
There are two main goals in cryptography.

- Guaranteeing confidentiality of information: **ENCIPHERING**.
- Providing methods that make error detection and evidence of tampering possible: **AUTHENTICATION**.


Consequently, since cryptosystems are typically based on secret keys, the storing and distribution of these secret keys is a central part of cryptography.

Geometry fits into the development and study of cryptosystems in the following ways. As opposed to relying on unintelligible complexity or unproven assumptions, the cryptosystems based on geometric methods provide provably high levels of security that are simply realizable.

What follows is an introduction to basic notions and terms in cryptography. Once the basics have been established, a method for enciphering using a hyperplane of a d-dimensional projective space of order 2 will be introduced.

We have the following set-up.

A **sender** wants to send **data** to a **recipient** in such a way that confidentiality is ensured, and if this confidentiality is compromised, there must be a way of recognizing this. Enter cryptography.

We have essentially two distinct motives for intercepting the **data** sent.

- A third party, which will be called an attacker, wants only to read the **data**: **PASSIVE ATTACK**.
- A third party wants not only to read the **data**, but also to alter that **data**: **ACTIVE ATTACK**.

Protection from a **passive attack** can be attained using the method of **enciphering**. In order to talk about **enciphering** we must have a few terms. The **data** as it sits in the hands of the **sender** before it is sent under the protection of the encipherment will be referred to as **plaintext** (or **cleartext**). A **key** will be used to encipher the **plaintext**, which will then be sent as **ciphertext** (which may be referred to as the **message**). The **key** will be produced using an **algorithm**.

To realize the mechanism of **encipherment** we must make the following properties inherent in the parameters described above. Let f := **algorithm**, k := **key**, d := **data**, c := **ciphertext**. For each k there is an invertible function f_{k} which maps a plaintext d onto a ciphertext c = f_{k}(d). In other words:
In other words:

The **sender** computes
c = f_{k}(d) and the **recipient** computes f_{k}^{-1}(c) = f_{k}^{-1}(f_{k}(d)) = d.

We will think of the algorithm as having the following two properties.

- f^{-1} is easily computed and applied.
- Not knowing k makes it very difficult to reconstruct the d which corresponds to c.

An **active attack** requires that the **recipient** employ an **authentication code** to d = f_{k}^{-1}(f_{k}(d)). Typically this is done by applying a cryptographic algorithm f to d which verifies that there is in fact some cleartext mapped to d under f.

Clearly f must have the following properties.

- f is easily applicable.
- f must be such that it is difficult for an **active attacker** to create a message that will get past it.

This topic will be discussed in another section.

Security considerations, in regards to cryptography, are
based on the **principle of Kerckhoffs**, which says one must deal with the
possibility that the attacker knows the algorithm. The attacker must never know the key.

Security considerations, and therefore the construction of cryptosystems, must deal with the following three basic means of attack.

- The **known ciphertext attack**: the attacker knows only a set of **messages**.
- The **known plaintext attack**: the attacker knows a set of the **data** together with the corresponding **messages**.
- The **chosen plaintext attack**: the attacker has control over what **data**, together with its corresponding **ciphertext**, she gets.

From the above the importance of both enciphering and authentication becomes clear. One could consider both being used together as the optimal way to ensure both secrecy and certainty of messages transmitted over potentially public media.


What follows is a representation of how secrecy can be
attained and proven using projective geometry as a tool. Using the **first representation theorem**,
PG(*d*,2) will be constructed using GF(2^{d+1}) in such a way that the generation
of our **key** will be known to have the properties needed that ensure
optimal secrecy. In order to
accomplish this, the following concepts will be introduced: **stream ciphers** (**data**, **messages**,
and **keys** will be thought of as streams of 0s and 1s), the **one-time
pad** (a cryptosystem in which a given key is used only once), and **Singer
cycles** (if GF(2^{d+1})
is one we will be happy). Also the
concept of **perfect secrecy** will be defined.


**Data** d must be encoded as a binary string, i.e., d = d_{1}, d_{2}, d_{3}, . . . , where d_{i} is an element of {0,1}.

Our **key** k will also be a binary string, i.e., k = k_{1}, k_{2}, k_{3}, . . . , where k_{i} is an element of {0,1}; this will be called the **key-stream**.

The **data** d will be enciphered using the **one-time pad**.

Definition: **one-time pad.**

*Let d and k both be binary strings. The ciphertext c is*

c = (d_{1} + k_{1}, d_{2} + k_{2}, d_{3} + k_{3}, . . .) mod 2 = c_{1}, c_{2}, c_{3}, . . .

*Decryption is identical to encryption.*

c = c_{1}, c_{2}, c_{3}, . . . *implies* d = (c_{1} + k_{1}, c_{2} + k_{2}, c_{3} + k_{3}, . . .) mod 2.

*Remark.* Note that if the **key-stream** is random, then even if an attacker knows k_{1}, . . . , k_{n} the only way to get the next bit of the stream is to guess. This is essentially the concept of **perfect secrecy**.

Definition: **perfect secrecy**.

*The probability of obtaining k_{i} given either the corresponding d_{i} or the corresponding c_{i} is no better than obtaining k_{i} while not knowing either.*

Using the **one-time pad** and the **stream cipher** it is clear that the **key-stream** must be at least as long as the **data-stream**. This is in fact a theorem by C. Shannon.

Theorem: **Shannon's theorem**.

*In any perfect enciphering system the number of keys is at least as large as the number of the possible cleartexts.*

*Sketch Proof.* Observe that for each d and each c there must be at least one k that maps d onto c. If there were a d and a c that could not be mapped to each other by any key, an attacker, by observing c, knows that the corresponding cleartext is not d. This violates the definition of **perfect secrecy**.

Fix c. Since each possible cleartext can be mapped onto c by at least one key, the number of keys must be as large as the number of cleartexts. Otherwise there would be confusion as to whether c gets pulled back by f^{-1} to d or to a different cleartext d′.
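The definition of the one-time pad and the observation in the sketch proof above can be run directly. The following Python is an added example and not part of the original text: `one_time_pad` implements c_{i} = (d_{i} + k_{i}) mod 2 over strings of 0s and 1s, and `keys_mapping` enumerates every key of the right length that sends a given d to a given c (the step "for each d and each c there must be at least one k"). The function names and the sample strings are constructed for this example.

```python
# Added example (not from the original text): the one-time pad over bit
# strings, exactly as defined above, plus the key-counting observation used
# in the sketch proof of Shannon's theorem.

def parse_bits(s: str) -> list[int]:
    """Turn a string such as '0110' into a list of bits; reject anything else."""
    if not s or any(ch not in "01" for ch in s):
        raise ValueError("expected a non-empty string over {0,1}")
    return [int(ch) for ch in s]

def one_time_pad(d: str, k: str) -> str:
    """c_i = (d_i + k_i) mod 2.  Because addition mod 2 is its own inverse,
    calling this again with the ciphertext and the same key returns d.
    The key-stream must be at least as long as the data-stream; only the
    first len(d) key bits are consumed."""
    db, kb = parse_bits(d), parse_bits(k)
    if len(kb) < len(db):
        raise ValueError("key-stream shorter than data-stream")
    return "".join(str((x + y) % 2) for x, y in zip(db, kb))

def keys_mapping(d: str, c: str) -> list[str]:
    """All keys k with len(k) == len(d) such that f_k(d) == c.  Brute force
    over 2^n candidates, so only meant for the tiny n used here.  For the
    one-time pad exactly one key fits, which is the 'at least one k' of the
    proof with equality."""
    n = len(d)
    if len(c) != n:
        raise ValueError("d and c must have the same length")
    return [k for k in (format(i, f"0{n}b") for i in range(2 ** n))
            if one_time_pad(d, k) == c]

def xor_of_ciphertexts(d1: str, d2: str, k: str) -> str:
    """What an observer of two ciphertexts under the *same* key can compute:
    c1 + c2 mod 2.  The key cancels, leaving d1 + d2 mod 2, which is why the
    definition insists the key be used only once."""
    return one_time_pad(one_time_pad(d1, k), one_time_pad(d2, k))

if __name__ == "__main__":
    d, k = "1011", "0110"                      # constructed sample values
    c = one_time_pad(d, k)
    print("ciphertext:", c)                    # 1101
    print("decrypted :", one_time_pad(c, k))   # 1011, decryption = encryption
    print("keys d->c :", keys_mapping(d, c))   # ['0110']
    print("c1+c2     :", xor_of_ciphertexts("1011", "0001", k))  # 1010 = d1+d2
```

Every (d, c) pair of equal length is reachable by exactly one key, so the number of keys equals the number of cleartexts, which is the boundary case of Shannon's theorem.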

The focus here is on the use of the **one-time pad**
together with the **stream cipher**, and the goal is to attain **perfect
secrecy**. With this and the remark
from above in mind it is now time to consider the creation of the **key-stream**. The **key-stream**, in order to attain
optimal security, must be random.
However a truly random **key-stream** would have the following
disadvantages: it would be impossible for a machine to generate such a sequence
since the finiteness forces periodicity, and a truly random sequence would be
difficult to use to pull back c to
d.

In order to attain the security needed, and since k cannot be truly random, the concept of **pseudo-random** must be introduced. A **pseudo-random** sequence is a periodic sequence, which repeats forever, characterized by *n*, the smallest positive integer such that the sequence repeats after the *n*th position. Any periodic sequence is said to be **generated** by a **cycle** C of length *n*.

*Example. *The sequence 001101011001101011001101011 . . . is a sequence generated by the cycle (001101011). Notice that, since the sequence is repeated
forever, the cycle (011010110) also works; as does the cycle (101011001).

Now the issue of generating **key-streams** has been
reduced to the construction of **pseudo-random** sequences. In order to construct these sequences, the
postulates of Golomb will be needed.

(**G1**) *The numbers of 0s and 1s in the cycle differ by at most 1.*

To formulate the next postulate, the notions of **string** and **gap** must be introduced. A **string** is a sequence of 1s preceded and followed by 0s. A **gap** is a sequence of 0s preceded and followed by 1s.

*Example.* The
sequence C = 011101100101000 has one gap of length 2, and two strings of length
1.

(**G2**) *For each nonnegative integer i, the number of strings of length i and the number of gaps of length i differ by at most 1.*

For the final postulate, consider the idea of taking a **cycle** C and performing a left (cyclic) shift of all the elements by *a* positions. This shift will be denoted by C(*a*). Refer to the first example of a pseudo-random sequence, and note that this does not change the overall sequence. However, C and C(*a*) will differ term by term. Define the **out-of-phase autocorrelation** function by

AC(*a*) = (Agreements − Disagreements)/*n*

where the sequence of period *n* is being compared with the shifted sequence C(*a*). The **autocorrelation** is **out-of-phase** if *n* does not divide *a*.

(**G3**) The **out-of-phase autocorrelation** has the same value for all *a*.

The postulates of Golomb are essentially the best way we have to formalize the concept of randomness.
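The three postulates are mechanical checks on a cycle, and it is worth seeing them applied to the cycles on this page. The Python below is an added example, not code from the original text: runs are read cyclically (so the trailing 000 and leading 0 of the gap example form one gap of length 4, as the text's count implies), strings and gaps are tallied by length for (G2), and the autocorrelation is computed as an exact fraction for every shift for (G3). Function names are my own.

```python
# Added example (not from the original text): checking Golomb's postulates
# G1, G2, G3 on a cycle given as a string of 0s and 1s.
from collections import Counter
from fractions import Fraction

def parse_cycle(s: str) -> list[int]:
    """A cycle such as '011101100101000' as a list of bits."""
    if not s or any(ch not in "01" for ch in s):
        raise ValueError("expected a non-empty string over {0,1}")
    return [int(ch) for ch in s]

def cyclic_runs(s: str) -> list[tuple[int, int]]:
    """Maximal runs of equal bits, read cyclically, as (bit, length) pairs.
    Reading cyclically is what joins a trailing 000 and a leading 0 into one gap."""
    bits = parse_cycle(s)
    n = len(bits)
    start = next((i for i in range(n) if bits[i] != bits[i - 1]), None)
    if start is None:                       # constant cycle: a single run
        return [(bits[0], n)]
    rotated = bits[start:] + bits[:start]   # now begins at a run boundary
    runs: list[list[int]] = []
    for b in rotated:
        if runs and runs[-1][0] == b:
            runs[-1][1] += 1
        else:
            runs.append([b, 1])
    return [(b, length) for b, length in runs]

def strings_by_length(s: str) -> dict[int, int]:
    """How many strings (runs of 1s) of each length the cycle has."""
    return dict(Counter(length for b, length in cyclic_runs(s) if b == 1))

def gaps_by_length(s: str) -> dict[int, int]:
    """How many gaps (runs of 0s) of each length the cycle has."""
    return dict(Counter(length for b, length in cyclic_runs(s) if b == 0))

def g1(s: str) -> bool:
    """(G1): the numbers of 0s and 1s differ by at most 1."""
    bits = parse_cycle(s)
    return abs(bits.count(0) - bits.count(1)) <= 1

def g2(s: str) -> bool:
    """(G2): for each length i, #strings of length i and #gaps of length i differ by <= 1."""
    strings, gaps = strings_by_length(s), gaps_by_length(s)
    return all(abs(strings.get(i, 0) - gaps.get(i, 0)) <= 1
               for i in set(strings) | set(gaps))

def autocorrelation(s: str, a: int) -> Fraction:
    """AC(a) = (agreements - disagreements) / n between C and its left shift C(a)."""
    bits = parse_cycle(s)
    n = len(bits)
    shifted = bits[a % n:] + bits[:a % n]
    agree = sum(1 for x, y in zip(bits, shifted) if x == y)
    return Fraction(agree - (n - agree), n)

def g3(s: str) -> bool:
    """(G3): every out-of-phase autocorrelation (0 < a < n) has the same value."""
    n = len(s)
    return len({autocorrelation(s, a) for a in range(1, n)}) == 1

def golomb(s: str) -> dict[str, bool]:
    """All three postulates at once."""
    return {"G1": g1(s), "G2": g2(s), "G3": g3(s)}

if __name__ == "__main__":
    for cycle in ("011101100101000", "111011001010000"):   # cycles from the text
        print(cycle, strings_by_length(cycle), gaps_by_length(cycle),
              autocorrelation(cycle, 1), golomb(cycle))
```

On the gap example 011101100101000 the tallies are the ones the text states (two strings of length 1, one gap of length 2), and on the hyperplane incidence vector 111011001010000 from the example at the end of the page all three postulates hold, with every out-of-phase autocorrelation equal to −1/15.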

Now we know what to make our **pseudo-random** sequences
look like, but are there any methods for constructing them? As promised the properties of projective
spaces, focusing on the characteristics of hyperplanes within them, will be
used to construct such sequences. This
construction requires the concept of the **Singer cycle**.

Theorem: **Singer cycles.**

*Let* **P** = PG(*d*,2) *be a finite Desarguesian projective space of dimension d and order* 2. *Then* **P** *has a collineation group* **S**, *called the Singer cycle, with the following properties:*

- **S** *is a cyclic group.*
- **S** *is sharply transitive on the set of points (and on the set of hyperplanes) of* **P**.


*Proof.* By the **first representation theorem** we can represent **P** as P(V), where V is a (*d* + 1)-dimensional vector space over K = GF(2). Because the field F = GF(2^{d+1}) is a (*d* + 1)-dimensional vector space over K, we can choose V = F = GF(2^{d+1}). The points of **P** are the vectors different from zero, hence F^{*} = F \ {0}.

In order to make this work, F must be constructed as follows. Let x be a primitive element of the field GF(2^{d+1}). Then x is a root of an irreducible polynomial *f*(*y*) of degree *d* + 1 over GF(2). Let *f*(*y*) = *y*^{d+1} + *c*_{d}*y*^{d} + . . . +

The generating element of the Singer cycle is x. Define the mapping s(g) = x · g, where g is an element of F. Now we have s(0) = 0, and s is a permutation of F \ {0}. Since x is primitive, s generates a cyclic group

**S** = {1, x, x^{2}, . . . } of order 2^{d+1} − 1. Since x

By construction, s is a bijection of the set of points of **P** onto itself. It must be shown that s maps triples of collinear points onto triples of collinear points. Let u, v, and w be distinct elements of F^{*} such that the corresponding points of **P** are collinear. Then u + v = w. So we have s(u) + s(v) = x · u + x · v = x · (u + v) = x · w = s(w).

Therefore s is a collineation of **P**. Also by construction, the powers of s successively map the points of **P** onto each other.

Q.E.D.

If the points of **P** are labeled by the integers 1, 2, . . . , *v*, such that the map s corresponds directly to the generating element of the **Singer cycle**, then the following theorem provides a method for constructing a **pseudo-random** sequence that can be used as our **key-stream**.

Theorem: **C from a hyperplane**.

*Let* C = (*a*_{1}, *a*_{2}, . . . , *a*_{v}) *be the incidence vector of a hyperplane* **H** *of* **P**, *so that a_{i} = 1 if point i lies in* **H** *and a_{i} = 0 otherwise. Then the sequence generated by the cycle* C *satisfies the postulates* (**G1**), (**G2**) *and* (**G3**).

*Sketch Proof.* The number y of 1s in C is equal to the number of points in **H**; therefore

y = 1 + 2 + 4 + . . . + 2^{d−1} = 2^{d} − 1.

The number z of 0s in C is equal to the number of points not in **H**; therefore

z = *v* − y = 2^{d+1} − 1 − (2^{d} − 1) = 2^{d}.

Thus z − y = 1, and (**G1**) holds.

*Claim 1: The incidence vector* C *of* **H** *has one string of length d and 2^{i} strings of length d − 1 − i (i = 0, 1, . . . , d − 2).*

*Claim 2: The incidence vector* C *of* **H** *has one gap of length d + 1 and 2^{i} gaps of length d − 1 − i (i = 0, 1, . . . , d − 2).*

Thus, given these claims are true, it is easy to see that (**G2**) is satisfied.

In order to show (**G3**) we must show the **out-of-phase autocorrelation** is constant. This will be done using the fact that s is a collineation of **P**. This means that C and C(*a*) are both incidence vectors of hyperplanes: C is the incidence vector of **H**, and C(*a*) is the incidence vector of **H**′ = s^{a}(**H**).

(**G3**) easily follows. Let A be the number of positions in which C and C(*a*) coincide, i.e., A = the number of common 1s plus the number of common 0s; which is equivalent to saying: the number of points that lie on both **H** and **H**′ plus the number of points that are not on either **H** or **H**′. Observe:

A = (2^{d−1} − 1) + 2^{d−1} = 2^{d} − 1

We also have

D (the number of terms of C and C(*a*) that disagree) = *v* − A = 2^{d+1} − 1 − (2^{d} − 1) = 2^{d}.

Given the above, the **out-of-phase autocorrelation** is given by (A − D)/*v* = −1/(2^{d+1} − 1). Therefore (**G3**) is satisfied.

(sort of) Q.E.D.

An example will make this theorem more clear. The skeleton proof of the theorem was needed in order to establish the fact that *Claim 1* and *Claim 2* establish (**G2**). This will be crucial for the example.

*Example.* Make PG(3,2) from GF(2^{4}). (Recall PG(*d*,2) is coordinatized by V = F = GF(2^{d+1}).) Let *f*(*y*) = *y*^{4} + *y* + 1, a primitive polynomial, irreducible over GF(2). Let x be a root of the polynomial, hence *f*(x) = 0.

Thus x^{4} = x + 1, and the successive powers of x will determine the elements of PG(3,2). Each power of x will correspond to some polynomial of the form *a*_{3}x^{3} + *a*_{2}x^{2} + *a*_{1}x + *a*_{0}, where *a*_{i} is an element of GF(2), written below as the bit string *a*_{3}*a*_{2}*a*_{1}*a*_{0}. Thus we have:

- x^{0} = 1, *a*_{1}: 0001
- x^{1} = x, *a*_{2}: 0010
- x^{2} = x^{2}, *a*_{3}: 0100
- x^{3} = x^{3}, *a*_{4}: 1000
- x^{4} = x + 1, *a*_{5}: 0011
- x^{5} = x^{2} + x, *a*_{6}: 0110
- x^{6} = x^{3} + x^{2}, *a*_{7}: 1100
- x^{7} = x^{3} + x + 1, *a*_{8}: 1011
- x^{8} = x^{2} + 1, *a*_{9}: 0101
- x^{9} = x^{3} + x, *a*_{10}: 1010
- x^{10} = x^{2} + x + 1, *a*_{11}: 0111
- x^{11} = x^{3} + x^{2} + x, *a*_{12}: 1110
- x^{12} = x^{3} + x^{2} + x + 1, *a*_{13}: 1111
- x^{13} = x^{3} + x^{2} + 1, *a*_{14}: 1101
- x^{14} = x^{3} + 1, *a*_{15}: 1001
- x^{15} = 1

We have 2^{4} − 1 elements different from zero.

Now let **H** = < 0001, 0010, 0011, 0100 >, and let C = (*a*_{1}, *a*_{2}, . . . , *a*_{v}) be the incidence vector of **H**.

So by inspecting the *a*_{i}s, it is possible to determine what C will be for the hyperplane **H**.

Here we have C = (111011001010000). Verify that, in accordance with *Claim 1* from the last theorem, there is 1 string of length 3, there are 2 strings of length 1, and there is 1 string of length 2. Also verify that, in accordance with *Claim 2* of the above theorem, there is 1 gap of length 4, there are 2 gaps of length 1, and there is 1 gap of length 2. These claims establish (**G2**); (**G3**) and (**G1**) were established in the theorem.
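The construction in the example is short enough to carry out in code, and doing so checks both the power table and the incidence vector. The Python below is an added example, not the page's own code: field elements of GF(2^{d+1}) are ints whose bits are the coefficients *a*_{d} . . . *a*_{0}, the Singer map s(g) = x · g is a left shift reduced by the primitive polynomial, and a hyperplane is given by a linear functional h (for **H** = < 0001, 0010, 0011, 0100 >, the hyperplane *a*_{3} = 0, the functional is h = 1000). It generalizes the text's PG(3,2) case to any primitive polynomial, and also exhibits the fact used for (G3): the left shift C(*a*) is again the incidence vector of a hyperplane. Names such as `singer_cycle` and `shifted_hyperplane` are my own.

```python
# Added example (not from the original text): PG(d,2) from GF(2^{d+1}),
# the Singer cycle as successive powers of x, and the incidence vector C of
# a hyperplane, which is the seed of the pseudo-random key-stream.
from typing import Optional

def times_x(g: int, poly: int, deg: int) -> int:
    """The Singer map s(g) = x * g in GF(2)[y]/(poly): shift the coefficient
    vector left by one place and reduce by poly when the degree reaches deg."""
    g <<= 1
    if (g >> deg) & 1:
        g ^= poly
    return g

def singer_cycle(poly: int, deg: int) -> list[int]:
    """x^0, x^1, ..., x^(2^deg - 2) as ints (bit j = coefficient of x^j).
    This is the ordering of the points of PG(deg-1, 2) used in the text.
    Raises ValueError when x does not generate all of F*, i.e. poly is not
    primitive, since then the 'cycle' would not visit every point."""
    powers, g = [], 1
    for _ in range(2 ** deg - 1):
        powers.append(g)
        g = times_x(g, poly, deg)
    if g != 1 or len(set(powers)) != len(powers):
        raise ValueError("x is not primitive for this polynomial")
    return powers

def power_table(poly: int, deg: int) -> list[str]:
    """The table from the example: each power of x as a bit string a_{deg-1}..a_0."""
    return [f"x^{i} = {p:0{deg}b}" for i, p in enumerate(singer_cycle(poly, deg))]

def in_hyperplane(point: int, h: int) -> bool:
    """Hyperplane H_h = {v : <h, v> = sum_j h_j v_j mod 2 = 0}."""
    return bin(point & h).count("1") % 2 == 0

def incidence_vector(points: list[int], h: int) -> str:
    """C = (a_1, ..., a_v) with a_i = 1 exactly when point i lies on H_h."""
    return "".join("1" if in_hyperplane(p, h) else "0" for p in points)

def shifted_hyperplane(points: list[int], h: int, a: int, deg: int) -> Optional[int]:
    """The left shift C(a) of the incidence vector of H_h is the incidence
    vector of another hyperplane (the image of H_h under a power of s).
    Return that hyperplane's functional, or None if no such hyperplane exists."""
    c = incidence_vector(points, h)
    n = len(c)
    target = c[a % n:] + c[:a % n]
    for h2 in range(1, 2 ** deg):
        if incidence_vector(points, h2) == target:
            return h2
    return None

def key_stream(seed: str, length: int) -> str:
    """Extend the cycle C to a key-stream of the requested length."""
    return (seed * (length // len(seed) + 1))[:length]

if __name__ == "__main__":
    POLY, DEG = 0b10011, 4          # f(y) = y^4 + y + 1, the example's polynomial
    pts = singer_cycle(POLY, DEG)
    print("\n".join(power_table(POLY, DEG)))
    C = incidence_vector(pts, 0b1000)           # H: a_3 = 0
    print("C    =", C)                          # 111011001010000
    print("C(1) =", C[1:] + C[:1], "is hyperplane", bin(shifted_hyperplane(pts, 0b1000, 1, DEG)))
    print("key-stream:", key_stream(C, 40))
```

Running it prints the same fifteen bit strings as the table above and C = 111011001010000, and the shifted cycle C(1) is found to be the incidence vector of a different hyperplane, which is exactly why the out-of-phase autocorrelation in the theorem is the same for every shift. Passing a non-primitive polynomial such as *y*^{4} + *y*^{3} + *y*^{2} + *y* + 1 raises an error, because x then has order 5 and the powers of x do not cover all fifteen points.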

In summary, in order to create a **key-stream** that looks random (but is actually **pseudo-random**) we must satisfy the postulates of Golomb. This can be done by constructing PG(*d*,2) from a vector space over GF(2^{d+1}), using the **Singer cycle** to create and order the elements of PG(*d*,2). C, the seed for the **pseudo-random** sequence, is the incidence vector of a hyperplane in **P**. Clearly the longer the seed for the sequence, the better the security. Therefore the security is in some sense a function of the dimension of our projective space, since the order is fixed at 2.