WO2006116801A1 - Process of and apparatus for hashing - Google Patents

Process of and apparatus for hashing Download PDF

Info

Publication number
WO2006116801A1
WO2006116801A1 PCT/AU2006/000557 AU2006000557W WO2006116801A1 WO 2006116801 A1 WO2006116801 A1 WO 2006116801A1 AU 2006000557 W AU2006000557 W AU 2006000557W WO 2006116801 A1 WO2006116801 A1 WO 2006116801A1
Authority
WO
WIPO (PCT)
Prior art keywords
nlfsr
input
bit
bits
cryptographic
Prior art date
Application number
PCT/AU2006/000557
Other languages
French (fr)
Inventor
Sean O'neil
Original Assignee
Synaptic Laboratories Limited
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from AU2005902150A external-priority patent/AU2005902150A0/en
Application filed by Synaptic Laboratories Limited filed Critical Synaptic Laboratories Limited
Publication of WO2006116801A1 publication Critical patent/WO2006116801A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/065Encryption by serially and continuously modifying data stream elements, e.g. stream cipher systems, RC4, SEAL or A5/3
    • H04L9/0656Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher
    • H04L9/0662Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher with particular pseudorandom sequence generator
    • H04L9/0668Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher with particular pseudorandom sequence generator producing a non-linear pseudorandom sequence

