Ritter's Crypto Glossary and
Dictionary of Technical Cryptography

Technical Cryptographic Terms Explained

Laugh at deceptive claims!
Learn why cryptography cannot be guaranteed!

See Cryptography's Hall of Shame!: Crypto Controversies

A Ciphers By Ritter Page

Terry Ritter

2007 August 16

Copyright 1995 to 2007 Terry Ritter. All Rights Reserved.

For a basic introduction to cryptography, see "Learning About Cryptography" @: http://www.ciphersbyritter.com/LEARNING.HTM. Please feel free to send comments and suggestions for improvement to: ritter@ciphersbyritter.com (you may need to copy and paste the address into a web email reader). You may wish to help support this work by patronizing "Ritter's Crypto Bookshop" at: http://www.ciphersbyritter.com/BOOKSHOP.HTM.


Index

0 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Or use the browser facility "Edit / Find on this page" to search for particular terms.


Major Topics


Contents

Introduction

0
1/f Noise, 8b10b
A
Abelian, Absolute, AC, Academic, Academic Break, Access, Access Control, Accident Fallacy, Accountability, Accuracy, Acronym, Active, ad baculum, Additive Combiner, Additive RNG, Additive Stream Cipher, Adduction, ad hoc, ad hominem, ad ignorantium, ad nauseam, ad populum, ad verecundiam, AES, Affine, Affine Boolean Function, Affine Cipher, Algebra, Algebraic Normal Form, Algebra of Secrecy Systems, Algorithm, Algorithmic Complexity, Alias File, Allan Variance, All or Nothing Transform, Alphabet, Alternative Hypothesis, Amphiboly, Amplifier, Amplitude, Anagram, Analog, Analogy, Analysis, AND, ANF, Anode, Antecedent, AONT, Appeal to Ignorance, Appeal to Tradition, Arc, Argument, Argumentation, Argument By Innuendo, Arity, ASCII, Associative, Assumption, Asymmetric Cipher, Asynchronous, Asynchronous Stream Cipher, Asynchronous Transmission, Attack, Attack Tree, Augmented Repetitions, Authentication, Authenticating Block Cipher, Authority, Autocorrelation, AUTODIN, Autokey, Automorphism, AUTOSEVOCOM, Availability, Avalanche, Avalanche Effect, Avalanche Multiplication, Axiom
B
Back Door, Balance, Balanced Block Mixer, Balanced Block Mixing, Balanced Combiner, Balanced Line, Bandwagon, Base-64, Base Spreading Resistance, BBM, BBS, BB&S, Begging the Question, Bel, Belief, Bent Function, Berlekamp-Massey, Bernoulli Trials, Bias, Bijection, Bijective, Bijective Compression, Binary, Binomial Distribution, Bipolar, Birthday Attack, Birthday Paradox, Bit, Bit Balance, Bit Permutation, Bit Permutation Cipher, Bit Shuffling, Bit Transposition, Black, Black Box, Block, Block Cipher, Block Cipher Definitions, Block Cipher and Stream Cipher Models, Block Code, Block Size, Blum, Blum and Shub, Boolean, Boolean Algebra, Boolean Function, Boolean Function Nonlinearity, Boolean Logic, Boolean Mapping, Braid, Branch Number, Break, Brute Force Attack, Bug, Burden of Proof, Butterfly, Bypass, Byte
C
C, CA, Capacitor, Cardinal, Card Stacking, Cartesian Product, Cascade, Cascade Ciphering, Cathode, CBC, c.d.f., Certify, Certification Authority, CFB, Chain, Chance, Chaos, Characteristic, Checkerboard Construction, Checksum, Chi-Square, Chosen Plaintext, Cipher, Cipher Block Chaining, Ciphering, Cipher System, Cipher Taxonomy, Cipher Testing, Ciphertext, Ciphertext Expansion, Ciphertext Feedback, Ciphertext Only, Ciphertext Only Attack, Ciphony, Circuit, Circular Argument, circulus in demonstrando, circulus in probando, Claim, Cleartext, Cloak2, Clock, Closure, Code, Codebook, Codebook Attack, Codebreaking, Codeword, Coding Theory, Coefficient, Cognitive Dissonance, Combination, Combinatoric, Combiner, Common Mode, Commutative, Complete, Complex Number, Complex Question, Component, Composite, Composition, Compression, Compromise, Computer, COMSEC, Conclusion, Condition, Conductor, Confidential, Confusion, Confusion Sequence, Congruence, Conjecture, Consequent, Conspiracy, Constant, Contextual, Contradiction, Conventional Block Cipher, Conventional Cipher, Conventional Current Flow, Convolution, Copyright, Corollary, Correlation, Correlation Coefficient, Counterexample, Counter Mode, Counting Number, Covariance, Coverage, CRC, Crib, CRNG, CRT, Cryptanalysis, Cryptanalyst, Crypto Controversies, Cryptographer, Cryptographic Hash, Cryptographic Mechanism, Cryptographic Random Number Generator, Cryptography, Cryptography War, Cryptology, Cryptosystem, Crystal, Crystal Oscillator, Current, Cycle, Cyclic Group, Cypher
D
Data, Data Compression, Data Fabrication, Data Falsification, Data Security, dB, DC, Debug, Decade, Deception, Decibel, Decimal, Decimation, Decipher, Decoupling, Decryption, Deductive Reasoning, Defined Plaintext, Defined Plaintext Attack, Degenerate Cycle, Degree, Degrees of Freedom, DeMorgan's Laws, Depletion Region, DES, Design Strength, Deterministic, Deus ex Machina, DH, Dialectic, Dichotomy, Dictionary Attack, Dictionary Fallacy, Differential Cryptanalysis, Differential Mode, Diffie Hellman, Diffusion, Digital, Digital Signature, Diode, Distinguisher, Distribution, Distributive, Divide and Conquer, Division, Dogma, Domain, Double Shuffling, DSA, DSP, DSS, Due Care, Due Diligence, Dyadic, Dynamic Keying, Dynamic Substitution Combiner, Dynamic Transposition
E
Ebers-Moll Model, ECB, ECC, ECDSA, EDE, Efficiency, Electric Field, Electromagnetic Field, Electromagnetic Interference, Electrostatic Discharge, Electronic, Electronic Codebook, EMI, Encipher, Encryption, Enemy, Engineering, Ensemble Average, Entropy, Equation, Equivocation, Ergodic, Ergodic Process, Error Correcting Code, Error Detecting Code, ESD, Even Distribution, Evidence, Exclusive-OR, Expectation, Exposure, Expression, Extraordinary Claims, Extractor
F
Fq, Fq*, (Fq,+), Factor, Factorial, Failure, Failure Modes and Effects Analysis, Fallacy, Fast Walsh Transform, Fault, Fault Tolerance, Fault Tree Analysis, FCSR, Feedback, Feistel, Feistel Construction, Fenced DES, Fencing, Fencing Layer, FFT, Field, FIFO, Filter, Finite Field, Finite State Machine, Flat Distribution, Flip-Flop, Flow Control, Formal Proof, Fourier Series, Fourier Theorem, Fourier Transform, Frequency, FSM, Function, FWT
G
(G,*), Gain, Galois Field, Game Theory, Garble, Gate, Gaussian, GCD, Geffe Combiner, Geiger-Mueller Tube, Generator, GF(x), GF(2), GF(2n), GF(2)[x], GF(2)[x]/p(x), Goodness of Fit, Gray Code, Greek Alphabet, Ground, Ground Loop, Group
H
Hadamard, Hamming Distance, Hardware, Hash, Hazzard, Heuristic, Hex, Hexadecimal, Hidden Markov Model, Hold Time, Homomorphism, Homophonic, Homophonic Substitution, HTTP Status Codes, Huge Block Cipher Advantages, Hybrid, Hypothesis
I
IDEA, Ideal Mixing, Ideal Secrecy, Identity, Identity Element, ignoratio elenchi, i.i.d., Imaginary Number, Impedance, Impedance Matching, Impossible, Improbable, Independent, Independent Variable, Inductive Reasoning, Inductor, Inference, Informal Proof, Information, Injective, Innuendo, Insulator, Integer, Integrity, Intellectual Property, Intermediate Block, Interval, Into, Invention, Inverse, Inverter, Invertible, Involution, Irreducible, Iterated Block Cipher, IV
J
Jitter, Jitterizer, Johnson Noise, Just Semantics
K
Karnaugh Map, KB, Kb, Kerckhoffs' Requirements, Key, Key Archives, Key Authentication, Key Distribution Problem, Key Loading, Key Loss, Key Management, Key Problems, Key Reuse, Key Selection, Key Storage, Key Transport, Keyed Substitution, Keyphrase, Key Schedule, Keyspace, Keystream, Keystroke, Known Plaintext, Known Plaintext Attack, Kolmogorov-Chaitin Complexity, Kolmogorov-Smirnov
L
Latency, Latin Square, Latin Square Combiner, Law, Layer, LC, Lemma, Letter Frequencies, LFSR, Lie, LIFO, Linear, Linear Complexity, Linear Cryptanalysis, Linear Equation, Linear Factor, Linear Feedback Shift Register, Linear Logic Function, Log2, Logic, Logic Fallacy, Logic Function, Logic Level, lsb, lsB
M
MAC, Machine Language, Magnetic Field, Man-in-the-Middle Attack, Mapping, Markov Chain, Markov Process, Mathematical Cryptography, Math Notation, Maximal Length, MB, Mb, MDS Codes, Mean, Mechanism, Mechanistic Cryptography, Median, Mere Semantics, Mersenne Prime, Message, Message Archives, Message Authentication, Message Authentication Code, Message Digest, Message Integrity, Message Key, Metastability, Method of Proof and Refutations, Military Grade, Misdirection, MITM, Mixing, Mixing Cipher, Mixing Cipher Design Strategy, Mod 2, Mod 2 Polynomial, Mode, Modulo, Monadic, Monoalphabetic Substitution, Monographic, Monoid, Monomial, msb, msB, M-Sequence, Multipermutation, Multiple Anagramming, Multiple Ciphering, Multiple Encryption
N
N, National Cryptologic Museum, Natural Number, Negative Resistance, NIST, Noise, Nomenclator, Nominal, non causa pro causa, Nonce, Nonlinearity, Nonrepudiation, non sequitur, Normal Distribution, NOT, Novelty, NSA, Null, Null Distribution, Null Hypothesis
O
OAEP, Object Code, Objective, Occam's Razor, Octal, Octave, OFB, Ohm's Law, Old Wives' Tale, oLs, One-Sided Test, One-Tailed Test, One Time Pad, One-To-One, One Way Diffusion, One Way Hash, Onto, Op Amp, Opcode, Operating Mode, Operational Amplifier, Opponent, Option, OR, Order, Ordinal, Orthogonal, Orthogonal Latin Squares, Oscillator, OTP, Output Feedback, Overall Diffusion
P
P-Value, Padding, Paradox, Parallel, Parity, Password, Patent, Patent Changes, Patent Claims, Patent Complaints, Patent Consequences, Patenting Cryptography, Patenting Software, Patent Infringement, Patent Reading, Patent Valuation, Path, Pedantic, Penknife, Perfect Secrecy, Period, Permutation, petitio principii, PGP, Phase, Phase Locked Loop, Phase Noise, Physically Random, Piezoelectric, Pink Noise, Pipeline, PKCS, PKI, Plagiarism, Plaintext, PLL, PN Sequence, Poisson Distribution, Polyalphabetic Combiner, Polyalphabetic Substitution, Polygram Substitution, Polygraphic, Polynomial, Polyphonic, Population, Population Estimation, post hoc ergo propter hoc, Power, Practice, PRBS, Precision, Predictable, Premise, Primitive, Primitive Polynomial, Prime, Prior Art, Privacy, PRNG, Probability, Process, Product Cipher, Proof, Propaganda, Proposition, Pseudorandom, PTO, Public Key Cipher, Public Key Infrastructure, Pure Cipher
Q
Qbit, Quality, Quality Management, Quantum Computer, Quantum Cryptography, Quartz, Quoting Out Of Context
R
R, R[x], R/I, Random, Randomness Testing, Random Number, Random Number Generator, Random Sampling, Random Variable, Random Walk, Range, Rationalization, Ratio Transformer, RC Filter, Reactance, Really Random, Real Number, Reasoning, Red, Red Herring, reductio ad absurdum, Redundancy, Relation, Relative Entropy, Relatively Prime, Relay, Reliability, Re-Originating Stream Cipher, Research Hypothesis, Resistor, Resistor Excess Noise, Resonance, Reverse CRC, Rhetoric, Ring, Ringing, Risk, Risk Analysis, Risk Management, Root, RMS, Root Mean Square, RNG, Round, RSA, Rule of Thumb, Running Key
S
SAC, Safe Prime, Salt, Sample, S-Box, Scalable, Scalar, Schematic Diagram, Science, Scientific Method, Scientific Model, Scientific Paper, Scientific Publication, Scrambler, Secrecy, Secret Code, Secret Key Cipher, Security, Security Through Obscurity, Seed, Self Inverse, Self-Synchronizing Stream Cipher, Semiconductor, Semigroup, Series, Session, Session Key, Set, Setup Time, Shannon, Shielding, Shift Register, Shot Noise, Shuffle, Sieve of Eratosthenes, Significance, Simple Substitution, Sine Wave, Single Point of Failure, Smooth Number, Snake Oil, Socrates, Socratic Method, Software, Software Engineering, Software Patent, Sophist, Sophistry, Source Code, S-P, Special Prime, Special Pleading, Specification, Speculation, Spin, SPN, Squares, Square Wave, SSL, Stability, Stake, Standard Cipher, Standard Deviation, State, State Machine, Static Electricity, Stationary Process, Statistic, Statistics, Steganography, Stochastic, Stochastic Process, Straw Man, Stream, Stream Cipher, Strength, Strict Avalanche Criterion (SAC), Structured Programming, Subjective, Substitution, Substitution Cipher, Substitution-Permutation, Substitution Table, Superencipherment, Superencryption, Superposition, Surjective, Switch, Switching Function, Symmetric Cipher, Symmetric Group, Synchronization, Synchronous, Synchronous Stream Cipher, Synthesis, System, System Design
T
Table Selection Combiner, Tautology, Taxonomy, Temperature, TEMPEST, Temporal Average, Term, Term of Art, Test, Theorem, Theory, Thermal Noise, Thesis, Threat, Threat Model, Time Constant, Trademark, Trade Secrecy, Traffic Analysis, Trajectory, Transformer, Transistor, Transistor Saturation, Transistor Self-Bias, Transposition, Transposition Cipher, Trap Door, Tree Analysis, Trinomial, Triple DES, TRNG, Trojan Horse, Truly Random, Trust, Truth Table, tu quoque, Tunneling, Two-Sided Test, Two-Tailed Test, Type I Error, Type II Error
U
UFN, Unary, Unbalanced Feistel Network, Uncertainty, Unexpected Distance, Unicity Distance, Uniform Distribution, Universe, Unknowable, Unpredictable, User Authentication
V
Variable, Variable Size Block Cipher, Variance, VCO, Vector, VENONA, Vernam Cipher, Vet, Voltage, Voltage Controlled Oscillator, Voltage Divider, Vulnerability
W
Walsh Functions, Walsh-Hadamard Transform, Weak Key, Weight, Whitening, White Noise, WHT, Wide Trail Strategy, Wire, Work Characteristic
X
XOR, XOR Encryption
Z
Z, Zener Breakdown, Zeroize, Zn, Zn*, (Z,+), (Z,+,*), Z/n, Z/p, Z/pZ, (Z/pZ)[x]

Introduction to the Crypto Glossary

This Glossary started as a way to explain the terms on my cryptography web pages describing my:

Having a Glossary meant I could reduce the text on most pages, while expanding background for the definitions, and relating the ideas to other similar, contradictory, or more basic ideas.

Why Bother with Definitions?

The value of a definition is insight. But:

  • Simple descriptions are not always possible.
  • Terms have meaning within particular contexts.
  • Tedious examples may be required to expose the full meaning.
Good definitions can expose assumptions and provide a basis for reasoning to larger conclusions.

Consider the idea that cryptography is used to keep secrets: We expect a cipher to win each and every contest brought by anyone who wishes to expose secrets. We call those people opponents, but who are they really, and what can they do? In practice, we cannot know. Opponents operate in secret: We do not know their names, nor how many they are, nor where they work. We do not know what they know, nor their level of experience or resources, nor anything else about them. Because we do not know our opponents, we also do not know what they can do, including whether they can break our ciphers. Unless we know these things that cannot be known, we cannot tell whether a particular cipher design will prevail in battle. We cannot expect to know when our cipher has failed.

Even though the entire reason for using cryptography is to protect secret information, it is by definition impossible to know whether a cipher can do that. Nobody can know whether a cipher is strong enough, no matter how well educated they are, or how experienced, or how well connected, because they would have to know the opponents best of all. The definition of cryptography implies a contest between a cipher design and unknown opponents, and that means a successful outcome cannot be guaranteed by anyone.

Sometimes the Significance is Implied

Consider the cryptographer who says: "My cipher is strong," and the cryptanalyst who says: "I think your cipher is weak." Here we have two competing claims with different sets of possibilities: First, the cryptographer has the great disadvantage of not being able to prove cipher strength, nor to even list every possible attack so they can be checked. In contrast, the cryptanalyst might be able to actually demonstrate weakness, but only by dint of massive effort which may not succeed, and will not be compensated even if it does. Consequently, most criticisms will be extrapolations, possibly based on experience, and also possibly wrong.

The situation is inherently unbalanced, with a bias against the cryptographer's detailed and thought-out claims, and for mere handwave first-thoughts from anyone who deigns to comment. This is the ultimate conservative bias against anything new, and for the status quo. Supposedly the bias exists because if the cryptographer's claim is wrong user secrets might be exposed. But the old status-quo ciphers are in that same position. Nothing about an old cipher makes it necessarily strong.

Unfortunately, for users to benefit from cryptography they have to accept some strength argument. Even more unfortunately:

  • Many years of trusted use do not testify about strength, but do provide both motive and time for opponents to develop secret attacks.
  • Many failures to break a cipher do not imply it is strong.
  • There can be no expertise on the strength of unbroken ciphers.
So on the one hand we need a cipher, and on the other have no way to know how strong the various ciphers are. For an industry, this is breathtakingly disturbing.

In modern society we purchase things to help us in some way. We go to the store, buy things, and they work. Or we notice the things do not work, and take them back. We know to take things back because we can see the results. Manufactured things work specifically because design and production groups can test which designs work better or worse or not at all. In contrast, if the goal of cryptography is to keep secrets, we generally cannot expect to know whether our cipher has succeeded or failed. Cryptography cannot test the fundamental property of interest: whether or not a secret has been kept.

The inability to test for the property we need is an extraordinary situation; perhaps no other manufactured thing is like that. Because the situation is unique, few understand the consequences. Cryptography is not like other manufactured things: nobody can trust it because nobody can test it. Nobody, anywhere, no matter how well educated or experienced, can test the ability of an unbroken cipher to keep a secret in practice. Thus we see how mere definitions allow us to deduce fundamental limitations on cryptography and cryptanalysis by simple reasoning from a few basic facts.

Relationships Between Ideas

The desire to expose relationships between ideas meant expanding the Glossary beyond cryptography per se to cover terms from related areas like electronics, math, statistics, logic and argumentation. Logic and argumentation are especially important in cryptography, where measures are few and math proofs may not apply in practice.

This Crypto Glossary is directed toward anyone who wants a better understanding of what cryptography can and cannot do. It is intended to address basic cryptographic principles in ways that allow them to be related, argued, and deeply understood. It is particularly concerned with fundamental limits on cryptography, and contradictions between rational thought and the current cryptographic wisdom. Some of these results may be controversial.

The Glossary is intended to build the fundamental understandings which lie at the base of all cryptographic reasoning, from novice to professional and beyond. It is particularly intended for users who wish to avoid being taken in by attacker propaganda. (Propaganda is an expected part of cryptography, since it can cause users to take actions which make things vastly easier for opponents.) The Glossary is also for academics who wish to see and avoid the logic errors so casually accepted by previous generations. One goal of the Glossary is to clarify the usual casual claims that confuse both novices and professionals. Another is to provide some of the historical technical background developed before the modern mathematical approach.

Reason in Cryptography

The way we understand reality is to follow logical arguments. All of us can do this, not just professors or math experts. Even new learners can follow a cryptographic argument, provided it is presented clearly. So, in this Glossary, one is occasionally expected to actually follow an argument and come to a personal conclusion. That can be scary when the result contradicts the conventional wisdom; one then starts to question both the argument and the reasoning, as I very well know. But that scary feeling is just an expected consequence of a field which has allowed various unsupported claims and unquestioned beliefs to wrongly persist (see old wives' tales).

Unfortunately, real cryptography is not well-modeled by current math (for example, see proof and cryptanalysis). It is normally expected that the link between theory and reality is provided by the assumptions the math requires. (Obviously, proof conclusions only apply in practice when every assumed quality actually occurs in practice.) In math, each of these assumptions has equal value (since the lack of any one will void the conclusion), but in practice some assumptions are more equal than others. Certain assumptions conceivably can be guaranteed by the user, but other assumptions may be impossible to guarantee. When a model requires assumptions that cannot be verified in practice, that model cannot predict reality.

Current mathematical models almost never allow situations where the user can control every necessary assumption, making most proof results meaningless in practice. In my view, mathematical cryptography needs practical models. Of course, one might expect more realistic models to be less able to support the current plethora of mathematical results. Due to the use of more realistic models, some results in the Crypto Glossary do contradict well-known math results.

Opposing Philosophies

By carrying the arguments of conventional cryptographic wisdom to their extremes, it is possible to see two opposing groups, which some might call theoretical versus practical. While this simplistic model is far too coarse to take very seriously, it does have some basis in reality.

The Crypto Theorists supposedly argue that no cryptosystem can be trusted unless it has a mathematical proof, since anything less is mere wishes and hope. Unfortunately, there is no such cryptosystem. No cipher can be guaranteed strong in practice, and that is the real meaning of the one time pad. As long as even one unbreakable system existed, there was at least a possibility of others, but now there is no reason for such hope. The OTP is secure only in simplistic theory, and strength cannot be guaranteed in practice for users. This group seems most irritating when they imply that math proofs are most important, even when in practice those proofs provide no benefits to the user.

The Crypto Practitioners supposedly argue that systems should be designed to oppose the most likely reasonable threats, as in physical threat model analysis. In the physical world it is possible to make statements about limitations of opponents and attacks; unfortunately, few such statements can be made in cryptography. In cryptography, we know neither the opponents nor their attacks nor what they can do in combination. Successful attack programs can be reproduced and then applied by the most naive user, who up to that time had posed only the most laughable threat.

Both groups are wrong: There will be no proof in practice, and speculating on the abilities of the opponents is both delusional and hopeless. Moreover, no correct compromise seems possible. Taking a little proof from one side and some threat analysis from the other simply is not a valid recipe for making secure ciphers.

There is a valid recipe for security and that is a growing, competitive industry of cipher development. Society needs more than just a few people developing a handful of ciphers, but actual design groups who continually innovate, design, develop, measure, attack and improve new ciphers in a continuing flow. That is expensive work, as the NSA budget clearly shows. Open society will get such results only if open society will pay for them. Since payment is the issue, it is clear that "free" ciphers act to oppose exactly the sort of open cryptographic development society needs.

Absent an industry of cipher design, perhaps the best we can do is to design systems in ways such that a cipher actually can fail, while the overall system retains security. That is redundancy, and is a major part of engineering most forms of life-critical systems (e.g., airliners), except for cryptography. The obvious start is multiple encryption.

What is the Point?

The practical worth of all this should be a serious regard for cryptographic risk. The possibility of cryptographic failure exists despite all claims and proofs to the contrary. Users who have something to protect must understand that cryptography has risks, and there is a real possibility of failure. If a possibility of information exposure is acceptable, one might well question the use of cryptography in the first place.

Even if users only want their information probably to be secure, they still have a problem: Only our opponents know our cipher failures, because they occur in secret. Our opponents do not expose our failures because they want those ciphers to continue in use. Few if any users will know when there is a problem, so we cannot count how many ciphers fail, and so cannot know that probability. Since there can be no expertise about what unknown opponents do, looking for an "expert opinion" on cipher failure probabilities or strength is just nonsense.

Conventional cryptographic expertise is based on the open literature. Unfortunately, unknown attacks can exist, and even the best informed cannot predict strength against them. While defending against known attacks may seem better than nothing, that actually may be nothing to opponents who have another approach. In the end, cipher and cryptosystem designers vigorously defend against attacks from academics who will not be their opponents.

On the other hand, even opponents read the open literature, and may make academic attacks their own. But surprisingly few academic attacks actually recover key or plaintext and so can be said to be real, practical threats. Much of the academic literature is based on strength assumptions which cannot be guaranteed or vulnerability assumptions which need not exist, making the literature less valuable in practice than it may appear.

Math cannot prove that a cipher is strong in practice, so we are forced to accept that any cipher may fail. We do not, and probably can not know the likelihood of that. But we do know that a single cipher is a single point of failure which just begs disaster. (Also see standard cipher.)

It is possible to design in ways which reduce risk. Systems can be designed with redundancy to eliminate the single point of failure (see multiple encryption). This is often done in safety-critical fields, but rarely in cryptography. Why? Presumably, people have been far too credulous in accepting math proofs which rarely apply in practice. Thus we see the background for my emphasis on basics, reasoning, proof, and realistic math models.
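
As an added illustration of the redundancy idea above (and of the multiple-encryption remark under Opposing Philosophies), not code from the Glossary: a two-layer cascade built from two stand-in stream ciphers, here counter-mode keystreams from SHA-256 and BLAKE2b standing in for two independently designed ciphers, each under its own key. It shows the property wanted from redundancy (an opponent who learns one key still faces the other layer, and sees a result that differs from the plaintext in about half its bits) and the pitfall that defeats it (two layers of the same XOR stream cipher under the same key cancel exactly, so "double encryption" delivers nothing). The keys and the sample text are constructed for the example.

```python
"""Two-layer cascade ("multiple encryption") with independent keys, plus the key-reuse pitfall."""
import hashlib


def _counter_stream(prf, key: bytes, length: int) -> bytes:
    """Counter-mode keystream: PRF(key || counter) blocks, truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += prf(key + counter.to_bytes(8, "big"))
        counter += 1
    return bytes(out[:length])


def layer_a(key: bytes, length: int) -> bytes:
    """Stand-in for cipher A: SHA-256 counter-mode keystream (example only, not a real cipher)."""
    return _counter_stream(lambda blk: hashlib.sha256(blk).digest(), key, length)


def layer_b(key: bytes, length: int) -> bytes:
    """Stand-in for cipher B: BLAKE2b counter-mode keystream, i.e. a different design than A."""
    return _counter_stream(lambda blk: hashlib.blake2b(blk).digest(), key, length)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cascade_encrypt(key_a: bytes, key_b: bytes, plaintext: bytes) -> bytes:
    """Layer A first, then layer B, under two independently chosen keys."""
    inner = xor_bytes(plaintext, layer_a(key_a, len(plaintext)))
    return xor_bytes(inner, layer_b(key_b, len(plaintext)))


def cascade_decrypt(key_a: bytes, key_b: bytes, ciphertext: bytes) -> bytes:
    inner = xor_bytes(ciphertext, layer_b(key_b, len(ciphertext)))
    return xor_bytes(inner, layer_a(key_a, len(ciphertext)))


def strip_layer_a_only(key_a: bytes, ciphertext: bytes) -> bytes:
    """What an opponent holding only key_a recovers: the plaintext still masked by layer B."""
    return xor_bytes(ciphertext, layer_a(key_a, len(ciphertext)))


def differing_bit_fraction(a: bytes, b: bytes) -> float:
    """Fraction of bit positions where a and b differ (about 0.5 for a well-masked value)."""
    return sum(bin(x).count("1") for x in xor_bytes(a, b)) / (8 * len(a))


def same_cipher_same_key_twice(key: bytes, plaintext: bytes) -> bytes:
    """Pitfall: two layers of the same XOR stream cipher under the same key cancel exactly."""
    once = xor_bytes(plaintext, layer_a(key, len(plaintext)))
    return xor_bytes(once, layer_a(key, len(plaintext)))


# Constructed sample data for the example; not real keys.
KEY_A = b"example key for layer A, not a real secret"
KEY_B = b"example key for layer B, chosen independently"
PLAINTEXT = b"Off-site archive: design notes and keys in here would be bad."

if __name__ == "__main__":
    ct = cascade_encrypt(KEY_A, KEY_B, PLAINTEXT)
    print(cascade_decrypt(KEY_A, KEY_B, ct) == PLAINTEXT)                     # True
    print(differing_bit_fraction(strip_layer_a_only(KEY_A, ct), PLAINTEXT))   # roughly 0.5
    print(same_cipher_same_key_twice(KEY_A, PLAINTEXT) == PLAINTEXT)          # True: no protection
```

The cancellation in the last line is specific to XOR-type layers sharing one keystream; a block cipher applied twice under one key does not cancel, but it still leaves the cascade with a single key as its single point of failure. The redundancy argument in the text only holds when the layers are different designs under keys that are chosen, stored and transported independently.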

Simple Encryption

To protect against fire, flood or other disaster, most software developers should store their current work off-site. The obvious solution is to first encrypt the files and then upload an archive to a web site. The straightforward use of cryptography to protect archives is an example of the pristine technical situation often seen as normal. Then we think of cipher strength and key protection, which seem to be all there is. But most cryptography is not that simple.

Climate of Secrecy. For any sort of cryptography to work, those who use it must not give away the secrets. Most times keeping secrets is as easy, or as hard, as just not talking or writing about them. Issues like minimizing paper output and controlling and destroying copies seem fairly obvious, although hardly business as usual. But secrets are almost always composed in plaintext, and the computers doing that may have plaintext secrets saved in various hidden operating system files. And opponents may introduce programs to compromise computers which handle secrets. It is thus necessary to control all forms of access to equipment which holds secrets, despite that being awkward and difficult. It is especially difficult to control access on the net.

Network Security. Computers only can do what they are told to do. When network designers decide to include features which allow attacks, that decision is as much a part of the problem as an attack itself. It seems a bit much to complain about insecurity when insecurity is part of the design. Design decisions have made the web insecure. Until web systems only implement features which maintain security, there can be none.

It is possible to design computing systems more secure than the ones we have now. If we provide no internal support for external attack, no attacks can prevail. The entire system must be designed to limit and control external web access and prevent surprises that slip by unnoticed. We can decompose the system into relatively small modules, and then test those modules in a much stronger way than trying to test a complex program. A possible improvement might be some form of restricted intermediate or quarantine store between the OS and the net. Better security design may mean that some things now supported insecurely no longer can be supported at all.

Current practice identifies two environments: The local computer, which is "fully" trusted, and the Internet, which is not trusted. This verges on a misuse of the concept of trust, which requires substantial consequences for misuse or betrayal. Absent consequences, trust is mere unsupported belief and provides no basis for reasoning. We do not trust a machine per se, since it only does what the designer made it do. And when there are no consequences for bad design, there really is no reason to trust the designer either.

A better approach would be fine OS control over individual programs, including individual scripts, providing validation and detailed limits on what each program can do, on a per-program basis. This would expand the firewall concept from just net access to every resource, including processor time, memory, all forms of I/O, plus the ability to invoke, or be invoked by, other programs. For example, most programs do not need, and so would not be allowed, net access, even if invoked by a program or running under a process which has such access. Programs received from the net would by default start out in quarantine, not have access to normal store, and could run only under strong limitations. A human would have to explicitly elevate them to a selected higher status, with the change logged. Program operation exceeding limitations would be prevented, logged, and accumulated in a control which supported validation, fine tuning, selective responses and serious quarantine.
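
As an added sketch of the control described above (not part of the Glossary, and not a real operating-system interface), here is a small Python model of a per-program policy: every program carries its own limits, a program received from the net starts in quarantine regardless of what it asks for, limits are never inherited from the invoking program, only a logged human action can raise them, and denied operations are counted so that a repeat offender can be flagged for serious quarantine. The resource names, limit values and the browser/script scenario are the example's own.

```python
"""Model of per-program resource control with default quarantine for net-origin programs."""
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Limits:
    """What one program may do. Nothing here is inherited from whoever invoked it."""
    net: bool = False
    normal_store: bool = False
    quarantine_store: bool = True
    cpu_seconds: int = 5
    memory_mb: int = 64
    may_invoke: FrozenSet[str] = frozenset()


QUARANTINE = Limits()  # the default for anything that arrived from the net


@dataclass
class Program:
    name: str
    origin: str              # "local" or "net" (hypothetical labels for the example)
    limits: Limits
    invoked_by: Optional[str] = None


class Controller:
    def __init__(self, violation_threshold: int = 3):
        self.programs: Dict[str, Program] = {}
        self.log: List[Tuple] = []
        self.violations: Dict[str, int] = {}
        self.threshold = violation_threshold

    def register(self, name: str, origin: str, requested: Limits = QUARANTINE,
                 invoked_by: Optional[str] = None) -> Program:
        limits = QUARANTINE if origin == "net" else requested   # net-origin: quarantined regardless
        if invoked_by is not None and name not in self.programs[invoked_by].limits.may_invoke:
            self._deny(invoked_by, f"invoke:{name}")
            raise PermissionError(f"{invoked_by} may not invoke {name}")
        prog = Program(name, origin, limits, invoked_by)
        self.programs[name] = prog
        self.log.append(("register", name, origin, "quarantine" if limits is QUARANTINE else "custom"))
        return prog

    def elevate(self, name: str, operator: str, **changes) -> Limits:
        """Only an explicit human action raises limits, and the change is logged with who did it."""
        prog = self.programs[name]
        prog.limits = replace(prog.limits, **changes)
        self.log.append(("elevate", name, operator, tuple(sorted(changes.items()))))
        return prog.limits

    def request(self, name: str, resource: str, amount: int = 0) -> bool:
        lim = self.programs[name].limits            # the program's OWN limits, never its parent's
        allowed = {
            "net": lim.net,
            "normal_store": lim.normal_store,
            "quarantine_store": lim.quarantine_store,
            "cpu": amount <= lim.cpu_seconds,
            "memory": amount <= lim.memory_mb,
        }.get(resource, False)
        if not allowed:
            self._deny(name, resource)
        return allowed

    def _deny(self, name: str, resource: str) -> None:
        """Prevent, log, and accumulate: the record later drives tuning or isolation."""
        self.violations[name] = self.violations.get(name, 0) + 1
        self.log.append(("deny", name, resource))

    def needs_hard_quarantine(self, name: str) -> bool:
        """Accumulated violations past the threshold: candidate for isolation and review."""
        return self.violations.get(name, 0) >= self.threshold


def run_scenario() -> dict:
    """A net-capable browser invokes a script it fetched; the script must not inherit net access."""
    ctl = Controller()
    ctl.register("browser", "local",
                 Limits(net=True, normal_store=True, may_invoke=frozenset({"fetched_script"})))
    ctl.register("fetched_script", "net",
                 requested=Limits(net=True, normal_store=True),   # asked for, not granted
                 invoked_by="browser")
    result = {
        "script_net": ctl.request("fetched_script", "net"),
        "script_normal_store": ctl.request("fetched_script", "normal_store"),
        "script_quarantine_store": ctl.request("fetched_script", "quarantine_store"),
        "script_memory_ok": ctl.request("fetched_script", "memory", 32),
        "script_memory_excess": ctl.request("fetched_script", "memory", 512),
    }
    try:                                            # quarantined code may not spawn helpers
        ctl.register("helper", "local", invoked_by="fetched_script")
        result["script_can_invoke_helper"] = True
    except PermissionError:
        result["script_can_invoke_helper"] = False
    ctl.elevate("fetched_script", operator="alice", normal_store=True)   # human grants store, not net
    result["script_normal_store_after"] = ctl.request("fetched_script", "normal_store")
    result["script_net_after"] = ctl.request("fetched_script", "net")
    result["violations"] = ctl.violations["fetched_script"]
    result["hard_quarantine"] = ctl.needs_hard_quarantine("fetched_script")
    result["log_has_elevation"] = any(entry[0] == "elevate" for entry in ctl.log)
    return result


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key:28s} {value}")
```

The point of the model is the lookup in request(): the decision consults only the requesting program's own limits, so a script running under a browser that has net access still gets "net" denied, and the only way that changes is an elevate() call carrying an operator name into the log.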

Security is Off-The-Net. The best way to avoid web insecurity has nothing to do with cryptography. The way to avoid web insecurity is to not connect to the web, ever. Use a separate computer for secrets, and do not connect it to the net, or even a LAN, since computers on the LAN probably will be on the net. Carefully move information to and from the secrets computer with a USB flash drive, and treat that drive as controlled equipment too, since removable media carry programs as readily as data. Protect access to that equipment.

Glossary Structure and Use

For most users, the Crypto Glossary will have many underlined (or perhaps colored) words. Usually, those are hypertext "links" to other text in the Glossary; just click on the desired link.

Links to my other pages generally offer a choice between a "local" link or a full web link. The user working from a downloaded copy of the Glossary only would normally use the full web links. The user working from a CD or disk-based copy of all my pages would normally use the local links.

Links to my other pages also generally open and use another window. (Hopefully that will avoid the need to reload the Glossary after a reference to another article.) Similarly, links from my other pages to terms in the Glossary also generally open a window specifically for the Glossary. (In many cases, that will avoid reloading the Glossary for every new term encountered on those pages.)

In cryptography, as in much of language in general, the exact same word or phrase often is used to describe two or more distinct ideas. Naturally, this leads to confused, irreconcilable argumentation until the distinction is exposed (and often thereafter). Usually I handle this in the Crypto Glossary by having multiple numbered definitions, with the most common usage (not necessarily the best usage) being number 1.

The worth of this Glossary goes beyond mere definitions. Much of the worth is the relationships between ideas: Hopefully, looking up one term leads to other ideas which are similar or opposed or which support the first. The Glossary is a big file, but breaking it into many small files would ruin much of the advantage of related ideas, because then most related terms would be in some other part. And although the Glossary could be compressed, that would generally not reduce download time, because most modems automatically compress data during transmission anyway. Dial-up users typically should download the Glossary onto local storage, then use it locally, updating periodically.

Value

I have obviously spent a lot of personal time constructing this Crypto Glossary, with the hope that it would be more than just background to my work. Hopefully, the Glossary and the associated introduction: "Learning About Cryptography" (see locally, or @: http://www.ciphersbyritter.com/LEARNING.HTM) will be of some wider benefit to the crypto community. So, if you have used this Glossary lately, why not drop me a short email and tell me so? Feel free to tell me how much it helped or even how it failed you; perhaps I can make it better for the next guy. If you use web email, just copy and paste my email address: ritter@ciphersbyritter.com


1/f Noise
In electronics, a random-like analog signal with amplitude proportional to the inverse of frequency. Also called "flicker." Well known both in semiconductor electronics and physics. Not a white noise, but a pink noise.

Resistor excess noise is a 1/f noise generated in non-homogeneous resistances, such as the typical thick-film surface-mount (SMT) resistor composed of conductor particles and fused glass. It is thought that DC current forms a preferential path through the conductive grains, a path that varies dynamically at random, thus modulating the resistance and creating noise. Homogeneous metal films do not have 1/f noise.

The especially large amount of 1/f noise in MOSFETs could be understood if the glass layer the gate rests on is unexpectedly rough. That could create islands of conduction (which some literature appears to support), which then act like resistive grains.

In a single-crystal semiconductor, 1/f noise may be related to the organization of atomic bonding at the outside surfaces, which must be different than inside the crystalline bulk material. If the semiconductor surface could be shown to be composed of conductive islands, that would be an enlightening result.

8b10b
A block code which represents 8-bit data as 10-bit values or codewords. This gives 1024 codewords to encode 256 values plus perhaps 12 new control codes; this freedom can be used to approach general bit balance in each codeword. However, since a 10-bit code has only 252 balanced values (whereas 256 data and perhaps 12 control symbols are required), balancing must extend across codewords. The encoding process must maintain a count of the current unbalance and correct that in the next codeword. Also see coding theory.

Abelian
In abstract algebra, a commutative group or ring.

Absolute
In the study of logic, something observed similarly by most observers, or something agreed upon, or which has the same value each time measured. Something not in dispute, unarguable, and independent of other state. As opposed to contextual.

AC
Alternating Current: Electrical power which repeatedly reverses direction of flow. As opposed to DC.

Generally used for power distribution because the changing current supports the use of transformers. Utilities can thus transport power at high voltage and low current, which minimizes "ohmic" or I²R losses. The high voltages are then reduced at power substations and again by pole transformers for delivery to the consumer.

Academic
1. Scholarly.
2. Theoretical.
3. Conventional.
4. Impractical.

Academic Break
A break or technically successful attack which is also impractical. See: academic.

Access
The ability (right or permission) to interact with (approach, enter, speak with, read or use) some one or some thing.

Access Control
A possible goal of cryptography. The idea of restricting documents, equipment or keys to those authorized such access.

Accountability
Nonrepudiation. A goal of cryptography. Responsibility for messages sent.

Accuracy
The ratio of a measured value to the true value. A percentage of the measured value, surrounding the measured value, which is supposed to contain the correct value. Also see: precision.

Acronym
A word constructed from the beginning letters of each word in a phrase or a name or a title.

Active
1. In motion, or in use. In contrast to "passive."
2. An S-box whose input has changed.

Additive Combiner
An additive combiner uses numerical concepts similar to addition to mix multiple values into a single result. This is the basis for conventional stream ciphering. Also see extractor.

One example is byte addition modulo 256, which simply adds two byte values, each in the range 0..255, and produces the remainder after division by 256, again a value in the byte range of 0..255. The modulo is automatic in an addition of two bytes which produces a single byte result. Subtraction is also an "additive" combiner.

Another example is bit-level exclusive-OR, which is addition mod 2. A byte-level exclusive-OR is a polynomial addition over GF(2): addition mod 2 in every bit position, with no carries between positions.

Additive combiners are linear, in contrast to nonlinear combiners such as:

Additive RNG
(Additive random number generator.) An LFSR-based RNG typically using multi-bit elements and integer addition (instead of XOR) combining. References include:
Knuth, D. 1981. The Art of Computer Programming, Vol. 2, Seminumerical Algorithms. 2nd ed. 26-31. Addison-Wesley: Reading, Massachusetts.
Marsaglia, G. and L. Tsay. 1985. Matrices and the Structure of Random Number Sequences. Linear Algebra and its Applications. 67:147-156.

Advantages include:

  • A long, mathematically proven cycle length.
  • Especially efficient software implementations.
  • Almost arbitrary initialization (some element must have its least significant bit set).
  • A simple design which is easy to get right.

In addition, a vast multiplicity of independent cycles has the potential of confusing even a quantum computer, should such a thing become realistic.

For Degree-n Primitive, and Bit Width w
   Total States:       2^(nw)
   Non-Init States:    2^(n(w-1))
   Number of Cycles:   2^((n-1)(w-1))
   Length Each Cycle:  (2^n - 1) * 2^(w-1)
   Period of lsb:      2^n - 1

The binary addition of two bits with no carry input is just XOR, so the lsb of an Additive RNG has the usual maximal length period.

A degree-127 Additive RNG using 127 elements of 32 bits each has 2^4064 unique states. Of these, 2^3937 are disallowed by initialization (the lsbs are all 0), but this is just one unusable state out of 2^127. There are still 2^3906 cycles which each have almost 2^158 steps. (The Cloak2 stream cipher uses an Additive RNG with 9689 elements of 32 bits, and so has 2^310048 unique states. These are mainly distributed among 2^300328 different cycles with almost 2^9720 steps each.)

Like any other LFSR, and like any other RNG, and like any other FSM, an Additive RNG is very weak when standing alone. But when steps are taken to hide the sequence (such as using a jitterizer nonlinear filter and Dynamic Substitution combining), the resulting cipher can have significant strength.
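The state-count table above can be checked by brute force at toy sizes. The following is an added example, not code from the glossary or from Cloak2: it implements the recurrence x[i] = (x[i-n] + x[i-k]) mod 2^w, enumerates every state for a small primitive trinomial, and compares the cycle structure with the formulas. The parameters n = 3, k = 1, w = 2 and n = 4, k = 1, w = 3 are my choice; the glossary's own 127 x 32 configuration is far too large to enumerate, so predicted() simply evaluates the table for it.

```python
"""Cycle structure of a small Additive RNG (added example, not glossary code).

x[i] = (x[i-n] + x[i-k]) mod 2**w.  The recurrence's characteristic polynomial
is x**n + x**(n-k) + 1, which is primitive exactly when x**n + x**k + 1 is.
The state is the last n words; step() is a bijection on states because
x[i-n] = x[i] - x[i-k] recovers the dropped word, so every state lies on a cycle.
"""
from itertools import product


def step(state, k, w):
    """Produce one word and slide the window.  state = (x[i-n], ..., x[i-1]),
    so x[i-k] is state[-k]; the mask keeps the sum to w bits."""
    new = (state[0] + state[-k]) & ((1 << w) - 1)
    return state[1:] + (new,)


def cycle_structure(n, k, w):
    """{cycle length: number of cycles} over all 2**(n*w) states, by walking
    each unvisited state until it returns to itself."""
    seen, counts = set(), {}
    for start in product(range(1 << w), repeat=n):
        if start in seen:
            continue
        s, length = start, 0
        while s not in seen:
            seen.add(s)
            s = step(s, k, w)
            length += 1
        counts[length] = counts.get(length, 0) + 1
    return counts


def predicted(n, w):
    """The glossary's table for a degree-n primitive trinomial and w-bit elements."""
    return {
        "total_states": 2 ** (n * w),
        "non_init_states": 2 ** (n * (w - 1)),   # every element even: all lsbs 0
        "cycles": 2 ** ((n - 1) * (w - 1)),
        "cycle_length": (2 ** n - 1) * 2 ** (w - 1),
        "lsb_period": 2 ** n - 1,
    }


def check(n, k, w):
    """True when brute force agrees with predicted(): exactly the predicted
    number of maxim al-length cycles, together covering every state that has at
    least one odd element, and the lsb alone (w = 1) running as a maximal LFSR."""
    table, found = predicted(n, w), cycle_structure(n, k, w)
    maximal = found.get(table["cycle_length"], 0)
    usable = table["total_states"] - table["non_init_states"]
    lsb_only = cycle_structure(n, k, 1)
    return (maximal == table["cycles"]
            and maximal * table["cycle_length"] == usable
            and lsb_only == {1: 1, table["lsb_period"]: 1})
```

cycle_structure(3, 1, 2) gives {14: 4, 7: 1, 1: 1}: four maximal cycles of (2^3 - 1) * 2 = 14 states, while the eight all-even states split into the zero state and one 7-cycle, which is just the w = 1 generator scaled by two. Running check(4, 2, 3) instead, with the non-primitive trinomial x^4 + x^2 + 1, fails: the lsb sequence no longer has period 2^n - 1, which is why the table is stated only for a primitive polynomial.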

Additive Stream Cipher
The conventional stream cipher, based on simple additive combining.
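As an added example serving both the Additive Combiner entry and this one (not code from the glossary), the following puts the two additive combiners named above inside a stream cipher and shows what their linearity costs: with one input known, the combiner inverts, so every known plaintext byte yields the confusion-sequence byte at that position, and if the same sequence is ever reused a second message falls without any knowledge of the generator. The keystream bytes and the two messages are constructed stand-ins.

```python
"""Additive combining in a stream cipher and the cost of its linearity
(added example, not glossary code; keystream and messages are constructed)."""


def add_mod256(a, b):
    """Byte addition: the mod 256 is automatic when the sum is kept to one byte."""
    return (a + b) & 0xFF


def sub_mod256(a, b):
    """Inverse of add_mod256, and itself an additive combiner."""
    return (a - b) & 0xFF


def xor(a, b):
    """Bit-level exclusive-OR: addition mod 2 in every bit position, no carries.
    It is its own inverse."""
    return a ^ b


def additive_stream(data, keystream, combine):
    """Combine each data byte with the keystream byte at the same position."""
    if len(keystream) < len(data):
        raise ValueError("keystream shorter than data")
    return bytes(combine(d, k) for d, k in zip(data, keystream))


def recover_keystream(plaintext, ciphertext, uncombine):
    """Linearity: with one input known the combiner inverts, so each known
    plaintext byte reveals the confusion-sequence byte at that position."""
    return bytes(uncombine(c, p) for p, c in zip(plaintext, ciphertext))


# Constructed stand-ins: a fixed 12-byte "RNG output" and two 12-byte messages.
KEYSTREAM = bytes([0x9F, 0x03, 0xC2, 0x77, 0x1B, 0xE4, 0x50, 0x8A, 0x2D, 0xF1, 0x66, 0x0C])
MSG1 = b"PAY TO ALICE"
MSG2 = b"PAY TO CAROL"


def keystream_reuse_attack():
    """Known plaintext for MSG1 plus reuse of the same keystream on MSG2
    recovers MSG2 with no knowledge of the generator at all."""
    c1 = additive_stream(MSG1, KEYSTREAM, add_mod256)
    c2 = additive_stream(MSG2, KEYSTREAM, add_mod256)
    recovered = recover_keystream(MSG1, c1, sub_mod256)
    return additive_stream(c2, recovered, sub_mod256)
```

The same two functions work unchanged with xor as both combiner and uncombiner. Nothing here depends on how the keystream was produced, which is why the glossary insists that the generator be hidden behind a nonlinear combiner rather than exposed through an additive one.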

Adduction
In argumentation, the process of synthesizing a deep understanding of meaning, based on the analysis of multiple examples. Often used in the Socratic Method.

ad hoc
Something established for a particular one-time purpose.

AES
Advanced Encryption Standard. A conventional block cipher with a 128-bit block and a key of 128, 192 or 256 bits, the replacement for DES. The new block cipher chosen by NIST for general use by the U.S. Government.

The mechanics of AES are widely available elsewhere. Here I note how one particular issue common to modern block ciphers is reflected in the realized AES design. That issue is the size of the implemented keyspace compared to the size of the potential keyspace for blocks of a given size.

A Block Cipher Model

A common academic model for conventional block ciphers is a "family of permutations." The "permutation" part of this means that every plaintext block value is found as ciphertext, but generally in a different position. The "family" part of this can mean every possible permutation. However, modern block ciphers key-select only an infinitesimal fraction of those possibilities.

Suppose we have a block which may take on any of n different values. How many ways can those n block values be rearranged as in a block cipher? Well, the first value can be placed in any of the n possible positions, but that fills one position so the second value has only n-1 positions available. Continuing on, the third has n-2 possibilities and so on for n different factors. Thus we find that the number of options is the same as the definition of factorial. The number of distinct permutations of n different values is n-factorial.

The Corresponding AES Model

A 128-bit key can select 2^128 emulated tables. However, a 128-bit block has an alphabet of about 3.4×10^38 different values, and so could have (3.4×10^38)! emulated tables. That value is BIG, BIG, BIG, but still within range of my JavaScript page:

There we find that 3.4×10^38 different values have on the order of 2^(10^40) distinct permutations. That value would take about 10^40 bits to represent, and can be directly compared to the 256 bits needed to represent the larger keys used in AES.

    A 128-bit block can be any one of 2^128 or 3.4×10^38 different values. To form a particular permutation, the first value can be placed in any of 3.4×10^38 places, the second in 3.4×10^38 - 1 places, and so on for 3.4×10^38 different factors. As a ballpark calculation, we might expect (3.4×10^38)! to be similar to (10^38)^(10^38). That would be the same as 2 to the power 10^38 · log2(10^38), which is roughly 2 to the power 10^38 · 128, and that is about 2 to the power 10^40, nicely confirming the JavaScript results.

AES Reality

For 128-bit blocks and 256-bit keys, AES provides:

  • 2^256 keyed or emulated tables, out of about
  • 2^10,000,000,000,000,000,000,000,000,000,000,000,000,000 (that is, 2^(10^40)) possibilities.

The obvious conclusion is that almost none of the keyspace implicit in the theoretical model of a conventional block cipher is actually implemented in AES, and that is consistent with other modern designs. Is that important? Apparently not, but nobody really knows. It does seem to imply that just a few known plaintext blocks should be sufficient to identify the correct key from a set of possibilities, which might make known plaintext more of an issue than normally claimed. Does it lead to a known break? No, or at least not yet. But having only a tiny set of keyed permutations should lead to questions about patterns and relationships within the selected set.

The real issue here is not the exposure of a particular weakness in AES, since no such weakness is shown. Instead, the issue is that conventional cryptographic wisdom does not force models to correspond to reality, and poor models lead to errors in reasoning. The distinction between theory and practice is pronounced in cryptography. For other examples of failure in the current cryptographic wisdom, see one time pad, BB&S, DES, and, of course, old wives' tale.
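The counting in the sections above can be carried through numerically. This is an added example, not from the glossary: it computes the bits needed to name an arbitrary permutation of a b-bit block (exactly for small b, and by Stirling's approximation through lgamma for b = 128), checks the glossary's n·log2(n) ballpark against it, uses the affine maps x -> (a·x + c) mod 2^b as a toy keyed family to make the "infinitesimal fraction" concrete, and quantifies the known-plaintext remark as the expected number of wrong keys still consistent with m known blocks. The toy family and the assumption that a wrong key behaves like a random permutation are mine.

```python
"""Keyed versus possible permutations of a block, and what the gap implies for
known plaintext (added example, not glossary code)."""
import math
from fractions import Fraction


def permutation_bits(block_bits):
    """log2((2**b)!): the bits needed to name one arbitrary permutation of a
    b-bit block. Exact for small b; Stirling's approximation via lgamma for
    large b (lgamma(n + 1) = ln n!, and a double holds ~3e40 comfortably)."""
    n = 2 ** block_bits
    if block_bits <= 12:
        return math.log2(math.factorial(n))
    return math.lgamma(float(n) + 1.0) / math.log(2.0)


def glossary_ballpark_bits(block_bits):
    """The glossary's rough n * log2(n) estimate for n = 2**b. It omits
    Stirling's -n*log2(e) term, so it overshoots slightly."""
    return 2 ** block_bits * block_bits


def affine_family(block_bits):
    """Toy keyed cipher on a b-bit block, x -> (a*x + c) mod 2**b with a odd
    (my stand-in for 'a family of permutations'). Returns the distinct
    permutations it can select: 2**(2b - 1) of them, against (2**b)! possible."""
    n = 2 ** block_bits
    return {tuple((a * x + c) % n for x in range(n))
            for a in range(1, n, 2) for c in range(n)}


def surviving_wrong_keys(key_bits, block_bits, known_blocks):
    """Expected number of wrong keys still consistent with m known
    plaintext/ciphertext block pairs, modelling each wrong key as a random
    permutation: (2**k - 1) / 2**(b*m). Below 1 means the key is pinned down."""
    return Fraction(2 ** key_bits - 1, 2 ** (block_bits * known_blocks))
```

For a 4-bit block the toy family selects 128 of the 16! (about 2^44.25) permutations; for AES, permutation_bits(128) comes out near 4.3×10^40, so the glossary's "about 10^40 bits" ballpark is right to within a small factor. With a 256-bit key and 128-bit block, surviving_wrong_keys(256, 128, 1) is about 2^128 but surviving_wrong_keys(256, 128, 3) is about 2^-128: two or three known blocks identify the key, exactly the "just a few" the text mentions.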

Is AES Enough for Government Secrets?

AES is said to be certified for SECRET and TOP SECRET classified material. That might have us believe that AES is trusted by NSA, but it may mean less than it seems.

No cipher, by itself, can guarantee security. Any cryptographic system will have to be certified by NSA before protecting classified information. In practice, cryptosystems will be provided by NSA to contractors, those systems may or may not use AES, and they may not use AES in the expected form. That does not imply that AES is bad, it just means that we cannot really know what NSA will allow, despite general claims.

Affine
Generally speaking, linear.

Technically, function f : G -> G of the form:

   f(x) = ax + b
with non-zero constant "b" (for b = 0 the map is simply linear). The map is a permutation only when a is invertible, which for integers mod n means gcd(a, n) = 1.

Affine Boolean Function
A Boolean function which can be represented in the form:
a_n x_n + a_(n-1) x_(n-1) + ... + a_1 x_1 + a_0
where the operations are mod 2: addition is Exclusive-OR, and multiplication is AND.

Note that all of the variables x_i are to the first power only, and each coefficient a_i simply enables or disables its associated variable. The result is a single Boolean value, but the constant term a_0 can produce either possible output polarity.

Here are all possible 3-variable affine Boolean functions (each of which may be inverted by complementing the constant term):

     affine    truth table

          c    0  0  0  0  0  0  0  0
         x0    0  1  0  1  0  1  0  1
      x1       0  0  1  1  0  0  1  1
      x1+x0    0  1  1  0  0  1  1  0
   x2          0  0  0  0  1  1  1  1
   x2+   x0    0  1  0  1  1  0  1  0
   x2+x1       0  0  1  1  1  1  0  0
   x2+x1+x0    0  1  1  0  1  0  0  1

See also: Boolean function nonlinearity.

Affine Cipher
One of the classic hand-ciphers, described mathematically as
    F(x) = ax + b (mod n)
where the non-zero constant b makes the equation affine (with b = 0 it would be the purely multiplicative, linear case).

Most of the classic hand-ciphers can be seen as simple substitution stream ciphers. Each plaintext letter selects an entry in the substitution table (for that cipher), and the contents of that entry becomes the ciphertext letter. The affine equation thus represents one way to set up the table, as a particular simple permutation of the letters in the table. (Of course, by using the equation we need no explicit table, but we also constrain ourselves to the simplicity of the equation.) To assure that we have a permutation, we require that a and n be relatively prime, that is, the gcd(a,n) = 1, or in number theory notation, just (a,n) = 1.

In modern terms, the strength of the classic substitution ciphers is essentially nil. In modern cryptanalysis, we generally assume that the opponent has a substantial amount of known plaintext. Since the table does not change, every known-plaintext character has the potential to fill in another entry in the table. Very soon the table is almost completely exposed, which ends all strength. These simple substitution ciphers with small, fixed tables (or even just equations for such tables) are also extremely vulnerable to attacks using ciphertext only.
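An added example (not from the glossary) of the points above: the affine equation as an explicit substitution table, and recovery of the key from known plaintext by discarding every (a, b) in the 312-key space that contradicts an observed pair. The sample message is constructed.

```python
"""Affine cipher: the table the equation defines, and key recovery from known
plaintext (added example, not glossary code; the message is constructed)."""
from math import gcd

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
N = len(ALPHABET)


def affine_table(a, b, n=N):
    """The substitution table F(x) = a*x + b (mod n) sets up; it is a
    permutation only when gcd(a, n) == 1."""
    if gcd(a, n) != 1:
        raise ValueError("a and n must be coprime, otherwise the map is not a permutation")
    return [(a * x + b) % n for x in range(n)]


def encrypt(text, a, b):
    table = affine_table(a, b)
    return "".join(ALPHABET[table[ALPHABET.index(ch)]] for ch in text)


def decrypt(text, a, b):
    inverse = {c: p for p, c in enumerate(affine_table(a, b))}
    return "".join(ALPHABET[inverse[ALPHABET.index(ch)]] for ch in text)


def all_keys(n=N):
    """The entire keyspace: phi(n) multipliers times n shifts, 312 for n = 26."""
    return [(a, b) for a in range(1, n) if gcd(a, n) == 1 for b in range(n)]


def recover_key(pairs, n=N):
    """Keys consistent with every observed (plaintext letter, ciphertext letter)
    pair. Each pair is one exposed table entry; the list usually collapses to a
    single key after two pairs."""
    survivors = all_keys(n)
    for p, c in pairs:
        x, y = ALPHABET.index(p), ALPHABET.index(c)
        survivors = [(a, b) for a, b in survivors if (a * x + b) % n == y]
    return survivors
```

Two known letters usually pin down the key, but not always: the pairs A->I and N->V leave all 12 multipliers standing, because the plaintext difference 13 is not invertible mod 26. Either way the size of the keyspace, not the equation, is what ends this cipher: 312 candidates can simply be enumerated, with or without known plaintext.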

Algebra
The use of variables and the valid manipulation of expressions in the study of numbers.

Algebraic Normal Form
(ANF). The representation of a Boolean function as an exclusive-OR of AND terms: products of input variables, each to the first power, plus possibly the constant 1. Every Boolean function has exactly one ANF, and the affine functions are those whose ANF contains no product of two or more variables.
  • In symbolic form, one way to write a function is as the XOR of one product term for each input variable combination for which the output is '1' (a complemented variable being written as x+1); expanding those products and cancelling duplicate monomials mod 2 gives the ANF proper.
  • In explicit form, a Boolean function is basically a truth table: simply a list of the output value as it will occur when stepping through all possible input variable combinations, one-by-one. This is just the bit sequence of the output value as it would occur in input-variable order.
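An added example serving both the Affine Boolean Function entry and this one (not code from the glossary): it builds truth tables in the same input order as the 3-variable table above (x0 the least significant bit of the input), computes the ANF by the Möbius transform, classifies a function as affine when every ANF monomial has degree at most one, and measures nonlinearity as the Hamming distance to the nearest affine function.

```python
"""Affine Boolean functions, algebraic normal form and nonlinearity
(added example, not glossary code).

Truth tables are lists indexed by the input value v, with x0 = bit 0 of v, so
a 3-variable table reads left to right as inputs 000, 001, ..., 111, matching
the table in the Affine Boolean Function entry."""
from itertools import product


def truth_table(f, n):
    """Evaluate f(bits) for every input; bits[i] is x_i."""
    return [f([(v >> i) & 1 for i in range(n)]) for v in range(1 << n)]


def affine_table(coeffs, const, n):
    """a_n x_n + ... + a_1 x_1 + a_0 over GF(2): XOR of the enabled inputs, then
    XOR the constant, which selects the output polarity."""
    return truth_table(lambda x: const ^ (sum(c & b for c, b in zip(coeffs, x)) % 2), n)


def all_affine_tables(n):
    """All 2**(n+1) affine functions of n variables as {tuple(table): label},
    labelled like the glossary table ("x2+x1+x0"; "+1" for the complemented form)."""
    tables = {}
    for coeffs in product((0, 1), repeat=n):
        for const in (0, 1):
            terms = [f"x{i}" for i, c in enumerate(coeffs) if c]
            label = "+".join(reversed(terms))
            if const:
                label = label + "+1" if label else "1"
            elif not label:
                label = "c"
            tables[tuple(affine_table(coeffs, const, n))] = label
    return tables


def anf(table):
    """Algebraic normal form via the Möbius transform: the coefficient of the
    monomial for input set S is the XOR of f over all inputs that are subsets
    of S. Returns the set of monomials present, each a frozenset of variable
    indices (frozenset() is the constant term 1)."""
    n = len(table).bit_length() - 1
    coeff = list(table)
    for i in range(n):
        bit = 1 << i
        for v in range(1 << n):
            if v & bit:
                coeff[v] ^= coeff[v ^ bit]
    return {frozenset(i for i in range(n) if (v >> i) & 1)
            for v in range(1 << n) if coeff[v]}


def is_affine(table):
    """Affine exactly when no ANF monomial has degree above 1."""
    return all(len(m) <= 1 for m in anf(table))


def nonlinearity(table):
    """Hamming distance from the function to the nearest affine function."""
    n = len(table).bit_length() - 1
    return min(sum(a != b for a, b in zip(table, aff)) for aff in all_affine_tables(n))
```

all_affine_tables(3) reproduces the eight rows of the glossary table plus their complements; x0·x1 has ANF {x0x1}, is not affine, and has nonlinearity 2, the maximum for three variables; the four-variable function x0·x1 + x2·x3 reaches nonlinearity 6, the bent-function bound 2^(n-1) - 2^(n/2-1).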

Algebra of Secrecy Systems
An oft-overlooked proposal by Shannon, describing both the construction of a multiple encryption cipher (called the "product") and the keyed selection of one from among many ciphers (called the "weighted sum").

"The first combining operation is called the product operation and corresponds to enciphering the message with the first secrecy system R and enciphering the resulting cryptogram with the second system S, the keys for R and S being chosen independently."

"The second combining operation is 'weighted addition.'

   S = pR + qS  p + q = 1.
It corresponds to making a preliminary choice as to whether system R or S is to be used with probabilities p and q, respectively. When this is done R or S is used as originally defined." [p.658]

More specifically (and with a change of notation):

"If we have two secrecy systems T and R we can often combine them in various ways to form a new secrecy system S. If T and R have the same domain (message space) we may form a kind of 'weighted sum,'

   S = pT + qR
where p + q = 1. This operation consists of first making a preliminary choice with probabilities p and q determining which of T and R is used. This choice is part of the key of S. After this is determined T or R is used as originally defined. The total key of S must specify which of T and R is used, and which key of T (or R) is used."

"More generally we can form the sum of a number of systems.

   S = p_1 T + p_2 R + . . . +  p_m U    Sum( p_i ) = 1
We note that any system T can be written as a sum of fixed operations
   T = p_1 T_1 + p_2 T_2 + . . . +  p_m T_m
T_i being a definite enciphering operation of T corresponding to key choice i, which has probability p_i."

"A second way of combining two secrecy systems is taking the 'product,' . . . . Suppose T and R are two systems and the domain (language space) of R can be identified with the range (cryptogram space) of T. Then we can apply first T to our language and then R to the result of this enciphering process. This gives a resultant operation S which we write as a product

   S = RT
The key for S consists of both keys of T and R which are assumed chosen according to their original probabilities and independently. Thus if the m keys of T are chosen with probabilities
   p_1 p_2 . . . p_m
and the n keys of R have probabilities
   p'_1 p'_2 . . . p'_n ,
then S has at most mn keys with probabilities p_i p'_j. In many cases some of the product transformations R_i T_j will be the same and can be grouped together, adding their probabilities.

"Product encipherment is often used; for example, one follows a substitution by a transposition or a transposition by a Vigenere, or applies a code to the text and enciphers the result by substitution, transposition, fractionation, etc."

"It should be emphasized that these combining operations of addition and multiplication apply to secrecy systems as a whole. The product of two systems TR should not be confused with the product of the transformations in secrecy systems T_i R_j . . . ."

-- Shannon, C. E. 1949. Communication Theory of Secrecy Systems. Bell System Technical Journal. 28:656-715.
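The two operations quoted above can be made concrete on a toy message space. This is an added example, not code from Shannon or the glossary: a secrecy system is a list of (probability, transformation) pairs on the messages 0..5, the shift and unit-multiplier systems are stand-ins I chose, weighted_sum and product_system follow the two definitions, and grouped() merges identical transformations as the text says can be done.

```python
"""Shannon's weighted sum and product of secrecy systems on a toy message
space (added example; the systems and probabilities are my stand-ins).

A secrecy system is a list of (probability, transformation) pairs; a
transformation is a tuple giving the cryptogram for each message 0..N-1."""
from fractions import Fraction
from math import gcd

N = 6  # message space {0, 1, ..., 5}
IDENTITY = tuple(range(N))


def shift_system(n=N):
    """Caesar-type system: n equiprobable shifts."""
    return [(Fraction(1, n), tuple((m + k) % n for m in range(n))) for k in range(n)]


def multiplier_system(n=N):
    """Multiply by a unit mod n: phi(n) equiprobable multipliers (2 for n = 6)."""
    units = [a for a in range(1, n) if gcd(a, n) == 1]
    return [(Fraction(1, len(units)), tuple((a * m) % n for m in range(n))) for a in units]


def weighted_sum(weighted_systems):
    """S = p*T + q*R + ...: choose a system with probability p_i, then one of
    its keys. The key of S is (which system, which key), so the probabilities
    multiply. weighted_systems is a list of (p_i, system); p_i may be given as
    a float such as 0.5, which is converted exactly."""
    weighted = [(Fraction(p), system) for p, system in weighted_systems]
    if sum(p for p, _ in weighted) != 1:
        raise ValueError("the weights must sum to 1")
    return [(p * q, t) for p, system in weighted for q, t in system]


def product_system(r, t):
    """S = RT: apply T first, then R, with keys chosen independently, so S has
    at most (keys of R) * (keys of T) keys."""
    return [(pr * pt, tuple(tr[tt[m]] for m in range(len(tt))))
            for pr, tr in r for pt, tt in t]


def grouped(system):
    """Merge identical transformations, adding their probabilities, as Shannon
    notes can be done with the product."""
    merged = {}
    for p, t in system:
        merged[t] = merged.get(t, Fraction(0)) + p
    return merged
```

The product of the shift system with itself has 36 keys but only 6 distinct transformations, each with probability 1/6 after grouping: a stack of two ciphers from the same family can add nothing, which is the degenerate case the advantages below must avoid. Multiplier followed by shift gives 12 distinct transformations, the affine cipher. In the weighted sum of shift and multiplier, the identity transformation occurs in both systems and ends up with probability 1/12 + 1/4 = 1/3.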

It is easy to dismiss this as being of historical interest only, but there are advantages here which are well beyond our current usage.

For the keyed selection among ciphers, there would be some sort of simple protocol (i.e., not cryptographic per se), for communicating cipher selections to the deciphering end. (Perhaps there would be some sort of simple handshake for email use.) The result would be to have (potentially) a new selection from a set of ciphers on a message-by-message basis.

  • Having frequent cipher changes guarantees that we can change ciphers, immediately and easily, if any cipher we use is found weak.
  • A cipher change terminates any existing break of a particular cipher which has been exposing our information. Since we cannot expect to know when a break exists, changing to a different cipher can minimize the effect of a cipher fault even though we know nothing about that fault.
  • Using different ciphers at different times prevents information from being concentrated under a single cipher. This prevents the opposing attack budget from concentrating on one target.
  • The ability to easily change ciphers supports the continued creation and use of new ciphers, which the opponents must then identify, obtain, analyze and break. Although single new cipher design costs can be distributed among users simply by selling product, each opponent must bear the full cost of analysis, since most attackers cannot cooperate. And as the set of ciphers continues to grow, the opponents may never catch up to the complete set of ciphers actually in use.
  • Cipher selection has minimal execution cost.

With respect to multiple encryption or ciphering "stacks" (as in "protocol stacks"), there are various security advantages:

  • A cipher stack prevents a single broken cipher from exposing our information. Since any particular cipher may be broken and we will not know (the opponents do not tell us), this protects against a dangerous single point of failure.
  • A three-cipher stack hides the known-plaintext (and "defined-plaintext") information for each individual cipher. Such information simply is not exposed to the opponents, which thus prevents known-plaintext attacks (and defined-plaintext attacks) on the individual ciphers. The construction thus eliminates whole classes of attack on the component ciphers.
  • A three-cipher stack gives us exponentially many different ciphering stack possibilities. The intent here is not to add keyspace, since reasonable ciphers already have enough keyspace. Instead, the point is the easy construction of many conceptually different overall ciphering functions which the opponents must engage.
  • Users who are "Nervous Nellies" could specify that their particular favorite cipher would always be part of the (changing) cipher stack, thus "guaranteeing" at least as much strength as using that cipher alone. (If the adjacent cipher was the same, in decipher mode, using the same key, then there would be no strength. So do not do that. If an arbitrary cipher was likely to reduce strength, that would be an attack, and we see no such attack.)
  • A three-layer cipher stack obviously has an execution cost of three layers of ciphering.

Also see: Perfect Secrecy and Ideal Secrecy.

Algorithm
The description of a sequence of operations which does something. Typically,
  • a finite procedure,
  • composed of discrete steps,
  • expressed in a fixed instruction vocabulary.
Also see heuristic, Structured Programming and software patent.

An algorithm intended to execute reliably as a computer program necessarily must handle, or in some way at least deal with, absolutely every error condition which can possibly occur in operation. (We do assume functional hardware, and thus avoid programming around the possibility of actual hardware faults, such as memory or CPU failure.) These "error conditions" normally include Operating System errors (e.g., bad parameters passed to an OS operation, resource not available, various I/O failures, etc.), and arithmetic issues (e.g., division by zero, overflow, etc.) which may halt execution when they occur.

Other possibilities include errors the OS will not know about, including the misuse of programmer-defined data structures, such as buffer overrun.

A practical algorithm must recognize various things which validly may occur, even if such things are exceedingly rare. One example might be in assuming that two floating-point variables which represent the same value will be equal. Another example might be to assume that a floating-point variable will "never" have some particular value (which might lead to a divide-by-zero fault). Yet another example would be to assume that an arbitrary selection of x will lead to a sufficiently long cycle in BB&S, even if the alternative is very, very unlikely.

Algorithmic Complexity
Kolmogorov-Chaitin complexity.

Alias File
My term for a cipher system computer file relating names to keys. This allows ordinary users to specify which key is to be used by using the far-end name, without knowing the actual key itself. Thus, the actual key can be long and random and can change over time and the user need not coordinate these changes.

In particular, my Cloak2 and Penknife ciphers implemented encrypted alias files of text lines of arbitrary length, each of which included name, start date, and key. New keys were made available only as secure ciphertext, but the alias files were arranged so they could consist of multiple ciphertext files simply concatenated as ciphertext. Thus, new keys could be added to the start of the alias file just using a simple and secure file copy operation. When searching for a particular alias, the date was also checked, and that key used only when the correct date had arrived. This allowed an entire office of users to change to a new key automatically, at the same time, without even knowing they were using a different key. Appropriate functions allowed access to old keys so that email traffic could be archived in ciphertext form.

Obviously, an alias file must be encrypted. The single key or keyphrase decrypting an alias file thus provides access to all the keys in the file. But each alias file contains only a subset of the keys in use within an organization, and even those are only valid over a subset of time. An organization security officer could archive old alias files, strip out the old keys and add new ones, then encipher the new alias file under a new pass phrase. In this way, the contents of old encrypted email would not be hidden from the authorizing organization. Alias file maintenance could be either as complex or as simple as one might like.

See, for example,

describing the Cloak2 cipher.
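The lookup rule described above, as an added example that is not the glossary's or Cloak2's code: each record holds a far-end name, a start date and a key; a record is used only once its start date has arrived; new records are prepended by plain concatenation; and old records stay available so archived ciphertext can still be read. The record format, names, dates and keys are constructed, and the file is shown already decrypted, since protecting the alias file itself is a separate step.

```python
"""Alias-file lookup with date-gated keys (added example; not glossary or Cloak2
code). Records are shown already decrypted; the names, dates and keys are
constructed."""
from datetime import date

# One record per line, "name YYYY-MM-DD key"; new records are prepended, so the
# newest appear first.  Constructed sample as of August 2007.
ALIAS_FILE_TEXT = """\
alice 2007-09-01 k7Qm 2N9v X3pL 8bRt alice-sep
alice 2007-06-01 Hd4s 0Wq2 Lm7z Ke9c alice-jun
bob   2007-07-15 Zp3u Ra8x V1ny Gt6w bob-jul
alice 2007-01-01 Bq9w Ty2e Nc5r Jh8k alice-jan
"""


def _as_date(d):
    """Accept a date or an ISO string."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def parse_alias_file(text):
    """Split each line into (name, start date, key). The key may itself contain
    spaces, so the line is split at most twice."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, start, key = line.split(maxsplit=2)
        records.append((name, date.fromisoformat(start), key))
    return records


def select_key(records, name, on_date):
    """The key for `name` whose start date is the latest one already reached by
    `on_date`, or None if no key for that name is valid yet. Choosing by date
    rather than by position in the file means a record prepended out of order
    still gives the right answer, and passing an old date retrieves the key
    that was current then, for reading archived ciphertext."""
    on_date = _as_date(on_date)
    candidates = [(start, key) for n, start, key in records
                  if n == name and start <= on_date]
    return max(candidates)[1] if candidates else None


def add_record(text, name, start, key):
    """New keys go at the front of the file: plain concatenation, which is what
    lets a ciphertext record be added with a simple copy."""
    return f"{name} {_as_date(start).isoformat()} {key}\n" + text
```

On 2007-08-16 the sample file yields alice's June key; the September record exists in the file but is not used until its date arrives, and asking for a February date returns the January key for decrypting archived mail.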

Allan Variance
A descriptive variance statistic based on the deviation of each sample from the preceding one. For M successive samples taken at equal intervals, it is computed as the sum of the squares of the differences between each sample and the previous sample, divided by 2, and divided by M - 1 (the number of differences).

Allan Variance is useful in analysis of residual noise in precision frequency measurement. Five different types of noise are defined: white noise phase modulation, flicker noise phase modulation, white noise frequency modulation, flicker noise frequency modulation, and random walk frequency modulation. A log-log plot of Allan variance versus sample period produces approximately straight lines of different slopes, but only four distinct slopes for the five cases: white and flicker phase modulation fall on nearly the same slope. A different (more complex) form called the "modified Allan variance" (or its square root, the modified Allan deviation) separates those two.
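The definition above, as an added example that is not glossary code: it computes the statistic at the basic interval, rescales to longer averaging times by averaging adjacent samples (the points of the log-log plot), and compares it with the classical variance on two constructed noise records, white frequency noise and random-walk frequency noise, generated from a fixed seed so the run is repeatable.

```python
"""Allan variance versus classical variance on constructed noise (added
example, not glossary code). Samples stand for fractional-frequency readings
taken at equal intervals tau0."""
import random


def allan_variance(y):
    """Sum of squared differences of adjacent samples over 2(M - 1)."""
    m = len(y)
    if m < 2:
        raise ValueError("need at least two samples")
    return sum((y[i + 1] - y[i]) ** 2 for i in range(m - 1)) / (2 * (m - 1))


def classical_variance(y):
    mean = sum(y) / len(y)
    return sum((v - mean) ** 2 for v in y) / (len(y) - 1)


def average_adjacent(y, n):
    """Non-overlapping means of n consecutive samples: the data at tau = n*tau0."""
    return [sum(y[i:i + n]) / n for i in range(0, len(y) - n + 1, n)]


def allan_curve(y, factors=(1, 2, 4, 8, 16)):
    """(tau multiplier, Allan variance) pairs, the points of the log-log plot."""
    return [(n, allan_variance(average_adjacent(y, n))) for n in factors]


def white_fm(count, seed=2007):
    """White frequency noise: independent samples (constructed)."""
    rng = random.Random(seed)
    return [rng.gauss(0.0, 1.0) for _ in range(count)]


def random_walk_fm(count, seed=2007):
    """Random-walk frequency noise: each sample is the previous one plus an
    independent step (constructed)."""
    rng, pos, out = random.Random(seed), 0.0, []
    for _ in range(count):
        pos += rng.gauss(0.0, 1.0)
        out.append(pos)
    return out
```

For white frequency noise the two statistics agree and the curve falls as 1/tau; for the random walk the Allan variance stays near half the step variance while the classical variance keeps growing with the record length, which is why precision frequency work uses the Allan statistic rather than the ordinary variance.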

Also see

All or Nothing Transform
(AONT). Basically the idea of a block mixing function in which knowing even all but one of the mixed outputs exposes none of the original input block values. As defined by Rivest in 1997:
"Definition. A transformation f mapping a message sequence m1,m2,...,ms into a pseudo-message sequence m1',m2',...,ms' is said to be an all-or-nothing transform if:
  • The transform f is reversible: given the pseudo-message sequence, one can obtain the original message sequence.
  • Both the transformation f and its inverse are efficiently computable (that is, computable in polynomial time).
  • It is computationally infeasible to compute any function of any message block if any one of the pseudo-message blocks is unknown."
-- Rivest, R. 1997. All or nothing encryption and the package transform. Fast Software Encryption 1997. 210-218.

When used with a conventional block cipher, an AONT appears to increase the cost of a brute-force attack by a factor which is the number of blocks in the message. Rivest also notes that the large effective block size can avoid ciphertext expanding chaining modes by using ECB mode on the large block. Also see huge block cipher advantages.
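Rivest's definition above can be exercised with his own package transform. The following is an added example, not code from the glossary or from Rivest's paper: a random key K' masks each block with E(K', i), and an extra final block carries K' XORed with E(K0, m'_i XOR i) over every masked block, K0 being a fixed public key. The keyed function E here is a stand-in built from HMAC-SHA256 truncated to 16 bytes (a PRF rather than the block cipher the paper uses), K0 is simply the zero block, and the message and K' used in the checks are constructed. withhold() and blocks_recovered() model the "any one pseudo-message block unknown" condition of the definition.

```python
"""Rivest's package transform as an all-or-nothing transform (added example,
not glossary code). E is a stand-in keyed function made from HMAC-SHA256
truncated to 16 bytes; Rivest's construction uses a block cipher there. K0 is
the fixed public key of the construction."""
import hashlib
import hmac
import secrets

BLOCK = 16
K0 = bytes(BLOCK)  # fixed, publicly known; any constant will do


def E(key, block):
    """Stand-in for the block cipher: a 16-byte PRF output, not a permutation."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def index_block(i):
    return i.to_bytes(BLOCK, "big")


def split_blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def package(message, k_prime=None):
    """m'_i = m_i XOR E(K', i) for i = 1..s, then m'_{s+1} = K' XOR h_1 XOR ... XOR h_s
    with h_i = E(K0, m'_i XOR i). Output is one block longer than the input."""
    if len(message) % BLOCK:
        raise ValueError("message must be a whole number of blocks")
    if k_prime is None:
        k_prime = secrets.token_bytes(BLOCK)
    pseudo = [xor(m, E(k_prime, index_block(i)))
              for i, m in enumerate(split_blocks(message), 1)]
    tail = k_prime
    for i, mp in enumerate(pseudo, 1):
        tail = xor(tail, E(K0, xor(mp, index_block(i))))
    return b"".join(pseudo) + tail


def unpackage(pseudo_message):
    """Recover K' from the last block and every h_i, then unmask each block.
    Needs every pseudo-message block: one missing h_i leaves K' unknown."""
    *pseudo, tail = split_blocks(pseudo_message)
    k_prime = tail
    for i, mp in enumerate(pseudo, 1):
        k_prime = xor(k_prime, E(K0, xor(mp, index_block(i))))
    return b"".join(xor(mp, E(k_prime, index_block(i))) for i, mp in enumerate(pseudo, 1))


def withhold(pseudo_message, index):
    """Model an attacker holding every pseudo-message block except `index`
    (0-based) by replacing that block with zeros."""
    start = index * BLOCK
    return pseudo_message[:start] + bytes(BLOCK) + pseudo_message[start + BLOCK:]


def blocks_recovered(message, damaged_pseudo):
    """How many original blocks unpackage() still gets right; 0 for an AONT."""
    got = split_blocks(unpackage(damaged_pseudo))
    return sum(g == m for g, m in zip(got, split_blocks(message)))
```

With any single pseudo-message block withheld, not one original block comes back: withholding m'_i for i <= s corrupts h_i and hence the recovered K', and withholding the final block removes K' outright. That is the property which makes brute force on the outer cipher cost the whole message rather than a single block.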

The Balanced Block Mixing (BBM) which I introduced to cryptography in my article: "Keyed Balanced Size-Preserving Block Mixing Transforms" ( locally, or @: http://www.ciphersbyritter.com/NEWS/94031301.HTM) in early 1994 (three years before the Rivest publication), and then developed in a series of subsequent articles, apparently can be an especially fine example of an all-or-nothing transform.

Alphabet
In cryptography, the set of symbols under discussion. Also see universe, population and cardinal.

Alternative Hypothesis
In statistics, the statement formulated to be logically contrary to the null hypothesis. The alternative hypothesis H1 includes every possible result other than the specific outcome specified in the null hypothesis.

The alternative hypothesis H1 is also called the research hypothesis, and is logically identical to "NOT-H0" or "H0 is not true."

Amplifier
A component or device intended to sense a signal and produce a larger version of that signal. In general, any amplifying device is limited by available power, frequency response, and device maximums for voltage, current, and power dissipation. Also see: voltage divider.

Transistors are analog amplifiers which are basically linear over a reasonable range and so require DC power. In contrast, relays are classically mechanical devices with direct metal-to-metal moving connections, and so can handle generally higher power and AC current. The classic analog amplifier is an operational amplifier.

Unexpected oscillation can be indicated by:

  • An unusually hot active device as felt by a finger.
  • Unexpectedly high current flow as shown by a multimeter.
  • Unexpected sounds as heard from a speaker monitoring the unit under test.
  • Unexpected output signal as seen on an oscilloscope.
  • Unexpected variation when touching various pins, as shown on a multimeter measuring the output signal, the output DC level or power supply current.
  • Unexpected signal or variation as shown by an RF voltage probe connected to multimeter.
  • Unexpected signal or variation as seen on a wideband AC voltmeter.

Oscillation occurs when:

  • an amplified signal finds its way back to the amp input; AND
  • the gain through the amplifier and feedback exceeds 1.0; AND
  • the total phase shift around the feedback loop is 360 degrees.

To stop undesired oscillation:

  • Increase isolation between input and output; OR
  • Decrease gain; OR
  • Change phase.

To Increase Isolation

  • Bypass the amplifier power pins. All current from the output pin originally comes through a power pin. Signal at the output is necessarily reflected in signal at the power pins. Unless power lines are bypassed with significant storage capacitance, signal on the output will feed back to the input. Serious bypassing should be a part of normal use. The negative supply often needs to be cleaner than the positive supply.
  • Decouple the amplifier power pins. Add series resistors to the power supply to form low-pass filters (in combination with the bypass capacitors), and thus decrease high-frequency feedback between stages via the supply.
  • Try moving input and output leads as far apart as possible. If that improves the situation, the feedback path has at least been identified.
  • Try preventing capacitive coupling between input and output. Interpose a conductive shield (try a finger) between in and out. If that helps, consider shielding the input and output lines. Or put in a permanent metallic shield like a piece of copper sheet or PC board material.
  • For units with single-ended input and output signals and high overall gain, try breaking the ground loop. Try isolation transformers on input and/or output signal lines. Any stage with 40dB or more of resulting gain can be a particular problem when output signal returns through the same ground used by the input signal.
  • Consider redesigning for balanced input. Balanced signal lines help prevent signal-line magnetic coupling and feedback.

To decrease gain: