   [ 3 x 16 + 2 x 5 + 1 x 20]   [ 78]

 C: K [ 5 (e), 18 (r), 16 (p)] = [262, 162, 67]
 D: K [ 9 (i), 16 (p),  5 (e)] = [269, 162, 64]
 E: K [18 (r), 16 (p),  9 (i)] = [407, 242, 95]
 F: K [ 3 (c), 11 (k),  5 (e)] = [145,  89, 36]

 G: ct: 324 193 78 262 162 67 269 162 64 407 242 95 145 89 36

Figure 9 - Elementary algebraic cryptography

An advantage which offsets the main disadvantage is also evident. Although two of the 3-letter pt groups (p e t and i p e) contain the letters p e, there is no indication of this in the ciphertext. Similarly, the reversal i p and p i in groups 3 and 4 is concealed. The principle applies regardless of polygram size. Thus if just one letter in an n-letter polygram differs from another n-letter polygram, the ciphertext will conceal the fact that (n - 1) of the n letters are identical. The phenomenon denies the analyst the use of one of his more powerful tools, the analysis of repetitions in the ciphertext.

Figure 10 shows the decryption process for the ciphertext of Figure 9-G. Only the first 3-letter group is deciphered; the others follow the same paradigm.

The decryption key matrix, it will be noted, is not the same as the encryption matrix. The disparity may appear to add to the security of the cipher but the inference is misleading. The decryption matrix is merely the inverse of the encryption matrix, a familiar mathematical procedure.

Decryption:

 A: [k'11 k'12 k'13] [c1]   [k'11 c1 + k'12 c2 + k'13 c3]   [p1]
    [k'21 k'22 k'23] [c2] = [k'21 c1 + k'22 c2 + k'23 c3] = [p2]      (K' = K^-1)
    [k'31 k'32 k'33] [c3]   [k'31 c1 + k'32 c2 + k'33 c3]   [p3]

 B: [ 1 -2  1] [324]   [ 1 x 324 + (-2) x 193 +   1  x 78]   [16 (p)]
    [-2  5 -4] [193] = [-2 x 324 +   5  x 193 + (-4) x 78] = [ 5 (e)]
    [ 1 -4  6] [ 78]   [ 1 x 324 + (-4) x 193 +   6  x 78]   [20 (t)]

Figure 10 - Algebraic cryptography decipherment
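The matrix cipher of Figures 9 and 10 in code, as an added example that is not from the paper. The key matrix and the letter numbering are those of Figure 9; the decryption matrix is computed as the inverse rather than copied; and a third function shows a point the paper does not make, that three known plaintext polygrams and their ciphertexts give the key back by the same linear algebra. The integer, non-modular arithmetic is the paper's variant of the scheme; Hill's own cipher reduces modulo 26 and is not treated here.

```python
"""Algebraic (matrix) cipher of Figures 9 and 10, with the key recovery the
scheme's linearity permits.  Added example, not the paper's code.  Plain
integer arithmetic with a = 1 ... z = 26 and no reduction modulo the
alphabet size, as in the paper (Hill's own cipher works mod 26)."""
from fractions import Fraction

KEY = [[14, 8, 3],
       [8, 5, 2],
       [3, 2, 1]]  # the order-3 key matrix of Figure 9 (det = 1)


def num(ch: str) -> int:
    return ord(ch) - ord("a") + 1


def letter(n) -> str:
    return chr(int(n) - 1 + ord("a"))


def mat_vec(m, v):
    return [sum(m[i][j] * v[j] for j in range(len(v))) for i in range(len(m))]


def mat_mul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) for j in range(len(b[0]))]
            for i in range(len(a))]


def invert(m):
    """Gauss-Jordan inverse over the rationals (exact Fractions).
    Raises if the matrix is singular, i.e. unusable as a key."""
    n = len(m)
    a = [[Fraction(x) for x in row] + [Fraction(int(i == j)) for j in range(n)]
         for i, row in enumerate(m)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if a[r][col] != 0), None)
        if pivot is None:
            raise ValueError("singular matrix: no decryption matrix exists")
        a[col], a[pivot] = a[pivot], a[col]
        p = a[col][col]
        a[col] = [x / p for x in a[col]]
        for r in range(n):
            if r != col and a[r][col] != 0:
                f = a[r][col]
                a[r] = [x - f * y for x, y in zip(a[r], a[col])]
    return [row[n:] for row in a]


def polygrams(pt: str, n: int) -> list:
    """Cut the plaintext into n-letter groups of numbers; a short final group
    is dropped, as the paper's example drops the trailing d of 'picked'."""
    nums = [num(c) for c in pt]
    return [nums[i:i + n] for i in range(0, len(nums) - n + 1, n)]


def encrypt(pt: str, key=KEY) -> list:
    ct = []
    for grp in polygrams(pt, len(key)):
        ct.extend(mat_vec(key, grp))  # n multiplications and n-1 additions per ct number
    return ct


def decrypt(ct: list, key=KEY) -> str:
    n = len(key)
    inv = invert(key)  # the decryption matrix of Figure 10 is simply K^-1
    out = []
    for i in range(0, len(ct), n):
        out.extend(letter(x) for x in mat_vec(inv, ct[i:i + n]))
    return "".join(out)


def recover_key(pt: str, ct: list, n: int) -> list:
    """Known-plaintext recovery.  With n linearly independent plaintext groups
    as the columns of P and their ciphertexts as the columns of C, C = K P,
    hence K = C P^-1.  A standard consequence of the scheme's linearity,
    given here as a caveat; the paper does not discuss it."""
    pg = polygrams(pt, n)[:n]
    cg = [ct[i:i + n] for i in range(0, n * n, n)]
    P = [[pg[j][i] for j in range(n)] for i in range(n)]
    C = [[cg[j][i] for j in range(n)] for i in range(n)]
    return [[int(x) for x in row] for row in mat_mul(C, invert(P))]


if __name__ == "__main__":
    ct = encrypt("peterpiperpicked")
    print(ct)                                      # the ciphertext of Figure 9-G
    print(decrypt(ct))                             # peterpiperpicke
    print(recover_key("peterpiperpicked", ct, 3))  # the key, from three groups
```

The repetition-hiding advantage the text describes is real, but so is the price of linearity: an analyst who can match a handful of polygrams to their ciphertext solves for the key directly, without any statistics.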

Commercial cipher systems

Algebraic cryptography aside, most commercial cryptosystems depend on means for generating a key which to the casual observer appears random but is in truth only pseudorandom. The commercial systems take the form of both hardware and software. The two kinds may conveniently be discussed together because whatever can be performed by hardware may be emulated by software. Indeed, some systems employ software at the computer site and hardware at the remote terminals.

The first algorithms for generating pseudorandom keys for computer use appeared in the '50s. The resulting key was fully deterministic, derived by a method identical or similar to the binary equivalent of the decimal example shown in Table II. The procedure begins by selecting a number, say 6378, squaring it, and then proceeding as the table indicates.*

The operation yields the sequence 7-8-8-2-5-8-4-5-5-0-1-9-2-1-1-4-5-7. The series is apparently random but wholly determined.

Today, the most commonly encountered commercial cryptosystem is the "shift register." Despite design variations, the principles and more importantly the results are identical: shift registers are pseudorandom key generators, but of a kind different than that illustrated in Table II.

TABLE II - Generation of Pseudorandom Key

Operation      Product     Key Sequence
6378 x 6378    40678884    788
 788 x 6378     5025864    258
 258 x 6378     1645524    455
 455 x 6378     2901990    019
 019 x 6378      121182    211
 211 x 6378     1345758    457

* A curious sidelight of the era was the discovery and promulgation of a rather small set of numbers, favored because they produced long pseudorandom sequences. Analysts presumably concealed their delight.
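The generator of Table II in code, as an added example that is not from the paper, together with the cycle detection an analyst would run against it. The rule of writing each product out to eight digits before taking the middle three is inferred from the table's own figures (19 x 6378 = 121182 yields 211) and is an assumption about the author's procedure.

```python
"""The 'middle digits' key generator of Table II.  Added example, not the
paper's code.  The seed is squared once; each later three-digit key group
is multiplied by the seed and the next group is read from the middle of the
product.  The table's figures are matched only if the product is first
written out to eight digits; that padding rule is inferred here and is an
assumption about the author's procedure."""

SEED = 6378
WIDTH = 8  # twice the length of the four-digit seed


def middle_three(product: int) -> int:
    """Digits 4 to 6 of the product written to WIDTH places (40678884 -> 788)."""
    return int(str(product).zfill(WIDTH)[3:6])


def key_groups(seed: int = SEED, count: int = 6) -> list:
    """The first `count` key groups; for 6378: 788, 258, 455, 19, 211, 457."""
    groups, x = [], seed
    for _ in range(count):
        x = middle_three(x * seed)  # the first pass is seed x seed
        groups.append(x)
    return groups


def key_digits(seed: int = SEED, count: int = 6) -> str:
    """The key as a digit string, every group padded to three places."""
    return "".join(f"{g:03d}" for g in key_groups(seed, count))


def cycle(seed: int = SEED) -> tuple:
    """(pre-period, period) of the group sequence.  A group is a number below
    1000 and the next one depends on it alone, so the sequence repeats within
    1000 steps: the whole key is fixed by one three-digit state, which is the
    property the analyst exploits."""
    seen, x, step = {}, seed, 0
    while True:
        x = middle_three(x * seed)
        if x in seen:
            return seen[x], step - seen[x]
        seen[x] = step
        step += 1


if __name__ == "__main__":
    print(key_digits())  # 788258455019211457, the sequence quoted in the text
    print(cycle())
```

The "rather small set of numbers" of the footnote is explained by cycle(): most seeds fall into a short loop, and a seed was prized precisely when its loop happened to be long.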


 A: the pseudorandom key generator supplies ka_i; it is added to the fed-back ciphertext letter ct_(i-1) to form the compound key kb_i, and pt_i added to kb_i gives ct_i.
 B: formation of the successive kb_(i+n) from the generator output and the ciphertext stream.
 C: formation of the successive ct_(i+n).
 (The letter-by-letter columns of the figure are only partly legible.)

Figure 11 - Simplified shift-register operation

The key generated by a shift register is (in all cases worthy of consideration) not deterministic but Markovian. A brief quote from Feller[13] succinctly states the process: "If two independent systems subject to the same transition probabilities happen to be in the same state, then all future probabilities relating to their future developments are identical."*

In the case of the shift register, the two "independent systems" are the pseudorandom key from the key generator and the stream of the plaintext; designers may validly dispute the term "independent" as applied to the key generator. We retain it for the sake of the following example.

Figure 11 shows a simplified shift-register system. For clarity, the operations use Baudot encipherment (truth table of Figure 6-A).

The action is portrayed in medias res, since initial start-up conditions are unique and at most occur once per message. A comparison of Figure 11 and Figure 7 will reveal that in both cases a compound key is used to encipher the plaintext. In Figure 7, the final key is the sum of j_i and k_i. In Figure 11, the final key, kb_i, is the sum of ka_i (the current output of the key generator) and ct_(i-1), the cipher counterpart of pt_(i-1), the last-enciphered plaintext letter. The compound key is formed by feedback from the ciphertext output stage. Feedback in one form or another (and it is usually more complex than shown here) is an essential feature of shift registers.

Figure 11-A portrays the case ct_i = pt_i ⊕ kb_i (that is, T = p ⊕ i); simultaneously, kb_(i+1) is being formed by the process kb_(i+1) = ka_(i+1) ⊕ ct_i (that is, b = d ⊕ T). The equations are rearranged slightly in Figure 11-B to show the formation of the successive kb_(i+n) and at the same time the interrelationship of the two streams. In order to start the sequence in Figure 11-B, we have assumed ct_(i-1) was D and ka_i was i; the assumption also explains why kb_i = i in Figure 11-A. As so many things are, the process is hard to explain but relatively easy to implement. The explanation has succeeded if designers who initially objected to the term "independent" are now mollified.

* Feller, op. cit., p. 421.

Figure 11-C, in turn, shows the formation of the successive ct_(i+n). Readers still with us will see that in Figure 11-A, the pt stream and the ct stream appear in proper superposition.

In practice, the commercial shift register is frequently a cascaded series of binary stages. The maximum length of the pseudorandom key cycle is 2^n - 1, where n is the number of stages. A common length for the shift register is 20 stages, yielding a key cycle of 1,048,575 bits.

Some commercial shift registers provide the capability of allowing the user to change the feedback connections, and thus alter the pseudorandom key stream. Different key streams obtained in this way are usually referred to as "codes." An article by Twigg[14] treats the design logic of these devices. Interestingly, a complementary article by Meyer and Tuchman[15] outlines a method of attack on the ciphertext of such systems based on the recovery of just a small part of the key stream.
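The shift register with ciphertext feedback of Figure 11 in code, as an added example that is not from the paper, together with the 2^n - 1 cycle length and the simplest form of the attack Meyer and Tuchman describe, recovery of the generator from a short stretch of key stream. The feedback taps (20, 3), the initial register state, and the zero starting value for the fed-back ciphertext letter are constructed for the example; the paper gives none of them, and the published attack may proceed differently.

```python
"""Shift register with ciphertext feedback, after Figure 11, and the key
stream recovery open to an analyst.  Added example, not the paper's code.
ka_i is one byte from a binary linear-feedback shift register,
kb_i = ka_i + ct_(i-1) and ct_i = pt_i + kb_i, '+' being XOR.  The taps,
the initial state and the zero starting value for the fed-back ciphertext
are assumptions made for this example."""


class LFSR:
    """Fibonacci LFSR over GF(2).  `taps` are the exponents of the feedback
    polynomial x^n + ... + 1 in the usual table convention, e.g. (20, 3);
    stage k contributes state bit n - k, and bit 0 is the output."""

    def __init__(self, nbits: int, taps, state: int):
        if not 0 < state < (1 << nbits):
            raise ValueError("state must be nonzero and fit the register")
        if nbits not in taps:
            raise ValueError("taps must include the register length")
        self.n, self.taps, self.state = nbits, tuple(taps), state

    def bit(self) -> int:
        out = self.state & 1
        fb = 0
        for t in self.taps:
            fb ^= (self.state >> (self.n - t)) & 1
        self.state = (self.state >> 1) | (fb << (self.n - 1))
        return out

    def bits(self, count: int) -> list:
        return [self.bit() for _ in range(count)]

    def byte(self) -> int:
        v = 0
        for _ in range(8):
            v = (v << 1) | self.bit()
        return v


def period(nbits: int, taps, state: int = 1) -> int:
    """Clock the register until its state recurs.  For taps from a primitive
    polynomial this is 2^n - 1, the maximum the text cites."""
    reg = LFSR(nbits, taps, state)
    for count in range(1, 1 << nbits):
        reg.bit()
        if reg.state == state:
            return count
    raise ValueError("state did not recur")  # impossible when bit 0 is tapped


def cfb_encrypt(pt: bytes, nbits: int, taps, state: int, ct_prev: int = 0) -> bytes:
    """ct_i = pt_i XOR ka_i XOR ct_(i-1): the compound key of Figure 11."""
    reg, out = LFSR(nbits, taps, state), bytearray()
    for p in pt:
        ct_prev = p ^ reg.byte() ^ ct_prev
        out.append(ct_prev)
    return bytes(out)


def cfb_decrypt(ct: bytes, nbits: int, taps, state: int, ct_prev: int = 0) -> bytes:
    reg, out = LFSR(nbits, taps, state), bytearray()
    for c in ct:
        out.append(c ^ reg.byte() ^ ct_prev)
        ct_prev = c
    return bytes(out)


def generator_stream(pt: bytes, ct: bytes, ct_prev: int = 0) -> list:
    """Known plaintext strips the feedback: ka_i = ct_i XOR pt_i XOR ct_(i-1).
    The feedback adds nothing against an analyst holding matching pt and ct."""
    ka = []
    for p, c in zip(pt, ct):
        ka.append(c ^ p ^ ct_prev)
        ct_prev = c
    return ka


def continue_stream(known_bits, nbits: int, taps, count: int) -> list:
    """With the taps known, the first n output bits of a Fibonacci register
    are its initial state.  Rebuild it from one register length of key
    stream and clock out `count` further bits: the simplest form of an
    attack based on a small part of the key stream."""
    if len(known_bits) < nbits:
        raise ValueError("need at least one register length of key stream")
    state = 0
    for i, b in enumerate(known_bits[:nbits]):
        state |= b << i
    reg = LFSR(nbits, taps, state)
    reg.bits(len(known_bits))  # step past the bits already in hand
    return reg.bits(count)


TAPS20 = (20, 3)  # x^20 + x^3 + 1 is primitive: cycle of 2^20 - 1 = 1,048,575 bits
```

Changing the "code" (the taps) forces the analyst to guess the feedback polynomial as well, but for a 20-stage register there are few enough primitive polynomials that trying each against a recovered stretch of key stream is routine. Varying the initial state per message, as the next paragraph recommends, matters more.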

Another method of attack is that of Figure 8. It is applicable when two messages enciphered with the same key can be lined up. If the user varies the initial setting of a given code for each message, the enemy must intercept considerable traffic in that code before he can achieve this felicitous condition. (It is appropriate to suggest here that the user never let his line go "dead." Meaningless character streams should fill the void between legitimate messages, to prevent the enemy from detecting the start and end points of messages.)

In the absence of a definitive comparison of off-the-shelf commercial cryptosystems, let the writer nominate his own candidates for the top and bottom rungs of the security ladder, both, of course, a matter of personal opinion.

Of the systems examined, the top rung is occupied by the IBM Feistel/Notz/Smith system.* The design is too complex for explanation here, though on the other hand the user interface is admirably simple.**

The apparently unchallengeable occupant of the bottom rung of the security ladder is the not-inexpensive "XYZ" system. The "black box" is furnished with a two-code "module," although users may purchase additional modules up to a total of more than 8 million codes. The key length is not revealed. However, it is irrelevant. To simplify operation by the user, the system is reset anew for each message to exactly the same place in the keying cycle.

* Girdansky, op. cit., pp. 6-12.

** As the poet-author of Ecclesiastes asked, "Is there a thing of which it is said, 'Lo, this is new?'" The Feistel/Notz/Smith method incorporates a programmable version of Friedman's bit-transposition scheme referred to earlier.


The delighted analyst may now return to the example of Figure 2 and the accompanying text, where the fallacy of beginning each message at an invariant starting point is explained.

A polydimensional transposition cipher

The following cipher is described not for the usual reason (i.e., the amateur cryptologist has devised still another "unbreakable" system) but because it poses, or rather may pose, a challenge to the theoretical mathematician. The cipher is an (unbounded) extension of the 3-dimensional system of Figure 5. The extension will be described first. The challenge follows shortly.

The reader was asked to view Figure 5-A as the shadow of a 3-dimensional cube as it would appear on the 2-dimensional page. In the same way, without trying to visualize the object itself, the reader may consider the graph in Figure 12-A as the shadow of a 4-dimensional hypercube, or tesseract, as it would appear in 2-dimensional space.

 A: the tesseract drawn in the plane, its 16 vertices labelled with 4-bit vectors (0000 to 1111)
 B: the plaintext written onto the vertices
 C: ct = REPEE PTERD CIPKI P

Figure 12 - A 4-dimensional route transposition

Paralleling the example of Figure 5-B, the plaintext p e t e r p i p e r p i c k e d has been written into Figure 12-B from left to right and from top to bottom (although, as with Figure 5, in practice a Hamiltonian path should be used). The ciphertext has been taken out by a path which is also a circuit.

The tesseract, the vertices of which are identified in vector notation, exhibits the same property as the cube. All Hamiltonian paths and circuits form Gray codes. This characteristic holds for the general case of the n-dimensional hypercube. The reader may test this for himself by tracing paths and circuits in the 6-dimensional hexact (or rather its shadow) in Figure 13, the largest hypercube which may reasonably be drawn in the available space.

The reason for surmising that the polydimensional transposition may be usable as a secure commercial cryptosystem is based chiefly on the evidence in Table III. Note the rate of growth of the number of paths with increasing dimension. The table ends at dimension 4 because it was estimated that three months of continuous computation on the UNIVAC 1107 would be required to list exhaustively the paths and circuits for the 5-dimensional pentact if the program prepared specifically to count Hamiltonians for the n-dimensional case were used.

Figure 13 - Hypercube of dimension 6 (Hexact)

Other grounds for giving the system further consideration include: (1) The routine which generates the Hamiltonian paths is relatively simple and makes but slight demands on high-speed memory. (2) If successive blocks of plaintext are encrypted and decrypted by paths which vary in pseudorandom manner, multiple anagramming as a cryptanalytic tool is defeated. (3) Different sets of paths can be dedicated to individual remote sites, thus preventing sites from reading traffic not intended for them. This capability does not exist in some current commercial systems.
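The hypercube transposition of Figures 12 and 13 and the counting behind Table III, as an added example that is not from the paper. The write-in and read-out paths are constructed here (two Gray codes on the tesseract), not the paths of Figure 12, so the ciphertext differs from REPEE PTERD CIPKI P; the Hamiltonian count reproduces the dimension-3 figures of Table III under the convention stated in the code.

```python
"""Route transposition on the n-dimensional hypercube (Figures 12 and 13)
and the Hamiltonian counts of Table III.  Added example, not the paper's
code.  Vertices are n-bit integers; a Hamiltonian path visits all 2^n of
them moving one edge (one bit) at a time, so it is a Gray code.  The two
paths used below are constructed for the example, not those of Figure 12."""


def neighbours(v: int, n: int) -> list:
    return [v ^ (1 << i) for i in range(n)]


def is_hamiltonian_path(path, n: int) -> bool:
    """Every vertex once, consecutive vertices differing in exactly one bit."""
    one_bit = all(bin(a ^ b).count("1") == 1 for a, b in zip(path, path[1:]))
    return one_bit and sorted(path) == list(range(1 << n))


def reflected_gray(n: int) -> list:
    """The standard reflected Gray code: a Hamiltonian circuit of the n-cube."""
    return [i ^ (i >> 1) for i in range(1 << n)]


def count_hamiltonian(n: int) -> tuple:
    """Directed Hamiltonian paths and circuits of the n-cube, counted once
    per starting vertex and direction; the convention under which the
    3-cube gives 144 and 96 as in Table III.  Exhaustive search: dimension 4
    (91,392 and 43,008) takes minutes in Python, dimension 5 is out of reach."""
    size = 1 << n
    paths = circuits = 0

    def walk(v: int, visited: int, depth: int, start: int) -> None:
        nonlocal paths, circuits
        if depth == size:
            paths += 1
            if bin(v ^ start).count("1") == 1:  # last vertex adjacent to the first
                circuits += 1
            return
        for w in neighbours(v, n):
            if not visited & (1 << w):
                walk(w, visited | (1 << w), depth + 1, start)

    for s in range(size):
        walk(s, 1 << s, 1, s)
    return paths, circuits


def transpose(text: str, write_path, read_path) -> str:
    """Write the text onto the vertices along write_path, take it off along
    read_path.  Both paths must cover the same vertices."""
    if len(text) != len(write_path) or sorted(write_path) != sorted(read_path):
        raise ValueError("text length and both paths must cover the same vertices")
    at_vertex = dict(zip(write_path, text))
    return "".join(at_vertex[v] for v in read_path)


def encrypt(pt: str, write_path, read_path) -> str:
    return transpose(pt, write_path, read_path)


def decrypt(ct: str, write_path, read_path) -> str:
    return transpose(ct, read_path, write_path)  # the same route, run backwards


# Constructed paths on the tesseract: the reflected Gray code for writing in;
# for reading out, the same code translated (XOR with 1010) and reversed,
# which is again a Hamiltonian circuit.
WRITE4 = reflected_gray(4)
READ4 = [v ^ 0b1010 for v in reflected_gray(4)][::-1]


if __name__ == "__main__":
    ct = encrypt("peterpiperpicked", WRITE4, READ4)
    print(ct, decrypt(ct, WRITE4, READ4))
    print(count_hamiltonian(3))  # (144, 96)
```

The exhaustive count is what the author's UNIVAC 1107 program did; the legitimate user needs only transpose(), which is linear in the block size whatever the dimension, while the analyst who lacks the path pair faces the counts of Table III.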

One advantage to the legitimate user is that he need not generate all possible paths for a hypercube of dimension (say) 20.* He need generate only a few thousand or tens of thousands, a relatively simple task. The enemy on the other hand must try all paths, and the trend of the data for dimension 20 indicates this is impossible.

* A 20-dimensional hypercube may seem to imply that the ciphertext must comprise blocks of more than a million characters each. The inference is not true because all vertices need not be filled, a complication easily programmable but which adds substantially to the enemy's work factor.

TABLE III - Hamiltonian Paths and Circuits of the n-dimensional Unit

Dimension   Hamiltonian Paths   Hamiltonian Circuits
0           0                   0
1           0                   0
2           2                   2
3           144                 96
4           91,392              43,008
5           not computed        not computed

This is where the challenge to the reader enters: What is the generating function for the number of Hamiltonian paths and circuits for the general case of the n-dimensional hypercube? A respectable amount of effort by qualified mathematicians, supplemented by inquiries by the writer, has failed to unveil it. One is tempted to suspect that for the 20-space hypercube, the number of Hamiltonian paths is of the order 10^XXX.*

A CRYPTOGRAPHIC SCENARIO

Till now, the emphasis of the paper has focused on the means available to the enemy to "read the mail" of the cryptouser. This stress may have given the user qualms about the security of his communications, an uneasiness which may have some slight justification in fact. But in practice, the defenses of the user (in the specific area of cryptography) surpass the weapons of the enemy to an overwhelming degree. (We speak here of nongovernmental users and enemies.)

Let the hypothesis be made that MSI is a large international corporation which maintains extensive digital links among many transcommunicating data banks holding information of a most sensitive nature. MSI is continually reminded of its vulnerability by the many vendors of commercial cryptosystems. But MSI's manager of telecommunications has not yielded to the suasions of any one vendor and has adopted a cryptosystem which admits not only of frequent and easy change of key but of the basic system itself.

The enemy is IPF, MSI's largest competitor and rumored to budget a sizable amount each year for industrial espionage. Regard first the probable strategy of IPF in allocating its espionage fund:

• Planting persons on MSI's payroll appears to be the tactic with the greatest potential payoff, and thus may account for the largest share of the funds available.

• Bribing MSI employees and its vendors, the tactic which judgment would seem to rank in second place, consumes another share of the budget.

• Of the money allotted to wire-tapping, bugging, and digital eavesdropping, the two former activities probably receive priority.

What resources are on hand for the manager of the IPF digital wire-tap fund? (We will grant him the knowledge of which data links carry the information of most value.)

An obvious first need is a cryptanalytic staff. The staff must be familiar not only with cryptanalysis and with the protocols of digital communication, but must also be criminally inclined. While there does exist a pool of government-trained analysts with the first two qualifications, it is unlikely they would participate in illegal activities unless they have greatly changed their lifestyles since receiving their clearances.

* In light of our previous skepticism concerning large numbers, no guarantee is implied or should be inferred regarding the security of the system based on this number alone.

But let's grant the manager his staff. Next he needs a fairly sophisticated data-processing system which stresses mass storage for recording the intercepted bit streams.

Let's grant these facilities also, though by now the manager has probably exceeded his budget, which was severely limited in the first place. What of the time and cost factors? We assume MSI keeps its lines active in the absence of genuine message traffic. Then not only is it perversely difficult to locate the (enciphered) messages themselves, it is often a stupendous task merely to identify the system in use. And by the time the key for a given message has been discovered, the plaintext may refer to a division of MSI which had been sold two weeks ago. MSI's telecommunications system, then, appears reasonably secure from cryptanalytic attack. However, this conclusion is drawn with the emphatic qualification that it pertains to the state of the art as it exists today.

It may be instructive, though, to view the situation from the eyes of MSI's manager of telecommunications. He has wisely initiated cryptographic procedures which offer high theoretical and practical security. But unfortunately he must delegate responsibility for day-to-day operations to an army of programmers, operators, and clerks. All have many admirable qualities. Also, they are variously careless, forgetful, malicious, indifferent, hurried, and possessed of all the usual failings of humanity in general. As a result, MSI's manager is frequently confronted with such situations as:

• A site transmitting in one cryptosystem to a second site currently set up to receive in another system.

• Plaintext somehow evading the cryptoroutine and going out on the line en clair.

• The same message transmitted repeatedly in the same system with but slight variation in key.

• Messages (the more important ones) vanishing in a void, never to be seen in plaintext form again.

Sometimes, the manager must yearn for an unlimited budget which would allow him to install the most sophisticated equipment available, and hire and train persons of only the highest caliber and personal integrity. The system would then work perfectly. One fervidly hopes his dream is not shattered, as shattered it might be, by the following quotation:

Security Note: I had asked that a cable from Washington to New Delhi summarizing the results of the aid consortium be repeated to me through the Toronto Consulate. It arrived in code; no facilities existed for decoding. They brought it to me at the airport, a mass of numbers. I asked if they assumed I could read it. They said no. I asked how they managed. They said when something arrived in code, they phoned Washington and had the original message read to them.[16]

CONCLUSION

Inevitably, at various places in the preceding discourse, the feisty reader has objected, "Ah, but what the writer alleges is a weakness may be offset easily by adding the X complication." Just so. But the analyst has at hand the X' countermeasure which negates or ameliorates the X factor. To which the reader may reply, "Yes, but a Y-type strategy will nullify the X' remedy, and thus be a countercountermeasure." About this time, the analyst dusts off his Y' technique, the countercountercountermeasure. And so on. The situation is reminiscent of the ECM, ECCM, ... spiral. While the cryptographic and electronic countermeasure chains may not be infinite, they appear surely to be unbounded. One must cut the cord somewhere. Here.

ACKNOWLEDGMENTS

The writer is grateful to Jon Tempas of Univac who wrote the program for counting the Hamiltonians of the n-dimensional unit, and for preparing an analysis of how, and in how many ways, the n-dimensional hypercube may be dissected into its component (n - m) hyperflats. He is also beholden to those friends in the American Cryptogram Association who unknowingly lent their noms de chiffre to some of the examples in the paper. To another group he is obligated for anecdotal material. Nor should one be neglectful of one's teachers, especially those who awakened an interest in language, even if foreign; regrettably, as a whole, these have fallen on hard times of late.

REFERENCES

1. Gaines, Helen Fouché, Elementary Cryptanalysis, American Photographic Publishing Company, 1943. Reprinted under the title Cryptanalysis, Dover Publications, New York, 1956.

2. The Cryptogram, published bimonthly by The American Cryptogram Association, Rogot, E. & E., 9504 Forest Road, Bethesda, Md. 20014.

3. Farago, Ladislas, The Broken Seal: The Story of "Operation Magic" and the Pearl Harbor Disaster, Random House, New York, 1967.

4. Friedman, William F. and Elizebeth S., The Shakespearean Ciphers Examined, Cambridge University Press, London and New York, 1957.

5. Sinkov, Abraham, Elementary Cryptanalysis: A Mathematical Approach, Random House, New York, 1968.

6. Kahn, David, The Codebreakers, The Macmillan Company, New York, 1967.

7. Girdansky, M. B., "Data Privacy: Cryptology and the Computer at IBM Research," IBM Research Reports, Vol. 7, No. 4, 1971.

8. Vernam, G. S., "Cipher Printing Telegraph Systems," Journal of the AIEE, Vol. XLV, February 1926.

9. Shannon, C. E., "Communication Theory of Secrecy Systems," Bell System Technical Journal, Vol. 28, October 1949.

10. Hill, Lester S., "Cryptography in an Algebraic Alphabet," American Mathematical Monthly, Vol. 36.

11. Hill, Lester S., "Linear Transformation Apparatus," American Mathematical Monthly, Vol. 38.

12. Davis, Philip J., The Mathematics of Matrices, Blaisdell Publishing Company, Waltham, Mass., 1965.

13. Feller, William, An Introduction to Probability Theory and Its Applications, Vol. I, 3rd ed., John Wiley & Sons, New York, 1968.

14. Twigg, Terry, "Need to Keep Digital Data Secure?," Electronic Design, Vol. 23, November 1972.

15. Meyer, C. H., and Tuchman, W. L., "Pseudorandom Codes Can Be Cracked," Electronic Design, Vol. 23, November 1972.

16. Galbraith, John Kenneth, Ambassador's Journal, Houghton Mifflin Company, Boston, Mass., 1969 (p. 115; used by permission).