Definitions

  • the present invention relates to cryptographic primitives.
  • linear cryptographic function/as a function of any given number of inputs and any given number of outputs such that the relationship between every bit of output and every bit of input is a polynomial of a degree not higher than 1.
  • a typical linear cryptographic function is a set of bits each of which is the XOR of a number of input bits.
  • AU bijective linear cryptographic functions are reversible. (An illustration of the sense that the term 'polynomial' has in the present art is in the analysis of linear feedback shift registers which is set out at pages 372 to 379 of the book Applied Cryptography: Protocols, Algorithms, and Source Code in C by Bruce Schneier, second edition, 1996.)
  • a cryptographic function is called reversible regarding a given input if the computational cost of finding the value of that input knowing the output and all other inputs is comparable with the computational cost of calculation of the cryptographic function itself.
  • Addition modulo 2 n , multiplication modulo 2 n and multiplicative inverse modulo 2 n are typical reversible nonlinear cryptographic functions.
  • a cryptographic function is called irreversible regarding a given input if the computational cost of finding the value of that input knowing the output and all other inputs is either computationally infeasible or extremely high compared with the computational cost of calculation of the cryptographic function itself, including both the bijective (potentially reversible) and the surjective functions in which information is irrecoverably lost (also known as epimorphism).
  • y x « ⁇ x (x rotated left by x bit) is an example of an irreversible nonlinear cryptographic function.
  • the reversibility of a nonlinear cryptographic function regarding any of its inputs is determined individually for each input. Any given nonlinear cryptographic function may be reversible regarding one input and irreversible regarding another or it can be either reversible or irreversible regarding all its inputs.
  • a block cipher is a reversible nonlinear cryptographic function regarding its plaintext input, but it is irreversible regarding its key, and a keyed cryptographic hash is irreversible regarding both its inputs, data and key.
  • a linear combination of nonlinear cryptographic functions is also a nonlinear cryptographic function.
  • a nonlinear cryptographic function of a linear combination of its inputs is also a nonlinear cryptographic function. Both these cases are referred to as ⁇ a nonlinear cryptographic function' in this specification and are marked according to their reversibility regarding the current block as one of the inputs.
  • a nonlinear cryptographic function is reversible regarding one of its inputs x, then a reversible linear or nonlinear combination of that input x or that function's output with any other input is also a nonlinear cryptographic function reversible regarding that input x.
  • a nonlinear cryptographic function is irreversible regarding one of its inputs x
  • a combination of one or more of its inputs and/or its output with any other cryptographic function, linear or nonlinear, reversible or irreversible is also irreversible regarding that input x.
  • 'balanced constant' refers to constants chosen as balanced log(N)-bit Boolean functions (consisting of 50% binary zero digits) with high nonlinearity and that satisfy other cryptographic properties including but not limited to those as described in the masters thesis 'On the Design of S-Boxes' by A. F. Webster and S. E. Tavares, Department of Electrical Engineering, Queen's University, guitarist, Ont. Canada, published in LNCS no. 218, pp. 523—534 (1986). Balanced constants are used as
  • a 'secret key' and 'symmetric secret key' refer to a key which is selected as a random number such that each of the bits in it are 'independent' of the other bits in the cryptographic sense.
  • Cryptographic hash functions have been implemented using various modes of operation for block ciphers.
  • Dedicated hash functions are the most commonly used type of hash functions. Examples of dedicated hash functions include MD5, SHA-I, SHA-256, SHA- 512. Tiger, Bear, etc. In all the above examples the data material is fed in only one function and only once.
  • counters for the purpose of generating spreading sequences are used extensively in communications applications.
  • Counters for the purpose of ensuring the minimal period of the generator to be of a certain guaranteed length are used extensively in cryptography.
  • Nonlinear feedback shift registers are known.
  • DeBruijn sequences of n bits generate sequences with 2" (also represented as 2 ⁇ ⁇ ) long periods. Construction of arbitrarily large DeBruijn sequences is an open problem, and the only known method to find them is by brute force, which to date remains infeasibie for n of 64-bit and over. Also, even if construction of large (80-bit or wider) DeBruijn generators was possible, all 80 bits of the counter state would have to be used as inputs into the feedback function and such a wide function would most probably be unable to compete in performance with the modern stream ciphers.
  • a NLFSR of 7i-bits in length will have 2 n/2 short loops on average.
  • An i-NLFSR has one loop, but unlike a DeBruijn sequence, its loop is not maximal length and there is one or a number of paths into the loop.
  • i-NLFSR natural identity
  • pi-NLFSR prime identity
  • the identity-NLFSRs are very useful in cryptographic applications as they can be initialized with a random value within the range of 0 to 2 n -l and the i-NLFSR is guaranteed to converge to a period of fixed length.
  • RNS-based residue number system based
  • LFSR and NLFSR have been used as accumulator functions in non-cryptographic applications.
  • Examples include Cyclic Redundancy Checksum, and nonlinear feedback shift registers as disclosed in "Test Response Compaction by an Accumulator Behaving as a Multiple Input Non-Linear Feedback Shift Register" by D. Bakalis et al. 5 published in
  • Such constructions are intended to detect errors introduced at random as a result of signal noise or random logic failure in a circuit and are not suitable for cryptographic hashing applications.
  • the present invention provides a process of updating the state of NLFSR, in which: the process receives input data; and bits of the input data linearly affect bits of the NLFSR state.
  • the present invention provides corresponding apparatus, signals, data and machine-readable substrates as are set out in the claims of this specification.
  • embodiments of the present invention outline a dual-purpose nonlinear data expansion technique by employing nonlinear feedback shift registers (NLFSR) with co-prime periods, which can be used to provide either one or both of 1) a guaranteed long period primarily required by stream ciphers and pseudo-random number generators (PRNG), and 2) a nonlinear expansion of a key, initialization vector (IV) and user message, required by ciphers, hash functions and message authentication codes.
  • NLFSR nonlinear feedback shift registers
  • figure 1 illustrates state transitions in accordance with one preferred embodiment of the present invention
