JP2688659B2 - Encryption system for digital cellular communication - Google Patents

Description

DETAILED DESCRIPTION OF THE INVENTION Reference to Related Applications This application is pending US patent application serial number 556,102 entitled "Continuous Cryptographic Synchronization for Cellular Communication Systems," and "Resynchronization of Cryptographic Systems During Handoff." Also includes related subject matter in pending US patent application Ser. No. 556,103, both filed July 20, 1990 and also filed July 23, 1990. Such applications and the disclosures therein, which also contain subject matter related to pending U.S. Patent Application No. 556,890, "Collation System for Digital Cellular Communications," are hereby incorporated by reference. To do.

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to digital cellular communication systems, and more particularly to methods and apparatus for encryption of data communication in such systems.

History of the Prior Art Cellular wireless communication is perhaps the fastest growing segment of the global telecommunications industry. Cellular wireless communication systems include only a small fragment of the telecommunications system currently in operation, but this fragment is steadily increasing,
It is widely believed that in the not-so-distant future, it will represent the majority of the entire telecommunications market. This belief is that to connect with subscribers in the network,
It is based on limitations inherent in traditional telephony networks that rely primarily on wiring technology. Standard home or office telephones are connected, for example, via a maximum length telephone line at a wall outlet or telephone jack.
Similarly, wires connect the telephone outlets to the telephone company's intra-section switching office. Therefore, the range of action of the telephone user is limited not only by the length of the telephone line but also by the availability of an operable telephone outlet, that is, an outlet connected to the intra-zone switching office. In fact, the emergence of cellular radio systems overcomes these limitations and allows the telephone user to move around, without sacrificing his ability to effectively communicate with others.
Or it may depend in large part on his desire to give him the freedom to move out of his home or office. In a typical cellular communication system, a user, or a vehicle of the user, carries a relatively small wireless device, which communicates with a base station, and other mobile stations in the system and within a public switched telephone network (PSTN). Connect the user to the landline side of.

A significant disadvantage of existing cellular wireless communication systems is the ease with which analog wireless transmissions can be intercepted. In particular, some or all of the communication between the mobile station and the base station can be monitored without authentication, simply by tuning an appropriate electronic receiver to the single or multiple frequencies of communication. is there. Thus, anyone who is interested in accessing and eavesdropping on such a receiver can in fact violate the privacy of the communication, with the will and without any reproach. Efforts have been made to make electronic eavesdropping illegal, but the confidentiality of such behavior means that most if not all of the eavesdropping remains undetected, and therefore punishment and deterrence. Means no. The possibility that a competitor or enemy decides to "tune" to a seemingly personal telephone conversation has so far prevented the proliferation of cellular wireless communication systems and has remained unchecked; Such systems will continue to threaten the ability to foster business and government applications.

Recently, it has become clear that future cellular wireless telecommunications systems will be implemented using digital rather than analog technology. The switch to digital has been mandated primarily by considerations related to system speed and capacity. A single analog or voice radio frequency (RF) channel can accommodate from four to six digital or data RF channels. Thus, by digitizing the interaction before transmission over the voice channel, the channel capacity, and consequently the overall system capacity, can be increased dramatically without increasing the bandwidth of the voice channel. . As a corollary, the system can handle a significantly larger number of mobile stations at a significantly lower cost.

Switching from an analog to a digital cellular radio system somewhat improves the likelihood of lack of confidentiality of communication between base stations and mobile stations, but the risk of electronic eavesdropping is
Far from eradication. This is because it is possible to configure a digital receiver that can decode the digital signal and generate the original dialogue. Although the hardware will be more complex and more expensive than analog transmission, very personal or highly sensitive conversations in digital cellular radio systems will be intercepted by third parties, The possibility remains that it can be used and cause harm to users of the system. Further, the actual possibility of a third party eavesdropping on a telephone conversation would rule out cellular telecommunications as a particular government means of communication. Certain business users may likewise be sensitive to the likelihood of lack of confidentiality as well. Therefore, in order for the cellular system to be a viable alternative to conventional electrical wire networks, communication confidentiality must be achieved on at least some circuits.

Various solutions have been proposed to mitigate confidentiality issues caused by wireless transmission of sensitive data. One known solution is implemented by some existing communication systems and involves a cryptoalgorithm.
Is used to encrypt (scramble) digital data into an incomprehensible form prior to transmission. For example, Rick Grehan from June 1990
Pages 311-324 of a paper entitled "Cloaks and Data" in the Bytes of the Journal concerns a general discussion of cryptographic systems. In most currently available systems, speech is digitized and processed by an encryption device to convert the communication signal, which appears to be virtually random or pseudo-random, until it is decrypted at an authorized receiver. Generate. The particular algorithm used by the encryption device may be a proprietary algorithm or an algorithm found in the public domain. Another background to such technology is Scientific America's 146–167 dated August 1979.
Page of Martin E. Hellman
It can also be found in the n) paper entitled "Mathematics of Cryptography Using Public Keys".

1977, US National Bureau
of Standards) published a cryptographic algorithm defined as the Data Encryption Standard (DES). Federal Information Processing Standards Publication of the National Technical Information Service (FIPS PUB 46) (197
7 years). The DES encryption method uses a well-known mathematical algorithm, and uses a stream of random numbers and 64
And a data encryption key consisting of a binary number of bits. Digital data, typically in ASCII format, is converted into a seemingly random sequence of bits. Encrypted data is decrypted according to standard DES decryption procedures only if the encryption key, which is either a 64-bit binary number, is also known to the recipient of the encrypted data. . Since DES encryption and decryption procedures are well known, key confidentiality is important to the effective use of DES.

Commercial devices that implement DES encryption / decryption typically use the data to be encrypted as the first input, and
It is in the form of an integrated circuit that accepts a key of bits as a second input. Most such devices supply the encrypted data as a third input to the DES device,
It operates in cipher feedback mode (CFB), which prevents the transmission of repetitive encrypted data sequences when the data being encrypted contains a repeating sequence of the same characters. The main advantage of CFB encryption of data is the self-synchronization of encrypted data. However, a major disadvantage of CFB devices operating over the RF link is the reduction of mobile station operating range due to the doubling of errors associated with receiver sensitivity. That is, one error in the transmission of an encrypted block of data will, on average, cause an error in half the bits in the decrypted data, resulting in a vastly extended transmission error rate. Therefore, the mobile station must stay within some limited range of the base station in an attempt to avoid false reception of transmitted data bits with a sufficiently high signal-to-noise ratio. is there. Double error occurs in CFB mode because the erroneously received bits are continuously fed back to the decryptor until the error has propagated through and the receiver resyncs accordingly. .

