Looking at lattice codes in the Mackay book:
…
from
We obviously see the convergence to 1.6180 laid out in the table, above.
Speaking of gear wheels in ratio, what ratio maps to 1.618?
So for X, Y, Z below, compute X as Y/(1-Y), and Z as X-Y
So, p=0.6180340 most closely matches the decimal in the ratio of p/(1-p)
Of course, lets not forget:
from
For codes which valid codewords are defined in terms of certain run lengths, we have seen how an accumulator can transform a codeword such that it forms a valid codeword in a second alphabet. And, that differencing can reverse that process.
Can we see such structure and function in the DES algorithm?
from MacKay book from Davies and Price
For fun, let’s look at DES as two interlocked “wheels”, one which has teeth and the other which as 48. They turn in opposite directions. (Remember it’s a fun analogy, don’t model it directly!) it’s a bit like this:
What they do in “concert” is defined R-32. Though in lockstep, each analogous function is offset by 1 time period, as represented by an interlaced sequence generator (such as the previous memo). Rather than the system express a bias in the state transfer function base don the properties of base 2, we are concerned with the “DES bias” – the information lost between 48 and 32 bits.
View R as an instruction whose value is being computed as a result of this multi-dimensional interlacing. It’s job is to reprogram the 48bit differentiator, by permuting the boolean operations (in each sbox). This has the effect of setting up a new difficult-to-solve set of satifiability equations. Each round create an ever evolving set of boolean satisifiability equation of 8*16 = 128 terms.
That is, NSA showed IBM how to achieve what they sought for originally when using a 128bit key.
Total bullshit remember…
Concerning the global properties of graphs and the relationship between such graphs and “message passing algorithms”, I start to think of DES. Can any of this theory be applied to the paths taken by bits flowing through the DES substitution-permutation network(s).
In DES, I assume that the core SPN is a first “network”; and that a permutation of the output state (of round 1) after expansion acts to modify the round 1 network, making a second network that is duly used in round two. The algorithm generates a non-linear permutation over 16 bits that is – for which each set of 2 bits permute 4 other bits to that will in input to an sbox.
from
For fun, lets look at DES as a message passing network/algorithm, in which the sboxes are “processors”.
As we tunny wheel patterns, we need to look at ratios of dots and crosses, run lengths, and similar quantities in delta’ed and double-delta’ed bit spaces. So, its useful to cast these generally using 3 example metrics:
from
Lets look at what happens when we introduce asymmetr,t or bias in available path at different nodes:
from
From this diagram, we get a “trellis”,
formed from a repeating trellis primitive and its matrix transform (value == 1 when i.j –colum.row – has an arc). The primitive is as follows, in diagram and matrix form:
from
Something about the trellis reminds of the fiestel ladder (in a relatively novel guise):
see http://www.cs.technion.ac.il/users/wwwb/cgi-bin/tr-get.cgi/1997/CS/CS0890.pdf
Now, its useful to contrast the effect upon path-counts from a sequence of the “trellis primitives against a sequence of 4 DES rounds (or 4 applications DES itself, in the ladder-DES scheme):
from
(Fun to re-read http://www.schneier.com/paper-unbalanced-feistel.pdf, for nets of different weightings)
One sees from this simple state constraint how oen can interlace two sequences (of integers).
The following quote intrigued me – would the order of char codes listed in the Tunny report fit the description – where n = 5?
We can see the bijection (in the first 16 chars – if you imagine / (i.e. value zero) preceding the lot). But, I was hoping that the order would be natural –which it isn’t.
The i, ii, iii etc colored red are the number of crosses’s, after xor’ing the row with the bit patter for the ‘9’ character. The denary numbers in red is the resulting bit value treated as a binary number, with least significant digit rightmost. On the right, the denary numbers in green are the binary number itself (without being xor’d by 00100).
One sees the OCR error for ‘I’.
I had not expected to see the the “bigrams”, in such as 51, 32, (green)…as reflected in red.
