Privacy and Authentication: an Introduction to Cryptography

Home , Adi Shamir, Cryptograph, Cryptosystem, Crypt (Unix), Dennis Ritchie, Don Coppersmith

PROCEEDINGS OF THE IEEE, VOL. 67, NO. 3, MARCH 1979 397 Privacy and Authentication: An Introduction to Cryptography

Invited Paper

Akmct-This paper plesenfs a tutorial introductionto contempomy Data communications are even more vulnerable than voice ayptography. The basic information li~eoreticand computational telephony because, with voice the eavesdropper lacks the properties of dadd and modern cryptographic systemsare presented, ability to discern the content of a spoken message, unless a fobwed by uyptanalytic examination of seved importantsystems costly humanmonitor is employed,but if theintercepted and an exlminrtion of the apptiation of uyptography to the security of timeduring systems and computer networks. The paper concludes material is in computer readable form (e.g., Telex), no such with I guide to the cryptographic literature. limitation is imposed. It has been reported [3, p. 7651 that for some years the National Security Agency (NSA), inits operation I.INTRODUCTION Shamrock,scanned all telegraph and Telex messages passing NTIL RECENTLY, cryptography has been of interest in and outof the United States for keywords. primarily to the military and diplomatic communities. The cost of eavesdropping should continue to decline with Private individuals and even commercialorganizations time. There is at present extensive research into speech recog- haveu rarely considered it necessary to resort to encryption for nition [4], [5], and many communications will soon be carried the protection of their communications, and those that have, on digitized packet-switched networks[6]. Electronic mail have seldom done so withparticular care. Today, however, and Electronic Funds Transfer (EFT) are being developed to several factors have combined to stimulate great interest in replace their present day counterparts, and telephone verifi- commercial applications. cation of credit data is already a reality. Electronic communications are replacing paper media in a As a result, private and commercial interest in cryptography rapidlyincreasing variety of applications. The effect of this has been rising, new papers have begun toappear, and the is bothto increase theamount and variety of information National Bureau of Standards (NBS) hasadopted a crypto- available to an eavesdropper, and to make theact of eaves- graphic system [7] to be used as the federal Data Encryption dropping easier. Fortunately the same factors which promote Standard (DES) on sensitive but unclassified data. the spread of electronic communications areproducing ,a This paper is intended as an introduction to the fascinating marked decrease in the cost of cryptography. but forbiddingsubject of cryptography. Itprovides both a Where once the nation's business was conducted either by grounding in the fundamentals anda feel for the subject to personal contact or written correspondence, it is now handled anyoneinterested either indoing cryptographic research or largely over the telephone, creating the environment for a sub- employing cryptographic security. Cryptography is currently stantial wiretapping industry.The replacement of wires by an engineering subject in which there are more facts and rules microwaves has even allowed the wireman to ply his trade of thumbthan theorems or systematic developments. The without having to tap any actual wires. Finally, the introduc- text naturally reflects this quality and, of necessity, combines tion of direct long distance dialing has made it possible to a wide variety of material. identify calls of interest even when the tap is placed a long The next section surveys cryptographicfundamentals, de- way fromthe person being spied upon, because each call is fining concepts which are used and examined throughout the preceded by a digital sequence identifying the number being paper. This is followed in Section 111 by a survey of crypto- called. graphicsystems ranging from puzzle cryptographyto the It has come tolight over the past two years that the Russians DES and the new public key systems. Section IV explores the are monitoring telephones from their embassy in Washington taxonomy of cryptographic systems, providing a framework for and their consulates in other parts of the country. Microwave classifying many of the systems given as examples in the pre- antennasintercept telephone trafficdestined forsuch vital vious section. Section V covers some practical problems of ap- places as the Capitol building, and computer programs auto- plying cryptography, while Section VI reviews various applica- matically select the conversations of interest [ 1 ], [ 21. tions.The last section contains a survey of the relevant literature. Manuscript received May 22, 1978; revised November 28, 1978. This work was partially supported by the National Science Foundation under 11. CRYPTOGRAPHICFUNDAMENTALS NSF Grant ENG 10173. A. Privacy and Authentication W. Diffie was with the Department of Electrical Engineering, Stanford University and theStanford Artificial IntelligenceLaboratory, Stan- When valuable or secret data must be stored or transmitted, ford, CA. He is now with BNR, Inc., Palo Alto, CA 94304. M. E. Hellman is with the Department of Electrical Engineering, Stan- they are frequentlyprotected physically throughthe use of ford University, Stanford, CA 94305. safes, armedcouriers, shielded cables, andthe like. As elec-

0018-9219/79/0300-0397$00.75 0 1979 IEEE 398 PROCEEDINGSIEEE, OF THE VOL. 67, NO. 3, MARCH 1979

P C SENDER ENCRYPTW SENDER _-_-______--_-_-___.._____. ___-____4 _____.._ -----I----- K K Fig. 2. The flow of informationin a cryptographic authentication Ftg. 1. The flow of information a cryptographic privacy system. in system. tronicforms of communication andstorage take over from key. The general system is aset of instructions, a piece of their predecessors, however, such measures often become in- applicable, insufficient or uneconomical, and other techniques hardware, or a computer program which is capable of encrypting the plaintext (and decrypting the ciphertext) in a variety must be employed. of ways, one of which is selected by the specific key. There Central among these techniques is cryptography: the use of is a close analogy here with a general purpose digital computer transformations of data intended to make the data useless to anda program. Thecomputer, like the general system, is one's opponents. Such transformations provide solutions to capable of a wide variety of behaviors, from which the pro- two majorproblems of datasecurity: the privacy problem, gram, like the specific key, selects one. preventing an opponent from extracting information from a More formally, a cryptographic system is a single parameter communication channel, and the authentication problem, pre- family {SK}KE of invertible transformations venting an opponent from injecting false data into the channel K or altering messagestheir so that meaning is changed. SK:9-c (2) In telephone communication the problem of authentication from a space 9 of plaintext messages to a space of ciphertext predominates, since the called party cannot determine who is C messages. The parameter or key, K, is selected from a finite calling. Eavesdropping, which requires the use of a wiretap, is set K called the keyspace. technically more difficult and legally morehazardous than It is customary to regard the general system, thatis the family calling and pretending to be someone else. In radio communi- of transformations, as public information. This is partly a cation, the situation is reversed. Eavesdropping is passive and matter of convention-that the portion that is publicly revealed involves scant legal hazard, while injection exposes the illegiti- is called the general system-and partly a reflection of a very mate transmitter to discovery and prosecution. important rule of security engineering: The security of a sys- Sometimes it is sufficient to authenticate that a message has tem should notdepend on the secrecy of somethingwhich not been modified by a third party (someone other than the cannot be easily changed if it is compromised. The general sender or receiver). At other times, it is importantfor the system is be receiver to be able to prove that he actually received the mes- usually a piece of equipment, which can replaced sage from the sender, and that he has not modified it or origi- only at considerable delay and expense, while the key is an natedit himself. Theproblem of dispute is to provide the easily changed datum such as an IBM card. recipient of a message with legal proof of the identity of the A cryptographic system is analogous to a resettable combina- sender. On channels used forelectronic funds transfer or tion lock used to secure a safe. The structure of the lock is contract negotiation, it is important to provide the electronic available to anyone who cares to purchase one. The combina- equivalent of a written signature, in order to settle any dispute tion, however, is kept secret andcan be changed whenever it is between the sender and receiver as to what message, if any, suspected of having fallen intounauthorized hands. Even was sent. thoughan opponent knows theset of all possible keys or The problems of privacy and authentication are closely re- combinations, he may still be unable to discover which one is lated and techniques for solving one can frequently be applied correct. to theother. This paper examines theproblem of privacy Despite the principle of publicity of the general system, it is first because it is the older, themore widespread, andthe still the practice of many users of cryptography to keep their systems secret. This is both because it is more difficult for an more familiar of the two. opponent to break a system with which he is unfamiliar, and B. Basic Concepts because many suppliers of cryptographic equipment are them- Fig. 1 illustrates the flow of information in a cryptographic selves espionage organizations which want to preventgood privacy system. The transmitter generatesa plaintext or un- systems from falling into the hands of their opponents. Un- enciphered message P, which is to be communicated to a legiti- fortunately, this practice has carried over into the commercial mate receiver over an insecure channel monitored by an eaves- area, making it difficult for a customer to obtain the informa- dropper. Toprevent the eavesdropper from learning the tion needed to make an intelligent choice among cryptographic contents of P, the transmitter enciphers or encrypts P with an products. invertible transformation SK toproduce the cryptogram or Since all security resides in thesecrecy of the key, it must be ciphertext C = S,(P). When the legitimate receiver obtains conveyed to the sender or the receiver over a secure key dis- C he deciphers or decrypts it with the inverse transformation tribution channel, such as courier service or registered mail, SK-' to obtain indicated by the shielded path in Fig. 1. Fig. 2 illustrateswhy a cryptographic systemcan also be si' (c)= si1(sK(P)) = .? (1) used to solve theauthentication problem. Inthis case, the the original plaintext message. opponent not onlysees all cryptograms flowing on thechannel, Thetransformation SK is chosen from afamily of trans- butcan alter them at will. The legitimate receiver protects formations known as a cryptographic system, general system, himself from being deceived by an altered or injectedmessage or merely system. The parameter that selects the individual by decrypting all the messages he receives, &d accepting only transformation to be employed is called the specific key or messages encrypted with the correct key. AND HELLMAN:DIFFIE AND AN INTRODUCTION TO CRYPTOGRAPHY 399

Any attempt by the eavesdropper either to decrypt a cryp- The cryptanalyst is sometimes in the even stronger position togram C to get the plaintext P, or to encrypt an inauthentic of being able to see the ciphertext corresponding to any plain- plaintext P‘ to get an acceptable cryptogram C’, without ob- text he chooses. His problem is to determine the key for later taining the key K from the key channel is called cryptanalysis. use in enciphering or deciphering other messages. This is a If cryptanalysis is impossible so that a cryptanalyst cannot chosen plaintext attack. It is sometimes appropriate to con- deduce P from C, or C’ from P‘ without prior knowledge of sider the cryptanalyst as being able to select either the cipher- the key, the cryptographicsystem is said to be secure. text or the plaintext at will. This is the even more powerful chosen text attack. C.Cryptanalytic Attacks For the purpose of certifying systems as secure, it is appro- The first step in assessing the adequacy of a cryptographic priate to consider the more formidable cryptanalytic threats, system is to classify the types of attack to which it may be as these not only give more realistic models of the working subjected. For this purpose we mustmake a more thorough environment of acryptographic system, but also make the examination of theinformation which may be available to assessment of the system’s strength easier. IBM used a chosen the cryptanalyst. plaintext attack in certifying the national DES [91. And, as Usually the worst circumstance from the point of view of will be shown inSection 111, many systems which were difficult the cryptanalyst is to have nothing available to him but the to break using a ciphertext only attack could have been ruled material he has intercepted, knowledge of the general system, out immediately under known plaintext attack or chosen text and some general knowledge of his opponent’s messages. This attack. may be limited to a knowledge of the statistical properties of Systems vulnerable to theless powerful attacks are no longer the language in use(e.g., in English, theletter E occurs 13 of interest in view of the ease with which systems resistant to percent of thetime) and a knowledge of certain probable chosen text attacks can now be constructed. Systems of World words (e.g., lettera probably ends “Sincerely yours,”). War I1 or earlier vintage were frequently insecure against even Although occasionally a cryptanalyst may be ignorant even of a known plaintext attack, andwere therefore subject to a cum- the language or system in use, this is the weakest threatto bersome set of signaling rules designed to prevent an opponent which a system is normally subjected, and any system which from gaining possession of correspondingplain and cipher succumbs toit must be consideredcompletely insecure. It texts. Examples were, “Never encipher the same plaintext in is called a ciphertext only attack. two different cryptosystems.” and “Never declassify a plaintext When cryptography is used to protect computer or business without first paraphrasing it.” Human nature being what it is, data,the cryptanalyst often knows substantialamounts of such rules were often broken, sometimeswith disastrous results. corresponding plaintext and ciphertext, making possible a known plaintextattack. The rigid structure of the formal D. Unconditional and Computational Security languages used inprogramming, or of data such as business There are two fundamentally different ways in which cryp- forms, guarantees thatthe opponent will knowmuch detail tographic systems may be secure. of the plaintext a priori. In some systems, the amount of information available to the The known plaintextattack is anatural extension of the cryptanalyst is actually insufficient to determine the encipher- use of probable words in a ciphertext only attack. In formal ing and deciphering transformations,no matter how much languages such as Algol, the almost certain and often repeated computing power the cryptanalyst has available. A system of occurrence of words like PROCEDURE and INTEGER provide a this kind if called unconditionally secure. close approximation to known plaintext in most cases. Diffie Even when theintercepted material contains sufficient in- and Hellman [8] describe howa known plaintext attack on formation to allow aunique solution tothe cryptanalytic the DES can be adapted to be a ciphertext only attack when problem, there is no guarantee that this solution can be found the plaintext is represented in ASCII. This is an illustration of by acryptanalyst withlimited computational resources.It how rigid structure in the underlying language may provide the then becomes the goal of the designer of a cryptographic sys- cryptanalyst with the equivalent of known.plaintext, and em- tem to make the encipheringand deciphering operationsin- phasizes the prudence of assuming that any system will be sub- expensive, while ensuring thatany successful cryptanalytic ject to a known plaintext attack. operation would be too complex to be economical. Whatis Many secret messages sentfor business purposes, press required is that the task of the cryptanalyst, though known to releases and product announcements, for example,are intended be achievable with a finite amount of computation, is so over- for subsequent public release. If such a messageis sent in a whelming as to exhaust the physical computing resources of system which is not secure against a known plaintext attack, the universe. We will call a task of this magnitude computa- then all messages encrypted in the same key will be compro- tionallyunfeasible, and the associated cryptographic system mised. In the past, users have tried to counter this threat by computationally secure. paraphrasing plaintexts which had been encryptedprior to While some unconditionally securesystems can be proven their release. In an English message, such as a press release, secure, the theory of computational complexity is at present paraphrasing introduces the danger that the meaning will be inadequate to demonstratethe computational infeasibility altered, while in a formalmessage, such as a program, it is next of any cryptanalytic problem. Cryptography is therefore to impossible. It is far better to design the cryptosystem to be forced to rely onthe less formalcertification process of secure against a known plaintext attack. subjecting a prospective cryptosystem to cryptanalytic assault While a known plaintext attack is not always possible, its under circumstances considered favorable to the cryptanalyst. occurrence is frequent enough that a system that succumbs to The onlyunconditionally secure system in common use is it is not considered secure. The NBS has accepted the known the one time tape, in which the plaintext is combined with a plaintext attack as appropriate in judging the security of its totally random key of the same length. Usually the plaintext DES. is represented as an n-bit binary string which is XoRed with a 400 PROCEEDINGS OF THE IEEE, VOL. 67, NO. 3, MARCH 1979

totally random key of the same length. As the name suggests, CRYPTANALYST this key is never reused. Even if the cryptanalyst could try deciphering under all 2" possible keys, he would merely see all 2" possible plaintexts, RECEIVER including not only the correct one, but also all other meaning- BH-JFf

fulplaintexts of the samelength. Because interceptingthe SOURCE #I SOURCE # 2 cryptogram does not allow the cryptanalyst to rule out any plaintext messages, helearns absolutely nothingexcept the Fig. 3. The flow of information in a public key system. length of the message. Shannon [lo1 analyzedunconditional security in more maining 3.2 bits are redundant, so = 3.2 bitslcharacter. detail. If the cryptanalyst has unlimited computing time, he Equation (3) thus predicts NO = 28 characters, in excellent has no need for computational efficiency, and can do a com- agreement with practice. plete'ryptanalysis by trying allpossible and keeping all methe Shannontheory approach to cryptography (i.e., meaningfulplaintexts which result* In a One time tape, all thatcryptanlystthe has computational meaningful messages Of the same length as the cryptogram resources) is usuallyassociated with a ciphertextonly attack, must be kept,but in other unconditionally securesystems known plaintext can be included as additional redundancy. If there may be a smaller number Of meaningful For a 1000 character message is interceptedand sequence of example,the cryptogram XMDA resulting from simplesub- 100 plaintext characters is known, then the total redundancy stitution on English can stand for any four letterword no with is not just 3200 bits, but letter repeated(e.g., TIME or FOUR, but notLOOK or HASH). As the amount of intercepted text increases a point may be (900 characters) X (3.2 bits/character) + (100 characters) reached at which a unique solution is possible. Shannon calls thistheunicity distance NO.onetime a tapeIn this never X (4.7 bitslcharacter) = 3350bits (5) happens and NO = 00 while in a simple substitution cipher NO is clearly finite. According to Friedman [1 J almost any because logz(26) = 4.7 bitsof information are known about simple substitution cryptogram of 25 characters or more can each of the 100 known characters. be brokenby a skilled cryptanalyst. Since thecryptanalyst Equation (3) indicates the value of data compression prior has limited computational abilities, he cannot try all 26! to encryption.Data compressionremoves redundancy thereby increasing the unicity distance. Theredundant information % 4 X 10% keys and must rely on suboptimal methods such as frequency analysis. Thus we canonly say that NO < 25 can be added after deciphering so the legitimate receiver sees characters. no difference.Perfect data compressionwould remove all Shannon provides a model for predicting the unicity distance redundancy and result in NO = 00 with any size key, but is prohibitivelyexpensive. Limited data compression tends to of a cipher, and the resultof this model often agrees with practice. According to this "random cipher" model increase security while also reducing transmission costs.

No = H(K )/D (3) E. PublicSystems Key The difficulty of distributing keys has been one of the major where H(K) is the entropy of the key (usually this is just the limitations on the use of conventional cryptographic technol- length of the key measured in bits or logz of the number of ogy. In order for the sender and receiver to make use of a keys) and D is the redundancy of the language measured in physically secure channel such as registered mail for key dis- bits per character. (e.g., in English Q is always followed by U tribution, they must be prepared to wait while the keys are so the U is redundant). sent,or havemade prior preparation for cryptographic The reader is referred to Shannon's paper I1 01 or a more communication. recent presentation by Hellman 1121 for a complete deriva- In the military, 'the chain of command helps to limit the tion,but an intuitive feel can be obtained byrewriting (3) number of user-pair connections, but even there, the key dis- as the requirement for a unique solution tribution problem has been a major impediment to the use of H(K) < ND. (4) cryptography. This problem will be accentuated in large commercial communication networks where the numberof possible H(K) represents the number of unknowns in a binary repre- connections grows as (n2 - n)/2 if n is the number of users. sentation of the key, and in a loose sense ND represents the A system with one million usershas almost 500 billion possible number of equations available for solving for the key. When connections,and the cost of distributingthis many keys is the number of equations is smaller than the number of un- prohibitive. knowns, a unique solution is not possible and the system is Section V-A discusseskey management for conventional unconditionallysecure. When thenumber of equationsis cryptographicsystems in more detail, but atthis point we larger thanthe number ofunknowns, as in (4), aunique introduce a new kind of cryptographic system which simplifies solution is possible and the system is nolonger unconditionally the problem of key distribution. Diffie and Hellman [ 151 and, secure (although it may still be computationally secure). independently, Merkle [ 16 J have suggested that it is possible Ina one time pad, H(K) =W, so by (3) NO = 00. Ina to dispense with the secure key distribution channel of Figs. 1 simple substitution, H(K)= log2 (26!) = 88.4 bits, so to and 2, andcommunicate securely over the insecure channel calculate No we mustfind D. Eachcharacter could convey without any prearrangement. As indicated in Fig. 3, two way as much as logz 26 = 4.7 bits if all strings of characters were communication is allowedbetween thetransmitter and re- possible.Since spelling and gramatical rules rule outmost ceiver, but the eavesdropper is passive and only listens. Sys- strings, in an averagesense [ 131, [ 141 onlyabout 1.5 bits tems which allow this are called public key systems, in con- of information areconveyed by eachcharacter. The re- trast to conventional systems. DIFFIE AND HELLMAN: AN INTRODUCTION TO CRYPTOGRAPHY 401