Another known technique of data encryption that does not suffer from the error doubling problems encountered in the CFB mode of operation is counter addressing (CA). In the CA mode of operation, a keystream generator is used to generate a pseudo-random keystream bit by processing an encrypted key containing a plurality of key data bits. The keystream is then used by the encryption device to encrypt the data signal. Typically, the keystream is a non-alternative OR (XO
R) The logic gate adds the data signal bit by bit (modulo-2) and scrambles to generate a binary data signal. This scrambled signal adds the same keystream generated simultaneously by the same keystream generator initialized with the same binary encryption key to the scrambled signal (modulo-2 ), It is descrambled. In this way, the encryption device can be "addressed" by a pseudo-random counter. Therefore, in CA mode, continuous bit synchronization between the scrambler and the descrambler is required for proper operation of the descrambler key generator without the need for periodic key generator data transfers. ,Needed. Unfortunately, bit synchronization over the RF channel in cellular radio systems is very difficult to maintain due to the ray-ray fading phenomenon caused by multi-path interference patterns caused by reflections from obstacles near the receiving equipment. Is. One error bit in the transmission through the decryption circuit, which is out of phase with the encryption circuit, and the output produced by the receiver are meaningless. CA technology is generally not suitable for encryption of wireless links, which must be stronger against bit transmission errors.

The difficulties associated with continuous bit synchronization have led to the use of "time of day" or "frame number" driven keystream generators. Such a keystream generator can be synchronized to a time-of-day counter, ie hours, minutes and seconds, or a simple numeric counter,
The encryption and decryption circuits can then continue to send the current count even if one goes out of sync with the other.

In a system that utilizes a time-of-day or frame number driven keystream generator, the value of each bit in the pseudo-random keystream must be the same in the encryption key to increase the confidentiality of the communication. Preferably as a function of the value of the key bit of In this way, a person trying to descramble an encrypted signal must "disassemble" or "decrypt" all of the bits in the encryption key, which may be around 50 to 100 bits or more. . This type of keystream usually incorporates a count of time-of-day counters,
It is generated by mathematically expanding the encrypted keywords depending on the algorithm selected. However, if each bit of the encryption key affects each bit in the key stream, and the key stream adds to the data stream bits one by one, then the number of keyword expansion calculations required per second is It is enormous and can easily exceed the real-time computing capabilities of the system. Although the degree of computation required suggests the use of supercomputers, the cost of supercomputers for this purpose is prohibitive. Therefore, what is needed is a method and apparatus that uses a conventional microprocessor and achieves keystream expansion at the speed of a conventional microprocessor.

SUMMARY OF THE INVENTION In one aspect, the present invention comprises a method of generating a pseudo-random bit sequence for use in encrypting digital data. The method is each a function of at least some of the selected key bits,
Generating a plurality of multi-bit values and storing each of the plurality of multi-bit values in a separate location in memory,
Contains. In response to each cycle of operation, a sequence of numbers is generated in the register by incrementing the current value contained in the register. A multi-bit sequence of numbers is cyclic according to a first preselected algorithm, each value being a function of at least one of the multi-bit values stored in said memory and the value contained in said register. Calculated to. The value obtained as a result of each calculation cyclically resets the contents of the register, and the multi-bit keyword that is a function of the value obtained as a result of each calculation is extracted cyclically. The multi-bit keyword is continuously incorporated in the pseudo random bit string. In one embodiment, the generated multi-bit values are
It is a function of all selected key bits.

In another aspect, the invention includes a cellular communication system having a cryptographic subsystem with a keystream generator using a secret key to generate a pseudo-random keystream in two stages. First, the secret key is expanded according to an algorithm to generate a lookup table, which is stored in memory. Secondly, the circuit uses a register count with a key,
Used in combination with the data stored in the lookup table to generate a pseudo-random keystream, which is mixed with the data before transmission. The system of the present invention uses a time-of-day driven counter with data stored in a lookup table, both of which are used to generate the keystream. Such counters at both the transmitter and receiver can be periodically resynchronized in the event of loss of synchronization.

In yet another aspect, the present invention includes a digital cellular communication system in which digital data streams transmitted and received by base stations and mobile units are cryptographically encoded to provide telecommunications confidentiality. The system provides a means for adding a binary bit pseudo-random key stream to the information that carries the digital signal of each transmitter and receiver in the system to create a digital data stream that is transmitted and received within the system. Incorporated. The means for generating a pseudo-random keystream of binary bits as a function of a plurality of selected secret keys each generates a plurality of multi-bit values that is a function of at least some of the selected key bits. Means are provided for storing each of the plurality of multi-bit values in a separate location in memory. Means for generating a sequence of numbers in the register increments the current value contained in the register in response to each operating cycle. The system further comprises a first preselected sequence of multi-bit values, each of which is a function of at least one of the multi-bit values stored in memory and a value contained in the register. According to the algorithm described above, a means for cyclically calculating and a means for cyclically resetting the contents of the register with the value obtained as a result of each calculation are provided. A multi-bit keyword, which is a function of the value obtained as a result of each calculation, is cyclically extracted and of binary bits used to cryptographically encode and decode the transmitted and received digital data streams. Combined into a pseudo-random keystream.

BRIEF DESCRIPTION OF THE DRAWINGS The present invention may be better understood, and its numerous objects and advantages made apparent to those skilled in the art by referencing the following drawings. FIG. 1 is a schematic representation of a cellular wireless communication system including a mobile switching center, a plurality of base stations, and a plurality of mobile stations. FIG. 2 is a schematic block diagram of the equipment of a mobile station used in accordance with one embodiment of the system of the present invention.

FIG. 3 is a schematic block diagram of the equipment of a base station used in accordance with one embodiment of the system of the present invention.

FIG. 4 is a schematic block diagram of a key stream generator of the prior art.

FIG. 5 is a schematic block diagram of a key stream generation circuit of the encryption system configured according to the present invention. And FIG. 6 is a schematic block diagram of a second expansion stage of the keystream generator shown in FIG.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT Referring first to FIG. 1, there is illustrated a conventional cellular wireless communication system of the type to which the present invention generally pertains. In FIG. 1, any geographic area
It can be seen as divided into multiple continuous radio coverages, cells C1-C10. Although the system of FIG. 1 is shown as including only ten cells, it will be clearly understood that in practice the number of cells will be much higher.

