1994-02-04 - Practical Pencil & Paper Encryption (computerizable)

Header Data

From: richardr@netcom.com (Richard L. Robertson)
To: cypherpunks@toad.com
Message Hash: 8cd31e4f596922024a84b60cd7d8b4152462404ab22ac687ae1e6c0595e7c17e
Message ID: <199402041738.JAA19453@mail.netcom.com>
Reply To: N/A
UTC Datetime: 1994-02-04 17:39:48 UTC
Raw Date: Fri, 4 Feb 94 09:39:48 PST

Raw message

From: richardr@netcom.com (Richard L. Robertson)
Date: Fri, 4 Feb 94 09:39:48 PST
To: cypherpunks@toad.com
Subject: Practical Pencil & Paper Encryption (computerizable)
Message-ID: <199402041738.JAA19453@mail.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain



Bruce Schneier   <schneier@chinet.chinet.com>

     in Message-ID: <CEtKr4.7B7@chinet.chinet.com>
              Date: Wed, 13 Oct 1993 05:04:13 GMT
           Subject: Pencil and paper encryption algorithm

proposed a pencil-and-paper encryption algorithm that could be used
without computers, but was still secure against computer-aided
attacks.  

I answered with what I felt were several practical usage problems
with his proposed methodology that made it infeasible to reliably
encrypt and decrypt messages in a finite time.

During a much needed vacation from the practical realities of work
and life, I have attempted to come up with a simplified message
encryption algorithm that meets Bruce's criteria and is practical
in use.

I took as design constraints that an inexpensive (< $30) pocket
calculator was acceptable for performing any necessary
calculations, but that something as big and complex as an HP-48 or
an Apple Newton was unacceptable. I also changed the requirement
from "secure against computer-aided attacks" to "highly resistant
against computer aided attacks".

My first attempt used a simple, multiple memory, non-programmable
Radio Shack checkbook pocket calculator. While the methodology met
the "resistance" criterion, it failed the practical test of error-
free calculation in a finite time. It turned out to be possible to
get reliable encryption and decryption by applying the result
cross-checking techniques used in hand pencil-and-paper
calculation, however the time required for error-free encryption
was exorbitant.

By relaxing the design constraints to allow limited programmability
in the pocket calculator, I was able to adequately address the
problem of speed of error-free encryption calculations. 

The constraint that I adopted was that the calculator's program
steps must be simple and compact enough for the user to be able to
memorize and to be able to re-enter the program into the calculator
each time that it was used to encrypt or decrypt a message. I
believe that this satisfies the reasonable requirement that there
be no incriminating evidence left lying around in the calculator
between encryption sessions.

The following encryption procedure was tested using an $18 Radio
Shack Model EC-4021 programmable scientific calculator. The
algorithms were modified as necessary to conform to the practical
limitations of the calculator keypad and limited programming
capabilities.

With only moderate training time (a couple of hours) I was able to
reliably encrypt and decrypt messages at a rate of 8-10 characters
per minute. The primary speed limitation was the actual tran-
scription on the results by pencil onto paper.

I would appreciate any and all comments, criticisms, error corrections
and suggestions for improvements.


Richard Robertson           richardr@netcom.com

------------------------------------------------------------
            A "Pencil and Paper" Encryption Algorithm
                     for Pocket Calculators

              Copyright 1993   Richard L. Robertson

Contents

     A:   Encryption Confusion Generators
     B:   Substitution Cipher Technique
     C:   Transposition Cipher Technique
     D:   Encryption Key Management
     E:   Cryptographic Hardness
     F:   Message Encryption Example
     G:   Sample Message Key Generation



A:   Encryption Confusion Generators

The core confusion generator chosen is a variation on the non-
linear equation Logistic Difference Equation (LDE). This is
selected for its adequate PRNG properties and its simplicity of
calculation.

The standard basic LDE can be written as 

     X[n+1] = R * X[n] * (1 - X[n])
          where     R = 4, and
                    0 < X[n] < 1

While the output of the LDE has reasonable unpredictability, this
basic formulation has limited cryptographic usefulness, partly
because of limited sequence length and partly because the seed can
be derived with sufficient information about successive values,
even if "jitterized" (as described by Terry Ritter).

