|
This file is available on a Cryptome DVD offered by Cryptome. Donate $25 for a DVD of the Cryptome 10-year archives of 35,000 files from June 1996 to June 2006 (~3.5 GB). Click Paypal or mail check/MO made out to John Young, 251 West 89th Street, New York, NY 10024. Archives include all files of cryptome.org, cryptome2.org, jya.com, cartome.org, eyeball-series.org and iraq-kill-maim.org. Cryptome offers with the Cryptome DVD an INSCOM DVD of about 18,000 pages of counter-intelligence dossiers declassified by the US Army Information and Security Command, dating from 1945 to 1985. No additional contribution required -- $25 for both. The DVDs will be sent anywhere worldwide without extra cost. | |||
31 January 1999: Add Axel Horns message.
30 January 1999: Add messages by Jitze Couperus and Steve Bellovin
28 January 1999
To: cryptography@c2.net
Date: Thu, 28 Jan 1999 11:06:34 -0500
From: MCKAY john <mckay@cs.concordia.ca>
This I got from computer historian, Simon Lavington.
The (Manchester) Ferranti Mark I had a hardware random number
generator. This was specified by Alan Turing - (A copy of his
original Internal Report, dated 1949 I believe, still exists.)
The random number instruction was based on electron noise in a
thermionic diode. Turing's report even gives a possible circuit
diagram. The same strategy is used today in the UK Dept. of
National Savings' ERNIE Premium Bond machine.
Another curiosity of the Mark I's instruction set was a sideways
add ('population count'), also specified by Turing. I've always
assumed that the two instructions could be useful for cryptography -
eg for the generation of one-time coding pads and the testing of
decryption procedures.
[See S.H. Lavington's 1978 Comm ACM paper on the Manchester Mark
I and Atlas: http://www.computer50.org/kgill/mark1/lav.html ]
From: "Jitze Couperus" <Jitze.Couperus@cdc.com>
To: <cryptography@c2.net>
Subject: Re: Pop Count Instruction and cryptanalysis
Date: Thu, 28 Jan 1999 11:32:16 -0800
John Mckay wrote:
[Snip]
About the "sideways add" or pop-count instruction - indeed
Seymour Cray's first supercomputer (the Control Data 6600)
sported such an instruction, as did all subsequent Control
Data machines until the advent of the 180 series in the mid
'80s.
It was almost a tradition that one of the first of any new
faster CDC machine was delivered to a "good customer" - picked
up at the factory by an anonymous truck, and never heard
from again.
We always wondered what such an instruction might be useful for -
until one of the first of the 180 series (n'th generation successor
to the 6600) was delivered to such a customer, and cries of
anguish erupted that this machine didn't have such an instruction.
We scrambled and had to create a very tight code sequence within the
instruction stack that could be generated via a Fortran intrinsic
function.
Simon Lavington also mentions in his book that the venerable 6600
inherited some ideas from the Manchester Atlas. I never found out
what specifically - did the Atlas sport such an instruction? -
perhaps also inherited from Mark I?
I'm not sure if Cray's other machines (built after he left Control
Data) had such an instruction, but I'm told they did.
Jitze Couperus
Control Data Systems
To: cryptography@c2.net
Subject: Re: Pop Count Instruction and cryptanalysis
Date: Thu, 28 Jan 1999 15:35:04 -0500
From: Steve Bellovin <smb@research.att.com>
Jitze Couperus writes:
[Snip]
For years, I had heard the story about NSA liking that instruction.
But I never understood why, until I started working on plaintext
recognizers, and independently derived the need for it. See, for
example,
http://www.research.att.com/~smb/papers/probtxt.ps.
There are other instruction types that are useful for cryptanalysts.
The CDC Star had a lovely set of vector operations under masks. And
the Harvest add-on to the IBM 7030 (Stretch), described in a book by
Buchholz ("Planning a Computer System", McGraw-Hill, 1962) was intended
for NSA as well.
From: "Jitze Couperus" <Jitze.Couperus@cdc.com>
To: <cryptography@c2.net>
Subject: Re: Pop Count Instruction and crytanalysis
Date: Fri, 29 Jan 1999 13:15:23 -0800
A correspondent asked me if I could expound some more
on what I know about the use of the pop-count instruction.
The paper cited earlier in this thread by Steve Bellovin
tells you far more than I can, as well as a paper that
it cites in turn about "A Programmable Plaintext Recognizer".
However, and without boring through detail, I can perhaps
give a flavor of how it was used a long time ago and in a
manner that is interesting from a cryptanalysis perspective
- and given that it jibes with similar discussion in the
papers mentioned above.
In one of the first "interactive" environments supported
on the 6600 - the Intercom time-sharing system, we had
a utility that allowed one to search a text file for
some arbitrary character string - much as any text editor
allows today.