The distance is a constant 4…which seems a bit of a coincidence, since we got here from looking at the field of Integer.4. As they would no doubt say at the time, any time there is a change in “sign” of I3 (b2 in modern conventions), add/subtract its contribution. As it changes most quickly, one sees the grouping effect. Since its moved from b0 position to the b2 position, this accounts for the factor of 4.
Interesting to see in the General Report on Tunny on the topic of wheel breaking a sample of Colossus output in which the letters pair up, as above (e.g.(/9) (HT)(OM)..).
I’ve never been particularly interested in enigma codebreaking, except in order to understand its role in setting the thinking for colossus.
We have to remember there were math models that proceeded Tunny, particularly when analyzing the impact of enigma’s steckering on cycles:
It seems useful to consider fixed points more generally, trying to capture the genesis of the weights of evidence process:-
…
Less about counting and more about modeling structures, it fun to read
from
see http://www.combinatorics.org/Volume_9/PDF/v9i1n2.pdf
According to certain tests, DES is not a group:
The Data Encryption Standard (DES) defines an indexed set of permutations acting on the message space M = {0, l}64. If this set of permutations were closed under functional composition, then DES would be vulnerable to a known-plaintext attack that runs in 228 steps, on the average. It is unknown in the open literature whether or not DES has this weakness.We describe two statistical tests for determining if an indexed set of permutations acting on a finite message space forms a group under functional composition. The first test is a “meet-in-the-middle” algorithm which uses O[¿K) time and space, where K is the size of the key space. The second test, a novel cycling algorithm, uses the same amount of time but only a small constant amount of space. Each test yields a known-plaintext attack against any finite, deterministic cryptosystem that generates a small group.The cycling test takes a pseudo-random walk in the message space until a cycle is detected. For each step of the pseudo-random walk, the previous ciphertext is encrypted under a key chosen by a pseudo-random function of the previous ciphertext. Results of the test are asymmetrical: long cycles are overwhelming evidence that the set of permutations is not a group; short cycles are strong evidence that the set of permutations has a structure different from that expected from a set of randomly chosen permutations.Using a combination of software and special-purpose hardware, we applied the cycling test to DES. Our experiments show, with a high degree of confidence, that DES is not a group.
B S Kaliski, Jr., R L Rivest, A T Sherman. See http://portal.acm.org/citation.cfm?id=20120
———
Incidentally, we get a nice reference to Davies and Price, with auto-referencing…
Rather than simply ask: at what point the iterated round function assures that any 1 bit difference in input alters 50% of the output bits, perhaps we should ask the following.
If the inputs and outputs are values from differenced alphabets, at what point is it true that one bit of difference in that input set changes 50% of the bits in the delta-output value?
(To make a differenced alphabet, take the input (output) vector of the DES “shift register” and xor each bit coordinate, much as was done in Tunny era.)
Its 1930, and you are building mathematical models of rotors (circles) and their points (enigma contacts, tunny/sturgeon wheel patterns). You want to be able to model the rotation of a rotor, particularly one that is “stepping” irregularly as in Tunny runs with the X2 limitation in effect.
Lets recall what Bauer is teaching (yet again), requiring one to distinguish between monoalphabetic and monographic. In short, it is a single collection of 4 bits, or 2 collections of 2-bits? He is characterizing how folks thought, in the 1930 design schools.
“Decrypted Secrets”, F. Bauer
As a tool, what does analysis of Z4 give us, when modeling stepping actions of rotor machines (e.g. X2 limitations on stepping)?
so, speaking of non-linearity and aligned notions such as lineary independence etc (since we started out focusing on matroids BECAUSE they are general models for linear independence), we seem to be able to go a bit beyond the General Report on Tunny by studying
In particular, we note “continuance” of the very themes and techniques discussed in the General Report on Tunny:-
I think we have lots to learn from Tunny, yet. even more from Sturgeon T.52e, and then the Russian modifications post war.
looking at the original markup and formatting
http://www.alanturing.net/turing_archive/archive/t/t05/TR05-004.html
This helps understand better the process of initial break in when the X2 limitation is in effect:
I got to take Peter Cameron’s math course for first year Computer Science undergrads, by proxy. (I had to tutor folks who were present en vivo.) Lets see what he teaches on the topic of certain applied polynomial forms:
Since it talks about matroids, we might as well know what one is!