Two basic approaches have been suggested to this problem. It is possible, and often desirable, to encipher with D and In public key distribution the sender and receiver are able to decipher with E. For this reason, we will usually refer to EK agree on a key for use in a conventional cryptographic system. as the public key and DK as the private key, instead. Even though the eavesdropper hears all exchanges, he is unable In the short time since public key cryptosystems were first to compute the key, and thus cannot understand any of the proposed [ 151 several approaches have been discovered [ 171 - conversation that follows. A public key distribution system is [191. described in Section 111-K. Thesecond approach is through public key cryptosystems, which separate the keys used F. Digital Signatures for enciphering and deciphering. Examples of such systems are examined in Sections 111-L and 111-M. A seconddifficulty which haslimited the application of The reason that keys must be so carefully protected in con- conventionalcryptography is its inability to dealwith the ventional cryptographic systems is thatthe enciphering and problem of dispute.Conventional authentication systems, deciphering functions are inseparable. Anyone who has access as shownin Fig. 2, canprevent thirdparty forgeries, but to the key inorder to encipher messages can also decipher cannotsettle disputesbetween the sender and receiver as messages. If the enciphering and decipheringcapabilities are to what message, if any, was sent. separated, privacy can be achieved without keeping theen- In current commercial practice,the validity of contracts cipheringkey secret, because it can no longer be used for and agreements is guaranteed by handwritten signatures.A deciphering. signed contract serves as proof of an agreement which the The newsystems must be designed so that it is easy to holder can present in court if necessary, butthe use of generatea random pair of inverse keys E, for enciphering, signaturesrequires the transmission and storage of written and D, for deciphering, and easy to operate with E and D, documents which is a major barrier to more widespread use but computationally infeasible to compute D from E. of electronic communicationsin business. A public key cryptosystem is a pair of families {EK}KE{K} The essence of a signature is that although only one person and {DK)KE{~}of algorithmsrepresenting invertible trans- can produce it, anybody can recognize it. If there is to be a formations purely digital replacement for this paper instrument,each user must be able to produce messages whose authenticity can be EK : {MI {MI (6) - checked by anyone, but which could not have been produced DK : {MI - (7) by anyone else, especially the intended recipient. In a conventional system the receiver authenticates any message he receives on a finite message space {M}, such that: from the sender by deciphering it in a key which the two hold 1) For every K E {K}, DK is the inverse of EK. That is for in common. Because this key is held in common, however, the any K and anyM, DKEK(M) = M. receiver has the ability to produce any cryptogram that could 2) For every K E {K} and ME{M}, the values EK(M) have been produced by the sender and so cannot prove that and DK(M) are easy to compute. the sender actually sent a disputed message. 3) For almost every K E {K}, any easily computed algorithm The public key cryptosystems discussed in the previous sub- equivalent to DK is computationally infeasible to derive from section provide a direct solution to the signature problem, if EK . they satisfy condition 1 ’). Systems which almost satisfy con- 4) For every K E {K}, it is feasible to generate the inverse dition 1 ’) are also usable [ 181 . pair EK and DK from K. If user A wishes to send a signed message M to user B, he The third property allow a user’s enciphering key EK to be operates on it with his private key DA to produce the signed made public without compromising the security of his secret message S = D, (M). DA was used as A’s deciphering key decipheringkey DK. Thecryptographic system is therefore when privacy was desired, but is now used as his “enciphering” split into two parts, a family of enciphering transformations, or “signing” key. When user B receives S he can recover M by and a family of deciphering transformations in sucha way that operating on S with A’s public key EA. given a member of one family it is infeasible to fiid thecorre- B saves S as proof that user A sent him the particular message sponding member of the other. M. If A later disclaims having sent this message, B can take S The fourth property guarantees that there is a feasible way to a judge who obtains EA from the public fide and checks that of computing corresponding pairs of inverse transformations EA(S) = M is a meaningful message with A’s name at the end, when no constraint is placed on what either the enciphering or the proper date and time, etc. Only user A could have gener- deciphering transformation is to be. In practice, the crypto- ated S because only heknows DA , so A will be held responsible equipment must contain a’true random number generator(e.g., for having sent M. a noisy diode) for generating K, together with an algorithm for This technique provides unforgeable, message dependent, generating the EK-DK pair from K. digital signatures, but allows any eavesdropper to determine A system of this kind greatly simplifies the problem of key M because only the public information EA is needed to recover distribution. Each user generates a pair of inverse transforma- M from S. To obtain privacy of communication as well, A can tions, E and D. He keeps the deciphering transformation D encrypt S with B’s public key and send EB(S) instead of S. secret, and makes the enciphering transformation E public by Only B knows DB, so only he can recover S and thence M. placing it in a public directory, similar to directory assistance. B still saves S as proof that user A sent him M. Anyone can now encrypt messages and send them to the user, but no oneelse can decipher messages intended for him. 111. EXAMPLESOF SYSTEMSAND SOLUTIONS If instead of to conditions lt4) above, the set of transformations satisfy So far we have discussed cryptography abstractly with few 1 ’) For every K E {K},EK is the inverse of DK. That is for examples of specific cryptographic systems. In this section we any K and anyM, EKDK(M)= M. restore the balance by examining in detail a number of exam- 402 PROCEEDINGS OF THE IEEE, VOL. 67, NO. 3, MARCH 1979

ples representative of the variety of cryptographic systems key used in transforming the plaintext, and thus the plaintext presently or formerly in use, or of those planned for use in the itself, can be recovered from the cryptogram alone. future. In each case we will describe theoperation of the Substitutionand transposition, although of little use by system, and where possible we will outline its cryptanalysis. themselves, are important components in more complex cipher More thoroughtreatments of classical cryptanalysiscan be systems, some of which will be treated in detail later in this found elsewhere [ 201 -[ 221. section.

A. Substitution C. Polyalphabetic Ciphers The simplest encryptiontechnique: simple substitution is In an effortto defeat frequency analysis, cryptographers widely used as a puzzle. The key is a permuted alphabet (e.g., developed substitution ciphers in which several different sub- BWEKQFMWALUCONPHSIDXTRGZJ) the letters of which stitutionalphabets were used periodically to encipherthe are substituted for those of the normal alphabet. Using this message. Forexample, if 5 alphabets areused, lettersnum- alphabet: A is replaced by B, B is replaced by W,C is replaced bered 5n +i areenciphered in the ith alphabet (e.g., letters by E, etc. If word divisions are preserved, theplaintext numbered 1, 6, 11, 16, . . . are enciphered in the first alphabet). message A frequency count, either onindividual letters or letterpairs, THE QUEEN HAS GIVEN BIRTH TO A HEALTHY SIX is nowmuch flatter and provides few clues. Thisbarrier POUND BOY. blocked a general solution of polyalphabetic ciphers for over 300 years 123, p. 2071,until the appearancein 1863 of a is transformed into book by a Prussian officer, Friedrich Kasiski. DVQ HXQQO VBI MYTQO WYSDV DN B VQBUDVZ IYG Kasiski’s approach is to determine the period by first looking PNXOK WNZ. for repeated groups of three or more ciphertext letters, which usually occur due to a frequent plaintext trigram (which may As is well known to puzzle solvers, simple substitution ciphers or may not be a word by itself)such as THE(4.5-percent on short alphabets such as Roman or ASCII offer little pro- probability) or ING (1.2-percent probability), occurring twice tection to the underlying plaintext. Substitution cryptograms inthe same phase. Forexample, if theplaintext message can be solved by making frequency tables of letters, letter pairs “THEY ARE NOT THERE.” is enciphered using five alphabets, (digrams), and letter triples (trigrams). In these tables the high the two occurrences of THE will result in identical ciphertext frequencies of such letters as E and T, the low frequencies of since they are 10 = 2 X 5 characters apart. The cryptanalyst Q and Z, and the frequent association of vowels with conso- then counts the numberof characters between repeated groups. nants areconspicuous. These allow the identification of the The period will divide all these numbers,except for a few plaintext letterscorresponding to the letters in thecryptogram. that were not caused by repeated plaintext groups. Factoring Similar results may be obtained by scanning the ciphertext for thenumbers of charactersbetween repeated groups, and evidence of pattern words considered likely to be in the plain- looking for a frequentlyrepeated factor usually identifies text.Frequent words suchas “EVERY,” “THAT,” and the period rather rapidly. “LOOK” are conspicuous because of their repeated letters. The assumed period n is checked by making afrequency As the alphabet size is increased, these techniques become count on every nth ciphertext letter. This is done for each of more and more expensive to apply. If instead of ASCII with the n possible phases. If each of the n frequency counts thus its 128 7-bit characters, we hadchosen the set of all 32-bit obtained has the highly nonuniform distribution characteristic words, the compilation of a frequency table would have re- of a monoalphabetic substitution theassumed period is correct. quired an unreasonable amount of effort. Unfortunately, the This is because the periodic use of alphabets consists precisely compilation of such a cipher is also prohibitively expensive. in enciphering every nth letter in thesame alphabet. Thepermuted alphabet, like the frequency table, is232 or Once the period has been determined, the problem can be aboutfour billion wordsin length. Substitution ciphers on solved as a set of n differentsimple substitutions. Examples large “alphabets” do not, therefore, allow all possible permu- are worked out infull detail in [23, pp. 209-2131 and [20, tations, in order to limit the key to a more reasonable size. ch. 31. The DES of Section 111-1 is a good example. If a plaintext is enciphered with a periodic polyalphabetic cipher, and the resulting cryptogram is superenciphered with a B. Transposition second periodic polyalphabetic cipher with a different period, In transposition, the positions of the plaintext letters in the the period of the resulting cipher will usually be much longer message rather than the letters of the alphabet are permuted. than the period of either component. If the two periods, 81 As an example, if the above message is broken into five char- and Q2, are relatively prime (have no common factor) then the acter groups (including spaces) and the letters in each group resu1tin.g period will be 111 X 122. Cryptanalysis of such mul- rearranged according to thepermutation (i z) (i.e., the tiple loop Vigenere systems is more difficult, but can still be third character of each group is written first, the first charac- accomplished [ 241. ter is written second, etc.) the cryptogram becomes

ETQ HEU NESHG AEI NVRBHTIO A TE LAHYTS H D. Running Key Cipher IOPXDUB NXOXXY. In an effort to remove the weakness of periodic polyalpha- beticciphers, cryptographersturned to running key ciphers In the case of transpositions, frequency tables of letter pairs which are aperiodic polyalphabetics. The key is typically the and triples reveal the breakup of common letter pairs, such as name of a readily available book, together with a page, line, the T and H of THE, allowing the plaintext tobe reconstructed and column number (e.g., Proceedings of the IEEE, October by seeking permutations which rejoin them. In this way the 1976, p. 1488, line 4, column 19). To encipher the message DIFFIE AND HELLMAN: AN INTRODUCTION TO CRYPTOGRAPHY 403

“THIS MATERIAL IS ENCIPHERED IN A RUNNING KEY.” are highly probable. Calculation shows that these three pairings we write the message and the text of the book (“on a non- account for 64 percentof the occurrencesof ciphertext M. At interfering basis over the Defense Satellite . . .”) one above the the other extreme only0.1 percent of the time that ciphertext other as shown below and add them mod-26, by regarding A M occurs does it stand for thepair Q-W. The ten lowest prob asO,Basl,*--,Zas25. ability pairs (Q-W, W-Q, Z-N, N-Z, K-C, C-K, J-D, D-J, X-P, and P-X) account for only 2 percent of the occurrences of Plaintext: ciphertext M. THIS MATERIAL IS ENCIPHERED IN A RUNNING KEY. Therefore, while there are 26 possible pair substitutesfor Key : each letter of the ciphertext, and26” possible pairs of message and key to try on ann letter cryptogram, mostof these can be ONAN ONINTERF ER INGBASISOV ER T HEDEFEN SES. tentatively discarded withoutintroducing too great anerror Ciphertext: into the solution. The cryptanalyst substitutes the several highest probability HUIF ANBRKMRQ MJ MAIJPZMJSY ME T YYQRNRT CIQ. pairs that correspond to each ciphertext letter and attempts Spaces are usually deleted from the ciphertext to hinder cryp- to find adjacent pairs which have a high digram probability. tanalysis. Decryption is carried out by subtractingthe key He then tries extending this path to produce good trigrams, from the ciphertext mod-26. etc. Although a Kasiski solution is no longer possible due to the The fact that running key ciphers can be solved is proof that aperiodic selection of the 26 alphabets used (one for each of English is at least 50-percent redundant, since two n character the 26 possible values of the runningkey), Bazeries [23, p. texts(the plaintext and the running key) can be recovered 2461 solved running key ciphers in the late 1890’s. Friedman from a single n character string (thecryptogram). This ob- published a solution in 1918 [ 251 and added additional tech- servation leads to an obvious, butlittle used methodfor niques in his Military Cryptanalysis [ 221 . There are two basic strengthening a running key cipher: use two or moresuccessive approaches. Themore powerful of thetwo depends on the encipherments with differentrunning keys. Since English is cryptanalyst knowinga probable word, one which probably about 75-percent redundant [ 131, [ 141, four encipherments occurs in the plaintext. In military communications the words would be secure against all attacks. There cannot be a way for BATTALION, COMPANY, ATTACK, etc., are probable. In a the cryptanalyst to recover the plaintext since, by symmetry, message relating to bidding on oil leases, probable words are he could then also recover the four runningkeys, implying OFFSHORE, COMPETITION, LEASES, etc. Lacking even that English is at least 80-percent redundant. this, thecryptanalyst can use common words orgroups of While techniques at least as clumsy as this were often used letters such as OFTHE, TION, WHICH, etc. If a number of (e.g., see Kahn’s description of a Russian spy cipher [23, pp. probable words are tried, onewill usually produce success. 669-6701),none of themoffer its ironclad guarantee of To test for the existenceof a probable word the cryptanalyst security. It is thereforesomewhat surprising thatmultiple subtracts it from the ciphertext, mod-26, in all possible loca- running key ciphers were notmore widely used. Today, tions. If the word is present, this process produces the key they are of little value because of the availability of inexpensive, when tried at the proper location. When tried at an incorrect more easily used electronic techniques. location (and all locations are incorrect if the probable word In the limit as the number of running keys tends to infinity, is not present), the cryptanalyst findsa random looking result. the mod-26sum approaches a totallyrandom character se- Considering theciphertext in ourexample, HUIFANB . . . quence, which can be regarded as the key in a one time tape TCIQ, the cryptanalyst might use CIPHER as a probable word system. It is nowclear why the cryptanalyst is unable to learn orpartial word. Since the word ENCIPHERED did occur, anythingabout plaintext which has been encipheredwith a when the cryptanalyst subtracts CIPHER from IJPZMJ he will one time tape. If he could learn even 1 percent of the plain- obtain GBASIS. The inclusion of the word BASIS is indicative text, he could learn (by symetry) 1 percent of each key, for an of success, and the cryptanalyst then tries to extend either the infinite information gain from a finite message. plaintextor the keyin either direction (e.g., by trying INGBASIS to get ENCIPHER). When CIPHER is subtracted E. Codes off at the point just before the correct one (i.e., ciphertext Cryptographic techniques Like substitution and transposition AIJPZM) the cryptanalyst finds the key would have to have which operate on the plaintext without regard to its linguistic been YAUIVV, an impossibility. structure are called ciphers and the cryptotext they produceis Occasional false alarms will occur, especially with short referred to as ciphertext. A cryptographic system which oper- probablewords, but these will be detectedas analysis pro- ates on larger linguistic units of the plaintext, suchas words or ceeds since they will not allowreasonable extensions. It phrases, is called a code. A code usually consists of a list of should be noted that our example is too short to allow an words and phrases together with corresponding random groups easy solution and is being used solely for illustrative purposes. of numbers or letters called codegroups. Since codegroups are The second approach to solving a running key cipher is to typically shorterthan the expressions they represent, codes notethat each ciphertextletter tends to representcertain offer the advantage of data compression as well as secrecy. plaintext-keyletter pairs. In our example, ciphertext M If used properly, codes are far more difficult to break than occurs 5 times, and each time results fromthe pair I-E or other classical paper and pencil systems. There are three basic E-I. This is rather unusual, but indicative of theapproach. reasons for their success. Probably the most important is the Each ciphertext M can represent A-M,B-L, C-K, D-J,E-I, large amount of key involved. A typical ciphersystem em- F-H, G-G, N-Z, 0-Y, P-X,Q-W, R-V, S-U, T-T andthe ploys at most a few hundred bits of key. For example, the reversals thereof (i.e., M-A,L-B, etc.). It is seen that E-I, key to asimple substitution cipher is a permuted alphabet, I-E, and T-T are the only pairs’where both letters in the pair representing fewer than 90 bits, while a good-sized code book 404 PROCEEDINGS OF THE IEEE, VOL. 67, NO. 3, MARCH 1979

may containhundreda thousand or even milliona bits. As INPICTIVE LUC POSITION. LFPOSITION INDICATOR poked out byShannon [lo], the job of thecryptanalyst becomes moredifficult as redundancy is removed from the message, andcodes remove redundancy. Finally, the code operateson relatively largeblocks of plaintext(words or phrases) and thereby conceals local information which might otherwise provide valuable cryptanalyticclues. Against these strengths it must be said that the key is not well used in a code, since only a very small amount of the code book comes to bear in encoding an individual word or phrase. As aresult, codes succumb to frequencyanalysis underheavy use, andare particularly vulnerable toattack by known plaintext, whichbecomes more available the longera code is in service. Forthese reasons, codes must - be changed frequently in orderto be secure. TYPEWHEEL / ~ 1 \,&;E PIN INACTIVE Despite their success in some circumstances, codes are not PIN 26 TOOTH KEYWHEEL well adapted to modem commu~cations,because they are not Fig. 4. Essential parts of Hagelin machine. easily automated,and because the key (codebook) is not easily changed if compromised. This violates a basic security principle, and was often responsible for code failures. The six keywheels may be regarded as gears with 26, 25,23, 21, 19, and 17 teeth, respectively. Next to each tooth of each F. Hagelin Machine wheel is a pin which can be either extended or retracted. One The Hagelin C-48 machine was widely used as an American bit of key is used to set each pin, and we will use the conven- field cipher during World War 11, under its military designation tion that an extended pin correspondsto a key bit equal to 1. M-209, and is still in occasional use today (Fig. 4). We treat it Once this portion of the key has been set, the keywheels are here because it is one of the few systems whose complete de- set to theirinitial reference positions. This is facilitated by scription is public knowledge, and because its solution brings labeling the teeth ofeach gear with as many letters of the out some techniques whichare valuable in general.Our de- alphabet as there are teeth, and providing a window over each scription of the solution draws on Kahn’s outline of an attack gear that shows which teeth are active (in position to interact [ 23, p. 43 1 1, on unpublished work of Jim Reeds of the Statis- with the cage). tics Department of the University of California at Berkeley, and At the begining of the encryption process the six windows Robert Morris and Dennis Ritchie ofBell Labs [ 261, [27]. will show AAAAAA. The 6 bits which correspond to the A Wayne G. Barker [28] has recently published a book which teeth on each gear determine the first letter of the keystream. has significant overlap with these approaches. After the first character has been enciphered each keywheel Our basic approachis due to Reeds and was first implemented is rotated one position so that the windows show BBBBBB. by Morris and Ritchie. According to their results, one to two Six new bits of key (pins) come into play so the second char- thousand characters of ciphertext suffice and to a large extent acter in the keystream is independent of the first. This holds the language used in the plaintext need not be-known a priori! true for the fiit 17 characters, at which point the windows For the sake of clarity, we have simplified their technique. As show QQQQQQ. The 18th character of the keystream, how- a result, thetechnique presented here requires substantially ever, is determinedby the pins corresponding toteeth moretext. At theend of thissubsection, we indicatethe RRRRRA since the last wheelhas finished one complete nature of their improvements. revolution. Thus the 18th character of the keystream is cor- Kahn [ 23, pp. 427-431 1 gives a complete mechanical de- relatedwith the first character of the keystream. Similarly scription of the machine. For ease of understanding we delete the 19th is correlated with the second since the windows show some of the mechanical interactions which are not involved in SSSSSB. The20th is correlatedwith both the 3rd and 1st a mathematical description of the process. since the next to last gear has now also come full cycle and The M-209 combines the plaintext, character by character, the windows show TMTAC. with the keystream (a long pseudorandom sequence, derived Because 26, 25, 23, 21, 19 and 17 do not contain any com- from the key) to produce the ciphertext in a manner similar mon factors the keywheels return to the AAAAAA position to Vigenereor running key ciphers. The plaintext,the key- only after 26 X 25 X 23 X 21 X 19 X 17 a 101-million char- stream, and theciphertext are all written in a26-character acters have been enciphered. alphabet, and the plaintext P is subtracted from (rather than In most of whatfollows, wewill treatthe cage asa pro- added to)the keystream KS mod-26, to makeenciphering grammable READ-ONLY memory(PROM) holding 26 = 64 self-inverse characters.These characters are drawn from the Roman C = KS - P mod-26 alphabet, and are represented by the numbers 0 through 25. Each six bit group produced by the keywheels is transformed and into a character by using the six bits to designate a memory P= KS - C mod-26. location in the PROM and taking the contents of this location Two major components arerequired in thekeystream as output. generationprocess: the keywheels,which generate along The 1940 vintage M-209 uses a mechanical technique instead pseudorandom sequence of six bit groups and the cage, which of a PROM. This techniquerestricts the mapping in a way converts the 6-bitgroups into characters.The machine is which makes the solution easier. There are 27 bars with 2 lugs keyed by adjustments to both the keywheels and the cage. on each bar. These 2 lugs can be set to any of 8 positions. Six DIFFIE AND DIFFIE HELLMAN: ANTO INTRODUCTION CRYPTOGRAPHY 405

