The Ideal Cipher
In 1883, the most famous work of Auguste Kerckhoffs, after whom the
cryptanalytic technique of superimposing multiple messages enciphered
with the same running key is named, was published: La Cryptographie
militaire (Military Cryptography). This work set forth six desiderata for
systems of encryption.
- A cipher should be unbreakable. If it cannot be theoretically proven to be unbreakable, it should at least be unbreakable in practice.
- If the method of encipherment becomes known to one's adversary, this should not prevent one from continuing to use the cipher.
- It should be possible to memorize the key without having to write it down, and it should be easy to change to a different key.
- Messages, after being enciphered, should be in a form that can be sent by telegraph.
- If a cipher machine or code book or the like is involved, any such items required should be portable, and usable by one person without assistance.
- Enciphering or deciphering messages in the system should not cause mental strain, and should not require following a long and complicated procedure.
These six desiderata, as phrased, apply directly to pencil-and-paper
ciphers. Some of the concerns they raise seem less important today, when
the ubiquitous personal computer stands ready to assist the cryptographer.
It may be noted that I have rather heavily paraphrased Kerckhoffs in my
listing of his six dicta above. The second dictum originally stated that
"compromise of the system should not inconvenience the participants".
While my paraphrase makes explicit the usual way in which this dictum is
understood, there is at least one other way in which the users of
a cryptosystem could be inconvenienced by compromise of the algorithm
used.
During the Second World War, the highly secure American cipher machine
SIGABA was handled with extreme physical security. One reason for this was
that it was so secure that if an enemy had discovered how it worked,
although that probably would not have allowed the adversary to begin
cryptanalyzing messages encrypted on the SIGABA, it would have enabled the
adversary to copy the principle, and thus deprive the Allies of the
intelligence they had been obtaining from solving even the highest-level
German and Japanese cipher systems.
Hence, satisfying the first dictum too well caused SIGABA to fail the
second dictum in a less usual manner.
In any case, as amended for the computer era, Kerckhoffs' desiderata
might look like this:
- That a cipher should be unbreakable, in practice if not in theory,
needs no modification as a statement of what is desired. However, only
the one-time pad, or a cipher essentially equivalent to the one-time pad,
is at present known to be secure in theory, and there are good reasons to
believe that such ciphers will remain the only ones that can be proven
unbreakable: Shannon showed that perfect secrecy requires a key carrying
at least as much information as the message it protects.
A number of other ciphers can be proven to be as hard to break as certain
classes of difficult mathematical problems are to solve. But what cannot
be proven at present (and what may remain forever unprovable) is that
those "difficult problems", such as factoring the product of two large
primes, will indefinitely continue to require enough time to inconvenience
the cryptanalyst as new discoveries are made in mathematics.
- That the security of a cipher system should depend on the key and not
on the algorithm has become a truism in the computer era, and it is the
best-remembered of Kerckhoffs' dicta. The original reason for this
requirement, however, is not some magical distinction between "key" and
"algorithm". Rather, it follows from the later conditions imposed on the
key: it must be short, and easy to abandon for a new key. A cryptographic
algorithm can meet neither condition. Hence it should not be part of the
key, because the key would then be bulky and hard to change.
There is, however, also a fundamental distinction between key and
algorithm which, even if Kerckhoffs considered it when he wrote this
desideratum, was probably not one of the major considerations behind it,
although it relates to the first desideratum, and which is today the main
rationale given for this requirement. Unlike a key, an algorithm can be
studied and analyzed by experts to determine whether it is likely to be
secure. An algorithm that you have invented yourself and kept secret has
never had the opportunity for such review, and its secrecy, unlike that of
a key, cannot be restored once it leaks.
- With today's computer technology, which allows a cipher with a 56-bit
key, as used with DES, to be broken by brute force (by merely trying every
possible key), it would appear that a dictum advocating short keys is
entirely obsolete. But if we rephrase the requirement to express the
reasons behind it, the concern is still valid. The secret key, on which
the security of one's messages depends, should not be of a size (or form)
that prevents it from being handled, stored, and exchanged in ways that
effectively protect it from compromise. It may also be noted that
public-key cryptography, which spares the two participants the need to
exchange a secret key in advance over a secure channel, and which allows
them to use a fresh session key for each message, makes this requirement
easier to meet. The one-time pad, on the other hand, may require the
exchange of fresh key material at an inconvenient time, once the available
key is exhausted.
- Enciphered messages should be in a form suitable to transmission
by means of whatever communications medium is intended to be used, or
convenient to use. This may mean the Internet or a fiber-optic link
instead of the telegraph, but the principle remains sound.
- In order for a cipher to satisfy the first rule, it seems impossible to
avoid using a piece of apparatus for encipherment, namely the digital
computer. Computers that are portable and easily used by one person
certainly exist today. Since apparatus can also cause problems by arousing
suspicion, it would be an advantage in this area if one's cipher could be
carried out with the aid of a computer program in BASIC that one could
type in from memory.
- Again, it seems that for a cipher to remain unbreakable by today's standards, the algorithm used would have to be intricate and complicated. However, we now have computers to do the hard work. One reason a cipher should not be too complicated is to avoid errors in the encipherment of messages. Hence this dictum can be read as recommending that ciphers with unfavorable error-propagation characteristics be avoided, since transmission errors can likewise make it necessary to retransmit a message. This relates more directly to the cipher itself than the simple observation that an encryption program, like any other computer program, should have a good user interface.
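The error-propagation point in the last item can be made concrete: the same block cipher driven in different modes of operation behaves very differently when a single bit of ciphertext is corrupted in transit. The following Python program is an added example, not code from the original page. It builds a toy 16-byte block cipher (a four-round Feistel network with an HMAC-SHA256 round function, assumed here only so that the example runs offline with the standard library; it is not a real cipher), runs it in ECB, CBC and CTR modes over a constructed 64-byte message under a constructed key and IV, flips one bit of the ciphertext, and reports which plaintext bytes come out wrong after decryption.

```python
"""Error propagation of a single ciphertext bit-flip under ECB, CBC and CTR.

Added example, not from the original page. The block cipher is a toy
4-round Feistel network with an HMAC-SHA256 round function, assumed here
only so the modes have a real avalanche effect with no third-party
library; it is not suitable for actual use.
"""
import hashlib
import hmac
from typing import Dict, List, Set

BLOCK = 16         # block size in bytes
HALF = BLOCK // 2  # one Feistel half
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function: keyed hash of (round number, half-block), truncated to a half.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:HALF]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Encrypt one block: (L, R) -> (R, L xor F(R)) for each round."""
    assert len(block) == BLOCK
    left, right = block[:HALF], block[HALF:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Invert block_encrypt by undoing the rounds in reverse order."""
    assert len(block) == BLOCK
    left, right = block[:HALF], block[HALF:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


def _blocks(data: bytes) -> List[bytes]:
    assert len(data) % BLOCK == 0, "example uses whole blocks only"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    return b"".join(block_encrypt(key, b) for b in _blocks(pt))


def ecb_decrypt(key: bytes, ct: bytes) -> bytes:
    return b"".join(block_decrypt(key, b) for b in _blocks(ct))


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for b in _blocks(pt):
        prev = block_encrypt(key, _xor(b, prev))  # C_i = E(P_i xor C_{i-1})
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for b in _blocks(ct):
        out.append(_xor(block_decrypt(key, b), prev))  # P_i = D(C_i) xor C_{i-1}
        prev = b
    return b"".join(out)


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR mode: XOR with keystream E(nonce || counter); same call both ways."""
    assert len(nonce) == HALF
    out = []
    for i, b in enumerate(_blocks(data)):
        out.append(_xor(b, block_encrypt(key, nonce + i.to_bytes(HALF, "big"))))
    return b"".join(out)


def flip_bit(data: bytes, byte_index: int, bit: int) -> bytes:
    """Simulate a single-bit transmission error in the ciphertext."""
    buf = bytearray(data)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)


def corrupted_positions(original: bytes, recovered: bytes) -> Set[int]:
    return {i for i, (a, b) in enumerate(zip(original, recovered)) if a != b}


# Constructed sample inputs (not real keys or traffic).
KEY = b"constructed-key!"  # 16 bytes
IV = bytes(range(BLOCK))   # CBC initialisation vector
NONCE = IV[:HALF]          # CTR nonce (8 bytes) + 8-byte counter = one block
MESSAGE = b"ATTACK AT DAWN. REGROUP AT THE OLD MILL AND AWAIT FURTHER ORDERS"  # 64 bytes


def propagation_experiment(byte_index: int = 20, bit: int = 3) -> Dict[str, Set[int]]:
    """Flip one ciphertext bit (default: byte 20, inside block 1) and report,
    per mode, which plaintext byte positions are wrong after decryption."""
    results: Dict[str, Set[int]] = {}
    ct = ecb_encrypt(KEY, MESSAGE)
    results["ECB"] = corrupted_positions(MESSAGE, ecb_decrypt(KEY, flip_bit(ct, byte_index, bit)))
    ct = cbc_encrypt(KEY, IV, MESSAGE)
    results["CBC"] = corrupted_positions(MESSAGE, cbc_decrypt(KEY, IV, flip_bit(ct, byte_index, bit)))
    ct = ctr_crypt(KEY, NONCE, MESSAGE)
    results["CTR"] = corrupted_positions(MESSAGE, ctr_crypt(KEY, NONCE, flip_bit(ct, byte_index, bit)))
    return results


if __name__ == "__main__":
    for mode, bad in sorted(propagation_experiment().items()):
        print(f"{mode}: {len(bad):2d} corrupted plaintext bytes at {sorted(bad)}")
```

Run stand-alone, it prints the corrupted byte positions per mode: ECB garbles the whole affected block and nothing else, CBC garbles that block and additionally flips exactly the same bit in the following block, and CTR flips only the single bit that was hit. The property that makes CTR forgiving of transmission errors also makes it trivially malleable, so in practice it must be paired with a message authentication code; Kerckhoffs' sixth desideratum concerns accidental errors, not an adversary who introduces them deliberately.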
Thus, I claim that all six of Kerckhoffs' desiderata, not just those
whose relevance is most often acknowledged at the present time, still
retain at least some degree of importance, when correctly understood.
But it is true that the ones regarded as obsolete have retained less
of their importance as stated, although the reasons behind them remain
valid in a different form.