FlLE COMPRESSION
293
the message: this means that we need to save the tree along with the message
in order to decode it. Fortunately, this does not present any real difficulty.
It is actually necessary only to store the code array, because the radix search
trie which results from inserting the entries from that array into an initially
empty tree is the decoding tree.
Thus, the storage savings quoted above is not entirely accurate, because
the message can’t be decoded without the trie and we must take into account
the cost of storing the trie (i.e., the code array) along with the message.
Huffman encoding is therefore only effective for long files where the savings in
the message is enough to offset the cost, or in situations where the coding trie
can be precomputed and used for a large number of messages. For example, a
trie based on the frequencies of occurrence of letters in the English language
could be used for text documents. For that matter, a trie based on the
frequency of occurrence of characters in Pascal programs could be used for
encoding programs (for example,
“;”
is likely to be near the top of such a
trie). A Huffman encoding algorithm saves about 23% when run on the text
for this chapter.
As before, for truly random files, even this clever encoding scheme won’t
work because each character will occur approximately the same number of
times, which will lead to a fully balanced coding tree and an equal number of
bits per letter in the code.
I
294
1.
2.
3.
4.

5.
6.
7.
8.
9.
10.
Exercises
Implement compression and expansion procedures for the run-length en-
coding method for a fixed alphabet described in the text, using Q as the
escape character.
Could “QQ” occur somewhere in a file compressed using the method
described in the text? Could “QQ&” occur?
Implement compression and expansion procedures for the binary file en-
coding method described in the text.
The letter
“q”
given in the text can be processed as a sequence of
five-
bit characters. Discuss the pros and cons of doing so in order to use a
character-based run-length encoding method.
Draw a Huffman coding tree for the string “ABRACADABRA.” How
many bits does the encoded message require?
What is the Huffman code for a binary file? Give an example showing
the maximum number of bits that could be used in a Huffman code for a
N-character ternary (three-valued) file.
Suppose that the frequencies of the occurrence of all the characters to be
encoded are different. Is the Huffman encoding tree unique?
Huffman coding could be extended in a straightforward way
t,o
encode

in two-bit characters (using 4-way trees). What would be the main
advantage and the main disadvantage of doing so?
What would be the result of breaking up a Huffman-encoded string into
five-bit characters and Huffman encoding that string?
Implement a procedure to decode a Huffman-encoded string, given the
code and len arrays.
23. Cryptology
In the previous chapter we looked at methods for encoding strings of
characters to save space. Of course, there is another very important
reason to encode strings of characters: to keep them secret.
Cryptology, the study of systems for secret communications, consists of
two competing fields of study: cryptography, the design of secret communica-
tions systems, and cryptanalysis, the study of ways to compromise secret com-
munications systems. The main application of cryptology has been in military
and diplomatic communications systems, but other significant applications
are becoming apparent. Two principal examples are computer file systems
(where each user would prefer to keep his files private) and “electronic funds
transfer” systems (where very large amounts of money are involved). A com-
puter user wants to keep his computer files just as private as papers in his
file cabinet, and a bank wants electronic funds transfer to be just as secure
as funds transfer by armored car.
Except for military applications, we assume that cryptographers are “good
guys” and cryptanalysts are “bad guys”:
our goal is to protect our computer
files and our bank accounts from criminals. If this point of view seems some-
what unfriendly, it must be noted (without being over-philosophical) that by
using cryptography one is assuming the existence of unfriendliness! Of course,
even “good guys” must know something about cryptanalysis, since the very
best way to be sure that a system is secure is to try to compromise it yourself.
(Also, there are several documented instances of wars being brought to an

end, and many lives saved, through successes in cryptanalysis.)
Cryptology has many close connections with computer science and al-
gorithms, especially the arithmetic and string-processing algorithms that we
have studied. Indeed, the art (science?) of cryptology has an intimate relation-
ship with computers and computer science that is only beginning to be fully
understood. Like algorithms, cryptosystems have been around far longer
295
296
CHAPTER 23
than computers. Secrecy system design and algorithm design have a common
heritage, and the same people are attracted to both.
It is not entirely clear which branch of cryptology has been affected most
by the availability of computers. The cryptographer now has available a much
more powerful encryption machine than before, but this also gives him more
room to make a mistake. The cryptanalyst has much more powerful tools
for breaking codes, but the codes to be broken are more complicated than
ever before. Cryptanalysis can place an incredible strain on computational
resources; not only was it among the first applications areas for computers,
but it still remains a principal applications area for modern supercomputers.
More recently, the widespread use of computers has led to the emergence
of a variety of important new applications for cryptology, as mentioned above.
New cryptographic methods have recently been developed appropriate for such
applications, and these have led to the discovery of a fundamental relationship
between cryptology and an important area of theoretical computer science
that we’ll examine briefly in Chapter 40.
In this chapter, we’ll examine some of the basic characteristics of cryp-
tographic algorithms because of the importance of cryptography in modern
computer systems and because of close relationships with many of the algo-
rithms we have studied. We’ll refrain from delving into detailed implementa-
tions: cryptography is certainly a field that should be left to experts. While

