WO1999014889A1 - Improved block cipher method - Google Patents

Improved block cipher method Download PDF

Info

Publication number
WO1999014889A1
WO1999014889A1 PCT/US1998/019255 US9819255W WO9914889A1 WO 1999014889 A1 WO1999014889 A1 WO 1999014889A1 US 9819255 W US9819255 W US 9819255W WO 9914889 A1 WO9914889 A1 WO 9914889A1
Authority
WO
WIPO (PCT)
Prior art keywords
round
bits
bit
segment
data
Prior art date
Application number
PCT/US1998/019255
Other languages
English (en)
French (fr)
Inventor
Frank C. Luyster
Original Assignee
Luyster Frank C
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Luyster Frank C filed Critical Luyster Frank C
Priority to CA002302784A priority Critical patent/CA2302784A1/en
Priority to AU95690/98A priority patent/AU9569098A/en
Priority to EP98949350A priority patent/EP1016240A1/de
Publication of WO1999014889A1 publication Critical patent/WO1999014889A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0625Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation with splitting of the data block into left and right halves, e.g. Feistel based algorithms, DES, FEAL, IDEA or KASUMI
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/50Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/04Masking or blinding
    • H04L2209/046Masking or blinding of operations, operands or results of the operations
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/12Details relating to cryptographic hardware or logic circuitry
    • H04L2209/125Parallelization or pipelining, e.g. for accelerating processing of cryptographic operations
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/24Key scheduling, i.e. generating round keys or sub-keys for block encryption

