Cryptography-Digest Digest #541

2001-06-06 Thread Digestifier

Cryptography-Digest Digest #541, Volume #14   Wed, 6 Jun 01 19:13:01 EDT

  Crypto Survey May 2001 by Markku J. Saarelainen (Mark J S)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (JPeschel)

Subject: Crypto Survey May 2001 by Markku J. Saarelainen
Date: 6 Jun 2001 15:57:58 -0700


Cryptographic Survey, May 2001, Markku J. Saarelainen




The major societal development since the 1st and 2nd crypto surveys in
1996 and 1997 has been the removal of many regulatory barriers for
open trading of cryptographic products in the North America and
globally. In addition, the number of cryptographic applications and
component implementations has increased, while at the same time the
variety of different types of solutions has risen. This does not
necessarily mean the wider use of encryption in businesses and
personal activities. Many same or similar behavioral barriers for the
effective utilization of many security solutions still exist limiting
the protection of communications, data storage and networking. In
addition, the lack of the interoperability between solutions from
different suppliers tends to decrease the number of effective
cryptography users worldwide. It is clear that the awareness for
encrypted communication and protected information activities has
increased, while necessary regulatory changes for protecting entities
from security vulnerabilities has enabled cryptographic product
suppliers to satisfy market requirements in the U.S.A., in the North
America and globally. However, regulatory and cultural differences
exist from one nation or region to another creating a global
unbalanced situation of the security use, which has the reducing
effect on security practices and policy implementations of any global
entity in different regions. This impacts on the interoperability of
units of global entities. It is likely that there shall be greater
competing drives in the information technology market place between
different security strategies and approaches from different software
and hardware product and security suppliers.

QUESTION 1. In your opinion, what are the 5-10 most significant
applications of encryption technologies currently in commercial

1. HTTP over SSL (aka HTTPS) / SSL for credit card processing / SSL /
Web-activity privacy (SSL)
2. IPsec
3. RSA Secure ID (maybe)
4. Online Credit Card Processing  Financial Transfers
5. VPNs / Virtual Private Networks for widely distributed offices /
VPN for remote access to Intranet
6. Email encryption (via PGP/GPG or SMIME) / Encrypted Messages /
Email Privacy
7. Digital signing authentication of messages
8. Consensus and voting software (not now but give it 5 years)
9. Encrypted file systems for sensitive data
10. Signing software for installation
11. Signing email messages to show official authority
12. Wireless local area network encryption
13. Password protection/access control
14. Data protection
15. Session protection (VPN's)
16. Authentication and authorization / Customer authentication (e.g.
PIN checking)
17. Securing B2B file exchange
18. PKI
19. Remote secure teleworking
20. Digital signatures
21. Time-stamping

QUESTION 2. In your opinion, what are 5-10 main barriers currently
that may prevent the successful implementation and utilization
of encryption technologies in commercial enterprises? 

1. Ignorance of risks prevents purchase
2. Dishonest portrayal of product (i.e.: false security claims and
blatant product holes in end-to-end protection) promotes distrust in
the whole
3. Most products are a waste of time because they are not a
comprehensive solution - e.g.: why bother using PGP when there is
nothing in any NAI products to protect against back-office-style
electronic eavesdropping attacks?
4. Many people do not care about cryptography and/or security products
5. Having lived happily without serious protection for a long while,
most customers believe there is no point retrofitting an expensive
solution for a problem they do not have (and many of them are probably
6. Lack of knowledge by decision-maker
7. Low knowledge level of users
8. Lack of knowledge by computer scientists
9. Lack of complete standards (S/MIME to be extended, ...)
10. Cost
11. It is too hard to use / complexity / Not transparent enough and
made user hard to use.
12. Difficult and complex configurations

Cryptography-Digest Digest #541

2001-01-24 Thread Digestifier

Cryptography-Digest Digest #541, Volume #13  Wed, 24 Jan 01 15:13:00 EST

  Re: Some Enigma Questions ("David C. Barber")
  How much of this group's discussion violates the DMCA ("David C. Barber")
  Re: 3G crypto algorithms (Arturo)
  Re: How many bits of security can a password give? (Tom St Denis)
  Re: TSEPRNG, a secure RNG ? (Dan Parisien)
  Re: Transposition code (Richard Heathfield)
  Re: How much of this group's discussion violates the DMCA
  DES check values (58)
  Re: How much of this group's discussion violates the DMCA (Richard Heathfield)
  finding inverses and factoring (David A Molnar)
  Re: TSEPRNG, a secure RNG ? (Splaat23)
  Re: 3G crypto algorithms[Off-Topic: Asian Echelon] (Abe Lin)
  Re: Fitting Dynamic Transposition into a Binary World (John Savard)
  Re: DES check values (Splaat23)
  Re: How many bits of security can a password give? (Erik Runeson)
  Re: Cryptographic Camouflage (Darren New)
  Echelon in Asia. (Abe Lin)

