The Dynamic Substitution Combiner (original) (raw)

PUBLISHED: Ritter, T. 1990. Substitution Cipher with Pseudo-Random Shuffling: The Dynamic Substitution Combiner.Cryptologia. 14(4): 289-303.

To read the complete article off-line, save these graphics files:Figure 1 (TEST1CGM.GIF),Figure 2 (TEST2CGM.GIF), andFigure 3 (TEST6CGM.GIF).

Substitution Cipher with Pseudo-Random Shuffling: The Dynamic Substitution Combiner

Terry Ritter

ADDRESS: Blue Jean Software, 2609 Choctaw Trail, Austin, Texas 78745.

ABSTRACT: A cipher mechanism or process which can be viewed as a modified substitution cipher. A translation table is used to replace plaintext symbols with ciphertext symbols; the modification consists of changing the contents of the translation table after each substitution. The dynamic translation table acts to confuse symbol frequency statistics and so frustrate the usual cryptanalytic attacks.

The same mechanism can also be viewed as a cryptographic combiner, and can replace the exclusive-OR combining function used in Vernam stream ciphers. The dynamic translation table acts as one-way function to protect the pseudo- random sequence, and consequently helps to prevent cryptanalysis.

KEYWORD LIST: cryptography, computer cryptography, cipher, stream cipher, product cipher, substitution, dynamic substitution, combiner, cryptographic combiner, mixer, shuffle


INTRODUCTION

This paper discloses an apparently new cryptographic mechanism which can be described as dynamic substitution. Although structurally similar to simple substitution, dynamic substitution has a second data input which acts to re-arrange the contents of the substitution table. The mechanism _combines_two data sources into a complex result; under appropriate conditions, a related inverse mechanism can then _extract_one of the data sources from the result.

A dynamic substitution combiner can directly replace the exclusive-OR combiner used in Vernam stream ciphers. The various techniques used in Vernam ciphers can also be applied to dynamic substitution; any cryptographic advantage is thus due to the additional strength of the new combiner.

This paper develops a particular form of dynamic_substitution_; a related paper develops a form of dynamic_transposition_. The substitution version is generally easier to understand, more efficient, and more easily applied as a stream cipher. However, the slower transposition version may have greater cryptographic strength.

BACKGROUND

For a general background in cryptology see Kahn [15], and for details on the classical systems and their analysis see Gaines [12]. More modern statistical approaches are given by Sinkov [45] and Deavours [6]. A good partly-technical anthology is Deavours _et. al._[5]. There is a nice but older survey by Mellen [22], a major effort by Diffie and Hellman [8], and a newer one by Massey [20] (also see the other papers in that issue). A rigorous but not always applicable theoretical base starts with Shannon [41] and is extended by Hellman [14]. Beker and Piper [1] is a good technical reference. Denning [7] and Pfleeger [32] present cryptography in the broader context of computer security issues.

THE VERNAM CIPHER

The Vernam cipher [47], although originally implemented with electromechanical relays, may well mark the start of modern cryptography. A Vernam cipher directly combines a stream of plaintext data with a pseudo-random confusion stream using what we now know of as mod 2 addition. This same combining function is also known as the Boolean logic exclusive-OR, and is widely available in digital integrated circuits and as an instruction on most computers and microcomputers.

Since each ciphertext element from a Vernam combiner is the (mod 2) sum of two unknown values, the plaintext data would seem to be well hidden. Such appearances are deceptive, however, and a Vernam cipher is susceptible to several cryptanalytic attacks, including known-plaintext and _probable_words [37]; if some part of the plaintext is known (or even guessed), the cryptanalyst can directly obtain some of the confusion stream [24, 25]. And if the confusion sequence can be penetrated and reproduced, the cipher is broken [34, 43,21]. Similarly, if the same confusion sequence is ever re-used, and the overlap identified, it becomes simple to break that section of the cipher [37].

For these reasons, the modern Vernam cipher generally relies on an analysis-resistant pseudo-random sequence generator for security [e.g. 13]. But the design of such a generator is non-obvious [3], and is even more difficult than it might seem, since the cryptanalyst might well possess analytical knowledge and capabilities superior to those of the designer of the generator. Future analysts may be even more capable. Accordingly, constructs which may seem complex to the designer [13, 33,4] may well yield, eventually, to the superior knowledge and computational resources of a cryptanalyst [43, 38,31].