Definitions

  • This invention relates to block cipher secret-key cryptographic systems and methods. More particularly, the invention relates to improvements in a secret-key cryptographic system and method which uses data-dependent rotations.
  • Cryptography is the science of securing communications and information. In recent years, the importance of cryptographic systems has been magnified by the explosive growth and deployment of telecommunications technology. Increasing volumes of confidential data are being transmitted across telecommunications channels and are being stored in file servers, where such data ranges from financial information to electronic votes. It is desired that systems provide security from unsanctioned or illicit interception or modification of such confidential information.
  • Encryption or encipherment is the process of disguising a communication to hide its content.
  • the communication which is known as plaintext is encrypted into what is known as ciphertext.
  • Decryption or decipherment is the inverse process of using the same secret-key values to recover the plaintext from the ciphertext output. While the two basic operations of encryption and decryption may be distinguished in practice, there is in general no necessary mathematical difference between the two operations, other than that they are inverse transformations of each other.
  • Ciphertext output of a secure block cipher has little or no statistical relation to its corresponding plaintext input. The output (or input) is uncorrelated to the input (or output).
  • Every bit of ciphertext output reflects every bit of the plaintext input and every bit of the key in a complex uncorrelated manner, just as every bit of recovered plaintext input reflects every bit of the ciphertext output and every bit of the key in a complex uncorrelated manner.
  • Block ciphers generally, are binary ciphers receiving inputs consisting of a fixed number of bits (a block of bits), and have outputs of the same fixed number of bits (an equal sized block of bits).
  • the input and output of such ciphers are one-to-one mappings: each ordered n-bit input is transformed by the block cipher into only one ordered n-bit output; and further, when the transformation is computed in reverse each ordered n-bit output may be transformed back into only one ordered n-bit input.
  • Secret key values are the values which influence the mapping of input to output provided by the block cipher. It is useful to divide secret keys into two categories: secret input keys and secret keys.
  • Secret input keys may be based on varied input from a user or the encryption system which may be of fixed or variable length, and a secret key is often a transformed secret key input.
  • a secret key is usually of fixed length.
  • a block cipher usually operates on a secret key, but in some cases may operate on an secret input key. If a block cipher first operates on a secret input key, potentially it may use some algorithm to transform the secret input key into a secret key in a standard format. Then, a block cipher expands the secret key to form subkeys whose length or number of bits exceeds that of the secret key.
  • Block ciphers are generally iterative and have many rounds in which the same operations are performed in the same manner.
  • the n-bit input into the block cipher may be called n-bit cipher input.
  • the result may be called n-bit cipher output.
  • the ordered binary input may be called n-bit cipher round input
  • the n-bit ordered binary output may be called n-bit cipher round output.
  • An n-bit cipher input or n-bit cipher output refers to the variable n-bit binary input or variable n-bit binary output of a binary block cipher.
  • Such n-bit cipher input and n-bit cipher output are typically plaintext input and ciphertext output.
  • key inputs or subkey values used by a binary block cipher are not variable binary inputs, but are generally fixed or predetermined values for a given use of the block cipher.
  • An n-bit cipher round input or n-bit cipher round output refers to the variable n-bit binary input or variable n-bit binary output of one (and typically of one operative round) round of a binary block cipher.
  • An operative round of a binary block cipher is an iterative round which calculates new values for each of x primary segments in the round, where x may vary in different operative rounds, where there are a total of n-bits in the x primary segments, and where the new values of the x primary segments determine the n-bit round output.
  • Operative rounds of a binary block cipher refer to iterative rounds which calculate new values for each of x primary segments in a given round, where x may vary in different rounds, where the n-bit cipher round output consists of these x segments of new values, and where the total of all bits of the x segments equals n bits.
  • Binary block ciphers are ciphers receiving inputs consisting of n ordered bits of input and have outputs of the same number of ordered bits (n bits).
  • a mapping of block cipher inputs to outputs reveals that every possible combination of n input bits from 2 ⁇ n possible combinations has only one corresponding combination of n output bits, and likewise every combination of n output bits from 2 A n possible combinations has only one corresponding combination of n input bits.
  • binary block ciphers transform input values to output values in a manner such that the mapping of this transformation relates the members of the set of all possible ordered input values of n- bits in a one-to-one manner with the members of the set of all possible ordered output values of n-bits.
  • a round segment is a segment within a round (and typically an operative round) of a binary block cipher which is part of n-bit cipher input or n-bit cipher output, or is calculated within a round or operative round the operative round and is intermediate between input and output; is affected by n-bit cipher round input; and affects n-bit cipher round output.
  • a first value in a calculation is said to affect a second value if, after taking into account the specifics of the particular calculation, a random change in all bits of the first value is likely to change at least one bit of the second value with a chance of at least one in three.
  • a one-to-one round segment is defined as a member of a one-to-one round segment set.
  • a one-to-one round segment set is defined as a set of ordered round segments in an operative round of a binary block cipher where it is true that each n-bit round input corresponds with only one possible result or group of particular values of the ordered segments of that set, and that any group of particular values of the ordered segments of that set correspond with only one possible n-bit round input.
  • the set of segments in the n-bit cipher output are a one-to-one round segment set.
  • the set of segments in any of the n-bit round input or the n-bit round output of each operative round are also one-to-one round segment sets.
  • block ciphers may linearly combine one-to-one round segments with subkeys, or rotate them by a predetermined number of bits, or rotate them by a data- dependent number of bits determined by some bits of another unrelated one-to-one round segment, or even combine them linearly with other unrelated one-to-one round segments, and generally such resulting output segments, which are sometimes intermediate values that do not affect n-bit output directly, are also one-to-one round segments.
  • primary segment values are more than just calculated round segment values which determine a n-bit round output.
  • a n-bit round input contains old or prior values of primary segments which are replaced over the course of an operative round.
  • Each such replacement value of a primary segment is a one-to-one function of the prior value, if all subkey values and all other primary segments are constant.
  • all primary segment values are one-to-one round segments. To increase security each operative round typically interacts one-to-one round segments and secret subkey values.
  • each of the x primary segments is typically a function of its prior segment modified by the combined interaction of at least one other one-to-one round segment and in some cases by a subkey segment for that round.
  • execution of block ciphers in microprocessors generally takes place using registers, i.e., the data locations in a microprocessor which are quickest at loading and storing data.
  • binary block ciphers are configured such that the usual segment operated on by the rounds of the block cipher is equal in size to the 32-bit or 64-bit registers of microprocessors which may compute the block cipher.
  • binary block ciphers use algorithms optimized for 32- bit or 64-bit registers but also they use algorithms which are optimized for the microprocessors of network servers, which are typically internet or intranet nodes.
  • network nodes usually must be capable of more than just encryption or decryption.
  • the majority of time and resources of such servers is allocated to other tasks.
  • it is critical that a block cipher well suited to this task be capable of quick bootup or startup and make minimal use of on-chip cache, which is one of the most critical resources of a server's microprocessor.
  • S-boxes are substitution boxes or, simply, look-up tables.
  • S-boxes provide output which is a nonlinear function of the input, based on a lookup table.
  • Small s-boxes are lookup tables with a small number of possible inputs. Often, small s-boxes have a small number of output bits as well. For example, each s-box of DES has 6-bit inputs or 64 possible inputs and 4-bit outputs or 16 possible output values. They do not require much memory; nor does it take long to load them in microprocessor memory.
  • S-boxes are generally stored in on-chip cache, generally the next quickest form of microprocessor memory after registers.
  • DES was the first significant example of a Feistel block cipher. Such block ciphers are named after Horst Feistel. Feistel block ciphers perform repetitive operations on a left half and right half of a block, respectively. This is convenient for execution in hardware and software when the number of registers is limited.
  • DES which is particularly relevant to the defined terms used herein is the fact it swaps its primary segments, also known in DES as cipher block halves. If the swaps are included, some equations which describe in a general way both segments being recalculated, are as follows, where LH means the left half, and RH means the right half: increment i by +1
  • xor indicates bitwise exclusive-or. It is an operator which interacts bits in identical positions. If Z equals X xor Y, the result of each bit in a given position in Z equals the exclusive-or of the two bits in the same positions in X and Y.
  • small s-boxes generally do not permit ciphers that are efficient, i.e., both fast and secure. Larger s-boxes are typically consistent with more efficient block ciphers. However, large s-boxes either use a significant percentage of on-chip cache (competing with other desired uses of on-chip cache), or they must be loaded prior to each use (which is time consuming). While use of larger s-boxes might increase the efficiency and speed of DES, it would also increase startup time and the use of on-chip cache.
  • Khufu and Khafre ciphers have the following structural characteristics: First, similar to other Feistel block ciphers, it is convenient to compute the ciphers using two registers which contain the bit-values of the left and right halves. In each round of the block cipher, each register of cipher data is recalculated. This process updates and modifies the initial value of each register, which is the old primary segment, and substitutes a new register value, which is a new primary segment. In this approach, each new primary segment is mapped one-to-one with its old primary segment, all subkey segments and other primary segments being equal.
  • each new primary segment reflects not only the corresponding old primary segment but also a small number of bits which are the least significant bits ("lsb") of the other register.
  • the lsb affect the new one-to-one round segment in a non- linear manner using s-boxes.
  • the s-boxes of Khufu and Khafre have 8-bit inputs and 32-bit outputs. They accept 8-bit inputs from the last calculated register, and their 32-bit outputs affect the new primary segment in the register currently being computed.
  • Khufu and Khafre ciphers are unlike most other Feistel block ciphers in that there is only one non-linear operation (i.e., an s-box operation) in each round; it accepts input from only a small fraction or small section of the one-to-one round segment (8 bits), and that non- linear operator potentially affects all the bits of the other one-to-one round segment.
  • This small section is generally less than thirty- five percent of the one- to-one segment which contains the small section.
  • This process of using in each round a small section of a recently calculated one-to-one round segment to affect the new one- to-one round segment in a non-linear manner may be called bit expansion of a small section.
  • Khufu and Khafre use rotation as an efficient means to move bits.
  • This operation may be necessary in some form when the only nonlinear operation of each round is an s-box operation which uses only a small fraction of bits from one- to-one round segment. Rotation can ensure that all bits eventually become input of the non-linear operation, and thus have some nonlinear effect on the cipher data.
  • Khufu requires considerable time to generate its s-boxes, and is a complex block cipher.
  • block ciphers historically has followed quick startup time and simplicity.
  • Khafre uses fixed s-boxes and is simpler than Khufu, but it appears it may use many large s-boxes and it is designed only to compute a 64-bit block cipher.
  • 64-bit block ciphers are generally insecure due to small block size.
  • Encryption Designing Encryption Algorithms for Optimal Software Speed on the Intel Pentium Processor". Fast Software Encryption - Fourth International Workshop, Leuven, Belgium, 1997, referred to herein as Schneier et al.). The algorithm was designed as part of a testbed of ideas about fast software rather than as a secure, simple, or practical block cipher.
  • the s-box receives input bits from the least significant bits ("lsb") of R[-2].
  • the new primary segment R[0] reflects the linear combination of other values and the s-box output using generally non-commutative operators and using round-and-register dependent rotation. Nevertheless, use of non-commutative operators does not appear to be structured efficiently; further, the register size of 32 bits each is too small to gain significant cryptologic strength from use of non-commutative operators; and finally, the sbox is not optimized and may be random and such sbox may have, given all possible input differences, a minimum number of output bit-differences which is too small to provide adequate differential strength.
  • Testl uses only one s-box to conserve on-chip cache. It is not adequately clear that this approach is secure. Repetitive use of the same s-box in the same manner is usually insecure. While use of non-commutative operations does alleviate this concern somewhat, the registers are too small (only 32 bits) for the non-commutative operators to provide much additional strength. The cipher's use of round-dependent rotation as specified in its F-table also alleviates this concern somewhat. Nevertheless, the round-dependent rotation schedule is fixed and known and hence may not provide adequate security given reuse of the same s-box in successive rounds if the s-box is known.
  • the bootup time of the cipher is increased substantially. Further, if such a s-box is generated randomly and hence not optimized to avoid potential flaws, there is also a potential risk of weak s-boxes.
  • RC5 a symmetric encryptional method known as "RC5" (see R. Rivest).
  • the RC5 Encryption Algorithm. Fast Software Encryption - Second International Workshop, Leuven, Belgium, pages 86-96. Springer-Verlag, 1995) is based on a different paradigm.
  • Khufu and Khafre RC5 uses no s-boxes. This fact eliminates the need to reserve large segments of on-chip cache in order to store the s-boxes.
  • RC5 may be more practical to encrypt or decrypt standard packets of data, usually only 48 bytes each, received from the internet or other digitized phone networks. Such encryption or decryption may take place without having to allocate any time to transferring large s-boxes into on-chip cache.
  • RC5 is a Feistel block cipher which appears to be the first to use data-dependent rotation in a relatively efficient manner.
  • a primary distinguishing feature of RC5 is the way in which, to calculate new one-to-one round segments, it rotates that segment in a variable, i.e., data-dependent, manner depending on particular bit-values in another one-to-one round segment.
  • This data-dependent rotation is the operation which provides the cryptographic strength of RC5. It permits RC5 to eliminate s-boxes.
  • S-boxes are nonlinear and may act in a complex data-dependent manner. For example, an s-box may affect some bits in a nonlinear manner based on the values of some other bits. If RC5 did not use rotation in a data-dependent manner, it appears it would need s-boxes or some other operation which acts in a data-dependent manner.
  • a first block 10 contains plaintext input consisting of n bits at the start of the iterative enciphering process.
  • Each plaintext input block is divided up into two primary segments, 12 (RO) and 14 (Rl), each of which contain n/2 bits.
  • RO primary segment
  • Rl Rr
  • a 64-bit version of RC5 divides its input into two 32-bit block halves.
  • each such block half or one- to-one primary round segment is to be contained in one 32-bit microprocessor register, which is the register size of most modern microprocessors.
  • RC5 Prior to beginning the iterative process, RC5 adds (blocks 16 and 18) one subkey value, Kl and K2, to each primary segment, RO and Rl . Each value of Kl and
  • K2 can be the same or different. Similar to the one-to-one round segments, each such key value contains n/2 bits.
  • RC5 performs the first of many rounds of encryption. Each round of encryption computes new values of the primary segments RO and Rl . Each computation of the two primary segments is similar in form, even though it has different inputs and outputs and is stored in different registers.
  • each round uses xor (blocks 20 and 22) to combine the segments RO and Rl .
  • it extracts (block 24) a given number of bits ("f ' bits) from the least significant bits of the right primary segment Rl. For example, if f is 5 bits, it would extract the 5 least significant bits ("lsb") of Rl in order to provide one input used by the variable rotation.
  • the number of lsb in a one-to-one round segment is that number which permits as many different rotations as are possible for a primary segment.
  • a 64-bit block has two primary segments of 32 bits each.
  • the total number of different values of V extracted from the lsb of Rl may be as many 2 ⁇ f, or in this example 2 A 5, possible bit-values.
  • the "least significant bits" which affect a rotation are crytographically speaking the most significant bits of each round.
  • the xored values in the left primary segment RO are rotated (block 26) by V, i.e., the value of the lsb.
  • V i.e., the value of the lsb.
  • a subkey K3 for this half round.
  • the resulting one-to-one primary round segment is the new value of RO (block 30) in the first round.
  • This process is then repeated in the second half round to calculate the right primary segment Rl using the new value of RO.
  • the round uses xor (block 22) to combine the values of its primary segment Rl with that of the other primary segment RO. Next, it extracts the given number of bits ("f ' bits) from the least significant bits of RO.
