Appendix A Symmetry Groups



A mathematical group G is a set of objects (the group's elements) with a binary operation, denoted by "+" or by "*", defined on the elements that satisfies the following requirements.

1. Closure: for any a, b ∈ G, the sum (a + b) is an element of G.

2. Associativity: any a, b, c ∈ G satisfy (a + b) + c = a + (b + c).

3. Identity: there exists e ∈ G such that for all a ∈ G, (a + e) = (e + a) = a.

4. Inverses: for each a ∈ G, there exists a unique element a^{-1} ∈ G such that a + a^{-1} = a^{-1} + a = e.

5. If the group operation is commutative, i.e., if a + b = b + a for any a, b ∈ G, the group is called Abelian. (Commutativity is not one of the requirements; a group need not be Abelian.)

Question: What's purple and commutes?

Answer: An Abelian grape.

Examples of groups:

1. The set of all the integers with integer addition. The identity element is the integer 0. This is an infinite group.

2. The (finite) set of the integers 0, 1, 2, ..., m − 1 with modulo-m addition.

3. The integers 1, 2, ..., q − 1 for a prime q with modulo-q multiplication.

4. The set of all rotations in two dimensions under the operation: the sum of the two rotations by α and β degrees is a rotation by α + β degrees.

The set {0, 1, 2, 3} with modulo-4 addition is a group denoted by G(4). It obeys the addition table

  +  | 0 1 2 3
  ---+--------
  0  | 0 1 2 3
  1  | 1 2 3 0
  2  | 2 3 0 1
  3  | 3 0 1 2

The order of a group (its cardinality) is the number of elements. It is denoted by ord(G). The order of G(4) is 4.

A subgroup is a subset of the elements of a group that is closed under the group's operation (and therefore contains the identity and the inverse of each of its elements). A theorem by Lagrange states that if S is a subgroup of G, then ord(S) divides ord(G). For example, if S is the subgroup {0, 2} of G(4) (the subset {0, 1} is not closed, since 1 + 1 = 2), then ord(S) = 2 divides ord(G(4)) = 4 and G(4) can be partitioned into the cosets S = {0, 2} and S + 1 = {1, 3}.

This appendix deals with symmetry groups. The elements of such a group are symmetry operations (or transformations) on an object; they are not numbers. Figure A.1a shows four symmetric objects: a rhombus, a rectangle, a square, and a pentagon. The term symmetric means an object that retains its shape and location under certain transformations. A square, for example, is highly symmetric, because it preserves its shape and position when rotated by a multiple of 90° or when reflected about the four axes shown by dashed lines in Figure A.1b. A rectangle is less symmetric because a rotation of 90° changes its shape from horizontal to vertical or vice versa.

[Figure A.1: Symmetries of Rhombus, Square, and Pentagon. (a) The objects with their vertices labelled a, b, c, d; (b) the four axes of reflection of the square, drawn as dashed lines; (c) the five axes of reflection of the pentagon.]

For simple geometric objects, it is possible to express rotations and reflections by listing the new position of each vertex of the object. When the square is rotated 90° clockwise, for example, vertex a moves to b, b moves to c, and so on, which can be expressed as the permutation

  ( a b c d )
  ( b c d a )

Reflections of the square about a vertical axis and about the main diagonal are expressed by

  ( a b c d )        ( a b c d )
  ( b a d c )  and   ( a d c b )

The connection between symmetry transformations and groups becomes clear when weconsider combinations of transformations.

The rectangle is transformed to itself after (1) a 0° rotation, (2) a reflection about a central horizontal axis, (3) a reflection about a central vertical axis, and (4) a 180° rotation. Examining the diagram, the following properties become clear:

1. Transformation 1 followed by transformation i (or i followed by 1) is equivalent to just transformation i for any i.

2. Any of the four transformations followed by itself returns the rectangle to its original shape, so it is identical to transformation 1.

3. Transformation 3 followed by 2 is equivalent to 4.

An analysis of all the combinations of two transformations of the rectangle yields Table A.2a. The table can be considered the definition of a symmetry group of four elements, because it specifies the group operation for the elements. A direct check verifies that element 1 (the null transformation) is the group's identity, that the operation is closed, and that it is commutative (the table is symmetric about its main diagonal; of the three groups in Table A.2 this is the only Abelian one, as the tables for the square and the pentagon show). This symmetry group is denoted by D4 (D for dihedral, meaning bending the arms up; anhedral means the opposite).

(A dihedral group is a group whose elements correspond to a closed set of rotations and reflections in the plane. The dihedral group with 2n elements is denoted by either Dn or D2n; this appendix uses the D2n convention. The group consists of n reflections, n − 1 rotations, and the identity transformation.)

  *  | 1 2 3 4
  ---+--------
  1  | 1 2 3 4
  2  | 2 1 4 3
  3  | 3 4 1 2
  4  | 4 3 2 1

          (a)

  *  | 0 1 2 3 4 5 6 7
  ---+----------------
  0  | 0 1 2 3 4 5 6 7
  1  | 1 2 3 0 7 6 4 5
  2  | 2 3 0 1 5 4 7 6
  3  | 3 0 1 2 6 7 5 4
  4  | 4 6 5 7 0 2 1 3
  5  | 5 7 4 6 2 0 3 1
  6  | 6 5 7 4 3 1 0 2
  7  | 7 4 6 5 1 3 2 0

          (b)

  *  | 0 1 2 3 4 5 6 7 8 9
  ---+--------------------
  0  | 0 1 2 3 4 5 6 7 8 9
  1  | 1 2 3 4 0 9 5 6 7 8
  2  | 2 3 4 0 1 8 9 5 6 7
  3  | 3 4 0 1 2 7 8 9 5 6
  4  | 4 0 1 2 3 6 7 8 9 5
  5  | 5 6 7 8 9 0 1 2 3 4
  6  | 6 7 8 9 5 4 0 1 2 3
  7  | 7 8 9 5 6 3 4 0 1 2
  8  | 8 9 5 6 7 2 3 4 0 1
  9  | 9 5 6 7 8 1 2 3 4 0

          (c)

Table A.2: The D4, D8, and D10 Symmetry Groups.

Similarly, the rhombus has limited symmetry. Its four symmetry transformations are (1) the null transformation, (2) a reflection about the line bd, (3) a reflection about line ac, and (4) a 180° rotation. An analysis of all the combinations of two of these transformations, however, results in the same symmetry group. Thus, even though the rhombus and rectangle are different objects and their symmetry transformations are different, we can say that they have the same symmetries; their symmetry groups are isomorphic (the same group table up to a renaming of the elements).

Intuitively, a square is more symmetric than a rectangle or a rhombus. There are more transformations that leave it unchanged. It is easy to see that these are the four rotations by multiples of 90° and the four reflections about the vertical, horizontal, and two diagonal axes. These eight transformations can be written as the permutations

  ( a b c d )   ( a b c d )   ( a b c d )   ( a b c d )
  ( a b c d )   ( b c d a )   ( c d a b )   ( d a b c )

  ( a b c d )   ( a b c d )   ( a b c d )   ( a b c d )
  ( b a d c )   ( d c b a )   ( a d c b )   ( c b a d )

which can immediately be used to construct the symmetry dihedral group D8 listed in Table A.2b.

Finally, the pentagon is used to create the larger symmetry group D10, because it has 10 symmetry transformations. Figure A.1a shows that the pentagon is transformed to itself by any rotation through a multiple of 72° (= 360°/5), while Figure A.1c shows that it can be symmetrically reflected about five different axes. These ten transformations give rise to the D10 symmetry group of Table A.2c (identical to Table 2.14a), and it is this group that is used by the Verhoeff check digit method of Section 2.11.
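The tables above can be generated rather than transcribed. The following Python program is an added example (not code from the book): it builds the dihedral group D2n as permutations of the n vertices of a regular n-gon, labels the rotations 0 to n − 1 and the reflections n to 2n − 1, composes them in the order "row element followed by column element" (the convention the text uses for the rectangle), checks the group axioms directly from the resulting table, and verifies that for n = 5 the table is exactly Table A.2c. The function names and the labelling are the example's own choices.

```python
"""Dihedral groups as vertex permutations (added example, not from the book).

Elements of D2n are permutations of the n vertices 0..n-1 of a regular n-gon:
n rotations r_i (k -> k+i mod n) and n reflections s_j (k -> j-k mod n).
The Cayley table entry table[a][b] is "a followed by b", the convention the
appendix uses for the rectangle ("transformation 3 followed by 2").
With rotation i labelled i and reflection j labelled n+j, n = 5 reproduces
Table A.2c exactly. Requires n >= 3 (for n = 2 the reflections coincide
with the rotations as permutations of two vertices).
"""
from itertools import product


def dihedral_elements(n):
    """Return the 2n symmetry permutations of a regular n-gon as tuples."""
    if n < 3:
        raise ValueError("need n >= 3 for 2n distinct vertex permutations")
    rotations = [tuple((k + i) % n for k in range(n)) for i in range(n)]
    reflections = [tuple((j - k) % n for k in range(n)) for j in range(n)]
    return rotations + reflections


def compose(p, q):
    """Permutation 'p followed by q': vertex k goes to q[p[k]]."""
    return tuple(q[p[k]] for k in range(len(p)))


def cayley_table(elems):
    """Build the group table; every product must be one of elems (closure)."""
    index = {e: i for i, e in enumerate(elems)}
    table = []
    for a in elems:
        row = []
        for b in elems:
            c = compose(a, b)
            if c not in index:  # closure fails: elems is not a group
                raise ValueError(f"not closed: {a} * {b} = {c}")
            row.append(index[c])
        table.append(row)
    return table


def check_group_axioms(table):
    """Verify identity, inverses and associativity from the table alone.

    Returns (identity_label, is_abelian); raises ValueError if an axiom fails.
    """
    n = len(table)
    identity = None
    for e in range(n):
        if all(table[e][x] == x and table[x][e] == x for x in range(n)):
            identity = e
            break
    if identity is None:
        raise ValueError("no identity element")
    for a in range(n):
        if sorted(table[a]) != list(range(n)):   # each row is a permutation
            raise ValueError(f"row {a} is not a permutation of the labels")
        if not any(table[a][b] == identity and table[b][a] == identity
                   for b in range(n)):
            raise ValueError(f"element {a} has no inverse")
    for a, b, c in product(range(n), repeat=3):
        if table[table[a][b]][c] != table[a][table[b][c]]:
            raise ValueError("operation is not associative")
    is_abelian = all(table[a][b] == table[b][a]
                     for a in range(n) for b in range(n))
    return identity, is_abelian


# Table A.2c as printed in the appendix (D10, the group used by Verhoeff).
TABLE_A2C = [
    [0, 1, 2, 3, 4, 5, 6, 7, 8, 9],
    [1, 2, 3, 4, 0, 9, 5, 6, 7, 8],
    [2, 3, 4, 0, 1, 8, 9, 5, 6, 7],
    [3, 4, 0, 1, 2, 7, 8, 9, 5, 6],
    [4, 0, 1, 2, 3, 6, 7, 8, 9, 5],
    [5, 6, 7, 8, 9, 0, 1, 2, 3, 4],
    [6, 7, 8, 9, 5, 4, 0, 1, 2, 3],
    [7, 8, 9, 5, 6, 3, 4, 0, 1, 2],
    [8, 9, 5, 6, 7, 2, 3, 4, 0, 1],
    [9, 5, 6, 7, 8, 1, 2, 3, 4, 0],
]


def d10_table():
    """The symmetry group of the pentagon in the labelling of Table A.2c."""
    return cayley_table(dihedral_elements(5))


if __name__ == "__main__":
    t = d10_table()
    ident, abelian = check_group_axioms(t)
    print("identity:", ident, "abelian:", abelian)
    print("matches Table A.2c:", t == TABLE_A2C)
```

Running `check_group_axioms` on the square's table (n = 4) or the pentagon's (n = 5) reports a non-Abelian group, which is what the asymmetric Tables A.2b and A.2c show; passing a subset of the elements that is not closed makes `cayley_table` raise, which is the closure test made explicit.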

The mathematical sciences particularly exhibit order, symmetry, andlimitation; and these are the greatest forms of the beautiful.

—Aristotle, Metaphysica

Appendix B Galois Fields

This appendix is an introduction to finite fields for those who need to brush up on this topic. Finite fields are used in cryptography in the Rijndael (AES) algorithm and in stream ciphers. In the field of error-control codes, they are used extensively. The Reed-Solomon codes of Section 1.14 operate on the elements of such a field.

B.1 Field Definitions and Operations

The mathematical concept of a field is based on that of a group, which has been introduced at the start of Appendix A. A field F is a set with two operations, addition "+" and multiplication "×", that satisfies the following conditions.

1. F is an Abelian group under the + operation.

2. F is closed under the × operation.

3. The nonzero elements of F form an Abelian group under ×.

4. The elements obey the distributive law (a + b) × c = a × c + b × c.

Examples of fields are

1. The real numbers under the normal addition and multiplication;

2. The complex numbers; and

3. The rational numbers.

Notice that the integers do not form a field under addition and multiplication because the multiplicative inverse (reciprocal) of an integer a is 1/a, which is generally a noninteger. Also, a finite set of real numbers is not a field under normal addition and multiplication because these operations can create a result outside the set. In order for a finite set of numbers to be a field, its two operations have to be defined carefully so that they satisfy the closure requirement. Finite fields are intriguing because the finite number of elements implies that the two operations can be performed by computers exactly (with full precision). This is why much research has been devoted to the use of finite fields in practical applications.

A Galois field, abbreviated GF, is a finite field. These fields were "discovered," studied, and precisely defined by the young French mathematician Évariste Galois, and today they have many applications in fields as diverse as error-control codes, cryptography, random-number generation, VLSI testing, and digital signal processing. Galois showed that the size of a finite field must be a power q^m of a prime number q, and it can be shown that there is exactly one finite field (up to isomorphism, i.e., up to a renaming of the elements) with any given size q^m. This justifies talking about the finite field with q^m elements, and this field is denoted by GF(q^m).

If m = 1, the size of the field GF(q) is a prime number q, its elements are the integers 0, 1, ..., q − 1, and the two operations are integer addition and multiplication modulo q. The simplest examples are GF(2) and GF(3).

The simple field GF(2) consists of the two elements 0 and 1 and is the smallest finite field. Its operations are integer addition and multiplication modulo 2, which are summarized by

  + | 0 1        × | 0 1
  --+----        --+----
  0 | 0 1        0 | 0 0
  1 | 1 0        1 | 0 1

Notice that the addition is actually an XOR and the multiplication is a logical AND. The next field is GF(3), whose elements are 0, 1, and 2. Its operations are integer addition and multiplication modulo 3, summarized by the truth tables

  + | 0 1 2      × | 0 1 2
  --+------      --+------
  0 | 0 1 2      0 | 0 0 0
  1 | 1 2 0      1 | 0 1 2
  2 | 2 0 1      2 | 0 2 1

The additive inverse of 1 is 2 because 1 + 2 = 2 + 1 = 0. Similarly, the multiplicative inverse of 2 is itself because 2 × 2 = 1.

◊ Exercise B.1: Write the addition and multiplication tables of GF(5).

He is the only candidate who gave poor answers. He knows absolutely nothing. I was told that this student has an extraordinary capacity for mathematics. This astonishes me greatly, for, after his examination, I believed him to have but little intelligence or that his intelligence is so well hidden that I was unable to uncover it. If he really is what he appears to be, I doubt very much that he will make a good teacher.

—French physicist Jean Claude Eugene Peclet, one of Galois's examiners in 1829.

◊ Exercise B.2: Compute the addition and multiplication tables of GF(4) as if 4 were a prime and show why these tables don't make sense.


If m > 1, the elements of GF(q^m) are polynomials of degree less than m over GF(q) [i.e., polynomials whose coefficients are elements of GF(q)], and the operations are special versions of polynomial addition and polynomial multiplication. Hence, if the polynomial a_{m−1} x^{m−1} + ··· + a_1 x + a_0 is an element of GF(q^m), then a_0, a_1, ..., a_{m−1} are elements of the Galois field GF(q). The degree of the polynomial is the largest i for which a_i ≠ 0.

Adding elements of GF(q^m) is easy. If the polynomials a(x) and b(x) are elements of GF(q^m), then the sum c(x) = a(x) + b(x) is a polynomial with coefficients c_i = (a_i + b_i) mod q. The degree of the sum is at most the greater of the degrees of a(x) and b(x) (it can be smaller, since leading coefficients may cancel), so it is an element of GF(q^m). Also, the rule for addition implies that this operation is associative and that there is an identity (the polynomial whose coefficients are all zeros).

◊ Exercise B.3: In order for GF(q^m) to be a field, each element must have an additive inverse. What is it?

Multiplying elements of GF(q^m) is a bit trickier, because the normal multiplication of two polynomials of degrees m and n results in a polynomial of degree m + n. Multiplication of polynomials in GF(q^m) must therefore be defined (similar to addition) modulo something. In analogy to addition, in which the coefficients are added modulo a prime integer, multiplication is performed modulo a prime polynomial. Such a polynomial is called irreducible. Much as a prime number is not a product of smaller integers, an irreducible polynomial is not a product of lower-degree polynomials. The irreducible polynomials we are interested in are irreducible over GF(q), which means that such a polynomial cannot be factored into a product of lower-degree polynomials with coefficients in GF(q). (Note that a polynomial of degree 2 or more that is irreducible over GF(q) has no roots in GF(q). The opposite, however, isn't true: a polynomial with no roots in GF(q) may be reducible over GF(q). Having no roots implies irreducibility only for degrees 2 and 3, where any factorization would have to contain a linear factor.) Section B.2 shows how to multiply two polynomials modulo a third polynomial.

The polynomial x^2 − 1 over the reals can be factored into (x − 1)(x + 1), so it is reducible. Its relative, the polynomial x^2 + 1, is irreducible over the real numbers. This same polynomial, however, is reducible over GF(2) because the polynomial product (x + 1)(x + 1), which equals x·x + 1·x + x·1 + 1·1, can also be written x^2 + (1 + 1)x + 1·1, and in GF(2) this equals x^2 + 1. Another example is the polynomial (x^2 + x + 1)^2 = x^4 + x^2 + 1. It is easy to verify that neither 0 nor 1 is a root of this polynomial. It therefore does not have any roots in GF(2), but it is not irreducible over GF(2) because it is obviously a product of two lower-degree polynomials.

◊ Exercise B.4: Show that the polynomial x^8 + 1 with coefficients in GF(2) is reducible.

No doubt this style and this efficiency were due to his peasant heredity. Perhaps also to the fact that manual work (whatever the demagogues may say) does not demand a veritable genius, since it is more difficult to extract a square root than a gorse root.

—Marcel Pagnol, Jean de Florette


The simplest example of a Galois field of the form GF(q^m) for m > 1 is GF(2^2) = GF(4). Its elements are polynomials a_1 x + a_0 over GF(2) (meaning that the coefficients are 0 or 1). If we denote such an element by the two bits a_1 a_0, then the four field elements are 0 = 00_2 = 0·x + 0, 1 = 01_2 = 0·x + 1, 2 = 10_2 = x + 0, and 3 = 11_2 = x + 1. If we now select the polynomial x^2 + x + 1, which is irreducible over GF(2) (neither 0 nor 1 is a root, and it has degree 2), and multiply modulo this polynomial, then the two field operations become

  + | 0 1 2 3      × | 0 1 2 3
  --+--------      --+--------
  0 | 0 1 2 3      0 | 0 0 0 0
  1 | 1 0 3 2      1 | 0 1 2 3
  2 | 2 3 0 1      2 | 0 2 3 1
  3 | 3 2 1 0      3 | 0 3 1 2

The multiplication table shows that 2 × 2 = 3. In polynomial notation, element 2 is the polynomial x and element 3 is x + 1. This is why the product x·x, which over the reals is x^2, equals x + 1 in GF(4): the remainder of x^2 divided by x^2 + x + 1 is x^2 − (x^2 + x + 1) = −x − 1 = x + 1, since −1 = 1 in GF(2).

Notice that the multiplication table implies that 2^3 = (2 × 2) × 2 = 3 × 2 = 1, so we can consider element 2 a cube root of unity. Over the real numbers, a (complex) cube root of unity is (i√3 − 1)/2, which shows that the names 0, 1, 2, and 3 are arbitrary.

Choosing a different irreducible polynomial of degree m produces a different mul-tiplication table, but all the tables that can be generated in this way are isomorphic;they have the same essential structure in terms of the two operations and differ by thenames of the field's elements. However, as we already know, the names are arbitrary.

◊ Exercise B.5: Explain why GF(6) does not exist.

Another simple example is GF(2^3) = GF(8). Its elements are polynomials a_2 x^2 + a_1 x + a_0 with coefficients a_i in GF(2) (i.e., bits). We denote such an element by the three bits a_2 a_1 a_0, so element 6 = 110_2 is the polynomial x^2 + x. Addition is simple: the sum of x^2 + 1 and x + 1 is x^2 + x + 1 + 1 = x^2 + x. For multiplication, we select the irreducible polynomial x^3 + x + 1. The results are summarized in Table B.1.

  + | 0 1 2 3 4 5 6 7      × | 0 1 2 3 4 5 6 7
  --+----------------      --+----------------
  0 | 0 1 2 3 4 5 6 7      0 | 0 0 0 0 0 0 0 0
  1 | 1 0 3 2 5 4 7 6      1 | 0 1 2 3 4 5 6 7
  2 | 2 3 0 1 6 7 4 5      2 | 0 2 4 6 3 1 7 5
  3 | 3 2 1 0 7 6 5 4      3 | 0 3 6 5 7 4 1 2
  4 | 4 5 6 7 0 1 2 3      4 | 0 4 3 7 6 2 5 1
  5 | 5 4 7 6 1 0 3 2      5 | 0 5 1 4 2 7 3 6
  6 | 6 7 4 5 2 3 0 1      6 | 0 6 7 1 5 3 2 4
  7 | 7 6 5 4 3 2 1 0      7 | 0 7 5 2 1 6 4 3

Table B.1: Addition and Multiplication in GF(8).

As an example, the GF(8) multiplication table indicates that 5 × 3 = 4, or in binary 101 × 011 = 100, or in polynomial notation (x^2 + 1)(x + 1) = x^3 + x^2 + x + 1 = x^2 mod (x^3 + x + 1). The modulo operation results in the remainder of the polynomial division (x^3 + x^2 + x + 1)/(x^3 + x + 1).

◊ Exercise B.6: Choose some of the elements of the GF(4) and GF(8) multiplication tables and show how they are computed.

◊ Exercise B.7: List the additive and multiplicative inverses of the eight elements of GF(8).

The existence of the additive and multiplicative inverses makes it possible to subtract and divide field elements. To subtract a − b, just add a to the additive inverse of b (since the additive inverse of b is b itself in any field of characteristic 2, subtraction in GF(8) is identical to addition). To divide a/b, multiply a by the multiplicative inverse of b.

The particular definition of multiplication in GF(q^m) satisfies the requirements for a field. The product of two field elements is a polynomial of degree m − 1 or less, so it is an element of the field. The multiplication is associative and there is an identity element, namely, the polynomial 1. In order to figure out the inverse of element p(x), we denote by m(x) the particular irreducible polynomial that we use for the multiplication and apply the extended Euclidean algorithm. This algorithm (next paragraph) finds two polynomials a(x) and b(x) such that p(x)a(x) + m(x)b(x) = 1 (they exist because m(x) is irreducible, so gcd(p(x), m(x)) = 1 for every nonzero p(x) of degree less than m). This implies that a(x)p(x) mod m(x) = 1, or p^{-1}(x) = a(x) mod m(x).

The extended Euclidean algorithm solves the following problem. Given two integers r_0 and r_1, find two other integers s and t such that s·r_0 + t·r_1 = gcd(r_0, r_1). This employs Euclid's algorithm, where in each iteration the current remainder r_i is expressed in the form r_i = s_i r_0 + t_i r_1. The signal for the last iteration is a zero remainder, at which point r_m = gcd(r_0, r_1) = s_m r_0 + t_m r_1 = s·r_0 + t·r_1. With q_i the quotient in the division r_{i−1} = q_i r_i + r_{i+1}, this algorithm can be expressed recursively as

  s_0 = 1,  t_0 = 0,
  s_1 = 0,  t_1 = 1,
  repeat
    s_i = s_{i−2} − q_{i−1} s_{i−1},   t_i = t_{i−2} − q_{i−1} t_{i−1},
  for i = 2, 3, ....

As an example, we compute the extended Euclidean algorithm for r_0 = 126 and r_1 = 23:

  126 = 5·23 + 11,    s_0 = 1,  t_0 = 0,
   23 = 2·11 + 1,     s_1 = 0,  t_1 = 1,
   11 = 11·1 + 0,     s_2 = 1 − 5·0 = 1,    t_2 = 0 − 5·1 = −5,
                      s_3 = 0 − 2·1 = −2,   t_3 = 1 − 2·(−5) = 11,

and indeed (−2)·126 + 11·23 = 1 = gcd(126, 23).
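The following Python module is an added example, not the book's code. It implements the integer recursion above, then applies the same algorithm to polynomials over GF(2) to compute inverses in GF(2^m), which covers the definition of GF(q^m) multiplication modulo an irreducible polynomial given earlier and reproduces the GF(4) table and Table B.1. Polynomials are held as Python ints whose bits are the coefficients, so element 6 = 110 = x^2 + x and the modulus x^3 + x + 1 is 0b1011; the class and function names are the example's own.

```python
"""GF(2^m) arithmetic with inverses from the extended Euclidean algorithm.

Added example, not code from the book. Field elements are ints whose bits
are the polynomial coefficients (element 6 = 110 = x^2 + x, as in the
text); the reduction polynomial is passed the same way (0b1011 = x^3+x+1).
"""


def ext_euclid_int(r0, r1):
    """Return (g, s, t) with s*r0 + t*r1 = g = gcd(r0, r1), book recursion."""
    s_prev, s_cur = 1, 0      # s_0 = 1, s_1 = 0
    t_prev, t_cur = 0, 1      # t_0 = 0, t_1 = 1
    while r1 != 0:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s_prev, s_cur = s_cur, s_prev - q * s_cur   # s_i = s_{i-2} - q s_{i-1}
        t_prev, t_cur = t_cur, t_prev - q * t_cur   # t_i = t_{i-2} - q t_{i-1}
    return r0, s_prev, t_prev


def deg(p):
    """Degree of a GF(2) polynomial held as an int (-1 for the zero polynomial)."""
    return p.bit_length() - 1


def gf2_divmod(a, b):
    """Long division over GF(2)[x]: returns (quotient, remainder)."""
    if b == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q = 0
    while deg(a) >= deg(b):
        shift = deg(a) - deg(b)
        q ^= 1 << shift          # next quotient term x^shift
        a ^= b << shift          # subtract (= XOR) x^shift * b
    return q, a


def gf2_mul_raw(a, b):
    """Plain polynomial product over GF(2), without reduction."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


class GF2m:
    """The field GF(2^m) defined by an irreducible polynomial of degree m."""

    def __init__(self, modulus):
        self.modulus = modulus
        self.m = deg(modulus)
        self.size = 1 << self.m

    def add(self, a, b):
        return a ^ b                    # coefficient-wise addition mod 2

    def mul(self, a, b):
        return gf2_divmod(gf2_mul_raw(a, b), self.modulus)[1]

    def inv(self, a):
        """a^{-1} by extended Euclid: u*a + v*modulus = 1, return u."""
        if a == 0:
            raise ZeroDivisionError("0 has no multiplicative inverse")
        r0, r1 = self.modulus, a
        u0, u1 = 0, 1           # invariant: r_i = u_i * a  (mod modulus)
        while r1 != 1:
            q, r = gf2_divmod(r0, r1)
            r0, r1 = r1, r
            u0, u1 = u1, u0 ^ gf2_mul_raw(q, u1)
            if r1 == 0:          # gcd is not 1: the modulus was reducible
                raise ValueError("modulus is reducible, element has no inverse")
        return u1

    def div(self, a, b):
        return self.mul(a, self.inv(b))

    def mul_table(self):
        return [[self.mul(a, b) for b in range(self.size)]
                for a in range(self.size)]


if __name__ == "__main__":
    print(ext_euclid_int(126, 23))         # (1, -2, 11): -2*126 + 11*23 = 1
    gf8 = GF2m(0b1011)                     # x^3 + x + 1
    print(gf8.mul(5, 3), gf8.inv(5))       # 4 (Table B.1) and 2, since 5*2 = 1
```

Passing a reducible modulus such as x^3 + 1 = (x + 1)(x^2 + x + 1) makes `inv` raise for the elements that share a factor with it, which is the concrete reason the text insists on an irreducible polynomial.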

The Exponential Representation of Galois Fields. We start with the simple field GF(q) and define the order of a field element. Let β be a nonzero element in GF(q). The order of β is denoted by ord(β) and is defined as the smallest positive integer m such that β^m = 1.

It can be shown that if t is the order of β for some β in GF(q), then t divides


In those days, my head was full of the romantic prose of E. T. Bell's Men of Mathematics, a collection of biographies of the great mathematicians. This is a splendid book for a young boy to read (unfortunately, there is not much in it to inspire a girl, with Sonya Kovalevsky allotted only half a chapter), and it has awakened many people of my generation to the beauties of mathematics. The most memorable chapter is called "Genius and Stupidity" and describes the life and death of the French mathematician Galois, who was killed in a duel at the age of twenty. . . . "All night long he had spent the fleeting hours feverishly dashing off his scientific last will and testament, writing against time to glean a few of the great things in his teeming mind before the death he saw could overtake him. Time after time he broke off to scribble in the margin 'I have not time; I have not time,' and passed on to the next frantically scrawled outline. What he wrote in those last desperate hours before the dawn will keep generations of mathematicians busy for hundreds of years. He had found, once and for all, the true solution of a riddle which had tormented mathematicians for centuries: under what conditions can an equation be solved?"

—Freeman Dyson, Disturbing the Universe (1979)

An element with order (q − 1) in GF(q) is called a primitive element of GF(q). Every field GF(q) contains at least one primitive element α. The elements of GF(q) can be represented as zero followed by the (q − 1) consecutive powers of any primitive element α:

  0, α, α^2, α^3, ..., α^{q−2}, α^{q−1} = 1, α^q = α, ....

This is the exponential representation of GF(q). Notice that we don't have to know the value of any particular root α. All we need is this particular sequence of powers of α.

A simple example is element 2 of GF(3). The multiplication table of GF(3) shows that the smallest n for which 2^n = 1 is n = 2 = 3 − 1. Thus, element 2 is primitive and GF(3) can be represented as the set (0, 2, 2^2 = 1). Another example is GF(5). Exercise B.1 shows that element 2 of GF(5) is primitive because the smallest n for which 2^n = 1 is n = 4 = 5 − 1. Hence, the exponential representation of GF(5) with respect to 2 is (0, 2, 2^2 = 4, 2^3 = 3, 2^4 = 1).

◊ Exercise B.8: Show that 3 is also a primitive element of GF(5).

The exponential representation of Galois fields can be extended to fields GF(qm)where m > 1.

An irreducible polynomial p(x) of degree m over GF(q) is said to be primitive if the smallest positive integer n for which p(x) divides x^n − 1 is n = q^m − 1.

It can be shown that the roots α_j of an mth-degree primitive polynomial p(x) over GF(q) have order q^m − 1. This implies that the roots α_j of p(x) are primitive elements in GF(q^m). The exponential representation of GF(q^m) can therefore be constructed from any of these roots.

As an example, we show the construction of the exponential representation of GF(2^3). The polynomial p(x) = x^3 + x + 1 is primitive over GF(2). Let α be any root of p(x) = x^3 + x + 1. From α^3 + α + 1 = 0 we get α^3 = α + 1 (this is done by adding α + 1 to both sides, since in GF(2) 1 + 1 = 0) and from this, the exponential representation of GF(8) can be constructed (Table B.2). The second column of the table is the power of α. These are the field elements in the exponential representation (notice that element zero is labelled 7 in this column; this is only a placeholder for an element that is not a power of α, since α^7 = 1). The rightmost columns list the field elements in the polynomial representation.

The exponential representation listed in Table B.2 also makes it clear that the nonzero elements of any Galois field form a cyclic group.

  element   exp rep   polynomial representation
  -------   -------   ------------------------------------
     0         7      0                                000
     1         0      α^0 = 1                          001
     2         1      α^1 = α                          010
     4         2      α^2                              100
     3         3      α^3 = α + 1                      011
     6         4      α^4 = α^2 + α                    110
     7         5      α^5 = α^3 + α^2 = α^2 + α + 1    111
     5         6      α^6 = α^2 + 1                    101
     1         7      α^7 = 1                          001

Table B.2: Exponential and Polynomial Representations of GF(8).

Which representation is better? The exponential representation (the second column of Table B.2) is useful for multiplication. Adding two exponents in this column (modulo 7) produces the exponent of the product. Thus, α^4 × α^5 = α^{9 mod (2^3 − 1)} = α^2. The polynomial representation (the rightmost columns of Table B.2) is useful for addition, which is a bitwise XOR. Thus, adding 4 + 7 = 100 ⊕ 111 = 011 produces 3.

Notice that the sum (i.e., the XOR) of all the field elements is zero. This is a general result for every finite field with more than two elements (in GF(2) itself the sum is 0 + 1 = 1).

Notice also how all the powers of α are expressed in terms of α^0 = 1, α^1 = α, and α^2. These three powers of α are the basis for the polynomial representation of GF(8).

A direct check using Table B.1 shows that elements 2, 4, and 6 of GF(8) are primitive; they are the three roots of x^3 + x + 1 (α, α^2, and α^4 in Table B.2), so each can be the α of Table B.2. (In fact every element of GF(8) other than 0 and 1 is primitive, because the multiplicative group has the prime order 7, but only these three are roots of p(x).)

◊ Exercise B.9: Show that elements 2 and 3 of GF(4) are primitive elements of this field.

◊ Exercise B.10: Given that the polynomial x^4 + x^3 + 1 is primitive over GF(2), construct the exponential representation of GF(2^4) = GF(16).

Any root α of a primitive polynomial is therefore a generator of the corresponding finite field. A generator is defined as an element whose successive powers take on every element of the field except the zero. It is possible to check every field element for this property, but this process is time consuming. For example, we can test elements of GF(7) by computing successive powers modulo 7 of each nonzero element. It is clear that element 1 cannot be a generator. Successive powers of 2 modulo 7 produce 2, 2^2 = 4, 2^3 = 1, but 2^4 = 2, implying that 2^5 will be 4, the same as 2^2. Next, we try element 3. Its successive powers taken modulo 7 are 3, 3^2 = 2, 3^3 = 6, 3^4 = 4, 3^5 = 5, and 3^6 = 1, which establishes 3 as a generator of this field.
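An added Python example (not from the book) for the exponential representation: it builds Table B.2 by repeatedly multiplying by α and reducing with p(α) = 0, uses the length of the resulting cycle to test whether a polynomial is primitive (order of α equal to 2^m − 1), and searches a prime field for generators the way the GF(7) walk above does. The polynomial x^4 + x^3 + x^2 + x + 1 is included as the caveat case: it is irreducible over GF(2) but not primitive, since its root has order 5 (it divides x^5 − 1). Function names are the example's own.

```python
"""Exponential representation of GF(2^m) and generator tests (added example).

Not code from the book. alpha is a root of a degree-m polynomial p(x) over
GF(2) held as an int (0b1011 = x^3 + x + 1); multiplying by alpha is a left
shift, reduced with p(alpha) = 0 whenever the degree reaches m.
"""
from math import gcd


def times_alpha(v, p):
    """v * alpha in GF(2)[x]/(p): shift left, fold the top bit back using p."""
    m = p.bit_length() - 1
    v <<= 1
    if v >> m:               # alpha^m equals the lower terms of p, as p(alpha) = 0
        v ^= p
    return v


def powers_of_alpha(p):
    """[alpha^0, alpha^1, ...] up to (not including) the first return to 1.

    The list length is the order of alpha. Raises if the powers never return
    to 1, which happens when p is reducible in a way that makes alpha
    non-invertible (e.g. p shares a factor with x).
    """
    m = p.bit_length() - 1
    seen, v = [], 1
    while True:
        seen.append(v)
        v = times_alpha(v, p)
        if v == 1:
            return seen
        if v == 0 or len(seen) > (1 << m):
            raise ValueError("alpha has no finite order: p is reducible")


def is_primitive_poly(p):
    """p(x) is primitive iff alpha has order 2^m - 1, i.e. generates all nonzero elements."""
    m = p.bit_length() - 1
    try:
        return len(powers_of_alpha(p)) == (1 << m) - 1
    except ValueError:
        return False


def exp_table(p):
    """Rows (exponent i, bit pattern of alpha^i), the second and right columns of Table B.2."""
    return list(enumerate(powers_of_alpha(p)))


def order_mod_prime(g, q):
    """Multiplicative order of g in GF(q), q prime: smallest n > 0 with g^n = 1."""
    n, v = 1, g % q
    if v == 0:
        raise ValueError("0 has no multiplicative order")
    while v != 1:
        v = (v * g) % q
        n += 1
    return n


def generators_of_prime_field(q):
    """All primitive elements of GF(q): those whose order is q - 1."""
    return [g for g in range(1, q) if order_mod_prime(g, q) == q - 1]


def element_order_gf2m(v, p):
    """Order of a nonzero element v of GF(2^m) built from a primitive p, via its log."""
    powers = powers_of_alpha(p)
    if v not in powers:
        raise ValueError("p must be primitive so that every nonzero element is a power of alpha")
    k = powers.index(v)          # v = alpha^k
    n = len(powers)              # alpha has order n
    return n // gcd(n, k)        # order of alpha^k


if __name__ == "__main__":
    for i, v in exp_table(0b1011):
        print(f"alpha^{i} = {v:03b} = {v}")
    print("x^3+x+1 primitive:", is_primitive_poly(0b1011))
    print("x^4+x^3+x^2+x+1 primitive:", is_primitive_poly(0b11111))
    print("generators of GF(7):", generators_of_prime_field(7))
```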

The following discussion attempts to shed light on the nature of the elements of GF(q^m) and on the mysterious α. Perhaps the best way to understand finite fields and their elements is to consider algebraic equations of various degrees (Galois himself developed the concepts of groups and fields when trying to answer the question, "Under what conditions does an equation have a solution?"). Consider the linear (degree-1) equation 2x − 1 = 0. Its coefficients are integers, but its solution is not: it is the rational number 1/2. Similarly, the quadratic equation x^2 − 2 = 0 has the irrational solution x = √2. Continuing along the same line, we examine the quadratic equation x^2 + 1 = 0. Its coefficients are 0 and 1 (the coefficient of x is zero). If we consider the coefficients real numbers, then the solutions satisfy x^2 = −1, i.e., x = ±√−1. There is no real number whose square is −1, so we extend the concept of number and construct the field of complex numbers. We can say that when the equation x^2 + 1 = 0 is over the reals, its solutions are over the field of complex numbers. Alternatively, we can say that the base field of our equation is the reals and the extension field is the complex numbers. This shows that the solutions of an equation may sometimes lie in a field different from that of the coefficients. Thus, in order to solve an equation, we sometimes have to extend the concept of numbers and develop new types of mathematical entities.

Next, we consider the equation x^2 + x + 1 = 0. When we assume its coefficients to be over the reals, the solutions are the complex numbers (−1 ± √−3)/2. They are obtained by the well-known general solution of the quadratic equation. However, when we consider the coefficients elements of GF(2), we have to use GF(2) arithmetic to solve it. It is easy to see that no element of GF(2) is a solution. Trying x = 0 produces 0·0 + 0 + 1 = 1 and trying x = 1 yields 1·1 + 1 + 1 = 1, neither of which is 0. Thus, we realize that the solutions are not in GF(2) and we have to extend our concept of a field. We therefore denote one of the two (unknown) solutions by α and observe that α satisfies α^2 + α + 1 = 0, or α^2 = α + 1. We still don't know what mathematical entity α is, but we know (1) that α is neither 0 nor 1, since neither of those elements of GF(2) is a solution to our equation, and (2) that the two solutions are α and α^2 [the latter is a solution because α^3 = α·α^2 = α(α + 1) = α^2 + α = 1, hence α^4 = α, and so (α^2)^2 + α^2 + 1 = α + (α + 1) + 1 = 0]. We don't know how to express α in terms of real or complex numbers. We don't even know if this is possible. However, we also don't "know" what √−1 is; it also cannot be expressed in terms of elements of "simpler" fields. We simply accept the "existence" of √−1 and use it to perform calculations. In much the same way, we can accept the existence of α and use it to denote elements of finite fields.

The entire finite field GF(2^2) can now be constructed as the 4-tuple (0, 1, α, α^2). Clearly, elements 0 and 1 are needed; they are the identities for the two operations. Elements α and α^2 complete the field because higher powers of α reduce to 1, α, or α^2 (α^3 = 1).


B.2 Polynomial Arithmetic

This section describes the four arithmetic operations on polynomials, especially division,which is needed to compute one polynomial modulo another.

Polynomial Addition/Subtraction. Adding two polynomials is done by adding corresponding coefficients. Thus, adding P(x) = Σ_{i=0}^{m} a_i x^i and Q(x) = Σ_{i=0}^{n} b_i x^i is done by adding (a_i + b_i). Subtraction is done similarly by subtracting the coefficients (subtraction is defined over the reals, but in general a field has only addition and multiplication defined; a − b means a plus the additive inverse of b). A simple example is the sum (5x^2 + 3x − 2) + (−x^3 + x^2 + 7), which over the reals equals −x^3 + 6x^2 + 3x + 5. The degree of the polynomial sum is at most max(m, n).

Polynomial Multiplication. Multiplying two polynomials P and Q is done by multiplying every coefficient a_i in P by every coefficient b_j in Q and collecting the terms with equal exponents. A simple example serves to make this clear:

  (x^3 − 3x + 4)(−x^2 + 2x + 1)
    = x^3(−x^2 + 2x + 1) − 3x(−x^2 + 2x + 1) + 4(−x^2 + 2x + 1)
    = (−x^5 + 2x^4 + x^3) + (3x^3 − 6x^2 − 3x) + (−4x^2 + 8x + 4)
    = −x^5 + 2x^4 + 4x^3 − 10x^2 + 5x + 4.

The degree of the product polynomial is the sum of the degrees of the multiplied polynomials. [Notice that this example is done over the reals. When done over a different field, the rules may be different. When polynomials are multiplied over GF(2), for example, the arithmetic rule 1 + 1 = 0 applies.]

Polynomial Division. Dividing two integers produces a quotient and a remainder. If m and n are integers, then m mod n is the remainder of the integer division m ÷ n and is therefore in the range [0, n − 1]. Similarly, if P and Q are polynomials, then the polynomial division P ÷ Q produces a quotient polynomial and a remainder polynomial. The latter is denoted by P mod Q, and its degree is less than that of Q. We illustrate polynomial division with an example over GF(2). We use the compact notation (8, 5, 4, 1, 0) for the polynomial x^8 + x^5 + x^4 + x + 1 and show the steps of dividing P = (13, 11, 9, 8, 6, 5, 4, 3, 0) by Q = (8, 4, 3, 1, 0).

Step 1: Divide x^13/x^8 to obtain x^5. This is the highest term of the quotient polynomial.

Step 2: Multiply (5) × (8, 4, 3, 1, 0) to obtain (13, 9, 8, 6, 5).

Step 3: Add modulo 2 (i.e., XOR) (13, 11, 9, 8, 6, 5, 4, 3, 0) and (13, 9, 8, 6, 5) to obtain (11, 4, 3, 0). Repeat the three steps for this polynomial.

Step 4: Divide x^11/x^8 to obtain x^3. This is the second term of the quotient polynomial.

Step 5: Multiply (3) × (8, 4, 3, 1, 0) to obtain (11, 7, 6, 4, 3).

Step 6: XOR (11, 4, 3, 0) and (11, 7, 6, 4, 3) to obtain (7, 6, 0). This is the final result P mod Q, since the next step would have to divide x^7 by x^8. The quotient is x^5 + x^3 = (5, 3).
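The four operations, as an added Python example (not the book's code), over the integers and over any prime field GF(q), in a coefficient-list representation (lowest degree first) with conversions to and from the exponent notation used above. The division routine records the intermediate remainders so that the run for P = (13, 11, 9, 8, 6, 5, 4, 3, 0) and Q = (8, 4, 3, 1, 0) can be compared with Steps 1 to 6; it goes beyond the text in handling a prime q other than 2, where the leading coefficient of the divisor must be divided out rather than merely cancelled. Function names are the example's own.

```python
"""Polynomial arithmetic over the integers and over a prime field GF(q).

Added example, not code from the book. A polynomial is a list of
coefficients, lowest degree first: [4, -3, 0, 1] is x^3 - 3x + 4. With
q=None the coefficients are ordinary integers; with a prime q they are
reduced modulo q, so q=2 gives the XOR arithmetic of Section B.2.
"""


def trim(p):
    """Drop leading zero coefficients so that the degree is well defined."""
    p = list(p)
    while p and p[-1] == 0:
        p.pop()
    return p


def reduce_mod(p, q):
    return trim(p if q is None else [c % q for c in p])


def poly_add(a, b, q=None):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return reduce_mod([x + y for x, y in zip(a, b)], q)


def poly_sub(a, b, q=None):
    """a minus b: add the additive inverse of b (over GF(2) this is just XOR)."""
    return poly_add(a, [-c for c in b], q)


def poly_mul(a, b, q=None):
    """Every a_i times every b_j, collected by exponent i + j."""
    prod = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] += ai * bj
    return reduce_mod(prod, q)


def poly_divmod(p, d, q):
    """Long division over GF(q), q prime: returns (quotient, remainder, trace).

    trace holds (quotient term exponent, remainder after that step), the
    same intermediate results the text lists for P mod Q.
    """
    p, d = reduce_mod(p, q), reduce_mod(d, q)
    if not d:
        raise ZeroDivisionError("division by the zero polynomial")
    lead_inv = pow(d[-1], -1, q)            # 1 / leading coefficient in GF(q)
    quot = [0] * max(len(p) - len(d) + 1, 1)
    trace = []
    while p and len(p) >= len(d):
        shift = len(p) - len(d)             # exponent of the next quotient term
        coef = (p[-1] * lead_inv) % q       # its coefficient (always 1 over GF(2))
        quot[shift] = coef
        term = [0] * shift + [coef]
        p = poly_sub(p, poly_mul(term, d, q), q)
        trace.append((shift, p))
    return trim(quot), p, trace


def from_exponents(exps):
    """(8, 5, 4, 1, 0) -> coefficients of x^8 + x^5 + x^4 + x + 1 over GF(2)."""
    p = [0] * (max(exps) + 1)
    for e in exps:
        p[e] ^= 1
    return trim(p)


def to_exponents(p):
    """Coefficient list over GF(2) -> exponents of the nonzero terms, descending."""
    return tuple(i for i in range(len(p) - 1, -1, -1) if p[i])


if __name__ == "__main__":
    print(poly_mul([4, -3, 0, 1], [1, 2, -1]))   # [4, 5, -10, 4, 2, -1]
    P = from_exponents((13, 11, 9, 8, 6, 5, 4, 3, 0))
    Q = from_exponents((8, 4, 3, 1, 0))
    quo, rem, steps = poly_divmod(P, Q, 2)
    print(to_exponents(quo), to_exponents(rem))   # (5, 3) (7, 6, 0)
    for shift, r in steps:
        print(f"after the x^{shift} term:", to_exponents(r))
```

Over GF(3), dividing x^2 + 1 by x + 1 gives quotient x + 2 and remainder 2, a case where the remainder is not simply an XOR of the terms; `poly_divmod` handles it because it multiplies by the inverse of the divisor's leading coefficient and reduces every coefficient modulo q.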


In Galois Fields, full of flowers
primitive elements dance for hours
climbing sequentially through the trees
and shouting occasional parities.
The syndromes like ghosts in the misty damp
feed the smoldering fires of the Berlekamp
and high flying exponents sometimes are downed
on the jagged peaks of the Gilbert bound.

—S. B. Weinstein, IEEE Transactions on Information Theory (1971)

◊ Exercise B.11: Compute the three polynomial divisions (quotients and remainders) (x^5 + x^2 + x + 1)/(x^2 + 1), (x^5 + x^2 + 1)/(x^2 + 1), and (x^4 + x^3 + x)/(x^4 + 1). Consider the coefficients elements of GF(2) and add them modulo 2.

In expanding the field of knowledge webut increase the horizon of ignorance.

—Henry Miller

Appendix C Cyclic Redundancy Codes

The idea of a parity bit is simple, old, and familiar to most computer practitioners. Aparity bit is the simplest type of error-detecting code. It adds reliability to a groupof bits by making it possible for hardware or software to detect certain errors thatoccur when the group is stored in memory, is written on a disk, or is transmitted overcommunication lines between computers. A single parity bit does not make the groupabsolutely reliable. There are certain errors that cannot be detected with a parity bit,but experience shows that even a single parity bit can make data transmission reliablein most practical cases.

The parity bit is computed from a group of n-1 bits and then added to the group, making it n bits long. A common example is a 7-bit ASCII code that becomes 8 bits long after a parity bit is added. The parity bit p is computed by counting the number of ones in the original group, and setting p to complete that number to either odd or even. The former is called odd parity and the latter is even parity. Instead of counting the number of ones, odd parity can be computed as the exclusive OR (XOR) of the n-1 data bits.

Examples: Given the group of seven bits 1010111, the number of ones is 5, which is odd. Assuming odd parity, the value of p should be 0, leaving the total number of 1s odd. Similarly, the group 1010101 has four 1s, so its odd parity bit should be 1, bringing the total number of 1s to five.

Imagine a block of data where the most significant bit (MSB) of each byte is an odd parity bit, and the bytes are written vertically (Table C.1a).

When this block is read from a disk or is received by a modem, it may contain transmission errors, errors that have been caused by imperfect hardware or by electrical interference during transmission. We can think of the parity bits as horizontal reliability. When the block is read, the hardware can check every byte, verifying the parity. This is done by simply counting the number of ones in the byte. If this number is odd, the


1 01101001
0 00001011
0 11110010
0 01101110
1 11101101
1 01001110
0 11101001
1 11010111

(a)

1 01101001
0 00001011
0 11010010
0 01101110
1 11101101
1 01001110
0 11101001
1 11010111

(b)

1 01101001
0 00001011
0 11010110
0 01101110
1 11101101
1 01001110
0 11101001
1 11010111

(c)

1 01101001
0 00001011
0 11010110
0 01101110
1 11101101
1 01001110
0 11101001
1 11010111
0 00011100

(d)

Table C.1: Horizontal and Vertical Parities.

hardware assumes that the byte is good. This assumption is not always correct, since two bits may get corrupted during transmission (Table C.1c). A single parity bit is thus useful (Table C.1b) but does not provide full error-detection capability.

A simple way to increase the reliability of a block of data is to compute vertical parities. The block is considered to be eight vertical columns, and an odd parity bit is computed for each column (Table C.1d). If two bits in one byte get corrupted, the horizontal parity will not detect the error, but two of the vertical parity bits will. Even the vertical bits do not provide complete error-detection capability, but they are a simple way to significantly improve data reliability.
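As an added example (not code from the book), the following Python model runs the horizontal and vertical odd-parity scheme of Table C.1 on the eight rows of panel (a), each transcribed as an odd-parity bit followed by eight data bits. It reproduces the single-bit error of panel (b), which the byte parity catches, and the two-bit error of panel (c), which the byte parity misses but the column parities expose; the function and variable names are my own.

```python
# Added example: horizontal (per-row) and vertical (per-column) odd parity,
# modelled on Table C.1. Not code from the book.

# Rows of Table C.1(a) as transcribed from the page: an odd-parity bit
# followed by eight data bits.
TABLE_C1A = [
    "101101001", "000001011", "011110010", "001101110",
    "111101101", "101001110", "011101001", "111010111",
]


def odd_parity_bit(bits):
    """Return the bit that makes the total number of ones in bits odd.

    This is the complement of the XOR of the bits: XOR is 1 when the count
    of ones is already odd, in which case no extra one is needed.
    """
    return "0" if bits.count("1") % 2 == 1 else "1"


def add_parity(data):
    """Prefix the data bits with their odd-parity bit (the MSB of the byte)."""
    return odd_parity_bit(data) + data


def row_ok(row):
    """Horizontal check: a row with an odd number of ones is assumed good."""
    return row.count("1") % 2 == 1


def flip_bits(row, positions):
    """Corrupt a row by inverting the bits at the given (0-based) positions."""
    bits = list(row)
    for p in positions:
        bits[p] = "1" if bits[p] == "0" else "0"
    return "".join(bits)


def vertical_parities(rows):
    """Odd-parity bit for each column of the block (the extra row of Table C.1(d))."""
    width = len(rows[0])
    return "".join(odd_parity_bit("".join(r[j] for r in rows)) for j in range(width))


def check_block(rows, column_parity):
    """Return (bad_row_indexes, bad_column_indexes) for a received block."""
    bad_rows = [i for i, r in enumerate(rows) if not row_ok(r)]
    bad_cols = [j for j, p in enumerate(vertical_parities(rows))
                if p != column_parity[j]]
    return bad_rows, bad_cols


if __name__ == "__main__":
    vpar = vertical_parities(TABLE_C1A)
    # Panel (b): one bit of the third byte flipped; the row parity catches it.
    panel_b = TABLE_C1A[:2] + [flip_bits(TABLE_C1A[2], [3])] + TABLE_C1A[3:]
    print("panel (b):", check_block(panel_b, vpar))
    # Panel (c): two bits of the third byte flipped; only the columns notice.
    panel_c = TABLE_C1A[:2] + [flip_bits(TABLE_C1A[2], [3, 6])] + TABLE_C1A[3:]
    print("panel (c):", check_block(panel_c, vpar))
```

The column parities are computed from the original block, as a receiver would hold them after a clean transmission; a double error confined to one byte then shows up as two mismatched columns even though every row still passes.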

Vertical parity is the simplest example of a CRC. CRC stands for Cyclical Redundancy Check (or Cyclical Redundancy Code). It is a rule that specifies how to compute the vertical check bits (they are now called check bits, not just simple parity bits) from all the bits of the data. Here is how CRC-32 is computed (CRC-32 is one of the many standards developed by the CCITT). The block of data is written as one long binary number. In our example, this will be the 64-bit number

101101001|000001011|011110010|001101110|111101101|101001110|011101001|111010111.

The individual bits are considered the coefficients of a polynomial. In our example, this will be the degree-63 polynomial

$$P(x) = 1 \cdot x^{63} + 0 \cdot x^{62} + 1 \cdot x^{61} + 1 \cdot x^{60} + \cdots + 1 \cdot x^{2} + 1 \cdot x^{1} + 1 \cdot x^{0}.$$

This polynomial is then divided by the standard CRC-32 generating polynomial

When an integer M is divided by an integer N, the result is a quotient Q (which is irrelevant for CRC) and a remainder R, which is in the interval [0, N-1]. Similarly, when a high-degree polynomial P(x) is divided by a degree-32 polynomial, the result is two polynomials: a quotient and a remainder. The remainder is a polynomial whose


degree is in the range [0, 31], implying that it has 32 coefficients, each a single bit. (If the degree of the remainder polynomial is less than 31, some of its leftmost coefficients are zeros.) Those 32 bits are the CRC-32 code, which is appended to the block of data as four bytes. As an example, the CRC-32 of a recent version of the file with the text of this Appendix is 586DE4FE (hexadecimal).
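The following added example (my code, not the book's) implements the exponent-notation polynomial division of Appendix B and reuses it for the CRC computation just described. It checks the worked division P = (13, 11, 9, 8, 6, 5, 4, 3, 0) by Q = (8, 4, 3, 1, 0), then computes the remainder of a constructed message modulo the CRC-16 generating polynomial x^16 + x^15 + x^2 + 1 given later in this appendix (the CRC-32 polynomial is not reproduced on the page, so CRC-16 is used instead) and confirms that every single-bit error changes the remainder. The message string and all function names are my own.

```python
# Added example: polynomial division over GF(2) in the book's exponent
# notation (Appendix B), reused to compute a CRC remainder (Appendix C).
# Not code from the book.


def gf2_divmod(p, q):
    """Divide p by q over GF(2). Both are iterables of exponents whose
    coefficient is 1, e.g. (8, 4, 3, 1, 0) for x^8 + x^4 + x^3 + x + 1.
    Returns (quotient, remainder), each a tuple of exponents in descending
    order. Subtraction modulo 2 is XOR, so each step cancels the leading
    term by XOR-ing in a shifted copy of q."""
    rem = set(p)
    quot = set()
    deg_q = max(q)
    while rem and max(rem) >= deg_q:
        shift = max(rem) - deg_q            # next term of the quotient
        quot.add(shift)
        rem ^= {e + shift for e in q}       # symmetric difference == XOR
    return tuple(sorted(quot, reverse=True)), tuple(sorted(rem, reverse=True))


def bits_to_poly(bits):
    """'1011' -> exponents (3, 1, 0): the leftmost bit is the highest power."""
    n = len(bits)
    return tuple(n - 1 - i for i, b in enumerate(bits) if b == "1")


def poly_to_bits(poly, width):
    """Exponents -> fixed-width bit string, zero-padded on the left."""
    return "".join("1" if (width - 1 - i) in poly else "0" for i in range(width))


# CRC-16 generating polynomial from the page: x^16 + x^15 + x^2 + 1.
CRC16_GEN = (16, 15, 2, 0)


def crc_remainder(bits, gen=CRC16_GEN):
    """Remainder of the message polynomial modulo gen, as a bit string of
    width deg(gen), following the book's description of the CRC."""
    _, rem = gf2_divmod(bits_to_poly(bits), gen)
    return poly_to_bits(rem, max(gen))


def flip(bits, i):
    return bits[:i] + ("1" if bits[i] == "0" else "0") + bits[i + 1:]


def single_bit_errors_detected(bits, gen=CRC16_GEN):
    """True if every single-bit error changes the remainder. This holds for
    any generator with a constant term, since such a polynomial never
    divides the error polynomial x^i."""
    crc = crc_remainder(bits, gen)
    return all(crc_remainder(flip(bits, i), gen) != crc for i in range(len(bits)))


if __name__ == "__main__":
    # The worked example of Appendix B.
    P = (13, 11, 9, 8, 6, 5, 4, 3, 0)
    Q = (8, 4, 3, 1, 0)
    print(gf2_divmod(P, Q))                 # ((5, 3), (7, 6, 0))
    # A constructed message: the ASCII bits of a short string.
    msg = "".join(f"{b:08b}" for b in b"CRC demo")
    print(crc_remainder(msg), single_bit_errors_detected(msg))
```

Because x^16 mod (x^16 + x^15 + x^2 + 1) = x^15 + x^2 + 1, the remainder of the single-term message x^16 is 1000000000000101; this is a convenient hand check before trusting the routine on longer inputs.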

The CRC is sometimes called the fingerprint of the file. Of course, since it is a 32-bit number, there are only 2^32 different CRCs. This number equals approximately 4.3 billion, so in principle there are different files with the same CRC, but in practice this is rare. The CRC is useful as an error-detecting code because it has the following properties.

1. Every bit in the data block is used to compute the CRC. This means that changing even one bit may produce a different CRC.

2. Even small changes in the data normally result in very different CRCs. Experience with CRC-32 shows that it is very rare that introducing errors in the data does not change the CRC.

3. Any histogram of CRC-32 values for different data blocks is flat (or very close to flat). For a given, nonmaliciously chosen data block, the probability of any of the 2^32 possible CRCs being produced is practically the same.

Other common generating polynomials are CRC_12(x) = x^12 + x^3 + x + 1 and CRC_16(x) = x^16 + x^15 + x^2 + 1. They generate the common CRC-12 and CRC-16 codes, which are 12 and 16 bits long, respectively.

All motion is cyclic. It circulates to the limits of its possibilities and then returns to its starting point.

—Robert Collier

Appendix D Projects

The projects proposed here can serve either as extra work, voluntarily done by conscientious readers, or as class projects, assigned and graded by the instructor.

Chapter 1: Error-Control Codes

1. Construct a 1-bit error-correcting Hamming code for 16-bit codes (m = 16).

2. Investigate the reliability of voting codes when the data is copied five times. Repeat the analysis of Section 1.3 for five copies, identify the most probable case where the decoder makes the wrong decision, and compute the probability of that case.

3. Search the Internet and the professional literature for the error-control code used to protect data on DVDs.

Chapter 2: Check Digits For Error Detection

1. Find some ISBNs of books and compute the check digit of each.

2. Obtain software that prints barcodes, use it to print several barcodes, and then read these manually.

3. According to Hamming ([Hamming 86], p. 27) the two most common errors humans make, when keying numbers, dialing them, or reading and saying them, are transposing adjacent digits and changing a triplet of the form aab to abb. Select one of the check digit methods described in this chapter and try to estimate its reliability for the latter type of error.

4. In addition to American Express, other financial and travel organizations such as Barclays, Visa, Citibank, and Thomas Cook also issue travelers checks. Select one of them and find out how it computes its check digit.

5. Try to use mathematical induction to prove that there are n! permutations of n objects.


Chapter 3: Statistical Methods

1. Figure 3.7 shows a Huffman code for the 26 letters. Use the figure to calculate the average size, entropy, and variance of this code.

2. Repeat Exercise 3.10 for another short string of your choice.

3. Search the Internet for a free source code of an arithmetic codec (a good place to start is [faqs 04]) and adapt it to run on your computer.

4. Facsimile compression (Section 3.7) is vulnerable to transmission errors because it uses no error-control codes. Redesign this standard to use a simple error-correcting code, such as the SEC-DED code (Section 1.9). Implement your design and demonstrate its error-correcting capabilities by sending data between computers and artificially corrupting some bits.

Chapter 4: Dictionary Methods

1. Implement one of the dictionary compression methods of this chapter and explore its behavior for random data and data that's close to random. Specifically, find out whether random data is expanded when compressed by the algorithm.

2. The performance of the LZ77 method (Section 4.1) depends on the sizes of the search and look-ahead buffers. Implement this method and experiment with different sizes of these buffers. The point is to find the best sizes for your implementation.

3. This chapter describes only a few of the many dictionary-based compression methods currently known. Use a reference, such as [Salomon 04], to study more such methods.

Chapter 5: Image Compression

1. Use a text on statistics to familiarize yourself with the statistical concepts of variance, covariance, and correlation.

2. Use a Web search engine for images to locate continuous-tone and discrete-tone images on the Internet. In the latter type, identify those parts of the image (such as straight lines and flat planes) that are the hallmarks of a discrete-tone image.

3. Study the main color models, such as RGB, HLS, and CMYK, and how to convert a given color between them.

4. Write a program that takes a color image, separates its bitplanes and replaces the standard binary codes of the pixels in each bitplane with Gray codes (Section 14.2.1).

5. In a programming language of your choice, write a program, similar to the one of Figure 5.8, that rotates the pixels of an image and computes their distributions before and after the rotation.

Chapter 6: Basic Concepts of Cryptography

1. Search the cryptographic literature for encryption methods whose supposed security turned out to be an illusion.

2. Search the Web for private and government organizations involved with secure codes.


Chapter 7: Monoalphabetic Substitution Ciphers

1. In a programming language of your choice, write a program to input several text files and compute tables of digram and trigram frequencies.

2. Implement homophonic substitution codes based on the ideas of Exercise 7.6.

3. Search the Internet and the professional literature for monoalphabetic substitution ciphers not described in this chapter.

4. Implement one of the methods described in this chapter, use it to encrypt a large text file and then try to manually break the code with letter frequencies and by applying your knowledge of the language.

Chapter 8: Transposition Ciphers

1. Implement the substitution-transposition combined cipher proposed at the start of Section 8.6.

2. Design a 12 x 12 turning template with 36 holes and use it to encrypt long messages.

3. Implement the book method proposed on page 237 without the use of computers. Have some friends agree on a book and a formula and have each compute a new key every day for a week. Finally, compare the keys to see how robust this method is.

Chapter 9: Polyalphabetic Substitution Ciphers

1. Use a reference such as [Salomon 03] to study the traditional methods for breaking the Vigenere cipher.

2. Complete Table 9.1 to include every digram.

3. Use wood or cardboard to construct the encryption device of Figure 9.2b.

4. Implement the variation on the Vigenere cipher described in Section 9.6.

Chapter 10: Stream Ciphers

1. Implement one of the nonlinear stream ciphers described in Section 10.4.

2. Implement the SEAL stream cipher of Section 10.8. This algorithm makes extensive use of the 32-bit hexadecimal constant 000007fc, so part of your task is to test it with various other constants to find out whether the output is sensitive to this constant (different constants will produce different outputs, but the point is that some constants may produce nonrandom output).

3. (For those with interest in and access to hardware construction.) Construct the generators proposed in Exercises 10.7 and 10.8.

4. Section 10.7 discusses the Latin square combiner. Consult [Ritter 04] for the details of this method and implement it.

Chapter 11: Block Ciphers

1. Implement DES or obtain it from the Internet and experiment with weak keys. Encrypt a block of data with a weak key and then try to break that code.

2. Use the many cryptographic resources available on the Internet, as well as new books on cryptography, to study block ciphers not included in this chapter, such as AES (Rijndael) and IDEA.


Chapter 12: Public-Key Cryptography

1. Virtually all public-key encryption software uses the RSA algorithm, but other algorithms exist that employ the concept of asymmetric key. Locate resources for the Rabin and El Gamal methods and study them.

2. Study and implement a digital signature algorithm that uses the Diffie-Hellman-Merkle key exchange method. See, for example, the excellent site [Savard 03] for a description.

3. Implement one of the threshold schemes of Section 12.5 for sharing secrets and use it in practice, sharing secrets with friends.

Chapter 13: Data Hiding

1. Examine several of the methods described in this chapter and the next one. For each method, evaluate its embedding capacity, invisibility, undetectability, and robustness.

2. Use the resources available in [WatermarkingWorld 03] (such as FAQs, books, and links) to study methods for watermarking and how they can be defeated.

3. Use the source code in [Wayner 02] to implement a simple version of mimic functions following the basics of this method, described in Section 13.8.

Chapter 14: Data Hiding in Images

1. Implement the eight variants of LSB Encoding (Section 14.1) and evaluate the embedding capacity, invisibility, undetectability, and robustness of each.

2. Study the technique of Section 14.1.1 for hiding data in a color lookup table and apply it to the BMP graphics file format. For two current references for this useful format, see [Miano 99] and [Swan 93].

3. Search the Internet for new techniques for the lossless hiding of secret data in images.

4. The Patchwork method of Section 14.5 is based on slightly changing the brightness values of many pixels. Write a program that converts an image from RGB to a luminance-chrominance color space such as YCbCr and then changes the brightness of certain regions by a certain amount, specified by the user. Experiment with this program on a group of friends to find out the maximum amount of brightness change that's still undetected by most persons.

5. The Zhao-Koch Method (Section 14.14) is based on partitioning the image into blocks of 8×8 pixels each and hiding one bit in each block by modifying the pixels of the block, if necessary. Implement this method and make the block size a user-controlled parameter. Experiment with different block sizes to find the strengths and weaknesses of small blocks and large blocks.

6. Project 4 of Chapter 3 is about implementing the fax compression standard with parity bits for added reliability. The present project asks you to implement the same method with the features discussed in Section 14.18 for data hiding.


Chapter 15: Data Hiding: Other Methods

1. Search the professional literature for new algorithms to hide data in other than text or image files.

2. Implement the steganographic file system as described in Section 15.7. Use this implementation to actually hide files on your computer, and demonstrate the usefulness of such a system to friends.

But my grandmother had been obliged to abandon this project, at the instance of my father who knew, whenever she organised any expedition with a view to extracting from it the utmost intellectual benefit that it was capable of yielding, what a tale there would be to tell of missed trains, lost luggage, sore throats and broken rules.
—Marcel Proust, Within a Budding Grove (1921)

Answers to Exercises

If there's some magic in this world, it must be in the attempt of understanding someone else, sharing something. Even if it's almost impossible to succeed, but who cares, the answer must be in the attempt.
—Julie Delpy as Celine in Before Sunrise (1995)

1.1: Bribe, gibe, glib, jibe, kibe, vibe, brie, babe, bab, bleb, lobe, blob, lube, blue, blub, lice, bide, life, like, bike, bile, lime, line, bine, blin, blip, lire, bise, bite, live, belie, bible, libre, libel, bribee, bribed, briber, bribes, and bolide.

1.2: The case where p is large, say 0.9, n = 2, and j = 1. In this case, p^j = 0.9 and (1-p)^(n-j) = 0.1. Including the term (1-p)^(n-j) in this case is important, since it reduces the probability to one-tenth the size of p^j.

1.3: The receiver for the (7,1) voting code makes the wrong decision when a set of seven bits that should be identical features 4, 5, 6, or 7 bad bits. The probability of this happening is

$$p_e = \binom{7}{4} p^4 (1-p)^3 + \binom{7}{5} p^5 (1-p)^2 + \binom{7}{6} p^6 (1-p) + \binom{7}{7} p^7.$$

Substituting p = 0.01 yields p_e = 3.4 × 10^-7, implying that, on average, one error in every 1/(3.4 × 10^-7) ≈ 2.94 × 10^6 bits sent will not be detected and corrected. This should be compared to one undetected bad bit in every 100 without the voting code.

1.4: Adding check bits makes the codewords longer, so they require more storage space and take longer to transmit. The key to data reliability is a tradeoff between the size of a codeword and its efficiency (the number of errors it can detect and/or correct).


1.5: This code has a Hamming distance of 4, and one way of generating it is to duplicate code3.

1.6: It is identical to the Hamming code for a set of 256 symbols, except that information bit b12 is not needed.

1.7: Only codes that require information bit b17 and higher. The smallest such code has the 12 information bits b3, b5, b6, b7, b9, b10, b11, b12, b13, b14, b15, and b17. It can therefore code a set of 2^12 = 4,096 symbols.

1.8: Append five artificial segments with data bits of zero and parity bits that will be determined by the data bits of segment n.

1.9: Figure Ans.1 (compare with Figure 15.3) shows a simple, uniform wave sampled at precisely twice its frequency. It's easy to see that all the samples are identical, so playing them back generates a fixed signal, very different from the original wave.

[Figure Ans.1 plots the wave against Time (sample points 1, 2, 3; amplitude scale 1, 0, -1). The plot itself is not reproduced.]

Figure Ans.1: A Wrong Sampling Rate.

1.10: A general parabola can be expressed by its standard equation c_1 x^2 + c_2 x + c_3 y + c_4 = 0 or by its alternate equation c_1 y^2 + c_2 x + c_3 y + c_4 = 0. Given the three points (x_1, y_1), (x_2, y_2), and (x_3, y_3), the two equations of the unique parabola passing through them are computed by solving the determinant equations

$$\begin{vmatrix} x^2 & x & y & 1 \\ x_1^2 & x_1 & y_1 & 1 \\ x_2^2 & x_2 & y_2 & 1 \\ x_3^2 & x_3 & y_3 & 1 \end{vmatrix} = 0, \qquad
\begin{vmatrix} y^2 & x & y & 1 \\ y_1^2 & x_1 & y_1 & 1 \\ y_2^2 & x_2 & y_2 & 1 \\ y_3^2 & x_3 & y_3 & 1 \end{vmatrix} = 0.$$

1.11: This is straightforward and Table Ans.2 lists the 14 codes.

0000000 1111111
1000110 0111001
1110000 0001111
0011100 1100011
0100101 1011010
1001001 0110110
0010011 1101100
0101010 1010101

Table Ans.2: Fourteen Codes With Hamming Distance 3.


2.1: Given the 2-digit decimal integer A = d_1 d_2, a possible choice for n is 9. Given A = 49, it is easy to compute T = (4 + 9) mod 9 = 4 and C = 9 - 4 = 5. However, the number 40 also satisfies T = (4 + 0) mod 9 = 4, so it has the same check digit 5. Thus, an error that corrupts 49 to 40 will not be detected. This check digit is therefore not very reliable for reasons that have to do with 9 not being a prime number (this is explained in the text).

2.2: A Web search yields few results. Among them is Joseph Muscat, Maltese Ports (1400-1800), Pubblikazzjonijiet Indipendenza, Malta 2002, ISBN 99932-41-29-6. Price LM3 (3 Maltese lira).

2.3: A bit is a base-2 digit and there are two such digits, 0 and 1. Similarly, a trit is a base-3 digit, so there are three such digits, 0, 1, and 2. Imagine a 3-digit number d_3 d_2 d_1, where the digits are trits and the check digit is computed by T = (3d_3 + 2d_2 + d_1) mod 4 and C = 4 - T. Since the base 4 is a multiple of the weight 2, it is easy to come up with (3·2 + 2·0 + 2) mod 4 = 0 and also (3·2 + 2·2 + 2) mod 4 = 0. Thus, the two numbers 202 and 222 have the same check digit.

2.4: The answer is trivial, so let's check the effect of 7 as a weight. Using 7 in addition to 1 and 3 doesn't improve the UPC check digit much. If two adjacent digits d_i and d_{i+1} are assigned weights of 3 and 7, then swapping them alters T by 4(d_i - d_{i+1}), which equals 20 whenever the difference |d_i - d_{i+1}| is 5. Similarly, if two adjacent digits d_i and d_{i+1} are assigned weights of 1 and 7, then swapping them alters T by 6(d_i - d_{i+1}), which equals 30 whenever the difference |d_i - d_{i+1}| is 5.

2.5: This is 9781579550080 (A New Kind of Science, by Stephen Wolfram).
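The following added example (my code, not the book's) puts the check-digit arithmetic of answers 2.1, 2.4 and 2.5 into Python: the mod-9 scheme of 2.1 with its 49/40 collision, and the ISBN-13/EAN-13 rule (alternating weights 1 and 3, check digit completing the sum to a multiple of 10) applied to the ISBN of answer 2.5. It then searches for adjacent transpositions that the ISBN-13 check digit cannot detect, which by the reasoning of 2.4 are exactly the swaps of two digits differing by 5. The function names are my own.

```python
# Added example (not the book's code): weighted check digits and the
# adjacent-transposition weakness discussed in answers 2.1, 2.4 and 2.5.


def mod9_check(number):
    """Answer 2.1: T = (sum of digits) mod 9, check digit C = 9 - T."""
    t = sum(int(d) for d in str(number)) % 9
    return 9 - t


def ean13_check_digit(first12):
    """ISBN-13/EAN-13 check digit: weights 1, 3, 1, 3, ... over the first
    twelve digits; the check digit completes the sum to a multiple of 10."""
    assert len(first12) == 12 and first12.isdigit()
    total = sum(int(d) * (1 if i % 2 == 0 else 3) for i, d in enumerate(first12))
    return (10 - total % 10) % 10


def ean13_valid(isbn13):
    return len(isbn13) == 13 and ean13_check_digit(isbn13[:12]) == int(isbn13[12])


def swap_adjacent(digits, i):
    """Transpose digits i and i+1 (the common keying error of answer 2.4)."""
    d = list(digits)
    d[i], d[i + 1] = d[i + 1], d[i]
    return "".join(d)


def undetected_transpositions(isbn13):
    """Positions i where swapping digits i and i+1 leaves the number valid.
    With weights 1 and 3 the swap changes the sum by 2*(d_i - d_{i+1}), a
    multiple of 10 exactly when the two digits differ by 5 (swaps of equal
    digits change nothing and are skipped)."""
    return [i for i in range(12)
            if isbn13[i] != isbn13[i + 1] and ean13_valid(swap_adjacent(isbn13, i))]


if __name__ == "__main__":
    print(mod9_check(49), mod9_check(40))        # 5 5: the collision of answer 2.1
    isbn = "9781579550080"                        # answer 2.5
    print(ean13_valid(isbn), undetected_transpositions(isbn))   # True [8]
```

In the ISBN of answer 2.5 the only adjacent pair that differs by 5 is the "50" at positions 8 and 9, so 9781579505080 carries the same check digit and the transposition passes unnoticed; every other adjacent swap is caught.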

2.6: Either use three bar sizes (but this may lead to more errors in reading the bars) or use six bars in a group. With two long and four short bars, there can be C(6,2) = C(6,4) = 15 groups.

2.7: Perhaps the simplest proof of this is by induction.

2.8: The explicit representation of a is

01 2345678912468 13579

2.9: This product can be written as p = d × 10^2 = d × 2^2 × 5^2, where d is a digit and 2 and 5 are primes. The prime 97 is therefore not any of the prime factors of p, so p is not a multiple of 97.


3.1: The unary code satisfies the prefix property, so it can be used as a variable-size code. Moreover, the length of the unary code of the integer n is n bits, so it makes sense to use it in cases where the input data consists of integers n with probabilities P(n) ≈ 2^-n. If the data lends itself to the use of the unary code, there is no need to execute the Huffman algorithm, and the codes of all the symbols can easily and quickly be constructed as unary codes before compression or decompression starts.

3.2: Figure Ans.3a,b,c shows the three trees. The code sizes (in bits per symbol) for the trees are

(5 + 5 + 5 + 5·2 + 3·3 + 3·5 + 3·5 + 12)/30 = 76/30,

(5 + 5 + 4 + 4·2 + 4·3 + 3·5 + 3·5 + 12)/30 = 76/30,

(6 + 6 + 5 + 4·2 + 3·3 + 3·5 + 3·5 + 12)/30 = 76/30.

[The tree drawings of Figure Ans.3, panels (a) through (d), are not reproduced here.]

Figure Ans.3: Three Huffman Trees For Eight Symbols.

3.3: After adding symbols A, B, C, D, E, F, and G to the tree, we were left with the three symbols ABEF (with probability 10/30), CDG (with probability 8/30), and H (with probability 12/30). The two symbols with lowest probabilities were ABEF and CDG, so they had to be merged. Instead, symbols CDG and H were merged, creating a non-Huffman tree.

3.4: The second row of Table 3.6 corresponds to a symbol whose Huffman code is three bits long, but for which ⌈-log_2 0.3⌉ = ⌈1.737⌉ = 2.

3.5: The size of the Huffman code of a symbol a_i depends just on the symbol's probability P_i. This probability, however, depends indirectly on the size of the alphabet. In a large alphabet, symbol probabilities tend to be small numbers, so Huffman codes are long. In a small alphabet, the situation is the opposite. This can also be understood intuitively. A small alphabet requires just a few codes, so they can all be short; a large alphabet requires many codes, so some must be long.

3.6: Figure Ans.4 shows Huffman codes for 5, 6, 7, and 8 symbols with equal probabilities. In the case where n is a power of 2, the codes are simply the fixed-size ones. In other cases the codes are very close to fixed-size. This shows that symbols with equal probabilities do not benefit from variable-size codes. (This is another way of saying that random text cannot be compressed.) Table Ans.5 shows the codes and their average sizes and variances.

3.7: The number of groups increases exponentially from 2^s to 2^(s+n) = 2^s × 2^n.

3.8: The binary value of 127 is 01111111 and that of 128 is 10000000. Half the pixels in each bitplane will therefore be 0 and the other half 1. In the worst case, each bitplane will be a checkerboard, i.e., will have many runs of size one. In such a case, each run requires a 1-bit code, leading to one codebit per pixel per bitplane, or eight codebits per pixel for the entire image, resulting in no compression at all. In comparison, a Huffman code for such an image requires just two codes (since there are just two pixel values) and they can be 1 bit each. This leads to one codebit per pixel, or a compression factor of eight.

3.9: A symbol with high frequency of occurrence should be assigned a shorter code and should therefore appear high in the tree. The requirement that at each level the frequencies be sorted from left to right is arbitrary. In principle it is not necessary, but it simplifies the process of updating the tree.

3.10: Figure Ans.6 shows the initial tree and how it is updated in the 11 steps (a) through (k). Notice how the esc symbol gets assigned different codes all the time, and how the different symbols move about in the tree and change their codes. Code 10, e.g., is the code of symbol "i" in steps (f) and (i) but is the code of "s" in steps (e) and (j). The code of a blank space is 011 in step (h) but 00 in step (k).

The final output is s0i00r100u1010000d011101000, a total of 5×8 + 22 = 62 bits. The compression ratio is thus 62/88 ≈ 0.7.

3.11: A typical fax machine scans lines that are about 8.2 inches wide (≈ 208 mm). A blank scan line produces 1,664 consecutive white pels, making this run length very common.

3.12: These codes are needed for cases such as example 4, where the run length is 64, 128, or any length for which a makeup code has been assigned.

3.13: Currently, there is no need for codes for longer runs. However, there may be fax machines (now or in the future) built for wider paper, so the Group 3 code was designed to accommodate them.


[The code trees of Figure Ans.4 are not reproduced here; the codes they define are listed in Table Ans.5.]

Figure Ans.4: Huffman Codes for Equal Probabilities.

n   p      a1   a2   a3   a4   a5   a6   a7   a8    Avg. size  Var.
5   0.200  111  110  101  100  0                    2.6        0.64
6   0.167  111  110  101  100  01   00              2.672      0.2227
7   0.143  111  110  101  100  011  010  00         2.86       0.1226
8   0.125  111  110  101  100  011  010  001  000   3          0

Table Ans.5: Huffman Codes for 5-8 Symbols.
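As an added example (my code, not the book's), here is a priority-queue Huffman construction together with the average-size and variance measures used in answers 3.2 and 3.6. It is checked against the 76/30 average of answer 3.2, using the eight frequencies implied by the sums there (1, 1, 1, 2, 3, 5, 5, 12, total 30; which letter carries which frequency is my assumption), and against the n = 6, 7 and 8 rows of Table Ans.5. The average is the same for any tie-breaking order because every Huffman tree is optimal, which is the reason all three trees of answer 3.2 give 76/30.

```python
# Added example (not the book's code): Huffman code lengths via a heap, with
# the average size and variance of the resulting code.
import heapq
from itertools import count


def huffman_code_lengths(freqs):
    """freqs: dict symbol -> frequency (or probability). Returns a dict
    symbol -> code length. Each merge of the two lightest subtrees deepens
    every leaf beneath them by one level."""
    if len(freqs) == 1:
        return {next(iter(freqs)): 1}
    tie = count()                          # stable tie-break for equal weights
    heap = [(w, next(tie), [s]) for s, w in freqs.items()]
    heapq.heapify(heap)
    length = {s: 0 for s in freqs}
    while len(heap) > 1:
        w1, _, leaves1 = heapq.heappop(heap)
        w2, _, leaves2 = heapq.heappop(heap)
        for s in leaves1 + leaves2:
            length[s] += 1
        heapq.heappush(heap, (w1 + w2, next(tie), leaves1 + leaves2))
    return length


def huffman_codes(freqs):
    """Canonical codewords from the lengths: shorter codes first, then in
    symbol order, so the result is prefix-free and reproducible."""
    lengths = huffman_code_lengths(freqs)
    codes, code, prev_len = {}, 0, 0
    for s in sorted(lengths, key=lambda s: (lengths[s], str(s))):
        code <<= lengths[s] - prev_len
        codes[s] = format(code, f"0{lengths[s]}b")
        code += 1
        prev_len = lengths[s]
    return codes


def average_size(freqs, lengths):
    """Average code size in bits per symbol, weighted by frequency."""
    total = sum(freqs.values())
    return sum(freqs[s] * lengths[s] for s in freqs) / total


def variance(freqs, lengths):
    """Frequency-weighted variance of the code lengths about the average."""
    total = sum(freqs.values())
    avg = average_size(freqs, lengths)
    return sum(freqs[s] * (lengths[s] - avg) ** 2 for s in freqs) / total


if __name__ == "__main__":
    # Frequencies implied by answer 3.2 (the letter assignment is assumed).
    ex32 = {"A": 1, "B": 1, "C": 1, "D": 2, "E": 3, "F": 5, "G": 5, "H": 12}
    lengths = huffman_code_lengths(ex32)
    print(average_size(ex32, lengths) * 30)          # 76.0
    for n in (6, 7, 8):                              # rows of Table Ans.5
        equal = {i: 1 for i in range(n)}
        ln = huffman_code_lengths(equal)
        print(n, huffman_codes(equal), average_size(equal, ln), variance(equal, ln))
```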


Initial tree: the single node esc with count 0.

(a) Input: s. Output: 's'.
(b) Input: i. Output: 0'i'.
(c) Input: r. Output: 00'r'.
(d) Input: ␣ (blank space). Output: 100'␣'.

[The tree drawings for these steps are not reproduced here.]

Figure Ans.6: Exercise 3.10. Adaptive Huffman Example: Part I.


(e) Input: s. Output: 10.
(f) Input: i. Output: 10.
(g) Input: d. Output: 000'd'.

[The tree drawings for these steps are not reproduced here.]

Figure Ans.6: Exercise 3.10. Adaptive Huffman Example: Part II.


(h) Input: ␣ (blank space). Output: 011.
(i) Input: i. Output: 10.

[The tree drawings for these steps are not reproduced here.]

Figure Ans.6: Exercise 3.10. Adaptive Huffman Example: Part


(j) Input: s. Output: 10.
(k) Input: ␣ (blank space). Output: 00.

[The tree drawings for these steps are not reproduced here.]

Figure Ans.6: Exercise 3.10. Adaptive Huffman Example: Part IV.


3.14: The codes of Table 3.18 have to satisfy the prefix property in each column but not between the columns. This is because each scan line starts with a white pel, so when the decoder inputs the next code, it knows whether it is for a run of white or black pels.

3.15: The code of a run length of one white pel is 000111 and that of one black pel is 010. Two consecutive pels of different colors are therefore coded into nine bits. Since the uncoded data requires just two bits (01 or 10), the compression ratio is 9/2 = 4.5 (the compressed stream is 4.5 times longer than the uncompressed one—a significant expansion).

3.16: Figure Ans.7 shows the modes and the actual code generated from the two lines.

[The pel diagram of Figure Ans.7 is not reproduced here. The modes and codes it shows, in order, are: vertical mode (-1, 0): 010 1; horizontal mode (3 white, 4 black): 001 1000 011; pass mode: 0001; vertical mode (+2, -2): 000011 000010; horizontal mode (4 white, 7 black): 001 1011 00011.]

Figure Ans.7: Two-Dimensional Coding Example

3.17: Table Ans.8 shows the steps of encoding the string a2a2a2a2. Because of the high probability of a2, the low and high variables start at very different values and approach each other slowly.

a2   0.0 + (1.0 - 0.0) × 0.023162 = 0.023162                    0.0 + (1.0 - 0.0) × 0.998162 = 0.998162
a2   0.023162 + 0.975 × 0.023162 = 0.04574495                   0.023162 + 0.975 × 0.998162 = 0.99636995
a2   0.04574495 + 0.950625 × 0.023162 = 0.06776332625           0.04574495 + 0.950625 × 0.998162 = 0.99462270125
a2   0.06776332625 + 0.926859375 × 0.023162 = 0.08923124309375  0.06776332625 + 0.926859375 × 0.998162 = 0.99291913371875

Table Ans.8: Encoding the String a2a2a2a2.

3.18: It can be written either as 0.1000... or 0.0111...

3.19: In principle, the eof symbol has to be included in the original table of frequencies and probabilities. This symbol is the last to be encoded, and decoding it serves as a signal for the decoder to stop.


3.20: The encoding steps are simple (see first example on page 96). We start with the interval [0,1). The first symbol a2 reduces the interval to [0.4,0.9), the second one to [0.6,0.85), the third one to [0.7,0.825), and the eof symbol to [0.8125,0.8250). The approximate binary values of the last interval are 0.1101000000 and 0.1101001100, so we select the 7-bit number 1101000 as our code.

The probability of the string a2a2a2eof is (0.5)^3 × 0.1 = 0.0125, but since -log_2 0.0125 ≈ 6.322, it follows that the theoretical minimum code size is 7 bits.
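The following added example (my code, not the book's) implements the interval narrowing of answers 3.17 and 3.20 with exact fractions, so the decimal values of Table Ans.8 come out digit for digit, and adds the matching decoder, which recovers a2a2a2eof from the 7-bit code 1101000 = 104/128. The page gives only the range of a2 in 3.17 and the ranges of a2 and eof in 3.20; the sizes of the other symbols' ranges are my assumptions and are marked as such.

```python
# Added example (not the book's code): arithmetic-coding interval narrowing
# (answers 3.17 and 3.20) and the matching decoder, using exact fractions.
from fractions import Fraction as F


def build_ranges(probs):
    """Cumulative [low, high) sub-interval of [0, 1) for each symbol, in the
    order given. probs: list of (symbol, probability as decimal string)."""
    ranges, cum = {}, F(0)
    for sym, p in probs:
        ranges[sym] = (cum, cum + F(p))
        cum += F(p)
    assert cum == 1, "probabilities must sum to 1"
    return ranges


def encode(symbols, ranges):
    """Narrow [0, 1) once per symbol. Returns the (low, high) pair after
    each step, i.e. the rows of Table Ans.8."""
    low, high, steps = F(0), F(1), []
    for sym in symbols:
        width = high - low
        lo_s, hi_s = ranges[sym]
        low, high = low + width * lo_s, low + width * hi_s
        steps.append((low, high))
    return steps


def decode(value, ranges, stop):
    """Recover the symbols from a number inside the final interval, stopping
    at the stop symbol (eof in answer 3.20)."""
    low, high, out = F(0), F(1), []
    while True:
        target = (value - low) / (high - low)
        sym = next(s for s, (a, b) in ranges.items() if a <= target < b)
        out.append(sym)
        if sym == stop:
            return out
        width = high - low
        low, high = low + width * ranges[sym][0], low + width * ranges[sym][1]


# Answer 3.17: a2 occupies [0.023162, 0.998162), so P(a2) = 0.975. The rest of
# the unit interval is split between two other symbols; their sizes are my
# assumption, the page gives only the a2 range.
RANGES_317 = build_ranges([("a1", "0.023162"), ("a2", "0.975"), ("a3", "0.001838")])

# Answer 3.20: a2 takes [0.4, 0.9) and eof the last tenth; the symbol below
# a2 is assumed to take [0, 0.4).
RANGES_320 = build_ranges([("a1", "0.4"), ("a2", "0.5"), ("eof", "0.1")])

if __name__ == "__main__":
    for low, high in encode(["a2"] * 4, RANGES_317):
        print(float(low), float(high))
    print(encode(["a2", "a2", "a2", "eof"], RANGES_320)[-1])   # (13/16, 33/40)
    print(decode(F(104, 128), RANGES_320, "eof"))             # ['a2', 'a2', 'a2', 'eof']
```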

4.1: The size of the output file is N[48 - 28P] = N[48 - 25.2] = 22.8N. The size of the input file is, as before, 40N. The compression factor in such a case is 40/22.8 ≈ 1.75.

4.2: The decoder doesn't know whether the encoder has selected the first match or the last match, but the point is that the decoder does not need to have this information! The decoder simply reads tokens and uses each offset to locate a string of text in the search buffer without having to know whether the string was a first or a last match.

4.3: The next step matches the space and encodes the string ␣e,

sir␣sid␣e|astman␣easily␣te ⇒ (0,0,a

and the next one matches nothing and encodes the a.

4.4: This is straightforward. The resulting steps are listed in Table Ans.9.

Dictionary      Token
15: ␣t          (4, t)
16: e           (0, e)
17: as          (8, s)
18: es          (16, s)
19: ␣s          (4, s)
20: ea          (4, a)
21: ␣si         (19, i)
22: c           (0, c)
23: k           (0, k)
24: ␣se         (19, e)
25: al          (8, l)
26: s(eof)      (1, (eof))

Table Ans.9: Next 12 Encoding Steps in LZ78.

4.5: Table Ans.10 summarizes the steps. The output emitted by the encoder is

97 (a), 108 (l), 102 (f), 32 (␣), 101 (e), 97 (a), 116 (t), 115 (s), 32 (␣), 256 (al), 102 (f), 265 (alf), 97 (a),

and the following new entries are added to the dictionary:

(256: al), (257: lf), (258: f␣), (259: ␣e), (260: ea), (261: at), (262: ts), (263: s␣), (264: ␣a), (265: alf), (266: fa), (267: alfa).


I        in dict?   new entry    output
a        Y
al       N          256-al       97 (a)
l        Y
lf       N          257-lf       108 (l)
f        Y
f␣       N          258-f␣       102 (f)
␣        Y
␣e       N          259-␣e       32 (␣)
e        Y
ea       N          260-ea       101 (e)
a        Y
at       N          261-at       97 (a)
t        Y
ts       N          262-ts       116 (t)
s        Y
s␣       N          263-s␣       115 (s)
␣        Y
␣a       N          264-␣a       32 (␣)
a        Y
al       Y
alf      N          265-alf      256 (al)
f        Y
fa       N          266-fa       102 (f)
a        Y
al       Y
alf      Y
alfa     N          267-alfa     265 (alf)
a        Y
a,eof    N                       97 (a)

Table Ans.10: LZW Encoding of alf␣eats␣alfalfa.

4.6: The encoder inputs the first a into I, searches, and finds a in the dictionary. It inputs the next a but finds that Ix, which is now aa, is not in the dictionary. The encoder therefore adds string aa to the dictionary as entry 256 and outputs the token 97 (a). Variable I is initialized to the second a. The third a is input, so Ix is the string aa, which is now in the dictionary. I becomes this string, and the fourth a is input. Ix is now aaa, which is not in the dictionary. The encoder therefore adds string aaa to the dictionary as entry 257 and outputs 256 (aa). I is initialized to the fourth a. Continuing this process is straightforward.

The result is that strings aa, aaa, aaaa,... are added to the dictionary as entries 256, 257, 258,..., and the output is

97 (a), 256 (aa), 257 (aaa), 258 (aaaa), . . .

The output consists of pointers pointing to longer and longer strings of a's. Thus, thefirst k pointers point at strings whose total length is 1 + 2 + • • • + k = (k + k2)/2.

Assuming an input file that consists of 1 million a's, we can find the size of thecompressed output file by solving the quadratic equation (k + k2)/2 = 1000000 forthe unknown k. The solution is k « 1414. The original 8-million-bit input is thuscompressed into 1414 pointers, each at least 9 bits (and in practice, probably 16 bits)long. The compression factor is thus either 8M/(1414 x 9) « 628.6 or 8M/(1414 x 16) «353.6.

This is an impressive result, but such input files are rare (notice that this particularinput can best be compressed by generating an output file containing just " 1000000 a"and without using LZW).

4.7: We simply follow the decoding steps described in the text. The results are as follows:

1. Input 97. This is in the dictionary, so set I=a and output a. String ax needs to be saved in the dictionary, but x is still unknown.
2. Input 108. This is in the dictionary, so set J=l and output l. Save al in entry 256. Set I=l.
3. Input 102. This is in the dictionary, so set J=f and output f. Save lf in entry 257. Set I=f.
4. Input 32. This is in the dictionary, so set J=⊔ and output ⊔. Save f⊔ in entry 258. Set I=⊔.
5. Input 101. This is in the dictionary, so set J=e and output e. Save ⊔e in entry 259. Set I=e.
6. Input 97. This is in the dictionary, so set J=a and output a. Save ea in entry 260. Set I=a.
7. Input 116. This is in the dictionary, so set J=t and output t. Save at in entry 261. Set I=t.
8. Input 115. This is in the dictionary, so set J=s and output s. Save ts in entry 262. Set I=s.
9. Input 32. This is in the dictionary, so set J=⊔ and output ⊔. Save s⊔ in entry 263. Set I=⊔.
10. Input 256. This is in the dictionary, so set J=al and output al. Save ⊔a in entry 264. Set I=al.
11. Input 102. This is in the dictionary, so set J=f and output f. Save alf in entry 265. Set I=f.
12. Input 265. This has just been saved in the dictionary, so set J=alf and output alf. Save fa in dictionary entry 266. Set I=alf.
13. Input 97. This is in the dictionary, so set J=a and output a. Save alfa in entry 267 (even though it will never be used). Set I=a.
14. Read eof. Stop.
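The encoder of Exercise 4.5 and the decoder of Exercise 4.7 in working form, as an added example (not code from the book). The alphabet is 8-bit bytes with the first new entry at pointer 256, as in the exercises; ⊔ is an ordinary space. The decoder also handles the case of Exercise 4.6, where a pointer refers to the dictionary entry the encoder is adding in the very same step, which a decoder that is "one step behind" must reconstruct as I followed by the first symbol of I.

```python
# Added example (not code from the book): LZW in the form the exercises
# trace, with an 8-bit alphabet and the first new entry at pointer 256.

def lzw_encode(data: bytes) -> list:
    """Return the list of dictionary pointers the encoder emits for data."""
    dictionary = {bytes([i]): i for i in range(256)}
    next_code = 256
    output = []
    current = b""                       # the string I of the exercises
    for value in data:
        candidate = current + bytes([value])    # the string Ix
        if candidate in dictionary:
            current = candidate         # Ix is known: keep extending I
        else:
            output.append(dictionary[current])  # emit the pointer to I
            dictionary[candidate] = next_code   # and save Ix as a new entry
            next_code += 1
            current = bytes([value])    # I is reset to the symbol x
    if current:                         # flush the last string at eof
        output.append(dictionary[current])
    return output


def lzw_decode(codes: list) -> bytes:
    """Rebuild the dictionary one step behind the encoder and return the text."""
    dictionary = {i: bytes([i]) for i in range(256)}
    next_code = 256
    output = bytearray()
    previous = b""                      # the string I of Exercise 4.7
    for code in codes:
        if code in dictionary:
            entry = dictionary[code]    # the string J
        elif code == next_code and previous:
            # The pointer names the entry the encoder added in this very
            # step (the aaaa... input of Exercise 4.6). That entry can only
            # be I followed by the first symbol of I.
            entry = previous + previous[:1]
        else:
            raise ValueError(f"pointer {code} is not in the dictionary")
        output += entry
        if previous:                    # save I + first symbol of J
            dictionary[next_code] = previous + entry[:1]
            next_code += 1
        previous = entry
    return bytes(output)


def pointer_count(run_length: int) -> int:
    """Number of pointers LZW emits for a run of identical symbols (Exercise 4.6)."""
    return len(lzw_encode(b"a" * run_length))


if __name__ == "__main__":
    text = b"alf eats alfalfa"           # the input of Exercise 4.5
    tokens = lzw_encode(text)
    print(tokens)                        # [97, 108, 102, 32, 101, 97, 116, 115, 32, 256, 102, 265, 97]
    print(lzw_decode(tokens) == text)    # True
    print(pointer_count(10_000))         # 141 pointers, since k(k+1)/2 >= 10000 first holds for k = 141
```

For a run of 10,000 identical symbols the encoder emits 141 pointers, the smallest k with k(k + 1)/2 ≥ 10,000, which is the same quadratic the text solves for one million symbols.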

4.8: We assume that the dictionary is initialized to just the two entries (1: a) and (2: b). The encoder outputs

1 (a), 2 (b), 3 (ab), 5 (aba), 4 (ba), 7 (bab), 6 (abab), 9 (ababa), 8 (baba), ...

and adds the new entries (3: ab), (4: ba), (5: aba), (6: abab), (7: bab), (8: baba), (9: ababa), (10: ababab), (11: babab), ... to the dictionary. This behavior is regular, so it can easily be analyzed and the kth output pointer and dictionary entry predicted, but the results are not worth the effort required.

4.9: The answer to Exercise 4.6 illustrates the relation between the size of the compressed file and the size of the largest dictionary string for the "worst case" situation (input that creates the longest strings). For a 1 Mbyte input stream, there will be 1,414 strings in the dictionary, the largest of which is 1,414 symbols long.

5.1: No. An image with no redundancy is not necessarily random. Page 60 discusses two types of image redundancy, the more important of which is pixel correlation. In rare cases, an image may have little or no correlation between its pixels and yet be nonrandom and even interesting.

5.2: Figure Ans.11 shows two 32×32 matrices. The first one, a, has random (and therefore decorrelated) values and the second one, b, is its inverse (and therefore with correlated values). Their covariance matrices are also shown, and it is obvious that matrix cov(a) is close to diagonal (the off-diagonal elements are zero or close to zero), whereas matrix cov(b) is far from diagonal. The Matlab code for this figure is also included.

5.3: No. If pixel values are in the range [0,255], a difference (Pi — Qi) can be at most255. The worst case is where all the differences are 255. It is easy to see that such acase yields an RMSE of 255.

5.4: The code of Figure 5.9 yields the coordinates of the rotated points

(7.071, 0), (9.19, 0.7071), (17.9, 0.78), (33.9, 1.41), (43.13, −2.12)

(notice how all the y coordinates are small numbers) and shows that the cross-correlation drops from 1729.72 before the rotation to −23.0846 after it. A significant reduction!

5.5: The Mathematica code of Figure Ans.12 produces the 8 DCT coefficients 140, −71, 0, −7, 0, −2, 0, and 0. They are quantized to 140, −71, 0, 0, 0, 0, 0, and 0, to which the IDCT is applied. The result is 15, 20, 30, 43, 56, 69, 79, and 84. These are close to the original values, with a maximum difference of 4. Figure Ans.12 lists Mathematica code for this example.

   Clear[Pixl, G, Gq, RecP];
   Cr[i_] := If[i == 0, Sqrt[2]/2, 1];
   DCT[i_] := (1/2) Cr[i] Sum[Pixl[[x + 1]] Cos[(2 x + 1) i Pi/16], {x, 0, 7, 1}];
   IDCT[x_] := (1/2) Sum[Cr[i] Gq[[i + 1]] Cos[(2 x + 1) i Pi/16], {i, 0, 7, 1}];
   Pixl = {11, 22, 33, 44, 55, 66, 77, 88};
   G = Table[SetAccuracy[N[DCT[m]], 0], {m, 0, 7}]
   Gq = {140., -71, 0, 0, 0, 0, 0, 0};
   RecP = Table[SetAccuracy[N[IDCT[m]], 0], {m, 0, 7}]

Figure Ans.12: Mathematica Code for One-Dimensional DCT Example.
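The same computation in Python, as an added example (not code from the book), so that the coefficients and the reconstruction of Exercise 5.5 can be checked without Mathematica. It uses the normalization of Figure Ans.12 exactly (the factor 1/2 and Cr[0] = 1/√2, which for 8 points is the orthonormal DCT) and adds the crude quantization of the exercise, keeping only the first coefficients. One detail worth knowing when checking the text's numbers: the eighth coefficient comes out at about −0.56, which the text lists as 0.

```python
# Added example (not code from the book): the one-dimensional DCT and its
# inverse with the normalization of Figure Ans.12, plus the "keep the first
# few coefficients" quantization of Exercise 5.5.  Standard library only.
import math


def _scale(i: int) -> float:
    """The factor Cr[i] of the figure: 1/sqrt(2) for the DC term, 1 otherwise."""
    return math.sqrt(2) / 2 if i == 0 else 1.0


def dct_1d(pixels):
    """Forward DCT: G_i = (1/2) C_i sum_x p_x cos((2x+1) i pi / 2n)."""
    n = len(pixels)
    return [
        0.5 * _scale(i) * sum(p * math.cos((2 * x + 1) * i * math.pi / (2 * n))
                              for x, p in enumerate(pixels))
        for i in range(n)
    ]


def idct_1d(coeffs):
    """Inverse DCT: p_x = (1/2) sum_i C_i G_i cos((2x+1) i pi / 2n)."""
    n = len(coeffs)
    return [
        0.5 * sum(_scale(i) * g * math.cos((2 * x + 1) * i * math.pi / (2 * n))
                  for i, g in enumerate(coeffs))
        for x in range(n)
    ]


def quantize_keep(coeffs, keep: int):
    """Round the first `keep` coefficients and zero the rest (Exercise 5.5)."""
    return [round(g) if i < keep else 0 for i, g in enumerate(coeffs)]


def reconstruct(pixels, keep: int):
    """Pixels recovered after transform, quantization and inverse transform."""
    return [round(v) for v in idct_1d(quantize_keep(dct_1d(pixels), keep))]


def max_error(pixels, keep: int) -> int:
    """Largest absolute difference between original and reconstructed pixels."""
    return max(abs(p - q) for p, q in zip(pixels, reconstruct(pixels, keep)))


def inverse_roundtrip(pixels):
    """idct(dct(p)) with no quantization; equals p up to floating-point noise."""
    return [round(v, 6) for v in idct_1d(dct_1d(pixels))]


if __name__ == "__main__":
    pixels = [11, 22, 33, 44, 55, 66, 77, 88]
    print([round(g, 2) for g in dct_1d(pixels)])
    print(reconstruct(pixels, 2))        # [15, 20, 30, 43, 56, 69, 79, 84]
    print(max_error(pixels, 2))          # 4
```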

5.6: Looking at Figure 5.16, it is obvious that the block can be represented as a linearcombination of the 8 x 8 patterns in the leftmost column of the figure. These eighttransform coefficients will therefore be the only nonzero ones among the 64 coefficients.The actual calculation yields the eight weights 4, 0.72, 0, 0.85, 0, 1.27, 0, and 3.62 forthe patterns of this column.

Matlab code for Figure Ans.11 (panels a, b, cov(a), cov(b)):

   a=rand(32); b=inv(a);
   figure(1), imagesc(a), colormap(gray); axis square
   figure(2), imagesc(b), colormap(gray); axis square
   figure(3), imagesc(cov(a)), colormap(gray); axis square
   figure(4), imagesc(cov(b)), colormap(gray); axis square

Figure Ans.11: Covariance Matrices of Correlated and Decorrelated Values.


5.7: Figure Ans.13a is a uniform 8×8 image with one diagonal line above the main diagonal. Figure Ans.13b,c shows the first two steps in its pyramid decomposition. It is obvious that the transform coefficients in the bottom right subband (HH) indicate a diagonal artifact located above the main diagonal. It is also easy to see that subband LL is a low-resolution version of the original image.

   12 12 12 12 12 12 12 12
   16 12 12 12 12 12 12 12
   12 16 12 12 12 12 12 12
   12 12 16 12 12 12 12 12
   12 12 12 16 12 12 12 12      (a)
   12 12 12 12 16 12 12 12
   12 12 12 12 12 16 12 12
   12 12 12 12 12 12 16 12

   14 12 12 12 12 12 12 12
   12 14 14 12 12 12 12 12
   12 12 12 14 14 12 12 12
   12 12 12 12 12 14 14 12
    4  0  0  0  0  0  0  0      (b)
    0  4  4  0  0  0  0  0
    0  0  0  4  4  0  0  0
    0  0  0  0  0  4  4  0

   13 12 12 12  2  0  0  0
   13 13 12 12  2  2  0  0
   12 13 13 12  0  2  2  0
   12 12 13 13  0  0  2  2
    2  0  0  0  4  0  0  0      (c)
    2  2  0  0  4  4  0  0
    0  2  2  0  0  4  4  0
    0  0  2  2  0  0  4  4

Figure Ans.13: The Subband Decomposition of a Diagonal Line.

5.8: This is shown by multiplying the largest n-bit number, 11...1, by 4, which is easily done by shifting it two positions to the left. The result is the (n + 2)-bit number 11...100.

5.9: The zigzag sequence of these coefficients is 1118, 2, 0, −2, 0, ..., 0 (13 zeros), −1, 0, ..., 0 (46 zeros).

5.10: Perhaps the simplest approach is to manually figure out the zigzag path and to record it in an array zz of structures, where each structure contains a pair of coordinates for the path as shown, for example, in Figure Ans.14 (the 64 pairs are listed in path order, column by column).

   (0,0) (2,1) (1,4) (3,3) (4,3) (3,5) (7,2) (6,5)
   (0,1) (3,0) (2,3) (2,4) (5,2) (2,6) (7,3) (7,4)
   (1,0) (4,0) (3,2) (1,5) (6,1) (1,7) (6,4) (7,5)
   (2,0) (3,1) (4,1) (0,6) (7,0) (2,7) (5,5) (6,6)
   (1,1) (2,2) (5,0) (0,7) (7,1) (3,6) (4,6) (5,7)
   (0,2) (1,3) (6,0) (1,6) (6,2) (4,5) (3,7) (6,7)
   (0,3) (0,4) (5,1) (2,5) (5,3) (5,4) (4,7) (7,6)
   (1,2) (0,5) (4,2) (3,4) (4,4) (6,3) (5,6) (7,7)

Figure Ans.14: Coordinates for the Zigzag Path.

If the two components of a structure are zz.r and zz.c, then the zigzag traversal can be done by a loop of the form

   for (i=0; i<64; i++) {
     row = zz[i].r; col = zz[i].c;
     ... data_unit[row][col] ...
   }
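Instead of typing the 64 pairs of Figure Ans.14 by hand, the path can be generated: it walks the anti-diagonals r + c = d of the block, downward for odd d and upward for even d. The following added example (not code from the book) does that, scans a block with the path, and turns the scanned coefficients into the (zeros preceding, value) pairs that Exercises 5.9 and 5.12 reason about. The sample block is constructed from the zigzag sequence of Exercise 5.9; coordinates are (row, column) as in the figure.

```python
# Added example (not code from the book): generating the zigzag path of
# Figure Ans.14, scanning an 8x8 block with it, and run-length coding the
# AC coefficients as (run of zeros, value) pairs.

def zigzag_order(n: int = 8):
    """The n*n (row, col) pairs in zigzag order: anti-diagonals r + c = d,
    walked downward (row increasing) for odd d and upward for even d."""
    order = []
    for d in range(2 * n - 1):
        low, high = max(0, d - n + 1), min(d, n - 1)   # rows that exist on this diagonal
        rows = range(low, high + 1) if d % 2 else range(high, low - 1, -1)
        order.extend((r, d - r) for r in rows)
    return order


def zigzag_scan(block):
    """Flatten a square block (a list of rows) into its zigzag sequence."""
    return [block[r][c] for r, c in zigzag_order(len(block))]


def block_from_zigzag(sequence, n: int = 8):
    """Inverse of zigzag_scan: place a zigzag sequence back into an n*n block."""
    block = [[0] * n for _ in range(n)]
    for value, (r, c) in zip(sequence, zigzag_order(n)):
        block[r][c] = value
    return block


def run_length_pairs(ac_coefficients):
    """(zeros preceding, value) for every nonzero AC coefficient.  Trailing
    zeros produce no pair; a coder emits an end-of-block code instead."""
    pairs, zeros = [], 0
    for value in ac_coefficients:
        if value == 0:
            zeros += 1
        else:
            pairs.append((zeros, value))
            zeros = 0
    return pairs


# Constructed sample: the zigzag sequence of Exercise 5.9 (DC coefficient first).
EXAMPLE_SEQUENCE = [1118, 2, 0, -2] + [0] * 13 + [-1] + [0] * 46

if __name__ == "__main__":
    print(zigzag_order()[:10])                          # [(0, 0), (0, 1), (1, 0), (2, 0), (1, 1), ...]
    block = block_from_zigzag(EXAMPLE_SEQUENCE)
    print(zigzag_scan(block) == EXAMPLE_SEQUENCE)       # True
    print(run_length_pairs(EXAMPLE_SEQUENCE[1:]))       # [(0, 2), (1, -2), (13, -1)]
```

The third pair, (13, −1), is the situation of Exercise 5.12: thirteen zeros precede the coefficient, so Z = 13, and the pair (R, Z) selects the Huffman code while the coefficient's own bits follow it.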

5.11: The third DC difference, 5, is located in row 3, column 5, so it is encoded as

5.12: Thirteen consecutive zeros precede this coefficient, so Z = 13. The coefficient itself is found in Table 5.32 in row 1 column 0, so R = 1 and C = 0. Assuming that the Huffman code in position (R, Z) = (1, 13) of Table 5.33 is 1110101, the final code emitted for 1 is 1110101|0.

6.1: We know that m can be one of the 12 numbers 1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, and 25. These numbers are of the form 2n + 1 for certain nonnegative integers n, but m = 2n + 1 implies (m − 1)/2 = n, so (m − 1)/2 is a nonnegative integer. From this we conclude that

$$13m \bmod 26 = \bigl(13 + 13(m-1)\bigr) \bmod 26 = \Bigl(13 + 26\cdot\frac{m-1}{2}\Bigr) \bmod 26 = (13 + 26n) \bmod 26 = 13.$$

We therefore conclude that any multiplicative cipher transforms "n" into "N."

6.2: For m = 1, there are 25 such keys, because a = 0 is the only value that results in a fixed point. For the 11 values m > 1, odd values of a result in no fixed points. There are 13 such values, so the total number of no-fixed-point affine ciphers is 25 + 11 × 13 = 168.

To see why odd values of a have this property, we observe that a fixed point, i.e., the case x = x·m + a mod 26, is equivalent to x(m − 1) = −a mod 26. Since m is relatively prime to 26, it is odd, implying that m − 1, and therefore also the left-hand side, x(m − 1), is even. In order for a solution to exist, the right-hand side must also be even. If the right-hand side (i.e., a) is odd, there are no solutions to the fixed-point equation x = x·m + a mod 26, so there are no fixed-point ciphers for those keys.

6.3: The inverse of y = x·23 + 7 mod 126 is

$$\begin{aligned}
x &= 23^{-1}(y-7) \bmod 126 \\
  &= (23^{-1} \bmod 126)(y-7) \bmod 126 \\
  &= 11(y-7) \bmod 126 \\
  &= 11y - 77 \bmod 126 \\
  &= 11y + 49 \bmod 126.
\end{aligned}$$
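The affine cipher x → m·x + a (mod n) behind Exercises 6.1 to 6.3, as an added example (not code from the book), with the key checks those exercises carry out by hand: which letters a key leaves fixed, how many keys have no fixed point, and how a key is inverted. Letters map a = 0, ..., z = 25 and ciphertext is written in capitals; non-letters pass through unchanged. The inverse multiplier comes from Python's three-argument pow, which raises ValueError when m and n are not relatively prime, which is exactly the keys the cipher must reject.

```python
# Added example (not code from the book): the affine cipher of Chapter 6
# and the key properties of Exercises 6.1-6.3.
from math import gcd
from string import ascii_lowercase


def modular_inverse(m: int, n: int) -> int:
    """m^-1 mod n; ValueError when gcd(m, n) != 1 (Python 3.8+)."""
    return pow(m, -1, n)


def valid_multipliers(n: int = 26):
    """The m relatively prime to n: 12 values for n = 26."""
    return [m for m in range(1, n) if gcd(m, n) == 1]


def affine_encrypt(plaintext: str, m: int, a: int, n: int = 26) -> str:
    """x -> m*x + a (mod n) on the letters; ciphertext in capitals."""
    out = []
    for ch in plaintext.lower():
        if ch in ascii_lowercase[:n]:
            out.append(chr(ord("A") + (m * (ord(ch) - ord("a")) + a) % n))
        else:
            out.append(ch)
    return "".join(out)


def inverse_key(m: int, a: int, n: int = 26):
    """The key (m', a') with x = m'*y + a' (mod n), as derived in Exercise 6.3."""
    m_inv = modular_inverse(m, n)
    return m_inv, (-m_inv * a) % n


def affine_decrypt(ciphertext: str, m: int, a: int, n: int = 26) -> str:
    """Decryption is encryption with the inverse key."""
    m_inv, a_inv = inverse_key(m, a, n)
    return affine_encrypt(ciphertext, m_inv, a_inv, n).lower()


def fixed_points(m: int, a: int, n: int = 26):
    """Letters x with m*x + a = x (mod n): the cipher leaves them unchanged."""
    return [x for x in range(n) if (m * x + a) % n == x]


def keys_without_fixed_points(n: int = 26):
    """All (m, a) for which no letter encrypts to itself (168 for n = 26)."""
    return [(m, a) for m in valid_multipliers(n)
            for a in range(n) if not fixed_points(m, a, n)]


if __name__ == "__main__":
    print(affine_encrypt("attack at dawn", 5, 8))          # IZZISG IZ XIOV
    print(affine_decrypt("IZZISG IZ XIOV", 5, 8))          # attack at dawn
    print(len(keys_without_fixed_points()))                # 168 (Exercise 6.2)
    print(inverse_key(23, 7, 126))                         # (11, 49) (Exercise 6.3)
```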

6.4: The number of 64-bit keys is 2⁶⁴ = 18,446,744,073,709,551,616, or approximately 1.8 × 10¹⁹. The following examples illustrate the magnitude of this key space.

1. 2⁶⁴ seconds equal 584,942,417,355 years.
2. The unit of electrical current is the Ampere. One Ampere is defined as 6.24 × 10¹⁸ electrons per second. Even this huge number is smaller than 2⁶⁴.
3. Even light, traveling (in vacuum) at 299,792,458 m/s, takes 61,531,714,963 seconds (about 1,951 years) to cover 2⁶⁴ meters. This distance is therefore about 1951 light years.
4. In a fast, 5 GHz computer, the clock ticks five billion times per second. In one year, the clock ticks 5·10⁹·(3·10⁷) = 1.5·10¹⁷ times.
5. The mass of the sun is roughly 2·10³⁰ kg and the mass of a single proton is approximately 1.67·10⁻²⁷ kg. There are therefore approximately 10⁵⁷ protons in the sun. This number is about 2¹⁹⁰, so searching a keyspace of 190 bits is equivalent to trying to find a single proton in the sun (ignoring the fact that all protons are identical and that the sun is hot). The proverbial "needle in a haystack" problem pales in comparison.
6. The term femto, derived from the Danish femten, meaning fifteen, stands for 10⁻¹⁵. Thus, a femtometer is 10⁻¹⁵ m, and a cubic femtometer is 10⁻⁴⁵ cubic meters, an incredibly small unit of volume. A light year is about 10¹⁶ meters, so assuming that the universe is a sphere of radius 15 billion light years, its volume is (4/3)π(15 × 10⁹ × 10¹⁶)³ = 1.41372 × 10⁷⁹ cubic meters or about 10¹²⁴ cubic femtometers. This is roughly 2⁴¹¹, so searching a keyspace of 411 bits is like trying to locate a particular cubic femtometer in the entire universe.

These examples illustrate the power of large numbers and should convince any rational person that breaking a code by searching the entire key space is an illusion. Note, however, that this holds for the larger key sizes in the list, not for 64 bits: exhaustive search of the 56-bit DES key space was completed with special-purpose hardware in 1998, and the distributed.net RC5-64 project found a 64-bit key by brute force in 2002, which is why current ciphers use keys of at least 128 bits. As for the claim that "there is a chance that the first key tried will be the right one," for a 64-bit keyspace this chance is 2⁻⁶⁴. To get a feeling for how small this number is, consider that light travels 1.6 × 10⁻¹¹ meters (about a tenth of the diameter of an atom) in 2⁻⁶⁴ seconds.

7.1: Regardless of the particular monoalphabetic cipher used, once the ciphertext is ready, a computer counts the number of times each symbol appears and appends random symbols to the ciphertext such that each symbol appears the same number of times. Thus, if the most common symbol occurs 768 times in the ciphertext and symbol A appears 269 times, the random text will include 768 − 269 = 499 occurrences of A. The process of deciphering results in the plaintext, followed by random gibberish that can easily be identified and discarded.

7.2: For tables of digrams and trigrams in English and other languages, see [Gaines 56].

7.3: Figure Ans.15 illustrates such an alternative. The 26 letters are placed in a 5×5 grid (where I and J share the same place), where each grid location can be described by horizontal and vertical segments and an optional dot.

7.4: Follow each letter in the key polybiuscher with its first successor that is still not included in the key. Thus, p should be followed by q and o should be followed by p, but because p is already included in the key (as are q, r, and s), the o is followed by t. This process produces first the 22-letter string pqotlmyzbcikuvswhnefrx which is then extended in the same way to become the 25-letter string paqdogtlmyzbcikuvswhnefrx.

Figure Ans.15: A Variant of the Pigpen Cipher. (The letters A through Z, with I and J sharing one cell, fill a 5×5 grid; each letter is drawn as the segments bounding its cell, with or without a dot.)

7.5: FO → MF, LX → PU, LO → SM, WM → HL, EX → NE, EA → AT, YX → ZY. The ciphertext is FOLLOWMEEARLY → MFPUSMHLNEATZY.

7.6: The simplest choice is to use 3-digit numbers, where the leftmost digit is 0 or1. Thus the numbers are 000 through 199. A more sophisticated approach selects 200binary prefix codes (Section 3.3) and assigns the short codes to the common letters.

7.7: An integer N in the range [a, b] can be converted to an integer in the range [c, d] by the transformation

$$\operatorname{round}\Bigl((N-a)\,\frac{d-c}{b-a} + c\Bigr).$$

A simpler method is to use a generator that generates random real numbers R in the range [0, 1]. For each R, the value ⌊12 × R⌋ is examined. If it is in the right range (in the interval [1, 3] for a D), then it is used; otherwise, another random R is generated and examined.

8.1: A space-filling curve completely fills up a square (or, in general, part of a multi-dimensional space) by passing through every point in it. It does this by changing direction repeatedly. Figure Ans.16a–c shows examples of the well-known Hilbert, Sierpiński, and Peano curves. It is obvious that any square can be completely scanned by such a curve. Each space-filling curve is defined recursively and can be refined to fill a square grid of any size.

8.2: Collection can be done by diagonals, zigzags, or a spiral, as suggested by Figure 8.3. Collecting the plaintext of Figure 8.5 by diagonals from top right to bottom left results in the ciphertext BEJAIDHOCGNRFKQMPL. (See also Exercise 8.1.) There are, of course, many other ways to scan a square, such as going down the first column, up the second column, and alternating in this way.

8.3: After removing the spaces, the string is cut in two (nearly) equal parts WAITFORMEA and TMIDNIGHT, that are interlaced to form the ciphertext WtAmIiTdFnOiRgMhEtA (where the lowercase letters make it easy to recognize symbols from the second half).

Figure Ans.16: The Hilbert, Sierpiński, and Peano Curves ((a) Hilbert, (b) Sierpiński, (c) Peano).

8.4: A transposition method encrypts by a permutation, and the result of two consecutive permutations is another permutation. Thus, just combining several transposition methods does not, by itself, increase security. A combination of transposition ciphers may be more secure than any of its individual methods if the methods being combined use keys. A combination of several methods requires several keys, and the security provided by such a combination may be equivalent to that provided by a long key. Also, combining a transposition method and a substitution method (as in Section 8.6) may result in improved encryption.

8.5: This is trivial. The Caesar shift of one position results in the simple permutation

   abcdefghijklmnopqrstuvwxyz
   BCDEFGHIJKLMNOPQRSTUVWXYZA

which obviously has one cycle.

8.6: The three groups are BFIKMRV03, DLNQU2579, and GJ0SXZ148.

8.7: In an 8×8 template there should be 8·8/4 = 16 holes. The template is written as four 4×4 small templates, and each of the 16 holes can be selected in four ways. The total number of hole configurations is therefore 4¹⁶ = 4,294,967,296.

8.8: The letter D is the fourth one in the alphabet, implying that the template size should be 4×4. Of its 16 squares, only 16/4 = 4 should be holes. The first four letters of the key are DOGO, so they produce the numeric string 1324. The resulting template is shown in Figure Ans.17.

Figure Ans.17: A 4×4 Turning Template.

8.9: For 12 November 2001, the weighted sum is

50·1 + 51·2 + 52·1 + 53·1 + 54·0 + 55·1 = 312

and 312 mod 190 = 122. Thus, the page number is 123.

8.10: The second key is six letters long, so the initial rectangle has six columns. The length of the ciphertext is 32 letters. The quotient of 32 ÷ 6 is 5, so the rectangle has 5 + 1 = 6 rows. The remainder is 2, so the first two columns are full (six rows each) and the remaining four columns have five rows each. The second key is TRIPLE, which corresponds to the numeric sequence 652431. The ciphertext starts with the 5-letter string thbnc that's written into the last column (whose number is 1). This column has just five rows. The ciphertext continues with the 5-letter string rtttn that is placed in the third column (the one labeled 2), and so on. After six steps, the rectangle looks like the one in Figure 8.10b, and a similar process ends up with the rectangle of Figure 8.10a. Reading this rectangle in rows yields the plaintext.

8.11: Two simple variations on AMSCO are shown in Figure Ans.18. They are easy to figure out. AMSCO has been named after its developer, A. M. Scott, so if your name is Claude Isaac Fairchild, you would name your cipher CIFAIR.

Variation 1 (the plaintext COMEHOMEIMMEDIATELYALLISLOST written down the columns in 4-letter groups):

   Q  U  A  L  I  T  Y
   4  6  1  3  2  5  7
   C  H  I  D  E  L  L
   O  O  M  I  L  L  O
   M  M  M  A  Y  I  S
   E  E  E  T  A  S  T

Variation 2 (columns of unequal length, given here column by column as in the figure):

   Q  U  A  L  I  T  Y
   4  6  1  3  2  5  7
   C  M  E  O  M  I  M
   O  I  H  E  E  A  M
   D  A  T  L  Y  L  L
   I  L  O  T
   S     S

Figure Ans.18: Two Variations on AMSCO.

9.1: Assume that the key is an integer with digits d₁d₂...dₖ. To encode plain symbol i, examine digit dᵢ. If it is in the interval [0, 4], encode symbol i with cipher alphabet 1; otherwise, encode it with cipher alphabet 2. When plain symbol k + 1 is reached, go back to key digit d₁.

9.2: The first key letter, l, selects row 6, where c is replaced by U. The second key letter, o, selects row 8, where cipherletter H replaces plainletter o and vice versa.

9.3: We ignore the rightmost column for now. Without this column, the table consists of 27 rows, each a shifted copy of its predecessor. The bottom row is identical to the top row. This creates a table that is symmetric about the diagonal that starts at the bottom-left corner and goes toward the top-right corner. It is this symmetry that makes it easy to use the table. Because of this symmetry, we can either start on the left, slide to the right, stop, and slide up or we can start at the top, slide down, stop, and slide to the left, and end up at the same letter. The rightmost column is identical to the leftmost column and is added as the last step in the construction of the table.

9.4: A string of 26 letters specifies a permutation of the 26 letters because we can envision it written under the string ab...z. The idea is to find a permutation σ that doesn't equal any of the 25 powers σ², σ³, ..., σ²⁶. The table whose rows are the powers from σ to σ²⁶ will have 26 different rows and will be fully specified by σ, which is a string of 26 letters.

9.5: BUT⊔WILL⊔SHE⊔DECRYPT⊔MORE⊔AFGHAN is another good key. It is short and easy to memorize, and it produces the 20-letter string BUTWILSHEDCRYPMOAFGN. Appending the six remaining letters JKQVXZ to this string results in the permutation

   abcdefghijklmnopqrstuvwxyz
   BUTWILSHEDCRYPMOAFGNJKQVXZ

9.6: The four integers relatively prime to 8 are 1, 3, 5, and 7. They generate the following permutations (x → kx mod 8 on a = 0, ..., h = 7):

   (a b c d e f g h)   (a b c d e f g h)   (a b c d e f g h)   (a b c d e f g h)
   (a b c d e f g h)   (a d g b e h c f)   (a f c h e b g d)   (a h g f e d c b)

9.7: Equation (9.5) implies that the inverse matrix is obtained by multiplying by (1×3 − 2×0)⁻¹ mod 26 = 3⁻¹ mod 26 = 9, because 3·9 = 27 ≡ 1 (mod 26).

9.8: Imagine a plaintext that's 38 letters long. The first 36 letters can easily be encrypted and decrypted. Encrypting the remaining two letters is also easy, but decrypting them must be done by examining 25 strings of ciphertext and selecting the one whose first two letters are the last two plainletters. This may be ambiguous. Interestingly enough, a purely numeric sequence may sometimes make sense as, for example, in 1984 1949, which may refer to the book 1984, written in 1949.

9.9: The following table illustrates the idea of balanced codes.

   E T A O I N S H R D L U M W Y F C G B P K V X Q J Z
   0 1 2 3 4 5 6 7 8 9 0 1 2 2 1 0 9 8 7 6 5 4 3 2 1 0

The digit 0 is assigned to the most common and also the least common letters, the 1 is assigned to the second most common and the second least common letters, and so on.

9.10: Yes, as is easy to see by examining the following examples, in which the digits are added and subtracted modulo 10 without carry (notice the two occurrences of 22 in the ciphertext and how they produce different plaintexts):

   Encryption                          Decryption
   Plaintext    66 05 66 11 61         Ciphertext   22 61 88 22 27
   Key          66 66 22 11 66         Key          66 66 22 11 66
   Ciphertext   22 61 88 22 27         Plaintext    66 05 66 11 61

9.11: Each $p_i$ in the sum $\sum_{i=1}^{26} p_i^2$ is a probability, so it lies in the interval [0, 1], implying that $p_i^2$ cannot be bigger than $p_i$. The sum $\sum_{i=1}^{26} p_i$ equals 1, so the sum $\sum_{i=1}^{26} p_i^2$ cannot exceed 1. On the other hand, this sum cannot be less than 0.038, as shown below, so this sum lies in the right interval and is therefore a probability.

In order to place the lower limit of 0.038 on our sum, we observe that

$$\sum_{i=1}^{26}\Bigl(p_i - \frac{1}{26}\Bigr)^2 = \sum_{i=1}^{26} p_i^2 - \frac{2}{26}\sum_{i=1}^{26} p_i + \frac{26}{26^2} = \sum_{i=1}^{26} p_i^2 - \frac{1}{26} \ge 0,$$

which implies that

$$\sum_{i=1}^{26} p_i^2 \ge \frac{1}{26} \approx 0.038.$$

10.1: The logical operation XNOR (the inverse of XOR, denoted here by ⊙) also has the property: If B = A ⊙ K, then A = B ⊙ K.

10.2: We denote the ith bits of the plaintext, the keystream, and the ciphertext by dᵢ, kᵢ, and cᵢ = dᵢ ⊕ kᵢ, respectively. We assume that the keystream is random, i.e., P(kᵢ = 0) = 0.5 and P(kᵢ = 1) = 0.5. The plaintext isn't random, so we assume that P(dᵢ = 0) = p, which implies P(dᵢ = 1) = 1 − p. Table Ans.19 summarizes the four possible cases of dᵢ and kᵢ and their probabilities. The values of cᵢ and their probabilities for those cases are also listed. It is easy to see from the table that the probability of cᵢ being 0 is P(cᵢ = 0) = p/2 + (1 − p)/2 = 1/2, and similarly P(cᵢ = 1) = 1/2. The ciphertext produced by the Vernam cipher is therefore random, which makes this simple method unbreakable, provided that the keystream is truly random, at least as long as the plaintext, kept secret, and never reused (XORing two ciphertexts produced with the same keystream yields the XOR of the two plaintexts).

   dᵢ   P(dᵢ)   kᵢ   P(kᵢ)   cᵢ   P(cᵢ)
   0     p       0    1/2     0    p/2
   0     p       1    1/2     1    p/2
   1    1−p      0    1/2     1    (1−p)/2
   1    1−p      1    1/2     0    (1−p)/2

Table Ans.19: Truth Table of a Vernam Cipher.

10.3: The average word size in English is 4–5 letters. We therefore start by examining 4-letter words. There are 26 letters, so the number of combinations of 4 letters is 26⁴ = 456,976. A good English-language dictionary contains about 100,000 words. Assuming that half these words have 4 letters, the percentage of valid 4-letter words is 50000/26⁴ ≈ 0.11. The percentage of 5-letter words is obtained similarly as 50000/26⁵ ≈ 0.004. Random text may therefore have some short (2–4 letters) words, and very few 5–6 letter words, but longer words would be very rare.

10.4: Any 4-stage shift register where the rightmost stage is not a tap will serve. In such a shift register, the state 0001 is followed by 0000 regardless of which of the three left stages are taps.

10.5: The rightmost and leftmost stages of this shift register are taps. Therefore, a direct check produces the following 15-state sequence:

1000 1100 1110 1111 0111 1011 0101 1010 1101 0110 0011 1001 0100 0010 0001.
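The shift register of Exercises 10.4 and 10.5, and its use as the keystream of the XOR cipher of Exercises 10.1 and 10.2, as an added example (not code from the book). The register is a string of stages, leftmost first; on each tick the stages shift one place right and the new leftmost bit is the XOR of the tap stages, which is the convention that reproduces the 15 states listed above from the seed 1000 with taps at the leftmost and rightmost stages. The bit shifted out on the right is taken as the keystream bit; the choice of seed, the messages, and the tap positions for the degenerate register are assumptions for the demonstration.

```python
# Added example (not code from the book): a Fibonacci feedback shift register
# (Exercises 10.4, 10.5) driving a Vernam/XOR stream cipher (10.1, 10.2).

def lfsr_step(state: str, taps) -> str:
    """One clock tick.  taps are stage indexes, 0 being the leftmost stage."""
    feedback = 0
    for i in taps:
        feedback ^= int(state[i])
    return str(feedback) + state[:-1]


def lfsr_states(seed: str, taps, count: int):
    """The first `count` states, starting with the seed."""
    states, state = [seed], seed
    for _ in range(count - 1):
        state = lfsr_step(state, taps)
        states.append(state)
    return states


def lfsr_period(seed: str, taps):
    """Ticks until the seed recurs, or None if the register gets stuck first."""
    seen, state, steps = {seed}, lfsr_step(seed, taps), 1
    while state != seed:
        if state in seen:               # trapped in a cycle without the seed, e.g. 0000
            return None
        seen.add(state)
        state, steps = lfsr_step(state, taps), steps + 1
    return steps


def keystream(seed: str, taps, nbits: int):
    """The bits leaving the rightmost stage, one per clock tick."""
    bits, state = [], seed
    for _ in range(nbits):
        bits.append(int(state[-1]))
        state = lfsr_step(state, taps)
    return bits


def stream_xor(data: bytes, seed: str, taps) -> bytes:
    """Vernam-style encryption: XOR each byte with 8 keystream bits.
    The same call decrypts, because (d XOR k) XOR k = d (Exercise 10.1)."""
    bits = keystream(seed, taps, 8 * len(data))
    out = bytearray()
    for i, byte in enumerate(data):
        k = 0
        for bit in bits[8 * i: 8 * i + 8]:
            k = (k << 1) | bit
        out.append(byte ^ k)
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


if __name__ == "__main__":
    print(" ".join(lfsr_states("1000", [0, 3], 15)))   # the 15 states of Exercise 10.5
    print(lfsr_period("1000", [0, 3]))                 # 15
    print(lfsr_step("0001", [0, 1, 2]))                # 0000: rightmost stage not a tap (10.4)
    ciphertext = stream_xor(b"attack at dawn", "1000", [0, 3])   # constructed message
    print(stream_xor(ciphertext, "1000", [0, 3]))      # b'attack at dawn'
```

Two cautions the exercises lead up to. A 4-stage register repeats after at most 15 ticks, so the keystream is far from the random one assumed in Exercise 10.2, and in general the output of any linear shift register can be reconstructed from about twice its length in known keystream bits. And reusing a seed for two messages hands an eavesdropper the XOR of the two plaintexts: `xor_bytes(c1, c2)` equals `xor_bytes(m1, m2)`.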

10.6: The truth table of a basic Boolean function with 2 inputs has 4 elements (Table 10.1), so there can be 2⁴ = 16 Boolean functions of 2 inputs. Similarly, the truth table of a Boolean function with n inputs has 2ⁿ elements, so there can be 2^(2ⁿ) such tables. For n = 8, for example, the (huge) number of Boolean functions is 2^(2⁸) = 2²⁵⁶.

10.7: The output sequence of R₁ is the 7-bit repeating string 1001011. The output string of R₂ is the string 110101111000100 with a 15-bit period. The output of R₃ is the 31-bit periodic string 1001010110000111001101111101000. The final output is 1011101010100001011110110001110.

10.8: The output sequence of R₁ is the 7-bit periodic sequence 0011101. The output sequence of R₂ is the 31-bit sequence 1010000100101100111110001101110. The final output is 10000101111101110.

10.9: If location a of the table contains byte value a, then no special information is needed to construct the inverse table. It should be identical to the forward table.

11.1: The key is implicit in the particular table used. In the case of 3-bit blocks, for example, the table has 8 entries, so there can be 8! tables, and all the parties using this cipher have to agree upon which table to use.

11.2: Yes, if the cipher has enough rounds. In principle, it is possible to design a block cipher where each bit in the cipherblock is a function of all the bits of the plainblock.

11.3: The fact that an XOR is its own inverse is exploited. The XOR of (A ⊕ B) with B produces A.

11.4: The hexadecimal values of the four keys are

0101010101010101, 1F1F1F1F0E0E0E0E, E0E0E0E0F1F1F1F1, FEFEFEFEFEFEFEFE.

12.1: When an encrypted message is sent by Alice to Bob, it can be intercepted by Eve and copied. When the key is later sent, Eve may intercept it and use it to decrypt the message.

12.2: Mixing salt and pepper is a one-way operation in practice (in principle, they can be separated). Heat flow from high to low temperature in a closed system is a one-way process in principle. Giving birth is one-way in principle, while squeezing glue out of a tube is one-way in practice.

12.3: This is a direct result of the properties of the modulo function. In step 3, Alice computes

$$\beta^a \bmod 13 = (5^b \bmod 13)^a \bmod 13 = 5^{ba} \bmod 13,$$

and Bob computes the identical expression

$$\alpha^b \bmod 13 = (5^a \bmod 13)^b \bmod 13 = 5^{ab} \bmod 13.$$

12.4: The final key is computed, in step 3, as $L^{a\cdot b} \bmod P$ (or, identically, as $L^{b\cdot a} \bmod P$), so it is an integer in the range [0, P − 1]. Thus, there are only P possible values for the key, which is why P should be large. If we allow values L greater than P, then a user may accidentally select an L that is a multiple of P, which results in a key of 0, thereby providing an eavesdropper with useful information. If P is a prime and if L < P, then P is not a prime factor of $L^x$, so $L^x \bmod P$ cannot be zero.
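The exchange of Exercises 12.3 and 12.4 with the text's base L = 5 and modulus P = 13, as an added example (not code from the book). The secret exponents a = 2 and b = 3 are assumptions for the illustration. Besides checking that both parties obtain the same key and that a multiple of P gives the key 0, the example computes something the exercises do not mention but a practitioner checks first: the multiplicative order of L modulo P, which is the number of distinct keys the exchange can ever produce. With L = 5 it is only 4, so the eavesdropper of Exercise 12.4 has four keys to try, not thirteen.

```python
# Added example (not code from the book): Diffie-Hellman over the small
# parameters of Exercises 12.3-12.4, plus the order check that bounds the
# key space.

def dh_public(L: int, secret: int, P: int) -> int:
    """What one party sends: L^secret mod P."""
    return pow(L, secret, P)


def dh_shared_key(peer_public: int, secret: int, P: int) -> int:
    """What each party computes from the other's value: (L^x mod P)^y mod P."""
    return pow(peer_public, secret, P)


def dh_exchange(L: int, P: int, a: int, b: int):
    """Run both sides; return (Alice's value, Bob's value, Alice's key, Bob's key)."""
    alpha, beta = dh_public(L, a, P), dh_public(L, b, P)
    return alpha, beta, dh_shared_key(beta, a, P), dh_shared_key(alpha, b, P)


def multiplicative_order(L: int, P: int) -> int:
    """Smallest x > 0 with L^x = 1 (mod P); the key takes at most this many
    values.  Refuses L = 0 mod P, for which every key is 0 (Exercise 12.4)."""
    if L % P == 0:
        raise ValueError("L is a multiple of P: every key would be 0")
    x, power = 1, L % P
    while power != 1:
        power = power * L % P
        x += 1
    return x


if __name__ == "__main__":
    print(dh_exchange(5, 13, 2, 3))        # (12, 8, 12, 12): both sides get 12
    print(multiplicative_order(5, 13))     # 4: base 5 yields only four possible keys
    print(multiplicative_order(2, 13))     # 12: 2 generates the whole group modulo 13
    print(dh_public(26, 3, 13))            # 0: a multiple of P gives the key 0
```

Real deployments use a prime of at least 2048 bits together with a base that generates a large prime-order subgroup (or an elliptic-curve group); with a small-order base, as here, an eavesdropper simply tries every key.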

12.5: We arbitrarily select q = 10 and the two slopes a₁ = 1 and a₂ = 2. The two lines passing through point (5, 10) are computed by 10 = 1 × 5 + b₁ → b₁ = 5 and 10 = 2 × 5 + b₂ → b₂ = 0. Each of the two individuals involved receives one of the two pairs (1, 5) and (2, 0).

12.6: Denoting the secret by a, we select a number b at random and consider (a, b) a line pair (i.e., a slope and a y-intercept). We then select n different random values xᵢ and compute a yᵢ for each by means of yᵢ = axᵢ + b. The n pairs (xᵢ, yᵢ) are points on the line y = ax + b, and they are distributed to the n participants in the secret. Any two of them can use their two points to compute (a, b).

One restriction is that the slope a should not be zero. The line y = 0x + b is a horizontal line where all the points have the same y-coordinate b. This does not mean that any participant will be able to obtain the secret a single-handedly (after all, they do not know that the line is horizontal), but it is cryptographically weak. Another restriction is that no point should have an x-coordinate of zero. If we know that point (0, yᵢ) is on a line, then b can be obtained from the basic equation yᵢ = a·0 + b. This does not disclose the secret a, but it amounts to providing the opponent with a clue.

12.7: We randomly select the two values q = 1 and r = 2 and compute three planes that pass through the point (5, 1, 2). For the first plane, we select A = 1, B = 2, and C = 3, to obtain D = −13. For the second plane we randomly select A = 0, B = 2, and C = −1, and obtain D = 0. Similarly, we select for the third plane A = 1, B = 0, and C = 2, to obtain D = −9. The three quartets (1, 2, 3, −13), (0, 2, −1, 0) and (1, 0, 2, −9) are handed to the three individuals. Point (5, 1, 2) is obtained when the three simultaneous equations x + 2y + 3z − 13 = 0, 2y − z = 0, and x + 2z − 9 = 0 are solved.
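Exercises 12.5 to 12.7 hide a secret in the intersection of lines or planes over the reals. The standard generalization of that idea, Shamir's threshold scheme, is given below as an added example (not code from the book, and a generalization the text does not make): the polynomial lives in the integers modulo a prime p, the secret is its value at x = 0, each participant receives one point (x, f(x)), and any t of the n points recover the secret by Lagrange interpolation while t − 1 points reveal nothing. The two restrictions of Exercise 12.6 reappear naturally: the leading coefficient must not be zero (or the real threshold drops), and no share may use x = 0 (that point is the secret). The prime and the sample secret are assumptions for the example.

```python
# Added example (not code from the book): Shamir's (t, n) threshold scheme
# over a prime field, generalizing the line and plane constructions of
# Exercises 12.5-12.7.
import secrets

PRIME = 2**127 - 1       # a Mersenne prime (assumed field size); secrets must be below it


def _evaluate(coefficients, x: int, p: int) -> int:
    """f(x) mod p by Horner's rule; coefficients[i] multiplies x**i."""
    result = 0
    for c in reversed(coefficients):
        result = (result * x + c) % p
    return result


def split_secret(secret: int, threshold: int, shares: int, p: int = PRIME):
    """Return `shares` points (x, f(x)) on a random polynomial of degree
    threshold - 1 whose constant term is the secret."""
    if not 0 <= secret < p:
        raise ValueError("secret must lie in [0, p)")
    if not 1 < threshold <= shares < p:
        raise ValueError("need 1 < threshold <= shares < p")
    coefficients = [secret] + [secrets.randbelow(p) for _ in range(threshold - 1)]
    while coefficients[-1] == 0:
        # A zero leading coefficient lowers the real threshold by one: the
        # "slope must not be zero" restriction of Exercise 12.6.
        coefficients[-1] = secrets.randbelow(p)
    # x runs from 1: the point at x = 0 is the secret itself (Exercise 12.6).
    return [(x, _evaluate(coefficients, x, p)) for x in range(1, shares + 1)]


def recover_secret(points, p: int = PRIME) -> int:
    """Lagrange interpolation at x = 0 through the given points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        numerator, denominator = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                numerator = numerator * (-xj) % p
                denominator = denominator * (xi - xj) % p
        total = (total + yi * numerator * pow(denominator, -1, p)) % p
    return total


if __name__ == "__main__":
    shares = split_secret(1234, threshold=3, shares=5)            # constructed secret
    print(recover_secret(shares[:3]))                               # 1234
    print(recover_secret([shares[0], shares[2], shares[4]]))        # 1234
    print(recover_secret(shares[:2]) == 1234)                       # False: two points are not enough
```

With threshold = 2 the polynomial is the line of Exercise 12.6 and any two participants recover the secret; with threshold = 3 it plays the role of the three planes of Exercise 12.7. Working modulo a prime rather than over the reals is what makes "t − 1 shares reveal nothing" exact: every candidate secret is consistent with any t − 1 points.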

13.1: Data can be compressed because its original representation has redundancies. Secret data can be embedded in a cover in "holes" that exist in the cover because of redundancies. Thus, redundancy plays a central role in both fields (as well as in error-correcting codes).

13.2: Any phrase with the word love may indicate the letter N. Any phrase with a mention of speed may indicate the letter E, and any phrase including the name John may indicate a D. Thus, the text "Make haste. With love. John" indicates the word END.

13.3: The check digit is zero because

0×10 + 3×9 + 8×8 + 7×7 + 9×6 + 8×5 + 6×4 + 8×3 + 2×2 = 286 = 26×11.
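The ISBN-10 check of Exercise 13.3 as a function, as an added example (not code from the book), together with the errors the weighted mod-11 sum is designed to catch. The nine data digits are those of the exercise; the altered numbers are constructed for the demonstration. Because 11 is prime and every weight and every digit difference is smaller than 11, changing a single digit always breaks the check, and swapping two adjacent digits a and b changes the sum by a − b, so it too is detected whenever a ≠ b.

```python
# Added example (not code from the book): the ISBN-10 weighted mod-11 check
# of Exercise 13.3 and the error classes it detects.

def isbn10_weighted_sum(first_nine: str) -> int:
    """sum of digit_i * (10 - i) over the nine data digits, i = 0..8."""
    digits = [int(ch) for ch in first_nine.replace("-", "")]
    if len(digits) != 9:
        raise ValueError("need exactly nine data digits")
    return sum(d * (10 - i) for i, d in enumerate(digits))


def isbn10_check_digit(first_nine: str) -> str:
    """The digit that makes the full weighted sum a multiple of 11 ('X' = 10)."""
    remainder = (11 - isbn10_weighted_sum(first_nine) % 11) % 11
    return "X" if remainder == 10 else str(remainder)


def isbn10_is_valid(isbn: str) -> bool:
    """True if the ten characters (hyphens ignored) satisfy the mod-11 check."""
    body = isbn.replace("-", "").upper()
    if len(body) != 10 or not body[:9].isdigit() or body[9] not in "0123456789X":
        return False
    check = 10 if body[9] == "X" else int(body[9])
    return (isbn10_weighted_sum(body[:9]) + check) % 11 == 0


def single_digit_errors_detected(isbn: str) -> bool:
    """True if every change of one data digit makes the number invalid."""
    body = isbn.replace("-", "")
    for i in range(9):
        for d in "0123456789":
            if d != body[i] and isbn10_is_valid(body[:i] + d + body[i + 1:]):
                return False
    return True


if __name__ == "__main__":
    print(isbn10_weighted_sum("0-387-98682"))        # 286
    print(isbn10_check_digit("0-387-98682"))         # 0
    print(isbn10_is_valid("0-387-98682-0"))          # True
    print(isbn10_is_valid("0-387-98683-0"))          # False: one digit changed (constructed)
    print(isbn10_is_valid("0-387-89682-0"))          # False: two digits swapped (constructed)
```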

13.4: The text "hidden letters will defy simple codebreaking" looks innocent. These six words have 2, 2, 1, 2, 2, and 3 syllables, respectively, thus hiding the two triplets 221 and 223.

13.5: The data is "meet me at nine," hidden in the second letter of every word.

13.6: A direct check reveals the bits 00d0dd0d0d0ddd01d0101dd, where d stands for undefined.

13.7: An alternative solution is to have dictionary types with 2, 4, 8, 16, etc. words. If one bit remains to be hidden, a 2-word dictionary type is used to hide it regardless of the dictionary type that is specified by the current syntax rule for the next step.

13.8: This is straightforward. The sentences are "Alice is sending clean data," "Alice is sending clean clothes," "Alice is sending dirty data," "Alice is sending dirty clothes," then the same four sentences with "Alice is receiving..." instead of "sending," and then eight more sentences with "Bob" instead of "Alice," for a total of 16 sentences.

14.1: Use the same cover image only once. If two modified versions of the same image fall into the wrong hands, they may provide precious clues for the hiding algorithm.

14.2: Select two images. Use any of the approaches to produce pixel indexes, and hide the odd-numbered data bits in the pixels of one image and the even-numbered data bits in the pixels of the other image. This idea can be extended to three or more images. In its extreme version, it employs many images (perhaps stored as a personal image gallery in the sender's Web site) and hides one bit in each image.

14.3: The simplest method is to embed the data at the top of the image, then embed it again lower in the image, and so on, until the bottom of the image is reached. The decoder retrieves all the copies and compares them. The voting principle (Section 1.3) can be applied to correct errors. A slightly different approach is to use multiple images and hide one copy of the data in each image.

14.4: The bitmap size for this case is 3 × 2¹⁰ × 2¹⁰ = 3 × 2²⁰ = 3 Mbytes.

14.5: The results are shown in Table Ans.20 together with the Matlab code used to calculate them.

    n  binary  Gray       n  binary  Gray       n  binary  Gray       n  binary  Gray
       43210   43210         43210   43210         43210   43210         43210   43210
    0  00000   00000      8  01000   01100     16  10000   11000     24  11000   10100
    1  00001   00001      9  01001   01101     17  10001   11001     25  11001   10101
    2  00010   00011     10  01010   01111     18  10010   11011     26  11010   10111
    3  00011   00010     11  01011   01110     19  10011   11010     27  11011   10110
    4  00100   00110     12  01100   01010     20  10100   11110     28  11100   10010
    5  00101   00111     13  01101   01011     21  10101   11111     29  11101   10011
    6  00110   00101     14  01110   01001     22  10110   11101     30  11110   10001
    7  00111   00100     15  01111   01000     23  10111   11100     31  11111   10000

Table Ans.20: First 32 Binary and Gray Codes.

   a=linspace(0,31,32); b=bitshift(a,-1);
   b=bitxor(a,b); dec2bin(b)

Code For Table Ans.20.
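The same Gray code in Python, as an added example (not code from the book), with the inverse mapping the Matlab snippet does not give and a check of the property Table Ans.20 is meant to show: consecutive codes differ in exactly one bit, whereas in plain binary a single increment can flip every bit.

```python
# Added example (not code from the book): the binary-reflected Gray code of
# Table Ans.20, its inverse, and the one-bit-change property.

def to_gray(n: int) -> int:
    """Gray code of n: n XOR (n shifted right by one), as in the Matlab code."""
    return n ^ (n >> 1)


def from_gray(g: int) -> int:
    """Inverse: each binary bit is the XOR of the Gray bits at and above it."""
    n = 0
    while g:
        n ^= g
        g >>= 1
    return n


def hamming_distance(a: int, b: int) -> int:
    """Number of bit positions in which a and b differ."""
    return bin(a ^ b).count("1")


def gray_table(bits: int):
    """(n, binary, Gray) rows for n = 0 .. 2^bits - 1, the layout of Table Ans.20."""
    return [(n, format(n, f"0{bits}b"), format(to_gray(n), f"0{bits}b"))
            for n in range(1 << bits)]


def max_adjacent_distance(bits: int) -> int:
    """Largest Hamming distance between the Gray codes of n and n + 1."""
    codes = [to_gray(n) for n in range(1 << bits)]
    return max(hamming_distance(x, y) for x, y in zip(codes, codes[1:]))


def max_adjacent_distance_binary(bits: int) -> int:
    """The same for plain binary, where 01111 -> 10000 flips every bit."""
    return max(hamming_distance(n, n + 1) for n in range((1 << bits) - 1))


if __name__ == "__main__":
    for n, binary, gray in gray_table(5)[:8]:
        print(n, binary, gray)
    print(max_adjacent_distance(5), max_adjacent_distance_binary(5))   # 1 5
```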

14.6: The permutation 0 ↔ 2, 1 ↔ 3, up to 253 ↔ 255.

14.7: There are $\binom{m\cdot n}{2r-1}$ ways to choose 2r − 1 objects from a set of m·n objects. We can assign the integers from 1 to 2r − 1 to the first 2r − 1 elements of W, and this can be done in (2r − 1)! ways. We can then choose each of the remaining m·n − (2r − 1) elements at random from the set of (2r − 1) valid integers, and this can be done in $(2r-1)^{m\cdot n-(2r-1)}$ ways. The total number of ways to choose matrix W is therefore

$$\binom{m\cdot n}{2r-1}\,(2r-1)!\,(2r-1)^{m\cdot n-(2r-1)}.$$

For m = n = 8 and r = 5, this is $\binom{64}{9}\cdot 9!\cdot 9^{55}$, approximately 3 × 10⁶⁸, too big to allow for a brute force approach where every possible W is checked.

15.1: Each 0 would result in silence and each sample of 1 would result in the same tone. The result would be a nonuniform buzz. The amplitude is constant but the frequency varies. It is low when the sound contains long runs of zeros and ones.

15.2: The experiment should be repeated with several persons, preferably of different ages. The person should be placed in a sound-insulated chamber and a pure tone of frequency f should be played. The amplitude of the tone should be gradually increased from zero until the person can just barely hear it. If this happens at a decibel value d, point (d, f) should be plotted. This should be repeated for many frequencies until a graph similar to that in Figure 15.4a is obtained.

15.3: This is trivial. The filter coefficients are h(0) = 1 and h(2) = β. The combined signal is produced by y(j) = x(j)h(0) + x(j − 2)h(2).

15.4: By definition, F_2 has the value K_2 × C = [0,1,1,1,0]C = C_1 ⊕ C_2 ⊕ C_3 = 1010. To change it to 1101, we need the difference vector D = 1010 ⊕ 1101 = 0111. The computation described in the text (D is XORed into each row of C that K_2 selects) yields

    0001     0000     0001
    1000     0111     1111
    0101  ⊕  0111  =  0010
    0111     0111     0000
    0100     0000     0100

A direct check verifies that the new value of F_2 is K_2 × C = 1101 and that the two older files F_0 = K_0 × C = 1100 and F_1 = K_1 × C = 1110 haven't changed. This result has been achieved because rows C_1, C_2, and C_3 of C were modified such that the XORs of any two of them have been preserved.
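The update in Exercise 15.4, as an added example rather than code from the book. The rows of C and the key K_2 are the values of the exercise; K_0 and K_1 are not given there, so the two below are assumed (they are chosen so that F_0 = 1100 and F_1 = 1110 as the answer states, and so that each selects an even number of the rows C_1, C_2, C_3, which is what keeps those files intact). The `unchanged_files` check is the "direct check" of the answer made mechanical: it reports which other files survive an update, and therefore exposes a key that would be disturbed.

```python
# Added example (not from the book). Files F_i are XOR combinations of rows of a
# 5x4 bit matrix C selected by key vectors K_i: F_i = K_i x C (over GF(2)).
# The rows of C and K_2 are the values in Exercise 15.4; K_0 and K_1 are not
# given there and are ASSUMED here (chosen so that F_0 = 1100 and F_1 = 1110).

C = [0b0001, 0b1000, 0b0101, 0b0111, 0b0100]   # rows C_0 .. C_4 (from the exercise)
KEYS = {
    0: [1, 1, 1, 0, 0],   # assumed: C_0 ^ C_1 ^ C_2 = 1100
    1: [1, 1, 0, 1, 0],   # assumed: C_0 ^ C_1 ^ C_3 = 1110
    2: [0, 1, 1, 1, 0],   # from the exercise: C_1 ^ C_2 ^ C_3 = 1010
}

def file_value(rows, key):
    """F = K x C: XOR of the rows of C where the key vector has a 1."""
    v = 0
    for bit, row in zip(key, rows):
        if bit:
            v ^= row
    return v

def update_file(rows, keys, j, new_value):
    """Return a modified copy of rows so that file j reads new_value.
    The difference D = old ^ new is XORed into every row that K_j selects, so the
    XOR of any two modified rows is unchanged (the point made in the answer)."""
    if sum(keys[j]) % 2 == 0:
        raise ValueError("K_j must select an odd number of rows for D to appear in F_j")
    d = file_value(rows, keys[j]) ^ new_value
    return [row ^ d if bit else row for bit, row in zip(keys[j], rows)]

def unchanged_files(old_rows, new_rows, keys, j):
    """Indices i != j whose file value survived the update of file j."""
    return [i for i in keys
            if i != j and file_value(old_rows, keys[i]) == file_value(new_rows, keys[i])]

if __name__ == "__main__":
    new_c = update_file(C, KEYS, 2, 0b1101)
    for old, new in zip(C, new_c):
        print(f"{old:04b} -> {new:04b}")
    print("F_2 now", format(file_value(new_c, KEYS[2]), "04b"),
          "unchanged files:", unchanged_files(C, new_c, KEYS, 2))
```

A key that selects an odd number of the modified rows (for instance [0,1,0,0,1], which would pick up the change to C_1) does not survive the update, and `unchanged_files` omits it; a scheme built on this idea has to keep that constraint between all keys when it chooses them.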

15.5: We assume that the probability of a 1-bit is greater than 0.5. Therefore, regardless of the size of the region, the bit configuration with the highest probability is that of all 1s. When the size of the region is odd, this configuration has an odd number of 1s, so it has a parity of 1 and thus contributes to the probability of interest, raising it above 0.5. For an even-sized region, this bit configuration has an even number of bits and so is not included in the probability we compute, resulting in low probability (below 0.5).
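The argument in 15.5 can be checked numerically, and it goes a little beyond the answer: for n independent bits that are 1 with probability p, the probability of odd parity has the closed form (1 − (1 − 2p)^n)/2, because (1 − 2p)^n is the expected value of (−1)^(number of ones). For p > 0.5 the base 1 − 2p is negative, so odd n pushes the probability above 1/2 and even n below it, which is the dependence on region size the answer describes. This is an added example, not code from the book; the enumeration function is only there to confirm the formula on small n.

```python
# Added example (not from the book): probability that an n-bit region has odd parity
# when each bit is 1 independently with probability p, by brute-force enumeration
# and by the closed form P(odd) = (1 - (1 - 2p)^n) / 2.
from itertools import product

def odd_parity_prob_enum(n, p):
    """Sum the probabilities of all 2^n configurations with an odd number of 1s."""
    total = 0.0
    for bits in product((0, 1), repeat=n):
        ones = sum(bits)
        if ones % 2 == 1:
            total += p ** ones * (1 - p) ** (n - ones)
    return total

def odd_parity_prob(n, p):
    """Closed form: (1 - E[(-1)^ones]) / 2 with E[(-1)^ones] = (1 - 2p)^n."""
    return (1 - (1 - 2 * p) ** n) / 2

def parity_bias(n, p):
    """'above', 'below' or 'none': where P(odd) sits relative to 1/2."""
    q = odd_parity_prob(n, p)
    return "above" if q > 0.5 else "below" if q < 0.5 else "none"

if __name__ == "__main__":
    for n in range(1, 9):
        print(n, round(odd_parity_prob(n, 0.7), 4), parity_bias(n, 0.7))
```

Note the edge case p = 0.5: the base becomes 0, the probability is exactly 1/2 for every n > 0, and no parity bias remains to be measured.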

B.1: Since 5 is a prime, both addition and multiplication in GF(5) are done modulo 5. The tables are

    +  0 1 2 3 4        ×  0 1 2 3 4
    0  0 1 2 3 4        0  0 0 0 0 0
    1  1 2 3 4 0        1  0 1 2 3 4
    2  2 3 4 0 1        2  0 2 4 1 3
    3  3 4 0 1 2        3  0 3 1 4 2
    4  4 0 1 2 3        4  0 4 3 2 1

B.2: It is easy to add and multiply numbers modulo 4 and produce the tables

    +  0 1 2 3        ×  0 1 2 3
    0  0 1 2 3        0  0 0 0 0
    1  1 2 3 0        1  0 1 2 3
    2  2 3 0 1        2  0 2 0 2
    3  3 0 1 2        3  0 3 2 1

The multiplication table doesn't make sense, since 2 × 1 = 2 × 3 and 2 × 0 = 2 × 2. Elements 1 and 3 cannot be obtained by multiplying 2 by another element. Also, element 2 doesn't have a multiplicative inverse. This happens because 4 is not a prime and field element 2 is a factor of 4. Trying to define multiplication in GF(6) leads to similar results, because 2 and 3 are factors of 6.
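The contrast between B.1 and B.2, as an added example (not code from the book): the functions below build the addition and multiplication tables of the integers modulo any m and then test the property the two answers turn on, that every nonzero element has a multiplicative inverse. The test succeeds for m = 5 and fails for m = 4 and m = 6, and `zero_divisors` names the elements responsible (2 in Z_4; in Z_6 the elements 2, 3 and 4, since 4 × 3 is also 0 modulo 6).

```python
# Added example (not from the book): tables of Z_m and the field test that
# distinguishes GF(5) (Exercise B.1) from arithmetic modulo 4 or 6 (Exercise B.2).

def add_table(m):
    return [[(a + b) % m for b in range(m)] for a in range(m)]

def mul_table(m):
    return [[(a * b) % m for b in range(m)] for a in range(m)]

def inverses(m):
    """Map each nonzero element to its multiplicative inverse mod m, or None if it has none."""
    t = mul_table(m)
    out = {}
    for a in range(1, m):
        found = [b for b in range(1, m) if t[a][b] == 1]
        out[a] = found[0] if found else None
    return out

def zero_divisors(m):
    """Nonzero a for which some nonzero b gives a*b = 0 mod m; these can never have inverses."""
    t = mul_table(m)
    return sorted({a for a in range(1, m) for b in range(1, m) if t[a][b] == 0})

def is_field(m):
    """Z_m is a field exactly when every nonzero element is invertible (i.e. m is prime)."""
    return m > 1 and all(v is not None for v in inverses(m).values())

def format_table(t, op):
    """Render a table in the layout used for the answers above."""
    header = op + "  " + " ".join(str(i) for i in range(len(t)))
    rows = [f"{i}  " + " ".join(str(v) for v in row) for i, row in enumerate(t)]
    return "\n".join([header] + rows)

if __name__ == "__main__":
    for m in (5, 4, 6):
        print(format_table(mul_table(m), "x"))
        print("field:", is_field(m), " zero divisors:", zero_divisors(m), "\n")
```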

B.3: The additive inverse of a polynomial a(x) is itself because the coefficients of the sum a(x) + a(x) are either 0 + 0 or 1 + 1 = 0.

B.4: It is easy to show that x^8 + 1 = (x^4 + 1)^2:

    (x^4 + 1)(x^4 + 1) = x^4 × x^4 + x^4 × 1 + 1 × x^4 + 1 × 1 = x^8 + x^4 × (1 + 1) + 1 = x^8 + 1.

B.5: GF(6) does not exist because 6 is not a prime and cannot be expressed as an integer power of a prime.

B.6: We start with the product 2 × 2 in GF(4). In binary this is 10 × 10 and in polynomial notation it is (x + 0)(x + 0). This equals x^2, and x^2 mod (x^2 + x + 1) is the polynomial x + 1, which in our notation is 11_2 or 3. (See Section B.2 and especially Exercise B.11 for polynomial modulo computations.) Another example in GF(4) is the product 2 × 3, which is x(x + 1) = x^2 + x. When computed modulo x^2 + x + 1, the result is 1. The last example is the product 5 × 6 in GF(8). This is the polynomial product (x^2 + 1)(x^2 + x). It equals x^4 + x^3 + x^2 + x, which when computed modulo x^3 + x + 1 yields a remainder of x + 1 or 011_2 = 3.

B.7: A look at Table B.1 shows that the additive inverse (in some sense it is the "negative") of each element is itself. The multiplicative inverses (reciprocals) of the seven nonzero elements are 1, 5, 6, 7, 2, 3, and 4. Notice that 0 does not have a reciprocal and may sometimes be considered its own inverse.

B.8: The multiplication table of GF(5) (Exercise B.1) shows that the smallest n for which 3^n = 1 is n = 4 = 5 − 1. Hence, the exponential representation of GF(5) with respect to 3 is (0, 3, 3^2 = 4, 3^3 = 2, 3^4 = 1).

B.9: This is easy. The multiplication table of GF(4) shows that the smallest n such that 2^n = 1 is 3 = 4 − 1, and the same is true for element 3.

B.10: Let α be any root of x^4 + x^3 + 1. From α^4 + α^3 + 1 = 0 we get α^4 = α^3 + 1 and the entire exponential representation of GF(16) can be constructed from this relation (Table Ans.21). Notice how the first four powers of α (elements 1, 2, 4, and 8) form a basis for the polynomial representation of GF(16).

    expo. repr.   polynomial repr.        binary   decimal
    0             0                       0000      0
    α^0           1                       0001      1
    α^1           α                       0010      2
    α^2           α^2                     0100      4
    α^3           α^3                     1000      8
    α^4           α^3 + 1                 1001      9
    α^5           α^3 + α + 1             1011     11
    α^6           α^3 + α^2 + α + 1       1111     15
    α^7           α^3 + α^2 + α           1110     14
    α^8           α^2 + α + 1             0111      7
    α^9           α^2 + 1                 0101      5
    α^10          α^3 + α                 1010     10
    α^11          α^3 + α^2 + 1           1101     13
    α^12          α + 1                   0011      3
    α^13          α^2 + α                 0110      6
    α^14          α^3 + α^2               1100     12
    α^15          1                       0001      1

Table Ans.21: Exponential and Polynomial Representations of GF(16).

The only exercise some people get is jumping to conclusions, running down their friends, side-stepping responsibility, and pushing their luck!

—Anonymous

B.11: A polynomial division can be summarized in a form similar to the long division of integers, so Figure Ans.22 employs this form to summarize the results of the three divisions. Figure Ans.22a shows a quotient of (x^3 + x + 1) and a remainder (modulo) of 0. Figure Ans.22b has the same quotient and the modulo x. The quotient of Figure Ans.22c is 1 and the modulo is (x^3 + x + 1). The coefficients are added modulo 2, so each subtraction step in the figure is an XOR of the two polynomials.

(a)  (x^5 + x^2 + x + 1) ÷ (x^2 + 1)

              x^3 + x + 1
  x^2 + 1 ) x^5 + x^2 + x + 1
            x^5 + x^3
            -----------------
                  x^3 + x^2 + x + 1
                  x^3 + x
                  -----------------
                        x^2 + 1
                        x^2 + 1
                        -------
                              0

(b)  (x^5 + x^2 + 1) ÷ (x^2 + 1)

              x^3 + x + 1
  x^2 + 1 ) x^5 + x^2 + 1
            x^5 + x^3
            -------------
                  x^3 + x^2 + 1
                  x^3 + x
                  -------------
                        x^2 + x + 1
                        x^2 + 1
                        -----------
                                  x

(c)  (x^4 + x^3 + x) ÷ (x^4 + 1)

              1
  x^4 + 1 ) x^4 + x^3 + x
            x^4 + 1
            -------------
                  x^3 + x + 1

Figure Ans.22: Three Polynomial Divisions.
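One block of code serves the polynomial computations of Exercises B.6, B.7, B.10 and B.11, since they all rest on the same division of polynomials over GF(2). This is an added example, not code from the book. Polynomials are held as integers with bit i standing for the coefficient of x^i (so x^3 + x + 1 is 0b1011); `poly_divmod` performs the long division of Figure Ans.22 step by step, `gf_mul` reduces a product modulo the field polynomial as in B.6, `gf_inverse` finds the reciprocals listed in B.7, and `exp_table` builds the exponential representation of B.10 from the relation α^4 = α^3 + 1 (i.e. from the modulus x^4 + x^3 + 1). The exhaustive-search inverse is fine for fields this small; it is not how a production implementation would do it.

```python
# Added example (not from the book). Polynomials over GF(2) are Python ints
# (bit i = coefficient of x^i), so x^3 + x + 1 is 0b1011.

def poly_divmod(f, d):
    """Long division of f by d over GF(2): returns (quotient, remainder).
    Each step XORs a shifted copy of d under the current leading term, exactly
    as the hand computations in Figure Ans.22 do."""
    if d == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q, r = 0, f
    while r and r.bit_length() >= d.bit_length():
        shift = r.bit_length() - d.bit_length()
        q |= 1 << shift
        r ^= d << shift
    return q, r

def poly_mul(a, b):
    """Carry-less product of two GF(2) polynomials (no reduction)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        b >>= 1
    return result

def gf_mul(a, b, modulus):
    """Multiplication in GF(2^n) defined by an irreducible modulus of degree n."""
    return poly_divmod(poly_mul(a, b), modulus)[1]

def gf_inverse(a, modulus):
    """Multiplicative inverse by exhaustive search (fields here are tiny); None for 0."""
    n = modulus.bit_length() - 1
    for b in range(1, 1 << n):
        if gf_mul(a, b, modulus) == 1:
            return b
    return None

def exp_table(modulus, alpha=0b10):
    """Powers alpha^0 .. alpha^(2^n - 2): the exponential representation of Exercise B.10."""
    n = modulus.bit_length() - 1
    table = [1]
    for _ in range((1 << n) - 2):
        table.append(gf_mul(table[-1], alpha, modulus))
    return table

def poly_str(p):
    """Readable form, e.g. 0b1011 -> 'x^3 + x + 1'."""
    if p == 0:
        return "0"
    terms = []
    for i in range(p.bit_length() - 1, -1, -1):
        if p >> i & 1:
            terms.append("1" if i == 0 else "x" if i == 1 else f"x^{i}")
    return " + ".join(terms)

if __name__ == "__main__":
    # the three divisions of Figure Ans.22
    for f, d in ((0b100111, 0b101), (0b100101, 0b101), (0b11010, 0b10001)):
        q, r = poly_divmod(f, d)
        print(f"({poly_str(f)}) / ({poly_str(d)}): quotient {poly_str(q)}, remainder {poly_str(r)}")
    print("GF(8) inverses:", [gf_inverse(a, 0b1011) for a in range(1, 8)])
    for k, v in enumerate(exp_table(0b11001)):
        print(f"alpha^{k:<2} = {v:04b} = {v:2d} = {poly_str(v).replace('x', 'alpha')}")
```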

Polynomial Division. If f(x) and d(x) ≠ 0 are polynomials, and the degree of d(x) is less than or equal to the degree of f(x), then there exist unique polynomials q(x) and r(x), such that

and such that the degree of r(x) is less than the degree of d(x). In the special case where r(x) = 0, we say that d(x) divides evenly into f(x).

Those who think they have not time for bodily exercise will sooner or later have to find time for illness.

—Edward Stanley,

Glossary

Adaptive compression. A compression method that modifies its operations and/or its parameters according to new data read from the input stream. Examples are the adaptive Huffman method of Section 3.6 and the dictionary-based methods of Chapter 4. (See also Semiadaptive compression.)

Adversary. The eavesdropper, the opponent, the enemy, or any other mischievous person who tries to compromise our security.

AES. Advanced Encryption Standard, adopted by NIST as a replacement for the DES.

Affine cipher. The term affine refers to a linear function, a function of the form f(x) = ax + b, where b is nonzero. The affine cipher (in the Introduction) is an extension of the basic Caesar cipher, where a plainletter is multiplied by a key before the Caesar key is added to it. (See also Affine transformations, Caesar cipher.)
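The affine cipher described in this entry, as an added example (not code from the book): each letter index x in 0..25 becomes (a·x + b) mod 26, and with a = 1 the cipher is the plain Caesar shift. The part a glossary definition leaves implicit is the key check: decryption needs the inverse of a modulo 26, which exists only when a is coprime with 26; any other multiplier maps two plainletters to the same cipherletter and cannot be undone. The 26-letter alphabet and the sample keys below are my choices, not values from the book.

```python
# Added example (not from the book): affine cipher E(x) = (a*x + b) mod 26 on A-Z,
# with the key validity check that decryption requires.
from math import gcd

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
M = len(ALPHABET)

def key_is_valid(a):
    """The multiplier a must be invertible modulo 26, i.e. gcd(a, 26) == 1."""
    return gcd(a, M) == 1

def valid_multipliers():
    """All usable multiplicative keys for a 26-letter alphabet."""
    return [a for a in range(1, M) if key_is_valid(a)]

def affine_encrypt(text, a, b):
    if not key_is_valid(a):
        raise ValueError(f"a={a} is not invertible modulo {M}: two plainletters would collide")
    return "".join(ALPHABET[(a * ALPHABET.index(ch) + b) % M] if ch in ALPHABET else ch
                   for ch in text.upper())

def affine_decrypt(text, a, b):
    a_inv = pow(a, -1, M)   # modular inverse (Python 3.8+); raises ValueError for a bad key
    return "".join(ALPHABET[(a_inv * (ALPHABET.index(ch) - b)) % M] if ch in ALPHABET else ch
                   for ch in text.upper())

if __name__ == "__main__":
    ct = affine_encrypt("ATTACK AT DAWN", 5, 8)   # constructed sample message and key
    print(ct, "->", affine_decrypt(ct, 5, 8))
    print("usable multipliers:", valid_multipliers())
```

Only 12 of the 25 possible multipliers are usable, and with 26 shifts that gives a key space of 312; the entry's remark that this is an extension of the Caesar cipher also tells you it inherits the Caesar cipher's weakness to exhaustive search.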

Affine transformations. Two-dimensional or three-dimensional geometric transformations, such as scaling, reflection, rotation, and translation, that preserve parallel lines. (See also Affine cipher.)

Algorithm. A mathematical procedure where a task is executed in a finite sequence of steps.

Alice. A term for the first user of cryptography in discussions and examples. Bob's associate.

Alphabet. The set of all possible symbols in the input stream. In text compression the alphabet is normally the set of 128 ASCII codes. In image compression it is the set of values a pixel can take (2, 16, 256, or anything else). (See also Symbol.)

Anagram. A word, phrase, or sentence formed from another by rearranging its letters: "erects" is an anagram of "secret."

504 Glossary

In Bruce Schneier's definitive introductory text Applied Cryptography he introduces a table of dramatis personae headed by Alice and Bob. Others include Carol (a participant in three- and four-party protocols), Dave (a participant in four-party protocols), Eve (an eavesdropper), Mallory (a malicious active attacker), Trent (a trusted arbitrator), Walter (a warden), Peggy (a prover) and Victor (a verifier). These names for roles are either already standard or, given the wide popularity of the book, may be expected to quickly become so.

— The New Hacker's Dictionary, ver. 4.2.2

Arithmetic coding. A statistical compression method (Section 3.8) that assigns one (normally long) code to the entire input stream, instead of assigning codes to the individual symbols. The method reads the input stream symbol by symbol and appends more bits to the code each time a symbol is input and processed. Arithmetic coding is slow, but it compresses at or close to the entropy, even when the symbol probabilities are skewed. (See also Model of compression, Statistical methods.)

ASCII code. The standard character code on all modern computers (although Unicode is becoming a competitor). ASCII stands for American Standard Code for Information Interchange. It is a (1 + 7)-bit code, meaning 1 parity bit and 7 data bits per symbol. As a result, 128 symbols can be coded (see appendix in the book's Web page). They include the upper- and lowercase letters, the ten digits, some punctuation marks, and control characters. (See also Unicode.)

Asymmetric algorithm. A cryptographic algorithm where different keys are used for encryption and decryption. Most often a public-key algorithm.

Asymmetric key. A cryptographic technique where encryption and decryption use different keys.

Attack. An approach used by a codebreaker to decrypt encrypted data or to reveal hidden data. An attack may use brute force, where every key is tried, or a sophisticated approach such as differential cryptanalysis. An attacker may use only known ciphertext or known ciphertext and plaintext.

Authentication. The process of verifying that a particular name really belongs to a particular entity.

Authenticity. The ability to ensure that the given information was in fact produced by the entity whose name or identification it carries and that it was not forged or modified.

Back door. A feature in the design of an algorithm that permits those familiar with the feature to bypass the security of the algorithm. The term trapdoor refers to a similar feature.

Barcodes. A decimal code expressed as a combination of black and white bars of various widths. It employs a check digit for added reliability (see UPC and Section 2.2).

Bark. Unit of critical band rate. Named after Heinrich Georg Barkhausen and used in audio applications. The Bark scale is a nonlinear mapping of the frequency scale over the audio range, a mapping that matches the frequency selectivity of the human ear.

Bi-level image. An image whose pixels have two different colors. The colors are normally referred to as black and white, "foreground" and "background," or 1 and 0. (See also Bitplane.)

Bitplane. Each pixel in a digital image is represented by several bits. The set of all the kth bits of all the pixels in the image is the kth bitplane of the image. A bi-level image, for example, consists of two bitplanes. (See also Bi-level image.)

Bitrate. In general, the term bitrate refers to both bpb and bpc. In MPEG audio, however, this term is used to indicate the rate at which the compressed stream is read by the decoder. This rate depends on where the stream comes from (such as disk, communications channel, memory). If the bitrate of an MPEG audio file is, e.g., 128Kbps, then the encoder will convert each second of audio into 128K bits of compressed data, and the decoder will convert each group of 128K bits of compressed data into one second of sound. Lower bitrates mean smaller file sizes. However, as the bitrate decreases, the encoder must compress more audio data into fewer bits, eventually resulting in a noticeable loss of audio quality. For CD-quality audio, experience indicates that the best bitrates are in the range of 112Kbps to 160Kbps. (See also Bits/char.)

Bits/char. Bits per character (bpc). A measure of the performance in text compression. Also a measure of entropy. (See also Bitrate, Entropy.)

Bits/symbol. Bits per symbol. A general measure of compression performance.

Block cipher. A symmetric cipher that encrypts a message by breaking it down into blocks and encrypting each block. DES, IDEA, and AES are block ciphers.

Block coding. A general term for image compression methods that work by breaking the image into small blocks of pixels and encoding each block separately. JPEG (Section 5.9) is a good example, since it processes blocks of 8×8 pixels.

Block decomposition. A method for lossless compression of discrete-tone images. The method works by searching for, and locating, identical blocks of pixels. A copy B of a block A is compressed by preparing the height, width, and location (image coordinates) of A, and compressing those four numbers by means of Huffman codes. (See also Discrete-tone image.)

Block matching. A lossless image compression method based on the LZ77 sliding window method originally developed for text compression. (See also LZ methods.)

BMP. BMP is the native format for image files in the Microsoft Windows operating system. It has been modified several times since its inception but has remained stable from version 3 of Windows. BMP is a palette-based graphics file format for images with 1, 2, 4, 8, 16, 24, or 32 bitplanes. It uses a simple form of RLE to compress images with 4 or 8 bitplanes.

Bob. A term used for the second user in cryptographic discussions and examples. Alice's associate.

BPCS steganography. A sophisticated algorithm for hiding data bits in individual bitplanes of an image. (See Section 14.2.)

Caesar cipher. A cipher where each letter is replaced by the letter located cyclically n positions in front of it in the alphabet. (See also Affine cipher.)

Camouflage. A term in steganography. Any steganography method that hides a data file D in a cover file A by scrambling D and then appending it to A.

Check bits. Bits that are added to data to increase its redundancy and thus make it more reliable. Most check bits are parity bits, but in principle a check bit may be selected at random. (See also Parity bits.)

Check digit. An extra digit appended to an important number (such as a credit card number) that provides redundancy and can detect many common errors that may occur when the number is keyed, dialed, read, or pronounced. See Chapter 2.

Checksum. A numeric value used to verify the integrity of a block of data. (See CRC.)

Chrominance. Components of color. They represent color in terms of the presence or absence of blue (Cb) and red (Cr) for a given luminance intensity. (See also Luminance.)

Cipher. A key-based algorithm that transforms a message between plaintext and ciphertext. A cryptographic algorithm.

Ciphertext. Data after being encrypted with a cipher, as opposed to plaintext.

Circular queue. A basic data structure (Section 4.1.1) that moves data along an array in circular fashion, updating two pointers to point to the start and end of the data in the array.

Code (in cryptography). A cryptographic technique that uses a codebook to replace words and letters in the plaintext with symbols from the codebook.

Codec. A term used to refer to both encoder and decoder.

Codes. A code is a symbol that stands for another symbol. In computer and telecommunications applications, codes are virtually always binary numbers. The ASCII code is the de facto standard, although the new Unicode is used on several new computers and the older EBCDIC is still used on some old IBM computers. (See also ASCII, Code, Unicode.)

Combiner. A mechanism that mixes two data items into a single result. The XOR operation is a common combiner because it is reversible. Other examples are the Geffe generator and the summation generator. (See Latin square combiner, Geffe generator, and Section 10.4.)

Compact disc error control. A special version of the Reed-Solomon code design for use in a CD. (See Section 1.11 and Reed-Solomon codes.)

Compression factor. The inverse of compression ratio. It is defined as

    compression factor = size of the input stream / size of the output stream.

Values greater than 1 mean compression, and values less than 1 imply expansion. (See also Compression ratio.)

Compression gain. This measure is defined as

    100 log_e (reference size / compressed size),

where the reference size is either the size of the input stream or the size of the compressed stream produced by some standard lossless compression method.

Compression ratio. One of several measures that are commonly used to express the efficiency of a compression method. It is the ratio

    compression ratio = size of the output stream / size of the input stream.

A value of 0.6 means that the data occupies 60% of its original size after compression. Values greater than 1 mean an output stream bigger than the input stream (negative compression).

Sometimes the quantity 100 × (1 − compression ratio) is used to express the quality of compression. A value of 60 means that the output stream occupies 40% of its original size (or that the compression has resulted in a savings of 60%). (See also Compression factor.)

Confidentiality. Ensuring that information is not disclosed to people who aren't authorized to receive it.

Confusion. The part of an encryption algorithm that modifies the correspondence between plain symbols and cipher symbols. (See also Diffusion.)

Context. The N symbols preceding the next symbol. A context-based model uses context to assign probabilities to symbols.

Context-free grammar (CFG). A set of rewriting (or production) rules used to generate strings of various patterns. CFGs are used by the steganographic method Mimic Functions to generate innocuous text files that hide data. (See Mimic functions.)

Continuous-tone image. A digital image with a large number of colors such that adjacent image areas with colors that differ by just one unit appear to the eye as having continuously varying colors. An example is an image with 256 grayscale values. When adjacent pixels in such an image have consecutive gray levels, they appear to the eye as a continuous variation of the gray level. (See also Bi-level image, Discrete-tone image, Grayscale image.)

Correlation. A statistical measure of the linear relation between two paired variables. The values of R range from −1 (perfect negative relation) to 0 (no relation), to +1 (perfect positive relation).

Cover (in steganography). A piece of data in which another datum is hidden. Also known as a host, or a carrier.

CRC. An error-detecting code (Appendix C) based on polynomial operations. It is appended to a block of data to increase its error-detection and correction capabilities. (See Checksum.)

The CRC result is an excellent (but linear) hash value corresponding to the data. Compared with other hash alternatives, CRCs are simple and straightforward. They are well understood. They have a strong and complete basis in mathematics, so there can be no surprises. CRC error-detection is mathematically tractable and provable without recourse to unproven assumptions. Such is not the case for most cryptographic hash constructions.

Cryptanalysis. The science and art of breaking encryption (recovering plaintext from ciphertext when the key is unknown).

Cryptanalyst. One who tries to break encrypted codes.

Cryptographer. One who develops encryption methods.

Cryptography. The art and science of using mathematics to obscure the meaning of data by applying transformations to the data that are impractical or impossible to reverse without the knowledge of some key. The term comes from the Greek for "hidden writing."

Cryptology. The branch of mathematics concerned with secret writing in all its forms. It includes cryptography, cryptanalysis, and steganography.

Indiman drew from a locked drawer in the big centre-table the long strip of bluish paper covered with its incomprehensible dashes. "One of the oldest of devices for secret writing," he remarked. "This slip of paper was originally wrapped about a cylinder of a certain diameter and the message traced upon it, and it can only be deciphered by rerolling it upon another cylinder of the same diameter. Easy enough to find the right one by the empiric method—I mean experiment. Once you recognize the fundamental character of the cryptogram the rest follows with ridiculous certainty. Behold!"

—Van Tassel Sutphen, The Gates of Chance

Cryptoperiod. The amount of time a particular key is used. Sometimes refers to the amount of data encrypted with it.

Cryptosystem. An encryption and decryption algorithm (cipher), together with all its possible plaintexts, ciphertexts, and keys.

Data encryption standard (DES). A block cipher based on the work of Horst Feistel in the 1970s that is widely used in commercial systems. DES is a 64-bit block cipher with a 56-bit key organized in 16 rounds of operations.

Data hiding. See Steganography.

Data key. A cryptographic key that encrypts data, as opposed to a key that encrypts other keys. Also called a session key.

Decibel. A logarithmic measure that can be used to measure any quantity that takes values over a very wide range. A common example is sound intensity. The intensity (amplitude) of sound can vary over a range of 11-12 orders of magnitude. Instead of using a linear measure, where numbers as small as 1 and as large as 10^11 would be needed, a logarithmic scale is used, where the range of values is [0, 11].

Decipher. To transform an encrypted message (ciphertext) back to the original message (plaintext).

Decode. To decipher.

Decoder. A decompression program (or algorithm).

Decryption. To extract encrypted data and make it readable. To decipher. (See also Decipher, Decode, Encryption.)

DES. See Data Encryption Standard.

Dictionary-based compression. Compression methods (Chapter 4) that save pieces of the data in a "dictionary" data structure (normally a tree). If a string of new data is identical to a piece already saved in the dictionary, a pointer to that piece is output to the compressed stream. (See also LZ methods.)

Differential cryptanalysis. A technique for attacking a cipher by feeding it carefully selected plaintext and watching for patterns in the ciphertext.

Diffie-Hellman (DH). A public-key cryptography algorithm that generates a shared secret key between two entities after they publicly share some randomly generated data.

Diffusion. An important principle of encryption. Changing one plain-symbol will change adjacent or nearby cipher-symbols. In a block cipher, diffusion propagates bit changes from one part of a block to other parts of the same block. Diffusion is achieved by mixing, and the step-by-step process of increasing diffusion is described as avalanche. (See also Confusion.)

Digital signature. Data value generated by a public-key algorithm based on the content of a block of data and on a private key. It generates an individualized checksum.

Digram. A pair of consecutive symbols.

Discrete cosine transform (DCT). A variant of the discrete Fourier transform (DFT) that produces just real numbers. The DCT (Sections 5.6.2 and 5.9.2) transforms a set of numbers by combining n numbers to become an n-dimensional point and rotating it in n dimensions such that the first coordinate becomes dominant. The DCT and its inverse, the IDCT, are used in JPEG (Section 5.9) to compress an image with acceptable loss, by isolating the high-frequency components of an image so that these can later be quantized. (See also Transform.)

Discrete-tone image. A discrete-tone image may be bi-level, grayscale, or color. Such images are (with few exceptions) artificial, having been obtained by scanning a document or grabbing a computer screen. The pixel colors of such an image do not vary continuously or smoothly but have a small set of values such that adjacent pixels may differ much in intensity or color. (See also Block decomposition, Continuous-tone image.)

Discrete wavelet transform. The discrete version of the continuous wavelet transform. A wavelet is represented by means of several filter coefficients, and the transform is carried out by matrix multiplication (or a simpler version thereof) instead of by calculating an integral. (See also Decomposition.)

EAN-13. A 13-digit barcode that may replace UPC as the standard for labeling products. The rightmost digit is a check digit that adds redundancy and thereby increases reliability when the barcode is scanned. (See also Barcodes, UPC, and Section 2.2.2.)

Embedding capacity. A concept in steganography. A measure of the amount of data that can be hidden in a cover.

Encipher. To transform an original message (plaintext) to an encrypted message (ciphertext).

Encode. To encipher.

Encoder. A compression program (or algorithm).

Encryption. The transformation of plaintext into ciphertext through a mathematical process.

Entropy. The entropy of a single symbol a_i is defined (in Section 1.1) as −P_i log_2 P_i, where P_i is the probability of occurrence of a_i in the data. The entropy of a_i is the smallest number of bits needed, on average, to represent symbol a_i. Claude Shannon, the creator of information theory, coined the term entropy in 1948, since this term is used in thermodynamics to indicate the amount of disorder in a physical system. (See also Entropy encoding, Information theory.)

Entropy encoding. A lossless compression method where data can be compressed such that the average number of bits/symbol approaches the entropy of the input symbols. (See also Entropy.)

Error-control codes. A general term for error-detecting and error-correcting codes.

Error-correcting code. Codes that increase data reliability for errors by adding redundancy. Such codes can automatically correct certain errors and can also detect (but not correct) more serious errors.

Error-detecting code. Codes that increase data reliability for errors by adding redundancy to the data. Such codes can automatically detect (but not correct) certain errors.

Eve. A term used in cryptography discussions and examples for the ubiquitous eavesdropper.

Exclusive-OR (XOR). A logical (Boolean) operation that is also its own inverse, which makes it useful in cryptography. It is identical to adding two bits modulo 2.

Facsimile compression. Transferring a typical page between two fax machines can take up to 10-11 minutes without compression. This is why the ITU has developed several standards for compression of facsimile data. The current standards (Section 3.7) are T4 and T6, also called Group 3 and Group 4, respectively. (See also ITU.)

Factor. Given an integer N, a factor is any integer that divides it without a remainder.

Factoring. The process of finding the prime factors of an integer.

Feistel cipher. A special class of iterated block ciphers where the ciphertext is calculated from the plaintext by repeated application of the same transformation (called a round function).

Field. A set of mathematical entities satisfying certain rules. Finite fields, also called Galois fields (Appendix B), are used in cryptography in the Rijndael (AES) algorithm and in stream ciphers. They are also used to design sets of channel codes with a given Hamming distance. (See also Group.)

Function. A mathematical relationship between two values called the input and the output such that for each input there is precisely one output.

Galois field. See Field.

Geffe generator. A method used by nonlinear stream ciphers to combine two streams of pseudorandom bits. (See Combiner and Section 10.4.)

Generating polynomials. Special polynomials used to generate sets of channel codes with a given Hamming distance.

GIF. An acronym that stands for Graphics Interchange Format. This format was developed by CompuServe Information Services in 1987 as an efficient, compressed graphics file format that allows for images to be sent between computers. The original version of GIF is known as GIF 87a. The current standard is GIF 89a. (See also Patents.)

Giga. The quantity giga is defined as 2^30 = 1,073,741,824. In contrast, a billion is defined (in the United States) as 10^9. (See Mega.)

Golomb code. The Golomb codes consist of an infinite set of parametrized prefix codes. They are the best ones for the compression of data items that are distributed geometrically. (See also Unary Code.)

Gray codes. These are binary codes for the integers, where the codes of consecutive integers differ by one bit only. Such codes are used when a grayscale image is separated into bitplanes, each a bi-level image. (See also Grayscale image.)

Grayscale image. A continuous-tone image with shades of a single color. (See also Continuous-tone image.)

Group. A set of mathematical entities obeying certain rules. (See Field.)

Hamming check digits. An error-correcting method that corrects single-digit errors in a decimal number by appending check digits to it. See Section 2.10.

Hamming codes. A type of error-correcting code for 1-bit error correction, where it is easy to generate the required parity bits. (See also SEC-DED codes.)

Hamming distance. The Hamming distance of two binary codes is the number of positions where the two codes differ. The Hamming distance of a set of codes is the maximum distance of all the pairs of codes in the set. It is easy to show that a code with a Hamming distance of d + 1 can detect all d-bit errors and a code with a Hamming distance of 2d + 1 can also correct all d-bit errors.
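The detection and correction bounds quoted in this entry, as an added example (not code from the book). The d + 1 and 2d + 1 rules apply to the smallest distance between any two codewords of the set, which is what `min_distance` computes; with that value, `capability` returns how many bit errors the set detects and corrects, and `nearest_codeword` performs the correction by picking the unique closest codeword, returning None when two codewords tie (an error beyond the correction capability). The four 5-bit codewords are a constructed sample with minimum distance 3.

```python
# Added example (not from the book): Hamming distance of a code set and the
# detect/correct capability the d+1 and 2d+1 rules give it.

def hamming_distance(a, b):
    """Number of positions in which two equal-length bit strings differ."""
    if len(a) != len(b):
        raise ValueError("codes must have equal length")
    return sum(x != y for x, y in zip(a, b))

def min_distance(codes):
    """Smallest pairwise distance in the set; the bounds below depend on this value."""
    return min(hamming_distance(a, b) for i, a in enumerate(codes) for b in codes[i + 1:])

def capability(codes):
    """(detectable errors, correctable errors): distance d+1 detects d, 2d+1 corrects d."""
    dmin = min_distance(codes)
    return dmin - 1, (dmin - 1) // 2

def nearest_codeword(received, codes):
    """Decode by the unique closest codeword; None when the closest distance is tied."""
    ranked = sorted((hamming_distance(received, c), c) for c in codes)
    if len(ranked) > 1 and ranked[0][0] == ranked[1][0]:
        return None
    return ranked[0][1]

# Constructed sample set: every pair differs in at least 3 positions.
CODES = ["00000", "01011", "10101", "11110"]

if __name__ == "__main__":
    print("min distance", min_distance(CODES), "detect/correct", capability(CODES))
    for received in ("01001", "01101"):          # 1-bit error, then a 2-bit error
        print(received, "->", nearest_codeword(received, CODES))
```

A received word at distance 2 from its codeword is still detected (it is not a codeword) but may be miscorrected or reported as a tie, which is exactly why a distance-3 code is rated as detecting two errors but correcting only one.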

Hashing. An operation that scrambles the bits of a data item to obtain a value that can be used as a pointer to a data structure called a hash table.

Hide and seek. Steganography software to hide data in the least significant bits of an image. (See also LSB and Section 15.10.2.)

Hill cipher. A polyalphabetic cipher that employs the modulus function and techniques of linear algebra. (See Section 9.10.)

Homophonic substitution cipher. A cryptographic technique where each plainletter has several potential cipherletters that can replace it. The word comes from the Greek for the same sound. (See Section 7.10.)

Therefore, though the whole point of his "Current Shorthand" is that it can express every sound in the language perfectly, vowels as well as consonants, and that your hand has to make no stroke except the easy and current ones with which you write m, n, and u, l, p, and q, scribbling them at whatever angle comes easiest to you, his unfortunate determination to make this remarkable and quite legible script serve also as a Shorthand reduced it in his own practice to the most inscrutable of cryptograms.

—George Bernard Shaw, Pygmalion (1916)

Huffman coding. A popular method for data compression (Section 3.5). It assigns a setof "best" variable-size codes to a set of symbols based on their probabilities. It servesas the basis for several popular programs used on personal computers. Some of themuse just the Huffman method, while others use it as one step in a multistep compressionprocess. The Huffman method is somewhat similar to the Shannon-Fano method. It

Glossary 513

generally produces better codes, and like the Shannon-Fano method, it produces bestcode when the probabilities of the symbols are negative powers of 2. The main differencebetween the two methods is that Shannon-Fano constructs its codes from top to bottom(from the leftmost to the rightmost bits), while Huffman constructs a code tree fromthe bottom up (building the codes from right to left). (See also Statistical methods.)

IBM check digit. A sophisticated error-detection scheme that employs a single check digit to detect certain errors in an arbitrary number of data digits. (See also Barcodes and Section 2.8.)

IDEA. A patented block cipher developed by James Massey and Xuejia Lai in 1992. It uses a 128-bit key and 64-bit blocks. IDEA uses no internal tables and is known mostly because it is used in PGP. (See also Pretty good privacy (PGP).)

Information theory. A mathematical theory that quantifies information. It shows how to measure information so that one can answer the question "How much information is included in this piece of data?" with a precise number! Information theory is the creation, in 1948, of Claude Shannon, of Bell Labs. (See also Entropy.)

Inline encryptor. A hardware product that automatically encrypts all data passing along a data link.

International Data Encryption Algorithm (IDEA). (See IDEA.)

Invisibility. A measure of the quality of a steganographic method.

Involution. Any mapping that is its own inverse.

ISBN. The international standard book number (ISBN) is an identifying number that is assigned to virtually every book published. It employs a check digit for added reliability (see Section 2.1).

ISO. The International Standards Organization. This is one of the organizations responsible for developing standards. Among other things, it is responsible (together with the ITU) for the JPEG and MPEG compression standards. (See also ITU.)

ITU. The International Telecommunications Union, the new name of the CCITT, is a United Nations organization responsible for developing and recommending standards for data communications (not just compression).

JFIF. The full name of this method (Section 5.9.8) is JPEG File Interchange Format. It is a graphics file format that makes it possible to exchange JPEG-compressed images between different computers. The main features of JFIF are the use of the YCbCr triple-component color space for color images (only one component for grayscale images) and the use of a marker to specify features missing from JPEG, such as image resolution, aspect ratio, and features that are application specific.


JPEG. A sophisticated lossy compression method (Section 5.9) for color or grayscale still images (not movies). It also works best on continuous-tone images, where adjacent pixels have similar colors. One advantage of JPEG is the use of many parameters, allowing the user to adjust the amount of data loss (and thus also the compression ratio) over a very wide range. There are two main modes: lossy (also called baseline) and lossless (which typically gives a 2:1 compression ratio). Most implementations support just the lossy mode. This mode includes progressive and hierarchical coding.

The main idea behind JPEG is that an image exists for people to look at, so when the image is compressed, it is acceptable to lose image features to which the human eye is not sensitive.

The name JPEG is an acronym that stands for Joint Photographic Experts Group. This was a joint effort by the CCITT and the ISO that started in June 1987. The JPEG standard has proved successful and has become widely used for image presentation, especially in Web pages.

Kerckhoffs' principle. An important principle in cryptography. It states that the security of an encrypted message must depend on keeping the key secret and should not depend on keeping the encryption algorithm secret.

Key. Information (normally secret) used to encrypt or decrypt a message in a distinctive manner. A key may belong to an individual or to a group of users.

Key distribution. The process (or rather the problem) of safely distributing a cryptographic key to a (possibly large) group of authorized parties.

Key escrow. A scheme for storing copies of cryptographic keys so that a third, authorized party can recover them if necessary to decrypt messages.

Key space. The number of possible key values. For example, there are 2^64 key values for a 64-bit key. (See Exercise 6.4.)

Kraft-MacMillan inequality. A relation that says something about unambiguous variable-size codes. Its first part states: Given an unambiguous variable-size code, with n codes of sizes $L_i$, then

The second part states the opposite: Given a set of n positive integers $(L_1, L_2, \ldots, L_n)$ that satisfy the above inequality, there exists an unambiguous variable-size code such that $L_i$ are the sizes of its individual codes. Together, both parts say that a code is unambiguous if and only if it satisfies the above inequality.
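The following is an added example for the Huffman coding and Kraft-MacMillan entries; it is not code from the book. The form of the inequality, the sum over all codewords of 2^(-L_i) being at most 1, is stated here from general knowledge, since the displayed formula did not survive in the text above. The code builds a Huffman code bottom-up from constructed symbol counts, checks the prefix (unambiguity) property and the Kraft sum, and implements the constructive second part of the theorem: given lengths that satisfy the inequality, it assigns codewords in increasing length order (the canonical construction) and obtains a prefix-free code. All symbol names and counts are made up for the example.

```python
import heapq
from fractions import Fraction
from itertools import count


def huffman_code(weights):
    """Bottom-up Huffman construction from {symbol: weight}; returns {symbol: codeword}."""
    ticket = count()  # tie-breaker so the heap never has to compare tree tuples
    heap = [(w, next(ticket), sym) for sym, w in weights.items()]
    heapq.heapify(heap)
    if len(heap) == 1:
        return {heap[0][2]: "0"}
    while len(heap) > 1:
        w1, _, left = heapq.heappop(heap)
        w2, _, right = heapq.heappop(heap)
        heapq.heappush(heap, (w1 + w2, next(ticket), (left, right)))
    codes = {}

    def walk(node, prefix):
        if isinstance(node, tuple):       # internal node: (left, right)
            walk(node[0], prefix + "0")
            walk(node[1], prefix + "1")
        else:                             # leaf: a symbol
            codes[node] = prefix
    walk(heap[0][2], "")
    return codes


def is_prefix_free(codes):
    """No codeword is a prefix of another: the 'unambiguous' property."""
    words = list(codes.values())
    return not any(a != b and b.startswith(a) for a in words for b in words)


def kraft_sum(lengths):
    """Exact value of the sum of 2^(-L_i); the inequality requires it to be <= 1."""
    return sum(Fraction(1, 2 ** L) for L in lengths)


def code_from_lengths(lengths):
    """Constructive half of the theorem: lengths that satisfy the inequality always
    admit a prefix code. Canonical construction: visit lengths in increasing order,
    each codeword is the previous one plus 1, left-shifted up to its own length."""
    if kraft_sum(lengths) > 1:
        raise ValueError("lengths violate the Kraft-MacMillan inequality")
    order = sorted(range(len(lengths)), key=lambda i: lengths[i])
    codes = [None] * len(lengths)
    code, prev_len = 0, 0
    for i in order:
        code <<= lengths[i] - prev_len
        codes[i] = format(code, "b").zfill(lengths[i])
        code += 1
        prev_len = lengths[i]
    return codes


def average_length(codes, weights):
    """Expected codeword length in bits per symbol under the given weights."""
    total = sum(weights.values())
    return sum(weights[s] * len(c) for s, c in codes.items()) / total


# Constructed sample: symbol counts of a made-up 10-symbol message.
SAMPLE_COUNTS = {"a": 4, "b": 2, "c": 2, "d": 1, "e": 1}

if __name__ == "__main__":
    codes = huffman_code(SAMPLE_COUNTS)
    print(codes)
    print("average length:", average_length(codes, SAMPLE_COUNTS))
    print("Kraft sum:", kraft_sum(len(c) for c in codes.values()))
    print("code from lengths [3, 1, 3, 2]:", code_from_lengths([3, 1, 3, 2]))
```

For the sample counts the Huffman code is complete, so its Kraft sum is exactly 1; a set of lengths such as [1, 1, 2] sums to more than 1 and `code_from_lengths` rejects it, which is the first half of the theorem seen from the other side.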

Laplace distribution. A probability distribution similar to the normal (Gaussian) distribution, but narrower and sharply peaked. The general Laplace distribution with variance V and mean m is given by

$$\frac{1}{\sqrt{2V}}\,\exp\!\left(-\sqrt{\frac{2}{V}}\,|x - m|\right).$$

Experience seems to suggest that the values of pixels in many images are Laplace distributed, which is why this distribution is used in some image compression methods.

Latin square combiner. A cryptographic combining algorithm. In a simple Latin square combiner algorithm, two consecutive plaintext symbols A and B are used to select a third symbol C from the square and the resulting ciphertext consists of either A and C or B and C. (See also Combiner and Section 10.7.)

LFSR. A simple, efficient technique to produce a large number of pseudorandom bits. (See Stream cipher, Shift register, and Section 10.3.)

Lossless compression. A compression method where the output of the decoder is identical to the original data compressed by the encoder. (See also Lossy compression.)

Lossy compression. A compression method where the output of the decoder is different from the original data compressed by the encoder but is nevertheless acceptable to a user. Such methods are common in image and audio compression, but not in text compression, where the loss of even one character may result in ambiguous or incomprehensible text. (See also Lossless compression, Subsampling.)

LSB. The least significant (rightmost) bit of a data item. (See also LSB encoding, MSB.)

LSB encoding. Steganographic methods that hide data in the least significant bits of an image. (See also Hide and seek, BPCS, LSB, Steganography, S-tools, Stego, and Section 14.1.)
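An added example for the LSB encoding entry (and the Invisibility and Robustness measures defined elsewhere in this glossary); it is not code from the book or from any of the tools the entry names. It embeds a payload one bit per sample into the least significant bits of a constructed grayscale byte array, prefixed by a 32-bit length header so extraction knows where to stop, and then performs the two checks a practitioner would want: no sample moves by more than 1 (the invisibility side), and the payload does not survive even a coarse requantization of the samples, which stands in here for lossy processing (the robustness side). The cover, the payload and the requantization step are all constructed for the example.

```python
def _to_bits(data):
    """Big-endian bit list of a byte string."""
    return [(byte >> (7 - k)) & 1 for byte in data for k in range(8)]


def _from_bits(bits):
    """Inverse of _to_bits; trailing bits that do not fill a byte are dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(str(b) for b in bits[i:i + 8]), 2))
    return bytes(out)


def embed_lsb(cover, payload):
    """Replace the LSB of successive cover samples with payload bits.
    A 32-bit big-endian length header is embedded first."""
    bits = _to_bits(len(payload).to_bytes(4, "big") + payload)
    if len(bits) > len(cover):
        raise ValueError("cover too small: one payload bit per cover sample")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)


def extract_lsb(stego):
    """Read the length header, then that many payload bytes, from the LSB plane."""
    header = _from_bits([s & 1 for s in stego[:32]])
    n = int.from_bytes(header, "big")
    n = min(n, (len(stego) - 32) // 8)   # a damaged header must not read past the cover
    return _from_bits([s & 1 for s in stego[32:32 + 8 * n]])


def max_sample_change(cover, stego):
    """Invisibility check: an LSB rewrite moves a sample by at most 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def requantize(samples, step):
    """Stand-in for lossy processing: truncate every sample to a multiple of `step`."""
    return bytes((s // step) * step for s in samples)


# Constructed 64x64 "grayscale image": a smooth ramp with a little texture.
COVER = bytes((x + y + (x * y) % 7) % 256 for y in range(64) for x in range(64))

if __name__ == "__main__":
    secret = b"constructed payload"
    stego = embed_lsb(COVER, secret)
    print(extract_lsb(stego), "max change:", max_sample_change(COVER, stego))
    print("after requantization:", extract_lsb(requantize(stego, 4)))
```

The capacity is (len(cover) - 32) // 8 payload bytes, one bit per sample; the header guard in `extract_lsb` is there because after lossy processing the length field is as corrupted as everything else.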

Luminance. A component of color. Roughly speaking, luminance corresponds to brightness as perceived by the human eye. (See also Chrominance.)

LZ methods. All dictionary-based compression methods are based on the work of J. Ziv and A. Lempel published in 1977 and 1978. Today, these are called the LZ77 and LZ78 methods, respectively. The ideas of Ziv and Lempel have been a source of inspiration to many researchers, who generalized, improved, and combined them with RLE and statistical methods to form many commonly used adaptive compression methods for text, images, and audio. (See also Block matching, Dictionary-based compression, Sliding-window compression.)

LZW. This is a popular variant (Section 4.4) of LZ78, developed by Terry Welch in 1984. Its main feature is eliminating the second field of a token. An LZW token consists of just a pointer to the dictionary. As a result, such a token always encodes a string of more than one symbol. (See also Patents.)

Mega. Mega is defined as 2^20 = 1,048,576. In contrast, a million is defined as 10^6. (See Giga.)

Mimic functions. A steganographic method that uses context-free grammars to generate innocuous text files that hide data. (See Context-free grammar (CFG) and Section 13.8.)


Monoalphabetic substitution cipher. A cryptographic algorithm with a fixed substitution rule. (See Chapter 7.)

MSB. The most significant (leftmost) bit of a data item. (See also LSB.)

Multiple encryption. The process of encrypting an already encrypted ciphertext. Such secondary encryption should be done with a different key, not the key used for the first encryption. Multiple encryption may involve more than two encryption steps. The main advantage of multiple encryption is that the input to the second encryption step is the output of the first step, so it is ciphertext that looks random. An attack on the second encryption step should therefore produce something that looks random, making it extremely hard for the codebreaker to decide whether the attack was successful. Multiple encryption also helps to protect the cipher from a known plaintext attack.

National Computer Security Center (NCSC). A United States government organization that evaluates computing equipment for high-security applications.

National Institute of Standards and Technology (NIST). An agency of the United States government that establishes national standards.

National Security Agency (NSA). A branch of the United States Department of Defense responsible for intercepting foreign communications and for ensuring the security of United States government communications.

Network encryption. Cryptographic services applied to data above the data link level but below the application software level in a network. This allows cryptographic protections to use existing networking services and existing application software in a way that's transparent to the user.

Nomenclator. A cipher that consists of a list where each entry associates a letter, syllable, word, or name with a number. Encryption is done by finding a plain word in the list and replacing it by the corresponding number. If a word is not found in the list, its syllables or letters are individually replaced by numbers.

Nonrepudiation. Accountability. An important but unachievable goal of cryptography. The idea that the reception of a message cannot later be denied by the receiver. Today, after more than a decade of trying to achieve nonrepudiation by technical means, most workers in this area have given up and admit that this goal can be achieved only by legal means.

Nyquist rate. The minimum rate at which an analog signal (a wave) has to be sampled (i.e., digitized) in order not to lose information when the samples are played back.

One-time pad. A random sequence of bits that is as long as the message itself and is used as a key. Alternative definition: A Vernam cipher in which one bit of new, purely random key is used for every bit of data being encrypted. (See Vernam cipher.)

Parity bits. Bits that are added to data for increased reliability. Given a group of bits, the number of 1s in the group is counted and the parity bit is chosen to make this number odd (for odd parity) or even (for even parity). (See also Check bits and Section 1.5.)


Patents. A mathematical algorithm can be patented if it is intimately associated with software or firmware implementing it. Several compression methods, most notably LZW, have been patented, creating difficulties for software developers who work with GIF, UNIX compress, or any other system that uses LZW. (An anonymous reviewer's comment: GIF was actually patented twice, once by Welch and again by Miller and Wegman. In addition, the LZW patent has now expired.) (See also GIF, LZW.)

Pel. The smallest unit of a facsimile image; a dot. (See also Pixel.)

Periodic codes. Channel codes designed to correct bursts of errors.

Permutation. Any arrangement or rearrangement of symbols or data items.

Pixel. The smallest unit of a digital image; a dot. (See also Pel.)

Plaintext. An as-yet unencrypted message.

Polyalphabetic substitution. A cryptographic technique where the rule of substitution changes all the time.

Polynomial. A function of the form $P_n(x) = a_0 + a_1 x + a_2 x^2 + \cdots + a_n x^n$. Polynomials are simple functions that have many practical applications.

PPM. A compression method that assigns probabilities to symbols based on the context (long or short) in which they appear. (See also Prediction.)

Prediction. Assigning probabilities to symbols. (See also PPM.)

Pretty good privacy (PGP). Encryption software developed by Philip Zimmermann. PGP (version 2) encrypts a message with the IDEA algorithm and uses public-key cryptography to encrypt the IDEA key. Today (late 2004) GnuPG and OpenPGP are commonly used. (See IDEA and Section 12.4.)

Prime. Any positive integer that's evenly divisible only by itself and by 1. The number 1 is considered neither prime nor nonprime. The integer 2 is the only even prime. Prime numbers have important applications in public-key cryptography.

Private key. The key used to decrypt messages in any implementation of public-key cryptography.

PRNG. A pseudorandom number generator. This is a hardware device or a software procedure that uses deterministic rules to generate a sequence of numbers that passes tests of randomness. (See Pseudorandom numbers, Random numbers.)

Pseudorandom numbers. A sequence of numbers that appears to be random but is constructed according to deterministic rules. (See PRNG, Random numbers.)

Public key. The key used to encrypt messages in any implementation of public-key cryptography.

Public-key algorithm. A cipher that uses a pair of keys, a public key and a private key, for encryption and decryption. Also called an asymmetric algorithm.


Public-key cryptography. Cryptography based on methods involving a public key and a private key.

Public-key cryptography standards (PKCS). Standards published by RSA Data Security that describe how to use public-key cryptography in a reliable, secure, and interoperable fashion.

Public-key steganography. Steganography based on methods involving a public key and a private key. (See Section 15.9.)

Quantum cryptography. An approach to cryptography using the Heisenberg uncertainty principle to generate any number of true random bits and thereby achieve absolute security.

Random numbers. A sequence of numbers that passes certain statistical randomness tests. Only a sequence can be random. A single number is neither random nor nonrandom. (See also PRNG, Pseudorandom numbers.)

Redundancy. This term is normally defined as a needless repetition of an act or as the attribute of being superfluous and unneeded. Source codes are based on decreasing the redundancy of data representation, while channel codes add reliability to data by increasing its redundancy.

Reed-Solomon Codes. Channel codes based on the strength of geometric figures such as a straight line or a parabola. (See also Section 1.14 and Compact Disc Error Control.)

RLE. A general name for methods that compress data by replacing a run length of identical symbols with one code, or token, containing the symbol and the length of the run. RLE sometimes serves as one step in a multistep statistical or dictionary-based method.

Robustness. A measure of the ability of a steganographic algorithm to retain the data embedded in the cover even after the cover has been subjected to various modifications as a result of lossy compression and decompression or of certain types of processing such as conversion to analog and back to digital.

RSA Data Security, Inc. (RSADSI). The company [RSA 04] primarily engaged in selling and licensing public-key cryptography for commercial purposes.

S-box. A substitution box used by many block ciphers as part of the substitution-permutation network of the cipher. Such a box is a table that has internal connections between its inputs and outputs. For any bit pattern sent as input to the box, a certain bit pattern emerges as output.

S-tools. Software for hiding data in the least significant bits of an image or an audio file. (See also LSB and Section 15.10.3.)

SEC-DED codes. A Hamming code with an extra parity bit. It can correct all 1-bit and detect all 2-bit errors. (See also Hamming codes and Section 1.9.)
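An added example for the Parity bits and SEC-DED entries; it is not the book's code (Hamming codes are the subject of its Section 1.9, but the layout and return values below are this example's own). `parity_bit` implements the even/odd rule from the Parity bits entry. `hamming_encode` places the Hamming check bits at the power-of-two positions 1, 2, 4, ... of the codeword and adds one overall parity bit at position 0, which is what turns single-error correction into SEC-DED. The decoder combines the syndrome (the XOR of the positions of all 1 bits) with the overall parity to separate the three cases the entry names: no error, a single error that is corrected, and a double error that is detected but not corrected. The data bits are constructed.

```python
def parity_bit(bits, odd=False):
    """Bit that makes the count of 1s in bits-plus-parity even (default) or odd."""
    ones = sum(bits)
    return (ones + 1) % 2 if odd else ones % 2


def hamming_encode(data_bits):
    """Extended Hamming (SEC-DED) encoder. Positions 1..n hold the Hamming code with
    check bits at the powers of two; position 0 holds one overall parity bit."""
    m = len(data_bits)
    r = 0
    while (1 << r) < m + r + 1:      # smallest r with 2^r >= m + r + 1
        r += 1
    n = m + r
    code = [0] * (n + 1)
    data = iter(data_bits)
    for pos in range(1, n + 1):
        if pos & (pos - 1):          # not a power of two: a data position
            code[pos] = next(data)
    for i in range(r):
        p = 1 << i                   # check bit p covers every position with bit i set
        code[p] = sum(code[pos] for pos in range(1, n + 1) if pos & p) % 2
    code[0] = sum(code) % 2          # overall even parity over positions 0..n
    return code


def hamming_decode(code):
    """Returns (data_bits, status) with status 'ok', 'corrected' (one flipped bit
    repaired) or 'double_error' (two flipped bits detected, not repairable)."""
    code = list(code)
    n = len(code) - 1
    syndrome = 0
    for pos in range(1, n + 1):
        if code[pos]:
            syndrome ^= pos          # XOR of the positions of all 1 bits
    overall = sum(code) % 2
    if syndrome == 0 and overall == 0:
        status = "ok"
    elif overall == 1:               # odd parity: exactly one bit flipped
        code[syndrome] ^= 1          # syndrome 0 means the overall parity bit itself
        status = "corrected"
    else:                            # nonzero syndrome but even parity: two flips
        status = "double_error"
    data = [code[pos] for pos in range(1, n + 1) if pos & (pos - 1)]
    return data, status


if __name__ == "__main__":
    word = [1, 0, 1, 1]                      # constructed 4-bit data word
    cw = hamming_encode(word)                # 8-bit SEC-DED codeword
    damaged = list(cw); damaged[5] ^= 1      # one bit flipped in transit
    print(cw, hamming_decode(cw), hamming_decode(damaged))
```

For 4 data bits the codeword is 8 bits (Hamming(7,4) plus the overall parity bit); for 11 data bits, the memory-style case, it is 16 bits. A single flip anywhere, including in a check bit or in the overall parity bit itself, is repaired; any two flips come back as `double_error`.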


Secret-key algorithm. Cryptographic algorithm that uses the same key to encrypt data and to decrypt data. Also called a symmetric algorithm.

Secure socket layer (SSL). A protocol enabling the secure transfer of sensitive information on the Internet. The sensitive data is encrypted by a block cipher, and the SSL protocol is used to select a random key for each transfer and communicate it securely through unsecure channels.

Security. The process of protecting vital information from prying eyes. This is done either by encryption or hiding.

Semantic methods. Steganographic methods that hide data in a cover text by slightly modifying semantic elements of the text, such as word usage. (See Syntactic methods.)

Semiadaptive compression. A compression method that uses a two-pass algorithm, where the first pass reads the input stream to collect statistics on the data to be compressed, and the second pass performs the actual compression. The statistics (model) are included in the compressed stream. (See also Adaptive compression.)

Shift register. An array of simple storage elements (normally flip-flops or latches) where the value of each element is moved into the next (or the previous) element. Such registers (implemented in either software or hardware) are used by many stream ciphers. (See LFSR, Stream cipher.)

Signal-to-noise ratio (SNR). A measure of invisibility (or its opposite, detectability) of hidden data.

Sliding window compression. The LZ77 method (Section 4.1) uses part of the previously seen input stream as the dictionary. The encoder maintains a window to the input stream and shifts the input in that window from right to left as strings of symbols are being encoded. The method is thus based on a sliding window. (See also LZ methods.)

Spread-spectrum steganography. A steganographic method that hides data bits in an image by adding noise to image pixels and hiding one bit in each noise component without changing the statistical properties of the noise.

Statistical methods. These methods (Chapter 3) work by assigning variable-size codes to symbols in the data, with the shorter codes assigned to symbols or groups of symbols that appear more often in the data (i.e., that have a higher probability of occurrence). (See also Variable-size codes, Huffman coding, and Arithmetic coding.)

Steganographic file system. A method to hide a data file among several other data files. The hidden file can be retrieved with a password, but someone who does not know the password cannot see the hidden file, cannot extract it, and cannot even find out whether the file exists. (See Section 15.7.)

Steganography. The art and science of hiding information, as opposed to cryptography, which hides the meaning of the information.

Stego. Software for hiding data in the least significant bits of an image. (See also LSB and Section 15.10.1.)


Stream cipher. A cipher that encrypts one bit at a time. (See LFSR, Shift register.)

Subsampling. Subsampling is, possibly, the simplest way to compress an image. One approach to subsampling is simply to ignore some of the pixels. The encoder may, for example, ignore every other row and every other column of the image, and write the remaining pixels (which constitute 25% of the image) on the compressed stream. The decoder inputs the compressed data and uses each pixel to generate four identical pixels of the reconstructed image. This, of course, involves the loss of much image detail and is rarely acceptable. (See also Lossy Compression.)

Substitution cipher. A cipher that replaces letters of the plaintext with another set of letters or symbols, without changing the order of the letters.

Symbol. The smallest unit of the data to be compressed. A symbol is normally a byte but may also be a bit, a trit {0, 1, 2}, or anything else. (See also Alphabet.)

Symmetric cryptography. A cryptographic technique where the same key is used for encryption and decryption.

Syntactic methods. Steganographic methods that hide data in a cover text by slightly modifying syntactic elements of the text, such as punctuation. (See Semantic methods.)

Transform. An image can be compressed by transforming its pixels (which are correlated) to a representation where they are decorrelated. Compression is achieved if the new values are smaller, on average, than the original ones. Lossy compression can be achieved by quantizing the transformed values. The decoder inputs the transformed values from the compressed stream and reconstructs the (precise or approximate) original data by applying the opposite transform. Image transforms are also important in steganography. (See also Discrete cosine transform, Discrete wavelet transform.)

Transposition cipher. A cipher where the plaintext letters are rearranged in a different permutation.

Trapdoor. See Back door.

Trit. A ternary (base 3) digit. It can be 0, 1, or 2.

Turing machine. A theoretical model of a computing device, proposed by Alan Turing.

Unary code. A way to generate variable-size codes in one step. The unary code of the nonnegative integer n is defined (Section 3.3.1) as n − 1 ones followed by one zero (Table 3.3). There is also a general unary code. (See also Golomb code.)

Undetectability. A measure of the quality of a steganographic method.

Unicode. A new international standard code, the Unicode, has been proposed, and is being developed by the international Unicode organization (www.unicode.org). Unicode uses 16-bit codes for its characters, so it provides for 2^16 = 64K = 65,536 codes. (Notice that doubling the size of a code much more than doubles the number of possible codes. In fact, it squares the number of codes.) Unicode includes all the ASCII codes in addition to codes for characters in foreign languages (including complete sets of Korean, Japanese, and Chinese characters) and many mathematical and other symbols. Currently, about 39,000 out of the 65,536 possible codes have been assigned, so there is room for adding more symbols in the future.

The Microsoft Windows NT operating system has adopted Unicode, as have also AT&T Plan 9 and Lucent Inferno. (See also ASCII code, Codes.)

UPC. A 12-digit barcode that's used to label products in the United States. The rightmost digit is a check digit which adds redundancy and thereby increases reliability when the barcode is scanned. (See also Barcodes, EAN-13, and Section 2.2.1.)

Variable-size codes. These are used by statistical methods. Such codes should satisfy the prefix property (Section 3.3) and should be assigned to symbols based on their probabilities. (See also Statistical methods.)

Vector quantization. This is a generalization of the scalar quantization method. It is used for both image and sound compression. In practice, vector quantization is commonly used to compress data that has been digitized from an analog source, such as sampled sound and scanned images (drawings or photographs). Such data is called digitally sampled analog data (DSAD).

Verhoeff check digit. A sophisticated error-detection method that uses a check digit to detect all single-digit and adjacent-digits transpositions in integers of arbitrary lengths. (See Section 2.11.)
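An added example for the ISBN, UPC, and Verhoeff check digit entries; it is not code from the book. It computes and validates the three check digits, and `undetected_errors` exhaustively tries every single-digit substitution and every adjacent transposition of a valid number to count the ones a validator still accepts, which is the property the Verhoeff entry claims (and which the mod-11 ISBN-10 scheme shares, while the mod-10 UPC scheme does not for transpositions of digits that differ by 5). The Verhoeff tables are the published multiplication table of the dihedral group D5, its position permutation and the inverse table, reproduced here from the algorithm itself rather than from the book; the sample numbers are constructed test values whose check digits the functions compute.

```python
# Verhoeff tables: multiplication in the dihedral group D5 (_D), the position
# permutation (_P, row i is the i-th power of row 1) and inverses (_INV).
_D = [
    [0, 1, 2, 3, 4, 5, 6, 7, 8, 9],
    [1, 2, 3, 4, 0, 6, 7, 8, 9, 5],
    [2, 3, 4, 0, 1, 7, 8, 9, 5, 6],
    [3, 4, 0, 1, 2, 8, 9, 5, 6, 7],
    [4, 0, 1, 2, 3, 9, 5, 6, 7, 8],
    [5, 9, 8, 7, 6, 0, 4, 3, 2, 1],
    [6, 5, 9, 8, 7, 1, 0, 4, 3, 2],
    [7, 6, 5, 9, 8, 2, 1, 0, 4, 3],
    [8, 7, 6, 5, 9, 3, 2, 1, 0, 4],
    [9, 8, 7, 6, 5, 4, 3, 2, 1, 0],
]
_P = [
    [0, 1, 2, 3, 4, 5, 6, 7, 8, 9],
    [1, 5, 7, 6, 2, 8, 3, 0, 9, 4],
    [5, 8, 0, 3, 7, 9, 6, 1, 4, 2],
    [8, 9, 1, 6, 0, 4, 3, 5, 2, 7],
    [9, 4, 5, 3, 1, 2, 6, 8, 7, 0],
    [4, 2, 8, 6, 5, 7, 3, 9, 0, 1],
    [2, 7, 9, 3, 8, 0, 6, 4, 1, 5],
    [7, 0, 4, 6, 9, 1, 3, 2, 5, 8],
]
_INV = [0, 4, 3, 2, 1, 5, 6, 7, 8, 9]


def verhoeff_check_digit(digits):
    """Check digit for a digit string (positions counted from the right, from 1)."""
    c = 0
    for i, ch in enumerate(reversed(digits), start=1):
        c = _D[c][_P[i % 8][int(ch)]]
    return str(_INV[c])


def verhoeff_valid(number):
    """A number with its check digit validates when the running product returns to 0."""
    c = 0
    for i, ch in enumerate(reversed(number)):
        c = _D[c][_P[i % 8][int(ch)]]
    return c == 0


def isbn10_check_digit(nine):
    """Weights 10..2 on the nine data digits; the check makes the weighted sum 0 mod 11."""
    total = sum(w * int(d) for w, d in zip(range(10, 1, -1), nine))
    c = (11 - total % 11) % 11
    return "X" if c == 10 else str(c)


def isbn10_valid(isbn):
    body, check = isbn[:9], isbn[9:]
    if len(isbn) != 10 or not body.isdigit() or check not in "0123456789X":
        return False
    vals = [int(d) for d in body] + [10 if check == "X" else int(check)]
    return sum(w * v for w, v in zip(range(10, 0, -1), vals)) % 11 == 0


def upc_check_digit(eleven):
    """Odd positions (1st, 3rd, ...) weighted 3, even positions weighted 1, mod 10."""
    d = [int(c) for c in eleven]
    return str((10 - (3 * sum(d[0::2]) + sum(d[1::2])) % 10) % 10)


def upc_valid(upc):
    if len(upc) != 12 or not upc.isdigit():
        return False
    d = [int(c) for c in upc]
    return (3 * sum(d[0::2]) + sum(d[1::2])) % 10 == 0


def undetected_errors(valid, number):
    """Every single-digit substitution and adjacent transposition of `number` that
    the validator still accepts. An empty list means the scheme catches them all."""
    if not valid(number):
        raise ValueError("number must validate before it is mutated")
    slips = []
    for i, ch in enumerate(number):
        for d in "0123456789":
            if d != ch:
                cand = number[:i] + d + number[i + 1:]
                if valid(cand):
                    slips.append(("substitution", cand))
    for i in range(len(number) - 1):
        if number[i] != number[i + 1]:
            cand = number[:i] + number[i + 1] + number[i] + number[i + 2:]
            if valid(cand):
                slips.append(("transposition", cand))
    return slips


if __name__ == "__main__":
    print("236 ->", verhoeff_check_digit("236"), verhoeff_valid("2363"))
    print("030640615 ->", isbn10_check_digit("030640615"))
    print("03600029145 ->", upc_check_digit("03600029145"))
    print("UPC slips:", undetected_errors(upc_valid, "012345678905"))
```

The UPC sample ends in the digits 0 and 5, whose difference is 5, so swapping them changes the weighted sum by a multiple of 10 and the transposition goes unnoticed; the same exhaustive search returns nothing for the Verhoeff and ISBN-10 validators.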

Vernam cipher. Cipher developed for encrypting teletype traffic by computing the exclusive OR of the data bits and the key bits. This is a common approach to constructing stream ciphers. (See One-time pad.)
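An added example that ties together the LFSR, Shift register, Stream cipher, One-time pad, and Vernam cipher entries; it is not code from the book. `_lfsr_step` clocks a Fibonacci-style shift register once: it outputs the low bit, shifts right, and feeds back the XOR of the tapped bits. Taps are given as the exponents of the feedback polynomial, a convention this example assumes (tap t reads bit width − t). `lfsr_period` counts clocks until the register returns to its seed, which for the two constructed tap sets is the maximal 2^width − 1. `vernam` XORs each data bit with one keystream bit, so the same call decrypts, and it refuses a keystream shorter than the message, since the One-time pad entry requires the key to be at least as long as the data. Seeds, tap sets and the plaintext are constructed.

```python
def _lfsr_step(state, taps, width):
    """One clock of a Fibonacci LFSR: emit the low bit, shift right, and feed the
    XOR of the tapped bits in at the top. Tap t reads bit (width - t)."""
    out = state & 1
    feedback = 0
    for t in taps:
        feedback ^= (state >> (width - t)) & 1
    return out, (state >> 1) | (feedback << (width - 1))


def lfsr_keystream(seed, taps, nbits):
    """nbits of keystream from a register whose width is the largest tap."""
    width = max(taps)
    state = seed & ((1 << width) - 1)
    if state == 0:
        raise ValueError("the all-zero state is a fixed point and emits only zeros")
    bits = []
    for _ in range(nbits):
        out, state = _lfsr_step(state, taps, width)
        bits.append(out)
    return bits


def lfsr_period(seed, taps):
    """Clocks until the register returns to its seed (at most 2^width - 1)."""
    width = max(taps)
    start = state = seed & ((1 << width) - 1)
    if start == 0:
        raise ValueError("zero seed")
    clocks = 0
    while True:
        _, state = _lfsr_step(state, taps, width)
        clocks += 1
        if state == start:
            return clocks


def vernam(data, keystream):
    """XOR every data bit with one keystream bit; calling it again decrypts.
    A keystream shorter than the data is refused: a pad must cover every bit."""
    if len(keystream) < 8 * len(data):
        raise ValueError("keystream shorter than the message")
    out = bytearray()
    for i, byte in enumerate(data):
        k = 0
        for j in range(8):
            k = (k << 1) | keystream[8 * i + j]
        out.append(byte ^ k)
    return bytes(out)


# Constructed parameters: a 4-bit register with polynomial x^4 + x^3 + 1 and a
# 16-bit register with x^16 + x^14 + x^13 + x^11 + 1, both maximal-length.
TAPS_4 = [4, 3]
TAPS_16 = [16, 14, 13, 11]

if __name__ == "__main__":
    print(lfsr_keystream(0b1000, TAPS_4, 15))
    print(lfsr_period(1, TAPS_4), lfsr_period(1, TAPS_16))
    msg = b"constructed plaintext"
    ks = lfsr_keystream(0xACE1, TAPS_16, 8 * len(msg))
    ct = vernam(msg, ks)
    print(ct.hex(), vernam(ct, ks) == msg)
```

The 4-bit register emits the 15-bit sequence and then repeats it, which is the point of the Pseudorandom numbers entry: the keystream is deterministic and periodic, so an LFSR-driven Vernam cipher is a stream cipher, not the one-time pad the glossary defines as purely random key material as long as the message.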

Vigenère cipher. A historically important polyalphabetic cipher where a letter-square and a key are used to determine the rule of substitution for each plainletter.

Voting codes. Channel codes that work by transmitting an odd number of copies of the data. The receiver compares the copies and corrects errors if it finds that more than half the copies are identical.

Watermarking. A steganographic term. A small amount of data that indicates ownership, authorship, or another kind of relationship between the cover and a person or an organization.

Weak key. A key value that results in easy breaking of a cipher. The various weak keys of DES are well known. (See Section 11.3.1.)

XOR. See Exclusive OR.

$Z_N$. The set of integers modulo N, i.e., $\{0, 1, \ldots, N - 1\}$. The notation $Z_N^*$ denotes the set of integers $\{a \in Z_N \mid \gcd(a, N) = 1\}$.


Zip barcode. An 11-digit barcode printed on many letters to help the post office sort the letters. The rightmost digit is a check digit that adds redundancy and thereby increases reliability when the barcode is scanned. (See also Barcodes and Section 2.3.)

As for my mother, perhaps the Ambassador had not the type of mind towards which she felt herself most attracted. I should add that his conversation furnished so exhaustive a glossary of the superannuated forms of speech peculiar to a certain profession, class and period; a period which, for that profession and that class, might be said not to have altogether passed away; that I sometimes regret that I have not kept any literal record simply of the things that I have heard him say.

—Marcel Proust, Within a Budding Grove (1921)

Bibliography

Abramson, N. (1963) Information Theory and Coding, New York, McGraw-Hill.

ACA (2003) is URL http://www.und.nodak.edu/org/crypto/crypto/.

Aegean Park Press (2001) is URL http://www.aegeanparkpress.com/.

AFAC (2003) is URL http://www-vips.icn.gov.ru/.

Ahmed, N., T. Natarajan, and R. K. Rao (1974) "Discrete Cosine Transform," IEEE Transactions on Computers C-23:90-93.

AMS (2004) is URL http://www.ams.org/new-in-math/cover/errors4.html.

Anderson, K. L., et al. (1987) "Binary-Image-Manipulation Algorithm in the Image View Facility," IBM Journal of Research and Development 31(1):16-31, January.

Anderson, Ross, Roger Needham, and Adi Shamir (1998) "The Steganographic File System," in David Aucsmith (ed.) Proceedings of the Second Information Hiding Workshop, IWIH, pp. 73-82, April. Also available from URL http://citeseer.nj.nec.com/anderson98steganographic.html.

Arnold, Michael, Martin Schmucker, and Stephen D. Wolthusen (2003) Techniques and Applications of Digital Watermarking and Content Protection, Boston, Artech House.

Aura, Tuomas (1996) "Practical Invisibility in Digital Communication," in Proceedings of the Workshop on Information Hiding, Cambridge, England, May 1996, pp. 265-278, Lecture Notes in Computer Science 1174, New York, Springer Verlag. Also available from URL http://www.tcs.hut.fi/Personnel/tuomas.html.

Barker, Wayne G. (1984) Cryptanalysis of Shift-Register Generated Stream Cipher Systems, Laguna Hills, Calif., Aegean Park Press, vol. C-39.

Barker, Wayne G. (1989) Introduction to the Analysis of the Data Encryption Standard (DES), Laguna Hills, Calif., Aegean Park Press, vol. C-55.

524 Bibliography

Barker, Wayne G. (1992) Cryptanalysis of the Single Columnar Transposition Cipher, Laguna Hills, Calif., Aegean Park Press, vol. C-59.

Bassia, P., and I. Pitas (1998) "Robust Audio Watermarking in the Time Domain," in IX European Signal Processing Conference (EUSIPCO'98), Rhodes, Greece, vol. I, pp. 25-28, 8-11 September.

Bauer, Friedrich Ludwig (2002) Decrypted Secrets: Methods and Maxims of Cryptology, 3rd edition, Berlin, Springer Verlag.

BBB (2003) is URL www.bbbonline.com.

Bender, W., D. Gruhl, N. Morimoto, and A. Lu (1996) "Techniques for Data Hiding," IBM Systems Journal, 35(3,4):313-336.

Berlekamp, Elwyn R. (1968) Algebraic Coding Theory, New York, McGraw-Hill.

Blakley, G. R. (1979) "Safeguarding Cryptographic Keys," in AFIPS Conference Proceedings, 48:313-317.

Bogert, B. P., M. J. R. Healy, and J. W. Tukey (1963) "The Quefrency Alanysis of Time Series for Echoes: Cepstrum, Pseudo-Autocovariance, Cross-Cepstrum, and Saphe Cracking," in Proceedings of the Symposium on Time Series Analysis, Rosenthal, M. (ed.), New York, John Wiley, pp. 209-243.

BPCS (2003) is URL http://www.know.comp.kyutech.ac.jp/BPCSe/file BPCSe-principle.html.

Busch, C., W. Funk, and S. Wolthusen (1999) "Digital Watermarking: From Concepts to Real-Time Video Applications," IEEE Computer Graphics and Applications, Image Security, January/February, pp. 25-35.

Cain, Thomas R., and Alan T. Sherman (1997) "How to Break Gifford's Cipher," Cryptologia, 21(3):237-286, July.

Campbell, K. W., and M. J. Wiener (1993) "DES Is Not a Group," Advances in Cryptology, CRYPTO '92, New York, Springer Verlag, pp. 512-520.

Chen, Yu-Yuan, Hsiang-Kuang Pan, and Yu-Chee Tseng (2000) "A Secure Data Hiding Scheme for Two-Color Images," in IEEE Symposium on Computers and Communications, ISCC 2000, pp. 750-755. Also available (in PDF format) from URL http://citeseer.nj.nec.com/chen00secure.html.

Childs, J. Rives (2000) General Solution of the ADFGVX Cipher System, Laguna Hills, Calif., Aegean Park Press, vol. C-88.

Chomsky, Noam, and George A. Miller (1958) "Finite State Languages," Information and Control, 1(2):91-112, May.

Cleary, J. G., and I. H. Witten (1984) "Data Compression Using Adaptive Coding and Partial String Matching," IEEE Transactions on Communications COM-32(4):396-402, April.


Conceptlabs (2004) is URL http://www.conceptlabs.co.uk/alicebob.html.

Coppersmith, Donald, and Philip Rogaway (1994) "A Software-Optimized Encryption Algorithm," Fast Software Encryption, Cambridge Security Workshop Proceedings, New York, Springer-Verlag, pp. 56-63.

Coppersmith, Donald, and Philip Rogaway (1995) "Software-Efficient Pseudorandom Function and the Use Thereof for Encryption," United States Patent 5,454,039, 26 September.

Cox, Ingemar J., Joe Kilian, Tom Leighton, and Talal Shamoon (1996) "A Secure, Robust Watermark for Multimedia," Workshop on Information Hiding, Newton Institute, Cambridge University, May. Also available in PDF format from URL ftp://ftp.nj.nec.com/pub/ingemar/papers/cam96.zip.

Cox, Ingemar J. (2002) Digital Watermarking, San Francisco, Morgan Kaufmann.

Crap (2003) is URL http://www.mat.dtu.dk/people/Lars.R.Knudsen/crap.html.

Cryptologia (2003) is URL http://www.dean.usma.edu/math/pubs/cryptologia/.

Cryptology (2003) is URL http://link.springer.de/link/service/journals/00145/.

cypherpunks (2004) is URL ftp://ftp.csua.berkeley.edu/pub/cypherpunks/steganography/.

CSE (2001) is URL http://www.cse.dnd.ca/.

CSE (2003) is URL http://www.cse.dnd.ca/.

DES (1999) is URL http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf.

Despan (2004) is URL http://www.oneoffcd.com/info/historycd.cfm.

DSD (2003) is URL http://www.dsd.gov.au/.

Dunham, W. (1990) Journey Through Genius: The Great Theorems of Mathematics, New York, John Wiley.

Ekstrand, Nicklas (1996) "Lossless Compression of Gray Images via Context Tree Weighting," in Storer, James A. (ed.), DCC '96: Data Compression Conference, Los Alamitos, CA, IEEE Computer Society Press, pp. 132-139, April.

FAQS (2004) is URL http://www.faqs.org/faqs/compression-faq/part1/.

Feig, Ephraim N., and Elliot Linzer (1990) "Discrete Cosine Transform Algorithms for Image Data Compression," in Proceedings Electronic Imaging '90 East, pages 84-87, Boston, MA.

Feige, Uriel, Amos Fiat, and Adi Shamir (1988) "Zero Knowledge Proofs of Identity," Journal of Cryptology, 1(2):77-94.

Feistel, Horst (1973) "Cryptography and Computer Privacy," Scientific American, 228(5):15-23, May.

Flannery, Sarah, and David Flannery (2001) In Code: A Mathematical Journey, Workman Publishing Company.


Fraunhofer (2001) is URL http://syscop.igd.fhg.de/.

FreeBSD Words (2003) is URL ftp://www.freebsd.org/usr/share/dict/words.

Fridrich, Jiri (1998) "Image Watermarking for Tamper Detection," in Proceedings of the International Conference on Image Processing, ICIP '98, Chicago, October.

Fridrich, Jiri (1999) "Methods for Tamper Detection in Digital Images," in Proceedings of the ACM Workshop on Multimedia and Security, pp. 19-23, Orlando, Fla., October.

Funet (2003) is URL ftp://nic.funet.fi/pub/graphics/misc/test-images/.

Gaines, Helen Fouche (1956) Cryptanalysis: A Study of Ciphers and Their Solutions, New York, Dover.

Gallian, J. A. (1989) "Check Digit Methods," International Journal of Applied Engineering Education, 5(4):503-505.

Gallian, J. A. (1991) "The Mathematics of Identification Numbers," College Mathematics Journal, 22(3):194-202.

Gardner, Martin (1972) "Mathematical Games," Scientific American, 227(2):106, August.

Garfinkel, Simson (1995) PGP: Pretty Good Privacy, Sebastopol, Calif., O'Reilly.

GCHQ (2003) is URL http://www.gchq.gov.uk/.

Gifford, David K., et al. (1985) "The Application of Digital Broadcast Communications to Large-Scale Information Systems," IEEE Journal on Selected Areas in Communications, SAC-3(3):457-467, May.

GnuPG (2004) is URL http://www.gnupg.org/.

Goettingen (2004) is URL http://www.num.math.uni-goettingen.de/Lehre/Lehrmaterial/Vorlesungen/Informatik/1998/skript/texte/abthesis.html.

Golay, Marcel (1949) "Notes on Digital Coding," Proceedings of the IRE, 37:657.

Golay, Marcel (1954) "Binary Coding," Transactions of the IRE (IEEE), PGIT-4:23-28.

Golomb, S. W. (1966) "Run-Length Encodings," IEEE Transactions on Information Theory IT-12(3):399-401.

Golomb, Solomon W. (1982) Shift Register Sequences, 2nd edition, Laguna Hills, Calif., Aegean Park Press.

Gonzalez, Rafael C., and Richard E. Woods (1992) Digital Image Processing, Reading, Mass., Addison-Wesley.

Grafica (1996) is URL http://www.sgi.com/grafica/huffman/.

Gray, Frank (1953) "Pulse Code Communication," United States Patent 2,632,058, March 17.


Gruhl, Daniel, Walter Bender, and Anthony Lu (1996) "Echo Hiding," in Information Hiding: First International Workshop, Lecture Notes in Computer Science, volume 1174, R. J. Anderson, ed., pp. 295-315, Springer-Verlag, Berlin.

Guillou, Louis, and Jean-Jacques Quisquater (1988) "A Practical Zero-Knowledge Protocol Fitted to Security Microprocessors Minimizing Both Transmission and Memory," in Advances in Cryptology, Eurocrypt '88 Proceedings, pp. 123-128, Berlin, Springer-Verlag.

Gutenberg (2004) is URL http://www.gutenberg.net/.

Hamming, Richard (1986) Coding and Information Theory, 2nd edition, Englewood Cliffs, NJ, Prentice-Hall.

Heath, F. G. (1972) "Origins of the Binary Code," Scientific American, 227(2):76, August.

Hill, Raymond (1986) A First Course in Coding Theory, New York, Oxford University Press.

Hinsley, F. H., and Alan Stripp (eds.) (1992) The Codebreakers: The Inside Story of Bletchley Park, Oxford, Oxford University Press.

Huffman, David (1952) "A Method for the Construction of Minimum Redundancy Codes," Proceedings of the IRE, 40(9):1098-1101.

Hunter, R., and A. H. Robinson (1980) "International Digital Facsimile Coding Standards," Proceedings of the IEEE, 68(7):854-867, July.

ISBN (2004) is URL http://www.isbn-international.org/en/identifiers/, file allidentifiers.html.

Johnson, Neil F., et al. (2001) Information Hiding: Steganography and Watermarking—Attacks and Countermeasures, Advances in Information Security, volume 1, Boston, Kluwer Academic.

Kahn, David (1996) The Codebreakers: The Comprehensive History of Secret Communications from Ancient Times to the Internet, revised edition, New York, Scribner.

Katzenbeisser, Stefan, and Fabien A. P. Petitcolas (eds.) (2000) Information Hiding Techniques for Steganography and Digital Watermarking, Norwood, Mass., Artech House.

Kerckhoffs, Auguste (1883) "La Cryptographie Militaire," Journal des Sciences Militaires, 9:5-38, 161-191, January-February. Also available in html format from URL http://www.petitcolas.net/fabien/kerckhoffs/la_cryptographie_militaire_i.htm.

Kirtland, Joseph (2000) Identification Numbers and Check Digit Schemes, The Mathematical Association of America.

Konheim, Alan G. (1981) Cryptography: A Primer, New York, John Wiley and Sons.

Knuth, Donald E. (1984) The TeXbook, Reading, Mass., Addison-Wesley.


Knuth, D. E. (1985) "Dynamic Huffman Coding," Journal of Algorithms, 6:163-180.

Kundur, Deepa, and Dimitrios Hatzinakos (1997) "A Robust Digital Image Watermarking Scheme Using Wavelet-Based Fusion," in Proceedings of the IEEE International Conference on Image Processing, Santa Barbara, Calif., 1, pp. 544-547, October.

Kundur, Deepa, and Dimitrios Hatzinakos (1998) "Digital Watermarking Using Multiresolution Wavelet Decomposition," Proceedings of the IEEE International Conference on Acoustics, Speech and Signal Processing, Seattle, Wash., 5, pp. 2969-2972, May.

Larson, P. A., and A. Kajla (1984) "Implementation of a Method Guaranteeing Retrieval in One Access," Communications of the ACM, 27(7):670-677, July.

Lelewer, D. A., and D. S. Hirschberg (1987) "Data Compression," Computing Surveys, 19(3):261-297. Reprinted in Japanese, BIT Special Issue in Computer Science (1989), 16-195. Available at http://www.ics.uci.edu/~dan/pubs/DataCompression.html.

Levy, Steven (2001) Crypto, New York, Viking.

Lin, Shu, and Daniel J. Costello (1982) Error Correcting Coding: Fundamentals and Applications, Englewood Cliffs, N.J., Prentice-Hall.

Linde, Y., A. Buzo, and R. M. Gray (1980) "An Algorithm for Vector Quantization Design," IEEE Transactions on Communications, COM-28:84-95, January.

Loeffler, C., A. Ligtenberg, and G. Moschytz (1989) "Practical Fast 1-D DCT Algorithms with 11 Multiplications," Proceedings of the International Conference on Acoustics, Speech, and Signal Processing (ICASSP '89), pp. 988-991.

McDonald, Andrew D., and Markus G. Kuhn (1999) "StegFS: A Steganographic File System for Linux," in Proceedings of Information Hiding, New York, Springer-Verlag, LNCS 1768, pp. 463-477. Also available from http://www.mcdonald.org.uk/StegFS/.

Mandelbrot, Benoit (1982) The Fractal Geometry of Nature, San Francisco, W. H. Freeman.

Marking, Michael P. (1990) "Decoding Group 3 Images," The C Users Journal, pp. 45-54, June.

MathWorld (2003) is html file Gram-SchmidtOrthonormalization.html in URL http://mathworld.wolfram.com/.

McConnell, Kenneth R. (1992) FAX: Digital Facsimile Technology and Applications, Norwood, Mass., Artech House.

Merkle, R. C., and M. Hellman (1981) "On the Security of Multiple Encryption," Communications of the ACM, 24(7):465-467.

Miano, John (1999) Compressed Image File Formats, New York, ACM Press and Addison-Wesley.

Moffat, Alistair (1990) "Implementing the PPM Data Compression Scheme," IEEE Transactions on Communications, COM-38(11):1917-1921, November.


Moffat, Alistair, Radford Neal, and Ian H. Witten (1998) "Arithmetic Coding Revisited," ACM Transactions on Information Systems, 16(3):256-294, July.

NCM (2003) is URL http://www.nsa.gov/museum/.

Newton, David E. (1997) Encyclopedia of Cryptology, Santa Barbara, Calif., ABC-Clio.

Nicetext (2004) is URL http://www.nicetext.com/.

NSA (2003) is URL http://www.nsa.gov/.

NSA (2004) is URL http://www.nsa.gov/venona/.

Nyquist, Harry (1928) "Certain Topics in Telegraph Transmission Theory," Transactions of the AIEE, 47(3):617-644, April.

OpenPGP (2004) is URL http://www.openpgp.org/.

Palmer, Roger C. (1995) The Bar Code Book, 3rd edition, Peterborough, N.H., Helmers Publishing.

Pasco, R. (1976) "Source Coding Algorithms for Fast Data Compression," Ph.D. dissertation, Dept. of Electrical Engineering, Stanford University, Stanford, Calif.

Pennebaker, William B., and Joan L. Mitchell (1992) JPEG Still Image Data Compression Standard, New York, Van Nostrand Reinhold.

Petitcolas (2003) is URL http://www.petitcolas.net/fabien/steganography/bibliography/.

Pfitzmann, B. (1996) "Information Hiding Terminology," in Information Hiding, New York, Springer Lecture Notes in Computer Science, 1174:347-350.

Phillips, Dwayne (1992) "LZW Data Compression," The Computer Application Journal, Circuit Cellar Inc., 27:36-48, June/July.

PKCS (2004) is URL http://www.rsasecurity.com/rsalabs/node.asp?id=2124.

Podilchuk, C. I., and W. Zeng (1997) "Digital Image Watermarking Using Visual Models," in Proceedings of the IS&T/SPIE Conference on Human Vision and Electronic Imaging II, 3016, pp. 100-111, February.

Pohlmann, Ken (1985) Principles of Digital Audio, Indianapolis, Ind., Howard Sams.

Pohlmann, Ken C. (1992) The Compact Disc Handbook, 2nd edition, A-R Editions, Inc.

Polster, Burkard (1998) A Geometrical Picture Book, New York, Springer Verlag.

Press, W. H., B. P. Flannery, et al. (1988) Numerical Recipes in C: The Art of Scientific Computing, Cambridge, Cambridge University Press. (Also available on-line by anonymous ftp from http://www.nr.com/.)

Rao, K., and J. J. Hwang (1996) Techniques and Standards for Image, Video, and Audio Coding, Upper Saddle River, N.J., Prentice-Hall, pp. 273-322.


Reed, Irving S., and Gustave Solomon (1960) "Polynomial Codes over Certain Finite Fields," SIAM Journal of Applied Mathematics, 8(10):300-304.

Rescorla, Eric (2000) SSL and TLS: Designing and Building Secure Systems, Reading, Mass., Addison-Wesley.

RFC804 (2003) is URL http://www.faqs.org/rfcs/rfc804.html.

rfc1321 (2003) is URL http://www.ietf.org/rfc/rfc1321.txt.

Rissanen, Jorma (1976) "Generalized Kraft Inequality and Arithmetic Coding," IBM Journal of Research and Development, 20:198-203, May.

Ritter (2004) is URL http://www.ciphersbyritter.com/ARTS/PRACTLAT.HTM.

Rivest, R. (1991) "The MD4 Message Digest Algorithm," in Menezes, A. J., and S. A. Vanstone (eds.), Advances in Cryptology: CRYPTO '90 Proceedings, pp. 303-311, New York, Springer-Verlag.

Rivest, R. (1992) "The MD4 Message Digest Algorithm," RFC 1320, MIT and RSA Data Security, Inc., April.

Rosen, Kenneth, et al. (2000) Handbook of Discrete and Combinatorial Mathematics, Boca Raton, Fla., CRC Press.

RSA (2001) is URL http://www.rsasecurity.com/rsalabs/challenges/factoring/, file faq.html.

RSA (2004) is URL http://www.rsasecurity.com/.

Rubin, F. (1979) "Arithmetic Stream Coding Using Fixed Precision Registers," IEEE Transactions on Information Theory, 25(6):672-675, November.

Salomon, David (1999) Computer Graphics and Geometric Modeling, New York, Springer-Verlag.

Salomon, David (2003) Data Privacy and Security, New York, Springer-Verlag.

Salomon, David (2004) Data Compression: The Complete Reference, 3rd edition, New York, Springer-Verlag.

Savard (2003) is URL http://home.ecn.ab.ca/~jsavard/crypto/jscrypt.htm.

Schneier, Bruce (1993) "Fast Software Encryption," in Cambridge Security Workshop Proceedings, pp. 191-204, New York, Springer-Verlag. Also available from http://www.counterpane.com/bfsverlag.html.

Schneier, Bruce (1995) Applied Cryptography: Protocols, Algorithms, and Source Code in C, 2nd edition, New York, John Wiley.

Schneier, Bruce (2003) is URL http://www.counterpane.com/crypto-gram.html.

Schotti, Gaspari (1665) Schola Steganographica, Jobus Hertz, printer. Some page photos from this old book are available at URL http://www.cl.cam.ac.uk/~fapp2/steganography/steganographica/index.html.


Shamir, Adi (1979) "How to Share a Secret," Communications of the ACM, 22(11):612-613, November.

Shannon, Claude E. (1949) "Communication Theory of Secrecy Systems," Bell System Technical Journal, 28:656-715, October.

Shannon, Claude E. (1951) "Prediction and Entropy of Printed English," Bell System Technical Journal, 30:50-64, January.

Simovits, Mikael J. (1996) The DES, an Extensive Documentation and Evaluation, Laguna Hills, Calif., Aegean Park Press, vol. C-68.

Singh, Simon (1999) The Code Book, New York, Doubleday.

Sinkov, A. (1980) Elementary Cryptanalysis: A Mathematical Approach (New Mathematical Library, No. 22), Washington, D.C., Mathematical Assn. of America.

Sorkin, Arthur (1984) "Lucifer, A Cryptographic Algorithm," Cryptologia, 8(1):22-41, January. An addendum is in 8(3):260-261.

Stallings, William (1998) Cryptography and Network Security: Principles and Practice, Englewood Cliffs, N.J., Prentice-Hall.

Steganosaurus (2004) is URL http://www.fourmilab.to/stego/.

Stego (2004) is URL http://www.stego.com/.

Stollnitz, E. J., T. D. DeRose, and D. H. Salesin (1996) Wavelets for Computer Graphics, San Francisco, Morgan Kaufmann.

Storer, J. A., and T. G. Szymanski (1982) "Data Compression via Textual Substitution," Journal of the ACM, 29:928-951.

Swan, Tom (1993) Inside Windows File Formats, Indianapolis, IN, Sams Publications.

Thomas, Steven A. (2000) SSL and TLS Essentials: Securing the Web, New York, John Wiley.

Trithemius, Johannes (1606) Steganographia. Available (for private use only) from URL http://www.esotericarchives.com/tritheim/stegano.htm.

Tseng, Yu-Chee, and Hsiang-Kuang Pan (2001) "Secure and Invisible Data Hiding in 2-Color Images," IEEE Infocom 2001. Also available from URL http://www.ieee-infocom.org/2001/paper/20.pdf.

UCC (2004) is URL http://www.uc-council.org/.

Unicode Standard (1996) The Unicode Standard, Version 2.0, Reading, Mass., Addison-Wesley.

Unicode (2003) is URL http://www.unicode.org.

Verhoeff, Jacobus (1969) "Error Detecting Decimal Codes," Mathematical Center Tract 29, Amsterdam.


Vinzant, Carol (1999) "What Hidden Meanings Are Embedded in Your Social Security Number?," Fortune, 139, p. 32, January 11.

Vitter, Jeffrey S. (1987) "Design and Analysis of Dynamic Huffman Codes," Journal of the ACM, 34(4):825-845, October.

WatermarkingWorld (2003) is URL http://www.watermarkingworld.org/.

Wayner, Peter (1992) "Mimic Functions," Cryptologia, XVI(3):193-214, July.

Wayner, Peter (2002) Disappearing Cryptography, 2nd edition, London, Academic Press.

Weinberger, M. J., G. Seroussi, and G. Sapiro (1996) "LOCO-I: A Low Complexity, Context-Based, Lossless Image Compression Algorithm," in Storer, J. (ed.), Proceedings of Data Compression Conference, Los Alamitos, Calif., IEEE Computer Society Press, pp. 140-149.

Welch, T. A. (1984) "A Technique for High-Performance Data Compression," IEEE Computer, 17(6):8-19, June.

Winters, S. J. (1990) "Error Detecting Schemes Using Dihedral Groups," UMAP Journal, 11(4):299-308.

Witten, Ian H., Radford M. Neal, and John G. Cleary (1987) "Arithmetic Coding for Data Compression," Communications of the ACM, 30(6):520-540.

Wu, M. Y., and J. H. Lee (1998) "A Novel Data Embedding Method for Two-Color Images," in Proceedings of the International Symposium on Multimedia Information Processing, December.

Xia, Xiang-Gen, Charles G. Boncelet, and Gonzalo R. Arce (1998) "Wavelet-Transform Based Watermark for Digital Images," Optics Express, 3(12):497-511, December 7.

Zhao, J., and E. Koch (1995) "Embedding Robust Labels into Images for Copyright Protection," in Proceedings of the International Conference on Intellectual Property Rights for Specialized Information Knowledge and New Technologies, August 21-25, Vienna, Austria, Oldenbourg Verlag, pp. 242-251. Also available in PDF format from URL http://citeseer.nj.nec.com/zhao95embedding.html.

Zimmermann, Philip (1995) PGP Source Code and Internals, Cambridge, Mass., MIT Press.

Zimmermann, Philip (2001) is URL http://www.philzimmermann.com/.

Ziv, J., and A. Lempel (1977) "A Universal Algorithm for Sequential Data Compression," IEEE Transactions on Information Theory, IT-23(3):337-343.

Ziv, J., and A. Lempel (1978) "Compression of Individual Sequences via Variable-Rate Coding," IEEE Transactions on Information Theory, IT-24(5):530-536.

Outside of a dog, a book is man's best friend. Inside of a dog it's too dark to read.

—Groucho Marx

IndexWhenever possible, the index indicates the part of the book (channel codes, sourcecodes, or secure codes) to which an index item belongs. Thus, the words "check digit"qualify index item "airline tickets," while "anagram" is identified as a transpositioncipher. A special effort was made to include full names (first and middle names insteadof initials) and dates of persons mentioned in the book.

1984 (novel), 4932-pass compression, 519$(ra), Euler function, 204, 253ZN, 318, 521

Abel, Niels Henrik (1802-1829), 328absolutely secure ciphers, 206-208AC coefficients (of a transform), 151Adams, Ansel (1902-1984), 196Adams, Douglas (1952-2001), 132, 139adaptive arithmetic coding, 107-110, 140adaptive compression, 61, 73adaptive Huffman coding, 61, 81-87, 503ADC (analog-to-digital converter), 422additive cipher, 204-206ADFGVX cipher, 239-240, 256Adleman, Leonard M. (1945-), 315Advanced Encryption Standard (AES), 307,

308, 451, 467, 503, 511AES, see Advanced Encryption Standardaffine cipher, 204-206, 253, 503

fixed point, 206, 488airline tickets (check digit), 47, 52Alberti, Leon Battista (1404-1472), 243Alice (generic name of person A), 202alphabet

definition of, 63, 503in cryptography, 201

ambiguity (in ciphers), 262-263Amis, Kingsley (1922-1995), 232Ampere (electrical current), 489AMSCO cipher, 239, 492anagram (as a transposition cipher), 231Anderson, Jeremy S., 267Aristotle, (384-322 B.C.), 450arithmetic coding, 95-107, 504, 519

adaptive, 107-110, 140in JPEG, 180, 192QM coder, 180, 192

arithmetic of polynomials, 459-460ASCII (character code), 59-60, 63, 116, 135,

461, 504, 506, 520asymmetric compression, 62, 112, 115attack (on encrypted or hidden data), 504audio compression, 61

frequency masking, 425-428LZ, 113, 515temporal masking, 425, 428

audio watermarkingecho hiding, 431-434time domain, 429-431

audio, digital, 422-425

534 Index

authentication, 199, 320, 326-332Feige-Fiat-Shamir protocol, 330-331Guillou-Quisquater, 331Schnorr, 332zero-knowledge protocols, 329

author's email address, ixavalanche effect (in block ciphers), 294, 509

Babbage, Charles (1791-1871), 250back door, 504Back, Adam, 317background pixel (white), 505Bacon, Sir Francis (1561-1626), 266, 295Bacon's biliteral cipher, 350balanced binary tree, 108bank checks (check digit), 48-49barcodes, 39-46, 504

EAN, 41EAN-13, 42-43, 510ISBN, 44UPC, 41-42, 521Zip, 44-46zip, 522

Bark (unit of critical band rate), 427, 505Barkhausen, Heinrich Georg (1881-1956),

428, 505and critical bands, 427

Bartlebooth, Percival (fictional), viiBauer, Friedrich L. (1924-), 242Bazeries, Etienne (1846-1931), 259Beaufort cipher, 246-247Beaufort, Sir Francis (1774-1857), 246Berlekamp, Elwyn (1940-), 29bi-level image, 77, 138, 139, 143, 505Bierce, Ambrose (1842-1914), ixBillings, Josh, 67binary search, 108, 110

tree, 116, 117, 119binary tree

balanced, 108complete, 108

bit budget (definition of), 62bitplane, 505

definition of, 138bitrate (definition of), 62, 505bits (interleaved), 6bits per bit (bpb, hiding capacity), 62, 363bits/char (bpc), 62, 505bits/symbol, 505

Blair, Eric Arthur (George Orwell, 1903-1950), 325

Blelloch, Guy, 76blind cover (in steganography), 345block ciphers, 197, 289-309

DES, 296-309block coding, 505block decomposition, 142, 505block matching (image compression), 505Blowflsh (block cipher), 289BMP (graphics file format), 374, 441, 468,

505BMP file compression, 505Bob (generic name of person J3), 202book cipher, 203, 290bpb, see bits per bitbpc, see bits/characterBPCS (image steganography), 367, 375-378,

506bpp (bits per pixel), 62, 63break-even point in LZ, 119British Government Communications Head-

quarters (GCHQ), 202Brown, Andy (S-Tools), 441Brown, Rita Mae (American writer), 95Browne, Sir Thomas (1605-1682), 199Buffy the Vampire Slayer, 73Buonarroti, Miguel Angel (Michelangelo

1475-1564), 105Burton, Robert (1577-1640), 445

Caesar cipher, 203-206, 247, 250, 251, 503,506

Caesar, Julius (100-44 B.C.), viii, 203camouflage (in steganography), 351, 506Card, Orson Scott (1951-), 414Cardano, Girolamo (1501-1576), 247Carlyle, Thomas (1795-1881), 309Carroll, Lewis (1832-1898), 6cartoon-like image, 139Casanova, Giacomo Girolamo (1725-1798),

314CCITT, 88, 178, 513, 514CD (compact disc), 19-23, 506

error correction in, 24-29channel coding, viii, 3channel coding theorem, viiiChapman, Mark T. (Nicetext), 354

Index 535

check bits, 9-10, 506check digit, 2, 35-58

airline tickets, 47, 52banking checks, 48-49barcodes, 39-46, 504credit cards, 49definition of, 35-37, 506Hamming, 53-55, 512IBM, 49-52, 513ISBN, 37-39, 52, 513multidigit, 52-53postal money orders, 46VerhoefT, 56-58, 450, 521

checks (bank), 48-49Chinese remainder theorem, 318Chomsky, Avram Noam (1928-), 359Christie, Samuel Hunter (1784-1865), 218chromaticity diagram, 181chrominance, 172, 385, 388, 468, 506

eye not sensitive to, 179Churchill, Sir Winston Leonard Spencer

(1874-1965), 132CIE, 181

color diagram, 181ciphers

ADFGVX, 239-240, 256absolutely secure, 206-208additive, 204-206affine, 204-206, 253, 503ambiguity, 262-263AMSCO, 239, 492Bacon's biliteral, 350Beaufort, 246-247block, 197, 289-309Blowfish, 289book, 203, 290Caesar, 203-206, 503definition of, 200, 506Delastelle, 221Delastelle trifid, 223DES, 289, 296-309double Playfair, 220-221double transposition, 237-238El Gamal, 468Eyraud, 254-256Feistel, 292, 293Four winds, 229fractionating, 220-222Greek cross, 229

Gronsfeld, 251-252Hill, 256-258, 512homophonic substitution, 224-226, 467,

512IDEA, 289, 319, 467, 513Jefferson, 258-259knock, 218Lucifer, 295-296M-94, 260monoalphabetic substitution, 197, 213-

216, 516multiplex, 258multiplicative, 204-206Myszkowsky, 239nihilistic, 218nomenclator, 201, 516one-time pad, 206-208, 266, 273, 322, 439,

516pigpen, 216-217Playfair, 218-221polyalphabetic substitution, 197, 243-267,

316, 517Polybius monoalphabetic, 217-218, 224,

239-240Polybius polyalphabetic, 263-264polyphonic, 258, 262-263Porta, 244-245product, 292public key, 197public-key, 314-320, 518Rabin, 468rail fence, 229RC5, 289Rijndael, 289Rotl3, 203, 232RSA, 315-319, 468secure, 199-320self-reciprocal, 244-245stream, 197, 272-287, 451, 511, 520strip, 260-262TDEA, 271, 296-309transposition, 197, 227-242, 520trifid fractionating, 223Trithemius, 247-248Vernam, 208, 273, 290, 516, 521Vigenere, 249-252, 257, 521

ciphertextdefinition of, 201

536 Index

written in groups of 5, 202circular queue, 115-116, 506Clay, Henry, 80clock-controlled generator (shift register),

277, 280-281CMYK color space, 138code overflow (in adaptive Huffman), 86codec (compressor/decompressor), 61, 506codes

(n,/c), 5and geometry, 31-34check bits, 9-10, 506definition of, 506EBCDIC, 506error-correcting, 4-34, 510error-detecting, 4-34, 510Golay, 30-31Golomb, 71-73Hamming, 1, 14-16, 512Hamming distance, 1, 5, 11-13, 512overhead, 11parity bits, 1, 10-11, 516periodic, 1, 18, 517phased-in binary, 83prefix,139-141, 490Reed-Solomon, 1, 22, 24-29, 451, 506, 518reliable, 4-34SEC-DED, 16-18, 466, 518secure, 3unary, 71, 188variable-size, 69-71, 79, 82, 86, 88, 95, 111,

139, 141, 262, 475, 490unambiguous, 514

voting, 6-8, 521collating sequence, 116Collier, Robert (1885-1950), 463color images, 138

and grayscale compression, 172color lookup table (in steganography), 373-

374, 468color space, 181columnar transposition ciphers, 235-240

double encryption, 237combiner (in stream ciphers), 272, 281, 506Comite Consultatif International Telegraphique

et Telephonique (CCITT), 462common errors introduced by humans, 36companding (compressing/expanding), 61complete binary tree, 108

completeness effect (in block ciphers), 294,295

complex methods (diminishing returns), 178compression factor, 63, 172, 507compression gain, 507compression performance measures, 62-63compression ratio, 62, 507

in UNIX, 122known in advance, 145, 146

compressor (definition of), 61CompuServe Information Services, 511computer arithmetic, 180confidentiality, 199, 326confusion (in cryptography), ix, 294, 507context (definition of), 507context-free grammars, 359-363, 507context-tree weighting, 142continuous-tone image, 138, 507, 512, 514convolution, 163, 432, 434correlation, 508

coefficient (Pearson), 136of pixels, 378, 384, 420of video frames, 420

correlations, 137between pixels, 60, 77, 147, 484between quantities, 136

covariance, 137cover (in steganography), 341, 343, 346, 497,

508as noise, 344escrow, 344

CPT (data hiding in binary image), 408-411CRC (cyclic redundancy code), 30, 275, 327-

328, 461-463, 508credit cards (check digit), 49cross correlation of points, 147cryptanalysis (definition of), 199, 508cryptanalyst (definition of), 199, 508cryptographer (definition of), 199, 200, 508cryptography, 3, 199-320

as overt secret writing, 199, 341authentication, 504definition of, 199, 508Diffie-Hellman-Merkle key exchange, 312-

314, 468index of coincidence, 264-267PGP, 319-320, 517public-key, 197, 314-320, 440, 518

Index 537

quantum, 518rules of, 199, 208-209, 217, 241, 247, 250,

273, 275, 323, 514cryptology (definition of), 508cryptoperiod, 508cumulative frequencies, 103, 104, 107curves (space-filling), 229, 490cyclic notation of permutations, 50-51, 232,

491

D\Q symmetry group, 450D4 symmetry group, 449D$ symmetry group, 450DAC (digital-to-analog converter), 423Dali, Salvador (1904-1989), 5Darwin, Charles Robert (1809-1882), 135,

240data compression

adaptive, 61, 73and irrelevancy, 134and redundancy, 59-61, 134asymmetric, 62, 112, 115block decomposition, 142dictionary-based methods, 111-132, 135diminishing returns, 178fax, 73, 88-95, 139, 466

ID, 882D, 92group 3, 88

imageprinciple of, 135, 139-142progressive, 142, 172-178

intuitive methods, 145-146JPEG, 178-193logical, 111lossless, 61, 515lossy, 61, 365, 515MLP, 141model, 63, 176move-to-front, 61nonadaptive, 61patents, 517performance measures, 62-63progressive image, 142, 172-178quadtrees, 139run length encoding, 76, 78, 135, 139, 140semiadaptive, 61, 73, 81, 519small numbers, 188, 192space filling, 139

statistical methods, 112, 135subsampling, 145symmetric, 62, 112, 180two-pass, 61, 81, 96, 192, 519vector quantization, 145-146, 173wavelets, 142, 155

data encryption algorithm (DEA), 296data encryption standard (DES), 289, 296-

309, 505, 509challenges, 306-308

data hiding (steganography), viii, 341-443data structures, 86, 115-117, 121, 127, 128,

506queues, 115-116

Davida, George I. (Nicetext), 354DC coefficient (of a transform), 151, 181, 187,

188, 192decibel (dB), 143, 509decoder, 509

definition of, 61decompressor (definition of), 61decorrelated pixels, 136, 141, 146, 147decorrelated values (and covariance), 137decryption (unique), 201Delastelle fractionation cipher, 221Delastelle trifid cipher, 223Delastelle, Felix Marie (1840-1902), 221Delia Porta, Giambattista (15357-1615),

244, 247Delpy, Julie (1969-), 471deniability (and shared secrets), 322dictionary-based methods, 111-132, 135, 509differencing, 192Diffie, Bailey Whitfield (1944-), 312, 314, 315Diffie-Hellman-Merkle key exchange, 312-

314, 326, 468, 509diffusion (in cryptography), ix, 294, 509digest (of a message), 334digital audio, 422-425digitally sampled analog data, 521digrams, 67, 216, 509

frequencies, 67self-reciprocal, 244

discrete cosine transform (DCT), 155-161,179, 184-186, 387, 388, 393, 398, 420, 510

blocky artifacts in, 184discrete wavelet transform (DWT), 510discrete-tone image, 138, 505, 510

538 Index

distribution of letters, 214DOS (operating system), 442double Playfair cipher, 220-221double transposition cipher, 237-238downsampling, 179Drucker, Peter Ferdinand (1909-), 141Durant, William Crapo (1861-1947), 173dynamic dictionary, 111dynamic substitution cipher, 281-283Dyson, Freeman (1923-), 456

EAN (European article numbering) bar-codes, 41 42-43, 510

ear (human), 425-428EBCDIC (character code), 116, 506echo hiding (audio data hiding), 431-434Edison, Thomas Alva (1847-1931), 431Einstein, Albert (1879-1955), 216El Gamal public-key method, 468Elias, Peter (1923-2001), 96Ellis, James H., British cryptographer (?-

1997), 316email address of author, ixembedding capacity (in steganography), 343,

510encoder, 510

definition of, 61entropy, 68

encrypt-decrypt-encrypt (EDE) mode, 308encryption (multiple), 516encryption (unique or not unique), 201, 224energy

concentration of, 150of a distribution, 150

English text, 112frequencies of letters, 215word start, 241

English, statistical properties of, 216, 241entropy, 74, 95, 106

definition of, 68-69, 510entropy encoder, 68error metrics in image compression, 143-145error-correcting codes, 4-34, 510, 511

in a CD, 24-29error-detecting codes, 4-34, 461, 510, 511escape code (in adaptive Huffman), 82escrow cover (in steganography), 344Euclid's algorithm, 205

extended, 205, 455

Euler function $(n) , 204, 253Eve (generic name of eavesdropper), 202exclusive OR (XOR), 321, 435, 461, 511, 521eye (and brightness sensitivity), 137, 183Eyraud cipher, 254-256Eyraud, Charles, 254EZW (image compression), 178

Fabyan, George (1867-1936), 266, 267facsimile compression, 73, 88-95, 139, 415,

466, 511ID, 882D, 92group 3, 88

factor of compression, 63, 172, 507Farber, Dave, 24Favors, Donna A., 415fax images (data hiding in), 415, 468Feige-Fiat-Shamir identification protocol,

330-331Feistel ciphers, 292, 293Feistel, Horst, Lucifer designer (1915-1990),

292, 295, 297Feynman, Richard Phillips (1918-1988), 424field (in mathematics), 445, 451-460, 511file allocation table (FAT), 442fingerprinting (digital data), 343, 348finite-state machines, 77fixed point affine ciphers, 206, 488floppy disk (format of), 442foreground pixel (black), 505Four winds cipher, 229Fox, Paula, 386fractionating ciphers, 220, 221, 223

Morse code, 222Freese, Jerry, 373frequencies

cumulative, 103, 104, 107of pixels, 151-152of symbols, 79, 81, 83, 84, 86, 96, 97

inLZ77, 115frequency domain, 427frequency masking, 425-428frequency of eof, 99Friedman, Elizebeth (nee Smith 1892-1980),

267Friedman, William (Wolfe) Frederick (1891-

1969), 258, 259, 264, 267

Index 539

Puller, Thomas (1608-1661), 84

gain of compression, 507Galois fields, 29, 445, 451-460, 511Galois, Evariste (1811-1832), 328, 452Gaskell, Elizabeth (1810-1865), 221Gauss's theorem, 318Gaussian distribution, 514Geffe generator (in stream ciphers), 277, 506,

511generating polynomials, 29-30, 511generation of permutations, 252-254geometry for generating codes, 31-34German (letter frequencies), 216GIF (graphics file format), 374, 441, 511

and LZW patent, 517data hiding in, 384

Gifford pseudorandom number generator,279

giga (definition of), 511Giovanni, Yolande Cornelia (Nikki, 1943-),

16GnuPG (free PGP), 319, 517Golay codes, 30-31Golay, Marcel J. E. (1902-1989), 31Golomb code, 71-73, 511gpg (and PGP), 320graphical image, 138Gray codes, 375, 378-380grayscale image, 138, 140, 143, 512-514grayscale image compression (extended to

color images), 172Greek cross cipher, 229Greene, Henry Graham (1904-1991), 252,

351Gronsfeld cipher, 251-252group

Abelian, 447definition of, 309, 447-448multiplicative, 318symmetry, 447-450

group (in mathematics), 512group 3 fax compression, 88, 511group 4 fax compression, 88, 511GUI, 134Guillou-Quisquater identification protocol,

331

Haar transform, 155

halftoning (and fax compression), 91Hamming codes, 1, 14-16, 512Hamming decimal check digits, 53-55, 512Hamming distance, 1, 5, 11-13, 512Hamming, Richard Wesley (1915-1998), v,

11, 17hash functions (secure), 368hashing, 127, 131, 512

MD5, 334, 337-340Hawthorne, Nathaniel (1804-1864), 122hearing (properties of), 425-428Hellman, Martin E. (1945-), 312Herd, Bernd (LZH), 113hide and seek (steganography software), 367,

441, 512hierarchical coding (in progressive compres-

sion), 173hierarchical image compression, 181, 192Hightower, Cullen, 13Hilbert space-filling curve, 490

and steganography, 367Hill cipher, 256-258, 512Histiaeus (and intuitive steganography), 349HLS color space, 138homophonic substitution codes, 224-226,

467, 512Huffman coding, 60, 74-79, 88, 89, 91, 92,

95, 512, 519adaptive, 61, 81-87, 503alternatives to, 73, 474and wavelets, 164, 170code size, 79-80for images, 78in JPEG, 180, 187not unique, 74semiadaptive, 81two-symbol alphabet, 76variance, 75

Huffman, David (1925-1999), v, 68, 70, 74,78

human auditory system (HAS), 417, 425-428human visual system (HVS), 143, 395, 402human voice (range of), 425Hutting, Franz (fictional), vii, viii

IBM check digit, 49-52, 513IDEA (block cipher), 289, 319, 441, 467, 513image, 138

540 Index

    bi-level, 77, 138, 143, 505
    bitplane, 505
    cartoon-like, 139
    color, 138
    continuous-tone, 138, 507, 514
    definition of, 138
    discrete-tone, 138, 505, 510
    frequencies of, 151-152
    graphical, 138
    grayscale, 138, 140, 143, 512-514
    resolution of, 138
    steganography, 365-369, 468
    synthetic, 138
    transforms, 146-172
    types of, 138-139
image compression, 61, 133-196
    block decomposition, 142
    dictionary-based methods, 135
    error metrics, 143-145
    EZW, 178
    fax, 88-95, 139, 466
    intuitive methods, 145-146
    JPEG, 178-193
    lossy, 134
    LZ, 113
    MLP, 141
    principle of, 135, 139-142
    progressive, 142, 172-178
        median, 177
    quadtrees, 139
    reasons for, 134
    RLE, 135, 139, 140
    self-similarity, 142
    space filling, 139
    SPIHT, 178
    statistical methods, 135
    subsampling, 145
    wavelets, 142, 155
image transforms, 520
index of coincidence, 264-267
inequality (Kraft-MacMillan), 514
information theory, viii, 513
    and increased redundancy, 5
    and redundancy, 59
innocuous text (steganography), 354-358
integrity, 199, 326-328
interleaved bits, 6
International Electrotechnical Committee, 419
International Standard Book Number, see ISBN
International Standardization Organization (ISO), 419
International Telecommunications Union
    and MPEG, 419
intuitive methods for image compression, 145-146
inverse discrete cosine transform, 155-161, 184-186, 485
invisibility (in steganography), 343, 513
invisible ink (for data hiding), 349
involutary permutations, 50, 232, 244-245, 290, 381
involution, 513
irrelevancy (and lossy compression), 134
ISBN (international standard book number), 37-39, 52, 237, 349, 513
ISBN barcodes, 44
ISO, 178, 513, 514
ITU, 511, 513
ITU-R, 183
    recommendation BT.601, 183
ITU-T, 88
    and fax training documents, 73, 88
    recommendation T.4, 88
    recommendation T.6, 88, 511

Jefferson cipher, 258-259
Jefferson, Thomas (1743-1826) and cryptography, 258-259
JFIF, 194-196, 513
JPEG, 151, 155, 178-193, 505, 513, 514
    and progressive image compression, 173
    blocky artifacts in, 184
JPEG 2000, 183, 398
JPEG images (data hiding in), 387-392
JPEG-LS, 71, 193

Kahn, David A. (1930-), 265
Kasiski, Friedrich Wilhelm (1805-1881), 250
Kawaguchi, Eiji (BPCS steganography), 375
Kerckhoffs' principle, 208-209, 217, 247, 297, 345, 514
Kerckhoffs, Auguste, see Nieuwenhoff
key (in cryptography), 514
    asymmetric, 314, 468, 504, 517
    bad choice of, 252

    distribution problem, 206, 208, 247, 271, 311, 314, 316, 514
    private, 517
    public, 197, 314-320, 517
    symmetric, 314, 520
    weak, 304-305, 521
key (in steganography), 345
key space, 208, 514
    exhaustive search of, 209, 489
keyword in transposition ciphers, 232, 235-240
knight's tour (as a transposition cipher), 228
knock cipher, 218
Kraft-MacMillan inequality, 514

Lagrange, Joseph-Louis (1736-1813), 448
Lai, Xuejia, 513
Laplace distribution, 141, 369, 385, 514
Laplace transform (of image pixels), 369
latches (SR), 274
Latin square
    combiner, 283-284, 467, 515
    ideal, 260
    in cylinder ciphers, 260
    in self-reciprocal tables, 244
Lempel, Abraham (1936-), 113, 515
Lena (image), 147, 368
letter distribution in a language, 214
letter frequencies
    English, 215
    German, 216
    Portuguese, 216
    transposition ciphers, 227
Levenstein, Aaron, 110
Levy, Steven, 312
Lewis, Clive Staples (1898-1963), 386
lexicographic order, 116
LIFO, 131
linear feedback shift registers (LFSR), 274-277, 515
lockstep, 82, 126
logarithm
    discrete, 332
    information function, 68, 107
    used in metrics, 143
logical compression, 111
lossless compression, 61, 515
lossless data hiding, 380-384
lossy compression, 61, 365, 515
Lotstein, Michael (1970-), 248
LSB (least significant bit), 365, 380, 515
LSB encoding (image steganography), 365-369, 468, 515
Lucifer (predecessor of DES), 295-297
luminance, 183, 385, 388, 468
    CIE (Y), 183
    definition of, 183
    eye sensitive to, 183
    use in PSNR, 143
luminance chrominance color space, 142, 145, 179
luminance component of color, 137, 142, 172, 179-183, 186, 189, 420, 515
LZ77, 113-116, 123, 466, 505, 515, 519
    deficiencies, 119
LZ78, 113, 119-123, 515
LZC, 122
LZH, 113
LZSS, 116-119
LZW, 122-132, 515
    decoding, 126
    patented, 123, 517
    UNIX, 122

M-138 strip cipher, 262
M-94 cylinder cipher, 260
Machado, Romana (Stego developer), 365, 441
magic square (as a transposition cipher), 228
Malkevitch, Joseph, 32
Mandelbrot, Benoit B. (1924-), 442
MandelSteg (steganography software), 442-443
Maor, Eli, 231
Markov model, 142
Maroney, Colin (hide and seek), 441
Marx, Groucho (Julius Henry 1890-1977), 532
Massey, James, 513
Matlab software, properties of, 147
Mauborgne, Joseph O., 260
MD5 hashing, 334, 337-340
mean square error (MSE), 143
measures of compression efficiency, 62-63
median, definition of, 177
mega (definition of), 515
Merkle, Ralph C., 312

Michelangelo (Michaelangelo), see Buonarroti
MICR [magnetic ink character recognition] font, 48
Miller, Henry (1891-1980), 460
mimic functions (steganography), 358-363, 468, 515
MLP (image compression), 141
MMR coding, 92
model
    adaptive, 176
    Markov, 142
    of PPM, 110
    of probability, 96
    probability, 107
modems (V.32 protocol), 82
modulus, 237, 274, 330
    and XOR, 281
    as a one-way function, 312, 316, 329
    in finite fields, 501
    in the Hill cipher, 256-257, 512
monoalphabetic substitution ciphers, 197, 213-216, 516
    extended, 218-238
Morse code (in cryptography), 222, 239
Motil, John Michael, 80
move-to-front method, 61
    and wavelets, 164, 170
MP3 audio compression, 62
MPEG, 513
MPEG-1, 155, 183
MPEG-2 video compression (data hiding), 417, 419-422
MSB (most significant bit), 516
multidigit check digits, 52-53
multifid alphabet, 223
multiple encryption, 516
multiplex cipher, 258
multiplicative cipher, 204-206
music scores (watermarking), 417-419
Myszkowsky cipher, 239
Myszkowsky, E., 239

Nadin, Mihai, 291
nanometer, 181
National Institute of Standards and Technology (NIST), 296, 308, 503, 516
National Security Agency (NSA), 202, 354, 516
Netscape Communications, Inc. (SSL developers), 333, 337
Nicolaides, Kimon, 10
Nietzsche, Friedrich Wilhelm (1844-1900), 347
Nieuwenhoff, Jean Guillaume Hubert Victor François Alexandre Auguste Kerckhoffs von (1835-1903), 208, 209, 345
nihilistic cipher, 218
(n, k) codes, 5
Nobel, Alfred Bernhard (1833-1896), 443
noise
    in a binary image, 387, 404
    in a color image, 387
nomenclator (secure code), 201, 516
nonadaptive compression, 61
nonlinear combination generator (shift register), 277-279
nonlinear feedback shift registers (NFSR), 277-281
nonlinear filter generator (shift register), 277, 279-280
nonrepudiation, 199, 326, 328, 516
Nyquist rate, 19, 424, 516
Nyquist theorem, 19, 424

oblivious cover (in steganography), 345
Ohaver, M. E., 222, 245
Oldenburg, Claes Thure (1929-), 142
one-time pad cipher, 206-208, 266, 273, 440, 516
    and shared secrets, 322
    in steganography, 439
one-way function, 312, 314, 315, 437
OpenPGP (nonproprietary PGP), 319, 517
Orben, Robert, 49
orthogonal matrix, 155
orthogonal transforms, 147, 151-163
orthonormal matrix, 147, 150
overhead of a code, 11
Ovid (Publius Ovidius Naso), 431

Pagnol, Marcel (1895-1974), 406, 453
Painvin, Georges-Jean, breaker of ADFGVX cipher (1886-1982), 240, 256
palette (definition of), 373
pangram (sentence with all 26 letters), 252
parity, 461

    vertical, 462
parity bits, 1, 10-11, 516
Pascal, Blaise (1623-1662), 340
patchwork (statistical steganography), 369, 385-386, 468
patents of algorithms, 517
payload (in steganography), 343
peak signal to noise ratio (PSNR), 143-145
Peano space-filling curve, 490
    in steganography, 367
Peclet, Jean Claude Eugene (1793-1857), 452
pel (in fax compression), 88, 138
Pemberton, John Styth (1831-1888) Coca-Cola inventor, 320
perfect shuffle (as a transposition cipher), 269
periodic codes, 1, 18, 517
permutations, 50-51, 517
    automatically generated, 252-254
    by a key, 232, 235-236
    consecutive, 491
    cyclic notation, 50-51, 232, 491
    involutary, 50, 232, 244-245, 290, 381
    monoalphabetic substitution ciphers, 213
    multiplying, 50, 253
    random, 250
    transposition ciphers, 197, 227-242
Petitcolas, Fabien A. P., 342
PGP, see pretty good privacy
phased-in binary codes, 83
phrase (in LZW), 123
Picasso, Pablo Ruiz y (1881-1973), 154
pigpen cipher, 216-217
pixels
    background, 505
    correlated, 135, 147, 420
    correlations of, 60, 484
    decorrelated, 136, 141, 146, 147
    definition of, 138, 517
    foreground, 505
    frequencies of, 151-152
placebo (in cryptography), 218
plaintext
    ambiguities in, 202
    definition of, 201
plane (equation of), 324
plausible deniability, 434, 435
Playfair cipher, 218-221
Playfair, Baron Lyon (1818-1898), 218
Poe, Edgar Allan (1809-1849), 208, 214
points (cross correlation of), 147
polyalphabetic substitution ciphers, 197, 243-267, 517
    compared to RSA, 316
Polybius cipher
    and transposition, 239-240
    monoalphabetic, 217-218, 224
    Morse code, 240
    polyalphabetic, 263-264
polynomials
    and CRC, 462
    and secret sharing, 324-325
    arithmetic, 459-460
    definition of, 517
    generating, 29-30, 511
    primitive, 275
polyphonic ciphers, 258, 262-263
Porchez, Jean-François (1964-), 226
Porta cipher, 244-245
Portuguese (letter frequencies), 216
postal money orders (check digit), 46
PPM, 517
prediction, 517
prefix codes, 139-141, 490
prefix property, 521
    definition of, 70
prefix rule (for variable-size codes), 222, 263
pretty good privacy (PGP), 319-320, 517
prime numbers (definition of), 517
primitive polynomial (in cryptography), 275
probability
    model, 63, 96, 107, 176
    of a string, 68-69
    of a symbol, 68-69
product cipher, 292
progressive image compression, 142, 172-178
    lossy option, 173
    median, 177
    MLP, 141
    SNR, 173
projective planes, 31-34
projects for self study, 465-469
Proust, Marcel Valentin Louis George Eugene (1871-1922), 469, 522
pseudorandom number generator, 396, 397, 517
    Gifford, 279
pseudorandom numbers, 274, 517

psychoacoustics, 425-428
public-key cryptography, 314-320, 326, 440
public-key steganography, 351, 417, 440, 518
pulse code modulation (PCM), 425
pyramid (wavelet image decomposition), 165, 400, 401
pyramid coding (in progressive compression), 173

QM coder, 180, 192
quadtrees, 139
quantization
    image transform, 141, 147, 520
    in JPEG, 186-187
    scalar, 145
    vector, 145-146, 173, 521
quantization (steganography), 384-385
quantum cryptography, 518
queue (data structure), 115-116, 506

Rabin public-key method, 468
rail fence cipher, 229
random data, 60, 76
random numbers (pseudorandom), 274, 517
raster order scan, 139, 141, 147, 172
ratio of compression, 62, 507
RC5 block cipher, 289
redundancy
    and data compression, 59-61, 134, 518
    and reliable codes, 1, 5-30, 518
    definition of, 59
    in algebraic codes, 497
    in artificial languages, 259
    in compressed data, 375
    in error-correcting codes, 511
    in natural languages, 259
    in steganography, 369
    origin of term, ix
    spatial, 135
Reed, Irving S. (1923-), 24
Reed-Solomon codes, 1, 22, 24-29, 451, 506, 518
reflected Gray code, 140, 466, 512
relative encoding in JPEG, 181
reliable codes, 4-34
repetition in cryptography, 250
resolution of images (defined), 138
RGB color space, 137, 138, 142, 145, 179, 181, 183, 185, 196, 373, 374, 388
Rijndael (AES), 289, 467
Rivest, Ronald L., 315
RLE, 89, 135, 139, 140, 518
    and wavelets, 164, 170
    in JPEG, 180
robust frequency domain watermarking, 393-395
robustness (in steganography), 343-345, 347, 389, 518
Rochefoucauld, François de la (1613-1680), 363
Roman numerals, 146
root mean square error (RMSE), 143
ROT13 cipher, 203, 232
rotation matrix, 147, 155, 161
    is orthonormal, 150, 151
RSA cryptography, 315-319, 468
    cycling attack, 318
    multiplicative property of, 318
RSA Laboratories, 319
run length encoding, 76, 78, 135, 139, 140, 187

S-box, 290-293, 296, 301, 303, 304, 518
S-Tools (steganography software), 441-442, 518
Salk, Jonas (1914-1995), 14
sampling of sound, 422-425
Saravanan, Vijayakumaran, 185
Sassoon, Vidal (1928-), 119
scalar quantization, 145
Schneier, Bruce (1963-), 198
    crypto-gram, 210
Schnorr identification protocol, 332
Schotti, Gaspari (1608-1666), 252, 341, 350
Schwartau, Winn, 258
Schwartzkopf, Melvin (as a bad choice of key), 252
SEAL stream cipher, 284-287
SEC-DED codes, 16-18, 466, 518
secrets (sharing), 320-326, 468
    deniability, 322
secure codes
    cryptography, 3, 199-320
    steganography, 341-443, 519
    watermarking, 348
secure hash algorithm (SHA-1), 284, 334
secure hash functions, 368

secure socket layer, see SSL
self-complementary magic square (as a transposition cipher), 228
self-reciprocal ciphers, 244-245
self-similarity in images, 142
semantic methods (in steganography), 353, 519
semiadaptive compression, 61, 73, 81, 519
semiadaptive Huffman coding, 81
Seutonius (Gaius Seutonius Tranquillus 70?-130? B.C.), 203
Shakespeare, William (1564-1616), 359
    letter frequencies, 214, 215
    Nicetext, 358
Shamir, Adi, 315
Shannon, Claude Elwood (1916-2001), v, viii, 5, 17, 68, 510, 513
Shannon-Fano method, 512
sharing secrets, 320-326, 468
    deniability, 322
    threshold scheme, 320
Shaw, George Bernard (1856-1950), 512
shift registers, 519
    clock-controlled generator, 277, 280-281
    linear, 274-277, 515
    nonlinear, 277-281
    nonlinear combination generator, 277-279
    nonlinear filter generator, 277, 279-280
sibling property, 83, 84
Sierpinski curve, 490
signal-to-noise ratio (SNR), 144
    in steganography, 344, 519
signal-to-quantization noise ratio (SQNR), 144
Silver, Bernard, 40
skewed probabilities, 99
sliding window compression, 113-119, 466, 505, 519
small numbers (easy to compress), 164, 188, 192
Smirnoff, Yakov (1951-), 2
SNAFU (acronym), 201
SNR progressive image compression, 173
software for steganography, 440-443
    hide and seek, 367, 441, 512
    MandelSteg, 442-443
    S-Tools, 441-442, 518
    Stego, 366, 441, 519
Soh, Raymond, 9
Solomon, Gustave (?-1996), 24
sound sampling, 422-425
source coding, vii, 3
space-filling curves, 139
    as transposition cipher, 229, 490
sparseness ratio, 63, 172
spatial frequency (of pixels in an image), 403
spatial redundancy, 135
spectral selection (in JPEG), 181
SPIHT (image compression), 178
spread spectrum steganography, 393, 396, 519
SR latch, 274
SSL (secure socket layer), 332-337, 519
SSL certificates, 334-338
stack (data structure), 131
Stalin, Joseph Vissarionovich (Dzhugashvili, 1879-1953), 83
standard (wavelet image decomposition), 165
standards of television, 172
Stanley, Edward (1799-1869), 502
static dictionary, 111, 112, 122
statistical methods, 112, 135, 519
statistical model, 96, 111
steganalysis (definition of), 199
steganographic file system, 321, 417, 434-438, 469, 519
steganography, 341-443, 519
    and compression, 344, 497
    applications of, 346-347
    as covert secret writing, 199, 341
    binary images, 365, 404-419
    blind cover, 345
    BPCS, 506
    camouflage, 506
    color lookup table, 373-374, 468
    definition of, 199
    embedding capacity, 343, 510
    escrow cover, 344
    hiding data in text, 352-363
    intuitive methods, 348-350
    invisibility, 343, 513
    lossless, 380-384
    LSB encoding, 515
    mimic functions, 515
    oblivious cover, 345
    payload, 343
    public key, 351, 417, 440, 518

    pure, 351
    quantization, 384-385
    robust frequency domain watermarking, 393-395
    robustness, 344
    secret, 351
    semantic methods, 353, 519
    signal-to-noise ratio (SNR), 344, 519
    simple digital methods, 351-363
    software, 440-443
    spread spectrum, 519
    steganographic file system, 321, 417, 434-438, 469, 519
    steganosaurus, 354
    stego-key, 345
    syntactic methods, 353, 520
    tamper resistance, 344
    traitor tracing, 346
    transform domain, 365, 387-403, 520
    ultimate, 417, 439-440
    undetectability, 343, 520
    watermarking, 346, 393-395, 398-403, 521
steganosaurus (steganography software), 354
Stego (steganography software), 366, 441, 519
stego-key (in steganography), 328, 345
stegoimage, 365
Stimson, Henry Lewis (1867-1950), 211
stone-age binary (unary code), 71
Storer, James Andrew (1953-), 116
stream ciphers, 197, 272-287, 451, 511, 520
    combiner, 272, 281, 506, 511
    dynamic substitution, 281-283
    Latin square combiner, 283-284, 467, 515
    SEAL, 284-287
strip ciphers, 260-262
    M-138, 262
subband transform, 147, 163-172
subsampling, 145, 520
substitution ciphers, 203
    consecutive, 292
substitution-permutation (SP) ciphers, 290-292
successive approximation (in JPEG), 181
summation generator (in stream ciphers), 278, 506
Sutphen, Van Tassel (1861-1945), 508
syllables (encryption of), 226
symmetric compression, 62, 112, 180
symmetry groups, 36, 56, 447-450
syntactic methods (in steganography), 353, 520
synthetic image, 138
Syrus, Publilius, 34
Szymanski, T., 116

Taine, Hippolyte A. (1828-1893), 238
tamper resistance watermarking, 396-397
TAOSWCIHBD (letters at start of word), 241
taps (wavelet filter coefficients), 502
Tartaglia (Niccolo Fontana, 1499-1557), 329
television (standards used in), 172
temporal masking, 425, 428
ternary digit (trit), 218
TeX (and data hiding), 352-353
text
    data hiding in, 352-363
    English, 112
text compression
    Huffman coding, 74
    LZ, 515
    LZ methods, 113
    statistical methods, 73
text files (no lossy compression), 61
Thatcher, Margaret Hilda (1925-), 347
Thomson, Roy Herbert (Lord Thomson of Fleet 1894-1976), xv
threshold scheme (for secret sharing), 320, 326
Tobias, Andrew, 49
tokens
    dictionary methods, 111
    in LZ77, 113, 114
    in LZ78, 119, 120
    in LZSS, 116, 118
    in LZW, 122
TP (data hiding in binary image), 411-414
training (in data compression), 73, 88, 89
traitor tracing (in steganography), 346
transform domain (data hiding in), 365, 387-403, 520
transforms
    AC coefficients, 151
    DC coefficient, 151, 181, 187, 188, 192
    definition of, 146
    discrete cosine, 155-161, 179, 184-186, 510

    Haar, 155
    images, 146-172, 520
    inverse discrete cosine, 155-161, 184-186, 485
    orthogonal, 147, 151-163
    subband, 147, 163-172
transposition ciphers, 197, 227-242, 520
    anagram, 231
    columnar, 235-240
    combined, 231
    consecutive, 292
    drawbacks of, 240-242
    knight's tour, 228
    letter frequencies, 227
    magic square, 228
    self-complementary magic square, 228
    space-filling curves, 229, 490
    turning template, 233-235
trapdoor, 504, 520
tree
    adaptive Huffman, 81-84
    binary search, 116, 117, 119
        balanced, 116, 118
        skewed, 116, 118
    Huffman, 74, 75, 79, 81-84, 513
    Huffman (decoding), 86
    Huffman (overflow), 86
    Huffman (rebuilt), 84
    LZ78, 121
        overflow, 121
    LZW, 127, 131
    multiway, 127
    traversal, 74
trie
    definition of, 121
    LZW, 127
trigrams, 67, 216
    self-reciprocal, 244
triple data encryption standard (TDEA), 271, 296-309
trit (ternary digit), 218, 520
    definition of, 473
Trithemius cipher, 247-248
Trithemius, Johannes Heidenberg (1462-1516), 247, 341, 349
Tukey, John Wilder (1915-2000), 17
Turing machine, 520
turning template transposition ciphers, 233-235
Twain, Mark (1835-1910), 87
two-pass compression, 61, 73, 81, 96, 192, 519

UCC, see uniform code council
Ulam, Stanislaw (1909-1984), 65
ultimate steganography, 417, 439-440
unary code, 71, 188, 520
    general, 520
uncertainty principle (and quantum cryptography), 518
undetectability (in steganography), 343, 520
Unicode (character code), 59, 116, 269-270, 504, 506, 520
Uniform Code Council (UCC), 40
Uniform Grocery Product Code Council (UGPCC), 40
Uniform Product Code Council (UPCC), 40
universal product code (UPC), 40
UNIX
    compact, 81
    compress, 122, 517
UPC barcode, 41-42, 521

V.32 (modem protocol), 82
variable-size codes, 67-71, 79, 82, 86, 111, 262, 475, 519, 521
    in fax compression, 88
    unambiguous, 514
variance, 137
    as energy, 150
    of Huffman codes, 75
vector quantization, 145-146, 173, 521
Verhoeff check digits, 56-58, 450, 521
Verhoeff, Jacobus (Koos, 1927-), 36, 56
Vernam cipher (one-time pad), 208, 273, 290, 516, 521
Vernam, Gilbert S. (1890-1960), 208, 273
Verne, Jules Gabriel (1828-1905), 202
Viaris, Gaetan Henri Leon de (1847-1901), 259
Vigenere cipher, 249-252, 254, 257, 521
    index of coincidence, 264-267
    nonshift variant, 250
Vigenere, Blaise de (1523-1596), 249
voting codes, 6-8, 521

Walker, John (steganosaurus), 354
Walsh-Hadamard transform, 153

watermarking, 327
    digital data, 348
    in steganography, 346, 393-395, 398-403, 521
    music scores, 417-419
    tamper resistance, 396-397
Watt, William W., 99
wavelet image decomposition
    pyramid, 165, 400, 401
    standard, 165
wavelet-based watermarking, 398-403
    Kundur-Hatzinakos, 400-403
wavelets, 142, 155
    discrete transform, 510
Wayner, Peter, 359, 363
weak keys, 304-305, 521
Web site of this book, ix
Weinstein, Stephen B., 460
Welch, Terry A., 122, 515
Wheatstone, Sir Charles (1802-1875), 218
Wilson, Earl, 49
Wilson, Tom (Ziggy), 172
Wilson, Woodrow (1856-1924), 287
Wolfram, Stephen (1959-), 473
Woodland, Norman Joseph, 40
Wostrowitz, Eduard Fleissner von (turning template cipher), 233
Wu Lee method (data hiding in binary image), 407-408
www (Web), 179, 514

YCbCr color space, 137, 183, 185, 194, 373, 385, 388, 468
YIQ color model, 172
YPbPr color space, 185

zero-knowledge protocols, 329
zero-probability problem, 176
Zhao-Koch Method (data hiding in binary image), 404-406, 468
zigzag sequence, 139
    in JPEG, 186, 187, 487
Zimmermann, Philip R., PGP developer (1954-), 319, 517
Zip (postal) barcodes, 44-46, 522
Ziv, Jacob (1931-), 113, 515

A good book has no ending.—R.D. Cumming