it’s not difficult to “keep people honest” by encrypting things with a simple
cryptographic algorithm, it is dangerous to rely upon a method implemented
by a non-expert.
Rules of the Game
All the elements that go into providing a means for secure communications
between two individuals together are called a cryptosystem. The canonical
structure of a typical cryptosystem is diagramed below:
“attack
at dawn”
The sender (S) wishes to send a message (called the plaintezt) to the
receiver (R). To do so, he transforms the plaintext into a secret form suitable
CRYPTOLOGY
for transmission (called the ciphertext) using a cryptographic algorithm (the
encryption method) and some key (K) parameters. To read the message,
the receiver must have a matching cryptographic algorithm (the decryption
method) and the same key parameters, which he can use to transform the
ciphertext back into the plaintext, the message. It is usually assumed that
the ciphertext is sent over insecure communications lines and is available to
the cryptanalyst (A). It also is usually assumed that the encryption and
decryption methods are known to the cryptanalyst: his aim is to recover the
plaintext from the ciphertext without knowing the key parameters. Note that
the whole system depends on some separate prior method of communication
between the sender and receiver to agree on the key parameters. As a rule,
the more key parameters, the more secure the cryptosystem is but the more
inconvenient it is to use. This situation is akin to that for more conventional
security systems: a combination safe is more secure with more numbers on the
combination lock, but it is harder to remember the combination. The parallel
with conventional systems also serves as a reminder that any security system
is only as secure as the trustworthiness of the people that have the key.
It is important to remember that economic questions play a central role

in cryptosystems. There is an economic motivation to build simple encryption
and decryption devices (since many may need to be provided and complicated
devices cost more). Also, there is an economic motivation to reduce the
amount of key information that must be distributed (since a very secure and
expensive method of communications must be used). Balanced against the cost
of implementing cryptographic algorithms and distributing key information
is the amount of money the cryptanalyst would be willing to pay to break
the system. For most applications, it is the cryptographer’s aim to develop a
low-cost system with the property that it would cost the cryptanalyst much
more to read messages than he would be willing to pay. For a few applications,
a “provably secure” cryptosystem may be required: one for which it can be
ensured that the cryptanalyst can never read messages no matter what he is
willing to spend. (The very high stakes in some applications of cryptology
naturally imply that very large amounts of money are used for cryptanalysis.)
In algorithm design, we try to keep track of costs to help us choose the best
algorithms; in cryptology, costs play a central role in the design process.
Simple Methods
Among the simplest (and among the oldest) methods for encryption is the
Caesar cipher: if a letter in the plaintext is the Nth letter in the alphabet,
replace it by the (N +
K)th
letter in the alphabet, where
K
is some fixed
integer (Caesar used
K
= 3). For example, the table below shows how a
message is encrypted using this method with K = 1:
298 CHAPTER 23
Plaintext: ATTACK AT DAWN

Ciphertext: BUUBDLABUAEB X 0
This method is weak because the cryptanalyst has only to guess the value
of K: by trying each of the 26 choices, he can be sure that he will read the
message.
A far better method is to use a general table to define the substitution
to be made: for each letter in the plaintext, the table tells which letter to put
in the ciphertext. For example, if the table gives the correspondence
ABCDEFGHI JKLMNOPQRSTUVWXYZ
THE QUICKBROWNFXJMPDVRLAZYG
then the message is encrypted as follows:
Plaintext: ATTACK AT DAWN
Ciphertext: HWH OTHVTQHAF
This is much more powerful than the simple Caesar cipher because the crypt-
analyst would have to try many more (about
27!
>
1028)
tables to be sure
of reading the message. However, “simple substitution” ciphers like this are
easy to break because of letter frequencies inherent in the language. For ex-
ample, since E is the most frequent letter in English text, the cryptanalyst
could get good start on reading the message by looking for the most frequent
letter in the ciphertext and assuming that it is to be replaced by E. While
this might not be the right choice, he certainly is better off than if he had to
try all 26 letters. He can do even better by looking at two-letter combinations
(“digrams”): certain digrams (such as QJ) never occur in English text while
others (such as ER) are very common. By examining frequencies of letters
and combinations of letters, a cryptanalyst can very easily break a simple
substitution cipher.
One way to make this type of attack more difficult is to use more than