From: "David C. Barber" [EMAIL PROTECTED]
Subject: Re: Some Enigma Questions
Date: Wed, 24 Jan 2001 10:55:31 -0700

"John Savard" [EMAIL PROTECTED] wrote in message

 It still wouldn't be as secure as, say, DES.

One difference is that one could do a reasonable pencil+paper
encrypt/decrypt of an enigma message if the machine wasn't available.  Hard
to say the same about DES.(Yes, I know possible, but *much* harder.)

*David Barber*


From: "David C. Barber" [EMAIL PROTECTED]
Subject: How much of this group's discussion violates the DMCA
Date: Wed, 24 Jan 2001 11:00:29 -0700

I wonder how much of this group's current discussions about systems and how
they're broken is in violation of the Digital Millennium Copyright Act,
which prohibits any attempt to reveal or break even lame systems.

Any informed opinion(s) on this?

*David Barber*


Subject: Re: 3G crypto algorithms
Date: Wed, 24 Jan 2001 18:23:34 +0100

On Tue, 23 Jan 2001 14:06:25 +0100, Mok-Kong Shen [EMAIL PROTECTED]

Arturo wrote:

In a town not too far from mine there is an 
Echelon station.

Hmmm,  you mean Bad Aibling?  Or maybe some other I didn´t hear about?
Details, please.  I´m interested in the matter  (you can post here or drop me
some bytes at [EMAIL PROTECTED]; PGP keys available at keyservers).

It is possible in Germany for a government 
agency to lawfully but secretly install a microphone in 
one's home. Right now there is a little revision of the law 
underway to make the recording of telephone conversations 
an even more convenient task. 

And there´s an European-wide effort at Carvirorizing the old continent.
Just browse to for more details.
(Hint: Convention on Mutual Assistance In Criminal Matters, Title III:
"Interception of Communications").


From: Tom St Denis [EMAIL PROTECTED]
Subject: Re: How many bits of security can a password give?
Date: Wed, 24 Jan 2001 17:57:34 GMT

In article 94mn7a$27r$[EMAIL PROTECTED],
  Erik Runeson [EMAIL PROTECTED] wrote:
 I'm doing some analysis on how many bits of security a password can

 For instance, if we take a password with 8 random characters (all lower
 case to simplify a bit), it is easy to assume that it would mean:
   8*8=64 bits of security (since each character is 8 bits).
 However, since there are only 26 lower case letters, the actual figure
   log2( 26^8 ) = 37.6 bits

 Of course, the whole issue gets a lot more complicated when you add
 upper case letters, numbers and other characters, as well as dealing
 with the fact that users rarely choose random passwords.

 Does anyone know any articles or other studies in this area?

You're generally right, but use the def'n of entropy to calc the bits of info
in a string instead of using an assumption.


Sent via


From: Dan Parisien [EMAIL PROTECTED]
Subject: Re: TSEPRNG, a secure RNG ?
Date: Wed, 24 Jan 2001 18:17:58 GMT

 An attacker might be able to force system load to be abnormally high.
 For some systems, this might result in deterministic round robin
 scheduling, such that the number of instructions given to each thread
 becomes known easily guessable to the attacker.

Maybe I'll explain the algorithm in more detail because this kind of attack 
has no effect on it.

Race conditions caused by multi-threaded programming causes a large amount 
of headaches to programmers. Why? Because there is no way (theoretically) 
of knowing in which order they will be executed (so you must place locks 
around shared data). That is entropy.