CRYPTOGRAPHIC COMBINERS

An alternate approach to the design of a secure stream cipher is to seek combining functions which can resist attack; such functions would act to hide the pseudo-random sequence from analysis [42, 43,44]. Such _cryptographic combining functions_could be used to replace the Vernam exclusive-OR combiner (if they have an inverse) [40], or they might just combine pseudo- random sequences to make a more complex sequence [28] which is harder to analyze.

A cryptographic combiner is not intended to be an ultimate cipher; indeed, it is not at all clear that such a thing is possible. An improved combiner is intended to force cryptanalysis to be more difficult, time consuming, and expensive than would be the case with a simple combiner. The cryptographic worth of a combiner can be described as the improvement in security when compared to the now-standard Vernam exclusive-OR combiner.

The mechanism of this paper is a new combining function which extends the weak classical concept of simple substitution into a stronger form suitable for computer cryptography.

SUBSTITUTION CIPHERS

Classical simple substitution replaces each letter of the alphabet with one fixed substitute [12, 45]. Simple substitution is normally considered to be a very weak cryptographic operation [22], mainly because substitution in no way obscures the letter- frequency distribution of the source text. That is, for a particular language and topic, a statistical analysis of the enciphered data will tend to match the general statistics for that language.

The fundamental operation of substitution is pervasive in cryptography [10]. But in all known previous systems the substitution is static. That is, each substitution table is fully defined (either by the designer or the key) before starting encryption, and the contents of each substitution table remain unchanged for the duration of that particular cipher or message.

This paper is concerned with the cryptographic strengthening of the fundamental substitution operation through_dynamic_ changes to a substitution table. The substitution table can be changed under the control of a separate data stream, usually originating from a pseudo-random sequence generator. The combination of substitution and a strategy for changing the contents of the substitution tables yields a cryptographic combining function; such a function may be used to combine plaintext data with a pseudo-random sequence to generate enciphered data. A particular strategy is presented which is applicable to computer hardware or software implementations. In many cases, such a substitution is desired to be invertible, and the presented scheme supports the efficient maintenance of an inverse.

SUBSTITUTION

In mathematical set-theoretic terms, a substitution is a relation between two sets, which is illustrated here using sets_X_ and Y. We define a mapping function_f_from set_X_into set_Y_, and for each element_x_in set_X_, we have_y = f(x). In many cases, function_f_is arranged to be one-to-one (such that for each_x_in_X, each corresponding y is unique), so that there will be an inverse function_f^-1_. If there is an inverse, for each element_x_in set_X_we have_x = f^-1(f(x)). Thus, we can encipher with_y = f(x)and decipher with_x = f^-1(y). Often, the domain (set_X) is identically equal to the range (the subset of_Y_covered by_y = f(x)_), but this is not necessary. The symbols_xi_and_yi_will be used as a convenient notation to represent some particular data element before and after enciphering.

The simple substitution function is a monoalphabetic substitution cipher, and is easily penetrated since a mapping preserves the frequency distributions of the source material (the message). That is, for each occurrence of element_xi_from set_X_, the corresponding element_yi = f(xi)appears in the ciphertext. Thus, whatever proportions exist among the elements_x_in the message, those same proportions will be retained among the elements_y_after substitution. It might be said that the frequency distribution characteristics are invariant through or_preserved by the static substitution function.

THE SIMPLE PERMUTING MAP

But suppose the mapping function, now_f1_, is permuted to a new, slightly changed mapping function_f2_after the first element of the message (which we take to be_xi_). In particular, suppose that the mapping which takes_xi_to_yi_is transposed or exchanged with some mapping at random, say_j_. After the exchange, the map takes_xi_to_yj_and also_xj_to_yi_. Note that simply permuting a map preserves its one-to-one characteristics (assuming it originally had any), so that a different but unambiguous inverse will still exist. In this way, the just-used map element can be changed to any of the map values, and this can be done after each element of the message is enciphered. The act of exchanging an element with another selected at random is the basis for the well-known shuffle algorithm [9, 17, p. 139]; this is one of many possible strategies for changing the contents of the substitution table. The general principle of a changing substitution table can be termed dynamic substitution.

It seems clear that repeated application of pseudo-random map exchange operations destroys the fixed correspondence between_xi_and_yi_so that the frequency distribution invariance no longer holds. That is, since the mapping from_xi_to_yi_is shuffled whenever_xi_is enciphered, it is unlikely that the next occurrence of_xi_will also map to_yi_. This change occurs for all elements_x_in set_X_whenever an element is enciphered. Thus, this scheme would seem to obscure the frequency distribution statistics of the message. And, since the pseudo-random sequence acts only indirectly (through the exchange operation), there is some hope that it will remain hidden in any case.

THE INVERSE PERMUTING MAP

A dynamic substitution function might be used to encipher data, or it might be used to further complicate a random-number sequence. But if it is to be used to encipher data, it will be necessary to create and maintain an inverse map to support deciphering. Assuming that there are no repeated values in_f_, the initial inverse_f^-1_of_f_is easily obtained by stepping through_X_: For each value_x_in set_X_, the original map_f_generates a corresponding_y_value; that_y_value is the position in the inverse map_f^-1_where the original_x_value is placed.

Before the original map_f_is permuted, it takes_xi_to_yi_and also_xj_to_yj_; the inverse map_f^-1_will function in the reverse direction to take_yi_to_xi_and also_yj_to_xj_. After the exchange operation, the original map_f_takes_xi_to_yj_and also_xj_to_yi_; accordingly the inverse map_f^-1_must take_yi_to_xj_and also_yj_to_xi_. Thus, it is also necessary to permute the inverse map_f^-1_appropriately after each mapping operation, and this is done simply by exchanging elements_yi_and_yj_in the inverse map_f^-1_.

In practice, permuting the inverse map_f^-1_is slightly more complicated than permuting_f_alone, because the pseudo-random value (which we call_j_and which selected_xj_in_f_) must be mapped through_f_to find_yj_, which is one of the elements to exchange in_f^-1_. This scheme requires that both_f_and_f^-1_maps be present during deciphering, even if only the_f^-1_map is actually used to decipher data. But this scheme also keeps the inverse map up to date without re-generating the full inverse after every substitution operation. The other element of the "exchange pair" is_yi_, which is just the enciphered data element, and is thus already known.

DYNAMIC SUBSTITUTION

In cryptologic terms, dynamic substitution is a sort of extended substitution cipher. A substitution table is used to translate each data value into an enciphered value. But after each substitution, the table is re-ordered. At a minimum, it makes sense to exchange the just-used substitution value with some entry in the table selected at random. This generally changes the just-used substitution value to help prevent analysis, and yet retains the existence of an inverse, so that the cipher can be deciphered.

To a potential cryptanalyst, the substitution table starts out completely unknown. When a data value is translated through the table, that particular substitution is at least potentially known. But that substitution value is immediately changed, so the substitution table is again completely unknown. In this way, external cryptanalysis of the arrangement of the substitution table is greatly complicated.

Whenever a particular substitution is used, it is changed, and the more often it is used, the more often it is changed; this seems to be the optimal characteristic for hiding usage frequency statistics, and this is automatic and inherent in the combiner. Moreover, the pseudo-random number sequence does not directly select any data for output, it only changes the table "behind the scenes"; this gives us some grounds for asserting that the pseudo-random sequence remains hidden, to some unknown extent.

A substitution which has an inverse is normally thought to be weaker than one which does not, so it is worth noting that dynamic substitution does not have an inverse, it has a_changing_ inverse, and that affects the analysis.

Dynamic substitution is one way to build a cryptographic combiner; it is not a complete cipher. However, when combined with a strong cryptographic random number generator, message keys, and other extensions, dynamic substitution can be a major part of a strong cryptographic system. It might be used simply to replace a Vernam combiner in existing equipment. It can also be used to complicate a random-number stream, or as one module in a complex multi-module ciphering system.

BLACK BOX ANALYSIS

Dynamic substitution may be considered to be a black box, with two input ports ("Data In" and "Random In"), and one output port ("Combiner Out"). In the simple version, each data path has similar width; evidently the mechanism inside the box in some way combines the two input streams to produce the output stream. It seems reasonable to analyze the output statistically, for various input streams.