A beautifully written survey can be read at https://www.math.lsu.edu/~oxley/dominic3.pdf.
So lets get back to clunking around in the dark, despite being mathematically blind from birth. fortunately, we get to stumble on the second paragraph:
Seems a shame to stick my own drivel in all this, but we seem nicely set up to look a a sequence of DES rounds one in which the sequencing is like a faltung. Furthermore, as we saw with fast HWT (specifically the fast variant), we may need to reindex rows of matrices. If, in order to ensure the avalanche effect (a measure of independence or dis-order, ultimately) applies to the distribution of both an alphabet and its delta, we conjecture that the faltung nature of a series of round functions can re-index the binary operations of an sbox, we can see from this very formulation how it MIGHT be that there are 16 (and not 15..) rounds of DES necessary for resistance to differential attach simply because there are 16 binary operators orderings to be generated by the “weight enumerator”.
Anyway, Cameron nicely states the basic theory of error-correcting code, and I even followed 99% of it up to and including
As boxers X and Y would say, A is the set of weight classes. X is the great dot hope, while Y is the great cross hope. We of course saw all this being applied, albeit with less refined academic presentation, in the General Report on Tunny. This enables us now to juxtapose a quote from the report against the traditional worked example of the Hamming code from the paper:
from
http://www.cs.cmu.edu/~venkatg/teaching/codingtheory/notes/notes8.pdf
to
I half read the paper http://www.cs.cmu.edu/~venkatg/pubs/papers/ldpc.pdf. Its all getting way beyond my math skills.
generalizing from sinusoids to fourier as a general tool:
and then
from http://errorcorrectingcodes.wordpress.com/2010/02/09/notes-5-2-proof-of-the-first-mrrw-bound/#more-177 and then “General Report on Tunny”
(General Report on Tunny)
But, getting back to characteristics and dual codes:
Applying an apocryphal method of design, I slept and dreamed that its best to ignore the feistel ladder rendition of the structure of the data encryption algorithm and focus on the Davies and Price book’s “electronics circuit” rendition.
So here it is (probably again)
As I recall, the dream was pointing out
The argument above seems to say that one needs the convergence condition (measured as avalanche) to be satisfied not only in the original alphabet (D, in tunny thinking) but also in delta-D (in tunny speak). Remember, D is an implied, virtual space, in the Shannon sense.
The mixing (via products and sums) has a 2-dimensional nature that is. it has to hold for the natural binary encoding and the gray code encoding of the serial bit stream, at the same time.
http://www.squint.org/qci/QINFO-book-nielsen-and-chuang-toc-and-chapter1-nov00.pdf
I don’t find it runs counter to my common sense. The DES algorithm on a digital computer is very physical; and yet captures the same kind of continuum of state. One can look at it as a quantum simulator…of 64 qubits!
If the enemy intercepts the cryptogram he can calculate from it the a posteriori probabilities of the various possible messages and keys which might have produced this cryptogram. This set of a posteriori probabilities constitutes his knowledge of the key and message after the interception. “Knowledge” is thus identified with a set of propositions having associated probabilities. The calculation of the a posteriori probabilities is the generalized problem of cryptanalysis.
The original paper goes on:
Lets focus on the genetic algorithm properties of DES (as assumed). The function is to re-weight the probability networks each round – changing the “configuration” of the system that defines how state is perceived (in the quantum sense). There is a fixed graph, but we can change the weight attached to each arc.