To test the theory that threads get scheduled differe

Cryptography-Digest Digest #541

2000-08-26 Thread Digestifier

Cryptography-Digest Digest #541, Volume #12  Sat, 26 Aug 00 11:13:01 EDT

  Re: cryptlib (Matt Johnston)
  Re: PGP 6.5.8 test: That's NOT enough !!! (Keith)
  Re: Serious PGP v5  v6 bug! ("gleu")
  Re: Bytes, octets, chars, and characters ("David Thompson")
  Re: Best way! ([EMAIL PROTECTED])
  Re: PRNG Test Theory ([EMAIL PROTECTED])
  Re: Serious PGP v5  v6 bug! (Keith)
  Re: Best way! ("Big Boy Barry")
  Quake III Arena authentication (Mathew Hendry)
  Re: stegonographic overuse (John Savard)
  Re: You _DONT_ want a quantum computer. (John Savard)
  Re: Best way! ([EMAIL PROTECTED])
  Re: Best way! ([EMAIL PROTECTED])
  Re: PGP 6.5.8 test: That's NOT enough !!! ("Michel Bouissou")
  Re: PROMIS-software for worldwide spy network by US/Isreal (Timothy M. Metzinger)

From: Matt Johnston [EMAIL PROTECTED]
Subject: Re: cryptlib
Date: Sat, 26 Aug 2000 20:29:57 +0800

Rémi FOREST wrote:

 Does anyone here use cryptlib
 ( ) for programming ?
 How secure is it ?

I haven't actually used it, but i believe that it has a fairly good 
reputation, as does the author.

Matt Johnston.


Subject: Re: PGP 6.5.8 test: That's NOT enough !!!
Date: Sat, 26 Aug 2000 05:56:32 -0700
Reply-To: "Keith" [EMAIL PROTECTED]


On Sat, 26 Aug 2000 12:49:17 +0200, Michel Bouissou 
 8o87bf$p7m$[EMAIL PROTECTED] wrote:

Where previous versions would show this key as having an ADK, and use
the forged ADK, the "fixed" PGP 6.5.8 shows the forged key as being a
normal, valid key, without any ADK.

There is no way for PGP to detect a forged key. That is what a signature and
trust values are for. As long as PGP removes and/or doesn't recognize the
forged ADK on a tampered key, which will lead to the encryption of a file or
message to the forged ADK, then that is the proper action. 

Version: PGPfreeware 6.5.8 for non-commercial use
Comment: pgp keys available at


Best Regards,

Where do you discover free software for Windows? Strongsignals DOT COM is a 
great place to start:   "If a man hasn't discovered
something that he will die for, he isn't fit to live." --Martin Luther King, Jr


From: "gleu" [EMAIL PROTECTED]
Subject: Re: Serious PGP v5  v6 bug!
Date: Sat, 26 Aug 2000 13:57:36 +0100

Ralf Muschall [EMAIL PROTECTED] wrote in message
 Ron B. [EMAIL PROTECTED] writes:

  as the perfect employee.  If Jane is has a heart attack, has a fatal
  accident or for other reasons beyond her control is not available to
  decrypt important data, the company may have legitmate reasons to

 Then it should be simple to ask the sender to resend the message,
 encrypted with Jane's successor's (or chief's) public key. In this
 situation, the sender has full power to decides who may read his
 messages, not some third person not authorized by him.

And what about the not-so-perfect employee which the company decides to sack
and the company still wishes to have access to the employee messages/data
... because they are relevant and legitimately belong to the company ?

 Remember that pgp is not for ecrypting locally stored data, like
 backups etc. (symmetric methods are better for this purpose), but only
 for the safe *transport* of messages.



From: "David Thompson" [EMAIL PROTECTED]
Crossposted-To: comp.lang.c,alt.folklore.computers
Subject: Re: Bytes, octets, chars, and characters
Date: Sat, 26 Aug 2000 13:03:44 GMT

John Savard [EMAIL PROTECTED] wrote :
 However, in the past, it had been customary to refer to a six-bit area
 in a computer's memory, where such an area was the span of memory
 occupied by a character of a text, as a character.

Not necessarily six bits.  It is usual to refer to the storage for one
(fixed-length) character code as a character, yes, of course,
and six bits is enough for one (Roman