Associated with and located within each of cells C1-C10 is a base station shown as a corresponding one of a plurality of base stations B1-B10. Each of the base stations B1-B10 comprises a transmitter, a receiver and a controller, as is well known in the art. In FIG. 1, base stations B1-B10
Are located at the center of cells C1-C10, respectively, and are equipped with omnidirectional antennas. However, in another configuration of the cellular radio system, the base stations B1-B10 are located near the periphery,
Otherwise, it may be located away from the center of cells C1-C10, and may be omni-directional or unidirectional.
C10 can be illuminated with wireless signals. Therefore,
The representation of the cellular radio system in FIG. 1 is for illustration purposes only and is not intended as a limitation on possible implementations of the cellular radio system.

With continued reference to FIG. 1, a plurality of mobile stations M1-M10
Will be found in cells C1-C10. Again, only ten mobile stations are shown in FIG. 1, but it will be appreciated that in practice the actual number of mobile stations will be much larger and will always exceed the number of base stations. Further, in some of the cells C1-C10, the mobile stations M1-M10 are not found, but the mobile stations M1-M10
Whether 10 is present in any one of the cells C1-C10 depends on whether the mobile station M1 wanders from one position to another position in one cell, or from one cell to an adjacent or nearby cell. It will be understood that it follows each individual desire of the M10. Each of the mobile stations M1-M10 is one of the base stations B1-B10.
One or more and via the mobile switching center MSC can initiate or receive a telephone call. The mobile switching center MSC comprises, via a communication link, for example a cable, each of the exemplary base stations B1-B10 and a fixed public switched telephone network (PSTN), not shown, or an integrated system digital network (ISDN) facility. Connected to a similar fixed network. The relevant connection between the mobile switching center MSC and the base stations B1-B10 or between the mobile switching center MSC and the PSTN or ISDN is
Although not fully shown in FIG. 1, it is well known to those skilled in the art. Similarly, a cellular radio system
It may be provided with one or more mobile switching centers and each additional mobile switching center may be connected to a different group of base stations and other mobile switching centers via a cable or wireless link. , Is known.

Each of the cells C1-C10 is assigned to a plurality of voice or speech channels and at least one access or control channel. The control channel is used to control or supervise the operation of the mobile station according to information transmitted to and received from those units.
Such information may include incoming call signals, outgoing call signals, page signals, page signals as the mobile station moves out of radio coverage of one cell and into radio coverage of another cell. Response signals, location registration signals, voice channel assignments, maintenance commands, and "hand-off" commands can be included. The control or audio channels can operate in either an analog or digital mode, or a combination thereof. In digital mode, analog messages such as voice or control signals are converted to a digital signal representation before transmission over an RF channel. Pure data messages, such as those generated by a computer or by a digitized audio device, may be formatted and transmitted directly over a digital channel.

In a cellular radio system using time division multiplexing (TDM), multiple digital channels can share a common RF channel. The RF channel is divided into a series of "time slots", each containing a burst of information from a different data source, and separated from each other by a guard time, wherein the time slots are well-known in the art. Are grouped into "frames". The number of time slots per frame varies depending on the bandwidth of the digital channel that has been attempted to be accommodated by the RF channel. A frame consists of, for example, three time slots, each assigned to one digital channel. In one embodiment of the invention discussed herein, one frame is specified to include three time slots. However, the teachings of the present invention apply to cellular wireless systems utilizing any number of time slots per frame.
It will be clearly understood that they are equally applicable.

Referring now to FIG. 2, there is shown a schematic block diagram of the equipment of a mobile station used in accordance with one embodiment of the present invention. The equipment illustrated in FIG. 2 is used for communication over digital channels. The audio signal detected by the microphone 100 and used for communication by the mobile station is provided as input to a speech coder 101, which converts the analog audio signal into a digital data bit stream. The data bitstream is then divided into data packets or messages according to the time division multiple access (TDMA) technique of digital communications. High-speed related control channel (FA
(CCH) generator 102 exchanges control or supervision messages with base stations in the cellular radio system. Conventional FACCH generators operate in a “blank and burst” manner, which silences user frame data and reduces FACC
The control messages generated by the H generator 102 are transmitted at a high rate.

In contrast to the blank and burst operation of FACCH generator 102, a slow associated control channel (SACCH) generator 103
Exchanges control messages with the base station continuously. SACC
The output of the H generator is assigned a fixed byte length, eg, 12 bits, and is included as part of each time slot in the message sequence (frame). Channel coder 104, 105, 106, speech coder 101, FACCH generator 1
02 and the SACCH generator 103, respectively. Each of the channel coders 104, 105, 106 employs a convolutional encoding technique that protects the significant data bits in the speech coder and the most significant bit in the speech coder frame, eg, 12 bits, in order to compute a 7-bit error check. Error detection and recovery is done by manipulating the incoming data using a cyclic redundancy check (CRC) where bits are used.

Referring again to FIG. 2, channel coder 104, 105
Is used for time division multiplexing of the digitized confirmation message with the FACCH supervisory message and is connected to the multiplexer 107. The output of the multiplexer 107 is coupled to a 2-burst interleaver, which converts each data message transmitted by the mobile station (eg, a message containing 260 bits) into two consecutive time slots arranged in two consecutive time slots. Divide into equal but distinct parts (each part contains 130 bits). In this way, the deterioration effect of Reyleigh fading can be significantly reduced. The output of the 2-burst interleaver 108 is
The data to be transmitted is provided to adder 109 where the data to be transmitted is encrypted bit by bit by logical modulo-2 addition with a pseudo-random key stream generated according to the system of the invention described below. Be transformed into The output of the channel coder 106 is provided as input to a 22-burst interleaver 110. The 22-burst interleaver 110 divides the SACCH data into 22 consecutive time slots, each occupied by one byte of 12 bytes of control information. The interleaved SACCH data forms one of the inputs to burst generator 111. Another input to burst generator 111 is provided by the output of modulo-2 adder 109. The burst generator 111 produces a "message burst" of data, each of which has a time slot identifier (TI), a digital verification color code (DVC), as described further below.
C), including control or supervision information, and data to be transmitted.