  • Each round of RC5 is only part of a complete encryption of one plaintext block. Many rounds are generally necessary depending on block size. This number of rounds selected depends on block size and the users desire for security, but is typically greater than 8 and less than 64.
  • the ciphertext value for segments RO (block 40) and Rl (block 42) are generated, which are then combined to generate ciphertext consisting of n bits (block 44).
  • Each round of RC5 in FIGURE 1 may also be expressed as two equations, Equations 4 and 5 below, where each equation determines the bit-values of one primary segment and where each such segment corresponds to half a block.
  • RC5 does not swap its one-to-one primary round segments between calculating each such segment. Consequently, RC5 requires fewer clock cycles for a given number of new segment values and also it is easier to understand. Similar to DES, in RC5 each new value of a primary segment is a one-to-one function of its prior value given that the other one-to-one round segment and the subkeys are constant. Incidentally, in RC5 every round segment calculated in each round, with the possible exception of the value V which controls the data-dependent rotation, is a one-to-one round segment.
  • the structure of RC5 ensures that the same operations affect each primary round segment: (1) the nonlinear operation of data-dependent rotation affects each primary segment RO and Rl based on the small section bits of the other primary segment, (2) the linear combination of the two primary segments using xor affects each primary segments RO and Rl, and (3) modification by a new subkey value affects each primary segment RO and Rl.
  • decryption is the inverse of encryption. All the same steps are repeated but in reverse order. Decryption uses ciphertext output as input and recovers the values of the plaintext inputs.
  • the decryption equations (Equations 6 and 7) of RC5 are simply the inverse of the encryption equations:
  • good bits which indicates the degree to which cumulative linear combination (i.e., the process of combining round segments in a linear manner to produce a new round segment) of round segments does or does not introduce good bits to affect a rotation.
  • Good bits are those bits from cipher input which affect the small section of the segment which controls second round nonlinear activity but which do not affect the small section of the segment which controls first round nonlinear activity.
  • this bit-tracing calculation of good bits is applied to decryption equations such input may be ciphertext which is ordinarily thought of cipher output, just as the output of the last round may be plaintext.
  • the definition of good bits measures the number of small section bits which definitely control the nonlinear activities of each round which do not in general also control the nonlinear activities of the preceding round. For this reason, the number of good bits measures the inflow in each round of fresh or new data from linear diffusion which influence the nonlinear activities.
  • the block cipher has a property which may be called new small section data in successive rounds.
  • the total number of calculated good bits is zero since those segments should be excluded from the calculation of good bits.
  • the calculation of good bits is based on whichever equation (encryption or decryption) generates a greater number of good bits. This greatest number of good bits provides a rough measure of the strength of the block cipher in the area of data-dependence and bit-diffusion.
  • a typical differential attack on a block cipher relies on the fact that some bit inputs fail to affect other bit values in a block cipher.
  • a good example of block cipher encryption may therefore illustrate in simplified manner how a typical differential attack might work.
  • differential attacks are effective because they use self-cancellation to extend the power of the differential method over multiple rounds.
  • differential characteristics which have a high probability of self-cancellation in the operative rounds of the block cipher, where after several rounds of encryption there is a high probability that the output bit-difference between the two encryptions equals the initial bit-difference.
  • Cryptanalysts are generally able to use such self-cancellation of input differences between two related encryptions to find differential characteristics that can with a certain probability pass through multiple rounds unaffected by the block cipher. It turns out that when assuming the bit input differences shown above the best probability of bits canceling out is seen in every third new register value (RO in the 1st round, Rl in the 2nd round, RO in the 4th round, Rl in the fifth round, etc.). It is possible to examine a simplified example which illustrates this type of differential analysis. First, it is useful to calculate a base case using RC5 in which nothing of cryptographic interest occurs. Using the plaintext input shown above where all bits equal 0, it is useful to assume that all subkey bit values also equal 0.
  • the interesting step in creating a useful illustration of the behavior of RC5 is to allow certain non-zero input bits.
  • the new one-to-one round segments in succeeding rounds of this example based on an input or input-difference which has some non-zero bits illustrates the differential behavior of the cipher.
  • FIGURE 2 wherein the blocks are numbered as in FIGURE 1 , with the numbers in the second round being designated with a prime
  • FIGURE 2 a simple example in which given input values where some bits are modified from the base case to non-zero bits, the non-zero bits pass through two rounds of RC5 encryption with little or no effect upon the other bits is shown.
  • all key values and most of the input values are equal to 0.
  • This example is similar to the differential input difference shown above. Only the fifth bit of each register, i.e., each block half, has a value of 1.
  • every third primary segment or half round of RC5 contains bits in which any non-zero input bits have canceled out and all bits are equal to 0.
  • this self-cancellation property reduces the effort required to break the cipher.
  • a block cipher may iterate through potentially a large number of rounds, and yet the output may depend primarily on only eight plaintext bits and on those subkeys which influence the one-to-one round segments associated with those plaintext bits. This suggests that the block cipher violates a requirement of a secure block cipher in that every output bit depends on every bit of plaintext input and on every bit of key input.
  • variable cipher data circulate in such a manner such that in certain rounds (where in general one round is a number of steps large enough that the number of data-dependent rotations is at least as great as the number of primary round segments in the block cipher) there exists a small set of potentially stagnant or isolated stationary variable bits in specified bit-positions which control the number of bits of all data-dependent rotations ("specified isolated bits") where by definition a) only that set of specified isolated bits in the specified bit- positions can control the data-dependent rotations, and b) only that set of specified isolated bits in the specified bit-positions can affect, using generally other data- dependent operations, the values of the specified isolated bits in the same specified bit- positions.
  • the number of specified isolated bits is the smallest number possible assuming any possible data-dependent rotations. This means, assuming that those data-dependent rotations occur, there is a minimum number of specified isolated bits where only those bits can control the degree of data-dependent rotations in the block cipher, and only those specified isolated bits can affect their own values when using other data-dependent operations (such as using xor and addition).
  • RC5-32 In the case of RC5-32 (i.e., using the example shown above and in FIGURE 2 which has a 32-bit block size and two 16-bit halves), in one round there are 8 specified isolated bits, which are the least significant 4-bits of each of the two round segments, where in that round only the 8 specified isolated bits affect data-dependent rotations, and assuming a data-dependent rotation of zero bits the specified isolated bits are affected only by the specified isolated bits in that round.
  • this number of specified isolated bits is invariant as the number of rounds increases. In other words, given an infinite number of rounds, it is still theoretically possible that in RC5 an input bit might not affect a data-dependent rotation.
  • the number of specified isolated bits is a small fraction of the number of bits in the n-bit variable cipher data block (in this example, the 8 specified isolated bits are only 25 percent of the total of 32-bits in the total data block).
  • the weakness of RC5-32 can be seen using Equations 4 and 5.
  • the specified isolated bits are in the least significant 4 bits in bit-positions 0 through 3 of each of the block halves RO and Rl . Only bits in these positions can affect the data-dependent rotations.
  • the xor of the block halves combines the bit-positions 0 through 3 in each of the block halves, to produce a result where its least significant 4 bits in bit-positions 0 through 3 depend only on the specified isolated bits.
  • Cipher attacks which limit their analysis of RC5 to plaintext inputs which prevent rotations from occurring in the initial rounds are said to take advantage of weak subkeys. All subkeys of ciphers depending on data-dependent rotation have some plaintext inputs for which this is true, though it is easier to use this type of attack when the rotations depend on as few plaintext inputs as possible. Similarly, cipher attacks which limit their analysis of RC5 to input values which provide rotations which cancel out some input differences with a high probability are said to take advantage of differentially weak subkeys. It may be that all subkeys of ciphers using data-dependent rotations have plaintext inputs for which this is true, though it is easier to use this type of attack when such rotations depend on as few plaintext inputs as possible.
  • RC5 may depend primarily on only some subkey values and some cipher input bits.
  • An unrelated potential weakness of RC5 is that it has a complex and somewhat slow key expansion method. This method requires roughly nine operations per subkey, or eighteen operations per round, in order to expand RC5's input key. Efficient encryption and decryption of standard 48-byte digital network packets requires quick key expansion. It should be noted it is not accidental that the key expansion method in RC5 is somewhat slow. In particular, RC5 uses a complex nonlinear method using data- dependent rotations to expand its key.
  • the robust quality of encryption using this method resists attacks by sophisticated algorithms which detect and take advantage of weak subkeys to determine the keys of the cryptographic system.
  • the block cipher of the present invention uses no more on-chip cache than necessary, and uses its s-boxes in a secure manner.
  • the data encryption system for encrypting an n-bit block of input in a plurality of rounds of the present invention, where n is preferably 128 bits or more.
  • the data encryption system includes a computing unit for the execution of each round; memory for storing and loading segments; a bit-moving function capable of rotating bits (or of otherwise moving bits into different positions) of one-to-one round segments by predetermined numbers of bits; a linear combination function which provides new round segments using a round operator generally from a first algebraic group to combine two different round segments; and a nonlinear function which affects a round segment based on a value which depends on bits from another round segment, where both round segments are different round segments from the same one-to-one round segment set.
  • a round operator is a mathematical operation capable of being carried out in a microprocessor in computing an operative round, such as addition, subtraction, bitwise exclusive-or, or rotation.
  • Both embodiments of the present invention are block ciphers with cipher data blocks preferably of at least 128 bits, which are either Feistel ciphers or near-Feistal ciphers.
  • the Feistal ciphers divide the data block up into no more than two block halves of SZ bits, wherein the halves are primary round segments and SZ is a value as small as 64 and as large as 128.
  • the near-Feistel block ciphers divide the data block into no more than two large segments, each containing 64 or 128 bits, and a third small primary round segment not to exceed 20 bits. In practice, this means that both embodiments of the current invention use mathematical operations computable on a microprocessor which act on either a 64-bit or a 128-bit segment of cipher data.
  • Embodiments of this Feistel or near-Feistel approach generally modify each of the primary round segments in each round of calculation in the same way, typically using operations which modify all the bits of the large primary round segments in single linear operations. While the present invention is not restricted to use of a Feistel or near-Feistel approach, this approach is generally beneficial to the security of the cipher.
  • the block size is at least 128 bits, that such block size be predetermined (rather than of variable or perhaps text-dependent size), and related to these points, it is preferred that the minimum size of the round segments rotated by the a data-dependent variable rotation function is at least 32 bits.
  • Feistel block ciphers are not randomly designed, but have regularly repeating rounds in which identical operations occur in a similar manner. Such Feistel block ciphers have the best record of security and popularity in the field of encryption.
  • DES is an aging, but still viable encryption standard which is a Feistel block cipher.
  • RC5 is a new paradigm using data-dependent rotations in a Feistel block cipher.
  • one embodiment of this invention uses relatively non-commutative operators for sbox output combination and for linear diffusion in a Feistel or near-Feistel block cipher.
  • the nonlinear function is a variable rotation function executable on the computing unit which generally rotates a one-to-one round segment by a value which depends on a preselected number of bits from a preselected location of a different one-to-one round segment from the same one-to-one round segment set.
  • the nonlinear function is an s- box and the system generally includes a s-box linear combination function which uses a round operator generally from a second algebraic group executable on the computing unit which combines a one-to-one round segment with the output of an s-box lookup of a value which depends on a preselected number of bits from a preselected location in a different one-to-one round segment from the same one-to-one round segment set, wherein the first algebraic group is preferably non-commutative with the second algebraic group.
  • all embodiments of the system of the present invention have a subkey combining function in each round which provides new round segments by combining a round segment typically linearly with a subkey segment, where the number of times the subkey function is used in the operative rounds and in the qualified operative rounds of the cipher is roughly equal to the number of times in such rounds the nonlinear function is used, or in any case is at least half of the number of times in such rounds the nonlinear function is used.
  • Qualified operative rounds of a binary block cipher refer to operative rounds of the block cipher which exhibit some particular, generally good, cryptographic properties.
  • FIGURE 1 is an algorithmic flow chart of RC5 encryption in accordance with the prior art
  • FIGURE 2 is an example illustrating two rounds of RC5 encryption assuming particular plaintext input and subkey values in accordance with the prior art
  • FIGURE 3 is an algorithmic flow chart of an encryption method using data-dependent rotation in accordance with the present invention
  • FIGURE 4 is an example which illustrates two rounds of the encryption method of FIGURE 3, assuming input and subkey values used in FIGURE 2, in accordance with the present invention
  • FIGURE 5 is an algorithmic flow chart of a method for subkey generation for block ciphers using data-dependent rotation in accordance with the present invention
  • FIGURE 6 is an algorithmic flow chart of an encryption method using data-dependent rotation in accordance with an alternate embodiment of the present invention
  • FIGURE 7 is an algorithmic flow chart of an encryption method using an s-box in accordance with another alternate embodiment of the present invention
  • FIGURE 8 is an example illustrating two rounds of the encryption method of
  • FIGURE 7
  • FIGURE 9 is an algorithmic flow chart of an encryption method using an s-box in accordance with still another alternate embodiment of the present invention.
  • FIGURE 10 is an algorithmic flow chart of a method for complex subkey generation in accordance with the present invention.
  • FIGURE 11 is an algorithmic flow chart of a method for complex subkey generation to a generative block cipher using s-boxes in accordance with the present invention
  • FIGURE 12 is a column listing of examples of ineffective and effective fixed rotation as it applies to data-dependent rotation in accordance with the present invention
  • FIGURE 13 is a block diagram of a hardware embodiment of the method of the encryption method using data-dependent rotation in accordance with the algorithmic flow chart of FIGURE 6;
  • FIGURE 14 is an algorithmic flow chart of an encryption method using an s-box in accordance with another alternate embodiment of the present invention.
  • FIGURE 3 an algorithmic flow chart for one round of the cryptographic system of the present invention is generally shown.
  • the present invention is primarily intended to be practiced in a computing unit, such as a microprocessor, and the primary segments stored in memory.
  • a first block 50 contains a n-bit cipher input (e.g., plaintext) at the start of the iterative enciphering process.
  • Each input block is divided up into x, in the present example x equals 2, primary round segments 52 (RO) and 54 (Rl), where typically each contain n/x bits.
  • the value of x may vary in each round, but it is generally preferred that x be the same in all operative rounds.
  • the value of x can be any integer of at least two, preferably an integer of from 2 to 4.
  • x equals 2 in all rounds; for the purposes of this example, x will be assumed to be 2.
  • a 128-bit version of the cryptographic system divides its input into two 64-bit primary round segments or block halves. In the present example, each block half is computed in one 64-bit register.
  • linear combination operators are used and they are designated herein as L1,L2,L3,L4, etc.
  • Such linear operators are, at a minimum, round operators, i.e., operators computable using mathematical operators capable of being carried out on most microprocessors.
  • Linear Operators are drawn from the list of all operators computed as part of the instruction set of a typical microprocessor which have two inputs, and examples of linear operators include addition, subtraction, SIMD addition, SIMD subtraction, bit-wise exclusive-or, and either addition or subtraction executed in parallel (e.g., MMX-style addition of 2 segments of 32-bits each from two 64-bit registers).