RBQPFFWYCXWDPPYVX Having tentatively assigned the value 0 or 1 to each of the pins on each wheel, the cryptanalyst calculates the sequence of XUBNSCLVZZQUQKYLR 6-bit patterns which would have occured for the run of cipher- IWDFYXINFVDBYWLVT text, assuming all his estimatedpin settings are correct. He also sets up 64 columns marked 000000,000001,* * , 1 1 1 1 1,1 YSXIDLUMMQNHHMDQT and as an estimated 6 bit pattern occurs he writes the corre- TWUOCHOBUUJVSYQRU spondingciphertext character in theappropriate column. If mostpin setting estimates are correct, the characters in a ZRQIURZPFFQSBCUFI column will have a frequency distribution which is close to a CUGSCNDGTXCIBBOJX reversed and shifted distribution on the plaintext (since C = KS - P) and the shift or keystream value KS corresponds to ... the PROM contents for the address specified by the column 6ig. 5. Hagelin ciphertext matrix for 17 pin wheel. heading. Errors in the pinsettings can be corrected by deciphering the ciphertext with the assumed key and noting the locations of these 8 positions line up with the 6 pins on the keywheels, of errors in the plaintext. By writing the time of occurrence and 2 positions are “inactive.” After a new 6-bit pattern has next to each error the cryptanalyst can get valuable clues as beenestablished by rotatingeach keywheel,each of the 27 to which pin settings are wrong. If the second pin on the last bars passes over these 6 pins. If either or both of the lugs on a keywheel is in error it can cause errors only at times of the bar hits an extended pin, that bar is pushed to the left (the form 17n + 2. Each of the pinshas a similar “error trace” lugs are beveled), and moves a gear connected to the printing which can be identified. For example if the only errors occur wheel which prints the ciphertext. Thus the number of bars at time 2, 12, 36, 70, 87, 90, and 116 we can identify 2,36, activated equals the shift or keystream value KS. (Of course, 70, 87 as being of the form 17n + 2 with n = 0, 2, 4, and 5; if 26 or 27 bars are activated KS = 0 or 1 since the printing and 12, 90, 116 as being of the form 26n + 12 with n=0,3, wheel has only 26 positions.) and4. This indicates thatthe second pin on the 17 tooth Although it does not affect our analysis, we note that the wheel and the twelfth pin on the 26400th wheel are in error. ciphertext alphabet is displaced one unit on the printingwheel This hypothesis can be checked by complementing these pins so that the actualvalueof KS is one less than in our description. and seeing if the deciphered text is now correct. Reeds approach makes use of the fact that the mod-26 sum In a known plaintext attack, the cryptanalyst can obtain the of twoindependent, nonuniformly distributed character portion of the keystream correspondingto theknown plaintext streams is typically not uniformly distributed. The plaintext, as being in a natural language, has a nonuniform probability dis- KS = C + P (mod-26). tribution on individual characters(e.g., in English Pr(E) = 0.1 3 while Pr(Z) = 0.001). And, since 26 does not evenly divide 64 Thesettings of pins onthe keywheels are determinedin a (thenumber ofPROM addresses) thekeystream characters manner similar to the ciphertext only case with the matrix of occur with unequal frequencies, evenif all &bit patterns occur ciphertext characters replaced by a matrix of keystream char- equally often. At best 12 letters occur with probability 3/64 acters. Once the pin settings have been tentatively identified, and 14 occur with probability 2/64. the keystream is written out in a 64-column matrix as before. If one of the six bits that enter the PROM is held constant, Now, if the pin settings are correct, each column contains a the nonuniformity of the keystream tendsto increase, and this single letter (the PROM value for that address), rather than a will be reflected in an increase in the nonuniformity of the distribution, and the process is vastly simplified. ciphertext. If the first 17 ciphertext characters are written as Ina known plaintext attack, the details of cage structure the first row of a matrix with 17 columns, the next 17 are are more important than in a ciphertext only attack. Moms written as the second row, etc.(Fig. 5), all characters in column reports that using this information, solutions can be obtained i will have been enciphered with the ith bit on the last (17 with approximately 75 characters. Consideration of the actual tooth) keywheel in the active position. If the ith and jth pins mechanical structure of the cage aids cryptanalysis.For on the last keywheel are either both 0 or both 1 then the ith example,the bit pattern 000000 alwaysproduces KS = 0, and jth columns will be drawn fromthe same distribution, since there are no extended pins. Similarly, when the bit pat- while if these bits differ the distributions will differ. Cluster tern has a single 1 not many bars will be activated, and these analysis can be used to separate the columns into two groups 6 ‘‘PROM’’ addresses will usually produce small values of KS. in such a way that all of the columns in each group aredrawn As the Hamming weight w of the bit pattern (i.e., the number fromthe samedistribution. Equivalently, we havedecided of 1’s) increases, the value of KS tends to increase. The only which pins on the last wheel are in the same position. At this exception is that when 1 11 1 11 occurs(w = 6) thevalues KS = point it makes no difference which group we assign to 0 and 0 and KS = 1 become more probable due to the possibility of which group we assign to 1since ourlater estimate of the 26 or 27 bars being activated. PROM’s contents can correct for anymislabeling of the groups, An earlier version of the M-209, known as the C-36 [23, p. although not for assigning a column to thewrong group. 4281 has only 25 bars. The folding over present in theM-209’s By writing the ciphertext in a matrix with 19 columns, the distribution was thereforeabsent and KS = 0 and1 almost cryptanalyst can perform a similar test and grouping to obtain never occurred. A later Hagelin machine, the CD-57, had the two equivalence classes for the 19 pins on the fifth keywheel. equivalent of 40 bars causing even greater foldover and tending He can then continue to obtain the equivalence classes for the to smooth out theKS distribution. remaining keywheels. While some errors may be made in these The unevenness of the keystream distribution led the Army assignments they will be caught in the nextphase. to issueguidelines for lugplacement [28, pp.198-2103 to 406 PROCEEDINGS OF THE IEEE, VOL. 67, NO. 3, MARCH 1979

CONTACTS

OUTPUT CIPHERTEXT "E" Fig. 6. The path of signal passing through a rotor. Fig. 7; A bank of rotors. ensure a more uniform distribution, but these guidelines introduce another weakness which can be exploited in cryptanalysis. Rotors can be connected one after the other in a bank in One keywheel will have a large number of lugs opposite it and such a way that a signal entering at one end will be permuted theother wheels will have successively smaller numbers of by each of the rotors before leaving at the other. The effect lugs. of this bank of rotors (Fig. 7) can be described mathematically In the extreme case, if a wheel had no lugs opposite it, it as would be impossible (and unnecessary) to recover that keywheel's pinsettings since they would have noeffect. The cryptanalyst therefore chooses the keywheel with the largest number of lugs and thus thegreatest effect, by looking for two well defined cluster distributions, and solves for its pin settings fit. He thenattacks successively harderkeywheels, making The bank of rotors is capable of implementing a large variety use of the information gained about the previously considered of different permutations as the rotors are rotated to different positions. In order to build a strong cryptographic system, the keywheels' pin settings. state of the rotors mustbe changed from character to character, Because the keystream distribution depends on w. he can much as thestate of the Hagelin machine is changed from make estimates of and indirectly of the pin settings, based w, character to character. A rotor machine consists of a bank of on his knowledge of the keystream. Whenever a larger (smaller) rotors, together with a mechanism for changing the positions than average keystream value occurs, it indicates that each of of the rotors each time a character is enciphered, along with the 6 active pins is more likely to be extended (retracted). input and output devices such as a paper tape reader and a These improvements allow known plaintext attacks to suc- printer. ceed with 50 to 100 characters of text, and ciphertext only The simplest possible rotor motion is that of an odometer, attacks to succeed with 1000 to 2000 characters of text. and was used by the German Enigma machine in World War 11. G. Rotor Machines The rightmost wheel rotates once each time a character is enciphered. When this (or any other) wheel has moved M posi- The rotor machine was the most important cryptographic tions and made one complete rotation, the wheel to the left device of World War 11, and remained dominantat least of it is advanced one place and the process is repeated. This untilthe late nineteen fifties. The M-134 or SIGABA, the process will carry the bank of rotors through all of its possible highest level American system ofWorld War 11, the British states before it ever repeats. TYPEX, andthe German Enigma were all rotor machines, The characteristics which are desirable in a pattern of rotor and undoubtedly many are still in use today. motion are straightforward but difficult to achieve with purely Thecentral component of the rotor machine is the rotor mechanical devices. or wired wheel, a disk about the size of a hockey puck which 1) The period must be long. serves to implement a cipher alphabet. Around the perimeter 2) Each change of state should be a large one, that is all or of each circular face of the disk there are M evenly spaced most of the rotors should rotate relative to each other, after electrical contacts where is the number of characters in the M each character so that few, if any, of the exponents, ji - ji-1, alphabet. If only the Roman alphabet is represented, M = 26, in (9) are zero. whereas if full ASCII were in use-M would equal 128. Each Consideration of the odometer motion shows that it is op- contact on the front face is wired to exactly one contact on timal with respect to the first property, but fails dismally with the rear face as shown in Fig. 6. An electrical signal represent- respect to the second. In order to improve this aspect of the ing a character will thus be permuted as it passes through the odometer'sperformance, each wheel can rotate more than rotor from the frontface to the rear face. once when it is moved. The period is still maximal if the dis- If the rotor is rotated from one position to another, theper- placement of each wheel has no factor in common with the mutation which it produces on anincoming signal wiu change. alphabet size M. In general this permutation can be represented as Another approach is to move each rotor one position as in p = CiRC-i the motion of the Hagelin machine. Since each of the rotors has the same number of contacts, however, this would result in where R is the implemented by the rotor in its position, is a cyclic shift through one position and an unacceptably short period of at most M for the entire machine. The usual solution is to limit the number of permitted c/ is a cyclic shift though positions. F~~example if R (A)= and the rotor is moved 3 positions (i= 3) then plaintext D stopping places of each rotor by adding a plastic outer ring on c which the stopping places are marked in some way. A rotor will be oppositethe rotor contact which used to represent plaintext A and ciphertext J will be opposite the rotor contact machine using the Roman alphabet can thus be made to move in much the same way as the wheels of a Hagelin machine as which used to represent ciphertext G and P(D) =J when j = 3. follows. The first wheel is allowed to stop in each of its 26 This is expressed algebraically as positions. The second wheel, however, is allowed to stop in P(D) = C3RC-3(D)= C3R(A)= C3(G)= J (8) only 25. Thethird can stop in only 23, and so onuntil the DIFFIE AND HELLMAN: AN INTRODUCTION TO CRYPTOGRAPHY 401

M-BIT KEY=OO 1 sixth which can only stop in 17.The period of this rotor 100 machine is now101 million, thesame as the period of the 1 10 Hagelin machine,instead of 266 309 million with odometer 11 1 motion. The loss in length of period is well justified by the m 01 1 pxc 101 gain in complexity of motion. The second property is moder- 01 0 ately well satisfied, since each of the wheels moves after the (p-l)-BlT KSJ encipherment of each character,and many can move with Fig. 8. A three-stage shift register. respect to each other. cryptographic system (theciphertext shoulddepend onthe Furtherrefinements in themotion of rotor machines are entire key), and has been present in all of the systems dis- possible, but this is primarily a question of mechanical engi- cussed thus farin this section. neering which is not of central interestin modem cryptography. Rotor machinesmay be keyed by changing any of their H. Shift Registers variables: the rotors, the order of the rotors, the number of In the provablysecure one time tape cipher, the key is a stopping places per wheel, the pattern of motion etc. Because totally random bit string which is XoRed with the plaintext, rotors are difficult to rewire, the usual practice is to supply also represented in binary form (e.g., A = 00000, B = 00001, the machine with a basket of rotors containing more rotors C = 0001 0, etc.) to produce the ciphertext. The key must be than it can hold at any one time. Primary keying is done by as long as the message and cannot be reused. In an effort to selecting therotors which makeup the basket. Secondary use shorter keys, people often think of using pseudorandom keying is done by selecting rotors from the basket, and setting bitgenerators, notablyfeedback shift registers toproduce parameters which govern the machine’s motion. long, nonrepeating, randomlike binary sequences from a The Enigma machine, used heavily by the Germans in World short key. War I1 required three rotors and, at first,a basket of only three Fig. 8 illustratesa three stage shift register. The first and rotors was issued. The order of these in the rotor bank and third stages are added mod-2 (XoRed) to produce the next their initial positions constituted part of the key. Later in the input to the register. If the key is 001, the register is started war, the number of rotors in the basket was increased to five, in thisstate (with the 1in therightmost stage) and the se- but even then there were only 5 X 4 X 3 = 60 possible ways to quence of states is shown in Fig. 8. The register goes through load the rotors. Most of the key was in the initial rotor posi- all seven nonzerostates before retuming to its initial state, tions (263 = 17 576 possible settings) and in a plugboard which 001. Because theeighth possible state, 000, loops on itself, effected a simple substitutionon the plaintext prior to its this is the longest period obtainable with a linear (in mod-2 being enciphered andon the ciphertext after encipherment arithmetic) feedback shift register, and the sequence is called (26! = 4 X 10% possibilities). a Maximal Length Shift Register Sequence (MLSRS). Cryptanalysis of rotor machines when the basket of standard As depicted in Fig. 8, the plaintext bits are XORed with the rotors is known merits further study, but is obviously simpler MLSRS bits toproduce the ciphertext. Because the XOR thanthe problem of determiningthe rotors directly. The operation is self-inverse, deciphering is carried out in the same problem of determiningthe rotors (assuming knownrotor fashion. motion) is treated by Pohlig [ 291, for a single rotor machine The period of the sequence depends on the choice of taps. under a ciphertext only attack and for a two-rotor machine If, for example, all three stages hadbeen included in the under a known plaintext attack. His approach can be general- mod-2 sum, then the period would have been dependent on ized to larger machines, the real question being therate of the choice of the initial state and would be at most four (if giowth of therequired computation as a function of the started in state OOl), and could be as small as one (if started number of rotors. It appears that modem computational aids in state 11 1). will allow thisapproach to recoverbetween threeand five As shown inGolomb [30] or Peterson and Weldon [31], rotors. for any integer value of m there is an m-stage MLSRS with Dov Andelman of Stanford University and Jim Reeds of the period 2m - 1. If m = 100 then the sequence will not repeat University of California at Berkeley are experimenting with a in 10l6 years on a 1-Mbit/s data link.Typical tap sequences maximum likelihood estimation approach in which the rotors can be found inPeterson and Weldon’s AppendixC for all are modeled as noisy “channels” whose transition probabilities values of m up to 34. Taps are easily found for much larger are to be estimated. Their results, which appear very promising, valuesofm [32], [33]. will be treated in a forthcoming paper. In our small example, the output sequence (keystream) of Therotors cannot be determinedcompletely because Ri, the register is 1001 110, after which it repeats. There are four Ri+l cannot be distinguished from R$, C-’Ri+, as shown in 1’s and three O’s, as close to an even distribution as could be (g) above. The cryptanalyst can therefore choose one wire in asked of a sequence of length 7. If successive pairs of bits are each rotor, save one, arbitrarily. Whatever error he makes in considered, there are two occurrences each of 01, 10, and 1 1 Ri will be compensated for by shifting all other wires on Ri andone occurrence of 00, again as close as possible toan a like amount, and all wires on Ri+l by the negative amount. even distribution. With an m-stage MLSRS, this equidistribu- Theencipherment of a single character dependsonly on tionproperty extends to triples,quadruples, etc. up to m- those wiring choices over which its signal travels. If two wires tuples. Because they are so evenly distributed, MLSRS’s are are interchanged which are not in this signal path, the encipher- often used as pseudorandom bitsequences in cryptosystems ment is not changed. Thecryptanalyst can therefore test which imitate the much moresecure one time tape. hypotheses concerning rotor wirings more easily. Testing one While this cryptosystem is meant to imitatethe provably contact’s wiring rules out many keys (rotors), not just one, Secure onetime tape, it is not only not provablysecure, it and is therefore much more efficient than exhaustive search is demonstrably insecure and can be broken in a few seconds of all possible rotor wirings. This is a basic weakness in a on a minicomputer. If the taps arefixed, only m bits of known 408 PROCEEDINGS OF THE IEEE, VOL. 61, NO. 3, MARCH 1919

prime), then the filtered sequence musthave a period of either 1 (which can be easily checked) or 2'" - 1. Many such values of m areknownincludingm = 2, 3, 5, 7, 13, 17, 19, 31, 61,89, BP 107,127,521,607, 1279,2203, and2281 [36, p. 501,and Fig. 9. Linear shift register with nonlinear output logic. the associated primes are called Mersenne primes. While thefiltered output sequence cannot usually be generated by an m-stage linear feedback shiftregister, it can always plaintext areneeded to recover theinitial contents of the be generated by a larger linear feedback shift register [ 371. In register. The m bits of known plaintext are XoRed with the the extreme, a 2'" - 1 stage register will always do, and often a corresponding m bits of the ciphertext to recover m bits of muchshorter one will suffice. TheBerlekampMassey algo- the keystream. These m bits give the state of the shift register rithm[371, [381 is acomputationally efficient method for at some time and, by running the register backward, its initial finding the minimal length linear feedback shift register which contents can be found. generates a sequence, and this test should be applied to ensure If the taps are part of the key, only 2m bits of known plain- that the nonlinear outputlogic is adequate in this respect [ 351. text are needed to allow rapid solution for both the taps and This test rules out some cryptographically weak sequences, but the initial contents of the register. Let s(i) be a column vector does not guarantee that there is not some other weakness. The of m 0's and 1's which gives the state of the register at time i. sequence 000000 . * .OOOl, for example, requires a shift regis- Then ter as long asthe sequence, but is clearly very weak. s(i + 1) = As(i) mod-2 (10) Some thought shows that the linear feedback shift register is acting primarily as a form of counter, and it is not clear that where A is an m X m matrix which specifies the taps. The A anything is lost by driving the nonlinear logic f with a normal matrix for the three stageregister of Fig. is 8 counter instead. This point is treated further in Section IV. Using nonlinearities in the feedback logic appears even more attractive, but the theory of such circuits is not well under- A= 10O 0 r 'I stood(at least in theopen literature) andit is difficult to guarantee long periods, good distribution properties, etc.

A is always of this form, with 1's just below the main diagonal, I. IBM's Systems and DES the tap sequencein the first row, and 0's elsewhere. A block cipher is a cryptographic system which divides the The 2m bits of known plaintext allow calculation of 2m suc- plaintext into separate blocks, usually all of the same size, and cessive bits of the keystream. To simplify notation, we take operateson each independently to producea sequence of these to be the fiist 2m bits of the keystream. We then have ciphertext blocks. s( l), which is the first m bits of the keystream;s(2), which is Themost generalpossible block cipher is one which can the second through (m + 1)th; * - ; and s(m + 1) which is the transformany possibleplaintext block into any possible last m. ciphertextblock as long as the overall transformation is We can then form the two m X m matrices invertible. If the blocks are n bits long, there are 2" distinct blocks and 2"! ways in which this can be done. The number X(1) = [s(1),42), * * * ,s(m)l of bits of key necessary to select one of these ways is thus log,(2" !) or approximately n X 2". This number is prohib- X(2) = [s(2), s(3), * * ,s(m + l)] itively large even for fairly small values of n. For n equal to which are related by 8, it requires about 2000 bits of key and for n equal to 16 it X(2) =A X( 1) mod-2. (1 1) requiresroughly a million bits. A cipher of thistype is a simple substitution cipher, and hasbeen described earlier in It can be shown that, for any MLSRS, X(l) is always nonsin- thissection. As shownthere, simple substitutionson small gular so A can be computed as alphabets can be cryptanalyzed efficiently by compiling fre- quencytables for the characters of the ciphertext, the A = X(2) [X(l)I-' mod-2. so blocks must be of substantial size if the cipher is to be secure. The matrix inversion requiresat most on the orderof m3 oper- Because of the infeasibility of doing arbitrary substitutions ations, and is thus easily accomplished for anyreasonable value on large blocks of data, cryptographers have sought restricted of m. For example, if m = 100, the m3 = 1 000 000 and a families of transformations. In 1929, Hill [ 391, proposed the minicomputerwith a 2-ps instruction time would require 2 use of linear transformationson blocks of text, but this system secondsfor the inversion. Even if m = 1000 sucha mini- is too vulnerable to a known plaintext attack for serious use computer would need only 2000 s (less than an hour) for the [ 20, ch. 41, and so more complex families of transformations inversion. (The structure of X( 1) actually allows the inversion have been developed. to be accomplished even more rapidly.) Motivatedby the growingneed fordata security in its MLSRS's can be strengthened for cryptographic applications products, IBM initiated a cryptographic research effort, con- through the use of nonlinear logic. Groth [34] and Key [351 centrating on nonlinear block ciphers, in the late 1960's. This have suggestedusing linear logic to generatea MLSRS, but workhas added greatly tothe quality of the unclassified then using a nonlinearly "filtered" version of the shift register literatureon cryptography [401- [44] andhas produced contents as the keystream, as indicatedin Fig. 9. The function several importantcryptosystems. In January1977, one of f should be chosen to have a good balance between 0's and l's, these was adopted by theNBS as the national DES [ 7 I. so that the filtered sequenceis close to evenly distributed. The IBM systems have theirroots in Shannon'sbrilliant It also should be chosen so that the filtered sequence has a 1949 paper [ 101connecting cryptography with information longperiod. If 2'" - 1 is aprime number (as 7 = 23 - 1 is theory.Shannon suggested using product ciphers to builda DIFFIE AND HELLMAN:CRYPTOGRAPHY ANTO INTRODUCTION 409