By revising the constraints slightly to

               3.99 < R < 4.0

the resulting output is "sub-chaotic" but still has very good PRNG
properties. Another advantage of using R < 4.0 is that rounding
errors in calculations do not cause any numerical values that
result in the PRNG sequence degenerating from calculation errors.
Extensive numerical trials on a 486 PC with 15-digit (decimal)
floating point calculations have not uncovered any values of R or
X[n] that result in short or degenerate PRNG sequences.

The average length of a pseudo-random sequence from a (modified)
LDE is a function of the number of digits of precision used in the
calculations. For 9-digit fractional numbers, the expected length
of a pseudo-random sequence is ~ 3 * 10^4 and there are ~ 3 * 10^4
independent sequences. The sequence length is adequate for pencil
and paper encryption since messages would rarely exceed 200
characters.

To develop a reasonably secure cryptographic methodology using the
modified LDE as the confusion generator, proceed as follows:

1 -  Select two non-linear (LDE) confusion generators

               G1 = R * X * (1 - X),  and
               G2 = R'* Y* (1 - Y)

               where R' = 0.999 * R (used because of limitations in
                                   the number of memory registers
                                   in the pocket calculator)

2 -  The cryptographic key (or seed) consists of the values

          R, X[0] and Y[0],  where

               0 < X[0]  < 1  is a 9-digit key
               0 < Y[0]  < 1  is a 9-digit key
               3.99 < R < 4.0 is a 7-digit key

     The total key length is 25 digits, giving a key space size of
     10^25.  The keys are short enough to be easily memorized.  (If
     you are not convinced of this assertion, consider how many
     phone numbers, PIN numbers, bank account numbers, etc that the
     average person routinely commits to memory)


3 -  Select a non-linear combiner for the output of two confusion
     generators.

          This is the first level of serious cryptographic
          strength.

     We will chose the function

          K = G1 <*> G2

          where <*> is the floating point multiplication operator
          with rounding (see Knuth, Seminumerical Algorithms for
          details).

               At little inspection will show that it is not possible to
     recover the values G1 and G2 from a given K because K is not
     uniquely factorable. The rounding performed during the
     multiplication discards information necessary for factoring.

     In fact, for any 0 < K < 1, *all* values of G1 > K are valid
     factors of K. Rephrased, for any K {0 < K < 1} and for any p
     {1 > p > K, there exists at least one q {1 > q > K} such that
     K = p <*> q.

          Note: Because of rounding, numbers of the form K =
          (1/b)^n (where b is the base) are the only
          exceptions to this statement. For K = (1/b)^n, q =
          1-(1/b)^n is not a factor of K. 

     Recovering a sequence of G1 and G2 values from a sequence of
     K values, and from that recovering the cryptographic keys R,
     X[0] and Y[0], requires solving a series of simultaneous non-
     linear high-order polynomial equations.  I am not aware of any
     practical way to do this in the literature.

     Brute force recovery of the sequence of n-digit G1 and G2
     values requires checking a minimum of 10^(n*3) n-tuples 
     {G1,G2,G'1,G'2,G''1,G''2} to determine which are possible
     solutions for the generator functions G1 and G2.

4 -  Choose a domain transformation from quasi-continuous floating
     point to the finite to select digits from K to use for data
     encryption.

          This is the second level of serious cryptographic
          strength.

     Choose any algorithm for selecting a cipher value K' of either
     1 or 2 digits from "around the middle" of the value K to use
     for performing the encryption. Because the confusion
     generators G1 and G2 are independent and have reasonably
     uniform digit distributions, the nonlinear combination K = G1
     <*> G2 also has a reasonably uniform digit distribution. 

     For any particular 1-digit value K', there are 10^8 possible
     values of K that could have generated it.  For any particular
     2-digit value K', there are 10^7 possible corresponding values
     for K.

5a - Use the sequence {K'} as the key for a Vigenere cipher

5b - Use the sequence {K'} to control a pseudo-random transposition
     cipher.

5c - Combine (5a) and (5b). Use (5a) to "bit-level" the message
     text, then use (5b) to superencipher the output of (5a).

          This would require two complete encryption steps and is
          probably too labor and time intensive to be worth while
          for pencil and paper encryption.