one table. A simple example of this is an extension of the Caesar cipher called
the Vigenere cipher: a small repeated key is used to determine the value of K
for each letter. At each step, the key letter index is added to the plaintext
letter index to determine the ciphertext letter index. Our sample plaintext,
with the key ABC, is encrypted as follows:
Key: ABCABCABCABCAB
Plaintext: ATTACK AT DAWN
Ciphertext: BVWBENACWAFDX P
CRYPTOLOGY
299
For example, the last letter of the ciphertext is P, the 16th letter of the
alphabet, because the corresponding plaintext letter is N (the 14th letter),
and the corresponding key letter is B (the 2nd letter).
The Vigenere cipher can obviously be made more complicated by using
different general tables for each letter of the plaintext (rather than simple
offsets). Also, it is obvious that the longer the key, the better. In fact, if the
key is as long as the plaintext, we have the
V&am
cipher, more commonly
called the one-time pad. This is the only provably secure cryptosystem known,
and it is reportedly used for the Washington-Moscow hotline and other vital
applications. Since each key letter is used only once, the cryptanalyst can
do no better than try every possible key letter for every message position,
an obviously hopeless situation since this is as difficult as trying all possible
messages. However, using each key letter only once obviously leads to a severe
key distribution problem, and the one-time pad is only useful for relatively
short messages which are to be sent infrequently.
If the message and key are encoded in binary, a more common scheme
for position-by-position encryption is to use the “exclusive-or” function: to
encrypt the plaintext, “exclusive-or” it (bit by bit) with the key. An attractive

feature of this method is that decryption is the same operation as encryption:
the ciphertext is the exclusive-or of the plaintext and the key, but doing
another exclusive-or of the ciphertext and the key returns the plaintext.
Notice that the exclusive-or of the ciphertext and the plaintext is the key.
This seems surprising at first, but actually many cryptographic systems have
the property that the cryptanalyst can discover the key if he knows the
plaintext.
Encryption/Decryption Machines
Many cryptographic applications (for example, voice systems for military
communications) involve the transmission of large amounts of data, and this
makes the one-time pad infeasible. What is needed is an approximation to
the one-time pad in which a large amount of “pseudo-key” can be generated
from a small amount of true key to be distributed.
The usual setup in such situations is as follows: an encryption machine
is fed some cryptovariables (true key) by the sender, which it uses to generate
a long stream of key bits (pseudo-key). The exclusive-or of these bits and
the plaintext forms the ciphertext. The receiver, having a similar machine
and the same cryptovariables, uses them to generate the same key stream to
exclusive-or against the ciphertext and to retrieve the plaintext.
Key generation in this context is obviously very much like random number
generation, and our random number generation methods are appropriate for
key generation (the cryptovariables are the initial seeds of the random number
300
CHAPTER 23
generator). In fact, the linear feedback shift registers that we discussed in
Chapter 3 were first developed for use in encryption/decryption machines
such as described here. However, key generators have to be somewhat more
complicated than random number generators, because there are easy ways to
attack simple linear feedback shift registers. The problem is that it might be
easy for the cryptanalyst to get some plaintext (for example, silence in a voice

system), and therefore some key. If the cryptanalyst can get enough key that
he has the entire contents of the shift register, then he can get all the key
from that point on.
Cryptographers have several ways to avoid such problems. One way is to
make the feedback function itself a cryptovariable. It is usually assumed that
the cryptanalyst knows everything about the structure of the machine (maybe
he stole one) except the cryptovariables, but if some of the cryptovariables are
used to “configure” the machine, he may have difficulty finding their values.
Another method commonly used to confuse the cryptanalyst is the product
cipher, where two different machines are combined to produce a complicated
key stream (or to drive each other). Another method is nonlinear substitution;
here the translation between plaintext and ciphertext is done in large chunks,
not bit-by-bit. The general problem with such complex methods is that they
can be too complicated for even the cryptographer to understand and that
there always is the possibility that things may degenerate badly for some
choices of the cryptovariables.
Public-Key Cryptosystems
In commercial applications such as electronic funds transfer and (real) com-
puter mail, the key distribution problem is even more onerous than in the
traditional applications of cryptography. The prospect of providing long
keys (which must be changed often) to every citizen, while still maintain-
ing both security and cost-effectiveness, certainly inhibits the development of
such systems. Methods have recently been developed, however, which promise
to eliminate the key distribution problem completely. Such systems, called
public-key cryptosystems, are likely to come into widespread use in the near
future. One of the most prominent of these systems is based on some of the
arithmetic algorithms that we have been studying, so we will take a close look
at how it works.
The idea in public-key cryptosystems is to use a
“phone