  • figure 2 illustrates state transitions in accordance with another preferred embodiment of the present invention
  • figure 3 illustrates state transitions in accordance with yet another preferred embodiment of the present invention
  • figure 4 is a flow-chart illustrating operation of the embodiment of figure 3.
  • Figure 1 illustrates a preferred embodiment of the current invention.
  • Region 100 illustrates the bits 101 through 108 representing the internal state of a first i-NLFSR counter.
  • Region 110 illustrates the bits 111 through 118 representing the internal state of a second i-NLFSR counter.
  • the bit 123 is a bit of data to be expanded.
  • a i-NLFSR feedback function 109 takes as inputs bits 101, 103, 104, 106 and 108.
  • the value of bit 101 is saved as output bit 121
  • the value of bit 102 is shifted into bit 101
  • the value of bit 103 is shifted into bit 102
  • the value of bit 104 is shifted into bit 103
  • the value of bit 105 is shifted into bit 104
  • the value of bit 106 is shifted into bit 105
  • the value of bit 107 is shifted into bit 106
  • the value of bit 108 is shifted into bit 107
  • output of the feedback function 109 is linearly combined with bit 123 feeding the result back into bit 108.
  • a i-NLFSR feedback function 119 takes as inputs bits 111, 112, 116, 117 and 118.
  • the value of bit 111 is saved as output bit 122
  • the value of bit 112 is shifted into bit 111
  • the value of bit 113 is shifted into bit 112
  • the value of bit 114 is shifted into bit 113
  • the value of bit 115 is shifted into bit 114
  • the value of bit 116 is shifted into bit 115
  • the value of bit 117 is shifted into bit 116
  • the value of bit 118 is shifted into bit 117
  • output of the feedback function 119 is linearly combined with bit 123 feeding the result back into bit 118.
  • Figure 2 illustrates a preferred embodiment of the current invention utilizing a RNS counter 165 for the purpose of iterated expansion-compression of a 5-bit input state 130 consisting of the input bits 131, 132, 133, 134 and 135 storing five consecutive data bits.
  • the expansion function 140 consists of 6 i-NLFSR counters 141, 142, 143, 144, 145 and 146 with co-prime periods implemented according to the above-referenced co-pending Australian provisional patent applications 2005901987 and 2005902019 of which 4 of the i-NLFSR counters use bits 131 and 138 as their inputs.
  • Output of the expansion function 140 is saved as state 150 consisting of individual bits 151, 152, 153, 154, 155 and 156, which are linearly compressed by the XNOR operation 160 into the output bit 161.
  • the five NLFSR bits 135, 134, 133 and 132 are loaded with the values of bits 134, 132 and 131 respectively.
  • the bit 131 is loaded with the value of the next bit of the data to be processed or is initialized with a known constant.
  • the XNOR linear combiner 139 takes as its inputs bits 132 and 135 and produces an output bit 138.
  • i-NLFSRs 141 and 142 receive bit 131 as their inputs linearly combining it with one of the bits of their states and generating bits 151 and 152 as their respective outputs.
  • i-NLFSRs 143 and 144 receives bit 138 as their inputs linearly combining it with one of the bits of their states and generating bits 153 and 154 as their respective outputs.
  • i-NLFSRs 145 and 146 provide a guaranteed nonlinear difference in the output 150 between iterations, up to their combined total period length. They return bits 155 and 156 as their respective outputs.
  • the value of the input bit 131 is reset to a binary constant zero for the entire output stream. Subsequently, values of all the bits of 130 get permanently reset to a binary zero constant supplied as input to the i-NLFSRs 141 and 142. Subsequently, the XNOR operation 139 also constantly returns a binary 1 as its output value supplied as input to the i-NLFSR counters 143 and 144.
  • the value of input bit 131 is loaded with a message to be hashed. In the first iteration the value of input bit 131 will influence the counters 141 and 142. In the second and fifth iterations the original value of input bit 131 will shift into input bits 132 and 135 respectively and influence the counters 143 and 144.
  • the counters 141 and 142 are influenced once by each bit to be encoded.
  • the counters 143 and 144 are influenced twice by each bit to be encoded.
  • the counters 145 and 146 provide a guaranteed nonlinear difference in the output 150 between iterations independent from user input, up to their combined total period length.
  • Figure 3 partially illustrates a preferred embodiment of the current invention using two DeBruijn NLFSR counters.
  • a non-linear function 310 takes as inputs bits 302, 303, 304, 305 and 306.
  • a non-linear function 360 takes as input bits 352, 353, 354, 355 and 306.
  • a linear function 311 takes as input the output of 310 and bit 301.
  • a linear function 361 takes as input the output of 360 and the bit 351.
  • bit 301 is linearly combined 380 with the value of bit 353 and with the value of 351 to produce output bit 381, the value of bit 302 is shifted into bit 301, the value of bit 303 is shifted into bit 302, the value of bit 304 is shifted into bit 303, the value of bit 305 is shifted into 304, the value of 306 is linearly combined with the value of input bit 371 and shifted into 305, the output value of linear function 311 is shifted into 306, the value of bit 352 is shifted into bit 351, the value of bit 353 is shifted into bit 352, the value of bit 354 is shifted into bit 353, the value of bit 355 is shifted into 354, the value of 356 is shifted into bit 355, the value of 357 is linearly combined with the value of input bit 371 and shifted into 356, the output value of linear function 361 is shifted into 357.
  • the functions 310 and 311 produce a DeBruijn sequence of (2 ⁇ ⁇ )-l where a is 6 when the input 371 is a fixed constant and the state 300 is not zero.
  • the functions 361 and 360 produce a DeBruijn sequence of (2 ⁇ ⁇ )-l where b is 7 when the input 371 is a fixed constant and the state 360 is not zero.
  • the combination of the two DeBruijn NLFSR states 380, when input 371 is a fixed constant and state 300 and 360 are not zero form an RNS counter with a period (2 ⁇ (a+b))-l .
  • Figure 4 illustrates the process of operation for the embodiment of figure 3.
  • Label 401 illustrates the start of the process.
  • Process 402 initializes the DeBruijn NLFSR states 300 and 350 with balanced constants.
  • Process 403 performs a round update function.
  • the shift register 300 executes, with the feedback function 311 updating bit 306 and the linear combiner 315 taking as input the value of bit 371 and 306 updating bit 305.
  • the shift register 350 executes, with the feedback function 361 updating bit 357 and the linear combiner 361 taking as input the value of bit 371 and 357 updating bit 356.
  • the linear function 380 accepts as input 301, 353 and 351 producing output 381.
  • Decision 404 determines if there is more input to be hashed. If 404 is false, execution returns to step 603. No output material is released.
  • Label 405 illustrates the termination of the process.
  • the RNS counter used for the combined purpose of data expansion and counting is a part of a larger cryptographic component.