In summary, the steps for calculating the encryption sequence K'
are as follows:

               X [n+1] = R * X[n] * (1 - X[n])
               Y [n+1] = .999 * R * Y[n] * (1 - Y[n])

               K [n+1] = X[n+1] * Y[n+1]
               K'[n+1] = 1 or 2 low-order digits of int (10^5 * K[n+1])


B:   Substitution Cipher Technique

In this system, the key consists of a series {K'} of 2-digit values
that is as long as the message. These are added to the plaintext
message characters modulo 100, considered the alphabet as numbered
from Sp=00, A=01 to Z=26, etc. This is your basic Vigenere cipher
with the cipher key as long as the message.

Decryption performs the same series of steps on the ciphertext
message characters except that subtraction modulo 100 is used.

Given that the K' form an unpredictable sequence, this is
equivalent to a one-time pad Vernam cipher where the one-time pad
does not have to be transmitted to the receiver. The message
recipient can regenerate the series {K'} from knowledge of the
cipher key <R,X[0],Y[0]>. 

The only problems that need to be addressed are the resistance of
the sequence {K'} to computer-assisted attack and how to manage the
necessary set of secret keys {<R,X[0],Y[0]>}, since one key-tuple
is consumed by each message.


In summary, the steps for encrypting a message M are as follows:

        compute K[n] as described above
        C[n] = 2 low-order digits of int (10^5 * K[n]) + M[n]

        where  M[n] is the nth plaintext character, and
               C[n] is the nth ciphertext character


and the steps for decrypting a ciphertext C are as follows:

        compute K[n] as described above
        M[n] = 2 low-order digits of 
               int (100001 - (10^5 * K[n]) + C[n])

        where  M[n] is the nth plaintext character, and
               C[n] is the nth ciphertext character

C:             Transposition Cipher Technique

In this system, the key consists of a series {K'} of 1-digit values
that is longer than the message.

     1 -  Write down the plaintext message into blocks of length 10
          (because the calculator operates in decimal mode). Repeat
          the message at least once because the algorithm will
          encipher more characters than are in the message. The
          exact number of excess characters enciphered is random
          but bounded.

          If the message text is:
               "Now is the time for all good men to come to the
               aid of their party."

          then this is written in blocks of 10 as:

                       1234567890

                       |Now is the|
                       | time for |
                       |all good m|
                       |en to come|
                       | to the ai|
                       |d of their|
                       | party.Now|
                       | is the ti|
                       |me for all|

           Repeat the message text as required.

     2 -  Calculate the sequence of 1-digit numbers {K'}

     3 -  For each value K', select and output the next unused
          character in column K'. Mark the selected character as
          used.

     4 -  Repeat this process until all characters in the base
          message have been transmitted.


Decryption proceeds as follows:

     1 -  Calculate the sequence of 1-digit numbers {K'}

     2 -  Get the next ciphertext character and place it in the
          next available column K'

     3 -  Repeat this process for all ciphertext characters.

     4 -  The row in which that last character is placed is the
          last row of the message. Discard any rows following that
          row because they are just random padding added by the
          encryption algorithm.

Transposition ciphers are substantially harder to attack than
substitution ciphers and normally require a lot of hand work. 
Normally they are attacked by anagramming when there is some
knowledge of the expected message contents.

I would assert, based on a moderate literature search, that this
pseudo-random transposition has no known effective methods for
attack because there are no fixed column boundaries and character
positions are pseudo-random. 

If the cryptographic key <R,X[0],Y[0]> is changed with each message
there should be no way short of brute force anagramming or a brute
force key space search to break this cipher because the
cryptographic cipher values are never exposed for cryptanalysis.


D:   Key Management

     To make the subsitution cipher encryption useful the key must
     be changed with each message because it is a one-time pad
     method. The encryption method has already addressed and
     eliminated the need for the sender to transmit a copy of the
     OTP to the receiver by having the receiver independently
     recreated the OTP used to encrypt the message. 

     While having a separate, unique encryption key for each
     message is less important for the transposition cipher, it
     does strengthen the cipher against any attack if the key can
     be easily changed for each message.  

     In order to not have to transmit each key used to generate the
     OTP for each message to the receiver, a technique must be
     developed that provides a similar facility. If this can be
     accomplished, then the only secret that the sender and
     receiver must share is a single, small master key. Sharing a
     small amount of secret information is a fairly easy problem to
     solve in practice.

