MUX-based functional units, ignoring A, B and result lines
In this essay I intend to explore the binary functions of two bits and their possible use in cryptography. I shall, nonetheless, try to keep the maths simple.
A binary function is defined by a truth table. Let's take a familiar example, logical AND, and display the truth table.
| A | B | A & B |
|---|---|---|
| 0 | 0 | 0 |
| 0 | 1 | 0 |
| 1 | 0 | 0 |
| 1 | 1 | 1 |
| A | B | A op B |
|---|---|---|
| 0 | 0 | b0 |
| 0 | 1 | b1 |
| 1 | 0 | b2 |
| 1 | 1 | b3 |
We see that we can characterise a function by a 4-bit number, using the number bAbB to refer to a bit in a specific number. And there are obviously only 16 different 4-bit numbers.
Curiously, this very idea of numbering functions show up in a lot of
places, though the most obvious (and still unexplained) place would be
in the X11 GraphicsContext data structure, where the GCFunction member
is exactly this (the function tables are described in the
XCreateGC(3x) man page on my machine), though there is no explanation
of why each number gives the logic function it does.
MUX-based functional units, ignoring A, B and result lines
Thinking about it, we will want a function that has a numbering above in one of these ways: 01xx or 10xx ; xx01 or xx10. This is so we have a way of figuring out the plain-text (the B above) when we have a bit of the key (the A above). Looking at the signatures we want, we find that there are four possible functions, tabled below:
| K | P | P | K^P | !P | K==P |
|---|---|---|---|---|---|
| 0 | 0 | 0 | 0 | 1 | 1 |
| 0 | 1 | 1 | 1 | 0 | 0 |
| 1 | 0 | 0 | 1 | 1 | 0 |
| 1 | 1 | 1 | 0 | 0 | 1 |
Looking at these four functions, we can see that two are patently unsuitable, because they don't involve the key bit, at all (one is P as-is, the other is the complement of P) and are therefore not really of cryptographic interest. One is about as secure as ROT-13, the other as secure as ROT-26.
That leaves us with two possible functions, XOR and EQL. On the surface, they're both equally suitable, though there is a crucial difference. Looking at how to go from C (the cipher-text) to P (plain-text) given K (key), we can just use XOR again, if we started with XOR. If we have EQL, we can still recover the plain-text, it's just a bit hairier. This makes the encryption method and the decryption method asymmetric and that means you need to know if you're encrypting or decrypting. Messy and failure-prone.
The fact that there's no more expressive power with the EQL-based stream cipher means there's no actual advantage using it over XOR (same expressiveness, one less convenient aspect).
This is possible, but is, essentially, the same as just XOR-ing the two key bits together, then use that as the key (at least if you take 0 to mean XOR and 1 to mean EQL).
So, in short, no EQL is of no cryptographic interest. It does the job, but it's more cumbersome than XOR and it isn't interesting for being combined with XOR.
It is possible that a bit stream using three key bits for each bit of plain-text might be of interest, but I imagine it would reduce to being no harder to analyse than a plain single bit key for single-bit plain-text XOR encryption and would require more key generation (pseudo-random and thus having its own set of problems) or longer one-time-pad (cumbersome and expensive).
This is one of Ingvar's essays