EP1872515A1 - Process and apparatus for counting - Google Patents

Process and apparatus for counting

Info

Publication number
EP1872515A1
Authority
EP
European Patent Office
Prior art keywords
nlfsr
generated
bits
state
bit
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP06721408A
Other languages
English (en)
French (fr)
Inventor
Sean O'neil
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Synaptic Laboratories Ltd
Original Assignee
Synaptic Laboratories Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from AU2005901988A
Application filed by Synaptic Laboratories Ltd
Publication of EP1872515A1
Legal status: Withdrawn

Links

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00 Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/58 Random or pseudo-random number generators
    • G06F7/582 Pseudo-random number generators
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols; the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/065 Encryption by serially and continuously modifying data stream elements, e.g. stream cipher systems, RC4, SEAL or A5/3
    • H04L9/0656 Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher
    • H04L9/0662 Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher, with particular pseudorandom sequence generator
    • H04L9/0668 Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher, with particular pseudorandom sequence generator producing a non-linear pseudorandom sequence
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/12 Details relating to cryptographic hardware or logic circuitry
    • H04L2209/125 Parallelization or pipelining, e.g. for accelerating processing of cryptographic operations

Definitions

  • the present invention relates to cryptographic primitives.
  • the term 'counter' is used to mean a set of bits, the set being of a fixed size b. Those bits represent a number, which in turn is the value of the counter. That value increments in a deterministic manner by the operation of a defined process on the bits. Irrespective of the initial state of the set of bits, the value of the counter will eventually reach a value to which, after further incrementing, it will eventually return.
  • Counters for the purpose of generating spreading sequences are used extensively in communications applications.
  • Counters for the purpose of ensuring the minimal period of the generator to be of a certain guaranteed length are used extensively in cryptography.
  • NLFSR nonlinear feedback shift registers
  • i-NLFSR identity-NLFSR
  • An NLFSR of n bits in length will have 2^(n/2) short loops on average.
  • An i-NLFSR has one loop, but unlike a DeBruijn sequence, its loop is not maximal length and there is one or a number of paths into the loop.
  • i-NLFSR natural identity
  • pi-NLFSR prime identity
  • The identity-NLFSRs are very useful in cryptographic applications as they can be initialized with a random value within the range 0 to 2^n - 1 and the i-NLFSR is guaranteed to converge to a period of fixed length.
  • LCM Least Common Multiple of all the periods of the m smaller i-NLFSRs.
  • Our present invention provides a process of incrementing a counter, comprising updating the state of an n-bit NLFSR by a nonlinear feedback function, such that the length of each loop of the NLFSR is greater than 1 and is not a power of 2.
  • While NLFSRs with maximum-length periods of 2^n and NLFSRs with periods of 2^(n-1) and a single fixed point (a second period of length 1) are known, a combination of such NLFSRs cannot be used to construct counters with arbitrarily long guaranteed periods for all initial states.
  • Embodiments of the current invention allow construction of counters with arbitrarily long periods for all initial states if smaller NLFSRs as herein described with long preferably co-prime loops and without any fixed points are combined together with a linear or bijective nonlinear output combiner.
  • embodiments of the present invention accordingly guarantee a minimal period length while also ensuring presence of desirable cryptographic properties in the counter output.
  • the present invention provides corresponding apparatus, signals, data and machine-readable substrates as are set out in the claims of this specification.
  • Figure 1 illustrates a NLFSR process that may be used to execute i-NLFSR.
  • the input 500 consists of six bits of input 501, to 506.
  • the ordered intermediate state 510 consists of six bits of intermediate input 511 through 516.
  • the ordered output 520 consists of six bits of output 521 through 526.
  • the region 519 illustrates a 1-bit clockwise rotation.
  • All six bits of the input 500 are supplied to the nonlinear feedback function 530 generating 1 bit of output stored in the intermediate state 510.
  • the remaining five bits of intermediate state 512 through 516 are assigned the input values 502 through 506 from the input 500 respectively.
  • the intermediate state 510 is rotated clockwise by one bit resulting in the state 520.
  • any single bit of the state 520 may be released as output.
  • the state 520 is fed back as the input 500 in the next iteration of the illustration.
  • either the sequence of input bits 501 to 506 or the sequence of output bits 521 to 526 could be considered to be the contents of registers.
  • The total number of possible Boolean functions for 530 is equal to 2 raised to the power 2^n, also written 2^(2^n).
  • A Boolean function of 3 inputs can be represented as a look-up table of its 2^3 (8) possible output values, and there are 2^8 (256) possible 3-input functions.
  • A search for a suitable NLFSR feedback function either brute-forces all 2^(2^n) possible Boolean functions that could be chosen for the nonlinear feedback function 530, or selects random functions from the range of valid Boolean functions, testing the properties of the generated NLFSR as follows.
  • A simple searching process first creates a true/false table with one entry for each of the 2^n possible states of the NLFSR and sets every entry to false.
  • the initial internal state of the NLFSR is set to zero and the table entry corresponding to the state zero of the NLFSR is set as true to indicate that the NLFSR has reached this position.
  • the NLFSR is then executed updating the current state of the NLFSR.
  • the bit in the table corresponding to the current state of the NLFSR is queried. If the entry is false, the NLFSR under test has not transitioned to this state before, and the entry is set true and the process proceeds to execute and test the next state of the NLFSR. If the entry is true, the NLFSR has returned to a position previously visited.
  • the length of the loop is determined by counting the number of NLFSR executions required before the NLFSR returns back to the current position.
  • the remaining states are used as initial states of the NLFSR to find all other loops.
  • a process generates an index that increments sequentially through all possible states, querying the table to determine if the NLFSR has previously visited the state. If the entry is false, the NLFSR is initialized to the respective state. The NLFSR is then executed until it can determine if the NLFSR state matches a state marked as true in the table, or if another loop is discovered. If the NLFSR loops back on itself the NLFSR under test is not an i-NLFSR. If the NLFSR state matches a state in the table marked as true, it indicates that the index location tested converges to a position on the original loop. In that case the NLFSR is executed again starting from the same position but marking bits in the table corresponding to the new states as true. After that the remaining index positions are tested in the same way.
  • the discovered loop is called the identity loop and the NLFSR is an i-NLFSR.
  • The i-NLFSR is classified as a pi-NLFSR if the period length of the identity loop is a prime number. Alternatively, if the period length of the identity loop is not a prime number, the i-NLFSR is classified as a ni-NLFSR.
  • This naive type of search process may be used in principle for any nonlinear function with a feedback to search for i-NLFSR constructions, including parallel feedback NLFSRs.
  • a simple heuristic rule which is suitable in many NLFSR constructions, particularly of the type in figure 1, is that periods with long lengths are usually generated with balanced Boolean functions, which significantly reduces the total search space.
  • two additional heuristic rules are applied to generate i-NLFSR constructions of the type in figure 1: the least significant bit of the balanced Boolean function should be true, and the most significant bit of the balanced Boolean function should be false.
  • An alternative well-known searching technique is a randomized search. Additional search optimizations are preferably used, such as dismissing potential i-NLFSR candidates with short periods without checking for other loops. Other preferred techniques additionally use processes that select the types of Boolean function more likely to generate i-NLFSRs by limiting them to Boolean functions that work best for smaller constructions.
  • Figure 2 illustrates the three-bit Boolean function (a 3x1 truth table) represented in binary as 01110111b, as implemented in a 3-bit variation of the circuit in figure 1.
  • The convention by which we arrive at the representation 01110111b is as follows. First, we consider the three input bits to the Boolean function as if they were three contiguous bits representing a number. The input 111 to the Boolean function represents the decimal number 7, the input 110 represents the decimal number 6, and so on down to the input 000 representing the decimal number zero.
  • the eight possible states of the three-bit finite state machine in figure 2 are illustrated as 0 through 7.
  • The i-NLFSR has a period of 5 (which is a prime number) and its identity loop is the sequence of state transitions {4, 6, 7, 3, 1, 4, ...}.
  • the states 2, 5 and 0 converge onto the identity loop.
  • Figure 3 illustrates the 4x1 truth table of the Boolean function represented in binary as 0110000100011001b as implemented in a 4-bit variation of the circuit in figure 1.
  • the 16 possible states of a 4 bit finite state machine are illustrated as 0 through 15.
  • The i-NLFSR has a period of 11 (which again is a prime number) and its identity loop is the sequence of state transitions {0, 8, 12, 6, 3, 9, 4, 10, 5, 2, 1, 0, ...}.
  • the states 13, 14, 15, 7 and 11 all converge onto the identity loop.
  • Figure 4 illustrates the Boolean function 4x1 truth table represented in binary as 0011010011010001b as implemented in a 4-bit variation of the circuit in figure 1.
  • the 16 possible states of a 4-bit function are illustrated as 0 through 15.
  • The i-NLFSR has a period of 11 (a prime number) and its identity loop is the sequence of state transitions {0, 8, 4, 10, 13, 14, 7, 11, 5, 2, 1, 0, ...}.
  • the states 3, 9, 12, 15 and 6 all converge onto the identity loop in one transition.
  • i-NLFSR guarantees that regardless of the initial state, it will converge to the identity period.
  • i-NLFSR are independent of the type of NLFSR construction used to execute them.
  • i-NLFSRs are known to exist for every natural number of bits from 2 through 2^n, including DeBruijn sequences, according to NLFSR engines shown in Figure 1.
  • Figure 5 illustrates another preferred embodiment of the current invention known to generate i-NLFSR sequences.
  • the reference number 600 indicates an input of 33 bits, only eight bits 601, 602, 603, 604, 605, 606, 607 and 608 of which are illustrated in the drawing.
  • the reference number 610 indicates an internal state of 33 bits, only eight 611, 612, 613, 614, 615, 616, 617 and 618 of which are illustrated in the drawing.
  • the reference number 620 indicates an output of 33 bits, only eight 621, 622, 623, 624, 625, 626, 627 and 628 of which are illustrated in the drawing.
  • the region 619 illustrates the intermediate state 610 being rotated by 1 bit in a clockwise fashion to generate the output 620.
  • the nonlinear feedback function 630 takes as input the least significant bit 601 of input 600 and the most significant bit 608 of 600. A range of 0 to (the length of state 600 - 3) additional bits are selected as input.
  • Figure 5 illustrates the nonlinear feedback function 630 adapted to receive four additional inputs from 600.
  • the single bit output of 630 is stored in intermediate state 611.
  • the remaining 32 intermediate bits 612 through 618 are assigned the 32 values from the range of 602 through 608 respectively.
  • the 33 bits of intermediate state 610 are rotated by 1 bit in a clockwise fashion.
  • ni-NLFSRs and pi-NLFSRs with very long periods approaching 2^n for internal states of n bits are known to exist according to NLFSR engines as shown in Figure 5.
  • Figure 6 illustrates an alternate preferred embodiment of the current invention known to generate i-NLFSR sequences.
  • the reference number 700 indicates a state of 32 bits, eight bits of which 701, 702, 703, 704, 705, 706, 707 and 708 are shown in the drawing.
  • the reference number 710 indicates an intermediate state of 32 bits, eight of which 711, 712, 713, 714, 715, 716, 717 and 718 are shown in the drawing.
  • the reference number 720 indicates an output of 32 bits, eight bits of which 721, 722, 723, 724, 725, 726, 727 and 728 are shown in the drawing.
  • the region of the drawing that is indicated by reference number 719 partially illustrates the intermediate state 710 of 32 bits being rotated by 2 bits in a clockwise fashion.
  • the nonlinear feedback function 730 takes as input the least significant bit 701 and the most significant bit 708 of input 700. A range of 0 to (the length of state 700 - 3) additional bits are selected as input to the feedback function 730.
  • Figure 6 illustrates the nonlinear feedback function 730 as receiving four additional bits from input 700.
  • the two bits of output of 730 are stored in intermediate state 710 in 711 and 712.
  • the remaining 30 intermediate bits 712 through 718 are assigned the 30 values from the range of 603 through 708 respectively.
  • the 32 bits of intermediate state 710 are rotated by 2 bits in a clockwise fashion.
  • Any rotation from 1 to n-1 bits can be selected and any choice of two or more bits of the state can be used as input to the feedback function 730 updating the internal state 700 of the NLFSR engine.
  • i-NLFSRs are known to exist according to NLFSR engines shown in Figure 6.
  • Figure 7 illustrates a process according to a preferred embodiment of the current invention.
  • the portion of the drawing that is indicated by reference number 900 shows five finite state machines that implement the remainders of an RNS counter.
  • The 5 remainders 901, 902, 903, 904 and 905 are selected from finite state machines with periods selected according to our above-referenced co-pending Australian provisional patent application.
  • the five moduli in 900 are i-NLFSRs.
  • Remainder 901 releases one bit of state 911 every round.
  • Remainders 902, 903, 904 and 905 each release one bit of state 912, 913, 914 and 915 respectively every round.
  • Function 920 takes five inputs from the outputs of 911, 912, 913, 914, and 915 and releases one bit 921 every round.
  • The function 920 is a 5-to-1 XOR operation, which ensures that each of the 5 moduli in 900 contributes to the total period length released in bit 921.
  • the operation 920 performs a nonlinear function releasing a single bit output 921.
  • the nonlinear operation 920 is calculated as (911 XOR 912 XOR 913 XOR (914 AND 915)) releasing 1 bit of output 921.
  • the periods of 911, 912, 913 are guaranteed and the functions 914 and 915 further reduce predictability of the output.
  • a linear combination of RNS moduli can be used to guarantee a certain minimal period length in addition with other moduli that can be used to increase the guaranteed period length as well as the randomness properties of the output.
  • FIG 8 illustrates another preferred embodiment of the current invention.
  • Module 940 is a RNS counter as described in figure 7 releasing one bit of output on every round.
  • Module 950 is a nonlinear bijective accumulator taking one bit of input and releasing one bit of output, as described in our above-referenced co-pending Australian provisional patent application, consisting of 12 bits of internal state 952 through 963 and a single key input bit 951.
  • The sequence generated by 940 is hashed in a lossless, bijective fashion in 950. In the current illustration it takes 12 rounds to load 12 bits of unique state from 940. In a preferred embodiment, a full 12 rounds of RNS output from 940 are loaded into module 950 to initialize it; then, for each additional round of RNS output from 940, one bit of state 965 is released as output.
  • Module 950 increases the randomness properties of the RNS counter output while ensuring a certain minimal period length.
  • The i-NLFSRs used in RNS counters are selected by evaluating the linear complexity of the nonlinear feedback function as an Nx1 substitution box. That is, a heuristic process generates several unique i-NLFSRs with equal identity periods and selects the i-NLFSR with the strongest nonlinear feedback function. This process is repeated for each of the i-NLFSR moduli used in a remainder number system (RNS) counter.
  • RNS remainder number system
  • the i-NLFSRs used in RNS counters are selected by evaluating the randomness of the output of each i-NLFSR.
  • a heuristic process generates several unique i-NLFSRs with equal identity periods.
  • the engine is executed releasing every bit, every second bit, every third bit and so on and testing the output streams with a number of randomness tests.
  • the i-NLFSR that better passes the randomness tests is selected. If multiple i-NLFSR have equivalent randomness properties one may be selected at random or the entire RNS set can be subjected to further randomness testing as described above.
  • the i-NLFSRs are selected by evaluating the number of states that directly join onto the identity period.
  • a heuristic process generates several unique instances of i-NLFSRs with equal identity periods. For each i-NLFSR the number of unique joins is counted and the i-NLFSR with the lowest number of collisions is selected.
  • The heuristic searching process selects NLFSRs that have i loops such that each of the i loops is longer than a period t, and such that any state not on the i loops converges to one of the i loops, where t is larger than 2^(n/2).
  • The selection of values of t larger than 2^(n/2) ensures that the counters perform significantly better than the expected average performance of randomly chosen functions.
  • the i-NLFSR replaces a maximal distance linear feedback shift register used for the purpose of generation of spreading sequences.
  • An RNS counter comprising at least two i-NLFSR remainders replaces a chaotic sequence generator.
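The Figure 1 engine, the table-marking loop search with its pi-/ni-NLFSR classification and search heuristics, and the Figure 7 style combination of i-NLFSR remainders, as an added Python example that is not the patent's own code. The bit convention is an assumption inferred from the Figure 2 to 4 loops (bit i of the truth-table integer is the feedback output for input state i; the feedback output replaces the least significant bit and the register is then rotated one bit to the right), and the code reproduces those three identity loops under it.

```python
"""Figure 1 NLFSR engine, loop search and RNS combination (added example,
not the patent's code). Assumed bit convention, inferred from Figures 2-4:
bit i of the truth-table integer is the feedback output for input state i;
the feedback output replaces bit 0 and the register is then rotated right
by one bit, so the new bit lands in the most significant position."""
from math import lcm

FIG2 = (0b01110111, 3)            # 3-bit engine, identity period 5
FIG3 = (0b0110000100011001, 4)    # 4-bit engine, identity period 11
FIG4 = (0b0011010011010001, 4)    # 4-bit engine, identity period 11


def is_prime(p: int) -> bool:
    return p >= 2 and all(p % d for d in range(2, int(p ** 0.5) + 1))


def step(state: int, table: int, n: int) -> int:
    """One round of the Figure 1 engine on an n-bit state."""
    fb = (table >> state) & 1               # feedback function 530 on all bits
    return (state >> 1) | (fb << (n - 1))   # replace bit 0, rotate right


def loops(table: int, n: int):
    """Table-marking search: every loop (states in transition order) plus
    the number of states that merely converge onto a loop."""
    visited = [False] * (1 << n)
    found = []
    for start in range(1 << n):
        path, s = [], start
        while not visited[s]:               # walk until a marked state
            visited[s] = True
            path.append(s)
            s = step(s, table, n)
        if s in path:                       # this walk closed a new loop
            found.append(path[path.index(s):])
        # otherwise the walk joined a state marked on an earlier walk
    return found, (1 << n) - sum(len(l) for l in found)


def classify(table: int, n: int) -> str:
    """'pi-NLFSR', 'ni-NLFSR' or 'not i-NLFSR' (several loops or a fixed point)."""
    found, _ = loops(table, n)
    if len(found) != 1 or len(found[0]) < 2:
        return "not i-NLFSR"
    return "pi-NLFSR" if is_prime(len(found[0])) else "ni-NLFSR"


def heuristic_ok(table: int, n: int) -> bool:
    """Search-space heuristics: balanced table, LSB true, MSB false."""
    size = 1 << n
    balanced = bin(table).count("1") == size // 2
    return balanced and (table & 1) == 1 and (table >> (size - 1)) == 0


def search(n: int):
    """Brute force over all 2^(2^n) tables (practical for n <= 3), keeping
    those that pass the heuristics and turn out to be i-NLFSRs."""
    return [t for t in range(1 << (1 << n))
            if heuristic_ok(t, n) and classify(t, n) != "not i-NLFSR"]


def rns_period(parts, seeds):
    """Clock several i-NLFSR remainders in parallel from arbitrary seeds.
    Once each has converged onto its identity loop the joint state repeats
    with period LCM of the identity periods, whatever the seeds were."""
    states = list(seeds)
    for _ in range(max(1 << n for _, n in parts)):   # converge onto loops
        states = [step(s, t, n) for s, (t, n) in zip(states, parts)]
    start, period = tuple(states), 0
    while True:
        states = [step(s, t, n) for s, (t, n) in zip(states, parts)]
        period += 1
        if tuple(states) == start:
            return period


if __name__ == "__main__":
    for tbl, n in (FIG2, FIG3, FIG4):
        print(f"{tbl:0{1 << n}b}: {classify(tbl, n)} loops={loops(tbl, n)}")
    print("RNS period of Fig. 2 + Fig. 3 from seeds (0, 0):",
          rns_period([FIG2, FIG3], [0, 0]), "= lcm(5, 11) =", lcm(5, 11))
```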

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computational Mathematics (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Security & Cryptography (AREA)
  • Mathematical Analysis (AREA)
  • Mathematical Optimization (AREA)
  • Pure & Applied Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Nonlinear Science (AREA)
  • Compression, Expansion, Code Conversion, And Decoders (AREA)
  • Complex Calculations (AREA)
EP06721408A 2005-04-20 2006-04-20 Process and apparatus for counting Withdrawn EP1872515A1 (de)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
AU2005901988A AU2005901988A0 (en) 2005-04-20 Process of and Apparatus for Counting
AU2005902030A AU2005902030A0 (en) 2005-04-22 Process of and Apparatus for Counting
PCT/AU2006/000528 WO2006110955A1 (en) 2005-04-20 2006-04-20 Process of and apparatus for counting

Publications (1)

Publication Number Publication Date
EP1872515A1 (de) 2008-01-02

Family

ID=37114633

Family Applications (1)

Application Number Title Priority Date Filing Date
EP06721408A Withdrawn EP1872515A1 (de) 2005-04-20 2006-04-20 Process and apparatus for counting

Country Status (3)

Country Link
EP (1) EP1872515A1 (de)
TW (1) TW200707276A (de)
WO (1) WO2006110955A1 (de)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TW201025095A (en) * 2008-12-31 2010-07-01 Giantplus Technology Co Ltd Touch-control LCD device

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US3911216A (en) * 1973-12-17 1975-10-07 Honeywell Inf Systems Nonlinear code generator and decoder for transmitting data securely
US3911330A (en) * 1974-08-27 1975-10-07 Nasa Nonlinear nonsingular feedback shift registers
US5365588A (en) * 1993-03-12 1994-11-15 Hughes Aircraft Company High speed encryption system and method
DE10339999B4 (de) * 2003-08-29 2005-07-14 Infineon Technologies Ag Pseudo-random number generator

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO2006110955A1 *

Also Published As

Publication number Publication date
WO2006110955A1 (en) 2006-10-26
TW200707276A (en) 2007-02-16

Similar Documents

Publication Publication Date Title
Biryukov et al. Equihash: Asymmetric proof-of-work based on the generalized birthday problem
EP1820295B1 (de) S-boxes
US7092525B2 (en) Cryptographic system with enhanced encryption function and cipher key for data encryption standard
Aagaard et al. ACE: An authenticated encryption and hash algorithm
JP5831202B2 (ja) Individual-specific information generation device and individual-specific information generation method
Bertoni et al. Radiogatun, a belt-and-mill hash function
Xiao et al. 2-Adic complexity of two classes of generalized cyclotomic binary sequences
US20070165847A1 (en) Defined-distribution pseudo-random number generator
James et al. An implementation of modified lightweight advanced encryption standard in FPGA
Mihaljević et al. A cellular automaton based fast one-way hash function suitable for hardware implementation
WO2006110954A1 (en) Process of and apparatus for counting
Nawaz et al. A 32-bit RC4-like Keystream Generator
Shamir et al. Guaranteeing the diversity of number generators
Daemen et al. A hardware design model for cryptographic algorithms
EP1872515A1 (de) Process and apparatus for counting
Isobe et al. Slide cryptanalysis of lightweight stream cipher RAKAPOSHI
Diedrich et al. Comparison of Lightweight Stream Ciphers: MICKEY 2.0, WG-8, Grain and Trivium
WO2006116801A1 (en) Process of and apparatus for hashing
Modi et al. Effective hardware architectures for LED and PRESENT ciphers for resource-constrained applications
Biryukov et al. Equihash: asymmetric proof-of-work based on the generalized birthday problem (full version)
CN113946313B (zh) Processing circuit, chip and terminal for the Lookup3 hash algorithm
Park et al. Fully Parallel, One-Cycle Random Shuffling for Efficient Countermeasure in Post-Quantum Cryptography
Nikhil et al. Hardware implementation of quasigroup based encryption
Shi et al. Modeling Attack Resistant Arbiter PUF based on Dynamic Finite Field Matrix Multiplication scheme
Hayes Non-Cryptographic Hash Functions: Focus on FNV

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20071107

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LI LT LU LV MC NL PL PT RO SE SI SK TR

DAX Request for extension of the european patent (deleted)
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20080503