UBC Theses and Dissertations

Bidirectional heuristic search and spectral S-box simplification for the cryptanalysis of the NBS Data… Gullichsen, Eric Alexander 1983

BIDIRECTIONAL HEURISTIC SEARCH AND SPECTRAL S-BOX SIMPLIFICATION FOR THE CRYPTANALYSIS OF THE NBS DATA ENCRYPTION STANDARD

by

Eric Alexander Gullichsen
B.Sc.(Hons.), University of Manitoba, 1981

A THESIS SUBMITTED IN PARTIAL FULFILMENT OF THE REQUIREMENTS FOR THE DEGREE OF MASTER OF SCIENCE in THE FACULTY OF GRADUATE STUDIES, DEPARTMENT OF COMPUTER SCIENCE

We accept this thesis as conforming to the required standard

THE UNIVERSITY OF BRITISH COLUMBIA
February 1983
(c) Eric Alexander Gullichsen, 1983

In presenting this thesis in partial fulfilment of the requirements for an advanced degree at the University of British Columbia, I agree that the Library shall make it freely available for reference and study. I further agree that permission for extensive copying of this thesis for scholarly purposes may be granted by the head of my department or by his or her representatives. It is understood that copying or publication of this thesis for financial gain shall not be allowed without my written permission.

Department of Computer Science
The University of British Columbia
1956 Main Mall
Vancouver, Canada V6T 1Y3

Date March 3, 1983.

ABSTRACT

Details of the National Bureau of Standards Data Encryption Standard (DES) are examined, and the strength of the cryptosystem found to lie in its substitution box (S-box) components. An unsuccessful attempt is made to discover symmetries in the S-box functions under permutation and/or complementation of variables.
The problem of cryptanalyzing DES is then shown to be equivalent to a problem of tree search. Techniques which can reduce the number of tree nodes which need be visited to effect a cryptanalysis are investigated. The linearization of the S-box functions by coefficient translations in the Hadamard spectral domain is found to be highly effective in reducing search tree size. For a bidirectional tree search which employs the linearized S-boxes, the number of nodes which need be visited to cryptanalyze DES is shown to be on the order of the key space size. The use of an AND/OR search tree structure with key bit constraints stored at the leaves ensures that each node need be visited only once. Given that the work involved in visiting a node is less than that required for a key trial, this key search method represents an improvement over the cryptanalytic technique of exhaustive key search.

CONTENTS

ABSTRACT

Chapter
I. INTRODUCTION
II. S-BOX COMPLEXITY: STRENGTH OF DES
III. AN INVESTIGATION OF S-BOX GROUP PROPERTIES
    Theory: Permutation and Complementation operators
    Implementation for DES
    Application to DES
IV. CRYPTANALYSIS BY S-BOX APPROXIMATION
V. QUINE-MCCLUSKEY MINIMIZATION OF S-BOXES
    Quine-McCluskey: Implementation
    Selection of Alternative Terms by REDUCE
    Individual Term Contribution: RANK-TERMS
VI. SELECTION OF THE BEST SUM-OF-PRODUCT TERMS
    Combinatorially Exhaustive Best-Set Discovery
    A Hierarchical Approach to Best Set Discovery
    N-ary Tree Implementation
VII. SPECTRAL DOMAIN S-BOX ANALYSIS
    Orthogonal Transformations to the Spectral Domain: Theory
    S-Box complexity in the Spectral Domain
    Spectral Translations
    Implementation for DES
VIII. UNIDIRECTIONAL CRYPTANALYTIC SEARCH
    Search Strategy
    Nodes in the Search Tree
    Descriptor Node: SUPER
    Data Node: RNODE
    Data Node: FNODE
    Data Node: XNODE
    The PL/I Procedure: SEARCH
    The R_EXPAND procedure
    The F_EXPAND procedure
    The X_EXPAND procedure
    The BACKTRACK procedure
    Application to a 2-Round DES
IX. KEY SEARCHES OF GREATER SOPHISTICATION
    Computational Complexity and Bidirectional Search
    Digression: Search as the Solution of Boolean Equations
    Symbolic Simplification Methods
    Expression Size
    Problems of Simplification
    A PROLOG Symbolic Simplifier
    A Modified, Knowledge-Intensive Key Search
    AND/OR Expression Tree Formation
    Implementation of the Tree Formation Algorithm
    AND/OR Expression Tree Traversal
    OR-merging of Sum-of-Products Expressions
    AND-merging of Sum-of-Products Expressions
X. CONCLUSIONS

REFERENCES
LIST OF TABLES
LIST OF FIGURES
APPENDIX A
APPENDIX B
APPENDIX C
APPENDIX D
APPENDIX E
APPENDIX F
APPENDIX G
APPENDIX H
APPENDIX I

LIST OF TABLES

1. Minimal Sum-of-Products terms for each S-box and Output
2. C(f) Complexity Metric for S-boxes Before and After Translation

LIST OF FIGURES

1. Exhaustive Tree Search Using No S-box Reduction
2. Complete Partitioning of a Matrix
3. Essential and Alternative Sum-of-Product Terms
4. Representation of Quasi-Best Set Search Tree
5. Permutation Cutoff During N-ary Tree Expansion
6. Partial Search Tree for 2-Round DES
7. Nodes in the Cryptanalytic Search Tree
8. Bidirectional Search Tree
9. 2-Round Search Tree of Uniform Structure
10. Stages in the Development of the AND/OR Search Tree

ACKNOWLEDGEMENTS

The author wishes to thank the following people, without whom the generation of this thesis would have been impossible: Dr. R.G. Stanton and NSERC for remuneration in various forms; Dr. Paul Gilmore, for accepting my thesis quickly, and my advisor Dr. Cyril Leung, for not accepting my thesis quickly; Dr. D.M. Miller, my surrogate thesis advisor at the University of Manitoba, for many invaluable and esoteric ideas about the manipulation and minimization of Boolean functions; Dr. Hugh Williams for wry psychological encouragement and advice. Finally, I wish to acknowledge Micaela, who helped in her own ways.

Chapter I
INTRODUCTION

In January of 1977, the National Bureau of Standards (NBS) of the United States of America proposed a data encryption standard (DES) which they recommended be adopted for the purposes of cryptographic protection of commercial and non-military governmental data [26]. The standard is designed to be implemented in hardware, and may be employed for the purposes of both privacy and the authentication of messages [3,4].

An integral part of the specification of any cryptosystem is some indication of the nature of the security threat which the system is designed to successfully resist. The types of attack to which any system may be exposed are usually divided into three categories [3,4]. The least potent of these is the "ciphertext only" attack, in which the cryptanalyst has in his possession only encrypted data, with no direct knowledge concerning the plaintext. Cryptosystems unable to resist such an attack are very feeble, and not in modern use. The "plaintext" attack is more difficult for a cryptosystem to resist. Here, the cryptanalyst has knowledge of the blocks of plaintext which correspond to the blocks of encrypted text. In this case, only the encryption key, K, remains to be discovered.
Finally, the most powerful of all attacks to which any given cryptosystem may be exposed is the "chosen plaintext attack", in which the cryptanalyst has possession of corresponding blocks of plaintext (P) and ciphertext (C), as in the case of the plaintext attack, and furthermore the P are selected by the cryptanalyst.

Although situations of known or chosen plaintext attack on a cryptosystem may tend to arise fairly infrequently in the real world, DES was designed to resist even such an attack. In fact, NBS claims that "... no technique other than trying all possible keys using known input and output for DES will guarantee finding the chosen key." [26]

NBS continues its discussion of the security of DES and indicates that there exist a very large number of possible keys of 56 bits (about $7 \times 10^{16}$) as used in DES, in order to assert that the security of the system is adequate and will continue to be so, given the current state of computer technology, with the standard to be reviewed in five years.

In the author's view such superficial reasoning is potentially dangerous, and appears tantamount to asserting that a simple substitution cipher as applied to a natural language is quite secure, since there are 26! possible keys which must be tried to guarantee breaking the system.
To put forth such a naive claim indicates that one is either overlooking or purposefully ignoring a wide range of factors which may indeed be of assistance in breaking the cipher system, such as an underlying statistical structure to the language being encrypted [21], or a feasible means of algorithmically or heuristically "inverting" the encryption algorithm in order to solve for the key K from the given P-C pairs. The former may be of interest with respect to the cryptanalysis of text of known structure encrypted with the DES algorithm. However, this thesis will deal principally with particular heuristic techniques for the purposes of an "inversion" of the DES encryption algorithm.

It is realized that at present there exist no good theoretical tools for proving the impossibility of breaking a given practical cryptosystem, and that the demonstration of the security of any such system is usually provided by the inability of expert cryptanalysts to perform a successful cryptanalysis. Indeed, with the exception of encryptions based on the Vernam system or its variants, no cryptosystems are theoretically secure, but are simply difficult to break given the best known algorithms for performing various tasks [21].

In the majority of instances, the most explicit quantification of security of a cryptosystem which can be provided is to indicate that breaking the system will be "at least as hard as" some task assumed to be of substantial time complexity as a function of instance length. For instance, the difficulty of breaking the well-known public key cryptosystem of Rivest et al. [20] is assumed to be at least as hard as factoring a very large number chosen for use in the system.

With respect to the above discussion, NBS may now be criticized on at least two accounts. Firstly, NBS has refused to provide any theoretical justification for the supposed security of DES, and has only indicated that about 17 man-years of effort were expended in the certification of the standard and that the system is thus secure. Neither NBS, nor the National Security Agency (NSA) which participated in this certification process, have released any details of the study which apparently indicated the strength of the system. Similarly, no explanation for the structure of the encryption algorithm has been offered. Such a noticeable omission of information has led some authors [2,5] to speculate that DES has concealed within it some "trap-door" information which would allow those in possession of such details (i.e., the NSA) to break the system with relative ease.

Secondly, various attempts at cryptanalysis of DES have indicated that the NBS claim that all possible keys must be tried to ensure breaking the system is exaggerated. Hellman et al. [5] discovered a symmetry under complementation of P, C, and K which results in a 50% time saving in cryptanalysis over exhaustive key search. Elsewhere [6], Hellman also describes how after initial exhaustive cryptanalysis, DES-like systems may be broken for subsequent P-C pairs in time on the order of the square root of the key space size. Other authors [2] have suggested that it is technologically feasible to construct a special-purpose machine with a million distinct processor elements which would be capable of solving for K from any P-C pair in less than 24 hours.

Hopefully, the above serves to indicate that the DES system may not be as secure for many applications as either NBS or the NSA would prefer that people believe.

Chapter II
S-BOX COMPLEXITY: STRENGTH OF DES

It will be useful for both purposes of familiarization of the reader with some details of DES, and to indicate in which areas of the algorithm the strengths of the system lie, to examine the encryption algorithm with some precision. Full details of the algorithm are publicly available in the appropriate NBS documents [26].

In its most common mode of operation, DES serves as an "electronic code book", encrypting 64-bit blocks P to form 64-bit blocks C, using 56 bits of a 64-bit key K.
For a given K, DES may be thought of as a one-to-one mapping of a 64-dimensional vector space over GF(2) into itself. To aid in assuring the security of the cryptosystem this mapping should be highly non-linear. Examination of the internal structure of the DES algorithm indicates that it follows Shannon's advice of alternating layers of permutation and substitution, in order to respectively provide diffusion and confusion [4,21].

Following an initial permutation, the P block is subjected to 16 rounds of an encryption process, where each round consists basically of a substitution of bits followed by a simple permutation, and is preceded by an XORing of bits of K selected in a permuted fashion as a function of layer with a permutation of the current bits in the developing ciphertext. At each layer of encryption, this operation is performed on only the rightmost 32 bits of the developing ciphertext, but the right and left halves of this block are transposed at each level. After these 16 layers of encryption, the resulting block is subjected to another application of the initial permutation, inverted, to yield C. In the case of a known plaintext attack, as is our assumption, the applications of the publicly-known initial permutation add no difficulty to the cryptanalytic task.

It may clearly be seen at this point that the strength of DES rests in the process of substitution of bits at each round, as performed by the S-boxes.
All other operations in the encryption procedure: the XORing, the permutation, and the expansion, are linear in binary arithmetic. Were the substitutions performed by the S-boxes also linear, the entire encryption procedure would be linear, and

$$C = AP + BK$$

for C, P and K considered as binary vectors. In such a case, chosen plaintext cryptanalysis would be equivalent to performing the inversion of a 56x56 binary matrix, as from the above equation:

$$BK = C - AP$$

$$K = B^{-1}(C - AP)$$

It is thus trivial to calculate K when P and C are known; the A and B matrices come from the encryption algorithm. It has been shown [5] that the S-boxes as employed in DES are neither linear nor affine (a case which would yield almost as simple a cryptanalytic procedure), although there exists speculation as to whether or not the S-boxes conceal less overt trap-door information such as parity.

That it is this non-linearity of the S-boxes which leads to extensive difficulties in a "search-tree" exhaustive approach to cryptanalysis may easily be perceived when the search for K from a known P-C pair is represented graphically (Figure 1, Exhaustive Tree Search). The search for K may be represented as an AND/OR tree traversed in a top-down fashion. At level 1 in the tree, the values for C in all 64 bit positions are known. Level 0 is represented by an AND node, as all of its successors must be true, as a result of precise knowledge of all bits of C.
At the leaves of the tree, the values of P in all bit positions are similarly known. This search procedure is presented more formally in Chapter VII.

When one considers the first [fn 1] branch to this tree, it may be seen that there are two ways to make the 64th bit of the C block 1 [fn 2]. One such possibility is that the positionally corresponding bit of L15 and that of f(R15,K16) are both 0. As a consequence of the structure of the S-boxes, there are 32 ways in which this condition may be satisfied, if the S-boxes are utilized in the manner in which they are presented in the DES literature [26]. Of the $2^6 = 64$ possible input configurations for any S-box, precisely half of these (32) result in the value of some specified S-box output being 1; the other 32 cause the S-box output to have a value of 0. Thus, when the process of encryption is inverted, it may be seen that any of 32 possible inputs can have caused some specific S-box output to have a certain value.

[fn 1] employing a standard preorder tree traversal
[fn 2] or 0, without loss of generality

Due to this very high tree branching factor, an exhaustive tree search for K would be no more efficacious than exhaustive cryptanalysis by trying all possible K's and determining their correctness by use of DES in the forward direction. In fact, there would be far more nodes in such a search tree than there are possible keys of 56 bits.
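
The linearity argument of this chapter ($C = AP + BK$, hence $K = B^{-1}(C - AP)$) carried through on a toy cipher, as an added example that is not code from the thesis. The random matrices A and B, the affine constant c and all function names are constructed for illustration; B is taken as 64x56 here, so the key is recovered by Gaussian elimination over GF(2) rather than by inverting a square matrix.

```python
import random

N_BLOCK, N_KEY = 64, 56  # block and key sizes quoted in the text


def parity(x):
    return bin(x).count("1") & 1


def mat_vec(rows, v):
    """GF(2) product of a matrix (one bitmask per row) with bit-vector v."""
    out = 0
    for i, row in enumerate(rows):
        out |= parity(row & v) << i
    return out


def solve_gf2(rows, rhs, ncols):
    """Solve rows * x = rhs over GF(2) by Gauss-Jordan elimination.

    Returns the unique solution as a bitmask, or None when the system is
    inconsistent or leaves a key bit undetermined.
    """
    aug = [(row, (rhs >> i) & 1) for i, row in enumerate(rows)]
    for col in range(ncols):
        pivot = next((j for j in range(col, len(aug))
                      if (aug[j][0] >> col) & 1), None)
        if pivot is None:
            return None                      # no pivot: rank deficient
        aug[col], aug[pivot] = aug[pivot], aug[col]
        p_row, p_rhs = aug[col]
        for j in range(len(aug)):
            if j != col and (aug[j][0] >> col) & 1:
                aug[j] = (aug[j][0] ^ p_row, aug[j][1] ^ p_rhs)
    if any(bit for _, bit in aug[ncols:]):
        return None                          # a leftover row reads 0 = 1
    return sum(bit << col for col, (_, bit) in enumerate(aug[:ncols]))


def make_cipher(rng):
    """Constructed toy cipher C = A*P + B*K + c with random public A, B, c."""
    A = [rng.getrandbits(N_BLOCK) for _ in range(N_BLOCK)]
    c = rng.getrandbits(N_BLOCK)             # c = 0 gives the purely linear case
    while True:
        B = [rng.getrandbits(N_KEY) for _ in range(N_BLOCK)]
        if solve_gf2(B, 0, N_KEY) is not None:   # keep only full-column-rank B
            return A, B, c


def encrypt(cipher, P, K):
    A, B, c = cipher
    return mat_vec(A, P) ^ mat_vec(B, K) ^ c


def recover_key(cipher, P, C):
    """Known-plaintext key recovery: solve B*K = C - A*P - c (minus is XOR)."""
    A, B, c = cipher
    return solve_gf2(B, C ^ mat_vec(A, P) ^ c, N_KEY)


def demo(seed=1983):
    """Encrypt one block under a random key and recover the key from (P, C)."""
    rng = random.Random(seed)
    cipher = make_cipher(rng)
    K = rng.getrandbits(N_KEY)
    P = rng.getrandbits(N_BLOCK)
    C = encrypt(cipher, P, K)
    return K, recover_key(cipher, P, C)


if __name__ == "__main__":
    K, found = demo()
    print(f"key       {K:014x}")
    print(f"recovered {found:014x}  match={K == found}")
```

A single known P-C pair suffices in this toy setting because the 64 linear equations in the 56 key bits have full column rank.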

The fact that the 32 conditions which lead to the same f output are disjunctive makes it similarly impossible to discover K by heuristically pruning mutually incompatible but necessarily conjunctive conditions from the same level of the tree. All of the input conditions leading to the S-boxes' production of a 1 output in the given bit position would have to be inconsistent with that of another AND path before the subtree growing at such a point could be disregarded. The search for such conditions throughout the entire tree to heuristically guide search for K would be more costly than brute-force exhaustive key trials.

Chapter III
AN INVESTIGATION OF S-BOX GROUP PROPERTIES

3.1 THEORY: PERMUTATION AND COMPLEMENTATION OPERATORS

In an attempt to discover potential regularities within the structure of the DES S-boxes, a method devised by McCluskey [12] was employed to ascertain whether or not any of the Boolean functions represented by the actual S-boxes employed in the DES system possess any properties of group invariance. As is described below, it is convenient to interpret each of the 8 S-boxes as a set of 4 Boolean functions of 6 variables. Each of the 8x4=32 outputs of the bank of S-boxes is a different function of 6 variables. It is our concern here to discover which, if any, of these functions are invariant under the permutation and/or complementation of input variables. The set of all permutation and complementation operators forms a mathematical group, hence the term "group invariance" of a function.

As they are represented in the DES algorithm in tabular form, the S-boxes are exceedingly difficult to work with: conventional Boolean algebra provides no formalisms for dealing with such structures.
Consequently, each S-box was interpreted as 4 Boolean functions, each of 6 independent variables, one such function for each of the S-box outputs.

With little difficulty, it is possible to obtain a Boolean function whose value is equivalent to that of a specified output bit of any desired S-box. This function is in the form of a logical sum of elementary product terms (p-terms) where each such p-term is a logical product of the values of the 6 input variables to the chosen S-box.

By examining a binary representation of the contents of an S-box, it is possible to discover for which 32 of the $2^6 = 64$ possible input configurations to the S-box a chosen output bit will be on. The row and column index of the S-box entry with a 1-bit in the chosen output position are used to determine which input configuration is responsible for the selection of this entry causing the 1 output. Each of the 32 entries for which the desired output bit will be on will correspond to a p-term in the Boolean function form for that S-box - output bit pair: a 0 in a position of the binary representation of a S-box entry corresponds to a complemented literal in the p-term in the corresponding position, whereas a 1 corresponds to an uncomplemented literal. For instance, if S-box 1 output 1 is on for the configurations of input variables:

000000, 000001, ..., 111110

then the p-term Boolean function for that S-box and output may be written as:

$$X_1'X_2'X_3'X_4'X_5'X_6' + X_1'X_2'X_3'X_4'X_5'X_6 + \dots + X_1X_2X_3X_4X_5X_6'$$

Such functions may be obtained for each of the 4 outputs of each of the 8 S-boxes, and may be represented as 32x6 binary matrices. Each row in such a representation will correspond to a single conjunctive p-term.
Following the terminology of McCluskey [12], these matrices will be referred to as transmission matrices, T.

What is of interest with respect to S-box structure is the group invariance (or lack thereof) of these Boolean functions. Discovery of the group properties with which we concern ourselves at this point is equivalent to the determination of whether or not there exist any permutation and/or complementation operations which leave the functions unchanged when these operations are applied to the input variables.

If any such group properties are discovered within the S-boxes, the symmetries they represent may be used to reduce the size of the search space involved in the search for the encryption key when cryptanalyzing instances of the application of DES. The discovery of any symmetries in the S-box functions will make it possible to represent these functions in a more compact form, and hence reduce the branching factor in the search for K. Clearly, it is of great interest to be able to discover any possible means of reducing the size of the inevitably large search tree formed to uncover the key used to encrypt known plain and ciphertext blocks.

As a simple example of how a discovery of functional invariance under the permutation of input variables allows a more succinct representation of a function, consider the function:

$$f(X_1,X_2) = X_1X_2 + X_1'X_2 + X_1X_2'$$

If it is known that f is symmetric in $X_1$ and $X_2$, then

$$f(X_2,X_1) = X_2X_1 + X_2'X_1 + X_2X_1' = f(X_1,X_2)$$

and it may be concluded that $f(X_1,X_2) = X_1 + X_2$.

We shall use McCluskey's notation of $S_iT$ to represent some permutation of the Boolean transmission function T where the i subscript represents the specific permutation. $N_jT$ shall be used to represent a complementation of the input variables of T which correspond to a 1 in the binary representation of the subscript j. For example,

$$S_i(X_1\ X_2\ X_3\ X_4\ X_5\ X_6) = (X_2\ X_1\ X_3\ X_4\ X_6\ X_5) \quad \text{for } i = 213465$$

and

$$N_j(X_1\ X_2\ X_3\ X_4\ X_5\ X_6) = (X_1\ X_2\ X_3'\ X_4\ X_5'\ X_6') \quad \text{for } j = 001011$$

We are interested in determining, for each T, the values of i and j such that $S_iN_jT = T$.

Even for our application, which involves a relatively small number, n=6, of independent variables in the T functions, an exhaustive search for group invariants may easily be shown to be intractable. There are $n!$ possible $S_i$ operators, and $2^n$ possible $N_j$ operators, hence $n!\,2^n$ possible $S_iN_j$ operators. When the T functions involve 6 independent variables, this means there exist $6!\,2^6 = 46080$ possible $S_iN_j$ operators. A brute-force determination of the invariance of T under these operators would involve operating on T with each of the operators, and then determining if there is some row permutation of the binary matrix which represents $S_iN_jT$ which would make $S_iN_jT$ identical to T's matrix representation. (If an $S_iN_j$ operator leaves T unchanged, then the only possible effect of applying the operator to T is to change the order of the rows of T, analogous to changing the order of the disjunction of conjunct terms in the elementary p-term expression). As our T functions involve 32 rows each, up to $32! = 2.6 \times 10^{35}$ permutations of $S_iN_jT$ might have to be tested for each of the 46080 $S_iN_j$ operators. To circumvent such blatant computational intractability, some consideration of the characteristics of the specific T functions is required.

For an $S_i$ operator to have no effect, the columns of T exchanged by the $S_i$ must have equal numbers of 1's, as permuting the rows cannot vary the total number of 1's in any column. For an $N_j$ operator to have no effect, either the single primed column of T must have an equal number of 1's and 0's, or else there must exist two primed columns, where the first has as many 1's as the second has 0's. Following McCluskey, if one transforms T into a standard matrix D, the $S_iN_j$ operators leaving T invariant may be determined directly from the $S_i$ operators which leave D invariant [fn 3] ($S_iD = D$). D is formed from T by priming all columns with more 1's than 0's.

[fn 3] Actually, which leave invariant either D or any D' formed by priming suitable combinations of columns of T with equal numbers of 1's and 0's. This consideration of $N_i$ operators will be deferred until later.

As D has columns with at least as many 0's as 1's, one need only consider permutations of columns with equal numbers of 0's. For this reason, D is partitioned into column partitions where each column present in any given partition has the same number of 0's. Thus, one need only consider $S_i$ operators which switch columns within the same column partitions. Rows may also be partitioned in an identical fashion: only rows from within the same row partition may be permuted to identify $S_iD$ with D.

It can be reasoned that this process of partitioning should be further carried out on the submatrices of D formed by the initial partitioning. As McCluskey indicates: "In general, only rows which have the same weight in each submatrix can be interchanged.
Priming columns of the same partition does not change the weight of the rows in the corresponding submatrices" [12: p.1448]

The partitioning process is carried out recursively on the submatrices formed by prior partitionings of D until a matrix results in which each row and column of each submatrix has the same number of 0's. Assuming that the partitions are relatively small, even an exhaustive approach to the determination of which row and column permutations leave D unchanged should be tractable, as only permutations involving rows or columns from within the same partition need be considered. That is, for each possible permutation of each of the column partitions in the fully-partitioned D, permutations of row partitions are applied to restore D to its original form. If the column partitions of D are very small, the number of possible column permutations is drastically limited. In the trivial case where each column is in a partition by itself, where submatrices have different column weights for all columns of D, it can be concluded that no Si exists such that SiD=D.

After D has been fully partitioned and the Si permutations which leave D invariant have been discovered, we must consider the D'. Recall that as defined, our D may possess some columns with an equal number of 0's and 1's. In this eventuality, we must form a set of possible special standard matrices D', by priming certain combinations of the columns of D which have this equal number of 0's and 1's. These primings will determine the j superscripts of possible Nj operators. If we form D'=NjD, and SiD'=D' as determined by the partitioning and column and row permutations of D', we can deduce the SiNjT=T represented by this invariance.
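The formation of D and the partitioning described above can be written as a refinement that repeats until nothing splits. This is an added Python example, not the thesis's APL code; the function names and the sample matrix T are constructed for illustration, and the treatment of D' (columns with equal numbers of 0's and 1's) is left out.

```python
def standard_matrix(T):
    """Form D from T by priming (complementing) each column with more 1's than 0's."""
    primed = [c for c in range(len(T[0])) if 2 * sum(row[c] for row in T) > len(T)]
    D = [[bit ^ int(c in primed) for c, bit in enumerate(row)] for row in T]
    return D, primed


def split(blocks, signature):
    """Break each block into groups of indices that share the same signature."""
    out = []
    for block in blocks:
        groups = {}
        for i in block:
            groups.setdefault(signature(i), []).append(i)
        out.extend(groups[key] for key in sorted(groups))
    return out


def refine(D, row_blocks=None, col_blocks=None):
    """Refine row and column blocks until every row of every submatrix
    (row block x column block) has the same weight, and likewise every column.
    Each split is seen by all submatrices on the next pass, so the loop stops
    only at a complete partitioning."""
    row_blocks = row_blocks or [list(range(len(D)))]
    col_blocks = col_blocks or [list(range(len(D[0])))]
    while True:
        new_rows = split(row_blocks,
                         lambda r: tuple(sum(D[r][c] for c in cb) for cb in col_blocks))
        new_cols = split(col_blocks,
                         lambda c: tuple(sum(D[r][c] for r in rb) for rb in new_rows))
        if (new_rows, new_cols) == (row_blocks, col_blocks):
            return row_blocks, col_blocks
        row_blocks, col_blocks = new_rows, new_cols


def column_swaps_possible(col_blocks):
    """An Si other than the identity needs a column block holding at least two columns."""
    return any(len(block) > 1 for block in col_blocks)


if __name__ == "__main__":
    # Constructed 4-variable transmission matrix (one row per input with output 1).
    T = [[1, 1, 0, 0], [1, 0, 1, 0], [1, 0, 0, 1], [0, 1, 1, 1]]
    D, primed = standard_matrix(T)
    rows, cols = refine(D)
    print("primed columns:", primed)
    print("row blocks:", rows, "column blocks:", cols)
    print("non-identity Si worth testing:", column_swaps_possible(cols))
```

Only permutations of columns inside one returned column block, paired with permutations of rows inside one row block, remain as candidates for SiD=D.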
Not all possible combinations of primings of these columns of D need be considered; special characteristics of D will permit the a priori elimination of some D'. If some row of D is all 0 (or 1) and after priming, D'=NjD does not also have a row of all 0 (or 1) we know there cannot exist an Si such that SiNjD=D. No amount of column switching can allow us to form a row of all 0 (or 1) if such a row does not already exist in D'.

After the elimination of some potential D' in this manner, we form the D' and partition them recursively as was done for the D matrix, to form submatrices of the D' with the property that each row (column) of each submatrix has the same number of 0's. If any of these D' matrices has the same partitioning as D, permutations of columns within column partitions are examined to determine if any such column permutation, followed by a row permutation of rows within the same partition(s) can restore the SiD' to D'. If such permutations exist, we have determined SiNj operators such that SiNjD=D. (Nj is the priming of D to form D'). From the initial primings used to transform the transmission matrix T into the standard matrix D, the SiNjT=T invariances may be directly determined.

3.2 IMPLEMENTATION FOR DES

The language first chosen for the implementation of this algorithm, and some subsequent experimentation with DES was APL, due to its pseudo-parallel array processing capabilities, its power with respect to both Boolean and matrix manipulations, and its interactive nature. The code for all APL functions referred to in this chapter may be found in Appendix A. Unfortunately, it was discovered that the computational cost overhead incurred by the fact that APL is an interpreted language limits its applicability to problems of a relatively small size.
For later programs involving computations of a combinatorially large nature, the compiled language PL/I was employed.

The partitioning procedure described in the preceding section was implemented as a recursive APL routine, PARTITION. The routine is passed a standard matrix, as defined earlier, with rows and columns both permuted in order of increasing number of 1-bits. The initial partitioning of rows and columns is determined by examining at which points the next row (column) has more 1's than the preceding row (column). Such positions indicate partition points in the standard matrix.

This initial partitioning is discovered by means of a call to the routine INITPARTIT. Given a binary representation of a standard matrix, the routine INITPARTIT returns a 2xN integer matrix of pointers into the standard matrix. Each pointer indicates a partition point of the standard matrix: a point before which the matrix should be divided to form a submatrix. The first row of the matrix of pointers returned from the INITPARTIT routine refers to divisions between rows of the standard matrix, while the second row refers to column divisions.

After having called INITPARTIT to determine the initial partitioning of the standard matrix as determined by where the number of 1's in rows and columns changes, PARTITION calls the recursive routine PARTITCALL with both the initial partitioning and the standard matrix as arguments. It is this PARTITCALL routine which may be considered the central routine in the partitioning system.
The routine is passed both the standard matrix, and the partition points which divide that matrix into the first level of submatrices. Employing two nested loops, PARTITCALL iterates through all of the initial submatrices of the standard matrix by columns. For each of these submatrices, INITPARTIT is called to obtain the initial partitioning of that submatrix, and PARTITCALL is recursively invoked to further partition the submatrix. PARTITCALL returns a matrix of pointers containing all partition points discovered for either the initial matrix with which it was invoked, or any recursively-discovered submatrices of that matrix.

During the debugging of this system of routines, it was discovered that the above recursion was insufficient as implemented to discover the complete partitioning of a binary matrix. (Where as defined earlier, a completely partitioned matrix is one in which all rows (columns) within any partition have the same number of 1's). The reason for this was that partitions made in one submatrix at a specific level of recursion are not known to other submatrices at the same level of recursion during their partitioning.

Consider, for instance, the following case which actually occurred during the partitioning of the standard matrix representing the Boolean function for S-box 1, output 1. Suppose that 2 has already been discovered as a column partition point for the top level matrix as a result of the partitioning of some submatrix occurring higher in the same column as the submatrix currently being processed. That is, a partition should exist between columns 1 and 2 of the standard matrix.
Suppose also that the submatrix now occurring lower in the column is:

011110
101011

Application of the recursive partitioning routine to this submatrix would result in the following partitioning:

01 | 1 | 1 | 1 | 0
10 | 0 | 1 | 1 | 1

Each of the submatrices formed as a result of this partitioning indeed satisfies the property of each row (column) having an equal number of 1's. However, as a division exists in the top level matrix of which this is a submatrix as a result of an earlier partitioning of another submatrix, the top level matrix may not be fully partitioned, even after all submatrices have been partitioned in this manner. The division existing between the first and second columns implies that within the illustrated submatrix, two 2x1 submatrices exist which do not have an equal number of 1's in their rows.

As a consequence of this ignorance of each submatrix concerning the partitioning of the other submatrices at its same level, to fully partition the standard matrix it does not suffice to simply call PARTITCALL once. Consequently, the PARTITION routine calls PARTITCALL iteratively. On the first call to PARTITCALL, the partitioning of the standard matrix supplied is that returned by INITPARTIT. Subsequently, PARTITCALL is called with the initial partitioning set to be the complete partitioning as returned from the previous call to PARTITCALL. In this manner, the partitionings of each submatrix are made known to other submatrices at the same level.
With reference to our example, the fact that a partition exists between the first and second columns is known globally when PARTITCALL is iteratively reinvoked from PARTITION, so the two 2x1 submatrices with unequal numbers of 1's in their rows would be further partitioned during this call. The process of partitioning terminates when no further partitionings are discovered as a result of repeated calls to PARTITCALL.

Another routine, PRINT-PARTIT, was devised to display the partitioning of a matrix. When called with a matrix and its partition points as arguments, the matrix is printed with spaces between its submatrix components.

An illustration of the operation of these partitioning routines may be seen in Figure 2, Complete Partitioning of a Matrix. A 9x6 binary matrix is partitioned, and the resulting partitioning displayed by a call to the PRINT-PARTIT routine. This matrix is the same as that used by McCluskey [12: p.1447]. From this example, it may clearly be seen that each row (column) of the fully partitioned matrix has an equal number of 1's.

3.3 APPLICATION TO DES

As the discussion of the algorithm for detecting group symmetries in Boolean functions indicated, after a standard matrix has been formed, only columns from within the same column partition may be permuted, if the matrix is to be restored by means of row permutations. Thus, the first step towards the discovery of possible symmetries in the transmission functions which represent the DES S-boxes is to fully partition the standard matrices for such transmission functions.

For this purpose a driver routine, PARTITION-ALL, was implemented, to call PARTITION with standard matrices representative of the transmission functions for each of the 32 possible S-box - output pairs.
This driver routine forms all of these transmission matrices T from S-box data, and puts T into standard form by priming all columns which contain more 1's than 0's. The rows and columns of each standard matrix are then permuted in order of increasing 1's.

The purpose of this routine was to obtain some approximate idea of how small the column partitions of the standard matrices would be, to determine the tractability of an exhaustive approach to the permutations of columns within the same column partitions. As usual, the numbers indicative of the partition points are positions before which the matrix should be divided.

As may be seen in the table of output from this routine, somewhat surprising results were obtained. All 32 matrices partition so that there is only one row and one column in each submatrix; submatrices are all 1x1 in size. Such a structure implies that for these functions, no SiNj exist such that SiNjT=T. There is no possible way to complement and/or permute the inputs to any S-box and leave the S-box functionally invariant. This approach to the discovery of S-box symmetry is consequently of no use in reducing the search space size during cryptanalysis.

Subsequent discussion of the problem of symmetry detection with Dr. D.M. Miller led to the idea of the use of Rademacher-Walsh spectral techniques for the detection of any partial two or multi-variable symmetries which may be present in the Boolean functions for the S-boxes [14,17]. Although it is not possible to permute and/or complement any S-box inputs and leave the function of any S-box invariant, it may be possible that for some S-boxes such symmetries as: f(0,1,...)=f(1,0,...) do exist. The existence of even such partial symmetries in the S-boxes could allow us to reduce the size of the search tree for the encryption key.
The application of such techniques to the S-box functions has not as yet been pursued, and remains as an interesting problem for future research.

Chapter IV

CRYPTANALYSIS BY S-BOX APPROXIMATION

Given that the core of the problem of cryptanalysis of DES rests in the complexity of the S-boxes, it was decided that one potentially successful means of attack of DES could conceivably be through approximation of the S-boxes. P-term expressions for the Boolean functions embodied in the S-boxes have already been obtained as a result of the analysis of the preceding chapter. Other advantages may result from obtaining some sort of "minimal" sum-of-products expression for each S-box output, as a function of the 6 input variables or their complements. Such a representation may be amenable to making some as-yet unnoticed S-box structure more apparent. A more compact expression for the action of the S-boxes should reduce the effective branching factor of the search tree, and should also assist in increasing the tractability of the operation of pruning this search tree. For these reasons, we shall wish to obtain sum-of-product expressions for each output of every S-box which contain the minimal number of Boolean literals required to express the function which represents that S-box - output pair.

More specifically, having the S-boxes in such a form may permit the Boolean functions performed by the S-boxes to be approximated in such a manner as to allow a valuable tradeoff between the accuracy of the approximated S-boxes and the cost of the solution for K from P and C in such an approximate system.
Suppose for instance that some approximation to the S-boxes as could be achieved by considering the sum of only the 3 most significant conjunctive terms in the sum-of-products expression for each S-box - output pair yields a system which may be simply inverted, and it is possible to tractably solve for K, from P and C [footnote 4]. Unfortunately, if the functions which represent the S-boxes are only approximate, and are thus not correct for all possible input configurations, the K obtained from search with a P-C pair may also be incorrect. If the K we obtain as a solution has a probability of being correct of only 1/n, then on average we must solve for K using n/2 P-C pairs before the resulting K:P->C under the "real" DES algorithm. However, if the time required to discover a K in the approximate DES system is a factor of more than n/2 less than that required when accurate S-box functions are employed (weighted by the cost of the n/2 encryption trials to ascertain if the K is correct), then this cryptanalytic technique should be of some merit.

Footnote 4: The solution need not be analytical, but may well involve heuristic search of a tree simplified in the sense of it having a reduced branching factor resulting from the use of the simplified S-box expressions.

In summary, we wish to approximate the Boolean functions which represent the S-boxes, and search for K from P-C pairs, an unlimited amount of which are available to us. As the S-box functions are only approximate, such K may be incorrect. Any potentially-correct K discovered may be quickly verified by seeing if it does map P to C. We continue to produce a potential K by using the search procedure with different P-C pairs until a correct K is produced.
Generally, it would be of interest to examine the characteristics of the tradeoff between the degree of S-box approximation, and the time required for cryptanalysis. As one continues to simplify the S-box approximating expression in some regular fashion, the encryption employing these expressions will continue to lose accuracy, although an analytical or search-tree solution for K should become more simple. Exactly how optimal a simplification may be achieved, from the perspective of cryptanalytic cost, is another topic for future research. This thesis will be more concerned with the reduction of the size and complexity of the functions represented by the S-boxes without any compromise in their accuracy.

Chapter V

QUINE-MCCLUSKEY MINIMIZATION OF S-BOXES

5.1 QUINE-MCCLUSKEY: IMPLEMENTATION

Several classical methods exist in the field of digital logic design for the minimization of Boolean functions. These include the Karnaugh map method and the Quine-McCluskey (QM) procedure [13], this latter procedure being more suited to computerized implementation. Both are designed to minimize the Boolean function in question as a sum-of-products expression. The Reed-McClennan technique is occasionally employed as an alternate procedure, to minimally express any given Boolean function by means of XOR operations. While such a minimization algorithm may be of use as the S-boxes could be as heavily XOR-oriented as the remainder of the DES algorithm, the reliance of the Reed-McClennan algorithm on highly topological methods makes it clumsy to implement. Chapter VII will be concerned with alternatives to the Reed-McClennan technique for the extraction of XORs.
The QM algorithm may be seen to have two distinct phases: that of discovering all prime implicants, and that of forming non-redundant sums. A prime implicant of an n-variable Boolean function f is a product term B consisting of m (which is not greater than n) literals, such that B->f, but that any B' formed by deleting a literal from B no longer implies f. A literal is a Boolean variable or the complement of a Boolean variable. It is not of substantial interest to discuss the details of the QM procedure here, as the algorithm referred to may be found in McCluskey's paper [13], or in any standard textbook concerned with digital logic design [16].

An implementation of the QM algorithm was devised and applied to the S-boxes of the DES system. The code for the routines referred to in this section may be found in Appendix B. As previously mentioned, it is possible to view the bank of S-boxes in the DES encryption algorithm as 32 separate Boolean functions, each of 6 independent variables. Both these functions and their complements were minimized by the QM procedure. The requirement for minimal forms for the complements of the S-box functions, i.e. minimal forms to describe the input conditions for which an output of the S-bank is 0, is elaborated upon in Chapter VIII. The requirement is connected to the fundamental asymmetry in the number of ways a sum-of-products form and the corresponding product-of-sum form generated by DeMorgan complementation may be instantiated to produce a functional output of 1.

The routine ANALYZE calls QM iteratively for each of the 32 possible S-box - output pair combinations. QM calls the function PRIMIMP in order to determine the prime implicant terms for the various inputs.
Complemented and uncomplemented forms of the S-boxes themselves are represented as a global 3-dimensional matrix consisting of a lamination of the tables as supplied in the DES literature [26]. The function BINARY converts the decimal representation of the S-boxes to binary, and the ON function, also called from ANALYZE, returns the 32x6 matrix of p-term inputs for which the specified output of the specified S-box is on, i.e. 1.

By means of the ANALYZE procedure, global tables of essential and alternative products of input literals for each of the 32 S-box - output pairs were constructed. At this point, exact expressions for the S-boxes had still not been discovered. The essential terms are those which must be included; the table of alternatives indicates what options are available in selecting the remainder. For the purposes of visual inspection to detect some overt S-box structure, these tables were printed by the DUMP-SP routine. One such table may be seen in Figure 3, Essential and Alternative Sum-of-Products Terms.

Each row of the table of terms corresponds to a single p-term, where the p-terms are in a notation known as "cube" notation [footnote 5] as developed by Roth [10]. In this notation, the presence of a 1 in some position of a p-term indicates that the corresponding literal is to remain uncomplemented; a 0 indicates complementation is to occur. The presence of an X indicates that the value is a "don't care", and the input variable may be ignored. The rather sparse occurrence of don't care inputs is remarkable.

Footnote 5: Named for the topological interpretation in which each variable of an n-variable function corresponds to a vertex of an n-dimensional cube.
In the alternatives table, the integer to the right of the term indicates the class to which that product term belongs, and only one term from each class need be chosen from the set of all choices, when combined with the essential terms, to form a fully accurate representation of the S-box.

In order to verify that the QM minimizations performed are accurate, the PROB-CORR function was used to check that the minimal Boolean expression for each S-box returns the same value for every possible input configuration as does the real tabular S-box. This function was also later used to determine the probability of correctness of some approximate forms of the S-boxes.

5.2 SELECTION OF ALTERNATIVE TERMS BY REDUCE

After the Quine-McCluskey minimization procedure had been applied to the Boolean functions represented by the S-box tables, it was necessary to select one conjunct term from each of the classes of implicationally equivalent terms, in order to be able to represent the output of each of the S-boxes in a closed form as a sum-of-products expression.

After some reflection, it became apparent that there existed techniques for the selection of such a class representative which were in some ways superior to simply picking the positionally first member of each class as the conjunctive term representative of that class, a simpleminded strategy first followed by SELECT-SP in forming the sum-of-products expression used by PROB-CORR to verify the correctness of the minimization as mentioned in the preceding section. Referring to Figure 3 again, one may notice that there exist terms which appear in more than one class. Certainly, the selection of such a term as a class representative would eliminate the need for selecting any member of the other class(es) in which it appears, hence reducing the number of terms in the sum-of-products expression without losing any accuracy.
Such an ability is clearly advantageous.

The APL routine REDUCE employs this strategy in a relaxation-like fashion, to potentially reduce the number of classes prior to the selection of terms as class representatives. A comparison of each alternative term with all other alternative terms is performed to detect the existence of identical terms in different classes. Beginning with the term which most often appears inter-class, as the same term could appear in more than two distinct classes, and iteratively repeating the process on the alternative terms which remain after this reduction, the REDUCE routine serves to constrain potential choices of alternatives.

As the above technique cannot serve to completely constrain the choice of class representative terms except in the most radical of circumstances, where all classes contain some term also occurring in another class, a case which never occurs in DES, the problem remains of choosing the "best" representative of each class from the remaining terms. The REDUCE routine heuristically and somewhat arbitrarily selects as class representative the term which contains the most don't care (X) values. It was hoped that such a selection criterion could serve to simplify future operations which involve the sum-of-products expressions.

It is clear that the heuristic of selecting class representatives having the most don't care inputs may not be optimal for reasons which pertain to the applications of our minimal functions. As the minimal sum-of-products expressions are to be used in the tree search procedure for K, it will be desirable to have expressions for the S-boxes with a maximal number of terms in common, to allow pruning across subtrees during search tree growth.
For this reason, the interactions between the functions which represent the S-boxes may prove to be of significance. Thus, it may eventually be necessary or advantageous to perform a simultaneous minimization of all functions for the entire bank of S-boxes.

The sum-of-product terms resulting from the application of REDUCE to the tables of essential and alternative terms are stored in a global 4-dimensional matrix, SPTERMS, whose space and plane coordinates respectively represent S-box and output bit choices.

The sum-of-product terms produced by REDUCE may be seen in Table 1, where these p-terms are in cube notation. The minimal sum-of-product expressions for the S-box outputs contain between 14 and 23 terms depending on the function. This may be seen as a significant reduction from the 32 terms involved in the elementary p-term expression for each function.

5.3 INDIVIDUAL TERM CONTRIBUTION: RANK-TERMS

After having obtained such a minimal expression for each S-box and output pair, it was desired to ascertain which of the terms of each expression was most important, i.e. which of the terms contributed the most to the probability of correctness of the expression. One may speak of each term as possessing an associated probability of correctness value, Pcorr, which indicates the probability that the single term produces the same output for each possible input configuration as does the S-box in whose approximation the term exists.

Knowledge of this quantity was originally considered necessary in order to rank the terms in importance, to allow the selection of the "best" n terms to approximate the exact sum-of-products form. A scheme of greater sophistication was actually employed for this purpose, as elaborated in the succeeding chapter.

To accomplish this estimation of the importance of individual conjunctive terms, the RANK-TERMS procedure was devised.
This program calculates the contribution of each term to the correctness of the expression, and accordingly reorders the terms in SPTERMS for each S-box and output. The routine CONTRIB calculates the "contribution" of a single term, by assuming that the S-box is represented by the single conjunctive term which the routine receives as an argument and calculating the percentage of the 64 possible inputs to that S-box which produce the correct output bit. For most terms, the calculated contribution value is slightly above .5, i.e. the term in question "turns on" for several input configurations.

RANK-TERMS iterates over all S-box - output pairs, and calls CONTRIB to ascertain the contribution of each term. The terms in SPTERMS are ranked in decreasing order of contribution. Table 1 displays the ranked terms, together with their associated Pcorr values.

Chapter VI

SELECTION OF THE BEST SUM-OF-PRODUCT TERMS

6.1 COMBINATORIALLY EXHAUSTIVE BEST-SET DISCOVERY

When one approximates something, it is often useful to have a precise quantitative measure of the qualitative "goodness" of the approximation, where "goodness" must be accurately defined. In our situation which pertains to the formation of sum-of-product expressions to approximate the output of an S-box, the precision of the expressions may easily be quantified. The Pcorr of a sum-of-products expression is defined as the fraction of the number of inputs for which the result of the expression has the same value as the output of the S-box which it approximates.

Notice that these Pcorr will always lie in the range {.5,1}. In the trivial case where the approximation consists of 0 terms, the approximate expression's output will always be 0, as will that of the S-box for half of the input configurations. An increase in the number of terms in the approximation can only increase the Pcorr.
As the conjunct terms were obtained from a QM minimization of the S-box output values, the approximating expression can never return a 1, when the actual S-box output should be 0.

The principal question to be answered at this point in our discussion is: Given the chance to select n sum-of-product terms to approximate an S-box output, what terms should be chosen to guarantee the best possible approximation? This raises a related consideration, the answer to which is not evident a priori: Denote by Bn a set of n conjunct terms which have a correctness value at least as high as any other possible selection of n terms. If one is only permitted to change the approximating expression by the monotonic addition of terms, will such an expression always be a most correct approximation? That is, will there always be a set Bn+1 such that this Bn+1 contains a Bn, for all n?

To attempt to address the preceding two questions, a system of PL/I routines was written, as may be seen in Appendix C. Although the author finds PL/I to be a primitive and clumsy computer language to use, it was chosen for its reasonably high speed of execution. Combinatorially large problems tend to be computationally intractable in APL, due to APL's interpreted nature. Two small APL routines, DUMPTERMS and DUMPONS, were written to create PL/I-accessible datasets which contain both the complete sum-of-products representation for each S-box - output pair, and the vectors of input variable values for which the corresponding S-box outputs were on.
The output which resulted from running the routines on the p-terms discovered by Quine-McCluskey minimization of S-box 1, output 1 may be seen in Appendix C, following the program listing. Page xxx lists this minimal set of p-terms, together with a list of the 32 input configurations for which this particular S-box function returns a 1.

The PL/I system operates in three distinct steps. First, the 23x32 binary "contribution table" is formed, as may be seen on page 188. Each row of this table corresponds to a particular p-term; the corresponding p-terms may be seen to the left of the table. The binary entries in a row of the table indicate if that p-term is "on" for a particular input configuration which causes the function to be 1. There are 32 columns in this table, as for each S-box output there are precisely 32 input configurations which cause that output to be 1. In this sense, the matrix indicates the contribution of each term. Specifically, a particular term is on for a given input configuration if an ORing of the don't care input positions of the term with the XOR of the complemented (0) positions of the term with the input string yields a string of all 1's.

The rows of CONTRIB correspond to terms. As mentioned at the end of section 5.2, an exact sum-of-products expression for any given S-box - output pair requires at most 23 conjunctive terms, which explains the dimensioning of the CONTRIB matrix. Within a row of CONTRIB, 1's indicate for which of the 32 inputs the term is on in the sense indicated above.

Next, the COVER table is created, using CONTRIB.
COVER is an Mx23 binary matrix, formed to contain an indication of which of the conjunct terms to select to get the best approximation to the S-box, given that one is restricted to selecting precisely k=1,2,...,n of these terms. A portion of this (rather lengthy) table appears from pages 189 to 193.

It is in the creation of COVER that most of the computational complexity of the system resides. In order to determine the best selection of k terms, all choices of k terms selected from a set of n possible terms must be examined. In iteratively determining the best selection of k terms as k ranges from 1 to n terms, a total of 2^n selections must be considered. As n may be as large as 23, this computation is far from trivial.

Due to the associated expense, only the terms for the first output of the first S-box were searched in this manner, prior to developing a more sophisticated technique for discovering best sets. To perform the analysis for output 1 of S-box 1 required 788 seconds of execution time, on the AMDAHL 470/V8 at U.B.C. The improved algorithm of the next section subsequently reduced this execution time by a factor of more than 40.

The cover table is partitioned into n sets of best-sets, where n is the number of p-terms in the S-box approximation (n=17 in the example for S-box 1, output 1). The partitioning of the table is indicated in the output by blank lines. The cover table analysis table at the top of page 189 indicates the number of best-sets in each partition.
For instance, there are 2 ways to select the best set B1, which contains 1 p-term; only 1 way to select B2; 12 ways to select B3; and so forth. For each of the n sets of these best-sets, a Pcorr value may be seen in the cover table analysis section of the output produced by the PL/I routine. For a particular best-set k, this value denotes the correctness of the approximation if any set from that set of best sets is chosen as the approximation to the S-box. That is, the Pcorr value denotes what fraction of the possible inputs are mapped to the correct output value. It is trivial to notice that as k increases, the associated correctness value strictly increases.^6 For ease of readability, the dump of the COVER table shows the table partitioned into the different sets of best-sets. It is clear that within a row of this table a value of 1 indicates that the term in the corresponding bit position is to be chosen as part of the approximation. (The 23 columns in the table correspond to the 23 p-terms in an S-box function).

^6 If it did not, this would imply that our QM minimization procedure was faulty, and had produced redundant terms.

The creation of the COVER table served to answer the principal question posed at the beginning of this section. A best approximation to an S-box, where the approximation is restricted to possessing k terms, is found by selecting any element from the kth set of best sets in the COVER table. The correctness value for such an approximation is known.
The last purpose of the system of routines is to perform a search of the cover table to see if there exists a way to select one member of each set of best sets, such that the set of terms indicated by each selection is a subset of the terms indicated by the selection from the next set of sets. The search was implemented as a standard top-down search of the COVER table, with backtracking on failure. As may be seen on page 195 of the output, this search was successful for S-box 1, output 1.

This term selection table is a cumulative record of the sum-of-product terms chosen at each level. One new 1 appears in each successive row of the table; its position corresponds to the one new term added to the previous terms to form the new, more correct, approximation. The corresponding correctness values for these successive selections are repeated in this table. An alternative representation of this data is provided below the table, for the sake of convenience, with the terms listed in order of decreasing value. That is, to form a best approximation to the S-box output using k terms, one should select the first k terms of this list.

It should be apparent at this point why the RANK-TERMS procedure was used to put the terms in decreasing order of their individual contribution to S-box correctness. By having the best terms appear first, considerable backtracking during the search of the COVER table was avoided. As this table was of substantial size, the rather minimal effort involved in ranking the terms individually was deemed worthwhile.

6.2 A HIERARCHICAL APPROACH TO BEST SET DISCOVERY

Due to the computational expense inherent in the combinatorially exhaustive approach to the discovery of the "best sets" which was described in the preceding section, a more sophisticated technique was later devised in order to reduce the expense of this operation to within reasonable bounds.
The 788 seconds of CPU time required for the best set determination for output 1 of S-box 1 was considered to be indicative of the infeasibility of using such an exhaustive-search program on all of the 32 S-box - output pairs. This particular S-box - output pair has a complete approximation containing 17 terms, hence 2^17 selections are involved in a complete exhaustive search for best sets of size 1...n. To apply such an approach to an S-box output whose approximation contains 23 terms would require 2^23 comparisons. This is a factor of 64 times more than that required for output 1 of S-box 1, and could be expected to require almost 800 hours of CPU time, to perform exhaustively.

For S-box 1, output 1, it was empirically demonstrated by use of the exhaustive search PL/I system that the property of monotonic addition of sum-of-product terms did hold, i.e., it was true that there existed a Bi+1 which contained a Bi for all i = 1,2,...,n-1, where Bi is a best set formed by the disjunction of i sum-of-product terms.

That such a property is not necessarily true for every possible collection of sum-of-product terms may be illustrated by a simple counter-example. Suppose that the following 3 bit strings represent how these terms "contribute" to the coverage of some hypothetical situation involving 2^6=64 possible input configurations:

1) 101011
2) 110001
3) 001110

The first bit string connotes that the result will be on if input bits 1,3,5, and 6 are on and input bits 2 and 4 are off. One may see that the only possible B1 consists of a set containing term 1 alone. Term 1 has 4 bits on, which is the largest number of any term. The only possible B2, however, is formed as the union of terms 2 and 3 and has all 6 bits on.
There are no other possible selections for B1 or B2 which could allow B1 ⊂ B2; all other choices of two terms from the given set of terms have strictly less than 6 bits on.

Accordingly, given that one is willing to slightly compromise the optimality of the approximations obtained for a given S-box's output, but that one insists that such an "optimal" approximation involving n sum-of-product terms be a subset of some "optimal" approximation of n+1 terms, a computationally tractable algorithm to discover such "quasi-best sets", denoted Bi', has been devised and implemented. In the cases where the sum-of-product terms and the real S-box are such that a monotonic addition of terms to form the Bi sets is possible, as was the case for the first output of S-box 1, then our algorithm will return Bi'=Bi for each quasi-best set Bi'.

This algorithm used to form the Bi' is as follows: Clearly the B1' are those single sum-of-product conjunctive terms which are "on" for the largest number of input configurations for which the specific output of the S-box under consideration is also on. These B1', which are always the same as the actual best sets B1, are thus easily determined by counting the bits on in the bit string which represents the contribution of the term to the correctness of the output. Note that there may be more than one B1'; more than one term may have a maximal number of bits on.

Given the Bi', form the Bi+1' as follows. For each Bi', add to the set of terms comprising this Bi' the one new sum-of-products term which has a contribution bit string which is on for the most input configurations for which the disjunction of terms in the Bi' are off, to form a potential Bi+1'. Note that more than one such potential Bi+1' may be formed for each Bi'.
If the total number of input configurations for which this potential Bi+1' is on is as great as that for any potential Bi+1' formed from any other Bi', then the potential quasi-best set Bi+1' is to be retained as an actual Bi+1'.

This process is repeated until some Bn' is on for all of the input configurations for which the real S-box is. (I.e., until a Bn' has a contribution bit string all of whose bits are on). At such a point, one may trace back through the addition of terms which resulted in the formation of that Bn', in order to uncover the sequence of quasi-best sets: B1',B2',...,Bn'. As a consequence of the manner in which the Bi' were produced, the property of monotonic addition of terms holds for this sequence. With some good fortune, the probability of correctness values of approximations to the S-box formed by the disjunction of the sum-of-product terms in such quasi-best sets should not be significantly lower than the corresponding values for the real best sets, which could only be discovered through combinatorially exhaustive search.

The preceding algorithm may be viewed as the breadth-first construction of, and subsequent trace-back through, an n-ary tree. The tree will possess as many levels as there are sum-of-product terms required for a perfect (Pcorr=1) approximation to the given S-box output. During tree growth, the open nodes of this tree at any level i will correspond to nodes from which the development in parallel of all of the quasi-best sets Bi+1' may occur.
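
The counter-example and the level-by-level construction described above, as an added Python example that is not the thesis's PL/I code: it runs an exhaustive best-set search, a backtracking search for a nested chain of best sets, and the quasi-best-set construction on the three contribution strings given in the text. The NESTED data set is constructed for illustration, duplicate sets are merged by comparing their terms, and all function names are this example's own.

```python
from itertools import combinations

# Contribution bit strings of terms 1..3 from the counter-example in the text.
COUNTEREXAMPLE = {1: 0b101011, 2: 0b110001, 3: 0b001110}
# Constructed data set in which monotonic addition of terms does hold.
NESTED = {1: 0b111000, 2: 0b000110, 3: 0b000001}


def popcount(mask):
    """Number of bits that are on in a contribution string."""
    return bin(mask).count("1")


def ormask(terms, contrib):
    """OR of the contribution strings of the chosen terms."""
    mask = 0
    for t in terms:
        mask |= contrib[t]
    return mask


def best_sets(contrib):
    """Exhaustive search: for every k, all k-term sets with maximal coverage."""
    best = {}
    for k in range(1, len(contrib) + 1):
        scored = {frozenset(c): popcount(ormask(c, contrib))
                  for c in combinations(sorted(contrib), k)}
        top = max(scored.values())
        best[k] = {s for s, bits in scored.items() if bits == top}
    return best


def monotone_chain(best):
    """Top-down search with backtracking for B1 < B2 < ... < Bn, taking one
    member from each set of best sets; returns None when no chain exists."""
    def extend(chain, k):
        if k > len(best):
            return chain
        for cand in sorted(best[k], key=sorted):
            if not chain or chain[-1] < cand:      # proper subset test
                found = extend(chain + [cand], k + 1)
                if found is not None:
                    return found
        return None
    return extend([], 1)


def quasi_best_sets(contrib):
    """Breadth-first construction of the quasi-best sets, one level per term.
    Every level-(i+1) set is a level-i set plus one term that adds coverage;
    only the candidates with maximal total coverage survive to the next level."""
    full = ormask(contrib, contrib)
    top = max(popcount(m) for m in contrib.values())
    level = {frozenset([t]) for t, m in contrib.items() if popcount(m) == top}
    levels = [level]
    while all(ormask(s, contrib) != full for s in level):
        candidates = {}            # keyed by term set, so permutations merge
        for parent in level:
            covered = ormask(parent, contrib)
            for t, m in contrib.items():
                if t not in parent and m & ~covered:
                    candidates[parent | {t}] = popcount(covered | m)
        top = max(candidates.values())
        level = {s for s, bits in candidates.items() if bits == top}
        levels.append(level)
    return levels


if __name__ == "__main__":
    for name, data in (("counter-example", COUNTEREXAMPLE), ("nested", NESTED)):
        best = best_sets(data)
        print(name, "best sets:", {k: [sorted(s) for s in v] for k, v in best.items()})
        print(name, "nested chain:", monotone_chain(best))
        print(name, "quasi-best:", [[sorted(s) for s in lv] for lv in quasi_best_sets(data)])
```

On the counter-example the exhaustive search finds no nested chain, while the quasi-best sets stay nested at the cost of covering 5 rather than 6 bits at level 2.
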
Cutoffs will occur at level i for branches leading to potential Bi+1' which are superseded by the discovery of other potential Bi+1' with better Pcorr values.

The algorithm was implemented as a system of PL/I procedures compiled by the IBM PL/I Optimizing compiler. (See Appendix D). It is worthy of mention that these procedures managed to discover the quasi-best sets for S-box 1, output 1 (for which the property of monotonic addition happened to hold) in less than 33 seconds of CPU time, on the University of Manitoba AMDAHL 470/V7. This represents an improvement in speed over the exhaustive search algorithm by a factor of more than 40.

6.3 N-ARY TREE IMPLEMENTATION

The n-ary tree formed for each S-box - output pair to discover the quasi-best sets contains data nodes with a variable number of pointers. Each node at level i represents a quasi-best set Bi' and contains: the number of the sum-of-products term added to form this Bi' from its father Bi-1', a pointer to this father node, a field (ORMASK) containing a 32-bit string with 1's in positions corresponding to S-box input configurations for which the Bi' approximation is on, and a pointer to a linked list of child pointers. (See Figure 4, Representation of the Quasi-Best Set Search Tree).

It is required that one maintains a linked list of child pointers for each data node, as each such Bi' node may have up to n-i children, given that there are n sum-of-product terms in the complete approximation to the output under consideration. Clearly, such a case would only occur when the addition of any new term to Bi' to form Bi+1' would result in an equally good approximation to the S-box.
For reasons of efficient memory utilization such a variability of branching factor implies the use of linked lists to contain each node's child pointers.

For each of the 32 S-box - output pairs, processing begins as it did for the combinatorially exhaustive best set search: by the formation of the binary contribution matrix (CONTRIB) which indicates, for each term, for which of the 32 input configurations where the real S-box is on the term is also on. In this fashion, each term may be represented as a bit string where a 1 in position k indicates that an approximation containing this term will be on for the kth input for which the real S-box should be on.

The top level of the search tree is then formed, from terms whose corresponding contribution vector has a maximal number of 1's. As was mentioned in the preceding section, such terms must comprise the best sets B1. The top pointer to this first tree level actually points to a linked list of link nodes, each of whose son pointer fields point to the respective data nodes actually containing the sum-of-product term numbers and other associated fields. During tree growth, a vector (OPEN) of pointers is maintained. The elements of this vector point to tree nodes from which further growth is possible. All top level nodes are initially placed in this OPEN vector.
The following process then iterates to generate the tree in a breadth-first fashion, and continues until a complete sequence B1',B2',...,Bn' of quasi-best sets has been formed.

Within this iteration to produce new tree levels, the algorithm loops through all nodes in the OPEN vector in order to produce a new OPEN vector which is to be used in the generation of the next tree level. For each node in the OPEN vector, it is determined what would be the best term to add to the Bi' in that node to form the potential Bi+1' with a maximal contribution to the correctness of this new approximation. It is possible that there may be more than one such term which could be added to generate approximations with the same degree of correctness.

If the new potential Bi+1' is a better approximation to the S-box than any other potential Bi+1' yet formed at this level i, all of these other potential Bi+1' are discarded and are superseded by this newly-formed potential Bi+1'. Even if this supersedence does not occur, if the new Bi+1' is as good as or better than other potential Bi+1' yet discovered, it might be added to the tree as a child of the current Bi' being examined.

Whether or not the algorithm is to add this new potential quasi-best set to the tree depends on whether or not there has yet been added to the tree a quasi-best set which contains the same terms as this new quasi-best set.
Once terms have been added to the tree at the end of some path, one term being added at each tree level, the order of addition of terms is irrelevant. Neglect of this fact will lead to redundancy of sets in the tree, and vast associated computational expense.

Consider, for instance, the case where there exist two B1, sum-of-product terms #1 and #2, both of which have contribution vectors with more 1's than those of any other terms, and where all 1's of the respective vectors are in different positions. Such a case actually occurs for S-box 1, output 1, where terms #6 and #7 both have 4 1's. One potential B2' consists of terms #1 and #2. However, to form another potential B2' consisting of term #2 then term #1, by expanding from level 1 the node containing term #2 is not a reasonable operation to perform. (See Figure 5, Permutation Cutoff).

To avoid these permutations of order of addition of terms when following different paths in traversing the tree, prior to adding a new child to the tree at level i+1 the algorithm examines the new OPEN vector containing pointers to the nodes added so far at this new level, to see if the contribution vector of this new potential Bi+1' is the same as that for a term already added. If this is the case, one may be assured that the addition of this new potential Bi+1' is redundant, and represents a quasi-best set already added to the tree. One need not even follow back-links to ascertain that precisely the same terms are included in some different permutation in another path to level i+1 if the ORMASK vector is redundant at this level. This is so, as since all sum-of-product terms are unique, to arrive at the same ORMASK at the same level of the tree, one must have used the same terms to form that ORMASK, unless the addition of one or more terms had no effect at all on the ORMASK.
The latter condition is impossible, as if this were the case, the term causing an increase in the number of 1's in the ORMASK would not have been added to the tree. In summary, if the ORMASK of the potential quasi-best set to be added is not redundant at the current level of tree expansion, the new node added to form this set is added to the tree.

After all nodes in the current OPEN vector have been processed, any child nodes which remain as potential quasi-best sets for level i+1 are indeed the quasi-best sets for that level as there are no better sets. The new OPEN vector of pointers to the level i+1 nodes becomes the OPEN vector, and the process iterates until some Bn' covers all inputs for which the real S-box is on.

When such a Bn' is produced, one can follow its father links back to tree level 1, to trace-back and recover the sequence of quasi-best sets B1',B2',...,Bn'. As has been stated, because of the fashion in which these sets are formed, that Bi' ⊂ Bi+1' is assured.

There exists another feature of the implementation of this search-tree algorithm which contributes to its efficiency with respect to both memory and processor utilization. This feature is tantamount to a depth-first component of the tree search which is activated under certain specific conditions.

In general, the n-ary tree is generated in a breadth-first fashion. That is, all nodes are generated at some level i, prior to any of the level i+1 nodes being formed. This is essential, as we wish to be guaranteed that the quasi-best set sequence we ultimately discover is optimal in the sense defined earlier for such quasi-best sets. If the tree was not generated breadth-first in parallel, the satisfaction of this condition would entail a rather complex backtracking operation.
Some path would be produced depth-first to level n, and exhaustive backtrack exploration of every junction at every level would be required, to ensure that some other complete path from the root to level n did not contain some Bi' at level i which was a better quasi-best set than that discovered on the former path. Such a depth-first expansion would generate the complete tree, as we have just seen to be required to assure the optimality of the sequence B1',B2',...,Bn', and would also involve the additional computational expense associated with the backtracking operations.

Notwithstanding the preceding argument, there is indeed a requirement for some depth-first component in our search algorithm. Initial implementations of the search which neglected to consider this feature expanded a vast number of nodes at the lower levels (large i) of the tree for certain S-box - output pairs. Analysis of the factors which produced such an undesirable situation resulted in the inclusion of the following modifications to the basic search algorithm.

At some point in the breadth-first generation of the search tree, all nodes at level i+1 will be such that they represent an approximation to the actual S-box which is correct for exactly one more S-box input than any of the nodes in the preceding tree level i. The crux of the matter is that since the tree is formed in a best-first fashion, with the algorithm adding at earlier tree levels the terms whose contributions add more 1's to the ORMASK contribution of the Bi', once a time is reached where only one more 1 bit is added to the approximation of the preceding tree level, no later term choice may subsequently add more than 1 bit per level.
As each sum-of-product term must contribute something to the correctness of the overall approximation in order to have been returned by the Quine-McCluskey minimization routines, it must be that all as-yet-unused terms will add exactly one bit to the correctness of the approximating expression. Thus, at this point, the algorithm need no longer expand the tree breadth-first, but can penetrate immediately in a depth-first manner to level n, adding as-yet-unused terms in an arbitrary order to any node in the OPEN vector to form the desired B1',B2',...,Bn' sequence.

More explicitly, once it has been discovered at level k that only terms "adding" one bit of correctness to the approximating expression remain unused, only one path in the n-ary tree from level k+1 to level n need be formed in order to ensure that the nodes on the resulting path form a sequence of optimal quasi-best sets.

Applied to the DES S-box functions, this set of routines was capable of discovering these quasi-best set sequences in reasonable time. As mentioned at the end of Chapter IV however, the principal direction of this thesis has been to work with accurate expressions for the S-boxes, as the sophisticated techniques described in the following chapter permitted the size of the S-box functions to be reduced sufficiently to allow a special type of search to be (marginally) tractable, without the need to use approximations to the S-box functions. The potential applications of approximations to the S-box functions as have been produced by the routines of this chapter remain a topic for future research.

Chapter VII

SPECTRAL DOMAIN S-BOX ANALYSIS

7.1 ORTHOGONAL TRANSFORMATIONS TO THE SPECTRAL DOMAIN: THEORY

Our previous attempts at minimization of the Boolean functions embodied in the S-boxes have not proven very useful.
One conventional technique of Boolean minimization, the Quine-McCluskey method, has allowed us to reduce the number of p-terms in accurate sum-of-products expressions for the S-boxes and their complementation from 32, to between 14 and 23, depending on the S-box - output pair. While this does represent a significant decrease in the effective branching factor of the search tree for K when compared with that of 32 if the elementary p-term expressions for the S-boxes were employed, as may be seen from the probability of correctness values in the table on page 145, nearly all of these minimal p-terms must be retained in an S-box approximation, for the approximation to have a high (>.9) probability of correctness value. As a result of this indication that the use of approximations to the S-boxes may not have many applications towards cryptanalysis, we turn instead to methods which are capable of minimizing certain classes of Boolean functions more effectively than can the Quine-McCluskey procedure.

Discussions with an expert in the field of digital logic design led to experimentation with a number of more recently-developed Boolean function manipulation and minimization techniques, as are employed in the field of logic design for hardware applications. Specifically, such techniques refer to the use of suitable transforms to permit the manipulation of Boolean functions in a "spectral" domain, analogous to the use of the Fourier transform to allow manipulation of real functions in a frequency domain. For a more comprehensive treatment of the subject than can be included in this thesis, the reader is referred to several excellent recent works on the subject by Hurst [7,8] and Karpovsky [10].

Consider a Boolean function of n variables defined by a vector of 2^n bits, which represent the output values of the function for each of the 2^n possible input configurations.
Let us term this the specification vector, Fs. Knowledge of any particular bit of Fs does not decrease the entropy, in an information-theoretic sense, of any other bit of Fs, unless other a priori knowledge of some characteristics of the function is available. We wish to represent Fs in some other domain in which any correlation between the outputs of the Boolean function and its inputs will be more evident.

That specific members of a set of elements of Fs have the same value is often indicative of some structure of the function, yet this structure is not made explicit by the Fs vector representation. As a dramatic illustration of this fact, consider the following specification vector for a function of 4 variables.

Fs=(0 1 1 0 1 0 0 1 1 0 0 1 0 1 1 0)

Notice that Fs contains 2^4=16 entries, one for each possible input configuration 0000 to 1111 for the function. In this representation, it is not at all clear that the function is actually

f(X1,X2,X3) = X1 ⊕ X2 ⊕ X3

In fact, this high degree of structure is quite obscured by its representation as the vector Fs. While topological methods such as the Karnaugh map technique [16] are capable of making some types of structure more explicit, these methods are difficult to program.

If the function were represented in a different domain, the detection of any symmetries possessed by the function may be more easily accomplished. There exist several well-known techniques which permit the mapping of any Fs to this alternative spectral domain, where these transformations may be accomplished by means of a matrix multiplication [7,8]. These transformations will be invertible; the information content of the specification vector is preserved when mapping from one domain to the other.
The representation of Boolean functions in the spectral domain will use numbers not confined to the range {0,1}. Square 2^n x 2^n orthogonal matrices with entries +1 and -1 are used to indicate the mappings between the Boolean and spectral domains. The "spectral domain" refers simply to a domain in which different basis functions are used to represent any desired function, just as sine and cosine basis functions of varying frequency are used to represent real functions in the Fourier domain. In this Boolean spectral domain, the basis functions employed will be XOR functions of various variables, the functions being specified in the rows of the transform matrix, T [8]. The mapping from the conventional functional Boolean domain to the spectral domain can be defined by this orthogonal mapping matrix T. (T^-1 is the inverse mapping, from the spectral to the Boolean domain. T^-1 will always exist, and T^-1=T', as T is orthogonal).

For the matrix multiplication to preserve the information content of the specification vector, the mapping to the spectral domain is actually a mapping of a modified specification vector with entries from a different range. The vector F is actually mapped, where the entries fi of F correspond to the entries fsi of Fs through the equation:

fi = 1 - 2fsi for all i=1...n

Thus, +1 corresponds to the usual Boolean 0, while -1 corresponds to the usual Boolean 1. This new representation is required, as the presence of 0's in the mapped vector would result in the matrix multiplication procedure (over the real field) causing a loss of information, as the multiplication of 0 with either 0 or 1 returns the same result.

Mapping with this new specification vector F results in a spectrum R of the function whose specification vector is Fs.
Mathematically:

R = TF and F = T^-1 R

The entries of the vector R, ri for i = 0...2^(n-1), are termed the spectral coefficients of the function. These ri are commonly interpreted as the coefficients of the correlation between the outputs Fs of the Boolean function, and XOR's of various combinations of the input variables [7]. In order to explain what is meant by this, consider the coefficient r5 of a 4 variable function, f. As 5 is 0101 in binary, the r5 coefficient gives the correlation of Fs with X2 ⊕ X4, where X2 and X4 are the 2nd and 4th input variables to the function. (These variables correspond to the 1s in the binary representation of the coefficient number). By "correlation" is meant the number of times the output of the basis function X2 ⊕ X4 equals the output of f, minus the number of times it differs. Clearly, if it happens that f = X2 ⊕ X4, then r5 = 2^4, its maximum possible value. Thus, each ri gives some aspect of global information about the entire function.

There exist many possible variants of orthogonal transformations T which are nonetheless all the same, independent of row permutations. These bear different names, as they were developed independently, and include the: Hadamard, Walsh-Kaczmarz and Rademacher-Walsh transforms. We shall employ the former, defined recursively [8] as:

With this choice of T, we may divide the ri into three disjoint sets on the basis of the quantity whose correlation with the Boolean function specification vector Fs they represent. Each spectral coefficient is classified into one of the sets on the basis of its order, where the order of a spectral coefficient ri, denoted ||ri||, is defined as the number of 1s in the binary number representation of its subscript i.
The zero-ordered coefficient, r0, provides only a measure of the number of +1's and -1's in F. Each of the ri for which the binary representation of i has exactly one 1 (there are n such ri) are termed the primary spectral coefficients, and measure the correlation of each of the independent Boolean variables xi, for i = 1...n, with the Fs vector of function outputs. The remaining (2^n)-n+1 spectral coefficients constitute the secondary spectral coefficients. These represent the correlation of Fs with all other possible XOR combinations of the input variables. For an example in which n=6, r7 = r000111 measures the correlation of Fs with the function X4 ⊕ X5 ⊕ X6. Negative values for any spectral coefficient indicate correlation with the complement of the Boolean function.

Computationally, there exist techniques to calculate the spectral coefficients R which are less expensive than an ordinary matrix multiplication. The calculation of R by multiplying T by F entails O((2^n)^3) multiplication operations for an n variable function, as the size of T is (2^n)x(2^n). Various "fast" transforms are well-known in the literature on the subject [7,8], and operate in O(n2^n) time. However, such fast transforms will not be employed in the following analysis of the DES S-box spectra, as for this case where n=6, the very simple matrix multiplication procedure is of adequate speed, as only 64^3 multiplications are required.

7.2 S-BOX COMPLEXITY IN THE SPECTRAL DOMAIN

One of our concerns involves the complexity of the Boolean functions which represent the action of the S-boxes.
The complexity of AND/OR circuitry required to realize the effect of the S-boxes corresponds directly to the degree of branching in the search tree at the point where the action of the S-box is functionally inverted during search for the encryption key, K. In order to be able to effectively minimize the complexity of any Boolean function, it is necessary to define a metric capable of usefully measuring this complexity. Algorithmic procedures may then be devised to minimize the value of this complexity function.

One classically useful metric for Boolean function complexity, employed in the conventional Boolean domain, has been found to be a count of the number of adjacent pairs of input variable assignments for which the function f has the same output values for both assignments [16]. Geometrically, this corresponds to a count of pairs of adjacent 1's and 0's in the Karnaugh map representation of the function. The higher the value of such a complexity metric for a function, the more easily that function may be synthesized using conventional AND and OR gates.

It has recently been shown [9] that the same metric may easily be computed in the spectral domain from the inner product of the square of the spectrum R, and the corresponding orders of the spectral coefficients in R. Following Hurst et al. [9] we shall use the spectral domain complexity estimator:

$$C(f) = n2^{n} - \frac{1}{2^{n-2}} \sum_{v=0}^{2^{n}-1} \|v\| \, r_v^{2}$$

where the order of the vth spectral coefficient rv is ||v||. If the spectral coefficients of some function f are dominated by the primary coefficients, i.e. the largest magnitude coefficients are among the primary coefficients, then C(f) will be high and the function may be represented as a sum-of-product expression with few terms.
Otherwise, if the largest magnitude coefficients are among the secondary coefficients, C(f) will be low and the function may only be represented by a more complex sum-of-products expression.

Considered informally, this latter situation will tend to occur when the function is heavily "XOR-oriented", and may be more easily realized by means of XOR operations than by AND and OR operations. As shall be described, in such a case the use of certain spectral translation operations to shift the largest magnitude spectral coefficients into the primary range may be advantageous. The C(f) complexity estimator will prove to be of use in measuring the degree of simplification of the function f effected by such translations.

7.3 SPECTRAL TRANSLATIONS

It is possible to manipulate any Boolean function in the spectral domain so as to maximize the value of the C(f) complexity metric for that function. Groups of spectral translation operations are performed on the rv vector in order to permute this vector in such a manner as to shift the largest magnitude spectral coefficients into positions of primary coefficients. The "core" function f which remains after all translations have been performed and the translated function is mapped back to the conventional domain by applying T^-1 to its permuted rv vector is conjectured [10] to be of maximum possible simplicity. Classical minimization techniques, such as the Quine-McCluskey method, may then be applied to the core function to produce a minimal sum-of-products form.

Following Karpovsky [10: p.69], the required spectral translations may be seen to be of the form:

f(x1,x2,...,xn) = f'(x1,x2,...,xi-1,xi ⊕ xj,xi+1,...,xn), i,j ∈ {1,...,n}

Inputs to the function f are replaced by XORs of inputs, to form the translated function, f'.
By a repeated application of such translations, the complexity present in any function can be factored out into a tree of XOR gates through which inputs to the simplified core function are conditioned. Translations of this nature are performed until all of the n primary spectral coefficient positions of the n-variable function are occupied by the coefficients of the largest magnitude.

In practice, the tree of XORs which condition the inputs to the function f may be represented by a basis matrix B of 1's and 0's through which any input to f' must be multiplied under GF(2) to simulate the effect of the XORing on the functional inputs. Schematically, the following situation exists:

(a) Before translation:
                        f
    input x vector     =>     output bit

(b) After translation:
                        B                      f'
    input x vector     =>   modified inputs   =>   output bit

where B is the matrix through which the x inputs are multiplied, and f' is the simplified function which results from a conventional minimization of the translated function as returned to the functional domain.

Any input vector x is mapped to the same output value by either the original function f, or by the combined action of the B matrix and the simplified f'. The technique of spectral translation is exemplified in the following section.

7.4 IMPLEMENTATION FOR DES

APL routines were devised to follow Karpovsky's algorithm [10] to perform these translations for the production of the mapping B and simplified f', and were applied to the 32 functions which represent the DES S-boxes. The routines discussed in this section may be found in Appendix E.

The routine SPECTRUM maps a function's specification vector to the spectral domain, by application of the appropriately-dimensioned Hadamard transform matrix, T.
FUNC applies the inverse mapping T^-1 to a vector of spectral coefficients to return the representation to the conventional functional domain. Both of these routines call the function TRANS, which recursively builds the required orthogonal Hadamard transform matrix. The function COMPLEXITY applies the formula for computation of the C(f) complexity metric to a vector of spectral coefficients.

After the spectrum of an S-box function has been formed by application of SPECTRUM to the Fs specification vector for that function, the BASIS routine is called with the spectral coefficients, to determine the translations required to maximize the primary coefficients. These translations are represented in the form of a matrix BAS, which when transposed and inverted under GF(2) will serve to indicate how the rv vector must be permuted. That is, the mapping matrix B referred to in the previous section is simply the transpose of the inverse of the matrix BAS, whose creation shall now be discussed. For a complete understanding of the procedure, the interested reader is referred to Karpovsky [10].

In BASIS, the largest coefficient in rv is discovered, and its corresponding position v, represented as a binary number, is added as a new row of the initially-empty BAS matrix. Elements in rv whose position corresponds to any possible linear (XOR) combinations of rows which already exist in BAS are then deleted, to remove them from further consideration as large-magnitude coefficients. After BAS has acquired n rows, at which time all entries in rv should have been zeroed by the above process as all linear XOR combinations of the rows of the complete BAS must span the entire spectral space, it is transposed and inverted under GF(2) to form the basis matrix for the permutation of rv.
The matrix BAS is the mapping B discussed in the preceding section through which inputs to the new f' must be mapped.

For the purposes of illustration of this technique, let us consider the function f of 4 variables:

f = X1X2' + X1'X2 + X3X4' + X3'X4 + X1X2X3'X4'

Inspection reveals that this function is heavily XOR-oriented. In fact

f = (X1 ⊕ X2) + (X3 ⊕ X4) + X1X2X3'X4'

The specification vector Fs for f is found to be

Fs = (0 1 1 0 1 1 1 1 1 1 1 1 1 1 1 0)

and multiplication into the 16x16 transform matrix T produces a spectrum

R = (13 1 1 -3 -1 -1 -1 -1 -1 -1 -1 -1 -3 1 1 -3)

When the BASIS function is invoked to produce a basis matrix for the translation of these coefficients ri, the following operations occur, in accordance with the preceding description of the translation algorithm. The largest element in R (not considering r0) is found in r3. Thus, the row (0 0 1 1), for "3" in binary, is catenated as a new row of the (originally empty) basis matrix. All linear (XOR) combinations of rows in the basis are formed, and positions of R corresponding to these combinations are zeroed. As in this case the basis has only one row so far, only position 3 of R is zeroed.

The largest element of this new R is then located at r12. As a result, the new row (1 1 0 0) is added to the basis. Positions 3 and 12 of R are zeroed as a result of considering combinations of the vectors in the basis taken one-at-a-time. Position 15 of R is also zeroed as a result of combinations of the rows of the basis considered 2-at-a-time. [footnote 7]

Footnote 7: As (0 0 1 1) ⊕ (1 1 0 0) = (1 1 1 1), or 15.

The largest element of this modified R is now in r1 (only 1s remain unzeroed in R). The basis vector (0 0 0 1) is added, and positions of R corresponding to all possible XOR combinations of the 3 rows in the basis are zeroed.
The process is repeated once more to add (0 1 0 0) to the basis matrix, at which point the entire basis has been formed (and all elements of R are 0).

MAXPRIM is a routine which accepts the basis matrix and the coefficients rv, and returns rv permuted by the mapping implied by the basis. In MAXPRIM, the 2^n possible input configurations for f are mapped through the basis, and the resulting sequence of configurations taken to define a permutation of the original inputs. This permutation, when applied to rv, produces the vector of spectral coefficients for the simplified f', where all of the largest magnitude coefficients occupy primary positions.

To continue our earlier 4-variable example, the required permutation of the spectrum R according to the basis matrix formed by the BASIS routine is

R' = (13 -1 1 -1 -3 -1 1 -1 -3 -1 1 -1 -3 -1 1 -1)

Mapping this permuted spectrum through the inverse Hadamard transform T^-1 yields a specification vector Fs' for the new "core" function f'

Fs' = (0 1 0 0 1 1 1 1 1 1 1 1 1 1 1 1)

As may be simply discerned from a Karnaugh map, this corresponds to a function

f' = X3 + X4 + X1X2'

which is evidently far more minimal than was the original f. The complexity of the function f attributable to XORs has been removed. The inverse (over GF(2)) of the transpose of the basis matrix may be found to be

$$B = \begin{pmatrix} 0 & 0 & 1 & 1 \\ 1 & 1 & 0 & 0 \\ 0 & 0 & 0 & 1 \\ 0 & 1 & 0 & 0 \end{pmatrix}$$

Any input multiplied through this matrix and then subjected to f' will be found to have a value identical in all cases to that of the same input subjected to the original f.

Results of the application of these simplification routines to the DES S-box functions are remarkable. Table 2 presents the C(f) complexity measure for each of the 32 functions both before and after the simplification by means of spectral translations.
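The four-variable example worked through in sections 7.3 and 7.4 can be checked mechanically. The Python sketch below is an added example, not the APL routines of Appendix E: it assumes the Sylvester form of the Hadamard matrix, X1 as the most significant index bit and a lowest-index tie-break among coefficients of equal magnitude, and all function names are hypothetical. The printed R and R' are reproduced when T is applied to the 0/1 vector Fs directly, which is what the code does.

```python
# Added illustration of the 4-variable worked example; not the thesis's APL code.
FS = [0, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0]   # Fs as printed in the text

def hadamard(n):
    """2^n x 2^n Hadamard matrix by the Sylvester recursion (assumed form of T)."""
    t = [[1]]
    for _ in range(n):
        t = [row + row for row in t] + [row + [-x for x in row] for row in t]
    return t

def spectrum(vec):
    """R = T vec; row v of T is the XOR of the variables marked by the 1s of v."""
    n = len(vec).bit_length() - 1
    return [sum(a * b for a, b in zip(row, vec)) for row in hadamard(n)]

def inverse_spectrum(r):
    """Inverse mapping: for this T, T T = 2^n I, so apply T again and divide."""
    return [x // len(r) for x in spectrum(r)]

def choose_basis(r, n):
    """Greedy selection described for BASIS: repeatedly take the largest-magnitude
    coefficient whose position is not an XOR combination of rows already chosen
    (r0 excluded). Ties go to the lowest index (assumption)."""
    rows, spanned = [], {0}
    while len(rows) < n:
        free = [i for i in range(len(r)) if i not in spanned]
        v = max(free, key=lambda i: (abs(r[i]), -i))
        rows.append(v)
        spanned |= {s ^ v for s in spanned}
    return rows

def translate(r, rows):
    """Permute the spectrum: R'[w] = R[XOR of the basis rows selected by the bits
    of w], the most significant bit of w selecting the first row."""
    n = len(rows)
    out = []
    for w in range(len(r)):
        v = 0
        for k, row in enumerate(rows):
            if (w >> (n - 1 - k)) & 1:
                v ^= row
        out.append(r[v])
    return out

def map_input(x, rows):
    """Condition an input through the XOR tree: output bit k is the GF(2) inner
    product of basis row k with x."""
    n = len(rows)
    y = 0
    for k, row in enumerate(rows):
        y |= (bin(row & x).count("1") & 1) << (n - 1 - k)
    return y

def same_valued_neighbours(fs):
    """Karnaugh-map metric of section 7.2: adjacent input pairs with equal output."""
    n = len(fs).bit_length() - 1
    return sum(fs[x] == fs[x ^ (1 << i)] for x in range(len(fs)) for i in range(n)) // 2

def worked_example():
    r = spectrum(FS)
    rows = choose_basis(r, 4)
    r_core = translate(r, rows)
    fs_core = inverse_spectrum(r_core)
    agree = all(FS[x] == fs_core[map_input(x, rows)] for x in range(16))
    return r, rows, r_core, fs_core, agree

if __name__ == "__main__":
    r, rows, r_core, fs_core, agree = worked_example()
    print("R   =", r)
    print("BAS =", [format(v, "04b") for v in rows])
    print("R'  =", r_core)
    print("Fs' =", fs_core, "agrees with f on all inputs:", agree)
    print("adjacent equal pairs:", same_valued_neighbours(FS), "->",
          same_valued_neighbours(fs_core))
```

The adjacency count rises from 20 to 24 for this function, which is the effect the C(f) figures in Table 2 measure for the S-boxes.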
The average complexity prior to translation was 139. Following translation, the core functions exhibited much greater simplicity, with an average measure of 247. This means that in a Karnaugh map representation for the S-box functions, there are on average approximately twice the number of adjacent cells containing the same value as there were prior to the spectral translation procedure. This has a great impact on the simplicity of minimizations of the new "core" functions by conventional Quine-McCluskey techniques.

The translated f' were returned to the functional domain and subjected to the Quine-McCluskey minimization. The functions that resulted had between 9 and 13 p-terms per function. These are far fewer than the 14 to 23 p-terms of the Quine-McCluskey minimized S-box functions (Chapter V). The overall average number of literals per p-term decreased following the spectral simplification to 3.57, from a value of 4.96 prior to simplification. The ramifications of this substantial improvement in simplicity for the key search are discussed in Chapter IX.

Chapter VIII

UNIDIRECTIONAL CRYPTANALYTIC SEARCH

It has been stated that our aim is to functionally "invert" the DES encryption algorithm, so as to be able to determine the values of all bit positions of the encryption key K used as a mapping between the known corresponding pairs of plaintext P and ciphertext C. This particular chosen plaintext attack may conveniently be viewed as a problem of search: Given the constraints imposed by the bits of P and C and the details of the DES algorithm, a search may be conducted to determine the assignments to the bit positions of K which satisfy these constraints.
As is typical for problems of this nature, a search tree may be constructed and traversed in the course of the determination of the K bit values. A tree is defined to be a loop-free directed graph with a distinguished node of indegree 0 (the root). A subtree is any subset of the nodes of a tree which themselves form a tree. A node is said to be "satisfied" if the assignments to bits of K which are required by the complete development of the subtree from that node are compatible with current key bit hypotheses [footnote 8] for K. [footnote 9]

Footnote 8: By "key bit hypothesis" is meant an assignment of a value from {0,1} to a specific bit position of K which is not contradicted by any other assignments to key bits required so far during the development of the search tree.

The search tree will contain both "and" and "or" nodes, where the former is the root [footnote 10] of a subtree, all of whose immediate children must be satisfied, and the latter is the root of a subtree, any of whose immediate children must be satisfied for the node itself to be satisfied [17]. Whereas all children of an "and" node will be developed breadth-first in parallel, only one child of any "or" node will be present in the search tree at any given time. A contradiction in key bit hypotheses will cause a recursive backtrack to the most recent "or" node for which alternative children still remain, and cause the selection of such an alternative branch at that node.

Within our particular search tree, constraints will reside at both the top level of the tree and at the leaves. [footnote 11] This occurs as both the image and preimage of the K mapping are known, in accordance with the assumptions of a chosen plaintext attack.
Inversion of the action of this K mapping as driven by the DES algorithm comprises the body of the search tree. At the top of the tree, the value of each bit in the ciphertext block C is known. At the leaves, the bits in the corresponding plaintext block P are known. In working back through the encryption procedure from round 15 to round 0 to ascertain how the particular bits of C came to have their respective values, various hypotheses concerning the values of the bits of K will be generated.

Footnote 9: If no hypothetical assignments for relevant key bits yet exist, any assignments engendered by the development of the subtree for a node by selection of the first disjunctive possibility at each choice point will seem correct, and will remain as hypotheses until the development of a different node leads to contradictory hypothetical assignments for some bit of the key.

Footnote 10: The root of a tree is the node with indegree 0, i.e. the node with no edges entering.

Footnote 11: Leaves of a tree are nodes with outdegree 0, i.e. nodes from which no edges emanate.

Until the search procedure is completed, these key bit assignments will only be hypothetical and may be contradicted by further search tree development. The presence of OR nodes in the search tree will allow backtracking throughout the tree to permit alternatives in tree development which could lead to different key bit assignments, in the event that contradictions occur in key hypotheses during tree growth. For an illustration of one variant of the AND/OR search tree discussed in this chapter, see Figure 6, Partial Search Tree for 2-Round DES.

As Figure 6 embodies all of the significant features of a tree search, we shall attempt to precisely explain its characteristics. At the root are situated the (known) 64 bits of the ciphertext C.
In the tree, nodes with arcs below them are "and" nodes. All subtrees which descend from an "and" node must be satisfied, for the "and" node to be satisfied. For this reason, in an implementation of this tree search, the expansion of subtrees from an "and" node will occur in a breadth-first manner. There is no advantage to delaying the construction of these subtrees, as all must be expanded at some time.

Nodes without arcs are "or" nodes. "Or" nodes are satisfied if any of their children are satisfied. For this reason, "or" nodes will be expanded in a depth-first manner in an implementation of this search. There is no need to expand in several directions simultaneously, when expansion of a single subtree suffices. Alternative "or" paths are expanded only if the search down one "or" path fails, and backtrack to the "or" node necessitates the selection of an alternative path.

An expansion of any node in this search tree constitutes an "inversion" of some aspect of the encryption procedure. Various points in the search tree of Figure 6 are numbered with the circled digits (1) through (6), to aid the following description of the process of formation of this tree.

At (1), it can be seen that the leftmost bit of C, that is, bit position 2 of the L block at encryption round 2, has a value of 1. It follows that bit position 32 of the R block at round 1 must also have had the value 1, as Ln = Rn-1 by the first of the two DES equations [26]. It is the second of the two DES equations [26]

Rn = Ln-1 ⊕ f(Rn-1,Kn)

which accounts for the expansion of the subtree from (2). From (2) it may be reasoned that either L at round 0 position 32 was 1 and bit 32 of the output of the f function operating on R0 and K1 was 0; or else that the L was 0 and the f function was 1. This is because the XOR operator indicates non-equivalence.
Assuming the former of the two possibilities (since (2) was an "or" node, these two disjunctive possibilities for subtrees from (2) are explored one-at-a-time) the node marked (3) is to be expanded. If the output from the f function at position 32 was 0, this implies that the value of S-box 6, output 1 was 0, as 32 mapped back through the inverse of the P permutation of DES is 21, and the 21st output of the bank of S-boxes refers to this particular S-box - output pair.

Knowledge concerning this value of the output thus constrains what the inputs to S-box 6 could have been. In Figure 6, it is reasoned that if this output of the S-box was 0, then the DeMorgan complement of our minimal expression for the Boolean function which represents S-box 6 output 1 must have been 1. While this is true, such reasoning can lead to the expansion of more nodes than are necessary, as a minimization of the complements of the S-box functions would permit an "or" of "ands" to extend from (3), instead of the "and" of "ors" which Figure 6 depicts. Nevertheless, as Figure 6 appears, at (4) we must construct "or" subtrees to permit x1=0, x2=0, and x3=1, where the xi for i = 1,2,...,6 are the 6 input variables to S-box 6.

At (5) we consider the problem of how to make a given S-box input have a certain value. From the specification of the DES algorithm [26], it may be seen that inputs to the S-boxes are formed by an XOR of bits of K with E-permuted bits of R from the previous level. Utilizing details of the key selection algorithm, and mapping the position of the first input to the S-box 6 through the inverse of the E permutation, it may be concluded that the quantities XORed to produce the first input to S-box 6 are key bit 5 and bit position 16 of the R block at round 0.
At (6) it is realized that as the R block is at encryption round 0, it corresponds to a bit of plaintext, whose value is known by our attack assumptions. As discussed later, if either our assignment of a value to the bit of K, or the discovery of the value of the bit of R by this process of inversion constitutes a contradiction with respect to what has already been discovered, backtrack occurs, to explore different disjunctive paths. This procedure is explained further in section 8.1.

It should be noted that for reasons of computational tractability, we shall be considering a 2-round DES encryption algorithm throughout this chapter. Techniques which serve to reduce cryptanalytic time for such a simplification of the DES algorithm may be applied to the actual 16-round DES algorithm to achieve a similar time saving. Such a simplification of DES by a reduction of the number of encryption rounds is frequently employed to permit inexpensive experimentation with cryptanalysis [5]. In addition, the IP and IP^-1 permutations are not being considered in our model, as they are of no cryptanalytic significance under the conditions of a known plaintext attack.

Exhaustive key search is a technique in which all possible values of K are used to map the plaintext block P to see if the expected C is the image of the mapping. The desirability of a search tree cryptanalytic approach relative to this brute-force procedure of exhaustive key trials may be seen to be a function of the degree of simplicity of the S-box representations as they are embodied in the DES f function. Indeed, the choice of S-box representation is the only variable parameter of the search. The DES equations:

Ln = Rn-1 and Rn = Ln-1 ⊕ f(Rn-1,Kn)

lead to constant branching factors in the search tree of 1 and 4, [footnote 12] respectively.
The branching factor of a tree is defined to be the average outdegree of nodes in the tree. Similarly, the branching factors caused by the E and P permutations, the KS key schedule function, and the XORing of the KS output with an R block to form the S-box inputs are all constant. There is no apparent way to reduce their associated branching factors by any alternative representations of the operations they embody. Consequently, reduction of the search tree size must be effected by the compact representation of the S-boxes, perhaps coupled with the clever use of heuristics to accomplish tree pruning prior to or during development, or to guide tree traversal.

Footnote 12: For an XOR of two terms to have the value 1 either the first term must have the value 1 and the second the value 0, or vice versa, which implies that up to 4 paths may have to be expanded to satisfy a node. Similar reasoning applies for an XOR which must have the value 0.

For instance, should the elementary p-term expressions for the S-boxes as discussed in Chapter 3 be employed as the representation of the S-boxes during the search for K, the search tree would possess a branching factor of 32x6=192 at each point in the search where the action of the function f operating on some arguments needed to be inverted. This is the case, as when the S-boxes are represented in the elementary p-term form, the value of any given output of a specific S-box is specified by a disjunction of 32 terms, each of which is a conjunct of 6 literals.

A simple calculation will show that in this event, the complete search tree will possess far more nodes than there are trials in an exhaustive key search [footnote 13] (2^56). From Figure 6 it may be seen that the following expression constitutes an upper bound on the number of nodes in the search tree.
$$64 \times \sum_{i=1}^{15} (2\,t\,l)^{i}$$

where:
t = maximum number of conjunctive terms in any S-box representation
l = maximum number of literals in any conjunctive term

Footnote 13: The validity of comparing number of key trials to tree size is discussed in the first section of the next chapter.

There are 64 subtrees at the first level of the tree, all of which have the same worst-case maximum possible number of nodes. At each of the subsequent 15 tree levels, each node has at most (2 t l) children, where the 2 constant arises from the XOR, and the t and l variables from the sizes of the minimal expressions discovered for the S-box functions. For the elementary p-term S-box expressions, t=32 and l=6, so the above expression has the value of 1.2x10^45 >> 2^56, the key space size.

It should however be borne in mind that in practice, such a complete search tree would never be grown. Some subtrees may be pruned on the basis of mutual incompatibility of necessarily conjunctive conditions within those subtrees. As well, all n subtrees from an OR node are only developed if the first n-1 subtrees cannot be satisfied, a condition which is highly unlikely to occur for all OR nodes in the entire search tree.

Due to such factors, it is difficult to analytically predict how concise the S-box expressions must be for a search tree approach to cryptanalysis to be superior to exhaustive key search, although a "worst case" analysis of the situation is attempted later.

8.1 SEARCH STRATEGY

The top-down search [footnote 14] for K will be performed in a manner which utilizes a combination of breadth-first and depth-first search strategies [17].
Since for a 2-round DES core memory constraints on the number of nodes in the tree are not significant, and as all branches from AND nodes must be followed eventually, a breadth-first parallel-expansion discipline is followed at AND nodes. At OR nodes, which may be considered "choice points" in the search, the expansion is depth-first, as if any branch from an OR node is satisfied, so is the OR node. It is not reasonable to expand all alternative branches simultaneously, when the satisfaction of only one branch is required. Backtracking to these choice points upon failure at lower tree levels will allow us to attempt the satisfaction of other alternatives should this be required. That the conjunctive terms in the sum-of-products expressions for the S-boxes were ordered by their contribution to expression correctness, as discussed in Chapter 6, adds a heuristic element to this search. At all choice points, the search tree is expanded in a "best first" fashion.

Footnote 14: A top-down search is a search which commences at the root (top) of a tree, and proceeds downwards towards the leaves.

As an implementation consideration, father pointers are maintained in each node, to facilitate the backtracking to the most recently expanded OR node in the event of the failure to satisfy some subtree. That is, if some choice as manifested by the expansion of the tree from some specific branch of an OR node necessitates that a certain bit position of K be assigned a value when it already possesses a different value, then either our most recent choice to follow this particular branch from the OR node, or the choice which had previously resulted in the assignment to the key bit, is incorrect. The two choices are mutually incompatible.
Recursive backtracking techniques can be used to undo the most recent choices first. If no disjunctive alternative at the most recent choice point (OR node) may be expanded without the result being an inconsistency of key bits, then an earlier choice must be in error, and backtracking must occur to re-make this earlier choice.

If accurate representations of the S-boxes are employed, then there must exist some selection of OR node paths which permit a unique assignment to all key bits. If this is not possible, an error must be present in either the search procedure or the correspondence between the P and C blocks. However, if the search is employing approximations to the S-boxes, the procedure may backtrack all the way to the root of the search tree, a condition which indicates that another P-C pair should be used in the search. If this arises, the use of approximations to the S-boxes has led to irreconcilable inconsistencies in what the key bits must have been.

In summary, there are three types of conditions whose occurrence leads to backtracking in the search:

1. If the search has reached the bottom level of the tree through some path, which implies that the entire process of encryption has been inverted for some bit of the plaintext, the value of the actual known plaintext at the corresponding bit position must agree with this bit of the round 0 encryption block uncovered by the search. As such bits of "plaintext" are produced by the search, if they fail to agree with the corresponding position in the known plaintext, backtrack must occur, to follow disjunctive paths in the search other than those which led to this erroneous development.

2. Secondly, if during the inversion of an encryption operation which set some position in the vector of inputs to an S-bank to a certain value, it is required that a bit of K be assigned a certain value and it is the case that this position of K has already been assigned a different value, then backtrack must occur to remake earlier erroneous path-selection decisions.

3. Finally, if it happens that no more alternative expansions exist for a node which must be expanded in a new way as a result of the search backtracking to that node, the backtracking is invoked recursively, to backtrack yet higher in the tree.

It should be noted that with our 2-round simplified DES, this search procedure may not establish the values of all 56 bits of K, as not all of these key bits are produced by the permutations and selections of K provided by the first three cycles of the KS algorithm. Consequently, the assignments made to bits of K which are not used in our simplification of the DES algorithm are arbitrary.

At this point in the discussion, it should be noted that the use of a bidirectional search [17,18] to discover K seems intuitively appealing, as the cryptanalytic task involves constraints at both the root and leaf nodes, and as the encryption and decryption algorithms are identical. It should be possible to drive the search backwards from the ciphertext towards the plaintext as the above discussion has described while at the same time, one is driving forwards from the known plaintext. For a known plaintext cryptanalysis of a full 16-round DES, one would search 8 rounds forwards from the plaintext, and 8 rounds backwards from the ciphertext and join the two search trees in the middle. The existence of constraints at both ends of the search tree, and the symmetry of encryption and decryption make this approach possible.
A more formal argument which indicates why the bidirectional scheme is viable may be seen in the next chapter.

8.2 NODES IN THE SEARCH TREE

The approach employed in our search requires the existence of 3 major distinct types of data nodes in the search tree, in addition to a descriptor type of node which is associated with every other type of node and which contains information common to all node types. Each type of data node possesses a unique structure, is expanded differently from the other types of nodes, and requires a different response if backtracking reaches the node. This heterogeneity of nodes is necessitated by the fact that the DES encryption algorithm involves a number of different operations in each round. A thorough discussion of these types of nodes and their characteristics follows. (See Figure 7, Nodes in the Cryptanalytic Search Tree).

8.2.1 Descriptor Node: SUPER

Two factors necessitate the inclusion of a descriptor node structure associated with the actual data portion of each of the 3 major types of data nodes in the search tree. Firstly, such a structure, known as the based-storage structure SUPER in the PL/I routines which perform the search, permits data common to all types of nodes to be factored out of these nodes. This ability serves to simplify the structure of the actual data nodes.

More importantly, the PL/I language does not permit pointer reference to based-storage data, unless the symbolic name of the based variable is known. This in turn implies that during the traversal of an existing tree structure, as occurs during recursive backtrack, one must know what type of node one has linked to, before it is possible to access the link fields in that node.
As we are dealing with a tree structure with heterogeneous nodes which may be linked in a wide variety of ways, it is crucial to be able to link to a node without knowing its type a priori. A field in SUPER which contains the type of the data node for which the SUPER node is a descriptor permits traversal in this fashion.

The SUPER node contains 6 fields. As mentioned, there is a single character type field, which allows the search routine to determine for which of the 4 types of data nodes it is a descriptor. A position field contains an integer in the range {1,32} to indicate which bit of the current ciphertext block is represented by the value in the data node. Similarly, a level field contains an integer from {1,16} to indicate at which level in the 16-round encryption procedure the block in which the bit occurs is contained. A father pointer points to the SUPER node associated with the immediate ancestor of the current node in the tree. There is a pointer to the actual data node which is described by the SUPER node. Finally, there is a pointer to the node on the queue of nodes which are "open" for further development which points to the SUPER node. If it is the case that the SUPER node has already been expanded and is not still a temporary leaf of the expanding tree, this OPENQ pointer is null. The need for such a pointer is discussed in the section pertaining to the BACKTRACK routine.

8.2.2 Data Node: RNODE

The RNODE structure permits representation of the knowledge that at some specific level in the encryption process a specific bit position in an R-block possessed a certain bit value.^15 The position and level information for the RNODE resides in its descriptor.
In the actual RNODE, there exist fields to represent the bit value of the RNODE, a count field from {0,2} to indicate how many times the node has previously been expanded, and two child pointers. Where these child pointers must point may be deduced through the examination of the second of the DES encryption equations:

$$R_n = L_{n-1} \oplus f(R_{n-1}, K_n) = R_{n-2} \oplus f(R_{n-1}, K_n)$$ (see footnote)

If the RNODE being expanded has a value 1, then its two children (the RNODE at level n-2 and the FNODE) must have respective values 1 and 0, or 0 and 1, as a result of the XOR. These 2 possibilities are disjunctive. The first is developed the first time the RNODE is expanded (when its count field is 0), and the second is developed as an alternative should backtrack ever reach the RNODE, as a result of the occurrence of some key bit contradiction. Otherwise, should the RNODE being expanded have the value 0, its two children must both have the value 0, or both have the value 1. The count field is maintained in the RNODE only to allow the search algorithm to determine its state of expansion, should backtracking require other possibilities for the RNODE to be developed.

^15 No analogous node to represent knowledge about L-blocks is required. As $L_n = R_{n-1}$ by the DES algorithm, it is known immediately that instead of representing some bit position p of an L-block at level l of encryption which possesses a value v, the RNODE which must have been the predecessor to the LNODE during encryption may immediately be created. This RNODE will represent bit position p at level l-1 and have the value v.

8.2.3 Data Node: FNODE

Should it be desired to employ minimized forms for only the uncomplemented S-box functions, i.e.
to characterize input variable configurations which result in a specified output of the S-bank having a value of 1, then the expansion of nodes which embody knowledge concerning the value of the output of the DES f function at some encryption level and bit position would be intrinsically asymmetric, for nodes of differing value. Given that QM-minimized expressions for only the uncomplemented S-box functions are available, forms for the corresponding complemented S-box functions could be produced by the DeMorgan complementation [16] of the positive sum-of-products forms. While the process of complementation itself is trivial, the complexity required in the search procedure to handle the asymmetry introduced by the use of product-of-sum forms is significant.

While an FNODE whose value is captured by a sum-of-products expression may be satisfied by alternatively attempting to satisfy each of the conjunctive terms, an FNODE whose value is expressed in a product-of-sum form has far more potentially-satisfying input variable configurations. To satisfy the latter form, one X literal from each of the disjunctive terms need be satisfied. Consider as a simplified example the case where an S-box function f has the following minimized form:

f = x1 x2 x3' x4' x5' x6 + x2 x3 x4 x6'

then by DeMorgan complementation:

f' = (x1' + x2' + x3 + x4 + x5 + x6')(x2' + x3' + x4' + x6)

To attempt to satisfy the former uncomplemented form, at most 2 disjunctive possibilities will have to be explored, each of which is a conjunct of a number of X literals.
The number of potentially-satisfying literal instantiations for the latter complemented form of the f function may be seen to be a product of the number of literals in disjunction in each conjunctive term, i.e. 6x4=24. Specifically, each line of the following table provides an instantiation of X literals which causes f'=1:

x1=0  x2=0
x1=0  x3=0
x1=0  x4=0
x1=0  x6=1
x2=0  x2=0
x2=0  x3=0
x2=0  x4=0
x2=0  x6=1
x3=1  x2=0

Although it is possible to eliminate certain instantiation configurations a priori, as, for instance, the possibility that x3=1 (satisfying the first conjunctive term) and x3'=1 (satisfying the second such term) cannot be realized simultaneously, there are still exponentially many more ways to potentially satisfy the DeMorgan complementation of a positive S-box function than there are to satisfy a sum-of-products form. As a consequence of this, despite earlier experimentation with a form of the search procedure which actually complemented the QM-minimized expressions for the positive S-box functions, the complemented S-box functions were themselves minimized by the QM procedure, and these sum-of-products forms for the f' used in the search.

Recall that the sum-of-product expression for an S-box, or its complement, as obtained by the Quine-McCluskey minimization technique, consists of the disjunction of up to 23 p-terms, each of which is a conjunct of up to 6 literals. (The literals constitute the input to the S-box). For an FNODE at some point in the search to have a value of 1, any of the p-terms in the appropriate sum-of-products expression for the uncomplemented S-box function must be "on". Such a term will be "on" only if all literals in the term possess the appropriate values.
Similarly, for an FNODE to have the value 0 at some point, any of the p-terms in the appropriate sum-of-products expression for f' must be "on", as a result of all literals in this p-term possessing appropriate values.

Consequently, a based structure known as an FNODE is used in the search tree to represent knowledge that at some encryption level, some f function must have a specified Boolean output value. The FNODE structure contains an integer count field from {1,23} which indicates the number of the p-term which the search currently assumes is responsible for turning the f function "on". There is a value bit, which indicates whether the FNODE is to represent an S-bank output with a value of 0 or 1. This value determines whether the QM-minimized forms for the complemented or uncomplemented S-box function, respectively, are to be used. Also in the FNODE are 6 pointer fields which contain links to the appropriate XNODEs which possess the values required to turn the p-term on.^16 This expansion paradigm introduces a heuristic component into the search, as the p-terms occur in the sum-of-products expression in best-first order, and this is the order in which they are expanded.

^16 If the p-term considered has some "don't care" values in some literal positions, the corresponding pointers in the FNODE will be null.

Should backtrack occur to an FNODE, its count field is examined, and the next p-term in the appropriate sum-of-products expression for this function (or its complement, depending upon the value of the value bit within the FNODE) is assumed to be the term responsible for making the f function output 1 (or 0). If no p-term in the appropriate sum-of-products expression can have a value of 1 without the consequences resulting in key bit contradictions, backtrack continues past the FNODE to previous nodes in the search tree.
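The counting argument made earlier in this section for the DeMorgan-complemented form can be checked mechanically. The following Python sketch is an added example, not code from the thesis; the variable indexing and all function names are assumptions of the sketch. It complements the simplified f from the text, enumerates every one-literal-per-factor pick in the same order as the table, discards picks whose literals clash, and confirms that each remaining pick forces f'=1.

```python
from itertools import product

# f = x1 x2 x3' x4' x5' x6 + x2 x3 x4 x6' from the text. Each p-term maps a
# variable index to the value its literal demands (x3' means x3 must be 0).
F_SOP = [
    {1: 1, 2: 1, 3: 0, 4: 0, 5: 0, 6: 1},
    {2: 1, 3: 1, 4: 1, 6: 0},
]
VARIABLES = range(1, 7)


def demorgan(sop):
    """Complement a sum of products: each p-term becomes one disjunctive
    factor whose literals are the inverted literals of that p-term."""
    return [{var: 1 - val for var, val in term.items()} for term in sop]


def f_value(sop, x):
    """Evaluate the sum of products on a complete assignment x."""
    return int(any(all(x[v] == val for v, val in t.items()) for t in sop))


def literal_picks(pos):
    """Every way of picking one literal from each disjunctive factor."""
    return list(product(*(sorted(factor.items()) for factor in pos)))


def merge(pick):
    """Turn a pick into a partial assignment, or None if two picked
    literals demand opposite values of the same variable."""
    partial = {}
    for var, val in pick:
        if partial.setdefault(var, val) != val:
            return None
    return partial


def forces_f_zero(sop, partial):
    """True when every completion of the partial assignment gives f = 0."""
    free = [v for v in VARIABLES if v not in partial]
    for bits in product((0, 1), repeat=len(free)):
        x = {**partial, **dict(zip(free, bits))}
        if f_value(sop, x):
            return False
    return True


def compare_forms(sop=F_SOP):
    """Count the alternatives each form offers to the search."""
    pos = demorgan(sop)
    picks = literal_picks(pos)
    partials = [p for p in map(merge, picks) if p is not None]
    return {
        "sop_alternatives": len(sop),
        "pos_picks": len(picks),
        "consistent_picks": len(partials),
        "clashing_picks": len(picks) - len(partials),
        "all_consistent_picks_give_f_prime_1": all(
            forces_f_zero(sop, p) for p in partials),
    }


if __name__ == "__main__":
    for name, value in compare_forms().items():
        print(f"{name}: {value}")
```

Only the clashes on x3, x4 and x6 are eliminated a priori, so the product-of-sums form still offers far more alternatives than the two p-terms of the sum-of-products form.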
8.2.4 Data Node: XNODE

The structure of the XNODE type is very similar to that of the RNODE, as the values of a particular position of an R-block and of an X variable are both formed as a result of an XOR operation. In this discussion, inputs to the S-boxes are referred to as variables by the name of X. Such XNODEs contain 3 fields. As for RNODEs, there is a count field which contains an integer from {0,2} to record the number of times the XNODE has previously been expanded. There is also a value field to contain a bit indicating whether the X variable is to have the value 0 or 1. The third field contained in an XNODE is a pointer to the RNODE of appropriate level, value, and position which caused the production of the particular X value during encryption.

An X variable at some particular position and level obtains its value during the encryption procedure by means of application of the following DES formula:

$$X = KS(p,n) \oplus R_{n-1}$$

The first term represents the output of the DES key schedule function at level n, position p. If the value of the XNODE being developed is 1, then the two possible disjunctive cases are that the KS output and the particular position of the R-block were respectively either 1 and 0 or 0 and 1. As in the case of the RNODE, should the value of the XNODE have been 0, both the KS output and R-block bit would have to possess the same value, for the XNODE to be satisfied. (Both 0 or both 1).

Only one child pointer extends from an XNODE, as the requirement that a key bit possess a certain value does not imply any further tree development. If it is known that the output of the KS function must have a certain value in a certain position at a certain level, a key bit hypothesis may be immediately formed and posted in the global variable containing the developing key.
The key schedule function is inverted to determine which bit of K is produced in position p at the given round of encryption, and this bit of K is assigned the appropriate value. Should backtrack occur to the XNODE, the key bit hypothesis must be deleted.

8.3 THE PL/I PROCEDURE: SEARCH

The implementation of the search strategy described earlier was carried out in PL/I. The actual code for the routines to be discussed may be seen in Appendix F. Although the strategy employed for the purposes of unidirectional search for K has already been discussed at some length, certain features of the PL/I implementation are noteworthy. In particular, attention will be paid to the techniques used for node expansion and backtracking during the search.

Tree development is controlled by a queue of nodes which are "open" for further development, where the characteristic common to all such open nodes is that they are not yet satisfied. Their subtrees require further development. Whereas a similar queue maintained for the purpose of breadth-first expansion of the n-ary tree to discover the best sum-of-product terms (as discussed in Chapter VI) was implemented using an array of pointers to open nodes, here a linked list of pointers is maintained. Tree development is accomplished by expanding the subsequent open node on this queue, deleting it from the queue of open nodes, and then moving on to expand the next open node. This procedure constitutes the mainline of the search procedure, and continues until the open queue is empty.

The reason that a linked-list implementation was chosen for the open queue involves the need to be able to choose whether the expansion is to be depth-first or breadth-first. An array implementation may be seen to make the ability to support the former expansion capability prohibitively expensive.
As the tree development is accomplished by expanding nodes in the open queue successively, to grow the tree in a breadth-first manner one adds new nodes to the end of the queue, where they will be expanded after all other nodes in the queue. Adding new nodes to the queue in a position immediately following the node currently being expanded means that these new nodes will be expanded next, before others in the queue, and that the expansion of the tree will occur in a depth-first fashion. In an array implementation of the open queue, the insertion of entries in the middle of the queue would entail the "shuffling" of elements, and a great associated computational expense.

When a node pointed to by an element on this open queue is to be expanded, the EXPAND routine is called, from the mainline. It selects and invokes one of the routines: R_EXPAND, F_EXPAND, or X_EXPAND, depending on the value of the type field of the node being expanded, for RNODEs, FNODEs, and XNODEs, respectively.

8.3.1 The R_EXPAND procedure

The routine R_EXPAND commences by checking the encryption level of the RNODE to be expanded. If it is the case that the RNODE is from encryption round 0 or -1^17 the bottom of the tree has been reached, and the value of the RNODE may be compared with the value required for such a node, as bits in the R block at levels 0 and -1 correspond to bits of the known plaintext.

^17 No L nodes are explicitly represented in the tree, but their presence is accounted for by RNODEs of the preceding level. Hence an RNODE at level -1 corresponds to a level 0 L node.

Should the RNODE have the correct value, R_EXPAND returns without adding any new nodes to the open queue.
However, if the value of this RNODE as produced by the inversion of the encryption process is incorrect, the BACKTRACK procedure is called to remake choices earlier in the tree which led to the production of this erroneous RNODE.

If round 0 of the encryption has not yet been reached, the count field within the RNODE is examined. This field contains a value from {0,2} to indicate how many times the node has already been expanded. There are only 2 possible ways to expand any RNODE, corresponding to the 2 possible inputs to an XOR function which can cause the function to attain a specified value. If the count field is 2, no further expansion possibilities remain for the RNODE, and BACKTRACK is called.

If the count field is other than 2, appropriate left and right child nodes are created and added to the end of the OPEN queue, after any existing subtrees have been destroyed and their ramifications removed. The left child is always another RNODE of level 2 less than the RNODE being expanded.^18 The value of this child RNODE is assigned as 1 upon the first expansion of the father RNODE, and 0 for the subsequent expansion. The right child is an FNODE of value 0 or 1, depending on both the value of the parent RNODE and the number of times which the parent has been expanded. To be specific, an FNODE of value 1 is the right child if and only if the parent RNODE has a count field which is equivalent to the number of times the RNODE has previously been expanded. (Both 0 or both 1).

^18 This RNODE represents the virtual LNODE at level 1 less than the RNODE being expanded.
Otherwise, an FNODE of value 0 is created. Before leaving the R_EXPAND routine, the count field of the RNODE being expanded is incremented.

8.3.2 The F_EXPAND procedure

The F_EXPAND routine is invoked by the EXPAND driver to expand an FNODE. As mentioned, all simultaneously disjunctive paths from a particular node in the tree exist only virtually: The FNODE structure at any given time has children which consist of the set of XNODEs engendered by the assumption that a single particular p-term in the sum-of-products expression for the S-box in question will cause the satisfaction of the FNODE.

When it is necessary to expand an FNODE, it is first determined through the examination of the value bit within the FNODE whether the sum-of-products form for the complemented or uncomplemented S-box function is to be employed in the expansion. The procedure then ascertains whether there yet remain any p-terms in the appropriate S-box expression corresponding to the S-bank output under consideration, the consequences of which have not yet been explored. To accomplish this, the count field maintained within the FNODE is compared with the number of p-terms in the associated sum-of-products expression. This field is incremented each time an expansion of the FNODE is performed. As no Quine-McCluskey minimized S-box expression contains more than 23 p-terms, this count field has a value from {0,23}. Alternatively stated, satisfaction of any FNODE can be attempted at most 23 times before backtrack continues higher in the tree. If all p-terms have been exhausted, BACKTRACK is called.
In such a case, no possibilities remain to expand the FNODE without the consequences of the expansion causing some contradiction.

If untried p-terms still remain in the appropriate sum-of-products expression, children corresponding to the X literals in this next p-term are created and added to the OPEN queue. In practice, the existing children of the FNODE are replaced only if the value of the X literal they represent differs in value from the corresponding X literal in the new p-term. If the values do not differ, the old XNODE child is retained along with the subtree of which it is the root.

8.3.3 The X_EXPAND procedure

The expansion of an XNODE is somewhat analogous to that of an RNODE, as both of these structures are formed as a result of an XOR operation. To expand an XNODE, its count field is first examined. If this field has reached 2, BACKTRACK is called, as no possibilities for expansion remain.

XNODEs have only one child in the search tree; the other component of the XOR producing an XNODE is a bit of K. If the number of times the XNODE has been expanded is equivalent to its value, as in the expansion of an RNODE, an RNODE of value 0 is created as a child at the preceding round of encryption, and is added to the OPEN queue. An RNODE with value 0 is created if the equivalence does not occur.

Based on the count field, a hypothesis for the value of the bit of K is produced. The position of the bit within K is determined through knowledge of the key schedule permutation.
Before posting this hypothesis for the bit of K, the current hypotheses are examined to ensure that a contradictory hypothesis for the same bit does not exist. If such a hypothesis already exists, BACKTRACK is called to resolve the contradiction. If no hypothesis yet exists for the bit under consideration, the new hypothesis is posted and X_EXPAND returns, after having incremented the count field within the XNODE.

8.3.4 The BACKTRACK procedure

The BACKTRACK routine has been mentioned extensively in the preceding discussion, although its characteristics have not yet been examined. It is invoked when no disjunctive alternatives for expansion remain for the node whose expansion is currently being attempted by the tree search procedure. All possible expansions have led to a contradiction, either of key bit hypothesis, or between what has been produced as plaintext by inversion of the encryption process and what the plaintext is known to be.

If such a condition arises, it must be the case that an erroneous choice of some disjunctive path to follow has occurred earlier in the tree, and such a choice must be re-made.

BACKTRACK first deletes the current node. This is accomplished by setting to null any pointer in the father of the node which points to that node, as well as removing from the OPEN queue any references to the node.

The need for the latter action may be seen from the following example. Consider a subtree of the search tree, consisting of an RNODE at encryption round 2, and its 2 children: a round 0 RNODE, and an FNODE at level 1. Suppose that the RNODE at level 0 is the node currently being developed and that the FNODE is the next on the OPEN queue.
Should the check with the known plaintext indicate that the value of the level 0 RNODE is incorrect, backtrack occurs to re-expand its father, the level 2 RNODE. This re-expansion will cause the creation of new left and right children. In particular, if the level 2 RNODE may be re-expanded, a new FNODE child with a value different from the previous right child is produced. Clearly, the old FNODE must be removed from the OPEN queue to prevent such a node, which now does not belong in the tree, from ever being developed.

It is for this reason that the OPENQ field exists in each SUPER node. This field contains a pointer to the queue node which points to the SUPER node. Essentially, the OPEN queue references are backlinked to permit the immediate location of a particular queue node for deletion. If such a field were not provided, it would be necessary to search the OPEN queue linearly for any references to the node being deleted, each time any open node was to be removed from the tree. As the OPEN queue may be as long as the maximum width of the search tree, such a procedure would be computationally wasteful. Clearly, the OPENQ field points to nodes on the OPEN queue only for nodes which are still open for further expansion. The field is set to null when a node is expanded by the EXPAND routine.

After these references are deleted, BACKTRACK calls EXPAND for the father of the deleted node, to attempt an alternative expansion of this earlier node. It should be noted that this process is recursive, and will continue the expansion and backtrack until all 64 of the round 16 root nodes are satisfied, and all positions of the results of our encryption inversion agree in value with what the plaintext P is known to be, with no contradictions in what the bits of K must have been.
At such a point, the encryption key K has been uncovered.

8.4 APPLICATION TO A 2-ROUND DES

For the purposes of testing these unidirectional key search procedures, a set of APL routines were written to perform 2-round DES encryption of randomly-chosen plaintext bits under a randomly-chosen key, and store the resulting P-C pairs in files accessible to the search routines. These APL routines may be found in Appendix G.

Experimentation with the PL/I search routines quickly demonstrated the intractability of a unidirectional search approach to the discovery of the encryption key, even for a DES algorithm of only 2 rounds. Computer time limits of up to 30 minutes on the University of Manitoba AMDAHL 470/V8 were exceeded during the course of execution of the search, and further experimentation with such searches had to be curtailed due to the computational expense. The search tree itself was constructed down to the plaintext leaf level fairly rapidly, but the process of backtracking to remake choices in the tree to get the known plaintext to agree with what had been generated as a result of the posted key bit hypotheses continued in all trials until the processing time limit imposed upon the program had been exceeded.

Examination of the causes of the failure of this approach to cryptanalysis led to a direction of further research differing in two components: An analysis of the use of processing time by the search procedure showed that a considerable amount of time was wasted by both the dynamic allocation and freeing of storage from the heap by PL/I during execution, and by the continual paging of (4k byte) segments of the large (384k) search tree during the search.
While the former problem could have been avoided through exploitation of the realization that the tree, in a somewhat altered representation space, is static and thus all required memory may be pre-allocated and need never be freed, the latter seems regrettably unavoidable due to the scattered distribution of key bit use throughout the encryption. The regularity of structure of the properly-viewed search tree will be further discussed in the following chapter.

Aside from these implementation considerations, upon proper reflection it must be concluded that the unidirectional search approach is destined to be computationally intractable, as it is essentially a "generate and test" approach. In the algorithm presented, not all of the available data is effectively used to guide the search. While the ciphertext is employed to determine the growth of the tree, the known plaintext is used in an inefficient manner, to simply verify that the tree has grown properly, and to cause backtrack for the purposes of correction, if it has not.

Algorithms of this type are known in the field of computer science as the "British Museum" approach for their exhaustive and somewhat foolhardy nature. Our unidirectional approach is analogous to employing exhaustive bottom-up generation of all possible facts in order to prove a theorem, instead of using the goal, i.e. the theorem to be proven, to guide the search in a top-down goal-directed fashion.

What seems required is an ability to effectively use all available knowledge, both P and C at once, to guide the key search and thus effectively limit the search time.
The next chapter discusses such a bidirectional approach from a conceptual viewpoint as a problem of search, and then identifies the problem of the search of a tree of fixed structure with that of the symbolic solution to a set of Boolean equations. After an unsuccessful attempt to program methods to symbolically simplify the Boolean equations which constrain the values of the bits of K which maps between a given P-C pair, a new type of AND/OR tree search is developed. This new search benefits from all of the minimizations performed on the S-box functions, and has the additional advantage of not requiring any backtrack.

Chapter IX

KEY SEARCHES OF GREATER SOPHISTICATION

9.1 COMPUTATIONAL COMPLEXITY AND BIDIRECTIONAL SEARCH

Certain properties of the DES encryption procedure make it vulnerable to an attack by the methods of bidirectional search, under the assumption of a known plaintext attack. It has been mentioned that the knowledge possessed by the cryptanalyst under this assumption is situated at both the root and the leaves of the cryptanalytic search tree.

The unidirectional search of the previous chapter attempted to invert the encryption process through the construction of a search tree beginning at the (known) bits of ciphertext. Hypotheses concerning the values of key bits and bits in earlier blocks of developing ciphertext were forwarded, based on knowledge of the values of bits in blocks formed later in encryption. The known plaintext bits were reached after all levels of encryption had been inverted. Backtrack to attempt alternative disjunctive paths in tree development occurred when either plaintext bits did not agree in value with what the bit values should have been on the basis of how the encryption was inverted, or when required assignments of key bit values were contradictory.
In addition, during this search, a single key hypothesis was maintained in a variable globally available for all subtree expansions to update. In retrospect, the "thrashing" behavior of the unidirectional search may be seen to result at least partially from the design of the search algorithm which required such a unique hypothesis to be maintained. In the AND/OR search which is discussed in section 9.4, this requirement is removed to allow the search to proceed by building an expression tree top-down, and then traverse the tree in a bottom-up fashion, without the need for any backtracking.

It is possible to obtain an estimate of the efficacy of this search procedure by comparing the worst case number of trials in an exhaustive key trial approach to DES cryptanalysis ($2^{56}$, or on the order of $10^{17}$) to the greatest possible number of nodes which would have to be developed in the tree during the search-approach to encryption key discovery. This comparison is not altogether reasonable, as exhaustive key trials would probably be performed in special-purpose hardware [2], while the search techniques discussed would at first be implemented in software. However, it would not be impossible to build a hardware device to perform the operations involved in the search procedure. As a 16-round DES encryption requires far more basic operations than the expansion and traversal of a single search tree node, the identification of these heterogeneous quantities errs towards the conservative. It is crucial to the success of the attack methods presented here that one accept this idea that it is reasonable to compare key space size with number of tree nodes.
A simple argument will quickly demonstrate that the use of a unidirectional search for cryptanalysis as attempted in the preceding chapter is destined to failure, even apart from considerations of backtracking. (I.e., even if each node in the tree is visited only once, a unidirectional search will fail). For such a search to be useful, the required branching factor engendered by the S-boxes is so small so as to be unattainable by means of known Boolean minimization techniques.

The top level of the search tree contains 64 nodes, one for each bit of ciphertext. In proceeding from one level of the search tree to the next, each node which represents a bit in a block of developing ciphertext can require the inversion of two instances of the function f. If some bit position of some R-block has a value of 1, then the values of the same bit position of the f function which operates on the R block of the preceding level and that of the L block at the preceding level must differ, as an XOR indicates non-equivalence. (See Figure 6, position (2)). would be investigated, if the search ever backtracked to the node.

As the (Quine McCluskey) representation for any S-box is a p-term expression of at most 23 p-terms, each of which is a conjunct of at most 6 literals, the expansion of an FNODE once in the search, can engender a branching factor of up to 23x6 in the search tree.
As two such expansions may be required per node per level of the search tree (if the first expansion fails), the worst case number of nodes in the unidirectional search tree using QM S-box representation for the inversion of a 16-round DES will be approximately:

$$64 \times \sum_{i=1}^{15} (2 \times 23 \times 6)^i = 2.6 \times 10^{38} \gg 10^{17}$$

It may also be calculated that for the number of nodes in the search tree to be less than the number of possible keys, again under the highly conservative assumption that all possible disjunctive paths in the search tree must be followed, the branching factor caused by the S-boxes must be less than 5. Even the spectral minimization techniques do not allow such a small expansion factor to be achieved.

Nevertheless, the use of bidirectional search techniques [18,19] may be shown to upper-bound the number of nodes in the search tree, even under worst case assumptions, to a number which is on the order of the key space size. As encryption and decryption procedures are virtually identical in the DES algorithm, it is then possible to expand the tree "backwards" from the known plaintext towards the ciphertext, at the same time as one is expanding the tree forwards, from the ciphertext. Key bit hypotheses are generated during the course of the expansion in both directions, and standard recursive backtrack occurs within either search (or within both searches) if mutually incompatible key bit hypotheses are generated either within one "half" of the search tree, or if some incompatible hypotheses exist when the union is taken of the two generated sets of hypotheses. The matching of the two halves of the tree between rounds 7 and 8 is not difficult. However, it does imply that to implement the bidirectional search for a full 16-round DES, enough memory capacity is available to store the entirety of the middle (widest) layer of the tree.
This layer contains $64(2 \times 13 \times 5)^7$ nodes.

It is not difficult to show how the use of such a bidirectional search reduces the number of nodes in the tree. What the approach achieves may be seen schematically in Figure 8, Bidirectional Search Tree. The search is driven forwards from both the top and bottom simultaneously, and meets in the middle of the tree. It is only possible to do this because the encryption and decryption procedures are the same, and the attack assumptions include knowledge of the plaintext.

The search now consists of two symmetric searches, each of which continues for 7 levels beyond the first level at which the 64 nodes representing the known bits of plain or cipher text are established. A total of 8 levels are searched in each half of the search. Using the same QM S-box approximations as seen in the preceding calculation, the worst case number of nodes in the bidirectional search tree is found to be:

$$2 \times 64 \times \sum_{i=1}^{7} (2 \times 23 \times 6)^i = 1.6 \times 10^{19}$$

Should this search employ the spectrally-minimized S-box representations, even in the worst case the total number of nodes expanded in the search tree would be on the order of the key space size:

$$2 \times 64 \times \sum_{i=1}^{7} (2 \times 13 \times 5)^i = 8.9 \times 10^{16}$$

It is important to realize that all of the above rough calculations have assumed worst case conditions for the search. That is, it has been assumed that all possible disjunctive alternatives of all OR nodes must be expanded in the course of the search, and furthermore that all such expansions entail in all places the maximum number of branches. In fact, only one S-box has as many as 13 p-terms in its spectrally minimized form. The mean number of p-terms is about 11.
In addition, the fact that p-terms are ordered in the sum-of-products expressions in a "best first" manner lends a heuristic component to the search; the alternatives most likely to succeed [footnote 19] are chosen for expansion first.

It may be possible to quantitatively estimate the advantages of the bidirectional search technique by slightly relaxing the worst case assumptions. If the expected branching factor of the search tree is based upon the average number of literals per p-term (3.57) instead of the maximum possible number of such literals (5), the expected number of nodes in the search tree decreases to $7.68 \times 10^{15}$. This is a factor of 10 less than the key space size.

The unidirectional search of Chapter 8 was never actually implemented in the bidirectional manner described so far in this section. A realization that the structure of the search tree would also be uniform, regardless of the particular P-C pair cryptanalyzed, led to the digression of the next section, in which the cryptanalytic problem is shown to be equivalent to the simplification of a set of Boolean equations. While experimentation with this technique was limited by its requirement for very large amounts of memory, this next view of the cryptanalytic problem was of use, in that it eventually led to the development of a more sophisticated type of search, in which backtracking is unnecessary.

Footnote 19: This is somewhat simpleminded, as this considers only the p-terms which "turn on" the S-box functions by themselves, and ignores interactions with other branches in the tree.
9.2 DIGRESSION: SEARCH AS THE SOLUTION OF BOOLEAN EQUATIONS

During the course of development of the unidirectional search procedures, it was realized that should it be desired to invert the action of the DES encryption in making the output of some f function 0 at some round and position, to expand the product-of-sums expressions resulting from DeMorgan inversion of the QM-minimized S-box functions would make the search intractable. As a consequence, complements of the S-boxes were minimized in order to possess sum-of-products expressions for use in such circumstances. [footnote 20]

What was only realized later was that the use of such minimizations of the complements of the S-boxes during the inversion of encryption implied that the structure of the resulting search tree was always the same, independent of what P-C pair was used. [footnote 21] RNODEs always have another RNODE (of level 2 less than their father) as a left child, and an FNODE as a right child. FNODEs have up to 6 XNODE children, depending on the number of "don't care" positions in the conjunct term currently being expanded. Each XNODE has an RNODE as an only child. Expansion of an XNODE also causes the posting of a key bit hypothesis as a side-effect. (See Figure 9, 2-Round Search Tree of Uniform Structure).

Footnote 20: Quite clearly, a sum-of-products expression of the general form arising for DES may be potentially satisfied in far fewer ways than the corresponding product-of-sums expression resulting from its complementation, due to the presence of more disjuncts in the latter.

Footnote 21: This is not entirely accurate. An FNODE in the final state of the tree may have less than 6 XNODE children, if the corresponding p-term contains "don't-care" values.
As the morphology of the tree would thus be constant, regardless of the actual P-C pair for which K was being discovered, there was no longer any need to allocate subtrees dynamically through the use of the PL/I ALLOC and FREE functions. The entire tree structure could be pre-allocated, and the fields in its nodes simply filled in to reflect the tree contents at any moment. In addition to the resultant time saving, memory space could also be saved as a result of this realization, as pointers are only really needed to refer to a child when the location of the child cannot be determined when the father is created. With the entire tree structure known a priori, pointer locations could be determined by address calculation, and not explicitly stored with the nodes.

An even more important revelation which followed from this discovery is that when the form of the tree is predetermined, the entire tree structure can be collapsed into a set of equations, where the key bits are the unknowns, and the plain and ciphertext bits are constants. In such a representation, the search tree would be present only virtually, implicit in the expression-tree structure of the equations. The problem of bidirectional key search is isomorphic to that of solving for the key bits in the equations implied by the search tree structure.

Furthermore, the process of cryptanalysis by such a method could be partitioned neatly into a (lengthy) symbolic precomputation procedure, followed by a (fast) application of the results of this precomputation for the cryptanalysis of specific P-C pairs. In the precomputation phase, the constraint equations which contain the key bit variables and the constants for P and C as symbolic constants would be simplified through the application of algebraic transformations.
Such a computation would only ever have to be done once. After these symbolically-simplified equations are produced, to discover K for any specific P-C pair, one would substitute the known values for P and C for the symbolic constants, then simplify the equations further, to discover the actual values for the bits of K.

The idea of such a separation of components of a cryptanalytic process has been proposed elsewhere [6]. This method of cryptanalysis would also benefit from all of the search space size reductions which arise from the functional and spectral S-box minimizations discussed in Chapters V and VII.

Specifically, the approach to be considered here is as follows: From the details of the DES encryption algorithm together with the minimized representations for the S-boxes, a set of 64 equations involving ORs, ANDs, and NOTs with the 56 key bits as unknowns and the 64 positions of P and 64 positions of C as symbolic constants may be formulated. It should be observed that for an n-round DES, these equations have 2n+1 AND and OR levels, where the number of levels possessed by a Boolean equation may be defined as the number of levels in the corresponding n-ary [footnote 22] expression tree.

The symbolic simplification of this set of 64 equations, one for each bit of C, by means of the application of theorems of Boolean algebra or some other similar simplification technique would constitute the precomputation phase of the cryptanalysis.

Simplification, in this context, involves the "flattening" of the implicit expression tree into a 2-level sum-of-products form, with the removal of redundant terms, and will be discussed more thoroughly in the following section. The fashion in which this simplification should be carried out in order that it not require undue amounts of memory or processing time is not at all evident.
One of the central problems which must be addressed is the tradeoff which exists between the advantages of moving negation "inwards" in the expressions, and those of applying theorems (such as the absorption or consensus theorems [16]) to reduce the number of terms in the expression.

If negation is moved inwards by application of the DeMorgan theorems in a careless manner, the fact that a complex subexpression and its complement exist together in conjunction or disjunction may be overlooked, a situation which wastes memory space, and eventually processing time as well. However, the detection of instances in which theorems such as the absorption theorem are applicable seems to require complex and computationally expensive pattern-matching procedures. In what sequence to apply these simplification techniques is not evident.

Footnote 22: OR and AND operators will not be restricted to 2 arguments, but may operate on n arguments. This convention will permit an expression a+b+c to be represented in one expression tree level, as "+" operating on 3 arguments. Were we forced to consider "+" as a binary predicate, 2 tree levels would be required, to represent the expression as a+(b+c) or (a+b)+c.

It has been mentioned that the preprocessing phase of the cryptanalysis consists of the symbolic simplification of the set of 64 equations relating the variables in K and the constants in the known P to each of the 64 bits of C, respectively. After these equations have been simplified, to discover K for any known P-C pair, the Boolean constants 1 and 0 are substituted in the equations for the symbolic P and C constants, and each of the 64 equations is further simplified as much as possible.
Finally, as the 64 equations themselves must necessarily be satisfiable together, they are put into conjunction, and this conjunct further simplified, by the same simplification process. What must result, for a 16-round DES, is the unique conjunction of key bits and complements of key bits which equals 1. [footnote 23] This yields the encryption key, K.

Footnote 23: For a DES of less than 16 rounds, possibly a disjunction of such conjunctions may result. This corresponds to the situation where more than one key performs a specific P->C mapping in a 2-round DES. It is unknown if this can occur in a full 16-round DES.

9.3 SYMBOLIC SIMPLIFICATION METHODS

A number of potential methods were examined, for the simplification of the sets of Boolean equations which are seen to represent in a new form the cryptanalytic search tree of the preceding chapter. As it has been realized that the expression tree is of fixed structure, it is possible to calculate the size of such a tree for an n-round DES. The number of leaf nodes in such a tree is the same as the number of literal terms in the (unsimplified) expression it represents, and will vary as a function of the quality of the S-box minimization employed.

9.3.1 Expression Size

It is of some interest to determine the theoretical maximum size of the 64 expressions which result from the flattening of the search tree, as their size will determine the applicability of various simplification techniques. The number of literals which will be present in any expression is identical to the number of leaf nodes in the corresponding expression tree, as any Boolean expression is simply an expression tree with the structure obscured.
With reference to Figure 9, the number of literals in unsimplified expressions for a 2-round DES may be seen to be:

2(1 + (23)(6)(2(1 + (23)(6)))) = 148326

for each of the 32 subtrees from the leftmost 32 bits of C, using the conventionally QM-minimized S-boxes, and:

2(1 + (23)(6)) = 396

for the 32 subtrees from the rightmost 32 bits of C.

9.3.2 Problems of Simplification

In view of the large size of the equations involved in the problem, the simplification methods to be employed must be carefully chosen and implemented to be computationally tractable, even for a 2-round simulation.

Immediately, a Quine-McCluskey simplification may be seen to be inappropriate. The QM method requires that all prime implicants for the function be generated, and the resultant combinatorial explosion renders this impossible in our 56-variable case. For QM to be used, the expressions to be simplified must first be multiplied out into a 2-level sum-of-products form prior to simplification. While such a form is the ultimate goal form for our equations, a feasible algorithm should not expand any expression prior to exhausting all possibilities to reduce its size, due to the already unwieldy size of these expressions.

Very little information exists in the literature concerning the automated symbolic simplification of Boolean expressions. A manual application of the theorems of Boolean algebra to an expression will theoretically result in its reduction to some form of maximal simplicity, if these mathematical operations are carried out in the correct order. One problem with the automation of such a procedure is that the correct order in which to apply the algebraic theorems is often not at all clear.
The only attempt known to the author at an algorithmic specification of how such a simplification might proceed is that of Zissos [25]. Zissos presents a somewhat vague "research algorithm" for the symbolic minimization of Boolean expressions. This algorithm, while not producing a minimal form in all circumstances, has the advantage that it does not entail expansion of the original expression. Its disadvantage is that the algorithm presented is somewhat obtuse, and does not seem well suited to computerized implementation.

In order to carry out the required Boolean simplifications for the reduction of the equations embodied in the search tree, an admittedly ad hoc system of PROLOG (PROgramming in LOGic) routines was devised and implemented under UNIX on a DEC PDP 11-45 minicomputer.

PROLOG is a very high-level theorem proving language, with capabilities of automatic recursive backtracking and pattern-directed procedure invocation. In PROLOG, control is decoupled from the logic of a program, is built in to the PROLOG interpreter, and so need not be explicitly specified. A user of PROLOG simply provides truths to the interpreter in the form of Horn clause [footnote 24] axioms and implications, in a notation similar to that of first-order logic [23]. The theorem whose proof is requested is specified in a similar form, perhaps with some unbound variables, the values of which are determined in the course of satisfaction of the theorem. The linear-input resolution theorem-proving methods of Robinson [21] are then used by PROLOG to affirm the theorem by the syntactic manipulation of the facts to derive what is known as the "empty clause."

Footnote 24: A Horn clause is a conjunct of logical predicates which involve no negations.
A more detailed description of the operation of the PROLOG interpreter would serve little purpose here, and the reader is directed to the literature on the subject [23,24].

9.3.3 A PROLOG Symbolic Simplifier

For the purposes of exploring the possibility of cryptanalysis by means of solving the Boolean equations relating P, C, and K for the unknowns K, a set of PROLOG axioms and implications were developed which were capable of simplifying arbitrary multi-level Boolean expressions involving ANDs, ORs, and NOTs into a 2-level sum-of-products form. Appendix H lists these routines, and a small example of their application appears on page 239.

The simplification system relies heavily on the pattern-matching capabilities built in to the PROLOG interpreter to determine the applicability of various simplification theorems. The feature of PROLOG which permits the user to define new operators was employed to permit the PROLOG interpreter to parse well-formed Boolean formulae which contain tildes (for negation), ampersands (for conjunction) and backslashes (for disjunction).

To simplify an expression, the predicate "simplify" iteratively calls the "simp" predicate, until no further simplifying transformations may be effected. The "simp" predicate attempts to apply some simplifying transformation directly to the expression. If this is not possible, it recursively attempts to do the same for subexpressions of the original expression, until the literals of the expression are reached.

These simplifying transformations are a PROLOG encapsulation of the pertinent rules of Boolean Algebra, and are represented by the "s" and "s2" predicates which are activated by the "simp" predicate.
The first two "s" predicates represent the trivial case of the recursive simplification of expressions, a bottoming-out on literal atoms which can be simplified no further.

If these are not satisfied, the next "s" predicate checks whether the expression to be simplified is a one-level expression, i.e. whether it consists of a conjunct of disjuncts of literals. This check was added late in the development of the simplification system, as a measure to prevent the excessive use of stack space by the PROLOG interpreter in recursing down to the atomic level for all formulae. The literals in the expression are sorted alphabetically by a quicksort, and scanned to effect the transformations:

    a&~a -> 0
    a&a  -> a
    a|a  -> a
    a|~a -> 1

Should the expression not be of a single level, the next "s" predicate checks for the applicability of the involution law, and the next two attempt to apply the 2 DeMorgan laws to move negation inwards.

The last "s" predicate activates the "s2" transformation predicates to match, 2-at-a-time, the top level terms in the expression to be simplified against the forms of the remaining simplification theorems. These "s2" simplification predicates include the theorems of: idempotency, complementarity, distributivity ( (a|b)&(a|c)->a|(b&c) ), absorption, consensus, and the other distributivity theorem ( a&(b|c)->a&b | a&c ). The system attempts to apply this latter distributivity theorem to multiply conjuncts only if all other simplification theorems fail to be applicable, as it is this last theorem which can make expressions larger.

It is unfortunate that despite their sophisticated nature, these simplification predicates failed to be of much use in the cryptanalysis of DES.
The fact that the PROLOG interpreter tends to be very inefficient in its utilization of memory space restricted the application of this elegant simplification system to problems of a small "toy" nature. Despite careful use of the PROLOG cut operator (!) to remove choice points to which backtrack should never return and thereby save stack space, the very small core memory space available on the PDP 11-45 upon which the system was implemented (approximately 256k bytes) made it impossible to apply the system to equations whose size was even a factor of 100 smaller than those involved in a 2-round DES.

As a consequence of this regrettable fact, the PROLOG system was abandoned in favour of a more sophisticated search technique, implemented in a conventional language. The idea of the formulation of Boolean equations which constrain the values which the bits of K are free to assume, as presented above, is central to this new search technique.

9.4 A MODIFIED, KNOWLEDGE-INTENSIVE KEY SEARCH

Another version of a key-search procedure was developed to once again attempt to empirically demonstrate the feasibility of the attack method which involves the S-box minimizations which have been discussed. This approach utilized some of the features of the unidirectional search of the preceding chapter, combined with a better use of the available knowledge concerning P and C, to limit the search tree size, and thereby decrease the time required for such a search to within the limit of computer time available. A listing of the routines discussed in this section may be found in Appendix I.

Viewed from a high level of abstraction, the decryption procedure involves two phases.
An n-ary Boolean expression tree containing AND and OR nodes is constructed for each of the 64 bits of C, to represent the Boolean algebraic combination of bits of K required to produce the known value for each of the bits. This tree construction is performed in a top-down fashion from knowledge of value of the bit of C being considered, the particular known plaintext block P, and the details of the DES encryption algorithm.

The expression tree is then evaluated bottom-up, where in the course of the evaluation the leaves contain the restriction on K currently required, in a sum-of-products form represented as a matrix containing values '1', '0', and 'X'. Each row of such a matrix corresponds to a single p-term, in which a '1' corresponds to the presence of an uncomplemented variable, '0' to the presence of a complemented variable, and an 'X' to a "don't care", or the absence of a variable. This representation has been discussed earlier in section 5.1, and will henceforth be referred to as cube notation. ORs are evaluated by performing a specific type of "union" of the key restrictions, while ANDs are evaluated by an "intersection".

The single sum-of-products expression which results from such a traversal of the expression tree represents the disjunctive alternatives which constrain the values of the bits of K which perform the required P->C mapping under the DES algorithm. As mentioned in section 9.2, the final sum-of-products expression will consist of a single p-term if and only if a K which maps P->C for the given P-C pair analyzed is unique. With a DES of only 2 encryption rounds, it is possible that many different K could perform the required mapping.
9.4.1 AND/OR Expression Tree Formation

Given the values of the bits in a plaintext block P, and the value of a particular bit in some known position of C, it is possible to construct an AND/OR expression tree at the leaves of which reside the necessary constraints on a key K so that K:P->C. If 64 such expression trees are constructed, one for each bit position in C, and the key constraints implied by each are ANDed, the key K required to map the 64 bit quantity P to the 64 bit quantity C is uncovered. A description of the technique whereby each of these 64 trees may be produced through knowledge of the details of the encryption process follows.

Consider some bit position of the ciphertext, such as the last bit, 64. Assuming our usual model of a 2-round DES with no IP or $IP^{-1}$ permutations, and QM-minimized representation of the S-boxes and their complements, this is the 32nd bit of the R block at encryption round 2, which we shall denote $R2_{32}$. Using the DES equation relating R at some round n to L and R at round n-1, we see that:

$$R2_{32} = L1_{32} \oplus f_{32}(R1,K2) = R0_{32} \oplus f_{32}(R1,K2) \qquad (1)$$

by the other DES equation, where $f_{32}$ denotes the 32nd bit of output from the f function as described in Figure 2 of FIPS Publication 46 [26]. Rearranging equation (1) yields:

$$f_{32}(R1,K2) = R2_{32} \oplus R0_{32} \qquad (2)$$

where the right hand side of this equation is known, as $R0_{32}$ is just the 32nd bit of the R block of the plaintext P.

To determine which inputs X to the bank of S-boxes fix the output of the f function, the inverse of the DES P permutation (footnote 25) and the structure of the bank of S-boxes must be considered. Bit position 32 mapped through the inverse of the P permutation yields 25, which indicates that output 25 of the bank of S-boxes is involved. This is the 1st output of S-box 7.
The value of this S-box function may be seen to be controlled by inputs $X_{36}$ to $X_{41}$ of the bank of S-boxes. The (known) bit value 1 or 0 of the right hand side of equation (2) determines whether the minimal representation for S-box 7 output 1 or the representation for its complement should be employed, respectively. Whichever should be used, the first 2 levels (OR, then AND) of the AND/OR tree to be constructed can now be established. For the purposes of this illustrative example, assume that the right hand side of equation (2) has the value 1. The QM-minimized representation of S-box 7 output 1 (uncomplemented) begins (in cube notation):

010100
011101
111100
X10000
...

This implies that:

$$
\begin{aligned}
&X2_{36}'\,X2_{37}\,X2_{38}'\,X2_{39}\,X2_{40}'\,X2_{41}' \;+\\
&X2_{36}'\,X2_{37}\,X2_{38}\,X2_{39}\,X2_{40}'\,X2_{41} \;+\\
&X2_{36}\,X2_{37}\,X2_{38}\,X2_{39}\,X2_{40}'\,X2_{41}' \;+\\
&X2_{37}\,X2_{38}'\,X2_{39}'\,X2_{40}'\,X2_{41}' \;+ \ldots + \ldots
\end{aligned}
\qquad (3)
$$

This expression may be represented as an AND/OR tree of 2 levels, with the X literals currently at the leaves of the tree (Figure 10 (b)).

Footnote 25: Do not confuse the permutation P of the outputs of the S-boxes with the 64 bit block of plaintext P. When P the permutation is meant, the word "permutation" will always be specified.

Examination of DES to ascertain how the value of an input to the S-boxes, such as $X2_{36}'$, is determined, in order to further expand the X variables currently at the leaves of the developing tree, reveals that such Xs are the result of the XOR of a particular bit of R1 with a bit of K. Application of the inverse of the DES E permutation shows that $R1_{21}$ is XORed with the bit of K produced by the key schedule generator in round 2, position 36 (which happens to be $K_7$), to produce $X2_{36}'$, i.e. key bit 7. Thus, $X2_{36}' = 1$ implies:

$$(R1_{21} \oplus K_7)' = 1 \quad\text{or}\quad R1_{21}K_7 + R1_{21}'K_7' = 1 \qquad (4)$$

Equation (4) allows the construction of another 2 levels of the AND/OR expression tree.
The $X2_{36}'$ variable currently occupying a leaf of the developing tree is replaced by the OR of two ANDs, with $R1_{21}$ and $R1_{21}'$ as new variables now at the leaves of the tree, and $K_7$ as a key bit constraint at what will remain a leaf of the tree (Figure 10 (c)). $R1_{21}$ and the other R1 variables which appear at the leaves of the tree as a result of expanding other X variables are then themselves expanded by the same method as was used to expand the original R2 variable.

This process of tree expansion terminates after all X1 variables, i.e. representations of inputs to the S-boxes at encryption round 1, are expanded. To clearly perceive why this is so, suppose $X1_{36}$ is at a leaf of the expanding AND/OR tree. As $X1_{36} = 1$ implies:

$$R0_{21} \oplus K_7 = 1$$

and as the values of all positions of R0 are known (R0 is simply the right half of the block of plaintext P), the value of $K_7$ is thus fixed, and the variable $X1_{36}$ may be replaced by the key bit constraint which fixes forever $K_7 = 0$. Through the application of such an expansion procedure, all leaves of the AND/OR search tree are eventually made to contain key bit constraints, and a tree as in Figure 10 (d) is formed.

9.4.1.1 Implementation of the Tree Formation Algorithm

The above procedure for producing the AND/OR expression tree corresponding to a particular bit of C was implemented as a recursive APL procedure, BUILDSUB (Appendix I, page 240). As Figure 10(d) illustrates, the search tree for a bit of C encrypted through 2 DES rounds has only 7 levels, and so should be built in a depth-first, as opposed to a breadth-first fashion, as such a tree may have a branching factor as high as 23 in some places (footnote 26).

Footnote 26: Recall that S-box approximations have up to 23 disjunctive p-terms.
In order to maximize the speed of execution, the recursive tree building routine was written as a single procedure instead of as a set of mutually-recursive modules. The BUILDSUB routine is passed a character type code to indicate what structure is being expanded, as well as the round of encryption at which the structure occurs (2 or 1, for our simplified DES), and the position in the parallel vectors representing the tree at which the structure is to be placed. Upon entry into the routine, a branch is taken to the section of the program corresponding to the type of structure being expanded: output from the S-bank, input to an S-box, etc.

APL was chosen as the language for these tree routines, as earlier experience had demonstrated that the capacity to perform interactive debugging of programs which deal with large and complex tree structures was invaluable. The fact that APL lacks a built-in capacity for the indirect referencing of memory locations (pointer types) did not cause any problems in the implementation of the routines to handle the AND/OR tree construction and traversal, as these algorithms require no subsequent modifications to the initial structure of these trees.

The tree nodes are represented in APL across corresponding fields of a set of parallel vectors. When BUILDSUB creates a tree in a depth-first top-down recursive manner, gaps are left in the required places in the vectors, to be filled in later in the recursion.

For example, suppose an AND node is to be created, to point to 6 children corresponding to non-don't-care positions in some p-term. The next free slot in the set of parallel vectors is located, and the global "free" pointer for these vectors incremented by 6 positions. Depth-first recursion then occurs to expand the first of the non-don't-care literals in what was formerly the first free slot.
Eventually, when this recursion returns, a loop continues, to expand the second literal in the slot immediately after what was originally the free slot. The automatic stacking of local variables permits the former "free" location to be retained, while the depth-first recursion is building parts of the tree at lower levels.

Although the above description indicates that the entire AND/OR tree is built in memory prior to its traversal, there is no reason why the tree could not be traversed depth-first, while it is being built. Such an implementation, while conceptually more complex than the method presented above, would have the advantage of requiring far less memory space.

The results of executing BUILDSUB to build the AND/OR expression tree which captures the required key bit constraints on bit 1 of the ciphertext C which results from encrypting a plaintext block which consisted entirely of 0-bits under a key of 56 0-bits are somewhat remarkable. The routine required just over 4 minutes of CPU time on an Amdahl 470/V8 using the IBM program IKJETF01 for batch APL execution, and produced an AND/OR tree containing 20082 nodes, 16382 of which were leaves (which contain single key bit hypotheses). Although no statistical analysis of the situation was attempted, due to the extremely complex non-uniform discrete distribution nature of the problem, the size of this tree was significantly less than the maximum possible size of 148326 nodes (section 9.3.1) engendered by the worst-case branching factor of 23. Further trials of search tree formation have indicated that an AND/OR tree size on the order of 20000 nodes is typical for a 2-round DES, when using Quine-McCluskey-minimized S-boxes.
This means that in practice, search tree sizes on the order of one seventh of the theoretical worst-case maximum size may be expected. If it is granted that key trial effort is comparable to that needed for the expansion and traversal of a tree node, the cryptanalytic method of tree search presented here is faster than exhaustive key search.

The processing time requirements for this tree construction rendered it impossible to construct trees for each of the 64 bits of C, using these APL routines. PL/I procedures are currently being devised for these purposes.

9.4.2 AND/OR Expression Tree Traversal

Once a tree as in Figure 10 (d) has been constructed, its recursive traversal to simplify the embodied constraint expression on K is a trivial matter. As the tree may be seen to possess only 7 levels for a 2-round DES (although it is quite wide), a standard depth-first recursive traversal for the purposes of evaluating the key constraints described in the tree is computationally tractable. As the tree is evaluated, key constraints expressed in cube notation must be ORed and ANDed together. Efficient algorithms for performing such logical operations on 2-level sum-of-product forms were developed, and are presented in the following sections.

The APL routine TRAVERSE constitutes a conventional implementation of the technique of depth-first tree traversal. The routine is passed a single argument: the location in the parallel vectors at which the node to be expanded is located. If the node represents a key bit constraint, i.e. the node is a leaf of the tree, the constraint is returned as the result. Otherwise, if the node is an AND or OR node, recursion occurs to apply the required logical operation to all children of the node.
An example of the traversal of a small (63 node) AND/OR tree (printed out by the PP function) may be seen at the end of Appendix I, page 249.

9.4.2.1 OR-merging of Sum-of-Products Expressions

An OR-merging of a pair of Boolean expressions A and B in sum-of-products form is performed by considering all p-terms in either expression as a single set, and removing from this set those p-terms which are redundantly represented (footnote 27). A p-term is said to be redundant if removing it from the cover C of the switching function in which it is a p-term does not alter C's status as a cover of the function.

The algorithm assumes that no p-terms in either A or B are redundant to begin with. Specifically, within either of the expressions to be merged, no 2 p-terms exist which differ only by one having X(s) (don't care(s)) where the other has 1s or 0s. For example, it would be impossible for p-terms X01 and 101 to both exist in one expression; the latter is redundant, as b'c+ab'c = b'c.

When the 2 sets of p-terms are unioned to form the OR of expressions A and B, redundant p-terms must be removed from the union, to make the resulting sum-of-products expression minimal. To accomplish this, a special representation of the p-terms was discovered, and employed together with the algorithm of Mott [15] for discovering consensus terms. We call some p-term c the consensus term for terms a and b if c->a|b.

Footnote 27: A special case for "don't cares" also requires the modification of some p-terms which are retained during the merge.

Mott's algorithm for consensus terms may be employed to OR two Boolean expressions in the following manner. The set of all p-terms in either expression is a (non-minimal) expression for the required OR. Form all possible consensus terms obtainable from pairs of p-terms in either function, and replace one or both of these p-terms with any consensus term which covers it/them. This process of attempting to form consensus terms is repeated for all pairs of p-terms selected such that one p-term comes from each of the 2 expressions to be ORed, and continues until no more consensus terms can be formed.

By using a representation for p-terms different from the cube notation discussed earlier, both processing time and memory space may be conserved. Since any variable in a p-term is in one of 3 different states ('1', '0', or 'X'), it is wasteful to use a character representation (1 byte) to store such variables. Two bits suffice to distinguish between 4 states, and if the assignment of bit configurations to such variable states is done cleverly, substantial computational time savings may be achieved when ORing and ANDing expressions in this notation. Such time savings result from the ability of a computer based on a k bit wide processor to OR or AND together 2 strings of k bits in a single processor cycle.

Let '0' be represented by the pair of bits (0,1), '1' by (1,0), and 'X' by (0,0). Any p-term of k variables may then be represented as 2 parallel bit strings of length k: n1 to represent the bits occurring first in each pair, and n2 to represent the bits occurring second. As an example of this scheme, the p-term x='010X1' may be represented by 2 bit strings of length 5, x_n1=01001 and x_n2=10100.

To form the OR of expressions A and B, compare each p-term ai in A with each p-term bi in B, where each of these p-terms is represented as a pair of bit strings n1 and n2 as described above. Initially, all p-terms in either A or B are considered to be terms present in the OR, but terms are removed or modified during the process of the pairwise comparison by means of the following algorithm to be applied for each pair ai, bi:

1. Form the potential consensus term c where the string n1 for c is produced by ORing the corresponding bits in the n1 strings for ai and bi, and the n2 string for c is formed as an OR of the n2 strings. That is:

   c_n1 = ai_n1 | bi_n1
   c_n2 = ai_n2 | bi_n2

2. If c is identical to ai in all bit positions in both strings n1 and n2 (footnote 28), then ai may be deleted from the OR as ai is redundant with respect to bi; bi covers ai. The symmetric situation exists if c<=>bi. This can only occur when the differences between the p-terms ai and bi are such that ai has X's wherever bi has literals. In such a case, ai covers bi. Consider

   ai='0XX1'   bi='0101'

   Using our new representation,

   ai_n1=0001   ai_n2=1000
   bi_n1=0101   bi_n2=1010
   so
   c_n1=0101    c_n2=1010

   and we see that c<=>bi; ai covers bi.

   Footnote 28: We shall write this as c<=>ai.

3. Otherwise, check to see if c is a consensus term. If the bitwise AND of c_n1 with c_n2 contains exactly one 1-bit, then c is a consensus term. The examination of a bit string to determine if that bit string has precisely one 1-bit may be performed in a computationally efficient manner by seeing if (c_n1 & c_n2) & ((c_n1 & c_n2)-1) = 0. For example, let:

   ai='010'   bi='000'

   Then in the new notation:

   ai_n1=010   ai_n2=101
   bi_n1=000   bi_n2=111
   so:
   c_n1=010    c_n2=111
   c_n1 & c_n2 = 010

   As this string has precisely one 1-bit, c is a consensus term. If c is not a consensus term, it is known immediately that both ai and bi must be retained so far in the OR-merge.

   If c has been discovered to be a consensus term, it must be determined which of the p-terms ai and bi (if any) this consensus term covers. The bit string (c_n1 & c_n2) is subtracted from both c_n1 and c_n2 to "turn off" bits related to the consensus variable. When performed on the above example, c is left as c_n1=000 c_n2=101. The original operation of ORing n1 and n2 bit strings (as described in step 1) is then applied again between this modified c and both the original ai and the original bi to form 2 new pairs of strings, ai' and bi' respectively.

   (a) If ai'<=>ai and bi'<=>bi, then remove ai and replace bi with c. This situation arises when the p-terms ai and bi differ in exactly one bit position, and neither p-term is 'X' in that position.
   (b) Else if ai'<≠>ai and bi'<=>bi, then replace bi with c.
   (c) Else if ai'<=>ai and bi'<≠>bi, then replace ai with c.
   (d) Otherwise, retain both ai and bi.

The iterative application of this algorithm between all pairs of p-terms ai and bi produces a minimal OR of the expressions A and B. An APL implementation of this algorithm may be found in Appendix I, under the name 'OR'.

9.4.2.2 AND-merging of Sum-of-Products Expressions

In order to be able to AND together Boolean expressions in sum-of-products form, it is necessary to be able to AND p-terms. It is convenient that the bit-string representation for p-terms developed in section 9.4.2.1 above permits a computationally-efficient method for this ANDing. To AND p-terms ai and bi, we form:

   c_n1 = ai_n1 | bi_n1
   c_n2 = ai_n2 | bi_n2

by a bitwise OR as is done in step 1 of the OR algorithm. If there is a 1-bit in any bit position of the bit string (c_n1 & c_n2), then the AND of p-terms ai and bi is null, as in some position ai (in cube notation) has a '1' where in the same position bi has a '0' (or vice versa), and as for any x, x & x'=0. Otherwise, c represents the new p-term resulting from the AND of ai and bi, and is to be retained.

In ANDing two sum-of-products expressions, the above procedure to AND a pair of p-terms is employed together with the previously-discussed OR algorithm, in the following manner.
The AND of expressions A and B is the AND of p-term a1 with the expression B, ORed with the AND of a2 with B, and so forth. Algebraically:

   AB = (a1+a2+...+an)B = a1B+a2B+...+anB

The AND of a term ai with an expression B may be seen similarly to be the AND of ai with b1, ORed with the AND of ai with b2, etcetera. That is:

   aiB = ai(b1+b2+...+bn) = aib1+aib2+...+aibn

As a consequence of this, the AND procedure calls the OR procedure repeatedly. The APL implementation of this algorithm may be seen in Appendix I, under the function name 'AND'.

Chapter X

CONCLUSIONS

The DES cryptographic system has been investigated, and the strength of the cipher found to lie in the S-box components. The S-boxes were examined for the existence of structural symmetries by the methods of McCluskey [12], and none were discovered.

The principal direction of this thesis has been to map the cryptanalytic problem into a domain for which powerful algorithmic and heuristic methods exist. Specifically, the discovery of the bits of K under known plaintext attack assumptions has been viewed as a problem in search, for which conventional search trees may be constructed and traversed.

The worst-case size of a bidirectionally-searched AND/OR tree which stored key hypotheses at the leaves to avoid backtrack was shown theoretically in section 9.1 to be on the order of the key space size. The results of experimentation with such trees for a 2-round DES model (section 9.4.1.1) have indicated that in practice, tree sizes on the order of one seventh of the worst case theoretical maximum can be expected.
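The following Python code is an added example, not the thesis's APL routines from Appendix I: it implements the (n1, n2) p-term encoding, the pairwise OR-merge of section 9.4.2.1, the AND-merge of section 9.4.2.2 and the depth-first evaluation of section 9.4.2. The function names, the brute-force `minterms` check and the 3-variable tree of key-bit constraints are assumptions constructed for illustration.

```python
# Added example: p-terms as (n1, n2) bit-string pairs, per section 9.4.2.1.
# '1' -> (1,0), '0' -> (0,1), 'X' -> (0,0); an expression is a list of pairs.

def encode(cube):
    """Cube notation such as '010X1' -> (n1, n2) integers, leftmost variable = MSB."""
    n1 = n2 = 0
    for ch in cube:
        n1 = (n1 << 1) | (ch == '1')
        n2 = (n2 << 1) | (ch == '0')
    return n1, n2

def decode(term, k):
    """(n1, n2) -> cube notation over k variables."""
    n1, n2 = term
    return ''.join('1' if (n1 >> i) & 1 else '0' if (n2 >> i) & 1 else 'X'
                   for i in range(k - 1, -1, -1))

def join(a, b):
    """Step 1 of the OR algorithm: OR the n1 strings and the n2 strings."""
    return a[0] | b[0], a[1] | b[1]

def and_terms(a, b):
    """AND of two p-terms; None when some variable is '1' in one and '0' in the other."""
    c = join(a, b)
    return None if c[0] & c[1] else c

def merge_pair(a, b):
    """Steps 1-3 and cases (a)-(d) for one pair; None in a slot means 'delete'."""
    c = join(a, b)
    if c == a:                        # b covers a (also catches a == b)
        return None, b
    if c == b:                        # a covers b
        return a, None
    clash = c[0] & c[1]               # positions where a and b are opposed
    # x & (x - 1) == 0 also holds for x == 0, so rule out "no clash" explicitly.
    if clash == 0 or clash & (clash - 1):
        return a, b                   # not a consensus term: keep both
    c = (c[0] - clash, c[1] - clash)  # turn the consensus variable into 'X'
    covers_a, covers_b = join(c, a) == a, join(c, b) == b
    if covers_a and covers_b:
        return None, c                # case (a)
    if covers_b:
        return a, c                   # case (b)
    if covers_a:
        return c, b                   # case (c)
    return a, b                       # case (d)

def or_merge(A, B):
    """OR of two sum-of-products expressions; repeats until no pair changes."""
    A, B = list(A), list(B)
    changed = True
    while changed:
        changed = False
        for i, a in enumerate(A):
            for j, b in enumerate(B):
                na, nb = merge_pair(a, b)
                if (na, nb) != (a, b):
                    A[i:i + 1] = [] if na is None else [na]
                    B[j:j + 1] = [] if nb is None else [nb]
                    changed = True
                    break
            if changed:
                break
    return list(dict.fromkeys(A + B))     # drop exact duplicates, keep order

def and_merge(A, B):
    """AB = a1B + a2B + ..., each aiB = ai b1 + ai b2 + ...; OR-merged as it grows."""
    result = []
    for a in A:
        for b in B:
            c = and_terms(a, b)
            if c is not None:
                result = or_merge(result, [c])
    return result

def traverse(node):
    """Depth-first evaluation of an AND/OR tree; leaves are cube strings."""
    if isinstance(node, str):
        return [encode(node)]
    op, children = node
    merged = traverse(children[0])
    for child in children[1:]:
        merged = (or_merge if op == 'OR' else and_merge)(merged, traverse(child))
    return merged

def minterms(expr, k):
    """Brute-force truth set over k variables, used only to check the merges."""
    return {v for v in range(1 << k)
            if any(v & n1 == n1 and v & n2 == 0 for n1, n2 in expr)}

# Constructed tree over 3 hypothetical key bits: (K1 K2' + K1' K2) AND (K2 + K3)
TREE = ('AND', [('OR', [('AND', ['1XX', 'X0X']), ('AND', ['0XX', 'X1X'])]),
                ('OR', ['X1X', 'XX1'])])

if __name__ == '__main__':
    print([decode(t, 3) for t in or_merge([encode('010')], [encode('000')])])
    print([decode(t, 3) for t in traverse(TREE)])
```

Run directly, it prints `['0X0']` for the consensus example of step 3 ('010' OR '000') and `['101', '01X']` for the constructed tree.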
If it is accepted that the amount of effort to expand a node is less than that involved in a key trial in exhaustive key search, and given that sufficient memory capacity exists to store the mating halves of the bidirectional search tree, the cryptanalytic technique of bidirectional tree search represents an improvement over that of exhaustive key search.

In the course of developing a tractable search procedure for K, compact representations for the functions embodied by the S-boxes have been developed. At first, conventional functional-domain logical minimization techniques such as the Quine-McCluskey procedure [13,16] were applied to the S-boxes. The minimized S-box functions which resulted were theoretically shown to permit a small (and not large enough) reduction in the search tree size. More sophisticated spectral-domain minimization techniques [7,8,9,10] were then programmed and applied to the S-boxes, and these resulted in a far greater degree of simplification of the S-box functions.

Several attempts to demonstrate the usefulness of such minimal S-box representations in limiting the time required to uncover K through the upper-bounding of the search tree branching factor in a 2-round model of DES were programmed, in a variety of computer languages.

The first of these, a unidirectional key search procedure written in PL/I, failed to operate in tractable time on even a 2-round DES. Even when an initial oversight concerning the expansion of a subtree to represent the output of the DES f function with a value of 0 was corrected, the program still could not discover K within reasonable computer time limits. It was eventually discovered that the failure of this initial approach to key search could be attributed to two independent aspects of the search procedure.
Firstly, even the linearization of the S-boxes did not sufficiently reduce the search tree branching factor to make a unidirectional key search tractable. Secondly, the maintenance of a single globally-posted hypothesis for K which was modified as contradictions in key bit values arose anywhere in the tree caused an excessive backtrack "thrashing" behavior in the search procedure.

It was demonstrated that the former problem could be overcome by searching the tree bidirectionally to greatly reduce the number of nodes which would have to be expanded. The latter problem was avoided by utilizing a more sophisticated search tree structure, the AND/OR tree. With key constraints stored locally at the tree leaves, backtracking was avoided as each node was visited only once as the tree was traversed.

After a theoretical investigation of the potential advantages of a bidirectional search procedure to expand the search tree in two directions, from both P and C, simultaneously, a realization of the uniform structure of the search tree led to an ability to formulate the cryptanalytic problem as a set of Boolean equations to be solved. Essentially, the search tree could be "flattened", to reduce the problem of the discovery of K to that of the symbolic simplification of Boolean equations.

Although this approach initially appeared attractive due to its mathematical flavour, it was only useful insofar as it led to the development of the AND/OR tree methods. The connection between these two methods may be clearly perceived if one views an AND/OR tree as a pre-parsed Boolean expression containing only the Boolean constants 1 and 0 (no variables).
In retrospect, it may be seen as foolhardy to flatten a tree and remove its structure in order to represent it mathematically, when the structure must be recovered in order to symbolically simplify the expressions represented by the tree.

Before this was realized, a series of PROLOG routines were written to symbolically apply rules of Boolean algebra to simplify Boolean expressions which contain variables, ANDs, ORs, and NOTs. Initially, it was believed that the constraints on bits of K required for a bit of C to have the appropriate value, when formulated as a Boolean expression, could be reduced by this PROLOG system to produce K. Unfortunately, the very limited non-virtual memory of the DEC machine on which the routines were implemented led to a failure of this approach to provide any useful results. In view of the recursive implementation of PROLOG, a vast amount of memory would be required in order to simplify the key constraint expressions for even a 2-round DES.

From ideas about key constraint made evident by the PROLOG approach, a modification of the original search procedure was produced, written in APL. This approach generated an AND/OR expression tree for the key constraint expressions mentioned above, and then traversed this tree in a recursive top-down fashion, maintaining key hypotheses locally at the leaves as the tree was being traversed. These hypotheses were OR-merged or AND-merged by fast algorithms at appropriate nodes, to accomplish the evaluation of the search tree and uncover K.

In a number of trials, this method (employed unidirectionally) managed to discover the key K used for encryption with a 2-round DES.
This AND/OR tree search benefits from the reduction in branching factor resulting from the use of the linearized S-boxes, and also could be performed in a bidirectional fashion, although this was never programmed. Even more significantly, experimentation with this search procedure indicated that such trees tend to possess approximately one seventh of the worst-case maximum possible number of nodes.

At least in the case of a 2-round model, the potential vulnerability of DES to methods of key search combined with appropriate S-box representations has been empirically demonstrated. Work continues towards the development of more computationally-efficient routines written in lower-level languages to experiment more fully with 2-round DES decryptions.

It is recommended that the DES algorithm be strengthened in one or more of the following simple ways, to reduce its susceptibility to the attacks outlined in this thesis. Increasing the number of layers of encryption in the algorithm by even a few should make the search tree sufficiently large to render key search as intractable as exhaustive key trials, as the tree grows exponentially in the number of layers of encryption, and it is only marginally small enough in its current form to permit our search methods to be applicable. A more complex use of the bits of K in the course of encryption would also present difficulties to the attack presented in this thesis. For instance, a concatenation of bits of K with developing L and R blocks at each level could serve to confound our method of cryptanalysis, by introducing far more complex constraint conditions on K.
Finally, as other researchers in the area have indicated [2], increasing the length of K would also make DES more resistant to cryptanalytic attack. However, this would only cause the tree size to grow linearly with the increase in K size, whereas the addition of further rounds of encryption engenders an exponential growth in search tree size.

REFERENCES

1. Coppersmith, D. & Grossman, E. Generators for Certain Alternating Groups with Applications to Cryptography. SIAM J. Appl. Math. 29, #4, Dec. 1975, pp. 624-627.
2. Diffie, W. & Hellman, M. Exhaustive Cryptanalysis of the NBS DES. Computer #10, June 1977.
3. Diffie, W. & Hellman, M. New Directions in Cryptography. IEEE Trans. on Info. Th. IT-22 #6, Nov. 1976, pp. 644-654.
4. Feistel, H. Cryptography and Computer Privacy. Scientific American, Vol. 228, May 1973, pp. 15-23.
5. Hellman, M. et al. Results of an Initial Attempt to Cryptanalyze the NBS DES. Tech. report SEL 76-042, Stanford University, 1976.
6. Hellman, M. A Cryptanalytic Time-Memory Tradeoff. IEEE Trans. on Info. Th., 1980.
7. Hurst, S.L. (ed.) Conference: Recent Developments in Digital Logic Design. Conference Proceedings, University of Bath, Claverton Down, Bath, Sept. 1977, pp. 1.0-2.19.
8. Hurst, S.L. Logical Processing of Digital Signals. Crane Russak, New York, 1978.
9. Hurst, S.L., Miller, D.M. & Muzio, J.C. Spectral Method of Boolean Function Complexity. Electronics Letters, Vol. 18, #13, June 1982, pp. 572-573.
10. Karpovsky, M.G. Finite Orthogonal Series in the Design of Digital Devices. John Wiley & Son, New York, 1976.
11. Knuth, D.E. The Art of Computer Programming: Sorting and Searching. Addison-Wesley, Mass., 1969.
12. McCluskey, E.J. Determination of Group Invariance or Total Symmetry of a Boolean Function. BSTJ Vol. 35, #5, Nov. 1956, pp. 1445-1453.
13. McCluskey, E.J. Minimization of Boolean Functions. BSTJ Vol. 35, #5, Nov. 1956, pp. 1417-1444.
14. Miller, D.M. & Muzio, J.C. Detection of Symmetries in Totally Specified or Partially Specified Combinational Functions. Computers and Digital Techniques, Vol. 2, #5, Oct. 1979, pp. 203-209.
15. Mott, T.H. Determination of the Irredundant Normal Forms of a Truth Function by Iterated Consensus of the Prime Implicants. IRE Transactions on Electronic Computers, June 1960, pp. 245-252.
16. Mowle, F.J. A Systematic Approach to Digital Logic Design. Addison-Wesley, New York, 1976.
17. Muzio, J.C., Miller, D.M. & Hurst, S.L. Multi-variable Symmetries and Their Detection. Unpublished.
18. Nilsson, N.J. Problem-Solving Methods in Artificial Intelligence. McGraw Hill, New York, 1971.
19. Pohl, I. Bidirectional and Heuristic Search in Path Problems. Stanford Linear Accelerator Center Report, #104, May 1969.
20. Rivest, R.L. et al. A Method for Obtaining Digital Signatures and Public Key Cryptosystems. CACM Vol. 21, #2, Feb. 1978, pp. 120-126.
21. Robinson, J.A. A Machine-Oriented Logic Based on the Resolution Principle. JACM Vol. 12, #1, January 1965, pp. 23-41.
22. Shannon, C.E. Communication Theory of Secrecy Systems. BSTJ Vol. 28, Oct. 1949, pp. 656-715.
23. Van Emden, M.H. & Kowalski, R.A. The Semantics of Predicate Logic as a Programming Language. JACM Vol. 23, 1976, pp. 733-742.
24. Warren, D., Pereira, L.M. & Pereira, F. PROLOG - The Language and its Implementation Compared with LISP. SIGPLAN Notices (ACM), Vol. 12, #8.
25. Zissos, D. & Duncan, F.G. Boolean Minimization. British Computer Journal, Vol. 16, #2, 1972, pp. 174-179.
26. Federal Information Processing Standards Publication. Announcing the Data Encryption Standard. FIPS PUB 46, Jan. 1977.

TABLE 1 - MINIMAL SUM OF PRODUCT TERMS FOR EACH S-BOX AND OUTPUT.
- terms are 'ranked' by weight of contribution to correct s-box output

S-BOX NUMBER 1

-- output 1 --    -- output 2 --    -- output 3 --    -- output 4 --
TERM    CONTR.    TERM    CONTR.    TERM    CONTR.    TERM    CONTR.
X1X010  0.562     X00X00  0.562     0010XX  0.562     00X10X  0.562
X1X111  0.562     0X010X  0.562     0100XX  0.562     X1X000  0.562
000X00  0.531     1X000X  0.562     X10X11  0.562     0110XX  0.562
X00011  0.531     10X00X  0.562     010X00  0.531     11XX00  0.562
X11001  0.531     01X110  0.531     10X100  0.531     110X0X  0.562
10X011  0.531     01X011  0.531     X11101  0.531     X011X1  0.562
001X01  0.531     11110X  0.531     11011X  0.531     0001X0  0.531
001X10  0.531     1X1111  0.531     00X000  0.531     0X1010  0.531
00X100  0.531     00X010  0.531     00X011  0.531     1X1000  0.531
010X01  0.531     000X11  0.531     001X00  0.531     1X0001  0.531
010X10  0.531     001X01  0.531     10X111  0.531     011X10  0.531
100X01  0.531     X00011  0.531     101X10  0.531     1101X0  0.531
1001X0  0.531     1010X0  0.531     11X000  0.531     1100X1  0.531
X01110  0.531     110X10  0.531     1101X1  0.531     10111X  0.531
110X00  0.531     11011X  0.531     11100X  0.531     101X11  0.531
11001X  0.531     011000  0.516     1X1010  0.531     1X1111  0.531
101000  0.516                       000101  0.516     0X1101  0.531
                                    100001  0.516     000011  0.516
                                    011110  0.516     100010  0.516
                                                      010111  0.516

TERMS IN OUTPUT 1 = 17   OUTPUT 2 = 16   OUTPUT 3 = 19   OUTPUT 4 = 20

S-BOX NUMBER 2

-- output 1 --    -- output 2 --    -- output 3 --    -- output 4 --
TERM    CONTR.    TERM    CONTR.    TERM    CONTR.    TERM    CONTR.
X00011  0.531     0X100X  0.562     00X00X  0.562     X0X001  0.562
001X01  0.531     00X11X  0.562     0010XX  0.562     10X1X0  0.562
1X0010  0.531     1101XX  0.562     X0100X  0.562     X11X11  0.562
101X00  0.531     00X000  0.531     X01X11  0.562     0X00X0  0.562
100X01  0.531     010X10  0.531     001X00  0.531     111X1X  0.562
0011X1  0.531     011X00  0.531     100X10  0.531     00X010  0.531
10X011  0.531     000X11  0.531     0X0111  0.531     010X10  0.531
000X00  0.531     0001X1  0.531     1100X1  0.531     000X11  0.531
0X0110  0.531     01X001  0.531     X11110  0.531     0X1100  0.531
01X000  0.531     10X010  0.531     111X10  0.531     01X101  0.531
X10001  0.531     110X00  0.531     00011X  0.531     X00111  0.531
X10111  0.531     0X1111  0.531     011X01  0.531     1010X1  0.531
X11101  0.531     11X110  0.531     10010X  0.531     11X000  0.531
X11110  0.531     10X100  0.531     11X101  0.531     110X01  0.531
X00110  0.531     1X1011  0.531     1X0110  0.531
X11000  0.531     1X1101  0.531     1111X0  0.531
11111X  0.531     110X11  0.531     010010  0.516
001010  0.516     100001  0.516     010100  0.516
110100  0.516
011011  0.516

TERMS IN OUTPUT 1 = 20   OUTPUT 2 = 18   OUTPUT 3 = 18   OUTPUT 4 = 14

S-BOX NUMBER 3: [table entries illegible in the scanned source]

S-BOX NUMBER 4

-- output 1 --
TERM    CONTR.
X1X111  0.
5 6 2 0 1 1X 1X 0 . 5 6 2 O O O O 1 X 0 . . 5 3 1 0 X 0 1 0 0 0 . . 5 3 1 0 1 1 0 X 0 0 . 5 3 1 X O O O 1 1 0 . 5 3 1 0 1 1 1 X 1 0 . 5 3 1 1 1 0 1 1 X 0 . 5 3 1 0 0 0 X 0 1 0 . 5 3 1 0 X 1 0 1 1 0 . 5 3 1 0 0 1 1 xo 0 . 5 3 1 1 0 0 X 0 0 0 . 5 3 1 1 0 1 0 X 0 0 . 5 3 1 101x01 0 . 5 3 1 1 0 1 1 1X 0 . 5 3 1 1 1 0 0 0 X 0 . 5 3 1 1 X 1 0 0 1 0 . 5 3 1 1 1 1 1 0 0 0 . 5 1 6 - - o u t p u t 2 - -T E R M C O N T R . X 1X 1 1 0 0 . 5 6 2 O O O X O O o . 5 3 1 1 1 X 0 0 0 0 . . 5 3 1 0 1 1 1 0 X 0 . 5 3 1 1 0 1 1 0 X 0 . . 5 3 1 0 0 X 0 0 1 0 . 5 3 1 0 0 X 0 1 0 0 . . 5 3 1 0 X 0 1 1 1 0 . 5 3 1 0 0 1 0 1 X o. 5 3 1 0 1 0 0 X 1 0 . 5 3 1 O X 1 0 1 0 0 . 5 3 1 1000ix 0 . 5 3 1 X 0 0 1 1 1 0 . 5 3 1 1 0 1 X 0 0 0 . 5 3 1 1 0 1 1 X 0 0 . 5 3 1 1 1 X 0 1 1 0 . 5 3 1 1 1 1 0 0 X 0 . 5 3 1 1 1 1 1 1X 0 . 5 3 1 1 1 0 1 0 1 0 . 5 1 6 - - o u t p u t 3 - -T E R M C O N T R 0 0 1 X 1 X 0 . 5 6 2 1 0 0 0 X X o . 5 6 2 0 1 0 0 1 X 0 . 5 3 1 O X 1 1 1 0 0 . 5 3 1 0 0 0 X 0 0 0 . 5 3 1 0 X 0 1 0 1 0 . 5 3 1 O O O 1 X 0 0 . . 5 3 1 X 0 1 0 0 1 0 . . 5 3 1 X 1 1 0 1 1 0 . 5 3 1 X 1 1 1 0 1 0 . . 5 3 1 1 X 0 1 1 1 o. 5 3 1 1 X 1 0 1 0 0 . 5 3 1 1 1 0 X O O 0 . 5 3 1 1 1 0 1 X 0 0 . 5 3 1 1 1 X 1 1 1 0 . 5 3 1 0 1 1 0 0 0 0 . 5 1 6 1 0 1 1 0 0 0 . 5 1 6 - - o u t p u t 4 - -T E R M C O N T R X 1 X 0 0 0 0 . 5 6 2 1 1 0 X 0 X 0 . 5 6 2 X 0 1 1 0 0 0 . 5 3 1 0 1 1 0 0 X 0 . 5 3 1 1 1 0 0 X 0 0 . 5 3 1 1 0 1 1 0 X 0 . 5 3 1 1 X 1 0 1 1 0 . . 5 3 1 1 1 0 1 X 1 0 . . 5 3 1 0 0 0 0 X 0 0 . 5 3 1 0 0 0 X 0 1 0 . 5 3 1 O X 0 1 1 0 0 . 5 3 1 O O X 1 1 1 0 . 5 3 1 0 0 1 X 1 1 0 . 5 3 1 0 1 1 1 1X 0 . 5 3 1 1 0 0 0 X 1 0 . 5 3 1 1 X 0 1 0 0 0 . 5 3 1 1 0 1 X 1 0 0 . 5 3 1 0 1 0 0 1 1 0 . 5 1 6 T E R M S I N O U T P U T 1 = 1 8 O U T P U T 2 = 1 9 O U T P U T 3 = 17 O U T P U T 4 = 18 S-BOX NUMBER 5 • i t * * * * * * * * * * * * - * output 1 - - output 2--TERM CONTR. TERM CONTR. XOOOX1 0 . 562 0X0010 0 . 53 1 0X110X 0 . 562 1X0000 0 . 53 1 101X 1X 0 . 562 011XOO 0 . 
53 1 1010X0 0 .531 001X01 0 531 110X00 0 . 531 010X01 0 53 1 100X01 0 .531 X00111 0. .531 10X1 10 0. .531 10101X 0 53 1 00X010 0. .531 1001x1 0. .531 OX011 1 0. 531 11X110 0. 531 01x000 0. 531 00X001 0. 531 0101X1 0. 531 OX 10OO 0. 531 01X 1 10 0. 531 0010X1 0. 531 11001X 0. 531 010X 10 0. 531 X101 1 1 0. 531 10X 1 1 1 0. 53 1 X 1 1 1 10 0. 531 1100X1 0. 53 1 01 1011 0. 516 110XOO 0. 531 1 1 1001 o. 5 16 X11000 0. 53 1 1X1011 0. 531 OOO1oo 0. 5 16 001110 0. 516 101100 0. 516 011111 0. 516 1 11101 0. 516 TERMS IN OUTPUT 1 = 17 OUTPUT 2 = 23 OUTPUT 3 = 17 OUTPUT 4 = 17 - - output 3 - - - - output 4 - -TERM CONTR. TERM CONTR 001XX0 0 . 562 XX0110 0 . 562 0101XX 0. . 562 X10X10 0 . 562 1 1X00X 0. 562 110X1X o. . 562 X01XOO 0. 562 1XX 1 1 1 0 562 100X10 0. 531 00X01 1 0 531 X01011 0. 531 1100X0 0. . 531 X11001 0. 531 10X001 o. 531 10011X 0. 531 01X110 0. 531 10110X 0. 531 1X1010 0. 531 11OOX1 0. 531 1111X1 0. 531 OOOOOX 0. 531 001X00 0. 531 OOOOX1 0. 531 001 1X 1. 0. 531 OOOXO1 0. 531 010X01 0. 531 OX 1100 0. 53 1 0101X0 0. 531 X 1 1 1 1 1 0. 531 01100X 0. 531 X00001 0. 531 OX 1011 0. 531 111X10 0. 53 1 10X 100 o. 531 70 3 OOOO (Z <z <z c H H H H TJ TJ T3 13 c c c c -I H -t H Ji U U -. I  I  I  I  — io ro — CJl U U -J — O — OOOO — — — — OxO — x — — — O — XOOO — Ox — O X X O X H 0 0 0 — — XOxO — — O — — — O — m - - x - - - x - x o - x o o x o o 3 OOOX-O----O--O-OX OOOOOOOOOOOOOOOOOO oiuiuic^oiaioiuioiuioioiuiaiuiuiui? _k_.0J(JCJCJ(JCJGJCJCJCJCJCJCJ)fflcT)7: 01 <T) — — — — — — ^ - a ^ u w u . - - O - - - - 0 0 0 0 0 - - X O - - 0 0 0 0 - 0 0 - - 0 0 - - - X X - 0 0 0 - 0 - O X O H - 0 0 - - 0 0 - O X - 0 0 - - - 0 0 0 - O x m OOO — x — — O — O — — x — o x x x x o — OX3 0 0 0 - - - X X - - 0 - - 0 - - 0 - 0 X 0 - 3 - - O X O X O O X O O O - X - - O O - - - -OOOOOOOOOOOOOOOOOOOOOOO — — — CJCJ(J0JCJCJCOtJCJCJCOCJCJ0JCJCJUCJtJ33 on 1 1 * i ! 
1 ca * o i 0 X 1 c * 1 f+ * 2 I TJ * c i c * 1 rt 03 * m 1 -t * 73 1 | 1 1 * CD * O- — — - - - O X O O O - - 0 - - 0 0 0 0 0 - 0 - X X O O - - X O O - - - - 0 - X O X O ~ ' - ^ x O - - 0 - 0 0 0 0 - X - 0 0 - - x O X H - 0 - 0 - - - x - 0 - x - 0 0 0 0 0 0 0 - - r r i ° S A " J x o ; - ' O X j ) < 0 ' 0 ' X - O O O 5 — OO — O — XO — — O — O — XXXOO — 0 0 3 OOOOOOOOOOOOOOOOOOOOOOO o - ' - U U U Q U Q U U U U U U U U U U Q U O m < ' i a i - - - - - - - - - - - - - - - - ' - - - - - ; o TJ c x x — - — - O x o - — O O x o O ----OO-OO-OOOO--- - O x x O - O O x x - - - x x n — O x o o x x o x — — — o x — om O-OO — o - - - — — XOOO — ;o OO — O — OO — O — O — x — X X 2 OOOOOOOOOOOOOOOOO O oioioiuioioiuiuioiaiaiaiuiuiuiuiz u o u g u u u u u u y u u j i o i o i H — — — — — — — — — — — — — foioro^3 XI c 150 S-BOX NUMBER 7 **************** -- output 1-- -- output 2--TERM CONTR. TERM CONTR. XOX110 0 . 562 ooxoox 0 . 562 1001XX 0 . 562 XOX110 o . 562 1X011X 0 562 0X011X 0 . 562 X01000 0 531 XIX 1 1 1 0 562 1OOX11 0 .531 011X00 0 .531 10X101 0. .531 100X01 o. 53 1 11X001 0. .531 11X010 0. 531 X101 1 1 0. .531 011X11 0. 531 11X111 o. 531 101X11 0. 531 OOOX01 0. 531 010X01 0. 531 0X0010 0. 531 010X10 0. 531 OO1X11 0. 531 100X10 0. 531 001xoo 0. 531 101XOO 0. 531 0X0001 0. 531 110X11 0. 53 1 01101X 0. 531 110100 0. 516 1100X0 0. 531 111001 0. 516 01010O 0. 516 011101 o. 516 1 1 1 100 0. 516 TERMS IN OUTPUT 1 = 19 OUTPUT 2 = 16 OUTPUT 3 = 18 OUTPUT 4 = 23 -- output 3-- -- output 4--TERM CONTR. TERM CONTR 0001XX 0 . 562 OX 1000 0 . 53 1 01XOX1 0 . 562 OOOX01 0 . 53 1 X110X1 0 . 562 100X00 0 .531 1011XX 0 . 562 OOO1X1 0 .531 OOOX10 0 531 00X101 0 .531 0X0110 0 . 531 1001X0 0 53 1 1100X0 0. . 531 OX 1 1 10  531 1000X1 0. 531 OX 1011 0. 531 01101X 0. 531 1X1010 0. 531 101X10 0. 531 1X0011 0. 531 1X1110 0. 531 1100X1 0. 531 OX 1 1 1 1 0. 531 11110X 0. 531 01000X 0. 531 110X11 0. 531 1XO1oo 0. 531 010X00 0. 531 1X1101 0. 531 01X011 0. 531 001OOO 0. 516 01010X 0. 531 011100 0. 516 0101X0 0. 
531 110111 0. 516 XOO101 0. 531 10X100 0. 531 11X010 0. 531 OOOO10 0. 516 101001 0. 516 101111 0. 516 30 3 O O O O c c c c TJ TJ TJ TJ c c c c J> GJ IO — O O - - - - — O O O x x O — O — - O x — O — — — O O - - — O O O — - X O O O — — X X O X — X X O O — O — X O O - O O O O O O O O O O O O O O O O O O O O O cjiuicjiuicjiuiuiuiuiuiuiuiuiuiuiuiuiuiui — — U ( J ( J U U U U U U C J U U U U U U U 0)01- — — — — — — — — — -. — * 1 • 1 H 1 * CD rn * O XI 0 * X 3 c * r+ * Z TJ c Cl C 3 O * CD z * m H — • 33 73 1 * 1 * CO * — - - - - O O X O O - O X O X X X O - O O O - X O O O - X O x — — _ i H l — O X O O X O — X X — O - O x o . m O x — — x — —  — o  o o - o o X 70 0 O - O X O - O - O O O o 3 c — O O - O O - - - O X - o o - - o o o o o o o o o o o o o o o o o o o z UIUIUIUIUIUIUIUIUI Ol 01 Ul CJ1 01 Ul - i ro CJCJCJCJCJCJCJCJCJ CJ U CJ 01 si CD 70 i IO IO ro i - - - - - 0 - - x x o O O O O - - - X O X O O O O O - - X 0 0 - 0 - - O O x O X H - 0 0 0 0 0 - - 0 — X — X O m 0 X O — O x — x x — o O - X O 73 c - X O - 0 - - 0 - O O X X X X 3 r+ TJ o o o o o o o o o o o o O O O O C r+ O UIUIUIUIUIUIUIUIUI Ol Ul 01 cn Ul Ul z CJ COCJCJCJtJGJCJCJCJ CJ CJ CD cn CD cn -t 1 IO ro ro 73 1 O — - O O O O O — - - O O O X O - -— X O O O O O O — — X — x x — — O — O — X — — O X O O — OO — — — OO — — — o — x x O O x x — x — — O O x o 0 - O X - 0 - 0 0 0 - - 0 - 0 - - X O — O O O — - x — O O - — O O x x x O O O O O O O O O O O O O O O O O O O o CJIUIUIUIUIUIUIUIUIUIUIUIUIUIUIUIUIUIZ — cjcocjcjcjcjcjcjcjcjcocjcjcjcjcncOH cn — — — — — — — — — — -. — — _._roro53 152 = > - T A B L E 2. 
C C F ) M E T R I C F O R S - B O X E S B E F O R E & A F T E R T R A N S L A T I O N O U T P U T # 1 2 3 4 b e f , a f t b e f , a f t b e f , a f t b e f , a f t CU 1 4 8 2 5 2 1 5 6 2 4 4 1 4 4 2 4 8 1 3 6 2 6 0 C 2 ) 1 2 0 2 5 2 1 3 2 2 6 4 1 4 4 2 3 2 1 6 8 2 5 2 C 3 D 1 1 2 2 6 0 1 2 8 2 5 2 1 5 2 2 3 2 1 2 8 2 3 6 B O X C 4 D 1 4 8 2 4 8 1 4 8 2 5 2 1 4 8 2 5 2 1 4 8 2 4 8 # C 5 D 1 4 8 2 4 8 1 1 2 2 4 4 1 5 2 2 4 4 1 5 2 2 2 4 C 6 D 1 3 2 2 5 2 1 2 0 2 4 4 1 2 8 2 3 6 1 5 6 2 5 6 C 7 ) 1 3 6 2 4 4 1 4 8 2 6 8 1 3 6 2 4 0 1 0 8 2 5 2 C 8 D 1 4 0 2 2 8 1 4 4 2 5 2 1 5 2 2 4 4 1 4 0 2 4 4 A V E R A 6 E C O M P L E X I T Y B E F O R E T R A N S L A T I O N : 1 3 9 A V E R A G E C O M P L E X I T Y A F T E R T R A N S L A T I O N : 2 4 7 C(f) is a spectral-domain measure of function complexity equal to the classical functional-domain complexity measure which counts the number of topologically adjacent pairs of assignments for which f takes the same value for both assignments in the pair. 153 FIGURE 1 Exhaustive Tree Search Using No S-Box Reduction Illustrative of how the nonlinear S-boxes used to compute f cause a branching factor so large as to make key search intractable. (ciphertext bit 64) - - - level 0 r 6 3 _ l r 6 2 _ l L - "0 1 .~0 .1 1 •- level 1 L15 U R6 4-0 J 4  c64 ( R 1 5 ' K 1 6 ) = ^ / / / - I L 6 4 = l L15 1 r64 ( R15' K16 ) :fi? •- level 2 / / / - A L i 3 © f 6 4 ( R 1 3 > K 1 4 ) = 0 There exists a branching factor of 32 at each of these points in the tree, based on the relationship between 6 bits of R1(-and 6 bits of K as defined by the S-boxes. Notational Notes: - superscripts indicate bit position in block. - subscripts indicate encryption round O s r s 16 - - - level 16 - after selection fromfav . ^ -, -, , ^ a d e at level 1 node, select same position for subtree. 
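Added example (not code from the thesis): the CONTR. column of Table 1 and the "correctness" figure printed by the Appendix C program can be recomputed from the S-box itself. The Python below assumes the FIPS PUB 46 table for S-box 1, the input convention of the thesis's ON routine (x1 and x6 select the row, x2..x5 the column), output 1 as the most significant bit, and the S-box 1 / output 1 terms as read from Table 1; all function names are illustrative.

```python
from itertools import combinations

# DES S-box 1 (FIPS PUB 46). Row = bits (x1, x6), column = bits x2..x5.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

# Product terms for S-box 1, output 1, transcribed from Table 1 (X = don't care).
TERMS = ("X1X010 X1X111 000X00 X00011 X11001 10X011 001X01 001X10 00X100 "
         "010X01 010X10 100X01 1001X0 X01110 110X00 11001X 101000").split()

INPUTS = [format(i, "06b") for i in range(64)]  # every 6-bit input x1..x6


def sbox_bit(sbox, x, out_bit):
    """Output bit (1 = most significant) of the S-box for bit string x."""
    row = int(x[0] + x[5], 2)
    col = int(x[1:5], 2)
    return (sbox[row][col] >> (4 - out_bit)) & 1


def on_set(sbox, out_bit):
    """The 32 inputs for which the chosen output bit is 1."""
    return {x for x in INPUTS if sbox_bit(sbox, x, out_bit)}


def matches(term, x):
    """True when input x satisfies the product term."""
    return all(t in ("X", b) for t, b in zip(term, x))


def cover(term):
    """Set of inputs on which the product term evaluates to 1."""
    return {x for x in INPUTS if matches(term, x)}


def contribution(term, on):
    """Fraction of the 64 inputs on which the term alone agrees with the
    S-box output bit (matched ON inputs plus unmatched OFF inputs)."""
    return sum(matches(term, x) == (x in on) for x in INPUTS) / 64


def is_exact_sop(terms, on):
    """True when every term is an implicant and together they cover `on`."""
    covers = [cover(t) for t in terms]
    return all(c <= on for c in covers) and set().union(*covers) == on


def best_sets(terms, on, k):
    """Exhaustive search over all k-term subsets, in the spirit of the
    Appendix C program: returns (most ON inputs covered, number of ties)."""
    covers = {t: cover(t) & on for t in terms}
    best, ties = -1, 0
    for combo in combinations(terms, k):
        covered = len(set().union(*(covers[t] for t in combo)))
        if covered > best:
            best, ties = covered, 1
        elif covered == best:
            ties += 1
    return best, ties


def correctness(covered):
    """Accuracy of an OR of implicants: the 32 OFF inputs are always right."""
    return 0.5 + covered / 64


if __name__ == "__main__":
    on = on_set(S1, 1)
    print("exact sum of products:", is_exact_sop(TERMS, on))
    for term in TERMS:
        print(term, round(contribution(term, on), 3))
    for k in (1, 2, 3):
        covered, ties = best_sets(TERMS, on, k)
        print(k, "terms:", ties, "best set(s), correctness", correctness(covered))
```

A term with two don't-cares matches 4 of the 32 ON inputs and none of the OFF inputs, so it agrees with the S-box on 36 of 64 inputs (0.5625, printed as 0.562 in Table 1); the single-X and zero-X terms give 34/64 and 33/64 in the same way.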
FIGURE 2 Complete Partitioning of a Matrix

- an example of the partitioning of a matrix, from McCluskey [7 p.1447]

The matrix X:

0 0 0 1 0 0
0 0 1 0 0 0
1 0 0 0 0 0
0 0 0 1 0 1
0 0 0 1 1 0
0 0 1 0 0 1
0 0 1 0 1 0
1 1 0 0 0 0
0 1 1 1 1 1

- transcribed results of running the APL routine PARTITION on X:

Row and column slice points:
1 3 4 8 9
1 2 3 5

Partitioned matrix:

0 0 01 00
0 0 10 00
1 0 00 00
0 0 01 01
0 0 01 10
0 0 10 01
0 0 10 10
1 1 00 00
0 1 11 11

FIGURE 3 Essential and Alternative Sum-of-Product Terms

FOR S-BOX 1 OUTPUT 3:

Essential:
000101
100001
011110
010X00
10X100
X11101
11011X
0010XX
0100XX
X10X11
i.e.: x1 x2 x3 x5 x6; x4 is a "don't care" [complement bars not legible in the scan]

Alternative (term, class):
00X000 1
0X0000 1
00X011 4
0X0011 4
001X00 8
X01100 8
[illegible] 25
1X0111 25
X01010 28
101X10 28
1X1010 28
101X10 31
1011X0 31
10111X 31
10111X 32
[illegible] 32
X10000 33
11X000 33
1101X1 37
11X101 37
11X000 38
1110X0 38
11100X 38
11100X 39
111X01 39
1X1010 40
1110X0 40

Note inter-class occurrences of the same p-term.
Example of one of the many alternative "classes". One member of each must be chosen as a p-term in the minimal representation.

FIGURE 4 Representation of Quasi-Best Set Search Tree

[Tree diagram not reproduced. Legible labels: pointer reference; term added; current ORMASK; father pointer to node at previous level; links to other level 1 nodes (not shown).]

FIGURE 5 Permutation Cutoff During N-ary Tree Expansion

TREE: S-box 1 output 1, both p-terms 6 and 7 have 4 bits on, in "disjoint" positions.
CUTOFF during tree growth: This node is never actually grown, as its ORMASK would be identical to that of another ORMASK already existing at level 2.

FIGURE 6 Partial Search Tree for 2-Round DES

[Tree diagram not reproduced. Legible labels: S-box 6, output 1; bit position; encryption round; key bit hypotheses, as produced by X node expansion; bit position, as determined by the application of the E^-1 permutation.]

The tree root is a conjunct of 64 nodes, representing values of bits of C, e.g. C=10...01...1.

Suppose S-box 6 output 1 has function x1x2x3 + x3x4x5; then by DeMorgan, for the output to be 0, it must be: (x1+x2+x3)(x3+x4+x5) [complement bars not legible in the scan].

NOTES
1) AND nodes labelled with arcs.
2) OR paths exist simultaneously only conceptually. Alternatives developed iff backtrack.
3) Circled nodes are search tree leaves, which may cause backtrack.

FIGURE 7 Nodes in the Cryptanalytic Search Tree

1) SUPER descriptor node
- type code ('R': this is a descriptor for a type 'R' node)
- position from [1,32] in R block
- round from [1,16] in encryption
- father pointer
- pointer to RNODE

2) Node of type 'RNODE'
- value of RNODE from [0,1]
- count, i.e., # of times node expanded, from [0,2]
- pointer to RNODE 2 levels before
- pointer to an FNODE1 or an FNODE0

3) Node of type 'FNODE1'
- count from [1,23]: which conjunct term in sum-of-product representation is currently used
- pointers to 6 XNODES, expanded in parallel

4) Chain of type 'FNODE0' nodes
- SUPER of type 'FNODE0'
- up to 23 in parallel on linked list
- literal number from [1,6]
- pointers to XNODEs

5) Node of type 'XNODE'
- value of XNODE from [0,1]
- count, i.e., # of times node expanded, from [0,2]
- pointer to an RNODE (a virtual 2nd pointer affects key bit hypothesis)

FIGURE 8 Bidirectional Search Tree

(a) unidirectional search tree, from C to P (plaintext bits)
(b) bidirectional search tree
- cross-hatched area is an area existing in the unidirectional search tree, which need never be developed in the bidirectional tree.
- bidirectional search techniques make linear what is exponential.

FIGURE 9 2-Round Search Tree of Uniform Structure

note: bit positions (superscripts) not explicitly shown

FIGURE 10 Stages in the Development of the AND/OR Search Tree

[Tree diagrams (a) through (d) not reproduced; node labels include R and X bit nodes, OR and AND nodes, and key bit (K) leaves.]

APPENDIX A

APL CODE FOR THE DETECTION OF GROUP INVARIANCE OF A BOOLEAN FUNCTION BY MCCLUSKEY ALGORITHM.

V Z+BINARY DECBOX [ 1 ] a TO CONVERT AN SBOX INTO BINARY FORM [ 2 ] Z-<- 3 1 2 ^ 2 2 2 2 T DECBOX 7 V Z+DUPKILL V [ ] Z«-( (\pV)=V\V)/V 7 7 Z+INITPARTIT M; RWT ;CWTRSLIC E; CSLICE [ 1 ] ft TO INITIALLY PARTITION A MATRIX INTO SUBMATRICES C 2 ] RWT-+/M [ 3 ] CWT+++M [ 4 ] -(l=pRWT)/ROWVEC [ 5 ] RSLICE+lll.*/ ~1 0 +( ( " l + i p i ? k T ) < t > ( 2 p p i ? t V r ) p / ? V r ) [ ; i 2 ] ) / i pfiiv'T) l + l + p,V [ 6 ] +J0IN1 [ 7 ] ROWVEC:RSLICE+l ; 1 + l t p A f [ 8 ] J O I f f 1 :-»•( l = p C V D ICOLVEC [ 9 ] CSLICE+Ul.*/ " l 0 +( ( ~ l M p C V 2 , ) 4 > ( 2 p p C ( V ; T ) p C . V 7 ) L " ; i 2 ] ) / i p i ? v r ) l + ' l + p M [ 1 0 ] -+JOIN2 [ 1 1 ] COLVEC-.CSLICE+l , l + " l t p / V [ 1 2 ] J O I A ' 2 : Z«- ( ( 1 + [ / pM ) T RSLICE) , [ 0 . 5 ] ( l + [ / p A / ) T C SLICE 7 7 Z+IOTA X [ 1 ] ft F0J? ENUMERATION OF INCLUSIVELY BOUNDED INTEGER LIST [ 2 ] ->-U[2]<;J[l]) /SC>4£.
[ 3 ] Z«-X[ l ] + " l + i 1+ | [ 4 ] - 0 [ 5 ] 5 C i 4 £ : Z * , X [ I ] 7 7 Z-BITPOS ON S [ 1 ] ft GIVEN AN SBOX AND OUTPUT BIT POSITION, RETURN THE 3 2 x 6 [ 2 ] ft MATRIX OF BINARY INPUTS FOR WHICH THE OUTPUT BIT IS 1 [ 3 ] Z«-(16 16 ) T Z « - ~ l + ( , Z ) / I x / p z « - S [ ; ;BITPOS] tH] Z+- 3 1 2 ^ 2 2 2 2 T Z [ 5 ] Z ^ Z [ 1 ; ; 3 ] , Z [ 2 ; ; ] , Z [ 1 ; ; ' + ] 7 165 V Z+SLICES PARTITCALL M; RSLIC E iCSLICE; NEWRSL-, N EWC SL ; RCTR; C CTR'.SUBiP C 1] n [ 2 ] n RECURSIVE FUNCTION TO FURTHER PARTITION A MATRIX M, [ 3 ] fl GITEtf >5 CURRENT STATE OF PARTITIONING, SLICES. [ 4 ] n SLICES IS A MATRIX WITH 2 /?CW£, WHERE FIRST ROW CONTAINS [ 5 ] a POINTERS BEFORE WHICH ROW SLICES OCCUR, SECOND ROW SAME F OR COLS. [ 6 ] R C 7] - * ( a / 1 1 -pM)/TRIV [ 8 ] RSLICE+iSLICESll;]*0)/SLICESll;] [ 9 ] C5LICF-(S£IC£S[2;]*0)/SLIC£S[2;] [ 1 0 ] Af/W^ C pRSLICE) [pCSLICE [ 1 1 ] Z«- 0 1 +( (MAXfRSLICE) , [ 0 . 5 ] MAXiCSLICE) , 2 1 pO [ 1 2 ] - * ( a / a / ( 2 2 + Z) = <S( 1 + p.V) , [ 0 . 5] 0 0)/TRIV [ 1 3 ] n [ 1 4 ] fl ITERATE THROUGH EACH SUBMTX, RECURSIVELY SLICING [ 1 5 ] NEWRSL*-NEWCSL-\0 [ 1 6 ] CCTRo-1 [ 1 7 ] CLOOPiRCTR+l { [ 1 8 ] RLOOP-.SUB+MIIOTA 0 " l +RSLICELRCTR+ 0 1];I077! 0 " l +CSLICEL CCTR+ 0 1 ] ] [ 1 9 ] RECURSE:P-(.INITPARTIT SUB) PARTITCALL SUB [ 2 0 ] NEWRSL+NEWRSL,~1+RSLICEIRCTR1+Pll;] [ 2 1 ] NEVCSL-NEWCSL,~l+CSLICE[CCTRl+Pi 2;] [ 2 2 ] -•( (RCTR-RCTR+l)<pRSLICE)/RLOOP [ 2 3 ] -((CCTR-CCTR+l)<pCSLICE)ICLOOP [ 2 4 ] n [ 2 5 ] n I F A/CT /5T TCP LEVEL, JUST RETURN NEWRSL, NEWCSL [ 2 6 ] -*•( ~v/RECURSE=DLC) /TOPLEVEL [ 2 7 ] Z+lMAXtRSLICE) , [ 0 . 5 ] (AM**-( pRSLICE) [ pCSLICE) iCSLICE [ 2 8 ] Z*- 0 "l + 0 1 + Z [ 2 9 ] *0 [ 3 0 ] TOPLEVEL-. [ 3 1 ] NEWRSL-( [ / p,V) + ( NEWRSL< l\pM) / NEWRSL-*-NEWRSL [ &N EW RSL+-DUPKI LI N EWRSL,RSLICE3 [ 32 ] NEWCSL-( [/pM) + ( NEWCSLH~ 1*pM) /NEWCSL*-NEWCSLi k.NEWCSL+DUPKILL NEWCSL ,CSLICE'S [ 3 3 ] Z«-A/EW?S£.[0. 
5] NEWCSL [ 3 4 ] -*0 [ 3 5 ] JTTiTiZ*- 2 0 pO 7 166 V Z+PARTITION M\OLDZ [ 1] n [ 2 ] * TO FULLY PARTITION A MATRIX, M. [ 3 ] ft DIVIDE INTO ROWS AND COLUMNS SUCH THAT ALL ROWS/COLS IN A SUBMATRIX [ 1] ft HAVE AN EQUAL NUMBER OF l'S. [ 5 ] ft RETURN PARTITION POINTS AS A LIST OF POINTERS INTO M BEFO RE WHICH [ 6 ] ft DIVISIONS SHOULD OCCUR [ 7 ] ft [ 8 ] OLDZ+ilNITPARTIT AO PARTITCALL M [ 9] L00P:-+(*/*/0LDZ = Z+-(0LDZ, 2 1 pl + pM) PARTITCALL AO/0 [10] OLDZ-Z [11] +L00P V V PARTITIONHALL;BOXiBITiSTDiTR;P [ 1] ft [ 2 ] ft TO PARTITION STANDARD TRANSMISSION MATRICES REPRESENTING [ 3 ] ft ELEMENTARY PRODUCT TERM BOOLEAN FNS FOR EACH OF THE 3 2 [ 4] ft S-BOX - OUTPUT PAIRS'. [ 5] ft [ 6] BOX-1 [ 7 ] BOXLOOP-.BIT-rl [ 8] BITLOOP-.TR-BIT ON BINARY SBOXL BOX ; ; ] [ 9 ] ft FORM STANDARD MATRIX: [10] STD*-TR*(pTR) pFLIP-( 0 . 5 x l + pTR) < + JTR [11] nRANK SO l'S INCREASE IN DIRECTIONS •* AND + [12] STD"-STD[i + /STD:'] [13] STD+STDlU+JSTD] [14] ft PARTITION THIS MATRIX: [15] P-PARTITION STD [16] " [17] 'FOR S-BOX ',(wB0X),' BIT: ',lBIT [18] 'ROW SLICES: ' , 3 0 T (P[1;]>0)/P[1;] [19] 'COL SLICES: ',3 0 T(Pi 2;]>0)/PL 2;] [20] ( (lfpT/f)= + /P[l;]>0)/'//(7 POSSIBLE ROW PERMUTATIONS1 [21] ( ("lTpr/?) = + /P[2;]>0)/'A/0 POSSIBLE COL PERMUTATIONS' [22] +((BIT<-BIT+l)<.k)/BITLOOP [23] (B0X-B0X+1)<B)/B0XL00P V 167 V Z+PARTIT PRINTbPARTIT M;R;C;EX [ l ] A GIVEN PARTITION POINTS FOR A MATRIX M, [ 2 ] A PRINT THE MATRIX IN PARTITIONED FORM. [ 3 ] A LEAVE BLANK ROWS/COLUMNS BETWEEN SUBMATRICES C 4] A [ 5] PARTIT [ 6] Z-(A/ [ l ; ] * ' ')/M+TM [ 7] C^(P/3tfnr[2;]*0)/P/?/fTIT[2;] [ 8] EA>( (pC)+~l+pZ)pl [ 9] EX[~l+C+\pOO [ io ] z-«-mz [11] >7^(P>iffri7 ,[l;]*0)/P/iv7'ir[l;] [12] FAX (p/?) + l + pZ)pl [13] EXl'l+R+xpRl-O [14] Z+FXHZ V V Z-RAND [1] « [2] a TO GENERATE RANDOM 3 2x6 BINARY MATRICES IN STANDARD FOE:-' [3] A [4] Z«-"l + ? 
32 6 p2 [5] A PUT INTO STD FORM AND RANK : [6] Z*Z*(pZ)p(0.5xi + pZ)< + j'Z [7] Z«-ZU + /Z;] [8] Z*Z[;l+yz] 7 168 V SYM [ 1] n TR*-1 ON BINARY SBOXl [ 2] STD*-TR*(.pTE) pFLIP<-(O.Sxl + pTR)< + JTR [ 3] EQUAL*-(Q .5*l+pSTD) = + SSTD [ 4 ] R EXCHG ROWS SO NO. l 'S INCREASES • /A'P * C 5 ] STD*-STD\_ k+/STD% ] [ 6 ] STD*-STD [ ; PFtfA?- A + /527? 3 [ 7] PRIM.ING*-EQUAL\ " l 0 4 $ ( (+/EQUAL)p2)Ti2*+/EQUAL [ 8 ] R PRIMING IS MTX WHOSE ROWS INDICATE POSSIBLE WAYS COLS [ 9 ] R OF STD CAN BE PRIMED [10] R [11] R PARTITION THE STD MATX [12] PART-PARTITION STD [13] R ELIMINATE SOME OF THE POSSIBLE PRIMING OPERATIONS: [14] R IF SOME ROW IS ALL 0/1 AND NO ROW AFTER PRIMING IS 0/1.E [15] fl THE PRIMING IS NOT POSSIBLE [16] CONST-0 [17] ELIM: KEEPER IMROW*- (1 i p PRIM ING ) pi [18] [19] REM1 :KEEPPRIMROWlK]«-~(v /AJCONST=STD)A~V /AJC0NST=STD* ( pSTZ?) p PEIMINGlK;] [20] -»•( (.K+K+l)*l*pPRIMING)/REMl [21] PRIMING*-KEEPPRIMROWf PRIMING [22] ->-( (C0NST+-CONST+ 1 )£1)/ELIM [23] R [24] R ELIMINATE PRIMINGS IF PRIMED MTX DOES NOT PARTITION AS [25] R DOES THE STD MTX. [26] R 5/WF TO COLUMN PERMUTATIONS REQD FOR 1' 5 •+ [27] SAVEPERNS-(. pSTD)P0 [28] K+l [29] KEEPPRIMROW*-{ 1 + p PRIM ING ) p 1 [ 3 0 ] syW£wr;r««-(o.pS27>)po [31] REM2 : POSSM+STD* ( pS2T) pPRIMINGlK; ] [ 32 ] POSSM-POSSMJi k + /POSSM\ ] [33] POSSM*-POSSMl ; 5/W EPERMSlK ; ]«-W POSSMl [34] SAVEMTX-SA VEMTX . [ 1 ] P0SSA? [35] KEEPPRIMROW[_Kl*-*/*/PART= PARTITION POSSM [36] + ( ) < 1 +pPRIMING)I REM 2 [ 37 ] PR IM ING*-KEEPER IM ROW-f PRIMING [38] S AV E PERM S*-KEEP PRIM ROW J SAV E PERMS [39] fl FC/? 57/) + F/SCtf RETAINED PRIMING, CHECK VAR PERM: [40] SI*-PART PERMUTE STD [41] PR IN T hiNV ARIAN T\~li pSAV EPERM [42] fl [43] K+l [44] GOLOOP:SI*-PART PERMUTE SAVEMTXlK', ;] [45] PRINTL\INVARIANT SAVEPERMiK; ] [46] -+((K*-K+l)<l + pPRIMING)/GOLOOP V 169 APPENDIX B APL CODE FOR QUINE-MCCLUSKEY MINIMIZATION OF S-BOXES. 
170 V Z*-ALT BOXINP C l ] ft GIVEN BOX NUMBER AND OUTPUT, RETURN TABLE OF ALTERNATE SP' s [ 2 ] IND<-B0XINP£2_] + Hx~l + B0XINPL~n [ 3 ] Z«- (~a/» ' = Z ) -rZ*-ALLALT[IOTA ,ALLPTR[IND+ 0 1 ; 2 ] ; ] V 7 ANALYZEiSBOXCNT;OUTBIT [ l ] ft [ 2 ] * TO CALC AND SAVE THE ESSENTIAL AND ALTERNATIVE SP TERMS [ 3 ] a FOR EACH SBOX AND OUTPUT, IN INDEXED MATRICES ALLESS [ 4 ] n AND ALLALT, RESPECTIVELLY [ 5] ALLALT*- 0 10 p' • [ 6] ALLESS*- 0 6 p» ' [ 7] ALLPTR*- 1 2 p 1 1 [ 8] SBOXCNT*-! [ 9 ] BOX LOOP: OUTBIT*-! [ 1 0 ] BITLOOP-.QM PRIMIMP OUTBIT ON BINARY SBOXlSBOXCNT; ;] [ 1 1 ] ALLESS*-ALLESS,[l] ES [ 1 2 ] ALL ALT*-ALLALT, [ l ] ( ( l + p<4Zi).10H/3L [ 1 3 ] ALLESS*-ALLESS, [1 ] 6p' ' [1 4 ] ALLALT*-ALLALT, [ l ] 10p« ' [ 1 5 ] 4LLPTi?-/5L£P : r/F.[l](l + p4Z,Z;£SS) , !\p ALLALT [ 1 6 ] (OUTBIT-OUTBIT+!)<k)/BITLOOP [ 1 7 ] •+( (.SB0XCNT*-SB0XCNT+!)<8)/BOXLOOP V V Z*-BINARY DECBOX [ 1 ] ft T<? CONVERT AN SBOX INTO BINARY FORM [ 2 ] Z - < - 3 1 2 < * 2 2 2 2 i DECBOX V V Z*-ONETERM CONTRIB BOXOUTSP-, ONFOR; OFFOR [ 1 ] ft TO DETERMINE CONTRIBUTION TO OVERALL BOX OF ONE SP TERM [ 2 ] ft [ 3 ] SP*-( 32 6 ) pONETERM [ 4 ] ONFOR*-BOXOUTl2l ON BINARY SBOXlBOXOUTl 1] ; ;] [ 5 ] OFFO R*-<H( *S~0 NFOR* . = ALL) /ALL*-(ep2)r~! + \&k [ 6 ] . Z*-+ / a / ( 5 P = F X1 ) v ( 5 P = ' 0' )*ONFOR [ 7 ] Z-<-Z + + / ~ a / ( S P * « X • ) A ( S P = ' 0' )*OFFOR [ 8 ] Z - Z * 6 4 V 171 V DUMPONSiBOX;BITiTERM;ONTERMS;T - [ 1 ] DUM-100 DSVO 'TSO' I 2 ] TS0-'ALLOC DA (.DES. ONFOR) OLD FILE(ONFOR) ' [ 3 ] OUT-'ONFOR(APL)' [ 4 ] CTL—' ON FOR (CTL ) ' [ 5 ] 111 DSVO 2 3 o'OUTCTL' [ 6 ] DUM-OUT [ 7] B0X-<-l [ 8 ] BOX LOOP:BIT-1 [ 9 ] ONTERMS-BIT ON BINARY SBOXlBOX;;] [ 1 0 ] BITL00P:TERM-1 [ 1 1 ] TERML00P:0UT-(T*' '. ) / T-vONTERMSlTERM;] [ 1 2 ] (TERM-TERM+1) 5 32 ) / TERM LOOP [ 1 3 ] +((BIT-BIT+l)<H)/BITLOOP [ 1 4 ] -»-( ( B O ^ S C Z + l )<8 )/BOXLOOP [ 1 5 ] /J>L/A>rj5iV/? 'Of/r' [ 1 6 ] TSO-'FREE F(ONFOR)' 7 V Z-DUPKILL MAT',T [ 1 ] A REMOVES ANY DUPLICATE ROWS FROM MAT [ 2 ] Z-(KILL-h/ (MATv . 
x$MAT)vTo . <;2Vi l + pAMT) / A M r 7 7 BOXINP;IND [ 1 ] n GiTffA/ 5 0 * NUMBER AND OUTPUT, RETURNS TABLE OF ESSENTIAL s [ 2 ] I/'/Z?-<-/30^J/lrTP[2] + 4 x " i + s c ' j j ^ p [ 1 ] [ 3 ] Z « - ( ~ A / « ' =Z)SZ-ALLESSII0TA,ALLPTRIIND+ 0 1 ; 1 ] ; ] 7 Z ^ - A M r / f l * FINDCOORDS SUB STRING ; MATCH; COORD [ 1 ] A FJtfZ? OF COORDS, ONE ROW FOR EACH OCCURENCE OF SUESTRIN G [ 2 ] n IA7 Ttfi? 7?0(V5 0 F MATRIX [ 3 ] COORD-*j ( $ (<J>~ 1 + pAM 7t?#) p -Die?- i p , SUBSTRING) <H</1 lY?//*- ( . SUBSTRING ) ° . = MATRIX [ 4 ] Z ^ n i O + ^ ( p C ? O C i ? C )T - D l O - ( ,C00RD)/\p ,COORD - 7 172 V Z-IOTA X [ l ] n FOR ENUMERATION OF INCLUSIVELY BOUNDED INTEGER LIST [2] Z-Xtll+~l+\l+\-/X V V Z-PI MC2 PITiEiAiM;V;C;NCiNZ [ .1] fi THIS FUNCTION FINDS A MINIMAL COVER FROM A PRIME IMPLICAN T TABLE. [ 2] Z-(O.AOpO C 3] LI : Z-*-Z , [ 1 ] (E—PITv .Al=+/[i] P I T ) / l l ] PI [ 4] - ( ~ v IE)/PET C 5] -*-(0 = x/pPir<-(~v/[l] F/[l] PIT)/(-£)/[ 1] PID/O [ 6] P I«- (~f f )/ [ l ] PI C 7] p iTM-v/c i ] ^A~( (XAf)o .si,v^"i + pPir)A/)A<S(>i^(~t i)pj?)A.vpjr)/pir [ 8] P i r^ (^v/P JD/ [ l ] PIT r 9 ] P I < - I V [ I ] P I [10] V-~v/A*~{ ( i ) ° .Si M—l + pPIT) A A ^ G^A-*- ( V ° . £ V—+ / 2 > P I ) A ( ~PIT) A . VISJPI [11] PI:7>y/[l] PIT [12] -^Il,OpPI-kv/[l] PI [13] PET: IM ( P P IT [ ; l i 4 + /Cl3 PII ] )/I.M-«-1TPPII ) ,0pC?-^100 [14] SL:+(C<NC-+/+/2>E-PI MC2 PIT,Vll]=\M)/EL [15] C- NC,OpNZ*-E [16] ££:-••( 0*pV<-l + V)/SL [17] Z-Z.[ l ] tfZ V Z-BITPOS ON S [1] fl 6*1 VEN AN SBOX AND OUTPUT BIT POSITION, RETURN THE 32x6 [2] fl MATRIX OF BINARY INPUTS FOR WHICH THE OUTPUT BIT IS 1 [3] Z*-(16 16 )TZ«-" l + ( , Z ) / I */pZ*-Sl ; -.BITPOS] [4] Z<- 3 1 2 S 2 2 2 2 TZ [5] Z - Z [ 1 ; ; 3 ] , Z [ 2 ; ; ] , Z [ 1 ; ; 4 ] V -173 V PIM T2iC;DiNXT'tV;T . . [ l ] A TAB IS TABLE OF NINTERMS IN BINARY [ 2 ] A N IS NUMBER OF VARIABLES IN FN. PASSED GLOBALLY [3] A THIS FUNCTION FINDS THE PRIME IMPLICANTS OF A TABLE OF MIN TERMS. 
- [>] PI-( 0.N)p0,0pT-T2 " [5] Ll:NXT-(OtN)pO,V-(l+pT)pO [6] L2:A-(~v/(dZ>)° . >\D-li pA) *A* . =<*A)/[l] A-{2*C/[1] D) [ (C-l- + /D -T*{pT)pTl\\1)/Cl] T [7] / / ^ r - » - / / J ! T 1 , [ l ] ( ~ v / [ l ] ^TA.=tSj^)/Cl] /I [ 8 ] -(o*pv-nwc,(opT- i o *r) , opp r«-p i , [ i ] ( ( ( ~ i *nAO=+/c ) ,ff)pr[i ; ] ) / L 2 [ 9 ] + (o* i tpW/*T )/ L I [ 0 ] P i T « - $ ( ( ~ T 2 ) a . v $ P I * 0 ) a 7 2 a . v $ P I * 1 V 174 V Z+PRIMIMP IN i Ti BND ; K ; P I ; P2 ; C MATCH; NOPREVMATCH; NEW IN [ 1] ft C 2] fl FOR QUINE+MCCLUSKEY MINIMIZATION OF BOOLEAN FUNCTIONS: [ 3 ] fl RETURNS PRIME IMPLICANTS OF GIVEN N*G INPUT MATRIX C 4] Z + ( 0 , ~ l + pIAOpO T 5] fl NUMON IS VECTOR PARALLEL TO IN MTX, INDICATING NUMBER OF [ 6 ] A BITS ON IN IN ENTRIES. IN SORTED i IN BITS ON [ 7 ] A BND IS MTX INDICATING DIVISIONS BETWEEN K AND K+l BITS ON [ 8] ITER:IN<-INlT+-*NUMON+-+ /IN=1 ;] [ 9] T-(NUM0N*1$NUM0N) /\ pBND-NUMON*-NUMONlTl [ 1 0 ] BND*-(2.pBND)pl [ 1 1 ] -(0=pT)/JUST1CLASS [ 1 2 ] BND+-<$(ltl + ~l*T) , [ 0 . 5 ] T [ 1 3 ] JUST1CLASS: NEWIN*-{ 0 , "l + pIN) p 0 [ 1 4 ] K+l [ 1 5 ] A [ 1 6 ] N0PREVMATCH+-( pIOTA ,BNDll ; ] ) p l [ 17] MATCH LOOP: Pl<-INlIOTA , BNDlK; ] ; ] [ 1 8 ] P2+I/I7[I0:7\4 %BNDiK+l ; ] ; ] [ 1 9 ] A//?:Z,C,ff+l=Pl + .*$P2 [ 2 0 ] A 4#Y flOtf O F P I WI NO MATCHES IS A PRIME IMPLICANT: [ 2 1 ] Z+Z,[1l(NOPREVMATCHA~v/MATCH)fPl [ 2 2 ] C*-MATCH FINDCOORDS 1 [ 2 3 ] N OPREVMA TCH-*— v -/MA TCH [ 2 4 ] NEWIN-NEWIN,[l]("l " l 0 " l 1 ) [ 3 + P 1 [ C l ; 1 ] ; ] + P 2 [ C l ; 2 ] ; ] ] [ 2 5 ] -( (K<-K+l)<l*pBND) IMATCHLOOP [ 2 6 ] A ADD UNMATCHED ELTS OF LAST P2 TO RESULT [ 2 7 ] Z + Z . 
[ l ] N0PREVMATCHfP2 [ 2 8 ] -*•( 1 < l*pIN*-NEWIN) I ITER [ 2 9 ] A ADD LAST POSSIBLE IMPLICANT FROM P2: [ 3 0 ] Z + Z , [ l ] P 2 [ l + p P 2 ; ] [ 3 1 ] A REMOVE POTENTIAL DUPLICATION: [ 3 2 ] Z-DUPKILL Z V V Z + S P PROBhCORR ONFOR [ 1 ] Z+0 [ 2 ] K+l [ 3 ] L O O P : Z + Z + V / A / ( S P = ' * ' ) v ( S P = ' 0 ' ) * ( pSP) pONFORlK; ] [ 4 ] -»•( (K+K+l )^1\ pONFOR) I LOOP [ 5 3 Z + Z * l I p O N F O R v 175 V Z-QM MIN;N [ 1 ] A QM MINIMIZATION, GIVEN MINTEEM NUMBERS IN DECIMAL [ 2 ] PIM*( (N+\.l + 2®MINllMMIN])p2)TMIN [3D Z-'01X'll+PI MC2 PIT] V V REDUCE\SBOXCNT;OUTBIT [ 1] A [ 2 ] A T O FO/rW rtfff GLOBAL HD MAT SPTERMS ( 8 x 4 x 3 0 x 6 ) . WHICH GIVES [ 3 ] A MINIMAL SP FORMS FOR EACH SBOX AND OUTPUT BIT, USING REDU CEbALTS [ •+] A [ 5] SPTERMS- 8 4 30 6 p» » [ 6 ] SBOXCNT-1 [ 7] BOXLOOP'.OUTBIT-l [ 8 ] BITLOOPiSPTERMSlSBOXCNTiOUTBIT; -,]- 30 6 tREDUCEhALTS SBOXCN T,0UTBIT [ 9 ] •+{ (0UTBIT-0UTBIT+l)m)/BITLOOP [ 1 0 ] •*( (SB0XCNT-SB0XCNT+1)<8)/BOXLOOP [ 1 1 ] SPTERMS-(B 4 ,( + / v / v / v •/SPTERMS*' ' ) , 6 ) \ SPTERMS V 176 V Z—REDUCEbALTS BOXOUT;A;TI CLASS;TAB;FREQ;MOSTFREQ;KILL\KI LLPOS;CLASS;GRP [ 1 ] a [ 2 ] A TO PICK ALTERNATIVES FOR ACCURATE SP EXPRESSION FOR SBOX [ 3 ] A 1 ) CHOOSE TERMS MOST FREQUENTLY APPEARING INTER-CLASS [ 4 ] A 2 ) PICK CLASS REP. AS REMAINING TERM WITH MOST DCS C 5 ] A [ 6 ] CLASS-l. 0 7 *A*-ALT BOXOUT [ 7 ] TAB*-TA.=<*T"-Alil + pAi 16 ] [ 8 ] REDUCELLOOP:-*•(. l=MOSTFREQ-*~[ /FREQ-*-* /TAB) /OUT [ 9] KILLPOS-iT*.=$TIFREQ\M0STFREQ;1)/\l+pT [ 1 0 ] KILL*-(~CLASSeCLASSlKILLPOS] ) v ( i pOL/15.9) = 1 +KILLPOS [ 1 1 ] TAB-KILL/KILL/TAB [ 1 2 ] T-KILL/T [ 1 3 ] CLASS-KILL/CLASS [ 1 4 ] -+REDUCELL0OP [ 1 5 ] Oi/T: A SELECT REPRESENTATIVE FROM EACH CLASS [ 1 6 ] Z«-ffSS BOXOUT [ 1 7 ] SELECT&LOOP:NUMDCS<-+/' X' =GRP->-(X»-CLASS=l*CLASS)/T [ 1 8 ] Z-«-Z,[l] GRPlNUMDCS\[/NUMDCS;] [ 1 9 ] T*-(~X)/T [ 2 0 ] L ? I > 1 . 
5 5 - » - ( ~ ^ ) / L 7 Z ; ^ 5 S [ 2 1 ] •+( O^pC LASS) /SELECTLLOOP V V SELECTLSP BOXOUT;AL;ES [ 1 ] A [ 2 ] A jPt9 SELECT THE FIRST PRECISE SP EXPRESSION FOR. GIVEN SBOX [ 3 ] a AND OUTPUT FROM QM MINIMIZED EXPRESSION [ 4 ] ES-ESS BOXOUT [ 5 ] AL-ALT BOXOUT [ 6 ] 0/DUPKILL 0 7 [ 7 ] S P « - E S , [ 1 ] fCILZ://1L[ I I T P / I L ; \ 6 ] [ 8 ] 5 P - ( ~ A / « » = 5 P ) / 5 P V 177 V Z+SELECTL\ALTS;T;CLASS;TAB;FHEQ;MOSTFREQ;KILL;KILLPOS;CLA SS;GRP I 11 A [ 2 ] fl TO PICK ALTERNATIVES FOR ACCURATE SP EXPRESSION FOR SBOX [ 3 ] fl 1) CHOOSE TERMS MOST FREQUENTLY APPEARING INTER-CLASS [ 4 ] A 2) PICK CLASS REP. AS REMAINING TERM WITH MOST DCS [ 5] A [ 6] +(0 = l+pAL)/HO ALTS [ 7 ] CLASS+-1, 0 7 *AL I 8 ] TAB4-T*.=$T+-AL{\l*r,AL;\§~\ [ 9 ] REDUCEhLO OP :•*•{. 1 -MOSTFREQ-*-\ /FREQ+-+ / TAB) / OUT [10] KILLPOS-*- ( T A . =§T[FREQ \M0STFREQ ; ] ) / i l + pT [11] KILL+(~CLASSeCLASSlKILLPOSl)v(\pCLASS) = 1 + KILLPOS [12] TAB-KILL/KILL/TAB [13] T+-KILL+T [14] CLASS-KILL/CLASS [15] -REDUCEM00P [16] 0#r: fl SELECT REPRESENTATIVE FROM EACH CLASS [17] Z + £ 5 [18] SELECTt.L00P:NUMDCS-+ /' X' =GRP+-(X*-CLASS=1+CLASS) fT [19] Z + Z , C l ] GRPlNUMDCS\[/NUMDCS;! [20] T+(~X)rT [21] CLASS+-{~X) /CLASS [22] -(0*pCLASS)/SELECT&L00P [23] 'NUMBER OF P-TERMS: ' . f l t p Z [24] +0 [25] NOALTS-.Z+-ES V 178 V SPDUMP;BOX;BIT;TERM C l] DUM-100 USVO 'TSO' [ 2] TSO-'ALLOC DA(DES.SPTERMS) OLD FILE(SPF)' [ 3] OUT-'SPF(APL)' [ 4] CTL-'SPF(CTL)' C 5] 111 DSVO 2 3 p'OUTCTL' • C 6] DUM-OUT C 7] BOX-1 C 8] BOXLOOP'.BIT-l [ 9] BITLOOP-.TERM-l [ 1 0 ] TERM LOOP:OUT-SPTERMSlBOX;BIT;TERM;] [ 1 1 ] -((TERM-TERM+1)S23)/TERM LOOP [ 1 2 ] •*•( (BIT-BIT+1)<H)/BITLOOP [ 1 3 ] (BOX-BOX+l)<S) IBOXLOOP [ 1 4 ] DUM-USVR 'OUT' [ 1 5 ] TSO-'FREE F(SPF)' V END OF APPENDIX 179 APPENDIX C PL/I CODE AND OUTPUT FOR COMBINATORIALLY-EXHAUSTIVE APPROACH TO BEST-SET DISCOVERY. 
/* BEST-TERM SELECTION FOR S-BOX APPROXIMATION | E.GULLICHSEN      */
/*******************************************************************/
/*                                                                 */
/* CONTRIB PROC OPERATES IN 3 PHASES:                              */
/* 1) FORM ARRAY CONTRIB(23,32), INDICATING HOW EACH TERM,         */
/*    CONSISTING OF A CONJUNCT OF S-BOX INPUTS 'COVERS' THE 32     */
/*    TERMS FOR WHICH THE SBOX SHOULD BE ON.                       */
/* 2) USING PROC CHOOSE TO TRY ALL COMBINATIONS OF S.P. TERMS,     */
/*    BUILD THE ARRAY COVER(5000,23) CONTAINING INDICATION OF      */
/*    WHICH S.P. TERMS TO TAKE, TO GET BEST APPROX. TO S-BOX, IF   */
/*    RESTRICTED TO 1,2,...,23 TERMS                               */
/* 3) SEARCH THE COVER TABLE, TO SEE IF THE SET OF 'BEST N'        */
/*    TERMS IS A SUBSET OF BEST N-1 TERMS                          */
CONTRIB: PROC OPTIONS(MAIN);
   DCL (NUM_TERMS,TERMCNT,INPCNT,LEVEL,DIFF,NEXTERM) FIXED BIN(15);
   DCL TERMS(23,6) CHAR(1);         /* S.P. TERMS AS READ FROM FILE */
   DCL ONFOR(32,6) BIT(1);          /* INPUTS FOR WHICH S-BOX SHOULD BE ON */
   DCL COVER(5000,23) BIT(1);
   DCL COVERPROB(23) FIXED BIN(15);
   DCL (COVERPTS,SEARCHPTS)(24) FIXED BIN(15);
   DCL CURR(23) BIT(1);
   DCL XOR_RES(6) BIT(1);
   DCL AND RETURNS(BIT(1));         /* ANDING ROUTINE */
   DCL ZERO6(6) CHAR(1) INIT((6)(1)'0');
   DCL XSTR6(6) CHAR(1) INIT((6)(1)'X');
   DCL (GO,FAIL) BIT(1);            /* LOOP FLAGS */
   DCL CUMUL_TERMS(23) BIT(1);

   COVER(*,*)='0'B;
   /* TITLE */
   PUT SKIP FILE(SPRINT) EDIT('BEST-TERM SELECTION FOR S-BOX APPROXIMATION',
      (43)'*') (2 (A,SKIP));
   /* READ IN STUFF FOR S1, OUTPUT 1 FROM FILES */
   CALL READIN;

CONTRIB_CALC: BEGIN;
   /* CREATE TABLE OF CONTRIBUTIONS, INDICATING WHICH TERMS ARE ON
      FOR WHICH INPUTS */
   DCL CONTRIB(NUM_TERMS,32) BIT(1);
   DO INPCNT=1 TO 32;
      DO TERMCNT=1 TO NUM_TERMS;
         /* SINGLE S.P. TERM IS A CONJUNCT, HENCE 'ALL'. FLIP BITS WHICH
            CORR. TO A 0 IN THE TERM; OR WITH 1'S FOR DCS (X'S) IN TERMS */
         CALL XOR(ONFOR(INPCNT,*), (ZERO6 = TERMS(TERMCNT,*)), XOR_RES);
         CONTRIB(TERMCNT,INPCNT)=
            AND( (XSTR6 = TERMS(TERMCNT,*)) | XOR_RES);
      END;
   END;

   /* DUMP THE CONTRIBUTION TABLE */
   PUT PAGE FILE(SPRINT) LIST(' *** CONTRIBUTION TABLE ***');
   PUT SKIP(2) FILE(SPRINT) EDIT('TERM IS ON FOR INPUT', 'SP TERM',
      (I DO I=1 TO 32), (7)'*', (96)'*')
      (COL(40),A,SKIP,A,X(2),32 F(3),SKIP,A,X(2),A);
   PUT SKIP FILE(SPRINT) EDIT((TERMS(I,*),CONTRIB(I,*)
      DO I=1 TO NUM_TERMS))(6 A(1),X(5),32 B(3),SKIP);

   /* CREATE COVER TABLE */
   COVERPTS(1)=1;
   PUT PAGE FILE(SPRINT) LIST(' *** COVER TABLE ANALYSIS ***');
   PUT SKIP(2) FILE(SPRINT) EDIT('# SPTERMS','# OF BEST SETS',
      'CORRECTNESS',(9)'*',(14)'*',(11)'*')
      (2 (A,COL(15),A,COL(35),A,SKIP));
   DO TERMCNT=1 TO NUM_TERMS;
      COVER_CALC: BEGIN;
         DCL (NEW,OLD)(TERMCNT) FIXED BIN(15);  /* SELECTION INDICES */
         DCL NUMON FIXED BIN(15);
         DCL MOST INIT(0) FIXED BIN(15);        /* MAX OF ABOVE */
         DCL SAVE(3000,TERMCNT) FIXED BIN(15);
         DCL SAVEPTR INIT(1) FIXED BIN(15);
         DCL TEMPBITS(32) BIT(1);

         /* SETUP OLD FOR 1ST CALL TO CHOOSE */
         DO I=1 TO TERMCNT;
            NEW(I)=I;
         END;
         DO WHILE(NEW(1) ¬= 0);
            /* CALC SUM OF OR OF TERMS CHOSEN */
            TEMPBITS(*)='0'B;
            DO I=1 TO TERMCNT;
               TEMPBITS(*)= TEMPBITS(*) | CONTRIB(NEW(I),*);
            END;
            NUMON=0;
            DO I=1 TO 32;
               IF TEMPBITS(I) THEN NUMON=NUMON+1;
            END;
            IF NUMON > MOST THEN DO;
               MOST=NUMON;
               SAVE(1,*)=NEW(*);
               SAVEPTR=2;
            END;
            ELSE IF NUMON = MOST THEN DO;
               SAVE(SAVEPTR,*)=NEW(*);
               SAVEPTR=SAVEPTR+1;
            END;
            OLD=NEW;
            CALL CHOOSE(NUM_TERMS,TERMCNT,OLD,NEW);
         END;

         /* PUT THE BEST COMBINATIONS (AS SAVED IN THE SAVE ARRAY)
            INTO THE COVER TABLE */
         COVERPROB(TERMCNT)=MOST;
         DO I=0 TO SAVEPTR-2;
            DO J=1 TO TERMCNT;
               COVER(COVERPTS(TERMCNT)+I,SAVE(I+1,J)) = '1'B;
            END;
         END;
         PUT SKIP FILE(SPRINT) EDIT(TERMCNT,SAVEPTR-1, .5+MOST/64.)
            (X(2),F(4),COL(15),F(5),COL(38),F(7,3));
         COVERPTS(TERMCNT+1)=COVERPTS(TERMCNT)+SAVEPTR-1;
      END COVER_CALC;
   END;

   /* SEARCH COVER TABLE, TO DET. MONOTONICITY */
   PUT SKIP(3) FILE(SPRINT) LIST(' *** COVER TABLE ***');
   J=2;
   DO I=1 TO COVERPTS(NUM_TERMS+1)-1;
      PUT SKIP FILE(SPRINT) EDIT(I,')',COVER(I,*))
         (F(5),A,X(2),23 B(1));
      /* SKIP LINES BETWEEN 'GROUPS' */
      IF COVERPTS(J)-1 = I THEN DO;
         PUT SKIP FILE(SPRINT);
         J=J+1;
      END;
   END;

   SEARCHPTS(*)=COVERPTS(*);
   LEVEL=1;
   FAIL='0'B;
   PUT PAGE FILE(SPRINT) EDIT('COVER TABLE SEARCH',(18)'*')
      (2 (A,SKIP));
   DO WHILE(LEVEL < NUM_TERMS & ¬FAIL);
      PUT SKIP(2) FILE(SPRINT) EDIT('CONSIDERING ROW ',SEARCHPTS(LEVEL),
         ' AT LEVEL ',LEVEL)(A,F(5),A,F(3));
      CURR(*)=COVER(SEARCHPTS(LEVEL),*);
      LEVEL=LEVEL+1;
      GO='1'B;
      DO I=COVERPTS(LEVEL) TO COVERPTS(LEVEL+1)-1 WHILE(GO);
         /* IF DIFF BETWEEN CURR AND COVER(I,*) EXACTLY ONE BIT, THEN WE
            HAVE GOT THE TERM NEEDED IN THIS NEXT LEVEL: */
         DIFF=0;
         DO J=1 TO NUM_TERMS;
            IF CURR(J) ¬= COVER(I,J) THEN DIFF=DIFF+1;
         END;
         IF DIFF = 1 THEN GO='0'B;  /* QUIT, WE HAVE MATCH AT LEVEL */
      END;
      /* IF NONE FOUND AT THIS LEVEL, THEN BACKTRACK */
      IF GO THEN DO;
         PUT SKIP FILE(SPRINT) EDIT('NO MATCH FOR CURR AT LEVEL ',LEVEL)
            (A,F(3));
         LEVEL=LEVEL-1;
         SEARCHPTS(LEVEL)=SEARCHPTS(LEVEL)+1;
         IF SEARCHPTS(LEVEL)=COVERPTS(LEVEL+1) THEN DO;
            PUT SKIP(2) FILE(SPRINT) EDIT('** LEVEL ',LEVEL,' EXHAUSTED')
               (A,F(3),A);
            DO I=LEVEL TO 1 BY -1
                  WHILE(SEARCHPTS(I)+1 >= COVERPTS(I+1));
               SEARCHPTS(I)=COVERPTS(I);
            END;
            LEVEL=I+1;
            PUT SKIP FILE(SPRINT) EDIT('BACKTRACK TO LEVEL ',LEVEL)
               (A,F(3));
            SEARCHPTS(LEVEL)=SEARCHPTS(LEVEL)+1;
            /* IF FAILED ALL THE WAY BACK TO 1ST LEVEL */
            IF LEVEL=1 & SEARCHPTS(LEVEL) = COVERPTS(LEVEL+1) THEN DO;
               FAIL='1'B;
               PUT PAGE FILE(SPRINT) LIST('*** SEARCH FAILED ***');
               PUT FILE(SPRINT) DATA(SEARCHPTS,COVERPTS,CURR,COVERPROB);
               PUT SKIP(3) FILE(SPRINT) LIST('COVER TABLE');
               DO I=1 TO COVERPTS(NUM_TERMS);
                  PUT SKIP FILE(SPRINT) EDIT(I,COVER(I,*))
                     (F(6),X(2),23 B(1));
               END;
            END;
         END;
      END;
      /* ELSE CURR DID MATCH */
      ELSE DO;
         SEARCHPTS(LEVEL) = I-1;
         PUT SKIP FILE(SPRINT) EDIT('CURR MATCHES WITH COVER TERM ',
            I-1,' AT LEVEL ',LEVEL)(A,F(5),A,F(3));
      END;
   END;

   /* SEARCH WAS SUCCESSFUL, PRINT THE RANKED TERMS */
   IF ¬FAIL THEN DO;
      PUT PAGE FILE(SPRINT) LIST('*** SEARCH SUCCESSFUL ***');
      PUT SKIP(2) FILE(SPRINT) EDIT('# TERMS INCLUDED',
         'TERM SELECTION','CORRECTNESS',(16)'*',(14)'*',(11)'*')
         (2 (A,COL(22),A,COL(45),A,SKIP));
      DO I=1 TO NUM_TERMS;
         PUT SKIP FILE(SPRINT) EDIT(I,COVER(SEARCHPTS(I),*),
            .5+COVERPROB(I)/64.)
            (F(8),COL(18),23 B(1),COL(48),F(7,3));
      END;
      PUT SKIP(2) FILE(SPRINT) EDIT('TERMS IN THE ORDER OF THEIR ADDITION:')
         (A);
      CUMUL_TERMS(*)='0'B;          /* ACCUM BIT POSNS FROM COVER */
      DO I=1 TO NUM_TERMS;
         NEXTERM=0;
         DO J=1 TO 23 WHILE(NEXTERM=0);
            IF CUMUL_TERMS(J)='0'B & COVER(SEARCHPTS(I),J)='1'B
               THEN NEXTERM=J;
         END;
         PUT SKIP FILE(SPRINT) EDIT(TERMS(NEXTERM,*))
            (X(8),6 A(1));
         CUMUL_TERMS(*)=CUMUL_TERMS(*) | COVER(SEARCHPTS(I),*);
      END;
   END;
END CONTRIB_CALC;

/* XOR PROC, TO EXCLUSIVE-OR 2 BINARY VECTORS */
XOR: PROC(A,B,RES);
   DCL (A,B,RES)(*) BIT(1);
   RES = (A|B)&(¬(A&B));
END XOR;

/* AND, RETURNS 1 IFF ALL ALTS IN ARGUMENT ARRAY ARE 1 */
AND: PROC(BOOL_VEC) RETURNS(BIT(1));
   DCL (RES,BOOL_VEC(*)) BIT(1);
   DCL I FIXED BIN(15);
   RES='1'B;
   DO I=1 TO HBOUND(BOOL_VEC,1) WHILE(RES);
      IF ¬BOOL_VEC(I) THEN RES='0'B;
   END;
   RETURN(RES);
END AND;

/*******************************************************************/
/*                                                                 */
/* INPUT ROUTINE, TO READ THE S.P. TERMS FOR A GIVEN S-BOX, OUTPUT,*/
/* AND THE 32 INPUTS FOR WHICH THE OUTPUT IS 1, FROM SEQUENTIAL    */
/* MTS FILES "SP" AND "ON", RESPECTIVELY                           */
/*                                                                 */
READIN: PROC;
   DCL (SPFILE,ONFILE) FILE STREAM;
   CALL ATTACH('SPFILE=SP');
   CALL ATTACH('ONFILE=ON');
   OPEN FILE(ONFILE),FILE(SPFILE);
   NUM_TERMS=0;
   DO I=1 TO 23;   /* MAX # S.P. TERMS FOR ANY SBOX, OUTPUT IS 23 */
      GET FILE(SPFILE) EDIT(TERMS(I,*)) (6 A(1),SKIP);
      IF TERMS(I,1) ¬= ' ' THEN NUM_TERMS = NUM_TERMS+1;
   END;
   GET FILE(ONFILE) EDIT(((ONFOR(I,J) DO J=1 TO 6) DO I=1 TO 32))
      (6 B(1),SKIP);
   PUT SKIP FILE(SPRINT) LIST('SP TERMS:');
   PUT SKIP(2) FILE(SPRINT) EDIT((TERMS(I,*) DO I=1 TO NUM_TERMS))
      (6 A(1),SKIP);
   PUT SKIP(3) FILE(SPRINT) LIST('OUTPUT SHOULD BE ON FOR INPUTS:');
   PUT SKIP(2) FILE(SPRINT) EDIT(ONFOR)(6 B(1),SKIP);
   CLOSE FILE(ONFILE);
   CLOSE FILE(SPFILE);
END READIN;

/* THE CHOOSE ROUTINE RETURNS A NEW COMBINATION OF R ITEMS       */
/* CHOSEN FROM A COLLECTION OF N, GIVEN THE PREVIOUS COMB,       */
/* OLD. THE NEW COMBINATION RETURNED IS A VECTOR OF FIXED BIN    */
/* QUANTITIES. E.G., N=5 R=3 OLD=1 2 4, NEW=>1 2 5               */
/*                                                               */
CHOOSE: PROC(N,R,OLD,NEW);
   DCL (N,R,I,J) FIXED BIN(15);
   DCL (OLD,NEW)(*) FIXED BIN(15);
   DCL GO BIT(1);
   NEW=OLD;
   GO='1'B;
   DO I=R TO 1 BY -1 WHILE(GO);
      /* IF ANY POSN AT ITS MAX, INCREASE PREV POSN */
      IF OLD(I) ¬= N-R+I THEN DO;
         GO='0'B;
         NEW(I)=NEW(I)+1;
         DO J=I+1 TO R;
            NEW(J)=NEW(J-1)+1;
         END;
      END;
   END;
   IF GO THEN NEW(1)=0;   /* IF NO MORE COMBS */
END CHOOSE;
END CONTRIB;

BEST-TERM SELECTION FOR S-BOX APPROXIMATION
*******************************************

SP TERMS:   for S-box 1, Output 1

X1X010
X1X111
000X00
X00011
X11001
10X011
001X01
001X10
00X100
010X01
010X10
100X01
1001X0
X01110
110X00
11001X
101000

OUTPUT SHOULD BE ON FOR INPUTS:

000000 000100 001010 001100 001110 010010 010110 011010
000011 001001 001101 010001 010101 010111 011001 011111
100100 100110 101000 101110 110000 110010 110100 111010
100001 100011 100101 101011 110011 110111 111001 111111
COVER TABLE SEARCH
******************

CONSIDERING ROW 1 AT LEVEL 1
CURR MATCHES WITH COVER TERM 3 AT LEVEL 2

CONSIDERING ROW 3 AT LEVEL 2
CURR MATCHES WITH COVER TERM 4 AT LEVEL 3

CONSIDERING ROW 4 AT LEVEL 3
CURR MATCHES WITH COVER TERM 16 AT LEVEL 4

CONSIDERING ROW 16 AT LEVEL 4
CURR MATCHES WITH COVER TERM 79 AT LEVEL 5

CONSIDERING ROW 79 AT LEVEL 5
CURR MATCHES WITH COVER TERM 269 AT LEVEL 6

CONSIDERING ROW 269 AT LEVEL 6
CURR MATCHES WITH COVER TERM 632 AT LEVEL 7

CONSIDERING ROW 632 AT LEVEL 7
CURR MATCHES WITH COVER TERM 1088 AT LEVEL 8

CONSIDERING ROW 1088 AT LEVEL 8
CURR MATCHES WITH COVER TERM 1465 AT LEVEL 9

CONSIDERING ROW 1465 AT LEVEL 9
CURR MATCHES WITH COVER TERM 1663 AT LEVEL 10

CONSIDERING ROW 1663 AT LEVEL 10
CURR MATCHES WITH COVER TERM 1723 AT LEVEL 11

CONSIDERING ROW 1723 AT LEVEL 11
CURR MATCHES WITH COVER TERM 1731 AT LEVEL 12

CONSIDERING ROW 1731 AT LEVEL 12
CURR MATCHES WITH COVER TERM 1767 AT LEVEL 13

CONSIDERING ROW 1767 AT LEVEL 13
CURR MATCHES WITH COVER TERM 1833 AT LEVEL 14

CONSIDERING ROW 1833 AT LEVEL 14
CURR MATCHES WITH COVER TERM 1896 AT LEVEL 15

CONSIDERING ROW 1896 AT LEVEL 15
CURR MATCHES WITH COVER TERM 1929 AT LEVEL 16

CONSIDERING ROW 1929 AT LEVEL 16
CURR MATCHES WITH COVER TERM 1938 AT LEVEL 17
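The three phases of the Appendix C program (contribution table, exhaustive cover table, search for a nested sequence of best sets), redone as an added Python example; it is not the thesis's code. It assumes the standard DES S-box 1 table and the 17 SP terms printed in the run above for S-box 1, output 1; all function names are chosen here for illustration.

```python
from itertools import combinations

# DES S-box 1; row = input bits 1 and 6, column = input bits 2..5.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

# SP terms for S-box 1, output 1, as printed in the run above:
# '0'/'1' fix an input bit, 'X' is a don't-care.
SP_TERMS = [
    "X1X010", "X1X111", "000X00", "X00011", "X11001", "10X011",
    "001X01", "001X10", "00X100", "010X01", "010X10", "100X01",
    "1001X0", "X01110", "110X00", "11001X", "101000",
]

def on_inputs(sbox, outbit):
    """6-bit inputs (as strings) for which output bit `outbit` (1 = MSB) is 1."""
    ons = []
    for x in range(64):
        bits = format(x, "06b")
        row, col = int(bits[0] + bits[5], 2), int(bits[1:5], 2)
        if (sbox[row][col] >> (4 - outbit)) & 1:
            ons.append(bits)
    return ons

def covers(term, bits):
    """True if the conjunct `term` is on for the input `bits`."""
    return all(t == "X" or t == b for t, b in zip(term, bits))

def contribution_masks(terms, inputs):
    """Phase 1: one bitmask per term, bit i set if the term is on for inputs[i]."""
    return [sum(1 << i for i, b in enumerate(inputs) if covers(t, b))
            for t in terms]

def cover_table(masks):
    """Phase 2: for each set size k, (most ON-inputs covered, all best k-sets)."""
    table = []
    for k in range(1, len(masks) + 1):
        most, best = -1, []
        for combo in combinations(range(len(masks)), k):
            union = 0
            for i in combo:
                union |= masks[i]
            count = bin(union).count("1")
            if count > most:
                most, best = count, [frozenset(combo)]
            elif count == most:
                best.append(frozenset(combo))
        table.append((most, best))
    return table

def monotonic_chain(table):
    """Phase 3: depth-first search, with backtracking, for best sets of size
    1..N in which each set is the previous one plus exactly one term."""
    def extend(chain):
        if len(chain) == len(table):
            return chain
        for cand in table[len(chain)][1]:
            if chain[-1] < cand:          # proper subset: differs in one term
                found = extend(chain + [cand])
                if found:
                    return found
        return None
    for start in table[0][1]:
        found = extend([start])
        if found:
            return found
    return None

def correctness(most):
    """Fraction of the 64 inputs on which the approximation agrees with the S-box."""
    return 0.5 + most / 64.0

if __name__ == "__main__":
    table = cover_table(contribution_masks(SP_TERMS, on_inputs(S1, 1)))
    print("# SPTERMS  # OF BEST SETS  CORRECTNESS")
    for k, (most, best) in enumerate(table, 1):
        print(f"{k:9d}  {len(best):14d}  {correctness(most):11.3f}")
    chain, seen = monotonic_chain(table), set()
    print("TERMS IN THE ORDER OF THEIR ADDITION:")
    for level in chain:
        (new,) = level - seen
        seen = set(level)
        print("   ", SP_TERMS[new])
```

The per-level counts sum to 1938 best sets, the number of the last cover-table row that the search log above reaches at level 17.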
APPENDIX D
PL/I CODE FOR N-ARY TREE APPROACH TO BEST-SET DISCOVERY.

//DES JOB ',,,T=10M,L=10,10=20,R=1024K','ERIC GULLICHSEN',CLASS=1
// EXEC PL10CLG,SIZE=1024K
//PL1.SYSIN DD *
/* DISCOVERY OF SETS OF BEST TERMS FOR S-BOX APPROXIMATION */
(NOSTRG,NOSUBRG):
BEST: PROC OPTIONS(MAIN);
/***************************************************************/
/*                                                             */
/* FOR EACH OF THE 4 OUTPUTS FOR EACH OF THE 8 S-BOXES,        */
/* WHAT IS THE *BEST* S.P. APPROXIMATION USING N TERMS TO      */
/* THE REAL S-BOX.                                             */
/* IS THERE ALWAYS A BEST SET OF N TERMS WHICH IS A SUBSET     */
/* OF A BEST SET OF N+1 TERMS??                                */
/*                                                             */
/* ALGORITHM: FORM THE COVER TABLE, INDICATING WHICH OF        */
/* THE 32 INPUTS FOR WHICH THE OUTPUT SHOULD BE ON THE OUTPUT  */
/* IS INDEED ON FOR A SINGLE GIVEN TERM.                       */
/* THEN SEARCH THIS TABLE USING PARALLEL TREES, TO ATTEMPT     */
/* (FOR EACH OUTPUT OF EACH S-BOX) TO FORM A SEQUENCE OF       */
/* BEST SETS OF SIZE 1...N (N<=23 FOR ALL OUTPUTS) TO PROVE    */
/* THAT A BEST SET EXISTS AT ALL SIZES 1...N UNDER THE         */
/* PROPERTY OF MONOTONIC ADDITION OF TERMS.                    */
   DCL (SBOX,OUTBIT) FIXED BIN(15);      /* SBOX & BIT COUNT */
   DCL (SPFILE,ONFILE) FILE STREAM INPUT;
   DCL SYSPRINT FILE STREAM OUTPUT PRINT;
   DCL (NUMTERMS,                        /* # S.P. TERMS IN APPROX */
        INPCNT,                          /* IDX 1..32 FOR ON-INPUTS */
        TERMCNT) FIXED BIN(15);          /* IDX 1..N <=23 FOR TERMS */
   DCL (I,J) FIXED BIN(15);              /* LOOP COUNTERS */
   DCL SRCH_EXIST FIXED BIN(15);
   DCL ONFOR(32,6) BIT(1);               /* INPUTS WHERE SBOX IS ON */
   DCL TERMS(23,6) CHAR(1);              /* S.P. TERMS AS READ FROM FILE */
   DCL CONTRIB(23) BIT(32) ALIGNED;      /* CONTRIBUTION TABLE */
   DCL MASK BIT(32);
   DCL COMPMASK BIT(32) ALIGNED;
   DCL SAVEMASK(23) BIT(32) ALIGNED;
   DCL MASKVEC(32) BIT(1) DEFINED MASK;
   DCL TERMUSED(23) BIT(1);
   DCL NUMON(23) FIXED BIN(15);
   DCL (MAXON,BITSON,BESTON,OLDBESTON) FIXED BIN(15);
   DCL SAVEBITSON(23) FIXED BIN(15);
   /* VECTOR OF PTRS TO NODES STILL AVAIL FOR EXPANSION */
   DCL (OPEN,NEWOPEN)(20000) PTR;
   DCL (OPENHI,NEWOPENHI) FIXED BIN(15);
   DCL ZERO6(6) CHAR(1) INIT((6)(1)'0');
   DCL XSTR6(6) CHAR(1) INIT((6)(1)'X');
   DCL XORES(6) BIT(1);
   DCL TEMPBIT BIT(1);
   /* ORDER IN WHICH TO MONOTONICALLY ADD TERMS */
   DCL ORDER(8,4,23) FIXED BIN(15);
   DCL CUMON(23) FIXED BIN(15);          /* # BITSON IN ORDER */
   DCL PRTMASK(23) BIT(32) ALIGNED;
   DCL (P,TOP,CURR,NEW,PREV,FINI) PTR;
   /* N-ARY TREE NODE STRUCTURES: */
   /* LINK NODE STRUCTURE FOR LIST OF POINTERS */
   DCL 1 LKNODE BASED,
         2 SON PTR,
         2 LINK PTR;
   /* NODE STRUCTURE TO CONTAIN A TERM */
   DCL 1 NODE BASED,
         2 TERM FIXED BIN(15),           /* TERM # */
         2 ORMASK BIT(32),               /* CUMUL OUTPUTS COVERED */
         2 FATHER PTR,                   /* TO FATHER NODE */
         2 LINK PTR;
   DCL (GO,FIRST,NOTFND) BIT(1);         /* FLAGS */
   DCL (SUBSTR,NULL,SUM,EMPTY,ALL,HBOUND,FLOAT) BUILTIN;
   /* AREA IN WHICH TO BUILD THE TREE */
   DCL TREE AREA(512000);

   ON AREA BEGIN;
      PUT SKIP(2) FILE(SYSPRINT) LIST('*** AREA OVERFLOW ***');
      STOP;
   END;
   OPEN FILE(SPFILE) TITLE('SPFILE');
   OPEN FILE(ONFILE) TITLE('ONFILE');

   /* LOOP FOR EACH OF THE 4 OUTPUTS OF EACH SBOX */
   DO SBOX=1 TO 1;
   DO OUTBIT=1 TO 4;
      CALL READIN;   /* READ IN SPTERMS AND ONFOR */
      /* FORM TABLE OF CONTRIBUTIONS, INDICATING WHICH TERMS ARE ON
         FOR WHICH INPUT */
      NUMON(*)=0;
      DO INPCNT=1 TO 32;
         DO TERMCNT=1 TO NUMTERMS;
            CALL XOR(ONFOR(INPCNT,*), (ZERO6=TERMS(TERMCNT,*)), XORES);
            TEMPBIT=AND( (XSTR6=TERMS(TERMCNT,*)) | XORES);
            SUBSTR(CONTRIB(TERMCNT),INPCNT,1)=TEMPBIT;
            IF TEMPBIT THEN NUMON(TERMCNT) = NUMON(TERMCNT) + 1;
         END;
      END;

      /* DUMP THE CONTRIBUTION TABLE */
      PUT PAGE FILE(SYSPRINT) LIST(' *** CONTRIBUTION TABLE***');
      PUT SKIP(2) FILE(SYSPRINT) EDIT('SP TERM','INPUT COVER',
         (7)'*',(32)'*')(A,COL(23),A,SKIP,A,COL(12),A);
      PUT SKIP FILE(SYSPRINT) EDIT((TERMS(I,*),CONTRIB(I),NUMON(I)
         DO I=1 TO NUMTERMS))(6 A(1),X(5),B(32),F(6),SKIP);

      /* FORM TOP LEVEL OF TREE FROM SINGLE TERMS WITH MOST 1'S */
      OPENHI=1;   /* SET HI PTR FOR OPEN NODES */
      MAXON=LARGEST(NUMON);
      FIRST='1'B;
      DO I=1 TO NUMTERMS;
         IF MAXON=NUMON(I) THEN DO;
            ALLOC LKNODE SET(CURR) IN(TREE);
            IF FIRST THEN DO;
               FIRST='0'B;
               PREV,TOP=CURR;
            END;
            ALLOC NODE SET(P) IN(TREE);
            P->NODE.TERM=I;
            P->NODE.FATHER=NULL;   /* NO FATHER FOR TOP LEVEL */
            P->NODE.ORMASK=CONTRIB(I);
            CURR->LKNODE.SON=P;
            OPEN(OPENHI)=P;        /* PUT INTO OPEN VECTOR */
            OPENHI=OPENHI+1;
            PREV->LKNODE.LINK=CURR;
            PREV=CURR;
         END;
      END;
      CURR->LKNODE.LINK=NULL;   /* LAST LINK POINTER SET NULL */

      /* PROCESS ALL NODES IN OPEN VECTOR TO GET TO NEXT LEVEL IN TREE */
      OLDBESTON=0;
      GO='1'B;
      DO WHILE(GO);
         BESTON=0;
         DO I=1 TO OPENHI-1;   /* FOR ALL NODES IN OPEN VECTOR */
            FIRST='1'B;
            /* FIND OUT HOW MANY ON IN ORMASK, GIVEN NEXT BEST TERM CHOICE */
            COMPMASK=OPEN(I)->NODE.ORMASK;
            MAXON=0;
            DO J=1 TO NUMTERMS;
               SAVEMASK(J),MASK = COMPMASK|CONTRIB(J);
               SAVEBITSON(J),BITSON=SUM(MASKVEC);
               IF BITSON > MAXON THEN MAXON=BITSON;
            END;
            /* IF BETTER THAN ANYTHING YET ON NEWOPEN, RESET NEWOPEN */
            IF MAXON > BESTON THEN DO;
               BESTON=MAXON;
               NEWOPENHI=1;
            END;
            /* IF BETTER OR AS GOOD, ADD TO NEWOPEN LIST */
            IF MAXON >= BESTON THEN DO;
               PREV=OPEN(I);
               DO J=1 TO NUMTERMS;
                  IF SAVEBITSON(J) = MAXON THEN DO;
                     /* EXAMINE NEWOPEN POINTER VECTOR TO DETERMINE IF
                        MASK TO BE ADDED HAS ALREADY BEEN ADDED AT THIS
                        LEVEL. IF NOT, ADD IT TO THE TREE */
                     NOTFND='1'B;
                     DO SRCH_EXIST=1 TO NEWOPENHI-1 WHILE(NOTFND);
                        IF SAVEMASK(J)=NEWOPEN(SRCH_EXIST)->NODE.ORMASK
                           THEN NOTFND='0'B;
                     END;
                     /* ADD IT, IF NOT FOUND */
                     IF NOTFND THEN DO;
                        ALLOC LKNODE SET(CURR) IN(TREE);
                        /* PREV MAY PT TO NODE OR LKNODE: */
                        IF FIRST THEN DO;
                           FIRST='0'B;
                           PREV->NODE.LINK=CURR;
                        END;
                        ELSE PREV->LKNODE.LINK=CURR;
                        PREV=CURR;
                        ALLOC NODE SET(P) IN(TREE);
                        CURR->LKNODE.SON=P;
                        P->NODE.TERM=J;
                        P->NODE.ORMASK=SAVEMASK(J);
                        P->NODE.FATHER=OPEN(I);
                        /* SEE IF DONE YET */
                        IF SAVEBITSON(J) = 32 THEN DO;
                           GO='0'B;
                           FINI=P;   /* LAST NODE FOR TRACEBACK */
                        END;
                        /* INSERT INTO NEWOPEN LIST */
                        NEWOPEN(NEWOPENHI)=P;
                        NEWOPENHI=NEWOPENHI+1;
                     END;
                  END;   /* OF SAVEBITSON IF */
               END;   /* OF J FORLOOP */
               CURR->LKNODE.LINK=NULL;
            END;
         END;
         /* TRANSFER NEWOPEN TO OPEN */
         DO I=1 TO NEWOPENHI-1;
            OPEN(I)=NEWOPEN(I);
         END;
         OPENHI=NEWOPENHI;

         /* DEPTH-FIRST SHORTCUT: IF ONLY ONE BIT ADDED TO ANY ORMASK
            DURING THIS ITERATION TO GENERATE NEW TREE LEVEL, WE MAY
            IMMEDIATELY PENETRATE D1ST TO END OF TREE, ADDING ANY
            TERM NOT YET ON A BEST PATH */
         IF OLDBESTON+1 = BESTON THEN DO;
            GO='0'B;   /* STOP THE SEARCH */
            CURR=NEWOPEN(1);
            /* FORM MASK TO TERMS USED IN BEST PATH SO FAR */
            TERMUSED(*)='0'B;
            DO WHILE(CURR ¬= NULL);
               TERMUSED(CURR->NODE.TERM)='1'B;
               CURR=CURR->NODE.FATHER;
            END;
            /* FORM A D1ST PATH TO LEVEL N */
            COMPMASK=NEWOPEN(1)->NODE.ORMASK;
            CURR=NEWOPEN(1);
            DO J=1 TO NUMTERMS;
               IF ¬TERMUSED(J) THEN DO;
                  ALLOC NODE SET(P) IN(TREE);
                  P->NODE.TERM=J;
                  P->NODE.ORMASK=COMPMASK|CONTRIB(J);
                  COMPMASK=P->NODE.ORMASK;
                  P->NODE.FATHER=CURR;
                  CURR=P;
               END;
            END;
            FINI=CURR;   /* SET LAST POINTER */
         END;
         ELSE OLDBESTON=BESTON;   /* ELSE CONTINUE TREE BUILDING */
      END;   /* WHILE LOOP FOR PROCESSING TREE */

      /* WHILE LOOP TERMINATED AS SOME ORMASK WAS ALL 111...1
         TRACEBACK FROM FINI BY FATHER LINKS */
      CURR=FINI;
      DO I=NUMTERMS TO 1 BY -1;
         ORDER(SBOX,OUTBIT,I)=CURR->NODE.TERM;
         PRTMASK(I),MASK=CURR->NODE.ORMASK;   /* SAVE THE COVER */
         CUMON(I)=SUM(MASKVEC);
         CURR=CURR->NODE.FATHER;
      END;
      /* PRINT TERMS IN ORDER OF ADDITION, TOGETHER WITH THE VALUES
         INDICATING PROBABILITY OF CORRECTNESS */
      PUT PAGE FILE(SYSPRINT) EDIT('# TERMS INCLUDED','INPUT COVER',
         'CORRECTNESS',(16)'*',(14)'*',(11)'*')
         (2 (A,COL(25),A,COL(55),A,SKIP));
      DO I=1 TO NUMTERMS;
         PUT SKIP FILE(SYSPRINT) EDIT(ORDER(SBOX,OUTBIT,I),PRTMASK(I),
            .5+FLOAT(CUMON(I),6)/64.)
            (F(8),COL(21),B(32),COL(56),F(7,3));
      END;
      PUT SKIP(2) FILE(SYSPRINT) LIST('+++ END OF TABLE +++');
      TREE=EMPTY;   /* FREE ENTIRE TREE BY EMPTYING AREA */
   END;   /* OUTBIT LOOP */
   END;   /* SBOX LOOP */
   CLOSE FILE(ONFILE),FILE(SPFILE);

/***************************************************************/
/*                                                             */
/* INPUT ROUTINE, TO READ THE SP TERMS AND THE SET OF 32       */
/* INPUT VALUES FOR WHICH THE OUTPUT SHOULD BE ON, FOR THE     */
/* S-BOX AND OUTPUT PAIRS, SEQUENTIALLY.                       */
/*                                                             */
READIN: PROC;
   NUMTERMS=0;   /* # OF TERMS IN THIS APPROX */
   DO I=1 TO 23;
      GET FILE(SPFILE) EDIT(TERMS(I,*)) (6 A(1),SKIP);
      IF TERMS(I,1) ¬= ' ' THEN NUMTERMS=NUMTERMS+1;
   END;
   GET FILE(ONFILE) EDIT(((ONFOR(I,J) DO J=1 TO 6) DO I=1 TO 32))
      (6 B(1),SKIP);
   /* ECHO THE INPUT */
   PUT PAGE FILE(SYSPRINT) ...   /* REST OF THIS S-BOX/OUTPUT HEADING STATEMENT IS ILLEGIBLE IN THE SCAN */
   PUT SKIP(3) FILE(SYSPRINT) LIST('SUM-OF-PRODUCT TERMS:');
   PUT SKIP(2) FILE(SYSPRINT) EDIT((TERMS(I,*) DO I=1 TO NUMTERMS))
      (6 A(1),SKIP);
   PUT SKIP(3) FILE(SYSPRINT) LIST('OUTPUT SHOULD BE ON FOR INPUTS:');
   PUT SKIP(2) FILE(SYSPRINT) EDIT(ONFOR)(6 B(1),SKIP);
END READIN;

/***************************************************************/
/* FOR TABLE OF CONTRIBUTIONS, INDICATING WHICH TERMS          */
/* AND RETURNS 1 IFF ALL ALTS IN ARGUMENT ARRAY ARE 1          */
/***************************************************************/
AND: PROC(BOOL_VEC) RETURNS(BIT(1));
   DCL (RES,BOOL_VEC(*)) BIT(1);
   DCL I FIXED BIN(15);
   RES='1'B;
   DO I=1 TO HBOUND(BOOL_VEC,1) WHILE(RES);
      IF ¬BOOL_VEC(I) THEN RES='0'B;
   END;
   RETURN(RES);
END AND;

/***************************************************************/
/* RETURN LARGEST ELEMENT IN A FIXED BIN VECTOR                */
/***************************************************************/
LARGEST: PROC(FBVEC) RETURNS(FIXED BIN(15));
   DCL (I,BIG,FBVEC(*)) FIXED BIN(15);
   BIG=FBVEC(1);
   DO I=2 TO HBOUND(FBVEC,1);
      IF FBVEC(I) > BIG THEN BIG=FBVEC(I);
   END;
   RETURN(BIG);
END LARGEST;

/***************************************************************/
/* XOR PROC TO XOR 2 BINARY VECTORS                            */
/***************************************************************/
XOR: PROC(A,B,RES);
   DCL (A,B,RES)(*) BIT(1);
   RES=(A|B)&(¬(A&B));
END XOR;
END BEST;
//GO.SPFILE DD DSN=GULLICH.DES.SPTERMS,DISP=SHR
//GO.ONFILE DD DSN=GULLICH.DES.ONFOR,DISP=SHR

APPENDIX E
APL ROUTINES FOR BOOLEAN MINIMIZATION BY SPECTRAL TRANSLATION

∇ B←BASIS S;BIG;POS;N;K
⍝
⍝ GIVEN VECTOR S OF SPECTRAL COEFFICIENTS, RETURN BASIS MTX. B
⍝ INDICATING REQUIRED SPECTRAL TRANSLATIONS TO MAXIMIZE PRIMARY
⍝ COEFFICIENTS
B←(0,N←2⍟⍴S)⍴0
S←|S
S[1]←0
⍝
⍝ LOOP UNTIL WE HAVE N BASIS VECTORS
⍝
LOOP: BIG←⌈/S
S[POS←S⍳BIG]←0
B←B,[1] POS←(N⍴2)⊤¯1+POS
⍝
⍝ REMOVE ALL LINEAR (XOR) COMBS OF BASIS VECTORS
⍝ FROM FURTHER POSSIBLE CONSIDERATION
K←1
REM: 5 [ l + 2 i ^ * / [ 2 ] BtK COMB I T p S ; ] > 0
→((K←K+1)≤1↑⍴B)/REM
→(N≠1↑⍴B)/LOOP
⍝ TRANSPOSE AND INVERT TO GET BASIS
B←INVERSE⍉B
∇

∇ R←M COMB N
→(M=1,N)/L1,R1
R←1+(0,(M-1) COMB N-1),[1] M COMB N-1
→0
L1:R-(xN)o.xxi

R1:R-( i l j o . x ^
∇

∇ Z←COMPLEXITY SPECTRUM;N;ORDER
N←2⍟⍴SPECTRUM
ORDER←+⌿(6⍴2)⊤¯1+⍳2*6
Z←(N×2*N)-(÷2*N-2)×ORDER+.×SPECTRUM*2
∇

∇ F←FUNC R;P
⍝
⍝ GIVEN SPECTRAL COEFFS, RETURN CORR. MINTERMS NUMBERS
⍝
F←(÷⍴R)×(TRANS 2⍟⍴R)+.×R
F←F/¯1+⍳⍴R
∇

∇ Z←HAD N;K
Z←1 1⍴1
K←0
LOOP: →(K=N)/0
Z←(Z,Z),
[ l ] Z.-Z [ 5 ] K-K+l C6] -»-£Cc9P V 207 V R—INV ERSE MAT [ 1] A THIS FUNCTION WILL TAKE ANY MATRIX AND RETURN : [ 2] A 1) THE INVERSE OF THE MATRIX IF IT EXISTS [ 3 ] A 2) A 0 MATRIX OTHERWISE I 4] A CHECK 3 EXIT CONDITIONS : [ 5 ] A 1) MATRIX=0 [ 6 ] fl 2) MATRIX IS NOT SQUARE [ 7 ] n 3) MATRIX IS SCALAR OR NOTHING C 8] ->(~((A/h/nCT> \MAT)v ({l + pMAT)*Cl*pMAT))v(0 = ppMAT)))/START [ 9 ] A RETURN THE 0x0 MATRIX [10] Jf* 0 0 pO [11] +0 [12] n NOW WE KNOW THAT MAT IS SQUARE AND * 0 [13] A SAVE DIMENSIONS [14] START:N-lipMAT [15] A CATENATE IDENTITY TO MAT [16] MAT-MAT,((\N)°.=\N) [17] A REDUCE MAT TO REDUCED ROW ECHELON FORM, WHICH IN A SQUARE MATRIX [18] A IS EQUIVALENT TO TRIANGULATION. [19] MAT-N REDROWECH MAT [20] A CHECK THAT THERE ARE NO 0 ROWS IN FIRST N COLUMNS [21] A I.E. RANK(MAT)=N [22] A FOR NON-SINGULARITY [23] -(N=MATRANK((N,N)iMAT))/OKAY [24] A FLSF. RETURN THE 0x0 MATRIX [25] i?+ 0 0 pO [26] -»-0 [27] 0O7:it«-( 0 ,N) *MAT V V R-MATRANK MAT [1] fl TtflS FUNCTION WILL DETERMINE THE RANK OF A GIVEN MATRIX [2] n PUT MATRIX IN ROW ECHELON FORM [3] MAT-CltpMAT) ROWECH MAT [4] R-+/v/(UCT<MAT) [5] -0 V 208 7 NEWLS-BAS MAXPRIM S ill ft GIVEN A BASIS MTX. AND VECTOR OF SPECTRAL COFFFS <? [ 3 ] NEWL\S-SLH + 2IB AS*. A ( 6 P 2 ) T " 1 + I 6 4 ] ' V V /?-<-# RED ROW ECH MAT [ l ] ft T#IS FUNCTION WILL REDUCE ANY GIVEN MATRIX TO A I 21 ft REDUCED ROW ECHELON FORM. C 3] ft REDUCE MATRIX TO ROWECH FIRST [ 4 ] MAT-N ROWECH MAT [ 5 ] ft CHECK 3 CONDITIONS TO EXIT : [ 6 ] P I 1) VECTOR [ 7 ] ft 2) KATRIX-0 [ 8 ] ft 3) SCALAR OR NOTHING [ 9] n [ 1 0 ] - ( - ( (l=ppMAT)v(*/*/DCT>\MAT)v (0 = ppMAT) ) )/ROWCHK [ 1 1 ] i?«-AMr [ 1 2 ] -*0 [ 1 3 ] ft CHECK LAST ROW : I F =0 RECURSE ON SMALLER [ I t ] ft MATRIX OF M-l ROWS, N COLUMNS [ 1 5 ] ROWCHK:-(*/UCT> \MATllfpMAT;xNl)/RECURSE [ 1 6 ] ft ELSE START REDUCING THIS ROW [ 1 7 ] n ALL THE ELEMENTS ABOVE THE IS [ 1 8 ] n FIND COLUMN NUMBER WHERE FIRST NON ZERO ELEMENT IS. 
[ 1 9 ] NZC—((UCT<|MATL1ipMAT;\Nl))\1 [ 2 0 ] ft ZERO OUT ELEMENT ABOVE THIS 1 JUST FOUND [ 2 1 ] TEMP-( ( ( " l + l + p A M D . (""ltpAfdT) ) p , ( ( -AMT[ x ~1 + 1 + pAM!T; tfZc?] ) o . xMA TlUpMAT'.D) [ 2 2 ] MAT[ \ ~ 1 + 1 +pM AT ;l-2\ M ATI \ ~ 1 + 1 +pM AT', 1 + TEMP [ 2 3 ] ft RECURSE ON SMALLER MATRIX [ 2 4 ] RECURSE:R-(N REDROWECH (. (. C 1 + 1+pMAT) ,(~l + pMAT) ) +MAT) ) , [ 1 ] ( A M !T[ l ^ p A ^ T ; ] ) [ 2 5 ] ft 7 209 V R+N ROWECH MAT [ 1] A THIS FUNCTION WILL ACCEPT ANY MATRIX AND PUT THE FIRST [ 2 ] fl N COLUMNS IN ROW-ECHELON FORM. C 3 ] n [ 4 ] fl CHECK 2 EXIT CONDITIONS : [ 5 ] A 1) MATRIX=0 [ 6] -*(~A/A/rjCT> | ( ( ( UpMAT) ,N)\MAT) )/NEXT [ 7] R+MAT C 8 ] -»-0 [ 9 ] n 2) A^T 15 A SCALAR OR NOTHING AT ALL [10] NEXT:-*(~0 = ppMAT) /START [11] fl-'-AMT [12] -»-0 [13] fl [14] fl CHECK THAT THE NUMBER OF COLUMNS PROCESSED IS <N [15] START:+(.N=0 )/0 [16] fl [17] fl FIND FIRST NON-ZERO ELEMENT : [18] fl NZC - NON ZERO COLUMN INDEX [19] n NZR - NON ZERO ROW INDEX [20] NZC+-( v/UCT< | ( {{UpMAT) ,N)+MAT) )xl [21] NZR-{UCT<\MATl-,NZC] ) xl [22] n SWITCH TO PUT ELEMENT AlNZR,NZC] INTO All,NZC] [23] MATll,NZR',]-MATiNZR ,1;] [24] fl MAKE All,NZC]-l [25] MATHi]-MATll;]iMATll;NZC] [26] R MAKE COL=NZC ALL ZEROES UNDER All,NZC] [27] MATl l + i ~ l + l tpAMT; ]«-2 I MATl 1 + x ~l + l + pMAT; ] + ( -A7M2"[ 1 + x ~1 +1 + p MAT; A/ZC] )» . xMATl 1;] [28] fl RECURSE ON SMALLER MATRIX [29] /?*Af/r[l;].Cl](0,((W-l) ROWECH ( 1 1 +AMD ) ) [30] n V ,210 7 SPECTRALLMIN;BOX;BIT;S;NEWSiF-.BAS;SPFORM [ 1 ] COMPLOLD-COMPLNEW-xO [ 2 ] NTERMSLOLD-NTERMSLNEW-xO [ 3 ] NDCOLD-NDCNEW-0 I 4 ] [ 5 ] BOXLOOP'.BIT-l [ 6 ] BITLOOP:'» [ 7 ] 'FCtf - , ( f f l O * ) . 
' OUTPUT '.iBIT [ 8 ] » • [ 9 ] 1 ' [ 1 0 ] 'MINTERMS:' [ 1 1 ] ( B I T OUTPUT SBOXtBOX;;])/"l+t64 [ 1 2 ] •» [ 1 3 ] 'Qtf MINIMIZATION:1 [ 1 4 ] «3W PRIMIMP BIT ON BINARY SBOXlBOX;;] [ 1 5 ] Q-SPFORM-SELECTLALTS [ 1 6 ] NTERMS LOLD-NTERMSLOLD,HpSPFORM [ 1 7 ] NDC0LD-NDC0LD++/+I1X1-SPFORM [ 1 8 ] [ 1 9 ] " [ 2 0 ] 'SPECTRUM:1 ['21] US-SPECTRUM BOX .BIT [ 2 2 ] C0MPL0LD-C0MPL0LD.COMPLEXITY S [ 2 3 ] 'COMPLEXITY: 1,1~1+C0MPL0LD [ 2 4 ] •« [ 2 5 ] •» [ 2 6 ] 'SPECTRAL TRANSLATION BASIS (g<$) ' [ 2 7 ] ••Bi45*fl>I5I5 5 [ 2 8 ] " [ 2 9 ] ' ' [ 3 0 ] 'TRANSLATED SPECTRUM:' [ 3 1 ] D-NEWS-BAS MAXPRIM S [ 3 2 ] C OM P LN EW—C OM P LN EW.COMPLEXITY NEWS [ 3 3 ] 'COMPLEXITY: ' , l ~ l + COMPLNEW [ 3 4 ] " [ 3 5 ] 'MINTERMS 'FOR TRANSLATED FUNCTION:' [ 3 6 ] 0-F-FUNC A/£VS [ 3 7 ] [ 3 8 ] ' CA/ MINIMIZATION FOR TRANSLATED FUNCTION:' [ 3 9 ] fiA/ PRIMIMP<S)(6p2)TF [ 4 0 ] D—SPFORM—SELECTLALTS [ 4 1 ] N TERMS LN EW—NTERMS LNEW.lfpSPFORM [ 4 2 ] " NDCNEW-NDCNEW++/+/'X'=SPFORM [ 4 3 ] 5 p r j T C [ 2 ] [ 4 4 ] n [ 4 5 ] •+UBIT-BIT+DSH)/BITLOOP [ 4 6 ] -*-( ( B O X « - B 0 X + 1 )<8 )/B0XLOOP [ 4 7 ] 'NUMBER OF P-TERMS PER FUNCTION BEFORE:' 211 [ 4 8 ] [ 4 9 ] [ 5 0 ] [ 5 1 ] [ 5 2 ] [ 5 3 ] NTERMSAOLD ^AVG. NUMBER OF DC PER P-TERM ' , •( +/NTERMSLOLD)iNDCOLD 'NUMBER OF P-TERMS PER FUNCTION AFTER-' NTERMSANEW ^AVG. NUMBER OF DC PER P-TERM '(+/NTERMSLNEW)*NDCNEW [ 1 ] [ 2 ] [ 3 ] V A R+-SPECTRUM BOXOUT-,F A GIVEN S-BOX AND OUTPUT BIT, RETURN THE 64 SPECTRAL COEFFS R*-(TRANS 2*pF) + .xF-B0X0UTl2_] OUTPUT SBOXl BOXOUTl 1] ; ; ] V Z-TRANS N-.Q [ 1 ] Z - ( l , l ) p l [ 2 ] - ( A / < l ) / 0 [ 3 ] Q-TRANS N-l [ 4 ] Z+(C.e).[l](C.-«3) V V Z-XOR VEC [ 1 ] A RETURN XOR OF THE BITS IN VECTOR VEC [ 2 ] Z«-0*2 \ +/VEC V • [ 1 ] [ 2 ] [ 3 ] [ 4 ] [5 ] [6 ] [7 ] [8 ] V Z-B XORMAP INPS'.R-,C A TO MAP N*S MTX OF INPUTS THROUGH TREE OF XORS A AS REPRESENTED BY TRANSLATION MATRIX B Z+(pINPS)pO R-l RLOOP-.C-l CLOOP:ZlR;Cl+-XOR BlC;]/INPSlR;] •+( (C+-C+1 )<6)/CL00P •+(. 
(R+-R+1 )41 + pINPS) IRLOOP V
END OF APPENDIX

APPENDIX F

PL/I ROUTINES FOR UNIDIRECTIONAL KEY SEARCH

//DES JOB ',,,T=5M,L=15,IO=20,R=768K','ERIC GULLICHSEN',CLASS=1
// EXEC PL10CG,SIZE=768K
//PLI.SYSIN DD *
/* SEARCH TREE APPROACH TO GIVEN PLAINTEXT DES ATTACK */
/* RECURSIVE BACKTRACK SEARCH TREE TO DISCOVER K FROM KNOWN P-C
   PAIRS. B1ST EXPANSION OF NECESSARILY CONJUNCTIVE CONDITIONS,
   VIRTUAL D1ST EXPANSION AT CHOICE POINTS WITH FATHER POINTERS TO
   ENABLE BACKTRACKING ON FAILURE.
   6 TYPES OF NODES, TO REPRESENT THE VARIOUS STRUCTURES IN THE
   DES ENCRYPTION */
SEARCH: PROC OPTIONS(MAIN) REORDER;
DCL TREE AREA(384000);   /* AREA FOR TREE GROWTH */
/* FILES */
DCL SYSPRINT FILE STREAM OUTPUT PRINT;
DCL (SPFILE,SPCFILE,KSFILE,PCFILE) FILE STREAM INPUT;
/* Q OF POINTERS TO "OPEN" NODES I.E. THOSE REQ. EXPANSION */
DCL (OPEN,OPENEND) PTR;   /* TO START AND END OF Q */
DCL (OPENCURR,OPENPREV) PTR;
DCL 1 OPENNODE BASED,
      2 NODE PTR,
      2 LINK PTR;
/* DES BLOCKS */
DCL KEY(64) CHAR(1) INIT((64)(1)' ');   /* K TO DISCOVER IN SEARCH */
DCL (PTEXT,CTEXT)(64) BIT(1);           /* KNOWN P-C PAIR */
DCL NUMNODES FIXED BIN(31) INIT(0);     /* # OF NODES EXPANDED */
DCL SPTERMS(32,23,6) CHAR(1);           /* S.P. APPROX. TO S-BOXES */
DCL SPCTERMS(32,23,6) CHAR(1);          /* S.P. APPROX. TO S-BOX COMPL */
DCL MAXPTERMS FIXED BIN(15) INIT(0);    /* MAX PTERMS IN ANY SP FORM */
DCL KEYPERM(16,48) FIXED BIN(15);       /* KEY BIT SELECTION INDICES */
/* INVERSES OF PERMUTATIONS IN DES ALGO */
DCL E_PERM_INV(48) FIXED BIN(15) INIT(32,1,2,3,4,5,4,5,6,7,8,9,8,9,
   10,11,12,13,12,13,14,15,16,17,16,17,18,19,20,21,20,21,
   22,23,24,25,24,25,26,27,28,29,28,29,30,31,32,1);
DCL P_PERM_INV(32) FIXED BIN(15) INIT(16,7,20,21,29,12,28,17,
   1,15,23,26,5,18,31,10,2,8,24,14,32,27,3,9,19,13,30,6,22,11,4,25);
DCL (NULL,TRUNC,REPEAT,MAX) BUILTIN;
/* TREEDUMP */ DCL TOP(64) PTR;   /* PTRS TO TREE TOP LEVEL */
/* HOW MANY DES ROUNDS WERE USED TO GENERATE CTEXT? */
DCL NUM_ENCRY_RNDS FIXED BIN(15) INIT(2);

/* DECLARATIONS OF TYPES OF NODES IN SEARCH TREE */
/* 'SUPER' NODE IS A SET OF DESCRIPTOR FIELDS ASSOCIATED WITH
   EACH NODE IN THE SEARCH TREE. CONTENTS INCLUDE A TYPE CODE,
   POINTER TO ACTUAL NODE, AND FIELDS COMMON TO ALL TYPES */
DCL 1 SUPER BASED,
      2 TYPE CHAR(1),        /* NODE TYPE */
      2 POS FIXED BIN(15),   /* POSITION [1,32] IN BLOCK */
      2 LVL FIXED BIN(15),   /* LEVEL IN ENCRYPTION */
      2 FATHER PTR,          /* FATHER POINTER */
      2 OPENQ PTR,           /* -> TO OPENNODE */
      2 NODE PTR;            /* -> TO ACTUAL NODE */
DCL 1 RNODE BASED,           /* TYPE 'R' NODE */
      2 VAL BIT(1),          /* VALUE OF NODE FROM [0,1] */
      2 COUNT FIXED BIN(15) INIT(0),   /* # TIMES EXPANDED [0,2] */
      2 LPTR PTR INIT(NULL),
      2 RPTR PTR INIT(NULL);
DCL 1 FNODE BASED,           /* TYPE 'F' NODE */
      2 VAL BIT(1),
      2 TERMNUM FIXED BIN(15) INIT(0),   /* # OF SP TERM CONSIDERED */
      2 XPTR(6) PTR INIT((6) NULL);      /* ->'S TO X NODES OF SP TERM */
DCL 1 XNODE BASED,           /* TYPE 'X' NODE */
      2 VAL BIT(1),
      2 COUNT FIXED BIN(15) INIT(0),
      2 RPTR PTR INIT(NULL);
ON ERROR BEGIN;
   PUT FLOW;             /* FOR CHECKOUT */
   CALL TREEDUMP(TOP);   /* DUMP ENTIRE SEARCH TREE */
   STOP;
END;

/* MAINLINE */
CALL SETUP;   /* PERFORM READS AND CREATE TREE TOP LVL */
OPENCURR=OPEN;
DO WHILE(OPENCURR~=NULL);   /* PROCESS Q WHILE IT IS NOT EMPTY */
   CALL EXPAND(OPENCURR->OPENNODE.NODE);   /* EXPAND CURR NODE */
   OPENCURR=OPENCURR->OPENNODE.LINK;       /* LOOK AT NEXT NODE */
   FREE OPEN->OPENNODE;   /* DESTROY PROCESSED NODE POINTER */
   OPEN=OPENCURR;         /* MOVE START POINTER ALONG */
END;
/* PRINT RESULTS */
PUT SKIP(2) FILE(SYSPRINT) EDIT('TOTAL # OF NODES EXPANDED ',NUMNODES)
   (A,F(9));
PUT SKIP(2) FILE(SYSPRINT) EDIT('ENCRYPTION KEY DISCOVERED: ',KEY,
   (64)'.')(A,SKIP,X(10),64 A,SKIP,X(10),A);
CALL TREEDUMP(TOP);   /* PRINT COMPLETED SEARCH TREE */
/* */

/* SELECTION FUNCTION, TO CALL PROPER EXPANSION ROUTINE, BASED ON
   THE TYPE OF THE NODE TO BE EXPANDED.
   INPUTS: CURR = POINTER TO SUPER NODE FOR NODE TO EXPAND */
EXPAND: PROC(CURR) RECURSIVE;
   DCL CURR PTR;
   /* DEBUG */ CALL DUMP(CURR);
   CURR->SUPER.OPENQ=NULL;   /* REMOVE ITS REF. TO Q NODE */
   SELECT(CURR->SUPER.TYPE);
      WHEN('R') CALL R_EXPAND(CURR);
      WHEN('F') CALL F_EXPAND(CURR);
      WHEN('X') CALL X_EXPAND(CURR);
   END;
END EXPAND;

/* DEBUG */
DUMP: PROC(CURR);   /* DUMP SUPER DATA ABOUT NODE (CURR) */
   DCL CURR PTR;
   DCL COUNT FIXED BIN(31) STATIC INIT(0);   /* # NODES EXPANDED */
   IF CURR=NULL THEN PUT SKIP FILE(SYSPRINT) LIST(' NULL ---');
   ELSE DO;
      PUT SKIP FILE(SYSPRINT) EDIT(COUNT,')','TYPE:',CURR->SUPER.TYPE,
         ' POS: ',CURR->SUPER.POS,' LVL: ',CURR->SUPER.LVL)
         (F(6),A,X(5),A,X(1),A,A,F(4),A,F(5));
      COUNT=COUNT+1;
   END;
END DUMP;

/* TREEDUMP: A ROUTINE TO PRINT THE ENTIRE SEARCH TREE, BY
   RECURSIVE INORDER TRAVERSAL. USED FOR DIAGNOSTIC PURPOSES ON
   ERROR */
TREEDUMP: PROC(TOP);
   DCL TOP(64) PTR;   /* POINTERS TO TREE TOP LEVEL */
   DCL (K,LEVEL) FIXED BIN(15);
   DCL SIZE FIXED BIN(31);   /* # OF NODES IN TREE */
   SIZE=0;
   PUT PAGE FILE(SYSPRINT) EDIT('TREEDUMP',(8)'*')(2 (X(50),A,SKIP));
   PUT SKIP(2) FILE(SYSPRINT) EDIT('ENCRYPTION KEY: ',KEY,(64)'-')
      (65 A,SKIP,X(16),A);
   DO K=1 TO 64;   /* FOR ALL TOP LEVEL NODES IN TREE */
      LEVEL=0;
      PUT SKIP(3) FILE(SYSPRINT) EDIT('FROM CIPHERTEXT BIT: ',K,
         (23)'-')(A,F(2),SKIP,A);
      CALL NODEPRT(TOP(K));
   END;
   PUT SKIP(2) FILE(SYSPRINT) LIST('@@@@@ TOTAL # OF NODES IN TREE: ',
      SIZE);

   /* NODEPRT: PRINT NODE POINTED AT BY P, THEN RECURSIVELY
      EXPAND THE SUBTREE FROM P */
   NODEPRT: PROC(P) RECURSIVE;
      DCL (P,Q,ACTUAL) PTR;
      DCL I FIXED BIN(15);
      IF P=NULL THEN RETURN;   /* TRIVIAL CASE */
      LEVEL=LEVEL+1;   /* ARE PROCESSING ONE LEVEL DOWN IN TREE */
      SIZE=SIZE+1;     /* INCREMENT TREE SIZE COUNTER */
      PUT SKIP FILE(SYSPRINT) EDIT(LEVEL,REPEAT(' ',3*LEVEL),
         P->SUPER.TYPE,' LVL: ',P->SUPER.LVL,' POS: ',P->SUPER.POS)
         (F(3),3 A,F(2),A,F(2));
      ACTUAL=P->SUPER.NODE;
      SELECT(P->SUPER.TYPE);
         WHEN('R') DO;
            PUT SKIP(0) FILE(SYSPRINT) EDIT(REPEAT(' ',25+3*LEVEL),
               ' VAL:',ACTUAL->RNODE.VAL,' COUNT:',ACTUAL->RNODE.COUNT)
               (2 A,B(1),A,F(2));
            CALL NODEPRT(ACTUAL->RNODE.LPTR);   /* RECURSE ON CHILDS */
            CALL NODEPRT(ACTUAL->RNODE.RPTR);
         END;
         WHEN('F') DO;
            PUT SKIP(0) FILE(SYSPRINT) EDIT(REPEAT(' ',25+3*LEVEL),
               'TERM NUMBER: ',ACTUAL->FNODE.TERMNUM,
               ' VALUE: ',ACTUAL->FNODE.VAL)(2 A,F(3),A,B(1));
            DO I=1 TO 6;
               IF ACTUAL->FNODE.XPTR(I) ~= NULL THEN
                  CALL NODEPRT(ACTUAL->FNODE.XPTR(I));
            END;
         END;
         WHEN('X') DO;
            PUT SKIP(0) FILE(SYSPRINT) EDIT(REPEAT(' ',41+3*LEVEL),
               'VALUE: ',ACTUAL->XNODE.VAL,
               'COUNT: ',ACTUAL->XNODE.COUNT,
               '=>KEY(',KEYPERM(P->SUPER.LVL,P->SUPER.POS),')=',
               ACTUAL->XNODE.COUNT=1)
               (A,A,B(1),X(2),A,F(3),X(2),A,F(2),A,B(1));
            CALL NODEPRT(ACTUAL->XNODE.RPTR);
         END;
      END;
      LEVEL=LEVEL-1;   /* AFTER RECURSION, POP UP 1 LVL */
   END NODEPRT;
END TREEDUMP;

/* BACKTRACK: ATTEMPT EXPANSION OF OTHER DISJUNCTIVE ALTERNATIVES
   OF THE FATHER OF THE CURRENT NODE. CALLED WHEN A CONTRADICTION
   IN KEY HYPOTHESES ARISES.
   N.B. THE _EXPAND ROUTINES MUST THEMSELVES CALL BACKTRACK TO
   BACKTRACK HIGHER IN THE TREE IF THEY HAVE NO FURTHER ALTERNATIVE
   POSSIBILITIES */
BACKTRACK: PROC(CURR) RECURSIVE;
   DCL (CURR,DAD) PTR;
   DAD=CURR->SUPER.FATHER;
   IF DAD=NULL THEN DO;
      PUT SKIP(2) FILE(SYSPRINT) EDIT('+++ ERROR +++',
         'HAVE BACKTRACKED PAST ROOT NODE OF TREE, AT ROOT BIT:')
         (A,SKIP,A);
      CALL DUMP(CURR);
      STOP;
   END;
   CALL DELETE((CURR));   /* ? */
   /*ZOOM*/ PUT SKIP FILE(SYSPRINT) LIST('BACKTRACK TO REEXPAND: ');
   CALL EXPAND(DAD);
END BACKTRACK;

/* CREATE: GIVEN NODE TYPE CHARACTER CODE, CREATE SUCH A NODE
   (BOTH THE SUPER AND DATA COMPONENT) AND RETURN A POINTER TO IT
   INPUT: NODE_TYPE = 1 CHAR CODE.
   OUTPUT: P = PTR TO SUPER COMPONENT OF NEW NODE */
CREATE: PROC(NODE_TYPE) RETURNS(PTR);
   DCL NODE_TYPE CHAR(1);
   DCL (P,Q) PTR;
   ON AREA BEGIN;   /* IF NO SPACE LEFT FOR TREE */
      PUT SKIP(2) FILE(SYSPRINT) LIST('*** OVERFLOW IN TREE ***',
         ' TOTAL # OF NODES ALLOCATED: ',NUMNODES);
      CALL TREEDUMP(TOP);
      STOP;
   END;
   ALLOC SUPER IN(TREE) SET(P);
   NUMNODES=NUMNODES+1;       /* INCR GLOBAL MAX NODE CTR */
   P->SUPER.TYPE=NODE_TYPE;   /* SET NODE TYPE */
   /* ALLOCATE DATA NODE OF PROPER TYPE */
   SELECT(NODE_TYPE);
      WHEN('R') ALLOC RNODE IN(TREE) SET(Q);
      WHEN('F') ALLOC FNODE IN(TREE) SET(Q);
      WHEN('X') ALLOC XNODE IN(TREE) SET(Q);
   END;
   P->SUPER.NODE=Q;
   RETURN(P);
END CREATE;

/* TO CREATE A NODE OF TYPE R AND INITIALIZE THE FIELDS.
   INPUTS: POS = POSITION [1,32] IN BLOCK
           LVL = LEVEL [0,3] IN ENCRYPTION
           VAL = VALUE [0,1] OF RNODE
   OUTPUT: P = PTR TO SUPER OF THE NEW NODE */
CREATE_RNODE: PROC(POS,LVL,VAL) RETURNS(PTR);
   DCL (POS,LVL) FIXED BIN(15);
   DCL VAL BIT(1);
   DCL P PTR;
   P=CREATE('R');   /* CREATE THE NODE */
   /* FILL IN THE FIELDS */
   P->SUPER.POS=POS;
   P->SUPER.LVL=LVL;
   P->SUPER.NODE->RNODE.VAL=VAL;
   RETURN(P);
END CREATE_RNODE;

/* SETUP CAUSES DATA TO BE READ IN FROM 3 FILES AND BUILDS THE
   TOP LEVEL OF THE SEARCH TREE FROM RNODES BASED ON KNOWN CIPHER */
SETUP: PROC;
   DCL K FIXED BIN(15);
   DCL P PTR;
   CALL READIN;   /* READIN 3 FILES */
   /* SET UP THE TOP LEVEL OF THE SEARCH TREE, ADD NODES TO OPEN */
   ALLOC OPENNODE SET(OPEN);
   OPENPREV,OPENCURR=OPEN;
   DO K=1 TO 64;
      IF K <= 32 THEN P=CREATE_RNODE(K,NUM_ENCRY_RNDS,CTEXT(K));
      ELSE P=CREATE_RNODE(K-32,NUM_ENCRY_RNDS-1,CTEXT(K));
      /* TREEDUMP */ TOP(K)=P;   /* SET TOP LEVEL PTR */
      P->SUPER.FATHER=NULL;      /* TOP LEVEL NODES ARE FATHERLESS */
      OPENCURR->OPENNODE.NODE=P;
      OPENPREV->OPENNODE.LINK=OPENCURR;   /* CHAIN TO OPEN LIST */
      OPENPREV=OPENCURR;
      ALLOC OPENNODE SET(OPENCURR);
   END;
   FREE OPENCURR->OPENNODE;
   OPENPREV->OPENNODE.LINK=NULL;
   OPENEND=OPENPREV;

   /* READIN: TO READIN DATA FROM 3 FILES:
      1) S.P. APPROXIMATIONS FOR S-BOXES FROM SPFILE.
      2) SCHEDULE OF KEY INDICES BY LEVEL FROM KSFILE.
      3) P-C PAIR FROM PCFILE.
      ALL ARE PLACED IN GLOBAL VARIABLES */
   READIN: PROC;
      DCL (K,OUTPUTS,MAX) FIXED BIN(15);
      OPEN FILE(SPFILE),FILE(KSFILE),FILE(PCFILE),FILE(SPCFILE);
      MAX=0;
      /* READIN S.P. TERMS FOR S-BOX FNS UNCOMPLEMENTED */
      DO OUTPUTS=1 TO 32;
         DO K=1 TO 23;
            GET FILE(SPFILE) EDIT(SPTERMS(OUTPUTS,K,*))(6 A(1),SKIP);
            IF SPTERMS(OUTPUTS,K,1) ~= ' ' THEN MAX=K;
         END;
         IF MAX > MAXPTERMS THEN MAXPTERMS=MAX;
      END;
      /* READIN S.P. TERMS FOR S-BOX FNS UNCOMPLEMENTED */
      DO OUTPUTS=1 TO 32;
         DO K=1 TO 23;
            GET FILE(SPCFILE) EDIT(SPCTERMS(OUTPUTS,K,*))(6 A(1),SKIP);
            IF SPCTERMS(OUTPUTS,K,1) ~= ' ' THEN MAX=K;
         END;
         IF MAX > MAXPTERMS THEN MAXPTERMS=MAX;
      END;
      /* READIN KEY SCHEDULE */
      GET FILE(KSFILE) EDIT(KEYPERM)(48 F(3),SKIP);
      /* READIN (1ST) P-C PAIR */
      GET FILE(PCFILE) EDIT(PTEXT,CTEXT)(64 B(1),SKIP);
      PUT FILE(SYSPRINT) EDIT('DES KEY SEARCH',(14)'*')(2 (X(40),A,SKIP));
      PUT SKIP(2) FILE(SYSPRINT) EDIT('PLAINTEXT: ',PTEXT,
         'CIPHERTEXT: ',CTEXT)(2 (A,64 B(1),SKIP));
      PUT SKIP FILE(SYSPRINT) LIST('NUMBER OF ENCRYPTION ROUNDS:',
         NUM_ENCRY_RNDS);
      CLOSE FILE(KSFILE),FILE(SPFILE),FILE(PCFILE),FILE(SPCFILE);
   END READIN;
END SETUP;

/* ADD_TO_OPEN: TO ADD A NODE WHOSE SUPER IS POINTED TO BY P TO THE
   END OF THE OPEN Q FOR EVENTUAL EXPANSION.
   INPUT: P = POINTER TO THE NODE'S SUPER. */
ADD_TO_OPEN: PROC(P);
   DCL (NEW,P) PTR;
   ALLOC OPENNODE SET(NEW);
   NEW->OPENNODE.NODE=P;
   NEW->OPENNODE.LINK=NULL;
   OPENEND->OPENNODE.LINK=NEW;
   OPENEND=NEW;
   /* A FIELD IN THE NODE -> TO THE Q NODE WHICH -> IT */
   P->SUPER.OPENQ=NEW;
END ADD_TO_OPEN;

/* DELETE: TO DELETE THE SUBTREE WHOSE ROOT IS POINTED AT BY CURR
   1) SET THE FIELD IN THE FATHER OF CURR WHICH NOW POINTS TO CURR
      TO BE NULL.
   2) RECURSIVELY DELETE THE SUBTREE FROM CURR */
DELETE: PROC(CURR);
   DCL (CURR,P) PTR;
   DCL K FIXED BIN(15);
   /* BASED ON THE TYPE OF CURR NODE, DECIDE WHAT TYPE ITS FATHER
      COULD BE, AND NULL THE PROPER FIELD OF THE FATHER ACCORDINGLY */
   IF CURR=NULL THEN RETURN;
   /*ZOOM*/ PUT SKIP FILE(SYSPRINT) LIST('***DELETE FOR NODE:');
   /*ZOOM*/ CALL DUMP(CURR);
   SELECT(CURR->SUPER.TYPE);
      /* IF TYPE 'R', FATHER IS R OR X */
      WHEN('R')
         IF CURR->SUPER.FATHER->SUPER.TYPE='R' THEN
            CURR->SUPER.FATHER->SUPER.NODE->RNODE.LPTR=NULL;
         ELSE CURR->SUPER.FATHER->SUPER.NODE->XNODE.RPTR=NULL;
      /* IF TYPE 'F' FATHER IS TYPE 'R' */
      WHEN('F')
         CURR->SUPER.FATHER->SUPER.NODE->RNODE.RPTR=NULL;
      /* IF TYPE 'X' FATHER IS TYPE 'F' */
      WHEN('X')   /* ONLY RESET TO NULL THE ONE PARTICULAR XPTR */
         DO;
            P=CURR->SUPER.FATHER->SUPER.NODE;
            DO K=1 TO 6 WHILE(P->FNODE.XPTR(K) ~= CURR);
            END;
            P->FNODE.XPTR(K)=NULL;
         END;
   END;   /* SELECT */
   CALL DELETE_SUB(CURR);   /* RECURSIVELY DELETE SUBTREE */

   /* DELETE_SUB: GIVEN POINTER TO A NODE, DESTROY IT AND ITS SUBTREE
      OF DESCENDANTS. CALLED FROM DELETE AFTER THE FATHER'S SON
      POINTER HAS BEEN NULLED
      INPUT: CURR = POINTER TO SUBTREE TO DESTROY */
   DELETE_SUB: PROC(CURR) RECURSIVE;
      DCL (CURR,P,ACTUAL,PREV) PTR;
      DCL GO BIT(1);
      DCL K FIXED BIN(15);
      IF CURR=NULL THEN RETURN;   /* TRIVIAL CASE */
      /* IF THE NODE TO BE DELETED IS ON THE OPEN QUEUE, IT MUST BE
         REMOVED, TO AVOID TRYING TO EXPAND A NODE WHICH NO LONGER
         EXISTS. */
      /* IF IT WAS 1ST ON Q, WILL BE KILLED IN MAINLINE ANYHOW */
      /* IF NODE IS ON THE OPEN Q, I.E. IF WE ARE DELETING AN
         UNEXPANDED NODE */
      IF CURR->SUPER.OPENQ ~= NULL THEN DO;
         /*ZOOM*/ K=0;
         PREV=OPENCURR;
         DO P=OPENCURR REPEAT P->OPENNODE.LINK
               WHILE(P ~= CURR->SUPER.OPENQ);
            PREV=P;
            /*ZOOM*/ K=K+1;
         END;
         PREV->OPENNODE.LINK=P->OPENNODE.LINK;
         FREE P->OPENNODE;
         /*ZOOM*/ PUT SKIP FILE(SYSPRINT) LIST(
         /*ZOOM*/    'NODE REMOVED FROM OPEN, ',K,' ENTRIES EXAMINED');
      END;

      /* DELETE THE NODE AND ITS CHILDREN */
      ACTUAL=CURR->SUPER.NODE;   /* ACTUAL IS PTR TO DATA PART OF NODE */
      SELECT(CURR->SUPER.TYPE);
         WHEN('R') DO;
            CALL DELETE_SUB(ACTUAL->RNODE.RPTR);
            CALL DELETE_SUB(ACTUAL->RNODE.LPTR);
            FREE ACTUAL->RNODE IN(TREE);
         END;
         WHEN('F') DO;
            DO K=1 TO 6;
               CALL DELETE_SUB(ACTUAL->FNODE.XPTR(K));
            END;
            FREE ACTUAL->FNODE IN(TREE);
         END;
         WHEN('X') DO;
            /* REMOVE KEY BIT HYPOTHESIS */
            KEY(KEYPERM(CURR->SUPER.LVL,CURR->SUPER.POS))=' ';
            CALL DELETE_SUB(ACTUAL->XNODE.RPTR);
            FREE ACTUAL->XNODE IN(TREE);
         END;
      END;   /* SELECT */
      FREE CURR->SUPER IN(TREE);   /* FREE THE SUPER NODE */
   END DELETE_SUB;
END DELETE;

/* R_EXPAND: TO EXPAND AN RNODE WHOSE SUPER IS POINTED TO BY CURR
   IF THE LEVEL OF THE RNODE IS 0 OR -1, HAVE HIT BOTTOM OF SEARCH
   TREE, AND MUST CONFIRM KEY HYPOTHESIS VS. KNOWN PLAINTEXT,
   BACKTRACK ON CONTRADICTION.
   IF RNODE HAS ALREADY BEEN EXPANDED 2 TIMES, NO DISJUNCTIVE
   ALTERNATIVES REMAIN, AND WE MUST BACKTRACK. */
R_EXPAND: PROC(CURR) RECURSIVE;
   DCL (P,CURR,ACTUAL) PTR;
   DCL BITPOS FIXED BIN(15);
   IF CURR->SUPER.LVL <= 0 THEN DO;
      /* HAVE HIT BOTTOM OF TREE. CHECK KEY HYPOTHESIS */
      /* DECIDE WHAT PLAINTEXT BIT IS REPRESENTED.
         (NOTE R3,R1,R-1 FOR LEFT BLOCK OF CIPHERTEXT */
      BITPOS=CURR->SUPER.POS;
      IF CURR->SUPER.LVL=0 THEN BITPOS=BITPOS+32;
      /* CHECK WITH PTEXT, BACKTRACK ON =><= */
      IF CURR->SUPER.NODE->RNODE.VAL ~= PTEXT(BITPOS) THEN
         CALL BACKTRACK(CURR);
      RETURN;
   END;
   ACTUAL=CURR->SUPER.NODE;   /* SET ACTUAL TO PT TO THE NODE */
   /* IF NO EXPANSION ALTERNATIVES REMAIN, BACKTRACK */
   IF ACTUAL->RNODE.COUNT = 2 THEN CALL BACKTRACK(CURR);
   ELSE DO;   /* NODE HAS BEEN EXPANDED 0|1 TIMES */
      /* CREATE NEW LEFT SUBTREE */
      IF ACTUAL->RNODE.COUNT=0 THEN
         P=CREATE_RNODE(CURR->SUPER.POS,CURR->SUPER.LVL-2,'1'B);
      ELSE DO;   /* DELETE OLD RAMIFICATIONS */
         CALL DELETE((ACTUAL->RNODE.LPTR));
         CALL DELETE((ACTUAL->RNODE.RPTR));
         P=CREATE_RNODE(CURR->SUPER.POS,CURR->SUPER.LVL-2,'0'B);
      END;
      P->SUPER.FATHER=CURR;   /* CHAIN LPTR INTO TREE */
      ACTUAL->RNODE.LPTR=P;
      CALL ADD_TO_OPEN(P);
      /* ALLOC AN F NODE OF VAL AS RPTR FROM RNODE. VALUE OF THE
         FNODE DEPENDS ON THE RNODE COUNT FIELD */
      P=CREATE('F');
      IF ACTUAL->RNODE.VAL = ACTUAL->RNODE.COUNT THEN
         P->SUPER.NODE->FNODE.VAL='1'B;
      ELSE P->SUPER.NODE->FNODE.VAL='0'B;
      /* INIT FIELDS OF THE F NODE */
      P->SUPER.POS=P_PERM_INV(CURR->SUPER.POS);
      P->SUPER.LVL=CURR->SUPER.LVL;
      P->SUPER.FATHER=CURR;
      /* CHAIN THE RIGHT SUBTREE TO THE NEW RNODE */
      ACTUAL->RNODE.RPTR=P;
      CALL ADD_TO_OPEN(P);
      ACTUAL->RNODE.COUNT=ACTUAL->RNODE.COUNT+1;
   END;
END R_EXPAND;

/* F_EXPAND: TO EXPAND AN FNODE. THIS MAY BE TRIED AS MANY TIMES
   AS THERE ARE CONJUNCT TERMS IN THE SP APPROX FOR THE S-BOX
   FUNCTION CORRESPONDING TO THE POSITION OF THE FNODE */
F_EXPAND: PROC(CURR);
   DCL (ACTUAL,CURR,P) PTR;
   DCL (TERM,K,BITPOS) FIXED BIN(15);
   ACTUAL=CURR->SUPER.NODE;
   /* LOOK AT NEXT DISJUNCTIVE POSSIBILITY FOR THE NODE */
   TERM,ACTUAL->FNODE.TERMNUM=ACTUAL->FNODE.TERMNUM+1;
   /* ESTABLISH WHICH OF THE 32 S-BANK OUTPUTS IS BEING CONSIDERED */
   BITPOS=P_PERM_INV(CURR->SUPER.POS);
   /* IF THE VALUE OF THE FNODE IS 1, WE USE THE S.P. REPRESENTATIONS
      FOR THE UNCOMPLEMENTED S-BOXES */
   IF ACTUAL->FNODE.VAL='1'B THEN DO;
      /* CHECK FOR NO DISJUNCTIVE POSSIBILITIES LEFT */
      IF TERM > 23 | SPTERMS(BITPOS,TERM,1)=' ' THEN CALL BACKTRACK(CURR);
      ELSE DO K=1 TO 6;
         /* DO NOT CHANGE THE XNODE SUBTREE IF:
            1) SPTERM AT POSITION K IS A D.C. OR
            2) SPTERM AT POSITION K IS THE SAME AS IT WAS IN LAST TERM */
         IF SPTERMS(BITPOS,TERM,K)~='X' & (TERM=1 |
            SPTERMS(BITPOS,TERM,K)~=SPTERMS(BITPOS,MAX(1,TERM-1),K))
         THEN DO;
            IF ACTUAL->FNODE.XPTR(K)~=NULL THEN   /* KILL XNODE SUBTREE */
               CALL DELETE((ACTUAL->FNODE.XPTR(K)));
            P=CREATE('X');
            ACTUAL->FNODE.XPTR(K)=P;
            P->SUPER.FATHER=CURR;
            P->SUPER.POS=K+6*TRUNC((BITPOS-1)/4);
            P->SUPER.LVL=CURR->SUPER.LVL;
            IF SPTERMS(BITPOS,TERM,K)='1' THEN
               P->SUPER.NODE->XNODE.VAL='1'B;
            ELSE P->SUPER.NODE->XNODE.VAL='0'B;
            CALL ADD_TO_OPEN(P);
         END;
         ELSE IF SPTERMS(BITPOS,TERM,K)='X' &
                 ACTUAL->FNODE.XPTR(K)~=NULL THEN
            CALL DELETE((ACTUAL->FNODE.XPTR(K)));
      END;
   END;

   /* ELSE THE FNODE HAS VALUE 0, AND WE USE THE S.P. REPRESENTATIONS
      FOR THE COMPLEMENTED S-BOXES */
   ELSE DO;
      /* CHECK FOR NO DISJUNCTIVE POSSIBILITIES LEFT */
      IF TERM > 23 | SPCTERMS(BITPOS,TERM,1)=' ' THEN CALL BACKTRACK(CURR);
      ELSE DO K=1 TO 6;
         /* DO NOT CHANGE THE XNODE SUBTREE IF:
            1) SPCTERM AT POSITION K IS A D.C. OR
            2) SPCTERM AT POSITION K IS THE SAME AS IT WAS IN LAST TERM */
         IF SPCTERMS(BITPOS,TERM,K)~='X' & (TERM=1 |
            SPCTERMS(BITPOS,TERM,K)~=SPCTERMS(BITPOS,MAX(1,TERM-1),K))
         THEN DO;
            IF ACTUAL->FNODE.XPTR(K)~=NULL THEN   /* KILL XNODE SUBTREE */
               CALL DELETE((ACTUAL->FNODE.XPTR(K)));
            P=CREATE('X');
            ACTUAL->FNODE.XPTR(K)=P;
            P->SUPER.FATHER=CURR;
            P->SUPER.POS=K+6*TRUNC((BITPOS-1)/4);
            P->SUPER.LVL=CURR->SUPER.LVL;
            IF SPCTERMS(BITPOS,TERM,K)='1' THEN
               P->SUPER.NODE->XNODE.VAL='1'B;
            ELSE P->SUPER.NODE->XNODE.VAL='0'B;
            CALL ADD_TO_OPEN(P);
         END;
         ELSE IF SPCTERMS(BITPOS,TERM,K)='X' &
                 ACTUAL->FNODE.XPTR(K)~=NULL THEN
            CALL DELETE((ACTUAL->FNODE.XPTR(K)));
      END;
   END;
END F_EXPAND;

/* X_EXPAND: TO EXPAND AN X NODE. 2 CHOICES FROM XOR ANALOGOUS TO
   RNODE EXPANSION, WITH THE EXCEPTION THAT ONLY ONE SUBTREE GROWS
   FROM AN XNODE, THE OTHER IS IN THE FORM OF A KEY BIT HYPOTHESIS */
X_EXPAND: PROC(CURR) RECURSIVE;
   DCL (CURR,ACTUAL,P) PTR;
   DCL BITPOS FIXED BIN(15);
   DCL HYPSET CHAR(1);
   ACTUAL=CURR->SUPER.NODE;
   /* CHECK FOR NO MORE DISJUNCTIVE POSSIBILITIES */
   IF ACTUAL->XNODE.COUNT=2 THEN CALL BACKTRACK(CURR);
   ELSE DO;
      /* IF ONE EXISTS, DELETE OLD SUBTREE */
      IF ACTUAL->XNODE.COUNT=1 THEN CALL DELETE((ACTUAL->XNODE.RPTR));
      IF ACTUAL->XNODE.VAL = ACTUAL->XNODE.COUNT THEN
         P=CREATE_RNODE(E_PERM_INV(CURR->SUPER.POS),
            CURR->SUPER.LVL-1,'0'B);
      ELSE P=CREATE_RNODE(E_PERM_INV(CURR->SUPER.POS),
            CURR->SUPER.LVL-1,'1'B);
      P->SUPER.FATHER=CURR;   /* CHAIN NEW NODE INTO TREE */
      ACTUAL->XNODE.RPTR=P;
      /* MAKE THE KEY HYPOTHESIS */
      /* DETERMINE POSITION OF AFFECTED KEY BIT */
      BITPOS=KEYPERM(CURR->SUPER.LVL,CURR->SUPER.POS);
      /* DETERMINE WHAT KEY BIT SHOULD BE, BASED ON COUNT */
      IF ACTUAL->XNODE.COUNT=0 THEN HYPSET='0';
      ELSE HYPSET='1';
      ACTUAL->XNODE.COUNT=ACTUAL->XNODE.COUNT+1;
      /* BACKTRACK IF THIS REPRESENTS A KEY BIT CONTRADICTION */
      IF KEY(BITPOS)~=' ' & KEY(BITPOS)~=HYPSET THEN
         CALL X_EXPAND(CURR);   /* RETRY EXPANSION, COUNT */
      ELSE DO;
         KEY(BITPOS)=HYPSET;    /* SET KEY BIT */
         CALL ADD_TO_OPEN(P);   /* ADD NODE TO OPEN Q */
      END;
   END;
END X_EXPAND;
END SEARCH;
//GO.SPFILE DD DSN=GULLICH.DES.SPTERMS,DISP=SHR
//GO.SPCFILE DD DSN=GULLICH.DES.SPTERMSC,DISP=SHR
//GO.KSFILE DD
DSN=GULLICH.DES.KEYSCHED,DlSP=SHR //GO.PCFILE DD DSN=GULL ICH.DES.PCPAIRS,DISP=SHR 229 APPENDIX G APL ROUTINES FOR DES ENCRYPTION 230 CT-KEY DES&ENCRYPT PT;LVL;ROUNDS;L;R;KNEW;LNEW NOTE: NO IP OR IPINV PERMUTATIONS APPLIED. ARE ALL 64 BIT BINARY VECTORS V [ I ] fl [ 2 ] fl KEY, PT AND CT C 3 ] ft [ 4 ] ROUNDS+2 [ 5 ] LVL-1 [ 6 ] L-32iPT [ 7 ] R-~32*PT [ 8 ] LOOP:LNEW-R [ 9 ] RNEW+L*R F KEYlKEYSCHEDiLVL;]] [ 1 0 ] L-LNEW [ I I ] R+-RNEV [ 1 2 ] •+( (LVL+-LVL+1 )^ROUNDS) I LOOP [ 1 3 ] CT-R,L V [ 1 ] [ 2 ] [ 3 ] [ 4 ] [ 5 ] [ 6 ] V Z-R F K;X;CT Z«-i0 X+K*R[E] CT+1 SL00P:Z+Z,(Hp2)TSB0Xl[CTi6;l+2LXlCT+ 0 5 ] ; l + 2 l X i C T + x 4 ] ] -»•( (CT-*-CT+ 6 ) < 4 9 ) / SLOOP Z-ZlPl V V Z-*-GENLKEYSCHED ; KIDX; ROUND [ 1 ] fl TO GE/V 16x4 8 MTX OF INDICES FOR KEY BIT SELECTION [ 2 ] Z*- 0 48 pO [ 3 ] KIDX+XSH [ 4 ] KIDX+KIDXlPCll [ 5 ] ROUND+1 [ 6 ] LOOP: fl LEFT SHIFTS [ 7 ] x2B]*-NUMLS[ROUND]4>KIDXZ x 2 8 ] [ 8 ] KiTJ^L 28 + ! 2 8 1-NUMLSlROUND]$KIDXl 28+ i 28] [ 9 ] Z « - Z , [ l ] AT£*[PL ? 2 ] [ 0 ] (ROUND-*-ROUND+l )<16 ) / LOOP V 2 3 1 V GEN LPCPAIRS;K;KEYS;KEY;PT;CT;T [ 1] PCPAIRS-KEYS— 0 64 p ' » [ 2 ] K+l [ 33 L O O P : K F Y + ~ l + ? 6 4 p 2 [ 4 ] P r + " l + ? 6 4 p 2 [ 5 3 CT-KEY DES LENCRYPT PT [ 6 3 n [ 7 ] n SAVE INTO GLOBAL SCHEDULES [ 83 PC PAIRS—PCPAIRS,[13( ' '*T)/T-vPT [ 93 'PLAINTEXT1 [10 3 PPRINT PT [ 1 1 3 PCPAIRS-PCPAIRS,[13(' '*T)/T-vCT [ 1 2 3 ' IA/T0 CIPHERTEXT' [13 3 PPRINT CT [143 K F Y S + K F Y S , [ l 3 ( » '*T)/T-vKEY [ 153 ' B Y K F Y : » [16 3 PPRINT KEY [173 » ' [183 (K+K+l ) £ 5 )/L00P [193 »» [ 2 0 3 ' K F Y S : ' [ 2 1 3 • » [22 3 (5 3 p 3 0 T i 5 ) , ' '\KEYS V V PPRINT BIN; 7 [ 1 3 A TO PRETTY-PRINT A BINARY VECTOR IN BIN AND HEX [23 ( ( • '*T)/T-VBIN) .' ' , « 0 1 2 3 4 5 6 7 8 9 / ! 
B O / ; F F ' [ l - r l 6 T 2 x $ 1 6 4 pBI / / ]
END OF APPENDIX

APPENDIX H

PROLOG SYSTEM FOR THE SYMBOLIC SIMPLIFICATION OF BOOLEAN EXPRESSIONS

/* PROLOG axioms and implications */
/* to simplify arbitrary boolean expression with ANDs (&), ORs (\),
   and NOTs (~) into 2 level sum-of-products */
/* top level simplification driver. pattern match with an s
   simplification pattern, repeatedly */

/* operator declarations */
?-op(8,fx,~).     /* logical negation */
?-op(9,xfx,&).    /* conjunction */
?-op(10,xfx,\).   /* disjunction */

simplify(Exp) :- simp(Exp,SExp),
                 printstring("SExp: "), nl,
                 write(SExp), nl, display(SExp), nl, nl,
                 ((Exp=SExp, write(Exp)) ;
                  (!, simplify(SExp))).

simp(Exp,SExp) :- s(Exp,SExp).
simp(Larg\Rarg,Res) :- simp(Larg,SLarg), simp(Rarg,SRarg),
                 ((Larg\Rarg = SLarg\SRarg, !, bind(Res,Larg\Rarg)) ;
                  (!, simp(SLarg\SRarg,Res))).
simp(Larg&Rarg,Res) :- simp(Larg,SLarg), simp(Rarg,SRarg),
                 ((Larg&Rarg = SLarg&SRarg, !, bind(Res,Larg&Rarg)) ;
                  (!, simp(SLarg&SRarg,Res))).

/* bottom out on trivial cases */
/* literal atoms can be simplified no further */
s(X,X) :- atomic(X), !.
s(~X,~X) :- atomic(X), !.

/* neither can top-level & or \ composed only of literals */
/* order the literals by quicksort to detect and transform:
   a&a->a   a&~a->0   a\a->a   a\~a->1 */
s(X,Y) :- mklist(X,Op,List), alliteral(List), !,   /* X must be a one-level exprn */
          sortll(List,Slist,[]),
          scan(Op,Slist,Redlist),                  /* form reduced list, Redlist */
          mklistl(Y,Op,Redlist).                   /* back to expression form */

/* is a list all literals? */
alliteral([X|Y]) :- !, literal(X), !, alliteral(Y).
alliteral(X) :- literal(X).

literal(X) :- atomic(X), !.
literal(~X) :- atomic(X).

/* to sort a list of literals */
sortll([H|T],S,X) :- split(H,T,A,B), !, sortll(A,S,[H|Y]), sortll(B,Y,X).
sortll([],X,X).

split(H,[A|X],[A|Y],Z) :- order(A,H), split(H,X,Y,Z).
split(H,[A|X],Y,[A|Z]) :- order(H,A), split(H,X,Y,Z).
split(_,[],[],[]).

/* order predicate determines if 2 literals are in correct order */
/* as name fails for integers 0 and 1 */
order(X,1) order(X,0) order(0,X) order(1,X) order(~X,~Y) order(~X,Y) order(X,~Y) order(X,Y)
_ j j i fail. fail. , aless(X,Y) aless(X,Y). aless(X,Y). - aless(X,Y).

/* alphabetic less-than predicate for atoms */
aless(X,Y) :- name(X,L), name(Y,M), alessx(L,M).

alessx([],[_|_]).
alessx([],[]).
alessx([H|X],[H|Y]) :- !, alessx(X,Y).
alessx([X|_],[Y|_]) :- X=<Y.

/* scan: to look at sorted top level atoms 2-at-a-time, and
   perform appropriate reductions */
scan(&,(~A).A._,[0]) :- !.
scan(\,(~A).A._,[1]) :- !.
scan(&,A.0._,[0]) :- !.
scan(\,A.1._,[1]) :- !.
scan(Op,A.A.X,Y) :- !, scan(Op,A.X,Y).
scan(Op,A.X,A.Y) :- !, scan(Op,X,Y).
scan(_,A,A) :- atomic(A).

/* involution */
s(~(~X),Y) :- !, simp(X,Y).

/* demorgan */
s(~(X\Y),Z) :- !, simp(~X&(~Y),Z).
s(~(X&Y),Z) :- !, simp(~X\(~Y),Z).

/* driver routine to match combinations of top level \ or &
   2 terms at a time against patterns in s2 implications */
s(X,Y) :- mklist(X,Op,List),           /* break formula X into a list */
          comb2(List,T1,T2,Remlist),   /* select 2 terms from list */
          Poss =.. [Op,T1,T2],
          s2(Poss,Simp), !,
          append([Simp],Remlist,Simplist),
          mklistl(Y,Op,Simplist).

/* to break an expression with \ or & into a list */
mklist(~A,X,X) :- !, fail.
mklist(Exp,Op,List) :-
          /* make top lvl into a list */
          mklistl(Exp,Op,Toplist),
          mklistsub(Toplist,List,Op).

mklistsub([X],[X],Op) :- atomic(X), !.
mklistsub([X],[X],Op) :- !, mklistl(X,Op2,_), Op\=Op2.
mklistsub([X|Y],Res,Op) :- mklist(X,Op,L1), !,
          mklistsub(Y,L2,Op), !,
          append(L1,L2,Res).
/* terminator if X cannot be further done: */
mklistsub([X|Y],[X|L2],Op) :- !, mklistsub(Y,L2,Op).

/* top level list breaker */
mklistl(A&B,&,A.R) :- mklistl(B,&,R).
mklistl(A\B,\,A.R) :- mklistl(B,\,R).
mklistl(X,&,[X]).
mklistl(X,\,[X]).

/* force pattern match */
bind(X,X).
/* t o s e l e c t a l l t r a n s p o s i t i o n s o f c o m b i n a t i o n s of o b j e c t s f r o m a l i s t */ c o m b 2 C L i s t , E l , E 2 , R e s t ) :- m e m b e r C E 1 , L i s t , P o s 1 ) , m e m b e r C E 2 , L i s t , P o s 2 ) , P o s l \= P o s 2 , r e m e l t C E l , L i s t , T e m p ) , r e m e l t C E 2 , T e m p , R e s t ) . /* t o remove e l e m e n t f r o m a l i s t */ r e m e l t C X , [ ] , [ ] ) : - ! . r e m e l t C X , [ X I Y ] , R ) :- ! , r j m e 1 t C X , Y , R ) . r e m e l t C X , [ A l Y ] , [ A l R ] ) :- ! , reme I t C X , Y , R ) . /* l i s t m e m b ership p r e d i c a t e , i n c l u d i n g p o s i t i o n */ member CX, [ X l _ ] , 1 ) . memberCX, [ _ l Y ] , P I ) :- memberCX,Y,P) , PI i s P + l . 236 /* l i s t append f u n c t i o n */ append C [ 3 , L , L D• append C[X I L 1 ] , L 2 , [XI L3] D a p p e n d C L l , L 2 , L 3 ] /* 2-a t-a- t ime p a t t e r n match i m p l i c a t i o n s */ s2C X\Q , YD s2C X \ l , ID s2C X&l , YD s2C X&O , 0) ! , s i m p ( X , Y ) ! , s impCX.YD /* idempotent */ s2C X\X , YD s2C X&X , YD ! , s impCX .Y ) ! , s impCX.YD /* c o m p l e m e n t a r i t y */ s2C X&C~XD , 0D s2C X\[~XD , ID /* d i s t r i b u t i v i t y 1 * / s2C (A\BD&CA\C) , YD s2C (B\AD&CA\CD , YD s2C CA\BD&CC\AD , YD s2 ( CB\AD&CC\AD , YD simpC A\CB&CD , YD simpC AXCB&CD , YD simpC A\[B&CD , YD simpC AVCB&CD , YD /* a b s o r p t i o n */ s2C A&B\A&["B D , YD s2C B&A\A&C~BD , YD s2 [ A&B\C~BD&A , YD s2C B&A\C~BD&A , YD s imp C A,Y D simpCA,YD s imp C A,Y D s imp C A,Y D s2C A\A&B s2C AXB&A YD YD s imp C A,YD s imp C A,Y D s2C A& C A\B D , YD s2C A&CB\AD , YD s imp C A,Y D s imp(A ,YD s2C A&C~BD\B , Y) s2 [ C~BD&A\B , YD s impCAXB,YD. s impCAXB,YD. /* consensus [ o n l y 1- t h a t w i t h 2 terms on l h s */ 237 s 2 ( (X\YD&C~X\ZD , A) :- ! , simp(X&Z\(~XD&Y , AD. s2C CY\XD&C~X\ZD , AD :- ! , s imp(X&Z\(~XD&Y , AD. s2C (X\Y)&CZ\C~XDD , AD :- ! , s i m p ( X & Z \ ( ~ X ) & Y , A ) . s2C (Y\XD&CZ\C~XDD , AD :- ! 
, simp(X&Z\(~XD&Y , AD. /* d i s t r i b l i t i v i t y 2- l a s t as i t makes more t e r m s */ s2C X&CYNZD , AD :- ! , simp(X&Y\X&Z , A ] . /*zoom a&b&c \ a&b&x&c -> a&b&c k l u d g e */ s2(A\B,SD :-s u b s e t ( [ ] , Y D :- ! . s u b s e t C [ A l X ] , Y D :- mem(A,YD > s u b s e t ( X , Y D . mem(X,[XI_]D :- ! . memCX, [ _ l Y ] D :- mem(X, YD . /* u t i l i t i e s */ p r i n t s t r i n g ( [ ] D• p r i n t s t r i n g C [ H I T ] D putCHD > p r i n t s t r i n g ( T D • t e s t l :- s i m p l i f y C ~ ( ( ~ ( a \ b D D \ ( ~ ( c \ d D D \ C ~ ( e \ f D D D D -t e s t 2 :- s i m p l i f y ( ~ ( ~a&(~bD \ (~c&(~dDD DD. t e s t 3 :- s i m p l i f y C Ca&C~bD&c&[~dD&e \ C~a]4[~b)&C~eD&f \ C~aD&C~bD&c&(~dD D & (a&(~dD \ C~aD&C~bD&c&C~dD \ (~aD&b&C~cD&d&(~fD DD-/* e d i t o r u t i l i t y */ ed : - s h e l l C ' e d m i n " D , [ $ m i n ] . m k 1 i s t CA,&,A1 D m k l i s t C B , & , BID ( ( s u b s e t [ A l , B 1 D ( s u b s e t ( B 1 , A l D a l l i t e r a K A l D , a l l i t e r a K B I D , ! , simp(A,SDD; ! , s i m p ( B , S D D D • 238 TEST OF SYMBOLIC BOOLEAN SIMPLIFIER * * * * * * * * * * * * * * * * * * * * * * ** * * * * * * * * * * * $ prolog PROLOG Vers ion NU7. 1 ?- [min]. min consulted. yes ?- 1 i s t ing[test 1 ] . t e s t l :- s impl i fyC~C~ta\b)\~Cc\d)\~Ce\ n n . yes ?- t e s t l . SExp : a&c&e\b&c&e\a&d&e\b&d&e\a&c&f\b&c&f\a&d&f\b&d&f NCVCXC&Ca.&Cc.eDD.&Cb^&Cc.eDDJ.NC&Ca.aCd.eDD.&Cb.&Cd.eDDDD, \C\C&Ca,&Cc,fDD,&Cb,&Cc,fDDD,\C&Ca,aCd,f)D,&[b,aCd,fD)Dn SExp : aacae\bacae\aadae\badae\aacaf\bacaf\aadaf\badaf \C\C\CaCa,aCc,eDD>aCb,aCc,eDDD,\CaCa,aCd,e]],aCb >aCd,e)]]), \C\C&Ca,&Cc , f )D,&Cb,&Cc , f j )D,\C&Ca,&Cd , fn ,&Cb,&Cd , f )D)D) a&c&e\bacae\aadae\badae\a&c&f\bacaf\aadaf\badaf yes . ?- 1 i s t ing Ctest2 ] . test2 :- simp 1 ifyC~C~aa~b\~ca~d)D. yes ?- test2. 
SExp : aac\bac\a&d\bad \C\CaCa,cD,aCb,cDD,\caCa,d),a(b,dDD) SExp : aac\bac\aad\bad \C\CaCa,cD,aCb,cD),\CaCa,dD,a[b,dD)D aac\bac\aad\bad yes 239 APPENDIX I APL CODE FOR AND/OR TREE FORMATION AND TRAVERSAL 240 V Z*-X AND Y\XMAX\YMAX\XC\YC\NEW\ONEXWITHY [ 1] +{0*(pX)l2])/NOTNULLX [ 2] Z+Y [ 3 ] *0 [ 4 ] NOTNULLX-.XMAX-i pX)i 2] [ 5] YMAX+lpY)[2] [ 6] Z^(2,0,~l+pZ)pO [ 7] XC-1 [ 8 ] *L00P :0f fm^Tffy*(2 .O,~l*pJr )pO [ 9] YC+-1 [10] IL00Pi+(v/AfNEW+Xl i tXC;]vY[; ,YC-.])/NEXTY [11] ONEXWITHY+ONEXWITHY OR NEW [12] NBXTYi-+((YC4-YC+l)*YMAX)/YL00P [13] -*-( 0 = ( pONEXWITHY) [ 2] )/NEXTX [14] Z+-Z 0/7 ONEXWITHY [15] NEXTX-.+i (XC+XC+1)<XMAX) IXL00P V V Z+-X AND1 Y [] Z+TOL1XO(TOLBIT X) AND TO LBIT Y V 241 V TYPE BUILDSUB ATLLVL;AT;LVL;VAL;SP;NUMSP;TERMNUM;T;K;LOC TERM;POSN [ 1] AT-ATLLVLlll I 2 ] LVL-ATLLVL12] [ 3 ] fl CHOOSE TYPE OF NODE TO EXPAND C 4 ] -*-( ( 1+TYPE)='T' . 'P' . ' X' , 'R' ) / TOP , PTERM, XTERM, RTERM [ 5 ] ft [ 6 ] fl INITIALIZE GLOBAL TREE IN PARALLEL VECS [ 7 ] TOP; TREELTYPE— 10000 2 pO C 8 ] TPPFAPTP-'-lOOOOpO [ 9 ] TREEtNKIDS-lOOOOpO [ 1 0 ] FREE-2 [ 1 1 ] VAL-CTEXTlP0S+32xNR0UNDS=2]*PTEXTlP0S+32*NR0Ur!DS=2l [ 1 2 ] RPOS-POS [ 1 3 ] -*R EXPAND [ 1 4 ] ft [ 1 5 ] fl - - -[ 1 6 ] PTERM:TREE LTYPElAT;1—LAND [ 1 7 ] TREELPTRlATI-FREE [ 1 8 ] TREE LN KIDSlAT~S—+ /TERM* ' X' [ 1 9 ] POSN-FREE [ 2 0 ] FREE-FREE**/TERM*'X' [ 2 1 ] ft L00P POP /ILL LITERALS IN TERM [ 2 2 ] Jf-«-0 [ 2 3 ] LOCTERM-TERM [ 2 4 ] LITLOOP:+(LOCTERMlK+ll='X')INEXTLIT [ 2 5 ] ft S E T P i 4 / W S FO/? TO SP EXPANDED [ 2 6 ] RPOS-ElSBOXINP+Kl [ 2 7 ] AW UM-KEYSCHEDILVL;SB OX INP*K] [ 2 8 ] XlML^L0C• :^Ef iM[A'+l ]= , 1' [ 2 9 ] 'XTERM' BUILDSUB(POSN+K) tLVL [ 3 0 ] NEXTLIT(.K-K+l) <6 ) / LITLOOP [ 3 1 ] -+0 [ 32 ] ft [ 3 3 ] ft - -[ 3 4 ] XTERM; -»( LV L=l ) / BOTTOMOUT [ 3 5 ] T P F F A T T P F ^ Z ' ; >A07? 
[36] TREE LPT Rl AT"]—FREE
[37] TREELNKIDSi ATI—2
[38] ft LEFT SUBTREE OF XOR
[39] TREELTYPElFREE;~]—LAND
[40] TREELPTRlFREE]-FREE*2
[41] TREE LNKIDSlFREEl—2
[42] ft RIGHT SUBTREEE OF XOR
[43] TREE LTYPElFREE*! ; ~]—LAND
[44] TREELPTRlFREE+11-FREE+k
[45] TREELNKIDSIFREE+11-2
[46] FREE—FREE+6
[47] POSN-FREE
[48] fl EXPAND RTERMS
[49] RVAL-1
[50] * RTERM' BUILDSUB(POSN-k).LVL-1
[51] tfl//3Z>0
[52] 'RTERM' BUILDSUB(P0SN-2).LVL-1
[53] n SETtfP KEY HYP FROM LEFT SUBTREE
[54] TREEtTYPElP0SN-3 il-L\KEY
[55] rtf£F^Pr/?[P05//-3]-«-l + ( p A : £ T ) [ 2 ]
[56] KEY-KEY.121 2 64 pO
[57] KEYl ',(pKEY)l2l;KNUMl-~XVAL ,~XVAL
[58] n S£T£/F KEY HYP FROM RIGHT SUBTREE
[59] TREE&TYPEIP0SN-1;1-hKEY
[60] TREEbPTRlPOSN-11-1 +(pKEY)I 21
[61] KEY-KEY,[2] 2 64 pO
[62] # £ T [ ; ( p # E T ) [ 2 ] -.KNUMl-XVAL ,~XVAL
[63] -"-0
[64] BOTTOMOUT:TREE&TYPElAT;1-AKEY
[65] IF ^ i?APrtf [ - , 4 r>l + ( p A : £ T ) [ 2 ]
[66] KEY-KEY,[2] 2 64 pO
[67] KEYl ; ( p # £ T ) [ 2] ;KNUMl-T.~T-PTEXTlRPOS+ 32 ]
[68] -+0
[69] Ft
[70] n -
[71] n RPOS ESTAB IN PTERM OR TOP
[72] RTERM:VAL-RVAL*PTEXTlRPOSl
[73] REXPAND:-+(~VAL) /COMPL
[74] SP-SPTERMSl [PlRPOSl * 4 ; 1 + 4 | P [ i ? P 0 5 ] - l ; ; ]
[75] +JOIN
[76] C0#P£:SP^SPCrFtt¥5[[P[/?P0S]*4 ; 1 + 4 \PlRP0Sl-l; ;]
[77] JOIN:NUMSP-+/' • * S P [ ; l ]
[78] TflEEAryPEL ' i lT ; 3>A0J?
[79] TREELPTRlATI-FREE
[80] TREE LNKIDSlATl—NUMSP
[81] POSN-FREE
[82] FREE-FREE+NUMSP
[83] 5B0A-JWP+-l + 6x[ ( P[/?P0S] -1 ) * 4
[84] TERMNUM—0
[85] TERM LOOP:TERM-SPlTERMNUM+1;]
[86] 'PTERM' BUILDSUB(POSN+TERMNUM).LVL
[87] -+( (TERMNUM—TERMNUM+1 )<NUMSP)/TERMLOOP
[88] -*0
7

V KEY-DECRYPT PCPAIR;POS;TOP\MASK\NROUNDS;PTEXT;CTEXT
[1] PTEXT-PCPAIRllil
[2] CTEXT-PCPAIR12',]
[3] A LEFTMOST 32 512*5 tfiWE' ££EW ENCRYPTED IN 2 ROUNDS
[4] NROUNDS-2
[5] KEY*- 2 0 64 pO
[6] ft B171 LA TRAVERSE AND I OR TREE FOR EACH BIT OF CTEXT
[7] P05«-l
[8] LOOP:'TOP' BUILDSUB 1,NROUNDS
[9] MASK-TRAVERSE 1
[10] KEY-KEY AND MASK
[11] P05*-P05+l
[12] NR0UNDS-NR0UNDS-P0S=33
[13] P05«-P05-32xP05=3 3
[14] ->-(P05<64)/LOOP
7

V 7J>£WP
[1] PI DUMP ALL TREE PARALLEL VECTORS
[2] K-l
[3] LOOP:TREE K
[4] -+( (K-K+l)<pTEEELPTR)/LOOP
7

7
[] X-'OIX*[?((l+?3),4)p3]
7

7 Z-MIN1 INTERSECT MIN2
[1] fl 5£T INTERSECTION OF 2 VECTORS OF MINTERM NUMBERS
[2] Z-{v/MINlo.=MIN2)/MINl
7

V Z-X OR Y',XMAX;YMAX;XTAKE;YTAKEiXC',YCiXCUBE;YCUBEiCiCYiCX ;CXEQX;CYEQY
[1] * ( 0 * ( p X ) l 2 1 ) / N O T N U L L X
[2] Z-Y
[3] -*-0
[4] NOTNULLX:+{3=ppX)/OKX
[5] ( l t p X ) , l . ' l t p * ) pX
[6] OKX:+( 3 = pp7) /OA'7
[7] y«-( ( i + P y ) , i , ~ i + P y ) P y
[8] ' OKY:XMAX-(pX)l2]
[9] y ^ ^ ( p y ) [ 2 3
[10] XTAKE-XMAXpl
[11] y r ^ ^ ^ y w / u p i
[12] fl
[13] XC-1
[14] XLOOP:XCUBE-Xl \XC\ ]
[15] y c « - i
[16] YLOOP:-(~YTAKE[YCj)/NEXTY
[17] y c z / / i £ v y [ ; y c ? ; ]
[18] C-XCUBEvYCUBE
[19] fl CtfFC/X I F C 5,4tfF .45 EITHER ORIGINAL CUBE
[20] -*•( ~ A / h / C-XCUBE) ICHECKY
[21] X S M A ^ X O O
[22] +NEXTX
[23] CHECKY:-(~*/*/C=YCUBE)/CONSENS
[24] IZTIKEL y c ] « - o
[25] -+NEXTY
[26] n CHECK IF C IS A CONSENSUS TERM:
[27] CONSENS: -»•( 1*+/T-*/C) /NEXTY
[28] c ? [ l ; > C [ l ; ] - ! F
[29] C , [2 ; ]<-t?[2 ; ] - !r
[30] CX-CvXCUBE
[31] CY-CvYCUBE
[32] CXEQX-*/A/CX=XCUBE
[33] CYEQY-A/A/CY=YCUBE
[34] -+(~CXEQX*CYEQY)/Al
[35] X . I i ' l A ' F ^ O O
[36] y [ ; y c ; ] ^ c
[37] -+NEXTX
[38] / 3 1 : - * ( ~ ( ~ C X F ^ ) A C , y F f i y ) / > 1 2
[39] y [ ; y C ; ] * C
[40] . -*NEXTY
[41] / ? 2 : ^ ( ~ C ^ F C ^ A ~ C , y F C y ) / A , F A ' 2 ' y
[42] *[ >C"
[43] n XCUBE-Xi iXC; ]-C -+XL00P ?
[44] NEXTY: •+( ( y O - y C + 1 )syAf/3A-)/YLOOP
[45] NEXTX:-((XC-XC+1)<XMAX)/X LOOP
[46] Z < - U 2 M K F / [ 2 ] * ) , [ 2 ] y 2 M A : £ / [ 2 ] y
V

v z*-x ORI y
CD Z-TOA1XO(T06BIT X) ORVERB TO&BIT Y
V

V PP
CD o PPI i
7

INDENT PPI AT;K
[1] -*-(TREEhTYPEiAT', ] A.= 2 4 p l 0 1 0 0 1 1 0) / AND ,OR .KEY,NULL
[2] AND_: (INDENTp* ' ) .'AND*
[3] -*-</0.TW
[4] OR: UNDENTp' '),'0R'
[5] JOItf: fi DIST RECURSE
[6] i¥«-0
[7] LOOP:(INDENT+3) PPI TREE&PTEiATl+K
[8] •+( (K<-K+l)<TREE&NKIDSlATl)/LOOP
[9] +0
[10] KEY:(.INPENTp' ' ) , r , ' A'EY BIT ' , • ( ' X' *T«-, TO A 1 X 0 KEYL TREE t^PT RlATl ; ] ) i l
[11] +0
[12] NULL:(INDENTp' •).'
V

V TESTAND\XiY;R
[1] n-X-GETI,
[2] •»
[3] D-Y+-GEN
[4]
[5] /?«•-* AND1 Y
[6] "
[7] 'RESULT OF AND:'
[8] R
[9] fi TEST THAT RESULT IS INTERSECTION OF THE 2 COVERS
[10] (^/(ONFOR R)-(0NF0R X) INTERSECT 0NF0R Y ) / ' * * * SUCCESS ***'
V

V TESTOR;X',YiR
[1] B-X+GEN
[2]
[3] U-Y+GEN
[4]
[5] R«-X 0R1 Y
[6]
[7] 'RESULT OF OR: '
[8]
[9] n TEST THAT RESULT IS UNION OF THE 2 COVERS
[10] {*/(0NF0R R)-(0NF0R X) UNION 0NF0R Y)/'*** SUCCESS ***'
V

V Z-T0bBIT X
[ ] Z«-U=» l 1 ) ,[0.5] 0»
V

V Z-TOLMXO X
[1] *(3=pp^)/0X
[2] fl HAVE BEEN GIVEN JUST 1 CUBE
[3] *«-( ( l i p * ) , l , " l + p^)pX
[4] O A : : X [ 2 ; ; ] ^ [ 2 ; ; ] v Z [ i ; ; ]
[5] Z+'X01' [1 + + /X]
V

V RES-TRAVERSE ROOT;NUMKIDS;K
[1] ' fl TO TRAVERSE AND/OR TREE AND RETURN KEY CONSTRAINT
[2] TYPE-TREELTYPElROOT;]
[3] ->•( */TYPE=bAND ) I AND
[4] -»•( ^ /TYPE-LOR) 10R_
[5] -*•( ^ ITYPE-hKEY) I KEY
[6] 'ERRONEOUS TREE TYPE'
[7] 0*0
[8] AND'.NUMKIDS-TREELNKIDSlROOTl
[9] K«-0
[10] 2 0 64 pO
[11] AND LOOPiRES-RES AND TRAVERSE TREELPTRlROOTl+K
[12] -»•( (K-K+1)<NUMKIDS) IANDLOOP
[13] -»>0
[14] OR:NUMKIDS-TREELNKIDSlROOTl
[15] K-O
[16] i?£S<- 2 0 64 pO
[17] ORLOOP:RES-RES OR TRAVERSE TREELPTRlROOTl+K
[18] -*•( (K—K+l) <NUMKIDS) / ORLOOP
[19] -*0
[20] KEY;RES- 2 1 64 pKEYl;TREELPTR[ROOT];]
V

V Z-TREE L
[1] fl PRINTOUT ONE SLICE OF THE PARALLEL
[2] n VECTORS WHICH REP THE TREE
[3] Z«-( . (TREELTYPElL; ]A.= 2 4 P 1 0 1 0 0 1 1 0 ) T < 4 3-p'ANDOR KE Y<S) '),' ' , (wTREELPTRlL'] ) , ' ' ,lTREE LNKIDSl L]
V

V Z-MIN1 UNION MIN2
[1] n SET UNION OF 2 VECTORS OF MINTERM NUMBERS
[2] Z-ZlkZ-MINl,MIN2l
[3] Z«-( ( Z i Z ) = i p Z ) / Z
V

END OF APPENDIX

EXAMPLE OF TREE TRAVERSAL
*************************

VS APL
CLEAR WS
)LOAD SEARCH
SAVED 23:18:53 02/05/83
WSSIZE IS 1890896

/* DISPLAY THE TREE STRUCTURE */
PP
OR
AND
OR
AND
XXXXXXXXXXXXXXXXXXXXXXXXXXX1XXXXXXXXXXXXXXXXXXXXXXXXXXXX (28)
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX1X (55)
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX0XXXXXXXX (48)
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX0 (56)
XXXXXXXX1XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (9)
XXXXXXXXXXXXXXXXXXXXXX0XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (23)
AND
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX0XXXXXXXXXXXX (44)
XXXXXXXXXXXXXXXXXXXXXXXXXX1XXXXXXXXXXXXXXXXXXXXXXXXXXXXX (27)
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX0XXXXXXXXXXXXXXXXXXXX (36)
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (57)
XXXXXXXXXXXXXXX0XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (16)
XXXXXXXXXX1XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (11)
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX0XXXXXXXXXXX (45)
XXXX1XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (5)
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX0XXXXXXXX (48)
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX1XX (54)
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX0XX (54)
XXXXXXXXXXXXXXXXXXXXX1XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (22)
AND
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX1XXXXXXXX (48)
XXXXXXXXXXXXX1XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (14)
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (57)
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX0X (55)
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (57)
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX0XXXXXXXXXXXXX (43)
OR
~SAND
AND
XXXXXXXXXXXXXXXXXXXXXXX1XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (24)
XXXXXXXXXXXXXXXXXXXXXX1XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (23)
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (57)
XXXXXXXXXXXX1XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (13)
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX0XXXXXXXXX (47)
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX0X (55)
AND
XXXXXXXXXXXXXXXXXXXXXXX0XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (24)
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX1XXXXXXXXXXXXXX (42)
XXXXXXXXXXXXXXXXXXXXXXX0XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (24)
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX0XXXXXXXXXXXXXXXXXXXXX (35)
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (57)
0XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (1)
OR
AND
XXXXXXX0XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (8)
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX1XXXXXXXXXXXXXXXXX (39)
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (57)
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX1XXXXXXXXXXXXXXXXX (39)
XXXXXXXX0XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (9)
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX0XXXXXXXXXXXXXXXXXXXXX (35)
AND
XXXX0XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (5)
XXXXXXXXXXX1XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (12)
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX0XXXXXXXXXXXXXX (42)
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX0X (55)
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (57)
XXXXXXXXXXXX1XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (13)

/* TRAVERSE THE TREE */
TO_1XO TRAVERSE 1
XXXXXXXX1XXXXXXXXXXXX10XXXX1XXXXXXXXXXXXXXXXXXX0XXXXXX10
XXXXXXXX1XXXXXXXXXXXXX0XXXX1XXXXXXXXXXXXXX0XXXX0XXXXXX10
XXXXXXXXXX1XXXX0XXXXX1XXXX1XXXXXXXX0XXXXXXX0XXXXXXXXXXXX
XXXXXXXXXX1XXXX0XXXXXXXXXX1XXXXXXXX0XXXXXX00XXXXXXXXXXXX
XXXXXXX00XXX1XXXXXXXXX11XXXXXXXXXX0XXX1XXXXXXX0XXXXXXX0X
XXXX0XXXXXX11XXXXXXXXX11XXXXXXXXXXXXXXXXX0XXXX0XXXXXXX0X
0XXXXXX00XXXXXXXXXXXXXX0XXXXXXXXXX0XXX1XX1XXXXXXXXXXXXXX
)OFF