by use of a key expansion algorithm which repeats each bit of the key 4 times. Any k-bit S-box can be implemented as a 2& word memory with k-bit words. If the S-box is to be invertible then each of the words must be different. The simplest implementation of a 4-bit S-box, therefore, requires a 24 X 4 = 64-bit memory. An 8-bit S-box would require a 2’ X 8 = 2048-bit memory, and a 16-bit S-box would requirea 1 048576 bitmemory. IBM Fig. 10. A primitive system based on substitution and permutation. selected k = 4 as a compromise between cost and security. If k = 2 had been chosen, the entire system would be solvable strong system out of simple, individually weak, components. on a minicomputer in a few seconds’ time. This is because all He suggested using products of theform BIMBzM.. . B, 4! = 24 2-bit to 2-bit invertible mappings from x = (xl,x2) to where M is an unkeyed “mixing transformation” and the Bi y = (yl, y2) are affine(linear plus a constant) and can be are simple cryptographic transformations. represented in the form High speed electronic circuitry allows the product system to y =Ax @b (12) be implemented almost as economically as a single BM pair. The data are encrypted in a number of “rounds” (iterations) where all arithmetic is done mod-2. Because transposition is a each consisting of a single pair BiM and each using the same linear operation, and thecomposition of affine mappings is hardware. The output of the ith round becomes the input to affine, the useof affine S-boxes would make the overall the (i + 1)th round. A high-speed terminal operating at 120 relation between plaintext p and the ciphertext c affine, charactersls allows 67 ms for encryption of an eight character block. If each round involves 20 gatedelays of 20 ns each, c=A~p@bK. (13) then over 150 000 rounds are possible. Tape transports, disk While the key itself might be difficult to determine, crypt- drives and similar high data rate devices place more of a de- analysis under a known plaintext attack easily produces the mand on the circuitry and pipelined systems which replicate equivalent information AK, Ai1, and bK, by solving a set of the circuitry n times may be needed. For this reason IBM has linear equations. Enciphering via ( 13) ordeciphering via limited its systems to 16rounds. Although there are minor variations, all of the IBM systems p = &‘(c - bK) (14) basically use a transposition of the bits within a block for the can then be accomplished. The linear equations are obtained fixed mixing transformation M, and substitution on four bit fromasetofn+1p-cpairs,(po,co),(pl,cl),...,(c,,~,) groups of the block for the simple cryptographic transforma- by letting tions Bi. Fig. 10 shows a primitive version of such a system described by Feistel [411.The 128 bit plaintext block is P: =Pi - PO (15) broken into thirty-two 4-bit bytes, each of which is acted on ciI = ci - co (16) by a different, invertible, 4-bitto 4-bit mapping or S (for substitution)box determined bya portion of the key. The and noting that the(pi, ci) are related by the linear mapping resulting 128 bits are then scrambled by the fixed transposition c: = ~Kpi. (17) T and input to the next round.’ The transposition mixes bits from different S-boxes and is necessary to prevent the overall Letting transformation from degenerating into a substitution on 4-bit = [c;, c;, *. * (18) blocks. c , Chl Deciphering is accomplished by running the data backward, p=[PI,d,”.,Phl (19) using the inverse of each S-box. The systemas described above is difficult to implement then because of the large key required (24 words/S:box X 4 bits/ C = AKP word X 32 S-boxes/round X 16 rounds = 32 768 bits of key), because of the restriction on the key (each of the words in a and given S-box must be different, so a randomly generated key is AK = CP-’ . (20) not directlyusable), and because it does not lend itself to repeated use of the same circuitry in low speed applications Then bK can be obtained from (the key for each round may as well be stored as a set of bK =Co - A~po. (21) S-boxes). To avoid these difficulties, Feistel [41] used only two dif- With a128-bit block size, approximately(1 28)3 a2-million ferent S-boxes, So and S1, whichare publicly known. Each operations are required to compute AK and bK. A similar of theS-boxes shownin Fig. 10 is set toeither SO or S1 number of operations yields Ai’. Numerical stability is not a depending on one bit of the key. This reduces S-box memory problem in the matrix inversion because there is no roundoff requirementsto 128 bits and the key to 512 bits. An even error in mod-2 arithmetic. Assuming a 1-ps instructiontime further reduction in key size, to 128 bits, was accomplished results in 2 s for cryptanalysis when the S-boxesare affine. The moral is clear: affine mappings are to be avoided. Map- ‘The terms transposition and T-box have been used here in preference to the terms permutation and P-box used in the IBM literature. This is pings which are “close” to affine should also be avoided, and done to conform to classical cryptographic terminology and emphasize probably resulted in IBM’s not using k = 3 even though only 3 the fact that both S and T boxes represent permutations, on the alpha- percent of the invertible 3-bit-to-3-bit mappingsare affine. bet and on the bits of the block, respectively. In describing DES, however, we conform to the terminology of the standard, referring to the Furtherstudy is needed todetermine the minimum usable transposition within the f function as P. value of k. IBM apparently feels k = 4 is adequate. A larger 410 PROCEEDINGS OF THE IEEE, VOL. 67, NO. 3, MARCH 1979

I I I I I I I I I 56 bit key I I 64 bit plain text I I +, ,-, I I I left shift left shift I , . I I I I I I leftshifts I I I 1 I I +, I K, I I -1 I permuted I choice 2 I leftshifts I I I I I I I

‘1G I -c- I I I I I I I I I I I I I ti.€ bitcipher text I I I I Fig. 1 I. Data encryption standard. valueof k wouldprovide agreater margin of safety against initialpermutation (IP) the 64-bit plaintext block is broken unforeseen weaknesses, but may notbe necessary. intoleft and right-halves, LO and Ro, each 32 bits long. The The algorithm adopted as a national DES uses a different algorithm then performs 16 rounds, each of the form structure, but is still based on S and T boxes. The main difference is apparent in Fig. 11 showswhich fixed a after that Li = Ri-1 (22) DIFFIE AND HELLMAN: AN INTRODUCTION TO CRYPTOGRAPHY 411

Ri = Li-1 @f(Ri-1,Ki) (23) where @ represents componentwise addition mod-2 (XOR), Ki is a 48 bit portion of the key used in round i, and f is a function with a 32-bit output. Note that the functionf need not be inverted during decryg tion, because Li-,Ri-, can be computed from L$i as

Ri-1 = Li (24)

Li-1 @f(Li,= Ri Ki) (25) even if the function f(*,K) is many-to-one. Because the other operations are all linear in binary arithmetic, thefunction f(R,K), diagrammed in Fig. 12, is the source of all security. The 32-bit R is expanded into a 48-bit R' by repeating bits numbered 1, 4, 5, 8, 9, 12, . . * , 24, 27, 28, 32(the edge bits of each successive 4-bitbyte). The Fig. f(R, flowchart. repeatedbits are appended to the cyclically adjoining bytes 12. K) to make eight 6-bit bytes keys tried in the first and second phases of the search would be about 1014 and lo3, respectively, well below the 256 e 1017 r32rlrZr3r4r5, r4rSr617r8r9, ' * ' > r28r29r30r31r32r1. (26) required for exhaustive search. If the cluster radius could be The two 48-bit quantities R' and K are then XoRed and broken extended to 7 then each phase of the search would involve into eight 6-bit bytes which are the inputs to eight different about 3 X lo8 keys, making the algorithm useless. Error propagation is necessary, but not sufficient, to foil key cluster 6-bit-to-4-bit S-boxes (Sl, Sz, * * , Sa). The 32 output bits of the S-boxes are permuted by P and then taken as f(R,K). attacks. In order to obtain the 16 X 48 = 768 bits of K1 through Klb The expansion E and permutation P of Fig. 12 are coupled from the 56 key bits, the key is loaded into two 28-bit shift so that the four outputs from anyS-box, after going through P registers, each with 24 taps. These 48 taps provide the current and E, appear as inputs to 6 different S-boxes. This also en- 48 key bitsfor use in f(R,K). Aftereach round the shift courages rapid error propagation and foils a clustering attack. registers are cyclically left shifted to produce the next 48-bits Turning to weaknesses, we foundthat DES possesses a of key. The locations of these taps, the S-boxes, and other symmetry under complementation which allows a 50-percent details of DES are described in [7] and are not needed for the reduction in search effort under a chosen text attack. If S, cursory analysis of this paper. denotes enciphering with DES using key K then All of the operations involved in the algorithm, except the c = S,(P) (27) S-box mappings, are linear in binary arithmetic. It is therefore implies crucial that the S-boxes not be affine, or the overall algorithm - would be affine of the form F=s,- (P1. (28) c=Ap@Bk@b where X denotes thebit-by-bit complement of x. This symmetry where A, B, and b would befixed and k is the 56-bit key. is a result of (22) and (23), and of the fact that Knowledge of even one p - c pair would allow k to be com- P(R,K)=fWR @K) (29) puted as so f is invariant under complementation of R and k = B-'(c - Ap - b) K, where B-' is the pseudoinverse of B. f(R,K 1 = f (E,E). (30) Theauthors, together with R. Merkle, R. Schroeppel, L. Cryptanalysis can exploit thissymmetry if twoplaintext- Washington, S. Pohlig, and P. Schweitzer performed a pre- ciphertext pairs (PI, Cl) and (P2,CZ) are available with liminary analysis of DES [45] during August 1976. This P1 = Pz (C1 = Fz would also suffice).Under a chosen text study found that none of DES'S S-boxes are affiie, but also attack such pairs can always be obtained. Under a more normal found other structure, some of which tends to strengthen and attack,it may bethat the plaintext sequence 010101 * . is some of which tends to weaken the algorithm. Here we sent duringidle periods. Obtaining the two phases0101 . * and describe only themost important points. 1010 * . would then be sufficient. Each S-box has the property that changing any single input The search proceeds by enciphering P1 under each of the 2*' changes at least twooutputs. This produces a large, rapid keys which has a 0 as its least significant bit. If the resultant avalanche of changes if even one bit of the plaintext or keyis ciphertext C# C1 then K, thekey tried, is notcorrect. If changed, a property called error propagation, and helps foil a C # Fz, then E is not correct either. Two keys, K and E, are keycluster attack. In such an attack,the cryptanalyst fiit effectively tried with only oneencipherment. Since testing finds a key which is close to the correct key and thensearches whether C = Cz is muchfaster than an encipherment,the all keys in that neighborhood (a clusterof keys) until he fiids computational savings is very close to 50 percent. the correct one. This is much more rapid than an exhaustive We found no other weaknesses in DES which allowed us to search. For example, if a test could be devised to tell when a further reduce the search effort. However, we did finda key was correct in all but one or two positions, the number of number of questionable quasi-linear structures which lead us 412 PROCEEDINGS OF THE IEEE, VOL. 67, NO. 3, MARCH 1979

r i numberback The fed bits of can be1 anywherefrom to 64. If cipher feedback is done oneight bit characters, the maximum encryption speed will be one eighth of the block mode speed. Similarly, if cipher feedback is done on a bit basis, the maxi- C malspeed will be one64th of the blockmode speed. On the

1(5i otherhand, if cipherfeedback is doneon wholewords, there will be very little reduction in speed over block mode. Pi 4-‘ Ci Fig. 13. DES in cipher feedback mode. J. Analog Systems When voice, facsimile, or otheranalog communications must to believe thata more detailedanalysis might be able to be encrypted, this is frequently done using analog rather than reduce the search effort substantially. The reader is referred digital operations on thesignal, a technique called scrambling. to [45] for details .of these other structures. NBS and NSA It is difficult,if not impossible, to build a truly secure analog have since stated [46] that they are not aware of methods for scrambler which provides acceptable voice quality, delay etc. exploiting the quasi-linearities. Speech that has been scrambled by a stationary process using Because there are 256 or almost 1017 keys it might appear frequency domain techniques alone or time domain techniques that even a substantial reduction in search effort would leave alone can usually be understood by a persistent human listener. DES secure. For example, recovery of 10 bits of key would Even the more complex types can be broken by using Fourier cut the search effortby a factor of 1024, to a searchover 1014 analysis to reconstructthe sequence of transpositionsand keys, which is still a very large number. Unfortunately while inversions. 1014 and 1017 are large numbers, technology has progressed Brunner,Kirchhofer, and McCalmont [ 561 -[ 581present tothe point wheresearches of this size areeconomically moredetailed treatments. One can summarize the situation feasible. To facilitateexhaustive search, an LSI chipcan be bysaying that analogscramblers are notcurrently able to built [8] whichcan search one key every microsecond. By achieve the high levels of security possible with digital crypto- building a search machine with a million such chips, all search- systems, and there is some doubt they ever will.If voice or ing in parallel, lo’* keyscan be searchedper second. The some other analog signal must be conveyed with a high level entire keyspace can then be searched in lo5 seconds, which of security then it should be digitized (A/D converted) and is aboutone day. Theauthors [8] have given adetailed digitally encrypted. Analogscramblers still finda place in justification for the feasibility of this machine, and estimate the securitybusiness because of theirlower cost andlower its cost to be $20-million and the average cost per solution to bandwidthrequirements, and one reason for the military’s be $5000. push to obtainlow bit rate(2400-bitls) digitized speech This estimatehas not met with universalagreement, and [59] is to allow use of voice grade telephone lines for secure there has been much controversy about the security of DES, voicetransmission. Dial up lines arelimited to 2400-4800- particularly about the key size [47]-[ 501. Although twenty bit/sdata rates, with the higherrates requiring expensive million dollars is a large enough sum that, today, the machine modems.Reasonable quality 2400-bitls speech digitizers are could only be built covertly by a large intelligence organiza- now available but are expensive (=$lo 000) and require low tion,the authors feel thatthe steadilydecreasing cost of noise, high quality input speech. Their cost should fall mark- computer hardware will reduce this fireto an unacceptably edly in larger quantity production. small $200 000 within the decade [ 5 1 ] - [ 541. Second, there The simplest analog scramblers are frequency inverters which is no safetymargin. If 10 bits of key can be recovered the merelyinvert thespectrum of the voice signal througha prices dropto $20 000 forthe machineand $5 for each heterodyne operation. If a 300-2800 Hz filtered voice signal solution. is mixed with a 3 100-Hz tone a 2800-Hz tone is converted to A way to improve the security ofDES throughmultiple a 300-Hz tone and vice versa. The resultant speech in unintel- encipherment is described in [8] and has also been suggested ligible to a casual eavesdropper, but is easily descrambled with by IBM [55],but it would be preferable forthe standard the same device. Because there are no keys, a “cryptanalyst” itself to beimproved. If multipleencipherment, imperfect need only buy one of the scramblers to understand all that is though it is, is to be used at all it must be written into the said. More-distressingly, people can learn to understand, and standard. No suchaction seems imminent. We predict that to an extent speak, inverted speech much as if it were a new the standard will beimproved in five to ten years and that language. part of that improvement will be to use a larger key. Equip More complexband splitting scramblers break the speech ment which uses DES should be designed with this possibility into approximately five frequency bands and permute these. in mind. White 5! = 120 permutations are possible, many of these are In order to adapt the DES to applications which require the almost equivalent, and even 120 keys would allow exhaustive data to be enciphered character by character, or applications search of the keyspace with a human listener deciding when in which the data vary in length, NBS has suggested that DES the correct key is being used. Proper placement of even one can be operated in a mode called cipher feedback, as shown in of the500-Hz bands is oftensufficient for reproducing in- Fig. 13. The ith plaintext character is XoRed with a pseudo- telligible speech. randomcharacter which depends only on the key and the Rolling code scramblerschange thepermutation several previouseight ciphertextcharacters, Ci-l * Ci-*. This times per second, and also frequency invert a changing subset system is self-synchronizing and removes the need for special of the 5 bands. The sequence of inversion subsets and permu- synchronizationprotocols since a transmission error or lost tations is determined by a pseudorandom number generator charactercauses only seven additionalcharacters to bede- which uses the key as a seed. While the number of keys can ciphered incorrectly, after whichthe error propagationceases. bevery large, thesesystems are still breakable. Because the DIFFIE AND HELLMAN: AN INTRODUCTION TO CRYPTOGRAPHY 413

r------: of GF(4)),then X is referred to as the logarithm of Ythe to base a,over GF(4): PI0____oC(t) I I ?Ill

ENXRAMELER I *n(lG DEXRAMELER L------X = log, Y over GF(4),for 1 < Y < 4 - 1. (32) CHANNEL Calculation of from is easy, taking at most 2 X log2 4 Fig. 14. An analog scrambler and link. Y X multiplications. For example speech spectrum does notchange instantaneously, it is possible al* = (((a2)2)2)2*a2. (31) to track a frequency band across a transition, thus determining how thenew permutation is related to theprevious permutation. Computing X from Y, on the other hand can be much more difficult, and for certain carefully chosen values of 4 requires According to McCalmont [ 581, an even simpler approach is possible. Although there are 2’ X 5 ! = 3840 distinct encoding on the order of 4”’ operations, using the best known algo- transformations, these can be grouped into about five classes rithm [60]. with one decoder for each class. While the decoder for a class Each user generates an independentrandom number Xi will perfectly descramble only one of the encodingtransforma- chosen uniformly fromthe set of integers(1, 2, * ,4- l}. tions in the class, it will partially descramble the others to the He keeps Xi secret, but places point wheremost of the meaning can be recovered. By q=aXi mod-q (34) summing theoutputs of these five decoders and listening carefully, McCalmont says it is possible to extractabout in a public file with his name and address. When users i and j 60 to 80 percent of the meaning. wish to communicate privately they use Time division scramblersbreak the speech intoshort seg- X.X. Kii =a (35)1 modq ments and permute the segments within blocks, much as in a transposition cipher.Permuting bothtime and frequency as their key. User i computes Kii by obtaining I;. from the segments is also possible andproduces a two-dimensional public file and letting scrambler. If theduration of eachblock is longenough Kii = Y? mod 4 (36) (>lo s), and the duration of each segment short enough (GO x. x. ms), time scrambling alone would seem to produce a highly = (a l) mod 4 (37) secure system. Because the descrambled speech is delayed by - axjXi = aXixi mod 4. (38) twice the duration of a block, such long delays are impractical, and to the best of our knowledge none of the systems now in User j obtains Kij in a similar fashion use is very secure. X. Kii = Yi J mod 4. (39) Why are highly secure digital scramblers so much easier to design? Much of the answer lies in Fig. 14 which shows that Another user must compute Kii from yi and 5, for example, transmission distortion and noise affect the scrambled signal by computing c(t) before it is descrambled. While E and Dare inverse Kii = Yi(logaYi) mod 4. (40) operations, they will not undo each other unless they com- mute with the channel. Further, unless D is a linear operation Therefore, if logs over GF(4) are easily computed, the system the effect of the additive noise may be disastrous. can be broken. While no one currently has a proof of the con- Limitation to linear operations is as damaging to the security verse (Le., that the system is secure if logs over GF(4) are of any scrambler, whether analog or digital (Section 111-H and difficult to compute), neither has anyone come forth with a 111-1). Digital scramblers can largely neglect distortion and way tocompute Kii from yi and I;. without first obtaining noise because on most digital channels these cause only very either Xi or Xi. low bit error rates. Digital scramblers can therefore be highly If 4 is a prime slightly less than 2b, all quantities are rep- nonlinear and are more easily made secure. resentable as bbit numbers. Exponentiationthen takes at Aaron D. Wyner of Bell Labs has recently developed an ana- most 2b multiplications over GF(4), while taking the loga- log scrambling approach (A. D. Wyner, “An analog scrambling rithm requires 4’12 = Zb12 operations, using the best currently scheme which doesnot expand bandwidth, partI,” ZEEE known algorithm. Thecryptanalytic effort therefore grows Trans. Inform. Theory, vol. IT-25, May 1979) which appears exponentially relative to encryption or decryption. If b = 200, to overcome a number of these problems by using a time vary- at most 400 multiplications are required to compute yi from ing, distance preserving, linear operation (rotation) on an ana- Xi, or Kii from yi and Xi, yet taking logs over GF(4) hopefully log pulsetrain representation of the waveform. It uses optimal requires 21°0 or approximately 1030operations. bandwidth efficient signals (discrete prolate spheroidal wave functions)to convey the scrambledpulseheights with com- L. RSA Public Key Cryptosystem plexity comparable to a high-speed telephone modem. Discrete exponentiation hasbeen employed ina different way by Rivest, Shamir,and Adleman [ 171 toproduce a K. Public Key Distribution Systems public key cryptosystem. They make use of thefact that One public key distribution system [ 151 makes use of the finding large (e.g, 100 digit) prime numbers is computationally apparent difficulty of computing logarithms over a finite easy, butthat factoring the product of two such numbers (Galois) field GF(4) with a prime number 4 of elements (the appears to be computationally infeasible. numbers (0, 1, * * * ,4 - 1) under arithmetic modq). Let A user A selects two very large prime numbers, P and Q at random, and multiplies them together to obtain a number N. Y =ax mod-q, for 1