[Fig. 1]

Figure 1 charts the frequency distributions measured on two ports of a Simple Substitution Combiner. The "Data In" data was a sizable text file (a book chapter) with all spaces and punctuation deleted, and lower case converted to upper, leaving a 26-element alphabet of 18,135 capital letters. No random stream is used in simple substitution. Note that the "Data In" and "Combiner Out" distributions are the same, just re-arranged.

[Fig. 2]

Figure 2 charts the frequency distributions measured for a Dynamic Substitution Combiner. The "Data In" stream was the same as in Figure 1. The "Random In" stream is random, with a 26-element capital letter alphabet. Note that the "Data In" and "Combiner Out" distributions are very different.

[Fig. 3]

Figure 3 charts the frequency distributions for a Vernam Combiner. "Data In" was the same as before. Because the Vernam system operates on a binary representation, a Vernam "Combiner Out" stream is inherently a binary-power alphabet (in this case 32 elements); the "Random In" stream was given the same range.

Two additional experiments were conducted on Dynamic Substitution, using a constant value ('E') into one port, and a pseudo-random stream into the other port; the results were a little surprising, but their graphs provided little insight: In both cases the "Combiner Out" stream resembled a random data stream. This was unexpected because the design was intended to randomize a stream of predictable data, and not necessarily to handle a non-random "random" input, which it does. Apparently this happens because the exchange process (functioning after each substitution) takes two streams; if either one has random characteristics, the substitution table will be randomized, and this will randomize the output stream. It may be that this sort of statistical independence of the input ports is necessary for a strong cryptographic combiner. Similar results are obtained using what would normally be considered radically different inputs to the mechanism.

The last experiment was the randomization effect of a standard Vernam exclusive-OR combiner on the same constant input.

Results from these experiments were collected using common cryptographic statistical measures.

MEASURES OF RANDOMNESS

The black box test results can be summarized in the form of cryptographic _delta IC_[23], and _Z-coefficient_[6, 18] computations. In both cases, a count is made of the number of occurrences of each value in the stream being analyzed. Then a "Phi" value is computed, which is conceptually the sum of the squares of each element count. (In practice, instead of the square of the element counts n * n, the value n * (n - 1) is used [1, 45].)

The index of coincidence (IC) is conceptually the sum of the squares (of the element counts) over the square of the sum(the total element count). Because the IC depends on the size of the cryptographic alphabet, it is useful to normalize it to a delta IC by multiplying by the size of the alphabet. A delta IC value of 1.0 indicates a random distribution.

The Phi value has been computed, and an "expected" value of Phi (for a random data stream) can be derived. Similarly, a statistical variance (for a monographic cipher) can also be computed. The Z-coefficient is just the difference between the actual and expected Phi values, normalized by dividing by the variance. Thus, the Z-coefficient represents the extent (in statistical standard deviations) to which a particular sample differs from the expected value of a random sample. Consequently, a value of 0 would be expected, and a value between -2 and 2 would be most probable for a random sequence. The probability that a truly random sequence would produce any other Z-coefficient value can be interpreted as the area under a_bell shaped_ standard normal probability curve. Table 1 summarizes the statistical results.

Table 1.

SUBSTITUTION DISTRIBUTION STATISTICS (delta IC / Z-coefficient)

                          Data In       Random In     Combiner Out

The Data are 26-Letter Text Static Substitution 1.66 / 1684 ---- / ---- 1.66 / 1684 Dynamic Substitution 1.66 / 1684 1.00 / -0.9 1.00 / 1.1 Vernam (exclusive-OR) 2.04 / 2393 1.00 / -0.4 1.00 / -1.0 The Data are One Value Repeated Dynamic Substitution 26.0 / 35347 1.00 / -0.3 1.00 / -0.2 Same, Inputs Reversed 1.00 / -0.2 26.0 / 35347 1.00 / -0.1 Vernam (exclusive-OR) 32.0 / 39360 1.00 / 0.0 1.00 / 0.0

Apparently, dynamic substitution does randomize a statistically non-random input, with results similar to the standard Vernam system.