book” of encryp-
tion keys. Everyone’s encryption key (denoted by P) is public knowledge: a
person’s key could be listed, for example, next to his number in the telephone
book. Everyone also has a secret key used for decryption; this secret key
(denoted by S) is not known to anyone else. To transmit a message M, the
sender looks up the receiver’s public key, uses it to encrypt the message, and
then transmits the message. We’ll denote the encrypted message (ciphertext)
CRYPTOLOGY
by C=P(M). The receiver uses his private decryption key to decrypt and read
the message. For this system to work we must have at least the following
properties:
(4
S(P(M))=M for every message M.
(ii) All (S,P) pairs are distinct.
(iii) Deriving S from P is as hard as reading M.
(iv)
Both S and P are easy to compute.
The first of these is a fundamental cryptographic property, the second two
provide the security, and the fourth makes the system feasible for use.
This general scheme was outlined by W. Diffie and M. Hellman in 1976,
but they had no method which satisfied all of these properties. Such a
method was discovered soon afterwards by R. Rivest, A. Shamir, and L.
Adleman. Their scheme, which has come to be known as the RSA public-
key cryptosystem, is based on arithmetic algorithms performed on very large
integers. The encryption key P is the integer pair (N,p) and the decryption
key S is the integer pair
(N,s),
where
s
is kept secret. These numbers are

intended to be very large (typically, N might be 200 digits and p and
s
might
be 100 digits). The encryption and decryption methods are then simple: first
the message is broken up into numbers less than N (for example, by taking
lg N bits at a time from the binary string corresponding to the character
encoding of the message). Then these numbers are independently raised to a
power modulo N: to encrypt a (piece of a) message M, compute C = P(M) =
MPmod N, and to decrypt a ciphertext C, compute M = S(C) = C”mod
N. This computation can be quickly and easily performed by modifying the
elementary exponentiation algorithm that we studied in Chapter 4 to take
the remainder when divided by N after each multiplication. (No more than
2 log N such operations are required for each piece of the message, so the
tot,al
number of operations (on 100 digit numbers!) required is linear in the number
of bits in the message.)
Property (iv) above is therefore satisfied, and property (ii) can be easily
enforced. We still must make sure that the cryptovariables N, p, and
s
can be
chosen so as to satisfy properties (i) and (iii). To be convinced of these requires
an exposition of number theory which is beyond the scope of this book, but
we can outline the main ideas. First, it is necessary to generate three large
(approximately loo-digit) “random” prime numbers: the largest will be
s
and
we’ll call the other two x and y. Then N is chosen to be the product of x
and y, and p is chosen so that ps mod (x
-
l)(y

-
1) = 1. It is possible to prove
that, with N, p, and
s
chosen in this way, we have
Mps
mod N = M for all
messages M.
More specifically, each large prime can be generated by generating a large
random number, then testing successive numbers starting at that point until
302 CHAPTER 23
a prime is found. One simple method performs a calculation on a random
number that, with probability
l/2,
will “prove” that the number to be tested
is not prime. (A number which is not prime will survive 20 applications of
this test less than one time out of a million, 30 applications less than 1 time
out of a billion.) The last step is to compute p: it turns out that a variant of
Euclid’s algorithm (see Chapter 1) is just what is needed.
Furthermore,
s
seems to be difficult to compute from knowledge of p (and
N), though no one has been able to prove that to be the case. Apparently,
finding p from
s
requires knowledge of x and
y,
and apparently it is necessary
to factor N to calculate x and y. But factoring N is thought to be very
difficult: the best factoring algorithms known would take millions of years to

factor a 200-digit number, using current technology.
An attractive feature of the RSA system is that the complicated com-
putations involving N, p, and
s
are performed only once for each user who
subscribes to the system, which the much more frequent operations of encryp-
tion and decryption involve only breaking up the message and applying the
simple exponentiation procedure. This computational simplicity, combined
with all the convenience features provided by public-key cryptosystems, make
this system quite attractive for secure communications, especially on computer
systems and networks.
The RSA method has its drawbacks: the exponentiation procedure is ac-
tually expensive by cryptographic standards, and, worse, there is the linger-
ing possibility that it might be possible to read messages encrypted using the
method. This is true with many cryptosystems: a cryptographic method must
withstand serious cryptanalytic attacks before it can be used with confidence.
Several other methods have been suggested for implementing public-key
cryptosystems. Some of the most interesting are linked to an important class
of problems which are generally thought to be very hard (though this is not
known for sure), which we’ll discuss in Chapter 40. These cryptosystems
have the interesting property that a successful attack could provide insight on
how to solve some well-known difficult unsolved problems (as with factoring
for the RSA method). This link between cryptology and fundamental topics
in computer science research, along with the potential for widespread use of
public-key cryptography, have made this an active area of current research.
rl