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Nonlinear Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Detection And Prevention Of Errors In Transmission (AREA)
  • Compression, Expansion, Code Conversion, And Decoders (AREA)

Abstract

A process of updating the state of NLFSR receives input data; and bits of the input data linearly affect bits of the NLFSR state.

Description

Process of and apparatus for hashing
Field of the invention
The present invention relates to cryptographic primitives.
Background of the invention The present application claims priority from our Australian provisional patent application number 2005902150, the contents of which are incorporated herein by reference.
The terms 'comprises' and 'comprising' when used in this specification are to be taken to specify the presence of stated features, integers, steps or components but do not preclude the presence or addition of one or more other features, integers, steps, components or groups thereof.
We define a linear cryptographic function/as a function of any given number of inputs and any given number of outputs such that the relationship between every bit of output and every bit of input is a polynomial of a degree not higher than 1. A typical linear cryptographic function is a set of bits each of which is the XOR of a number of input bits. AU bijective linear cryptographic functions are reversible. (An illustration of the sense that the term 'polynomial' has in the present art is in the analysis of linear feedback shift registers which is set out at pages 372 to 379 of the book Applied Cryptography: Protocols, Algorithms, and Source Code in C by Bruce Schneier, second edition, 1996.)
A cryptographic function is called reversible regarding a given input if the computational cost of finding the value of that input knowing the output and all other inputs is comparable with the computational cost of calculation of the cryptographic function itself. Addition modulo 2n, multiplication modulo 2n and multiplicative inverse modulo 2n are typical reversible nonlinear cryptographic functions.
A cryptographic function is called irreversible regarding a given input if the computational cost of finding the value of that input knowing the output and all other inputs is either computationally infeasible or extremely high compared with the computational cost of calculation of the cryptographic function itself, including both the bijective (potentially reversible) and the surjective functions in which information is irrecoverably lost (also known as epimorphism). y = x «< x (x rotated left by x bit) is an example of an irreversible nonlinear cryptographic function.
The reversibility of a nonlinear cryptographic function regarding any of its inputs is determined individually for each input. Any given nonlinear cryptographic function may be reversible regarding one input and irreversible regarding another or it can be either reversible or irreversible regarding all its inputs.
For example, a block cipher is a reversible nonlinear cryptographic function regarding its plaintext input, but it is irreversible regarding its key, and a keyed cryptographic hash is irreversible regarding both its inputs, data and key.
A linear combination of nonlinear cryptographic functions is also a nonlinear cryptographic function. A nonlinear cryptographic function of a linear combination of its inputs is also a nonlinear cryptographic function. Both these cases are referred to as ς a nonlinear cryptographic function' in this specification and are marked according to their reversibility regarding the current block as one of the inputs.
If a nonlinear cryptographic function is reversible regarding one of its inputs x, then a reversible linear or nonlinear combination of that input x or that function's output with any other input is also a nonlinear cryptographic function reversible regarding that input x.
If a nonlinear cryptographic function is irreversible regarding one of its inputs x, then a combination of one or more of its inputs and/or its output with any other cryptographic function, linear or nonlinear, reversible or irreversible is also irreversible regarding that input x.
In this specification we use the term 'balanced constant' to refer to constants chosen as balanced log(N)-bit Boolean functions (consisting of 50% binary zero digits) with high nonlinearity and that satisfy other cryptographic properties including but not limited to those as described in the masters thesis 'On the Design of S-Boxes' by A. F. Webster and S. E. Tavares, Department of Electrical Engineering, Queen's University, Kingston, Ont. Canada, published in LNCS no. 218, pp. 523—534 (1986). Balanced constants are used as
'magic numbers'. (See for example page 243 of Schneier Applied Cryptography, Second Edition 1992).
In this specification we use the terms a 'secret key' and 'symmetric secret key' to refer to a key which is selected as a random number such that each of the bits in it are 'independent' of the other bits in the cryptographic sense.
Cryptographic hash functions have been implemented using various modes of operation for block ciphers. Dedicated hash functions are the most commonly used type of hash functions. Examples of dedicated hash functions include MD5, SHA-I, SHA-256, SHA- 512. Tiger, Bear, etc. In all the above examples the data material is fed in only one function and only once.
Methods of hashing that employ the use of two independent hash functions and the use of delayed expansions of the plaintext are disclosed in our co-pending Australian provisional patent application number 2005902149 entitled Process of and Apparatus for Hashing, the content of which is incorporated herein by reference.
The present application is related to our co-pending Australian provisional patent applications numbers 2005901987 and 2005902019, both entitled Process of and Apparatus for Counting, the contents of each of which are incorporated herein by reference.
As is explained in those above-referenced co-pending applications, counters for the purpose of generating spreading sequences are used extensively in communications applications.