     Inspection of the method for generating the encryption
     confus*ion sequence shows a way to accomplish the desired key
     management. Consider the sequence of values {K[i]}.  It is
     obvious from the earlier discussion that there are only two
     ways to be able to predict subsequent values K[n+1] from the
     series of values {K[1] ... K[n]}:

       -  obtain the generating seeds for G1 and G2 by brute force
          examining sets of possible values {G1[i],G2[i]} obtained
          by factoring {K[i]}. This would require examining at
          least ~ 10^24 (2^80) possible sets {G1[i],G2[i]} and as
          such is not feasible with current computing technology.

       -  obtain the generating seeds for G1 and G2 by solving a
          set of simultaneous high-order nonlinear system of
          equations. This is an extremely hard problem that is not
          (as far as my literature search has taken me) amenable to
          solution at this time.

     In  order to make the problem slightly harder for the crypt-
     analyst, the key generation algorithm chosen will not use the
     sequence {K[i]} directly so as not to expose the actual values
     K[n], but will use K[n] as a starting point for another
     nonlinear combiner. Again, the algorithms have been adjusted
     to compensate for the limitations of the pocket calculator.

To generate a cryptographically (reasonably) secure sequence of
encryption keys using the modified LDE as the confusion generator,
proceed as follows:

1 -  Select two non-linear (LDE) confusion generators

               G1 = R * X * (1 - X),  and
               G2 = R'* Y* (1 - Y)

               where R' = 0.999 * R (used because of limitations in
                                   the number of memory registers
                                   in the pocket calculator)

2 -  The master cryptographic key (or seed) consists of the values

        R, X[0] and Y[0],  where

               0 < X[0] < 1   is a 9-digit key
               0 < Y[0] < 1   is a 9-digit key
               3.99 < R < 4.0 is a 7-digit key

     The total key length is 25 digits, giving a key space size of
     10^25.  The keys are short enough to be easily memorized.  (If
     you are not convinced of this assertion, consider how many
     phone numbers, PIN numbers, bank account numbers, etc that the
     average person routinely commits to memory)


3 -  Select a non-linear combiner for the output of two confusion
     generators.

          This is the first level of serious cryptographic
          strength.

     We will chose the function

          K = G1 <*> G2

          where <*> is the floating point multiplication operator
          with rounding (see Knuth, Seminumerical Algorithms for
          details).

4 -            To generate the Nth message key iterate the basic sequence
     generator N times. Then use the values K[N] ... to alter the
     generator parameters R, X and Y as follows:

               R <- 3.99 + (K[n]/100)
               X <- K'[n+1] where K'[i] <> K[i] because the
                              generating parameters are different
               Y <- K'[n+2]
               R <- 3,99 + (K'(n+3)/100)

5 -  The final resulting values <R,X,Y> become the cryptographic
     key for the Nth message being encrypted or decrypted and are
     used as described above for message encryption and decryption.
     Only the value N must be transmitted with the message, not the
     values of the message key <R,X,Y>, because the receiver can
     recreate the message key from N and the master key shared by
     the sender and receiver.

     The only additional requirement for security is that no key be
     reused. This is easy to implement by having the sender number
     the messages as they are encrypted. The receiver verifies that
     a message is valid by rejected any message where the message
     number N is less than the message number of the last message
     received. This will prevent replay attacks in the event that
     an opponent obtains a message key.

In summary, the steps for calculating the encryption key <R,X,Y>
for the Nth message are as follows:

          Repeat N times:
               X [i+1] = R * X[i] * (1 - X[i])
               Y [i+1] = .999 * R * Y[i] * (1 - Y[i])
               K [i+1] = X[i+1] * Y[i+1]
               {end repeat}

          R <- 3.99 + (K[N]/100)
             calculate K[N+1]
          X <- K'[N+1]
             calculate K'[N+2]
          Y <- K'[N+2]
             calculate K'[N+3]
          R <- 3.99 + (K'[N+3]/100)

     The message encryption key conists of the values <R,X,Y> at
     the conclusion of this calculation.


E:   Cryptographic Hardness

Key space searches:

     The key space size is ~ 10^25 (~ 2^80), which is too large for
     brute force search with currently available computing
     resources.
     Because the key values are random 9-digit numbers there is no
     possible dictionary attack.


Known Plaintext:

     A known plaintext attack will immediately give the cipher
     sequence {K'}. However, an absolute minimum of 3 sequential
     values of the sequence {K} are needed to derive the encryption
     key <R,X[0],Y[0]>. For the 2-digit sequence {K'} used in the
     substitution cipher, this requires checking the validity of
     the encryption keys derived from the (at least) 10^21 (2^70)
     possible triples {K1,K2,K3}. This is well beyond current
     computational capabilities.