  • Linear Operators are restricted to those operators computed as part of the instruction set of a typical microprocessor which have the properties that (1) given two inputs with an equal probability of containing O's and l's, the output of the operator contains generally an equal probability of O's and l's, and (2) given that either input is constant, the output is a one-to-one function of the other input. More specifically, they are instructions executable on a computing unit having two input segments typically of unsigned integers and one output segment which is typically an unsigned integer, such as addition, xor, addition or subtraction in parallel (such as MMX-style addition of two
  • a segment is a fixed number of ordered bits, where that number is an integer of at least 2.
  • Linear combination operators which are called for simplicity linear operators, are restricted to mathematical operations where: (1) given two input segments with an equal probability that each input bit of the segments may be 0 or 1 , the output segment has generally an equal probability that each of its output bits may be a 0 or 1, and (2) given that either input is constant, the output is a one-to-one function of the other input which is not constant.
  • linear combination operators used in block ciphers are computed almost without exception using modular arithmetic, where the modulus of the calculation usually reflects the number of bits in the segment being computed.
  • any linear operation may be substituted for any other linear operation in any round, and no round must use the same linear operators in the same way as the preceding round. Nevertheless, for simplicity and in some cases to optimize the security of the cipher to defend against certain attacks, it is preferred to select linear operators from certain algebraic groups where the same linear operators are used for the same purposes in each round.
  • indirect linear combination will encompass both linear combination and predetermined 1 : 1 operations.
  • a 1 : 1 predetermined linear transformation (“1 :1 PLT”) is a predetermined operation from the 1:1 transformation group consisting of ⁇ predetermined direct linear combination, predetermined bit-rotation, predetermined bit-permutation, and predetermined 1 : 1 reversible bit-diffusion ⁇ on a particular variable value of cipher data such that its output is mapped 1 -to- 1 with its input value.
  • a fixed rotation of a variable segment by a predetermined number of bits is a 1 : 1 PLT.
  • a linear combination of a particular variable value with a predetermined key value is a 1 : 1 PLT.
  • Linear combinations and 1:1 PLT's by themselves do not result in any significant increase in crytographic security because such functions lack the non-linear aspect of "confusion".
  • Linear combination of a first and second variable value can mean the direct combination of the values using linear operators. Direct examples of such combination usually involve use of certain linear combination operators (such as xor, addition, subtraction, SIMD addition, SIMD subtraction).
  • indirect linear combination means a calculation which involves a combination of direct linear combinations and 1 :1 PLT's, subject to three conditions.
  • each input segment into the calculation is of equal size (an equal number of bits) and where that segment and all 1:1 PLT's of that segment affect the output of the calculation one time only (as an input into a direct linear combination).
  • Indirect linear combination is like the root of a tree. It does not feed into the tree in two different places.
  • indirect linear combination may use any number of 1 : 1 PLT's
  • in practice well-designed block ciphers using indirect linear combination of Q variable segments limit the use of 1 : 1 PLT's per such linear combination to a number no greater than (Q+l).
  • An example of indirect linear combination includes (1) operating on a first variable segment with a fixed rotation and (2) on a second segment by adding to it a predetermined subkey value, prior to combining the results of these two predetermined operations using a linear combination operator.
  • Another example is a direct linear combination of a first variable segment with a second variable segment where the resulting sum is an input into a predetermined bit-permutation, where the output of the calculation is the output of the bit-permutation.
  • a first variable segment is added to a predetermined rotation of a second variable segment and then xored with a bit-permutation of the first variable segment, where the output of the calculation is the final xor result.
  • one input segment affects the output is two different ways. Hence, there is a violation of one of the three conditions.
  • the linear operator which is said to combine the two values is that linear combination operator which combines the two results of the 1:1 PLT operations.
  • the result of the process has the two properties that (1) given two inputs with an equal probability of containing O's and l's, the result of the process contains generally an equal probability of O's and l's, (2) given that either input is constant, the output is a 1 :1 function of the other input.
  • variable values are said to be linearly combined, such a statement by definition does not require that the values be directly combined as they may be indirectly combined; however, it does make clear that the combination of the two variable values takes place without using any non-linear operations (such as data- dependent sbox use, data-dependent rotates, data-dependent-shifts, or data-dependent multiplication).
  • linear combination and being “linearly combined” refer to direct linear combination, unless it is stated or implied that indirect linear combination is also a possibility.
  • variable values there also may be direct or indirect linear combination of three variable values.
  • this is an indirect example of linear combination, it means that at least one variable segment in the calculation was operated on by a 1 :1 PLT.
  • two linear combination operators are generally required to combine three variable values.
  • the three variable values would generally be operated on (after any initial 1 : 1 PLT operations) by two linear operators in order to produce a combined single linear result.
  • Such indirect linear combination of three variables values may occur even though one of the variable values may be a nonlinear function of the other variable values.
  • the combination of values can be a linear combination of the three potential input values even though the source of one of the three variable values may in fact be a nonlinear function of another.
  • a linear combination of a substitution box result, with two block halves is a linear combination of its three input values even though the substitution box result may reflect certain bits in one of the block halves in a non-linear manner.
  • the description of a calculation as a direct or indirect linear combination refers to the details inside the calculation and does not inform us whether the inputs into the calculation are biased, correlated, or are a nonlinear function of other inputs into the calculation.
  • the result of the process has the two properties that (1) given three inputs with an equal probability of containing O's and l's, the result of the process contains generally an equal probability of O's and l's, (2) given that any two of the three inputs are constant, the output is a 1:1 function of the variable input.
  • the present invention linearly combines (block 56) using operator LI at the right primary round segment, Rl, with a first subkey value, Kl .
  • the present invention performs the first of many rounds of encryption. Each round of encryption computes new values for its primary segments RO and Rl .
  • Subkeys are an expansion of a cipher key. Typically, the expansion transforms a given fixed number of bits to a much greater number of bits. Such subkey values are used often in predetermined particular rounds of a block cipher.
  • a round segment is a segment which is a segment of bits of n-bit round input, or a segment of bits of n-bit round output, or a segment of bits calculated in a cipher round which is affected by n-bit round input, and which affects n- bit round output, where the word affect or affected indicates that when a first segment affects a second segment, a random change in the first segment will change at least one bit in the second segment with a chance of at least one in three.
  • Both RO and Rl are primary segments, and are also one-to-one round segments. In fact, except for the small sections of bits which determines the data-dependent rotation, all variable segments in each round of this embodiment are one-to-one round segments.
  • the round calculates (block 58) a new value from a rotation of the right round segment Rl by a predetermined number of bits (typically rotation to the right by "f ' bits), referred to as fixed rotation. It linearly combines (block 60) using operator L2, this intermediate round segment with subkey K2 for this half round to produce a new intermediate round segment. It then linearly combines (block 62) using operator L3, the round segment RO and the new intermediate round segment to provide a replacement value for the primary round segment RO.
  • a given number of bits is extracted (block 64) from the least significant bits of the right round segment Rl .
  • a one-to-one round segment set is a set of ordered round segments in an operative round where it is true that each n-bit round input corresponds with only one possible ordered result insofar as the particular values of the ordered segments of that set are concerned, and that any particular ordered result insofar as the particular values of the segments are concerned corresponds with only one n-bit round input.
  • a one-to-one round segment is a round segment which is parf of a one-to-one round segment set. Then, the left primary round segment RO is rotated (block 66) by V, the value determined by the lsb to provide a replacement value for the primary round segment RO (block 68) which is also a one-to-one round segment.
  • the round calculates (block 70) an intermediate round segment from a rotation of the other register RO by f. It linearly combines (block 72) using the operator L4, this intermediate segment with subkey K3 for this half round to produce a new intermediate round segment. It linearly combines (block 74) the right primary round segment, Rl, and the new intermediate round segment to produce a replacement value for the primary segment Rl .
  • a primary segment of an operative round is a segment of the new value of which is calculated to be part of its n-bit round output, and where typically the n-bit round input contains an old or prior value of the same segment, where throughout the round there are one or more new replacement values of the primary segment calculated where each new replacement value is a one-to-one function of its prior value, if all subkey values and all other primary segments are constant. Generally, all primary segment values are one-to-one round segments.
  • the system linearly combines (block 82) using the last linear operator of the rounds the left primary round segment RO, with the last subkey value, Klast.
  • the ciphertext value for segments RO (block 84) and Rl (block 86) are complete, and are then combined to provide ciphertext consisting of n bits, i.e., a n-bit cipher output (block 88).
  • each new primary one-to-one segment RO and Rl there is a nonlinear function, which in this case is data-dependent rotation, which calculates a new one-to-one segment by modifying a one-to-one round segment from a particular one-to-one segment set based on a value which depends on preselected bits in a preselected location of a different one-to-one round segment from the same one-to- one segment set.
  • a nonlinear function which in this case is data-dependent rotation, which calculates a new one-to-one segment by modifying a one-to-one round segment from a particular one-to-one segment set based on a value which depends on preselected bits in a preselected location of a different one-to-one round segment from the same one-to- one segment set.
  • the value depends on a number of bits less than thirty- five percent of the size of the one-to-one round segment in the chain, i.e., a small section of the segment
  • each primary round segment RO and Rl there is a subkey combining function, which produces a modified round segment from a round segment.
  • the subkey has generally the same number of bits as the round segment being modified, this embodiment of the invention has a property referred to herein as adjustment by a full-sized subkey. Achieving this fourth property appears beneficial and perhaps necessary for block ciphers using data-dependent rotation.
  • the linear operators in this embodiment of the invention may be any linear operator. Further, the linear operators may differ in different rounds, and thus be round dependent.
  • L2 could be xor
  • L3 could be addition (in the modulus of the round segment)
  • L4 could be xor
  • L5 could be addition (in the modulus of the round segment), which one can represent as ⁇ L2:xor, L3:+, L4:xor, L5:+ ⁇ in each round.
  • linear operators in such a way that in each round when a given linear function is used for a particular function, the linear operator used is always the same.
  • addition might be used as the operator which does all linear combination of one-to-one round segments
  • xor is used as the operator which does all linear combination of round segments and subkeys. This is the specific approach adopted in the preferred embodiment of the invention.
  • use of addition for all linear combinations in the round is also believed to be secure.
  • all linear operators could be xor, this option may be less secure.
  • each primary segment is an indirect linear combination of two primary segments.
  • the new value of each primary segment is an indirect combination of its value with another primary segment, where that other segment is combined linearly with a subkey prior to the linear combination of round segments.
  • the combination with a predetermined subkey is an example of a 1 : 1 PLT.
  • placement of the subkey values is flexible; it could have been placed anywhere in the round where it would affect a round segment.
  • the new round segment value is a linear combination of round segments derived from other round segments.
  • Such derivation can involve a 1 :1 PLT such as combination with a subkey as shown above. Or it may be simpler or more complex.
  • a general statement of the embodiment is to observe that it calculates a new value of a particular primary round segment which is a direct or indirect linear combination of round segments derived from two round segments, one of which is the current value of the particular primary round segment, and the other is most of the bits of some other primary round segment.
  • Such derivations can be a direct identity transformations of the two input round segments, or they can be more complex. If the derivations are not a 1 :1 PLT of the input round segments, it is preferred generally that each such derivation be solely from its input round segment, or perhaps that each such derivation be solely a 1 : 1 function of its input round segment.
  • a derivation of a second value from a first value means that the first value is at least one of the variable and predetermined data sources which may affect the calculation of the second value
  • a derivation of a second value solely from a first value means that the first value is the only variable data source which affects the calculation of the second value, even though there may be multiple predetermined values such as subkey values which also affect the calculation of the second value
  • (3) a derivation of a second value as a 1 : 1 function of a first value means that the first value is the only variable data source which affects the calculation of the second value, and that the second value is a 1 :1 function of the first value
  • (4) a derivation of a second value as a 1 : 1 PLT of a first value means that a predetermined number of 1 : 1 PLTs, which may be
  • derivation of a second value from a first value under definition #4 is a subset of definition #3; similarly, definition #3 is a subset of definition #2; similarly, definition #2 is a subset of definition #1.
  • Each round of the present invention may also be expressed as two equations, where each equation determines the value of one primary round segment, i.e., where i is the index of the round and is incremented by x between rounds, e.g., incremented by 2.
  • Equations 8 and 9 ignore the first and final xors of the subkeys Kl and Klast to the plaintext input and ciphertext output.
  • Decryption is the inverse of encryption. In the present invention all the same steps are repeated but in reverse order. Decryption uses ciphertext output as input and recovers the values of the plaintext inputs. Of course, as noted above, what is herein called the decryption operation can be used for encryption, and vice versa.
  • the decryption equations (Equations 8 and 9) of the present invention are the inverse of the encryption equations:
  • the number of bits of fixed rotation, f is as large as the size of number of bits which determine the data-dependent rotation, which equals the log base 2 of the bit-size of the round segment (such as 5 bits if there are two primary segments and the size of each such round segment is 32 bits, or 6 bits if the size of each rotated round segment is 64 bits).
  • f the number of bits of fixed rotation, rotated either to the left or to the right, is (z-l),z, or (z+1) bits.
  • Equation 8 we look at the specified isolated bits of the input RO, those must be variably rotated by a value of zero bits in order that the specified isolated bits affect no output bits in bit-positions which are not part of the specified isolated bits (in bit positions other than 0 through 5).
  • bit-position 6 is not one of the assumed specified isolated bits, and yet it is affecting the specified bit-positions in bits 0 through bit 5. This contradicts the definition of the term specified isolated bits as it demonstrates that the bits are not isolated but are affected by other bits for all possible variable data-dependent rotations.
  • use of the predetermined bit-moving operations generally ensures that every input bit of the block cipher can affect a rotation within 10 or 20 rounds regardless of what variable data-dependent rotations may occur.
  • predetermined bit-moving operators may be inserted anywhere into a block cipher, one may test for an indication that the placement of the bit-moving operations is beneficial.
  • the number of specified isolated bits is equal or nearly equal to the bit-size of the variable cipher data block, one has confirmation that the structure or placement of the predetermined operations in the block cipher is appropriate.
  • the number of specified isolated bits equals the size of the n-bit variable data block, which is to say there is no small subset of isolated bits in the cipher.
  • the block cipher In order for the use of fixed rotation or other predetermined bit-moving operations in the block cipher to achieve a certain minimal standard, it is preferred that use of such predetermined operation permits the block cipher to increase its number of specified isolated bits to a minimum number of bits which is greater than 50 percent of the size of the n-bit variable data block. It is better still if the number of specified isolated bits is greater than 80 percent of the bit-size of the n-bit variable data block.
  • the fixed rotation has an input which is a round segment, and that the output of the fixed rotation is a round segment. Further, some of the bits of the input to the fixed rotation are variable; and at least some of the bits of its output affect n-bit round output.
  • fixed rotation by a non-zero number of bits may generally be placed anywhere in the round function without reducing its benefits to security.