tively prime to N)as a2 , . . * ,a,) and an integer S, the knapsack problem is to frnd a subset of the {ai) such that the sum of the elements of @(N)=(P- l)(Q- 1). (41) the subset is equal to S. Equivalently, given a and S finda He then chooses another number E at random from the in- binary n-vector x such that a . x = S. terval 2 through @(N)- 1. This number is also made public. The knapsack problem is believed to be extremely difficult A message is thenrepresented as asequence of integers in general, belonging to a class of problems that are thought not to be solvable inpolynomial time anydeterministic M1,Mz, - - * witheach M an integerbetween 0 and N- 1 on (roughly 700 bits). Enciphering is carried out on each block computer.Some cases of the knapsackproblem are quite M using the public informationE and N, as simple,however, and Merkle and Hellman's technique is to start with a simple one and convert it into a more complex C =ME mod-N (42) form. where C represents the enciphered block. The vector u can be used to encipher a message by dividing Using the secret number @(N) user A can easily [ 6 1, vol. 2 the message into n-bit blocks xl, x2, andforming the dot p. 3 15 ex.151 calculate a numberD such that products Si =a xi. The Si form the ciphertext. Recovery of xi from Si involvessolving a knapsack problem and is thus EDmod = 1 WN). (43) believed to be computationally infeasible if a and x are ran- (If E has a common factor with @(n) then D does not exist, domly chosen. butthe algorithm will indicatethis and another E can be If the vector a is chosen so that each element is larger than chosen.) Equivalently, ED = k@(N)+ 1. Then, because the sum of the preceding elements, its knapsack problem is very simple. For example, if (I' = (171, 197,459, 1191, 2410) Xk'(N)+' =Xm0d-N (44) and Sf = 3798 than x5 must equal 1. If it were 0 then even if for all integers X between 0 aid N- 1 and for all integers k, x1 = x2 = x3 = x4 = 1, the dot producta * x would be too small. deciphering is easily accomplished by raising C to the Dth Then,knowing that x5 = 1, S' - a; = 3797 - 2410 = 1387 power mustbe a sum of a subset of the first fourelements of u. Because 1387 2 4; = 1 191, x4 must equal 1. Finally S' - u; - fl = MED = M*(N)+' = M mod&(45) 4 = 196=~; ~0x3 =O,X~= 1, andxl =O. As a very small example, supposeP = 17 andQ =3 1 arechosen This simple knapsack vector a' cannot be used as a public so that N=PQ = 527 and @(N)= (P- l)(Q - 1) = 480. If enciphering key because anyone can easily recover x from S. E = 7 ischosenthen D = 343. (7 X 343 = 2401 = 5 X 480 + 1). The algorithm for generating public keys therefore generates a If M = 2 then random simple knapsack vector a' (with several hundred components)and keeps u' secret.It also generatesarandom C = PE mod-N number m which is larger than Ea: and a random pair w, w-' = 2' mod-527 suchthat ww-' = 1mod-m. Itthen generates the public knapsackvector or encipheringkey a bymultiplying each = 128. component of u' by w mod-m Note that only the public key (E,N) is needed to encipher M. u = waf mod-m. (46) To decipher, the private key D is needed to compute When another user wishes to send the message x to A he M = mod-N computes S=a*x (47) = 128343 mod-527 and sends this to A. A uses his secret information, w-' and = 128''6 1286412816 1284 128' 128' mod-527 m, to compute = 35 256 35 101 47 128 mod-527 Sf = w-'S mod-m = 2 mod 527. = w-l Zaixi mod-ni Unless surprisingly large improvements are made in factor- = w-'Z(w a: mod m)xi mod-m ing, ormethods of inverting ME without calculating D are discovered, thissystem will remainsecure. Simmons and = Z(w-'wa; mod m)xi mod-m Norris [62] analyzed a potential method for carrying out the = Zajxi mod-m latter approach, but found that its probability of success was I too small to be of value. Rivest [63] has noted that a minor =u 'X modification to the system removes eventhis small threat. because m > Za:. Note added in proof: Michael 0. Rabin of the Hebrew Uni- For example, if the secret vectora' is as above, then w = 2550 versity, Jerusalem, Israel, hasshown that avariation of the and m = 8443, results in the public vector, u = (5457,4213, RSA scheme in which E = 2 has cryptanalytic difficultyequiva- 5316,6013,7439), which hides the structure presentin u'. lent to factoring the modulus. (Michael 0. Rabin, "Digitalized The vector u is published by theuser as his public key, while signatures and public-key functions as intractable as factoriza- the parameters w-' and m are kept secret as his private key. tion," submitted to Commun. ACM.) Theycan be used to decipherany message which has been encipheredwith his public key,by computing S' = w-'S M. Trap Door Knapsacks mod-m and then solving the simple knapsack Sf = uf . x. Merkle and Hellman [ 181 have devised a public key crypto- Thisprocess can be iteratedto produce asequence of system using a well-known problem in combinatorics known vectors with seemingly more difficult knapsack problems by as the knapsack problem. Given a vector of integers u = (a,', using transformations (wl, ml), (wz,mz), etc. The overall DIFFIE AND HELLMAN: AN INTRODUCTION TO CRYPTOGRAPHY 415 transformation is not, in general,equivalent to any single but independent of what 42 characters preceded it. (w, rn) transformation. Anotherfrequently encountered class of streamsystems The trap door knapsack system does not meet condition 1' is called self-synchronizing orciphertext autokey, and is of Section 11-E because most elements S of the cryptogram typified by the operation of the DES in cipher feedback mode space, 0 < S < Eai, do not have inverse images x. This does Fig. 13. Systems of this sortare self-synchronizing, because not interfere with the use of the system for sending private the deciphering device haslimited memory so that an er- messages, but requires special adaptation when used to produce roneousor lost ciphertext character causes only afixed signatures [ 181 , [ 641 . number of errors in the deciphered plaintext,after which IV. CRYPTOGRAPHICTAXONOMY correct plaintext is again produced. A third class of stream systemsare those whichare both A. Block and Stream Ciphers time varying and possessed of memory.The encryption of Since the plaintext to be enciphered is of arbitrary length it each plaintext character thus depends on the position of the cannot be handled all at once by a computing device of fixed character and the characterswhich preceded it. Some rotor size. As shown by the examples of the previous section it is machines were placed in this class by the addition of influence usually divided into chunks (bits, characters, or words) as is letters, specially selectedcharacters (part of the key) which the input of other translating devices such as compilers. We caused the machine to stutter in its usual motion whenever shall often refer to these chunks as characters, treating the set these characters occurred in the plaintext or ciphertext. of possible chunks as an alphabet regardless of their size, but The encryption process which is internal to the DES is also sometimes use the suggestive term block to designate a chunk of this character. In each round, the left half of the register is from an alphabet witha large size. encrypted in a fashion which depends on the right half from Block ciphers divide the plaintext into blocks, usually of a the previous round(the memory) and onthe keyschedule fixed size, and operateon eachblock independently. A which varies from round to round (the time-varying nature). particular plaintext block will therefore be carried intothe B. Cryptosystems as Finite Automata same ciphertext block each time it appears in the text. Block ciphersare therefore simple substitution ciphersand must The behavior of cryptographic processes is best studied by have large alphabets to foil frequency analysis. The64-bit viewing them as finite automata [ 301, [ 651. Using this model block size of the DES for example, represents an alphabet of is illuminating and suggests extensions of the basic block and 264 characters. stream structures. The properties desired in a block cipher are much the op- A finite automaton consists of three sets: an input alphabet posite of those desired in a systematic error correcting code. I, an output alphabet 0, and a set of states S, together with No bit of theplaintext should ever appear directlyin the two functions and an initial state so. The next state function ciphertext.Rather, each bit of ciphertext should be an in- NS maps the input and the current state intoa new state volved function of all bits of the plaintext and the key. The NS:IX S-S (48) ciphershould be designed so that changing even a single bit of either the plaintext or thekey causes approximately 50% of and the output function UP maps the input and the current theciphertext bits to change. As explainedin Section V-D, state into an output in the alphabet 0 this error propagation is usefulin authentication andmakes 0P:Ix s 0. (49) it improbable that an opponentcan make undetected modifica- - tions to encrypted data,unless he has learned the key. Thus if at time n the device is in state s, and receives an input Stream ciphers,in contrast,do not treat the incoming in, it responds by producing an output 0, = OP(i,, s,) and charactersindependently. Every characteraccepted as input going to a new state s,,~ =NS(i,,s,). Although no formal is enciphered into an output character in a manner which de- restriction is placed onthe input and outputalphabets, we pends on the internal state of the device. After each character will usually consider alphabets whose elements are n bit blocks is enciphered, the device changes state according to some rule. of data. Two occurrences of the same plaintext character will usually The enciphering device can be thought of as an automaton not, therefore, result in the same ciphertext character. Stream with plaintext as input and ciphertext as output.The key ciphers may be further subdivided intosynchronous and determinesthe next state and output functions. Similarly, self-synchronizing systems. the deciphering device is akey dependentautomaton with In synchronous stream systems the next state depends only ciphertext as input and plaintext as output. on the previous state and not on the input,so that the progres- Important classes of cryptographic systems can be identified sion of states is independent of the sequence of characters by placing suitable restrictions on the output and next state received. Such a system is memoryless, but time varying. The functions. The first distinction is between systems with only output corresponding to aparticular input depends only on one state and thosewith more than one state. (If an automaton the input and its position in the input sequence, not on the has more than one state but the next state function always characters encipheredbefore it or after it. In consequence, maps onto a single fixed value, we disregard the unused states there is no error propagation at all. Each character corrupted and say thatthere is onlyone.) In this way, cryptographic in transmission will result in precisely one erroneousdeciphered systems are divided into blockand stream systems much as character. The loss of a character, however, causes loss of error correctingcodes are divided into blockand convolu- synchronization, and all text following the loss will be de- tional codes. crypted incorrectly. If NS(i,s) doesnot depend on the external input i, the The Hagelin machine,feedback shift registers, and rotor automaton is free running or in the autonomous mode. The machines are examples of synchronous devices. The43rd state then varies with time, but in a memoryless fashion, and character in a message will be enciphered (or deciphered) in thecryptographic system is a synchronous streamsystem. a manner which is dependent on its being the 43rd character, Otherwise, theautomaton issaid to be driven. All systems, 416 PROCEEDINGS OF THE IEEE, VOL. 67, NO. 3, MARCH 1979

other than block or synchronous stream, are of this type, but COUNTER there are possibilities otherthan self-synchronizingciphers. a Self-synchronizingciphers are driven, butthe deciphering automaton has a fiite memory with respect to the influence of past characters. The automaton model shows that there are other interesting cryptographic possibilities. KS, KSi Pi - c, CHANNEL P, CI - - C. Structure of Some Synchronous Systems Fig. 15. Counter with nonlinear combinatorial output logic. Oneof the mostcommon techniques for buildinga synchronous cryptographic system is to generate a pseudorandom sequence of characters, dependent on the key, which is combined in some invertible way with the bits of the plaintext. Th$ sequence, called the keystream, must be long enough not to repeat during the life of a key, and must have most of the characteristics of statistical randomness. The Hagelin machine (Section 111-F) and some shift register systems (Section 111-H) Fig. 16. Generic form of a self-synchronizing cipher. are of this form. With a synchronous system, the known plaintext assumption is equivalent to giving the opponent access to the keystream. synchronous systems can be thought of as being of this form, For the systemto be secure it must therefore be impossible for but the complexity of such an implementation may be exces- him to derive any portion of the keystream which he has not sive. Rotor machines with odometer motion are implemented seen from the portion which he has seen. This precludes his directly in this form, and the Hagelin M-209 could be imple- being able to derive the key from which the keystream was mented this way too. (At time t, the wheel with n teeth is in generated, since if he had the key he would be able to derive position i + t mod n, where i is its initial position. It is there- any portion of the keystream that hewished. fore easy to compute the ithkeystream character from the key The period of the keystream must also be long. If it is short and i, withoutcomputing the i - 1intervening characters.) compared with the length of the message, a Kasiski solution is Algebraic study of linear feedback shift registers [67, ch. 61 possible(Section 111-D), andeven if the periodof the key- shows that theyalso allow rapid calculationof the ith keystream stream is long compared to thelength of a message, a solution character(bit), but rotor machineswith complex motions is often possible. and other complex systems (e.g., shift registers with varying If 100 messages of 200 characters each are enciphered with feedback functions) cannotbe efficiently implemented directly the Hagelin M-209 with the same key, there are only 20 000 in the form of Fig. 15. characters in the overall“message” while the M-209’s key- Aftera counter, the next simplestprocess for generating streamhas a period of over 101-million characters. But, if sequencesof very longguaranteed period is the product of the initial positions ofthe six keywheels are chosen at random, short cycles of relatively primelength. This is the basis of as theyoften are, there is asignificant probability thatat the Hagelin machine, where the short cycles were of lengths least two messages will use some overlapping portion of the 17,19, 21, 23,25, and 26,and the resultantkeystream keystream. (The “birthday problem” [ 661 shows that if more cycle was oflength 17 X 19 x 21 X 23 X 25 X 26 = 101 thanpeople choose independent random integers between million. It is also used in the multiple Vigenere systems [ 241 1 and n, there is significant probability that at least two people of Section 111-C. will pick a common number, and twenty thousand characters More complex process with very long periods include linear is approximately twice the square root of 101 million.) Such feedback shift registers (Section 111-H), and linear congruential overiaps can be detected through use of statistical tests. The random number generators [61, ch. 31. Such known period two ciphertexts can then be aligned and subtracted to cancel processes may be made more complex by introducing stutter; the keystreamyielding an easilysolved runningkey cipher detectingcertain properties of theinternal state and either (Section 111-D). pausing or skippingaccordingly. A shift register can, for Guaranteeing that the keystream is of adequate length re- example,be tapped at some number of places independent quiresconstructing a finite automaton whose autonomous of the feedback taps. A function computed on these tapped behaviorproduces a long sequence before repeating. Most places then determines how many times the register will be of the theory of free running automata is unfortunately con- cycled before its contents are again used as input to the out- fined to those whose change of state function is linear (linear put logic. This does not shorten the period unduly, and adds feedback shift registers), or at least affine (linear congruential greatly to thecomplexity of the sequence. generators, counters). Linear or affine automata produce sequences which are readily predicted and thus cryptanalytically D. Stream Systems derived from Block Systems weak (Section 111-H). They can be combined with nonlinear Asecure block system can beused to constructeither a elements,however, to producesystems of much greater synchronous or a self-synchronizing cipher system. strength. Just as Fig. 15 represents the general form of a synchronous Theoutput sequence of one of the simplest automata,a stream system, Fig. 16 represents the general form of a self- counter, hasmaximal period, but lacks theother required synchronizing cipher. The finite memory of the decoder, and properties.It is statisticallyanything but random, and from the associated limited error propagation and self-synchroniza- any portion of the output, an opponent can determine any tion are seen clearly. otherportion byinspection. To counteract this, the output Comparing Fig. 16 with Fig. 13, shows that DES in cipher canbe put through a nonlinear output transformation as feedbackmode has the form ofFig. 16,with DES’S logic shown in Fig. 15. Theautomaton model shows that all replacing thearbitrary Boolean logic ofFig. 16.Any block DIFFIE AND DIFFIE HELLMAN: AN INTRODUCTION TO CRYPTOGRAPHY 417

The above arguments cannot be viewed as a complete answer to the questionof the security of the derived systems, because, in pathological cases, it may not be necessary to recover, the key to break them. In the synchronous case, for example, if LC successive keystream characters are derived as PI1 t + $ CHANNEL I WKSL CI 1 c,- -pi KSi = aK+imodq (50)

Fig. 17. A self-synchronizing cipher derived from a block cipher. where (Y and q arepublic, thenthe keystream is easily extended using KSi+i = KSid mod-q (5 1) whereas computing the key K involves finding a discrete logarithm (Section 111-K) and is a much more difficult problem.

V. CRYPTOGRAPHYIN PRACTICE A cryptographic system requires far more than a mathematical description of the effects of the encryption algorithm on the message. It must be realized in electronichardware, Fig. 1 E. A synchronous cipher derived from a block cipher. packaged, testedfor reliability,usability, and security, and maintained in the field. In addition, keys must be distributed to all installations, and cryptography must be integrated with cipher can be used to generate a self-synchronizing system by other systems features suchas error correction. employing cipher feedback, as shown in Fig. 17, andit is natural to wonder about the relative security levels offered by the A. Key Management original block system and the derived cipher feedback system Providing for the proper distribution of keys to the senders of Fig. 17. and receivers of enciphered messages is one of the major If the blocksystem is secure against recovery of the key problems in building a working cryptographic communication under a chosen text attack, then the derived cipher feedback system. Keys must be produced and distributed not once, but system is also secure against recovery of thekey under a constantly. In some systems they must be changed with the chosen textattack. A chosen textattack against ablock passageof time, or with theamount of traffic, and in all system is equivalent to giving the cryptanalyst a cipher device systems they must be changed when they are feared com- loadedwith a key which hecannot see. He can applyany promised. Frequent key changes limit theamount of data input he wishes to either the plaintext or ciphertext port of compromised if an opponent does learn a key. Keys must be the device and observe the resulting output at the other port. provided to new users of the systemand old keys mustbe If the cipher feedback system of Fig. 17 were insecure and the retired as users withdraw. The consideration of all these cryptanalyst were trying to break the associated block system, problems forms thesubject of key management. he couldsimulate the cipherfeedback system and use its The classical militaryapplication of cryptography involves solution for the key as the solution to the block system. In onlya few independent 'sides' anda restricted flow of inthis sense, the cipher feedback system is at least as secure as formation. A colonelin one division does not need to be the block system. able to talk privately to asergeant inanother. Messages Fig. 17 canbe modified in anobvious way toproduce a normallyflow up and downthe chain of commandin a synchronous keystream system from a block system, as shown predictable pattern and are seen by a varietyof intermediaries. in Fig. 18. The initial value assumed by the counter could be Cryptographicprotection of a large, randomly accessed, 0, part of the key, ora random value sent as an indicator (Sec- communicationnetwork, like thetelephone system,has tion V-B). The initial load of the shift register in the cipher entirely different problems. It would behard to predict feedback system of Fig. 17 is not as useful as part of the key, in advance which pairs of users would wish to talk privately because of the limited error propagation atthe receiver. If on a given day and complete privacy from all other parties is only entirely correct messages were accepted by the receiver often desired. (losing the main motivationfor self synchronization),the Resorting to the predistribution of keys to all potential user initial shift register load could be eitherthe date and time pairsby some physically securechannel such as a private (to foil the playback threat discussed in Section V-C), or part courier or registered mail is clearly infeasible. A system with of the key. n subscribershas (nZ- n)/2 such pairs, andrequires almost Thecounters in Figs. 15 and 18 couldbe replaced witha 500-billion keys for a system with only a million users. Other feedback shift register (as suggested in Section 111-H) or other solutions must, therefore, be sought. generalized counter,but it is not clear whetherany real A partial solution, known as link encryption is discussed advantage is gained. While a MLSRS has more bits changing further in the next section. Each user has only one key which per"count," error propagation inthe blocksystem should he uses forcommunicating witha local networknode. The allow even single bit changes in the input tosuffice. message is decrypted and reencrypted as it passes through each The same argument used to demonstrate the security of a successive node. The compromise of anynode on the net- cipher feedback system derived from a block system can also work, however, will cause the compromise ofall messages be applied to show that if ablock system is secure against passing through it. recovery of the key in a chosen text attack, so is the derived In military networks where each node is a physically secure synchronous system of Fig. 18. NBS has approved the cipher facilitystaffed by cleared personnel,link encryption is an feedback mode of operation for DES, but has not mentioned attractive solution. It is much less attractive for a commercial the possibility of using it in synchronous fashion. network with a smaller budget whose nodes may be unmanned. 418 PROCEEDINGS OF THE IEEE, VOL. 67, NO. 3, MARCH 1979

Somecommercial networks evenplace nodes ontheir cus- problemdiscussed in SectionIV-C will lead to overlapping tomer’s property in cities where they haveno facilities of their keying sequences. own. In such an arrangement, link encryption would provide For a self-synchronizing system, the indicator is the initial little or no protection. contents of the shift register. This is chosen at random by the There is an alternative which permits the vulnerability to be transmitter and sent at thebeginning of the cryptogram. concentrated in one place rather than distributed through the A form of indicator which IBM has used with the DES is the net [681. Each user, instead of sharing a key with the local session key, a key which is used only for one “session” or con- node, shares a ‘master’ key with a special network resource versation.A session key may either besupplied by a KDC called the key distributioncenter (KDC). Whenever user A (in this case it is synonomous with a conversation key) or it wishes to converse with user 3, he contacts the KDC which may be employed by a pairof users who already hold a “master” generates a key for this specific conversation. The KDC then key in common. At the beginning of the session, the session sends this key to A, encrypted in A’s master key, and to B, key is arrangedbetween thetwo parties by using messages encrypted in B’s master key, then withdraws, allowing A and enciphered in the “master” key. After this, all traffic during B to communicatedirectly with their conversation specific that session is enciphered in the session key. key.The security of this conversationdepends only on the security of the KDC, rather than on the security of each node C. TrafficAnalysis and Playback through which messages between A and B must pass. As described in Section 11, the basic model for the applica- The security of this system can be improved substantiallyby tion of cryptographyconsists of communications which are the use of multiple KDC‘s [ 691. Each user must have several subject to interception or modification by an eavesdropper. different master keys, each of which he shares with a different If the eavesdropper can cryptanalyze the messages he receives KDC.When starting a conversation, A and B receivea con- and determine the key, he can obtain any information which versation key, properly encrypted, &om each of the KDC’s, flows in the communication system, or inject false informa- and combine all of these keys, for example by XORing them, tion at will. If he cannot determine the key, heis much more to create the key theywill actually use. For such a network to restricted in his actions, but not totally stymied. be compromised, all of the KDC‘s would have to be subverted. Insome circumstances, the mereexistence of traffic is A more satisfactory solution to thekey distribution-problem important. The pattern of messages in a communication net- is given by public key cryptography as described in Section workcan reveal theamount of businessbeing transacted 11-E andSections 111-K through 111-M. Untilpublic key between different users, the hours of peak load, the flow of systems are adequately certified and widelyavailable, however, authority, etc. The determination of such information from keydistribution will continueto beamajor problem of traffic flow is called traffic analysis. If a traffic analyst observ- cryptography. inga commercial network were to notice a sudden increase in trafficbetween a large conglomerateand a young but B. Indicators promisingcompany, he wouldsuspect thata takeover was Closelyrelated to the problem of key management is the in the planning. subject of indicators, data which are usedto vary the encipher- Since it is often impractical to reduce traffic artificially in ing and deciphering process from timeto time or frommessage order to mislead a traffic analyst, the usual practice is to add to message. An indicator is sent as part of a cryptogram and, additional traffic. This is called padding and the data added combined with the key, tells the receiver how to decrypt the arecalled pads or nulls. If dummytraffic is sentwhenever message. Indicators may be sent in clear or enciphered, and the channel is idle, the channel will appear constantly busy. mayeither be placed at the beginning of acryptogram or This techniquemust be used with care, since the costof a hiddenwithin it. In any case, thelegitimate receivermust channel often dependson the amountof traffic it carries. knowhow to locate or decipher the indicator in order to Even if the eavesdropper is unable to cryptanalyze the decipher therest of the message. system, he can record properly encrypted messages and play In using a stream cipher it is important to guarantee that no them backlater. While he cannot becertain of the results, portion of the keystream is reused, since if this were to happen hehopes this will sabotage the system.If, forexample, a the cryptanalyst might be able to locate two ciphertexts C1 telephoneauthorization for electronic funds transfer were and Cz whichhad been enciphered with the samepiece of recorded and then played back several times, it would wreak keystream KS. For a binary stream cipher, he would then be havoc with the account being debited. This threat of playback in a position to form shows that authentication procedures must establish not only tborigin, but the timeliness of messages. One way to guarantee timeliness is to employ a synchronous which is a running key cipher with P1 as the plaintext and P2 system driven by an external clock, but this requires absolute as the key (or vice versa). This could then be solved by the clock synchronization, and is inconvenient for many purposes. methods described in Section 111-D. Another is to include the date and time with each message. A similar concern applies to the M-209 Section 111-F. If the In the latter case, authentication must tie themessage together keywheelswere always started in the sameposition, for so that an opponent cannot alter a current message by sub- example, AAAAAA to encipherthe first letter,the crypt- stituting a partof an older message into it. analyst would be able to read messages by solving a derived Messages encryptedwith synchronous stream ciphers or running key cipher. Instead, for each new message the opera- cipher feedback systems are tied together in this way.With tor chooses a random initial setting (e.g., XFRLAM) for the blockciphers, however, explicit stepsmust be taken to foil keywheels and sends this as an indicator. As long as the key playback,either by setting aside information in eachblock is changedfrequently enough, this will suffice, but if too which connects it with the adjacent blocks, or by introducing much traffic is enciphered in any one key, then the birthday time variance into the system. The first technique is typified DIFFIE AND HELLMAN: AN INTRODUCTION TO CRYPTOGRAPHY 419

pn UNUSED BITS

/I \ -

CIPHER

13 Fig. 2 1. Cipher feedback on whole blocks.

L 1 Fig. 19. Block chaining.

