By E. F. Brickell, J. H. Moore, M. R. Purtill (auth.), Andrew M. Odlyzko (eds.)

This book is the proceedings of CRYPTO 86, one in a series of annual conferences devoted to cryptologic research. They have all been held at the University of California at Santa Barbara. The first conference in this series, CRYPTO 81, organized by A. Gersho, did not have a formal proceedings. The proceedings of the following four conferences in this series have been published as: Advances in Cryptology: Proceedings of Crypto 82, D. Chaum, R. L. Rivest, and A. T. Sherman, eds., Plenum, 1983. Advances in Cryptology: Proceedings of Crypto 83, D. Chaum, ed., Plenum, 1984. Advances in Cryptology: Proceedings of CRYPTO 84, G. R. Blakley and D. Chaum, eds., Lecture Notes in Computer Science #196, Springer, 1985. Advances in Cryptology - CRYPTO '85 Proceedings, H. C. Williams, ed., Lecture Notes in Computer Science #218, Springer, 1986. A parallel series of conferences is held annually in Europe. The first of these had its proceedings published as Cryptography: Proceedings, Burg Feuerstein 1982, T. Beth, ed., Lecture Notes in Computer Science #149, Springer, 1983.

Chaum, R. L. Rivest, and A. T. Sherman, Plenum Press, New York (1983) pp. 89-96.

6. R. R. Jueneman, Privately circulated letter to American cryptologists, March 1, 1983.

7. " U.S. Dept. of Commerce, National Bureau of Standards, FIPS Pub. 74, April 1, 1981.

8. J. H. Moore and G. J. Simmons, "Cycle Structure of the DES for Keys Having Palindromic (or Antipalindromic) Sequences of Round Keys," Proceedings of Eurocrypt '86, Linköping, Sweden, May 20-22, 1986.

PRIVATE-KEY ALGEBRAIC-CODED CRYPTOSYSTEMS * T.

Multiplying this with the mod $n_A$ inverse of $S_A(M_1)$ gives $Q^{(MP)^{-1}}$. In a similar way, one can compute $(MQ)^{(MP)^{-1}}$ from $S_A(M_1)$ and $S_A(M_3)$. Multiplying $(MQ)^{(MP)^{-1}}$ with the mod $n_A$ inverse of $Q^{(MP)^{-1}}$ gives $M^{(MP)^{-1}}$. This last number exponentiated with $P$ gives $S_A(M) = M^{M^{-1}}$. In the next section we will examine in some detail the properties of the more promising variation which uses $F_1(M,n) = M \bmod n$ and $F_2(M,n) = (2M+1)^{-1} \bmod \phi(n)$. For convenience, this last scheme will be called DJ. 3.

That is, we have $2^k - 2$ choices for the second row. For the third row the choice is any vector linearly independent of the first two. Clearly it has $(2^k - 2^2)$ choices. Continuing this way, the number of non-singular matrices is given by the equality (Eq. 3). Since there are $k$ terms in the product, the smallest of which is $2^{k-1}$, the inequality is easily proved. An attack by exhaustive search for S, G and P is considered a hopeless task due to the results of the above Lemmas. 1)' cannot be applied here because the average Hamming weight of (2,-Z,)P is about $n/2$, which is very large.