We have to remember Shannon’s master thesis – which focused on series and parallel networks as means of representing product and addition operations, and/or logics, etc. Lets view, from the quote, “product” and “weighted addition” in this framework of thinking.
The notion of product encompasses a universal (all products); i.e. a unity probability. The notion of weighted (n-ary) addition considers n component probabilities of that unity, and a comparator (on the “amplitude” of probabilities) that forces the state of T, the sum of R and S, to be well-defined always.
(Now, doesn’t T looks a little like the formulae we looked at earlier in the day for superposition of particles, including particles with entangled state.)
Perhaps we can be fanciful, with a DES quantum interpretation! In genetically evolving the stochastic process, so as to interdict differential analysis, the SPN has to self-modify. Perhaps we interpret the core network as embodying either a product or an addition.
Lets view each of the 8 sboxes as one sturgeon SR relay, considering the 6-ary input. It sets according to the parity of those inputs. IF there is even parity, we apply the product rule as bit flows through the relay to the input of the next sbox, which has the same behavior in the next round as this.. If there is odd parity, we apply the addition rule, in which the weight of the 6 bits directs now how the network evolves, and thus how it influences the following sbox’s behavior when processing that same bit.\
Now, in DES we don’t literally see the sboxes generating new values – after all they control the required flow of the SPN. So, its in the interaction of the key bits, the data bits, and the state that has to “effectively” change the sbox values, or rather the behaviour of the sbox. Of course, this can be only by varying the input, which is an xor.
Now, xor is a non-linear operation, when viewed algebraically. From what we learned from the linear cryptanalysis modeling, however, we can also look at it as a weighting/reweighting operator.
Now, didn’t we spend an hour earlier looking a fast walsh-hadamard transform that has the side-effect of uncorrelating sequencies in a signal, all based on (a refined notion of) parity? perhaps we look at the output “configuration” of F() as a parameterized transform that, when applied to the inputs of the sboxes, has the effect of re-indexing the 16 boolean operations per sbox. it permutes the selection of wheels in the sturgeon sense, before (again in the sturgeon sense) the (pentagon) wheel combing logic does its thing.
can we look at product (of the data transformation and the sboxes) as a specialized operation in a specialized algebra, in which product is defined as a convergence process – defined by the avalanche condition? After all, Shannon says his total operations are a linear associative algebra, which set includes multiplication operators that are convergent in nature.
schneier, at http://www.docstoc.com/docs/document-preview.aspx?doc_id=76713390
if we look at E(), can we say that the two inner bits are inducing a shannon product of two rounds whereas (due to the definition of the E() function) the two outer bits are inducing a shannon sum of two rounds? Its not that the sum forces a choice of 1 or the other; but that two operations are undertaken, at different weightings (i.e. different sboxes).
Perhaps we can build on Shannon further.
Can we look at Ti and Tj-1 as the two hamiltonians that drive CDEF bit flows? One sees that the two hamiltonians are complementary in some sense. CAn one look at Tk as the third hamiltoniam then? Did the notion of pure system combining several transforms mean that several wheel combining logics are in effect, in parallel. And, its this interpretation at odds with viewing the transformations as a serial process for the plaintext?
The interpretation still holds when adding in the notion that the 3 transformation acting as a system must be equivalent to a fourth transformation in terms of producing the required a posteriori probability distribution. But, this also means that such fourth transform can be one of the 3, in recursive fashion.
Now, this is not the interpretation intended, I’m sure. Shannon’s original formulation feels much more like Bauer’s conception of the world of transforms – a sequence of monoalphabetics, each tied to a particular subcycle within the
from http://en.scribd.com/doc/7316237/Friedrich-L-Bauer-Decrypted-SecretFriedrich-L
Even Schneier leverages the term “pure”, in relation to the properties of “algebraic structure” and discussion of group’y’ness:
Its clear Shannon was thinking (and modeling) generally.