  • fixed rotation is just one type of bit-moving operation.
  • Fixed rotations are just one type of predetermined bit- permutation.
  • the benefits of fixed rotation by non-zero numbers of bits to the security of block ciphers using data dependent rotation is not restricted to fixed rotations, but rather such security benefits can result from use of all predetermined bit-moving operations in general, including predetermined non-identity bit-permutations. And hence the function used need not be a fixed rotation, and may instead be any kind of non-identity predetermined bit-moving operations.
  • the bit-moving operation or function may also be a logical or arithmetic bit- shift operation.
  • Predetermined circular bit rotation operations and predetermined bit- shift operators both use predetermined rotation.
  • logical or arithmetic shift operations drop or discard bits when they are rotated over the start or end of a round segment.
  • a predetermined logical shift operation is equal to a combination of a predetermined bit-rotation with a predetermined bitwise AND operation with a constant value also called a bit-mask operation.
  • predetermined circular rotations may be derived a class of predetermined non-identity rotation operators which include not only predetermined circular rotations but also logical bit-shift and arithmetic bit- shift.
  • discussion to follow helps to show that from predetermined non- identity bit-permutations may be derived a class of predetermined bit-moving operators which includes not only non-identity bit-permutations but also modified bit- permutations where, for example, not all input bits affect output bits.
  • predetermined circular rotations are a member of both such classes, and also the class of predetermined non-identity rotation operators is a subset of the class of predetermined bit-moving operators.
  • bit-moving is used generally to describe operations executed in software or hardware which move bits, by which it is meant that a given input bit in a given position is "moved", i.e., that input bit solely determines the value an output bit in a different position.
  • a variable rotation might be called a bit-moving operation (particularly if the number of bits of the variable rotation is non-zero).
  • a predetermined operator which moves at least 1 input bit in a given bit-position in a predetermined manner to a different bit-position in its output executable in software or in hardware which: a) includes or comprises a predetermined non-identity bit-permutation as a way to move one or more bits, and b) may optionally include use of the operators predetermined bit-concatenation, predetermined bit-discarding, and partial masking using bitwise AND and bitwise OR.
  • a predetermined non-identity bit-permutation is a bit- permutation which has at least one input bit in a given bit-position which determines the value of an output bit in a different bit-position.
  • Predetermined non-identity bit- permutations do not operate on or combine their bits and only permute the order of their bits, and they are predetermined 1 : 1 transformations where each input bit solely determines one output bit, and when calculated or traced backwards, each output bit solely determines one input bit.
  • this definition does not in all cases require that a predetermined bit-moving operation must use a predetermined non-identity permutation as part of its calculation, as alternative ways of expressing the calculation may exist which do not require use of a predetermined non-identity permutation. In such cases, there will exist a mathematically or cryptographically equivalent expression which does use a predetermined non-identity bit-permutation functionally as a means to move one or more bits. Note also that it is preferred that a predetermined bit-moving operation move more than 1 bit into a new bit-position; this would be either inefficient or insecure.
  • f is the log base 2 of the bit-size of the round segment being variably rotated. Even better, it is preferred that it move a number of bits into new positions which equals the bit-size of a round segment being variably rotated.
  • predetermined bit- moving operators or predetermined non-identity rotation operators are used to improve the security of bit-diffusion such that all bits in the data block can affect a variable data- dependent rotation, to make use of only a small number of bits of the output of the predetermined bit-moving operator.
  • predetermined bit- moving operators or predetermined non-identity rotation operators are used to improve the security of bit-diffusion such that all bits in the data block can affect a variable data- dependent rotation
  • a predetermined bit-permutation has an equal number of input bits and output bits.
  • a predetermined bit-moving operator might be a predetermined bit- permutation with a variable input where that variable input is concatenated with an invariant empty field filled with zeros using a bit-concatenation operator, such that the output includes those zeros and is larger than the variable input.
  • some of the output bits from a bit-permutation might be discarded using a bit- discarding operator, and thus the output of a predetermined bit-moving operation might be smaller than its input.
  • non- identity bit-permutations with bit-wise AND and bit-wise OR operations such that some but not all bits are "masked out” and their values are replaced by constant values such as 0 or 1.
  • predetermined bit-moving operations include the rotation operators, which include predetermined circular bit-rotation by non-zero numbers of bits and predetermined bit-shifting by non-zero numbers of bits (either logical or arithmetic bit-shift, although generally logical bit-shift is preferred to arithmetic bit- shift), predetermined non-identity bit-permutation operators such as predetermined non-identity byte-permutations, byte-order reversal operations.
  • Examples of operations which are not predetermined bit-moving operations include variable bit-rotation, variable bit-shift, addition, subtraction, multiplication, bitwise- AND, bitwise-OR, xor.
  • predetermined bit-moving operations all have inverses and may be xored with their "bit-moving inverses" to cancel out the effect of any bit-movement, and provide an identity transformation of their inputs as a result.
  • bit-moving inverses may be xored with their "bit-moving inverses" to cancel out the effect of any bit-movement, and provide an identity transformation of their inputs as a result.
  • predetermined non-identity rotation operators use of fixed, i.e., predetermined, circular bit-rotation (or its mathematical or cryptographic equivalent using other operators such as bit-shift operators) is generally preferred to use of predetermined non-identity rotation operators.
  • predetermined non-identity rotation operators or its mathematical or cryptographic equivalent using other operators
  • predetermined bit-moving operations is critical.
  • bit-moving operators or related mathematically equivalent operators are derived from use either of fixed circular bit-rotation or of predetermined non-identity bit-permutation.
  • the cipher is either insecure or inefficient.
  • the fixed rotation directly or indirectly affects the size of the set of bits which control the data-dependent rotations. By increasing the number of specified isolated bits, which is the minimum size of the set of bits which controls the data-dependent rotation, the fixed rotation helps to provide adequate linear diffusion.
  • Khufu which uses larger sboxes with more output bits than input bits, and uses fixed rotation as a novel means of ensuring all sbox output bits eventually become an sbox input was a novel and ingenious design which took advantage of the strengths of the microprocessor for efficient, secure encryption.
  • bit-permutation is a way of ensuring in general that at least one bit from each different sbox is assigned to each sbox input in the next round.
  • bit-permutation is a way of ensuring in general that at least one bit from each different sbox is assigned to each sbox input in the next round.
  • bit-permutation is sophisticated and reflects the insights of IBM and the NSA in the 1970's.
  • bits are called good bits and they control the number of bits of data-dependent rotation in the given round.
  • This number of good bits (2f) is more than half of the 2f-bits which affect the variable rotations of each round. Consequently, the system of the present invention has the property called new small section data in successive rounds.
  • One feature of this embodiment which permits a number of good bits greater than zero (i.e., greater than the number of good bits of RC5) is its use of active and effective fixed rotation in its iterative rounds. It is important to understand that use of the term active fixed rotation does not mean fixed rotation passively as means of accessing a small number of bits. Active fixed rotation is fixed rotation where if the output of a fixed rotation round operator produces z bits, most bits of the output and preferably at least (z-2) bits affect the n-bit round output of that round.
  • Effective fixed rotation has a different meaning. It refers to use of fixed rotation in effective manner. Effective use of fixed rotation in the iterative rounds of a block cipher using data-dependent rotation is use which is not directly commutative with use of fixed rotation. In other words, it is ineffective use of fixed rotation if it occurs on top of or in sequence with rotation of a similar one-to-one round segment using data- dependent rotation.
  • column A shows a simple example illustrating ineffective fixed rotation.
  • column A is an example of an unproductive one-to-one segment rotation chain.
  • An unproductive one-to-one segment rotation chain is a chain of at least three round segments wherein the following properties are true without regard to whether the block cipher (encryption) or its inverse (decryption) is calculated: (1) each round segment except for the last segment in the chain affects the next round segment in the chain and no other round segments, (2) each round segment except for the first one is determined by a round operator whose input sources are selected from the group consisting of the previous round segment in the chain, subkey values, any data-dependent values which determine the rotation of the data-dependent operators in the chain, and (3) the chain includes the input round segments and output round segments of particular instances of each of two functions, a fixed rotation function and a data-dependent rotation function.
  • An unproductive one- to-one segment rotation chain is defined herein as a chain of at least three round segments 200, 202, 204 wherein the following properties are true without regard to whether the block cipher is computed normally (often called encryption) or in its inverse mode (often called decryption): (1) each round segment of the chain except for the last segment of the chain affects the next round segment of the chain and affects no other round segments, (2) each round segment of the chain except for the first round segment of the chain is determined by a round operator whose inputs are selected from a group consisting of and limited to the previous round segment in the chain, subkey values, and any values which determine the degree of data-dependent rotation, and (3) the chain includes both the input round segments and the output round segments of particular instances of each of two functions, a fixed rotation function and a data- dependent rotation function. Any fixed rotation where its output segment (or its input segment) is a round segment in an unproductive one-to-one segment rotation chain is ineffective fixed rotation.
  • predetermined rotations by non-zero numbers of bits are ineffective fixed rotation if they are part of an unproductive one-to-one segment rotation chain.
  • non- identity bit-permutations or logical bit-shifts are used in a manner equivalent with bit- rotations, they may classified as ineffective if they are part of an unproductive one-to- one segment rotation chain.
  • All other uses of predetermined bit-rotations by non-zero numbers of bits, non-identity bit-permutations, and bit-shifts are classified as effective bit-rotation (even if the predetermined bit-moving operation is not, strictly speaking, bit-rotation).
  • column B in FIGURE 12 there is an external input into a chain of segments 206, 208, 210, 212, while the input is from a subkey value.
  • column B is also an unproductive one-to-one segment rotation chain and any fixed rotation with an output round segment in this chain is ineffective fixed rotation.
  • Another indirect or tentative way to confirm the increase in strength associated with the present invention is to compare different indicators in two different scenarios.
  • the number of bits of fixed rotation equals zero.
  • the number of good bits equals zero, and in general not all input bits affect a rotation given any number of rounds for some subkeys.
  • the number of bits of fixed rotation equals f.
  • the number of good bits is 2f, and, not taking into account any possible self-cancellation of input bits, all plaintext input bits affect a rotation regardless of the values of the subkeys after roughly n/xf rounds.
  • FIGURE 4 wherein the blocks are numbered as in FIGURE 3, with the numbers in the second round being designated with a prime
  • a simple example is shown in which a given input passes through two rounds and is modified by it despite simple subkeys in which all values equal 0.
  • the bits which determine rotations in this example are not based solely on the initial lsb of the plaintext input segments.
  • This example reflects a cryptographic system in which the variable rotations depend on many different subkey and input values.
  • variations in the present invention include using values of x other than 2 in certain or in all rounds (i.e., more than 2 primary segments), and using linear combination operators other than those shown above in the preferred embodiment.
  • variations in secure binary block ciphers including but not limited to: (1) the source of bits affecting non-linear activity, (2) changes in the number of bits of fixed rotation, (3) reversing the direction of the data-dependent rotation, (4) a different order of computing primary round segments (5) new or different key expansion methods, (6) different key placement in the equations, (7) alternative placement of the fixed rotation, (8) achieving nonlinear bit expansion with an s-box instead of data-dependent rotation, (9) other key expansion methods associated with more complex subkey generation.
  • FIGURE 3 is shown having certain bits extracted from the least significant bits of one-to-one round segments for purposes of obtaining f bits to affect a variable rotation
  • extraction of bits from the least significant bits may not always be preferred.
  • Such an extraction of bits from the least significant bits generally requires nothing more than one mask operation.
  • extract bits from anywhere else in a register generally requires both a fixed rotation and a mask operation.
  • the present invention may not be so limited as microprocessor technology advances.
  • Intel MMX operations are believed to permit extraction of bits from preselected locations in certain registers other than the lsb as efficiently as extraction of bits from the lsb. Consequently, in the present invention it is preferred to extract bits which have nonlinear effects from the lsb or from other bit locations from which bits may be extracted efficiently.
  • FIGURE 3 is shown with fixed rotation to the right by f bits (where f is generally equal to 6 bits given a 128-bit block cipher), it will be appreciated that the rotation can also function by rotating to the left.
  • the fixed rotation is typically based in the number of bits, f, required to select a new position for a data-dependent segment (e.g., 6 bits permits 2 ⁇ 6 possible rotations, which is the segment size for a 128-bit block with 2 block half primary segments of 64-bits each).
  • a fixed rotation rightward or leftward by a number of bits less than f is generally less secure than rotation by 6.
  • fixed rotation by an intermediate value greater than 6 or less than 58 appears in some cases to be less secure than fixed rotation by 6, although it may in some cases be as secure or perhaps even more secure than fixed rotation by 6.
  • fixed rotation by 32 bits would generally be less secure than fixed rotation by 6 bits. More generally, as mentioned previously, such number of bits of such predetermined or fixed rotation may vary according to each round and to the particular segment being calculated in each round.
  • the direction of data-dependent rotation in the preferred embodiment is to the right by a number of bits determined by the data-dependent value.
  • data-dependent value can also determine data-dependent rotation to the left. Neither leftward or rightward data-dependent rotation is believed to be more secure than the other.
  • FIGURE 3 a system is shown in which in the first half of each round the round operators modify the left primary round segment RO, and then in the second half of each round the round operators modify the right primary round segment Rl .
  • the first half round might modify the right primary round segment Rl
  • the second half round might modify the left primary round segment RO.
  • the present invention is most effective if in a given round at any point the primary round segment being modified currently is different than the primary round segment which was last modified (i.e., it is preferred not to modify the same primary round segment twice in the same way without first modifying the other primary round segment in that way at least once).
  • this method can benefit block ciphers using fixed rotation where such fixed rotation is round-dependent.
  • This method also and in particular benefits block ciphers using data-dependent rotation, especially where such data-dependent rotation uses active effective fixed rotation.
  • FIGURE 5 an algorithmic flow chart is shown which demonstrates this novel simple and secure linear method which calculates the subkeys for each round of the block cipher using data-dependent rotation in its operative rounds shown in FIGURE 3 or FIGURE 6.
  • a fixed key size of k bits (block 90) which may be a function of an input key is defined.
  • An input key is ordered bits determined by a user or system, which are typically secret, i.e. non-public, which are input to a cipher and are in general to influence the behavior of the cipher.
  • An input key may be of variable length, and sometimes it is necessary to compress, or condense or even to expand an input key prior to use by a cipher. Such compression of a large input key into a cipher key used by the cipher can be particularly helpful when the input key bits may not be entirely random and may be auto-correlated.
  • a cipher key is ordered bits, often called key bits, which are a transformed input key, using any particular transformation which may be specified by a cipher.
  • the key is usually of fixed length or a fixed number of bits, but may be of variable length. But in any case, this key expansion method starts with key bits, and does not restrict any operations which may convert key input bits to key bits. It divides the key bits up into y registers, where y most often equals two, and assigns k/y bits into each of the key segments, e.g., KA (block 92) and KB (block 94).
  • each of the subkeys is the sum of one of the key segments and of a round and segment dependent predetermined value typically from a fixed table ("fixed table"), shown as blocks 96 and 98.
  • a fixed table typically a fixed table