Cryptography-Digest Digest #541

2000-04-13 Thread Digestifier

Cryptography-Digest Digest #541, Volume #11  Thu, 13 Apr 00 13:13:01 EDT

  Where to post treatise? ([EMAIL PROTECTED])
  Re: Regulation of Investigatory Powers Bill (Jill)
  Re: Regulation of Investigatory Powers Bill (Jill)
  Re: O(...) - Newbie question (Bob Silverman)
  Re: Where to post treatise? (David A Molnar)
  Re: Is AES necessary? (Jerry Coffin)
  Re: SHA2 (Francois Grieu)
  Re: SHA2 (Diet NSA)
  Re: Is AES necessary? (Mok-Kong Shen)
  Q: NTRU's encryption algorithm (Mok-Kong Shen)
  TDMA CAVE encryption (Matt Linder)
  Re: OAP-L3: Semester 1 / Class #1 All are invited. (Lincoln Yeoh)
  Re: Cipher Contest Update (Boris Kazak)
  Re: new Echelon article (Diet NSA)
  Re: Q: Entropy (James Felling)
  Re: GSM A5/1 Encryption (Lincoln Yeoh)
  Re: Q: Inverse of large, sparse boolean matrix, anyone? (Bob Silverman)
  Re: Encode Book? (James Felling)
  Re: Q: Inverse of large, sparse boolean matrix, anyone? (Bob Silverman)
  Re: Miami Herald article about ATM ripoffs (Lincoln Yeoh)

Subject: Where to post treatise?
Date: Thu, 13 Apr 2000 14:30:53 GMT

Hi all,
I 've invented a pretty good data encryption algorithm and I have
written a treatise about it. But I don't know where to post the
treatise. What magazines are standard in this respect ? Can you suggest?

Sent via
Before you buy.


Subject: Re: Regulation of Investigatory Powers Bill
Date: Thu, 13 Apr 2000 16:12:25 +0100

I would suggest that the 'protest' files of random data that I suggested
in an earlier posting are not generated by any current encryption
algorithm for the following reason.
Lets suppose that a number theorist discovers a detectable signature in
data encrypted by algorithm 'X',
where X is Blowfish, PGP, etc.  This may not allow decryption but
nevertheless will detect the hand of the algorithm in the data.  You
will then have a data file that the authorities can determine to be the
product of algorithm 'X' but for which you can provide no meaningful key
I would favour the use of genuine random data created by diode noise,
radioactive decay or some other genuinely random source.  Failing that I
would use a strong random number generator rather than an encryption
algorithm.  Cryptography is powerfully counter-intuitive and what seem
like good ideas can be fundamentally broken.  If you use random data for
this purpose and new analysis methods come along then these will only
serve to show that the file *is* random data.  This is by far the safest
course in a very complex and poorly understood field.

Andrew Le Couteur Bisson


Subject: Re: SHA2
Date: Thu, 13 Apr 2000 15:10:31 GMT

Mark Wooding [EMAIL PROTECTED] wrote:
 I'd like to propose AHS, for Advanced Hash Standard.  But then again,
 I'm feeling a bit childish today.

No, no, no. All acronyms should be one of the following:

1. Recursive, such as GNU, LAME, etc. SHS - SHS is a Hashing Standard.

2. Begin with YA, such as innumerable programs. YASHA.

3. Be totally incomprehensible, such as UTC. HAS - letters jumbled to
   appease part of the standards body.

4. As a last resort, you can add a prefix letter denoting your name,
   or mix and match the above three.



Subject: Re: Regulation of Investigatory Powers Bill
Date: Thu, 13 Apr 2000 16:17:13 +0100

Further to my previous posting I believe that suitable, genuinely random
data can be obtained, free of charge, from the SETI screensaver

Andrew Le Couteur Bisson


From: Bob Silverman [EMAIL PROTECTED]
Subject: Re: O(...) - Newbie question
Date: Thu, 13 Apr 2000 15:07:01 GMT

In article 8d3dqn$4i0$[EMAIL PROTECTED],
  Bryan Olson [EMAIL PROTECTED] wrote:
 Bob Silverman wrote:

  A function f(x) is said to be O(g(x))  [read as 'order of g(x)']
  if  lim n-- oo  of  |f(x)/g(x)|  c   for some constant c.

 There's a problem with that definition in that |f(x)/g(x)|
 may always be less than c for sufficiently large x, but the
 limit as x-oo may not exist. (I'm assuming the use of "n"
 was a typo.   Yes. Bob)
I left off the limes superior...  It should have been  lim, or
lim sup

  In other words  f(x) grows at a rate which is bounded by a constant
  times the rate at which g(x) grows  as x becomes sufficiently large.

 The definition I know of is:

f(x) is O(g(x)) if and only if there exist some c
and n such that,
0 = f(x) = c*g(x)  whenever  x = n.

This does not work either.  

