authentication are needed. And since any cryptographic hash is vulnerable to birthday attacks, the small 64-bit block size implies that we should be able to find two different messages with the same hash value by constructing and hashing "only" about 2^32 different messages.

Another approach to message authentication is to use an authenticating block cipher; this is often a block cipher which has a large block, with some "extra data" inserted in an "authentication field" as part of the plaintext before enciphering each block. The "extra data" can be some transformation of the key, the plaintext, and/or a sequence number. This essentially creates a homophonic block cipher: if we know the key, many different ciphertexts will produce the same plaintext field, but only one of those will have the correct authentication field.

The usual approach to authentication in a public key cipher is to encipher with the private key. The resulting ciphertext can then be deciphered by the public key, which anyone can know. Since even the wrong key will produce a "deciphered" result, it is also necessary to identify the resulting plaintext as a valid message; in general this will also require redundancy in the form of a hash value in the plaintext. The process provides no secrecy, but only a person with access to the private key could have enciphered the message.

User Authentication

The classical approach to user authentication is a password; this is "something you know." One can also make use of "something you have" (such as a secure ID card), or "something you are" (biometrics). The classic problem with passwords is that they must be remembered by ordinary people, and so carry a limited amount of uniqueness. Easy-to-remember passwords are often common language phrases, and so often fall to a dictionary attack. More modern approaches involve using a Diffie-Hellman key exchange, plus the password, thus minimizing exposure to a dictionary attack.
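Returning to the birthday-attack remark at the top of this section: the following is an added example in Python, not part of the glossary, that measures how quickly a collision appears in a hash whose output has been deliberately truncated. The 2^(n/2) rule is the glossary's; the function names, the choice of SHA-256 as the underlying hash, the 20-bit truncation and the "msg-"/"run" message families are my own constructions for the experiment.

```python
import hashlib
import math

# Added example (not from the glossary): measure the birthday bound on a
# deliberately truncated hash. The glossary's point is that an n-bit hash
# yields a collision after roughly 2^(n/2) trials, so a 64-bit digest falls
# after about 2^32 messages. Running 2^32 hashes is slow, so this experiment
# truncates SHA-256 to HASH_BITS bits, where the same effect shows in
# milliseconds.

HASH_BITS = 20  # constructed parameter: expect a collision after ~2^10 hashes


def truncated_hash(message: bytes, bits: int = HASH_BITS) -> int:
    """Return the leading `bits` bits of SHA-256(message) as an integer."""
    digest = hashlib.sha256(message).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def find_collision(bits: int = HASH_BITS, label: bytes = b"msg-") -> tuple:
    """Hash distinct messages label+counter until two share a truncated digest.

    Returns (count, m1, m2): the number of messages hashed when the first
    collision appeared and the two colliding messages. Messages differ by
    construction (distinct counters), so a repeated digest is a real collision.
    """
    seen = {}
    count = 0
    while True:
        msg = label + str(count).encode()
        count += 1
        h = truncated_hash(msg, bits)
        if h in seen:
            return count, seen[h], msg
        seen[h] = msg


def expected_trials(bits: int) -> float:
    """Birthday estimate: about sqrt(pi/2 * 2^bits) messages for a 50% chance."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def average_trials(bits: int = HASH_BITS, runs: int = 20) -> float:
    """Average the collision count over independent message families."""
    total = 0
    for r in range(runs):
        total += find_collision(bits, label=b"run%d-" % r)[0]
    return total / runs


if __name__ == "__main__":
    avg = average_trials()
    print(f"{HASH_BITS}-bit hash: {avg:.0f} messages on average to the first collision")
    print(f"birthday estimate {expected_trials(HASH_BITS):.0f}, "
          f"versus 2^{HASH_BITS} = {2 ** HASH_BITS} for a preimage-style search")
    print(f"64-bit hash: birthday estimate {expected_trials(64):.3g} hashes")
```

The measured average lands near sqrt(pi/2 * 2^20), roughly 1300 messages rather than the 2^20 a preimage search would need; the same formula at 64 bits gives a few times 10^9 hashes, which is why a 64-bit authentication value is too small.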
This does require a program on the user end, however.

Key Authentication

In secret key ciphers, key authentication is inherent in secure key distribution. In public key ciphers, public keys are exposed and often delivered insecurely. But someone who uses the wrong key may unknowingly have "secure" communications with an Opponent, as in a man-in-the-middle attack. It is thus absolutely crucial that public keys be authenticated or certified as a separate process. Normally this implies the need for a Certification Authority or CA.

Authenticating Block Cipher

A block cipher mechanism which inherently contains an authentication value or field.

Autokey

A cipher whose key is produced by message data. One common form is "ciphertext feedback," where ciphertext is "fed back" into the state of the random number generator used to produce the confusion sequence for a stream cipher.

Avalanche

The observed property of a block cipher constructed in layers or "rounds" with respect to a tiny change in the input. The change of a single input bit generally produces multiple bit-changes after one round, many more bit-changes after another round, until, eventually, about half of the block will change. An analogy is drawn to an avalanche in snow, where a small initial effect can lead to a dramatic result. As originally described by Feistel:

"As the input moves through successive layers the pattern of 1's generated is amplified and results in an unpredictable avalanche. In the end the final output will have, on average, half 0's and half 1's . . . ." [p.22]

Feistel, H. 1973. Cryptography and Computer Privacy. Scientific American. 228(5): 15-23.

Also see mixing, diffusion, overall diffusion, strict avalanche criterion, complete, S-box, and the bit changes section of the Ciphers By Ritter / JavaScript computation pages.

Avalanche Effect

The result of avalanche.
As described by Webster and Tavares:

"For a given transformation to exhibit the avalanche effect, an average of one half of the output bits should change whenever a single input bit is complemented." [p.523]

Webster, A. and S. Tavares. 1985. On the Design of S-Boxes. Advances in Cryptology: CRYPTO '85. 523-534.

Also see the bit changes section of the Ciphers By Ritter / JavaScript computation pages.

Back Door

A cipher design fault, planned or accidental, which allows the apparent strength of the design to be easily avoided by those who know the trick. When the design background of a cipher is kept secret, a back door is often suspected. Similar to trap door.

Balance

A term used in S-box and Boolean function analysis. As described by Lloyd:

"A function is balanced if, when all input vectors are equally likely, then all output vectors are equally likely."

Lloyd, S. 1990. Properties of binary functions. Advances in Cryptology: EUROCRYPT '90. 124-139.

There is some desire to generalize this definition to describe multiple-input functions. (Is a function "balanced" if, for one value on the first input, all output values can be produced, but for another value on the first input, only some output values are possible?) Presumably a two-input balanced function would be balanced for either input fixed at any value, which would essentially be a Latin square or a Latin square combiner.

Balanced Block Mixer

A process or any implementation (for example, hardware, computer software, hybrids, or the like) for performing Balanced Block Mixing.

Balanced Block Mixing

The block mixing mechanism described in U.S. Patent 5,623,549 (see the BBM articles on the Ciphers By Ritter page). A Balanced Block Mixer is an m-input-port m-output-port mechanism with various properties:

1.
The overall mapping is one-to-one and invertible: every possible input value (over all ports) to the mixer produces a different output value (including all ports), and every possible output value is produced by a different input value;
2. Each output port is a function of every input port;
3. Any change to any one of the input ports will produce a change to every output port;
4. Stepping any one input port through all possible values (while keeping the other input ports fixed) will step every output port through all possible values.

If we have a two port mixer, with input ports labeled A and B, output ports labeled X and Y, and some irreducible mod 2 polynomial p of degree appropriate to the port size, a Balanced Block Mixer is formed by the equations:

X = 3A + 2B (mod 2)(mod p),
Y = 2A + 3B (mod 2)(mod p).

This particular BBM is a self-inverse or involution, and so can be used without change whether enciphering or deciphering. One possible value for p for mixing 8-bit values is 100011011.

Balanced Block Mixing functions probably should be thought of as orthogonal Latin squares. For example, here is a tiny nonlinear "2-bit" BBM:

   3 1 2 0     0 3 2 1     30 13 22 01
   0 2 1 3     2 1 0 3  =  02 21 10 33
   1 3 0 2     1 2 3 0     11 32 03 20
   2 0 3 1     3 0 1 2     23 00 31 12

Suppose we wish to mix (1,3); 1 selects the second row up in both squares, and 3 selects the rightmost column, thus selecting (2,0) as the output. Since there is only one occurrence of (2,0) among all entry pairs, this discrete mixing function is reversible, as well as being balanced on both inputs.

Cryptographic advantages of balanced block mixing include the fact that each output is always balanced with respect to either input, and that no information is lost in the mixing. This allows us to use balanced block mixing as the "butterfly" operations in a fast Walsh-Hadamard transform or the well-known FFT.
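Both the algebraic two-port mixer (X = 3A + 2B, Y = 2A + 3B over GF(2^8) with the glossary's p = 100011011) and the 2-bit orthogonal-Latin-square table can be checked mechanically against the four BBM properties listed above. The following is an added example in Python, not the glossary's or Ritter's own code: the GF(2^8) multiplication, the names bbm_mix, table_mix, check_bbm and is_involution, and the property checker itself are my constructions; the polynomial and the two 4x4 squares are copied from the entry.

```python
# Added example (not the glossary's code): the two-port Balanced Block Mixer
# X = 3A + 2B, Y = 2A + 3B over GF(2^8) with p = 100011011 (0x11B), plus a
# checker for the listed BBM properties that is also run on the glossary's
# 2-bit orthogonal-Latin-square table.

POLY = 0b100011011  # the glossary's example p for 8-bit ports


def gf_mul(a: int, b: int, poly: int = POLY, bits: int = 8) -> int:
    """Multiply two field elements modulo the irreducible polynomial `poly`.

    Standard shift-and-add: '+' is XOR (mod 2), and every time the partial
    product overflows the port width it is reduced by XORing in `poly`.
    """
    result = 0
    high = 1 << bits
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a & high:
            a ^= poly
        b >>= 1
    return result


def bbm_mix(a: int, b: int) -> tuple:
    """The glossary's equations: X = 3A + 2B, Y = 2A + 3B (mod 2)(mod p)."""
    x = gf_mul(3, a) ^ gf_mul(2, b)
    y = gf_mul(2, a) ^ gf_mul(3, b)
    return x, y


# The glossary's tiny nonlinear "2-bit" BBM, as two orthogonal Latin squares.
# Rows are listed top-to-bottom exactly as printed; the entry indexes rows
# from the bottom ("1 selects the second row up"), so table_mix flips the
# row index to match that convention.
SQUARE_X = [[3, 1, 2, 0], [0, 2, 1, 3], [1, 3, 0, 2], [2, 0, 3, 1]]
SQUARE_Y = [[0, 3, 2, 1], [2, 1, 0, 3], [1, 2, 3, 0], [3, 0, 1, 2]]


def table_mix(a: int, b: int) -> tuple:
    """Look up (a, b) -> (x, y): a selects the row counting up from the bottom."""
    row = 3 - a
    return SQUARE_X[row][b], SQUARE_Y[row][b]


def check_bbm(mix, n: int) -> dict:
    """Test a two-port mixer with n values per port against the BBM properties.

    Property 1 is checked as a bijection on (A, B) -> (X, Y). Property 4 is
    checked by holding one port fixed and stepping the other through every
    value; for a two-port mixer this also establishes properties 2 and 3,
    since each output is then a permutation of whichever input is varied.
    """
    values = range(n)
    outputs = {(a, b): mix(a, b) for a in values for b in values}
    one_to_one = len(set(outputs.values())) == n * n
    balanced = True
    for fixed in values:
        xs_a = {outputs[(a, fixed)][0] for a in values}
        ys_a = {outputs[(a, fixed)][1] for a in values}
        xs_b = {outputs[(fixed, b)][0] for b in values}
        ys_b = {outputs[(fixed, b)][1] for b in values}
        if not all(len(s) == n for s in (xs_a, ys_a, xs_b, ys_b)):
            balanced = False
    return {"one_to_one": one_to_one, "balanced": balanced}


def is_involution(n: int = 256) -> bool:
    """Applying the algebraic BBM twice must return (A, B) unchanged."""
    return all(bbm_mix(*bbm_mix(a, b)) == (a, b)
               for a in range(n) for b in range(n))


if __name__ == "__main__":
    print("GF(2^8) BBM:", check_bbm(bbm_mix, 256), "involution:", is_involution())
    print("2-bit table BBM:", check_bbm(table_mix, 4), "mix(1,3) =", table_mix(1, 3))
```

The involution follows from the field arithmetic: 3*3 + 2*2 = 5 XOR 4 = 1 and 3*2 + 2*3 = 6 XOR 6 = 0 in GF(2^8), so mixing twice multiplies (A, B) by the identity. The same checker reports the table mixer as one-to-one and balanced, which is what "orthogonal Latin squares" means in the entry.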
By using the mixing patterns of these transforms, we can mix 2^n elements such that each input is guaranteed to affect each and every output in a balanced way. And if we use keying to generate the tables, we can have a way to mix huge blocks in small nonlinear mixing tables with overall mixing guarantees.

Also see Mixing Cipher, Dynamic Substitution Combiner, Variable Size Block Cipher, and the Active Balanced Block Mixing in JavaScript page of the Ciphers By Ritter / JavaScript computation pages.

Balanced Combiner

In the context of cryptography, a combiner mixes two input values into a result value. A balanced combiner must provide a balanced relationship between each input and the result. In a statically-balanced combiner, any particular result value can be produced by any value on one input, simply by selecting some appropriate value for the other input. In this way, knowledge of only the output value provides no information, not even statistical information, about either input.

The common examples of cryptographic combiner, including byte exclusive-OR (mod 2 polynomial addition), byte addition (integer addition mod 256), or other "additive" combining, are perfectly balanced. Unfortunately, these simple combiners are also very weak, being inherently linear and without internal state. A Latin square combiner is an example of a statically-balanced reversible nonlinear combiner with massive internal state. A Dynamic Substitution Combiner is an example of a dynamically or statistically-balanced reversible nonlinear combiner with substantial internal state.

Base-64

A public code for converting between 6-bit values 0..63 (or 00..3f hex) and text symbols accepted by most computers:

     0 1 2 3 4 5 6 7 8 9 a b c d e f
  0  A B C D E F G H I J K L M N O P
  1  Q R S T U V W X Y Z a b c d e f
  2  g h i j k l m n o p q r s t u v
  3  w x y z 0 1 2 3 4 5 6 7 8 9 + /

     use "=" for padding

Bel
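An encoder and decoder driven directly by the Base-64 table above, as an added example that is not part of the glossary: the function names b64_encode, b64_decode and matches_stdlib are mine, the alphabet string is the table read row by row, and the decoder's rejection of out-of-table symbols and misplaced padding is my own choice of what a careful decoder should do. The cross-check against Python's base64 module only confirms that the table is the standard alphabet.

```python
import base64  # standard library, used only to cross-check the table-driven code

# The glossary's table read row by row: value 0 -> 'A', ..., 62 -> '+', 63 -> '/'.
ALPHABET = ("ABCDEFGHIJKLMNOP" "QRSTUVWXYZabcdef"
            "ghijklmnopqrstuv" "wxyz0123456789+/")
PAD = "="


def b64_encode(data: bytes) -> str:
    """Pack each 3 input bytes into 4 six-bit values and map them through the table."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        n = len(chunk)
        # Left-justify a short final chunk in 24 bits so the 6-bit groups line up.
        bits = int.from_bytes(chunk.ljust(3, b"\0"), "big")
        groups = [(bits >> shift) & 0x3F for shift in (18, 12, 6, 0)]
        # A 1-byte tail carries 2 symbols, a 2-byte tail 3; the rest is "=" padding.
        keep = n + 1
        out.append("".join(ALPHABET[g] for g in groups[:keep]) + PAD * (4 - keep))
    return "".join(out)


def b64_decode(text: str) -> bytes:
    """Inverse of b64_encode; rejects symbols outside the table and bad padding."""
    if len(text) % 4:
        raise ValueError("base-64 text length must be a multiple of 4")
    out = bytearray()
    for i in range(0, len(text), 4):
        quad = text[i:i + 4]
        pad = len(quad) - len(quad.rstrip(PAD))
        # Padding may only be 1 or 2 symbols, only in the final group, and
        # never followed by data symbols.
        if pad > 2 or (pad and i + 4 != len(text)) or PAD in quad[:4 - pad]:
            raise ValueError("bad padding")
        bits = 0
        for ch in quad[:4 - pad]:
            idx = ALPHABET.find(ch)
            if idx < 0:
                raise ValueError(f"symbol {ch!r} not in base-64 table")
            bits = (bits << 6) | idx
        bits <<= 6 * pad  # restore the missing low-order groups
        out += bits.to_bytes(3, "big")[:3 - pad]
    return bytes(out)


def matches_stdlib(data: bytes) -> bool:
    """True if the table-driven encoder agrees with the standard library."""
    return b64_encode(data) == base64.b64encode(data).decode("ascii")


if __name__ == "__main__":
    for sample in (b"M", b"Ma", b"Man"):  # constructed inputs
        enc = b64_encode(sample)
        print(sample, "->", enc, "->", b64_decode(enc))
    print("agrees with stdlib on all byte values:", matches_stdlib(bytes(range(256))))
```

Each 24-bit group is indexed by its three 6-bit "hex" row/column positions in the table, which is why a 1-byte tail always ends in "==" and a 2-byte tail in "=".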