INTERNAL-KNOWLEDGE ATTACKS

A simple dynamic substitution combiner might conceivably allow some sort of insight into the pseudo-random sequence with a known-plaintext attack. For example, after_xi_is enciphered to_yi_, an exchange occurs as a result of a particular pseudo-random value (j). If another_xi_occurs immediately, the resulting_yj_mapped value might somehow provide some insight into the value (j) taken from the pseudo-random sequence. Note that the random sequence value_j_is not directly available in this way, but only the mapped value. And if_xi_does not recur immediately, the mapping it eventually reveals may be the result of multiple exchanges, and so would be much less useful.

Another approach would be to concentrate on the next occurrence of_yi_in the ciphertext, which, if it recurred immediately, might somehow provide a similar insight to the preceding swap value (j). Since both a subsequent_xi_and a subsequent_yi_might somehow provide insight to the same swap value, it may be possible to achieve a likely confirmation. Again, this would be the_mapped_ value (xj), and not directly the desired pseudo-random value (j) itself. It is not clear how this information could be used to penetrate the cipher.

Penetration would seem to be easier if the known-plaintext_x_values were close together, because this would make a re-mapped mapping less likely. Thus, there is some reason to suspect that an uneven plaintext distribution (which is normal) would have some effect in making the system somewhat more vulnerable. But a good value distribution could be enforced by first randomizing the data with a Vernam (exclusive-OR) combiner (and a random-number stream) prior to dynamic substitution, or by using an additional level of dynamic substitution.

In any case, it is the responsibility of the rest of the system to assure that the same pseudo-random sequence will "never" be re-used. This is a normal requirement for Vernam stream ciphers, and is often handled with a _message key_[1].

POLYALPHABETIC DYNAMIC SUBSTITUTION

An obvious countermeasure to known-plaintext and chosen-plaintext attacks would be to use multiple different dynamic substitution maps (a polyalphabetic dynamic substitution cipher) [e.g. 1], and to select between them using a hidden pseudo-random sequence. Since consecutive xi elements would generally be enciphered in different maps, the use of repeated xi elements leads to the probability that some maps will be entered multiple times (on the same mapping) before all of the maps have been entered once, and this seems to substantially complicate cryptanalysis.

Moreover, the normal attacks on a polyalphabetic cipher are also statistical, and these seem likely to be complicated by the anti-statistical properties of the underlying permuting maps. Because the multiple maps are to be used at pseudo-random instead of in rotation, it would seem to be difficult for an analyst to isolate any particular map on which to work.

REAL CIPHER SYSTEMS

In broad terms, a Vernam stream cipher consists of an exclusive-OR combiner and some sort of confusion (random number) generator. However, real systems must be considerably more complex than this, since any cipher is only as strong as its weakest link.

Even a strong combiner and confusion generator can be made irrelevant if the system supports only a small number of keys, since simply trying all the keys (a key search attack) would be sufficient to penetrate such a cipher. Any real system based on keys must support enough keys to prevent this attack, but this is really more of an issue for the confusion generator than for the combiner.

There is a large body of literature on various sorts of pseudo-random number generators and some amount of work on their abilities to resist cryptanalysis. However, this literature is equally applicable to systems containing either dynamic substitution or Vernam exclusive-OR combiners, and so is essentially irrelevant to comparisons between the two.

INTERNAL STATE

Dynamic substitution combiners inherently contain internal_state_ data (in the finite automata sense [e.g. 8, p. 415]), while the exclusive-OR does not. This internal state data must be initialized before ciphering, and is continuously re-ordered as a consequence of both incoming data streams; thus, the internal state is a function of initialization and all subsequent data and confusion values. Consequently, if data errors occur during communication of the ciphertext, the deciphering process will deviate from the expected sequence, and will not re-synchronize. This problem is mitigated by the widespread use of the error-detection codes (e.g., CRC) and the error-correcting block re-transmissions now commonly used in data communications. Although there can be no such thing as an error rate of absolutely_zero_, computer data can be stored or communicated with_arbitrarily_low error rates based upon the relative economic impacts of errors versus error-protection. In practical terms, even very simple "binary protocols" (e.g., XMODEM) only rarely allow any errors to survive uncorrected, so error sensitivity is not nearly the problem it was in the days of manual telegraph operators or mechanical typing-telegraph machines.

The changing internal state of dynamic substitution is the source of its strength, and that state is affected by both input sequences. Thus, it should come as no surprise that the new combiner is not as tolerant of data errors as its weaker cousin, the exclusive-OR.