This was implemented approx. as follows. Each line of text
in the file had appended to it a 60-bit word, the contents
of which were a bit vector. If there were one or more
of the letter "A" in the line, bit 1 was set, if there
were one or more of the letter "B" in the line, then
bit 2 was set, etc... thus setting some sub-set of 36
bits coresponding to the characters A..Z and 0..9. Let's
call this word appended to each line its "thumbprint".
There are 24 bits left over - more about that later.
Now to search for any line containing some search
string, all you have to do is create a similar thumbprint
for the search string, and loop through the thumbrints
of the lines in the text file, checking each against your
search thumbrint. "Checking" in this sense means doing a
logical "AND" between the two to extract matching bits,
and then counting how many bits matched - hence the pop-count
instruction.
A "hit" would of course only be tentative. It does not
tell you that the line in question contains the actual string
you are looking for - only that the line contains somewhere some
(count of) the characters contained in your search string.
This little loop can however be coded in an extremely tight
manner to fit in the instruction stack (equivalent to instruction
cache in today's technology) thus allowing a very fast winnowing
of interesting text lines that can then be examined more closely.
The actual instructions used within the loop also made good use
of the parallelism offered by the separate functional units
of the 6600 cpu - and in later machines - pipelining.
The extra 24 bits were used in other applications (of similar
ilk) to reflect not single characters, but the occurrence of
certain digraphs in the text line. Thus bit 40 in the the
thumbprint might indicate whether a given "interesting" digraph
did or did not occur in a given line.
Later the border between the 36 bits and 24 bits within the
60-bit word was moved and successively tuned. Certain bits
of the original 36 were commoned up - i.e. a particular bit
might indicate the presence of any of Z, X, or Q because
maybe they are relatively uncommon. This would free up two
more bits for use as digraph flags - and so on.
Then, in another place, the whole mechanism was turned on
its head. It wasn't used to *look for* a certain character
string, but rather to *reject* certain lines of text as
being uninteresting. (Others might use the word "implausible"
here.) Furthermore, the concept of a thumbprint per "line of
text" was refined to support differing granularity of the
thumbprinting, and of course the size of the thumbprint
itself, as 64 bits became a more common word-size.
Some 30 years later, I find the paper cited by Steve Bellovin
on "Probable Plaintext Cryptanalysis" to be extrememely
interesting - in particular it cites another paper
about "A Programmable Plaintext Recognizer". This is
the only open documentation I have ever come across that
discusses this kind of mechanism in any detail.
Jitze
To: cryptography@c2.net
Subject: Re: Pop Count Instruction and crytanalysis
Date: Fri, 29 Jan 1999 22:22:52 -0500
From: Steve Bellovin <smb@research.att.com>
Jitze Couperus writes:
>
> Some 30 years later, I find the paper cited by Steve Bellovin
> on "Probable Plaintext Cryptanalysis" to be extrememely
> interesting - in particular it cites another paper
> about "A Programmable Plaintext Recognizer"*. This is
> the only open documentation I have ever come across that
> discusses this kind of mechanism in any detail.
Thanks for a very interesting article. The other paper you cite
is by David Wagner and myself, and can be found at
* http://www.research.att.com/~smb/papers/recog.ps (or .pdf).
To: cryptography@c2.net
Date: Sat, 30 Jan 1999 14:39:10 +0100
Subject: Re: Pop Count Instruction and cryptoanalysis
From: Horns@t-online.de (Axel H. Horns)
Inspired by this thread I remember that in the late 70ies I attended
a lecture on "COMPASS", the assembler language for CDC Computers, at
the University of Hannover (Germany), the computing center of which
being equipped with two CDC 6600 and one CYBER 76 mainframes in
those days. The professor had explicitely noticed that there was no
obvious use for a hardware-accelerated poupulation count opcode but
he had not suggested to look on utilization for cryptography.
From this lecture I own a copy of "CONTROL DATA CYBER 70 SERIES -
6000 SERIES - 7600 COMPUTER SERIES" pocket manual "COMPASS VERSION
3" printed in 1973.
This document clearly states that in the CYBER 70 Models 74 and 6600
Computers, the opcode "47" for "population count" was executed by the
DIVIDE UNIT. Contrary, the CYBER 70 Models 76 and 7600 Computers had
a separete POPULATION COUNT UNIT.
If I understood the opcode table correctly the respective opcode was
executed in one or two clock cycles (very fast; the same as shift
opcodes).
Hence, it looks like as if there has been some kind of evolution.
The NSA first had demanded the implementation of the "population
count" opcode and they got it in a more economical way by using the
hardware of the divide unit. The NSA software using this opcode must
have been very successfull; otherwise they would not have been able
to require to be provided with a separate hardware unit which I
think was *very* expensive in those days (The core CPU of said CYBER
model was made up of modularized and encapsulated printed circuit
boards equipped with discrete transistors, AFAIK).
Axel H Horns