Transmitted in each of the time slots in one frame are the time slot identifier (TI) used for time slot identification and receiver synchronization, and digital audio to ensure that the appropriate channel is being decoded. Color code (DVCC). In the example frame of the present invention, 1
A set of three different 28-bit TIs is defined, one for each time slot, while the same 8-bit DVCC is transmitted in each of the three time slots. TI and DVCC
Is provided in the mobile station by the sync word / DVCC generator 112 connected to the burst generator 111, as shown in FIG. The burst generator 111 has a modulo-2 adder 109,
22-burst interleaver 110 and sync word / DVCC generator
Combine 112 outputs, each data (260 bits),
12 for SACCH information (12 bits), TI (28 bits), coded DVCC (12 bits), and a total of 324 bits that can be integrated according to the timeslot format specified by EIA / TIA IS-54. Generates a series of message bursts consisting of

Each of the message bursts is, as discussed above, one
It is transmitted in one of three time slots included in one frame. The burst generator 111 has an equalizer 113
, Which provides the necessary timing to synchronize the transmission of one time slot with the transmission of the other two time slots. The equalizer 113 detects a timing signal sent from the base station (master) to the mobile station (slave), and thereby synchronizes the burst generator 111. Equalizer 113 can also be used to check the values of TI and DVCC. The burst generator 111 is 20m
s frame counter 114, which is
It is used to update the encryption code applied by the mobile station every 20 ms, ie every frame transmitted. The encryption code uses a mathematical algorithm and under the control of a key 116 that is unique for each mobile station, the encryption unit 1
Generated by fifteen. This algorithm can be used to generate a pseudo-random key stream according to the present invention and as discussed further below.

The message burst generated by the burst generator 111 is provided to the RF modulator 117 as an input. RF
Modulator 117 is used to modulate the carrier frequency according to a π / 4-DQPSK technique (π / 4 shifted, differentially encoded quadrature phase shift key). The use of this technique is that the information transmitted by the mobile station is differentially encoded, i.e., two bit symbols have four possible changes in phase, + or -π / 4 and + or -3π / 4, which implies transmission. The carrier frequency for the selected transmission channel is provided by a transmission frequency synthesizer 118 to an RF modulator 117.
The burst modulated carrier signal output of the RF modulator 117 is
Amplified by output amplifier 119 and transmitted via antenna 120 to the base station.

The mobile station receives a burst-modulated signal from a base station via an antenna 121 connected to a receiver 122. The receiver carrier frequency for the selected receive channel is generated by receive frequency synthesizer 123 and provided to RF demodulator. RF demodulator 124 is used to demodulate the received carrier signal into an intermediate frequency signal. This intermediate frequency signal is further demodulated by the IF demodulator 125,
Restore the original digital information as it existed before the π / 4-DQPSK modulation. This digital information then passes through the equalizer 113 to the symbol detector 126 where the equalizer
Convert the 2-bit symbol format of the digital data provided by 114 into a single bit data stream.

Symbol detector 126 produces two separate outputs: a first output consisting of digitized speech data and FACCH data, and a second output consisting of SACCH data. The first output is provided to a modulo-2 adder 127 connected to a 2-burst deinterleaver 128. Modulo-2 adder 127 is used to encrypt unit 1
Decipher the encrypted transmitted data by subtracting, bit by bit, a pseudo-random keystream connected to the transmitter and used by the transmitter in the base station to encrypt the data. Used for.
The modulo-2 adder 127 and the 2-burst deinterleaver 128 reconstruct the speech / FACCH data by assembling and reconstructing the information obtained from the digital data in two consecutive frames. The 2-burst deinterleaver 128 includes two channel decoders 12
9, 130, which are convolutionally encoded speech / FACCH using the reverse process of coding
Decode the data and check the cyclic redundancy check (CRC) bit to determine if an error has occurred. The channel decoders 129, 130 detect the difference between the speech data on the one hand and the FACCH data on the other hand and direct the speech data and the FACCH data to the speech detector 131 and the FACCH detector 132, respectively. The speech detector 131 is a channel decoder 1
The speech data provided by 29 is processed according to a speech coder algorithm, eg, VSELP, and generates an analog signal representing the speech signal transmitted by the base station and received by the mobile station. next,
Prior to the broadcast by the speaker 133, the quality of the analog signal can be improved using a filtering technique. Any FA detected by the FACCH detector 132
The CCH message is also sent to the microprocessor 134.

The second output (SACCH data) of the symbol detector 126 is
22-supplied to burst deinterleaver 135. 22−
The burst deinterleaver 135 performs reassembly and reconstruction of SACCH data spread over 22 consecutive frames. The output of the 22-burst deinterleaver 135 is provided as an input to a channel detector 136. S
The ACCH message is detected by the SACCH detector 137,
Control information is transferred to the microprocessor 134.

The microprocessor 134 controls the activities of the mobile station and the communication between the mobile station and the base station. According to the message received from the base station, a decision is made by the microprocessor 134 and a measurement is made by the mobile station. The microprocessor 134 also has a terminal keyboard input and display output unit 138. The keyboard and display unit 138 allows a user of the mobile station to exchange information with the base station.

Referring now to FIG. 3, there is shown a schematic block diagram of the equipment of a base station used in accordance with the present invention.
When comparing the equipment of the mobile station shown in FIG. 2 to the base station equipment shown in FIG. 3, many of the equipment used by the mobile station and the base station are substantially different in structure and function. It is shown that they are the same. For the sake of convenience and consistency, such identical equipment will be numbered in FIG. 3 with the same reference numerals used in connection with FIG. 2, but with a dash (') in FIG. We will distinguish them by adding.

However, there are some minor differences between the mobile station and the base station equipment. For example, the base station has two receiving antennas 121 'instead of only one. Associated with each of the receiving antennas 121 'is a receiver 122', an RF demodulator
124 'and the IF demodulator 125'. Further, the base station
Programmable frequency combiner (combiner) 118A '
Which is connected to a transmission frequency synthesizer 118 '. Frequency combiner 118A 'and transmit frequency synthesizer 118' perform the selection of the RF channel used by the base station according to the applicable cellular frequency reuse plan. The base station, however, does not have a user keyboard and display unit similar to the user keyboard and display unit 138 at the mobile station. But,
It includes a signal level meter 100 'connected to measure the signals received from each of the two receivers 122' and to provide an output to the microprocessor 134 '. There are other differences in equipment between the mobile station and the base station, which are well known in the art.

The preceding discussion has focused on the operating environment of the system of the present invention. Hereinafter, a specific description of a specific embodiment of the present invention will be described. As disclosed above and used hereinafter, the term "keystream" refers to, for example, RF
A channel, such as a channel, digitally encoded prior to transmission or storage on a medium, vulnerable to unauthorized access, a pseudo-random sequence of binary bits used to encrypt a message or data signal or Means a bit block. "Key stream generator"
Means a device that generates a key stream by processing a secret key consisting of a plurality of bits. Encryption can be performed simply by modulo-2 addition of the key stream to the encrypted data. Similarly, decryption may be performed by modulo-2 subtraction of an identical copy of the keystream from the encrypted data.