I I

BLOCK CIPHER L ______J L ______J TRANSMITTER RECEIVER Fig. 23. External error control. Cn 1 .~ Fig. 20. Cipher block chaining. they will be deciphered, he can still hope to create confusion and disruptthe system. Automaticauthentication therefore by block chaining, which was described by Feistel [ 41 I. The requires internal error control. first block contains the date and time and,as shown in Fig. 19, If error correction, rather than just error detection,is desired a portion of each successive data block is given over to authen- then external error control mustbe used. If internal error con- tication information, which connects it to the previous block. trol is used, errorpropagation in the deciphering operation Each plaintext block contains in additionto data, a number of introducestoo many errors for the error control code to bits of the previous ciphertext block. To be considered valid, correct. If both automatic authentication and error correction a deciphered block must agree with the previous block. If a are needed, two error control codes can be used, one before 20-bit authentication field is included, the chances are only and one after encryption. one in a million that a block will mistakenly be accepted if it Some thought shows thaterror expansionin decryption, occurs outof place [ 41 I. which prevents error correction with internal error control, is Unless the blocks are very large, this technique is inefficient, necessary for automatic authentication. A synchronous stream since at least 20 to 30 bits in each block must be set aside for cipher has no errorexpansion and so provides no authentication authentication. In order to overcome this inefficiency, a tech- when used witha fixed linear errorcontrol code, since an nique known as cipher block chaining has been proposed for opponent knows which error control bits to change when he use with the DES [70]. Cipher block chaining is very similar changes information bits in the message. (The use of a keyed to acipher feedback modein which the whole block is fed or nonlinear error control codecould prevent this.) Conversely, back every time (Fig. 21). As shown in Fig. 20, each block of error correction can be implemented either internally or ex- the message is XoRed with the previous ciphertext block and ternally with a synchronous stream cipher. then enciphered prior to transmission. Because errordetection with retransmission of erroneous messages is usually moreefficient than error correction and D. Error Control because automaticauthentication is needed inmost appli- Error control codes are used in digital communications either cations, we expectinternal error control, shownin Fig. 22, to detector correct transmission errors [3 1 1, [ 71 1. Such to predominate.The advantage given to thecryptanalyst codes are usually publicly known and offer no cryptographic by his knowledge of the redundant error control bits would protection. make this scheme risky for use with any cipher which was not When cryptography and error. control coding are used to- secure against a known plaintext attack [ 181, but should be of gether, either operation can be performed first, but with dif- little concern today. ferent results. If, as in Fig. 22, the error control coding is performed first E. Operation and Maintenance then,at the receiver, decryption is preformed fiit. With a Reliability and ease of operation are crucial to the security block cipher, this method has the advantage of allowing auto- of cryptographic systems. Many systems that are secure when matic authentication of received messages because an opponent operatedproperly have been penetrated because of either does not know how to generatea cryptogram which, when mechanical failure or operator error. decrypted, will possess valid error control bits (even though he Consider, for example,a rotor machine withthree rotors does know what the modified error control bits should be). (Section 1114). Since the arrangement of therotors in the If instead the error control code is the outer code, as in Fig. machine is typically part of the key, the operator must select 23, an opponent can inject messages which will pass the error the right rotors and place them in the correct positions in the control decoder. Although he cannot know intowhat messages machine. It is easy for him to make a mistake in this process 420 PROCEEDINGS OF THE IEEE, VOL. 67, NO. 3, MARCH 1979 and insert one rotor correctly, but interchange the other two, Cryptographic equipment, like any other computing equip- resulting in an incorrectly encrypted message which cannot be ment is prone to radiationleakage resulting from the short decrypted properly by the receiving station. When the receiver pulses employed. Since radiation~leaking from a cryptographic sends back a message saying so, the operator has the oppor- device can be picked up and analyzed for useful information, tunity to make a very serious mistake. He can correct the error it is necessary to shield the equipment very carefully against in rotor position and retransmit the message. If he does so, he both conductive and radiative losses. Techniques for prevent- will put a pair of cryptograms into the handsof his opponents ingsuch losses areknown in the military by theterm whose underlying plaintexts are identical and whose keys differ TEMPEST. only by an interchange of rotors. Furthermore, the opponents The fit step in the shielding process is a careful division of may recognize that this is what has happened from their ob- the device into red and black regions, that is secure regions in servationof thetraffic pattern and their knowledgeof the which plaintext is present and insecure regions in which only machineand theerrors to which its operation is prone. An ciphertext is present. The design must guarantee that all data error in the operation of a system which allows a cryptanalytic paths between red and black are known, and that these data break is called a bust. paths are protected,(for example with optical isolators) to To avoid such errors, the operator is instructed to encipher, insure that only the intended datatravel along them. but not transmit, a test message, such ‘AAAAAAAAAAas . . .’, An opponent may also mount an active tempest attack by prior to enciphering any real traffic. Some portion of the re- transmitting high energy radiation at a communications node, sultingcryptogram is thencompared witha correctly enci- while monitoring its output, in hopes of gaining information phered version included with the keying material. This tech- about its internal state. nique is called a letter check. A 26 letter check was used with Similar attention must be paid to leakage of sound, light, the Hagelin machineand a 36 through48 letter check was or any other potential carrier of information. Sound is a less used with some rotor machines. seriousproblem with purely electronic machines thanwith Returning to a three rotor machine, there is another possi- electromechanicalones. Rotor and Hagelin machines, for bility that mayweaken itsubstantially: a failure of the example,are both susceptible to analysis of theirmotions mechanism which moves one of the rotors could reduce the when the sound of their operations is overheard. effective number of rotorsto two. This indicatesthat me- If cryptographic equipment is to be placed in an unguarded chanical failure can be as disastrous as operator error. area, it must be packaged in a container that protects againstit In modem systems human failures are minimized by auto- physical tempering. Such a container must be made resistant mating encryption and making it as transparent to the user as to surreptitious entry, without interfering with either cooling possible. The details of key setup, selection of indicators etc. or shieiding requirements. In order to prevent the surreptitious are handled by the machine. extraction of the key, devices are included that reset the key In order to achieve high levels of reliability inmodem to zero if the container is opened or if tampering is detected. cryptographic equipment, encryptionis often done in duplicate. Physical and electronic security measures for use with DES Only if the outputs of two independent encryptiondevices are are the subject of a new federal standard [ 721 which is still identical will the cryptogram be transmitted. This is coupled under development. with a careful analysis of the effects of failures, to guarantee A cryptosystem is of no value if a person, authorized to have that no single failure can result in loss of system security. If a access to plaintext documents, sells or otherwise divulges them. failure is detected, the equipment shuts itself off to prevent Personnel security is the obvious fitline of defense and audit insecure transmissions. trails [ 73 1 , which record every accessto sensitive information, provide a valuable second line. Authorized personnel hesitate to access information not needed for their assigned tasks for F. Integration with Other Security Measures fear they will be discovered during an audit. If every access of Tooffer a high degree of security,cryptography must be anincome tax return wererecorded it is probable that the employedincoordination with other security measures. illegal uses of this information brought out during the Water- Effective communication security requires that an opponent gateinvestigations would not haveoccurred. In addition, a be preventedfrom bypassing the cryptanalytic problem by computer can be programmed to look for unusual activity on either intercepting unintended leaks of radiation, or physically the part of a user orof a fie, and to print out wamings. violating thecryptographic equipment. In addition, the use of data by authorized personnel must be monitored. G. Certification The output of an electronic encryption device is a sequence Certification of securitysystems has always been fraught of pulseswhich represent abstract zeroes and ones.In any withunseen hazards. Designers of systemshave often over- electronicequipment such pulses must conform to certain lookedweaknesses, which were laterfound by opponents. standards so they can be recognized by otherparts of the The success of the opponent can result from a larger budget, system; in cryptography, there is the additional requirement a cleverer staff, better luck, or a fresh pointof view. that pulses representing the same value must be as uniform as We expect that provably secure systems will be developed as possible. The output of an imperfect XOR gate, for example, computer science progresses, but until that time, the current may allow an opponent to distinguish not just two types of process of certification by mock attack will remain the most signals, but four: those corresponding to 0 @ 0, 0 @ 1, 1 0, reliable test of a system’s strength. and 1 @ 1. Although 0 @ 1 should produce the same output Certificationalattacks should give theattackers a much as 1 @ 0, if the two waveforms can be distinguished, even a greater advantage than is expected in practice. This provides one time tape system using this gate could be broken by an both aconservative measure of securityand an economic opponent who carefully examined the waveform representing lever. That is, if a small-scale certificationalattack is not theciphertext. Even this extreme casehas occufred [23, p. successfulunder extremely favorablecircumstances, then a 7 141, and substantially more subtle failures are possible. larger scale attack by an opponent will probably not succeed DIFFIE AND HELLMAN: AN INTRODUCTION TO CRYPTOGRAPHY 421

if carried outunder more usual, less favorable,conditions. key. To gain access to an encrypted file, without resorting to Use of the chosen text attack in certificationis one method of cryptanalysis, the system programmers would have to place a providing such leverage. Another is to assume the attackers tap in the system which could copy the plaintext file while it know some of the key as well. was being processed. This action would be more difficult, Contrary to common practice, it is desirable for the design, more likely to be observed, and thus less likely to succeed. including any underlyingprinciples, to be published. An at- Encryption also frees the system managers from any moral tempt to keep the design secret is likely to guarantee only that dilemma associated with surrendering a user’s data in response the designers will be unaware if the system is broken by oppo- to a subpoena. They may surrender encrypted data without nents who have obtainedit surreptitiously. If the design is fear of compromising its owner,and therebyprotect them- published, especially if a reward is offered for its solution, it selves from citation for contempt. Any effective legal demand is much more likely that the manufacturer will learn if it is for the data must, as it properly should, be levied against the broken.Systems with interestingmathematical structure data’s owner. have a built in reward, since the solution is publishable and Cryptography cannot replace standard file protection mea- will bring prestige to itsdiscoverer. sures but, properly integrated into system functioning, it can If a system is in use by many organizations, it may even be greatlyincrease the overall security of the system. A file is economical to offer a larger reward than any onesolution most vulnerable during the long periods when it resides idly would produce through illegal use. If a thousand organizations on disk ortape. If the file is encryptedat suchtimes, an were to offer a thousand dollars each in a pooled reward, each opponent can only compromise it during the brief periods would carry only a small risk and yet could feel safe protecting when it must be converted to plaintext for processing. a million dollars worth of information, because an opponent In order for encrypted fides to be processed conveniently, rarelyknows how to use a solution against morethan one thecryptographic system must be integrateddirectly into target. the fide access mechanism in such a way that excessive encryption and decryption times are avoided. On read access, exces- VI. APPLICATIONSOF CRYPTOGRAPHY sive decryption may seriouslyslow down systemresponse. A. Timesharing Systems When a file is modified, however, a delicate balance must be Most of the study of timesharing system security has been maintained between the inefficiency of reencrypting the entire devoted to noncryptographic techniques [ 741 -[ 761. There file and the danger that the opponent will learn which part of are, however, several ways in which cryptography can augment the file has been changed, even though the precise change may other protection measures in a timesharing system, particularly be unknown. in the areas of data storage and authentication. Another majorapplication of cryptography to computer In the usual authentication procedure for computer login, security lies in the protection of secondarystorage, such as the computer demandsa password from the user and compares tapes and disk packs. Encrypting the contents of such port- the response with an internal password table. It is vital that able memory devices, protects them from being read on drives the internal table be extremely well protected since anyone otherthan those on which they were written. In this way who gains access to itscontents can impersonate any user their security may be brought under the control of the system perfectly. and an opponent prevented from bypassing system security by This threat can be countered by using a oneway functionf, means of physical theft. This also lowers the cost of providing a function which is easy to computein one direction, but backup against physical destruction. Encrypted backup tapes computationally infeasible to compute in theother [ 151, may be prepared in duplicate and stored at remote locations [ 771, [ 781. The passwords are “encrypted”and only the without being guarded, while each copy of an unencrypted images of the passwords, under f, rather than the passwords tape must be guarded at considerable expense. themselves, are stored in the password table. The system can Ideally, each disk or tape drive would be equipped with its now judge the validity of a login request by operating with own cryptographic device and its own key. This key is unique the function f on the password given by the user before com- and is neither transmitted nor shared with other devices. The paring it with the table. An opponent who steals the password encryption is completely transparent: all data stored on the directorycannot use thisinformation to impersonateother tape or disk is automatically encrypted in this key, andall data users, because the image of a password is not a password, and read is automatically decrypted. The physical theft of a tape inverting f to find the password is computationally infeasible. would not,therefore, entail the theft of theinformation it For a function tobe truly oneway, it must have a large domain, contained. so this technique is secure only with large passwords. It is the most widespread computer security applicationof cryptography B. CommunicationCryptography to date. Communication between the computer and a remote user is An obvious application of cryptography to computers is the currently one of the most vulnerable aspects of a computer protection of files by encryption. This presents manyprob- system. In order to secure this, cryptographic equipment must lems and,although many timesharing systems have crypto- be built into theuser terminal, and suitable protocols developed graphic programs available, no system known to the authors to allow the computer and the user to recognize each other offers a satisfactory implementation. The proper integration upon initial contact and maintain continued assurance of each of file encryption into system functioning will probably await other’s identity [41], [ 791. the advent of machines with built in enciphering hardware. Password logins are vulnerable to eavesdropping, even when Avirtue of cryptographic file protection is the degree to a one-way function is used toprotect the password table. which it frees the user fromthe need totrust the system Therefore, when the computeranswers the user’s login request, managers. Noncryptographic protection measures can always it should initiate the conversation by sending the user a chal- be bypassed by the system authorities. With cryptographic lenge which is guaranteed never torepeat, for example the protection, however, the systemneed notknow the user’s date andtime. Theterminal receives the challenge and en- 422 PROCEEDINGS OF THE IEEE, VOL. 67, NO. 3, MARCH 1979 crypts it under a key supplied by the user. The computer also End-to-end encryption using conventional cryptosystems knows this key and can authenticatethe user’s identity by also has the disadvantage of requiring a key to be exchanged comparing this response with a correctly encrypted version of securely betweeneach pair of users who wish to communi- the challenge. Because the key itself is never sent, an eaves- cate. With link encryption, each user needs only one key for dropper must cryptanalyze the system in order to impersonate communicating with his local node. a user. Once the user’s identity has been established, the user’s VII. SELECTEDBIBLIOGRAPHY specific key can be used to encrypt all further transmissions. Because the user’s login request is sent to the system in clear, The following bibliography is intended to provide the inter- a traffic analyst can observe the user’s identity. It is possible ested reader with a guide to the open cryptographic literature. to avoid any exchange in clear at the expense of greater login Unfortunately, although this literature is extensive, it is frag- overhead. When thecomputer receives theencrypted chal- mentary,frequently hard toobtain, and highly variable in lenge, it decrypts the response under each of the keys in the quality. We have listed an assortment of both the best crypto- user key table until one is found which produces the original graphic work and some of the more readily available. challenge as plaintext. The cryptographic literature has recently been enriched by This protocol allows the user to convey his identity to the the appearance of both a new press computer without ever having to transmit it in clear. A traffic Aegean Park Press analyst observing the interchange would probably recognize P.O. Box 2837 it as an initial connection, but would be unable to learn the kgUM Hills, CA 92653 identity of the user. and a new journal This challenge and response procedure may be combined Clyptologia with the use of one-way functions to offer both protection Albion College against eavesdropping and against the possibility that com- Albion, 49224. promise of system-passwords will permit forged logins. MI Both problems can be solved at once by the use of public The Aegean Park Press has concentrated on reprinting classic key cryptography.The user transmits a login requestcon- works in cryptography, whichhas made out of print works taining both his name and the date and time, encrypted first available again. Cryptologia is a journal devoted to all aspects in his own private key and then in the system’s public key. of cryptography. It has published articles ranging from history The system fiit decrypts this using its own private key then, and biography to technical details of public key cryptography. acting onthe basis of an internal header giving the user’s The bibliography has been divided into sections by subject, name, transforms it using the user’s public key to check its andthe subjectshave been arranged alphabetically. Items authenticity.The activities of trafficanalysts are foiled, which straddledmore than one category have been placed because the header is encrypted in the system’s public key. according to theirmost central themes. In some places this Safety against compromise of system password tables is has been a close decision, and the reader interested in appli- also provided because there are no secrettables of user cations will want toconsult some of the papers on system passwords in thesystem, onlypublic tables of users’ implementation andvice versa. public keys. A. AnalogScrambling Cryptography is even more important in teleprocessing net- E. R. Brunner, “Efficient speech scrambling: An economic solution to works than in timesharing systems. The most important data thesecure voicecommunication problem,” in Rec. Znt. Conf.Com- paths in a timesharing system are centralizedand can therefore municationsEquipment and Systems (-ton,Sussex, London, be physically protected.In a geographically distributednet- England, pp. 336-339, June 8-1 1,1976. work, by contrast, data vital to system functioning must be Kirk H. Kirchhofer,“Secure voice communication-Cryptophony,” transmitted over communication links whose physical protec- Znt. Defense Rev., vol. 9, pp. 761-767, May 1976. tion would be uneconomical. For such a network to function A. M. McCalmont,“Communication security for voice4echniques, systems, and operations,” Telecommun., pp. 35-42, Apr. 1973. securely, therefore, these links must be protected cryptograph- A. M. McCalmont, “How to select and apply various voice scrambling ically. techniques,” Commun News, pp. 34-37, Jan. 1974. There are two basic ways in which cryptography can be ap- Aaron D. Wyner, “An analog scrambling scheme which does not expand plied to networks, depending on whether encryptionis regarded bandwidth, part I,” ZEEE naris. Inform. Theory, vol. IT-25, May 1979. as a responsibility of the net ora responsibility of the users. In A promising new approach to analog scrambling using n-space rota- tions of vectors of sample points as the keying elements, and discrete link encryption a message passed along the net is decrypted prolate spheroidal wave functions to encode the signal in an optimally and reencrypted at each node through which it passes. This bandwidth efficient manner. allows all data flowing on the links, even the address informa- B. Applications tion, to be encrypted. Since the dataare decrypted ateach node, they are available in clear for the node to decide where Paul Baran, “On distributedcommunications: IX. Security, secrecy, and tamper-free considerations,” The Rand Corporation, Santa Monica, to forward them. CA,RM-3765-PR, Aug. 1964. (Reprinted in Lance J. Hoffman, Ed. An alternative to link encryption is end-to-end encryption, Security and pn‘vocy in Computer Systems. Los Angela, CA: Melville Publ., 1973, PP. 99-123.) in which a message is encrypted at its source and decrypted This is a fine discussion of the appiication of stream cryptography to only at its final destination. This has the advantage that the computernetworks. It is part ofa series of papers whichlaid the dataare protectedthroughout their entire journey and will foundations for packetized computer networks. not be compromised if a node hasbeen subverted. End-to- D. K. Branstad, “Securityaspects of computernetworks,” in Rec. AZAA ComputerNetwork Systems Con5 (Huntsville, AL), AIAA end encryption byitself, however, does not permit message Paper no. 73-427, Apr. 16-18, 1973. addresses to be encrypted ina storeand forward network, Dennis Branstad, “Encryption protection in computer data communi- aseach nodethrough which the message passes must have cations.”in Roc.4th Data CommunicotiomSymp. (QuebecCity, access to the addressin order to decide how to forward it. Canada), Oct. 7-9, 1975. A ND HELLMAN: AN INTRODUCTION AN HELLMAN: DIFFIE AND TO CRYPTOGRAPHY 423