     Since each key <R,X[0],Y[0]> is used only once, possession of
     the key for one message does not give the opponent any direct
     value in a known plaintext attack. To determine the key for
     subsequent messages, at least 3 successive keys must be
     accumulated in order for the cryptanalyst to attack the key
     management.

Chosen Plaintext:

     No advantage over known plaintext.

Key Management:

     Same problems (or worse) for the cryptanalyst as aKnown
     Plaintext attack.

Differential Cryptanalysis:

     I don't see that this is applicable because the key changes
     with each message.


F:   Message Encryption Example:

     Sample message to be enciphered

           "Now is the time for all good men to come to
           the aid of their party."

     Message buffer is padded with repeats of the message, but
     it would be better to pad with randomly chosen text.

     The encryption calculations were performed on a Radio Shack
     Model EC-4021 programmable scientific calculator.

           Image of Message Text Buffer

     =========================================
     : 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 0 :
     =========================================
0    | N | O | W |   | I | S |   | T | H | E |
     +---+---+---+---+---+---+---+---+---+---+
1    |   | T | I | M | E |   | F | O | R |   |
     +---+---+---+---+---+---+---+---+---+---+
2    | A | L | L |   | G | O | O | D |   | M |
     +---+---+---+---+---+---+---+---+---+---+
3    | E | N |   | T | O |   | C | O | M | E |
     +---+---+---+---+---+---+---+---+---+---+
4    |   | T | O |   | T | H | E |   | A | I |
     +---+---+---+---+---+---+---+---+---+---+
5    | D |   | O | F |   | T | H | E | I | R |
     +---+---+---+---+---+---+---+---+---+---+
     |   | P | A | R | T | Y | . | N | O | W | <- Message ends at
     =========================================    this line
7    |   | I | S |   | T | H | E |   | T | I |
     +---+---+---+---+---+---+---+---+---+---+ Buffer is loaded with
8    | M | E |   | F | O | R |   | A | L | L | repeated copies of the
     +---+---+---+---+---+---+---+---+---+---+ message text
9    |   | G | O | O | D |   | M | E | N |   |
     +---+---+---+---+---+---+---+---+---+---+
10   | T | O |   | C | O | M | E |   | T | O |
     +---+---+---+---+---+---+---+---+---+---+
11   |   | T | H | E |   | A | I | D |   | O |
     +---+---+---+---+---+---+---+---+---+---+
12   | F |   | T | H | E | I | R |   | P | A |
     +---+---+---+---+---+---+---+---+---+---+
13   | R | T | Y | . | N | O | W |   | I | S |
     +---+---+---+---+---+---+---+---+---+---+
14   |   | T | H | E |   | T | I | M | E |   |
     +---+---+---+---+---+---+---+---+---+---+
15   | F | O | R |   | A | L | L |   | G | O |
     +---+---+---+---+---+---+---+---+---+---+
16   | O | D |   | M | E | N |   | T | O |   |
     +---+---+---+---+---+---+---+---+---+---+
17   | C | O | M | E |   | T | O |   | T | H |
     +---+---+---+---+---+---+---+---+---+---+
18   | E |   | A | I | D |   | O | F |   | T |
     +---+---+---+---+---+---+---+---+---+---+
19   | H | E | I | R |   | P | A | R | T | Y |
     +---+---+---+---+---+---+---+---+---+---+

============================================================

     Substitution Encipherment of Sample Text

     The Message Encryption Key 

            X[0] = 0.123456789     register K1
            R    = 3.995678901     register K2
            Y[0] = 0.234567891     register M

            Calculator set to No Rounding (2nd Fn - Tab - .)
                       ie, show all decimal digits

     Substitution Cipher Character Translation Table

            Sp 00   J  10     T  20
            A  01   K  11     U  21
            B  02   L  12     V  22
            C  03   M  13     W  23
            D  04   N  14     X  24
            E  05   O  15     Y  25
            F  06   P  16     Z  26
            G  07   Q  17     .  27
            H  08   R  18
            I  09   S  19      