Generally speaking, the keystream generator sends (or sends) a relatively small number of secret bits, or secret keys represented by elements 116 and 116 ', represented by elements 115 and 115' in FIGS. 2 and 3, respectively. It provides a mechanism to extend to a significantly larger number of keystream bits used to encrypt a data message prior to storage. To decrypt an encoded message, the receiver must "know" the index to the key stream bits that were used to encrypt the message. In other words, the receiver not only has the same key stream generator and generates the same key stream bits as the transmitter, but also when properly decoding the message, the receiver's key stream generator It must be operated synchronously with the generator. Typically, synchronization is achieved by periodically transmitting the contents of each internal memory element, such as bits, blocks or message counters, that participated in the generation of key stream bits from the encoding system to the decoding system. However, synchronization can be simplified by using arithmetic bit block counters, such as binary counters, and incrementing those counters by an amount each time a new block of key stream bits is generated. Such a counter can form part of a real-time, ie, hour, minute, second, clock chain. Key stream generators that rely on the latter type of counter are known as "Time of Day" driven key stream generators, cited above.

The exact method used for bit-by-block or block-by-block advancing of the keystream generator, and the particular method used to synchronize the transmit circuitry with the receive circuitry is described in "For Cellular Communication Systems" above. Note that it is the subject of pending patent application serial no. 556,102 entitled "Continuous Cryptographic Synchronization". The system of the present invention is directed to the effective implementation of an effective encryption system, which can be used, for example, to protect digital communications over RF channels in cellular telecommunications systems, as described in detail below. It is a thing. The encryption system includes a key stream generator that generates a significant number of key stream bits by performing a number of Boolean operations per second on a plurality of key bits contained in a secret key. . The keystream generator of the present invention can be implemented using integrated circuits having a simple microprocessor architecture.

Referring now to FIG. 4, a schematic block diagram of a prior art keystream generator can now be seen. The optional block counter 201 is a combinational logic circuit 202
To the first multi-bit input. A plurality of 1-bit memory elements, namely flip-flops M ₁ , M ₂ , M ₃ ... M _N , provide a second multi-bit input to the combinational logic circuit. 1
Some of the output of the combinational logic circuit 202 consisting of bits of the output _{d 1, d 2, d 3} ...... d N is fed back to the flip-flop M ₁ ~M _N. After each clock pulse in a series of bit clock input pulses supplied to the flip-flop M ₁ ~M _N, the output d ₁ to d _N are each flip-flop M ₁ ~M _N
Next state. By suitable construction of the combinatorial logic circuit 202, flip-flops M ₁ -M are formed so as to form a straight binary counter, a linear feedback shift register implementing a maximum length sequence, or any other form of linear or non-linear continuous counter. _N can be configured. In each case, the state of each of the flip-flops M ₁ -M _N at the receiver end and the state of the block counter must be identical to the state of the corresponding element at the transmitter end. A reset or synchronization mechanism 204 is used to synchronize the receiver with the transmitter.

Continuing with reference to FIG. 4, a plurality of secret key bits k1,
k2, k3 ... kn form the third multi-bit input to combinational logic 202. The number n of secret key bits is always in the region of 100 bits plus or minus (+/-) 2. Each of the secret keys k1-kn is at least
It is desirable to have the potential to affect each of the bits in the keystream. Otherwise, if eavesdropping, only a small subset of the secret key bits k1-kn would need to be decrypted to decrypt and monitor the encrypted data. The risk of unauthorized interception, however, is that the value (logical state) of each bit in the key stream is not only the value of a particular secret key bit, but also the value of all other secret key bits, as well as the block counter 201.
, And other internal memory states can be greatly reduced. Heretofore, establishing such dependencies has involved an outrageous number of Boolean operations. For example, assume that the secret key consists of 100 secret key bits. As each of these secret key bits affects each bit in the keystream,
A total of 100 combinatorial operations per keystream bit would be required. Therefore, in order to generate 10,000 key stream bits, a total of 1 million combination operations are required, and each key stream bit is further reduced by 1
The number would be even greater if it also depended on one or more internal memory states. One of the objects of the present invention is
The goal is to significantly reduce the number of combination operations required for each key stream bit, while maintaining the dependence of each key stream bit on each of the secret key bits.

According to the invention, the generation of thousands of pseudo-random keystream bits, for example from 100 secret key bits, can be seen as a multi-stage expansion process. A plurality of extension stages are cascaded together, each having a successively smaller extension ratio. The expansion by the first stage is performed less frequently than by the subsequent stages in order to minimize the number of logical (Boolean) operations required per keystream bit. In addition, the first extension stage is configured to provide multiple output bits that are highly dependent on secret key bits, further reducing the number of logical operations that must be performed in subsequent stages.

Referring now to FIG. 5, there is now seen a schematic block diagram of a keystream generator system constructed in accordance with the teachings of the present invention. Multiple sensitive key bits k1, k
2, k3 ... Are provided as inputs to the first stage extension 205. The key bits k1, k2, k3 ... Input can also include some, but preferably all, of the secret key bits k1, k2, k3 ... kn. Additionally or optionally, the input to the first stage extension 205 is the output of a message counter or block counter, a date-time stamp representing the time at the start of a frame or the number of block counts,
Or, other variable outputs that can be synchronized by the sender and receiver can be included. Any internal memory output that changes slowly over time can be used as an input to the first stage extension 205. First
Slowly varying inputs are desirable because the stage expansion 205 must be performed occasionally, for example once per message.

The extension 205 of the first stage has secret key bits k1, k2, k
Produces output that is significantly larger in size than a number of 3 .... This expanded output is stored in memory element 206 and accessed by combinational logic 207. Combinatorial logic 207 provides a second stage extension, as described more fully below. The output of counter or register 208 forms the input to combinational logic 207. Register 208 is initialized to a new start state prior to the occurrence of each block of key stream bits. Initial value generator 209 provides register 208 with its starting state. This starting state is different for each particular block of keystream bits, but is a function of the block number of that particular block and can also be a function of some combination of the secret key bits k1-kn.

The first output 210 of the combinational logic 207 is
Will be fed back. Output 210 becomes the new state of register 208 after each cycle of operation. The second output 211 of the combinational logic 207 forms the key stream bits that will be mixed with the data stream, as shown in FIGS. 2 and 3 above. The number of key stream bits generated per cycle at the output 211 can be any multiple of two, ie, 8, 16, 32, 56, and so on. Such bits will be collectively referred to as “keywords”. Output 211 before reinitialization of register 208
Some or all of the keywords generated in are grouped into key blocks 212. Key block 212, for example, prior to re-initializing register 208,
It consists of all keywords generated every cycle or every other cycle.