APPLICATIONS

Any substitution is a mapping (from input to output), and a mapping is the most general function possible; thus, it may be used to replace a network of simple logic operations. In particular, dynamic substitution might be designed to replace substitution-permutation functions [10, 11,16] (although large S-P functions might imply an exceedingly large map). In some cases, dynamic permutations of existing S-P maps may be used to strengthen those designs.

One use for dynamic substitution would be as a combining or mixing function on data streams. For example, dynamic substitution might easily replace the exclusive-OR logic function in a Vernam cipher. Or dynamic substitution could be used to combine two pseudo-random sequences [27, 28], in which case an inverse would be unnecessary.

Alternately, by making the domain and range of the substitution maps (f and f^-1) the same, dynamic substitution can be used in a product cipher [41], as one element in a chain or network of ciphering functions or modules.

CONCLUSIONS

The simple substitution cipher--normally one of the weakest in cryptography--becomes substantially stronger when the substitution table is changed during operation. By re-mapping at least the just-used symbol, the cipher acts to hide letter-frequency statistics, which have previously been the main avenue of entry into such a cipher. The polyalphabetic version seems even stronger.

ACKNOWLEDGMENTS

Many thanks to the referees for pointing out ambiguous discussions and important unmentioned issues. This work has improved because of their efforts.

REFERENCES

1. Beker, H. and F. Piper. 1982. _Cipher Systems._New York: John Wiley & Sons.

2. Beker, H. and F. Piper. 1985. Secure Speech Communications. London/Orlando: Academic Press.

3. Blum, L., M. Blum, and M. Shub. 1983. Comparison of Two Pseudo-Random Number Generators. Advances in Cryptology--Proceedings of Crypto 82. New York: Plenum Press. 61-78.

4. Ciarcia, S. 1986. Build a Hardware Data Encryptor.Byte. September. 97-111.

5. Deavours, C., D. Kahn, L. Kruh, G. Mellen, and B. Winkle. 1987. _Cryptology Yesterday, Today, and Tomorrow._Norwood, Mass: Artech House.

6. Deavours, C. 1987. Cryptanalytic Programs for the IBM PC. Laguna Hills, CA: Aegean Park Press.

7. Denning, D. 1982. _Cryptography and Data Security._Reading, Mass: Addison-Wesley.

8. Diffie, W. and M. Hellman. 1979. Privacy and Authentication: An Introduction to Cryptography. _Proceedings of the IEEE._67: 397-427.

9. Durstenfeld, R. 1964. Algorithm 235, Random Permutation, Procedure SHUFFLE. Communications of the ACM. 7:420

10. Feistel, H. 1973. Cryptography and Computer Privacy.Scientific American. 228: 15-23.

11. Feistel, H., W. Notz, and J. L. Smith. 1975. Some Cryptographic Techniques for Machine-to-Machine Data Communications. Proceedings of the IEEE. 63: 1545-1554.

12. Gaines, H. 1956 (original publication 1939).Cryptanalysis. New York: Dover Publications.

13. Geffe, P. 1973. How to protect data with ciphers that are really hard to break. Electronics. January 4. 99-101.

14. Hellman, M. 1977. An Extension of the Shannon Theory Approach to Cryptography. IEEE Transactions on Information Theory. IT23: 289-294.

15. Kahn, D. 1967. The Codebreakers. New York: Macmillan.

16. Kam, J. and G. Davida. 1979. Structured Design of Substitution-Permutation Encryption Networks. IEEE Transactions on Computers. 28: 747-753.

17. Knuth, D. 1981. _The Art of Computer Programming,_Vol. 2 Seminumerical Algorithms. 2nd ed. Reading, Mass: Addison-Wesley.

18. Kullback, S. 1976 (original publication 1938). Statistical Methods in Cryptanalysis. Laguna Hills, CA: Aegean Park Press.

19. MacLaren, M. D. and G. Marsaglia. 1965. Uniform Random Number Generators. Journal of the ACM. 12: 83-89.

20. Massey, J. 1988. An Introduction to Contemporary Cryptology.Proceedings of the IEEE. 76: 533-549.

21. Meier, W. and O. Staffelbach. 1988. Fast Correlation Attacks on Stream Ciphers (extended abstract). Advances in Cryptology--Eurocrypt 88. New York: Springer-Verlag. 301-314.

