And the "two-sided" KS statistic is:

   K = SQRT(N) * MAX( ABS( S(x[j]) - F(x[j]) ) ) = MAX( K+, K- )

It appears that the "one-sided" KS distribution is far easier to compute precisely, and may be preferred on that basis. See the Kolmogorov-Smirnov section of the Ciphers By Ritter / JavaScript computation pages.

Latency
A form of delay. Typically a hardware term, latency often refers to the time needed to perform an operation. In the past, operation delay was largely dominated by the time taken for the switching transistors in gates to turn on and off. Currently, operation delay is more often dominated by the time it takes to transport electrical signals to and from gates on long, thin conductors. The effect of latency on throughput can often be reduced by pipelining: partitioning the main operation into many small sub-operations and running each of those in parallel, at the same time. As each sub-operation finishes, its result is latched and saved temporarily, pending the availability of the hardware for the next sub-operation. The result is throughput limited only by the longest sub-operation instead of the overall operation.

Latin Square
A Latin square of order n is an n by n array containing symbols from some alphabet of size n, arranged such that each symbol appears exactly once in each row and exactly once in each column. Also see Latin square combiner and orthogonal Latin squares.

   2 0 1 3
   1 3 0 2
   0 2 3 1
   3 1 2 0

Also see: Latin Squares: A Literature Survey, in the Literature Surveys and Reviews section of the Ciphers By Ritter page.

Latin Square Combiner
A cryptographic combining mechanism in which one input selects a column and the other input selects a row in an existing Latin square; the value of the selected element is the combiner result. A Latin square combiner is inherently balanced, because for any particular value of one input, the other input can produce any possible output value.
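As an added example (not code from the glossary or from Ciphers By Ritter), here is the order-4 square above used as a combiner in Python, with a check of the Latin property and the row-inverse and column-inverse squares that let an extractor recover whichever input is unknown, as the combiner entry goes on to describe:

```python
# Added example, not code from the glossary: the order-4 Latin square shown
# above as a combiner, plus inverse squares that make extraction one lookup.

SQUARE = [
    [2, 0, 1, 3],
    [1, 3, 0, 2],
    [0, 2, 3, 1],
    [3, 1, 2, 0],
]

def is_latin_square(sq):
    """Each symbol 0..n-1 occurs exactly once per row and per column. This is
    also the balance property: fix either input, and the other input reaches
    every output value exactly once."""
    n = len(sq)
    symbols = set(range(n))
    rows_ok = all(set(row) == symbols for row in sq)
    cols_ok = all({sq[r][c] for r in range(n)} == symbols for c in range(n))
    return rows_ok and cols_ok

def combine(sq, row_in, col_in):
    """Combiner: one input selects the row, the other selects the column."""
    return sq[row_in][col_in]

def row_inverse(sq):
    """Invert each row as a substitution: sq[r][c] == v  ->  inv[r][v] == c."""
    n = len(sq)
    inv = [[0] * n for _ in range(n)]
    for r in range(n):
        for c in range(n):
            inv[r][sq[r][c]] = c
    return inv

def column_inverse(sq):
    """Same per column: sq[r][c] == v  ->  inv[c][v] == r."""
    n = len(sq)
    inv = [[0] * n for _ in range(n)]
    for r in range(n):
        for c in range(n):
            inv[c][sq[r][c]] = r
    return inv

def extract_col(row_inv, row_in, output):
    """Known row input and output -> the unknown column input."""
    return row_inv[row_in][output]

def extract_row(col_inv, col_in, output):
    """Known column input and output -> the unknown row input."""
    return col_inv[col_in][output]
```

With this square, combine(SQUARE, 0, 2) returns 1, and extract_col(row_inverse(SQUARE), 0, 1) returns the column input 2 again.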
A Latin square can be treated as an array of substitution tables, each of which is invertible, and so can be reversed for use in a suitable extractor. As usual with cryptographic combiners, if we know the output and a specific one of the inputs, we can extract the value of the other input.

For example, a tiny Latin square combiner might combine two 2-bit values, each having the range zero to three (0..3). That Latin square would contain four different symbols (here 0, 1, 2, and 3), and thus be a square of order 4:

   2 0 1 3
   1 3 0 2
   0 2 3 1
   3 1 2 0

With this square we can combine the values 0 and 2 by selecting the top row (row 0) and the third column (column 2) and returning the value 1.

When extracting, we will know a specific one (but only one) of the two input values, and the result value. Suppose we know that row 0 was selected during combining, and that the output was 1: we can check for the value 1 in each column at row 0 and find column 2, but this involves searching through all columns. We can avoid this overhead by creating the row-inverse of the original Latin square (the inverse of each row), in the well-known way we would create the inverse of any invertible substitution. For example, in row 0 of the original square, selection 0 is the value 2, so, in the row-inverse square, selection 2 should be the value 0, and so on:

   1 2 0 3
   2 0 3 1
   0 3 1 2
   3 1 2 0

Then, knowing we are in row 0, the value 1 is used to select the second column, returning the unknown original value of 2.

A practical Latin square combiner might combine two bytes, and thus be a square of order 256, with 65,536 byte entries. In such a square, each 256-element column and each 256-element row would contain each of the values from 0 through 255 exactly once.

Layer
In the context of block cipher design, a layer is a particular transformation or set of operations applied across the block. In general, a layer is applied once, and different layers have different transformations.
As opposed to rounds, where a single transformation is repeated in each round. Layers can be confusion layers (which simply change the block value), diffusion layers (which propagate changes across the block in at least one direction), or both. In some cases it is useful to do multiple operations as a single layer to avoid the need for internal temporary storage blocks.

LFSR
Linear Feedback Shift Register.

Linear
Like a line; having an equation of the form ax + b. There are various ways a relationship can be linear. One way is to consider a, x, and b as integers. Another is for them to be polynomial elements of GF(2^n). Yet another is to consider a to be an n by n matrix, with x and b as n-element vectors. There are probably various other ways as well. Linearity also depends upon our point of view: for example, integer addition is linear in the integers, but when expressed as mod 2 operations, the exact same computation producing the exact same results is not considered linear. In cryptography the issue may not be so much one of strict mathematical linearity as the "distance" between a function and some linear approximation (see Boolean function nonlinearity). True linear functions are used because they are easy and fast, but they are also exceedingly weak. Of course XOR is linear and trivial, yet is used all the time in arguably strong ciphers. But a design using linear components must have other, nonlinear components to provide strength.

Linear Complexity
The length of the shortest Linear Feedback Shift Register which can produce a given sequence. Also see: Linear Complexity: A Literature Survey, in the Literature Surveys and Reviews section of the Ciphers By Ritter page.

Linear Feedback Shift Register
An efficient structure for producing sequences, often used in random number generator applications. In an n-element shift register (SR), if the last element is connected to the first element, a set of n values can circulate around the SR in n steps.
But if the values in two of the elements are combined by exclusive-OR and that result connected to the first element, it is possible to get an almost-perfect maximal length sequence of 2^n - 1 steps. (The all-zeros state will produce another all-zeros state, and so the system will "lock up" in a degenerate cycle.) Because there are only 2^n different states of n binary values, every state value but one must occur exactly once, which is a statistically satisfying result. Moreover, the values so produced are a perfect permutation of the "counting" numbers (1..2^n - 1).

              A Linear Feedback Shift Register

         +----+   +----+    +----+   +----+   +----+
"a0" +-<-| a5 |<--| a4 |<-*-| a3 |<--| a2 |<--| a1 |<-+
     |   +----+   +----+  | +----+   +----+   +----+  |
     |                    |                            |
     v                    |                            |
    (+)<------------------+                            |
     |                                                 |
     +------------------------>----------------------------+

           1        0         1        0        0       1

In the figure we have a LFSR of degree 5, consisting of 5 storage elements a[5]..a[1] and the feedback computation a[0] = a[5] + a[3]. The stored values may be bits and the operation (+) addition mod 2. A clock edge will simultaneously shift all elements left, and load element a[1] with the feedback result as it was before the clock changed the register. Each SR element is just a time-delayed replica of the element before it, and here the element subscript conveniently corresponds to the delay. We can describe this logically:

   a[1][t+1] = a[5][t] + a[3][t];
   a[2][t+1] = a[1][t];
   a[3][t+1] = a[2][t];
   a[4][t+1] = a[3][t];
   a[5][t+1] = a[4][t];

Normally the time distinction is ignored, and we can write more generally, for some feedback polynomial C and state polynomial A of degree n:

             n
   a[0] =   SUM  c[i]*a[i]
            i=1

The feedback polynomial shown here is 101001, a degree-5 poly running from c[5]..c[0], which is also irreducible. Since 2^5 - 1 = 31 is a Mersenne prime, an irreducible C of degree 5 is also primitive. So C produces a maximal length sequence of exactly 31 steps, provided only that A is not initialized as zero. Whenever C is irreducible, the reversed polynomial (here 100101) is also irreducible, and will also produce a maximal length sequence.
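As an added example (not code from the glossary), the degree-5 register above in Python, driven by a feedback polynomial written as the bit string c[n]..c[0]. It checks that 101001 and its reversal 100101 both give a 31-step maximal length sequence, that a reducible polynomial such as 100001 does not, that the all-zero state locks up, and that since c[n] = 1 the register can be clocked backward as well as forward:

```python
# Added example, not code from the glossary: the degree-5 LFSR above, driven
# by its feedback polynomial given as the bit string c[n]..c[0] ("101001").

def taps_of(poly_bits):
    """'101001' -> (5, [5, 3]): n is the degree; taps are the i in 1..n with
    c[i] == 1, leftmost digit being c[n]. c[0] is the output term, not a tap."""
    n = len(poly_bits) - 1
    taps = [n - k for k, ch in enumerate(poly_bits) if ch == "1" and n - k >= 1]
    return n, taps

def step(state, taps):
    """One clock. state is [a1, ..., an]; a0 = SUM c[i]*a[i] mod 2 over the
    taps, every element shifts one place, and a1 is loaded with a0."""
    a0 = 0
    for i in taps:
        a0 ^= state[i - 1]
    return [a0] + state[:-1]

def step_back(state, taps):
    """Inverse clock. Because c[n] == 1 the recurrence can be solved for the
    oldest element, so n known elements run the sequence backward as well."""
    n = len(state)
    older = state[1:]            # a[i] before the clock == a[i+1] after it
    an = state[0]                # a1 after the clock is a0 = a[n] + other taps
    for i in taps:
        if i < n:
            an ^= older[i - 1]
    return older + [an]

def period(poly_bits, seed=None):
    """Clocks until the starting state recurs. 2**n - 1 means every nonzero
    state is visited once (maximal length); the all-zero seed returns 1,
    the degenerate 'lock-up' cycle."""
    n, taps = taps_of(poly_bits)
    start = list(seed) if seed is not None else [1] + [0] * (n - 1)
    state, count = start, 0
    while True:
        state = step(state, taps)
        count += 1
        if state == start:
            return count

def output_bits(poly_bits, seed, clocks):
    """The bit leaving the register (a[n]) at each clock."""
    n, taps = taps_of(poly_bits)
    state, out = list(seed), []
    for _ in range(clocks):
        out.append(state[-1])
        state = step(state, taps)
    return out
```

Over one full period of 31 clocks the output contains 16 ones and 15 zeros, as every nonzero 5-bit state appears exactly once.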
LFSRs are often used to generate the confusion sequence for stream ciphers, but this is very dangerous: LFSRs are inherently linear and thus weak. Knowledge of the feedback polynomial and only n element values (from known plaintext) is sufficient to run the sequence backward or forward. And knowledge of only 2n elements is sufficient to develop an unknown feedback polynomial. This means that LFSRs should not be used as stream ciphers without in some way isolating the sequence from analysis. Also see jitterizer and additive RNG.

Linear Logic Function
A Boolean switching or logic function which can be realized using only XOR and AND types of functions, which correspond to addition mod 2 and multiplication mod 2, respectively.

Logic
A branch of philosophy concerned with distinguishing between correct and incorrect reasoning. Even an invalid argument can sometimes produce a correct conclusion, but a valid argument must always produce a correct conclusion. Also, devices which realize symbolic logic, such as Boolean logic, a logic of TRUE or FALSE values. Also see: subjective, objective, contextual, absolute, inductive reasoning, deductive reasoning, and fallacy.

Logic Function