  • the subkeys when the subkeys are used in the block cipher, those subkeys reflecting the value of KA have a direct effect on the right primary round segment Rl calculated in various rounds, and subkeys reflecting the value of KB have a direct effect on the left primary round segment RO calculated in various rounds.
  • Due to linear mixing of cipher data in the block cipher (the property of cumulative linear combination), both key segments KA and KB also have indirect effects on the primary round segments of RO and Rl .
  • the y sets of values of the fixed table should be checked to assure that the fixed table values in each set are not all the same.
  • Varying the fixed table values ensures that, when using the approach shown in FIGURE 5, there is an adequate number of distinct or different values in the resulting subkey values.
  • all subkey values were equal to, in hexadecimal, 0123456789abcdef, potentially every round of the block cipher might act the same given identical round inputs. This would indicate a weak subkey schedule.
  • the key expansion system in such a manner and with a list of predetermined values which contain many distinct values or which are otherwise selected such that for randomly provided keys (and for randomly provided key inputs) there is a 99 percent chance or better that a minimal standard is achieved in which the key expansion system produces a list of at least 10 subkeys in total which are used in the operative rounds of the block cipher, where such resulting subkeys are not all the same value, and if fact there are at least 5 distinct, i.e. different, subkey values in that list of subkeys (where such subkey values are as small as 16 bits and as large as 64 bits).
  • the key expansion system shown in FIGURE 5 achieves this minimal standard 100 percent of the time given at least 5 distinct predetermined values in the fixed table; virtually all other secure key expansion methods used by other block ciphers also achieve this minimal standard; other ways of achieving this minimal standard may be apparent to one of ordinary skill in the art.
  • any differences computed from a set of fixed table values should ideally be based on subtracting each fixed table value from its prior value.
  • any differences computed from a set of fixed table values should be based on xoring each fixed table value and its prior value. If no such prior value exists, the difference value should be excluded from the appropriate set of difference values.
  • linear combination operator As shown in FIGURE 5, it may be preferred to use just one linear combination operator, rather than using various round-and-segment dependent operators. Further, it may be preferred, in some circumstances, that the linear operator which combines the key segments and fixed table values is non-commutative with the linear operator in the block cipher which combines round segments with the subkeys. Still further, it may be preferred that such a linear combination operator which provides subkeys under this method provides all the subkeys used by the block cipher for which the subkeys are generated.
  • the above specific method subkeys may in general be expressed as the output of an operator having two inputs, where one such input is a key segment and the other input is a predetermined value.
  • this arrangement is one in which one input is a key-dependent segment, and another input is a predetermined value or constant value.
  • the subkey value it is not strictly necessary for the subkey value to be a combination using some operator applied to a key segment and a predetermined value. Rather, using this method, it is acceptable if the new subkey value is affected by a combination, using some operator, of some other previously calculated subkey and a new predetermined value, as long the value of the previously calculated subkey is key-dependent.
  • This method then, produces a new subkey value affected by an operator output, where such operator has two inputs, one input is a key-dependent segment and the other operator is a new predetermined value. Accordingly, it may be preferred that the new predetermined value does not affect a previously calculated subkey value on which the new subkey value depends. Further, it may be preferred that each such operator has two inputs with an equal number of bits, and that such operators are linear.
  • the number of bits of output of operators and the number of bits of subkeys generated from the k-bit key is approximately one bit of mathematical operator output per bit of subkeys generated (e.g., such as the one linear combination operation per subkey generated in FIGURE 5).
  • a minimal number of mathematical operations, including any operations to convert the input key to the k-bit key is desired.
  • the ratio of bits of mathematical operation output to bits of subkeys generated is generally less than 2 to 1 and is preferably a ratio close to 1 to 1, to provide simple, fast, and secure subkey generation.
  • a maximum ratio of 3.5 to 1 is contemplated by the present invention, whereby higher ratios are not believed to provide the advantages of the present invention.
  • the innovative aspect of the key expansion method described herein is the surprising result that using the combination of: a) a simple generally linear subkey generation method, and b)a block cipher using data-dependent rotation of round segments, it is possible to produce secure subkey segments from a key in spite of very low ratios of operation output bits to subkey bits.
  • this method does not assume use of any particular method to convert key input bits to key segments. Such conversion may involve either expansion or compression of the key input values. Such conversion may for example accept variable size key inputs. Once such key inputs are converted into the appropriate size key block by whatever method, then this key expansion method as specified above divides the key data up into y segments and expands the key segments into subkeys using predetermined values which typically are from a fixed table. Finally, it is preferred that there is no simple linear or affine or other non-random statistical relationship between the bits of the predetermined values or fixed table, and that the such bits have roughly equal probabilities, i.e., are unbiased.
  • the flow chart of FIGURE 5 is the equivalent of the subkey equations below. These equations may provide the values of all subkeys used in the main embodiment from key segments KA and KB. Such subkeys identified below as Subkey[i] or Subkey[i+1], are generally in the equations of the block cipher which uses such subkeys identified as Key[i] or Key[i+1].
  • the equations use an index value i, where i is incremented by x (i.e., by 2) between each iteration or round, similar to the other equations previously discussed:
  • This method requires only 1 mathematical operation per subkey, and should be over three times as fast as most key expansion methods in generating subkeys. Assuming that subkeys are not precalculated and stored in cache for packet encryption, typical subkey expansion may require 30 percent or more of the time required to encrypt a standard packet of 48 bytes. This method for key-expansion may increase the combined speed of key-expansion and encryption for each 48-byte packet by roughly 20 percent.
  • As to what varied source of numbers should be used in the fixed table there are many possibilities. It might be preferred to use well known, trusted random numbers to load the fixed table, such as from the RAND tables which contain a million random numbers which were published in 1955. Or perhaps using the value of pi (3.14159, etc.). Alternatively, it might be preferred to fill the fixed table with optimized values, which should minimize the chance of any differentially weak subkeys.
  • FIGURE 3 shows the segments xored with subkey values after they are rotated by a fixed amount.
  • modification by subkey values could have taken place. It is believed that the exact placement of the subkey segments in the algorithm is not critical to the security of the block cipher.
  • a different approach may be adopted, as described in the following encryption equations,
  • the main reason subkey value is combined with an intermediate one-to-one round segment rather than with a primary round segment directly is not to increase the security of the block cipher, but rather to accommodate the pipelining of modern microprocessors. There can be a delay in microprocessors between obtaining the lsb of a register and using it to affect a nonlinear activity. Extracting a subkey from a list and combining it linearly with a round segment are useful steps to take while waiting for a nonlinear result from a microprocessor.
  • FIGURE 6 another embodiment of the cryptographic system and method in which there is a different placement of the active, effective fixed rotation is shown.
  • a block 110 of plaintext input of n bits is divided up into two equal size primary round segments or half blocks of n/2 bits, RO (block 112) and Rl (block 114).
  • this alternative embodiment linearly combines (block 116) using the operator LI the right segment Rl with the first subkey segment Kl .
  • the first of a plurality of rounds of encryption (preferably in excess of 8 rounds) are performed. Each round of encryption computes new values of the primary segments RO and Rl .
  • Each computation of the two primary segments in each encryption round is similar in form, even though it has different inputs and outputs, uses different subkeys, and uses different registers.
  • Both RO and Rl are primary segments, and are also one-to-one round segments. Except for the small sections of bits which determines the data-dependent rotation, all variable segments in each round of this alternative embodiment are one-to-one round segments.
  • To compute the primary round segments RO and Rl in the first half round the following procedure is used. First, combine (block 118) linearly using the operator L2 the register Rl with the subkey K2 to produce an intermediate segment value. Combine (block 120) linearly using operator L3 that intermediate segment with RO producing a replacement value of primary segment RO.
  • Each such round in which new one-to-one round segments for R0 and Rl are computed is only part of the process. Many rounds are necessary depending on block size and the users desire for security, but this number of rounds is typically between 8 and 64 rounds, with at least 5 of such rounds incorporating the described process, and such rounds are herein called qualified operative rounds; some users may select a larger number of rounds, such as 128 rounds. Indeed, there is no true upper limit to the number of rounds which can be employed, with the tradeoff being that more rounds reduce the speed of calculation.
  • the systems adds (combines) (block 142) the left segment RO with the last subkey value, Klast.
  • the ciphertext value for segments RO (block 144) and Rl (block 146) are complete, and are then transferred as ciphertext consisting of n bits, i.e., a n-bit cipher output (block 148).
  • this alternate embodiment also has the properties of: (1) bit expansion of a small section, (2) adjustment by a full sized subkey,
  • the block cipher has the property of new small section data in successive rounds. Eighth a highly secure block cipher for bulk encryption of large files using s- boxes is presented.
  • this variation and method of encryption extracts g bits from a preselected location such as the lsb of each segment as input into a nonlinear s-box.
  • the number of bits which control the non-linear process is g bits. Further, it may be preferred when using this method to select a number of bits of fixed rotation equal to g bits.
  • Each plaintext input block 150 of n input bits is plaintext input.
  • Each plaintext input block 150 is divided up into two one-to-one primary round segments 152 and 154, i.e., block halves, each of which contain n/2 bits.
  • a 128-bit version of the cryptographic system divides up its input into two 64-bit one-to-one round segments, RO (block 152) and Rl (block 154) respectively.
  • Both RO and Rl are primary segments, and are also one-to-one round segments. In fact, except for the small sections of bits which are s-box input, the round segments of s-box output, all variable segments in each round of this embodiment are one-to-one round segments.
  • the method shown in FIGURE 7 takes the right primary round segment Rl and linearly combines (block 156) it using operator LI with a subkey segment Kl.
  • the first of a plurality of rounds of encryption (preferably equal to or exceeding 5 rounds) are performed. Each round of encryption computes new values of the one-to-one primary round segments RO and Rl. Each computation of the two primary segments is similar in form, even though it has different inputs and outputs and uses different registers.
  • Extract (block 158) the least significant g bits of Rl.
  • Each such round in which new primary round segments R0 and Rl are computed is only part of the process. Many rounds may be necessary depending on block size and the users desire for security, but this number of rounds is typically between 8 and 64 rounds, with at least 5 of such rounds incorporating the described process, and such rounds are herein called qualified operative rounds; some users may select a larger number of rounds, such as 128 rounds. Indeed, there is no true upper limit to the number of rounds which can be employed, with the tradeoff being that more rounds reduce the speed of calculation.
  • this alternative embodiment linearly combines (block 182) the left one-to-one round segment RO with the last subkey segment, Klast. Then the ciphertext value for segments RO (block 184) and Rl (block 186) are complete and are transferred as ciphertext consisting of n bits, i.e., a n-bit cipher output (block 188).
  • the operators which linearly combine the one-to-one round segments with each other should in general be non- commutative with the operators which combine the s-box output with one-to-one round segments.
  • the following equations are a practical implementation of this approach and they use the algebraic group of addition to linearly combine one-to-one round segments with each other, and xor to linearly combine s-box output with one-to-one round segments,
  • decryption is the inverse of encryption. All the same steps are repeated but in reverse order. Decryption uses ciphertext output as input and recovers the values of the plaintext inputs.
  • this alternate embodiment using an s-box also has the properties of: (1) bit expansion of a small section, (2) adjustment by a full sized key, (3) cumulative linear combination, and (4) non-commutative one-to-one round segment interactions.
  • Variations of this cipher exist that are believed to be weaker than those variations shown as the preferred variations where potentially: (1) an sbox output determined by some bits of one block half is combined with that block half linearly prior to linear combination with the other half, and (2) logical shift instructions may be used instead of rotate instructions.
  • R0 (s-box[ 1 sb(R0+key [i])] xor (RO shifted by 8 bits))+Rl Eq. 30
  • Rl (s-box[lsb(Rl+key[i+l]) xor (rl shifted by 8 bits))+R0 Eq. 31
  • this present invention when using sbox lookups is one which is a block cipher which recalculates the value of each primary round segment as a generally linear combination of itself, which we may call the prior round segment value, the value of another round segment, which may be called the other round segment, and an sbox value.
  • This statement makes no restrictions on the order of linear operations, or which generally linear operations are performed, or any restrictions on what additional operations including nonlinear operations are performed.
  • this cipher using sboxes illustrate this general structure in which values of each primary round segment are modified with indirect or direct linear combinations of three values: (1) a round segment which is generally 64 bits or more and contains at least 50 variable bits (over 75 percent of the bits) which are from or are derived from a 1 : 1 PLT of the prior round segment value, (2) another round segment which is generally 64 bits or more and contains at least 50 variable bits (over 75 percent) which are from or are derived from a 1 : 1 PLT of the other round segment value, (3) the sbox output or a 1 :1 PLT of it or derived from a 1 :1 PLT of it, which is dependent on data from the n-bit cipher data block, and the sbox output generally contains 64 bits or more.
  • FIGURE 8 wherein the blocks are numbered as in FIGURE 7, with the numbers in the second round being designated with a prime
  • an example in which two rounds using an s-box is shown in which a given input passes through two rounds of the invention and is modified by it despite simple subkeys in which all values equal 0.
  • the bits which determine s-box output in this example are not based solely on the initial lsb of the plaintext input segments.
  • This example reflects a cryptographic system in which the s-box outputs depend on many different subkey and input values.
  • the s-box cipher method minimizes problems such as pipeline optimization in microprocessor chips and "address generation interlock".
  • a certain amount of time is required between loading a pointer and using it.
  • a pointer is an address in an s-box or lookup table.
  • three intermediate operations are computed between determining the input into the s-box and using the s-box output. These operations are: rotating a one-to-one round segment by a fixed number of bits, reading a subkey segment from a table, and xoring the rotated segment by the subkey value.
  • s-box cipher method it may be preferable when using this s-box cipher method to ensure that the sizes of the s-box input (g bits) and its fixed rotation (which may also equal g bits) are relatively prime to the segment size. In particular, it may be preferred that both are odd (as the segment size is typically even, and a power of 2). Further, it may also be preferable if the segment size divided by s-box input size g is nearly equal to an odd number, or in any case that the register size is not exactly divisible by g. For current microprocessors, a preferred block configuration might use an s-box input size of 9-bits or 11 -bits, with a fixed rotation of an equal number of bits, and with a block size of either 64 bits or 128 bits.
  • the size of the s-box input (g bits) and its fixed rotation (typically g bits) equals 8 bits.
  • the loss in potential theoretical efficiency of using values not necessarily prime to the register size may be offset by the speed and practicality of 8-bit rotations on certain processors. If such an s-box input size and rotation are adopted which are not relatively prime to the segment size, it may be preferable to use an alternative fixed rotation method as shown in FIGURE 9, which is discussed hereinafter.
  • the s-box output is much larger than its input, it is generally possible to optimize the s-box such that for an s-box with a 32-bit output, or even better a 64+-bit output, for all possible s-box outputs the minimum number of bit differences is roughly one quarter or more of the s-box output size.
  • the optimization of the sboxes used with this method is based on permutations. This method ensures that each of 8 output bytes (each of the bytes is a contiguous or consecutive section of 8 bits) provides an output change of at least 1 bit for any and all sbox input differences.
  • This method of building the sbox either using permutations or any sbox generation method with the same easily measurable property, wherein such that contiguous or consecutive sections of bits (of 20 bits or less) have a bit-output difference of at least 1 bit for any 1 bit input-difference, ensures the block cipher has considerable differential strength when the sbox output is 64-bits or more.