The conventional implementation of the keystream generator system depicted in FIG. 5 and discussed above requires a number of complex combinatorial logic circuits, which may include multiple logic gates, namely, AND, OR. Those skilled in the art will appreciate that, if implemented separately by interconnecting (i.e.)), it would be a huge and expensive chip, useful only for very specific applications. Arithmetic and logic units (ALUs), on the other hand, are a standard component of various small, low cost, and versatile microprocessors. The present invention provides means for realizing all necessary combinational logic functions using such an ALU.

A conventional ALU operates under the control of a program and combines any two 8-bit or 16-bit binary words with ADD, SUBTRACT, BITWISE EXCLUSIVE OR, AND,
OR can be performed. If the ALU is used to continuously implement all of the Boolean functions required in the apparatus of FIG. 5, the ALU operating speed measured for the number of complete cycles per second that can be performed will be significantly It will be reduced. The multi-stage expansion used in the system, however, provides program instructions per cycle, from the most frequently executed combinatorial logic 207 to the infrequent periodic computation of large numbers of key-dependent functions in the first stage expansion 205. By minimizing the number, that is, the number of times the ALU is utilized, an excessive reduction in ALU speed is prevented. By the word "large" in the preceding sentence, we mean, for example, a degree of magnitude greater than the number n of secret key bits.

Once register 208 is initialized with a starting value, combinational logic 207 produces a stream of keywords at output 211, and register 208 outputs a feedback value 210.
Each time it is loaded again in, it keeps generating additional keywords. However, there may be difficulties that can impair the integrity of the keyword generation process. For example, if the contents of register 208 were to always return to their initial values, the keyword sequence generated so far would be repeated again. Similarly, when the contents of register 208 return to a value already found at the occurrence of the current key block (which need not be the initial value), the system is said to have performed a "short cycle". For reasons previously suggested, for example, due to the ease of unauthorized deciphering, the occurrence of a single key block, repeated occurrences of the keyword sequence, or the occurrence of a short-circuit cycle,
Not desirable. Further, the contents of the register 208 are
If, after generating a certain point, for example the Mth keyword, and equals a certain value that existed or would be present after the occurrence of another key block, the two key blocks will be identical thereafter, which is also desirable. Not an event.

Therefore, register 2 associated with combinational logic 207
08 (“combination logic / register combination”)
When operating continuously a certain number of times, (i) rather than generating a cycle shorter than the number of keywords per block,
And (ii) a unique keyword string should be generated for each unique start state of the register 208. In order to satisfy the latter requirement, it is sufficient that two different start states cannot converge on the same state. Further, both of the above requirements may apply regardless of the contents of memory 206. As described in more detail below, the present invention alleviates these problems and enhances the integrity of the keyword generation process.

When the state transition diagram of a combinatorial logic / register combination has a branching point that converges, such a combination executes backwards through such a branching point because of the ambiguity as to which path to take. You cannot do it. Thus, showing that the process of processing a combination is unambiguous or reversible is proof that the convergent branch does not exist in its state diagram.
Such a process is described and discussed below.

Referring now to FIG. 6, a partial schematic block diagram of the second extension stage of the key stream generator shown in FIG. 5 can now be seen. The register 208 in FIG. 5 is divided into three byte length registers 208A, 208B and 208C in FIG. The registers 208A, 208B, 208C can be, for example, 8-bit registers. Register 208A, 208
B, Following initialization of 208C, a new state value is calculated from the following equation:

(1) A '= A # [K (B) + K (C)] (2) B' = B # R (A) (3) C '= C + 1 where A'is the new state value for register 208A. Where B'is the new state value for register 208B, C'is the new state value for register 208C, A is the current state value for register 208A, and B is the current state value for register 208B. Is the state value, C is the current state value for register 208C, + means word length modulo addition, eg byte side modulo-256 addition, # is + (as defined above ), Or the exclusive OR (XOR) of bitwize, and K (B)
Is the value K located at the address B of the memory 206 shown in FIG. 5, and K (C) is the value K located at the address C of the memory 206 shown in FIG.

Note: Each of the values K stored in the memory 206 has already been calculated by the first stage extension 205 shown in FIG.
It became a complex function of all secret key bits. R (A)
Is the value located at address A in the fixed lookup table R. Also, the bits of A are provided as inputs to a combinational logic block that produces an output R. The look-up table R, or alternatively, the combinatorial logic block, must provide a number of output bits greater than or equal to the word length of A and less than or equal to the word length of B. Both A and B are 8
If it is a bit byte, for example, R is also an 8-bit byte and the lookup table R will contain 256 values.

The value R must have a 1: 1 mapping from input to output. That is, each possible state of the input bit is:
Must be assigned to only one output value. This is R
It guarantees that the function is reversible, which further guarantees that the whole process can be reversed by the following relations:

(1) C = C-1 (2) B = B ## R '(A) (3) A = A ## [K (B) + K (C)] where-is a word-length modulo subtraction Where ## is the inverse of #, ie,-(as defined above)
Or bitwise XOR, and R 'is a 1: 1 look-up table, or the inverse of combinatorial logic R.

This reversibility indicates that there is no convergence bifurcation point in the state transition diagram of the combination logic / register combination described above, thus ensuring that all start states generate a unique keyword sequence. I have. Furthermore, if C is 1
This process guarantees a minimum cycle length since it is only incremented by 1 and does not return to its initial value after 2W iterations (W is the word length used). For example, if all of the values A, B, C, R, and K are 8-bit bytes, the minimum cycle length is 256. When one keyword (byte) is extracted for each repetition (cycle), a total of 256 bytes can be extracted without fear of incomplete repetition of the column. On the other hand, if a keyword is extracted once every two repetitions, a total of 128 keywords can be extracted without a halfway repetition of the column. By the word "extraction" in the previous two sentences,
Keyword collection and key block 212 in FIG.
Means the arrangement in the key block. A specific method of keyword extraction that can be used in the present invention is described shortly.

With respect to FIG. 6, the process for calculating the output 210 of the combinational logic 267, which is fed back to the register 208, has been described. Generally speaking, any one of the intermediate quantities A, B or C can be directly extracted and used as a keyword in each iteration. Assuming that S = (A, B, C) represents the current state of the combinational logic / register combination, following initialization to S0, a series of states S
The transition would be 0, S1, S2, S3, S4, S5, S6, S7 ... However, in the calculation of the subsequent key block, if the register is initialized to, for example, S2,
The resulting columns S2, S3, S4, S5, S6, S7 ... are identical to the first column shifted by two keywords (S0, S1). Thus, if the values A, B, C from state S are used directly as keywords, such identity may appear between different key blocks. To prevent this, the system of the present invention modifies each of the extracted values according to the position of the value in the key block so that if the same value is extracted at a different keyword position in another block, Try to get different keywords.
An exemplary method for achieving the latter objective is described below.