22. Mellen, G. 1973. Cryptology, Computers, and Common Sense.National Computer Conference, 1973, Proceedings. 569-579.

23. Mellen, G. 1983. Cryptanalysts' Corner. _Cryptologia._7: 371.

24. Meyer, C. and W. Touchman. 1972. Pseudorandom codes can be cracked. Electronic Design. 23: 74-76.

25. Meyer, C. 1973. Design considerations for cryptography.National Computer Conference, 1973, Proceedings. 603-606.

26. Meyer, C. and S. Matyas. 1982. Cryptography: A New Dimension in Computer Data Security. New York: John Wiley & Sons.

27. Michener, J. 1985. The "Generalized Rotor" Cryptographic Operator and Some of Its Applications. _Cryptologia._9: 97-113.

28. Michener, J. 1987. The Use of Complete, Nonlinear, Block Codes for Nonlinear, Noninvertible Mixing of Pseudorandom Sequences. Cryptologia. 11: 108-111.

29. Michener, J. 1987. The Application of Key Dependent and Variable Rotor Sets to Generalized Rotor Cryptographic Systems.Cryptologia. 11: 166-171.

30. Michener, J. 1988. A Tool for Secret Key Cryptography.Dr. Dobb's Journal. August. 50-55, 96.

31. Pearson, P. 1988. Cryptanalysis of the Ciarcia Circuit Cellar Data Encryptor. Cryptologia. 12: 1-9.

32. Pfleeger, C. 1989. _Security in Computing._Englewood Cliffs, New Jersey: Prentice Hall.

33. Pless, V. 1977. Encryption Schemes for Computer Confidentiality. _IEEE Transactions on Computers._C26: 1133-1136.

34. Reeds, J. 1977. "Cracking" a Random Number Generator.Cryptologia 1. (also [5, pp. 509-515]).

35. Retter, C. 1984. Cryptanalysis of a MacLaren-Marsaglia System. Cryptologia. 8: 97-108. (Also see letters and responses: Cryptologia. 8: 374-378).

36. Retter, C. 1985. A Key Search Attack on MacLaren-Marsaglia Systems. Cryptologia. 9: 114-130.

37. Rubin, F. 1978. Computer Methods for Decrypting Random Stream Ciphers. Cryptologia 2. (also [5, pp. 493-508]).

38. Rubin, F. 1979. Decrypting a Stream Cipher Based on J-K Flip-Flops. IEEE Transactions on Computers. C28: 483-487. (also Cryptologia Vol. 5, and [5, pp. 283-293]).

39. Rubin, F. 1987. Foiling an Exhaustive Key-Search Attack.Cryptologia. 11: 102-107.

40. Sancho, J. 1987. Enumeration of Multivariable Decipherable Boolean Functions. Cryptologia. 11: 172-180.

41. Shannon, C. 1949. Communication Theory of Secrecy Systems.Bell System Technical Journal. 28: 656-715.

42. Siegenthaler, T. 1984. Correlation-Immunity of Nonlinear Combining Functions for Cryptographic Applications. IEEE Transactions on Information Theory. IT30: 776-780.

43. Siegenthaler, T. 1985. Decrypting a Class of Stream Ciphers Using Ciphertext Only. _IEEE Transactions on Computers._C34: 81-85.

44. Siegenthaler, T. 1986. Design of Combiners to Prevent Divide and Conquer Attacks. Advances in Cryptology--CRYPTO '85, Proceedings. New York: Springer-Verlag. 273-279.

45. Sinkov, A. 1966. Elementary Cryptanalysis: A Mathematical Approach. Washington, DC: The Mathematical Association of America.

46. Stahl, F. 1973. A homophonic cipher for computational cryptography. National Computer Conference, 1973, Proceedings. 565-568.

47. Vernam, G. 1926. Cipher Printing Telegraph Systems.Transactions AIEE. 45: 295-301.

BIOGRAPHICAL SKETCH

Terry Ritter is a registered Professional Engineer, a member of IEEE and ACM, with a background in computer architecture, hardware, software, and now, library research. He has enjoyed spending the past few years being Blue Jean Software and Blue Jean Computer Engineering.


Terry Ritter, hiscurrent address, and his top page.

Last updated: 1996-01-04