
IEEE TRANSACTIONS ON COMPUTERS, VOL. c-28, NO. 10, OCTOBER 1979


Structured Design of Substitution-Permutation Encryption Networks

JOHN B. KAM AND GEORGE I. DAVIDA, SENIOR MEMBER, IEEE

Abstract: In attempting to solve the problems of data security, researchers and practitioners are placing increasing emphasis on encryption. An important class of encryption schemes is that of substitution-permutation (SP) encryption networks. A variant of the SP network has been chosen by the National Bureau of Standards as the data encryption standard. In this paper, we introduce the concept of completeness, which captures the intuitive notion of complexity of SP networks. The completeness property is examined and a technique for designing complete SP networks is demonstrated.

Index Terms: Complete SP networks, data encryption standard, data security, encryption, substitution-permutation (SP) networks.

I. INTRODUCTION

THE ADVENT of large data bases and computer networks has led to increased interest in the area of data security in general and the field of cryptography in particular [2]-[6], [9]-[13].

Manuscript received March 13, 1978; revised December 6, 1978 and May 21, 1979. The research was supported in part by the National Science Foundation under Grant MCS77-02156. Portions of the paper are reprinted from Foundations of Secure Computations, edited by DeMillo, Dobkin, Jones and Lipton, with the permission of Academic Press.

J. B. Kam is with the Department of Electrical Engineering and Computer Science, Columbia University, New York, NY 10027.

G. I. Davida is with the Department of Electrical Engineering and Computer Science, University of Wisconsin, Milwaukee, WI 53201.

Recently, a variant of the substitution-permutation (SP) encryption scheme developed by IBM [5] was adopted by NBS as the data encryption standard (DES). However, the DES is considered weak by several computer scientists, including Hellman [3], [10]. One of the main arguments against DES is the smallness of the key size.

We present a method for designing SP networks which will ensure that the designed networks may be arbitrarily large and possess certain desirable properties that add more insight to the design of secure encryption devices.

II. BACKGROUND AND DEFINITIONS

The model we will use for SP networks is essentially the same as that described by Feistel [6]. In general, each SP network has three parameters:

1) $n \equiv$ the number of input (output) bits of the SP network;

2) $k \equiv$ the number of input (output) bits for each substitution box;

3) $g \equiv$ the number of substitution-permutation stages.

Fig. 1 illustrates an SP network where n = 9, k = 3, g = 3.

0018-9340/79/1000-0747$00.75 © 1979 IEEE


Fig. 1. A sample SP network; the ciphertext output is $(c_1 c_2 c_3 c_4 c_5 c_6 c_7 c_8 c_9)$.

In general, each substitution box (S-box) $S_{ij}$ is a logical circuit that implements a one-one correspondence $f: \{0,1\}^k \to \{0,1\}^k$, and different $S_{ij}$'s may implement different one-one correspondence functions. It is obvious that each SP network is itself a one-one correspondence function $F: \{0,1\}^n \to \{0,1\}^n$.

In actual applications, we have to guard against the possibility that the internal structures of all S-boxes and the permutation may become known to cryptanalysts. To insure security in such situations, we may modify the design of the encryption network by having two S-boxes for each $S_{ij}$ and by including a key register which has as many bits as the number of $S_{ij}$'s in the network. To encrypt a message, the user enters the key into the key register, so that one of the two S-boxes is selected for each $S_{ij}$ according to the value of the corresponding key bit. Fig. 2 illustrates an SP network with the modification and key register incorporated.

It has been argued that this class of encryption schemes is susceptible to attack using exhaustive search of the key space when the key size is small [3]. One obvious remedy to this potential weakness is to enlarge the key size by increasing the number of S-boxes.

In this paper, we present a design scheme for constructing arbitrarily large SP networks which will always satisfy some desirable properties for all possible key values.

Fig. 2. A sample SP network with a choice of two S-boxes for each $S_{ij}$.

The following notation is useful in describing the networks:

Encryption Key: $K = k_1, \ldots, k_m$, where $m = g \times (n/k)$.
Plaintext: $P = p_1, \ldots, p_n$.
Encrypted Output: $C = c_1, \ldots, c_n$.

For brevity, the encrypted output of an SP network will be denoted by $C = SP(P)$, where $P$ is the input.

III. DESIGN CRITERIA

Following common practice, we may evaluate the strength of an SP network by its robustness against known-plaintext cryptanalytic attacks. The strength of the network is measured by the difficulty in determining the key used, assuming

1) the internal structure of the SP network is known to the cryptanalyst and

2) the cryptanalyst has obtained some plaintext-ciphertext pairs, with all cryptograms obtained from the corresponding plaintexts using the same key.

That is, it should be difficult to determine the key directly from plaintext-ciphertext pairs even with the knowledge of the internal structure of the SP network.

To guard against the known-plaintext cryptanalytic attack, we can see intuitively that the following property is desirable for SP networks:

For every possible key value, every output bit $c_i$ of the SP network depends on all input bits $p_1, \ldots, p_n$ and not just a proper subset of the input bits.


KAM AND DAVIDA: SUBSTITUTION-PERMUTATION ENCRYPTION NETWORKS

Fig. 3. An S-box, with its $k$ input bits and its $k$ output bits each labeled 1 through $k$.

The following are some arguments indicating why the above property is advantageous. Let us suppose that an SP network does not satisfy the property and, for some value of the key, some output bit $c_j$ depends only on a few input bits. By observing a significant number of plaintext-ciphertext pairs, the cryptanalyst may be able to detect the relation between $c_j$ and the corresponding small subset of input bits. The cryptanalyst may subsequently use this information to facilitate the identification of the key value. However, if a network satisfies the above property, it becomes hard to identify the relation between a particular output bit $c_j$ and the input bits, because $c_j$ depends on all of them.

We next define a formal property of one-one functions which captures the intuitive notion of total dependency as described in the property above.

Definition: Given a one-one correspondence $f: \{0,1\}^n \to \{0,1\}^n$, $f$ is said to be complete if, for every $i, j \in \{1, \ldots, n\}$, there exist two $n$-bit vectors $X_1, X_2$ such that $X_1$ and $X_2$ differ only in the $i$th bit and $f(X_1)$ differs from $f(X_2)$ at least in the $j$th bit.

Definition: A substitution box $S$ is said to be complete if the function implemented by $S$ is complete. Similarly, an SP network is said to be complete if the function implemented by the network is complete for all key values.

IV. AN ALGORITHM FOR CONSTRUCTING COMPLETE SP NETWORKS

In this section, we will present a scheme for efficient implementation of arbitrarily large complete SP networks. In order to minimize unnecessary details in the presentation and proofs, we are going to show only the case for one particular key value. In this case each $S_{ij}$ corresponds to the S-box chosen by the particular key bit.

Fig. 4. Bit correspondence between stage $j$ and stage $j + 1$.

Fig. 5. An output from COMP, $n = 3^3 = 27$.

The input (output) bits of a single S-box are labeled from 1 through $k$, as shown in Fig. 3.

For each stage $j$, the output bits of that stage are grouped into partitions of $k^j$ bits. Similarly, the input bits of stage $j + 1$ are grouped into partitions of $k^{j+1}$ bits. In the algorithm to follow, connection is made between $k$ partitions of stage $j$ and the corresponding partition of stage $j + 1$, as in Fig. 4.

We next present an algorithm for constructing a complete SP network assuming all the S-boxes are complete. For the case $k = 3$, $g = 3$, see Fig. 5.

Algorithm COMP

Purpose: To construct an $n$-bit complete SP network using $k$-bit complete substitution boxes, where $n$ is of the form $k^g$, with $k \ge 3$ and $g \ge 1$.

Input: $g$ stages of complete S-boxes, where the stages are labeled 1 through $g$ and every stage has $k^{g-1}$ S-boxes.

Output: A complete $n$-bit SP network.

Comments: In the first stage each partition has only one S-box. In subsequent stages the number of S-boxes in each partition is as follows: let $P_j$ = number of S-boxes in each partition of stage $j$; then $P_{j+1} = k \cdot P_j$.

FOR STAGE $j := 1$ TO $g - 1$ DO
    FOR Partition $i := 1$ TO $n/k^j$ STEP $k$ DO
        Connect the output bits of partitions $i$ through $i + k - 1$ of stage $j$ to the input bits of partition $\lceil i/k \rceil$ of stage $j + 1$ as follows:
            connect the output bits of partition $i$ of stage $j$ to input bit 1 of each box in partition $\lceil i/k \rceil$ of stage $j + 1$. Similarly, connect the output bits of partition $i + q - 1$ of stage $j$ to input bit $q$ of each box in partition $\lceil i/k \rceil$ of stage $j + 1$, where $1 \le q \le k$.
    END
END

For each stage $j$, and for each partition $i$, where $1 \le i \le n/k^j$, we define

$\mathrm{AFFECT}[j, i] = \{S_{1,\,k^{j-1}(i-1)+1}, \ldots, S_{1,\,k^{j-1} \cdot i}\}.$

Intuitively, each output bit of partition $i$ of stage $j$ depends on all and only those input bits of those S-boxes of $\mathrm{AFFECT}[j, i]$ in stage 1 (see Fig. 6).

Lemma 1: The value of each output bit $x$ of partition $i$ of stage $j$ is independent of the values of the inputs to stage 1 which are not in $\mathrm{AFFECT}[j, i]$.

Proof: By induction on the number of stages.

Lemma 2: For every input bit $x$ of partition $i$ of stage $j$, there exist $2^{k^j - 1}$ $k^j$-bit vectors that can be used to initialize the $k^j$ input bits of $\mathrm{AFFECT}[j, i]$ such that $x = 1$ regardless of the values of the rest of the input bits. Similarly, this is true for $x = 0$.

Proof: It follows from the fact that for every one-one correspondence $f: \{0,1\}^Z \to \{0,1\}^Z$ and for each $j$ there are exactly $2^Z/2$ $Z$-bit vectors $V$ such that bit $j$ of $f(V)$ is equal to 1.

Theorem 1: Let SP be a network such that each $S_{ij}$ consists of two complete S-boxes. If the connection is performed according to algorithm COMP, then for any key value, the function implemented is complete.

Proof: Given a particular value of the key, we shall prove by induction on the number of stages $j$ that, for any output bit $x$ of partition $i$ of stage $j$ and for every bit $y$ of $\mathrm{AFFECT}[j, i]$, there exist at least two $k^j$-bit vectors differing only at bit $y$ such that when the input bits of $\mathrm{AFFECT}[j, i]$ are initialized by these vectors, then the corresponding values of the output bit $x$ differ regardless of the values of the input bits outside of $\mathrm{AFFECT}[j, i]$.

Basis ($j = 1$): the claim is true because each S-box is assumed to be complete.

Fig. 6. (Labels legible in the figure: Stage 1, Stage $j-1$, Stage $j$, $\mathrm{AFFECT}[j, i]$, $\mathrm{AFFECT}[j-1, k(i-1)+1]$, $\mathrm{AFFECT}[j-1, k(i-1)+q]$, $\mathrm{AFFECT}[j-1, k \cdot i]$, S-box.)

Induction Step ($j > 1$): Let $x$ be an arbitrary output bit of partition $i$ of stage $j$ and let $y$ be an arbitrary input bit of $\mathrm{AFFECT}[j, i]$. Now, $y$ is in one and only one of $\mathrm{AFFECT}[j-1, k(i-1)+1], \ldots, \mathrm{AFFECT}[j-1, i \cdot k]$. Assume that $y$ is in $\mathrm{AFFECT}[j-1, k(i-1)+q]$ (see Fig. 6).

According to algorithm COMP, the $q$th input bit of the S-box in stage $j$ containing $x$ is connected to an output bit $z_q$ of the partition $k(i-1)+q$ of stage $j-1$ (see Fig. 6).

Since the S-box containing the output bit $x$ is complete, there exist two $k$-bit vectors $V_1 = (v_1, v_2, \ldots, v_q, \ldots, v_k)$, $V_2 = (v_1, v_2, \ldots, \bar v_q, \ldots, v_k)$ such that the output $x$ takes on the values 1 and 0 when the input of the S-box containing $x$ is initialized by $V_1$ and $V_2$, respectively.

By Lemma 2, for each $z_r$, where $r \ne q$, there exists at least one $k^{j-1}$-bit vector $W_r$ to initialize $\mathrm{AFFECT}[j-1, k(i-1)+r]$ such that $z_r$ will have the value $v_r$. Furthermore, by the inductive hypothesis, there exist at least two $k^{j-1}$-bit vectors $W_q, W'_q$ which may be used to initialize $\mathrm{AFFECT}[j-1, k(i-1)+q]$ such that the two vectors differ only at input bit $y$, and the output bit $z_q$ has the value 0 and 1, respectively. Hence, $W_1 W_2 \cdots W_q \cdots W_k$ and $W_1 W_2 \cdots W'_q \cdots W_k$ are the two vectors which can be used to initialize $\mathrm{AFFECT}[j, i]$ such that they differ only at input bit $y$ and the output bit $x$ of partition $i$ of stage $j$ has the value 0 and 1, respectively. Finally, $\mathrm{AFFECT}[g, i]$ encompasses all input bits at stage 1.

The above proof holds for any key value since Algorithm COMP is independent of the value of the key, and all S-boxes are complete. Hence, the theorem follows. $\square$


Definition: Two $n$-bit vectors are said to be $i$-different if they differ only at bit $i$.

Definition: Let $f$ be a one-one correspondence mapping $\{0,1\}^n \to \{0,1\}^n$. We define $Q_{ij}$ of $f$ to be the set of pairs of vectors

$Q_{ij} = \{(V, V') \mid (V \text{ and } V' \text{ are } i\text{-different}) \wedge (f(V) \text{ and } f(V') \text{ differ in at least bit } j)\}.$

We also define the multiplicity of $f$ to be the integer $M$,

$M = \min_{1 \le i, j \le n} |Q_{ij}|.$

Algorithm COMP is good in the following sense. If the multiplicity of the individual S-box is high, then the resulting SP network also has a very high multiplicity.

Theorem 2: Let $E$ be an $n$-bit SP network constructed by the Algorithm COMP, where $n = k^g$. If the multiplicity of each S-box in $S_{ij}$ is greater than or equal to $M$ for all $i$ and $j$, then the one-one correspondence $f: \{0,1\}^n \to \{0,1\}^n$ achieved by $E$, for any key value, has multiplicity

$M_g \ge M \prod_{i=0}^{g-1} 2^{(k^i - 1)(k - 1)} = M \cdot 2^{\,k^g - (k-1)(g-1) - k}.$

Proof: We need to prove by induction on the number of stages $j$ that for each output bit $x$ in partition $i$ of stage $j$ and for each input bit $y$ of $\mathrm{AFFECT}[j, i]$, there is a set $Q$ of at least

$M \prod_{i=0}^{j-1} 2^{(k^i - 1)(k - 1)}$

pairs of $y$-different $k^j$-bit vectors such that if $\mathrm{AFFECT}[j, i]$ is initialized by any pair $(V, V') \in Q$, the output bit $x$ will have distinct values for the two cases.

Basis ($j = 1$):

$M \prod_{i=0}^{0} 2^{(k^i - 1)(k - 1)} = M.$

Hence, the basis follows directly from the assumption that each S-box has multiplicity $M$.

Induction Step ($j > 1$): Let us assume $y$ is in $\mathrm{AFFECT}[j-1, k(i-1)+q]$ and the inputs to the S-box containing the output bit $x$ of stage $j$ are connected to the output bits $z_r$ of the partitions $k(i-1)+r$ of stage $j-1$, where $1 \le r \le k$ (see Fig. 6). By assumption, the S-box containing $x$ has multiplicity $\ge M$. Select one such pair of vectors $(v_1\, v_2 \cdots v_q \cdots v_k)$, $(v_1\, v_2 \cdots \bar v_q \cdots v_k)$ which differ only in bit $q$. Then the corresponding output bit $x$ will differ. By Lemma 2, there are $2^{k^{j-1} - 1}$ vectors that may be used to initialize each $\mathrm{AFFECT}[j-1, k(i-1)+r]$, where $1 \le r \le k$ and $r \ne q$, such that the output bit $z_r$ has the value $v_r$. By the induction hypothesis, there are at least

$M \prod_{i=0}^{j-2} 2^{(k^i - 1)(k - 1)}$

pairs of vectors which can be used to initialize $\mathrm{AFFECT}[j-1, k(i-1)+q]$ such that $z_q$ has the value 0, 1 for each pair.

Hence, the total number of pairs is at least

$M \prod_{i=0}^{j-1} 2^{(k^i - 1)(k - 1)}. \qquad \square$

Fig. 7. The three pairs for the case $k = 3$ (vectors legible in the figure: 000, 111, 011, 010).

To ensure that the design is meaningful, we will show that there exist many complete one-one functions $f: \{0,1\}^k \to \{0,1\}^k$ for each value $k \ge 3$. We shall present a scheme for constructing many complete functions for each value of $k$. It should be noted that this scheme is by no means exhaustive.

Theorem 3: For each $k \ge 3$, there exist many one-one functions $f: \{0,1\}^k \to \{0,1\}^k$ which are complete.

Proof: For each $k \ge 3$, the $2^k$ binary $k$-bit vectors can be partitioned into $2^{k-1}$ pairs of $k$-bit vectors of the form $Y = \{(Y_i, Y'_i) \mid 1 \le i \le 2^{k-1}\}$, where the vector $Y'_i$ is the complement of $Y_i$. On the other hand, we are going to show that we can use the $2^k$ distinct vectors to construct many sets of $k$ pairs of $k$-vectors of the form

$V = \{(V_j, V'_j) \mid (1 \le j \le k) \wedge (V_j \text{ and } V'_j \text{ are } j\text{-different})\}.$

For each set $V$, a complete one-one function $f$ can easily be constructed by defining a one-one correspondence $f$ with the property that

$(\forall\, 1 \le j \le k)\quad f(V_j) = Y_j \text{ and } f(V'_j) = Y'_j, \text{ where } (V_j, V'_j) \in V \text{ and } (Y_j, Y'_j) \in Y.$

It should be noted that there are $2^{k-1}$ distinct pairs of $k$-bit vectors that are complements of each other. Hence, there are many ways of defining a one-one correspondence once the particular set $\{(V_j, V'_j) \mid V_j \text{ and } V'_j \text{ are } j\text{-different},\ 1 \le j \le k\}$ has been chosen.

Basis ($k = 3$): A set of 3 pairs may be chosen as shown in Fig. 7. Other sets may be chosen similarly.

Induction Step ($k = r + 1$): We may partition the $2^{r+1}$ $(r+1)$-vectors into 2 groups $G_0$ and $G_1$, where

$G_0 = \{X \mid X \text{ is an } (r+1)\text{-vector with the } (r+1)\text{st bit being } 0\},$

$G_1 = \{Y \mid Y \text{ is an } (r+1)\text{-vector with the } (r+1)\text{st bit being } 1\}.$

By the induction hypothesis, we can find $2r$ distinct vectors from $G_0$ to form

$V_r = \{(V_j, V'_j) \mid (1 \le j \le r) \wedge (V_j \text{ and } V'_j \text{ are } j\text{-different})\}.$

Since $G_0$ has $2^{r+1}/2$ vectors and $V_r$ may be formed by using only $2r$ vectors, there must be a vector $X \in G_0$ which is not one of the $2r$ vectors used above when $r \ge 3$. (Again, there are many possible choices for $X$.) Hence, $V_{r+1} = V_r \cup \{(X, X')\}$, where $X' \in G_1$ is $(r+1)$-different from $X$, forms a $V$ needed for the case $k = r + 1$. $\square$
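The completeness definition of Section III, Algorithm COMP, the multiplicity bound of Theorem 2 and the S-box construction of Theorem 3 can all be exercised on one small instance. The Python below is an added example, not code from the paper: it builds complete 3-bit S-boxes by the Theorem 3 construction, wires them with COMP for $k = 3$, $g = 2$ ($n = 9$), and checks Theorem 1 and the Theorem 2 bound exhaustively. The particular choice of $j$-different input pairs, the in-order assignment of a partition's output bits to the boxes of the next partition, and the seed are our assumptions.

```python
"""Algorithm COMP, completeness, multiplicity and the Theorem 3 S-box construction,
checked exhaustively for k = 3, g = 2 (n = 9). Bit 1 of a vector is its MSB."""
import random


def make_complete_sbox(k, rng):
    """Theorem 3 construction: k input pairs (V_j, V_j') that are j-different are
    mapped onto k complementary output pairs (Y_j, ~Y_j), so flipping input bit j
    flips every output bit.  Remaining inputs get the remaining outputs at random.
    Assumed pair choice: V_j = e_{j'}, V_j' = e_j | e_{j'} with j' = j mod k + 1."""
    assert k >= 3
    size = 1 << k
    e = lambda j: 1 << (k - j)                          # unit vector with bit j set
    in_pairs = [(e(j % k + 1), e(j % k + 1) | e(j)) for j in range(1, k + 1)]
    comp_pairs = [(y, y ^ (size - 1)) for y in range(size // 2)]   # (Y, ~Y), bit 1 of Y = 0
    rng.shuffle(comp_pairs)
    table = {}
    for (v, v_prime), (y, y_bar) in zip(in_pairs, comp_pairs):
        table[v], table[v_prime] = y, y_bar
    rest_in = [v for v in range(size) if v not in table]
    rest_out = [y for y in range(size) if y not in table.values()]
    rng.shuffle(rest_out)
    table.update(zip(rest_in, rest_out))
    return [table[v] for v in range(size)]             # f as a lookup table


def multiplicity(f, n):
    """M = min over i, j of |Q_ij|, where Q_ij holds the unordered i-different
    pairs (V, V') whose images differ in bit j.  f is complete iff M >= 1."""
    counts = [[0] * n for _ in range(n)]
    for i in range(n):
        e_i = 1 << (n - 1 - i)
        for v in range(1 << n):
            if v & e_i:                                 # count each pair once
                continue
            diff = f(v) ^ f(v ^ e_i)
            for j in range(n):
                counts[i][j] += (diff >> (n - 1 - j)) & 1
    return min(min(row) for row in counts)


def comp_network(k, g, sboxes):
    """Wire g stages of k**(g-1) S-boxes as Algorithm COMP prescribes and return
    the n-bit function F (n = k**g).  sboxes[j][t] is the table of the box the
    key selected for S_(j+1),(t+1).  Output bit t of partition i+q-1 of stage j
    feeds input bit q of box t of partition ceil(i/k) of stage j+1; the in-order
    assignment of bits to boxes within a partition is our assumption."""
    n, boxes = k ** g, k ** (g - 1)
    wiring = []              # wiring[j][t][q]: stage-(j+1) output bit -> input q+1 of box t
    for j in range(1, g):
        part = k ** j        # bits per stage-j partition = boxes per stage-(j+1) partition
        stage_map = [[0] * k for _ in range(boxes)]
        for i in range(0, n // part, k):                # partitions i..i+k-1 -> partition i//k
            for q in range(k):
                for t in range(part):
                    stage_map[(i // k) * part + t][q] = (i + q) * part + t
        wiring.append(stage_map)

    def F(x):
        bits = [(x >> (n - 1 - b)) & 1 for b in range(n)]
        for j in range(g):
            out = []
            for t in range(boxes):                      # substitution stage j+1
                val = int("".join(map(str, bits[t * k:(t + 1) * k])), 2)
                y = sboxes[j][t][val]
                out.extend((y >> (k - 1 - q)) & 1 for q in range(k))
            bits = out
            if j < g - 1:                               # COMP permutation to stage j+2
                bits = [bits[wiring[j][t][q]] for t in range(boxes) for q in range(k)]
        return int("".join(map(str, bits)), 2)
    return F


def demo(k=3, g=2, seed=1979):
    """Build a COMP network from fresh complete S-boxes (constructed here, seeded)
    and check Theorem 1 and the Theorem 2 bound M * 2**(k**g - (k-1)(g-1) - k)."""
    rng = random.Random(seed)
    n = k ** g
    sboxes = [[make_complete_sbox(k, rng) for _ in range(k ** (g - 1))] for _ in range(g)]
    m_box = min(multiplicity(s.__getitem__, k) for stage in sboxes for s in stage)
    f = comp_network(k, g, sboxes)
    m_net = multiplicity(f, n)
    return {"sbox_multiplicity": m_box, "network_multiplicity": m_net,
            "theorem2_bound": m_box * 2 ** (k ** g - (k - 1) * (g - 1) - k),
            "complete": m_net >= 1}
```

Calling demo() for $k = 3$, $g = 2$ reports the S-box multiplicity $M$, the network's multiplicity and the Theorem 2 bound $16M$; larger $g$ is wired the same way, but the exhaustive check over $2^n$ inputs is only practical for small $n$.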

It is known [21] that linear or affine encryption functions can be broken more easily. In the next theorem, we are going to show that a complete one-one correspondence is neither linear nor affine.

Theorem 4: Let $f$ be a one-one correspondence mapping $\{0,1\}^n \to \{0,1\}^n$. If $f$ is complete, then $f$ does not satisfy the following property:

Property 1: $(\exists H \in \{0,1\}^n)(\exists\ n \times n \text{ matrix } M)[f(A) = (A M) \oplus H]$ for all $A \in \{0,1\}^n$.

Proof: We are going to show that $f$ does not satisfy Property 1 by contradiction. Assume $f$ is complete and satisfies Property 1. By the completeness of $f$, we know that

$(\forall i, j,\ 1 \le i, j \le n)(\exists X, X' \in \{0,1\}^n)[(X \text{ and } X' \text{ are } i\text{-different}) \wedge (f(X) \text{ and } f(X') \text{ differ at least in bit } j)].$

Now $f(X) = f(X' \oplus Y_i)$, where $Y_i$ is an $n$-bit vector with a 1 only in the $i$th position. By the assumption that $f$ is affine, $f(X) = X'M \oplus Y_i M \oplus H$ and $f(X') = X'M \oplus H$. Since $f(X)$ and $f(X')$ differ in bit $j$, this implies that bit $j$ of $Y_i M$ is 1. Since $j$ is arbitrarily chosen, we conclude that

$Y_i M = \underbrace{11 \cdots 1}_{n}.$

Similarly we may conclude that

$Y_j M = \underbrace{11 \cdots 1}_{n}$

for $j \ne i$. This contradicts the assumption that $f$ is a one-one correspondence. Hence, $f$ does not satisfy Property 1. $\square$

Corollary 1: Let $f$ be a one-one correspondence mapping $\{0,1\}^n \to \{0,1\}^n$. If $f$ is complete, then $f$ is neither linear nor a bit-permutation function.

In order to increase the key size of a network, we may modify the SP network by allowing the output of each stage $i$ of the network to be EXCLUSIVE-ORed with an arbitrary $n$-bit vector $V_i$. In Fig. 8, we show a modified version of the SP network from Fig. 5 with the EXCLUSIVE-OR facility incorporated. Before we encrypt a message using the network in Fig. 8, we have to initialize the key and all $V_i$'s. Our next results show that the additional facility does not affect the completeness property.

Fig. 8. The extension of an output from COMP with the EXCLUSIVE-OR facility included; $V_1 = (v_{1,1} v_{1,2} \ldots v_{1,27})$, $V_2 = (v_{2,1} v_{2,2} \ldots v_{2,27})$, $V_3 = (v_{3,1} v_{3,2} \ldots v_{3,27})$.

Lemma 3: If $f$ is a complete one-one correspondence mapping $\{0,1\}^n \to \{0,1\}^n$ and $g$ is a new function defined as follows:

$(\forall A \in \{0,1\}^n)[g(A) = f(A) \oplus H],$

where $H$ is a fixed vector in $\{0,1\}^n$, then $g$ is complete and has the same multiplicity as $f$.

Proof: The proof is obvious and is omitted. $\square$

Theorem 5: Let $E$ be an $n$-bit SP network constructed by the Algorithm COMP. Let $E'$ be a network obtained from $E$ by the inclusion of the EXCLUSIVE-OR facility. $E'$ is complete and has the same multiplicity as $E$.

Proof: It follows directly from Lemma 3 and Theorem 1. $\square$

In examining the complete functions, we are able to derive some interesting properties true for SP networks in general.

Definition: For a fixed $k \ge 3$ and $n = k^g$, we define $(SP)^i$ to be the class of all functions, not necessarily complete, realizable by using SP networks with $i$ stages, where each stage has $k^{g-1}$ S-boxes and each S-box has $k$ input bits.

Lemma 4: Let $f$ be in $(SP)^i$; if $X$ and $X'$ are $j$-different for some $1 \le j \le n$, then $f(X)$ and $f(X')$ differ in at most $k^i$ bits.

Proof: Simple induction on $i$. $\square$

Theorem 5:

$(SP)^1 \subset (SP)^2 \subset \cdots \subset (SP)^g.$

Proof: The fact that $(SP)^i \subseteq (SP)^{i+1}$ follows from the fact that one can simulate an $n$-bit $i$-stage network by an $n$-bit $(i+1)$-stage network by making the first stage of the $(i+1)$-stage network an identity function.


To prove that $(SP)^i \subset (SP)^{i+1}$ strictly, for $1 \le i \le g - 1$, we only have to show that there exists $f \in (SP)^{i+1}$ such that $f(X)$ differs from $f(X')$ in more than $k^i$ places for some $j$-different $X$ and $X'$. The existence of $f$ can be shown by construction of an $(i+1)$-stage SP network using the Algorithm COMP, where all input S-boxes are identical and have the following property:

It is easy to show that the function $g$ achieved by the SP network has the property that

$g(00 \cdots 00)$ differs from $g(00 \cdots 01)$

in exactly $k^{i+1}$ bits. $\square$

V. CONCLUSION

In this paper, we have presented a general scheme which enables us to design arbitrarily large complete SP networks. We have also investigated some ramifications of the completeness property. We are currently exploring other properties of complete functions as well as SP networks in general.

REFERENCES

[1] G. Davida, D. Linton, R. Szelag, and D. Wells, "Database security," IEEE Trans. Software Eng., Nov. 1978.
[2] G. Davida, T. Mahar, and J. Kam, "Design and analysis of a class of ciphers," IEEE Int. Symp. Inform. Theory, Ronneby, Sweden, 1975.
[3] W. Diffie and M. Hellman, "Exhaustive cryptanalysis of the NBS data encryption standard," Computer, pp. 74-84, Dec. 1977.
[4] W. Diffie and M. Hellman, "New directions in cryptography," IEEE Trans. Inform. Theory, pp. 644-654, Nov. 1976.
[5] H. Feistel, "Cryptography and computer privacy," Scientific American, May 1973.
[6] Federal Register, vol. 40, no. 149, Aug. 1, 1975.
[7] L. Hoffman and W. Miller, "Getting a personal dossier from a statistical databank," Datamation, pp. 74-75, May 1970.
[8] J. Kam and J. Ullman, "A model of statistical database security," ACM TODS, Mar. 1977.
[9] R. Merkle and M. Hellman, "Hiding information in oneway functions and trapdoor knapsacks," IEEE Trans. Inform. Theory, Sept. 1978.
[10] R. Morris, N. Sloane, and A. Wyner, "Assessment of the National Bureau of Standards' Data Encryption Standard," Bell Telephone Lab. Memo, Dec. 1976.
[11] R. Rivest, L. Adleman, and A. Shamir, "A method for obtaining digital signatures and public key cryptosystems," Commun. Assoc. Comput. Mach., vol. 21, no. 2, 1978.
[12] C. Shannon, "Communication theory of secrecy systems," Bell Syst. Tech. J., vol. 28, pp. 656-715, 1949.
[13] A. Wyner, "The wiretap channel," Bell Syst. Tech. J., vol. 54, 1975.

John B. Kam received the B.S. degree from Columbia University, New York, NY, in 1972, and the Ph.D. degree from Princeton University, Princeton, NJ, in 1976, both in computer science. He is currently an Assistant Professor of Electrical Engineering and Computer Science at Columbia University. His research interests include compiler optimization, database design, and data security.

George I. Davida (SM'76) received the B.S., M.S., and Ph.D. degrees in electrical engineering from the University of Iowa, Iowa City, in 1967, 1969, and 1970, respectively. From 1970 to 1978 he was with the Department of Electrical Engineering and Computer Science of the University of Wisconsin at Milwaukee. He is currently on leave and is Program Director, Theoretical Computer Science, National Science Foundation. His research interests include data security, privacy, and databases.

Dr. Davida is a member of the Association for Computing Machinery. He is on the Governing Board of the IEEE Computer Society and was Chairman of its Distinguished Visitor Program. He is currently Chairman of the Computer Society's Technical Committee on Security and Privacy.