Cryptography-Digest Digest #541

1999-11-10 Thread Digestifier

Cryptography-Digest Digest #541, Volume #10  Wed, 10 Nov 99 22:13:03 EST

  Re: One-time-pad simulator. (William Rowden)
  Re: Build your own one-on-one compressor (Mok-Kong Shen)
  Re: Build your own one-on-one compressor (Mok-Kong Shen)
  Encode It 1.03 CRACKED 1 month after released ("Alexander PUKALL")
  Re: Signals From Intelligent Space Aliens?  Forget About It. (Anthony Stephen Szopa)
  Re: Signals From Intelligent Space Aliens?  Forget About It. (SCOTT19U.ZIP_GUY)
  Re: Build your own one-on-one compressor (Tom)
  Re: Proposal: Inexpensive Method of "True Random Data" Generation (Coen Visser)
  Re: Research suggestion? (David A Molnar)
  Re: Re: How protect HDisk against Customs when entering Great Britain (JD)
  Re: Proposal: Inexpensive Method of "True Random Data" Generation ("james d. hunter")

From: William Rowden [EMAIL PROTECTED]
Subject: Re: One-time-pad simulator.
Date: Wed, 10 Nov 1999 21:25:22 GMT

  trifthen [EMAIL PROTECTED] wrote:
 Here's the crypted text:

 Z.Rs/a5Ll,Rr!Ut Xw"Rp"HoyBYv Vs!:

I won't claim to be an expert, but I have a comment below.  First,
however, I want to quote "Cryptography FAQ 02/10: Net Etiquette":

 2.3. How do I present a new encryption scheme in sci.crypt?
 ``I just came up with this neat method of encryption. Here's some
  FHDSIJOYW^%$*#@OGBUJHKFSYUIRE. Is it strong?'' Without a
 doubt questions like this are the most annoying traffic on
 So what do you do if you have a new encryption scheme? First of
 all, find out if it's really new. Look through this FAQ for
 references and related methods. Familiarize yourself with the
 literature and the introductory textbooks.

 Here's a short overview of how my random number generator works, as
 it's crucial to the system:
 Find current value of length.
 Take this value and add 21 to separate it enough from the
   data stream. (length = len + 21)
 Take first character of the key. (string)
 Mod string by length.
 While there is still key left
   Get the next character in the key. (next)
   Take the result of the previous mod, and append next. (new)
   Mod new by length. (result)
 increment length.
 Return final mod.

 It does this for every character in the original text, hence it makes
 a one-time-pad based on the original text.

Code would help; I don't understand the relationship between the
plaintext and your "pad."  Which of the values above are influenced by
the plaintext?

In any event, I'll venture the opinion that your last sentence sounds
more like a complicated autokey rather than a one-time-pad.  I've read
that Vigenere invented a simple autokey system in 1585.  Similar to
your hex key, his system also had a "priming" key to begin enciphering.
An attack (developed by Bassieres) relies on finding in the ciphertext
the correlations between the plaintext and the key (the actual key, not
the priming key).  Some think Vigenere "almost" invented the
one-time-pad; he recognized that a key as long as the message was a Good
Thing.  To be a true one-time-pad, however, the key would have to be (at
least) uncorrelated to the plaintext.

Additionally, while it is easy to design your own pseudo-random number
generator, it is difficult to create one that is cryptographically
strong.  Is your PRNG linear?

 If you want to see my actual code, just tell me and I'll
 show it to you.

Again I'll quote the FAQ:

 If you really think your system is secure, and you want to get some
 reassurance from experts, you might try posting full details of
 your system, including working code and a solid theoretical
 explanation, to sci.crypt.

Have fun with your system.  I wish you luck.
Damages claimed for unsolicited commercial email (RCW19.86  47USC227)
PGP key: until 2000-08-01
Fingerprint: FB4B E2CD 25AF 95E5 ADBB  DA28 379D 47DB 599E 0B1A

Sent via
Before you buy.


From: Mok-Kong Shen [EMAIL PROTECTED]
Crossposted-To: comp.compression
Subject: Re: Build your own one-on-one compressor
Date: Wed, 10 Nov 1999 22:22:52 +0100

Tim Tyler wrote:
 In sci.crypt Mok-Kong Shen [EMAIL PROTECTED] wrote:
 : As I said previously, for such numerical coding the compression is
 : already so good that one need not (at least in the first
 : experimental phase) consider the aspect of word freqeucies.
 I doubt this.  I expect non-dictionary words will typically bulk up the messages
 by a larger factor than they are compressed by, for (say) email messages.
 It may be possible to develop a scheme that (roughly) breaks even on the
 compression stakes - bu

Cryptography-Digest Digest #541

1999-05-13 Thread Digestifier

Cryptography-Digest Digest #541, Volume #9   Thu, 13 May 99 10:13:05 EDT

  Cryptography FAQ (05/10: Product Ciphers) ([EMAIL PROTECTED])

Crossposted-To: talk.politics.crypto,sci.answers,news.answers,talk.answers
Subject: Cryptography FAQ (05/10: Product Ciphers)
Date: 13 May 1999 13:28:51 GMT

Archive-name: cryptography-faq/part05
Last-modified: 94/06/07

This is the fifth of ten parts of the sci.crypt FAQ. The parts are
mostly independent, but you should read the first part before the rest.
We don't have the time to send out missing parts by mail, so don't ask.
Notes such as ``[KAH67]'' refer to the reference list in the last part.