If we think of DES round function as having a side-effect of generating a “new unknown type of cipher” on the fly (as the state xor’d with key implements the “hilbert choice operator” to select the boolean equations of each sbox), then it could fit the above design concept. Its forcing the cryptanalyst into a searching a world of expanding possibilities.
In the tunny and sturgeon era, we learned how folks approximated. Linearity could be adduced from data, and the likes of turingismus showed how to search out linear equations. On a more practical level, statistic provided an inference method allowing signals in the properties of plaintext to be teased out of ciphertext, on given machines with certain biases.
In the DES era, we learn from elementary texts that the purpose of the non-linearity of the sbox substitution is to counter methods such as linear cryptanalysis. Furthermore, the design of the transposition circuits exists to construct networks, using diffusion to counter counter sequential analytical methods. The combination of substitution and transposition network exists to mix the plaintext.
In the post-DES world, we have learned much about the other features of the data encryption algorithm. We have learned to address related key (and subkeys) and have understood how the integrity features of key wrapping work to defeat related key properties in differential analysis of round functions. In the likes of how KEA and skipjack are interlaced (originally in the capstone chip), we see how the world of key agreement protocols deliver integrity and how the method deriving a usable skipjack key from agreed key delivers complementary integrity, ensuring there is divisibility in the middle of the integrity chain. (Im not sure I wrote that well!) From agreed key, we have to get confidence (via ingerity proofs) in the derived key, the wrapped key, and thence the operational key that drives an integrity service (such as mic’ing a message).
We have learned how a self-generating codebook self-modifies the cipher to defeat differential cryptanalysis at source. And, we have seen a characterization of the expansion function as optimizing the production of the avalanche condition AND addressing related subkeys (due to the different dimensions of subkey and input spaces).
We have seen, in the analysis of the GOST key schedule arguments for eliminating structure in subkeys, and yet in such as triple-DES with independent keys, we have seen how to ensure that multiple runs of the block cipher NEED to introduce dependencies between key bits so that rounds in one encrypt and one decrypt run to not undermines each other.
We saw, in the analysis of conditionals, the impact of the Fiestel swaps when contemplating that the use of the swap operation would be key (i.e. flexibly data) driven, per round.
And, through I’ve forgotten what precisely the measure countered, it was important that the previous round value input to the current round function was injected between permutation and the expansion. Intuitive, this is to help drive the self-modifying nature of the algorithm, so it has genetic algorithm properties helping creating a new codebook-generator as a side-effect of each round. Each round would re-weight the stochastic process, rather than alter the network connections (obviously). This changes the leakage areas in the hamming sphere space(s), thereby altering the nature of the random walk undertaken by each plaintext bit as it wander through the evolving network. (OK – getting more fanciful, now…)
I did a course on “image processing” – at a time when the techniques were beyond what a PC could really perform. Also, the teacher was frightened of using math (since we didn’t have the necessary foundations).
Its all rather easier WITH the math!
We can go from the “tape view”
http://fourier.eng.hmc.edu/e161/lectures/convolution/index.html
to the rectangle view:
http://fourier.eng.hmc.edu/e161/lectures/convolution/index.html
About the only think I learned new was the nicer, modern, formulation of the art. Probably should not over quote this, since it’s a book on active sale:
from 
now to the (tunny) meat:
counting comes into play, of course. Colossus seemed well provisioned to only count certain bit positions of Chi, of course (ignoring counts from as-yet doubted bits, as one went through all the tape’s relative positions)
Folks then build a rectangle (!):
We get cumulative measure s, that reminds me a bit of faltung’ing and the “implicit” definition of the proportional bulge concept:
In some of unquote text, one even see arguments similar to “chains” of “reliable” witnesses, when considering the relation between probability and the likelihood a logical position is true (or false).