Ehud Gudes, Harvey S. Koch, and Fred A. Stahl, “The application of Governmentfor Germany, Field Information AgenciesTechnical, cryptographyfor data base security,”in Roc. Nat.Computer Conf. Wiesbaden, Germany, pp. 233-257, 1948. (Translated by B. Hardie in (New York, June7-10, 1976), pp. 97-107,1976. two parts, Cryptologia, vol. 2, pp. 20-37, Jan. 1978 and Cryptologia, Steven T. Kent, “Encryption-based protection protocols for interactive vol. 2, pp. 101-121, Apr. 1978.) user-computer communication,” M.I.T. Lab. Computer Science, Tech. This paper describes some of the systems attacked by the German Rep. 162, May 1976. cryptanalysts and discusses their successes and failures. This thesis developes protocols for the use of block cipher systems in Luigi Sacco, Manuale di crittogra~,2e editionriwduta e aumenta, protecting and authenticating messages sent over networks with asyn- Rome,Italy 1936. (Translations,French-Manuel deCryptographie, chronous and full duplex line protocols. from 3rd Italian edition by J. Bres, reviewed by the author with a pre- face by R.Leger, Paris, France:Payot, 1951; English-Manual of Richard R. Keys and Eric H. Clamons,“Security architecture using Cryptography. Laguna Hills, CA: Aegean Park Press, 1977.) encryption,”in Approaches to Privacy and Security in Computer Thiswork is noted for being particularlyreadable. It issimilar in Systems (Proceedings of aconference held atthe National Bureau scope to Eyraud or Friedman, but slightly earlier in date. of Standards), pp. 37-41, Mar. 4-5, 1974. Abraham Sinkov, Elementary Cryptanalystq, AMathematical Approach. Richard R. Keys and Eric H. Clamons, “File encryption as a security New York: Random House, New Mathematical Library no. 22, 1968. tool,” Honeywell Comput. J., vol. 8, no. 2, pp. 90-93, 1974. (Now published by the Mathematical Association of America). “Design alternatives for computer network security,” National Bureau This is the best elementary cryptanalysis book available. of Standards, Special Publication 500-21, vol. 1, Jan. 1978. “The network security center: A system level approach to computer F. Cryptanalysis security,” National Bureauof Standards, Special Publication 500-21, Don Coppersmith and Edna Grossman, “Generators for certain alternat- vol. Jan. 1978. ing groups with applications to cryptography,” SZAM J. Appl. Mathe., Pierre E. Schmid, “Review of ciphering methods to achieve communi- Vol. 29, pp. 624-627, Dec. 1975. cationsecurity in datatransmission networks,” in Roc. Znt. Zurich This paper examinesthe family of permutations generated by schemes Seminar on Digital Communication?, Mar. 11, 1976. which are in some ways a generalization and in other ways a specializa- tion of the method used in the IBM Lucifer family of ciphers. J. L. Smith, W. A. Notz, and P.R. heck, “An experimental applicationof cryptography to aremotely accessed datasystem,” in Proc. Daniel JamesEdwards, “OCAS-On-Line Cryptanalytic Aid System” ACMNat. Conf. (Boston, MA), pp. 282-297, Aug. 14-16,1972. M.I.T. Project MAC Tech. Rep. 27, May 1966. A description of the construction of an experimental system using A primitive systemfor computer aidedcryptanalysis, including a Lucifer to communicate with an IBM 360/67 timesharing system. language with integer arithmetic and strings over defmable alphabets. Routines to fiid the period of a polyalphabetic cipher, do frequency C. Authentication counts, and locate repeated sequences are shown, but not built in. Horst Feistel, “A surveyof problems and systems in authenticated EdnaGrossman, “Group theoretic remarks on cryptographic systems communication and control,” M.I.T. Lincoln Lab., May 20, 1958. based on two types of addition,” IBM T. J. Watson Research Center, Yorktown Heights, NY, RC 4742, Feb. 26, 1974. Roger M. Needham andMichael D. Schroeder, “Using encryption for This paperdetermines the class oftransformations generated by a authentication in large networks of computers,” Commun. ACM, vol. system which alternates addition mod 2 with addition mod 2”. 21, pp. 993-999, Dec. 1978. Edwin L. Key, “An Analysis of the structure and complexity of non- Walter R. Widmer,“Message authentication, a special identification linear binary sequence generators,” ZEEE Trans. Znfonn. Theory, vol. requirement in one-way digital data transmission,” in Proc. Znt. Zurich IT-22, pp. 732-736, NOV.1976. Seminar on Digital Communications, Mar. 1 1, 197 6. K. Kjeldsen, “On the cycle structure of a set of nonlinear shift registers D. Bibliographies withsymmetric feedback functions,” J. CombinatorialTheory (A), VOl. 2, pp. 154-169, 1976. JohnArthur Scherf, “Computer anddata security: A comprehensive Robert Morris, “The Hagelin ciphermachine (M-209), reconstruction annotated bibliography,” M.I.T. Project MAC, Tech. Rep. 122, Jan. of the internal settings,”Cryptology, to appear. 1974. Cryptanalysis of the M-209 with known plaintext. Thisbibliography is less comprehensive oncryptography than the present one, but its extensive coverage of other aspects of computer Steven C. Pohlig and Martin E. Hellman, “An improved algorithm for security will be of use to those interestedin applications of cryptography. computinglogarithms in GF(p) and its cryptographicsignificance,” David Schulman, AnAnnotated Bibliography of Cryptography. New ZEEE Tram. Information Tlteory, vol. IT-24, pp. 106-110, Jan. 1978. A discussion of a cryptographic system with a high degree of mathe- York: Garland Publishing, 1976. This bibliography has almost no overlapwith thepresent one.It matical structure and simplicity. offers the most extensive coverage of the classical literature available. James Reeds, Dennis Ritchie, and Robert Morris, “The Hagelin cipher machine (M-209), cryptanalysis fromciphertext alone,” Cryptologia, E. Classical to appear. Cryptanalysis of the M-209 from ciphertext only. Wayne G. Barker, Cryptanalysis of the Hagelin Cryptograph. Lagum Hills, CA: Aegean Park Press, 1977. Bryant Tuckerman, “A study of the Vigenere-Vemam single and mut- tiple loop encipheringsystems,” IBM T. J. WatsonResearch Center, CharlesEyraud, Precis deCryptographie Moderne, Paris, France: Yorktown Heights, NY, RC 2879, May 14, 1970. Editions Raoul Tari, 1st ed., 1953; 2nd ed., 1959. Tuckerman develops cryptanalytic techniquesfor solving these ciphers This is the most recent major public treatise on cryptanalysis, and from either rather small amounts of matched plaintext and ciphertext as such touches on some relatively modem devices such as the Hagelin or larger amounts of pure ciphertext. machine which are omitted in earlier works. Bryant Tuckerman,“Solution of a substitution-fractionation- W~mFrederick Friedman, Military Cryptanolysis, Washington, DC: transpositioncipher,” IBM T. J. WatsonResearch Center,Yorktown U.S. Government Printing Office, 1944. 4 volumes, I-Monoalphabetlc Heights, NY, RC 4537, Sept. 21, 1973. Substitution Systems. II-Simpler Varieties of Polyalphabetic Substitu- Solutionof a cipher which is similar to one round of the system tion Systems, 111-Aperiodic Substitutions, IV-Transposition Systems. shown in Fig. 10. This is the most detailed course in cryptography which has slipped into public hands, and one of themost readable. Although out of print, it is available in several major libraries. G. Data Encryption Standard Helen F. Gaines, Cryptanalysis, A Study of Ciphers and Their Solution. Dennis K. Branstad,Jason Gait, and Stuart Katzke,“Report of the New York: Dover, 1956. workshop on cryptography in support of computer security,” National This is the mostreadily available work on cryptanalysis, and gives Bureau of Standards, NBS IR 77-1291, 21-22 Sept. 1976. extensive coverage of classical systems. Herbert S. Bright and Richard L. Enison, “Cryptography using modular Solomon Kullback, Statistical Methods in Cryptanalysis Laguna Hills, softwareelements,” in hoc. Nar. ComputerConf. (NewYork, NY), CA: Aegean Park Press, 1976. pp. 113-123, June 7-10, 1976. This reprint of a 1938 paper is an extensive exposition of the use of This paper describes the implementation and testing of the DES on correlation in cryptanalysis. several computers. HansRohrbach, “Mathematbche und mschinelle Methoden biem WhitfieldDiffle and Martin E. Hellman, “Exhaustive cryptanalysis of chiffiierenund dechiffiieren,” Fiat Review of GermanScience, the NBS dataencryption standard,” Computer, vol. 10, no. 6, pp. 1939-1 946 Applied Mathematics, -Part I, Article IX. Office of Military 74-84, June 1977. 424 PROCEEDINGSIEEE, OF THE VOL. 67, NO. 3, MARCH 1979

This paper gives a detailed cost estimate for the construction of a J. Historical highly parallel special purpose computer tobreak the DES in one day. Linda Flato, “NSA’s computer story,” Dcltamation, vol. 24, no. 3, pp. W. F. Ehrsam, S. M. Matyas, C. H. Meyer, W. L. Tuchman, “A crypto- 207-208,212, Mar. 1978. graphic key management scheme for implementing the data encryption standard,” IBMSyst. J.,vol. 17,110. 2, pp. 106-125, 1978. Bian Jones, The Secret War. New York: Methuen. 1978. Chapter 6 contains a good acount of British cryptanalysis during the Jason Gait, “Validating the correctness of hardware implementations World War 11. of the NBS data encryption standard,’’ National Bureau of Standards, Special Pub. 500-20. David Kahn, The Codebreakers, The Story of Secret Writing. New York: Macmillan. 1967. “Telecommunications: Compatibility requirements for use of the data This is the most complete history of cryptology available, containing encryption standards,” Proposed Federal Standard 1026, General %r- within its thousand pages material sufficient to reward several careful vices Administration, Oct. 13, 1977. readings. As a technical reference, it leaves much to be desired, because “Telecommunications:Security requirements for useof thedata it is concernedmore with the influence of cryptology than with its encryptionstandard,” Proposed FederalStandard 1027, General Ser- technicaldevelopment, thoughmuch of thelatter comesthrough. vices Administration, 25 Aug. 1977. Despite its nontechnical orientation, a lot can be learned from a careful study of the many details assembled. In addition, Kahn conveys a valu- M. E. Hellman, R. Merkle, R. Schroeppel, L. Washington, W. Diffie, able feel forthe subject, through theexperiences of past cryptologists. S. Pohlig, and P. Schweitzer, “Results of an initial attempt to Crypt- analyze the NBS dataencryption standard,” Electrical Engineering Herbert 0.Yardly, TheAmerican Black Chamber. Indianapolis, IN: Dep., Stanford Univ., Stanford, CA, SEL 76-042, (available from Bobbs-Merrill, 1931. NTIS), Sept. 9, 1976. This volume gives an excellent feeling for the flavor of cryptanalysis. Donald L. Heatonand Howard 0. Wright,“LSI implementation of the proposeddata encryption standard,” presented at the Nat. Com- K. Homophonic Systems puter Conf., New York, NY, June 7-10, 1976, and circulated but not included in the proceedings. Wesley W. Chu and Charlie Neat, “A new computer cryptography: The A detailed description of the Collins implementation of DES on a expandedcharacter set (ECS) cipher,” Advances in ComputerCom- chip. munimtions (Sect. XIII-Computer Communications Security) Dedham, MA: Artech House, 1976. DavidKahn, “Tappingcomputers,” NewYork Times, p. 27 (op. ed.), Apr. 3, 1976. Fred A. Stahl, “A homophonic cipher for computational cryptography” in Roc. Nut. ComputerConf. (NewYork, NY),pp. 565-568, June GinaBari Kolata, “Computerencryption and the National Security 4-8, 1973. Agency, connection,”Science vol. 197, pp. 438-440, July 29, 1977. Fred A. Stahl, “On computational security,” Ph.D. dissertation, Univ. “An evaluation of the NBS data encryption standard,” Lexar Corpora- Illinois, Urbana, Rep. R-637, UILU-ENG 73-2241, Jan. 1974. tion, Los Angeles, CA, Sept. 1976. This report is remarkably similar tothe above report ofHellman et al. L. Information Theoretic Papers Robert Morris, N. J. A. Sloane,and A. D. Wyner,“Assessment of Aydano 8. Carleial and Martin E. Hellman, “A note on Wyner’s wiretap the National Bureau ofStandards proposed federal data encryption channel,” ZEEE Trans. Information Theory, vol. IT-23, pp. 387-390, standard,’’ Cryptologia, vol. 1, pp. 281-291, July 1977. May 1977. This paperpresents a slight generalization ofWyner’s results on “Dataencryption standard,” National Bureau ofStandards, Federal wiretapchannels and suggests a way to quantify Shannon’s concept Information Processing Standard(FIPS) Publication No. 46, Jan. of cryptographic diffusion. 1977. E.N. Gilbert, F. J. MacWilliams, and N. J. A. Sloane, “Codes which “Report of the 1976 workshop on estimationof significant advances in detectdeception,” Bell Syst.Tech. J., vol. 53, pp. 405-424, Mar. computer technology,” held at the National Bureau of Standards, Aug. 1974. 30-31, 1976. This workshopconcluded that exhaustivesearch of DESwas in- Thispaper considers an interesting authentication problem which arises in monitoring a nuclear test ban treaty. The problem is closely feasible untilat least 1990, indisagreement withthe conclusions of the present authors. related to digital signatures, which werenot yet known. Ingemar Ingemamson,“Analysis ofsecret functions with application “Guidelines forimplementing and using the NBS dataencryption standard,’’ National Bureau of Standards (draft), Nov. 10, 1975. to computer cryptography,” in Proc. Nut. Computer Conf. (New York, NY), pp. 125-127, June 7-10,1976. “Computer security and the data encryptionstandard,” NationalBureau S. K. Leung-Yan-Cheong and Martin E. Hellman, “The Gaussian wire- of Standards, Special Pub. 500-7, Feb. 15, 1978. tap channel,” ZEEE Tmns. Inform. Theory, vol. IT-24, pp. 451-456, E. Stephan,“Communication standards for usingDES,” in Roc. Sept. 1978. COMPCON, Sept. 8, 1978. C. E.Shannon, “Communication theory ofsecrecy systems,” Bell David J.Sykes, “Implementation of the NBS encryptionstandard,” Syst. Tech. J., vol. 28,pp. 656-715,Oct. 1949. presentedat the 1977 HoneywellComputer Security and Privacy This is a classic paperin which Shannon develops the information Symp., Apr. 19-20, 1977. theoreticfoundation for classical cryptanalysis,characterizes the W.L. Tuchman,“Efficacy of DES indata processing,” in Roc. systemswhich are unbreakablefor information theoretic reasons, COMPCON, Sept. 78. and outlines the construction of product ciphers. Edward K. Yasaki, “Encryptionalgorithm: Keysize is the thing,” AaronWyner, “The wiretap channel,” Bell Syst.Tech. J., vol. 54, pp. 1355-1387, OCt. 1975. Damnation, vol. 22, no. 3, pp. 164, 166, Mar. 1976. This paper evaluates the rate at which information can be conveyed to a legitimatereceiver and kept secret from a wiretapperwhose channel H, EncyclopediaArticles is noisier, introducing a new concept to both cryptography and information theory. Lambros D. Callimahos,“Cryptography,” ColliersEncyclopedia VOl. 7, Pp. 513-530, 1973. M. Key Distribution Lambros D. Callimahos, “Cryptology,” Encyclopedia Britanica, 15th ed., Macropaedia, vol. 5, pp. 322-333, 1976. S. M. Matyas and C. H. Meyer, “Generation, distribution, and installa- William FrederickFriedman, “Cryptology,” Encyclopedia Britanica, tion of cryptographic keys,” IBM Syst. J., vol. 17, no. 2, pp. 126-137, vol. 6 pp. 844-851, 1967. 1978. David Kahn, ‘‘Cryptology,” Encyclopedia AmericUM, vol. 8, pp. 276- M. Sendrow, “Key management inE. F. T. environments,” in Proc. 285,1976. COMPCON, Sept. a, 1978. I. Glossaries N. Miscellaneous David Kahn, PIointext in the New Unabridged: An Examination of the Whitfield Diffie, Data Security for EFT and Automated Business. San Definitions on Cryprologyin Webstem Third New IntemationaIDiction- Jose, CA: SBS Publishing, 1978. ary. Section 2 of Handbook of Cryptography. New York:Crypto Prognosis for the development and business applications of communi- Press, 1963. cation security over the next twenty years, followed by technical and A ND HELLMAN: AN INTRODUCTION AN HELLMAN: DIFFIE AND CRYPTOGRAPHY TO 425 businessadvice forcompanies interested in making cryptographic Q. Surveys products or employing cryptographic security. M. B. Girsdansky,“Cryptology, the computer and data privacy” Whitfield Diffie,“The outlookfor computer security,” Mini-MjCro Compu. Automation,vol. 21, no. 4, pp. 12-1 9, Apr. 1972. Syst., vol. 2, no. 9, pp. 42-44, Oct. 1978. This article gives an overview of cryptographic work atIBM, including Fairly accurate brief summary of the above. a discussion of the weakness of linear feedback shift registers, Tucker- Solomon W. Golomb, ShiftRegister Sequences. SanFrancisco, CA: man’s attack on the Vigenere-Vernam systems, and Lucifer. Holden-Day, Inc., 1967. G. E. Mellon, “Computers, cryptography and common sense,” in Proc. Shift registers are one of the best studied approaches to the genera- Nut. Computer Conf. (New York, NY), pp. 569-579, June 4-8, 1973. tion of pseudorandom sequences. This volume discusses the random- A rather pessimistic survey of the application of cryptography. ness characteristics of sequences from both linear and nonlinear shift registers. Rein Turn, “Privacy transformationsfor data banks” in Roc. Nut. Computer Conf. (New York, NY), pp. 589-600, June 64,1973). James Clinton Halsey, “Finite automata admitting inverses with some Surveyof thefundamentals of cryptographywith a view to data applications to cryptography,” Ph.D. dissertation, Dep. Mathematics, bank applications. North Carolina State Univ., Raleigh, 1970. John B. Kam and George I. Davida, “Astructured designof substitution- R. System Design and Implementation permutationencyrption network,” in R. A. De Millo, D. P. Doblin, A. K. Jones, and R. J. Lipton, &., Foundations of Secure Computa- G. GordonBenedict, “An encipheringmodule formultics,” M.I.T. tion. New York: Academic Press, 1978. Project MAC, Tech. Memo. 50, July 1974. Designof complete S-P networks (every outputdepends on every This mastersthesis describes thecomputer implementation of the input) given complete S-boxes. IBM Lucifer system as described by Smith. Paul Kinnucan,“Data encryption gurus: Tuchman and Meyer,” I. M. Carroll and P. M. McLelland, “Fast‘Infinite-key’ privacy trans- Mini-Micro Syst., vol. 2, no. 9, pp. 54, 56-58, 60, Oct. 1978. formation for resource sharing systems,” in Roc. Fall Joint Computer History of DES from the IBM point of view. Conf. (Houston, TX), pp. 223-230, NOV.17-19,1970. R. E. Lennon, “Cryptography architecture for information security,” Thispaper describes a stream cipher based on an additiverandom number generator. ZBMSyst. J.,vol. 17, no. 2, pp. 138-150, 1978. Carl H. Meyer, “Design considerations for cryptography,” in Roc Nut. Arthur Evans Jr., William Kantrowitz,and Edwin Weiss, “A user Computer Conf. (New York, NY), pp. 603-606, June 44,1973. authentication system not requiring secrecyin the computer,” Com- mun. ACM,vol. 17, pp. 437-442, Aug. 1974. Carl H. Meyer and Walter L. Tuchman,“Putting data encryption to This paperdescribes a oneway function obtained byusing atrans- work,”Mini-Micro Syst., vol. 2, no. 9, pp. 46,48-50, 52, Oct. 1978. formation similar to the IBM Lucifer system and using the argument Stephen Carl PohIig, “Algebraic and combinatoric aspects of cryptogra- as both input and key. phy,” Ph.D. dissertation, ElectricalEngineering Dep., Stanford Univ., HorstFeistel, “Cryptographic coding for data-bankprivacy,” IBM Stanford, CA, SEL-77-038, Oct. 1977. T. J. WatsonResearch Center,Yorktown Heights, NY, RC-2827, Mar. 18, 1970. 0. Popular HorstFeistel, William A. Notz,and J. LynnSmith, “Somecrypto- Horst Feistel, “Cryptography and computer privacy,” Scientific Amer., graphic techniquesfor machine to machinedata communications,” vol. 228, no. 5, pp. 15-23, May 1973. Proc. IEEE,vol. 63, pp. 1545-1554, NOV.1975. This article gives the most readable account of the operation of the These two papersdescribe various ways ofbuilding blockcipher IBM Lucifer cipher. systemsand shows their application to avariety ofprivacy and authentication problems in computer systems and networks. David Kahn, “Modem cryptology,” Scientific Amer., vol. 215, no. 1, pp. 38-46, July 1966. Philip R.Geffe, “How to protectdata with ciphers that are really This article presents a superficial discussion of cryptology in roughly hard to break,”Efectronics, vol. 46, no. 1, pp. 99-101, 4 Jan. 1973. the WorldWar I1 period. Rotor and Hagelin machines are mentioned, A scheme forconstructing a keystream byusing a linear random alongwith a discussionof one time pads, butneither mathematical number generator to select bits alternately from the streams produced techniques in cryptanalysis nor the use of computers are covered. by two other linear random number generators. GinaBari Kolata,“Cryptography: On the brink of arevolution?” Marvin Perlman, “Generation of key in cryptographic system for secure Science, vol. 197, pp. 747-748, Aug. 19, 1977. communications,” NASA Technical Brief 75-10278, Feb. 1976. Discussion of some nonlinear shift registers with known periods. P. Public Keys Vera Pless, “Encryption schemes for computer confidentiality,” ZEEE WhitfieldDiffie and Martin E. HeIlman,“Multiuser cryptographic Trans. Computers, vol. C-26, pp. 1133-1 136, Nov. 1977. techniques,”in Roc. Nut. ComputerConf. (New York, NY), June An interesting discussionof the use of J-K flipflop networks to 7-10, 1976. produce maximal period keying sequences. This paperdescribes two approaches to supplyingsecure fust con- George B. Purdy, “A high security log-in procedure,” Commun. ACM, tactbetween users of a computer network, without sending keys VOI. 17, pp. 442-445, AUg. 1974. along outside channels, and some related problems. This paper studies the use of a polynomial of very high degree over a WhitfieldDiftie andMartin HeIlman, “Newdirections in cryptog- finite field as a one-way function. This function has subsequently been E. used to protect thepasswords on the BBN TENEX system. raphy,” ZEEE Trans. Inform.Theory, vol. IT-22, pp. 644-654, Nov. 1976. R. 0.Skatrud, “A consideration of the application of cryptographic This paperexamines several new possibilities m cryptography: techniques to data processing,” in Roc. Fall Joint Computer Conf. (Las systemswhich require no priorkey channel, unforgeable digital Vegas, NV), pp. 111-1 17, Nov. 18-20, 1969. signatures, and the use of complexity theory to study the security of Describes two systems: a substitution system similar to a double loop cryptographic systems. Vigenere, and a matrix transposition system. Ralph Merkle, “Securecommunication over insecurechannels,” I. Lynn Smith, “The design of Lucifer, a cryptographic device for data Commun. ACM,vol. 21, pp. 294-299, Apr. 1978. communications,” IBMT. J. WatsonResearch Center,Yorktown This paper introduced the concept of public key distribution inde- Heights, NY, RC 3326, Apr. 15, 1971. pendently of Diffie and Hellman. This workingpaper gives adetailed discussionof thefunctioning, Michael 0. Rabin, “Digitalized signatures and public-key functions as hardware design, and costs of the IBM Lucifer system. intractable as factorization,” submitted to Commun ACM I. Lynn Smith, “Hardware implementation of a cryptographic system,” A variation of the RSA scheme with E = 2 is shown to have crypt- IBM Tech. Disclosure BulL,vol. 13, pp. 1004-1008, Aug. 1971. analytic difficulty equivalent to factoring. This describes theimplementation of a system different from the Ronald L. Rivest, Adi Shamir, and L. Adleman, “On digital signatures above. and public key cryptosystems,” Commun. ACM, vol. 21, pp. 120-126, Feb. 1978. This paperdescribes a public key cryptosystem based on exponentiation in modular arithmetic. REFERENCES Gustavus J. Simmons and Michael J. Nod,“Preliminary comments on [ 11 I. Squires, “Russ monitor of U.S. phones,” Chicago Tribune pp. the M.I.T. public key cryptosystem,” Cryptologia, vol. 1, pp. 406-414, 123, June 25,1975. Oct. 1977. 121 R. Davis, “Remediessought to defeat Soviet eavesdropping on 426 PROCEEDINGSIEEE, OF THE VOL. 67, NO. 3, MARCH 1979