  • Such differential strength is also increased if the sbox optimization method also guarantees a minimum number of output bit-differences for any input difference, preferably where that minimum is greater than that expected by chance (as seen in the embodiment SteelTalon with a minimum output bit difference of about 18 bits).
  • sbox optimization methods which generally guarantee a minimum number of output bit-differences for all possible input differences which is better than that expected by chance, or which guarantee a minimum output difference of at least 1 bit in consecutive or contiguous sections of 20 bits or fewer, are synergistic with the structure of a block cipher in which new values of a first primary round segment are calculated based on the direct or indirect linear combination of three values: a) a first variable segment reflecting or derived solely from the value of the first primary round segment, b) a second variable segment reflecting or derived from the value of another different primary round segment, and c) an sbox value of at least 64 bits whose input is dependent on some bits from the n-bit cipher data.
  • Any bit-differences of any s-box outputs affect potential carry operations related to addition or subtraction by the time any round segments affected by the s-box are linearly combined with other round segments. These carry operations are data-dependent and are non-commutative with xor, which is another operator affected by the s-box output.
  • the property of non-commutative one-to-one round segment interactions which makes this possible is generally associated with the property of cumulative linear combination of segments discussed hereinbefore.
  • Variations in this s-box alternative embodiment which in general should not affect the security adversely in a significant way includes but is not limited to: some changes in the number of bits of active fixed rotation, alternative linear combination operators, new or different key expansion methods, different key placement in the equations, and alternative placement of the fixed rotation.
  • FIGURE 9 an algorithmic flow chart for one round of the cryptographic system and method using s-boxes in accordance with an alternate embodiment is generally shown. The system and method is similar to that shown and described with reference to FIGURE 7, however the fixed rotation is relocated.
  • An initial block 190 of n input bits is plaintext input.
  • Each plaintext input block 190 is divided up into two one-to-one primary round segments, 192 and 194, i.e., block halves, each of which contains n/2 bits.
  • a 128-bit version of the cryptographic system divides up its input into two 64-bit one-to-one round segments, RO (block 192) and Rl (block 194) respectively. Both RO and Rl are primary segments, and are also one-to-one round segments.
  • variable segments in each round of this embodiment are one-to-one round segments.
  • the method shown in FIGURE 9 takes the right primary round segment Rl and linearly combines (block 196) it using operator
  • Each round of encryption computes new values of the one-to-one primary round segments RO and Rl.
  • Each computation of the two primary segments is similar in form, even though it has different inputs and outputs and uses different registers.
  • Extract (block 198) the least significant g bits of Rl. Use these as input into the s-box lookup table. Assign the value of the s-box output to register V.
  • Linearly combine (block 200) using operator L2 segment R0 with segment V to produce a replacement primary round segment R0.
  • Linearly combine (block 202) using operator L3 the right round segment with K2 to form a new intermediate segment.
  • linearly combine (block 204) using operator L4 this new intermediate segment with R0 (where R0 now reflects segment V (block 210)).
  • compute a one-to-one segment by rotating (block 214) the register Rl rightward by g bits.
  • Each such round in which new primary round segments RO and Rl are computed is only part of the process. Many rounds may be necessary depending on block size and the users desire for security, but this number of rounds is typically between 8 and 64 rounds, with at least 5 of such rounds incorporating the described process, and such rounds are herein called qualified operative rounds; some users may select a larger number of rounds, such as 128 rounds. Indeed, there is no true upper limit to the number of rounds which can be employed, with the tradeoff being that more rounds reduce the speed of calculation.
  • this alternative embodiment linearly combines (block 224) the left one-to-one segment RO with the last subkey segment, Klast. Then the ciphertext value for segments RO (block 226) and Rl (block 228) are complete and are transferred as ciphertext consisting of n bits, i.e., a n-bit cipher output (block 230).
  • FIGURE 10 another alternative embodiment providing a key expansion method is shown.
  • This expansion method is applicable to all block ciphers in general. It is particularly appropriate to block ciphers for bulk encryption where attaining the quickest possible bootup time is not generally necessary.
  • subkeys for use in a block cipher are generated from the one-to- one round segments of various rounds 240 - 242 of a generative block cipher in which key segments are input into the generative block cipher as if they are plaintext input.
  • Subkeys generated using this method are mapped one-to-one with the secret key segments, but are complex unco ⁇ elated functions of such secret key segments. As a result, it will be futile to apply related key attacks or similar key-based analytical methods to attack a block cipher using the subkeys output from this subkey generation method.
  • the key segments input into the generative block cipher contain n bits.
  • the key is input into the generative block cipher as n-bit cipher input.
  • this generative block cipher is similar in form to the block cipher which uses the subkeys produced by this key expansion method.
  • the key expansion block cipher typically uses as input 2 segments of n/2-bits each. The key value mentioned above determines the values of these two round segments.
  • the generative block cipher also uses known but generally random values from a fixed table 244 to modify one-to-one round segments in order to provide some necessary irregularity in each round.
  • Such known values affect the segments of the generative block cipher the same in general as subkeys would in a secret key block cipher.
  • the injection of adequate irregularity into each round 240 - 242 makes related-key attacks impossible and makes the resulting key expansion more secure. It is preferred in calculating this key expansion that the ratio of the number of known typically random segments to the number of subkeys calculated is 1 to 1 or greater.
  • the fixed table of known values should be as large or larger than the table of calculated subkeys called the subkey expansion table. While the fixed table is initially loaded with constant values prior to key expansion, it may in fact be stored in the same memory space in the microprocessor as the key expansion table and may use the same variable name.
  • any fixed s-box tables as a fixed table of known values to inject adequate irregularity into the subkey generation process where the calculation of new subkey values may replace the known s-box table such that each new subkey is also a new s-box output segment
  • any such known or predetermined values which inject irregularity into the subkey generation process need not be from a fixed table, but may for example be calculated by a linear feedback shift register or other mathematical expansion method.
  • q is simply a constant increment which is typically chosen to ensure that after generation when the subkey segment results are accessed during block encryption using a different increment, such as 1 , each successive subkey segment accessed (or each pair of subkeys) is generally uncorrelated to the previous subkey value (or to the previous pair of subkeys). If the subkey segments are read from the subkey expansion table using an increment of 1 , it may be preferred if q is an integer which equals roughly plus or minus the square root of the size of the fixed table, but where q is relatively prime to the size of the fixed table.
  • each input of a fixed table value has a corresponding output subkey value which is taken from a primary round segment in the generative block cipher.
  • An initial key block 250 of n input bits is key input.
  • Each key input block is divided up into two one-to-one primary round segments 252 (KO) and 254 (Kl), i.e., block halves, each of which contain n/2 bits.
  • the first of a plurality of rounds are performed.
  • Each round computes new subkey values of the one-to-one primary round segments KO and Kl .
  • Each computation of the two primary segments is similar in form, even though it has different inputs and outputs and uses different registers.
  • Extract block 256
  • the least significant g bits of Kl the least significant g bits of Kl.
  • this key expansion method it is possible to generalize this key expansion method to generate subkeys from a variable number of secret key segments.
  • the number of generative primary segments is at least 2, and may be as large as desired but ideally is between 2 and 4.
  • This generalized method for the generative block cipher calculates a new primary segment for register]]] from a prior segment of register!]] where j is an index which increments from 0 to (x-1) before repeating.
  • S is the number of fixed table segments used per generative subkey expansion, and it is typically the number of subkey segments output per generative subkey expansion from new primary round segments.
  • F[i] is the table of constant values
  • Subkey[i] is the resulting subkey expansion table, where i is an index incremented from 0 to (s-1) before repeating.
  • a register Cxor is a cumulative xor of all other primary segments or registers except for the current primary segment being calculated at register[j] . Note in the equations below that the equation for Cxor updates its value for each new value of index j. The initialization equations are not discussed for the following equations for they are readily determined by one skilled in the art.
  • an algorithmic flow chart for one round of the cryptographic system and method using relatively non-commutative linear operators in which an s-box affects the block data with an operator that is non-commutative with an operator used to achieve robust linear diffusion in accordance with an alternate embodiment is generally shown.
  • the algorithm is a symmetric Feistel block cipher which allows a variable number of rounds to permit variable security levels, and a block size of at least 128 bits.
  • An initial block 300 of n input bits is plaintext input, wherein the n is at least
  • Each plaintext input block 300 is divided up into two one-to-one primary round segments, 302 and 304, i.e., block halves, each of which contains n/2 bits.
  • a 128-bit version of the cryptographic system divides up its input into two 64- bit one-to-one round segments, R0 (block 302) and Rl (block 304) respectively.
  • Both RO and Rl are primary segments, and are also one-to-one round segments.
  • all variable segments in each round of this embodiment are one-to-one round segments.
  • the method shown in FIGURE 14 next performs the first of a plurality of rounds of encryption (preferably equal to or exceeding 5 rounds).
  • Each round of encryption computes new values of the one-to-one primary round segments RO and Rl.
  • Each computation of the two primary segments is similar in form, even though it has different inputs and outputs and uses different registers.
  • To compute the first half round i.e., to compute the primary round segment RO, the following procedure is used. Extract (block 306) the least significant 8 bits of Rl.
  • Exclusive-or (block 308) the right round segment with subkey segment K [2R] (block 311) to form a new intermediate segment.
  • SIMD add (block 312) segment V with segment RO that is rotated rightward by 8 bits (block 314) to produce a replacement primary round segment RO.
  • Exclusive- or (block 316) the round segment Rl with the replacement primary round segment RO to form a new intermediate segment.
  • shift block 318) the round segment Rl leftward by 1 bit and then exclusive-or (block 320) this shifted round segment Rl with the new intermediate segment R0. The result is the new value of primary segment R0 (block 322).
  • SIMD add (block 330) segment V with new segment Rl that is rotated rightward by 8 bits (block 332) to produce a replacement primary round segment Rl .
  • Exclusive-or (block 334) the new round segment RO with the replacement primary round segment Rl to form a new Rl.
  • shift leftward (block 336) the new round segment RO leftward by 2 bits and then exclusive-or (block 338) this shifted round segment RO with the new segment Rl .
  • the result is the new value of primary segment Rl (block 340).
  • each such round in which new primary round segments RO and Rl are computed is only part of the process. Many rounds may be necessary depending on block size and the users desire for security, but this number of rounds is typically between 8 and 64 rounds, with at least 5 of such rounds incorporating the described process, and such rounds are herein called qualified operative rounds; some users may select a larger number of rounds, such as 128 rounds. Indeed, there is no true upper limit to the number of rounds which can be employed, with the tradeoff being that more rounds reduce the speed of calculation.
  • Rl (block 344) are ciphertext consisting of n bits, i.e., a n-bit cipher output (block 346).
  • Odd Round index LS8(RH) xor Skey[i] Eq. 40
  • RH 8>»RH Eq. 44
  • RH (RH + Sbox[index]) xor LH Eq. 45
  • Even Round index LS8(RH) xor Skey[i + 2] Eq. 46
  • Odd Round index LS8(LH) xor Skey[i+1] Eq. 58
  • Skey2 would typically be an output of the same key expansion which generates Skeyl (although Skey2 contains 64 output bits in each word which is larger than the 8 output bits in each byte of Skey), which is to say that the values of Skey2 may for example be the encrypted output of a two-step master key expansion process where the encryption used in such key expansion has fixed inputs and has session key values which in general are generated by a linear key expansion process using round-dependent shift operations, and where the variation shown immediately above could be used to compute the encryption used in the key expansion process.
  • FIGURE 14 Another variation on FIGURE 14 is a less compact and possibly more efficient version, which uses extra initial and final key operations plus bit-shifting every other round as follows:
  • each input bit difference is guaranteed to cause a change in s-box input within 8 rounds
  • each bit diffuses linearly in a robust manner to affect most bits after roughly 8 rounds
  • the bitwise variability of its nonlinear s-box operation exceeds the number of bits of its s-box input.
  • bit input changes in the method are guaranteed to cause a substantial affect on nonlinear input in a small number of rounds.
  • bit input changes in the method are guaranteed to cause a substantial affect on nonlinear input in a small number of rounds.
  • 8 rounds after 128 bits of cipher data affect the s-box inputs, any input difference affects the output of an s-box.
  • the extra shift operations every even round combined with the xor diffusion operations result in smooth effective bitwise linear diffusion.
  • the bitwise variability of its nonlinear operator generally exceeds the number of bits input into its box.
  • the present invention can be embodied in the from of computer-implemented processes and apparatuses for practicing those processes.
  • the present invention can also be embodied in the form of computer program code embodied in tangible media, such as floppy diskettes, CD-ROMs, hard drives, or any other computer-readable storage medium, wherein, when the computer program code is loaded into and executed by a computer, the computer becomes an apparatus for practicing the invention.
  • the present invention can also be embodied in the form of computer program code, for example, whether stored in a storage medium (electronic, magnetic or optic), loaded into and/or executed by a computer, or transmitted over some transmission medium, such as over electrical wiring or cabling, through fiber optics, or via electromagnetic radiation, wherein, when the computer program code is loaded into and executed by a computer, the computer becomes an apparatus for practicing the invention.
  • the computer program code segments configure the microprocessor to create specific logic circuits.
  • FIGURE 13 An example of which shows how the present invention may be embodied in hardware is generally shown in a block diagram in FIGURE 13.
  • the block diagram is illustrative of a circuit for employing the encryption method using data-dependent rotation in accordance with the algorithmic flow chart of FIGURE 6. Specifically, the block diagram illustrates the circuitry necessary to encrypt one round.
  • a block of plaintext input of n bits is divided up into two equal size primary round segments or half blocks of n/2 bits, RO (block 380) and Rl (block 382).
  • RO block 380
  • Rl block 382
  • Each computation of the two primary segments in each encryption round is similar in form, even though it has different inputs and outputs, uses different subkeys, and uses different registers.
  • To compute the primary round segments RO and Rl in the first half round the following procedure is used.
  • the shift register rotates the replacement value of Rl by the value representative of the LSB of R0.
  • the resulting value of Rl is the new value of Rl (block 412).
  • predetermined rotation circular bit rotation
  • bit-permutations and bit-shifts especially bit-permutations and bit-shifts
  • keys and bit moving operations have been described with respect to various embodiments of the present invention, one skilled in the art will appreciate that additional keys and predetermined or variable bit moving operations (e.g., fixed or variable rotations and fixed or variable shifts) may generally be used. And, while the embodiments of the present invention have not used certain cryptographic operations, nothing restricts the use in the embodiments of such operators, restricts the type of key-dependent sbox transformations permitted, requires in all cases use of secret keys, or restricts use of the block ciphers as stand-alone encryption functions.
  • additional keys and predetermined or variable bit moving operations e.g., fixed or variable rotations and fixed or variable shifts
  • a standard fixed sbox called in the block cipher embodiments which use an sbox may be modified bytewise prior to use by a simple method such as bytewise rotor encryption, or otherwise modified using generally any method, in order to provide a key-dependent sbox.
  • block ciphers in the embodiments were shown using a secret key as a means of encryption (or perhaps to calculate a message authentication code), it is possible to use the same block ciphers where any key values are publically known as hash functions.
  • block cipher embodiments have been shown as stand-alone functions which encrypt plaintext to ciphertext and vice-versa, they may also of course be used as components of stream ciphers or other cryptographic tools.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
PCT/US1998/019255 1997-09-17 1998-09-16 Improved block cipher method WO1999014889A1 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
CA002302784A CA2302784A1 (en) 1997-09-17 1998-09-16 Improved block cipher method
AU95690/98A AU9569098A (en) 1997-09-17 1998-09-16 Improved block cipher method
EP98949350A EP1016240A1 (de) 1997-09-17 1998-09-16 Verfahren zur verbesserten blockverschlüsselung