We throw at little sturgeon thinking in (for the 5 linear relations between the 12 SR relays, when generating the transposition key)::
The rest of the chapter is a good read (as is the following chapter).
pretty clear…
how the matrix is formed, and how it models line levels:
Then, there is a very effective picture on walsh-hadamard (that captures the recursion in the kernel) that shows the cross over between two halves of a binary sequence. Also note how the mixing works with two inputs and two outputs:
Lets recall that we need sequency. So, to convert to gray code (for sequency lookup as part of fast WHT)
where
http://fourier.eng.hmc.edu/e161/lectures/wht/node3.html
Thus, we end up with the sequency-ordered WHT:
We then get a nice worked example of analyzing a signal in terms of its “sequencies”
I don’t fully understand the last picture (on linear combinations, given the spectrum), but its pretty!
let’s learn a little about quantum gates from the quantum simulation paper (even though we are getting off track). Not a lot to quote (for our purposes); but it does lead to
http://www.ibm.com/developerworks/linux/library/l-quant/index.html
and then to
http://www.squint.org/qci/QINFO-book-nielsen-and-chuang-toc-and-chapter1-nov00.pdf
(sigh. So much to read… and its all yummy.)
We have a solid understanding now of hadamard and Walsh – linking back to Fourier “description” of the faltung correlations/convolutions used to “theorize” about why the processes actually used to break Tunny messages back in 1944 actually worked.
We also saw how a diffusion transform was applied in Grover’s algorithm to implement the “inversion about average” method. We can understand this transform further by investigating a simulation in digital computing land. We also get an indirect lesson on quantum notation schemes.
above and below from
Reflecting that relations between 2 entangled parties is analogous to p and q=(1-p) in the land of probabilities, lets get used to notation:
concerning state representation methods, one applies the wave function to modulate information about position, building on the spin states. Thus PSI+(x) acts functionally on a “value” that has 2 elements: both x-ness (position) and +-ness (spin); similar similarly for PSI-(x).
Getting to combinatorics:
Ok. With this, I’m no longer terrified of the strange notation. We have a functional language, and the ability to compute inner and outer products etc. Thinking back to 1940, probability, faltungs (combining functions) and early quantum thinking, it makes sense to reinforce:
And, speaking of 1940s:
We get to exit the rabbit hole, by pointing to
Ok, now onto Hadamard.
Given what we learned earlier on how walsh and hadamard kernels relate, its fun to see a nice, pithy characterization:
Of course, this relates directly back to the General Report on Tunny – where folks used similar idea to describe the (discrete) fourier transform of a proportional bulge (of a propositional function).
We can juxtapose the two (2010, 1945) now (where N=5 in Tunny land):
(see https://yorkporc.wordpress.com/2011/07/30/non-sinusoidal-fourier-trace-map-bent-functions/ for right hand picture credits)
The topic of specifically generalizing work on walsh transforms is informative. It helps reveal the inner nature:
in summary
all above quotes from http://www.scribd.com/doc/18091224/Generalized-Walsh-and-Hadamard-Transform
Now generalizing:
http://www.scribd.com/doc/18091224/Generalized-Walsh-and-Hadamard-Transform
Can we imagine taking the 2 uniform DES Hamiltonian graphs and looking at each of them as one half a (wire-frame) sphere? Lets recall how quaternions operate, on the unit sphere.
Can we imagine the 3rd Hamiltonian graph of DES defining connections within that bounded space?
The idea is that the sphere thus defined is a surface that allows us to formulate a 1-dimensional projection onto 64 binary bits. The nature of the sphere is such that it mixes spatially and ensures that any final ciphertext is dependent on all bits of plaintext and key.
From “transpositions of wires” don’t we naturally link to cipher boxes transposing bit positions?
It seems more useful to look at the core coding theory of the T.52, where one sees the gray code flip (between O and U, classes 0,12 and 3,4,5 – in each Horizontal impulse stream. (I cannot find bit pattern for char ‘+’, note, in the tunny table)
from http://www.rutherfordjournal.org/article010106.html (upper) and General Report on Tunny (lower)
let me correct that: the + char code is at 5, ringed green.