The sections of this FAQ are available via anonymous FTP to 
as /pub/usenet/news.answers/cryptography-faq/part[xx]. The Cryptography 
FAQ is posted to the newsgroups sci.crypt, talk.politics.crypto, 
sci.answers, and news.answers every 21 days.


5.1. What is a product cipher?
5.2. What makes a product cipher secure?
5.3. What are some group-theoretic properties of product ciphers?
5.4. What can be proven about the security of a product cipher?
5.5. How are block ciphers used to encrypt data longer than the block size?
5.6. Can symmetric block ciphers be used for message authentication?
5.7. What exactly is DES?
5.8. What is triple DES?
5.9. What is differential cryptanalysis?
5.10. How was NSA involved in the design of DES?
5.11. Is DES available in software?
5.12. Is DES available in hardware?
5.13. Can DES be used to protect classified information?
5.14. What are ECB, CBC, CFB, OFB, and PCBC encryption?

5.1. What is a product cipher?

  A product cipher is a block cipher that iterates several weak
  operations such as substitution, transposition, modular
  addition/multiplication, and linear transformation. (A ``block
  cipher'' just means a cipher that encrypts a block of data---8 bytes,
  say---all at once, then goes on to the next block.) The notion of
  product ciphers is due to Shannon [SHA49]. Examples of modern
  product ciphers include LUCIFER [SOR84], DES [NBS77], SP-networks
  [KAM78], LOKI [BRO90], FEAL [SHI84], PES [LAI90], Khufu and Khafre
  [ME91a]. The so-called Feistel ciphers are a class of product
  ciphers which operate on one half of the ciphertext at each round,
  and then swap the ciphertext halves after each round. LUCIFER,
  DES, LOKI, and FEAL are examples of Feistel ciphers.

  The following table compares the main parameters of several product 

  cipher   |   block length   |   key bits   |   number of rounds
  LUCIFER  128   12816
  DES   645616
  LOKI  646416
  FEAL  64   1282^x, x = 5
  PES   64   128 8

5.2. What makes a product cipher secure?

  Nobody knows how to prove mathematically that a product cipher is
  completely secure. So in practice one begins by demonstrating that the
  cipher ``looks highly random''. For example, the cipher must be
  nonlinear, and it must produce ciphertext which functionally depends
  on every bit of the plaintext and the key. Meyer [MEY78] has shown
  that at least 5 rounds of DES are required to guarantee such a
  dependence. In this sense a product cipher should act as a ``mixing''
  function which combines the plaintext, key, and ciphertext in a
  complex nonlinear fashion.

  The fixed per-round substitutions of the product cipher are
  referred to as S-boxes. For example, LUCIFER has 2 S-boxes, and DES
  has 8 S-boxes. The nonlinearity of a product cipher reduces to a
  careful design of these S-boxes. A list of partial design criteria
  for the S-boxes of DES, which apply to S-boxes in general, may be
  found in Brown [BRO89] and Brickell et al. [BRI86].

5.3. What are some group-theoretic properties of product ciphers?

  Let E be a product cipher that maps N-bit blocks to N-bit blocks.
  Let E_K(X) be the encryption of X under key K. Then, for any fixed K,
  the map sending X to E_K(X) is a permutation of the set of N-bit
  blocks. Denote this permutation by P_K. The set of all N-bit
  permutations is called the symmetric group and is written S_{2^N}.
  The collection of all these permutations P_K, where K ranges over all
  possible keys, is denoted E(S_{2^N}). If E were a random mapping from
  plaintexts to ciphertexts then we would expect E(S_{2^N}) to generate
  a large subset of S_{2^N}.

  Coppersmith and Grossman [COP74] have shown that a very simple
  product cipher can generate the alternating group A_{2^N} given a
  sufficient number of rounds. (The alternating group is half of the
  symmetric group: it consists of all ``even'' permutations, i.e., all
  permutations which can be written as an even number