The Ideal Cipher
In 1883, the most famous work by Auguste Kerckhoffs, after whom the
cryptanalytic technique of superimposing multiple messages enciphered
with the same running key is named, was published: La Cryptographie
Militaire (Military Cryptography). This book set forth six desiderata
for systems of
- A cipher should be unbreakable. If it cannot be theoretically proven
to be unbreakable, it should at least be unbreakable in practice.
- If the method of encipherment becomes known to one's adversary, this
should not prevent one from continuing to use the cipher.
- It should be possible to memorize the key without having to write it
down, and it should be easy to change to a different key.
- Messages, after being enciphered, should be in a form that can be sent
- If a cipher machine or code book or the like is involved, any such
items required should be portable, and usable by one person without
- Enciphering or deciphering messages in the system should not cause
mental strain, and should not require following a long and complicated
These six desiderata, as they are phrased, are directly applicable to
pencil-and-paper ciphers. Some of the concerns they raise do not seem as
important today, when the ubiquitous personal computer stands ready to
assist the cryptographer.
It may be noted that I have rather heavily paraphrased Kerckhoffs in my
listing of his six dicta above. The second dictum originally stated that
"compromise of the system should not inconvenience the participants".
While my paraphrase makes explicit the usual way in which this dictum is
understood, there is at least one other way in which the users of
a cryptosystem could be inconvenienced by compromise of the algorithm.
During the Second World War, the highly secure American cipher machine
SIGABA was handled with extreme physical security. One of the reasons for
this was that it was so secure that if an enemy had discovered how it
worked, although that probably would not allow that adversary to begin
reading messages encrypted on the SIGABA, it would enable the adversary to
copy the principle, and thus deprive the Allies of the intelligence they
had been able to obtain from solving even the highest-level German and
Japanese cipher systems.
Hence, satisfying the first dictum too well caused it to fail the
second dictum in a less usual manner.
In any case, as amended for the computer era, Kerckhoffs' desiderata
might look like this:
- That a cipher should be unbreakable, in practice if
not in theory, needs no modification as a statement of what is desired.
However, only the one-time-pad, or a cipher essentially equivalent
to the one-time-pad,
is known to be secure in theory at present, and there are
good reasons to believe that such ciphers will remain the only ciphers that can be
proven to be unbreakable.
There are a number of other ciphers that can be proven to be
as hard to break as certain classes of difficult problems in mathematics
are to solve. But what can't be proven at present (and what may possibly even
remain forever unprovable) is that those "difficult
problems", such as factoring the product of two large primes,
will indefinitely continue to require enough time to inconvenience the cryptanalyst
as new discoveries are made in mathematics.
- That the security of a cipher system should depend on the key and not
the algorithm has become a truism in the computer era, and this one is the
best-remembered of Kerckhoffs' dicta. The original reason for this,
however, is not some magical distinction between "key" and
"algorithm". Rather, it follows from the later conditions imposed on the
key: it must be short, and easy to abandon for a new key. A cryptographic
algorithm can meet neither of those conditions. Hence, it should not be
part of the key, because then the key would be bulky and hard to change.
However, there is also a fundamental distinction between key and algorithm
which, even if Kerckhoffs considered it when he wrote this desideratum, was
not likely to have been one of the major considerations behind it. It
relates to the first desideratum, and is generally used today as the main
rationale for this requirement. Unlike a key, an algorithm can be studied
and analyzed by experts to determine whether it is likely to be secure. An
algorithm that you have invented yourself and kept secret has not had the
opportunity for such review.
- With today's computer technology, which allows a cipher with a key 56
bits in length, as used with DES, to be easily broken by brute force (by
merely trying every possible key), it would appear that a dictum advocating
that keys should be short is entirely obsolete. But if we rephrase the
requirement to indicate the reasons behind it, we find that the concern is
still valid. The secret key, on which the security of one's messages
depends, should not be of a size (or form) that prevents it from being
stored and exchanged in ways that effectively protect it from compromise.
It may also be noted that public-key cryptography, which allows the
two participants to avoid having to exchange their private keys, and which
allows them to use a fresh session key for each message, contributes to
the ease of meeting this requirement. On the other hand, the one-time-pad
can require the exchange of keys at an inconvenient time, once the available
key is exhausted.
- Enciphered messages should be in a form suitable to transmission
by means of whatever communications medium is intended to be used, or
convenient to use. This may mean the Internet or a fiber-optic link
instead of the telegraph, but the principle remains sound.
- In order for a cipher to satisfy the first rule, it seems impossible
to avoid having to use a piece of apparatus for encipherment, the digital
computer. Computers certainly do exist that are portable and which are
easily used by one person today. As apparatus can also cause problems by
arousing suspicion, it would be an advantage in this area if one's cipher
could be carried out with the aid of a computer program in BASIC that one
could type in from memory.
- Again, it seems that for a cipher to remain unbreakable by today's
standards, the algorithm used would have to be intricate and complicated.
However, it is also true that we now have computers to do all the hard
work. One of the reasons that a cipher should not be too complicated is
to avoid problems caused by error in the encipherment of messages. Hence,
this dictum could be considered to recommend that ciphers with unfavorable
error-propagation characteristics should be avoided, since transmission
errors can also make it necessary to retransmit a message. And this
relates more directly to the cipher itself than to simply note that any
encryption program, like any other computer program, should have a good
Thus, I claim that all six of Kerckhoffs' desiderata, not just those
whose relevance is most often acknowledged at the present time, still
retain at least some degree of importance, when correctly understood.
But it is true that the ones regarded as obsolete have retained less
of their importance as stated, although the reasons behind them remain
valid in a different form.
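The error-propagation concern raised under the sixth desideratum can be made concrete by flipping a single ciphertext bit and counting how much plaintext is lost under different block-cipher chaining modes. This is an added example, not part of the original essay: it uses a constructed toy Feistel cipher built on SHA-256 (chosen only so the script runs offline; the propagation behaviour shown belongs to the chaining mode, not to the cipher), and CBC, PCBC and CTR are the standard mode names.

```python
import hashlib
BLOCK = 16  # bytes per block; the toy Feistel cipher below splits it into two 8-byte halves

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _feistel(key, block, rounds):
    # Four-round Feistel network with a truncated-SHA-256 round function (constructed toy, not a real cipher); decryption runs the rounds in reverse.
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in rounds:
        l, r = r, _xor(l, hashlib.sha256(key + bytes([rnd]) + r).digest()[:BLOCK // 2])
    return r + l

def encrypt_block(key, block): return _feistel(key, block, range(4))
def decrypt_block(key, block): return _feistel(key, block, reversed(range(4)))

def chained_crypt(key, iv, data, next_chain, decrypt):
    # CBC-style chaining; next_chain(p, c) selects what the next block is XORed with: c alone gives CBC, p XOR c gives PCBC (errors propagate to every later block).
    out, chain = [], iv
    for i in range(0, len(data), BLOCK):
        if decrypt:
            c = data[i:i + BLOCK]
            p = _xor(decrypt_block(key, c), chain)
        else:
            p = data[i:i + BLOCK]
            c = encrypt_block(key, _xor(p, chain))
        out.append(p if decrypt else c)
        chain = next_chain(p, c)
    return b"".join(out)

def ctr_crypt(key, nonce, data):
    # Counter mode: keystream block n = E(nonce || n); encryption and decryption coincide.
    out = []
    for n, i in enumerate(range(0, len(data), BLOCK)):
        out.append(_xor(data[i:i + BLOCK], encrypt_block(key, nonce[:8] + n.to_bytes(8, "big"))))
    return b"".join(out)

def crypt(mode, key, iv, data, decrypt):
    if mode == "ctr":
        return ctr_crypt(key, iv, data)
    return chained_crypt(key, iv, data, {"cbc": lambda p, c: c, "pcbc": _xor}[mode], decrypt)

def corrupted_bits_per_block(mode, key, iv, pt, flip_byte):
    # Simulate a one-bit transmission error: flip one ciphertext bit, decrypt, and count the wrong plaintext bits in each block.
    ct = bytearray(crypt(mode, key, iv, pt, decrypt=False))
    ct[flip_byte] ^= 0x01
    rec = crypt(mode, key, iv, bytes(ct), decrypt=True)
    return [bin(int.from_bytes(_xor(pt[i:i + BLOCK], rec[i:i + BLOCK]), "big")).count("1")
            for i in range(0, len(pt), BLOCK)]
```

With whole-block input such as corrupted_bits_per_block("cbc", b"k" * 16, b"\0" * 16, bytes(range(64)), 19), CBC loses one whole block plus one bit of the next, PCBC loses every block from the error onward, and CTR loses only the one flipped bit.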