Cryptography: Lecture Notes in Computer Science 0387119930, 9780387119939


English Pages 402 [386] Year 1983


Table of contents:
Cryptography
Preface
Contents
Introduction
Cryptology - Methods and Maxims
Mechanical Cryptographic Devices
Cryptanalysis of a Kryha Machine
ENIGMA Variations
Encrypting by Random Rotations
Analogue Speech Security Systems
A Voice Scrambling System for Testing and Demonstration
The Rating of Understanding in Secure Voice Communications Systems
Analysis of Multiple Access Channel Using Multiple Level FSK
Analog Scrambling by the General Fast Fourier Transform
Stream Ciphers
Multiplexed Sequences: Some Properties of the Minimum Polynomial
On Using Prime Polynomials in Crypto Generators
Communication Security in Remote Controlled Computer Systems
Privacy and Data Protection in Medicine
Cryptanalysis of the Data Encryption Standard by the Method of Formal Coding
Are Big S-Boxes Best?
The Average Cycle Size of the Key Stream in Output Feedback Encipherment
Authentication Procedures
Fast Authentication in a Trapdoor-Knapsack Public Key Cryptosystem
A New Algorithm for the Solution of the Knapsack Problem
Trapdoors in Knapsack Kryptosystems
Is the RSA-Scheme Safe?
Ein Effizienzvergleich der Faktorisierungsverfahren von Morrison-Brillhart und Schroeppel (An Efficiency Comparison of the Factoring Methods of Morrison-Brillhart and Schroeppel)
Finite Semigroups and the RSA-Cryptosystem
How to Share a Secret?
List of Talks for Which No Paper Was Submitted
Bibliography
List of Participants


Lecture Notes in Computer Science Edited by G. Goos and J. Hartmanis

149

Cryptography. Proceedings of the Workshop on Cryptography, Burg Feuerstein, Germany, March 29 - April 2, 1982

Edited by Thomas Beth

Springer-Verlag Berlin Heidelberg New York 1983

Editorial Board: D. Barstow, W. Brauer, P. Brinch Hansen, D. Gries, D. Luckham, C. Moler, A. Pnueli, G. Seegmüller, J. Stoer, N. Wirth

Editor: Thomas Beth, Friedrich-Alexander-Universität Erlangen-Nürnberg, Institut für Mathematische Maschinen und Datenverarbeitung (Informatik 1), Martensstr. 3, 8520 Erlangen, FRG

Institut für Mathematische Maschinen und Datenverarbeitung

Gesellschaft für Informatik e.V. - Fachausschuß 8: Workshop on Cryptography, Burg Feuerstein, 29 March - 2 April 1982

This first European workshop on cryptography was jointly supported by the following institutions: Chair I (Prof. Dr. K. Leeb) of the Institut für Mathematische Maschinen und Datenverarbeitung (Informatik) of the Universität Erlangen-Nürnberg; Gesellschaft für Informatik e.V. (Fachausschuß 8); Deutsche Forschungsgemeinschaft.

CR Subject Classifications (1982): D.3
ISBN 3-540-11993-0 Springer-Verlag Berlin Heidelberg New York
ISBN 0-387-11993-0 Springer-Verlag New York Heidelberg Berlin

Library of Congress Cataloging in Publication Data. Main entry under title: Cryptography: proceedings, Burg Feuerstein, 1982. (Lecture notes in computer science; 149). 1. Cryptography - Congresses. I. Beth, Thomas, 1949-. II. Series. ISBN 0-387-11993-0.

This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically those of translation, reprinting, re-use of illustrations, broadcasting, reproduction by photocopying machine or similar means, and storage in data banks. Under § 54 of the German Copyright Law, where copies are made for other than private use, a fee is payable to "Verwertungsgesellschaft Wort", Munich. © by Springer-Verlag Berlin Heidelberg 1983. Printed in Germany.

Printing and binding: Beltz Offsetdruck, Hemsbach/Bergstr.

We shall later take the opportunity to examine more closely the many kinds of this concealment. Symbolism, allegory, riddles, trick puzzles and ciphering were put into practice. Apprehension toward fellow artists, charlatanry, obscurity, wit and spirit all had the same interest in exercising and asserting themselves in this way, so that the use of these arts of concealment continues very vigorously into the seventeenth century and is in part still preserved in the chanceries of the diplomats.

Goethe: Farbenlehre - Historischer Teil; from: "Lust am Geheimnis"

Preface

This book contains the proceedings of a workshop on cryptography that took place from March 29th to April 2nd, 1982, at Burg Feuerstein in the lovely surroundings of the Fränkische Schweiz near Erlangen.

Burg Feuerstein is an extensive estate run by the diocese of Bamberg. It serves many purposes, mainly of social character. Our workshop on cryptography, however, proved to be in the best tradition of these grounds, since the 'Burg' is not a genuine castle: it was built in the early 1940s as a camouflaged center for communications engineering emphasizing cryptographic research. The unintended coincidence gives a good opportunity to note the changes that cryptographic research has undergone since then. One of the most remarkable was the fact that there were 76 participants from 14 nations.

This volume contains 26 articles altogether. The introduction is an expository survey for non-specialists and places in context the other 25 papers submitted. These are grouped into 10 sections within which they are arranged with regard to content. The editor has refrained judiciously from judging the significance or consistency of all the results. Together with its rather extensive (doubly linked) bibliography the book could be used as a self-contained text. At the back of the book are a list of participants as well as a list of the talks for which no paper was submitted.

The organizer is indebted to the Deutsche Forschungsgemeinschaft and to the Gesellschaft für Informatik for supporting the conference. The advice given by H.J. Beker (Racal-Comsec, Salisbury), by H.-R. Schuchmann (Siemens-Forschungslaboratorien, München), and by N.J.A. Sloane (Bell Laboratories, Murray Hill) was of substantial help. Finally it is a pleasure to thank R. Dierstein (DFVLR Oberpfaffenhofen) for his experienced aid in organizing the workshop.

T.B.

Contents

Section 1: Introduction, pp. 1-28

Section 2: Classical Cryptography, pp. 29-68
F.L. Bauer: Cryptology - Methods and Maxims, p. 31
Mechanical Cryptographic Devices, p. 47
A.G. Konheim: Cryptanalysis of a Kryha Machine, p. 49
H.-R. Schuchmann: Enigma Variations, p. 65

Section 3: Mathematical Foundations, pp. 69-128
N.J.A. Sloane: Encrypting by Random Rotations, p. 71

Section 4: Analogue Scrambling Schemes, pp. 129-178
H.J. Beker: Analogue Speech Security Systems, p. 130
P. Heß; K. Wirl: A Voice Scrambling System for Testing and Demonstration, p. 147
K.-P. Timmann: The Rating of Understanding in Secure Voice Communication Systems, p. 157
L. Györfi; I. Kerekes: Analysis of Multiple Access Channel Using Multiple Level FSK, p. 165
F. Pichler: Analog Scrambling by the General Fast Fourier Transform, p. 173

Section 5: Stream Ciphers, pp. 179-216
F.C. Piper: Stream Ciphers, p. 181
S.M. Jennings: Multiplexed Sequences: Some Properties of the Minimum Polynomial, p. 189
T. Herlestam: On Using Prime Polynomials in Crypto Generators, p. 207

Section 6: Cryptography in Large Communication Systems, pp. 217-232
M.R. Oberman: Communication Security in Remote Controlled Computer Systems, p. 219
L. Horbach: Privacy and Data Protection in Medicine, p. 228

Section 7: The Data Encryption Standard, pp. 233-279
I. Schaumüller-Bichl: Cryptanalysis of the Data Encryption Standard by the Method of Formal Coding, p. 235
J.A. Gordon; H. Retkin: Are Big S-Boxes Best?, p. 257
D.W. Davies; G.I.P. Parkin: The Average Cycle Size of the Key Stream in Output Feedback Encipherment, p. 263

Section 8: Authentication Systems, pp. 281-306
M. Davio; J.-M. Goethals; J.-J. Quisquater: Authentication Procedures, p. 283
P. Schöbi; J.L. Massey: Fast Authentication in a Trapdoor-Knapsack Public Key Cryptosystem, p. 289

Section 9: The Merkle-Hellman-Scheme, pp. 307-322
I. Ingemarsson: A New Algorithm for the Solution of the Knapsack Problem, p. 309
R. Eier; H. Lagger: Trapdoors in Knapsack Cryptosystems, p. 316

Section 10: The Rivest-Shamir-Adleman-Scheme, pp. 323-375
C.P. Schnorr: Is the RSA-Scheme Safe?, p. 325
J. Sattler; C.P. Schnorr: Ein Effizienzvergleich der Faktorisierungsverfahren von Morrison-Brillhart und Schroeppel (An Efficiency Comparison of the Factoring Methods of Morrison-Brillhart and Schroeppel)
A. Ecker: Finite Semigroups and the RSA-Cryptosystem, p. 353
M. Mignotte: How to Share a Secret?, p. 371

List of talks for which no paper was submitted, p. 376
Bibliography, pp. 377-397
List of Participants, pp. 398-402

Section 1: Introduction

T. Beth (Ed.): Cryptography - EUROCRYPT '82, LNCS 149, pp. 1-28, 1983. © Springer-Verlag Berlin Heidelberg 1983

Having all of a sudden left the shady corner of semi-military art, modern cryptography has become a central topic of research in all areas of communication science.

Definitions (cf. Bauer, pp. 31-48)

Cryptographic measures are applied to protect valuable data during transmission against unwanted interception

Fig. 1: passive violation (an interceptor listening to the transmission)

and (possibly undetectable) forgery.

Fig. 2: active violation

In accordance with the subsequent paper of Bauer (pp. 31-48), the technique applied to meet these requirements is called encryption. In this process the transmitter enciphers (or encrypts) a plaintext message into a ciphertext.

Fig. 3: The wire-tap channel (plaintext, ciphering, ciphertext)

This transformation is called a cipher (function), which the authorized receiver deciphers (decrypts). An enemy is a person or institution who wants illegal access to the messages. Assuming that the enemy can only get hold of the ciphertexts, he has to perform a cryptanalysis in order to reconstitute the plaintexts.

To add to the difficulties for a cryptanalyst, the cipher functions are chosen according to a varying parameter, called the key. A generator cryptosystem consists of a class of injective cipher functions E_s: M → C, mapping plaintext messages (∈ M) into ciphertexts (∈ C). The parameter s runs through the set K of keys. These formulations are best demonstrated by the basic, classical examples.

Historical Ciphers

A rather extensive portion of today's cryptographic research is still concerned with the study of classic crypto-systems. One of the most simple systems, the so-called CAESAR,

Fig. 4: A Cipher Wheel (taken from Franke 1982)

is probably known to everybody who has ever thought about encrypting messages, cf. Kahn 1968. The article "Cryptology - Methods and Maxims" by Bauer, pp. 31-48, gives a rather detailed introduction to the principles of designing cryptographic devices. Bauer also places special emphasis on the weakness of most known systems, some of which were cryptanalysed more than a century ago, cf. Kasiski 1822, Kerckhoffs 1822. In spite of these very old publications crypto-machines were still built without their constructors' realizing that they were practically worthless. An example is the beautiful-looking machine invented by Alexander von Kryha.

Fig. 5: A Kryha machine (Photo credit: K. Wirl). This model was shown at Burg Feuerstein by K.O. Widman, Crypto AG.

The article by Konheim, pp. 49-64, gives a short summary of the history of this machine and its inventor, followed by a complete cryptanalysis of its function. This paper is an addition to the introductory chapters on cryptanalysis which for instance can be found in the recent textbooks by Beker and Piper (1982) - e.g. for analyzing the Hagelin M-209 - or that by Konheim (1981), where a complete analysis of the (in-)famous German cipher machine ENIGMA is demonstrated. The reader who is interested in the historical and political implications of the ENIGMA's security being so wrongly overestimated will find good references in Bauer's article, pp. 31-48, including the book by Kahn 1964. Schuchmann's contribution presents yet further aspects that have arisen from his occupation with the ENIGMA machine.

Fig. 6: An ENIGMA (Photo credit: K. Wirl). This model was shown at Burg Feuerstein by H.-R. Schuchmann, Siemens AG.

The weakness of all these "classical" systems is mainly owing to the principal mistake of using the same key more than once.

Towards Modern Cryptography

By a small modification most of the classical though simple systems can be made secure. The idea goes back to the AT&T-engineer G.S. Vernam, who already in 1917 (published as late as 1926) proposed to use simply Vigenère-ciphers with a random key. Vigenère-ciphers are basically CAESAR-like ciphers; for an exact definition see Bauer, pp. 31-48. The so-called Vernam-cipher had been developed for the use in telegraph systems where the plaintext, which is a binary sequence in this case, is superimposed by a binary key sequence via mod 2 addition.

Fig. 7: Vernam cipher with one-time-pad

This key sequence could be realized as a sequence on a paper tape being used by both transmitter and receiver, who synchronously apply each portion of this tape only once (one-time-pad). Thus emphasis has to be placed upon the question how to generate the key-sequences in order to make the Vernam-system secure, see again Bauer, pp. 33-48. It was C.E. Shannon (Shannon 1949) who gave sufficient conditions for absolute cryptographic security of cipher systems. So the proposed Vernam-system would be secure if the key-sequence was generated by a random process such as coin-tossing, giving a binomial distribution of maximal entropy.
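The Vernam system just described, as an added example that is not part of the original volume: mod-2 superposition of a coin-toss key tape, synchronous decipherment by the receiver, and what an interceptor gains when the "only once" rule is broken (the key cancels out of two ciphertexts made with the same tape portion). The plaintexts are constructed samples.

```python
import secrets


def to_bits(text: str) -> list[int]:
    """Plaintext as the binary sequence of a telegraph system (8 bits per character)."""
    return [int(b) for byte in text.encode("ascii") for b in format(byte, "08b")]


def from_bits(bits: list[int]) -> str:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8)).decode("ascii")


def coin_toss_tape(n: int) -> list[int]:
    """Key tape from a genuine random process: each bit an independent fair coin toss
    (secrets.randbits reads the operating system's entropy source)."""
    return [secrets.randbits(1) for _ in range(n)]


def vernam(bits: list[int], tape: list[int]) -> list[int]:
    """Superimpose the key sequence on the message via mod-2 addition.
    The same call deciphers, because (m + s) + s = m (mod 2).
    Refuses to run past the end of the tape: a pad shorter than the message
    would force a portion of it to be reused."""
    if len(tape) < len(bits):
        raise ValueError("key tape exhausted; the pad must be at least as long as the message")
    return [(m + s) % 2 for m, s in zip(bits, tape)]


def reuse_leak(c1: list[int], c2: list[int]) -> list[int]:
    """What an interceptor holding two ciphertexts made with the same tape portion
    can compute: c1 + c2 = (m1 + s) + (m2 + s) = m1 + m2 (mod 2). The key cancels,
    so every position where the two plaintexts agree shows up as a 0."""
    return [(a + b) % 2 for a, b in zip(c1, c2)]


def roundtrip(text: str) -> str:
    """Transmitter and receiver share one tape and apply it synchronously, once."""
    m = to_bits(text)
    tape = coin_toss_tape(len(m))
    return from_bits(vernam(vernam(m, tape), tape))


def reuse_demo() -> tuple[bool, int]:
    """Constructed sample: two messages enciphered with the same tape portion.
    Returns whether the leak equals m1 + m2 (mod 2) and how many leading bits of it
    are 0, i.e. how far the common prefix of the two plaintexts is exposed."""
    m1 = to_bits("ATTACK AT DAWN")
    m2 = to_bits("ATTACK AT NOON")
    tape = coin_toss_tape(len(m1))
    leak = reuse_leak(vernam(m1, tape), vernam(m2, tape))
    expected = [(a + b) % 2 for a, b in zip(m1, m2)]
    zero_prefix = next((i for i, b in enumerate(leak) if b), len(leak))
    return leak == expected, zero_prefix
```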

Although this procedure endows the users with a system of utmost security - there are reports that such systems are used on extremely sensitive lines, cf. Kahn 1963 - it is obvious that the secure distribution of huge sets of key tape generates other problems, cf. Ryska/Herda 1979, Beth 1982. A possible way to get around this problem will be discussed in the paragraph on Sequential Ciphers.

Modern Cryptosystems

The few examples given so far show that modern cryptographic systems have to be designed with a substantial portion of interdisciplinary work. Pursuing the directions shown by Vernam 1926, Hill 1926 and Albert 1941, modern cryptography cannot be thought of without mathematics - ranging over all areas from analysis, combinatorics, probability to geometry and algebra. This should be clear from almost all the articles in this volume. On the other hand, main tools and intrinsic knowledge from many other areas, e.g. physics, electrical engineering, computer science, systems engineering and linguistics, are required. This is probably best demonstrated by the fascinating article "Encrypting by Random Rotations", pp. 71-128, contributed by Sloane. This paper, which originally has arisen from the problem of secure speech transmission, is really giving a wide-ranging survey of methods in modern cryptography.

Secure Speech Transmission

Major attention has always been paid to the problem of persons speaking to each other via telephone or radio without being overheard. With the Vernam-system at disposal a secure speech transmission could just as easily be designed as follows:

Fig. 8: Secure Digital Speech Transmission

But every simple solution has its drawbacks: let alone the quoted disadvantages associated with the design of secure Vernam ciphers, there is a more serious problem which is essentially due to a law of physics. For the design of a secure voice transmission via a telephone line one has to be aware of the fact that standard (wire-) telephone lines are only capable of transmitting in a frequency range of 300-3400 Hz. Assuming the mentioned Analog-to-Binary-Converter works as a standard Puls-Code-Modulator,

Fig. 9: PCM-Modulation (taken from Franke 1982); the sampled signal is plotted against time t

it has to operate at a sampling frequency of at least 2 × 3400 Hz (Nyquist rate). This is due to a law of communications engineering, the so-called sampling theorem (for this see Sloane's article, pp. 71-128), which is very similar to the renowned Heisenberg uncertainty principle in quantum physics, cf. Dym/McKean 1972. Furthermore, assuming a sampling precision of 8 bit, the Analog-to-Binary-Converter in consideration would produce more than 50k bit per sec. Obviously it would be impossible to transmit at such a rate via a standard telephone line.

Several remedies are possible:
(i) Wyner's scrambling scheme (cf. Wyner 1980);
(ii) analog voice scrambling systems using Time-Division-Scrambling and Frequency-Domain-Scrambling (cf. the recent book Beth/Heß/Wirl 1983).

Fig. 10: The effect of time-division scrambling (taken from Beth/Heß/Wirl 1982): a segment of speech cut into the eight time slices 1 2 3 4 5 6 7 8 is transmitted as the permuted segment 5 7 1 4 2 8 6 3.

N.J.A. Sloane's article, pp. 71-128, includes a very concise description of the Wyner scheme. Then, in a marvelous excursion through probability, analysis, representation theory and combinatorics, Sloane shows how Wyner's system can be endowed with the suitable probabilistic properties in order to make it cryptographically secure in the strict sense mentioned before. Until today the Wyner system, though extremely appealing, has one major drawback: no feasible implementation is known. So for all practical purposes voice scrambling systems still have to be built as a mixture of Time- and Frequency-Domain-Scramblers. As these two procedures correspond to the well-known classes of Transposition- respectively Substitution-ciphers (cf. Bauer, pp. 31-48), the quoted security measures have to be applied again.

Beker's survey paper "Analogue Speech Security Systems" (pp. 131-146) gives an excellent introduction to the present day techniques, which finally lead to very refined combinatorial investigations concerning the availability of large key spaces as required for high security. The paper by Heß and Wirl, pp. 147-156, "A Voice Scrambling System for Testing and Demonstration", describes a Time-Domain-Scrambler

Fig. 11: The EVOCS-system, cf. pp. 147-156 (Photo credit: K. Wirl)

which has been developed at the Department of Computer Sciences at the University of Erlangen. A report on the state of the art (at the beginning of 1982) is contained in the book Beth/Heß/Wirl 1983, which also deals with a description of some experiments to determine subjective understandability of scrambled speech. The contribution by Timmann, pp. 157-163, throws some new light upon this important topic. Other analogue scrambling schemes than those described in the paper by Heß and Wirl, pp. 147-156, are the ones which manipulate the spectra. Pichler's contribution, pp. 173-178, proposes an interesting way of designing an analogue scrambler via the Fast Fourier Transform (Aho/Hopcroft/Ullman 1974). This technique provides the links with the very new and powerful technique of spread spectra and frequency hopping. These systems, which are mainly developed for large bandwidths (see below), are the topic of the paper by Györfi and Kerekes, pp. 165-179.

Digital Cipher Systems

Since the investigations of the preceding section apply merely to low frequency transmission systems, for most computers, data banking systems, VHF- and UHF-communication nets the question of bandwidth is negligible and, besides, most of the digitized data are already available in a form which supports their processing by means of discrete mathematics and algebra. Digital cipher systems roughly fall into two classes:

- Sequential Ciphers,
- Block Ciphers.

The reader may be warned that these classes are not necessarily disjoint.

Sequential Ciphers

Sequential ciphers have already been considered in the context of Vernam systems. In applying these systems it is crucial to provide both at the transmitter's and receiver's end binary random sequences longer than the expected sequence of messages. To give a mathematical model: a sequential cipher is a cryptosystem of arbitrary injective enciphering functions, in which the sets of plaintexts (M), of keys (K) and of ciphertexts (C) coincide with the set {0,1}^N of all countable 0-1-sequences.

For the most restricted class of stream ciphers the set of enciphering functions E_s: M → C, s ∈ K, consists of the simple additions

E_s(m) = m ⊕ s (mod 2)

(cf. Picture No. 7). More complicated sequential ciphers will be discussed in the context of the contribution by Davies/Parkin, pp. 263-279. Since coin-tossing - aside from all other aspects - is not quite what one would call a real-time random process for the use in modern computer systems, one has to refer back to "approximate random" (cf. Sloane's article, pp. 71-128) by Pseudo Random Generators. Under the assumption that such systems are available, an electronic stream cipher system basically has the following form:

Fig. 12: A sequential cipher system

Piper's article "Stream Ciphers" (pp. 181-188) shows why the PRG's, which up to the 1960's were realized via Linear Feedback Shift-Registers (cf. Golomb 1967, Selmer 1966, Lüneburg 1979),

Fig. 13: A linear feed-back-shift-register

are totally insecure. Their replacement by so-called Non-Linear Feedback Shift Registers

Fig. 14: A non-linear feed-back-shift-register

is being discussed in Jennings' contribution, pp. 189-206, where she describes one of the most powerful practical Pseudo Random Generators. Its behaviour can be described wholly in terms of polynomial algebra over finite fields, discrete Fourier transforms and auto-correlation functions.
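An added example, not taken from the volume, of why Piper's article counts linear feedback shift registers as totally insecure: a small LFSR keystream generator beside the Berlekamp-Massey algorithm, which recovers the register length L and its feedback taps from only 2L consecutive keystream bits and then regenerates every later bit. The register length, taps and starting state below are constructed for the demonstration.

```python
def lfsr_keystream(taps: list[int], state: list[int], n: int) -> list[int]:
    """Linear feedback shift register over GF(2).
    taps: the i with c_i = 1 in the recurrence s_t = sum_i c_i * s_{t-i} (mod 2), 1 <= i <= L;
    state: the L initial bits s_0 .. s_{L-1} (the secret key).
    Returns the first n keystream bits s_0, s_1, ..."""
    L = len(state)
    if any(i < 1 or i > L for i in taps) or not any(state):
        raise ValueError("taps must lie in 1..L and the initial state must be non-zero")
    window = list(state)              # holds s_t .. s_{t+L-1}
    out = []
    for _ in range(n):
        out.append(window[0])
        feedback = 0
        for i in taps:
            feedback ^= window[L - i]  # s_{t+L-i}
        window = window[1:] + [feedback]
    return out


def berlekamp_massey(seq: list[int]) -> tuple[int, list[int]]:
    """Shortest LFSR generating seq (Massey 1969).
    Returns (L, C) with C[0] = 1 and C[1..L] the recurrence coefficients, i.e.
    seq[t] = sum_{i=1}^{L} C[i] * seq[t-i] (mod 2) for every t >= L."""
    n = len(seq)
    C = [1] + [0] * n      # current connection polynomial
    B = [1] + [0] * n      # connection polynomial before the last length change
    L, m = 0, 1            # current length; steps since that change
    for t in range(n):
        d = seq[t]                                 # discrepancy of the next bit
        for i in range(1, L + 1):
            d ^= C[i] & seq[t - i]
        if d == 0:
            m += 1
            continue
        T = C[:]
        for i in range(n + 1 - m):                 # C <- C + x^m * B
            C[i + m] ^= B[i]
        if 2 * L <= t:                             # register must grow
            L, B, m = t + 1 - L, T, 1
        else:
            m += 1
    return L, C[:L + 1]


def recover_and_extend(observed: list[int], total: int) -> tuple[int, list[int], list[int]]:
    """What a few known keystream bits give away: the register (L and taps) and,
    by running the recovered register, every later keystream bit."""
    L, C = berlekamp_massey(observed)
    if len(observed) < 2 * L:
        raise ValueError("need at least 2L bits for a unique register")
    taps = [i for i in range(1, L + 1) if C[i]]
    return L, taps, lfsr_keystream(taps, observed[:L], total)


def period(taps: list[int], state: list[int]) -> int:
    """Length of the keystream cycle for this register and start state
    (at most 2^L - 1, reached only for a primitive feedback polynomial)."""
    L = len(state)
    first, window, steps = tuple(state), list(state), 0
    while True:
        feedback = 0
        for i in taps:
            feedback ^= window[L - i]
        window = window[1:] + [feedback]
        steps += 1
        if tuple(window) == first:
            return steps
```

With a 5-stage register, ten observed bits are enough to reproduce the full 31-bit cycle, and the same holds for any length L with 2L bits.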

Another tool from polynomial theory needed for the design of good Pseudo Random Generators is provided by Herlestam's article, pp. 207-216, which will prove interesting to pure mathematicians also.

Block Ciphers

While cryptogenerators for the large class of stream ciphers can be described and designed in the quite beautiful and efficient setup of algebra over finite fields, the development of equally good block ciphers seems to be a much harder problem. A block cipher consists of an arbitrary set of injective mappings E_s: M → C, where in most cases the sets M and C consist of the space {0,1}^n of binary vectors of length n for some integer n, while the key space K can be parametrized in many different ways.

Fig. 15: A Block Cipher System

The figure in principle shows how to operate block ciphers. It seems to be a challenge for most cryptographers to design secure block ciphers. For further reading the references Beker/Piper 1982, Ryska/Herda 1980, Konheim 1981, or Feistel 1973 are suggested.

The best-known, but not yet fully understood block cipher appears to be the Data Encryption Standard (DES) as published by the U.S. National Bureau of Standards, Federal Register, August 1st, 1975. Here the messages as well as the ciphertexts are binary words of length 64. The key space consists of binary vectors of 56 bit, extended by (additional) 8 control bits. The following flow chart

Fig. 16: The principle of DES (taken from Ryska/Herda 1980)

shows the operational logic of DES, which meanwhile is available as a chip produced by several manufacturers. The procedures in this flow chart are made public (cf. Federal Reg. 1975, Konheim 1981). The crucial part of the algorithm seems to lie in the construction of so-called S-Boxes, which dominantly determine the functions f(R, K_n).

Fig. 17: The function f(R,K) (taken from Ryska/Herda 1980); K_n changes for n = 1, 2, ..., 16

It has been the topic of serious discussions (cf. Morris/Sloane/Wyner 1977, Diffie/Hellman 1976) whether the function of these S-Boxes will guarantee sufficient crypto-complexity to withstand even forceful attacks. In her contribution Schaumüller-Bichl introduces a complexity measure through which an attempt is made to perform a security analysis of DES.

Gordon's article on large S-Boxes, pp. 256-261, aims at a more constructive approach to increase the security of DES-like block ciphers by proposing larger classes of enciphering algorithms. There is a natural implementation of block ciphers for producing sequential ciphers (which are not stream ciphers in the narrow sense). This principle is best demonstrated by the functional diagram

Fig. 18: The cipher feed-back-mode of DES (taken from Ryska/Herda 1980); the diagram shows the transmission and the reception side, each applying DES under the key K to the previous ciphertext c_{t-1} and combining k bits of the output E_K with p_t resp. c_t.

of the DES in the so-called Cipher Feedback Mode. The paper by Davies and Parkin, pp. 263-279, examines the behaviour of the encryption procedure in terms of combinatorial aspects towards the possible periodicities. This is a very promising approach which, being merely automata theoretic, may well prove to extend the linear algebraic considerations as introduced by Piper, pp. 181-188, or Jennings, pp. 189-206.

Cryptography in Communication Nets

As DES has been chosen as a standard encryption procedure for huge information systems (cf. Oberman's paper, pp. 219-227) between government authorities, insurance companies and hospitals (cf. Horbach's contribution, pp. 228-232), banks and point-of-sale terminals in department stores, etc., it was essential to design a key distribution system of a kind that lets the users communicate with each other in a secure way. For this purpose the model of a key library has been developed, very much in analogy to that well-known "key library" known as "telephone books".

Fig. 19: A communication system based on DES

The concept of a key distribution system helped to develop the concept of a so-called One-Way-Function. Loosely speaking, an injective function f: X → Y is called a "one-way-function" if

(i) for any x ∈ X it is "easy" to compute y = f(x);
(ii) for given y ∈ Y it is "practically" infeasible to find the x ∈ X solving the equation y = f(x).

For some more explanations of these see the articles by Davio, Goethals and Quisquater, pp. 283-288, and Schöbi and Massey, pp. 289-306. A one-way-function which in the context of key distribution probably has become known best is the one given by Pohlig/Hellman 1978. For this let Y = GF(p) be the finite field of prime order p with a primitive element w, cf. Dornhoff/Hohn 1978, Lüneburg 1979. Then the function

x ↦ w^x (computed in GF(p))

is a one-way-function, cf. Pohlig/Hellman 1978, Ryska/Herda 1980, Beth 1982. For an implementation in a key distribution system, e.g. for DES, it can be used as follows: each user T_i chooses a number x_i (kept secret) and sends the value y_i = w^{x_i} to the key library. Suppose T_1 and T_2 want to communicate under DES. T_1 looks up T_2's key and uses k_{1,2} = y_2^{x_1} as a key. T_2 looks up y_1 and uses k_{2,1} = y_1^{x_2}. But as

y_2^{x_1} = w^{x_2 x_1} = w^{x_1 x_2} = y_1^{x_2},

both happen to use the same key, as is required.
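The key library just described, as an added example that is not from the volume: a primitive-element check for w, the easy direction x ↦ w^x of the Pohlig/Hellman function, a brute-force inverse that only works for toy primes, and two users T1, T2 deriving the same pairwise key from nothing but the library entries. The prime 2^31-1 with primitive element 7 and the toy prime 23 are my choices, not the page's.

```python
import secrets


def prime_factors(n: int) -> set[int]:
    """Distinct prime factors by trial division (fine for the sizes used here)."""
    fs, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            fs.add(d)
            n //= d
        d += 1
    if n > 1:
        fs.add(n)
    return fs


def is_primitive_element(w: int, p: int) -> bool:
    """w generates the multiplicative group of GF(p) iff w^((p-1)/q) != 1 mod p for every
    prime q dividing p-1; then x -> w^x is a bijection on the exponents 0..p-2."""
    return 1 < w < p and all(pow(w, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


def one_way(w: int, x: int, p: int) -> int:
    """The easy direction of the Pohlig/Hellman function: x -> w^x in GF(p)."""
    return pow(w, x, p)


def discrete_log_by_search(w: int, y: int, p: int) -> int:
    """The hard direction done naively: try every exponent. The cost grows with p,
    which is why the key library must use a large prime; usable here only for toy sizes."""
    acc = 1
    for x in range(p - 1):
        if acc == y:
            return x
        acc = acc * w % p
    raise ValueError("y is not in the group generated by w")


class KeyLibrary:
    """The public 'telephone book': user name -> y_i = w^{x_i} mod p. It never sees x_i."""

    def __init__(self, p: int, w: int):
        if not is_primitive_element(w, p):
            raise ValueError("w must be a primitive element of GF(p)")
        self.p, self.w, self.entries = p, w, {}

    def register(self, name: str, y: int) -> None:
        self.entries[name] = y

    def lookup(self, name: str) -> int:
        return self.entries[name]


class User:
    """T_i keeps x_i secret, publishes y_i and derives pairwise DES keys from the library."""

    def __init__(self, name: str, library: KeyLibrary, x=None):
        self.name, self.lib = name, library
        # secret exponent 1 <= x <= p-2, drawn from the OS entropy source unless given
        self.x = x if x is not None else secrets.randbelow(library.p - 2) + 1
        library.register(name, one_way(library.w, self.x, library.p))

    def pairwise_key(self, other: str) -> int:
        """k_{i,j} = y_j^{x_i} mod p; the partner computes y_i^{x_j}, the same value."""
        return pow(self.lib.lookup(other), self.x, self.lib.p)


def demo(p: int = 2 ** 31 - 1, w: int = 7) -> bool:
    """T1 and T2 agree on a key with only the library entries y_1, y_2 in transit."""
    lib = KeyLibrary(p, w)
    t1, t2 = User("T1", lib), User("T2", lib)
    return t1.pairwise_key("T2") == t2.pairwise_key("T1")
```

The integer k_{1,2} would still have to be mapped onto a 56-bit DES key; that step is outside this example.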

This concept had been developed to provide secure pairwise communication lines on the base of a common cryptosystem like DES. For most communication systems a different model is of equally important use. Consider a communication system in which any user T_1 wants to be able to send a message to some arbitrary other user T_2 exclusively, even without identifying himself or having any feedback. This model applies to satellites addressing certain authorized ground stations, measuring instruments reporting to certain authorized controllers, etc.

Fig. 20: A public key crypto system

It is realized by a cryptosystem with a public key library, based on the idea of "trap-door-functions". These, loosely speaking, are one-way-functions whose inversion becomes easy if some hidden (trapdoor-)information is known, cf. Diffie/Hellman 1976, Hellman 1977. The public-key-system now operates as follows: the receiver T_2 has made his trap-door-function E_{s_2} public via the key library, where any sender T_1 can look up E_{s_2} and then encipher his message m by E_{s_2}. Any other possible receiver - except T_2 - will be locked out, as c = E_{s_2}(m) is scrambled under the one-way-function E_{s_2}. But T_2 knows the hidden trick to invert E_{s_2}. So T_2 (and only T_2) is able to read m by D_{s_2}.

It is one of the amazing properties of this system, cf. Diffie/Hellman 1976, Hellman 1977, that it can be used for the contrary purpose - i.e. the identification of the sender T_1 - as well. To do this the sender only has to encipher all his messages by "his" inverse function D_{s_1} (which is only known to him). Any receiver T_2 who wants to convince himself that it is indeed T_1 who is transmitting looks up E_{s_1} in the library and deciphers with its help. He obtains the plaintext if T_1 is the sender. In the light of this concept the contribution by Davio, Goethals and Quisquater, pp. 283-288, describes an interesting setup for new authentication procedures. The paper by Schöbi and Massey, pp. 289-306, deals with a fast authentication algorithm based on the concrete trap-door-function known as the Trap-door-knapsack.

Trap-Door-Functions

Two examples of trap-door-functions have become well-known:

- the RSA-Scheme,
- the Merkle-Hellman-Scheme.

The Merkle-Hellman-Scheme (cf. Merkle/Hellman 1978) is based on a special knapsack problem (cf. Aho/Hopcroft/Ullman 1974), which is nicely described in the contributions by Schöbi and Massey, pp. 289-306, or Eier and Lagger, pp. 316-322. But - since very shortly after the publication of the MH-Scheme - there have been misgivings with respect to the security of cryptosystems linked to NP-hard problems (cf. Aho/Hopcroft/Ullman 1974, Garey/Johnson 1979). Especially the MH-Scheme, which depends on a very special subclass of the general knapsack problem, shows a surprising weakness. Already in 1977 it was shown by Even, Lempel and Yacobi (cf. Lempel 1978) that a slight modification, which seemingly increased the security, makes the MH-Scheme almost trivial to "break". One proposal to launch an attack against the MH-Scheme is made in the paper by Eier and Lagger, pp. 316-322, giving at the same time a good starting point for the contribution by Ingemarsson (pp. 309-315). Ingemarsson describes a procedure transforming the original knapsack into a system of modified knapsack problems in elementary geometry of numbers and linear programming. Along the same lines is a paper by Shamir (Shamir 1982) in which he describes a method*) solving almost all the knapsack-equations of fixed length n in polynomial computing time. Shamir's method uses a result of Lenstra's (Lenstra 1981), which proves that the integer linear programming problem (Garey/Johnson 1977) with a fixed number of variables is polynomially solvable.

*) This result was already announced during the Workshop on Cryptography, Burg Feuerstein. The editor would have been happy to be able to include this paper in this volume.
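The Merkle-Hellman trap-door function, as an added example that is not from the volume: a superincreasing knapsack disguised by modular multiplication, encryption as a subset sum over the public weights, and decryption that needs only the trapdoor W^{-1} mod M plus a greedy scan. The knapsack size, weight ranges and seeded random choices are constructed for the demonstration.

```python
import random
from math import gcd


def superincreasing_sequence(n: int, rng: random.Random) -> list[int]:
    """a_1 < a_2 < ... with each a_i larger than the sum of all earlier ones."""
    seq, total = [], 0
    for _ in range(n):
        a = total + rng.randint(1, 256)
        seq.append(a)
        total += a
    return seq


def solve_superincreasing(a: list[int], s: int) -> list[int]:
    """The easy knapsack: scanning from the largest weight down decides each bit."""
    bits = [0] * len(a)
    for i in range(len(a) - 1, -1, -1):
        if a[i] <= s:
            bits[i], s = 1, s - a[i]
    if s != 0:
        raise ValueError("no subset sums to s")
    return bits


def keygen(n: int, seed: int):
    """Private: superincreasing a, modulus M > sum(a), multiplier W with gcd(W, M) = 1.
    Public: b_i = W * a_i mod M, a general-looking knapsack.
    Trapdoor kept with the private key: W^{-1} mod M."""
    rng = random.Random(seed)
    a = superincreasing_sequence(n, rng)
    M = sum(a) + rng.randint(1, 256)
    W = rng.randrange(2, M)
    while gcd(W, M) != 1:
        W = rng.randrange(2, M)
    public = [W * ai % M for ai in a]
    private = (a, M, pow(W, -1, M))
    return public, private


def encrypt_block(public: list[int], bits: list[int]) -> int:
    """E_s(m): the sum of the public weights selected by the message bits."""
    if len(bits) != len(public):
        raise ValueError("block length must equal the knapsack size")
    return sum(b for b, x in zip(public, bits) if x)


def decrypt_block(private, c: int) -> list[int]:
    """With the trapdoor: W^{-1} * c mod M = sum a_i x_i exactly (since sum(a) < M),
    which the greedy scan over the superincreasing a solves."""
    a, M, w_inv = private
    return solve_superincreasing(a, w_inv * c % M)


def encrypt_text(public: list[int], text: str) -> list[int]:
    """One knapsack block per 8-bit character (a knapsack of size 8 is assumed)."""
    return [encrypt_block(public, [int(b) for b in format(ch, "08b")])
            for ch in text.encode("ascii")]


def decrypt_text(private, blocks: list[int]) -> str:
    return bytes(int("".join(map(str, decrypt_block(private, c))), 2)
                 for c in blocks).decode("ascii")
```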


So there remains to consider the other famous Public-Key-Crypto-System, the renowned RSA-System (Rivest/Shamir/Adleman 1978). The RSA-System uses as a set of plaintext M the set M = [0 : m]. The set K of keys consists of the pairs (N; d) of positive integers with N > m and g.c.d.(d, φ(N)) = 1. Each user selects a pair of distinct prime numbers p, q with N = p · q > m and a number d with

(p, q), 'Tauschalphabet') is usually written in substitution notation

          a b c d e f g h i j k l m n o p q r s t u v w x y z
    Y = ( N F O B V G H J T K M S P D U Q W A C Z R I X Y E L )

Shorter is the cycle notation Y = (e v i t z l s c o u r a n d b f g h j k m p q w x y)

which shows that in our case the order of the substitution is the maximal one, namely 26 ('cyclic substitution'). In general, there are several cycles and sometimes even invariant symbols: the substitution

          a b c d e f g h i j k l m n o p q r s t u v w x y z
    Y = ( S E C U R I T Y A B D F G H J K L M N O P Q V W X Z )

reads in cycle notation

    Y = (a s n h y x w v q l f i)(b e r m g t o j)(d u p k)(c)(z)

Since the times of G. B. PORTA (1535-1615), a restriction to involutory mappings can be found. This makes encryption and decryption identical. An involutory substitution has cycles of order 2 or 1 only:

    Y = (a z)(b y)(c x)(d w)(e v)(f u)(g t)(h s)(i r)(j q)(k p)(l o)(m n)

This reduces the size of the family over Z_26 to 26! / (2^13 · 13!) = 7.91 · 10^12.

Surprisingly often the actual family is quite drastically small. In many polyalphabetic systems, it consists of just 26 substitutions which are obtained as powers of a single cyclic substitution u of order 26, Y^(k_i) = u^(k_i). Here, the key elements k_i can be denoted by the 26 letters themselves.

In 1795, THOMAS JEFFERSON (1743-1826) used a polyalphabetic substitution of period 36, based on powers of 36 different cyclic substitutions. The same system (with period 20) was proposed by ETIENNE BAZERIES (1846-1924). In both cases, a cylindrical device was used to support encryption and decryption mechanically, and in order to simplify the use, the same power k_i = k was used for every substitution. The same weakness showed the machine M-94 of the US Army (period 25), also a cylindrical device, and the machine M-138-A of the US State Department (period 33), using slides. Security of these systems rested solely with the free choice of the order in which these different substitutions u_i were to be used. In the M-138-A, there was even a choice of 30 out of 100 available alphabets - still, the system was vulnerable.

Following general use, plaintext is set in lower case, crypto text is set in SMALL CAPS, keys are set in LARGE CAPS.

Another weakness is shown by polyalphabetic systems which use different powers of the same cyclic substitution u. Using the above cycle u = (e v i t z l s c o u r a n d b f g h j k m p q w x y) and period 4, we obtain with the key word ABEL (where A stands for u^1, B for u^2, E for u^5, L for u^12):

    plain text    c r y p t o l o g y
    key           A B E L A B E L A B
    crypto text   O N Z C Z R R M H V

A particularly simple case uses a cyclic substitution u0 with the cycle in common alphabetic order u0 = (a b c d e f g h i j k l m n o p q r s t u v w x y z). With period 4 again and with the key word ABEL, we obtain

    plain text    c r y p t o l o g y
    key           A B E L A B E L A B
    crypto text   D T D B U Q Q A H A

Polyalphabetic enciphering of this kind is called a VIGENERE (BLAISE DE VIGENERE, 1523-1596). In the monoalphabetic case, one speaks of a CAESAR (according to SUETONIUS, CAESAR in letters to CICERO replaced every plaintext letter by the one standing three places further down the alphabet).

VIGENERE and in particular CAESAR can be viewed as addition modulo N, if in text and key the i-th letter of the cycle is represented by the number i. Thus, they are monographic special cases of inhomogeneous linear substitutions.
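As an added example (not code from the proceedings), the following Python models the two notations and the two ABEL encipherments of this section: it converts a substitution in tabular notation into cycle notation, checks the involutory property and the count 26!/(2^13 · 13!), and enciphers by powers u^(k_i) of a cyclic substitution, of which VIGENERE (alphabetic cycle) and CAESAR (one-letter key) are the special cases just described. The key-letter convention A = u^1, B = u^2, ..., Z = u^26 is taken from the text; the sample substitutions are the ones printed above.

```python
"""Polyalphabetic enciphering by powers of a cyclic substitution (added example).

Constructed to illustrate the text; not code from the proceedings.
"""
from math import factorial, lcm
from string import ascii_lowercase as ALPHA

# The 'Tauschalphabet' of the text in substitution notation (a->N, b->F, ...)
TABULAR = dict(zip(ALPHA, "nfobvghjtkmspduqwaczrixyel"))
# The same substitution written as one 26-cycle, as the text does
MIXED_CYCLE = "evitzlscourandbfghjkmpqwxy"
# The SECURITY... substitution of the text, which splits into several cycles
SECURITY = dict(zip(ALPHA, "securityabdfghjklmnopqvwxz"))
# PORTA-style involution (a z)(b y) ... (m n)
PORTA = {c: ALPHA[25 - i] for i, c in enumerate(ALPHA)}


def cycles_of(subst):
    """Disjoint cycles of a permutation given as dict letter -> image; each
    cycle starts at its alphabetically smallest not yet visited letter."""
    seen, cycles = set(), []
    for start in sorted(subst):
        if start in seen:
            continue
        cyc, x = [], start
        while x not in seen:
            seen.add(x)
            cyc.append(x)
            x = subst[x]
        cycles.append("".join(cyc))
    return cycles


def order_of(subst):
    """Order of the substitution: least common multiple of its cycle lengths."""
    return lcm(*(len(c) for c in cycles_of(subst)))


def is_involutory(subst):
    """Encryption equals decryption iff every cycle has order 1 or 2."""
    return all(len(c) <= 2 for c in cycles_of(subst))


def involutions_without_fixed_points(n):
    """Number of substitutions on n letters (n even) consisting of 2-cycles
    only: n! / (2^(n/2) * (n/2)!), the text's 26! / (2^13 * 13!)."""
    half = n // 2
    return factorial(n) // (2 ** half * factorial(half))


def cycle_power(cycle, k):
    """u^k for the full cycle u = (c_0 c_1 ... c_25): c_i -> c_(i+k mod 26).
    Negative k gives the inverse power, used for deciphering."""
    n = len(cycle)
    return {cycle[i]: cycle[(i + k) % n] for i in range(n)}


def key_power(letter):
    """Key letter -> exponent of u: A -> 1, B -> 2, ..., L -> 12, ..., Z -> 26."""
    return ord(letter.upper()) - ord("A") + 1


def encipher(plain, keyword, cycle=ALPHA):
    """Periodic polyalphabetic substitution: the i-th letter is mapped by
    u^(k_i), k_i taken cyclically from the key word; crypto text in capitals.
    With the alphabetic cycle this is a VIGENERE, with a one-letter key a CAESAR."""
    powers = [cycle_power(cycle, key_power(c)) for c in keyword]
    return "".join(powers[i % len(powers)][p].upper()
                   for i, p in enumerate(plain.lower()))


def decipher(crypto, keyword, cycle=ALPHA):
    """Inverse of encipher: apply u^(-k_i) at each position."""
    powers = [cycle_power(cycle, -key_power(c)) for c in keyword]
    return "".join(powers[i % len(powers)][c]
                   for i, c in enumerate(crypto.lower()))


if __name__ == "__main__":
    print(cycles_of(TABULAR))                          # one 26-cycle
    print(cycles_of(SECURITY))                         # cycles of length 12, 8, 1, 4, 1
    print(involutions_without_fixed_points(26))        # 7905853580625
    print(encipher("cryptology", "ABEL", MIXED_CYCLE))  # ONZCZRRMHV
    print(encipher("cryptology", "ABEL"))               # DTDBUQQAHA
```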

Especially for N = 2, i.e. for a binary plain and cryptic vocabulary, VIGENERE reduces to addition modulo 2, which is called a VERNAM cipher (GILBERT S. VERNAM, 1890-1963).

Instead of working with powers of a single substitution u0, VIGENERE already used an arbitrary substitution, followed by a power of u0 ('parallel mixed alphabets'). This line is followed by the rotor machines, an example being the ENIGMA, used by the German Army before and during World War II. It used j specially chosen fixed substitutions P^(1), P^(2), ..., P^(j) which were sandwiched between similarity transformations with powers of u0 (the use of similarity transformations being motivated by an electro-mechanical realization). Here, the single key is the j-tuple (k^(1), ..., k^(j)) of letters. There is also a choice in the use of the P^(i): in the 1943 Navy ENIGMA, 4 were to be chosen out of 10.

The rotor machines showed about the most involved polyalphabetic encryption that was practically manageable before the advent of electronic computers. These made it possible to increase the size of the key family dramatically; in particular polyalphabetic polygraphic substitution could be used effectively.

SOME REMARKS ON CRYPTANALYSIS

There is neither room nor reason to discuss cryptanalysis here at length. However, a few remarks of general nature are appropriate in order to judge the use of cryptological methods. Monoalphabetic substitution offers no security, not even in the polygraphic case. This was already well known to ALBERTI (1466) and VIETE (1589). After FRIEDRICH W. KASISKI, a Prussian Army officer (1805-1881), had shown [Kasiski 1863] how to determine the period of a general polyalphabetic substitution and then reduce the analysis to the monoalphabetic case, it took only a few decades until better cryptologists knew that polyalphabetic substitution with periodic key offers no security either, unless the key is of about the length of the message. In addition, AUGUSTE KERKHOFFS (1835-1903) had shown [Kerkhoffs 1883] how to break general polyalphabetic substitutions with nonperiodic keys, if the same key is used several times. He also gave the method to facilitate solution when parallel mixed alphabets are used, in particular against a VIGENERE. And the Marquis G. H. L. DE VIARIS (1847-1901), a French army officer, could show [de Viaris 1893] how to facilitate breaking a JEFFERSON-BAZERIES polyalphabetic substitution. These methods were still refined by WILLIAM FREDERICK FRIEDMAN (1891-1969), the leading cryptologist of our century, and his school (SINKOV, KULLBACK), introducing sensitive test functions. In 1915, PARKER HITT (1877-1950) gave an open warning [Hitt 1916] of the dangers of repeating or repeated keys. Thus, the way led naturally to running keys for one-time use ('one-time pads'). Amateurs were inclined to use widely available books of the world literature, which


offered no security: a meaningful text contains too many repetitions. Much better was the method of professional spies to use statistical yearbooks. But finally, it was only consequent to use a running key of totally stochastic nature. This came up around 1920 in Germany, in France, in the USA; priority probably goes to JOSEPH O. MAUBORGNE, US Army Signal Corps, who introduced stochastic one-time keys in 1918 on the basis of a VERNAM encryption (which had been invented in 1917 for teletype machines by GILBERT S. VERNAM). The probabilistic aspect of the one-time key was studied, among others, by FRIEDMAN, who coined the word 'holocryptic', and by Claude E. SHANNON, who defined 'perfect secrecy' in looking at message and key as stochastic sources; in fact SHANNON'S Information Theory was motivated by his work. Soon, however, the disadvantages of practical nature the one-time key showed came to the open: the distribution of key material was difficult and dangerous, and the production of good random keys was problematic. Thus, everywhere pseudo random keys, which could be produced mechanically, came into use - but then, the holocryptic property is, at least theoretically, lost. How some practical pseudo random generators can be attacked is treated in the article by T. BETH and F. C. PIPER.

To make things worse, known rotor machines did not even use pseudo random key, but just keys of somewhat irregular patterns, with a rather huge period.

'Success in dealing with unknown ciphers is measured by these four things in the order named: perseverance, careful methods of analysis, intuition, luck.' Parker Hitt, 1916

MAXIMS

Over the centuries, cryptology has gathered a wealth of experience; even the open literature shows this. From this experience originate maxims for the cryptographic work, in particular in defense of illegitimate decryption, which cannot be neglected, even - or rather just - in today's era of computers. In addition to the trivial 'keep the enemy in the dark', there is

Rule Nr. 1: Don't underestimate the enemy.

Until 1944 the Germans did not suspect the Allies to be continuously reading the 3-rotor ENIGMA encryption - only the German Navy in 1942 switched in the U-boat war to the more complicated 4-rotor ENIGMA. The British Navy realized only in 1942 that the German Navy xB-Dienst was reading their traffic. American cryptologists were unsuspicious, too, and could not imagine that Hans Rohrbach had broken their M-138-A - enciphering which, however, was of importance only for a short while, since the USA was in the process of introducing new cipher machines. It included M-134-C, also called SIGABA, a rotor machine FRIEDMAN had devised. The Signal Security Agency, US Army, in vain had tried to break this encryption. Did that mean that the Germans would not be up to it? Did the Americans know all about the British success in breaking the ENIGMA - was the information they received from this source called ULTRA also covered with 'a bodyguard of lies' (WINSTON S. CHURCHILL)? Typically, F. D. ROOSEVELT, the intellectual among the allied statesmen, distrusted cryptographers' asseverations. He certainly knew about the deep-rooted human bias towards ignoring the unwanted.

In this respect, inventors of encryption methods are particularly endangered. 'Nearly every inventor of a cipher system has been convinced of the unsolvability of his brainchild' (KAHN). BAZERIES offers an extreme example: Commissioned by his French government and army, he had ruined numerous inventions by breaking test examples. He then conceived the cylinder which he now thought of as being absolutely unbreakable, see [Bazeries 1901]. DE VIARIS, one of the victims of BAZERIES, took revenge on BAZERIES. This brings us to

Rule Nr. 2: Only the cryptanalyst can judge the security of an encryption method.

This finding, dating back to PORTA and ANTOINE ROSSIGNOL (1599-1632), was formulated by KERKHOFFS in 1883. He criticized the way of demonstrating the analytical security of a method by counting how many years it would take to run through all possible cases. Indeed, such counts can only give an upper limit, they are concerned with the time the most inefficient of all cryptanalytic methods, exhaustive search, needs, and can be utterly misleading.

KERKHOFFS was one of the first to discuss cryptography from a practical point of view: <<Il faut bien distinguer entre un système d'écriture chiffrée imaginé pour un échange momentané de lettres entre quelques personnes isolées, et une méthode de cryptographie destinée à régler pour un temps illimité la correspondance des différents chefs d'armée entre eux>> (One must clearly distinguish between a system of cipher writing devised for a momentary exchange of letters between a few isolated persons, and a method of cryptography intended to govern for an unlimited time the correspondence of the different army commanders among themselves). We will come back to the questions of encryption discipline. His particular merit was to distinguish between the class of methods (<<le système>>) and the key in the proper sense. He postulated

Rule Nr. 3: In judging the security of a cryptographic method one has to assume that the enemy knows the class of methods (the system).

For practical reasons, in certain situations some methods are to be preferred to others. Inertia of the established apparatus creates certain prejudices ('cipher philosophy') which can not be hidden from the enemy. And the simplest cryptanalytical tests differentiate, for example, reliably between monoalphabetic substitution, transposition and polyalphabetic substitution. In a war, encrypting devices can fall into the hands of the enemy, they can also be stolen. This included machines like the ENIGMA; following KERKHOFFS' advice, the ENIGMA should have been extended at the beginning of World War II to a 5-rotor machine, and the rotors should have been permuted three times a day much earlier than 1942; in particular the whole set of rotors should have been exchanged every few months. Of course, this would not have been easy since estimates say that roughly 200 000 ENIGMAs have been built and used.

But the Americans were vulnerable, too, in this respect: Their cipher machine M-209, built by HAGELIN and used in military units from divisions down to battalions, was also used by the Italian Navy. No wonder that the Germans from 1942 to 1944 in North Africa and Italy were often well informed about the plans of the American troops.

The desire of the cryptologist to make it not too easy for the enemy frequently leads him to devise complications of known methods. A classical scheme is the composition of methods. Sometimes this does not help: Double substitution is a substitution again (the period, however, may be longer), double transposition is again a transposition. There is more hope with 'mixing' methods: Polyalphabetic substitution of a code from a code book ('enciphered code'), transposition of a monoalphabetic substitution. Specific cryptanalytical methods, however, are often insensitive against such complications. In 1924, MARCEL GIVIERGE, French general of World War I, has stated the

Rule Nr. 4: Superficial complications can be illusory: they then induce a delusive feeling of security.

In the worst case, an illusory complication can even facilitate illegitimate decryption. If a letter is never substituted by itself, then the position of a sufficiently long 'probable word' can be detected quite reliably. This situation arises if somebody thinks it would be better to exclude the identical substitution from a VIGENERE. It also happens with all pairwise involutory substitutions. In the ENIGMA, by a reflection in the last disk the number of rotors that were actually used was numerically doubled, and the system was known. This led to pairwise involutory substitutions and to a simple possibility to start a break. Last not least, human weakness is to be mentioned. An encryption is not better than the cipher clerk. Illegitimate decryption thrives on the cryptographer's sins: 'A cryptographer's error is the cryptanalyst's only hope'. And this hope is justified. There is the stress under which a cipher clerk works in military and diplomatic traffic. Once an enciphering mistake happens, the decipherer may obtain a lot of garbled cleartext - methods which give a thorough mix, polygraphic ones in particular, have a tendency to achieve this. Under pressure of time, it may then be inevitable to repeat the same message without thorough reformulation. GIVIERGE wrote <<Chiffrez bien, ou ne chiffrez pas>> (Encipher well, or do not encipher at all) and ROHRBACH formulated the

Rule Nr. 5: In judging the security of a cryptographic method, enciphering mistakes and other offences to encryption discipline are to be taken into account.

The simplest and therefore most frequent ones are: Repeated transmission of the same plain text with different keys, repetition of the enciphered message in clear text, frequent use of stereotype words and phrases (there is ample supply in the language of the military and diplomacy and elsewhere), the use of key words which are too short or can easily be guessed, the use of a common word for a sudden event ('probable word'), when using code books, not to use homophones and nulls and to spell rarely used words, and finally the use of double letters and combinations like ch and qu, of punctuation marks and of spaces. The ideal plain text is orthographically wrong, linguistically poor, stilistically ghastly. Which Commanding Officer will phrase an order in this way, which diplomat will send such a report to his head? And what should be done with commercial letters? In addition, ambassadors and generals, like presidents, rarely take the time to supervise their cipher clerks. As a rule, they lack understanding for the necessity anyhow, since they are mostly cryptographically ignorant. Thus, all efficient intelligence services know that supervision of their own units is of the same importance as knowledge about the units of the enemy.

MODERN COMMERCIAL CRYPTOGRAPHY

Looking at the existing proposals for encryption of commercial message channels, first of all one finds that the general method is made openly known. Rule Nr. 3 is followed to the extreme: security rests with the key only. This, however, has other than sheer cryptological reasons, it comes from practical needs. In contrast to the classical communication between just two partners who beforehand have agreed on a mutual key, a 'public key' system [Diffie, Hellman 1976] allows a participant to send an encrypted message to any partner who has publicized his 'own' key. 'Key' is to be understood as a generator for a running key. Here, even the encrypting algorithm is made openly known. Nevertheless, breaking the encryption is not trivial since 'trapdoor mappings' are used, encrypting algorithms the inverses u_i^-1 of which are only obtainable with a great amount of work, are 'hard to compute' without additional information and are supposed to be only in the possession of the key owner.

In such a public key system, both privacy and authenticity are to be protected. If partner A wants to send a message to partner B, he therefore first encrypts it with u_A^-1 (which is known only to him) and then with u_B (which is public); the recipient B first decrypts it with u_B^-1 (which distinguishes him as legitimate recipient) and then with u_A (which qualifies A as sender). For more details, in particular on the generation of pairs (u_i, u_i^-1), confer the article by T. BETH. While the class of trapdoor mappings found the enthusiastic theoretical interest of specialists in complexity theory, the practical schemes proposed so far for public key systems have certainly given joy to professional cryptanalysts. Apart from the lack of homophones, nulls and straddling, all classical avenues of attack are wide open, in particular under heavy traffic the same running key will be used repeatedly. The whole situation is liable to awake delusive confidence of the user. Reference to SHANNON'S recommendation to mix thoroughly transposition ('diffusion') and substitutions ('confusion'),

if accompanied by the analogy to the HOPF 'pastry dough' principle, may unduly impress the mathematician. Papers which give the mere combinatorial complexity of the proposed methods support the calming impression. Yet, it is characteristic of the present state of complexity theory that it produces only upper limits, it only deals with the worst case. To obtain lower limits for, say, the effort to factorize a number into primes seems to be out of present reach. Replacement of the 'cipher clerk', who attends the traffic, by a machine makes things worse: it eliminates some enciphering errors, but also the alert mind which alone helps to avoid grave mistakes. While it can be expected that the proposed public cryptosystems will resist attacks by amateurs, even if they have medium-size machines at their disposal, it can also be expected that they are vulnerable to attacks by top experts. The National Security Agency of the United States of America is likely to be able to supervise any traffic that has come under suspicion. By definition, it should be able to do so anyhow: one cannot expect that the President of the United States will allow a foreign intelligence service to operate freely under the cover of a commercial communication system. The times are over, when HENRY L. STIMSON, then Secretary of State under President HOOVER, dismissed on ethical grounds the Black Chamber of the State Department, with the explanation "Gentlemen do not read each other's mail" (1929!). Not even President CARTER showed similar scruple - or does this perhaps mean that the Americans did not succeed in breaking Russian secrets? Not only in the Great Powers, but also in smaller nations, in the long run it will become necessary for private and commercial cryptography to come to terms with the requirements of the governmental authorities. Great Britain, a classical country of Democracy, here gives an example. If a nation does not protect its own security, it endangers also the security of its friends. On the other hand, demands of the commercial side cannot be suppressed in free countries.


Therefore, scientific work in cryptosystems for private and commercial channels has to be carried on. Its aim should be - under realistic assumptions on the lack of discipline among laymen users - to establish lower limits for the complexity of breaking such systems on the basis of precisely specified machine characteristics. This will be hard work, but a rewarding one: it will give the user a guaranteed measure of security and will end the present obfuscation.
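The exchange described above for privacy plus authenticity (A applies u_A^-1 then u_B; B applies u_B^-1 then u_A), as an added example that is not code from the proceedings or from the BETH article it refers to. It assumes a toy RSA mapping as the trapdoor pair (u_i(x) = x^e mod N_i public, u_i^-1 its private inverse) with small constructed primes, and makes explicit the check the text leaves implicit: the value u_A^-1(m) lies below N_A, so it is only carried intact through u_B when N_A does not exceed N_B.

```python
"""Privacy and authenticity with two trapdoor pairs (added example).

Constructed to illustrate the text; not code from the proceedings. The
trapdoor mapping is a toy RSA with tiny primes, for demonstration only.
"""
from dataclasses import dataclass
from math import gcd


@dataclass(frozen=True)
class Partner:
    """Public part (N, e) and private exponent d of one participant i."""
    name: str
    N: int
    e: int
    d: int

    @classmethod
    def from_primes(cls, name, p, q, e):
        """Toy key generation: N = p*q, d = e^-1 mod phi(N)."""
        N, phi = p * q, (p - 1) * (q - 1)
        if gcd(e, phi) != 1:
            raise ValueError("e must be coprime to phi(N)")
        return cls(name, N, e, pow(e, -1, phi))

    def public(self, x):
        """u_i: anyone can compute x^e mod N."""
        return pow(x, self.e, self.N)

    def private(self, y):
        """u_i^-1: only the key owner knows d."""
        return pow(y, self.d, self.N)


def fits(sender, recipient):
    """u_A^-1(m) lies in [0, N_A); applying u_B to it is invertible only if
    that value is below N_B, i.e. N_A <= N_B (otherwise reblocking is needed)."""
    return sender.N <= recipient.N


def send(m, sender, recipient):
    """A -> B: first u_A^-1 (authenticity), then u_B (privacy)."""
    if not 0 <= m < sender.N:
        raise ValueError("message must lie in the sender's plaintext set")
    if not fits(sender, recipient):
        raise ValueError("N_A > N_B: signed value may not survive u_B")
    return recipient.public(sender.private(m))


def receive(c, recipient, claimed_sender):
    """B: first u_B^-1 (only B can), then u_A (public, so anyone can verify
    that the result is a meaningful message, which qualifies A as sender)."""
    return claimed_sender.public(recipient.private(c))


# Constructed toy partners; A's modulus is the smaller one, so fits() holds.
ALICE = Partner.from_primes("A", 61, 53, 17)    # N_A = 3233
BOB = Partner.from_primes("B", 101, 113, 3)     # N_B = 11413


def round_trip(m, sender=ALICE, recipient=BOB):
    """send() followed by receive(); returns the recovered message."""
    return receive(send(m, sender, recipient), recipient, sender)


if __name__ == "__main__":
    for m in (0, 1, 42, 1234, 3232):
        print(m, "->", round_trip(m))
```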

HINTS TO THE LITERATURE

Good introductions for the amateur to classical cryptography and elementary cryptanalysis are [Gaines 1956] and [Smith]. Mathematically oriented readers will probably find [Sinkov 1966] more appealing; it is written by a professional cryptologist of high ranking - although it certainly does not reflect the full knowledge of its author. Still unsurpassed, but quite voluminous, is the Manuale di Crittografia [Sacco 1947]; most readers prefer the French translation [Sacco 1951]. On some special topics, it may be worthwhile to consult also [Eyraud 1953], [Figl 1926], [Givierge 1925], [Lange, Soudart 1925], [Hitt 1916], [Delastelle 1902], [Valerio 1893]. A good source on classical cryptographic machines is [Türkel 1927]. Some now classical works are [Kasiski 1863] and [Kerkhoffs 1883], an excellent source for the early history is [Meister 1902] and [Meister 1906].

A comprehensive historical presentation of cryptology with all its implications has appeared with [Kahn 1967]. It is supplemented for topics on World War II by [Johnson 1978] and [Beesly 1977]. New material from the other side is found in [Rohwer, Jäckel 1979].

A rather mathematically oriented introduction to modern cryptography is [Konheim 1981], [Beker, Piper 1982]; there are several other books pending, [Denning 1982] has just appeared.

A surprisingly complete bibliography has been compiled by [Shulman 1976]. But also [Kahn 1967] meticulously lists a great number of sources. There are excellent articles on CRYPTOLOGY in Encyclopedia Britannica by W. F. FRIEDMAN, in Encyclopedia Americana by D. KAHN, on CRYPTOGRAPHY in World Book Encyclopedia by L. D. CALLIMAHOS, in Chamber's Encyclopedia by H. JAMES.

Mechanical Cryptographic Devices

[Figure 1: Thomas Jefferson's wheel cipher, cf. Kahn 1964]

[Figure 2: Hagelin's machine BC-543, cf. Franke 1982]

CRYPTANALYSIS OF A KRYHA MACHINE

Alan G. Konheim
Mathematical Sciences Department, IBM Thomas J. Watson Research Center, P. O. Box 218, Yorktown Heights, New York 10598/USA

1. Introduction

In the early part of this century, a mechanical "ciphering machine" was invented by a German engineer, Alexander von Kryha of Berlin. The Kryha-Ciphering-Machine received both the State Prize from the Prussian Ministry of the Interior at the 1926 Police Fair (Berlin) and a Diploma in 1928 from Dr. Konrad Adenauer at the International Press Exhibition (Cologne). Georg Hamel, who was to become famous for his work in set theory, published an analysis in 1927 of the size of the key space, which was quoted extensively by "Internationale Kryha-Maschinen-Gesellschaft" (Hamburg) to infer the unbreakability of the Kryha machines.

The standard Kryha machine contains two basic components; the first, a cipher disk (FIGURE 2), consists of two rings. On the outer (fixed) ring the letters A, B, ..., Z of the (plaintext) alphabet are written, while on the inner (moveable) ring a substitution π(A), π(B), ..., π(Z) of the letters of the (ciphertext) alphabet is recorded twice. The cipher wheel (shown in FIGURE 1) is the second component; it has a number of pins k = (k_0, k_1, ..., k_{S-1}) located at stop points and controls the (counterclockwise) rotation of the inner ring. The letters of the ciphertext alphabet are on tabs inserted into 52 slots on the inner ring, so that the permutation π is one component of the key. It appears that many cipher wheels were available and thus the number of stop points S as well as the pin values k form a second component of the key. Assuming, as we may, that 0 ≤ k_i < 26, there are

    26! ≈ 4.03 × 10^26 possible cipher disks
    26^S possible cipher wheels

For the machine we have examined, S = 17, providing a total of 4.57 × 10^50 possible key values. The purpose of this note is to give an example of the cryptanalysis of a Kryha machine.

T. Beth (Ed.): Cryptography - EUROCRYPT '82, LNCS 149, pp. 49-64, 1983. © Springer-Verlag Berlin Heidelberg 1983

2. Matkmaiial Description And AmI$s

The K ~ y h amachine produces a polyalphabetic substitution. The key has three components: the number of pins & = (k,

k,, ..., k,6) at each stop point on a cipher wheel

.

I/

FIGURE 1 :A Cipher Wheel a cipher disk specifying a monalphabetic substitution

FIGURE 2 :A Cipher Dd

51

an initial displacement d, 0 5 d

< 17 of the pin wheel.

The inner (moveable) ring of the cipher disk in FIGURE 2 rotates counterclockwise relative to the outer (fixed) ring. The rotation is controlled by the pin wheel as follows: for the encipherment of the i-th letter of plaintext (0 ≤ i < ∞), the inner ring rotates k_i + 3 positions (counterclockwise) from its current position. For example, if d = 0, k_0 = 5, k_1 = 3, k_2 = 2 and k_3 = 3, the plaintext HELP... is enciphered into the ciphertext IJPJ.... Let(1) X_26 = {0, 1, ..., 25} denote the plaintext and ciphertext alphabets with the coding (A ↔ 0, B ↔ 1, ..., Z ↔ 25) and

K_i = k_0 + k_1 + ... + k_i

K = k_0 + k_1
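A small Python model of the machine as Section 2 describes it, added here and not part of the paper: the disk permutation PI, the pin values and the plaintext are constructed, since the paper does not print the disk used in its HELP/IJPJ example. The model assumes that the pin wheel is read from stop point d and wraps modulo S = 17, that the ring rotates before each letter is read, and that rotations count modulo 26 (the ciphertext alphabet appears twice on the 52 slots).

```python
"""Model of the Kryha polyalphabetic substitution (added example).

The disk permutation PI below is constructed; the paper does not print
the disk behind its own HELP -> IJPJ example, so that pair is not
reproduced here.
"""
import math
import string

ALPHABET = string.ascii_uppercase   # X_26 with the coding A=0, ..., Z=25
S = 17                              # stop points on the wheel examined

# Constructed cipher disk: pi(A), pi(B), ..., pi(Z) as written on the
# inner ring (the ring carries this sequence twice, once per 26 slots).
PI = "QWERTYUIOPASDFGHJKLZXCVBNM"


def rotation_offsets(pins, d, n):
    """Cumulative counterclockwise rotation of the inner ring in force
    when each of n letters is enciphered.

    Assumptions of this model (not stated on the page): the pin wheel
    starts at stop point d and wraps modulo S, the ring turns before the
    letter is read, and a full turn of 52 slots is the identity, so the
    offset is reduced modulo 26.  The page's rule is k_i + 3 per letter.
    """
    if len(pins) != S or not all(0 <= k < 26 for k in pins):
        raise ValueError("need %d pin values with 0 <= k_i < 26" % S)
    offsets, total = [], 0
    for i in range(n):
        total = (total + pins[(d + i) % S] + 3) % 26
        offsets.append(total)
    return offsets


def encipher(plaintext, pi, pins, d):
    """Encipher letters only; non-letters are dropped."""
    letters = [c for c in plaintext.upper() if c in ALPHABET]
    out = []
    for c, r in zip(letters, rotation_offsets(pins, d, len(letters))):
        x = ALPHABET.index(c)
        # Outer letter x faces inner slot (x + r) mod 26 after r steps;
        # the sense of rotation is an assumption of this model.
        out.append(pi[(x + r) % 26])
    return "".join(out)


def decipher(ciphertext, pi, pins, d):
    """Invert encipher: undo pi, then undo the rotation in force."""
    inverse = {c: i for i, c in enumerate(pi)}
    out = []
    for c, r in zip(ciphertext, rotation_offsets(pins, d, len(ciphertext))):
        out.append(ALPHABET[(inverse[c] - r) % 26])
    return "".join(out)


def key_space_size(stop_points=S):
    """26! cipher disks times 26^S cipher wheels, the count given above."""
    return math.factorial(26) * 26 ** stop_points
```

With the page's pin values k_0..k_3 = 5, 3, 2, 3 (and constructed values for the remaining 13) the same plaintext letter enciphers differently at each position, which is the polyalphabetic behaviour the cryptanalysis has to cope with.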


ANALOGUE SPEECH SECURITY SYSTEMS

Dr. H. J. Beker, Chief Mathematician, Racal-Comsec Limited, Milford Industrial Estate, Tollgate Road, Salisbury, Wiltshire SP1 236.

T. Beth (Ed.): Cryptography - EUROCRYPT '82, LNCS 149, pp. 130-146, 1983. © Springer-Verlag Berlin Heidelberg 1983

1. Introduction

Speech is probably the most fundamental form of communication available to us and our society has become highly dependent on our modern, fast and accurate means of transmitting spoken messages. Usually the main aim of communicants is merely to transmit a message as quickly, accurately and cheaply as possible. There are, however, a number of situations where the information is confidential and where an interceptor might be able to benefit immensely from the knowledge gained by monitoring the information circuit. In such situations the communicants must take steps to conceal and protect the content of their spoken message. Of course, the amount of protection will vary. On occasions it is sufficient to prevent a casual 'listener' from understanding the message but there are other times when it is crucial that even a determined interceptor must not be able to deduce it.

One basic problem facing the designer of speech security equipment is that there already exist a great variety of communications circuits for the transmission of speech signals. Many of the techniques at his disposal might necessitate the restriction of the communicator to only a few of these types of channel. Furthermore, the designer must remain aware, at all times, that almost all speech security systems reduce, at least to some extent, the audio quality of a voice transmission. Clearly, security will not be enhanced if the link has been so badly degraded that we have to repeat the same message a number of times. There is, therefore, a need to take into consideration the type of transmission link that might be used and, for any particular security equipment, to choose an encryption system that will give the least degradation of audio quality. There is no point in having a very high security level if it is no longer possible to communicate!

There are, essentially, two techniques for encrypting speech: digital and analogue. Figure 1 illustrates the basic block diagram for a digital system. The serial data stream that results, after the voice input has been converted to a digital signal, commonly takes one of the following values: (i) 64 kbit/s, (ii) 32 kbit/s, (iii) 16 kbit/s, (iv) 9.6 kbit/s, (v) 4.8 kbit/s or (vi) 2.4 kbit/s. Utilising bit rates of 9.6 kbit/s or more normally implies an increase in the signal bandwidth after encipherment. Thus for many communication channels they cannot be used. Achievement of the lower bit rates is normally associated with a reduction in voice recognition and, because of the complex algorithms required to achieve these low bit rates, such devices are, at present, large and expensive. Thus, applications which involve narrowband channels and tactical levels of security (i.e. relatively short cover times) require an alternative approach.

Figure 1 Digital cipher system (block labels: serial data stream, enciphered data stream, serial data stream)

The object of this paper is to trace the development of analogue scrambling systems and to discuss both the advantages and disadvantages of the various techniques available. For a fuller discussion of both analogue and digital techniques see [Beker and Piper, 1982].

2. Speech Inversion

One of the earliest forms of frequency scrambler was a device known as a speech inverter. Suppose we have a speech signal which is band-limited to the 300-3000 Hz range as in Figure 2.

Figure 2 A speech signal band-limited to 300-3000 Hz


The basic idea of an inverter is to interchange the high and low frequencies. This can be achieved relatively easily and the result is illustrated in Figure 3.

Figure 3 Power density spectrum of inverted speech signal

So far we have not introduced a key. Thus the system is simply a code which, as such, is not secure against any interceptor with a similar piece of equipment to reinvert the signal. Some improvement on this basic inversion code is obtained by using a device known as a band-shift inverter. Once this device is introduced we at least have a genuine cipher system in the sense that the concept of varying keys is introduced. One theoretical way of considering band-shift inversion is the following. When we discussed inversion we began with a signal which was bandwidth-limited to 300-3000 Hz. If our system were designed such that the inverted signal occupied a different band, say 1000-3700 Hz, then we would get the signal whose spectrum is shown in Figure 4(a). This signal is no longer in the same band as our original one, but we can arrange for it to be in this band by taking that part of the signal above 3000 Hz and putting it at the low frequency end. (Note that although the signal of Figure 4(a) has a different frequency range it has, of necessity, the same bandwidth as our original signal.) This is the principle of band-shift inverting and is illustrated in Figure 4(b).

Figure 4 The principle of band-shift inversion


A typical inverter has between 4 and 16 different carrier frequencies which result in the same number of different 'shifts'. There are two ways in which a key may operate. The simple way is to select the shift directly. Alternatively it may be used to initialize a pseudo-random number generator, which will then select a different shift every so often. A typical time interval between shifts might be 10 or 20 ms. This latter arrangement is often referred to as a cyclical band-shift inversion. Systems relying on band-shift inverters have two obvious failings. Firstly since, at any given time, there are only a limited number of possibilities for the shift, the original signal can be recovered reasonably easily by using 'trial and error' methods with relatively simple equipment. Secondly, and perhaps more importantly, the residual intelligibility in the output signal is unacceptably high. The residual intelligibility of an output signal is that proportion of the original signal which can be understood directly when listening to the enciphered message. In this case, this is especially high after the message has been reinverted.

3. Bandscramblers

In this section we consider a third speech scrambler in the frequency domain: the bandscrambler or bandsplitter. In this case the spectrum is divided into a number of equal sub-bands and the signal is then scrambled by rearranging their order. In some of the more sophisticated systems certain of the sub-bands may also be inverted. Figure 5 illustrates a simple example with five sub-bands. The sub-bands 1, 2 and 5 have been inverted as well as displaced. For this particular example there are 5! possible reorderings and 2^5 ways of deciding which, if any, sub-bands to invert. Thus there are 5! × 2^5 = 3840 possible ways of rearranging the sub-bands. Unfortunately the residual intelligibility is unacceptably high for most of these arrangements, and it is generally agreed that, if one is forced to rely on reordering alone and not use inversion, less than 10% of the possibilities provide reasonable security.

Figure 5 Band scrambling technique

Some of the reasons for the high residual intelligibility are easy to understand. For instance, experiments have shown that reorderings which leave some of the sub-bands in their original positions tend to have high residual intelligibility. Since these reorderings leave part of the signal unaltered this is not completely surprising. There is another disadvantage to this type of system. It is usual for more than 40% of the energy to lie in the first two sub-bands. So, in our example, no matter which reordering is used, as soon as the cryptanalyst finds the new positions of the first two sub-bands and translates them back, he will have recovered sufficient of the content of the signal to have a good chance of 'understanding the message'. We can improve matters slightly by having a number of different rearrangements and using a pseudorandom number generator sequence to select a new one every few hundred milliseconds. For many practical systems, the 'better' reorderings, i.e. those with small residual intelligibility, are stored in a ROM (read only memory) within the equipment. For our example the system may work as follows. In a five sub-band system the number of stored reorderings is typically about 32 and consequently, since there are still 2^5 ways of inverting some or all of the sub-bands, there are 1024 rearrangements available. Each rearrangement needs 10 bits of the sequence to define it; five to determine the reordering and five to decide on the inversions. The sequence generator itself may have a period of many millions of bits so that the cycle of rearrangements used does not repeat itself for days. Clearly, then, the size of the key may be chosen so that it is large enough to deter an interceptor from trying all possibilities. Nevertheless, no matter what is done, the residual intelligibility of a large proportion of the arrangements is so high that this system cannot be considered fully secure. In general, scramblers which affect only the frequency domain are regarded more as privacy devices than as fully secure systems. Their use tends to be limited to situations where the aim is to prevent a casual listener from understanding a conversation or possibly even a determined interceptor who does not have any reasonably sophisticated equipment. Unfortunately, the majority of the more secure systems either increase the bandwidth necessary for the signal or introduce a time delay in transmission. Both of these changes introduce their own problems and so, when the strictest security is not essential, the systems just discussed are often preferable.

We must now pay attention to the number of sub-bands in a bandscrambler. In our example we had five sub-bands and, clearly, if this number were significantly increased there would be a considerable increase in the number of reorderings available and we might expect that this would increase the security. However, the introduction of too many sub-bands would introduce too many practical difficulties.

It must be remembered that the input signal has to be reconstructed at the receiver's end of the transmission link. The filters and other components used introduce noise into the signal and are not truly linear in their operation. Any modification of the signal results in the introduction of imperfections and degrades the final quality of the signal. Bandscramblers are particularly susceptible to these types of imperfection. Thus introducing a larger number of sub-bands would, for most practical transmission links, render the system either unusable or so expensive as to be uneconomical.
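The keyed five-sub-band arrangement of this section, as an added Python example rather than any manufacturer's code: the ROM of 32 'better' reorderings is constructed here from the reorderings that leave no sub-band in its original position (the text's reason for high residual intelligibility), the sub-band contents are constructed frequency bins, and a sub-band is 'inverted' by reversing its bins.

```python
"""Keyed five-sub-band scrambler modelled on Section 3 (added example).

The ROM contents and the sub-band data are constructed for illustration;
neither is taken from real equipment.
"""
import math
from itertools import permutations

N_BANDS = 5


def build_rom(size=32):
    """Constructed ROM of 'better' reorderings: those that move every
    sub-band, since reorderings leaving a band in place tend to have high
    residual intelligibility.  44 of the 120 reorderings qualify; the
    first `size` in lexicographic order are stored."""
    rom = [p for p in permutations(range(N_BANDS))
           if all(p[i] != i for i in range(N_BANDS))]
    return rom[:size]


ROM = build_rom()


def parse_key(bits):
    """10 key bits per rearrangement: 5 select a ROM entry, 5 are the
    inversion mask (one bit per output sub-band, as in the text)."""
    if len(bits) != 10 or set(bits) - {"0", "1"}:
        raise ValueError("key must be exactly 10 bits")
    reorder = ROM[int(bits[:5], 2)]
    invert = [b == "1" for b in bits[5:]]
    return reorder, invert


def scramble(bands, bits):
    """bands: list of 5 sub-bands, each a list of bins from low to high
    frequency.  Output position p receives input band reorder[p],
    reversed (high and low frequencies interchanged) when its bit is set."""
    reorder, invert = parse_key(bits)
    return [list(reversed(bands[src])) if inv else list(bands[src])
            for src, inv in zip(reorder, invert)]


def unscramble(scrambled, bits):
    """Receiver: undo the inversions and put each band back in place."""
    reorder, invert = parse_key(bits)
    bands = [None] * N_BANDS
    for p, (src, inv) in enumerate(zip(reorder, invert)):
        bands[src] = list(reversed(scrambled[p])) if inv else list(scrambled[p])
    return bands


def rearrangement_counts():
    """The two totals quoted in the text: all 5! * 2^5 rearrangements,
    and those reachable with 32 stored reorderings and 5 inversion bits."""
    full = math.factorial(N_BANDS) * 2 ** N_BANDS
    stored = len(ROM) * 2 ** N_BANDS
    return full, stored
```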

4. Time Element Scramblers

We will now look at scramblers which affect the time element of a signal. These time element scramblers (t.e.s.) usually employ the following basic principle. The analogue signal is first divided into (equal) time periods called frames. Each frame is then sub-divided into small equal time periods called segments. Once this has been done the input is scrambled by permuting the segments within each frame. The process is illustrated diagrammatically in Figure 6 where we have divided the frame into eight segments.

Figure 6 Time Element Scrambler

When setting up a t.e.s. system it is necessary to decide upon values for the lengths of the frames and segments. Clearly the message within a segment is not distorted in this type of scrambling. Furthermore the segment length decides how much information is contained within that segment. This makes it desirable to keep the segments as short as possible and, obviously, they must be short enough that whole words cannot be contained within a segment. On the other hand, the segment length has a significant bearing on the audio quality of the transmitted message, and the quality decreases as the segment lengths get smaller. Thus, because of difficulties in implementation, there is a delicate balance to be made when choosing a segment length.

In order to choose a frame length we need to see how this choice affects the delay between the analogue signal being fed into the equipment and the signal being reconstructed as 'clear speech'. To understand this time delay we will look back at our example in Figure 6. Let us suppose that, in this example, the segment length is T seconds. Thus it takes 8T seconds for our eight speech segments to enter the scrambler. Although it is not so in our example, we may wish to permute the segments so that segment 8 is transmitted first. Consequently we will not start to transmit until all 8 segments are in the device and consequently, delays have already occurred. (For instance segment 1 must be delayed by at least 8T seconds.) Once the transmission is begun it takes another 8T seconds to complete it. This, of course, causes further delays. If we wish to allow all permutations then, as in the case of our example, the last segment to reach the receiver may be the first that he must output. This means that the receiver cannot begin to decipher until he has received all 8 segments. So, even if we assume negligible time for the actual transmission, there is a time delay of 16T seconds for each speech segment. In general for a system with m segments per frame the time delay is 2mT. This, of course, is provided no restriction is placed upon the permutations to be used. Figure 7 shows which segment is being processed during each of the first 24 T-second periods of transmission, for our example.

Figure 7 A timing diagram for the t.e.s. process
(time axis marked t=0, t=8T and t=16T; the segments 1 2 3 4 5 6 7 8 enter and are then transmitted in the scrambled order 6 4 8 7 3 2 5 1)

The effect of this delay is similar to that experienced on international telephone calls which are transmitted via satellite. From the user's point of view they are undesirable and present a case for making the frame as short as possible. Unfortunately from the security point of view we need long frames. One reason for this is that a speech 'sound' can last for quite a long time. To illustrate how disastrous short frames can be, let us suppose that we have a frame which is so short that it consists of a single tone. No matter how we scramble it the result will still be a single continuous tone (but almost certainly degraded in quality as a result of our tampering). Although this example is extreme, it nevertheless shows that if we make our frames too short we may not be able to achieve sufficient dispersement of the segments. This may result in significant parts of words being unaltered and allow a listener to guess part, or all, of the message. Furthermore it is clear that increasing the number of segments in a frame increases the number of permutations. There is no obvious mathematical way for choosing optimal values for the lengths of the segments or frames. In practice it is necessary to test any given choice experimentally. One good, and very demanding, test for a t.e.s. system is to read out, in an arbitrary order, some numbers between one and ten, and for some listeners to write down the numbers which they believe they 'hear'. Our reason for claiming that this test is demanding is that the listener is only trying to distinguish between ten possible sounds. This is considerably easier than trying to understand what is being said when he has no idea of the context. Experiments show that, unless the frame length is sufficiently large, most t.e.s. systems perform badly against this test. One interesting point about this particular test is that most of the listeners' mistakes arise from confusing 5 and 9. This is because they are the only two of the numbers with the same vowel sound and vowel sounds are far longer than consonant sounds. Thus the listener tends to identify the vowel sounds and then guess the final word from them.

As a general rule the frame length should be as long as the user will accept. Within most of these types of equipment currently available a frame comprises between 8 and 16 segments, and each segment has a duration of, typically, between 20 and 60mS. Once the lengths of the segments and frames are chosen the final 'ingredient' for a t.e.s. is the permutation. Clearly some permutations are better than others and we must now try to decide precisely which ones are 'good'. We must also decide how to use the permutations. As in the case of band-shift inverters or bandscramblers there are a number of ways in which we can use our basic t.e.s. system. We can, for instance, have a key which selects one fixed permutation and then use this given permutation for every frame. Another alternative is to let our key select several permutations and then repeatedly use them in some fixed order. However, as before, a better system is to employ some form of sequence generator to select a 'different' permutation for each frame. (Here, when we say 'different' we merely mean that the permutations are not chosen in any fixed order. Two distinct frames may well use the same permutation if the output of the sequence generator, which makes the selection, is the same). With eight segments in a frame the total number of permutations is 8! = 40320. So, if each segment has a duration of 40mS, after about 3.6 hours of continuous usage we must be using permutations for at least the second time. However, the pattern of permutations used will not begin to repeat until the sequence repeats; i.e. the period of the sequence determines the period of repetition of the sequence of permutations used. Although we have said that there are a maximum of 40320 permutations on eight symbols, we may not wish to use them all. As an illustration, consider the following two permutations. For these and future permutations, the top line represents the original order of the segments and the second line represents the order after scrambling. Thus the permutation representing the example of Figure 6 is:

1 2 3 4 5 6 7 8
6 4 8 7 3 2 5 1


Example 1

1 2 3 4 5 6 7 8
1 3 2 4 5 7 6 8

Example 2

1 2 3 4 5 6 7 8
3 6 2 5 8 4 7 1

If we were able to listen to the effects of each of these two permutations we would find that the first has a very high residual intelligibility. In fact, after a few repetitions, we would probably begin to understand the message. The second permutation would have a far lower residual intelligibility and it is doubtful whether our understanding would increase after the first few hearings. If we now look closely at our two examples we can see the reason for this. In Example 1 four segments remain unmoved and each of the others is only moved one place. Thus the permutation does not do much to distort the input signal. However, in the second example most of the segments have been displaced much further. If, for any permutation α, we let α(i) represent the position to which α moves the ith segment then the displacement of i is merely |i − α(i)|. (For instance, in Example 2, α(2)=3 and the displacement of 2 is |2−3| = 1.) We can then easily compute the average displacement of α by averaging the displacements |i − α(i)| over all eight segments. For Example 1 this average is ½ whereas for Example 2 it is 2½. The value of this average displacement is called the shift factor of the permutation and a high shift factor is essential if a permutation is to result in low residual intelligibility. But a high shift factor certainly offers no guarantees about the residual intelligibility. The following is an example, with a shift factor of 4, which could perform very badly in listening tests.

Example 3

1 2 3 4 5 6 7 8
5 7 6 8 3 2 4 1

Experiments have shown that in order to lessen the residual intelligibility, after scrambling, it is far more important to inhibit certain patterns in the permutation. In this context the most important rule is to ensure that the permutation does not leave any pair of consecutive segments, still consecutive after permuting; i.e. does not contain any patterns i(i+1). Although a little less important, patterns of the types i(i+2) and i?(i+1) should also be inhibited. Some authors also recommend that the following patterns should be avoided: i?(i+2), i?(i+3), i??(i+2) and i??(i+3).


The extra conditions which must be imposed are highly subjective and different people use different criteria. This results in considerable discrepancies in values for the number of 'good' permutations. For instance in [Telsy Systems, 1979] it is claimed that about half of the 40320 permutations on eight segments are useful, whereas [MacKinnon, 1980] puts the number as low as about 3000. If there is any reasonable doubt about a permutation then, since his aim is to guarantee security, the cryptographer should not use it. For this reason we feel it is safer to adopt MacKinnon's figure.

Having agreed upon our conditions for good permutations, we must now decide how our key is going to select them. Basically we have two choices. One alternative is to allow the sequence generator to produce arbitrary permutations and then 'screen' them in some way to see which ones meet our requirements. The other is to select some (or all) of the 'good' permutations, store them in a ROM within the equipment and then let the sequence generator select pseudo-randomly from the ROM. We will consider the relative merits of each alternative. The main disadvantage of the first alternative is the time factor. If a frame lasts for 320mS, say, then at the end of that time we must have selected the next 'good' permutation. But if we merely let our sequence generate permutations at random then, although statistically the probability is very high, we cannot guarantee that it will produce a 'good' one in time. So we need to incorporate some contingency plan to protect ourselves from this possibility. This could, for example, allow the use of a previous permutation for a second time. Another possibility is to relax the screening conditions as time runs out. But both are undesirable. On the other hand the system has one big advantage. This is that, once we have a reasonable sequence generator and algorithm for generating permutations from that sequence, all the good permutations can be used. In contrast the ROM method only allows the use of those permutations which are stored. If our store is not big enough then this will not be all the good permutations. When there are only eight segments per frame then, if we take the 'strictest' definition of 'good', the number of such permutations is small enough that we can probably store them all. When this happens the ROM method is usually considered preferable. But, as soon as we start using more than eight segments per frame, the limitation on the number of permutations which can actually be used is a definite disadvantage of our second method. In order to understand another of the advantages of the ROM method we must consider the situation of the cryptanalyst with the same machine but no knowledge of the key we are using. In this case he might be trying to decipher a frame scrambled under a permutation α with some β⁻¹. Thus, ideally, we also require that β⁻¹α leaves a small residual intelligibility for all acceptable pairs α, β. If we are using the


'screening' method to obtain our good permutations, i.e. using our sequence generator to generate the permutations directly, then there is nothing we can do to ensure this. All we can do is rely on the fact that the number of permutations is so large that the probability of a 'success' of this type is small. However with only eight segments per frame, the total number of 'good' permutations is, in our view, not large enough for us to trust to 'luck' and the system is liable to be broken by straightforward trial and error. If, on the other hand, we are only using permutations which we have chosen and stored in a ROM then, at the cost of further reducing the number of usable 'good' permutations, we can protect ourselves. To do this we simply avoid putting any pair of permutations α, β in our ROM before first testing that β⁻¹α is sufficiently bad; i.e. so that scrambling by α and then unscrambling by β does not give a signal which is too similar to our original one. We build up this store by testing any new entry with all the existing ones until either our ROM contains sufficient permutations for our purposes or the list of 'good' permutations is exhausted. (This process of testing permutations against each other is often referred to as testing mutual security). In Figure 8 we give a block diagram for a typical time element scrambler. If the sequence generator is used to generate patterns in real time then the n-bit register and ROM must be replaced by a processor (or complex piece of hardware) to determine permutations and 'screen' them for low residual intelligibility.
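To make the shift factor, the pattern rules and the mutual-security test concrete, here is an added Python example (written for this edition; it is not code from the paper or from Racal-Comsec). It computes the shift factor of a permutation in the paper's notation, screens it for the inhibited patterns, and forms the net permutation β⁻¹α that a ROM entry pair must be tested against. The function names, the grouping of the patterns into a core and an optional set, and the threshold min_shift are assumptions; the paper gives no numerical threshold for the mutual-security test.

```python
"""Shift factor, pattern screening and mutual security for t.e.s. permutations.

Permutations are written as the paper writes them: the tuple lists the
original segment numbers in transmission order, so perm[j-1] is the
segment sent in slot j.
"""
from itertools import permutations


def slot_of(perm):
    """Map segment i -> slot alpha(i) to which the permutation moves it (1-based)."""
    return {seg: slot for slot, seg in enumerate(perm, start=1)}


def shift_factor(perm):
    """Average displacement (1/m) * sum_i |i - alpha(i)| over the m segments."""
    alpha = slot_of(perm)
    m = len(perm)
    return sum(abs(i - alpha[i]) for i in range(1, m + 1)) / m


def has_pattern(perm, gap, distance):
    """True if some slot holds segment i and the slot `gap` places later holds i + distance.

    (gap=1, distance=1) is the pattern i(i+1), (gap=2, distance=1) is i?(i+1),
    (gap=3, distance=2) is i??(i+2), and so on.
    """
    return any(perm[j + gap] == perm[j] + distance for j in range(len(perm) - gap))


# (gap, distance) pairs for the patterns the paper lists, most important first
CORE_PATTERNS = [(1, 1), (1, 2), (2, 1)]          # i(i+1), i(i+2), i?(i+1)
EXTRA_PATTERNS = [(2, 2), (2, 3), (3, 2), (3, 3)]  # i?(i+2), i?(i+3), i??(i+2), i??(i+3)


def is_good(perm, strict=False):
    """Screen a permutation: reject it if it contains any inhibited pattern."""
    patterns = CORE_PATTERNS + (EXTRA_PATTERNS if strict else [])
    return not any(has_pattern(perm, g, d) for g, d in patterns)


def count_good(m=8, strict=False):
    """How many of the m! permutations survive screening (depends on the pattern set)."""
    return sum(1 for p in permutations(range(1, m + 1)) if is_good(p, strict))


def effective_permutation(alpha, beta):
    """Net permutation seen when a frame scrambled by alpha is unscrambled with beta.

    The receiver assumes slot j carries segment beta[j-1] and puts that slot's
    content back at position beta[j-1]; it really carried alpha[j-1].
    """
    m = len(alpha)
    result = [0] * m
    for j in range(m):
        result[beta[j] - 1] = alpha[j]
    return tuple(result)


def mutually_secure(alpha, beta, min_shift=2.0, strict=False):
    """Mutual-security test for a ROM entry pair: beta^-1 alpha must itself be 'bad'.

    min_shift is an assumed threshold; the paper gives no figure.
    """
    net = effective_permutation(alpha, beta)
    return is_good(net, strict) and shift_factor(net) >= min_shift
```

Run on Examples 1 to 3 it returns shift factors ½, 2½ and 4, and rejects Examples 1 and 3 on the pattern rules while passing Example 2; the Figure 6 permutation passes the core rules but fails the stricter set, and count_good shows why published counts of 'good' permutations disagree: the total depends on which of the optional patterns are inhibited.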

Figure 8 A typical t.e.s. system
(block diagram: KEY, n-BIT REGISTER, ROM with 2^n STORED PATTERNS)

The A/D converts the analogue input to a digital form to make the actual storing and processing easier. Once it is converted to a digital form, the signal is fed into a store of 2^k elements, where 2^k is the number of segments in a frame. (So, in our example, where we have been using eight segments per frame, k=3.) Each element of this store contains the number of digital elements appropriate to a particular segment. The segments are then removed from the store by a multiplexer addressed from the ROM containing the permutation. Finally the signal is reconverted to an analogue form for transmission. The signal transmitted still contains many of the characteristics of speech and thus still retains some residual intelligibility. There are a number of techniques for reducing this residual intelligibility still further. We will discuss three. The first option is simply to reverse the order in which bits are taken from an element of the 2^k element digital store in Figure 8. This more or less reverses the order of a segment of speech. (The sequence generator can be used to decide which segments should be reversed in this way.) Superficially it may appear that reversing in this way will have a significant effect on the residual intelligibility. However a typical segment is 20-60mS and, in comparison, most speech 'sounds' are reasonably long. This means that this type of reversing is often ineffective. In practice use of the numbers test suggests that the success rate of a listener is reduced by about 10% if inversion is used in this way. The second method of reducing residual intelligibility is to vary the clock rate of the A/D and D/A converters. This method, which is a form of frequency modulation, gives a two-dimensional scrambling system; time and frequency. The clock may either vary in some fixed way or be dependent on the sequence generator. In either case varying the clock rate has the effect of changing the signal in the frequency domain. Use of the numbers test indicates that this method reduces the success rate of a listener by about 15%. The third alternative also depends on the frequency domain. This time we use a bandscrambler and a t.e.s. simultaneously to again obtain a two-dimensional system. Although such a method reduces the success rate of a listener by about 20% it has a number of disadvantages when compared to the other two. To start with it is considerably more expensive to implement. Secondly, it requires a frequency-stable, noise-free transmission path for good audio performance. (We have already observed that every modification to the signal reduces the audio quality and that frequency distortions are particularly susceptible to noise and non-linearities in the transmission path.)

5. Refinement of the t.e.s.

One possible refinement of the basic time element scrambler is to use what is known as a sliding window. The sliding window system is a technique whose aim is to reduce the delay of the time element scrambler and simultaneously increase the number of permutations. The method it employs is to restrict the permutations selected to those in which no segment is delayed for 'too long'. More precisely; for an n-segment frame we restrict ourselves to those permutations in A(n,k) where [definition of A(n,k) not legible in this scan] and j̄ denotes the residue class of j modulo n with the classes labelled 1, 2, ..., n.

To consider an example, let α ∈ A(8,3) be given by

1 2 3 4 5 6 7 8
6 1 8 3 2 5 4 7

To appreciate how such a permutation is used and what delay is incurred consider the timing diagram of Figure 9 for our example above.

Figure 9 A Timing Diagram for the Sliding Window
(transmitted segments, slot by slot from t=T: 1 8 3 2 5 4 7 6 1 8 3 2 5 4 7 6 1 8 3 2 5 4 7; segments entering, slot by slot from t=0: 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5)

In this timing diagram we see that transmission starts at time t=T, i.e. as soon as the first segment has been received. Because of the condition imposed on our permutations we know that each segment will be transmitted within k segment time slots. This means that just (k−1) time slots later the receiver can begin unscrambling the speech signal. Thus in total we have a delay of kT seconds. Certainly the delay time has been reduced but have we really increased the number of permutations? To decide this we must determine |A(n,k)|; the size of the set A(n,k). A recently developed algorithm (see [Beker and Mitchell, 1982]) has enabled |A(n,k)| to be evaluated for some reasonably large values of n,k. For example (and also to illustrate how quickly |A(n,k)| grows):

|A(8,4)| = 264
|A(16,8)| = 5.67 x 10^8
|A(24,8)| = 8.75 x 10^[exponent illegible]
|A(48,8)| = 3.68 x 10^[exponent illegible]
|A(48,12)| = 1.67 x 10^[exponent illegible]

Of course, as before, not all of the permutations leave a sufficiently low level of residual intelligibility. In order to appreciate some of the problems in deciding whether a permutation is adequate in terms of residual intelligibility, consider the following example of a permutation from A(8,3):

1 2 3 4 5 6 7 8
7 8 2 1 3 4 5 6

The e f f e c t of t h i s permutation i s shown i n Figure 10.

Figure 10 Timing Diagram f o r our Example

Experimentation has indicated that, as in the case of our earlier t.e.s., the most important property to avoid is that two segments which were originally consecutive should remain so. Thus our choice of permutations should be further restricted to the set B(n,k) where [definition of B(n,k) not legible in this scan]

For more details of the sliding window system see [Bromfield and Mitchell, 1982].
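An added example, not from the paper and not the counting algorithm of [Beker and Mitchell, 1982], that enumerates A(n,k) and B(n,k) by brute force for small n. Because the definition of A(n,k) is not legible in this scan, the code reads it as "for every transmission slot j, the residue class (labelled 1, ..., n) of j minus the segment number sent in slot j lies in 1, ..., k"; this is the reading under which the worked permutation above lies in A(8,3), k = n admits all n! permutations, and |A(8,4)| comes out as the 264 stated above. The function names and the residue convention are assumptions.

```python
"""Enumerating the sliding-window permutation sets A(n,k) and B(n,k)."""
from itertools import permutations


def delay_residues(perm):
    """Residue class, labelled 1..n, of (slot - segment) for each transmitted slot.

    perm[j-1] is the segment sent in slot j (the paper's convention).  A segment
    sent in a slot numbered below its own index goes out in the next frame
    period, which is what taking the residue modulo n expresses.
    ASSUMPTION: this is how the (illegible) definition of A(n,k) is read here.
    """
    n = len(perm)
    return [((slot - seg - 1) % n) + 1 for slot, seg in enumerate(perm, start=1)]


def in_A(perm, k):
    """Every segment is transmitted within k slots of arriving."""
    return all(r <= k for r in delay_residues(perm))


def window(perm):
    """Smallest k with perm in A(n,k): the scrambler's delay in segment times."""
    return max(delay_residues(perm))


def keeps_consecutive_pair(perm):
    """Pattern i(i+1): two originally consecutive segments are still adjacent."""
    return any(b == a + 1 for a, b in zip(perm, perm[1:]))


def in_B(perm, k):
    """A(n,k) minus the permutations that leave a consecutive pair consecutive."""
    return in_A(perm, k) and not keeps_consecutive_pair(perm)


def enumerate_A(n, k):
    return [p for p in permutations(range(1, n + 1)) if in_A(p, k)]


def enumerate_B(n, k):
    return [p for p in enumerate_A(n, k) if not keeps_consecutive_pair(p)]
```

Brute force is fine for n = 8 (40320 candidates) but not for the n = 16 to 48 values quoted above, which is why the paper needed the counting algorithm of [Beker and Mitchell, 1982]; the two worked permutations both satisfy the window k = 3, and the second is excluded from B(8,3) because it keeps 7 8 and 3 4 5 6 together.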


6. Summary

The analogue speech security systems that we have discussed are characterized by their analogue output which is of the same bandwidth as the original sequence. Furthermore they usually contain the distinctive syllabic rhythms, plus the frequency/power distribution patterns and phonemic sequences, of clear speech (but, of course, in a distorted form). The security depends both on the type of scrambling and on the way in which it is implemented. In particular, the use of a key-dependent sequence generator to pseudo-randomize the scrambling can considerably increase the security level. The particular method chosen for scrambling depends largely on the type and quality of the transmission channel and on the threat considered likely. (This latter consideration affects the likely investment in machinery). Scramblers range from cheap inverters, which are merely privacy devices, right through to sophisticated t.e.s. systems which offer a high level of security and force any would-be cryptanalyst to invest a great deal of time and money before he can have any hope of breaking the system. Nevertheless all scramblers must be considered purely as tactical security systems; i.e. we must be prepared to assume that, eventually, any scrambled analogue message may be broken if the cryptanalyst has sufficient determination. Increasing the sophistication merely delays the inevitable. But, in practice, it may be possible to delay it for as long as the situation demands.

Acknowledgement

I would like t o thank Racal-Comsec Limited f o r t h e i r support in the preparation of this paper.


7. References

[1] Beker, H.J. and Mitchell, C.J. 'Permutations with restricted displacement', to be submitted.

[2] Beker, H.J. and Piper, F.C. 'Cipher Systems: The protection of communications', Northwood Books (1982).

[3] Bromfield, A.J. and Mitchell, C.J. 'Permutation selector for a sliding window time element scrambler', to be submitted.

[4] MacKinnon, N.R.F., 'The development of speech encipherment', Radio and Elect. Eng. Vol 50, No 4, 1980, 147-155.

[5] Telsy Systems, 'Secure Voice: Reality or myth' (1979)


A VOICE SCRAMBLING SYSTEM FOR TESTING AND DEMONSTRATION

Peter Hess, Universitat Erlangen, IMMD V, Martensstr. 3, D-8520 Erlangen

Klaus Wirl, Universitat Erlangen, IMMD III, Martensstr. 3, D-8520 Erlangen

1. Introduction

The principle of time division multiplexing was known before World War II [Kahn, 76]. But time division multiplexing was not very important, as it was quite complicated to implement this method in analog technique. But since digital memories have become cheaper, more TDM-systems have been introduced. Our system, called Erlangen Voice Scrambling (EVS-1) system [Beth, Hess, Wirl, 82] was built for testing and demonstration.

2. The Principle of Time Division Multiplexing

The idea of time division multiplexing is to permute the speech signal in the time domain, as you can see in figure 1. We store one speech segment, say 600 ms, and divide this segment into n, say 8, parts, called blocks. These 8 blocks are now permuted by a permutation π, which is known to the receiver, but only to the receiver. He receives the permuted speech signal and rearranges the blocks by applying the inverse permutation π⁻¹. TDM has two main shortcomings: First, you have to store one whole speech segment in the sender and in the receiver, so the speech is delayed by the length of two speech segments. And second, TDM is not "absolutely" secure, so you speak about a privacy system, not a security system. In designing a TDM-system it is important to choose the length of a block nearly the length of a phoneme. Because the Germans speak slowly, we decided that one block should last 75 ms. The number of blocks in one speech segment is limited by the delay time - every block needs a delay of 150 ms in the system - but the number of blocks should be large in

T. Beth (Ed.): Cryptography - EUROCRYPT '82, LNCS 149, pp. 147-156, 1983. © Springer-Verlag Berlin Heidelberg 1983

Figure 1 : The Principle of Time Division Multiplexing
(a SPEECH SEGMENT of BLOCKs 1 to 8 at the INPUT passes through the CONTROL LOGIC to give the SCRAMBLED OUTPUT)

order to break the words as widely as possible. Considering these constraints and the complexity of the implementation, we chose 8 blocks for each speech segment.

Figure 2 : EVS-System

3. The Erlangen Voice Scrambling System

Figure 2 shows our system which consists of a sender, a receiver and a line you can eavesdrop. For testing only one direction is scrambled. The skeleton of the apparatus is shown in figure 3. The speech signal is delta modulated and portions of 600 ms are digitally stored in a 24 kbit shift register. By skillful reading, it is scrambled and then digital-analog converted by a delta demodulator.

How do we permute? Remember the definition of an inversion table:

Def.: Let X = {1, ..., n} be a finite set and π a permutation of X. The inversion table (b_1, ..., b_n) is given by b_i = |{ j | ... }| [the condition inside the set is not legible in this scan].

Hall has shown that there is a bijective function between the set of permutations and the set of inversion tables. So we can use the inversion table instead of the corresponding permutation to permute the blocks of a speech segment. We will show you in a small example, how to do it.

Figure 3 : Block Diagram
(blocks: AMPLIFIER, GENERATOR, INITIALIZ., KEYBOARD, CONTROL, FEEDBACK, SHIFTREGISTER, SWITCHES)

8 7 6 5 4 3 2 1

Then we read out the first block according to b_1 = 0. At the same time all other blocks are shifted and block 1' of the next speech segment is shifted in:

1' 8 7 6 5 4 3 2

According to b_2 = 6 the block that now covers cell 7 is read out. Block 1' is shifted and block 2' is stored.


And so on until the whole permutation π is handled and the next speech segment is stored in the shift register:

6 2 4 5 7 3 8 1

We then only need one 24 kbit shift register in each apparatus instead of the two memory blocks we would need using RAMs. Which permutations do we take? We have stored 256 permutations in an EPROM. Here we know that scrambled speech is unrecognizable, and we call such permutations unrecognizable permutations. For every speech segment we take a new permutation that is pseudo-randomly chosen by a nonlinear feedback shift register. The setting of this nonlinear feedback shift register can be done with a keyboard. The key sequence consists of 8 hexadecimal digits, so that we have about 2 billions of keys. The receiver is nearly identical to the sender. Only the initializing routine is slightly changed and the inverse permutations are stored in the EPROM.
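As an added example of the read-out just described (illustrative Python written for this edition, not the EVS-1 firmware; the speech data, the delta modulation and the 24 kbit register width are left out), here is a model of the single shift register. The definition of the inversion table is not legible in this scan, so the table used is the variant b_i = number of older, still untransmitted blocks in front of the block read out at step i; this variant reproduces b_1 = 0 and b_2 = 6 for the worked example above and is a bijection onto the permutations, as Hall's table is. The output order 1 8 3 7 5 4 2 6 is a constructed sample, and the function names are assumptions.

```python
"""Reading a permuted speech segment out of one shift register, EVS-style."""
from itertools import permutations


def inversion_table(pi):
    """Table (b_1, ..., b_n) for an output order pi (block numbers in transmission order).

    ASSUMPTION (the page's definition is illegible): b_i counts the older,
    still untransmitted blocks that precede the block read out at step i.
    """
    return [sum(1 for later in pi[i + 1:] if later < pi[i]) for i in range(len(pi))]


def permutation_from_table(b):
    """Recover the output order from its table: the map is a bijection, as Hall showed."""
    unread = list(range(1, len(b) + 1))      # oldest block first
    return [unread.pop(bi) for bi in b]


def table_is_bijective(n):
    """Round-trip every permutation of n blocks through the table and back."""
    return all(permutation_from_table(inversion_table(list(p))) == list(p)
               for p in permutations(range(1, n + 1)))


def simulate_readout(b):
    """Clock the register once per block time; return (blocks sent, final register).

    The register is a list whose index 0 is the output end (cell 1).  At step i
    the block in cell b_i + 1 is read out, the blocks behind it close the gap,
    and block i' of the next speech segment enters at the input end.
    """
    n = len(b)
    register = list(range(1, n + 1))         # current segment: block 1 at the output end
    sent = []
    for i, bi in enumerate(b, start=1):
        if bi > n - i:                       # cells beyond n-i already hold next-segment blocks
            raise ValueError("b_%d = %d is not a valid table entry" % (i, bi))
        sent.append(register.pop(bi))
        register.append("%d'" % i)           # block i' of the next segment shifts in
        assert len(register) == n            # one n-cell register always suffices
    return sent, register


def unscramble(received, pi):
    """Receiver: the block arriving in slot j is pi[j], so it belongs at position pi[j]."""
    out = [None] * len(pi)
    for slot, block in enumerate(received):
        out[pi[slot] - 1] = block
    return out
```

After the eight steps the register holds exactly the blocks 1' to 8' of the next segment, which is the point the authors make: because the block read out at each step always belongs to the current segment, a single register of n cells replaces the two memory blocks a RAM design would need.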

4. Selection of Permutations

To select 256 suitable permutations for our system out of the 40,320 permutations of the symmetric group S_8, we defined a distance function d(π,φ), where π and φ are permutations. The distance of a permutation π from the identity permutation d(π,id) should be high, if π is an unrecognizable permutation; that means that texts scrambled with π are not intelligible. Definition of d(π,φ): d : S_n × S_n → N_0 [the formula is not legible in this scan].

We require the following properties for the permutations of our EVS-system:

a) d(π,id) ≥ 24

b) d(π,σ) ≥ 18. This requirement secures that an eavesdropper who tries to understand the speech signal by unscrambling with σ fails, where σ is the permutation which simply reverses the order of the elements, σ = (8,7,6,5,4,3,2,1).

c) d(π,φ) ≥ 8 for all chosen permutations π and φ. Because d(π,φ) = d(π⁻¹φ, id) this property prevents somebody listening, who has the same system but not the correct key.

5. Experimental Results

Next we wish to refer to the tests we made with the scrambler. The object of these two tests was to find out whether our distance function d(π,id) is suitable for finding good permutations for scrambling purposes. As there are only subjective criteria for measuring the intelligibility of a scrambled speech signal, we had a number of listeners who were given the task of recognizing several texts processed by our EVS-system. In the first test we had 6 texts, which were scrambled by several fixed permutations, one for each text (see table 1). The texts had different topics and lasted about one minute. After each text the persons were asked how much of the text they understood.

TEXT   PERMUTATION          D(π,ID)   RUNS UP
1      (1,2,3,4,8,6,5,7)    6         3
2      (7,1,3,4,5,2,6,8)    12        3
3      (7,2,6,3,4,5,8,1)    20        4
4      (6,4,8,1,2,7,3,5)    26        4
5      (5,6,7,8,1,2,3,4)    32        2
6      (6,5,8,7,2,1,4,3)    32        6

Table 1 : List of Used Permutations


There were five possible degrees: literal understanding of the text, literal understanding of great portions of the text, understanding the topic of the text, understanding only single words but not the topic, and understanding nothing. Each complete experiment was preceded by another scrambled text just to let our test persons hear the sound of scrambled speech, since most of them were completely untrained. To minimize the effect of "learning" on the one hand and "tiredness" on the other hand we reversed the order of the texts in every other experiment. Thus we found the scores listed in table 2 for the six different permutations. The total number of listeners was 45.

Table 2 : Results of Test 1
(columns TEXT, LITERALLY, LITERALLY (PORTIONS), THEME, SINGLE WORDS, NOTHING, given once for the text order 1, ..., 6 and once for the order 6, ..., 1; the cell values survive in this scan only as the runs 1 5 12 10 2 2 16 1 4 11 20 20 3 21 and 1 13 19 5 1 22 1 2 4 18 22 1 22, without their column positions)


You can see that text 1, which is scrambled with permutation 1, has the highest intelligibility score, while the permutations 3, 4 and 6 have low scores. The intelligibility score of permutation 1 is much better in the experiments with reversed order of the texts. We think that this is an effect of "learning". If you listened to such a text for several times you would probably understand it. But this is true only for permutations which are "bad" in respect to our distance function with some modifications. These modifications we got from the following result: The two permutations 5 and 6 both have the same value of d(π,id), but the text scrambled with permutation 5 has a higher intelligibility score than the other. This is due to the fact that permutation 5 has only 2 runs up, while the other has 6 runs up. A run up is an increasing connected subsequence of a permutation. In our device we use only permutations with more than 3 runs up, so that texts have quite a low intelligibility even if we use only one fixed permutation for scrambling. In our second test we had "spoken digits" as speech samples. We had seven sets of twenty four-digit-numbers. We refer to such a set also as a text. Each digit in these four-digit-numbers was spoken individually, for instance 3 - 8 - 6 - 4. After each number there was a short pause of about two seconds. These numbers were balanced so that within every set of twenty numbers each of the digits occurred eight times. Each digit also occurred exactly twice in every position within these numbers. To decrease the effect of fatigue, one test person only had to listen to three texts (or sets of numbers) in one experiment. We used a Steiner System S(2,3,7) to fix the order of the sets of numbers. Thus we got seven schemes with three texts, shown in table 3. Each text occurs once in every position of these schemes. The texts 1 to 6 were scrambled with the same fixed permutations as those listed before. Text 0 was scrambled with randomly chosen permutations changing every 600 milliseconds. Every test person had to listen to one scheme, that means to three texts. The test persons were told to listen to each number and write the digits they heard on their answer sheets. They were also told, that if some of these numbers were difficult to understand, they should write down their best guess rather than to leave blanks. Table 4 shows the results of this test. The tendency of our first experiment is unchanged. This means, that texts, scrambled with a permutation with high value of our distance

Table 3: S(2,3,7)

  Scheme   First text   Second text   Third text
    0          1             3             0
    1          2             4             1
    2          3             5             2
    3          4             6             3
    4          5             0             4
    5          6             1             5
    6          0             2             6

Table 4: Results of Test 2

  Text   Identified digits   Percentage
    0          708             29,5 %
    1         2173             90,5 %
    2         2144             89,3 %
    3         1486             61,9 %
    4         1609             67,0 %
    5         1949             81,2 %
    6         1415             59,0 %

function d(π,id) have lower intelligibility scores than those where d(π,id) has lower values. Altogether the identification score is higher for spoken digits than for complete sentences. This is caused on the one hand by the small size of the digit vocabulary and on the other hand by the pauses between two numbers. These pauses decrease the typical effect of mixing the blocks of the speech signal into an unintelligible order. Another interesting result is the score of text 0. This text was scrambled with permutations changing every 600 milliseconds. This kind of voice scrambling has lower intelligibility than scrambling schemes with fixed permutations. Together with pure security considerations this is the reason to scramble with frequently changing permutations. This also prevents an eavesdropper from "learning".
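The time-division scrambling, the "runs up" rule for rejecting weak permutations and the S(2,3,7) listening schedule used in this paper, as an added example (Python; not code from the paper or its authors). The sample signal, the segment and block sizes, the two key permutations and the schedule SCHEMES are constructed; the block generalizes the text's fixed-permutation case to a permutation that changes from block to block, as text 0 of Test 2 did.

```python
from itertools import permutations

def runs_up(perm):
    """Count the maximal increasing connected subsequences ('runs up') of a
    permutation: the identity has 1, (3, 1, 2, 6, 4, 5) has 3 ([3], [1,2,6], [4,5])."""
    runs = 1
    for a, b in zip(perm, perm[1:]):
        if b < a:
            runs += 1
    return runs

def usable_permutations(n, min_runs=4):
    """Permutations of range(n) the device would accept: more than 3 runs up."""
    return [p for p in permutations(range(n)) if runs_up(p) >= min_runs]

def scramble_block(block, perm):
    """Time-division of one block of segments: output position k carries input
    segment perm[k]."""
    if len(block) != len(perm):
        raise ValueError("block length must equal permutation length")
    return [block[perm[k]] for k in range(len(perm))]

def inverse(perm):
    inv = [0] * len(perm)
    for k, p in enumerate(perm):
        inv[p] = k
    return tuple(inv)

def scramble_signal(samples, segment_len, block_len, key_schedule):
    """Cut samples into segments of segment_len, group block_len segments into a
    block and permute block b with key_schedule[b % len(key_schedule)], i.e. the
    permutation changes from block to block (constructed key schedule)."""
    segs = [samples[i:i + segment_len] for i in range(0, len(samples), segment_len)]
    out = []
    for b, start in enumerate(range(0, len(segs), block_len)):
        perm = key_schedule[b % len(key_schedule)]
        out.extend(scramble_block(segs[start:start + block_len], perm))
    return [s for seg in out for s in seg]

def descramble_signal(samples, segment_len, block_len, key_schedule):
    """The receiver applies the inverse permutation to every block."""
    return scramble_signal(samples, segment_len, block_len,
                           [inverse(p) for p in key_schedule])

def is_steiner_2_3_7(schemes):
    """Schedule property used for Test 2: 7 schemes of 3 texts (0..6) such that every
    pair of texts shares exactly one scheme and every text occurs once per position."""
    pairs = {}
    for s in schemes:
        for a in s:
            for b in s:
                if a < b:
                    pairs[(a, b)] = pairs.get((a, b), 0) + 1
    if len(pairs) != 21 or any(v != 1 for v in pairs.values()):
        return False
    return all(sorted(s[pos] for s in schemes) == list(range(7)) for pos in range(3))

# Constructed S(2,3,7) with that property: cyclic shifts of the base block (1, 3, 0).
SCHEMES = [((1 + i) % 7, (3 + i) % 7, i) for i in range(7)]
```

A permutation of six segments has between 1 and 6 runs up; with the rule "more than 3 runs up" exactly 360 of the 720 permutations remain, and the block-to-block key change means a listener never hears the same arrangement twice in a row.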

THE RATING OF UNDERSTANDING IN SECURE VOICE COMMUNICATIONS SYSTEMS

by

Klaus-P. Timmann, MSEE, managing director of TST

T. Beth (Ed.): Cryptography - EUROCRYPT '82, LNCS 149, pp. 157-163, 1983. © Springer-Verlag Berlin Heidelberg 1983

The quality of any voice message communication depends on various electroacoustic and electronic parameters of the communication equipment (frequency response, bandwidth limitation, differential delays, rhythmic or arhythmic distortions or interruptions, signal/noise ratio with white or frequency selective noise ...) as well as the human parameters of articulation of the speaker and the recognition and comprehension of the received message by the hearer. Although the electroacoustic and electronic qualities of a voice communication system can properly be measured and evaluated, there is no easy way of determining the 'rate of understanding' that actually leads to the comprehension of the message content, which is the reason for communication. This requires first of all its 'understanding' in the means of physically noting the sounds, secondly the ability to understand the words and to make sense of the message and to consume it intellectually. In linguistic research it is well known that a message is understood even when partly distorted or missing, because of the redundancy of speech. The elements of a message are:

- 1 The individual sentences. Here, one sentence can lead to the next sentence and understanding is made easier through the contextual dead-reckoning (extrapolation) performed by the human brain.

- 2 The words, forming the sentence. The words in their context are easy to identify, missing words are even added by the human brain to satisfy the rules of grammar.

- 3 The syllables, forming the words. The redundancy of many words is so high that a missing syllable still leads to understanding of the word in the sentence.

- 4 The sounds, forming the syllable. Although there is no clear definition of the syllable, it is generally accepted as the 'basic unit' for the description of the relationships of sounds, which is different in all languages.

If we take the syllable out of its textual environment and communicate with disarranged syllables only, the human brain can no longer perform the contextual computations and we have a means to rate the true understandability of the communication. However, the syllable as the basic unit of the word exhibits 'tones and stresses' which identify the specific syllable in the specific word. For the research of the 'understandability', we will have to neglect the tones and stresses, and take into consideration only the base of a singular syllable. Syllables are formed of vowels and consonants. VOWELS are those sounds (a, e, i, o, u) formed by the vocal tract with different lip-configurations only. Vowels may be of short or long characteristic. CONSONANTS are b, c, d, f, g, h, j, k, l, m, n, p, q, r, s, t, v, w, x, y, z. They can be grouped in sounding and not sounding, bilabial (spoken with both lips), labio-dental (spoken with lip and teeth), alveolar, alveolopalatal, palatal, velar, glottal. The 'r' (in other languages also 'j' and 'ch') can be generated either by the tongue (vibration or not), or the uvula (Arabic, German or Spanish pronunciation) resulting in quite different sounding.

Single syllables are formed by the left consonant Cl, the vowel V, and the right consonant Cr, so that

SSYL = X × Cl, Y × V, Z × Cr

X and Z can be 0 ... 5, depending on language. If Z = 1, the syllable is called 'closed syllable'; if Z = 0, the syllable is called 'open'. The single syllables without 'tones and stresses' represent the most important parameter for the rating of understanding in communications systems, when defined as the percentage of the correctly understood syllables of all communicated syllables.

e.g.

  Cl   V   Cr
   0   1    1    ab, or, un
   1   1    0    ba, ru, la
   1   1    1    lap, nik, suk
   2   1    0    flu, cri, smo

Work-sheets with the indicated mixed disarranged syllables have to be written, with at least 1000 elements for testing. When designing these work-sheets, care should be taken that

a. the syllables are not meaningful by themselves and
b. they are pronouncable by a normal speaker,
c. they reflect a good mixture of sounds for the particular language for which the test is to be performed, or for all languages that might be used.

Those syllables are known as Logatomes. It was tested that the syllable-understanding-rate (SUR) of a perfect communication channel is reduced by 5 % when the bandwidth was limited to 500-4000 Hz, and by 35 % when the bandwidth was limited to 500-1700 Hz. (The test was performed for English, French and German.) This means that bandwidth reductions from 100 to 500 Hz are much less important than bandwidth reductions in the higher frequency area.

From the syllable-understanding-r

ate (SUR) to the word-understanding-rate (WUR) there is a relationship which is highly nonlinear, approximately according to this table, which proves the contextual processing of the human brain.

[graph showing SUR against WUR; curve values not recoverable from the extraction]

From the WUR the MUR (message-understanding-rate) can be tested and a similar relationship will be found, so that it is obvious that there is a sharp degradation of understanding when the SUR is less than 35 %, and a perfect comprehension of message text with SUR of better than 65 %. It should be noted that various influences can reduce the SUR, e.g. reduced bandwidth and/or low volume (old telephone systems), in-band white noise (VHF/UHF radio) and in-band

splatter and beep-tones (HF radio). It widely depends on the speaker and hearer how well syllables and thus messages can be understood. There are wide differences in personnel due to training, concentration and mental condition.

4) The rating of understanding in cryptophonic communications differs in that the use of cipher equipment (or scramblers) may result in a severe reduction of SUR in addition to those found in 'clear' communications.

- 1 Most frequently, secure communications reduce the available signal/noise ratio to 20-40 dB due to quantizing noise of analogue/digital converters or feedthrough of mixing frequencies. At 20 dB (most 9 or 16 kHz digital cipher sets), the SUR is heavily reduced and even the word-understanding is degraded. At 30 dB, the SUR will be slightly reduced; at 40 dB a reduction was not noticeable.

- 2 Ciphered communication commonly produces distortions of 10-20 % by deforming the audio signals, where everything above 10 % surely will reduce the understanding, as it was measured by the SUR test method.

- 3 Distortion through blanking signals and nonconformities in rearranging the time segments of time division equipments. This generally is giving a noticeable reduction in SUR. Time segments are in the length of 8-52 ms with the equipment on the market; 4 to 32 time elements are used. The audio quality of the equipments as measured by the SUR varies substantially (depending on the exact synchronization between speaker-set and hearer-set and differential delays of the line or radio set).

5) In order to test various equipments for performance and comparison it should be done so that the test can be reproduced by oneself or others with the same results:

- 1 Design proper syllable worksheets as explained,
- 2 set up the equipment in the lab,
- 3 introduce from a tape recorder the attenuation, white noise or splatter and beep tone distortions of the communication channel, as it is expected in real life, and establish SUR,
- 4 make different speaker-hearer tests and note the SUR.

Since the tests will vary between every pair of 'speaker-hearer', a true comparison of the equipments is possible only when comparing the individual results of each speaker-hearer pair. Only the SUR-method of scientific evaluation with reproduceable system variables gives satisfactory results for the evaluation of secure communication systems. Field tests are mostly not reproduceable and might lead to the procurement of equipment that is not best for the purpose.
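A work-sheet generator following the SSYL = X × Cl, Y × V, Z × Cr scheme and design rules a.-c. above, with SUR scoring and the per-pair comparison of step 4, as an added example (Python; not from the paper). The consonant cluster lists LEFT and RIGHT, the exclusion list MEANINGFUL, the syllable shapes, the transcriptions and all function names are constructed assumptions; the paper prescribes only the syllable scheme, the rules, the 1000-element minimum and the comparison within each speaker-hearer pair.

```python
import random

VOWELS = ["a", "e", "i", "o", "u"]
# Constructed consonant material; the keys are X (left) and Z (right) cluster lengths.
LEFT = {0: [""], 1: list("bdfgklmnprst"), 2: ["fl", "cr", "sm", "st", "pr", "bl"]}
RIGHT = {0: [""], 1: list("bdkmnprst"), 2: ["nk", "st", "mp", "rt"]}
# Constructed exclusion list: syllables that are words and violate design rule a.
MEANINGFUL = {"ab", "an", "at", "am", "as", "bad", "bat", "sun", "run", "fun",
              "pen", "pot", "sit", "dot", "man", "bus", "pin", "lap"}

def make_syllable(x, z, rng):
    """One SSYL with X = x left consonants, one vowel and Z = z right consonants."""
    return rng.choice(LEFT[x]) + rng.choice(VOWELS) + rng.choice(RIGHT[z])

def is_closed(z):
    """Z >= 1: closed syllable; Z = 0: open syllable."""
    return z >= 1

def build_worksheet(n_elements, rng, shapes=((0, 1), (1, 0), (1, 1), (2, 0), (2, 1), (1, 2))):
    """Logatome work-sheet of n_elements entries (the paper asks for at least 1000),
    cycling through the (X, Z) shapes so open and closed syllables are mixed and
    dropping anything in MEANINGFUL (rule a); pronounceability (rule b) is
    approximated by the restricted cluster lists."""
    sheet, i = [], 0
    while len(sheet) < n_elements:
        x, z = shapes[i % len(shapes)]
        i += 1
        syl = make_syllable(x, z, rng)
        if syl not in MEANINGFUL:
            sheet.append(syl)
    return sheet

def example_sheet(n_elements=1000, seed=1):
    """Deterministic sheet for demonstration (constructed seed)."""
    return build_worksheet(n_elements, random.Random(seed))

def sur(worksheet, transcription):
    """Syllable-understanding-rate: percentage of correctly heard syllables."""
    correct = sum(1 for spoken, heard in zip(worksheet, transcription) if spoken == heard)
    return 100.0 * correct / len(worksheet)

def compare_equipment(results, reference="clear"):
    """results[(speaker, hearer)][equipment] = SUR. Returns the SUR change of every
    equipment against the reference channel for the same speaker-hearer pair only,
    since results of different pairs are not comparable with each other."""
    return {pair: {eq: round(val - by_eq[reference], 1)
                   for eq, val in by_eq.items() if eq != reference}
            for pair, by_eq in results.items()}
```

Because a hearer's transcription is compared syllable by syllable against the sheet, the same sheet played through the clear channel and through each cipher set gives the per-pair SUR differences directly, which is the reproducible figure the text asks for instead of a field impression.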

As Lord Kelvin wrote:

'I often say, when you can measure what you are speaking about, and express it in numbers, you know something about it, but when you cannot measure it, when you cannot express it in numbers, your knowledge is of a meager and unsatisfactory kind.'


ANALYSIS OF MULTIPLE ACCESS CHANNEL USING MULTIPLE LEVEL FSK

László Györfi, István Kerekes
Technical University of Budapest, H-1111 Budapest, Stoczek u. 2., Hungary

Abstract. For a multiple level FSK system of multiple user communication a model is considered containing independent parallel noisy OR channels. The error probability is calculated if a random block code and a majority type decoding rule is applied.

Channel model

Initiated by Viterbi [1], Goodman, Henry and Prabhu [2] investigated the performance of a multiple access channel consisting of multiple frequency bands, and they gave an approximation on the probability of decoding error for a random code and a majority type decoder. Our purpose is to give a channel model for this problem and an exponential bound on the probability of error.

Fig. 1.

T. Beth (Ed.): Cryptography - EUROCRYPT '82, LNCS 149, pp. 165-172, 1983. © Springer-Verlag Berlin Heidelberg 1983

Suppose that each of the M users can access the parallel channels C_1, C_2, ..., C_{2^K} (Fig. 1). C_j is assumed to be a noisy OR channel, i.e. C_j is an OR channel followed by a binary memoryless channel with transition probabilities p_F (false alarm, 0 → 1) and p_D (deletion, 1 → 0), j = 1, 2, ..., 2^K (Fig. 2). C_1, C_2, ..., C_{2^K} are independent.

Fig. 2. The channel C_j

The channels C_1, C_2, ..., C_{2^K} are the models of the 2^K frequency bands. The transmitters send the bit 1 through one of the channels C_1, C_2, ..., C_{2^K}, which means that they send a single frequency sinus signal in a bit time. The receivers try to detect the subset of C_1, C_2, ..., C_{2^K} through which sinus signals were sent. This channel is a multiple access channel. Although each of the receivers has the same input sequence, we investigate the case when the encoders are asynchronous, the decoders are separated, the i-th decoder is synchronized to the i-th encoder and it knows only the codebook of the i-th encoder (i = 1, 2, ..., M). This is an important scheme of multiple user communication if, for example, the population of the users is changing from time to time. Einarsson [3] and Timor [4] constructed a block code for such a channel if C_1, C_2, ..., C_{2^K} are noiseless OR channels and supposed a fixed or slightly varying population of users.

Coding-decoding rule

Independent encoder-decoder pairs are assumed and a random coding procedure is applied. The source alphabet is the set {1, 2, ..., 2^K} for all sources. Each encoder has a memoryless sequence of random variables with uniform distribution on the set {1, 2, ..., 2^K}. The encoder produces a binary matrix of size L × 2^K as follows: let E_j be a matrix having 1-s in the j-th row, 0-s otherwise. The source letter j is encoded to a binary matrix D_ij the columns of which are the rotations of E_j, and the size of the rotations is generated by a segment of length L of the random sequence of the i-th encoder (Fig. 3). The element a_nm of the matrix D_ij is transmitted through the channel C_n at the moment m (n = 1, 2, ..., 2^K; m = 1, 2, ..., L).

The i-th decoder has the random sequence of the i-th encoder and it is synchronized to the i-th encoder. For the received block (matrix) the i-th decoder executes the inverse rotations made by the i-th encoder and decodes the character j if the j-th row has the most 1-s (Fig. 4). In case of ties an arbitrary character is chosen.

Fig. 3. Encoding [matrices E_j, the rotated columns of D_ij and the random generator; figure not recoverable from the extraction]
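The encoding by random column rotations, the noisy OR multiple-access channel and the majority-type decoding rule described above, simulated end to end, as an added example (Python; not the authors' code). Letters are numbered from 0 here, ties are broken towards the smallest index (the text allows any arbitrary choice), the channel noise is drawn per bit with the false-alarm and deletion probabilities p_F and p_D, and every block uses a fresh segment of the user's random sequence; the simulation parameters, seed and function names are constructed. r_sum computes R_sum = MK/(L 2^K), the sum of the equal code rates introduced in the next section.

```python
import random

def encode(letter, hops, n_bands):
    """Source letter -> band used in each of the L slots. Column m of E_letter is
    rotated by hops[m], so its single 1 moves from row `letter` to row
    (letter + hops[m]) mod 2^K; that row is the frequency band sent at slot m."""
    return [(letter + r) % n_bands for r in hops]

def or_channel(transmissions, n_bands, n_slots, p_f, p_d, rng):
    """OR of all users' tone matrices (one row per slot, one column per band),
    followed by a binary memoryless channel: 0 -> 1 with probability p_f
    (false alarm), 1 -> 0 with probability p_d (deletion)."""
    y = [[0] * n_bands for _ in range(n_slots)]
    for bands in transmissions:
        for m, b in enumerate(bands):
            y[m][b] = 1
    for m in range(n_slots):
        for b in range(n_bands):
            if y[m][b] == 1:
                if rng.random() < p_d:
                    y[m][b] = 0
            elif rng.random() < p_f:
                y[m][b] = 1
    return y

def row_counts(y, hops, n_bands):
    """Undo the receiver's own rotations and count the 1-s per source letter."""
    counts = [0] * n_bands
    for m, r in enumerate(hops):
        for b in range(n_bands):
            if y[m][b]:
                counts[(b - r) % n_bands] += 1
    return counts

def decode(y, hops, n_bands):
    """Majority rule: the row with the most 1-s (ties: smallest index)."""
    counts = row_counts(y, hops, n_bands)
    return counts.index(max(counts))

def r_sum(n_users, k, n_slots):
    """R_sum = M K / (L 2^K)."""
    return n_users * k / (n_slots * 2 ** k)

def two_user_example():
    """Constructed noiseless case: user 0 sends letter 2 with hops [1, 2, 3], user 1
    sends letter 1 with hops [0, 0, 0], over 4 bands and 3 slots. The correct row
    keeps all L = 3 ones because the OR channel can only add ones."""
    n_bands, hops0 = 4, [1, 2, 3]
    tx = [encode(2, hops0, n_bands), encode(1, [0, 0, 0], n_bands)]
    y = or_channel(tx, n_bands, 3, 0.0, 0.0, random.Random(0))
    return row_counts(y, hops0, n_bands), decode(y, hops0, n_bands)

def simulate(n_users, k, n_slots, p_f, p_d, trials, seed=0):
    """Empirical decoding error rate of user 0 over `trials` independent blocks."""
    rng = random.Random(seed)
    n_bands = 2 ** k
    errors = 0
    for _ in range(trials):
        hops = [[rng.randrange(n_bands) for _ in range(n_slots)] for _ in range(n_users)]
        letters = [rng.randrange(n_bands) for _ in range(n_users)]
        tx = [encode(letters[i], hops[i], n_bands) for i in range(n_users)]
        y = or_channel(tx, n_bands, n_slots, p_f, p_d, rng)
        if decode(y, hops[0], n_bands) != letters[0]:
            errors += 1
    return errors / trials
```

With p_D = 0 the transmitted row always reaches the decoder with L ones, so an error needs another row to collect L ones from the other users' tones and false alarms; deletions, by contrast, remove ones from the correct row directly, which is the asymmetry the values of F(c, p_D, p_F) quoted after the Theorem express.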

Probability of error

Introduce the notation R_sum = MK / (L 2^K) for the sum of the equal code rates of the encoders. Given a source letter j the probability of error does not depend on j because of the properties of the random sequences of the rotations. Let P_e be the probability of the decoding error.

Fig. 4. Decoding [received matrix after the inverse rotations and the random generator; figure not recoverable from the extraction]

Theorem

If M ≤ 2^K and p_D + p_F < 1, then

[exponential upper bound on P_e in terms of F(c, p_D, p_F) and R_sum; formula not recoverable from the extraction]

In the case of p_D = p_F = 0 each C_j (j = 1, 2, ..., 2^K) is a noiseless OR channel and F(c, 0, 0) takes the value [not recoverable], implying [bound not recoverable] if M/2^K = ln 2 = 0.69... This particular case was investigated in [5]. Consider some values of F(c, p_D, p_F). If 0.55 ≤ c ≤ 0.7 then

F(c, 0, 10^-3) ≈ 0.66      F(c, 10^-3, 0) ≈ 0.59
F(c, 0, 10^-2) ≈ 0.65      F(c, 10^-2, 0) ≈ 0.47
F(c, 0, 10^-1) ≈ 0.57      F(c, 10^-1, 0) ≈ 0.23

which shows that the increase of p_F does not affect the probability of error much; however, the increase of p_D is crucial.

Proofs

In the proof of the Theorem we apply the following Chernoff-type bound:

Lemma. Let Y_1, Y_2, ..., Y_n be -1, 0, +1 valued independent random variables with probabilities p_-, p_0, p_+ for the values -1, 0, +1. [Statement of the bound not recoverable from the extraction.]

Proof of the Theorem. We calculate the probability of error for the communication from the 1st encoder to the 1st decoder. Without loss of generality assume that the source character 1 was sent. Denote by X_ij (i = 1, 2, ..., L; j = 1, 2, ..., 2^K) the elements of the matrix after the inverse rotations in the decoder; then

[bound on P_e not recoverable]

therefore

[equation (3) not recoverable]

Apply the Lemma for Y_j = X_2j - X_1j. Clearly

[expressions for p_+, p_0, p_- not recoverable]

The condition p_- > p_+ of the Lemma is equivalent to [condition not recoverable], which is equivalent to the condition p_D + p_F < 1. Thus

[equation (4) not recoverable]   (4)

If M ≤ 2^K, then it is easy to check that [inequality not recoverable]. For p_D + p_F < 1 we have [inequality not recoverable]; in this range (4) is a monotone increasing function of [term not recoverable], then with c = M/2^K we get

[definition of F(c, p_D, p_F) not recoverable]   (5)

therefore by (3) and (5), for the notation [not recoverable], [conclusion of the proof not recoverable].

Generalization

A possible generalization of the model considered is seen on Fig. 5. The output of the channel C_j is defined as follows:

[definition of the ternary-input channel output not recoverable from the extraction]

Fig. 5. Generalization

C_j denotes a channel with ternary inputs and binary output. p_F (0 → 1), p_D (1 → 0) and p_I (interference) denote the transition probabilities, respectively. In the case of p_I = p_D the model is reduced to that of Fig. 2. In this model the variables X_1j and X_2j introduced in the proof of the Theorem are not independent, but the sequence of Y_j = X_2j - X_1j is independent. After calculating the probabilities p_+, p_-, p_0 as a function of p_F, p_D, p_I one can get a similar upper bound for P_e as before, with a much more involved function F(c, p_F, p_D, p_I) instead of F(c, p_D, p_F). The condition p_- > p_+ of the Lemma is met if

[condition not recoverable]

where [definition not recoverable].

While the original model is suitable, for example, for mobile digital radio telephony in the direction base to mobile, this generalization of the model might be applied for modeling the direction mobile to base.

References

[1] Viterbi, A. J.: A Processing Satellite Transponder for Multiple Access by Low-Rate Mobile Users. Digital Satellite Communications Conference, Montreal, October 23-25 (1970)
[2] Goodman, D. J., Henry, P. J., Prabhu, V. K.: Frequency-hopped Multilevel FSK for Mobile Radio. B.S.T.J. 59, 1257-1275 (1980)
[3] Einarsson, G.: Address Assignment for a Time-Frequency-Coded, Spread Spectrum System. B.S.T.J. 59, 1241-1255 (1980)
[4] Timor, U.: Improved Decoding Scheme for Frequency-Hopped Multilevel FSK System. B.S.T.J. 59, 1839-1855 (1980)
[5] Györfi, L., Kerekes, I.: A Block Code for Noiseless Asynchronous Multiple Access OR Channel. IEEE Trans. on Information Theory 27, 788-791 (1981)

ANALOG SCRAMBLING BY THE GENERAL FAST FOURIER TRANSFORM

Franz Pichler†
Department of Systems Science, Johannes Kepler University of Linz, A-4040 Linz, Austria

1. Introduction

There are many different methods in use to scramble voice signals. Two of them seem to be of special importance: band-splitting and time-division. In existing devices for scrambling analog signals often only one of these methods is implemented. However, newer equipment, which is realized by digital circuitry, allows us to use both methods, band-splitting and time-division, at the same time. Our paper presents a mathematical basis for that situation. We show how an operation which realizes band-splitting (in a generalized way) and time-division can be designed, and point out that such an operation can be realized by a fast algorithm. The mathematical background is the theory of group-characters for finite abelian groups and the theory of the general fast fourier transform (GFFT). Besides voice scrambling the method is well suited for image scrambling of remotely sensed signals ([PI80]). A development project on that topic is under preparation at the Institute of Systems Science at the University of Linz.

2. The Basic Scrambling Scheme

We assume that the analog signal a is already sampled. Therefore a is a discrete time-function a: N_0 → R : k ↦ a(k). Frequently the signal a has to pass some pre-processing operation T before it is scrambled. T could be a digital filter, e.g. for data-compression, or the DPSS-transform of Wyner ([WY79]).

† Currently as Visiting Professor at the Department of Systems Science, School of Advanced Technology, State University of New York at Binghamton, Binghamton, N.Y. 13901. The work presented in this paper was partially supported by the Oesterreichischen Fonds zur Foerderung der Wissenschaftlichen Forschung under FWF-Project Nr 4141.

T. Beth (Ed.): Cryptography - EUROCRYPT '82, LNCS 149, pp. 173-178, 1983. © Springer-Verlag Berlin Heidelberg 1983

The resulting analog signal x constitutes the "plaintext" for our scrambling operation E_K which is controlled by a key K. The resulting "ciphertext" y = E_K(x) is reprocessed to form the final scrambled output of the system. Figure 1 shows the block-diagram of this basic arrangement.

[Figure 1: Basic Scrambling Scheme; block-diagram with the blocks T, E_K and T^-1 and the key K entering E_K]

We assume furthermore that scrambling is done blockwise with block-length N. So the input signal x is divided into blocks x_i = (x_{i0}, x_{i1}, ..., x_{i,N-1}), i = 0, 1, 2, .... In every step i the scrambling operation E_K receives the block x_i to compute the block y_i = (y_{i0}, y_{i1}, ..., y_{i,N-1}) of the scrambled signal y;

y_i = E_K(x_i).   (1)

In the case of band-splitting E_K is often realized by the conventional discrete fourier-transform F and subsequent coordinate permutation π̂_K,

[equation (2) not recoverable from the extraction]

π̂_K is assumed here to be an operation which permutes the components of the spectrum block x̂_i = F x_i = (x̂_{i0}, x̂_{i1}, ..., x̂_{i,N-1}). Therefore π̂_K is in a one-to-one correspondence with a related permutation π̂_K on the set {0, 1, ..., N-1} of indices of x̂_i.

Time-division of x by E_K is realized very simply. It consists of the coordinate permutation of the time-block x_i:

y_i = π_K(x_i).   (3)

In terms of cryptographic notation time-division of x_i establishes a polyalphabetic substitution-cipher; band-splitting is a product cipher, consisting of a linear cipher as given by the fourier transform F followed by the substitution π̂_K. In many cases of application K will not stay constant for each block x_i but will change with i: K = K(i).

To finish the basic discussion of the introduced scrambling scheme we combine band-splitting with time-division and get a scrambling operation E_K = π̂_K F π_K by

y_i = π̂_K F π_K x_i.   (4)

Equation (4) is the scrambling operation which we would like to generalize by using the generalized discrete fourier-transform Ω replacing F.

3. The General Discrete Fourier-Transform

It is well known that the "classical" fourier-transform has been generalized in many different ways. A famous example of it is the Laplace-transform which is produced by extension of the real domain R of the signals to the complex number field C. Another example is the fourier-transform as discussed in abstract harmonic analysis. In this theory an arbitrary locally compact abelian group G takes the place of R. It is this generalization of the fourier-transform which we will use. However, for our purposes it will be sufficient to consider finite abelian groups. Let G denote an arbitrary finite abelian group and let f denote a function defined on G with values in the set C of complex numbers; f: G → C. Then the fourier-transform f̂ of f is defined as the function f̂: Ĝ → C which is given by

f̂(w) = Σ_{g ∈ G} f(g) w*(g)   (5)

where Ĝ denotes the character-group of G which consists of the set of character-functions w: G → C, with their multiplication as group-composition; w*(g) denotes the complex conjugate of w(g). The inverse transform which maps f̂ to f is given by

f(g) = (1/N) Σ_{w ∈ Ĝ} f̂(w) w(g)   (6)

For a more detailed treatment of the fourier-transform for functions defined on abelian groups consult for example the book of Rudin ([RU62]). Our goal is to represent the transforms as given in (5) and (6) in

matrix notation. For that we define an ordering in both groups G and $\hat G$ by numbering the elements from 0 to N - 1 (we assume that G has N elements); $G = \{g_0, g_1, \ldots, g_{N-1}\}$ and $\hat G = \{w_0, w_1, \ldots, w_{N-1}\}$. Then equations (5) and (6) can be written in the form

$\hat f = \Omega\, f$   (7)

and

$f = \frac{1}{N}\, \Omega^{*}\, \hat f$   (8)

where f and $\hat f$ denote the column-vectors of length N which are given by listing the values $f(g_0), \ldots, f(g_{N-1})$ and $\hat f(w_0), \ldots, \hat f(w_{N-1})$ (the symbol T denotes transposition of matrices). $\Omega$ denotes the N × N matrix $\Omega = [w_{ij}]$ which is given by $w_{ij} = w_i(g_j)$; $\Omega^{*}$ denotes the adjoint matrix of $\Omega$. We call $\Omega$ the fourier-matrix of G. From equations (7) and (8) we see that $\frac{1}{N}\,\Omega^{*}\Omega = I$ (the unity matrix). Therefore $\Omega$ is basically unitary.

After this mathematical exposition we return to the scrambling scheme.

4. Generalized Band-Splitting

We identify now the set of indices {0, 1, 2, ..., N-1} of a block $x_i = (x_{i0}, x_{i1}, \ldots, x_{i,N-1})$ of input-text with the arbitrary abelian group G of order N. Then $x_i$ can be considered as a function $x_i: G \to C$. Since now the (generalized) fourier-transform $\hat x_i$ of $x_i$ is defined we are able to define a generalized version of band-splitting by permuting the spectrum $\hat x_i$ with $\tau_K$. In matrix notation the permuted spectrum $\hat x_i'$ reads as

$\hat x_i' = T_K\, \Omega\, x_i$   (9)

where $T_K$ denotes the matrix representation of $\tau_K$. Using the matrix representation $\Pi_K$ for the permutation $\pi_K: G \to G$ we are in the position to combine time-division with generalized band-splitting to establish the scrambling operation

$\Omega(\pi_K, \tau_K) := T_K\, \Omega\, \Pi_K .$   (10)

The matrix $\Omega(\pi_K, \tau_K)$ of this operation is derived from $\Omega$ by row permutation according to $\tau_K$ and column permutation according to $\pi_K$.

5. Fast Realization of $\Omega(\pi_K, \tau_K)$

In order that the operation as described in equation (10) is of practical use in analog signal scrambling it is necessary to have efficient algorithms for hardware or software realization available. For the general fourier-transform it is known that there exist algorithms which reduce the number of primitive operations from O(N²) to O(N log N) ([NI 71], [KU 77]). If we assume that the permutations $\tau_K$ and $\pi_K$ do not reduce the effectiveness of the algorithm, then we have found also a fast realization for the matrix-operation $\Omega(\pi_K, \tau_K) = T_K\, \Omega\, \Pi_K$. However, since in practical application the group G has to be chosen depending on the key K, i.e., $G = G_K$, we have to make sure also that the related scrambling operation $T_K\, \Omega_K\, \Pi_K$ is easy to realize for any choice of the key K. For implementations in software this is the case since the specific group-structure of $G_K$ does not change the effectiveness of the realization algorithm ([FE 82]). For hardware implementation which depends on a fixed wiring scheme, the applicability of our general scrambling scheme remains to be investigated.
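The construction of Sections 3 to 5 carried out in code, as an added example that is not part of the paper: the group G is taken to be a product of cyclic groups $Z_{n_1} \times \ldots \times Z_{n_r}$ (every finite abelian group has this form), whose characters are $w_k(g) = \exp(2\pi i \sum_j k_j g_j / n_j)$; the fourier-matrix $\Omega$ is built from them, its unitarity $\Omega^{*}\Omega = N I$ is checked, and the scrambler $T_K\,\Omega\,\Pi_K$ of (10) is applied and inverted with $(1/N)\,\Omega^{*}$ as in (8). The group (2, 4), the key permutations and the signal block are constructed sample values.

```python
"""Generalized band-splitting on a finite abelian group (equations (7)-(10)).

Added example, not from the paper: G = Z_{n_1} x ... x Z_{n_r} is given by its
cycle lengths, its characters are w_k(g) = exp(2 pi i sum_j k_j g_j / n_j), and
the scrambler is T_K Omega Pi_K.  The group (2, 4), the key permutations and the
signal block are constructed for the demonstration.
"""
import cmath
import itertools
import math
import random


def group_elements(cycle_lengths):
    """Elements g_0, ..., g_{N-1} of Z_{n_1} x ... x Z_{n_r} in a fixed order."""
    return list(itertools.product(*(range(n) for n in cycle_lengths)))


def character(k, g, cycle_lengths):
    """w_k(g): the characters of a product of cyclic groups are indexed by the same tuples."""
    phase = sum(kj * gj / nj for kj, gj, nj in zip(k, g, cycle_lengths))
    return cmath.exp(2j * math.pi * phase)


def fourier_matrix(cycle_lengths):
    """Omega = [w_ij] with w_ij = w_i(g_j), the fourier-matrix of G."""
    elems = group_elements(cycle_lengths)
    return [[character(w, g, cycle_lengths) for g in elems] for w in elems]


def adjoint(m):
    return [[m[j][i].conjugate() for j in range(len(m))] for i in range(len(m))]


def matmul(a, b):
    n = len(a)
    return [[sum(a[i][k] * b[k][j] for k in range(n)) for j in range(n)] for i in range(n)]


def matvec(m, v):
    return [sum(a * b for a, b in zip(row, v)) for row in m]


def is_scaled_identity(m, scale, tol=1e-9):
    """Check m == scale * I; with scale = N this is the unitarity statement after (8)."""
    return all(abs(m[i][j] - (scale if i == j else 0)) < tol
               for i in range(len(m)) for j in range(len(m)))


def permute(v, perm):
    """Permutation matrix applied to v: output position i receives input position perm[i]."""
    return [v[perm[i]] for i in range(len(v))]


def inverse_perm(perm):
    inv = [0] * len(perm)
    for i, p in enumerate(perm):
        inv[p] = i
    return inv


def scramble(block, cycle_lengths, pi_k, tau_k):
    """T_K Omega Pi_K x: time-division (Pi_K), transform (Omega), band-splitting (T_K)."""
    omega = fourier_matrix(cycle_lengths)
    return permute(matvec(omega, permute(block, pi_k)), tau_k)


def descramble(scrambled, cycle_lengths, pi_k, tau_k):
    """Undo (10) with the inverse permutations and (1/N) Omega*, as in (8)."""
    omega_adj = adjoint(fourier_matrix(cycle_lengths))
    n = len(scrambled)
    spectrum = permute(scrambled, inverse_perm(tau_k))
    return permute([c / n for c in matvec(omega_adj, spectrum)], inverse_perm(pi_k))


def demo(cycle_lengths=(2, 4), seed=1):
    """Scramble a constructed real block under random key permutations and recover it.

    Returns the largest absolute reconstruction error (zero up to rounding)."""
    rng = random.Random(seed)
    n = math.prod(cycle_lengths)
    block = [rng.uniform(-1.0, 1.0) for _ in range(n)]
    pi_k = list(range(n))
    tau_k = list(range(n))
    rng.shuffle(pi_k)
    rng.shuffle(tau_k)
    recovered = descramble(scramble(block, cycle_lengths, pi_k, tau_k),
                           cycle_lengths, pi_k, tau_k)
    return max(abs(a - b) for a, b in zip(recovered, block))
```

Because the character tuples index both G and $\hat G$, the same list of elements serves as the ordering of both groups that Section 3 asks for; for a cyclic group G = Z_N the matrix reduces to the ordinary DFT matrix, and the O(N log N) realization of Section 5 would replace the plain matrix product used here.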

6. Conclusion

The concepts which have been presented in this paper show that it is possible to generalize the common scrambling method of band-splitting such that fast algorithms for digital realization are also available. By the generalization an additional parameter for the key K is obtained, which determines the specific group $G_K$ and therefore also the related character-group $\hat G_K$ on which the spectral representation of the signals is based. The method also provides a tool for the cryptanalyst since it enables one to represent signals and systems by the different possible spectral-representations. Such an application could be to eliminate time-division permutations $\pi_K$ which are of convolution type with respect to a certain group G and therefore provide little security. An extension of the method to nonabelian groups seems to be possible and also desirable, since in that case also fast realization algorithms exist ([KA 77]).

Finally it should be mentioned that the paper received its final form after listening to a lecture of N.J.A. Sloane on "Encryption by Random Rotations" ([SL 82]). In this lecture a randomly chosen orthogonal matrix M was suggested for the transform of the signals. As parameters determining the user-key, permutations of the rows and columns of M and sign-changes were proposed. By the framework presented in our paper we see that for the special case that a fourier-matrix $\Omega$ is chosen for M, the method suggested by the Sloane lecture is, neglecting the sign-change operation, exactly our generalized scrambling method.

References

[FE 82] Fellner, H.: Master Thesis (in German), Institut für Systemwissenschaften, Universität Linz, 1982.

[KA 77] Karpovsky, M.G.: Fast Fourier Transforms on Finite Non-Abelian Groups, IEEE Trans. on Computers, Vol. C-26, No. 10, October 1977, pp. 1028-1030.

[KU 77] Kunz, H.: Approximation optimaler linearer Transformationen durch eine Klasse schneller, verallgemeinerter Fourier-Transformationen. Dissertation ETH 5832, Zürich, Juris Druck & Verlag, Zürich, 1977.

[NI 71] Nicholson, P.: Algebraic Theory of Finite Fourier Transforms. Journal of Comp. and Systems Sc. 5 (1971), pp. 524-547.

[PI 80] Pichler, F.: Fast Linear Methods for Image Filtering, in: Applications of Information and Control Systems (D.G. Lainiotis and N.S. Tzannes, eds.), Reidel Publishing Corp., Den Haag, 1980, pp. 3-11.

[RU 62] Rudin, W.: Fourier Analysis on Groups, Interscience, New York, 1962.

[SL 82] Sloane, N.J.A.: "Encryption by Random Rotations", Lecture presented at the "Workshop on Cryptography", Burg Feuerstein, March 29 - April 2, 1982, organized by Institut für Mathematische Maschinen und Datenverarbeitung, Universität Erlangen (Thomas Beth).

[WY 79] Wyner, A.D.: An Analog Scrambling Scheme which does not Expand Bandwidth, IEEE Trans. on Information Theory, Vol. 25, Part I (May 1979), Part II (July 1979).

STREAM CIPHERS

Fred Piper

T. Beth (Ed.): Cryptography - EUROCRYPT '82, LNCS 149, pp. 181-188, 1983. © Springer-Verlag Berlin Heidelberg 1983

INTRODUCTION

The object of this talk is to give a general introduction to stream ciphers. It will provide the general background for the other four talks on this topic. We begin by giving a diagrammatic definition of a stream cipher.

[Figure: an algorithm produces an infinite binary sequence, which is added to the binary plaintext; the interceptor is marked on the channel.]

(Of course the interceptor is not part of the system. He is included in the diagram merely to indicate where interceptions are likely to take place.)

Before discussing stream ciphers we must mention one of their most important properties; there is no error propagation. Although it is not always the case, error propagation is often undesirable and, on these occasions, stream ciphers may be preferable to block ciphers. We also note that the algorithm is usually a finite state machine.

In his lecture Professor Bauer stressed the importance of never underestimating the interceptor. This, of course, is vital and in this context it means we must assume:

C1 The cryptanalyst has a complete knowledge of the cipher system, (i.e. all security lies in the key).

C2 The cryptanalyst has obtained a considerable amount of the ciphertext.

C3 The cryptanalyst knows the plaintext equivalent of a certain amount of the ciphertext.

Assumptions C1, C2, C3 may sound pessimistic but they are almost certainly realistic, and any cipher system should be secure under these assumptions. (Of course in any given situation the terms 'considerable' and 'certain amount' will need to be quantified. Their precise values will depend on the system in use and the level of security required.)

If we accept these assumptions then, in the case of a stream cipher, we require:

A1

The number of choices for the key must be large enough that the cryptanalyst cannot try them all.

A2 The infinite sequences must have a guaranteed minimum length for their periods. (We will then only encipher messages which are shorter than this period.)

A3 The ciphertext must appear to be 'random'.

In general terms, a 'random' sequence is one in which knowledge of a number of consecutive elements does not help anyone trying to predict the next one. Of course any sequence generated by a finite state machine is periodic and, consequently, cannot be truly random. (Clearly knowledge of a complete cycle enables one to determine the entire sequence.) Nevertheless if the period is large enough then we can obtain sequences which are effectively random.

Golomb has suggested the following randomness postulates for a binary sequence of period p.

R1 A cycle of length p has [p/2] 0s or 1s.

R2 In a cycle of length p, 1/2 the runs have length 1, 1/4 have length 2, and, in general, for each i for which there are $2^{i+1}$ runs, $1/2^i$ of the runs have length i. Moreover for each of these lengths there are equally many gaps and blocks.

R3 The out-of-phase autocorrelation is a constant.

If a sequence satisfies R1, R2, R3 then it is said to be G-random. It must not be forgotten that G-randomness is a property which relates to the entire sequence. In practice the cryptographer hopes that the length of the sequence obtained by the cryptanalyst will be small in comparison with the period. Thus it is important that our sequence also has 'good' local randomness properties, and there are many statistical tests for investigating local randomness.

Now that we have stated some requirements for our sequence we must look at ways of achieving them. In most practical systems the

finite state machine is a shift register and we will devote the rest of this talk to sequences which can be generated by shift registers.

SHIFT REGISTER SEQUENCES

An n-stage shift register produces a sequence of state vectors $(s_0(t), s_1(t), \ldots, s_{n-1}(t))$ (where t = 0, 1, 2, ...) such that $s_i(t+1) = s_{i+1}(t)$ for i = 0, 1, ..., n-2 and $s_{n-1}(t+1) = f(s_0(t), s_1(t), \ldots, s_{n-1}(t))$. If we write $s_t$ for $s_0(t)$ then we get the shift register sequence $s_0 s_1 s_2 \ldots$ which we write as $(s_t)$. The function f is called the feedback function of the register and if $f(s_0, s_1, \ldots, s_{n-1}) = c_0 s_0 + c_1 s_1 + \ldots + c_{n-1} s_{n-1}$ then we say that the register is linear. Clearly, for any linear shift register,

(1) $(s_t)$ is completely determined by $c_0, c_1, \ldots, c_{n-1}, s_0, s_1, \ldots, s_{n-1}$,

(2) $s_{n+t} = \sum_{i=0}^{n-1} c_i s_{t+i}$ for t = 0, 1, 2, ...,

(3) $(s_t)$ has period $\le 2^n - 1$.

In order to study the relation between $(s_t)$ and the parameters listed in (1) we define the characteristic polynomial f(x) by $f(x) = c_0 + c_1 x + \ldots + c_{n-1} x^{n-1} + x^n$. If, adopting Selmer's notation, we let $\Omega(f)$ be the set of all sequences generated by f(x) then $\Omega(f)$ is an n-dimensional vector space over $Z_2$.

For any polynomial g(x) in $Z_2[x]$ the exponent of g(x) is e if $g(x) \mid x^e + 1$ but $g(x) \nmid x^r + 1$ for any r < e. The important properties of exponents are

(a) $e \le 2^n - 1$ for all polynomials of degree n,

(b) if $(s_t) \in \Omega(f)$ and f(x) has exponent e then the period of $(s_t)$ divides e,

(c) if f(x) is irreducible with exponent e and $(s_t) \in \Omega(f)$ then the period of $(s_t)$ is e.

(Note (b) and (c) assume that $(s_t)$ is not the sequence of all zeros.)

From (a) we know that the maximum possible size for the exponent of a polynomial of degree n in $Z_2[x]$ is $2^n - 1$. If f(x) has degree n and exponent $2^n - 1$ then f(x) is called primitive and any non-null $(s_t) \in \Omega(f)$ is often called a PN-sequence. The following are true:

T1 If f(x) is primitive then any non-zero choice for $s_0, s_1, \ldots, s_{n-1}$ will result in a sequence of period $2^n - 1$.

T2 PN-sequences are G-random, (the out-of-phase autocorrelation being $-1/(2^n - 1)$).

T3 There are $\phi(2^n - 1)/n$ primitive polynomials of degree n.
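The postulates R1 to R3 and the theorems T1 to T3 can be checked directly on small registers. The following added example (not part of the talk) generates $(s_t)$ from the coefficient list $[c_0, \ldots, c_{n-1}]$ of the characteristic polynomial by recurrence (2), tests the three Golomb postulates on one full cycle, and counts, by exhaustive search over degree-n polynomials, how many reach period $2^n - 1$, which T3 says is $\phi(2^n - 1)/n$. The register $x^4 + x + 1$ used in the tests is a constructed choice.

```python
"""Linear shift registers and Golomb's postulates R1-R3.

Added example, not from the paper.  A register is given by its characteristic
polynomial f(x) = c_0 + c_1 x + ... + c_{n-1} x^{n-1} + x^n through the list
[c_0, ..., c_{n-1}], and (s_t) is produced by recurrence (2).  The register used
in the tests, x^4 + x + 1, is a constructed choice; it is primitive, so its
non-zero sequences are PN-sequences and the postulates hold on a full cycle.
"""


def lfsr_sequence(coeffs, state, length):
    """s_0 ... s_{length-1} with s_{t+n} = sum_i c_i s_{t+i} (mod 2)."""
    n = len(coeffs)
    s = list(state)
    while len(s) < length:
        s.append(sum(c * b for c, b in zip(coeffs, s[-n:])) % 2)
    return s[:length]


def period(coeffs, state):
    """Smallest p > 0 after which the state vector repeats (c_0 = 1 makes the state map invertible)."""
    n = len(coeffs)
    s = lfsr_sequence(coeffs, state, 2 ** n + n)    # property (3): period <= 2^n - 1
    for p in range(1, 2 ** n):
        if s[p:p + n] == s[:n]:
            return p
    raise ValueError("state never recurs (is c_0 = 1?)")


def runs(cycle):
    """(value, length) of each maximal run in one cycle, treated cyclically."""
    if len(set(cycle)) == 1:
        return [(cycle[0], len(cycle))]
    start = next(i for i in range(len(cycle)) if cycle[i] != cycle[i - 1])
    c = cycle[start:] + cycle[:start]          # now the cycle begins on a run boundary
    out, i = [], 0
    while i < len(c):
        j = i
        while j < len(c) and c[j] == c[i]:
            j += 1
        out.append((c[i], j - i))
        i = j
    return out


def r1_balance(cycle):
    """R1: the numbers of 0s and 1s in a cycle differ by at most one."""
    ones = sum(cycle)
    return abs(ones - (len(cycle) - ones)) <= 1


def r2_runs(cycle):
    """R2: 1/2^i of the runs have length i (for each i with at least 2^(i+1) runs),
    with equally many gaps (runs of 0s) and blocks (runs of 1s) of that length."""
    rs = runs(cycle)
    total, i = len(rs), 1
    while total // 2 ** i >= 2:
        of_len = [v for v, length in rs if length == i]
        if len(of_len) != total // 2 ** i or of_len.count(0) != of_len.count(1):
            return False
        i += 1
    return True


def autocorrelation(cycle, shift):
    """(agreements - disagreements) / p between the cycle and its cyclic shift."""
    p = len(cycle)
    agree = sum(1 for t in range(p) if cycle[t] == cycle[(t + shift) % p])
    return (agree - (p - agree)) / p


def r3_autocorrelation(cycle):
    """R3: every out-of-phase autocorrelation takes the same value."""
    return len({autocorrelation(cycle, k) for k in range(1, len(cycle))}) == 1


def is_g_random(cycle):
    return r1_balance(cycle) and r2_runs(cycle) and r3_autocorrelation(cycle)


def count_primitive(n):
    """Number of degree-n polynomials whose register reaches period 2^n - 1 (T1); T3 says phi(2^n - 1)/n."""
    count = 0
    for bits in range(2 ** (n - 1)):
        coeffs = [1] + [(bits >> i) & 1 for i in range(n - 1)]    # c_0 = 1 is necessary
        if period(coeffs, [1] + [0] * (n - 1)) == 2 ** n - 1:
            count += 1
    return count
```

The run test follows the wording of R2: lengths i are checked only while the cycle has at least $2^{i+1}$ runs, which is why the single long gap and the single long block at the end of a PN-cycle do not count against it. Counting primitive polynomials by brute force is of course only sensible for small n; for n = 5 the count is φ(31)/5 = 6.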

From these results it is clear that we can produce sequences satisfying A1, A2, A3. Since these conditions were chosen to ensure that our system satisfied the conditions C1, C2, C3 we might, (but of course will not!), be tempted to assume we have a 'good' system. The 'flaw' in our system is a consequence of the fact that a PN-sequence with period $2^n - 1$ is completely determined by any set of 2n consecutive terms. Thus if a cryptanalyst knows 2n consecutive bits of plaintext and ciphertext equivalents he will be able to deduce the entire message. To do this he will have to invert a suitable n by n binary matrix whose entries are the 2n known bits of the sequence. So if the 'certain amount' in C3 is more than 2n consecutive bits the cover time for our system will be roughly the time needed for the inversion of an n by n binary matrix. This weakness comes from the use of a linear feedback function and forces us to add a fourth requirement:

A4 The system must appear to be non-linear. (For a shift register this means that the feedback function f must contain at least one product involving two (or more) of the $s_i$.)

There are two standard ways of introducing non-linearity:

(a) use a non-linear feedback function,

(b) use more than one linear shift register.
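The 'flaw' described above is the check a designer should run on any candidate keystream before relying on A1 to A3. The following added example (not part of the talk) does exactly what the text describes: from 2n consecutive bits of an n-stage linear register, recurrence (2) gives n linear equations over $Z_2$ in the unknown coefficients $c_0, \ldots, c_{n-1}$; solving them (the n by n binary matrix inversion) recovers the register and hence every later bit. The register $x^5 + x^2 + 1$ and its initial state are constructed values standing in for the secret ones.

```python
"""Why requirement A4 is needed: 2n consecutive bits determine a linear register.

Added example, not from the paper.  Knowing n and the bits s_0 ... s_{2n-1} of a
linear n-stage register, recurrence (2) gives n linear equations over Z_2 in the
unknown feedback coefficients c_0 ... c_{n-1}; solving them is the "inversion of
an n by n binary matrix" the text mentions, and it yields every later bit.  The
register below (x^5 + x^2 + 1, a constructed choice) stands in for the secret one.
"""


def lfsr_sequence(coeffs, state, length):
    """s_0 ... s_{length-1} with s_{t+n} = sum_i c_i s_{t+i} (mod 2)."""
    n = len(coeffs)
    s = list(state)
    while len(s) < length:
        s.append(sum(c * b for c, b in zip(coeffs, s[-n:])) % 2)
    return s[:length]


def solve_gf2(matrix, rhs):
    """Gauss-Jordan elimination over Z_2.  Returns the unique solution, or None when the
    matrix is singular (the given bits then do not pin down an n-stage register)."""
    n = len(matrix)
    rows = [list(r) + [b] for r, b in zip(matrix, rhs)]          # augmented matrix
    for col in range(n):
        pivot = next((r for r in range(col, n) if rows[r][col]), None)
        if pivot is None:
            return None
        rows[col], rows[pivot] = rows[pivot], rows[col]
        for r in range(n):
            if r != col and rows[r][col]:
                rows[r] = [a ^ b for a, b in zip(rows[r], rows[col])]
    return [row[n] for row in rows]


def recover_feedback(bits, n):
    """[c_0, ..., c_{n-1}] from 2n consecutive bits of an n-stage linear register."""
    if len(bits) < 2 * n:
        raise ValueError("need at least 2n consecutive bits")
    # equation t:  s_t c_0 + s_{t+1} c_1 + ... + s_{t+n-1} c_{n-1} = s_{t+n}
    matrix = [bits[t:t + n] for t in range(n)]
    rhs = [bits[t + n] for t in range(n)]
    return solve_gf2(matrix, rhs)


def extend(bits, n, length):
    """Continue the observed bits to `length` bits using the recovered register."""
    coeffs = recover_feedback(bits, n)
    return None if coeffs is None else lfsr_sequence(coeffs, bits[:n], length)


def demo():
    """Constructed secret register and initial state; returns (recovered coefficients,
    whether the 40-bit continuation from 10 known bits matches the real sequence)."""
    secret_coeffs = [1, 0, 1, 0, 0]               # f(x) = 1 + x^2 + x^5
    secret_state = [1, 0, 1, 1, 0]
    real = lfsr_sequence(secret_coeffs, secret_state, 40)
    known = real[:10]                              # 2n = 10 bits of known keystream
    return recover_feedback(known, 5), extend(known, 5, 40) == real
```

When the 2n bits come from a sequence whose linear equivalence is below n (for instance a constant run), the matrix is singular and `solve_gf2` returns None; a shorter register then has to be tried, which is the situation the later remarks on linear equivalence address.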

I do not intend to say much about (a). There does not appear to be the same type of 'neat' mathematical theory as for linear shift registers. For instance there is no natural analogue to T1. Anyone interested in studying non-linear feedbacks should consult the recent survey article of Ronse (1980).

With (b) it is absolutely crucial to realise that a complex looking system with numerous shift registers is not necessarily secure. In fact it is imperative to combine the registers in such a way that it is possible to analyse the overall system. An important concept in this type of analysis is the linear equivalence of a sequence. The linear equivalence of a binary sequence is the length of the shortest linear shift register which can generate it. If $(s_t)$ has linear equivalence n then knowledge of 2n consecutive bits completely determines $(s_t)$. Thus, no matter how we actually generate $(s_t)$, we must ensure that it has a large linear equivalence. In fact large enough that the cryptanalyst should not be able to invert an n by n matrix within our required cover time. This means that we now require our sequence to have a long period, large linear equivalence and good statistical properties. However it is important to realize that these three properties only offer necessary conditions for a good sequence. They certainly do not guarantee a secure system. It is also important to realize that no two of these properties guarantee the third and that each of the three of them must be carefully checked. As an illustration of what can go wrong, consider the following two 'bad' examples of ways of combining registers.

Example 1

[Figure: SR1 and SR2 feeding an AND gate.]

SR1 is a shift register generating a PN-sequence of period $2^n - 1$. SR2 is a shift register generating a PN-sequence of period $2^m - 1$. The gate is an AND gate, or modulo 2 multiplier. If $(2^m - 1, 2^n - 1) = 1$ it is easy to show that the period of the resulting sequence is $(2^m - 1)(2^n - 1)$. However the sequence will not have good statistical properties because roughly 3/4 of its entries will be 0. (This is because 0 × 1 = 1 × 0 = 0 × 0 = 0 and 1 × 1 = 1.) Thus, no matter what the linear equivalence this example is unsuitable.
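Example 1 checked numerically, as an added example that is not part of the talk: SR1 ($x^3 + x + 1$, period 7) and SR2 ($x^4 + x + 1$, period 15) are constructed registers with coprime periods. The AND output is found to have period 7 · 15 = 105, and exactly 4 · 8 = 32 of the 105 bits in a cycle are 1, since the output is 1 only where both inputs are 1; the zero fraction is therefore close to the 3/4 the text gives.

```python
"""Example 1 checked numerically: AND-ing two PN-sequences.

Added example, not from the paper.  SR1 (x^3 + x + 1) and SR2 (x^4 + x + 1) are
constructed registers of coprime periods 7 and 15.  The AND-combined sequence has
period 7 * 15 = 105, but only 4 * 8 = 32 of its 105 bits are 1: the output is 0
whenever either input is 0, which is the imbalance the text points out.
"""


def lfsr_sequence(coeffs, state, length):
    """s_0 ... s_{length-1} with s_{t+n} = sum_i c_i s_{t+i} (mod 2)."""
    n = len(coeffs)
    s = list(state)
    while len(s) < length:
        s.append(sum(c * b for c, b in zip(coeffs, s[-n:])) % 2)
    return s[:length]


def and_combine(seq_a, seq_b):
    """The AND gate (modulo 2 multiplier) of Example 1."""
    return [a & b for a, b in zip(seq_a, seq_b)]


def sequence_period(seq):
    """Smallest p with seq[t] == seq[t + p] for every available t; needs more than 2p bits."""
    n = len(seq)
    for p in range(1, n // 2 + 1):
        if all(seq[t] == seq[t + p] for t in range(n - p)):
            return p
    return None


def example_1(length=315):
    """Returns (period of the AND output, zeros in one cycle, ones in one cycle)."""
    sr1 = lfsr_sequence([1, 1, 0], [1, 0, 0], length)         # x^3 + x + 1: period 7, 4 ones per cycle
    sr2 = lfsr_sequence([1, 1, 0, 0], [1, 0, 0, 0], length)   # x^4 + x + 1: period 15, 8 ones per cycle
    out = and_combine(sr1, sr2)
    p = sequence_period(out)
    return p, out[:p].count(0), out[:p].count(1)
```

The count 32 follows from the Chinese remainder theorem: over one cycle of length 105 every pair of positions (t mod 7, t mod 15) occurs exactly once, so the ones of SR1 and SR2 coincide 4 · 8 times. The same reasoning gives the general figure of roughly one quarter ones for any two balanced inputs.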

Example 2

[Figure: SR1 and SR2 driving a J-K flip-flop.]

Here SR1 and SR2 are as in Example 1 and the action of the J-K flip-flop is described by:

where $q_0 q_1 q_2 \ldots$ is the output sequence.

Here the problem is not the periodicity or the statistical properties. It arises from the fact that knowledge of two consecutive entries of the output sequence determines an entry in one of the two shift register sequences. Thus knowledge of a certain amount of the output sequence will eventually give enough information to determine each of the two shift register sequences.

In general it is often difficult to actually determine the linear equivalence of a sequence. But it is probably dangerous to use one with an unknown linear equivalence. At present one of the most promising ways of combining two registers is by multiplexing. This is the topic of the next lecture and provides a suitable place for this talk to end. However, to put things into perspective, we must not forget that the sequence generator is only a part of the overall system and that, although crucial, a good sequence in no way guarantees a secure system.

Professor F.C. Piper, Department of Mathematics, Westfield College, (University of London), Kidderpore Avenue, London, NW3 7ST. U.K.

REFERENCES

The standard references for shift register sequences are Golomb (1967) and Selmer (1966). As mentioned earlier Ronse (1980) is a survey of shift registers with non-linear feedback. An overall discussion of stream ciphers can be found in Beker and Piper (1982).

Beker, H.J. and Piper, F.C.: Cipher Systems: the protection of communications. Northwood Books, 1982.

Golomb, S.W.: Shift Register Sequences. Holden-Day, 1967.

Ronse, C.: Non-linear shift registers: A survey. MBLE Research Report R430, 1980.

Selmer, E.S.: Linear recurrence relations over finite fields. Univ. of Bergen, 1966.

MULTIPLEXED SEQUENCES: SOME PROPERTIES OF THE MINIMUM POLYNOMIAL

S.M. Jennings, Racal Research Ltd., Worton Grange Industrial Estate, Reading, Berks. RG2 0SB, England.

T. Beth (Ed.): Cryptography - EUROCRYPT '82, LNCS 149, pp. 189-206, 1983. © Springer-Verlag Berlin Heidelberg 1983

1. INTRODUCTION

In recent years considerable interest has been shown in the generation of binary sequences which have good randomness properties. Such sequences play an important role in cipher systems. In many situations the enciphering process begins with the conversion of the plaintext into a string of bits by means of a binary "alphabet". The sequence is then added to the plaintext bit by bit, using modulo 2 arithmetic, and the resulting ciphertext is then transmitted. Decipherment is accomplished simply by adding the sequence to the ciphertext in a similar manner.

Any sequence generated by a finite-state machine cannot be considered truly random, since if the input is ultimately periodic then the output must be also. An interceptor who knows the plaintext equivalent of k bits of ciphertext also knows k bits of the sequence. If it takes less than k bits of sequence to determine it in its entirety, then the whole message may be discovered. If the generated sequence has minimum polynomial of degree d, then knowledge of any 2d consecutive bits is sufficient to determine it completely. Thus we have three important requirements for a sequence used in a cipher system:

1. The period of the sequence must be long (at least as long as any message to be enciphered).

2. The sequence should have a minimum polynomial of large degree.

3. The sequence must appear random.

It must be emphasized that for a good sequence generator within a cipher system, these requirements are certainly necessary but clearly not sufficient (for example see [Beker & Piper, 1982]). In this paper we show how a special class of sequences, called multiplexed sequences, satisfy the first two requirements. This provides some evidence that multiplexed sequences may be eligible for use as a building block ([Beker & Piper, 1982]) towards a complete sequence generator. In practice, a sequence used in a cipher system would be far more complex than those we shall consider here.

This work is contained in my Ph.D. thesis entitled "A Special Class of Binary Sequences" submitted to the University of London in 1980. I would like to thank Dr. Henry Beker and Professor Fred Piper for their invaluable advice and encouragement and Racal Electronics Ltd. for their help and support.

2. PRELIMINARIES

An n-stage (binary linear feedback) shift register consists of n binary storage elements $S_0, S_1, \ldots, S_{n-1}$ called stages, connected in series. The contents of the stages change in time with a clock pulse according to the rule: Let $S_i(t)$ denote the content of $S_i$ after the t-th time pulse (t = 0, 1, 2, ...). Then

$S_i(t+1) = S_{i+1}(t)$ for i = 0, 1, ..., n-2

and

$S_{n-1}(t+1) = \sum_{i=0}^{n-1} c_i S_i(t) \pmod 2$

where the $c_i$ are all specified as 0 or 1. This is represented by the diagram below where $c_i = 1$ denotes a closed connection and $c_i = 0$ an open one.

[Figure: the n-stage register $S_0, S_1, \ldots, S_{n-1}$ with feedback connections $c_0, \ldots, c_{n-1}$.]

We assume $c_0 = 1$ so that $S_{n-1}(t+1)$ is dependent on $S_0(t)$. If we put $s_t = S_0(t)$, we get an infinite binary sequence denoted $(s_t)$ satisfying the linear recurrence relation

$s_{t+n} = \sum_{i=0}^{n-1} c_i s_{t+i}$ for t = 0, 1, 2, ...   (1)

We often identify a shift register with its characteristic polynomial $f(x) = 1 + c_1 x + c_2 x^2 + \ldots + c_{n-1} x^{n-1} + x^n$ (remembering $c_0 = 1$). The set of all infinite binary recurring sequences $(s_t)$ generated by f(x) is called the solution space of f and is denoted $\Omega(f)$. Each of the $2^n$ possible initial states corresponds to a unique sequence in $\Omega(f)$. It is well-known [Selmer, 1966] that $\Omega(f)$ is a vector space of dimension n over GF(2), where addition and scalar multiplication of sequences are the obvious termwise operations. The infinite sequence of all zeros arising from an initial state of n zeros is the null sequence.

For proof of the following, the reader is referred to [Zierler, 1959].

Result 1 For any non-null periodic binary sequence $(s_t)$, there exists a unique polynomial g(x) with g(0) ≠ 0, such that for any polynomial h(x) with h(0) ≠ 0, $(s_t) \in \Omega(h)$ if and only if $g(x) \mid h(x)$.

The polynomial g(x) of Result 1 is the minimum polynomial of the sequence $(s_t)$. We let $T(s_t)$, or T(s), denote the sequence $(s_{t+1})$, the translate of $(s_t)$ by T. It can be shown that if the minimum polynomial g(x) has degree d, then the d sequences $(s_t), T(s_t), \ldots, T^{d-1}(s_t)$ are linearly independent in $\Omega(g)$ [Selmer, 1966].

For an arbitrary polynomial f(x) over GF(2) with f(0) ≠ 0, we say f(x) belongs to exponent e if $f(x) \mid x^e + 1$ and $f(x) \nmid x^r + 1$ for 0 < r < e.

... such that for $\ell = 0, 1, \ldots, 2^k - 1$ and t = 0, 1, 2, ... Substituting the expressions for $a_t, a_{t+\tau}, b_{t+v_1}, \ldots, b_{t+v_{2^k-1}}$ from (3), (4) and (7) into equation (6), we have
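Result 1 and the remarks following it can be made concrete by computing minimum polynomials. The paper gives no algorithm for this; the added example below (not part of the paper) uses Berlekamp-Massey synthesis, the standard way of finding the shortest linear register for a given sequence, whose connection polynomial reversed is the minimum polynomial g(x). It checks that g divides exactly the polynomials h with $(s_t) \in \Omega(h)$, that a translate $T(s_t)$ has the same minimum polynomial, and it compares the sum (mod 2) and the product (AND) of two PN-sequences: the sum has minimum polynomial $f_1 f_2$ of degree 7, the product one of degree 3 · 4 = 12. The registers $x^3 + x + 1$ and $x^4 + x + 1$ are constructed choices.

```python
"""Minimum polynomial and linear equivalence via Berlekamp-Massey.

Added example, not from the paper (the paper does not give an algorithm; the
Berlekamp-Massey synthesis used here is the standard way to find the shortest
linear register for a sequence).  It illustrates Result 1 and the remarks around
it: the minimum polynomial g(x) of (s_t), the fact that (s_t) lies in Omega(h)
exactly when g | h, and that a translate T(s_t) has the same minimum polynomial.
The registers x^3 + x + 1 and x^4 + x + 1 are constructed choices.
"""


def lfsr_sequence(coeffs, state, length):
    """s_0 ... s_{length-1} with s_{t+n} = sum_i c_i s_{t+i} (mod 2), as in (1)."""
    n = len(coeffs)
    s = list(state)
    while len(s) < length:
        s.append(sum(c * b for c, b in zip(coeffs, s[-n:])) % 2)
    return s[:length]


def berlekamp_massey(bits):
    """Shortest LFSR for bits: returns (L, C) with C(x) = 1 + C[1] x + ... + C[L] x^L and
    s_j = C[1] s_{j-1} + ... + C[L] s_{j-L} (mod 2) for every j >= L."""
    n = len(bits)
    C, B = [1] + [0] * n, [1] + [0] * n
    L, m = 0, 1                                    # m: shift since the last length change
    for i in range(n):
        d = bits[i]                                # discrepancy between prediction and s_i
        for j in range(1, L + 1):
            d ^= C[j] & bits[i - j]
        if d == 0:
            m += 1
            continue
        T = C[:]
        for j in range(n + 1 - m):
            C[j + m] ^= B[j]                       # C(x) <- C(x) + x^m B(x)
        if 2 * L <= i:
            L, B, m = i + 1 - L, T, 1
        else:
            m += 1
    return L, C[:L + 1]


def minimum_polynomial(bits):
    """Coefficients [g_0, ..., g_d] (ascending powers) of the minimum polynomial: the
    characteristic polynomial is the reciprocal of the connection polynomial, g(x) = x^L C(1/x)."""
    L, C = berlekamp_massey(bits)
    return list(reversed(C))


def in_solution_space(bits, f):
    """(s_t) in Omega(f): sum_i f_i s_{t+i} = 0 (mod 2) for every t the data allows."""
    n = len(f) - 1
    return all(sum(f[i] & bits[t + i] for i in range(n + 1)) % 2 == 0
               for t in range(len(bits) - n))


def gf2_poly_mul(a, b):
    """Product of two polynomials over GF(2), coefficients in ascending powers."""
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        if x:
            for j, y in enumerate(b):
                out[i + j] ^= y
    return out


def demo(length=315):
    """Sum (mod 2) and product (AND) of the two constructed PN-sequences.

    Returns (minimum polynomial of the sum, degree of the minimum polynomial of the product)."""
    f1, f2 = [1, 1, 0, 1], [1, 1, 0, 0, 1]         # x^3 + x + 1 and x^4 + x + 1
    a = lfsr_sequence(f1[:-1], [1, 0, 0], length)
    b = lfsr_sequence(f2[:-1], [1, 0, 0, 0], length)
    s_sum = [x ^ y for x, y in zip(a, b)]
    s_and = [x & y for x, y in zip(a, b)]
    return minimum_polynomial(s_sum), len(minimum_polynomial(s_and)) - 1
```

The synthesis needs at least 2d bits to settle on a degree-d minimum polynomial, which is the same 2d figure the introduction gives for determining the sequence; the demo uses three full periods (315 bits) of the combined sequences, comfortably more than 2 · 12.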

This proves Lemma 2. Because the final value of S(k) will be the remainder after a division by $b_1$, this final value must be zero when $b_1 = 1$. But if $b_1 \ge 2$, the initial value S(k) = 1 will be unchanged in each pass through step a) so the final value of S(k) will also be 1. This proves Lemma 3.

For convenience, we now define

so that the inequality

(15)

holds for $0 \le i \le k$ whenever $\underline x$ has binary components. More generally, if the components of $\underline x$ are integers (possibly negative) such that

$|x_j| \le \beta$,   (16)

then (15) can be replaced by

$|\underline x \cdot \underline a^{(i)}| \le \beta\, m^{(i-1)}$, $1 \le i \le k$.   (17)

With these preliminaries, we can now state the following lemma that will be the basis for our subsequent authentication procedure.

Lemma 4: If $\underline x$ is a vector with integer components satisfying (16) such that

(20)
298

Proof: Multiplying both s i d e s of (20) by w ( ~ )and then reducing modulo m ( i ) ,

w e s e e by v i r t u e

of ( 3 ) and (23) t h a t

X'd

( i )- z ( i ) (i)) (mod m ,

which i s e q u i v a l e n t t o ( 2 1 ) h o l d i n g f o r some i n t e g e r L. But by d e f i n i t i o n O L E

(i)

m(i-i)

,

which t o g e t h e r w i t h (17) g i v e s

I5.5 ( i ) -

z(i)

I

~ s c I( +~ )

< ( ~ + i )m

.

(i-1)

I n e q u a l i t y ( 2 2 ) now f o l l o w s from t h i s i n e q u a l i t y and ( 2 1 ) . Notice t h a t when & ( i ) = 0 i n Lemma 4 , t h e corresponding ~ 5 ' is~some ) (i) integer multiple of m according t o ( 2 1 ) . W e s h a l l make u s e of such v e c t o r s 5 i n our a u t h e n t i c a t i o n procedure t o ' c o r r e c t ' f o r discrepancies between ~ - 5 'and ~ )S (i) a t each s t e p i n t h e d e c i p h e r i n g p r o c e s s . Toward t h i s end, we w r i t e & ( i , L ) t o d e n o t e a vector with i n t e g e r components such t h a t t ( i , L ) -a-(') -

L m (i) ,

=

and we c a l l & ( i , L ) an i - t h

(24)

l e v e l correction vector w i t h multiplicity L. I t f o l l o w s

from ( 2 4 ) t h a t ENl t ( i , L 1 )

+

N

t ( i , L 2 ) ] * d(1) = [NILl

+

N ~ L ~m ( ] i );

2 -

(25)

t h i s l i n e a r r e l a t i o n s h i p can be used t o combine c o r r e c t i o n v e c t o r s so as t o produce f u r t h e r c o r r e c t i o n v e c t o r s . Notice i n p a r t i c u l a r t h a t we can choose - t ( i , L )

as the

c o r r e c t i o n v e c t o r of m u l t i p l i c i t y -L without a l t e r i n g the magnitudes of t h e components. We now s t a t e an a u t h e n t i c a t i o n procedure i n which we assume t h e a v a i l a b i l i t y o f t ( i , L ) for 0

2

i < k

and f o r a l l necessary p o s i t i v e m u l t i p l i c i t i e s L. I n t h e n e x t s e c t i o n ,

w e w i l l determine t h e n e c e s s a r y m u l t i p l i c i t i e s and show how t o f i n d such c o r r e c t i o n vectors whose components have s m a l l magnitude, a s required f o r t h e a u t h e n t i c a t i o n procedure t o be s e c u r e . W e a l s o h e r e a f t e r assume t h a t b l = I so t h a t , accordin? t o Lemma 3 , every p r e - s i g n a t u r e S is an apparently v a l i d knapsack f o r t h e d e c i p h e r i n g algorithm D'. Signature-Forming A l g o r i t h m f o r TK-PKC:

a) S e t S(') s(i+l)

= u

f o r i = 0,1,

e q u a l t o t h e given pre-signature S. Compute t h e i n t e g e r ( i )s ( i )

(mod m ( i ' )

...,k. b) A p p l y Algorithm I1 t o S ( k ) t o produce a vector x such t h a t

299

Set i = k-1. c) Calculate the integer L d) If L

2 0, replace x by

=

[x-a(i)- s(i)l

x - t(i,L).

If L

,


0, but we then use Algorithm I1 to find =

- ' 5(k) + h u (k-1) ,(k-2)

(mod m

(k-1)

5 ' ' such that (38)

for some integer L'. Using the previously formed correction vector t(k-l,L'), we can now form x = X" -

-

X' -

- -t(k-1,L')

(40)

302 which will s a t i s f y (k-1)

-x --a

= h m

(k-2)

Again w e invoke Lemma 4 , now t o o b t a i n X'5 -

(k-2)

= L m (k-2)

f o r some1 i n t e g e r L. I f L

i

0 , w e r e p l a c e 5 by -5 t o obtain a v e c t o r 5 such that

so t h a t w e may now choose

a s a (k-21-level from ( 2 9 ) ,

c o r r e c t i o n v e c t o r of c l a s s 1 with p o s i t i v e m u l t i p l i c i t y L. I t f o l l o w s

(311 and ( 3 7 ) t h a t the components of 5 s a t i s f y

Choosing both h = 0 and h = 1, and forming a l s o class-2 and class-3 c o r r e c t i o n v e c t o r s by sums and d i f f e r e n c e s as b e f o r e , we continue with f u r t h e r choices of t(k-2,L)

has been o b t a i n e d f o r a l l L ,

12

L

2

r'

p. The components of these

until (k-Z)-level

c o r r e c t i o n v e c t o r s are guaranteed t o s a t i s f y

j t . (k-2,L) J

1

5

3*28 = 8 4

(43)

but t h e maximum components w i l l g e n e r a l l y be considerably smaller.

3. The Remaining Correction Vectors

To find the correction vectors $t(k-i,L)$ for $i > 2$, we again choose $x'$ exactly as before, but then use Algorithm II to find $x''$ such that
$$x''\cdot a^{(k)} = \Big[u^{(k-1)}\cdots\big[u^{(k-i+2)}\big[u^{(k-i+1)}\,(x'\cdot a^{(k-i)} + h\,u^{(k-i)}) \bmod m^{(k-i+1)}\big] \bmod m^{(k-i+2)}\big]\cdots\Big] \bmod m^{(k-1)}. \qquad (44)$$
We then use $x''$ with the correction vectors obtained at the previous levels to obtain finally a vector $x$ such that $x\cdot a^{(k-i)} = L\, m^{(k-i)}$ with $L > 0$, which we may then choose as a $(k-i)$-level correction vector of class $i$ with positive multiplicity $L$. Choosing both $h = 0$ and $h = 1$, and forming also class-2 and class-3 correction vectors by sums and differences as before, we continue with further choices of $x'$ until $t(k-i,L)$ has been formed for all $L$, $1 \le L \le \mu$. It can readily be checked that the components of these $(k-i)$-level correction vectors are guaranteed to satisfy a bound that grows by at most a factor of four per level [i.e., at most two more bits are required to represent the components of the correction vectors at each successive level], but again the maximum components will generally be considerably smaller. This process is iterated with increasing $i$ until finally the 0-level correction vectors $t(0,L)$ have been formed for $1 \le L \le \mu$. These complete the set of correction vectors required to carry out the Signature-Forming Algorithm.

As an indication of the actual complexity of forming the set of correction vectors, the above process was implemented for a TK-PKC system of practical size, namely $n = 200$, $k = 3$ and $\mu = \tfrac{3}{2} n = 300$ [the choice of which will soon be explained]. Twenty random choices of $x'$ sufficed to generate all $\mu = 300$ level-2 correction vectors; 34 choices of $x'$ were needed for level 1 and 29 choices of $x'$ were required for level 0. Modular multiplications similar to that in (5)

$$k_{ij} = k_{i-1,j} \bmod l_{ii} \quad (i > 0), \qquad e_{ij} = 0 \quad (j < i), \qquad e_{ij} = l_{i-1,j} \bmod l_{ii} \quad (j > i).$$
Note that the integers $l_{ii}$ are independent variables. We now solve for $y_i$ in (2):
$$y_i = \sum_{j=0}^{n} b_{ij}\, x_j, \qquad \text{where } b_{ij} = \frac{k_{ij}}{l_{ii}} - \sum_{v=1}^{i-1} \frac{l_{iv}}{l_{ii}}\, b_{vj} \quad \text{for } i > 0. \qquad (4)$$
Even though (1) has only one solution, (2) and (4) may have more than one integer solution for $y_i$ with $x_j \in \{0,1\}$. Only one of these solutions, however, will also satisfy (3).

The idea of the algorithm is to use the fact that $x_j$ is bound to the interval $[0,1]$ (in fact $x_j \in \{0,1\}$) to bound $y_i$ using (3) and (4). If we are lucky there is only one integer $y_i$ (for some $i$) in the interval so found. The derived $y_i$ are inserted in (4) and some $x_j$ are found using the same bounding technique. Then the number of unknown variables $x_j$ in (1) is reduced. The knapsack problem is then reformulated to one of lesser dimensionality and the algorithm is repeated.

From (4) we can derive a recursive relation for $y_i$. We multiply (4) by $l_{iv}/l_{ii}$ and sum over $v$ from 1 to $i-1$. This yields:
$$\sum_{v=1}^{i-1} \frac{l_{iv}}{l_{ii}}\, y_v = \sum_{j=0}^{n} \Big( \sum_{v=1}^{i-1} \frac{l_{iv}}{l_{ii}}\, b_{vj} \Big) x_j .$$
We now observe that
$$\sum_{v=1}^{i-1} \frac{l_{iv}}{l_{ii}}\, b_{vj} = \frac{k_{ij}}{l_{ii}} - b_{ij} .$$
Thus
$$\sum_{v=1}^{i-1} \frac{l_{iv}}{l_{ii}}\, y_v = \sum_{j=0}^{n} \frac{k_{ij}}{l_{ii}}\, x_j - \sum_{j=0}^{n} b_{ij}\, x_j .$$
We recognize $y_i$ from (4) in the right part of the above relation. This finally yields:
$$y_i = \sum_{j=0}^{n} \frac{k_{ij}}{l_{ii}}\, x_j - \sum_{v=1}^{i-1} \frac{l_{iv}}{l_{ii}}\, y_v . \qquad (5)$$
As we have noted before, (5) might have multiple solutions (integers $y_i$ and $x_j \in \{0,1\}$) due to the modulo reductions leading to (2). To obtain a unique solution we have to use both (5) and (3).

3. Bounding of $y_i$

We will now bound $y_i$ using the fact that $x_j \in \{0,1\}$. We observe that $k_{ij}$ and $l_{ij}$ are non-negative for all $i$ and $j$ while $b_{ij}$ can have any sign. This observation used in (3), (4) and (5) yields an upper bound $\max y_i$, obtained by setting $x_j = 1$ exactly for the $j$ with $b_{ij} > 0$, and a lower bound $\min y_i$, obtained by setting $x_j = 1$ exactly for the $j$ with $b_{ij} < 0$; both are rounded to integers, where $[x]$ denotes the integer part of $x$.

The most important part in the bounding above is the one based on (4) using the coefficients $b_{ij}$. To obtain tight bounds we use the following rule:

How well the algorithm works using this rule is still an open question. Experience indicates, however, that the bounds for $y_i$ often embrace just one integer for $i$ from 4-5 on upwards.

Once a number of $y_i$ are found they can be used in (4) to give a system of equations. From this system the same number of $x_j$ may be solved using the same bounding technique as when deriving $y_i$.

4. Geometric interpretation

The system of equations (2) (for $i > 0$) may be written in matrix form:
$$L\,\mathbf{y} = K\,\mathbf{x} . \qquad (6)$$
If $l_{ii}$ is chosen amongst $\{k_{i-1,j}\}_{j=0}^{n}$ (which often turns out to be advantageous) then the columns of the matrix $K$ may be rearranged (i.e. $x$ renumbered) so that $K$ is upper triangular. The matrix $L$ is by definition lower triangular. Using (6) we can rewrite (4), yielding
$$\mathbf{y} = B\,\mathbf{x}, \qquad \text{where } B = L^{-1} K . \qquad (7)$$
Since $x_j \in \{0,1\}$ the possible vectors $\mathbf{x}$ terminate in the corners of the $n$-dimensional hypercube with one corner at the origin. This hypercube is transformed by the matrix $B$ into the integer lattice formed by all possible vectors $\mathbf{y}$. The efficiency of the algorithm relies upon not more than one lattice point being located in or on the transformed cube. The volume of the transformed cube is equal to the determinant of the matrix $B$. With the above mentioned choice of $l_{ii}$ (yielding a triangular matrix $K$) the determinant of $B$ is
$$\det B = \prod_{i=1}^{n} \frac{k_{ii}}{l_{ii}} .$$
Due to the modulo reductions, $k_{nn}$ is very small, in fact often less than 10. Thus the volume of the transformed cube is small, of the order of the inverse of an element in $\{k_{0j}\}$. This should guarantee a single lattice point within or on the transformed hypercube if $B$ is orthogonal or close to orthogonal. The problem is that the algorithm cannot guarantee this. How to make the matrix $B$ work to our advantage is still an open problem.

Reference

[Merkle, 1978] R.C. Merkle and M.E. Hellman: "Hiding Information and Signatures in Trap-Door Knapsacks", IEEE Trans. on Information Theory, Vol. IT-24, pp. 525-530, September 1978.

Trapdoors in Knapsack Kryptosystems

Prof. Dr. R. Eier, Institut für Datenverarbeitung, Technische Universität Wien

Dipl.-Ing. H. Lagger, Forschungslaboratorien der Siemens AG, München

Abstract

A way to attack public-key cryptosystems based on the knapsack problem is proposed. The basic idea of the approach described is to find pairs of natural numbers, namely values for a modulus $\bar m$ and a multiplier $\bar w$, which reduce the knapsack elements simultaneously by modular multiplication. The ratio $r = \bar w/\bar m$ plays an overriding role.

T. Beth (Ed.): Cryptography - EUROCRYPT '82, LNCS 149, pp. 316-322, 1983. © Springer-Verlag Berlin Heidelberg 1983

Introduction

In recent years a new kind of cryptographic system, the public-key system, has been introduced [Diffie, Hellman, 1976]. This system uses different keys for encryption and decryption. The key used to encrypt a message can be made public. There is no longer any need to transmit keys through secure channels. Some of these public-key systems are based on the knapsack problem. In the following, some aspects associated with the security of such systems will be discussed.

A knapsack is mathematically represented by a vector $A$ of $n$ natural numbers $(a_1, \ldots, a_n)$. The knapsack problem is to find a binary vector $X = (x_1, \ldots, x_n)$ for a given sum $S$ such that
$$S = \sum_{i=1}^{n} a_i x_i \qquad (1)$$
holds, if such an $X$ does exist [Merkle, Hellman, 1979]. Only about $n$ additions are needed to compute the sum $S$ for a given vector $X$, yet the work of finding a vector $X$ corresponding to a known sum $S$ grows exponentially with the dimension $n$. This property can be used to construct a public-key system. The public key in such a cryptosystem is given by the vector $A$, and the message to be transmitted is represented by the binary vector $X$. The cryptogram $S = \sum a_i x_i$ is sent to the intended receiver. Only this person knows the hidden structure and is thus in a position to reconstruct the information $X$. There exist various structures of knapsacks which allow for a fast computation of the vector $X$. R.C. Merkle and M.E. Hellman originally proposed using a superincreasing sequence $(a'_1, \ldots, a'_n)$ with the property
$$a'_i > \sum_{j=1}^{i-1} a'_j \qquad (2)$$
To hide this structure they suggested using a modulus $m$ and a multiplier $v$ such that
$$m > \sum_{i=1}^{n} a'_i \quad \text{and} \quad \gcd(v, m) = 1. \qquad (3)$$
Instead of publishing the elements $a'_i$, the system is published according to
$$a_i = a'_i \cdot v \pmod m. \qquad (4)$$
On the premise that $\gcd(v, m) = 1$, a natural number $w$ exists which fulfills the property
$$w \cdot v = 1 \pmod m. \qquad (5)$$
This number $w$ can be used together with the modulus in order to recover the hidden structure and thus to decrypt the transmitted cryptogram.

The Cryptanalytic Attack

A cryptanalyst is not in possession of the secret parameters $m$, $w$. However, he may try to find other pairs of natural numbers $\bar m$, $\bar w$ which fulfill the following properties:
$$\bar a_i = a_i \cdot \bar w \pmod{\bar m} \qquad (6)$$
$$\sum_{i=1}^{n} \bar a_i < \bar m \qquad (7)$$
The problem of this kind of analysis is to find appropriate pairs of natural numbers $\bar m$, $\bar w$ which reduce the elements $a_i$ simultaneously by modular multiplication. The probability that two randomly chosen numbers have this property is very small [Shamir, 1980]. As will be shown later, the knowledge of a correct pair of integers is almost equivalent to the knowledge of the original trapdoor information. We call such pairs knapsack trapdoors. An exhaustive search for correct parameters $\bar m$, $\bar w$ seems to be computationally infeasible. One has two degrees of freedom, namely the selection of the integers $\bar m$ and $\bar w$. To narrow down the number of possible candidates we first study the effect of the operation denoted by (6). Equivalently one can write
$$\bar a_i/\bar m = a_i \cdot \bar w/\bar m \pmod 1 \qquad (8)$$
or, with the ratio $r = \bar w/\bar m$,
$$\bar a_i/\bar m = a_i \cdot r \pmod 1. \qquad (9)$$
As a function of $r$ this is a sawtooth-like curve starting at the origin with slope $a_i$. Upon reaching 1 the function falls back and starts from the zero line again. This function therefore consists of a set of parallel lines. The length of one period is given by $1/a_i$. As noted above, a cryptanalyst has to find pairs of natural numbers $\bar m$, $\bar w$ which fulfill the property
$$\sum_{i=1}^{n} a_i \cdot r \pmod 1 < 1. \qquad (10)$$
This means he has to search for one characteristic rational parameter $r$ instead of two parameters $\bar m$, $\bar w$. If one adds together all the sawtooth-like curves with the frequencies $a_i$, the resulting curve will in general be greater than one. There must however be at least one small interval $[r_1, r_2]$ where this function is less than one. Once this interval has been found one has no difficulty computing appropriate natural numbers $\bar m$, $\bar w$ with a ratio $r = \bar w/\bar m$ lying in the interval $[r_1, r_2]$.

If knapsack systems with large numbers are considered, there remains the problem of how to find the small intervals corresponding to the knapsack trapdoors. To simplify the solution we propose to shift the range of the function by 0.5 in the direction of negative values:
$$\hat a_i/\bar m = (a_i \cdot r + 0.5) \pmod 1 - 0.5 . \qquad (11)$$
To derive an equation instead of a congruence, now the sum of all absolute values $|\hat a_i/\bar m|$ must be smaller than 1. Graphically this is equivalent to a superposition of $n$ triangular curves with the frequencies $a_i$. The advantage of this is that both the number of intervals where the resulting curve is less than one and the width of these intervals increase substantially. If one chooses for example the small knapsack cryptosystem published in [Hellman, 1979], intervals for appropriate ratios $\bar w/\bar m$ are found by a short computer program (see Table 1).

Public key: $a_1 = 2292$, $a_2 = 1089$, $a_3 = 211$, $a_4 = 1625$, $a_5 = 1283$, $a_6 = 599$, $a_7 = 759$, $a_8 = 315$, $a_9 = 2597$, $a_{10} = 2463$

Table 1: Intervals for appropriate ratios $r = \bar w/\bar m$
    0.175370 <= r <= 0.175395
    0.350785 <= r <= 0.350790
    0.412305 <= r <= 0.412405

Because all triangular curves lie symmetrically about the value $r = 0.5$, all derived intervals can be found between $r = 0.5$ and $r \le 1$ as well. In order to analyze knapsack systems with more and larger elements, one has to take measures to diminish the computational effort. For example the periodic structure of the elementary functions can be used to iteratively restrict the regions where the minima of the resulting function must be located.

Discussion

The described algorithm indicates one way to find knapsack trapdoors. Using these trapdoors, a cryptanalyst may attack a cryptosystem in various ways. As discussed by A. Shamir, he may try to find $n$ linearly independent equations in the $n$ unknowns $x_i$. This attempt need not be successful in each case. In contrast to [Shamir, 1980] we found that not all resulting equations are linearly independent. If a large knapsack system is considered, such as proposed in [Merkle, Hellman, 1979], there exists only one linearly independent solution.

Another method of attack may prove to be more successful. Here the salient point is to find a pair of integers with a ratio $r = \bar w/\bar m$ lying very close to the ratio $r = w/m$, so that the first transformed element becomes very small. Using this type of trapdoor, the hidden structure is likely to reappear. In our example a modulus $\bar m = 1701559$ and a multiplier $\bar w = 1000000$ lead to a superincreasing sequence, as do the originally used parameters $m = 2731$ and $w = 1605$. In addition one can find the region of the original modulus $m$ by summing all elements $a_i$ and dividing the sum by $n/2$.

Yet another attack would be to look for partially solvable knapsacks [Ingemarsson, 1980]. This method may prove quite efficient using the above mentioned trapdoors. Finally one can state that the difficulty of attacking such a cryptosystem does not consist in applying the trapdoors, but in finding them. The time needed to find such trapdoors depends crucially on the magnitude of the knapsack elements used.
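The attack described above, worked through as an added example (this is the editor's code, not a program from the paper): it evaluates the sawtooth sum (10) and the shifted triangular sum (11) over the Hellman toy key of Table 1, scans $r$ on a grid to find the intervals where the triangular sum is below 1, refines a candidate with the sawtooth test, converts the ratio into a pair $(\bar w, \bar m)$ and checks whether the transformed key is superincreasing and decrypts. The grid steps, the rational approximation via `Fraction.limit_denominator` and all helper names are assumptions of this example; the pairs $(2731, 1605)$ and $(1701559, 1000000)$ are the ones quoted in the Discussion.

```python
from fractions import Fraction

# Toy public key from [Hellman 1979] as printed in Table 1 of the paper.
PUBLIC_KEY = [2292, 1089, 211, 1625, 1283, 599, 759, 315, 2597, 2463]
# The original secret pair quoted in the Discussion, used below only to check results.
ORIGINAL_M, ORIGINAL_W = 2731, 1605


def sawtooth_sum(key, r):
    """Left-hand side of (10): sum_i (a_i r mod 1). A trapdoor ratio must make it < 1."""
    return sum((a * r) % 1.0 for a in key)


def triangle_sum(key, r):
    """Sum of the absolute values of (11): sum_i |(a_i r + 0.5) mod 1 - 0.5|."""
    return sum(abs(((a * r + 0.5) % 1.0) - 0.5) for a in key)


def find_intervals(key, step=1e-5, lo=0.0, hi=1.0):
    """Scan r over [lo, hi] and return the maximal grid runs on which triangle_sum < 1."""
    intervals, start = [], None
    count = int(round((hi - lo) / step))
    for k in range(count + 1):
        r = lo + k * step
        if triangle_sum(key, r) < 1.0:
            if start is None:
                start = r
        elif start is not None:
            intervals.append((start, lo + (k - 1) * step))
            start = None
    if start is not None:
        intervals.append((start, hi))
    return intervals


def ratio_to_pair(r, max_denominator=10**7):
    """Natural numbers (w, m) with w/m closest to r among denominators <= max_denominator."""
    f = Fraction(r).limit_denominator(max_denominator)
    return f.numerator, f.denominator


def transform(key, w, m):
    """Eq. (6): every public element multiplied by w modulo m."""
    return [(a * w) % m for a in key]


def is_superincreasing(seq):
    total = 0
    for a in seq:
        if a <= total:
            return False
        total += a
    return True


def is_trapdoor(key, w, m):
    """(w, m) is usable if the transformed key is superincreasing and sums to less than m,
    so that (S * w) mod m is exactly the sum of the transformed elements selected by S."""
    t = transform(key, w, m)
    return is_superincreasing(t) and sum(t) < m


def search_trapdoor(key, coarse_step=1e-5, fine_step=1e-7, max_denominator=10**7):
    """Refine each coarse interval with the sawtooth test (10), then try to turn the ratio
    into an integer pair that passes is_trapdoor. Returns (w, m) or None."""
    for lo, hi in find_intervals(key, coarse_step):
        r = lo - coarse_step
        while r <= hi + coarse_step:
            if sawtooth_sum(key, r) < 1.0:
                w, m = ratio_to_pair(r, max_denominator)
                if is_trapdoor(key, w, m):
                    return w, m
            r += fine_step
    return None


def encrypt(key, bits):
    return sum(a for a, x in zip(key, bits) if x)


def decrypt(key, w, m, ciphertext):
    """Greedy superincreasing solve of (S w mod m) over the transformed key."""
    t = transform(key, w, m)
    target = (ciphertext * w) % m
    bits = [0] * len(key)
    for i in range(len(key) - 1, -1, -1):
        if t[i] <= target:
            bits[i], target = 1, target - t[i]
    if target != 0:
        raise ValueError("(w, m) is not a trapdoor for this ciphertext")
    return bits


if __name__ == "__main__":
    for lo, hi in find_intervals(PUBLIC_KEY):
        print(f"triangle sum < 1 for r in [{lo:.6f}, {hi:.6f}]")
    w, m = search_trapdoor(PUBLIC_KEY)
    print("found trapdoor w/m =", w, "/", m, "->", transform(PUBLIC_KEY, w, m))
```

Only pairs whose transformed elements are all positive (the sawtooth condition (10)) are accepted by `is_trapdoor`; intervals produced by the shifted function (11) can also correspond to trapdoors with "negative" elements lying in $(\bar m/2, \bar m)$, which this example does not try to use.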

Is the RSA-Scheme safe?

(Abstract) C.P. Schnorr, Fachbereich Mathematik, Universität Frankfurt

Summary: We present a new factoring algorithm which under reasonable assumptions and for $r \ge 2$ will factor about $n\,(r-2)^{-(r-1)}$ integers in $[1, n]$ within $n^{1/2r}$ multiplications in $G(-n)$. Here $G(-n)$ is the group of equivalence classes under $SL_2(\mathbb{Z})$ of primitive, positive forms $ax^2 + bxy + cy^2$ with discriminant $-n = b^2 - 4ac$. Let $h(-n) = |G(-n)|$ be the class number. Then $n$ will be factored within this time bound if

(1) the largest prime divisor of $h(-n)$ is $\le n^{1/r}$,

(2) the second largest prime divisor of $h(-n)$ is $\le n^{1/2r}$.

So far it is unpredictable which integers $n$ satisfy these conditions.

Stage 1 of the algorithm. $H \in G(-n)$ is called ambiguous if $H^2 = 1$ is the unit in $G(-n)$. It is well known that the ambiguous classes correspond to the factorizations $n = n_1 \cdot n_2$ of $n$ with $\gcd(n_1, n_2) = 1$. Our method of factoring $n$ is to construct an ambiguous class in $G(-n)$ as follows:

begin
    input n, r; form the list p_1 = 2, p_2 = 3, ... of all primes p_i < n^{1/2r}
    stage 1: choose H_0 in G(-n) arbitrarily; i := 2; H := H_0
        while p_i < n^{1/2r} do [ e_i := floor(log n / log p_i); H := H^{p_i^{e_i}}; i := i + 1 ]
        w := 1; e_1 := floor(log_2 n)
        while w <= e_1 and H != 1 do [ S := H; H := H^2; w := w + 1 ]
        if H != 1 then goto stage 2
        S is ambiguous and yields some divisor of n if S != 1;
        otherwise return to stage 1 and choose another independent H_0
end

T. Beth (Ed.): Cryptography - EUROCRYPT '82, LNCS 149, pp. 325-329, 1983. © Springer-Verlag Berlin Heidelberg 1983

Fact 1: Suppose $h(-n) \mid \prod_{p_i < n^{1/2r}} p_i^{e_i}$ and $\mathrm{ord}(H_0)$ is even; then stage 1 generates an ambiguous class $S \ne 1$.

In case $-n \equiv 1 \pmod 4$ every ambiguous class $S \ne 1$ yields a proper factor of $n$. In particular, when $n$ has $d$ distinct prime factors, then $2^{d-1} \mid h(-n)$, and there are exactly $2^{d-1}$ ambiguous classes corresponding to the $2^{d-1}$ pairs $(n_1, n_2)$ with $n_1 n_2 = n$, $n_1 < n_2$, $\gcd(n_1, n_2) = 1$. Moreover, when $n$ is composite and $H_0 \in G(-n)$ is chosen at random, then $\Pr[\mathrm{ord}(H_0) \text{ even}] \ge 1/2$. Hence stage 1 has a chance $\ge 1/2$ to find a proper factor of $n$ provided $h(-n) \mid \prod_{p_i < n^{1/2r}} p_i^{e_i}$. A few repetitions of stage 1 almost surely generate a proper factor of $n$ provided $h(-n) \mid \prod p_i^{e_i}$ and $n$ is composite:

Fact 2: Suppose $h(-n) \mid \prod p_i^{e_i}$ and $n$ is composite. If stage 1 is passed with $H_0$ chosen independently $k$ times, then with probability $\ge 1 - 2^{-k}$ a proper factor of $n$ has been found.

Next we consider the chance that $h(-n) \mid \prod p_i^{e_i}$ for random $n$. Siegel (1936) proved

We will assume the following for all $r$ and sufficiently large $n$:

Hypothesis 4

Conclusion about stage 1: By Hypothesis 4, stage 1 factors about one out of $r^r$ integers $n$ in $[1, n]$ within $\le 4.6\, n^{1/2r}$ multiplications in $G(-n)$.

Stage 2 (using a Pollard-Brent recursion). If $h(-n) \nmid \prod p_i^{e_i}$ with $e_i = \lfloor \log n / \log p_i \rfloor$ for $p_i < n^{1/2r}$, then stage 1 fails to factor $n$ and computes $H$. Stage 2 uses $H$ and will most likely find a proper divisor of $n$ within $O(n^{1/2r})$ steps provided $\mathrm{ord}(H) \le n^{1/r}$.

Stage 2 generates a random walk through the cyclic group $\langle H \rangle$ with generator $H$: with some function $f : \langle H \rangle \to \langle H \rangle$ let $H_1 = H$, $H_{i+1} := f(H_i)$. The function $f$ must be chosen such that

(1) $f$ is easy to compute,

(2) $f$ is sufficiently random,

(3) every relation $H_j = H_k$ with $j \ne k$ yields an ambiguous class $S$, depending on $H$, $f$, $j$, $k$.

It is known (see Knuth (1981), exercise 3.1.12) that some $H_j = H_k$ with $j \ne k$ can be expected if $f$ is sufficiently random. In stage 2 the step $H_{i+1} := H_i^{g(H_i)}$ uses exponents $g(H_i)$ that are powers of 2, so that $H_k = H^{2^{e} T}$ with $T$ counting the steps $i < k$ with $g(H_i) = 2$ and $e$ determined by the remaining steps. One finds some $k < j$ with $H_k = H_j$ and then starts a similar recursion on $H_j$. Now suppose (6): $T \equiv 1 \pmod 2$, which will almost surely be the case, and let $\mathrm{ord}(H) \equiv 2^e \pmod{2^{e+1}}$. Then (6) implies $\mathrm{ord}(H_j H_k^{-1}) = 2^e$ and therefore $S := (H_j H_k^{-1})^{2^{e-1}} \ne 1$ is an ambiguous class.

Fact 5: Let $F(n, r)$ be the number of integers in $[1, n]$ which will be factored by stage 2. By heuristic arguments we obtain the following lower bound on $F(n, r)$:

Table (page 329): heuristic lower bounds on $F(n,r)$ for $n$ up to about $2^{500}$ and $r$ between 4 and 8. The column layout and most entries were lost in extraction.

AN EFFICIENCY COMPARISON OF THE FACTORING METHODS OF MORRISON-BRILLHART AND SCHROEPPEL *)

(EXTENDED ABSTRACT)

J. Sattler, C.P. Schnorr

Fachbereich Mathematik, Universität Frankfurt

Abstract

The algorithms of Morrison-Brillhart and Schroeppel are, for large natural numbers (of general form, and with respect to worst-case running time), the most efficient of all factoring algorithms known to date. The efficiency comparison presented here is based on a theoretical analysis whose assumptions have been verified experimentally. Because of the enormous running times, an experimental comparison of the running times of the two algorithms for numbers $n \ge 10^{50}$ is at present technically very difficult. The assumptions underlying the analysis concern the behaviour of the number-theoretic function $\psi$ and of functions related to it. Contrary to previous conjectures we can show that the Morrison-Brillhart algorithm is superior to the Schroeppel algorithm for numbers of all orders of magnitude.

*) This work was carried out within the research project SICHERHEIT KRYPTOGRAPHISCHER VERFAHREN, which is funded by the BMFT under grant number 0830108.

T. Beth (Ed.): Cryptography - EUROCRYPT '82, LNCS 149, pp. 331-351, 1983. © Springer-Verlag Berlin Heidelberg 1983

Introduction

The background of this comparison of the two asymptotically fastest factoring methods is that the security of the RSA scheme [RSA 78] as a public-key cryptosystem rests largely on the fact that there are no fast methods for decomposing large numbers into their prime factors. In the chips for the RSA scheme produced at MIT, two primes $p, q$ of about $2^{250}$ to $2^{275}$ are chosen at random. Their product $n = p \cdot q$ is the public key for encoding, while decoding succeeds only with knowledge of the secret primes $p$ and $q$. In fact, all approaches to breaking the RSA scheme known so far lead to the decomposition of $n$ into the factors $p$ and $q$. This raises the question of fast factoring methods.

In discussing the security of the RSA scheme, Rivest et al. refer to the unpublished algorithm of Schroeppel as the asymptotically fastest factoring algorithm. They give its running time as $e^{\sqrt{\ln n\, \ln\ln n}}$ macro steps (= arithmetic operations in $\mathbb{Z}_n$); for $n \approx 10^{150}$ this means about $10^9$ years, provided one macro step takes ... seconds. A detailed analysis of the Schroeppel algorithm shows that its running time grows asymptotically faster, namely almost like $e^{\sqrt{3 \ln n\, \ln\ln n}}$ up to lower-order corrections in $\ln\ln n$ and $\ln\ln\ln n$. Thus the Schroeppel algorithm is even slower than the Morrison-Brillhart algorithm with $e^{\sqrt{\frac{3}{2} \ln n\, \ln\ln n}}$ macro steps (again up to lower-order corrections in $\ln\ln n$ and $\ln\ln\ln n$).

To decompose numbers $n$ of the size used in the RSA scheme, the Morrison-Brillhart algorithm is expected to need about $9 \cdot 10^{8}$ years and about $10^{13}$ bits of storage, the Schroeppel algorithm by contrast about $10^{13}$ years and about $10^{16}$ bits of storage (in each case under the assumption that a multiplication costs about ... seconds). This also means that, if a high-performance arithmetic unit is used in which a multiplication costs about ... seconds (this appears technically feasible), and about $10^4$ of these multiplication processors are deployed for the parallel execution of the Morrison-Brillhart algorithm, then such numbers $n$ can be decomposed in about 90 years. It would however be difficult to obtain the required storage of $10^{13}$ bits.

We first describe the method underlying the factoring methods of Morrison, Brillhart and Schroeppel. To decompose a natural number $n$ it suffices to compute integers $x, y$ with
$$x^2 \equiv y^2 \pmod n, \qquad x \not\equiv \pm y \pmod n. \qquad (1.1)$$
From $x^2 \equiv y^2 \pmod n$ it follows that $(x - y)(x + y) \equiv 0 \pmod n$, and $x \not\equiv \pm y \pmod n$ implies that $\gcd(x \pm y, n)$ are non-trivial divisors of $n$.

Both factoring methods construct numbers $x, y \in \mathbb{Z}$ with (1.1) by generating, for a suitable $v$, about $O(v)$ numbers $T_i$ of size $T_i \le 2\sqrt{n}$ such that the $T_i$ have only prime factors $\le v$. Morrison and Brillhart collect congruences of the type
$$T_i \equiv A_i^2 \pmod n \qquad (1.2)$$
and choose the $T_i$ as suitable continuants of the continued fraction expansion of $\sqrt{n}$. They exploit the fact that the $T_i$ are squares in $\mathbb{Z}_n$ whose square root $A_i$ is delivered by the continued-fraction recursion. To find the prime factors $\le v$ of $T_i$ we employ Pollard's factoring method and thereby arrive at a considerable improvement of the procedure. Schroeppel collects about $O(v)$ congruences of the type
$$T_{a,b} \equiv (\lfloor \sqrt{n} \rfloor + a)\,(\lfloor \sqrt{n} \rfloor + b) \pmod n \qquad (1.3)$$
with $|a|, |b| = o(\sqrt{n})$, such that $T_{a,b}$ has only prime divisors $\le v$. Schroeppel exploits the fact that for fixed $a$ the $T_{a,b}$ form an arithmetic progression in $b$, so that the prime divisors of the $T_{a,b}$ can be found relatively quickly with sieve methods. In both methods one finally obtains $x$ and $y$ by combining congruences of type (1.2) resp. (1.3) multiplicatively. The suitable combination of these congruences is obtained by solving a system of linear equations in the space of the exponent vectors $(z_{i,p} \mid p \le v,\ p \text{ prime})$ of the prime factorizations $T_i = \prod_{p \le v,\ p \text{ prime}} p^{z_{i,p}}$.

The computing time spent in these algorithms on the search for the $T_i$ with (1.2) (resp. for the $T_{a,b}$ with (1.3)) depends on the number-theoretic function $\psi(n, v) = \#\{\, m \le n : m \text{ has no prime factor } > v \,\}$. We compare the two algorithms under the following

Assumption 1: $\psi(n, n^{1/r}) \approx n \cdot r^{-r}$ for $r$ up to a bound of order $\ln n$. (1.4)

We have supported this assumption experimentally for $n$ up to about $10^{30}$ and for $r \le 6$ (cf. the detailed version of the present work). Pomerance [POM 81] has given a proof of
$$\psi(n, n^{1/r}) = n \cdot r^{-r + o(r)} \qquad \text{for } r \le \frac{\ln n}{(1 + \varepsilon) \ln\ln n}.$$
Independently of the present work, Pomerance in [POM 81] also reached the conclusion that the Morrison-Brillhart algorithm is asymptotically superior to the Schroeppel algorithm.

2. The Algorithm of Morrison-Brillhart

Algorithm "Morrison-Brillhart"

begin
    input n, r
    comment [n is the number to be factored; the optimal choice of r is to be taken from the running-time analysis]

    Stage 0: Let v = floor(n^{1/r}) and P_r := { p <= v : p prime, (n/p) = 1 }.
        With p_0 := -1 set P_r := P_r ∪ {p_0}. Lay out the list of the primes p <= v with (n/p) = 1.
        comment [Since only primes with (n/p) = 1 occur as divisors of the numbers w to be factored in Stage 1, we choose a thinned-out prime base]
        B := ∅; i := 0

    Stage 1: while #B <= #P_r + 1 do
        begin
            generate, by the recursion (10)-(15), the i-th term w := (-1)^i Q_i of the continued fraction sequence of sqrt(n), together with A_{i-1}, where A_{i-1}^2 ≡ w (mod n);
            compute, if it exists, the exponent vector a = (a_k | k = 0, ..., π(v)) with w = Π_k p_k^{a_k} over P_r, and add a (together with w and A_{i-1}) to B;
            i := i + 1
        end

    Stage 2: Find a nontrivial solution ε ∈ {0,1}^B of Σ_{a ∈ B} ε_a a ≡ 0 (mod 2), and set
        x := Π_{ε_a = 1} A_a (mod n),   y := Π_k p_k^{(1/2) Σ_a ε_a a_k} (mod n).
        comment [Because of w_a ≡ A_a^2 (mod n) and Π_{ε_a = 1} w_a = Π_k p_k^{Σ_a ε_a a_k} ≡ y^2 (mod n), one has x^2 ≡ y^2 (mod n); if x ≢ ±y (mod n), then gcd(x ± y, n) are nontrivial factors of n]
end
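Stages 0 to 2 above, carried out end to end as an added example; this is the editor's Python, not the authors' implementation and not code from the paper. It expands $\sqrt{n}$ with the standard continued-fraction recursion, keeps the terms $(-1)^i Q_i$ that factor over the thinned prime base $P_r$ (with $-1$ for the sign), finds a nontrivial $\varepsilon$ with $\sum_a \varepsilon_a a \equiv 0 \pmod 2$ by Gaussian elimination over $GF(2)$, and combines the congruences into $x^2 \equiv y^2 \pmod n$. The Pollard-based factoring of the $Q_i$ mentioned in the text is replaced by plain trial division, the smoothness bound and the step limit are the editor's choices, and the number $13290059$ used at the end is a textbook example of the continued-fraction method, not a value from this paper.

```python
from math import gcd, isqrt


def small_primes(bound):
    """All primes up to bound (trial division is enough at this size)."""
    return [p for p in range(2, bound + 1) if all(p % q for q in range(2, isqrt(p) + 1))]


def factor_base(n, bound):
    """Stage 0: -1 for the sign, then primes p <= bound with (n/p) = 1 (2 always qualifies).
    A prime with (n/p) = -1 can never divide a Q_i, because A^2 = n B^2 (mod p) has no solution."""
    base = [-1]
    for p in small_primes(bound):
        if p == 2 or n % p == 0 or pow(n % p, (p - 1) // 2, p) == 1:
            base.append(p)
    return base


def exponent_vector(value, base):
    """Factor value over base; return the exponent vector, or None if value is not smooth."""
    vec = [0] * len(base)
    if value < 0:
        vec[0], value = 1, -value
    for idx in range(1, len(base)):
        while value % base[idx] == 0:
            value //= base[idx]
            vec[idx] += 1
    return vec if value == 1 else None


def cfrac_relations(n, base, max_steps):
    """Stage 1: walk the continued fraction of sqrt(n) with
    P_i = q_{i-1} Q_{i-1} - P_{i-1},  Q_i = (n - P_i^2) / Q_{i-1},  q_i = floor((q_0 + P_i) / Q_i),
    A_i = q_i A_{i-1} + A_{i-2}, which gives A_{i-1}^2 = (-1)^i Q_i (mod n) and Q_i < 2 sqrt(n).
    Yield (A_{i-1}, (-1)^i Q_i, exponent vector) for every smooth term."""
    q0 = isqrt(n)
    P, Q, q = 0, 1, q0
    A_prev, A = 1, q0 % n          # A_{-1} and A_0
    for i in range(1, max_steps + 1):
        P = q * Q - P
        Q = (n - P * P) // Q
        if Q == 0:                 # n is a perfect square; the expansion ends
            return
        q = (q0 + P) // Q
        T = -Q if i % 2 else Q     # T = (-1)^i Q_i
        vec = exponent_vector(T, base)
        if vec is not None:
            yield A, T, vec        # A is A_{i-1} here
        A_prev, A = A, (q * A + A_prev) % n


def dependencies(vectors):
    """Gaussian elimination over GF(2): each row is a bitmask of odd exponents, a second
    bitmask records which input rows were combined; a row reducing to zero is a dependency."""
    pivots, found = {}, []
    for idx, vec in enumerate(vectors):
        row = sum(1 << j for j, e in enumerate(vec) if e % 2)
        hist = 1 << idx
        while row:
            low = row & -row
            if low not in pivots:
                pivots[low] = (row, hist)
                break
            prow, phist = pivots[low]
            row ^= prow
            hist ^= phist
        else:
            found.append([k for k in range(idx + 1) if hist >> k & 1])
    return found


def combine(n, base, relations, subset):
    """Stage 2: multiply the chosen congruences A^2 = T (mod n). All exponent sums are even,
    so x = prod A and y = prod p^(e/2) satisfy x^2 = y^2 (mod n); gcd(x -/+ y, n) may split n."""
    x, exps = 1, [0] * len(base)
    for k in subset:
        A, _, vec = relations[k]
        x = x * A % n
        for j, e in enumerate(vec):
            exps[j] += e
    y = 1
    for j in range(1, len(base)):  # index 0 is the sign; its even total contributes +1
        y = y * pow(base[j], exps[j] // 2, n) % n
    for candidate in (gcd(x - y, n), gcd(x + y, n)):
        if 1 < candidate < n:
            return candidate
    return None


def cfrac_factor(n, bound=50, max_steps=5000):
    """Return a proper factor of the odd composite n found by the continued-fraction method,
    or None if the step limit is exhausted first."""
    base = factor_base(n, bound)
    relations, tried = [], set()
    for rel in cfrac_relations(n, base, max_steps):
        relations.append(rel)
        if len(relations) <= len(base):
            continue
        for subset in dependencies([r[2] for r in relations]):
            key = tuple(subset)
            if key in tried:
                continue
            tried.add(key)
            f = combine(n, base, relations, subset)
            if f:
                return f
    return None


if __name__ == "__main__":
    n = 13290059  # textbook continued-fraction example; not a number from this paper
    f = cfrac_factor(n)
    print(n, "=", f, "*", n // f)
```

The smoothness bound plays the role of $v = n^{1/r}$ in Stage 0; the paper's running-time analysis is about choosing $r$, whereas here the bound is simply fixed for the demonstration.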

2.1 The structure of the continued-fraction sequence of √n

In the expansion of √n into a continued fraction (cf. [KNU 80]) the values q_i, i ≥ 0, and P_i, Q_i, i ≥ 1, are computed by the iteration formulas (10)-(15).

We first estimate the order of magnitude of the numbers that have to be factored over Pr in Stage 1 of the Morrison-Brillhart algorithm, i.e. we show (2.1). Substituting (11) into (12), and then using (12) once more, yields (2.1). Moreover, (-1)^i Q_i is …

Let ψ(n, r) := lim_{m→∞} … denote the limiting proportion of the elements of the continued-fraction sequence of √n that split over Pr. We want to establish a connection between ψ(n, r) and ψ(n, n^{1/r}), and therefore we prove the following fact:

Fact 2. Let p be prime with (n/p) = 1. If the residues (A_i mod p, B_i mod p) are uniformly distributed in Z_p^2 \ {(0,0)}, then for all i ∈ N

  Prob(p | Q_i) = 2(p-1)/(p^2-1) = 2/(p+1).

Proof. Let p be prime with (n/p) = 1. Because of (2.2) there is, by (2.4), no i with (A_i mod p, B_i mod p) = (0,0), and from (2.5) we have

  p | Q_i  ⟺  A_{i-1}^2 ≡ n B_{i-1}^2 (mod p).

Since (n/p) = 1, for each a ∈ [1, p-1] there are exactly two elements b ∈ [0, p-1] with a^2 ≡ n b^2 (mod p). If (A_i mod p, B_i mod p) is uniformly distributed in Z_p^2 \ {(0,0)} (note: (A_i mod p, B_i mod p) ≠ (0,0) holds because of (2.4)), it therefore follows from (2.5) that for all i ∈ N

  Prob(p | Q_i) = #{(a,b) ∈ Z_p^2 \ {(0,0)} : a^2 ≡ n b^2 (mod p)} / (p^2 - 1) = 2(p-1)/(p^2-1) = 2/(p+1).  ∎

For a randomly chosen integer a, each element p of the prime base {p ∈ [1, n^{1/r}] : p prime} is a divisor of a with probability ≤ 1/p. Under the assumption that the residues (A_i mod p, B_i mod p) are uniformly distributed in Z_p^2 \ {(0,0)}, by Fact 2 every p ∈ Pr \ {-1} is a divisor of Q_i with probability 2/(p+1). Since #Pr ≈ π(n^{1/r})/2 + 1, it is therefore reasonable to make the assumption (2.7) (cf. also [WUN 79]).

2.2 Running-time analysis of the Morrison-Brillhart algorithm

We can estimate the running time of the Morrison-Brillhart algorithm asymptotically as follows.

Theorem 1. Under the assumptions (1.4) and (2.7), the running time T_MB(n) of the Morrison-Brillhart algorithm satisfies the asymptotic bound derived in the following proof.

Proof. For the factorization of the (-1)^i Q_i in Stage 1 of the Morrison-Brillhart algorithm the Pollard algorithm suggests itself (cf. [SCH 81]). To find all prime factors ≤ p of the input number n, the Pollard algorithm needs, by experience, about √p macro steps (cf. [GUY 7…]). Since in Stage 1 of the Morrison-Brillhart algorithm only prime factors ≤ n^{1/r} of (-1)^i Q_i are sought, this stage can therefore be realised by letting the Pollard algorithm run about n^{1/(2r)} macro steps on each (-1)^i Q_i. Since we have to find π'(n^{1/r}) + 1 numbers that split over Pr, Stage 1 has a total running time T_MB,1(n, r) of (π'(n^{1/r}) + 1) · n^{1/(2r)} / ψ(n, r) many macro steps. Because π(n^{1/r}) ≈ r n^{1/r} / ln n and because of (1.4), Fact 2 gives the estimate (2.8) for T_MB,1(n, r).

The solution of the linear system in Stage 2 of the Morrison-Brillhart algorithm requires

  T_MB,2(n, r) ≈ r^3 · n^{3/r} / (2 ln n)^3   (2.9)

many bit operations. In order to optimise the asymptotic running time of the algorithm by a favourable choice of r, we minimise the sum of (2.8) and (2.9). With an ansatz of the form r(n) = c · (an expression in ln n and lnln n), the leading term is to be minimised in first approximation; we therefore choose c according to (2.10), and by substituting (2.10) into (2.8) and (2.9) we obtain the total running time T_MB(n) of the Morrison-Brillhart algorithm.  ∎

The estimate shows that for the asymptotic running time the effort for solving the linear system is dominant.

3. The Schroeppel algorithm

Algorithm "Schroeppel"

begin input n, r, t
  comment [n is the number to be factored; the optimal choice of r, t is taken from the running-time analysis]
  Stage 0: v := ⌊n^{1/r}⌋; s := min{m ∈ N : m > n^{1/t} and m even}. Form the list P = (p_1, ..., p_{π(v)}) of all primes ≤ v. With p0 := -1 set P := P ∪ {p0}. B := ∅
  Stage 1: for i = 0, ..., 2s let a_i := ⌊√n⌋ + i; for all (i, j) ∈ [0, s]^2 do T_{i,j} := a_i · a_{i+j} - n and compute ε_k ∈ N (0 ≤ k ≤ π(v)) and w* with T_{i,j} = w* · ∏_{k=0}^{π(v)} p_k^{ε_k}
    "Test": if w* = 1 then b := e_i ⊕ e_{i+j}; B := B ∪ {(ε, b)}
  comment [Here e_i ∈ {0,1}^{2s+1} is the i-th unit vector and ⊕ is the bitwise vector addition modulo 2]
  Stage 2: Find a nontrivial solution of the homogeneous linear system modulo 2 formed from the vectors (ε, b) ∈ B, and set x and y accordingly
  comment [Then x^2 = y^2 (mod n); if x ≢ ±y (mod n), then gcd(x ± y, n) are nontrivial factors of n]
end

3.1 Applicability of sieve methods in the Schroeppel algorithm

The decisive property of the Schroeppel algorithm is that sieve methods can be applied in the search for the elements of the array T that split over the prime base P. Before we analyse the running time of the Schroeppel algorithm, we therefore describe how the computation of the vectors ε in Stage 1 can be realised using sieve methods.

Stage 1
  for i = 0, ..., 2s let a_i := ⌊√n⌋ + i
  for i = 0 to s do
    for j = 0 to s: T_{i,j} := a_i · a_{i+j} - n
    comment: [For fixed i, (T_{i,j})_{0≤j≤s} forms an arithmetic progression, since T_{i,j+1} = T_{i,j} + a_i for 0 ≤ j ≤ s-1]
    α_{j,k} := 0 for j = 0, ..., s, k = 0, ..., π(v)
    comment: [The (s+1, π(v)+1)-matrix (α_{j,k}) serves in the following sieve procedure to store the values α_{j,k} := max{ε : p_k^ε | T_{i,j}}]
    sieve steps (3.1), (3.2)
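The sieving idea of Stage 1 above, as an added Python example (not code from the paper): for fixed i the row T_{i,0}, ..., T_{i,s} is an arithmetic progression with difference a_i, so for each prime p the indices j with p | T_{i,j} are found from one modular inverse and then visited in steps of p; the exponents α_{j,k} are stored in an (s+1) × (π(v)+1) matrix exactly as described, and a T_{i,j} is smooth when nothing is left after the sieved primes are divided out. Assumptions not in the original: v and s are passed in directly instead of being derived from r and t, the base is -1 together with all primes ≤ v, prime powers are divided out completely so the stored exponents are exact, and n = 1649 is a constructed sample.

```python
from math import isqrt

def linear_sieve_stage1(n, v, s):
    """Stage 1 of the Schroeppel algorithm with sieving.
    a_k = floor(sqrt(n)) + k for k = 0..2s and T_{i,j} = a_i * a_{i+j} - n.
    Returns (primes, relations); each relation is (i, i+j, T_{i,j}, exps)
    where exps = [e0, e1, ..., e_pi(v)] are the exponents over {-1} + primes
    and e0 is the exponent of -1."""
    primes = [p for p in range(2, v + 1) if all(p % d for d in range(2, isqrt(p) + 1))]
    r = isqrt(n)
    a = [r + k for k in range(2 * s + 1)]
    relations = []
    for i in range(s + 1):
        T = [a[i] * a[i + j] - n for j in range(s + 1)]
        alpha = [[0] * len(primes) for _ in range(s + 1)]   # alpha[j][k] = max{e : p_k^e | T_{i,j}}
        rest = [abs(t) for t in T]                            # unfactored part of |T_{i,j}|
        for k, p in enumerate(primes):
            if a[i] % p == 0:
                # difference a_i is 0 mod p: the whole row is congruent to T_{i,0} mod p
                hits = range(s + 1) if T[0] % p == 0 else range(0)
            else:
                j0 = (-T[0] * pow(a[i], -1, p)) % p          # T_{i,0} + j0 * a_i == 0 (mod p)
                hits = range(j0, s + 1, p)                   # every p-th row entry from j0 on
            for j in hits:
                while rest[j] > 0 and rest[j] % p == 0:       # divide out the full prime power
                    rest[j] //= p
                    alpha[j][k] += 1
        for j in range(s + 1):
            if rest[j] == 1:                                  # smooth: nothing left after sieving
                relations.append((i, i + j, T[j], [1 if T[j] < 0 else 0] + alpha[j]))
    return primes, relations

def relation_holds(n, primes, rel):
    """Cross-check one relation: a_i * a_k == T (mod n) and T = (-1)^e0 * prod p^e."""
    i, k, T, exps = rel
    r = isqrt(n)
    value = -1 if exps[0] else 1
    for p, e in zip(primes, exps[1:]):
        value *= p ** e
    return value == T and ((r + i) * (r + k) - T) % n == 0

def sieve_self_check(n, v, s):
    """True if the sieve produced at least one relation and all of them verify."""
    primes, rels = linear_sieve_stage1(n, v, s)
    return len(rels) > 0 and all(relation_holds(n, primes, rel) for rel in rels)

if __name__ == "__main__":
    primes, rels = linear_sieve_stage1(1649, 13, 6)      # constructed sample
    for rel in rels:
        print(rel)
```

For n = 1649, v = 13 and s = 6 the first row is T_{0,j} = 40j - 49, and the sieve marks j = 0 for p = 7 and j = 1, 4 for p = 3, giving the smooth entries -49 = -7^2 and -9 = -3^2 without dividing the other T_{0,j}.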

3.2 Running-time analysis of the Schroeppel algorithm

When sieving in Stage 1, for each p_k with p_k | T_{i,j} the steps (3.1) resp. (3.2) (α_{j,k} := max{ε : p_k^ε | T_{i,j}}) incur 2·α_{j,k} macro steps. The total number of these macro steps is bounded as follows; the last equation in that bound holds by Hardy and Wright (cf. Theorem 427 in [HW 60]). All remaining computation steps in Stage 1, e.g. forming the T_{i,j}, are negligible by comparison. The factor 2 in the above estimate can also be suppressed if the prime powers are sieved in the same way as the primes.

In Stage 1, about π(n^{1/r}) + 2s + … congruences must be generated so that the linear system in Stage 2 has a nontrivial solution. With s ≈ n^{1/t} it follows from (1.4) that, for at least

  π(n^{1/r}) + 2s ≈ r n^{1/r} / ln n + 2 n^{1/t}

congruences to be generated, r and t must be chosen so that condition (3.3) holds. For the number T_Sch,1(n, r, s) of macro steps in Stage 1 the estimate (3.4) then holds. The solution of the linear system in Stage 2 requires

  T_Sch,2(n, r, s) = (π(n^{1/r}) + 2s)^3   (3.5)

many bit operations. By choosing the parameters r(n) and t(n) suitably in terms of ln n and lnln n, the running time of the Schroeppel algorithm can be estimated somewhat better than by O(e^{1.5 √(ln n lnln n)}):

Theorem 2. Under the assumption (1.4), and provided that the Gaussian elimination method is used in Stage 2, the running time T_Sch(n) of the Schroeppel algorithm satisfies

  T_Sch(n) = O(e^{1.5 (√(ln n lnln n) − lnln n − lnlnln n)}).

Rivest, Shamir and Adleman [RSA 78] see the main danger for the RSA scheme in the Schroeppel algorithm, for which they give a running time of O(e^{√(ln n lnln n)}). This upper bound for the running time of the Schroeppel algorithm has remained unchallenged to this day. According to our findings, however, such a running-time bound can only be proved by violating condition (3.3). Since (3.3) is, however, a necessary condition for the correctness of the Schroeppel algorithm, we can prove an asymptotically stronger lower bound for the running time of the Schroeppel algorithm, for the following holds:

Theorem 3. Under assumption (1.4) the running time of the Schroeppel algorithm satisfies

  T_Sch(n) = Ω(e^{1.5 (√(ln n lnln n) − lnln n · lnlnln n − lnln n − lnlnln n)}).

4. Comparison of the two algorithms

In this chapter we compare the two algorithms with each other for numbers n of fixed orders of magnitude. Here, in contrast to the asymptotic analysis of chapters 2 and 3, it must be taken into account that a macro step (arising in Stage 1) requires substantially more computing time than a bit operation (arising in Stage 2). The following comparison values have therefore not been computed from the asymptotic running-time estimates of Theorems 1 and 2, but from the formulas (2.8) and (2.9) resp. (3.4) and (3.5) (which likewise rest on assumption (1.4)).

*) For maps f: N → R, g: N → R we write …

Based on the running times of our subroutines for arithmetic in Z_n, we have set, for n ∈ [10^20, 10^…) (resp. for n ≤ 10^…), … sec (resp. … sec) for each macro step arising in Stage 1 (Note: in the case n …


Theorem 4.1. x^c, c > 1, over S, S a finite semigroup, is a permutation-polynomial if and only if the following conditions hold simultaneously:
(i) S is completely regular,
(ii) g.c.d.{c, D_S} = 1.

Proof. If S is completely regular this follows immediately from Proposition 4.1. x^c is a permutation iff x^{cn} is a permutation for all n ≥ 1. Therefore, as in the proof of Proposition 3.3, an integer n_0 exists with x^{n_0} ∈ G_e for some e ∈ E_S and any x ∈ S. Hence K_e \ G_e = ∅ for all e ∈ E_S. We conclude that S necessarily is completely regular.

Remark. Proposition 4.1 can be easily extended to arbitrary (finite) S if H_S > 1, as follows by means of Corollary 3.1.1. We note that Theorem 4.1 …

Definition 4.1. Given two integers c, d, 1 ≤ c < d, …

… Z_m (m > 1) is the multiplicative semigroup of integers modulo m, and D = D_{Z_m} = l.c.m.{exp G_e | e ∈ E_S} = λ(m).

Lemma 5.3. Let N_e = max{n_a : a ∈ K_e}, e ∈ E_S, and define m_1(a) := … . Then we get N_e = E(m_1(e)).

Proposition 5.4. If S = Z_m (m > 1), then H = H_S = E(m).

Theorem 5.4. If Z_m is the finite multiplicative semigroup of integers modulo m (m > 0), then x^{t+s} = x^t for all x ∈ Z_m if and only if t ≥ E(m) and λ(m) | s.

Proof. This is a special case of Theorem 3.1 if we take S = Z_m and use Proposition 5.3 and Proposition 5.4.

Corollary 5.4.1 (The global Euler-Fermat theorem). x^{E(m)+λ(m)} = x^{E(m)} for all x ∈ Z_m. Alternatively, in terms of congruences,

  x^{E(m)+λ(m)} ≡ x^{E(m)} (mod m)   for all x ∈ Z.

Corollary 5.4.2. If m is a positive integer and t is a non-negative integer, then

  x^{t+λ(m)} ≡ x^t (mod m)

for all integers x iff m is (t+1)-th power-free.

Proof. See [Ecker, 1980], Corollary 3.3.

Proposition 5.5 (The local Euler-Fermat theorem). Let e ∈ E_S. We have

  x^{E(m_1) + λ(m/m_1)} = x^{E(m_1)}   for all x ∈ K_e, where m_1 = m_1(e).

Proof. Note that K_e is a semigroup; Lemma 5.2 and Lemma 5.3 complete the proof.

Remark. The exponents in the foregoing theorems are the best possible if one insists on independence of the special choice of x ∈ Z_m or x ∈ K_e ("for all x ∈ K_e").

Lemma 5.4. (i) E(m) ≤ φ(m) for all integers m > 1, and E(m) = φ(m) holds iff m = 2, 4.
(ii) If m ≠ 8, 24, then … . If m > 1, then for all x ∈ Z_m, x^{φ(m)} is an idempotent of Z_m, or alternatively x^{φ(m)} ≡ x^{2φ(m)} (mod m) for all x ∈ Z.

Proposition 5.7. a ∈ Z_m (m > 1) is regular if and only if one of the following conditions is fulfilled:
(i) m_1(a) | a,
(ii) g.c.d.{a, m} = g.c.d.{a^2, m}.

Theorem 5.5. S = Z_m (m > 1) is completely regular iff m is square-free.

Proof. If m is square-free then Proposition 5.7 (i) and Theorem 5.1 give h_a = 1 for all a ∈ Z_m. Hence H_S = 1, and from Theorem 3.2 we see that S = Z_m is completely regular. Now suppose that S = Z_m is completely regular and thus H_S = 1 (Theorem 3.2). This means h_a = 1 for all a ∈ Z_m, hence m_1(a) | a for all a ∈ Z_m (Proposition 5.7 (i), Theorem 5.1). It is easily seen that this is only possible if m is square-free.

Corollary 5.5.1. S = Z_m is completely regular iff there exists no non-zero nilpotent element in Z_m.

Proof. Corollary 5.1.2 of Proposition 5.1.

Remark. Note that Z_m is a commutative semigroup, hence there is no difference between "regular" and "completely regular". Proposition 5.7 and Theorem 5.5 were first proved by [Morgado, 1974] within the framework of elementary number theory.

Proposition 5.8. Let a ∈ Z_m (m > 1); then a = a^{1+λ(m)} (mod m) holds iff a is regular.

Proof. See Proposition 3.2 and Corollary 2.2.1.

Corollary 5.8.1. a = a^{1+φ(m)} (mod m) holds iff a is regular.

Proposition 5.9. The relation x^c = x with some integer c > 1 holds for all x ∈ Z_m if and only if m is square-free and λ(m) | (c − 1). The least c having this property is c = 1 + λ(m).

Proof. Take S = Z_m in Proposition 3.1 and see what we proved in Proposition 5.3 and Theorem 5.5.

Theorem 5.6. The polynomial-function x^c, c > 1, over Z_m is a permutation-polynomial if and only if m is square-free and g.c.d.{c, λ(m)} = 1.

Proof. This is Theorem 4.1 for S = Z_m (see Proposition 5.3 and Theorem 5.5).

Remark. Theorem 5.6 can be treated from different points of view; as a problem of number theory it has been solved in [Cordes, 1976] and [Small, 1977]. In connection with the uniform distribution of polynomials modulo m, [Zane, 1964] proved Theorem 5.6. For a more general question see [Kuipers and Niederreiter, 1974], Chap. 5. Clearly the polynomial-function a x^c, c > 1 (a ∈ Z), is a permutation-polynomial over Z_m iff m is square-free, g.c.d.{a, m} = 1 and g.c.d.{c, λ(m)} = 1.

Theorem 5.7 ([Schwarz, 1981]). Let m = ∏_{i=1}^n p_i^{a_i} and 1 ≤ c < d. Then the number of solutions of x^c = x^d in Z_m is given by the formula

  |L(c, d, Z_m)| = ∏_{i=1}^n (p_i^{a_i}/g_i + L_i).

Here g_i is defined as in Proposition 5.10, but with respect to p_i^{a_i} in place of m (in particular, m = p always gives m/g = 1), and L_i is defined as

  L_i = g.c.d.{d − c, λ(p_i^{a_i})}   if p_i is odd or p_i^{a_i} = 2, 4;
  L_i = g.c.d.{d − c, 2} · g.c.d.{d − c, λ(p_i^{a_i})}   if p_i^{a_i} = 2^a, a ≥ 3.

Corollary 5.7.1. The number of solutions of x^c = x, c > 1, in Z_m is given by the formula

  |Fix(c, Z_m)| = ∏_{i=1}^n (1 + L_i),

where L_i is as in Theorem 5.7.

Corollary 5.7.2. Let m be square-free; then the number of solutions of x^c = x^d, 1 ≤ c < d, is given by the formula

  |L(c, d, Z_m)| = ∏_{i=1}^n (1 + g.c.d.{d − c, p_i − 1}).

Corollary 5.7.3. Let m be square-free; then the number of solutions of x^c = x, c > 1, is given by the formula

  |Fix(c, Z_m)| = ∏_{i=1}^n (1 + g.c.d.{c − 1, p_i − 1}).
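Theorem 5.4, Theorem 5.6 and Corollary 5.7.3, checked numerically in an added Python example (this is not code from the paper): λ(m) is computed as the Carmichael function, E(m) is taken to be the largest exponent in the prime factorization of m (an assumption, consistent with Corollary 5.4.2's "(t+1)-th power-free"), and each predicted statement is compared against brute force over Z_m for small m. The sample moduli 15 and 12 are constructed.

```python
from math import gcd

def factorize(m):
    """Prime factorization of m > 1 by trial division: [(p, alpha), ...]."""
    fac, d = [], 2
    while d * d <= m:
        e = 0
        while m % d == 0:
            m //= d
            e += 1
        if e:
            fac.append((d, e))
        d += 1
    if m > 1:
        fac.append((m, 1))
    return fac

def lcm(a, b):
    return a * b // gcd(a, b)

def carmichael(m):
    """λ(m): the exponent of the unit group of Z_m (D_S for S = Z_m)."""
    lam = 1
    for p, e in factorize(m):
        part = 2 ** (e - 2) if (p == 2 and e >= 3) else (p - 1) * p ** (e - 1)
        lam = lcm(lam, part)
    return lam

def E(m):
    """Assumed definition: the largest exponent in the factorization of m,
    so that m is (t+1)-th power-free exactly when t >= E(m)."""
    return max(e for _, e in factorize(m))

def is_square_free(m):
    return E(m) == 1

# Theorem 5.4: x^(t+s) == x^t for all x in Z_m  <=>  t >= E(m) and λ(m) | s
def euler_fermat_holds(m, t, s):
    return all(pow(x, t + s, m) == pow(x, t, m) for x in range(m))

def predicted_euler_fermat(m, t, s):
    return t >= E(m) and s % carmichael(m) == 0

# Theorem 5.6: x^c permutes Z_m  <=>  m square-free and gcd(c, λ(m)) = 1
def is_permutation_polynomial(m, c):
    return len({pow(x, c, m) for x in range(m)}) == m

def predicted_permutation(m, c):
    return is_square_free(m) and gcd(c, carmichael(m)) == 1

# Corollary 5.7.3: for square-free m, |Fix(c, Z_m)| = prod (1 + gcd(c-1, p_i-1))
def fixed_points(m, c):
    return sum(1 for x in range(m) if pow(x, c, m) == x)

def predicted_fixed_points(m, c):
    if not is_square_free(m):
        raise ValueError("Corollary 5.7.3 needs square-free m")
    out = 1
    for p, _ in factorize(m):
        out *= 1 + gcd(c - 1, p - 1)
    return out

def statements_agree(m_max=40, t_max=5, s_max=13):
    """Brute-force agreement of the three predictions for all m < m_max."""
    for m in range(2, m_max):
        for t in range(t_max):
            for s in range(1, s_max):
                if euler_fermat_holds(m, t, s) != predicted_euler_fermat(m, t, s):
                    return False
        for c in range(2, 12):
            if is_permutation_polynomial(m, c) != predicted_permutation(m, c):
                return False
            if is_square_free(m) and fixed_points(m, c) != predicted_fixed_points(m, c):
                return False
    return True

if __name__ == "__main__":
    # constructed samples: m = 15 = 3*5 (square-free), m = 12 = 2^2 * 3 (not)
    print(carmichael(15), E(15), fixed_points(15, 3), predicted_fixed_points(15, 3))
    print(is_permutation_polynomial(15, 3), is_permutation_polynomial(12, 5))
    print(statements_agree())
```

For m = 15 we get λ(15) = 4 and x^3 is a permutation with (1 + gcd(2, 2))(1 + gcd(2, 4)) = 9 fixed points; for m = 12, gcd(5, λ(12)) = gcd(5, 2) = 1 but 12 is not square-free, and indeed x^5 maps both 2 and 8 to 8.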

Remark. Corollary 5.7.1 is Theorem 3, p. 174 in [Blakley and Borosh, 1979]. But note that the formula given by Blakley and Borosh is only true if 8 ∤ m is assumed.

Proposition 5.11. … Fix(c, Z_m) …

Proposition 5.12. Let m > 1 be odd and square-free and g.c.d.{c, λ(m)} = 1, c > 1. Then the permutation-polynomial x^c over Z_m has at least 3^n fixed points, where n > 0 is the number of different prime divisors of m. We have |Fix(c, Z_m)| = 3^n iff g.c.d.{c − 1, λ(m)} = 2.

Proposition 5.13. Let m > 2 be an integer and d any integer with g.c.d.{d, λ(m)} = 1. Then we define

  C_d = {c | 1 ≤ c ≤ λ(m), g.c.d.{c, λ(m)} = 1 and g.c.d.{c − d, λ(m)} = 2},

and have

  |C_d| = (λ(m)/f) · ∏_{p | λ(m), p ≠ 2} (1 − 2/p),

where the product is taken over all different prime divisors p of λ(m), with f = 4 if 4 | λ(m) and f = 2 if 4 ∤ λ(m).

Corollary 5.13.1 ([Blakley and Borosh, 1979]). Let d = 1; then we obtain the same formula as in Proposition 5.13, and if m > 2 then always |C_1| ≥ 1. Whether m is square-free or not does not matter here.

Proposition 5.14. Let m > 1 be square-free and odd; then |Fix(c, Z_m)| = 3^n for every c ∈ C_1, where n is the number of different prime divisors of m.

6. Some other semigroups.

Given a finite semigroup it is tedious to compute H and D. We consider some further examples.

a. The semigroup of binary relations on a finite set. By an n×n Boolean matrix (n ≥ 1) we mean an n×n matrix over the set {0,1} under the operations a + b = sup(a, b), a · b = min(a, b). Denote by B_n the multiplicative semigroup of all Boolean matrices. Clearly |B_n| = 2^{n^2}, and B_n is isomorphic to the multiplicative semigroup of all binary relations on a finite set with n elements. In this case it is known that H_{B_n} = (n − 1)^2 + 1, and D_{B_n} is a function of n which can be computed in the following way. Let n = n_1 + ... + n_k be a partition of n. Then D_{B_n} = max{l.c.m.{n_1, ..., n_k}}, where (n_1, ..., n_k) runs through all possible partitions of n, or otherwise expressed: D_{B_n} is the largest order of an element in S_n (the symmetric group on n elements).

b. The multiplicative semigroup of certain finite rings. The approach taken in section 5 of this paper can be generalized to a class of rings containing Z. Let R be a principal ideal domain; if (m) (m ∈ R) is an ideal of R with R̄ = R/(m) a finite ring, we can get an Euler-Fermat theorem, and most of the theorems and propositions in the foregoing section can be taken over to the multiplicative semigroup of R̄. A ring of special interest is the polynomial ring K[x], where K is a finite field. Instead of m we take m(x) ∈ K[x], and if φ denotes the generalized φ-function of Dedekind we have a new kind of RSA-cryptosystem. φ(m(x)) is known if the factorization of m(x) as a product of irreducible polynomials over K is known. But polynomial factoring can be done in polynomial time, hence the proposed system is unsafe.

c. Matrices over Z_m. In a paper of [Davis, 1951] the following Euler-Fermat theorem for matrices is proved:

Theorem 6.1 ([Davis, 1951]). Let m = p_1^{a_1} ··· p_s^{a_s} be an arbitrary number with s distinct prime divisors p_1, ..., p_s, n ≥ 1 an arbitrary integer, p_i^{r_i} the least power of p_i greater than or equal to n, q_i = l.c.m.{p_i^n − 1, p_i^{n−1} − 1, ..., p_i − 1}, and finally let

  w = l.c.m.{q_1 p_1^{a_1 − 1} p_1^{r_1}, ..., q_s p_s^{a_s − 1} p_s^{r_s}}.

If A is a matrix of order n whose determinant is prime to m and I is the unit matrix, then A^w ≡ I (mod m), and w is the least exponent for which this is true.

If M_n denotes the multiplicative semigroup of all n×n matrices over Z_m, then w = exp(M_n^*) is just the exponent of the group M_n^* of all non-singular matrices over Z_m. We note that a factorization of m is needed to compute w. A (generalized) RSA-cryptosystem seems to be possible in M_n if the following two problems were solved: the structure of M_n has to be determined completely (H_{M_n}, D_{M_n}); especially, the completely regular M_n have to be singled out.

HOW TO SHARE A SECRET

Maurice Mignotte, Strasbourg

I. Introduction. We consider the following problem. Let S be some secret. A collection of n people E_j share this secret in such a way that

. each E_j knows some information x_j,
. for a certain fixed integer k, 2 ≤ k ≤ n, the knowledge of any k of the x's enables one to find S easily,
. the knowledge of less than k of the x's leaves S undetermined.

This problem was considered first by A. Shamir [79], and he calls such a scheme a (k, n) threshold scheme. The practical interest of this problem is obvious and is discussed in Shamir [79].

Shamir gives a solution using interpolation of polynomials over a finite field, the secret being some polynomial. We give here a more elementary solution in which the secret is an integer. These two solutions are particular cases of the use of the Chinese Remainder Theorem. So we study this theorem in the following section.

II. Chinese Remainder Theorem. Our problem is to cut some secret into pieces. A usual way in mathematics to "divide" a set into simpler pieces is to replace it by a product of simpler sets. A typical example of this situation is given by the Chinese Remainder Theorem. Moreover, and this is essential in our application, the isomorphisms which occur in this theorem are easily computable for the two cases we consider.

T. Beth (Ed.): Cryptography - EUROCRYPT '82, LNCS 149, pp. 371-375, 1983. © Springer-Verlag Berlin Heidelberg 1983
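The integer case of the isomorphism mentioned above, as an added Python example (not code from the paper): the forward map sends an integer S to its residues modulo pairwise coprime m_1, ..., m_k (the "pieces"), and the inverse map is the Chinese Remainder reconstruction, computable from one modular inverse per modulus. A third function counts how many integers below a bound are consistent with a subset of the pieces, which is how a subset can leave S undetermined. The moduli 101, 103, 107, 109 and the secret 123456 are constructed sample values; the threshold construction of the paper itself is not part of this example.

```python
from math import gcd, prod

def pairwise_coprime(moduli):
    return all(gcd(a, b) == 1 for i, a in enumerate(moduli) for b in moduli[i + 1:])

def to_residues(S, moduli):
    """Forward map Z/(M) -> Z/(m_1) x ... x Z/(m_k): the pieces of S."""
    return [S % m for m in moduli]

def crt(residues, moduli):
    """Inverse map: the unique x in [0, M) with x == r_j (mod m_j) for all j,
    M = prod m_j. Requires pairwise coprime moduli (condition (1) below for
    the ideals (m_j) of Z)."""
    if not pairwise_coprime(moduli):
        raise ValueError("moduli must be pairwise coprime")
    M = prod(moduli)
    x = 0
    for r, m in zip(residues, moduli):
        Mj = M // m
        # Mj * inv(Mj mod m) is 1 mod m and 0 mod every other modulus
        x += r * Mj * pow(Mj, -1, m)
    return x % M

def consistent_count(residues, moduli, bound):
    """Number of integers in [0, bound) that agree with the given pieces:
    exactly the integers congruent to crt(residues, moduli) mod prod(moduli)."""
    x = crt(residues, moduli)
    return len(range(x, bound, prod(moduli)))

if __name__ == "__main__":
    moduli = [101, 103, 107, 109]           # constructed, pairwise coprime
    S = 123456                              # constructed secret, S < prod(moduli)
    pieces = to_residues(S, moduli)
    print(pieces, crt(pieces, moduli))
    print(consistent_count(pieces[:2], moduli[:2], prod(moduli)))
```

With all four pieces the reconstruction returns 123456; with only the residues modulo 101 and 103 the reconstruction gives 123456 mod 10403, and 11663 integers below the product of all four moduli remain consistent with those two pieces.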

The general version of the Chinese Remainder Theorem is the following.

THEOREM. - Let A be a ring. Let I_1, ..., I_m be ideals of A such that

(1)  I_i + I_j = A for i ≠ j.

Then, if I = ∩_{j=1}^m I_j, the