      Plain Text converted to decimal representation

     =========================================
     : 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 0 :
     =========================================
0    | 14| 15| 23| 00| 09| 19| 00| 20| 08| 05|
     +---+---+---+---+---+---+---+---+---+---+
1    | 00| 20| 09| 13| 05| 00| 06| 15| 18| 00|
     +---+---+---+---+---+---+---+---+---+---+
2    | 01| 12| 12| 00| 07| 15| 15| 04| 00| 13|
     +---+---+---+---+---+---+---+---+---+---+
3    | 05| 14| 00| 20| 15| 00| 03| 15| 13| 05|
     +---+---+---+---+---+---+---+---+---+---+
4    | 00| 20| 15| 00| 20| 08| 05| 00| 01| 09|
     +---+---+---+---+---+---+---+---+---+---+
5    | 04| 00| 15| 06| 00| 20| 08| 05| 09| 18|
     +---+---+---+---+---+---+---+---+---+---+
6    | 00| 16| 01| 18| 20| 25| 27| * |         <-  * := EOM
     +---+---+---+---+---+---+---+---+


     Cipher Text in decimal representation

     =========================================
     : 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 0 :
     =========================================
0    | 03| 96| 69| 02| 83| 49| 28| 31| 22| 13|
     +---+---+---+---+---+---+---+---+---+---+
1    | 21| 63| 92| 03| 90| 45| 72| 08| 26| 34|
     +---+---+---+---+---+---+---+---+---+---+
2    | 15| 65| 62| 01| 34| 84| 50| 12| 62| 83|
     +---+---+---+---+---+---+---+---+---+---+
3    | 07| 41| 71| 33| 72| 64| 38| 96| 73| 25|
     +---+---+---+---+---+---+---+---+---+---+
4    | 16| 96| 06| 57| 93| 39| 8 | 47| 60| 96|
     +---+---+---+---+---+---+---+---+---+---+
5    | 29| 49| 88| 37| 39| 37| 61| 24| 68| 38|
     +---+---+---+---+---+---+---+---+---+---+
6    | 60| 90| 25| 96| 67| 84| 65| * |         <-  * := EOM
     +---+---+---+---+---+---+---+---+



============================================================


     Transposition Encrypted Message Text

     The Message Encryption Key 

          X[0] = 0.123456789       register K
          R    = 3.995678901       register K2
          Y[0] = 0.234567891       register M

          Set calculator rounding to 0 decimal digits
                  (2nd Fn - Tab - 0)

                  ie, show only integer portion of answer

            Encrypted message in blocks of 10 letters

                       |HO T NR IT||AM ES OWOT|
                       | FE D EMLD||IF LOG  M |
                       |HC ORN  AE||OIOTOE MEI|
                       |TFTN TA LO||TE APH. DR|
                       |OSC ITW IE||Y|*               <-* := EOM

     =========================================
     : 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 0 :
     =========================================
0    | H | O |   | T |   | N | R |   | I | T |
     +---+---+---+---+---+---+---+---+---+---+
1    | A | M |   | E | S |   | O | W | O | T |
     +---+---+---+---+---+---+---+---+---+---+
2    |   | F | E |   | D |   | E | M | L | D |
     +---+---+---+---+---+---+---+---+---+---+
3    | I | F |   | L | O | G |   |   | M |   |
     +---+---+---+---+---+---+---+---+---+---+
4    | H | C |   | O | R | N |   |   | A | E |
     +---+---+---+---+---+---+---+---+---+---+
5    | O | I | O | T | O | E |   | M | E | I |
     +---+---+---+---+---+---+---+---+---+---+
6    | T | F | T | N |   | T | A |   | L | O |
     +---+---+---+---+---+---+---+---+---+---+
7    | T | E |   | A | P | H | . |   | D | R |
     +---+---+---+---+---+---+---+---+---+---+
8    | O | S | C |   | I | T | W |   | I | E |
     +---+---+---+---+---+---+---+---+---+---+
9    | Y | * |                                 <- * := EOM
     +---+---+
 