microwave links,”Microwave Syst., vol. 8, no. 6, pp. 17-20, June linear binary sequence generators,” IEEE Tmns. Inform. Theory, 1978. VOI. IT-22, pp. 732-736, NOV. 1976. [ 31 Supplementary Detailed Staff Reports on Intelligence Activities [36] N. J. A. Sloane, A Handbook of Integer Sequences. New York: and the Rights of Americans, Final Report of the United States Academic Press, 1973. Senate Select Committee toStudy GovernmentalOperations [37] J. L. Massey, “Feedbackshift register synthesisand BCH de- with Respect to Intelligence Activities, Report No. 94-755, Book coding,’’ IEEE Trans. Inform. Theory, vol. IT-15, pp. 122-127, 3 (Washington, DC: U.S. Government Rinting Office), 1976. Jan. 1969. [4] J. L. Ranagan, Speech Analysis, Synthesis, and Perception, 2nd [ 381 E. R. Berlekamp, Afgebmic Coding Theory. New York: McGraw- ed. Berlin; Germany: Springer-Verlag, 1972. Hill, 1968. [ 51 D. Raj Reddy, Speech Recognition. New York: Academic Press, [39] L. S. Hill, “Cryptographyin an algebraic alphabet,” Amer. 1975. Math. Mondhly,vol. 36, pp. 306-312, June-July 1929. [ 61 Proc. IEEE, Special Isrue on Packet Communication Networks, [40] H. Feistel,“Cryptographic coding for data-bank privacy,” IBM Nov. 1978. T. J. Watson Research Center, Yorktown Heights, NY, RC-2827, [7] Data Encryption Stan&rd. National Bureauof Standards, Mar. 18,1970. Federal Information Processing Standard (FIPS) Publication no. [41] -, “Cryptographyand computer privacy,” ScientificAmer., 46, Jan. 1977. vol. 228,no. 5, pp. 15-23, May 1973. [8] W. Diffie and M. E. Hellman,“Exhaustive cryptanalysis of the [42] H. Feistel, W. A. Notz, and J. L. Smith, “Somecryptographic NBS data encryption standard,” Computer, vol. 10, no. 6, pp. techniques for machine to machinedata communications,” 74-84, June 1977. Proc. IEEE, VOI. 63, pp. 1545-1554, NOV. 1975. [9] W. L. Tuchman, ‘‘Efficacy of DES in data processing,” in Proc. [43] J. L. Smith, “The design of Lucifer, a cryptographic device. for COMPCON, Sept. 1978. datacommunications,” IBM T. J. Watson ResearchCenter, [lo] C.E. Shannon,“Communication theory of secrecy systems,” Yorktown Heights, NY, RC 3326, Apr. 15, 1971. BeUSyst. Tech. J.,vol. 28, pp. 656-715, Oct. 1949. [44] J. L. Smith, W. A. Notz,and P. R.Osseck, “An experimental [ 111 W. F. Friedman, “Cryptology,” Encyclopedia Britanica, vol. 6, application of cryptography to a remotely accessed data system,” pp. 844-851, 1967. in Roc. ACM Conf.,pp. 282497,1972. [12] M. E. Hellman, “An extension of the Shannon theory approach [45] M. E. Hellman,R. Merkle, R. Schroeppel, L. Washington, W. to cryptography,” ZEEE Trans. Inform. Theory, vol. IT-23, pp. Diffie, S. Pohlig, and P. Schweitzer, “Results of an initial attempt 289-294, May 1977. to cryptanalyzethe NBS dataencryption standard,” Electrical [ 131 C.E. Shannon,“Prediction and entropy of printed English,” Engineering Dep., Stanford Univ. SEL 76-042 (available from BellSyst. Tech. J.,vol. 30, pp. 50-64, Jan. 1951. NTIS), Sept. 9, 1976. [ 141 T. M. Cover and R.C. King, “A convergent gambling estimate ..1461 D. K. Branstad, J. Gait, and S. Katzke, “Report of the workshop of the entropy of English,” IEEE Trans. Inform.Theory, vol. on cryptographyin support of computersecurity,” National IT-24, Pp. 413-421, AUg. 1978. Bureau of Standards Rep. NBSIR 77-1291, 21-22 Sept. 1976. [ 15 1 W. Diffie and M. E. Hellman, “New directions in cryptography,” [47) E. K. Yasaki, “Encryptionalgorithm: Keysize is the thing,” IEEE TM~.Inform. Theory, vol. IT-22,pp. 644-654, Nov. Datamation, vol. 22, no. 3, pp. 164, 166, Mar. 1976. 1976. [48] D. Kahn, “Tapping computers,” New York Times, p. 27, Apr. 3, [16] R. Merkle, “Securecommunication overinsecure channels,” 1976. Commun. ACM, pp. 294-299, Apr. 1978. [49] G. B. Kolata,“Computer encryption and the National Security [ 171 R. L. Rivest, A. Shamir, and L. Adleman, “On digital signatures Agency connectionscience,” vol. 197, pp. 438-440, July 29, and public key cryptosystems,” Commun.ACM, vol. 21 no. 2, 1977. pp. 120-126, Feb. 1978. [SO] Unclassified summary: Involvement of NSA in the Development 1181-- R. C. Merkle and M. E. Hellman, “Hiding informationand sig- of the Data Encryption Standard, Senate Committee on Intelli- natures in trap door knapsacks,” IEEE Trans. Inform. Theory, gence, 1978. vol. IT-24, pp. 525-530, Sept. 1978. [ 5 11 F. Faggin, “The role of technology in microcomputer design and [19] R. J. McEliece, “A public key cryptosystem based on algebraic evolution,” IEEE Trans. Circuits Sysi., vol. CAS7, pp. 4-13, coding theory,” JPL DSN Progress Report 42-44, pp. 114-116, Feb. 1975. Jan.-Feb. 1978. [52] -, “Microprocessor technology:Yesterday, today and tomor- [ZO] A. Sinkov, Elementary Cryptanalysis, A Mathematical Approach. row,’’ EDN, Nov. 20,1975. New York: Random House, New Mathematical Library, no. 22, I531 “Pentagon to fund major IC program,” Electronics, pp. 81-82, 1968. Sept. 14, 1978. [21] H. F. Gaines, Cryptamlysis, A Study of Ciphers and their Solu- [ 541 “VHSI proposal finds willing audience,” Electronics, pp. 89-90, tion. New York: Dover Publications, 1956. Sept. 28, 1978. [ZZ] W. F. Friedman, MilitaryCryptanalysis. WashingtonDC: US. [SS] W.L. Tuchman, Talk presented atthe Nat. Computer Conf., Government Printing Office, 1944. Anaheim, CA, June 1978. [23] D. Kahn, The Codebreakers, The Story of Secret Writing. New [56] E. R. Brunner,“Efficient speech scrambling: An economic York: Macmillan, 1967. solution to the secure voice communication problem,” in Rec. [24] Tuckerman, “A study of thevigenere-Vernamsingle and multiple Int. Conf. Communications Equipment and Systems (Brighton, loop enciphering systems,” IBM T. J. WatsonResearch Center, Sussex, London, England), pp. 336-339, June 8-1 1,1976. Yorktown Heights, NY, RC 2879, May 14,1970. [ 571 K. H. Kirchhofer, “Secure voice communication-Cryptophony,” [25] W. F. Friedman, Methods for theSohttion of Running-Key Int. LlefenseRev.. vol. 9. OD. 761-767. Mav 1976. Ciphers. Geneva, IL:Riverbank Laboratories, Department of [58] A. M. McCalmont, “Voiceprivacy (scrambling)for mme effec- Ciphers Publication no. 16, 1918. tivecommunications: Techniques, systems, and operations,” [26] R. Morris, “The Hagelin cipher machine (M-209), reconstruction Technical CommunicationsCorp., Jan. 1973. of the internal settings,” Cryptologio, to appear. [59] B. Gold, “Digital speechnetworks,” Proc. IEEE, vol. 65, pp. [27] J. Reeds, D. Ritchie, and R. Morris, “The Hagelin cipher machine 1636-1638, Dec. 1977. (M-209), cryptanalysis fromciphertext alone,” Cryptologia, to [60] S. C.Pohlig and M. E. HeIlman, “An improvedalgorithm for appear. computinglogarithms in GF(p) andits cryptographic signifi- [Z8] W. G. Barker, Cryptanalysis of the Hagelin Cryptograph. Laguna cance,” IEEE Tmns. Inform. Theory, vol.IT-24, pp. 106-111, Hills, CA: Aegean Park Press 1977. Jan. 1978. [29] S. C. Pow, “Algebraic and combinatoric aspects of cryptogra- I611 D. E. Knuth, The Artof Computer Programming. Reading, phy,” Ph.D. dissertation,Electrical Engineering Dep., Stanford MA: Addison-Wesley, 1969. Univ., SEL-77-038, Oct. 1977. [62] G. J. Simmons and M. J. Norris, ”Rebinary comments on the (301 S. W. Golomb, ShiftRgister Sequences. San Francisco, CA: M.I.T. public key cryptosydem,” Cryptologia, vol. 1, pp. 406- Holden-Day, 1967. 414, Oct. 1977. [31] W.W. Peterson and E. J. Weldon, Error Correcting Codes, Second (631 R. L. Rivest, “Remarks on aproposed cryptanalytic attack on Edition,Cambridge, MA: M.I.T. Press, 1972. the MIT public key cryptosystem,” Cryptologia, vol. 2, no. 1, [32] R. C. Tausworthe, “Random numbers generated by linear recur- pp. 62-65, Jan. 1978. rence modulo two,” Math. Computation, vol. 19, pp. 201-209, [64] A. Shamir, “A fastsignature scheme,” MIT/LCS/TM-107, July 1965. 1978. [33] E. J. Watson, “Primitive polynomials (mod 2),”Math. Computa- (651 H. S. Stone, Discrete Mathematical Structures. Chicago, IL: tion,vol. 16, pp. 368-369, 1962. Science Research hoc., 1973. 1341 E. J. Groth, “Generationof binary sequences with controllable I661 E. Parzen, Modem Probability Theory and ItsApplications. complexity,” IEEE lYans. Inform. Theory, vol. IT-17, pp. 288- New York: Wdey, 1960. 296, May 1971. [67] R.G. GaJlager, InformationTheory and ReliobZe Communica- [35) E. L. Key, “An analysis of the structure and complexity of non- tion. New York: Wiley, 1968. PROCEEDINGS OF THE IEEE, VOL. 67, NO. 3, MARCH 1979 427

1681 D. Branstad, “Encryptionprotection in computerdata com- [ 741 J. H. Saltzer and M. D. Schroeder, “The protectionof information munications,” in Roc. 4th Data Communications symp. (Quebec in computer systems,”Ptoc. ZEEE, vol. 63,pp. 1278-1308, Sept. City, Canada), Oct.7-9, 1975. 1975. [69] W. Diffie and M. E. Hellman,“Multiuser cryptographic tech- (751 L. J. Hoffman, ModemMethods for ComputerSecurity and niques,’’ in hoc. Nat.Computer Conx (New York, NY), June mvacy.Englewood Cliffs, NJ: Rentice-Hall 1977. 7-10, 1976. [ 70) “Telecommunications: Compatibility requirements for use of the [76] J. A. Scherf, Computer and Data Security:A Comprehensive dataencryption standard,” Roposed Federal Standard 1026, AnnotatedBibliography, M.I.T. Project MAC,MAC TR-122, General Services Administration, Oct. 13, 1977. Jan. 1974. [71] S. Lin, Error Correcting Codes. Englewood Cliffs, NJ: Prentice- [77] G. B. Purdy, “A high security loginprocedure,” Commun. Hall, 1970. ACM, vol. 17,pp. 442-445,AUK. 1974. [ 72 1 “Telecommunications: Security requirements for u8e of the data encryption standard,” Roposed Federal Standard General (781 A. Evans, Jr., W. Kantrowitz, and E. We&, “A user authentica- 1027, tion system not requiringsecrecy the computer,” Commun. Services Administration, AUK.25, 1971. in [73] R. A. De Millo, D. P. Dobkin, A. K. Jones, and R. I. Lipton, Eds., ACM, VO~.17,PP.437-442, AUK. 1974. Foundations of Secure Computation. New York:Academic [79] Desipn AItemativesforCompurer Network Security. NBS Special Ress, 1978. Publ. 500-21, vols., 2 Jan. 1978.

Contributors

Berthdd G. Bosch (”64-SM’67) was born in BNR, Inc., where he is responsiile for research on computer and com- Bonn,Germany, on May 30, 1930. He re- munications security. ceived the DipL-Ing. degree in electrical engineering fromAachen Technical University, Germany, in 1956, the Ph.D. degree from Southampton University,England, m 1960, theHabilitation from Karlmhe University, Germany, in 1969, and the D.Sc. degree from Southampton UMtyin 1976. Martin E. Hellman (s’63-hf69-Shf78) received From 1956 to 1957, he held anAEG Fore@ the B.E. degreefrom New YorkUniversity, Scholarship atthe Electronics Deparhnent of New York, NY, in 1966, the MS. and Ph.D. theUniversity ofSouthampton. During 1958-1960, as a Research degreesfrom Stanford University,Stanford, Assistant at the same department, he was engaged in work on mime CA, in 1967 and 1969, respectively, all in elec- wave-tubenoise. From 1960 to 1972, he was with AEGTelefunken, trical engineering. Ulm, Germany, where he occupied various posts in the Tube Works Currently,he is an AssociateProfessor of and in the Research Institute, eventuaIly becoming Head of the Elec- ElectricalEngineering atStanford University, tronics Department in the latter institution. During that time, he car- doingresear& in cryptography,information ried out and was responsible for work on microwave tubes, parametric theory, and communication theory. He is also ampMks, microwave semiconductors, and highsate PCM circuitry. acting as Associate Department Chainnan during In 1969, he was made an Adjunct Staff Member mat-Dozent) in the 1977-1979. He was an Assistant Professor at Massachusetts Institute of Faculty of Electrical Engineering of Karlsruhe University, and m 1972, Technology Cambridge, from 1969 to 1971, and on the Staff of IBM he became Professor of Electronics at the Ruhr-University, Bochum, T. J. Watson Research Center, Yorktown Heights, NY, from 1968 to Germauy, and simultaneously Joint Director of the Institute of El- 1969. He is the author of over thirty publications. tronics. During the academic year 1973-1974, he served as Dean of Dr. Hellman is a member of the Information Theory Group’s Board the Facultyof Electrical Engineering. His presentresearch interests of Governors and was an Associate Editor of the IEEE Transactions on include devices and integrated circuits for high-speed electronics, inte Communications. grated optics, and optical communications. He is coauthor (together with R. W. H. Engelmann) of Gunn-EffectElectronics. Dr. Bosch was awarded the A.F.-Bulgin Premium of the British IRE in * 1962 (jointly with W. A. Gambling), and in 1969, he received the An- nual Prize of the Nachrichtentechnische Gesellschaft. He is a member of Verband Deutscher Elektrotechniker, DeutschePhysikalische Gesell- schaft, and of the Administrative Committee of the European Society Geoffrey H. C. New was born in Shrewsbury, for Engineering Education. England, in 1942. He received the B.A. and DPhil. degrees in physics at Oxford University, Oxford, England, in1964 and 1967 respectively. * From 1967 untilSeptember 1973 he was a Lecturer at Queen’s University, Belfast, North- Whitfiid Diffie (”77) received the B.S. degree ernIreland, U.K., and hasrecently moved to in mathematics from Massachusetts Institute of a lectureship at Imperial College, London Uni- Technology, Cambridge, in 1965. v&ty where he is presently a Reader in Non- Subsequently, he worked on symbolic mathe- linear Optics. For his graduate work at Oxford, matical manipulation at the Mitre Corporation he conducted experiments both on optical rec- in Bedford, MA, and proof of program correct- tification and on third-harmonic generation in gases which was tint ob- ness at the Stanford Artificial Intelligence Lab- served at that time. In Belfast, he took part in a research program deal- oratory, Stanford, CA. More recently, he was a ing with various aspects of the generation,measurement, and properties

~ graduate student in the Department of Electrical of ultrashort light pulses. His recent work has been concerned with the Engineering of Stanford University,Stanford, theory of mod&ocking in various types of laser and with the theory of ’ Ck He is a member of theScientific Staff of twephoton resonant ftequencymixing processes.