Counters for the purpose of ensuring the minimal period of the generator to be of a certain guaranteed length, such as maximal distance linear feedback shift registers, are used extensively in cryptography.
Nonlinear feedback shift registers (NLFSR) are known. DeBruijn sequences of n bits generate sequences with 2" (also represented as 2Λή) long periods. Construction of arbitrarily large DeBruijn sequences is an open problem, and the only known method to find them is by brute force, which to date remains infeasibie for n of 64-bit and over. Also, even if construction of large (80-bit or wider) DeBruijn generators was possible, all 80 bits of the counter state would have to be used as inputs into the feedback function and such a wide function would most probably be unable to compete in performance with the modern stream ciphers.
In contrast, the above-referenced co-pending Australian provisional patent applications 2005901987 and 2005902019 disclose a new class of nonlinear feedback shift registers that we describe as identity-NLFSR (i-NLFSR).
A NLFSR of 7i-bits in length will have 2n/2 short loops on average. An i-NLFSR has one loop, but unlike a DeBruijn sequence, its loop is not maximal length and there is one or a number of paths into the loop.
We described two classes of i-NLFSRs; natural identity (ni-NLFSR) for periods of natural numbers and a sub-category called prime identity (pi-NLFSR) for periods of prime lengths.
The identity-NLFSRs are very useful in cryptographic applications as they can be initialized with a random value within the range of 0 to 2n-l and the i-NLFSR is guaranteed to converge to a period of fixed length. A number of such i-NLFSR's with periods {pi,p2,p$,...pm} can be trivially combined in a single module by the skilled reader of this specification resulting in a counter with a period up top = LCM (pι,p,p3,.../>»,), where LCM is the Least Common Multiple of all the periods of the m smaller i-NLFSRs. Thus the pi-NLFSR and ni-NLFSR with large prime factors make excellent moduli for residue number system based (RNS-based) counters as described in our above-referenced co-pending Australian provisional patent application.
LFSR and NLFSR have been used as accumulator functions in non-cryptographic applications. Examples include Cyclic Redundancy Checksum, and nonlinear feedback shift registers as disclosed in "Test Response Compaction by an Accumulator Behaving as a Multiple Input Non-Linear Feedback Shift Register" by D. Bakalis et al.5 published in
Proceedings International Test Conference 2000, October 03-05 2000.
Such constructions are intended to detect errors introduced at random as a result of signal noise or random logic failure in a circuit and are not suitable for cryptographic hashing applications.
One cryptographic hash function using LFSRs is found in the paper by H. Krawczyk, LFSR-based hashing and authentication, in "Advances in Cryptology ~ CRYPTO '94", Y. G. Desmedt, ed., Lecture Notes in Computer Science 839 (1994), 129-139.
Summary of the invention
In one aspect, the present invention provides a process of updating the state of NLFSR, in which: the process receives input data; and bits of the input data linearly affect bits of the NLFSR state.
In other aspects, the present invention provides corresponding apparatus, signals, data and machine-readable substrates as are set out in the claims of this specification.
It will thus be seen that embodiments of the present invention outline a dual-purpose nonlinear data expansion technique by employing nonlinear feedback shift registers (NLFSR) with co-prime periods, which can be used to provide either one or both of 1) a guaranteed long period primarily required by stream ciphers and pseudo-random number generators (PRNG), and 2) a nonlinear expansion of a key, initialization vector (IV) and user message, required by ciphers, hash functions and message authentication codes.
Brief description of the drawings
In order that the present invention may be more readily understood, preferred embodiments of it are described by reference to the drawings in which: figure 1 illustrates state transitions in accordance with one preferred embodiment of the present invention; and figure 2 illustrates state transitions in accordance with another preferred embodiment of the present invention; figure 3 illustrates state transitions in accordance with yet another preferred embodiment of the present invention; and figure 4 is a flow-chart illustrating operation of the embodiment of figure 3.
Descriptions of preferred embodiments of the invention Figure 1 illustrates a preferred embodiment of the current invention. Region 100 illustrates the bits 101 through 108 representing the internal state of a first i-NLFSR counter. Region 110 illustrates the bits 111 through 118 representing the internal state of a second i-NLFSR counter. The bit 123 is a bit of data to be expanded.
A i-NLFSR feedback function 109 takes as inputs bits 101, 103, 104, 106 and 108. On each iteration, the value of bit 101 is saved as output bit 121, the value of bit 102 is shifted into bit 101, the value of bit 103 is shifted into bit 102, the value of bit 104 is shifted into bit 103, the value of bit 105 is shifted into bit 104, the value of bit 106 is shifted into bit 105, the value of bit 107 is shifted into bit 106, the value of bit 108 is shifted into bit 107, and output of the feedback function 109 is linearly combined with bit 123 feeding the result back into bit 108.
A i-NLFSR feedback function 119 takes as inputs bits 111, 112, 116, 117 and 118. On each iteration, the value of bit 111 is saved as output bit 122, the value of bit 112 is shifted into bit 111, the value of bit 113 is shifted into bit 112, the value of bit 114 is shifted into bit 113, the value of bit 115 is shifted into bit 114, the value of bit 116 is shifted into bit 115, the value of bit 117 is shifted into bit 116, the value of bit 118 is shifted into bit 117, and output of the feedback function 119 is linearly combined with bit 123 feeding the result back into bit 118.