============================================================


            Decrypted Transposition Message

     =========================================
     : 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 0 :
     =========================================
0    | N | O | W |   | I | S |   | T | H | E |
     +---+---+---+---+---+---+---+---+---+---+
1    |   | T | I | M | E |   | F | O | R |   |
     +---+---+---+---+---+---+---+---+---+---+
2    | A | L | L |   | G | O | O | D |   | M |
     +---+---+---+---+---+---+---+---+---+---+
3    | E | N |   | T | O |   | C | O | M | E |
     +---+---+---+---+---+---+---+---+---+---+
4    |   | T | O |   | T | H | E |   | A | I |
     +---+---+---+---+---+---+---+---+---+---+
5    | D |   | O | F |   | T | H | E | I | R |
     +---+---+---+---+---+---+---+---+---+---+
6    |   | P | A | R | T | Y*| . | N | O | W | * := Last char
     +---+---+---+---+---+---+---+---+---+---+                received
7    |   | I | S |   |           |   | T | I |
     +---+---+---+---+           +---+---+---+    all partially
8    | M | E |   | F |           | A | L |         filled rows 
     +---+---+   +---+           +---+---+         after the row 
9    |   |       | O |           | E |                           with the last
     +---+       +---+           +---+                           char received
10   | T |       | C |           |   |                           are discarded
     +---+       +---+           +---+
11   |   |                       | D |
     +---+                       +---+
12                               |   | 
                                 +---+

     The actual shape of any particular received message block will
     vary randomly with the key and the length of the message
     transmitted.  


============================================================



     Transposition column selection table

     The Message Encryption Key 

          X[0] = 0.123456789       register K1
          R    = 3.995678901       register K2
          Y[0] = 0.234567891       register M

          Set calculator rounding to 0 decimal digits
               (2nd Fn - Tab - 0)

               ie, show only integer portion of answer


     =========================================
     : 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 0 :
     =========================================
0    | 9 | 2 | 7 | 2 | 4 | 1 | 9 | 1 | 5 | 8 |
     +---+---+---+---+---+---+---+---+---+---+
1    | 1 | 4 | 4 | 1 | 6 | 6 | 6 | 3 | 8 | 4 |
     +---+---+---+---+---+---+---+---+---+---+
2    | 4 | 4 | 0 | 1 | 8 | 9 | 5 | 9 | 2 | 1 |
     +---+---+---+---+---+---+---+---+---+---+
3    | 3 | 7 | 1 | 3 | 7 | 5 | 6 | 1 | 1 | 0 |
     +---+---+---+---+---+---+---+---+---+---+
4    | 6 | 7 | 1 | 8 | 4 | 2 | 3 | 8 | 9 | 8 |
     +---+---+---+---+---+---+---+---+---+---+
5    | 5 | 9 | 3 | 2 | 9 | 7 | 4 | 0 | 0 | 0 |
     +---+---+---+---+---+---+---+---+---+---+
6    | 1 | 4 | 5 | 8 | 8 | 9 | 8 | 2 | 9 | 3 |
     +---+---+---+---+---+---+---+---+---+---+
7    | 6 | 8 | 5 | 3 | 2 | 7 | 7 | 8 | 8 | 0 |
     +---+---+---+---+---+---+---+---+---+---+
8    | 4 | 3 | 4 | 1 | 2 | 5 | 0 | 8 | 0 | 2 |
     +---+---+---+---+---+---+---+---+---+---+
9    | 6 | 7 | 2 | 1 | 1 | 2 | 6 | 4 | 1 | 3 |
     +---+---+---+---+---+---+---+---+---+---+
10   | 2 | 6 | 6 | 1 | 8 | 9 | 5 | 1 | 2 | 8 |
     +---+---+---+---+---+---+---+---+---+---+



G:   Sample Message Key Generation


     The Master Encryption Key 

            X[0] = 0.567890123     register K1
            R    = 3.998901234     register K2
            Y[0] = 0.345678912     register M

            Calculator set to No Rounding (2nd Fn - Tab - .)
                       ie, show all decimal digits

     Calculate the Message Encryption Key for the 5th message

         Repeat calculation of K[i] 5 times
                K[1] = 0.886684581
                K[2] = 0.025546435
                K[3] = 0.246545962
                K[4] = 0.268216342
                K[5] = 0.589846665

          R <- 3.99 + (K[5]/100) = 3.995898467
                K'[6] = 0.337260078
          X <- K'[6] = 0.337260078
                K'[7] = 0.83623299
          Y <- K'[7] = 0.83623299
                K'[8] = 0.208478335
          R <- 3.99 + (K'[8]/100) = 3.992084783

     The resulting Message Encryption Key for message #5 is:

          X[0] = 0.381353099       register K1
          R    = 3.992084783       register K2
          Y[0] = 0.546680583       register M





Thread