Let N be the number of keywords in the key block currently being calculated, and let S = (A, B, C) be the current state of register 208 in the iteration where keyword N is being extracted. The value of the keyword W (N) can be calculated as follows.

W (N) = B + 'K [A + N] where + means XOR and +' means either + (defined immediately above) or word length-modulo addition.

Other suitable exemplary methods for keyword extraction are:
The following may be included.

W (N) = B + K [R (A + N)] or W (N) = R [A + N] K [B + N].

The exact nature of the keyword extraction method is not essential to the operation of the present invention, but in order to obtain the best cryptographic properties according to the system of the present invention, the value of the extracted keyword must be a key block. To be a function of their respective positions in
Recommended.

As can be seen from the above description of various embodiments of the system of the present invention, a pseudo-function that is a function of a selected number of secret key bits, among other parameters, and is used to encrypt a digital information stream. A random bit string,
Methods and means are included to reduce the amount of specific logic hardware required to occur. The system involves, under program control, general purpose arithmetic and logic unit (ALU) time sharing, of the type commonly found in conventional microprocessor integrated circuit chips. The system pre-computes and stores in memory a set of digital values that are numerically larger than the number of original input key bits, to allow for a selected complexity of dependence on the key bits. , Minimize the number of ALU operations required per output bit.
Each of the stored digital values is a different and complex logical function of the key bit and optionally also a function of other parameters. The digital values stored in the memory are used as a look-up table in subsequent calculation steps that are performed many times to generate a number of pseudo-random output bits. The pseudo-random bit sequence generator of the system of the present invention, in the pre-calculation of digital values,
It will be appreciated that many other variables can be used with the secret keyword. For example, the following parameters can be used for this purpose: Message number, sender identification code or phone number, intended recipient identification code or phone number, time of day,
The date, the counter value at the beginning of the message, the phone number, a random number exchanged between the interlocutors, or other bits or quantities for the consent means that the sender and receiver have.

Based on the discussion above, the system first initializes the states of a number of flip-flops or register stages that form the inputs to a combinatorial logic circuit that calculates the next state of a set of values, It will be obvious to use pre-calculated and stored digital values. And
The calculated values are transferred to the register stage at the completion of the calculation of the next state, and their new values are used by the combinatorial logic as a new starting state to repeatedly generate a series of additional states to generate the logical value. It is further combined to form the desired output pseudo-random bit string.

The flip-flop or register stage is at least as agreed among the interlocutors, such as the identification code or block count of the block of pseudo-random bits currently being generated and, optionally, some or all of the secret key bits. May depend on other parameters,
Initialized to one value. This dependency of the initialization value preferably, but not necessarily, produces a unique initial register state for each unique block identification number.

The subgroup of bits generated at each transition of the register / combined logic state machine between each successive state is not only the register state but also the position of the subgroup within the pseudo-random bit block currently being generated by the machine. Is a function. The state machine ensures that different starting states cannot be in the same intermediate state in one subsequent iteration, by differentiating each block identification code or code used to initialize the register stage of the state machine. It is guaranteed to generate a unique pseudo-random bit string within a particular block for a block number.

From the above description, the state machine of the present invention consists of a number of register stages connected to combinatorial logic circuits,
It will also be seen that it employs a key-dependent lookup table with arbitrary content and exhibits cyclic behavior in successive iterations. The guaranteed minimum cycle length is ensured by defining that a subgroup of register stages performs a defined cyclic sequence, e.g., at least the minimum length, regularly incrementing binary counting sequence. To be done.

The state machine also has one or more fixed look-up tables in it, with which the interlocutor agrees, and has a 1: 1 mapping property from input address to output address, so It is possible.

The preceding description has presented only certain specific embodiments of the invention. However, one of ordinary skill in the art appreciates that many modifications and changes can be made without departing substantially from the spirit and scope of the invention. It is therefore clearly understood that the form of the invention described herein is merely exemplary and is not intended as a limitation on the scope of the invention as defined in the following claims. Should be.

Claims (27)