Applications Claiming Priority (6)

Application Number Priority Date Filing Date Title
US5914297P 1997-09-17 1997-09-17
US60/059,142 1997-09-17
US6299297P 1997-10-23 1997-10-23
US60/062,992 1997-10-23
US6433197P 1997-10-30 1997-10-30
US60/064,331 1997-10-30

Publications (1)

Publication Number Publication Date
WO1999014889A1 true WO1999014889A1 (en) 1999-03-25

Family

ID=27369592

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US1998/019255 WO1999014889A1 (en) 1997-09-17 1998-09-16 Improved block cipher method

Country Status (3)

Country Link
EP (1) EP1016240A1 (de)
AU (1) AU9569098A (de)
WO (1) WO1999014889A1 (de)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1172965A2 (de) * 2000-07-12 2002-01-16 Kabushiki Kaisha Toshiba Verschlüsselungsvorrichtung, Entschlüsselungsvorrichtung, Vorrichtung zur Erzeugung eines erweiterten Schlüssels und zugehöriges Verfahren und Aufzeichnungsmedium
SG92735A1 (en) * 1999-08-31 2002-11-19 Toshiba Kk Extended key generator, encryption/decryption unit, extended key generation method, and storage medium
GB2345229B (en) * 1998-12-23 2003-12-03 Motorola Ltd Method for encrypting data
WO2004056035A1 (de) * 2002-12-13 2004-07-01 Giesecke & Devrient Gmbh Verschlüsselungsverfahren
US7051201B2 (en) 2002-03-15 2006-05-23 International Business Machines Corporation Securing cached data in enterprise environments
CN1777089B (zh) * 2005-11-24 2010-11-17 上海森田科学技术研究所有限公司 一种复数移相加密解密方法
US8311216B2 (en) 2007-11-19 2012-11-13 China Iwncomm Co., Ltd. Packet cipher algorithm based encryption processing device
WO2016156378A1 (en) * 2015-03-30 2016-10-06 Irdeto B.V. Crytographic processing
US20180062828A1 (en) * 2016-09-01 2018-03-01 Cryptography Research, Inc. Protecting block cipher computation operations from external monitoring attacks
CN109598134A (zh) * 2018-12-07 2019-04-09 北京宏思电子技术有限责任公司 一种分组加密算法的高速运行方法和高速运行装置

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5724428A (en) * 1995-11-01 1998-03-03 Rsa Data Security, Inc. Block encryption algorithm with data-dependent rotations
US5727062A (en) * 1995-07-06 1998-03-10 Ritter; Terry F. Variable size block ciphers
US5838796A (en) * 1996-01-11 1998-11-17 Teledyne Industries, Inc. Statistically optimized bit permutations in interated block substitution systems

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5727062A (en) * 1995-07-06 1998-03-10 Ritter; Terry F. Variable size block ciphers
US5724428A (en) * 1995-11-01 1998-03-03 Rsa Data Security, Inc. Block encryption algorithm with data-dependent rotations
US5838796A (en) * 1996-01-11 1998-11-17 Teledyne Industries, Inc. Statistically optimized bit permutations in interated block substitution systems

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2345229B (en) * 1998-12-23 2003-12-03 Motorola Ltd Method for encrypting data
SG92735A1 (en) * 1999-08-31 2002-11-19 Toshiba Kk Extended key generator, encryption/decryption unit, extended key generation method, and storage medium
US6891950B1 (en) 1999-08-31 2005-05-10 Kabushiki Kaisha Toshiba Extended key generator, encryption/decryption unit, extended key generation method, and storage medium
EP1172965A2 (de) * 2000-07-12 2002-01-16 Kabushiki Kaisha Toshiba Verschlüsselungsvorrichtung, Entschlüsselungsvorrichtung, Vorrichtung zur Erzeugung eines erweiterten Schlüssels und zugehöriges Verfahren und Aufzeichnungsmedium
EP1172965A3 (de) * 2000-07-12 2003-06-18 Kabushiki Kaisha Toshiba Verschlüsselungsvorrichtung, Entschlüsselungsvorrichtung, Vorrichtung zur Erzeugung eines erweiterten Schlüssels und zugehöriges Verfahren und Aufzeichnungsmedium
US7194090B2 (en) 2000-07-12 2007-03-20 Kabushiki Kaisha Toshiba Encryption apparatus, decryption apparatus, expanded key generating apparatus and method therefor, and recording medium
US7051201B2 (en) 2002-03-15 2006-05-23 International Business Machines Corporation Securing cached data in enterprise environments
WO2004056035A1 (de) * 2002-12-13 2004-07-01 Giesecke & Devrient Gmbh Verschlüsselungsverfahren
CN1777089B (zh) * 2005-11-24 2010-11-17 上海森田科学技术研究所有限公司 一种复数移相加密解密方法
US8311216B2 (en) 2007-11-19 2012-11-13 China Iwncomm Co., Ltd. Packet cipher algorithm based encryption processing device
WO2016156378A1 (en) * 2015-03-30 2016-10-06 Irdeto B.V. Crytographic processing
US20180062828A1 (en) * 2016-09-01 2018-03-01 Cryptography Research, Inc. Protecting block cipher computation operations from external monitoring attacks
US10771235B2 (en) * 2016-09-01 2020-09-08 Cryptography Research Inc. Protecting block cipher computation operations from external monitoring attacks
US11743028B2 (en) 2016-09-01 2023-08-29 Cryptography Research, Inc. Protecting block cipher computation operations from external monitoring attacks
CN109598134A (zh) * 2018-12-07 2019-04-09 北京宏思电子技术有限责任公司 一种分组加密算法的高速运行方法和高速运行装置
CN109598134B (zh) * 2018-12-07 2023-05-30 北京宏思电子技术有限责任公司 一种分组加密算法的高速运行方法和高速运行装置

Also Published As

Publication number Publication date
EP1016240A1 (de) 2000-07-05
AU9569098A (en) 1999-04-05

Similar Documents

Publication Publication Date Title
US6199162B1 (en) Block cipher method
Alenezi et al. Symmetric encryption algorithms: Review and evaluation study
Gueron et al. Fast garbling of circuits under standard assumptions
US6259789B1 (en) Computer implemented secret object key block cipher encryption and digital signature device and method
US6185679B1 (en) Method and apparatus for a symmetric block cipher using multiple stages with type-1 and type-3 feistel networks
US6185304B1 (en) Method and apparatus for a symmetric block cipher using multiple stages
US8504845B2 (en) Protecting states of a cryptographic process using group automorphisms
US9189425B2 (en) Protecting look up tables by mixing code and operations
US6189095B1 (en) Symmetric block cipher using multiple stages with modified type-1 and type-3 feistel networks
US8787563B2 (en) Data converter, data conversion method and program
CN107147487B (zh) 对称密钥随机分组密码
US20130067212A1 (en) Securing implementation of cryptographic algorithms using additional rounds
US10148425B2 (en) System and method for secure communications and data storage using multidimensional encryption
EP1016240A1 (de) Verfahren zur verbesserten blockverschlüsselung
Biham et al. Rectangle attacks on 49-round SHACAL-1
US20040120521A1 (en) Method and system for data encryption and decryption
Brown et al. Introducing the new LOKI97 block cipher
US7103180B1 (en) Method of implementing the data encryption standard with reduced computation
Chan et al. On the resistance of new lightweight block ciphers against differential cryptanalysis
CN111262685B (zh) 一种新型密钥生成的Shield分组密码实现方法、装置及可读存储介质
Noura et al. DKEMA: GPU-based and dynamic key-dependent efficient message authentication algorithm
Mahdi Design and implementation of proposed BR encryption algorithm
Henricksen et al. The HKC authenticated stream cipher (Ver. 1)
Das et al. New Key-Dependent S-Box Generation Algorithm on AES
Abubaker et al. DAFA-A Lightweight DES Augmented Finite Automaton Cryptosystem

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AL AM AT AU AZ BA BB BG BR BY CA CH CN CU CZ DE DK EE ES FI GB GE GH HU IL IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT UA UG UZ VN YU ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW SD SZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
WWE Wipo information: entry into national phase

Ref document number: 1998949350

Country of ref document: EP

ENP Entry into the national phase

Ref document number: 2302784

Country of ref document: CA

Ref country code: CA

Ref document number: 2302784

Kind code of ref document: A

Format of ref document f/p: F

NENP Non-entry into the national phase

Ref country code: KR

WWP Wipo information: published in national office

Ref document number: 1998949350

Country of ref document: EP

REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

WWW Wipo information: withdrawn in national office

Ref document number: 1998949350

Country of ref document: EP