Thus the single input bit 123 is supplied as input to two different nonlinear expansion functions. Figure 2 illustrates a preferred embodiment of the current invention utilizing a RNS counter 165 for the purpose of iterated expansion-compression of a 5-bit input state 130 consisting of the input bits 131, 132, 133, 134 and 135 storing five consecutive data bits. The expansion function 140 consists of 6 i-NLFSR counters 141, 142, 143, 144, 145 and 146 with co-prime periods implemented according to the above-referenced co-pending Australian provisional patent applications 2005901987 and 2005902019 of which 4 of the i-NLFSR counters use bits 131 and 138 as their inputs. Output of the expansion function 140 is saved as state 150 consisting of individual bits 151, 152, 153, 154, 155 and 156, which are linearly compressed by the XNOR operation 160 into the output bit 161.
On each iteration of the process, the five NLFSR bits 135, 134, 133 and 132 are loaded with the values of bits 134, 132 and 131 respectively. The bit 131 is loaded with the value of the next bit of the data to be processed or is initialized with a known constant. The XNOR linear combiner 139 takes as its inputs bits 132 and 135 and produces an output bit 138.
i-NLFSRs 141 and 142 receive bit 131 as their inputs linearly combining it with one of the bits of their states and generating bits 151 and 152 as their respective outputs. i-NLFSRs 143 and 144 receives bit 138 as their inputs linearly combining it with one of the bits of their states and generating bits 153 and 154 as their respective outputs. i-NLFSRs 145 and 146 provide a guaranteed nonlinear difference in the output 150 between iterations, up to their combined total period length. They return bits 155 and 156 as their respective outputs.
In a preferred mode of operation of embodiments of the current invention used as a part of a stream cipher, the value of the input bit 131 is reset to a binary constant zero for the entire output stream. Subsequently, values of all the bits of 130 get permanently reset to a binary zero constant supplied as input to the i-NLFSRs 141 and 142. Subsequently, the XNOR operation 139 also constantly returns a binary 1 as its output value supplied as input to the i-NLFSR counters 143 and 144. As long as the inputs to the i-NLFSR counters 141, 142, 143 and 144 remain constant, all six i-NLFSR counters will maintain their respective co-prime identity periods, resulting in the RNS counter 165 having its full period equal to the product of periods of all six i-NLFSR counters. In a preferred mode of operation of the current invention used as a part of a hash function, the value of input bit 131 is loaded with a message to be hashed. In the first iteration the value of input bit 131 will influence the counters 141 and 142. In the second and fifth iterations the original value of input bit 131 will shift into input bits 132 and 135 respectively and influence the counters 143 and 144. The counters 141 and 142 are influenced once by each bit to be encoded. The counters 143 and 144 are influenced twice by each bit to be encoded. The counters 145 and 146 provide a guaranteed nonlinear difference in the output 150 between iterations independent from user input, up to their combined total period length.
Figure 3 partially illustrates a preferred embodiment of the current invention using two DeBruijn NLFSR counters.
A non-linear function 310 takes as inputs bits 302, 303, 304, 305 and 306. A non-linear function 360 takes as input bits 352, 353, 354, 355 and 306. A linear function 311 takes as input the output of 310 and bit 301. A linear function 361 takes as input the output of 360 and the bit 351. On each iteration, the value of bit 301 is linearly combined 380 with the value of bit 353 and with the value of 351 to produce output bit 381, the value of bit 302 is shifted into bit 301, the value of bit 303 is shifted into bit 302, the value of bit 304 is shifted into bit 303, the value of bit 305 is shifted into 304, the value of 306 is linearly combined with the value of input bit 371 and shifted into 305, the output value of linear function 311 is shifted into 306, the value of bit 352 is shifted into bit 351, the value of bit 353 is shifted into bit 352, the value of bit 354 is shifted into bit 353, the value of bit 355 is shifted into 354, the value of 356 is shifted into bit 355, the value of 357 is linearly combined with the value of input bit 371 and shifted into 356, the output value of linear function 361 is shifted into 357.
The functions 310 and 311 produce a DeBruijn sequence of (2Λα)-l where a is 6 when the input 371 is a fixed constant and the state 300 is not zero. The functions 361 and 360 produce a DeBruijn sequence of (2Λδ)-l where b is 7 when the input 371 is a fixed constant and the state 360 is not zero. The combination of the two DeBruijn NLFSR states 380, when input 371 is a fixed constant and state 300 and 360 are not zero form an RNS counter with a period (2Λ(a+b))-l .
Figure 4 illustrates the process of operation for the embodiment of figure 3. Label 401 illustrates the start of the process. Process 402 initializes the DeBruijn NLFSR states 300 and 350 with balanced constants.
Process 403 performs a round update function. The shift register 300 executes, with the feedback function 311 updating bit 306 and the linear combiner 315 taking as input the value of bit 371 and 306 updating bit 305. The shift register 350 executes, with the feedback function 361 updating bit 357 and the linear combiner 361 taking as input the value of bit 371 and 357 updating bit 356. The linear function 380 accepts as input 301, 353 and 351 producing output 381.
Decision 404 determines if there is more input to be hashed. If 404 is false, execution returns to step 603. No output material is released.
Label 405 illustrates the termination of the process.
In a preferred embodiment of the current invention, the RNS counter used for the combined purpose of data expansion and counting is a part of a larger cryptographic component.
Although detailed embodiments, with a number of variations, which incorporate the teachings of the present invention, have been shown and described in detail herein, those skilled in the art can readily devise many other embodiments and applications of the present invention that still utilize these teachings.