The Rutherford document goes on to focus on the logic of “wheel” combining, given use of the SR relays specifically. lets have have a look how (bit) weights, weighting functions (generally), graphs and their matrix form relate to each other:
via and from http://www.rutherfordjournal.org/article010106.html
so, we see from the first table above that wheels DCBA are controlled (collectively) by the two wheels above the group (EF). Then, each other wheel (e.g. E) is controlled by the two wheels above it. The control functions are split between dots and crosses, with no obvious pattern as to which dots and which crosses from a given wheel (pair) influence the successor wheel.
http://www.codesandciphers.org.uk/documents/wffishnotes/wf021.HTM describes this more fully:
The pentagram “encoding” reminds me a
little of the DES cycles. Perhaps now we can _semantically_ distinguish the arcs that are on the surface of the sphere” from the arcs that cross the sphere. Can we learn from the semantics of the pentgram model, and its relation to “Baudot classes” (and the weights that define those classes)? Do we recall the 32*32*32 quantum model, in which we had 2 probability sets represented along 2 edges, and 1 set cross the interior of the cube (which we then sliced)?
lets look at the semantics, as described by the Rutherford reporter:
The graph in Fig. 10 is constructed from the wheel combining logic in Fig. 3. In the graph in Fig. 10 the SR relays are represented by the vertices and the controlling wheel output channels by the edges which join in a given vertex. The graph quickly reveals the relationship between the different SR relays; it shows the topology of the circuit clearly.
[…]In the BP Pentagon the vertices are numbered from 1 to 5 in a clockwise manner, while the sides and diagonals are labeled by the lower case letters a-j.
Well let’s do that, for some arbitrary assignment of the lower case letters (then figure why the modern reporter re-labeled things).
so what does this mean? SR1 (1) has 4 output channels (e,a,I,f)? does it mean wheel a is stepped when relays 1 and 2 are both in state a (assuming each relay has 2**4 states, from 4 bits)? Anyways, the idea is clear. The graph encodes the desired logic.
ok. lets break down and read the solution. First we notice something. the distribution of crosses in output channels I, II… V shows some symmetry in the row space, and reminds me of our tunny chart in the column space. There are 3 columns of all crosses, and 2 columns of two crosses, that are column-wise complementary.
Now, earlier text is pretty clear, and we see how SR4 node models the table:
Its not a 2**4 function however. It’s a odd-parity sets relay mode, for 4 inputs. (This helps explain ECM’s method for creating/constraining its probability stream generator.)
Let’s look now at case of SR5 xor SR9. SR5 sets on the odd-parity of 1,9,II, V as the table says. Similarly, SR9 sets on odd-parity of 1,9, I, and III. Clearly, 1 and 9 are common (meaning any odd parity from one set of 1,9 would be cancelled out by the other), leaving I, III, II, V – which matches the earlier table – that xors SR9 with SR5.
I can see how, similarly, the pairs of relays exploit the fact that the 13579 output channels are arranged so they cancel out, leaving only some 4 of the roman wheels to contribute.
The pentagon for the wheels 13579 is an inverse of the permutor’s coding wheel in some sense, much like the 2 outer hamiltonians (b0,b1 and b4,b5, in the 6 bits of input to an sbox) controlling the data flow in the DES engine are similarly complementary.
Hmm. They are labeled CD, EF – not AB, EF. But regardless (of that minor misconception on my part) can we take the union of those two graphs and by analogy say that “relay 1” is set as a function of output channels 5, 2, 8 and 6? – where an sbox is an “output channel??
And, then we add in 7 and 4, then, giving what is required – 6 distinct sbox contribute to the 6 bit input of an sbox? Well, given these are just expressions of the networks, its not surprising this all works out! But, its nice to trace it all from T.52 symmetry, for CDEF.
(DES diagrams from Davis and Price, by the way.)
Peter's ruminations 
You must be logged in to post a comment.