We now turn to the study of small differences in the link, given a fixed plaintext block. Figure 12 follows the format of figure 9. Here, however, a pair of encryptions is performed in which one member of the pair is initialized with a given link, and the other member of the pair is initialized with a link which differs from the given link in one and only one position. The all-0 plaintext is used in both encryptions. Note that differences in the link rapidly invade all of both the link and the block information.
One possible strategy of attack on CA-1.0 would be to concentrate first on discovering the link key, in the hope of subsequently mounting a known-link-key attack on the block key. It is not possible to use chosen-plaintext methods on the encryption of the link. The ``plaintext" is the set of random link bits generated within the encryption apparatus to begin encryption of the block. These bits are considered to be physically secure, no more open to inspection by the cryptanalyst than the bits of the secret key. Indeed, these bits may have a higher level of security than the key itself since even the legitimate users of the system do not have access to the link bits. Hence known-link-plaintext attacks are ruled out as well. Then there is the possibility of choosing block plaintext or ciphertext, and attempting to infer the operations in the link area from their effect on the block area. Again, the link operations are unaffected by changes in the block area, indeed, the link operations would be carried out in exactly the same way were there no block encryption to drive. The cryptanalyst wishing to effectively manipulate the link is left with inventing strategies for choosing link ciphertext.
Choosing link ciphertext is a very difficult way to acquire knowledge about the link key. The transformation which carries the link information from input to output of each subround is a permutation on 320-bit items. This permutation is the composition of two permutations, one determined by the block key, the other by the link key. In the properly functioning cryptosystem the inputs are chosen randomly, hence the outputs, the link ciphertexts, are random as well.
To see this, consider first the transformation on the link performed during the inverse iteration of the link-key determined toggle rule. This is obviously a permutation since it is deterministic and 1-1 onto. All 320-bit string in the domain of this transformation are possible by hypothesis. These are simply the 320-bit strings that are randomly generated to initialize encryption. The 320 bits include the 128-bit block and the 192-bit link for link encryption. The output of the link encryption is another 320-bit string. The process is deterministic so there is one and only one output for each input. So, to prove that the transformation is a permutation, we must show that there is an input for each possible output. To do so, we explicitly construct the input that is the preimage of an arbitrary output.
Let c be an arbitrary but definite
link-encryption ciphertext. The following algorithm
constructs the link input that enciphers to c under the link-key determined toggle rule
.
Here, without loss
of generality, 
is assumed to be left-toggle.
Sites in the ciphertext are numbered from right to left, beginning
at 0. n iterations of 
are used
in the subround.
1) Produce a ciphertext 
by encrypting an arbitrary link-block
and link-link using 
. Set i to 1.
2) Find the rightmost site j at which 
differs from c.
If there are no differences, stop.
3) Flip the bit at position j in 
, as well as all the bits which
are directly determined by this bit under forward iteration of the
rule. These bits are found at position
j-((n-h)*
) at the h-th iteration forward, where 
is the radius
of the rule 
.
4) Starting with the last position in which a
change was produced in step 3), propagate this changes leftward
using the rule 
applied in the inverse direction.
Continue inverse iterating until have produce a new n-iteration
ciphertext. This new ciphertext agrees with the target ciphertext
at all positions up to and including j. Increment i.
5) Return to step 2.
In essence, this algorithm works since in inverse iteration of a toggle rule changes propagate only in one direction, in this case, to the left. This means that once a bit to the right has been properly set, and the influence of all resulting changes taken into account, the bit never needs to be revisited.
By iterating the same argument on the encryption with the block key, we have the desired result that the transformation from input link to output link via the composition of link encryption and block encryption is a permutation. By hypothesis the statistics on the input are uniform, so the output statistics are as well.
By the same reasoning and for fixed link input,
block encryption is also a permutation, but on 384-bit objects.
The inputs are the block plaintexts and the outputs are the block ciphertexts.
Moreover, for fixed link input, non-uniform distributions on the input plaintexts
will be reflected in non-uniform distributions on the output ciphertexts. Cryptanalysts
could produce such non-uniformities by choosing block plaintext. Still, these
non-uniformities will not be seen in practice since they are averaged
over all possible initial links. The number of possible initial links
(
) is too large to permit significant non-uniformities to be
survive in the average.