Claims

Claims:
1. A cryptographic process of updating the state of NLFSR, in which: the cryptographic process receives input data; and bits of the input data linearly affect bits of the NLFSR state.
2. A cryptographic process as claimed in claim 1 , in which the NLFSR is a part of a larger RNS-based counter.
3. A cryptographic process as claimed in claim 1 or claim 2, in which the states of at least two NLFSRs are updated.
4. A cryptographic process as claimed in claim 3, in which: the input data linearly affects bits of a first NLFSR and a second NLFSR3 and the first and the second NLFSRs are different.
5. A cryptographic process as claimed in claim 4, in which the bits of the input data linearly affect bits of the second NLFSR with a delay.
6. A cryptographic process as claimed in claim 3, in which an input bit is supplied into a first NLFSR and the same input bit is supplied as input into a second
NLFSR.
7. A cryptographic process as claimed in claim 3 or claim 6, in which at least one NLFSR has a large guaranteed minimum period when its data input is fixed to a constant value and its output is combined with at least one additional NLFSR from the at least two NLFSRs.
8. A cryptographic process, as claimed in any one of claim 3, claim 6 or claim 7, in which an input bit is stored, and that input bit is supplied as a input at to least two NLFSR, such that the input bit is supplied into a first NLFSR at a delayed time from the input into a second NLFSR.
9. A cryptographic process as claimed in any one of claim 3, claim 6, claim 7 or claim 8, where at least one NLFSR is an i-NLFSR.
10. A cryptographic process in as claimed in any one of claim 3, claim 6, claim 7 claim 8, or claim 9, in which at least one NLFSR which accepts input updates two bits of state every iteration, a first bit updated as the output of a nonlinear feedback function accepting as input bits of the NLFSR state and a second bit of state linearly combining a bit of NLFSR state with an input bit
11. Data which has been generated by encryption according to a process comprising the process of any one of the preceding claims.
12. Data which has been generated by decryption according to a process comprising the process of any one of claims 1 to 10.
13. Pseudo-random sequences which have been generated according to a process comprising the process of any one of claims 1 to 10.
14. A machine readable substrate carrying data which has been generated according to a process comprising the process of any one of claims 1 to 10.
15. A signal carrying data which has been generated according to a process comprising the process of any one of claims 1 to 10.
16. Apparatus for encoding a digital input, which apparatus performs a process comprising a process according to any one of claims 1 to 10.
17. Apparatus for decoding a digital input, which apparatus performs a process comprising a process according to any one of claims 1 to 10.
PCT/AU2006/000557 2005-04-29 2006-05-01 Process of and apparatus for hashing WO2006116801A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
AU2005902150 2005-04-29
AU2005902150A AU2005902150A0 (en) 2005-04-29 Process of and Apparatus for Hashing

Publications (1)

Publication Number Publication Date
WO2006116801A1 true WO2006116801A1 (en) 2006-11-09

Family

ID=37307518

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/AU2006/000557 WO2006116801A1 (en) 2005-04-29 2006-05-01 Process of and apparatus for hashing

Country Status (2)

Country Link
TW (1) TW200708027A (en)
WO (1) WO2006116801A1 (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103748986B (en) * 2008-07-14 2009-08-12 中国科学院数据与通信保护研究教育中心 A kind of one-way cipher Hash Value generates method and apparatus
CN101620523B (en) * 2009-07-29 2011-04-13 深圳国微技术有限公司 Random number generator circuit
EP2192521A3 (en) * 2008-11-24 2014-08-13 Pitney Bowes, Inc. Method and system for securing communications in a metering device
CN104238995A (en) * 2013-06-21 2014-12-24 中国人民解放军信息工程大学 Non-linear feedback shift register
JP2017524291A (en) * 2014-06-27 2017-08-24 テレフオンアクチーボラゲット エルエム エリクソン(パブル) Cryptographic checksum generation

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4852023A (en) * 1987-05-12 1989-07-25 Communications Satellite Corporation Nonlinear random sequence generators
US5703952A (en) * 1992-12-30 1997-12-30 Telstra Corporation Limited Method and apparatus for generating a cipher stream
US6167553A (en) * 1996-07-17 2000-12-26 Ericsson Inc. Spiral scrambling
GB2386523A (en) * 2002-03-15 2003-09-17 Eternity Licensing Ltd Symmetric key cryptosystem
US20040107353A1 (en) * 2001-06-26 2004-06-03 Fr Ance Telecom Cryptographic method of protecting an electronic chip against fraud
US6748410B1 (en) * 1997-05-04 2004-06-08 M-Systems Flash Disk Pioneers, Ltd. Apparatus and method for modular multiplication and exponentiation based on montgomery multiplication
EP1441313A1 (en) * 2003-01-24 2004-07-28 France Telecom Public key cryptographical method for protecting an electronic chip against fraud