(57) [Claims] 1. A method of generating a pseudo-random bit sequence for use in encrypting digital data, the pseudo-random bit sequence being a function of a plurality of selected key bits, each at least the selected key. Generating a first plurality of multi-bit values that is a function of some of the bits, storing each of the first plurality of multi-bit values in memory, and a second plurality of multi-bit values. Storing each of the above in a look-up table, and generating a sequence of numbers in the register having the current value at a particular time by changing the current value contained in the register in response to each iteration of the operation. And at least one of a plurality of multi-bit values stored in the lookup table or the memory and at least one of the generated numbers contained in the register. Iteratively calculating a sequence of multi-bit values consisting of each value that is a function of and according to a first preselected algorithm; and calculating the current value contained in the register as the result of each calculation. Repeatedly resetting using a value obtained as, a step of repeatedly calculating a multi-bit keyword that is a function of a value obtained as a result of each multi-bit value calculation, and at least some of the multi-bit keywords are consecutively calculated. Generating the pseudo-random bit sequence in combination with. 2. The method of claim 1, wherein the pseudo random bit string used for encryption of digital data is generated, wherein the steps of generating a first plurality of multi-bit values are each selected. The method including the step of generating a first plurality of multi-bit values that is a function of all of the key bits. 3. A method as claimed in claim 1 for generating a pseudo-random bit sequence used for the encryption of digital data, the method comprising the additional step of periodically initializing the current value contained in the register. . 4. The method of claim 1, wherein the step of generating a first plurality of multi-bit values comprises generating the pseudo-random bit sequence used for encryption of digital data. At least some of
Generating a first plurality of multi-bit values, each value being a function of both a value contained in a counter that is periodically incremented at a slower rate compared to the iteration of the calculation. , Said method. 5. A digital communication system in which a stream of transmitted and received digital data is cryptographically encoded to provide telecommunications confidentiality, wherein a binary bit pseudo-random key stream is provided in at least one of the systems. Means for adding to the information carrying the digital signal of the transmitter and at least one receiver to create a stream of digital data to be transmitted and received within the system; and a means for generating the pseudo-random key stream of binary bits. A stream generating means for storing each of a plurality of multi-bit values in a separate location, and changing the current value contained in the register in response to each operating cycle to generate a sequence of numbers in the register. Generating means, at least one of the plurality of stored multi-bit values and the register Means for iteratively calculating a sequence of multi-bit values consisting of each value that is a function of the numbers contained in and according to a first preselected algorithm, and the contents of the register as a result of each calculation. Means for repeatedly resetting using the obtained value, means for repeatedly calculating a multi-bit keyword that is a function of the value obtained as a result of each multi-bit value calculation, and at least some of the multi-bit keywords. Means for generating a pseudo-random keystream of the binary bits in continuous combination; and the keystream generating means comprising :. 6. The digital communication system according to claim 5, wherein the keystream generating means further comprises means for generating the pseudo-random keystream of binary bits as a function of a plurality of secret key bits selected. Said digital communication system further comprising means for generating a plurality of multi-bit values, each being a function of at least some of said selected key bits, and storing each of said plurality of multi-bit values in a separate location. The system, wherein the means includes means for storing each of the plurality of generated multi-bit values. 7. The digital communication system of claim 5, further comprising means for periodically initializing the contents of the register. 8. A method for reducing the amount of logical hardware required to generate a pseudo-random bit stream used to encrypt a stream of digital information, the pseudo-random bit stream being selected from a plurality of selected. Storing a set of digital values that is a function of the key bits and is greater in number than the number of selected key bits, each digital value being at least some logical function of the key bits. And storing a sequence of multi-bit values each of which is a function of at least one of the digital values stored in the memory under control of a program using a general purpose microprocessor to iteratively calculate. , Combining at least a portion of the sequence of calculated multi-bit values to generate the pseudo-random bit sequence It said method comprising a floor, a. 9. The method of claim 8, wherein the step of storing in memory reduces the amount of logic hardware required to generate the pseudo-random bit sequence, each step comprising: storing at least some of the selected key bits. Generating a plurality of multi-bit values that is a function of, and storing each of the plurality of multi-bit values in a separate location in memory. 10. The method of claim 9, wherein the step of generating a plurality of multi-bit values each reduces the selected key by reducing the amount of logic hardware required to generate the pseudo-random bit sequence. The method, comprising generating a plurality of multi-bit values that are a function for all of the bits. 11. The method of claim 9, wherein the amount of logic hardware required to generate the pseudo-random bit sequence is reduced by changing the current value contained in the register in response to each operating cycle. The method further comprising the step of generating a sequence of numbers. 12. The method of claim 11, wherein the step of iteratively calculating a sequence of multi-bit values reduces the amount of logic hardware required to generate the pseudo-random bit sequence, the stored digital value. Repeatedly calculating a sequence of multi-bit values each of which is a function of at least one of the values and at least a portion of the generated numbers contained in the register according to a first preselected algorithm. And repeatedly resetting the current value contained in the register with the value resulting from each calculation. 13. The method of claim 11, further comprising the additional step of periodically initializing the present value contained in the register to reduce the amount of logic hardware required to generate the pseudo-random bit sequence. The method comprising. 14. The method of claim 9, wherein the step of generating a plurality of multi-bit values reduces the amount of logic hardware required to generate a pseudo-random bit string of the selected key bits. At least some
Generating a plurality of multi-bit values consisting of each value that is a function of both, a value contained in a counter that is periodically incremented at a slow rate compared to the cyclical repetition of the calculation, The method. 15. A method of generating a pseudo-random bit sequence used to encrypt digital data, the method comprising: generating a plurality of multi-bit values; and storing the plurality of multi-bit values in separate locations. Generating a sequence of numbers in the register having a current value at a particular time by changing a current value contained in the register in response to each of the repeating operations; Iteratively calculating a sequence of multi-bit values consisting of a value and each value that is at least a function of the generated numerical value according to a first preselected algorithm; Repeated resetting with the resulting value of the bit value calculation, and a multi-bit key that is a function of the value resulting from each multi-bit value calculation. It said method comprising the steps of repeatedly computing over de, at least a portion of said multi-bit keywords combined continuously, and a step of generating said pseudo-random bit sequence. 16. The method of claim 15, generating a pseudo-random bit string used to encrypt digital data, wherein the pseudo-random bit string is a function of a plurality of selected key bits. Further comprising the step of generating a plurality of multi-bit values, each of which is a function of at least some of the selected key bits, the step of storing the plurality of multi-bit values in separate locations,
Storing the each of the generated multi-bit values in a separate location in memory. 17. The method of claim 16, wherein the step of generating a plurality of multi-bit values comprises generating a pseudo-random bit sequence used to encrypt digital data.
The method comprising the step of generating a plurality of values, each value being a function for all of the selected key bits. 18. The method of claim 15 for generating a pseudo-random bit sequence used to encrypt digital data, the method comprising the additional step of periodically initializing a current value contained in the register. Method. 19. The method of claim 16, wherein the step of generating a plurality of multi-bit values comprises generating a pseudo-random bit sequence used to encrypt digital data.
A plurality of respective values that are a function of both at least some of the selected key bits and a value contained in a counter that is periodically incremented at a slow rate compared to the periodic repetition of the calculation Generating the multi-bit value of the method. 20. A method of generating a cryptographic variable used in a communication system, the variable being a function of a plurality of selected key bits, the number being greater than the number of the selected key bits. Storing a large plurality of multi-bit values in memory, initializing a register to a selected initial multi-bit value, and repeatedly calculating a new multi-bit value for the register according to an algorithm. And at least some of the bits of the new register value calculated in each iteration are at least some of the bits of the previous register value and at least some of one of the multi-bit values stored in the memory. Combining at least a portion of the calculated register value with the step resulting from combining And generating the variable. 21. The method of claim 20, wherein the memory comprises a look-up table. 22. The method of claim 21, wherein the register comprises a plurality of 8-bit registers and the lookup table comprises 256 values. 23. The method of claim 20, wherein at least some of the plurality of multi-bit values stored in the memory have the function of secret data. 24. A cryptographic variable generating system, wherein the variable is a function of a plurality of selected key bits, the plurality of multi-bits being greater in number than the number of the plurality of selected key bits. Means for storing a value in memory; means for initializing a register to a selected initial multi-bit value; means for repeatedly calculating a new multi-bit value for said register according to an algorithm, each of which comprises: At least some bits of the new register value calculated in the iteration combine at least some bits of the previous register value with at least some bits of one of the multi-bit values stored in the memory. A means for generating the variable by combining the resulting means with at least a portion of the calculated register value. A system, comprising: 25. The system of claim 24, wherein the memory includes a look-up table. 26. The system of claim 25, wherein the register comprises a plurality of 8-bit registers and the lookup table comprises 256 values. 27. The system of claim 24, wherein at least some of the plurality of multi-bit values stored in the memory have the function of secret data.