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4852023A (en) * 1987-05-12 1989-07-25 Communications Satellite Corporation Nonlinear random sequence generators
US5703952A (en) * 1992-12-30 1997-12-30 Telstra Corporation Limited Method and apparatus for generating a cipher stream
US6167553A (en) * 1996-07-17 2000-12-26 Ericsson Inc. Spiral scrambling
US6748410B1 (en) * 1997-05-04 2004-06-08 M-Systems Flash Disk Pioneers, Ltd. Apparatus and method for modular multiplication and exponentiation based on montgomery multiplication
US20040107353A1 (en) * 2001-06-26 2004-06-03 Fr Ance Telecom Cryptographic method of protecting an electronic chip against fraud
GB2386523A (en) * 2002-03-15 2003-09-17 Eternity Licensing Ltd Symmetric key cryptosystem
EP1441313A1 (en) * 2003-01-24 2004-07-28 France Telecom Public key cryptographical method for protecting an electronic chip against fraud

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
DIMITRAKOPOULOS G. ET AL.: "Bit Serial Test Pattern Generation by an Accumulator behaving as a Non-Linear Feedback Shift Register", IEEE INTERNATIONAL ON-LINE TESTING WORKSHOP (IOLTW'02), 2002, XP010601421 *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103748986B (en) * 2008-07-14 2009-08-12 中国科学院数据与通信保护研究教育中心 A kind of one-way cipher Hash Value generates method and apparatus
EP2192521A3 (en) * 2008-11-24 2014-08-13 Pitney Bowes, Inc. Method and system for securing communications in a metering device
CN101620523B (en) * 2009-07-29 2011-04-13 深圳国微技术有限公司 Random number generator circuit
CN104238995A (en) * 2013-06-21 2014-12-24 中国人民解放军信息工程大学 Non-linear feedback shift register
JP2017524291A (en) * 2014-06-27 2017-08-24 テレフオンアクチーボラゲット エルエム エリクソン(パブル) Cryptographic checksum generation
US10313125B2 (en) 2014-06-27 2019-06-04 Telefonaktiebolaget Lm Ericsson (Publ) Generating cryptographic checksums

Also Published As

Publication number Publication date
TW200708027A (en) 2007-02-16

Similar Documents

Publication Publication Date Title
US8275125B2 (en) Method for designing a secure hash function and a system thereof
AU702766B2 (en) A non-deterministic public key encryption system
US20080056490A1 (en) Encryption Processing Apparatus, Encryption Processing Method, and Computer Program
US8086860B2 (en) Method for preventing and detecting hash collisions of data during the data transmission
EP1510028A1 (en) Advanced encryption standard (aes) hardware cryptographic engine
Kara et al. A new class of weak keys for blowfish
US20060098815A1 (en) Methods of encoding and decoding data
WO2006110954A1 (en) Process of and apparatus for counting
WO2006116801A1 (en) Process of and apparatus for hashing
Karthik et al. A new design paradigm for provably secure keyless hash function with subsets and two variables polynomial function
Gholipour et al. A pseudorandom number generator with keccak hash function
Arnault et al. X-FCSR–a new software oriented stream cipher based upon FCSRs
Diedrich et al. Comparison of Lightweight Stream Ciphers: MICKEY 2.0, WG-8, Grain and Trivium
US20060098816A1 (en) Process of and apparatus for encoding a signal
Stegemann Extended BDD-based cryptanalysis of keystream generators
Fúster-Sabater et al. Strategic attack on the shrinking generator
Rose et al. The t-class of SOBER stream ciphers
Matsumoto et al. Cryptanalysis of cryptmt: Effect of huge prime period and multiplicative filter
Caballero-Gil et al. New attack strategy for the shrinking generator
Mattsson Stream cipher design
Dey Stream Ciphers
Orumiehchiha Cryptanalysis of lightweight cryptographic algorithms
Jattke et al. MICKEY 2.0 & WG-8
Khairallah et al. Introduction and Background
Tiwari Design of Cryptographic Hash Functions based on MD and MD Variant

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

WWW Wipo information: withdrawn in national office

Country of ref document: DE

NENP Non-entry into the national phase

Ref country code: RU

WWW Wipo information: withdrawn in national office

Country of ref document: RU

122 Ep: pct application non-entry in european phase

Ref document number: 06721437

Country of ref document: EP

Kind code of ref document: A1

WWW Wipo information: withdrawn in national office

Ref document number: 6721437

Country of ref document: EP