WO2003104969A2 - Procedes permettant d'ameliorer l'imprevisibilite d'une sortie de generateurs de nombres pseudo aleatoires - Google Patents

Publication number
WO2003104969A2
Authority
WO
WIPO (PCT)
Prior art keywords
value
computations
array
data
mathematical
Application number
PCT/DK2003/000375
Other languages
English (en)
Other versions
WO2003104969A3 (fr)
Inventor
Mette Vesterager Petersen
Hans Martin Boesgaard SØRENSEN
Original Assignee
Cryptico A/S
Application filed by Cryptico A/S filed Critical Cryptico A/S
Priority to AU2003232162A priority Critical patent/AU2003232162A1/en
Priority to JP2004511973A priority patent/JP2005529364A/ja
Priority to EP03756974A priority patent/EP1532515A2/fr
Priority to CA002488514A priority patent/CA2488514A1/fr
Publication of WO2003104969A2 publication Critical patent/WO2003104969A2/fr
Publication of WO2003104969A3 publication Critical patent/WO2003104969A3/fr

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00 Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/58 Random or pseudo-random number generators
    • G06F7/582 Pseudo-random number generators
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N7/00 Computing arrangements based on specific mathematical models
    • G06N7/08 Computing arrangements based on specific mathematical models using chaos models or non-linear system models
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/001 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using chaotic signals
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/065 Encryption by serially and continuously modifying data stream elements, e.g. stream cipher systems, RC4, SEAL or A5/3
    • H04L9/0656 Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher
    • H04L9/0662 Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher with particular pseudorandom sequence generator
    • H04L9/0668 Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher with particular pseudorandom sequence generator producing a non-linear pseudorandom sequence
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00 Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/58 Random or pseudo-random number generators
    • G06F7/582 Pseudo-random number generators
    • G06F7/586 Pseudo-random number generators using an integer algorithm, e.g. using linear congruential method

Definitions

  • the present invention relates to aspects of improving unpredictability of pseudo-random numbers which originate from numerical computations in mathematical systems comprising at least one function, in particular a non-linear function.
  • the mathematical system may be a non-linear system of differential equations which exhibits chaotic behavior.
  • the invention is useful in encryption and decryption in, e.g., electronic devices.
  • Cryptography is a generally used term covering science and technology concerned with transforming data, such transforming of data being performed with the aim of allowing for storing and transmitting of the data while preventing unauthorized access to the data.
  • the data are made non-comprehensible for any other person but the intended recipient or recipients of the data. Accordingly, cryptography plays an increasingly more important role in the protection of intellectual property, including copyright protection, as the technological advancements require safe transmission and storage of huge amounts of data.
  • the specific transformation of data is dependent on an input to the algorithm, a so-called key.
  • the sender and the recipient of the data have an appropriate set of keys, the sender and the recipient are able to correctly encrypt and decrypt the data while any third person who may gain access to the encrypted data is not able to view a properly decrypted version of the encrypted data, as she or he is not in possession of an appropriate key.
  • a block cipher is a cryptographic algorithm which splits an original set of data into a plurality of blocks of a given size, e.g. 64 bits per block. Mathematical and logical operations are performed on each block, whereby the original amount of data is usually transformed into blocks of pseudo-random data. In case decryption is initiated with the correct decryption key, the original data can be re-called by reversing the mathematical and logical operations used for encryption.
  • In a (synchronous) stream cipher, a pseudo-random number generator generates, based on a key, a sequence of pseudo-random numbers, the sequence being referred to as a keystream.
  • the keystream is mixed, by arithmetic and/or logical operations, with a plurality of sub-sets of the original set of data, the sum of sub-sets of data defining the original data to be encrypted. The result of the mixing is the encrypted data.
  • the encrypted data may be decrypted by repeating the procedure in such a way that the pseudo-random sequence is extracted from the encrypted data, so as to arrive at the original, decrypted data.
  • the plaintext is often mixed with the keystream by use of a logical operator, most often by the so-called XOR operator, also referred to as the "exclusive or" operator, which is symbolized by the ⊕ symbol.
  • Utilization of the XOR operator on a plaintext and a pseudo-random keystream yields a ciphertext.
  • an identical keystream is generated, and the XOR operator is now utilized on the keystream and the ciphertext, resulting in the original plaintext.
  • the identical keystream can only be generated by using the key on which the keystream for encryption was initially based.
  • public key systems have been developed, such systems being characterized by a pair of asymmetric keys, i.e. a public key and a private key, the two keys being different.
  • the public key is usually used for encryption
  • the private key is usually used for decryption.
  • the private and the public key correspond to each other in a certain manner.
  • the key which is used for encryption cannot be used for decryption, and vice versa.
  • the public key may be published without violating safety in respect of accessibility of the original data. Accordingly, when transmitting encrypted data via a computer communications network, the recipient of the data first generates a set of keys, including a public and a private key.
  • the public key for example, is then provided to the sender of the data, whereas the private key is stored at a secure location.
  • the sender of the data utilizes the public key for encrypting the original data, and the encrypted data are then transferred to the recipient.
  • the private key which corresponds to the public key previously utilized for encryption, is provided to the decryption system which processes the encrypted data so as to arrive at the original decrypted data.
  • Public key systems are primarily used for transmitting keys which are utilized in, e.g., block or stream ciphers, which in turn perform encryption and decryption of the data.
  • the methods of the present invention are applicable to cryptographic methods and cryptographic systems, in particular but not exclusively to stream cipher algorithms, block cipher algorithms, Hash functions, and MAC (Message Authentication Code) functions.
  • Such methods, functions and algorithms may include pseudo-random number generators which are capable of generating pseudo-random numbers in a reproducible way, i.e. in a way that results in the same numbers being generated in two different cycles when the same key is used as an input for the pseudo-random number generator in the two cycles.
  • a chaotic system normally governs at least one state variable X, the numerical solution method of such a system normally comprising performing iteration or integration steps.
  • the solution X_n at a given instant is dependent on the initial condition X_0 to such an extent that a small deviation in X_0 will result in a huge deviation in the solution X_n, the system often being referred to as exhibiting sensitivity on initial conditions.
  • for the pseudo-random number generator, i.e. the algorithm numerically solving the chaotic system, to give a reproducible stream of pseudo-random numbers, the exact initial condition X_0 must be known.
  • the initial condition X_0 used in the numerical solution of the chaotic system is derived from the key entered by a user of the cryptographic system, thereby allowing the same stream of pseudo-random numbers to be generated for e.g. encryption and decryption of data.
  • Lyapunov exponents measure the rates of divergence or convergence of two neighboring trajectories, i.e. solution curves, and can be used to determine the stability of various types of solutions, i.e. determine whether the solution is for example periodic or chaotic.
  • a Lyapunov exponent provides such a measure from a comparison between a reference orbit and a displaced orbit. Iterates of the initial condition x_0 are denoted the reference orbit, and the displaced orbit is given by iterates of the initial condition x_0 + y_0, where y_0 is a vector of infinitely small length denoting the initial displacement.
  • Lyapunov exponents, each one characterizing orbital divergence or convergence in a particular direction.
  • a positive Lyapunov exponent indicates chaos.
  • the type of irregular behavior referred to as hyperchaos is characterized by two or more positive Lyapunov exponents.
  • Numerical calculation of Lyapunov exponents may be performed according to the suggested method in T.S. Parker and L.O. Chua: Practical Numerical Algorithms for Chaotic Systems, pp. 73-81.
  • Even more irregular systems than hyperchaotic systems exhibit so-called turbulence, which refers to the type of behaviour exhibited by a system having a continuous spectrum of positive Lyapunov exponents. Turbulence may be modeled by partial differential equations, for example the well-known Navier-Stokes equations.
  • US 5,048,086 assigned to Hughes Aircraft Company is related to an encryption system based on chaos theory.
  • floating-point operations are used.
  • PCT Application WO 98/36523 assigned to Apple Computer, Inc. discloses a method of using a chaotic system to generate a public key and an adjustable back door from a private key.
  • the need for establishing rules of precision during computations on a chaotic system is mentioned.
  • the document states, as an example, that a specified floating point or fixed point precision can be identified along with specific standards for round-off.
  • PCT application WO 01/50676 assigned to Honeywell Inc. discloses a non-linear cryptographic isolator for converting a so-called vulnerable keystream into a so-called protected keystream.
  • the non-linear filter cryptographic isolator includes a multiplier for performing a multiplication function on the vulnerable keystream to provide a lower partial product array and an upper partial product array, and a simple unbiased operation for combining the lower partial product array and the upper partial product array to provide the protected keystream.
  • the Mandelbrot set is computed by means of the below mapping:
  • Intel utilizes a constant decimal separator position in their computations.
  • a so-called 5.11 is utilized, i.e. a 16 bit number is utilized wherein the decimal separator is placed after the 5th bit, "5" referring to 5 bits before the decimal separator, "11" referring to 11 bits after the decimal separator.
  • Pseudo-random numbers generators as those used in cryptography should, while allowing for reproducibility of a sequence of pseudo-random numbers, generally be as unpredictable as possible.
  • an internal state of a mathematical system underlying the generator should contain as little information as possible concerning other internal states of the mathematical system. For example, the information that a particular value X_i was contained in state variable X at iteration No. i should not in a predictable manner lead to another value X_j which was contained in the variable X at another iteration, iteration No. j.
  • problems with small periods can arise in the sense that a certain degree of predictability may arise if or when the mathematical system becomes periodic. In a cryptographic system this is a serious problem since it will have the effect that data will be encrypted by repeating the same block of pseudo-random data, which compromises security.
  • the present invention provides four aspects, preferred embodiments of which improve security by improving unpredictability:
  • the present invention provides, in a further independent aspect: 5. Concurrent encryption and identification value generation (claims 56-61).
  • a first aspect of the present invention provides a method for repeatedly performing computations in a mathematical system which exhibits a positive Lyapunov exponent, comprising varying at least one parameter of the mathematical system after a certain number of computations.
  • the parameter which may, e.g., be a counter, may vary independently of the mathematical system and may cause the mathematical system to produce output periods which are longer than if the parameter would not have been varied, or it may cause the mathematical system to exhibit periodic behaviour with periods which are so long that, in any practical application, the mathematical system will not repeat itself.
  • the parameter may be repeatedly varied throughout computations in the mathematical system.
  • floating-point refers to the fact that the decimal separator moves during calculations, caused by the varying exponent.
  • floating point arithmetic is defined differently on various processor architectures causing different handling of precision and rounding off.
  • the present inventors have realised that, instead of floating-point numbers, fixed-point numbers can be used.
  • computations such as iterations in the mathematical system, which usually comprises at least one function and is expressed in discrete terms, are performed by means of at least one fixed-point number. All computations may be performed as fixed-point or integer computations.
  • a fixed-point number is represented as an integer type number on a computer, where a virtual decimal point or separator (also referred to as an imaginary decimal separator) is introduced "manually", i.e. by the programmer, to separate the integer part and the fractional part of the real number.
  • calculations on fixed-point numbers are performed by simple integer operations, which are identical on all processors in the sense that the same computation, performed on two different processors, yields identical results on the two processors, except for possible different representations of negative numbers.
  • Such possible different representations may occur as a consequence of some processors utilizing one's complement and other processors utilizing two's complement.
  • these operations are also usually faster than the corresponding floating point operations.
  • the use of fixed-point variables is further discussed in section B below.
  • the mathematical system may comprise at least one non-linear map or at least one non-linear equation, or a set of non-linear maps or a set of non-linear equations, as discussed further below, cf. in particular section C.
  • the counter referred to above may be increased at each iteration in the mathematical system, in which case a maximum value may be defined for the counter.
  • the method may thus comprise resetting the counter to a minimum value once the counter has reached said maximum value, whereby the counter varies with a certain period.
  • this does not necessarily mean that the mathematical system also varies with a period. Resetting the counter avoids overflow in the system.
  • multiple parameters may be employed. Some of such multiple parameters may be dynamic, i.e. varying, whereas others may be static, i.e. constant.
  • a constant parameter may for example be generated from a seed value provided to the mathematical system, such as an encryption key.
  • the variation of a first one of the parameters, such as of a counter, may be dependent on the variation of a second one of said counters in such a way that the period of the first counter is different from the period of the second counter.
  • the variation of each individual one of the counters may be dependent on the variation of at least another one of said counters so as to obtain a period of the counters which is longer than the period which would have existed if each individual counter had not been dependent on the variation of another counter.
  • the one or more counters may be increased linearly or by any other function.
  • the computations performed by the first aspect of the invention may be used for generating pseudo-random numbers, which may be used in any kind of cryptography and/or identification value generation.
  • the invention provides a method for manipulating a first set of data in a cryptographic system, the first set of data comprising a first and a second number of a first and a second bit size A and B, respectively, the method comprising:
  • the fourth number may be used for generating or updating a pseudo- random number as the output of the cryptographic system.
  • It has been found that a general multiplication function has good cryptographic properties. These properties are good mixing, i.e. most input bits affect all output bits, and poor linear approximations. Furthermore, the multiplication has the property that the number of bits of the output is the same as the total number of bits in the inputs, i.e. if a number of bit-size A is multiplied with a number of bit size B then the output is of bit size A+B. This larger bit size enables further manipulation of the output, such that the final output is of a bit size smaller than A+B, for instance A or B. Thereby improved cryptographic properties for the manipulated multiplication function may be achieved, i.e. all input bits affect all output bits, and all linear approximations are very poor.
  • the first and second number may have different bit sizes, for example 8 and 16 bit. However, for practical reasons it may be desirable that the first and second numbers are of the same bit size.
  • each of the first and second number may be a 32-bit number, in which case the third number is a 64-bit number, consisting of 32 most significant and 32 least significant bits.
  • the fourth number may then, for example, consist of the 32 most significant bits of the 64-bit number.
  • the first set of data may consist of a single number, such as a number assigned to a variable, and the first number may thus equal the second number, so that the step of multiplying comprises squaring the first number.
  • Such squaring may be advantageous as compared to other multiplication functions implying the multiplication of two different numbers, as it requires handling of a single variable only. Further, the squaring of a number of a certain bit size A results in a number, referred to above as the third number, of bit size 2·A. Thus, by applying a manipulation to the third number to obtain the fourth number of another bit size, such as bit size A, further complexity is added to cryptographic systems incorporating the method of the second aspect of the invention.
  • the squaring is further advantageous, as it - when performed on small processors, such as 8- or 16-bit processors - requires fewer operations than multiplying two different numbers whereby computational resources may be saved.
  • multiplication of two different 32-bit numbers requires sixteen 8-bit multiplications, whereas the squaring of a 32-bit number only requires ten 8-bit multiplications.
  • a keystream of a satisfactory quality may be directly generated as a pseudo-random output by means of simple operations, such as by XOR operations.
  • the squaring function does not normally result in a certain result more often than it results in other results.
  • the multiplication of two different numbers may result in the result zero every time one of the two numbers being multiplied has the value zero.
  • the squaring function may have a reduced bias towards a certain result, in particular towards zero, as compared to other multiplication functions.
  • bias towards zero may leak information concerning an input to the multiplication, as it reveals that one of the two inputs to the multiplication operation most likely was zero.
  • the fourth number may itself represent a pseudo-random number which is used as the output of the cryptographic system.
  • the fourth number may be used as an input for further computations, such as iterations in a mathematical system, following which a pseudo-random number or other output of the cryptographic system is derived.
  • one or more state variables may be iterated in a mathematical system.
  • a counter or variable may be added to each or some of the state variables in each or some of the iterative steps, as described further below.
  • the step of multiplying may comprise identical operations in each iterative step, or it may, alternatively, comprise different operations.
  • the step of multiplying may comprise squaring a variable x, whereas in one or more subsequent iterative steps, the step of multiplying may comprise multiplying variable x with another variable y.
  • a value assigned to each of the state variables may be updated as a function of at least one value of the same and/or another state variable, for example according to the general formula subscript i denoting the i'th iteration, x and y denoting the state variables.
  • the step of manipulating preferably comprises using as well most significant bits of the third number as least significant bits.
  • the manipulating may comprise a logical or arithmetic operation.
  • One logical operation which is easily applied is the XOR function which may, e.g., be applied on a number of most significant bits and an equal number of least significant bits.
  • the XORing may be performed bitswise, in which case each bit of the most significant bits may be XORed with a bit of the least significant bits.
  • the XOR operation may thus be performed N times, resulting in a result of bit size N .
  • the step of manipulating may be performed by applying an operation to bits of two or more different numbers.
  • the step of manipulating may comprise XORing bits of one number x_m with bits of another number x_p, one or both of x_m and x_p representing the third number.
  • an arithmetic operation may be performed bitwise.
  • the first and second number may be derived from a set of data to be encrypted or decrypted, in which case the fourth number may be used to generate an encrypted or decrypted representation of the second set of data, such as plaintext or ciphertext, for example in a block cipher algorithm or in an algorithm for determining an identification value for identifying a set of data.
  • the method according to the second aspect of the invention may also be applied for generating an identification value for identifying a second set of data.
  • at least one of the first and second number is derived from the second set of data, so that the fourth number is used for generating an identification value identifying the second set of data.
  • identification value may be a hash value or a cryptographic check-sum which identifies the set of data, cf. for example Applied Cryptography by Bruce Schneier, Second Edition, John Wiley & Sons, 1996.
  • the hash function is usually referred to as a MAC function (Message Authentication Code).
  • at least one of the first and second number may be derived from a cryptographic key, i.e. an input value for an algorithm of the cryptographic system which is used for initializing iterations.
  • the first number may equal the second number, in which case the step of multiplying comprises squaring the first number.
  • the state variable may be updated as a function of the fourth number, or as a function of a permutation of the fourth number, such permutation comprising, e.g., bitwise rotation of the bits of the fourth number.
  • the step of multiplying may be performed multiple times, each multiplication being performed on a number which represents or is a function of one of a plurality of state variables, the step of multiplying thereby resulting in a plurality of third numbers.
  • the step of manipulating may result in an array comprising a plurality of fourth numbers, whereby at least one state variable may be updated as a function of at least two of the fourth numbers.
  • At least one of the first and second number may be a state value X_i to which there is added a variable parameter value, such as a counter.
  • the step of multiplying may thus comprise squaring the sum of X_i and the counter, X_i denoting a state variable or an array of state variables, and the counter being a single counter or an array of counters.
  • the at least one parameter may be repeatedly varied at predetermined intervals in the computations.
  • a counter may be added to the fourth number or to a number which is a function of the fourth number to result in an updated state variable X
  • the step of multiplying may comprise a plurality of multiplication functions resulting in a plurality of numbers of bit size A+B, whereby the step of manipulating may comprise combining at least one of the bits of a first one of the plurality of numbers with at least one of the bits of a second one of the plurality of numbers.
  • the plurality of multiplication functions may comprise at least one squaring operation, whereby the step of manipulating may comprise combining at least one of the P most significant bits of a first one of the plurality of numbers with at least one of the Q least significant bits of a second one of the plurality of numbers.
  • the step of multiplying is usually performed in a mathematical system in which at least one state variable is being iterated, most often in a system in which two or more state variables are being iterated.
  • values assigned to each of the at least two state variables may be updated as a function of at least one value of the same and/or another state variable.
  • At least one of the first and second number may be derived from a set of data to be encrypted or decrypted, whereby the fourth number may be used for generating an encrypted or decrypted representation of the set of data. Likewise, the fourth number may be used for generating an identification value identifying the set of data. At least one of the first and second number may be derived from a cryptographic key.
  • the method of the second aspect of the invention may advantageously be applied in a system/method, wherein an identification value for identifying a set of data is determined, and wherein a set of data is concurrently encrypted/decrypted, e.g., by means of a pseudorandom number generator in which numerical computations are performed in a mathematical system, cf. the below discussion of the fifth aspect of the invention.
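As an added example, not from the patent, the squaring-and-fold construction of the second aspect in Python: a w-bit number is squared to 2w bits and the upper half is XORed with the lower half. The exhaustive count for w = 8 checks the zero-bias claim made above for squaring versus the product of two different numbers; the 32-bit instance g32 is the case described in the text (32-bit input, 64-bit square, 32-bit output). All names are the example's own.

```python
# Added example (not from the patent): "square, then fold the halves" and its zero bias.

def fold_square(x, w):
    """Square a w-bit number (a 2w-bit result) and XOR its w most significant
    bits with its w least significant bits, giving a w-bit fourth number."""
    mask = (1 << w) - 1
    sq = (x & mask) * (x & mask)      # bit size 2w: nothing is discarded yet
    return ((sq >> w) ^ sq) & mask    # upper half XOR lower half


def fold_product(x, y, w):
    """The same folding applied to the product of two different w-bit numbers."""
    mask = (1 << w) - 1
    prod = (x & mask) * (y & mask)
    return ((prod >> w) ^ prod) & mask


def g32(x):
    """32-bit instance: x^2 is a 64-bit number; output = high 32 bits XOR low 32 bits."""
    return fold_square(x, 32)


def zero_output_counts(w):
    """Exhaustive count of zero outputs of the folded square over all w-bit x,
    and of the folded product over all pairs (x, y) of w-bit numbers.
    The folded value is zero exactly when both halves are equal, i.e. when the
    2w-bit value is a multiple of 2^w + 1. For w = 8 that modulus (257) is prime,
    so the square folds to zero only for x = 0, while the product folds to zero
    for every pair in which x or y is zero (511 of 65536 pairs)."""
    n = 1 << w
    sq_zeros = sum(1 for x in range(n) if fold_square(x, w) == 0)
    prod_zeros = sum(1 for x in range(n) for y in range(n)
                     if fold_product(x, y, w) == 0)
    return sq_zeros, prod_zeros


def zero_bias_ratio(w):
    """Probability of a zero output for squaring and for the product, each divided by
    the 1/2^w a uniformly distributed w-bit output would give (1.0 means no bias)."""
    n = 1 << w
    sq_zeros, prod_zeros = zero_output_counts(w)
    expected = 1 / n
    return (sq_zeros / n) / expected, (prod_zeros / (n * n)) / expected


if __name__ == "__main__":
    print("g32(0xFFFFFFFF) = %#010x" % g32(0xFFFFFFFF))
    print("zero outputs for w=8 (square, product):", zero_output_counts(8))
    print("zero bias relative to uniform (square, product):", zero_bias_ratio(8))
```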
  • the invention provides a method for manipulating a first set of data in a cryptographic system, the first set of data comprising a first and a second number, the method comprising:
  • manipulating may be applied in the method according to the second aspect of the invention.
  • the step of combining may comprise any manipulating discussed above in connection with the method according to the second aspect of the invention, for example a logical operation, such as an XOR operation, or an arithmetic operation.
  • the output of the cryptographic system may be any output discussed above in connection with the second aspect of the invention.
  • the method of the third aspect of the invention results in an improved mixing of numbers in a cryptographic system, in particular in a pseudo-random number generator.
  • the method is useful in connection with any cryptographic system, including those described herein.
  • a method for generating a periodic sequence of numbers in a cryptographic system in which computational steps are repeatedly performed, comprising updating, in each computational step i, an array of counters, the counters being updated by a logical and/or by an arithmetic function, whereby, at each computational step, a carry value is added to each counter in the array, and wherein the carry value added to the first counter in the array, c_0, is obtained from at least one of: a selected computation of a value of the array of counters, a value which is a function of a counter value at a previous computational step.
  • the method comprises updating, in each computational step i, an array C of counters c_j, the counters being updated as: where:
  • the carry value added to counter c_j at step i+1 results from the computation of c_{j−1,i+1}
  • N_j is a constant
  • sequences of numbers generated by the method according to the fourth aspect of the invention preferably has a period which is so long that the sequence of numbers generated, in most practical applications, does not become periodic, i.e. that any sequence of numbers generated is not repeated.
  • c is constantly incremented by 1 until it reaches the value N-1, and in the following iteration c restarts from zero.
  • the period of c is equal to N.
  • the single bits in the number have, however, different periods.
  • the least significant bit, c[0], repeatedly has the value 1 added to it, and will thereby alternately obtain the values 0 and 1, i.e. have a period of 2. Every second incrementation gives rise to a carry being added to the next bit in the register, c[1], which thereby will have a period of 4.
  • in general, the period of bit c[j] will be given by 2^(j+1).
  • Such a system suffers from the disadvantage that all bits, except the most significant, have periods smaller than the total period N.
  • Another disadvantage is that the dynamic behaviour of the bits is rather predictable. For instance, the value of the least significant bit changes at every iteration. Thereby, even though the value at a given iteration is not known, the value will be the opposite in the following iteration. Also, the value of the most significant bit will change only when half of the period N has passed. This means that the value of the most significant bit is constant for a long time, resulting in poor non-predictability characteristics which are crucial in cryptographic systems.
  • the counter with carry feedback in a single-dimensional system may be defined by:
  • c_{i+1} = c_i + a + d_i mod N,
  • c_i is the value of the counter at step i
  • c_{i+1} is the value of the counter at step i+1
  • a is a constant number
  • d_i is the value of the feedback carry at step i
  • N is a large number, usually equal to 2 to the power of the register size of the processor on which the computations are being performed.
  • the period of the counter system with carry feedback can be proven as follows.
  • the purpose of the counter system is to generate a sequence of numbers with a given long period, wherein each binary value at each bit-position has the same period as
  • the application of the long periodic sequence is to ensure that the internal state of the stream cipher has a large period.
  • the values at each bit position in C have relatively high frequencies, i.e. they change often.
  • when the values of the counter bits are secret, for instance when they are applied as part of the input to a stream cipher with an internal state, exploiting any relation between the output of the stream cipher and the values of the bits is additionally complicated, since the values of the bits change relatively often.
  • the value A may be appropriately chosen by ensuring that (N_0 * N_1 * ... * N_{n-1}) - 1 and the concatenated value A of the values a_j are mutually prime.
  • the concatenated value of the values a_j is determined as a single sequence of bits a_{n-1} a_{n-2} ... a_0, cf. the example below.
  • the connection to the single counter system with carry feedback is easily obtained by concatenating all constants and concatenating all counter elements, and then performing the calculations on these 256-bit numbers, i.e. with modulus 2^256.
  • the counter system with carry feedback as discussed above may be applied for using the counter values as a periodic input for a cryptographic function, e.g.:
  • - using the counter values as input to a stream cipher or pseudo-random number generator with an internal state,
  • - using the counter values as part of the input in a computation of an identification value.
  • an internal state of a cryptographic system is updated as a function of the counter values, e.g. by adding a counter value to an internal state. Such update may be performed before the computation of a next-state value or subsequent to the computation of a next-state value.
  • An output function may then be applied to the current or the next internal state in order to generate a pseudo-random output, often referred to as a "keystream".
  • the following pseudo code illustrates a preferred embodiment of the computation of multiple counters, the pseudo code illustrating a single iteration of the counter:
  • d_i may be a carry value resulting from the computation of the last counter, c_{n-1}, at the preceding iterative step, i.e. the latest carry value computed at a preceding iterative step.
  • the number c may be successively incremented by the constant value a and the value of the carry register d. If c becomes larger than a value N, N is subtracted from the number, i.e. the number is reduced modulo N, and the value in the carry register is set to 1. If the number is less than N, the value in the carry register is set to
  • d_i may be a carry value determined in the same iteration, that is: firstly a constant is added to the first counter, the carry from this operation and a constant are then added to the next counter in the chain, and so forth. This procedure is continued until and including the last counter in the chain; the carry from this last addition is then added to the first counter, and if a carry occurs it is added to the next counter, and so on.
  • the procedure is illustrated in the following pseudo-code:
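Neither of the two pseudo-code listings referred to above (the carry taken from the preceding iteration, and the in-iteration carry chain) is reproduced on this page. The following is an added, runnable Python rendering of both variants next to the plain counter; it is not the patent's own code. The 4-bit counter width, the constants (1,) and (1, 7) and the all-zero start state are constructed for illustration, and the code measures the period of the whole state and of every bit so that the statements above about bit periods can be checked directly.

```python
"""Counter systems with carry feedback, as a runnable rendering of the counter
variants the page describes (added example; this is not the patent's own
pseudo-code, and the constants and widths used are constructed for illustration)."""
from math import gcd
from typing import Callable, List, Sequence, Tuple

Counters = Tuple[int, ...]


def add_chain(counters: Sequence[int], consts: Sequence[int], carry_in: int,
              mod: int) -> Tuple[Counters, int]:
    """Add a_j plus the incoming carry to each counter c_j in turn, modulo N.

    The carry produced by counter j goes into counter j+1 in the same pass and
    the carry of the last counter is returned.  Since c_j, a_j < N and the carry
    is at most 1, a sum never reaches 2N, so one subtraction of N is the modulus."""
    out: List[int] = []
    carry = carry_in
    for c, a in zip(counters, consts):
        s = c + a + carry
        carry = 1 if s >= mod else 0
        out.append(s - mod if carry else s)
    return tuple(out), carry


def make_plain(consts: Sequence[int], mod: int) -> Callable:
    """Ordinary modular counter: the carry out of the last counter is dropped."""
    def step(counters: Counters) -> Counters:
        return add_chain(counters, consts, 0, mod)[0]
    return step


def make_deferred(consts: Sequence[int], mod: int) -> Callable:
    """Carry feedback across iterations: the carry d_i from the last counter at
    step i is added to the first counter at step i+1.  State is (counters, d)."""
    def step(state: Tuple[Counters, int]) -> Tuple[Counters, int]:
        counters, d = state
        return add_chain(counters, consts, d, mod)
    return step


def make_immediate(consts: Sequence[int], mod: int) -> Callable:
    """Carry feedback inside one iteration (end-around carry): the carry of the
    last counter is added to the first counter of the same step and propagated."""
    zeros = [0] * len(consts)
    def step(counters: Counters) -> Counters:
        new, carry = add_chain(counters, consts, 0, mod)
        if carry:                          # the end-around add cannot overflow again
            new, _ = add_chain(new, zeros, carry, mod)
        return new
    return step


def cycle(step: Callable, state) -> list:
    """States on the cycle that `step` enters from `state`; transient dropped."""
    seen, trace = {}, []
    while state not in seen:
        seen[state] = len(trace)
        trace.append(state)
        state = step(state)
    return trace[seen[state]:]


def concat(counters: Sequence[int], width: int) -> int:
    """Concatenate c_{n-1} ... c_0 into one integer, c_0 least significant."""
    value = 0
    for c in reversed(counters):
        value = (value << width) | c
    return value


def bit_period(values: Sequence[int], j: int) -> int:
    """Smallest period of bit j over one full cycle of counter values."""
    bits = [(v >> j) & 1 for v in values]
    n = len(bits)
    for p in range(1, n + 1):
        if n % p == 0 and all(bits[i] == bits[(i + p) % n] for i in range(n)):
            return p
    return n


def analyse(consts: Sequence[int], width: int) -> dict:
    """Period of the state and of every bit for all three variants, starting
    from all-zero counters, plus the page's coprimality condition on A."""
    mod, n = 1 << width, len(consts)
    zero = tuple([0] * n)
    variants = (("plain", make_plain(consts, mod), zero, lambda s: s),
                ("deferred", make_deferred(consts, mod), (zero, 0), lambda s: s[0]),
                ("immediate", make_immediate(consts, mod), zero, lambda s: s))
    results = {}
    for name, step, start, counters_of in variants:
        states = cycle(step, start)
        values = [concat(counters_of(s), width) for s in states]
        results[name] = {"period": len(states),
                         "bit_periods": [bit_period(values, j) for j in range(n * width)]}
    # Long-period condition from the text: the concatenated constant A and
    # (N_0 * ... * N_{n-1}) - 1 must be mutually prime.
    results["coprime"] = gcd(concat(consts, width), mod ** n - 1) == 1
    return results


if __name__ == "__main__":
    for consts, width in (((1,), 4), ((1, 7), 4)):
        r = analyse(consts, width)
        print(f"a={consts}, N=2^{width}, A coprime to N^n-1: {r['coprime']}")
        for name in ("plain", "deferred", "immediate"):
            print(f"  {name:9s} period={r[name]['period']:4d}"
                  f" bit periods={r[name]['bit_periods']}")
```

With a single 4-bit counter and a = 1 the plain counter has period 16 and bit periods 2, 4, 8, 16, whereas both feedback variants have period 15 with every bit also of period 15.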
  • the computational steps which are performed in the cryptographic system usually comprise an iterative procedure in which an array of state variables, X, is repeatedly iterated so that at least one value assigned to a position in the array of state variable X at computational step i+1 is a function of:
  • the method of the second aspect of the invention may advantageously be applied in a system/method, wherein an identification value for identifying a set of data is determined, and wherein a set of data is concurrently encrypted/decrypted, e.g., by means of a pseudorandom number generator in which numerical computations are performed in a mathematical system, cf. the below discussion of the fifth aspect of the invention.
  • the invention provides a method for generating an output in a cryptographic system, the method combining the general concepts underlying the second and the fourth aspects of the invention.
  • computational sequences may be performed as an iterative procedure wherein an array of state variables, X, is repeatedly iterated so that at least one value assigned to a position in the array of state variables X at iteration step i+1 is a function of:
  • the above method combines the qualities of the methods according to the second and fourth aspects of the invention, i.e. good mixing of bits and long counter periods, with the overall aim of improving unpredictability.
  • the invention provides a method of determining an identification value for identifying a set of data and for concurrently encrypting and/or decrypting the set of data.
  • the method preferably comprises performing numerical computations in a mathematical system exhibiting a positive Lyapunov exponent, the method further comprising at least one of the following steps:
  • resulting number representing at least one of: a. at least a part of a solution to the mathematical system, and b. a number usable in further computations involved in the numerical solution of the mathematical system,
  • - optionally determining an updated value for the identification value based on the resulting number, whereby various parts of the set of data or modifications thereof may be used as input in the step of determining,
  • Encryption and/or decryption and determining the identification value may be performed in the same process or in distinct processes, i.e. for example in such a way that the entire set of data is processed in order to obtain an intermediate result which is then used as an input for further computations which yield the identification value and the encrypted and/or decrypted version of the set of data.
  • the method may comprise: - expressing the mathematical system in discrete terms,
  • the computations include the at least one variable expressed as a fixed-point number, fixed-point variables and numbers being discussed further above in connection with the first aspect of the invention and in section B below.
  • the identification value may be further modified following encryption and/or decryption of the entire set of data.
  • Encryption/decryption and determination of the identification value can take place at the same time or in parallel.
  • the identification value can be a hash value, a check-sum or a MAC (Message Authentication Code), see the above description.
  • the calculation of the identification value and the encryption process take place sequentially. However, it can also be done in one working process or instance, in parallel or at the same time. This may be done in order to reduce the number of computations and/or to be able to process a sequence of data as it becomes available or is given to an algorithm which embodies the mathematical system, or to increase ease-of-use.
  • the identification value can be calculated with or without a key.
  • the identification value may be related to a specific message, i.e. the message must be used as input to the algorithm. Instead of first encrypting the message and then running through the entire message again to calculate the identification value, the two methods may be combined, i.e. in each iteration of the mathematical system, a pseudo-random number may be extracted and combined with the message in order to encrypt/decrypt, after which the identification value may be updated. After each iteration this intermediate identification value may be stored.
  • a mathematical system may be defined, the mathematical system exhibiting a positive Lyapunov exponent.
  • the method may comprise the following steps: 1. Defining a key/seed value.
  • 4. Repeating steps 2-3 until the entire message has been used in the computations performed on the mathematical system and the message. 5. Determining the final identification value from variables in the mathematical system.
  • - the message may be plaintext or ciphertext,
  • - the message may be used as input to some or all of the calculations,
  • - the pseudo-random number may be used to encrypt/decrypt the message by means of logical and/or arithmetical operations,
  • - at least one variable is expressed in fixed-point format.
  • step 3 above is substituted by the step of manipulating a block or part of the message in order to encrypt and/or decrypt it.
  • the calculation of the identification value is dependent on a key.
  • a cryptographic key (as described for a stream cipher) is used as an initialization value. This key, or part thereof, is also used to initialize the identification value.
  • 4. Using a function, F_H, to obtain a new value for the identification value, given the extracted bits, the selected bits of the data, message or plaintext, and the old value of the identification value.
  • Steps 1 through 5 are repeated until all bits are encrypted.
  • the system may be iterated further to extract more pseudo-random bits.
  • the generated identification value can be combined with the encrypted message, and the result can e.g. be transmitted over the Internet to a receiver.
  • When decrypting and recalculating the identification value, the algorithm is initialized in the same manner as for encryption. Then the following steps are performed:
  • the system may be iterated further to extract more pseudo-random bits. Further computations may be performed on the identification value to obtain a final identification value.
  • the present invention also extends to any apparatus and to any computer program for carrying out all the methods of the invention, including electronic devices incorporating digital signal processors.
  • the invention also extends to data derived from any method and/or computer program of the present invention, and any signal containing such data also falls within the scope of the appended claims. It should further be understood that any feature, method step, or functionality described below in connection with the further aspects of the invention may be combined with the method of the first aspect of the invention.
  • deterministic way, i.e. in a way that results in the same pseudo-random number being generated in two different executions of a pseudo-random number generating algorithm when the same key or seed value is used as an input for the pseudo-random number generating algorithm in the two executions.
  • a mathematical system may comprise a system which expresses certain relations between variables.
  • relations may be constituted by mathematical operations, including discrete operations, such as binary and/or logical operations.
  • mathematical operations may comprise multiplication, division, addition, subtraction, involution, AND, OR, XOR, NOT, shift operations, modulus (mod), truncation and/or rounding off.
  • Numerical computations may involve computations in which numbers are manipulated by mathematical operations.
  • a counter is herein defined as a variable which may serve as a parameter in a mathematical system.
  • the counter is continuously iterated and updated by means of a mathematical function.
  • a mathematical function may, e.g., be a simple addition, c_{i+1} = c_i + a, where c_{i+1} represents the counter value at iteration step i+1, c_i represents the counter value at iteration step i, and a is a number added to c_i.
  • the function may alternatively be more sophisticated and include linear and/or non-linear operations and/or logical operations.
  • the counter varies independently of the mathematical system in which the counter is used as a parameter.
  • a computer readable data carrier should be understood as any device or media capable of storing data which is accessible by a computer or a computer system.
  • a computer readable data carrier may, e.g., comprise a memory, such as RAM, ROM, EPROM, or EEPROM, a CompactFlash Card, a MemoryStick Card, a floppy or a hard disk drive, a Compact Disc (CD), a DVD, a data tape, or a DAT tape.
  • Signals comprising data derived from the methods of the present invention and data used in such methods may be transmitted via communications lines, such as electrical or optical wires or wireless communication means using radio or optical transmission. Examples are the Internet, LANs (Local Area Networks), MANs (Metropolitan Area Networks), WANs (Wide Area Networks), telephone lines, leased lines, private lines, and cable or satellite television networks.
  • the term "electronic device” should be understood as any device capable of processing data by means of electronic or optical impulses.
  • Examples of applicable electronic devices to the methods of the present invention are: a processor, such as a CPU, a microcontroller, or a DSP (Digital Signal Processor), a computer or any other device incorporating a processor or another electronic circuit for performing mathematical computations, including a personal computer, a mainframe computer, portable devices, smartcards, chips specifically designed for certain purposes, e.g., encryption.
  • Further examples of electronic devices are: a microchip adapted or designed to perform computations and/or operations, and a chip which performs binary operations.
  • Processors are usually categorized by: (a) the size of data that is operated on, (b) the instruction size and (c) the memory model. These characteristics may have different sizes, normally between 4 and 128 bit (e.g. 15, 16, 32, 64 bit) and not limited to powers of two.
  • the term processor covers any type of processor, including but not limited to:
  • Microcontroller, also called "embedded processor".
  • An embedded processor usually refers to a small processor (usually built with fewer transistors than big processors and with limited power consumption). Examples of microcontroller architectures are:
  • CPU32 / 68k, e.g. 68000 Dragonball produced by Motorola
  • Other processors which are typically used in different kinds of computer and control systems, examples of architectures being:
  • ARM, e.g. ARM10, StrongARM
  • CPU32 / 68k, e.g. 68000, 68030, 68040 produced by Motorola
  • IA32, e.g. the x86 family produced by Intel (e.g. i486, Pentium), AMD (e.g. K6, K7), and Cyrix
  • MIPS, e.g. R4000, R10000 produced by SGI
  • PA-RISC, e.g. 8000, produced by HP
  • the term register should be understood as any memory space containing data, such as a number, the memory space being for example a CPU register, RAM, memory in an electronic circuit, or any data carrier, such as a hard disk, a floppy disk, a Compact Disc (CD), a DVD, a data tape, or a DAT tape.
  • the present invention also relates to, in independent aspects, data derived from the methods of the present invention. It should also be understood that where the present invention relates to methods, it also relates to, in independent aspects, computer programs being adapted to perform such methods, data carriers or memory means loaded with such computer programs, and/or computer systems for carrying out the methods.
  • in one aspect, which constitutes an independent aspect of the present invention, a method of performing numerical computations in a mathematical system comprising at least one function is provided, the method comprising the steps of: - expressing the mathematical system in discrete terms,
  • a subset of a number may be regarded as a part of that number, such as some, but not necessarily all digits or bits of the number.
  • the 8 least significant bits of a 16-bit number may be regarded as a subset of the 16-bit number.
  • extracting covers, but is not limited to: outputting the number or subset in question, for example as a keystream or a part of a keystream or as any other final or intermediate result of a computational process; and storing the number or subset in question in a register, for example in order to allow for further use thereof, such as further computations on the subset.
  • the mathematical system may comprise a continuous system, for example a system of differential equations; it may also or alternatively comprise a system which is originally defined in discrete terms, for example a map.
  • the at least one function of the mathematical system may be non-linear, as discussed in more detail in section C below.
  • the subset of digits comprises k bits of an m-bit number, k ≤ m, for example 8 bits extracted from a 32-bit number.
  • the number from which the subset is extracted and/or the extracted set of data may be expressed as one or more binary, octal, decimal or hexadecimal numbers, etc.
  • the k bits may be the least significant bits of the number, or they may be k bits selected from predetermined or random positions within the number from which the bits are extracted. For example, from a 64-bit number, bits Nos. 42, 47, 53, 55, 56, 57, 61, and 63 may be extracted, or bits Nos. 47-54.
  • one or more computations may be performed as floating-point operations.
  • the step of expressing at least one variable of the mathematical system as a fixed-point number may thus comprise converting a floating-point type number to an integer type number, optionally performing a certain manipulation on the integer number, for example truncating it, and converting the integer number back to a floating-point type number.
  • the methods of the invention may be applied for encryption and decryption, modulation of radio waves, synchronization of chaos in picture and sound signals so as to reduce noise, data compression, in control systems, watermarking, steganography, e.g. for storing a document in the least significant bits of a sound file, so as to hide the document in digital transmission.
  • SIM cards and smart cards exhibit weaknesses to power analysis attacks, which exploit the fact that the power consumption is directly related to the arithmetic functions performed by the processor.
  • a program for executing one of the methods described herein may randomly execute some operations whose only function is to disrupt the systematic power consumption.
  • the pseudo-random number generator may be used to determine the operations to be performed.
  • the pseudo-random number generator can be used to generate keys for other encryption algorithms, i.e. asymmetric or public-key algorithms. For example, it could be used to generate pseudo-random numbers used to calculate at least one prime number. In this way it is possible to generate the public and private key pair used in the RSA algorithm.
  • the term "resulting number" should be understood as any number occurring in the computations. More than one resulting number may be obtained.
  • the resulting number may, as stated above, be a part of the solution to the mathematical system and/or an intermediate result, i.e. a number assigned to any variable or parameter of the mathematical system or to any other variable or parameter used in the computations.
  • the resulting number or a part thereof may be extracted, for example as a pseudo-random number for use in an encryption/decryption system.
  • one or more mathematical and/or logical operations may be performed on the resulting number or on a plurality of resulting numbers, so as to obtain a further number which is extracted.
  • From the resulting number, all or only selected bits in a binary representation of the resulting number may be extracted. It should be understood that a number generated from selected bits of a number occurring in the computations may be referred to as the resulting number. Thus, the term "resulting number" also covers any part of a number occurring in the computations.
  • the methods of the invention are, as discussed above, useful in cryptography, for example in the following implementations: a symmetric encryption algorithm, a public key (or asymmetric key) algorithm, a secure or cryptographic Hash function, or a Message Authentication Code (MAC).
  • - Authorization, e.g. to allow permission to perform certain tasks or operations.
  • - Non-repudiation, to provide proof of participation in an electronic transaction, for example to prevent that a first person A sends a message to a second person B and subsequently denies that the message has been sent.
  • Digital signatures are used for this purpose. The generation of a digital signature may incorporate the use of a public key algorithm and a hash function.
  • Hash function provides a kind of digital fingerprint wherein a small amount of data serves to identify other data, usually a set of data which is considerably larger than the aforementioned small amount of data.
  • Hash functions are usually public functions wherein no secret keys are involved.
  • Hash functions can also provide a measure of authentication and integrity. They are often essential for digital signature algorithms and for protecting passwords, as a Hash value of a password may be used for password control instead of the password itself, whereby only the hash value and not the password itself needs to be transmitted, e.g. via a communications network.
  • a Hash function employing a secret key as an input is often referred to as a MAC algorithm or a "keyed Hash function".
  • MAC algorithms are used to ensure authentication and data integrity. They ensure that a particular message came from the person or entity from whom it purports to have come (authentication), and that the message was not altered in transit (integrity). They are used in the IPsec protocols (cf. RFC 2401, available on http://www.rfc-editor.org on 6 June 2003), for example to ensure that IP packets have not been modified between when they are sent and when they reach their final destination. They are also used in all sorts of interbank transfer protocols.
  • the methods of the invention may be implemented in a Hash or a MAC algorithm.
  • a Hash or a MAC algorithm calculates a checksum of an amount of data of an arbitrary length, and gives the checksum as a result.
  • the process should be irreversible (one-way), and a small change of an input value should result in a significantly different output. Accordingly, the sensitivity to the data input should be high.
  • a Hash function does not use a key as a seed value
  • a MAC algorithm uses such a key which represents or determines a seed value for the algorithm, whereby the result depends on the key.
  • the Hash function relies on a constant value, for example certain bits from the number ⁇ .
  • a part of the data to which the Hash function is applied may be used as a seed value.
  • a Hash/MAC algorithm may be implemented as follows:
  • Other chaotic systems may be employed, such as the Lorenz system which is discussed in detail hereinafter.
  • the message is incorporated in the system as a component thereof.
  • the parameters of the system and the initial value x_0 may be predetermined and/or derived from the message. In the case of a MAC algorithm, the parameters of the system and the initial value x_0 may, completely or partially, be determined by the secret key.
  • the system is iterated until the end of the message is reached.
  • the last calculated value of x or part thereof, such as the least significant digits, is denoted, for example, the Hash value, the MAC or the checksum. Alternatively, a number of additional iterations may be performed prior to extracting the resulting number. Instead of or in addition to extracting the last calculated value of x, certain bits which have been ignored in the computations may be extracted as the Hash value.
  • the way of introducing the message, m, into the dynamical system can be varied.
  • a part of the message may be used to influence the x-variable in each iteration.
  • Such influence may, e.g., be achieved by XORing certain bits of the message into the least significant digits of x.
  • For further details concerning Hash/MAC functions, reference is made to Applied Cryptography by Bruce Schneier, Second Edition, John Wiley & Sons, 1996.
  • the key used for decryption is different from the key used for encryption.
  • a key-generation function generates a pair of keys, one key for encryption and one key for decryption.
  • One of the keys is private, and the other is public. The latter may for example be sent in an unencrypted version via the Internet.
  • the encryption key may constitute or contain parameters and/or initial conditions for a chaotic system.
  • a plaintext is used to modulate the chaotic system which is irreversible unless initiated by the private key.
  • a mathematical system is used which has dynamics which are inverse to the dynamics of the system used for encryption.
  • a fixed-point number type is denoted X(α.β), where α is the number of bits used to hold the integer part, and β the number of bits used to hold the fractional part.
  • the values of α and β, and thus the position of the decimal point, are usually predetermined and stationary.
  • the fixed-point number can be either unsigned or signed, in which case X is denoted U or S respectively. In the latter case, a bit is needed to hold the sign, thus α+β+1 bits are needed to hold S(α.β).
  • the range of U(α.β) is [0; 2^α - 2^-β]
  • the range of S(α.β) is [-2^α; 2^α - 2^-β].
  • the resolution of the fixed-point numbers is thereby 2^-β.
  • the position of the decimal separator in a fixed-point number is a weighting between digits in the integer part and digits in the fraction part of the number. To achieve the best result of a calculation, it is usually desired to include as many digits after the decimal separator as possible, to obtain the highest resolution. However, it may also be important to assign enough bits to the integer part to ensure that no overflow will occur. Overflow is loading or calculating a value into a register that is unable to hold a number as big as the value loaded or calculated. Overflow results in deletion of the most significant bits (digits) and possible sign change.
  • the position of the decimal separator may be assigned at design time.
  • the possible range of the number, for which the position is to be chosen is preferably analyzed.
  • the position of the decimal point may vary between different fixed-point variables.
  • addition and subtraction operations require input numbers with similar positions.
  • Right shift by n bits corresponds to a conversion from X(α.β) to X(α+n.β-n).
  • Left shift by n bits will convert X(α.β) to X(α-n.β+n). Conversion of unsigned numbers is done by logical shift operations, whereas arithmetical shifts are used for signed numbers.
  • Multiplication and division do not require arguments with similar positions of the decimal separators.
  • the numerator is expanded as it must have twice the length of the denominator and the result.
  • S(α+c+1.β+d) is replaced by U(α+c.β+d).
  • Exceeding digits in the multiplication compared to the predetermined result format are cut off to match the target register size.
  • a fixed-point number may be handled by representing the integer part of the fixed point number in one register, and representing the fractional part in another register.
  • a fixed-point variable is defined as an integer type number with an imaginary decimal separator, an integer being defined as a number without digits after the decimal separator.
  • real numbers are represented by inserting the imaginary decimal separator (or decimal point) at some fixed predetermined position within an integer, for example four digits from the left.
  • the position might be changed as a consequence of a mathematical operation on the number.
  • the position may also be forced to be changed by use of a logical operation.
  • fixed-point numbers are integers, on which a virtual decimal separator is imposed.
  • the number consists of a so-called "integer part", referring to the bits before the decimal separator, and a "fraction part", referring to the bits after the decimal separator.
  • bits are also referred to as digits and vice versa.
  • means may be provided for determining a suitable location of the decimal separator.
  • the program, circuit or device may, during computations, detect possible overflow and, in the case of a possible overflow being detected, change the number of bits on either side of the decimal separator, i.e. the location of the decimal separator in a register which stores the variable or variables in question. This change may be performed by moving the decimal separator one or more positions to the left or to the right. Preferably as many bits as possible are used to the right of the decimal separator in order to minimize the number of possible unused bits in the register and thereby to obtain an optimal accuracy in the computations.
  • device needing to make considerations concerning accuracy and overflow in a design or programming phase.
  • a test program may be provided which determines when or where in the computations overflow will occur or is likely to occur, so that a programmer or designer of the program may fix the position of the decimal separator in one or more variables such that no overflow occurs, whereby, in the final implementation, no determination of possible overflow is needed.
  • the determination of possible overflow may also be incorporated in the final implementation as an additional safeguarding feature.
  • the programmer or designer may choose to implement changing of the decimal separator at fixed, predetermined stages in the computations.
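The fixed-point conventions described above (the X(α.β) format and its ranges, addition requiring equal separator positions, shift conversions, multiplication with the excess fraction bits cut off) and the runtime overflow check that relocates the decimal separator are illustrated in the following added Python code. It is not the patent's code; the register widths and sample values are constructed for illustration.

```python
"""Fixed-point numbers of type X(alpha.beta): an added, runnable illustration of
the conventions described on the page (not code from the patent).  A value is an
integer register with an imaginary decimal separator beta bits from the right;
S(alpha.beta) carries an extra sign bit, U(alpha.beta) does not."""
from dataclasses import dataclass


class FixedPointOverflow(ArithmeticError):
    """The result does not fit the register of its declared format."""


@dataclass(frozen=True)
class Fixed:
    raw: int             # register contents; value = raw * 2**-beta
    alpha: int           # bits of the integer part
    beta: int            # bits of the fraction part
    signed: bool = True

    def __post_init__(self) -> None:
        # Range of S(a.b) is [-2^a ; 2^a - 2^-b], of U(a.b) is [0 ; 2^a - 2^-b],
        # i.e. raw in [-2^(a+b), 2^(a+b) - 1] or [0, 2^(a+b) - 1].
        hi = (1 << (self.alpha + self.beta)) - 1
        lo = -(1 << (self.alpha + self.beta)) if self.signed else 0
        if not lo <= self.raw <= hi:
            raise FixedPointOverflow(f"raw value {self.raw} outside {self.fmt}")

    @property
    def fmt(self) -> str:
        return f"{'S' if self.signed else 'U'}({self.alpha}.{self.beta})"

    @classmethod
    def from_float(cls, x: float, alpha: int, beta: int,
                   signed: bool = True) -> "Fixed":
        # int() truncates toward zero: fraction bits beyond beta are cut off.
        return cls(int(x * (1 << beta)), alpha, beta, signed)

    def to_float(self) -> float:
        return self.raw / (1 << self.beta)

    def _same_format(self, other: "Fixed") -> None:
        # Addition and subtraction need operands with the same separator position.
        if (self.alpha, self.beta, self.signed) != (other.alpha, other.beta, other.signed):
            raise ValueError(f"format mismatch: {self.fmt} vs {other.fmt}")

    def __add__(self, other: "Fixed") -> "Fixed":
        self._same_format(other)
        return Fixed(self.raw + other.raw, self.alpha, self.beta, self.signed)

    def __sub__(self, other: "Fixed") -> "Fixed":
        self._same_format(other)
        return Fixed(self.raw - other.raw, self.alpha, self.beta, self.signed)

    def shift_right(self, n: int) -> "Fixed":
        """X(a.b) -> X(a+n.b-n).  Python's >> on a negative int is an arithmetic
        shift, as required for signed numbers; unsigned raw values are >= 0, so
        for them it is the logical shift.  The register width is unchanged."""
        return Fixed(self.raw >> n, self.alpha + n, self.beta - n, self.signed)

    def shift_left(self, n: int) -> "Fixed":
        """X(a.b) -> X(a-n.b+n); the bits pushed out are the most significant
        ones, so the constructor's range check reports the overflow."""
        return Fixed(self.raw << n, self.alpha - n, self.beta + n, self.signed)

    def mul(self, other: "Fixed", alpha: int, beta: int) -> "Fixed":
        """Multiplication does not need equal separator positions.  The exact
        product has beta1+beta2 fraction bits; those beyond the target beta are
        cut off (arithmetic right shift) and the integer part must fit alpha."""
        product = self.raw * other.raw
        excess = self.beta + other.beta - beta
        raw = product >> excess if excess >= 0 else product << -excess
        return Fixed(raw, alpha, beta, self.signed or other.signed)


def add_with_relocation(x: Fixed, y: Fixed) -> Fixed:
    """Add two numbers; on overflow move the decimal separator one position to
    the right in both operands (one more integer bit, one fewer fraction bit,
    same register width) and retry, trading resolution for range as the page
    describes for a runtime overflow check."""
    while True:
        try:
            return x + y
        except FixedPointOverflow:
            if x.beta == 0:
                raise
            x, y = x.shift_right(1), y.shift_right(1)


if __name__ == "__main__":
    a = Fixed.from_float(1.5, 3, 4)       # S(3.4): raw 24 in an 8-bit register
    b = Fixed.from_float(6.5, 3, 4)       # S(3.4): raw 104
    s = add_with_relocation(a, b)         # 8.0 does not fit S(3.4); becomes S(4.3)
    print(s.fmt, s.to_float())            # S(4.3) 8.0
    p = a.mul(Fixed.from_float(2.25, 3, 4), 4, 4)
    print(p.fmt, p.to_float())            # S(4.4) 3.375
```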
  • a real number may be expressed by means of one or more fixed-point numbers.
  • the other one may be expressed by means of any other type of number, such as a floating-point or an integer number.
  • the computations involving the variable expressed as a fixed-point number may possibly include computations on other types of variables, including one or more variables expressed as other kinds of numbers, such as floating point numbers and integer numbers.
  • decimal numbers may be expressed as integer type numbers where an imaginary decimal separator is placed in the number. In cases where floating-point variables are used, truncation/rounding is not performed identically on different types of processors.
  • the mathematical system may be a discrete or a continuous system.
  • Various types of mathematical systems are discussed below.
  • the computations may involve at least a first and a second fixed-point number, each fixed- point number having a decimal separator, wherein the decimal separator of the first fixed- point number is positioned at a position different from the position of the decimal separator of the second fixed-point number.
  • the decimal separator of the first and second fixed-point number may be positioned at selected positions.
  • the resulting number may be expressed as a variable selected from the group consisting of: an integer number, a floating point number, and a fixed-point number.
  • the mathematical system may comprise one or more differential equations, or one or more discrete maps or mappings.
  • the mathematical system may comprise one or more ordinary differential equations and/or one or more partial differential equations.
• among discrete mappings, the mathematical system may comprise one or more area-preserving maps and/or one or more non-area-preserving maps. At least one function of the mathematical system may be non-linear.
  • the method is also applicable to other types of functions or equations, including integral equations.
  • the at least one non-linear differential equation or mapping may exhibit chaotic behavior, i.e. it may have at least one positive Lyapunov exponent, in which case the method may comprise computing a Lyapunov exponent at least once during the mathematical computations.
  • the method may advantageously be applied in a pseudo-random number generating method, such as in an encryption/decryption method.
  • At least one Lyapunov exponent may be computed at least once during the mathematical computations in order to determine whether the mathematical system exhibits chaotic behavior. If this is not the case, e.g. if the computed Lyapunov exponent is not positive, the computations may be interrupted and resumed from other initial values and/or other parameters.
• the at least one non-linear differential equation or mapping preferably governs at least one state variable, X, which may be a function of at least one independent variable, t.
  • the mathematical system may comprise one or more of the following systems:
• dissipative flows including the Lorenz system, coupled Lorenz systems, the Rössler system, coupled Rössler systems, the hyperchaotic Rössler system, the Ueda system, the simplest quadratic dissipative chaotic flow, the simplest piecewise linear dissipative chaotic flow
• non-autonomous systems including forced systems, such as the forced Duffing's equation, forced negative resistance oscillator, forced Brusselator, forced damped pendulum equation, coupled pendulums, forced double-well oscillator, forced Van der Pol oscillator,
• maps which are piecewise linear in any dimension, such as a tent map, an asymmetric tent map, the 2x modulo 1 map, and also the Anosov map, the generalized Baker's map, the Lozi map, as well as higher order generalizations and/or couplings of piecewise linear maps
• polynomial maps of quadratic or higher order, including the logistic map, the Hénon map, and higher order generalizations and/or couplings of polynomial maps, e.g. N coupled logistic maps, N coupled Hénon maps,
• trigonometric maps including a sine circle map, a sine map, the Chirikov standard map, the Yale map, the standard map, and higher order generalizations and/or couplings of trigonometric maps,
• the Rössler system referred to above has the form:
  • the Henon map referred to above has the form:
• the Anosov map, often referred to as the cat map, has the form:
• the map is composed of two steps: i) a linear matrix multiplication, ii) a non-linear modulo operation, which forces the iterates to remain within the unit square. It is possible to generalize the Anosov map to an arbitrary number of variables. Furthermore, the matrix may have arbitrary coefficients, limited only by the requirement of being area-preserving and giving the system at least one positive Lyapunov exponent. These exponents can be calculated analytically for such systems. For more details, reference is made to A.J. Lichtenberg and M.A. Lieberman, Regular and Chaotic Dynamics, Springer 1992 (p. 305).
  • Systems of arbitrarily high dimension may be constructed by coupling systems of lower dimensions, referred to as subsystems.
  • the subsystems can be identical or different. They can e.g. be different by using different parameters in the various subsystems, and/or they may be different by employing different equations.
  • the coupling can be a function of one or more of the state variables in the individual subsystems. Several types of coupling exist, including local and global coupling.
  • Local coupling implies that the individual subsystems are affected through a coupling by some but not all the subsystems in the entire system.
  • Examples of local couplings are unidirectional and bi-directional coupling, which implies that the coupling is a function of one and two subsystems, respectively.
• map lattices can be constructed.
• An example of such a system with a local unidirectional coupling is the following M-dimensional system:
  • a usual choice of local coupling can be the diffusive coupling, referring to a type of coupling proportional to the difference between two subsystems. This can be defined as:
• the term global coupling refers to situations where all subsystems are coupled to each other, sometimes termed an all-to-all coupling. This can, for instance, be achieved by letting the coupling be a function of the mean field, i.e. the average of all the subsystems. This is defined by:
  • the coupling function can be any linear or non-linear function of the subsystems.
• Another type of local coupling is the unidirectional local coupling, where a given state is coupled to one of its neighbouring states. This can for example be defined as: $x_i \rightarrow f(x_i) + \varepsilon\, g(x_{i-1}),\quad i \in [1, M]$ where g is either a linear or non-linear function. For the linear case, the system is simply defined by:
• each individual system is coupled to all other systems. This could be done in the following way: $x_i \rightarrow f(x_i) + \varepsilon\, g(x_1, x_2, x_3, \ldots, x_M),\quad i \in [1, M]$ where g is a function of all states in the system and g can be a linear or nonlinear function. Furthermore g can be a linear or nonlinear function of a subset of the M states.
  • a map lattice which is a type of coupled maps may be employed.
• denotes a variable on a lattice (represented by an N-dimensional array of points), the lattice here being a 1D array with M points.
  • Each point on the lattice is updated according to the function on the right hand side of the arrow, where the function f may for example be the logistic map.
• neighbouring points on the lattice couple linearly, where the linear coupling is adjusted by two coupling parameters.
  • Boundary conditions refer to the way lattice elements 1 and M are treated.
  • the parameters may be constant or variable, variable parameters contributing, e.g., to the results of the computations being more unpredictable which may be useful in a pseudo-random number generating method or in an encryption/decryption method.
  • the computations may comprise numerically iterating the non-linear function, the iteration being based on an initial condition X 0 of the state variable X.
• the step of performing computations may comprise numerically integrating the non-linear differential equations by repeatedly computing a solution $X_{n+1}$ based on one or more previous solutions $X_m$, $m < n+1$, and a step length, $\Delta T_n$, of the independent variable, t.
  • at least one initial condition, X 0 , of the state variable, X, and an initial step length, ⁇ T 0 are provided.
  • the step length may be given before the computations are initiated, or it may be computed as the computations proceed.
  • the initial step length, ⁇ T 0 may be computed from the initial condition X 0 .
  • the step length may vary between equations in a system. It may for example differ from one equation to another.
  • the step length vector ⁇ T is used to represent the step length for each equation in the system.
  • the ⁇ T vector has the same dimension as the system.
• $\Delta t_{x,n}$ is the step length used in the computation of $x_{n+1}$
• $\Delta t_{y,n}$ is the step length used in the computation of $y_{n+1}$, $\Delta t_{z,n}$ is the step length used in the computation of $z_{n+1}$.
  • the step length ⁇ T may be constant or may vary throughout the computations.
• at least one of the elements ($\Delta t_{x,n}$, $\Delta t_{y,n}$, $\Delta t_{z,n}$) of the step length $\Delta T$ may be a function of one or more numbers involved in or derived from the computations.
• at least one of the elements ($\Delta t_{x,n}$, $\Delta t_{y,n}$, $\Delta t_{z,n}$) of the step length $\Delta T$ may be a function of at least one solution, $X_m$, which is a current or previous solution to the mathematical system.
• At least one of the elements ($\Delta t_{x,n}$, $\Delta t_{y,n}$, $\Delta t_{z,n}$) of the step length $\Delta T$ is a function of at least one step length, $\Delta T_m$, which is a current or previous integration step.
• the varying step length ΔT may be used in any numerical solution of differential equations, and accordingly there is disclosed a method of numerically solving differential equations using a variable step length.
  • the variable step length may contribute to improving the security of the system, i.e. to make the resulting keystream more unpredictable.
  • the initial condition X 0 and/or the initial step length ⁇ T 0 may be calculated from or represent a seed value.
  • at least a part of the initial condition X 0 and/or at least a part of the initial step length ⁇ T 0 may be calculated from or represent an encryption key.
  • at least a part of at least some of the parameters of the mathematical system may be calculated from or represent a seed value or an encryption key.
  • the key may be a public or a private key.
  • the extracted set of data may comprise a pseudo-random number which may be used for encryption.
  • a plurality of numbers resulting from the computations may be extracted.
  • the step of extracting may comprise extracting one or more numbers derived from a number, k, of bits of the resulting number, such as the k least significant bits from the resulting number or numbers, which contributes to the unpredictability of the derived number.
  • the k bits extracted may for example be derived by applying a modulus or a logical "and" function to the resulting number or numbers.
  • the step of extracting may comprise extracting k bits at predetermined or variable positions in the resulting number.
• the number k may be an integer value selected in the range between 8 and 128, such as 16 to 64, such as 24 to 32.
  • the extracted numbers may be derived by means of different values of k, which further contributes to the unpredictability of the derived number.
  • the extracted number or numbers may be manipulated by means of arithmetic and/or logical operations, so as to obtain a combined set of data.
  • One or more of the extracted numbers and/or the combined set of data may be combined with original data in an arithmetic and/or logical operation, so as to encrypt the original data.
• one or more of the extracted numbers and/or the combined set of data may be combined with encrypted data in an arithmetic and/or logical operation, so as to decrypt the encrypted data and obtain the original data.
  • the arithmetic and/or logical operation may comprise an XOR operation, multiplication or addition.
  • the arithmetic and/or logical operation may comprise addition of the original data and the combined set of data for encryption, and subtraction of the combined set of data from the encrypted data for decryption.
  • the arithmetic and/or logical operation comprises subtraction of the combined set of data from the original data for encryption, and addition of the combined set of data and the encrypted data for decryption.
• the extracted set of data may comprise data derived from a plurality of numbers, where one set of bits, for example the k least significant bits, is extracted from one number and other bits, for example the 47th to 54th bits of a 64-bit number, are extracted from another number.
• the computations may involve data representing a block of plaintext, so that the plaintext and a key are entered into, e.g., an encryption system which gives the ciphertext as an output.
  • the extracted set of data may be used to define at least one operation on a block of plaintext in the block-cipher encryption and decryption system.
  • the methods described herein may be applied in a block-cipher algorithm, wherein a block of plaintext is divided into two sub-blocks, and one sub-block is used to influence the other, for example where a modified version of a first block (or a part thereof) is used to influence the other (or a part thereof), e.g., by an XOR function.
  • Such an algorithm is generally referred to as a Feistel Network, cf. Applied Cryptography by Bruce Schneier, Second Edition, John Wiley & Sons, 1996.
  • the first sub-block or the modified version thereof may be transformed by a Hash function relying on the method, the Hash function being given a cryptographic key as an input.
  • a new cryptographic key may be given as input to the Hash function.
  • the same cryptographic key may be given to the Hash function in all rounds.
  • the cryptographic key may vary from block to block, for example by giving the same cryptographic key as an input in all rounds for each block, or by giving different cryptographic keys as inputs for each block and for each round.
  • the extracted data may be used as a decryption or an encryption key.
  • the extracted set of data from one of the systems may be used to generate keys or used as keys for the other system.
  • the extracted data may also be used in generation of data representing a digital signature, and/or in watermarking of digital data.
• the electronic device may comprise an electronic processing unit having a register width, whereby the method may comprise the steps of: expressing at least one integer number of a bit width larger than said register width as at least two sub-numbers each having a bit width which is at most equal to said register width,
• computations on numbers of a width smaller than the register width of the processor may also be performed, in which case an operation, for example a logical AND, may be applied so that the upper half of, e.g., a 64-bit register is not used for computations on 32-bit numbers.
• alternatively, the most significant bit of, e.g., the 32-bit number may be copied into the upper 32 bits of the 64-bit register (sign extension of a signed 32-bit number).
  • the integer numbers usually comprise or represent the fixed-point number or numbers used in the computations.
  • a fixed-point number expressed in terms of an integer type number may represent a real number.
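Worked example for the two register-width points above (a number wider than the register held as two sub-numbers, and the choice between masking and copying the most significant bit when a narrower number sits in a wider register). This is added illustration code, not the patent's implementation; the type and function names are this example's own, and the 16-bit partial-product scheme is one standard way of doing the split.

```c
#include <stdint.h>

/* Added example, not the patent's code: a 64-bit quantity held as two 32-bit
 * sub-numbers (hi, lo). Only 32-bit operations touch the sub-numbers; the
 * 32x32 product is built from 16x16 partial products, so no intermediate
 * needs more than a 32-bit register. */
typedef struct { uint32_t hi, lo; } u64_pair;

/* 64-bit addition on two 32-bit registers: the carry out of the low word feeds the high word. */
static u64_pair pair_add(u64_pair a, u64_pair b)
{
    u64_pair r;
    r.lo = a.lo + b.lo;                 /* wraps mod 2^32 */
    uint32_t carry = (r.lo < a.lo);     /* set exactly when the low addition wrapped */
    r.hi = a.hi + b.hi + carry;         /* wraps mod 2^32: overflow at 2^64 is silently dropped */
    return r;
}

/* 32x32 -> 64-bit product from four 16x16 -> 32-bit partial products. */
static u64_pair mul32_to_pair(uint32_t a, uint32_t b)
{
    uint32_t a0 = a & 0xFFFFu, a1 = a >> 16;
    uint32_t b0 = b & 0xFFFFu, b1 = b >> 16;
    uint32_t p00 = a0 * b0, p01 = a0 * b1, p10 = a1 * b0, p11 = a1 * b1;
    /* middle column: at most 3 * (2^16 - 1) + 1 < 2^18, so it fits in 32 bits */
    uint32_t mid = (p00 >> 16) + (p01 & 0xFFFFu) + (p10 & 0xFFFFu);
    u64_pair r;
    r.lo = (mid << 16) | (p00 & 0xFFFFu);
    r.hi = p11 + (p01 >> 16) + (p10 >> 16) + (mid >> 16);
    return r;
}

/* Comparison against a native 64-bit value, for checking the split arithmetic. */
static int pair_equals(u64_pair p, uint64_t v)
{
    return p.hi == (uint32_t)(v >> 32) && p.lo == (uint32_t)v;
}

/* The opposite situation: a 32-bit number carried in a 64-bit register.
 * Masking keeps the upper half zero (unsigned view); copying the most
 * significant bit into the upper 32 bits keeps the sign of a signed value. */
static uint64_t widen_unsigned32(uint32_t x)
{
    return (uint64_t)x & 0xFFFFFFFFull;
}

static uint64_t widen_signed32(uint32_t x)
{
    uint64_t upper = (x & 0x80000000u) ? 0xFFFFFFFF00000000ull : 0ull;
    return upper | x;
}
```

The product routine is exact because the true 64-bit product of two 32-bit values never exceeds 2^64 - 2^33 + 1, so the high word assembled from the partial products always fits; the addition routine, by contrast, deliberately wraps at 2^64, which is the modulus behaviour the text relies on elsewhere.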
  • a method of detecting periodic behavior in the solution of a mathematical system comprising at least one non-linear function governing at least one state variable with respect to at least one independent variable, comprises:
• resulting numbers representing at least parts of solutions to the mathematical system
  • the step of determining whether a current solution or a particular one of the solutions stored in the array is substantially identical to one or more other solutions stored in the array preferably comprises determining whether the solutions are completely identical.
  • the step of determining may comprise determining whether only some of the entries of X are substantially identical.
• each entry in the array may contain a solution having an age which is growing by array level, $A_i$, $0 \le i \le n$, and the method may comprise:
• the number of times an old value stored at the i'th level has been overwritten by a new value without the old value being transferred to the (i+1)'th level may be counted, the i'th predetermined criterion being fulfilled if the old value has not been transferred for a predetermined number of times.
  • the predetermined number of times may be the same for all levels of the array, A, or it may vary between the levels.
  • the predetermined number of times for the i'th level of the array, A may for example be dependent on one or more values stored in the array, such as when there occurs a change of sign in one or more of the values.
  • the step of determining whether a current solution or a particular one of said solutions stored in the array is substantially identical to one or more other solutions stored in the array may only be performed when a test criterion is fulfilled.
  • the test criterion may be fulfilled when the sign of at least one state variable changes from + to -, or from - to +, or both.
  • the test criterion may also be fulfilled when there occurs a change of sign of at least one derivative of at least one state variable with respect to at least one independent variable, in which case the method further comprises computing the derivative.
  • a test value may be computed from the at least one state variable and/or from the derivative, the test criterion being based on the test value.
  • the test criterion may for example be fulfilled when there occurs a change of sign in the test value or in a derivative of the test value, or predetermined values may be provided.
  • a method of generating a pseudo-random number comprises:
• V) extracting, as the pseudo-random number, a number derived from at least one number which has occurred during the computations.
  • the seed value may be a user-defined value, such as an encryption/decryption key in case the method is applied in an encryption/decryption method.
• the pseudo-random number may be extracted as a number derived from k bits of the one or more numbers which have occurred during the computations, e.g. the k least significant bits or k selected bits of the one or more numbers.
  • the method may comprise repeating steps IV) and V) until a given amount of pseudorandom numbers has been generated.
  • a given amount of pseudo-random numbers may be generated and stored in a memory of the electronic device as a spare seed value, which may, e.g., be used if periodic behavior is detected by the above method or by another method.
  • the given amount of pseudo-random numbers may be stored internally in an algorithm.
  • the method may further comprise a method for detecting periodic behavior as discussed above.
• the method for generating a pseudo-random number may comprise, if the step of determining whether a current solution or a particular one of said solutions stored in the array is substantially identical to one or more other solutions stored in the array reveals that the current solution or the particular solution is identical to one or more other solutions: interrupting the pseudo-random-number generation, i.e. interrupting repetition of steps IV) and V), using the spare seed value as the seed value in step II), and resuming the pseudo-random-number generation, i.e. resuming repetition of steps IV) and V).
  • a spare encryption/decryption key may be used if periodic behavior is detected.
  • a given amount of pseudo-random numbers may be generated and stored, in a memory of the electronic device, as a new spare seed value.
  • Each level in the array, A is preferably reset prior to step IV), when steps IV) and V) are initiated with a new seed value at step II).
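Worked example of the levelled array described above (levels holding solutions of growing age, an overwrite count per level that decides when an evicted value is transferred to the next level, exact identity as the strict form of "substantially identical", and the reset of every level when the generator is restarted from a spare seed). The code is an added illustration and not the patent's; the number of levels, the transfer count and the constructed test sequence are choices made here.

```c
#include <stdint.h>
#include <string.h>

/* Added example, not the patent's code: a multi-level array A_0..A_3 of earlier
 * solutions for detecting that an orbit has become periodic. Level 0 always holds
 * the previous solution; when level i has been overwritten PD_TRANSFER_COUNT times
 * the value being evicted is transferred to level i+1 instead of being dropped, so
 * higher levels hold progressively older solutions. */
#define PD_LEVELS 4
#define PD_TRANSFER_COUNT 4

typedef struct {
    uint32_t value[PD_LEVELS];
    int      filled[PD_LEVELS];
    int      overwrites[PD_LEVELS];  /* overwrites of level i since its last transfer upward */
} perdet_t;

/* Reset every level: done whenever the generator restarts from a (spare) seed. */
static void perdet_reset(perdet_t *d)
{
    memset(d, 0, sizeof *d);
}

/* Compare the current solution with every stored one, then store it.
 * Returns 1 if the current solution is identical to a stored (older) one. */
static int perdet_check_and_store(perdet_t *d, uint32_t cur)
{
    int hit = 0;
    for (int i = 0; i < PD_LEVELS; i++) {
        if (d->filled[i] && d->value[i] == cur) { hit = 1; break; }
    }

    uint32_t carry = cur;
    for (int i = 0; i < PD_LEVELS; i++) {
        if (!d->filled[i]) {               /* first value to reach this level */
            d->value[i] = carry;
            d->filled[i] = 1;
            break;
        }
        uint32_t old = d->value[i];
        d->value[i] = carry;
        if (++d->overwrites[i] < PD_TRANSFER_COUNT)
            break;                          /* i'th criterion not met: old value is discarded */
        d->overwrites[i] = 0;
        carry = old;                        /* i'th criterion met: old value goes to level i+1 */
    }
    return hit;
}

/* Run a whole sequence through the detector; returns the index at which periodic
 * behaviour is first detected, or -1 if the sequence never closes on itself. */
static int perdet_first_hit(const uint32_t *seq, int len)
{
    perdet_t d;
    perdet_reset(&d);
    for (int n = 0; n < len; n++)
        if (perdet_check_and_store(&d, seq[n])) return n;
    return -1;
}

/* Constructed test sequence (not real generator output): 20 distinct transient
 * values followed by a cycle of length 30, like an orbit settling on a periodic attractor. */
static void make_eventually_periodic(uint32_t *seq, int len)
{
    for (int n = 0; n < len; n++)
        seq[n] = n < 20 ? 1000u + (uint32_t)n : 1u + (uint32_t)((n - 20) % 30);
}
```

With four levels and four overwrites per transfer, level 0 holds the previous solution (age 1) and levels 1 to 3 hold solutions whose age sweeps over 2 to 5, 6 to 21 and 22 to 85 steps respectively, so any period up to 85 is eventually detected: for the constructed sequence the hit comes at index 93, when level 3 still holds the value from index 63. A generator using this would stop at the hit, load the spare seed value and call perdet_reset before resuming; the sign-change test criterion of the text would simply gate the call to perdet_check_and_store.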
  • a method of encrypting a set of original data into a set of encrypted data comprises the steps of:
• IV) performing computations including the at least one variable expressed as a fixed-point number and obtaining, from the computations, a resulting number, the resulting number representing at least one of: a. at least a part of a solution to the mathematical system, and b. a number usable in further computations involved in the numerical solution of the mathematical system,
• V) extracting, as the pseudo-random number, a number derived from at least one number which has occurred during the computations,
• in step A), a sub-set of the original data may be separated from the set of data, and step B) may be performed on the sub-set of data. This may be repeated until a plurality of sub-sets which together constitute the entire set of original data have been encrypted.
  • the pseudo-random number may be extracted as a number derived from the k bits of the one or more numbers which have occurred during the computations, e.g. the k least significant bits or k selected bits.
• Steps IV) and V) may be repeated until a given amount of pseudo-random numbers has been generated.
  • a given amount of pseudo-random numbers may be generated and stored in a memory of the electronic device as a spare encryption key.
  • a number resulting from or occurring in at least one integration or iteration step of the computations may be stored as a spare encryption key.
  • the spare encryption key may, e.g., be used if encryption is interrupted due to the occurrence of periodic behavior in the solution to the mathematical system. In case no output of the spare encryption key is needed, it may be stored internally in an encryption algorithm. When the method is used for decryption, the spare key is a decryption key.
• the method may comprise a method for detecting periodic behavior, in which case the method for encrypting may comprise, if the step of determining whether a current solution or a particular one of said solutions stored in the array is substantially identical to one or more other solutions stored in the array reveals that the current solution or the particular solution is identical to one or more other solutions: interrupting the pseudo-random number generation, i.e. interrupting repetition of steps IV) and V), using the spare encryption key as the encryption key in step II), and resuming the pseudo-random number generation, i.e. resuming repetition of steps IV) and V).
  • a given amount of pseudo-random numbers may be generated and stored in a memory of the electronic device as a new spare encryption key.
  • each level in the array, A is reset prior to step IV), when steps IV) and V) are initiated with a new seed value at step II).
  • a method of decrypting a set of encrypted data which has been encrypted by the method discussed above comprises the steps of: a) performing step A) as defined above in connection with the encryption method, so as to extract the same pseudo-random number as extracted in step V) of the encryption method, b) manipulating the encrypted data and the pseudo-random number by means of arithmetic and/or logical operations, so as to obtain the original, i.e. decrypted, version of the data.
  • a sub-set of the encrypted data may be separated from the set of encrypted data, and in case the sub-set of data has been encrypted by the above encryption method, the method of decrypting may comprise performing steps a) and b) on the sub-set of data. This step may be repeated until a plurality of sub-sets which in common constitute the entire set of encrypted data have been decrypted.
  • Any of the steps of the encryption method may be applied in an identical manner when decrypting the encrypted data as during the previous sequence of encrypting the original data.
  • a method of generating a pseudo-random number comprises, in one instance: I) expressing a mathematical system in discrete terms,
  • Computations in the two or more instances may be performed either at the same time, or successively.
  • the computations in the two or more instances may be performed by executing instructions which process a plurality of computations at the same time, or by executing instructions which only process a single computation at a time.
  • pseudo-random number generation in a plurality of instances in parallel may, in some cases, be faster than if the steps are performed in one instance only, in particular if the hardware on which the method is executed supports parallel processing.
  • a larger key length in encryption may be applied than if only one instance were used. For example, one part of an encryption key may be used for a first instance, and another part of the encryption key may be used for a second instance.
  • Mathematical systems of arbitrarily high dimension may be constructed by coupling systems of lower dimension, referred to as subsystems.
  • N logistic maps can be coupled, yielding an N-dimensional system.
  • the coupling mechanism can be engineered by including either linear or non-linear coupling functions in the N different maps corresponding to the N different variables.
  • the coupling function in the map governing one variable may or may not depend on all other variables.
  • the coupling can be carried out by substituting one of the N variables into one or more of the N-1 remaining maps.
  • Two or more logistic maps may be coupled through linear coupling terms.
• the parameters $\varepsilon_1$ and $\varepsilon_2$ in front of the coupling terms control the strength of the coupling, i.e. the degree of impact that each one of the two logistic maps has on the other one.
• Numbers or data may be transmitted between the plurality of instances at least while performing step IV) for each of the instances. The same applies to step V).
  • the method may comprise combining, by use of arithmetic and/or logical operations, a plurality of pseudo-random numbers extracted at step V) in each of the instances into a common pseudo-random number.
  • Parameter and/or variable values, or parts thereof, may be exchanged between the two instances.
• $x_{n+1}$ of one instance and $x_{n+1}$ of another instance may be exchanged after each iteration step, or $x_{n+1}$ of one instance may be exchanged with $y_{n+1}$ of another instance.
• the step length $\Delta t_n$ may be exchanged between the two instances.
  • the exchange of variable or parameter values may also be achieved by performing logical and/or arithmetic operations on a value of a first instance before using that value for modifying a value of a second instance.
• a method of performing numerical computations in a mathematical system comprising at least one function may comprise the steps of: expressing the mathematical system in discrete terms,
• the step of performing computations comprising: repeatedly computing a solution $X_{n+1}$ based on at least one previous solution $X_m$, $m < n+1$, whereby the step of performing computations is initiated based on at least one initial condition, $X_0$, of the state variable, X, the method further comprising:
  • the cryptographic key may further be used for initializing parameters of the mathematical system.
  • a method of determining an identification value for identifying a set of data comprises performing numerical computations in a mathematical system comprising at least one function, the method comprising the steps of:
• the above method may be regarded as a hash function or hash algorithm, which have been discussed in detail above.
  • the identification value may be constituted by a number of extracted numbers which have been extracted at different computational stages in the numerical computations. Extraction may occur at each computational step or at each iteration step, or it may occur only at selected computational stages.
• the identification value may be a hash value or a cryptographic check-sum which identifies the set of data, cf. for example Applied Cryptography by Bruce Schneier, Second Edition, John Wiley & Sons, 1996.
• such a keyed hash function is usually referred to as a MAC (Message Authentication Code) function.
  • the mathematical system may comprise a differential equation, such as a partial differential equation or an ordinary differential equation, or a discrete mapping, such as an area- preserving map or a non area-preserving map.
  • the mathematical system may comprise at least one non-linear mapping function governing at least one state variable X.
• a non-linear mapping function may for example comprise a logistic map of the form wherein λ is a parameter, $x_{n+1}$ is the value of state variable x at the (n+1)'th stage in the computations, and $x_n$ is the value of state variable x at the n'th stage in the computations.
• $x_n$ is the value of state variable x at the n'th stage in the computations, and $m_n$ contains a representation of the n'th portion of the set of data.
• a cryptographic key may be used for at least partially determining at least one of the following: the parameters of the mapping function, such as λ, and an initial value $x_0$ of state variable x.
  • the mathematical system may comprise a set of non-linear mapping functions, such as: - an Anosov map of the form:
  • the mathematical system may comprise at least one non-linear differential equation and/or a set of non-linear differential equations.
  • the mathematical system has at least one positive Lyapunov exponent, whereby a certain degree of irregular or chaotic behavior is achieved, whereby randomness properties of the system and security are enhanced.
  • At least one Lyapunov exponent may be computed at least once during the mathematical computations in order to determine whether the mathematical system exhibits chaotic behavior. If this is not the case, e.g. if the computed Lyapunov exponent is not positive, the computations may be interrupted and resumed from other initial values and/or other parameters.
• the at least one non-linear differential equation preferably governs at least one state variable, X, which is a function of at least one independent variable, t.
  • the set of non-linear differential equations may for example comprise a Lorenz system.
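Worked example of the Lyapunov-exponent check stated above, both in the pseudo-random-number context and again here: compute the exponent along the orbit, and interrupt and restart from other parameters or initial values when it is not positive. The map used is the logistic map mentioned in the text. This is added code, not the patent's; the candidate parameter values, the initial value and the bits-per-iteration estimator (which avoids calling a logarithm) are this example's own choices.

```c
/* Added example, not the patent's code. Largest Lyapunov exponent of the logistic
 * map x_{n+1} = r x_n (1 - x_n), in bits per iteration: (1/N) sum log2|f'(x_n)|
 * with f'(x) = r (1 - 2x). Instead of calling log(), the running product of |f'|
 * is kept in [1, 2) by halving or doubling and the net number of halvings is
 * counted; that brackets the exponent to within 1/N bits and needs no math
 * library. Positive => sensitive dependence on initial conditions (chaotic);
 * negative => the orbit has been attracted to a periodic cycle. */
static double logistic_lyapunov_bits(double r, double x0, int transient, int samples)
{
    double x = x0, mantissa = 1.0;
    long halvings = 0;
    for (int i = 0; i < transient; i++)          /* let the orbit reach the attractor */
        x = r * x * (1.0 - x);
    for (int i = 0; i < samples; i++) {
        double stretch = r * (1.0 - 2.0 * x);    /* |f'(x_n)|: local stretching factor */
        if (stretch < 0.0) stretch = -stretch;
        if (stretch == 0.0) return -1.0e9;       /* orbit hit x = 1/2 exactly: superstable cycle */
        mantissa *= stretch;
        while (mantissa >= 2.0) { mantissa *= 0.5; halvings++; }
        while (mantissa < 1.0)  { mantissa *= 2.0; halvings--; }
        x = r * x * (1.0 - x);
    }
    return (double)halvings / samples;
}

/* The acceptance test described in the text: keep (r, x0) only when the computed
 * exponent is positive; otherwise the caller must try other parameters or initial values. */
static int accept_parameters(double r, double x0)
{
    return logistic_lyapunov_bits(r, x0, 1000, 20000) > 0.0;
}

/* Restart loop: walk through candidate parameter values until one passes the check.
 * Returns the accepted r, or a negative value if no candidate is chaotic. */
static double first_chaotic_parameter(const double *candidates, int n, double x0)
{
    for (int i = 0; i < n; i++)
        if (accept_parameters(candidates[i], x0)) return candidates[i];
    return -1.0;
}
```

For r = 3.2 and r = 3.5 the orbit settles on a period-2 and a period-4 cycle and the estimate is clearly negative; for r = 3.99 it is about 0.9 bits (roughly 0.6 nats) per iteration, so that parameter would be kept. The estimator works on doubles; the text's generator runs the map itself in fixed point, and there the same check can be applied to the fixed-point orbit.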
  • a method of performing numerical computations in a mathematical system comprising at least one function comprises the steps of:
  • a resulting number representing at least one of: a. a part of a solution to the mathematical system, and b. a number usable in further computations involved in the numerical solution of the mathematical system,
  • the step of assigning a value within the range may be seen as a modulus function.
  • the steps of the method may thus provide deliberate overflow, e.g. in order to enhance randomness properties of an encryption/decryption system and/or in order to make it more difficult to derive information about internal states of the mathematical system from encrypted data.
  • the above method may thus be a part of a pseudo-random number generating method which, e.g., generates pseudo-random numbers for use in at least one of encryption and decryption.
  • the mathematical system preferably has at least one positive Lyapunov exponent.
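Worked example tying together several passages above: the coupled-map-lattice construction (logistic maps on a 1D lattice with unidirectional diffusive coupling and periodic boundary), the extraction of k least significant bits combined with other bits by a logical operation, the XOR-based encryption and decryption, and the deliberate overflow described immediately above, where the result of each integer operation is simply taken modulo 2^32. This is a toy illustration written for this page, not the patent's or Cryptico's cipher: the fixed-point formats, the lattice size, the parameter values and the counter added to cell 0 are all choices of this example, and the construction is not claimed to be secure.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not the patent's code. Fixed-point conventions assumed here:
 *   cell state x[i] : U(0.32), the real value is x / 2^32 in [0, 1)
 *   lambda          : U(4.28), so 4.0 is 0x40000000
 *   eps             : U(0.32), the diffusive coupling strength
 * Every product is computed in 64 bits and truncated back to 32: that is the
 * "assign a value within the range" (modulus) step, i.e. deliberate overflow. */
#define LAT_M 4

typedef struct {
    uint32_t x[LAT_M];
    uint32_t lambda;
    uint32_t eps;
    uint32_t counter;   /* this example's addition: a counter mixed into cell 0 so the lattice cannot rest at 0 */
} lattice_t;

/* One logistic-map step lambda * x * (1 - x) in fixed point. */
static uint32_t logistic_step(uint32_t x, uint32_t lambda)
{
    uint32_t one_minus_x = 0xFFFFFFFFu - x;                       /* (1 - x) minus one ulp */
    uint32_t p = (uint32_t)(((uint64_t)x * one_minus_x) >> 32);    /* x(1 - x) in U(0.32) */
    return (uint32_t)(((uint64_t)p * lambda) >> 28);               /* back to U(0.32), mod 2^32 */
}

/* x_i <- f(x_i) + eps * (x_{i-1} - x_i): unidirectional diffusive coupling, mod 2^32. */
static void lattice_next(lattice_t *s)
{
    uint32_t nx[LAT_M];
    for (int i = 0; i < LAT_M; i++) {
        uint32_t prev = s->x[(i + LAT_M - 1) % LAT_M];   /* periodic boundary: cell 0 sees cell M-1 */
        uint32_t diff = prev - s->x[i];                  /* wraps when prev < x[i] */
        uint32_t coupling = (uint32_t)(((uint64_t)s->eps * diff) >> 32);
        nx[i] = logistic_step(s->x[i], s->lambda) + coupling;
    }
    s->counter += 0x9E3779B9u;     /* constant stride, an assumption of this example */
    nx[0] += s->counter;
    memcpy(s->x, nx, sizeof nx);
}

/* Key -> initial conditions; parameters fixed; a few iterations discarded before extraction. */
static void lattice_seed(lattice_t *s, const uint8_t key[16])
{
    for (int i = 0; i < LAT_M; i++)
        s->x[i] = ((uint32_t)key[4 * i] << 24) | ((uint32_t)key[4 * i + 1] << 16) |
                  ((uint32_t)key[4 * i + 2] << 8) | (uint32_t)key[4 * i + 3];
    s->lambda = 0x3FD70A3Du;       /* about 3.99 in U(4.28) */
    s->eps = 0x10000000u;          /* 1/16 in U(0.32) */
    s->counter = 0;
    for (int i = 0; i < 16; i++) lattice_next(s);
}

/* Extraction: k = 16 least significant bits of cells 0 and 1, XORed with the
 * 16 most significant bits of cells 3 and 2, giving one 32-bit keystream word. */
static uint32_t lattice_extract(const lattice_t *s)
{
    uint32_t lo0 = s->x[0] & 0xFFFFu, lo1 = s->x[1] & 0xFFFFu;
    uint32_t hi2 = s->x[2] >> 16,     hi3 = s->x[3] >> 16;
    return ((lo0 ^ hi3) << 16) | (lo1 ^ hi2);
}

/* Stream-cipher use: out = in XOR keystream. The same call decrypts. */
static void lattice_crypt(const uint8_t key[16], const uint8_t *in, uint8_t *out, size_t len)
{
    lattice_t s;
    lattice_seed(&s, key);
    for (size_t i = 0; i < len; i += 4) {
        lattice_next(&s);
        uint32_t w = lattice_extract(&s);
        for (size_t j = 0; j < 4 && i + j < len; j++)
            out[i + j] = in[i + j] ^ (uint8_t)(w >> (8 * j));
    }
}
```

For lambda = 4.0 and x = 1/2 the fixed-point step returns 0xFFFFFFFC, i.e. just under 1.0, which shows how close the map runs to the top of the U(0.32) range before wrapping. Because the keystream is XORed in, lattice_crypt both encrypts and decrypts; a real design would add the periodicity check from the text, since fixed-point logistic maps fall into short cycles, and would never reuse a key with the same counter start, as that repeats the keystream.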
  • a further method of performing numerical computations in a mathematical system comprising at least one function comprises: - expressing the mathematical system in discrete terms,
  • This method constitutes an independent aspect of the present invention.
  • the resulting number is usually a fixed-point number having a fixed position of the decimal separator.
  • the position of the decimal separator in the resulting number may be corrected after the computation has been completed.
  • a third possibility is to correct the position of the decimal separator before and after performing the computation. This may be relevant if not all positions to the left of the decimal separator in the resulting number are used, and it is desired to maintain a relatively higher resolution in the computations than the resolution of the resulting number.
• suppose the resulting number is desired to have an S(10.21) format.
• the addition of, say, two S(7.24) format numbers may then be performed in an S(8.23) format, which is afterwards converted to the S(10.21) format of the resulting number.
• in this way the carries from the second and third least significant bits of the arguments, which would be lost if the arguments were first converted to S(10.21), can still influence the result.
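Worked example of the fixed-point handling discussed in this section and in the fixed-point passages earlier on the page: numbers with separately placed separators in the S(a.b) notation, checked overflow instead of silent wraparound where overflow is not wanted, repositioning of the separator before and after a computation, and the S(7.24) to S(8.23) to S(10.21) addition just described. This is added illustration code, not the patent's; all function names are this example's own.

```c
#include <stdint.h>

/* Added example, not the patent's code: signed fixed-point numbers in 32-bit
 * integers. S(a.b) means one sign bit, a integer bits and b fractional bits
 * (a + b = 31); the int32_t holds value * 2^b and the separator is imaginary.
 * Right moves of the separator truncate toward minus infinity; left moves and
 * additions are checked for overflow rather than wrapping. */

/* floor(x / 2^k) computed with division so it does not depend on how the
 * compiler shifts negative numbers. */
static int32_t fx_shr(int32_t x, int k)
{
    int64_t d = (int64_t)1 << k;
    int64_t q = x / d;
    if (x < 0 && x % d != 0) q--;
    return (int32_t)q;
}

/* Move the separator from b_from to b_to fractional bits. Returns 0 if the value
 * no longer fits (a left move needs more integer bits than the format has). */
static int fx_reposition(int32_t x, int b_from, int b_to, int32_t *out)
{
    if (b_to <= b_from) { *out = fx_shr(x, b_from - b_to); return 1; }
    int64_t wide = (int64_t)x * ((int64_t)1 << (b_to - b_from));
    if (wide > INT32_MAX || wide < INT32_MIN) return 0;
    *out = (int32_t)wide;
    return 1;
}

/* Checked addition of two numbers that share a separator position. */
static int fx_add_checked(int32_t a, int32_t b, int32_t *out)
{
    int64_t s = (int64_t)a + (int64_t)b;
    if (s > INT32_MAX || s < INT32_MIN) return 0;   /* caller must move the separator left first */
    *out = (int32_t)s;
    return 1;
}

/* Product of numbers with different separator positions: the 64-bit product has
 * b_a + b_b fractional bits and is then moved to the b_out format of the result. */
static int fx_mul(int32_t a, int b_a, int32_t b, int b_b, int b_out, int32_t *out)
{
    int64_t p = (int64_t)a * (int64_t)b;
    int64_t d = (int64_t)1 << (b_a + b_b - b_out);   /* assumes b_a + b_b >= b_out */
    int64_t q = p / d;
    if (p < 0 && p % d != 0) q--;
    if (q > INT32_MAX || q < INT32_MIN) return 0;
    *out = (int32_t)q;
    return 1;
}

/* The text's scenario: two S(7.24) arguments, result wanted in S(10.21).
 * Converting the arguments first discards their three low bits before they can carry. */
static int32_t add_7_24_converting_first(int32_t a, int32_t b)
{
    int32_t r = 0;
    fx_add_checked(fx_shr(a, 3), fx_shr(b, 3), &r);   /* cannot overflow in S(10.21) */
    return r;
}

/* Adding in S(8.23) keeps two more fraction bits during the addition and cannot
 * overflow (|a|, |b| < 2^7, so |a + b| < 2^8); only then is the sum moved to S(10.21). */
static int32_t add_7_24_via_8_23(int32_t a, int32_t b)
{
    int32_t r = 0;
    fx_add_checked(fx_shr(a, 1), fx_shr(b, 1), &r);
    return fx_shr(r, 2);
}
```

add_7_24_via_8_23(7, 7) returns 1 while add_7_24_converting_first(7, 7) returns 0: each raw value 7 is 7 * 2^-24, the exact sum is 14 * 2^-24 = 1.75 * 2^-21, which floors to 1 in S(10.21) only if the low bits survive until after the addition. Adding 100.0 + 100.0 directly in S(7.24) is rejected by fx_add_checked because 200 needs eight integer bits, which is exactly why the text moves to S(8.23) first.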
  • a method of performing numerical computations in a mathematical system comprising at least one function comprises the steps of:
  • - obtaining, from said computations, a resulting number, the resulting number representing at least one of: a. at least a part of a solution to the mathematical system, and b. a number usable in further computations involved in the numerical solution of the mathematical system.
  • a circuit for performing numerical computations in a non-linear mathematical system comprising at least one function
  • the circuit being designed or programmed so that the mathematical system, in the circuit or in the computer program code, is represented in modified terms in such a way that at least a selected one of the numerical computations involves an integer operation, whereby said selected numerical computation in a non-modified representation of the mathematical system would require one or more floating point operations or controlling the positioning of a decimal separator in one or more fixed-point numbers
  • the circuit being designed or programmed so that said selected computation is substituted by at least one substitute computation on one or more integer numbers, whereby the mathematical system, in the circuit or in the computer program code, is represented in such a way that the at least one substitute computation requires no positioning of an imaginary decimal separator.
  • the mathematical system may exhibit chaotic behavior.
  • method comprising, in the circuit or in a computer program segment according to which the circuit operates, the steps of:
  • Fig. 1 is an illustration of a cryptographic method employing a squaring function of a state variable x
  • Fig. 2 is an illustration of a next-state function including a counter increment
  • Fig. 3 is an illustration of the system of Fig. 1 with coupling
  • Fig. 4 is an illustration of a system with counter incrementation
  • Fig. 5 is an illustration of an encryption/decryption process
  • Fig. 6 is an illustration of a sequence for encrypting, transmitting and decrypting electronic data
  • Fig. 7 is an illustration of an encryption sequence in a block cipher system
  • Fig. 8 is an illustration of an encryption sequence in a stream cipher system
  • Fig. 9 is an illustration of the key elements in an encryption/decryption algorithm
  • Fig. 10 is a plot of a numerical solution to a Lorenz system
  • Fig. 11 is an illustration of key extension by padding
  • Fig. 12 illustrates a possible method of simultaneously computing two or more instances of identical or different chaotic systems
  • Fig. 13 illustrates the principle of performing a check for periodic solutions
  • Fig. 14 shows a mathematical system with a periodic solution
  • Fig. 15 illustrates transport between levels in the coordinate cache which stores previously calculated coordinates
  • Figs. 16-18 illustrate various criteria for the detection of periodic solutions
  • Fig. 19 contains an illustration of a method for multiplication of 16-bit numbers on an 8-bit processor
  • Figs. 20-27 are flow charts showing the operation of one embodiment of an encryption method
  • Fig. 28 is an illustration of a mathematical system which may be employed in the methods of the present invention.
  • Figs. 1-5 illustrate various aspects and embodiments of the methods of the invention.
  • stream ciphers produce a stream of pseudo-random bits specified by a key. This stream of bits is referred to as the keystream, and encryption is performed by bitwise XOR'ing a plaintext with the keystream to obtain the ciphertext. The resulting ciphertext is decrypted by reproducing the same keystream specified by the same key and XOR'ing the ciphertext with this keystream to obtain the plaintext.
  • an embodiment of a Pseudo Random Number Generator may be built upon 512 internal bits divided between eight 32-bit state variables and eight corresponding 32-bit counter variables, which are incremented and added to the state variables at each iteration.
  • the PRNG works by iterating a system of eight coupled equations based on a non-linear function and extracting 128 bits from the eight state variables after each iteration.
  • the algorithm is initialized by expanding the 128-bit key into 512 bits which are used to setup both the eight state variables and the eight counter values.
  • the system defined by the next-state function shown in Fig. 1, is then iterated four times in order to diminish correlation between the state variables and the key.
  • the counter values are modified by XOR'ing them with the state variables in order to obtain the initial counter value.
  • a function in the following referred to as the "g-function" may be employed, the g-function squaring a 32-bit number resulting in a 64-bit number, from which the upper 32-bits and the lower 32-bits are XOR'ed, cf. Fig. 1.
  • the g-function is used in the system of eight coupled equations, the system being iterated once in order to generate a new state from which 128-bits of random data are extracted. Before each iteration the counter values are incremented according to the counter system
  • k8 and k16 imply that the coupling includes permutations of the 32 bits, i.e. for a permutation k
  • the expression k × g(x_i) implies that some or all bits in the number g(x_i) are mixed.
  • k8 indicates that the permutation in question is an 8-bit left rotation
  • k16 likewise indicates a 16-bit left rotation.
  • Fig. 3 illustrates such a coupled system.
  • A = (A1, A2, ..., A8) may for example be a 256-bit constant integer partitioned into eight 32-bit integers.
  • Fig. 4 illustrates the counter incrementation.
  • 128 bits of keystream are extracted by XOR'ing different state variables.
  • the upper 16 bits and the lower 16-bits from two different state variables may be XOR'ed creating a total of eight 16 bit combinations resulting in 128-bits of random data.
  • the keystream is XOR'ed with the plaintext/ciphertext to encrypt/decrypt.
  • Fig. 5 illustrates such an encryption/decryption process.
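The next-state, extraction and encryption steps described above, as an added C example that is not code from the patent or from Cryptico. The g-function (square to 64 bits, XOR the halves), the counters that are incremented and added to the state, the four setup iterations, the XOR of counters with state variables and the keystream XOR follow the description; the expansion of the 128-bit key over the 512-bit state, the words of the 256-bit constant A, the exact neighbour pattern of the 8-bit and 16-bit rotations, and the pairing of state variables for the 128-bit extraction are constructed assumptions, as are the names rotl32, pstate_t, key_setup, crypt_bytes and roundtrip_ok.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define NSTATE 8

/* Rotate a 32-bit word left by r bits (0 < r < 32). */
static uint32_t rotl32(uint32_t v, unsigned r) { return (v << r) | (v >> (32 - r)); }

/* g-function: square the 32-bit input into a 64-bit product and
   XOR the upper 32 bits with the lower 32 bits. */
uint32_t g_function(uint32_t x) {
    uint64_t sq = (uint64_t)x * (uint64_t)x;
    return (uint32_t)(sq >> 32) ^ (uint32_t)sq;
}

typedef struct {
    uint32_t x[NSTATE];   /* eight 32-bit state variables   */
    uint32_t c[NSTATE];   /* eight 32-bit counter variables */
    uint32_t carry;       /* carry left over from the previous counter update */
} pstate_t;

/* Constructed 256-bit constant A as eight 32-bit words (arbitrary values,
   not the patent's); the counters are incremented by these words. */
static const uint32_t A[NSTATE] = {
    0x9E3779B9u, 0x3C6EF372u, 0xDAA66D2Bu, 0x78DDE6E4u,
    0x1715609Du, 0xB54CDA56u, 0x5384540Fu, 0xF1BBCDC8u
};

/* Counter system: each counter gets its word of A plus the carry from the
   previous word, modulo 2^32, so the eight words behave as one 256-bit adder. */
static void counter_step(pstate_t *s) {
    uint32_t carry = s->carry;
    for (int j = 0; j < NSTATE; j++) {
        uint64_t t = (uint64_t)s->c[j] + A[j] + carry;
        s->c[j] = (uint32_t)t;
        carry = (uint32_t)(t >> 32);
    }
    s->carry = carry;
}

/* Next-state function: the counter is added to each state variable, the sum goes
   through the g-function, and the g outputs are coupled to their two predecessors
   with 16-bit and 8-bit left rotations (the neighbour pattern is an assumption). */
void next_state(pstate_t *s) {
    uint32_t g[NSTATE];
    counter_step(s);
    for (int j = 0; j < NSTATE; j++)
        g[j] = g_function(s->x[j] + s->c[j]);            /* wraps modulo 2^32 */
    for (int j = 0; j < NSTATE; j++)
        s->x[j] = g[j] + rotl32(g[(j + NSTATE - 1) % NSTATE], 16)
                       + rotl32(g[(j + NSTATE - 2) % NSTATE], 8);
}

/* Extract 128 bits: the lower 16 bits of one state variable XORed with the upper
   16 bits of another, eight such 16-bit words (the pairing k, k+3 is an assumption). */
void extract_keystream(const pstate_t *s, uint8_t out[16]) {
    for (int k = 0; k < NSTATE; k++) {
        uint16_t w = (uint16_t)(s->x[k] & 0xFFFFu) ^ (uint16_t)(s->x[(k + 3) % NSTATE] >> 16);
        out[2 * k]     = (uint8_t)w;
        out[2 * k + 1] = (uint8_t)(w >> 8);
    }
}

/* Key setup: spread the 128-bit key over the 512-bit state (constructed expansion),
   iterate four times to decorrelate state and key, then XOR counters with states. */
void key_setup(pstate_t *s, const uint32_t key[4]) {
    for (int j = 0; j < NSTATE; j++) {
        s->x[j] = key[j & 3];
        s->c[j] = rotl32(key[(j + 1) & 3], 16);
    }
    s->carry = 0;
    for (int i = 0; i < 4; i++) next_state(s);
    for (int j = 0; j < NSTATE; j++) s->c[j] ^= s->x[(j + 4) % NSTATE];
}

/* Encryption and decryption are the same operation: XOR the data with keystream. */
void crypt_bytes(pstate_t *s, uint8_t *data, size_t len) {
    uint8_t ks[16];
    size_t i = 0;
    while (i < len) {
        next_state(s);
        extract_keystream(s, ks);
        for (int k = 0; k < 16 && i < len; k++, i++) data[i] ^= ks[k];
    }
}

/* Self-check: encrypting changes the data, decrypting with the same key restores it. */
int roundtrip_ok(void) {
    static const uint32_t key[4] = { 0x00112233u, 0x44556677u, 0x8899AABBu, 0xCCDDEEFFu };
    uint8_t msg[21], orig[21];
    pstate_t s;
    for (int i = 0; i < 21; i++) msg[i] = orig[i] = (uint8_t)('a' + i);
    key_setup(&s, key);
    crypt_bytes(&s, msg, sizeof msg);
    if (memcmp(msg, orig, sizeof msg) == 0) return 0;   /* a zero keystream would be a bug */
    key_setup(&s, key);
    crypt_bytes(&s, msg, sizeof msg);
    return memcmp(msg, orig, sizeof msg) == 0;
}
```

Because the keystream depends only on the key and the iteration count, decryption simply re-runs key_setup and XORs again; the state after key_setup must therefore never be reused for two different messages without the IV mechanism described further down.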
  • IV (Initialization Vector)
  • the data may be divided into packages, and a unique IV is transmitted along with each package, whereby each package can be decrypted individually, even if other packages are lost.
  • the data to be encrypted/decrypted is divided into sections, and each section is associated with a unique IV.
  • the cipher is first set up by use of the key, and thereafter the internal state of the mathematical system is changed in an unpredictable way, as a function of the IV. These changes may be performed on the counters, on the state values or on both.
  • the output of the cipher is then a function of both the key and the IV, and thereby a given section or package can be encrypted/decrypted, without iterating multiple times.
  • a master state of the mathematical system is created by a usual setup procedure, and subsequently a counter state is manipulated as follows: the 64-bit IV is expanded to 256-bits and XOR'ed on the counter values, and the system is then iterated a number of times to make all bits in the state dependent on all bits in the IV.
  • Fig. 6 is a general illustration of a sequence for encrypting, transmitting and decrypting digital data.
  • Fig. 7 is an illustration of an encryption sequence in a block cipher system, and
  • Fig. 8 is an illustration of an encryption sequence in a stream cipher system, block cipher and stream cipher systems being discussed in the above discussion of the background of the invention.
  • the algorithm is applicable for most purposes in data encryption/decryption.
  • the nature of the algorithm favours encryption of data streams or other continuous data, such as large files, live or pre-recorded audio/video, copyrighted material (e.g. computer games or other software) and data for storage (e.g. backup and/or transportation).
  • the speed of the algorithm makes it particularly suitable for these purposes. Because of the calculation method, the algorithm is also useable on very small processors.
  • PSSRC (Pseudo-Random Sequence Stream Cipher) system
  • PSSRC systems are characterized by a pseudo-random number generator (the content of the outer boxes on Fig. 9), which generates a sequence of data, which is pseudo-random, based on a binary key.
  • This sequence, the so-called keystream, cf. Fig. 9, is used for the encryption and decryption.
  • the keystream is unique for each possible key.
  • The integrity of the encrypted data lies in the key capable of decrypting the ciphertext. Therefore it must be difficult to guess the key. To ensure this, the basic design of the algorithm uses a key of at least 128 bits. A key size of 128 bits gives approximately 3.4·10^38 different keys.
  • the algorithm uses a system, which exhibits chaotic behaviour, such as a Lorenz system, which consists of the following three ordinary differential equations:
  • Fig. 10 shows a plot of a numerical solution to a Lorenz system.
  • the parameters are typically determined from a seed value, such as an encryption key or a part of an encryption key.
  • algorithms embodying the method of the present invention are designed so that only parameter values within predefined intervals are made possible, whereby it is ensured that the probability of the system having a positive Lyapunov exponent is high. Accordingly, the mathematical system will have a high probability of exhibiting chaotic behavior.
  • the Lyapunov exponent may additionally or alternatively be determined at the beginning or during the mathematical computations, so as to be able to detect non-chaotic behavior of the solution to the mathematical system.
  • the mathematical system could as well be another continuous system (such as the Rössler system) or a discrete map (such as the Hénon map).
  • the integration is performed using a numerical integration routine.
  • the numerical integration routine calculates the solution at discrete mesh points, e.g. by using the Euler method or a Runge-Kutta method.
  • the continuous non-dependent variables (such as time t or space s) are discretized. This process refers to replacing the continuous interval [a;b] with a set of discrete points. In such a system,
  • Fig. 12 illustrates a possible method of simultaneously computing two or more instances of the same system or different systems, such as chaotic systems.
  • the method confers higher computational speed and improved security, and a larger key may be used.
  • there should be some kind of communication or coupling between the two systems, for example an exchange of step length, such as an exchange of Δt_x, Δt_y, and/or Δt_z.
  • the internal variables are in the basic design 32 bits wide each, but any variable width could be used.
  • 192 bits (in the basic design) are used to represent an internal state of the generator given by a set of the internal variables.
  • the padding of the 128-bit key up to 192 bits should be done in such a way as to avoid illegal values, i.e. to ensure that all variables contain allowed values, and to ensure that no bits from the key are ignored.
  • the padding may include inserting predetermined values of zeros and ones or repetitions of bits from the key.
  • Fig. 11 contains an illustration of key extension by padding.
  • the integration may be performed with variable time steps, which e.g. can be calculated from any one of the state variables.
  • the step length Δt varies in each integration step. This variation is coupled to the state variable X.
  • the keystream is extracted from some of the data related to the state variables. This may be done by extracting the 8 least significant bits from the y variable or by collecting some of the data wiped out in the calculations; e.g. from one or more of the multiplications performed in the calculation of one step.
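The Lorenz-based design sketched above (fixed-point integer arithmetic, an Euler step, a step length coupled to X, and keystream taken from the least significant bits of y), as an added C example that is not code from the patent or from Cryptico. The Lorenz equations dx/dt = σ(y − x), dy/dt = x(ρ − z) − y, dz/dt = xy − βz are the standard ones (the page does not reproduce them); the S(15.16) fixed-point format, the parameter values σ = 10, ρ = 28, β = 8/3, the starting point (1, 1, 1) and the particular way Δt is coupled to x are constructed assumptions, and fx, fxmul, lorenz_t and lorenz_step are my names.

```c
#include <stdint.h>

/* S(15.16) fixed point: sign bit, 15 integer bits and 16 bits after the imaginary
   decimal separator, stored in a 32-bit register (format is an assumption). */
typedef int32_t fixedpoint;
#define FRAC_BITS 16

static fixedpoint fx(double v) { return (fixedpoint)(v * 65536.0); }

/* Fixed-point multiply: 64-bit product, then drop the extra 16 fraction bits.
   The cast back to 32 bits wraps, which is the deliberate overflow the page describes. */
static fixedpoint fxmul(fixedpoint a, fixedpoint b) {
    return (fixedpoint)(uint32_t)(((int64_t)a * (int64_t)b) >> FRAC_BITS);
}

typedef struct { fixedpoint x, y, z, sigma, rho, beta; } lorenz_t;

/* Constructed parameters and starting point; in the cipher they are derived from the key. */
void lorenz_init(lorenz_t *L) {
    L->x = fx(1.0);  L->y = fx(1.0);  L->z = fx(1.0);
    L->sigma = fx(10.0);  L->rho = fx(28.0);  L->beta = fx(8.0 / 3.0);
}

/* One Euler step. The step length is a base value plus a few low bits of x
   (constructed coupling to the state variable X). Returns the 8 least
   significant bits of y as one keystream byte. */
uint8_t lorenz_step(lorenz_t *L) {
    fixedpoint dt = fx(0.005) + (fixedpoint)((uint32_t)L->x & 0xFFu);
    fixedpoint dx = fxmul(L->sigma, L->y - L->x);
    fixedpoint dy = fxmul(L->x, L->rho - L->z) - L->y;
    fixedpoint dz = fxmul(L->x, L->y) - fxmul(L->beta, L->z);
    L->x += fxmul(dx, dt);
    L->y += fxmul(dy, dt);
    L->z += fxmul(dz, dt);
    return (uint8_t)((uint32_t)L->y & 0xFFu);
}

/* Fill out[0..n-1] with keystream bytes from the constructed initial state. */
void lorenz_keystream(uint8_t *out, int n) {
    lorenz_t L;
    lorenz_init(&L);
    for (int i = 0; i < n; i++) out[i] = lorenz_step(&L);
}

/* First keystream byte from the constructed state: from (1,1,1) the first step
   leaves x unchanged, so dt = 327/65536, y becomes 74038/65536 and the byte is 54. */
int lorenz_first_byte(void) {
    lorenz_t L;
    lorenz_init(&L);
    return lorenz_step(&L);
}
```

Every operation is an integer add, subtract, multiply or shift, so the same key produces bit-identical keystream on any platform, which is the portability point the page makes about basing fixed-point variables on the integer data type; a floating-point implementation would not give that guarantee across compilers and CPUs.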
  • the fixed-point variable is based on the integer data type, which is implemented identically on various computer systems. To express numbers such as real numbers, digits after the decimal point are needed, the decimal point being artificially located somewhere other than at the end of the number (e.g. 12.345 instead of 12345).
  • Some of these tests are performed at run-time, and others are performed at design-time.
  • an amount of keystream equal to the complete data content of the state variables (e.g. 192 bits) or equal to the amount of a complete key (e.g. 128 bits) are generated using the algorithm and saved, in case the key has to be reloaded due to detection of periodic solutions or stationary points. In that case, the saved sequence is loaded as a new key, and the initialization, including extraction of extra key, is redone.
  • any numerical solution will be periodic.
  • some keys may result in keystreams having a rather small period. This is undesirable as it may compromise the security of the system. Therefore an algorithm for detecting such periodic solutions is proposed.
  • This algorithm watches the sign of a variable or the slope of a variable.
  • the check is performed on x.
  • the position check is performed (the position check can also be performed after all iterations). The position check compares the complete set of state variables with buffered sets from earlier. If a complete match is found, a periodic solution is detected.
  • Stationary points of a dynamical system are sets of state variables which remain unchanged during iteration. Such stationary points may be detected by comparing the current set of state variables with the last set, or by checking if the slopes of all of the variables are zero or by checking if both the current slope of one variable and its previous slope are zero. Chaotic systems may, for one reason or another, enter into periodic solutions. This has to be detected and corrected in order not to compromise the security of the system. If the solution of the system becomes periodic, encryption may preferably be stopped, as the extracted number from the solution of the mathematical system will also be periodic and hence not pseudo-random. The test for periodic solutions includes comparing coordinates of the solution with previously calculated coordinates. If a complete match is found, the system has entered a periodic solution.
  • Fig. 13 illustrates the principle of performing a check for periodic solutions.
  • Fig. 14 shows a mathematical system with a periodic solution, more specifically a two-dimensional non-linear system with a periodic solution.
  • the system is deterministic, meaning that the solution is completely specified by its initial conditions. In theory, the solution will be continuous, thereby consisting of infinitely many points.
  • the time-interval is discretized, and the solution is calculated at these points.
  • the numerical solution to a mathematical system is simply a sequence of coordinate sets. If we consider a two-dimensional system, then the solution is specified at a number of points (x,y), illustrated by dots on the curve in Fig. 14.
  • the deterministic nature of the system implies that if the solution ever hits a point, which it has visited previously, the solution is periodic and will keep being periodic. This property is employed in the present test.
  • In order to test for periodic solutions during numerical integration, we have to compare the present calculated coordinate set with the previous values. In order to do this, the coordinate sets are stored as they are calculated. This storage works like a queue and is referred to as the coordinate cache. A calculated coordinate set is compared to every coordinate set in the coordinate cache. If a complete match (all values in the two coordinate sets are equal) is found, the system is in a periodic state. If the test is passed without a complete match, no periodic behavior is detected, and the calculations may continue. Before the calculations continue, the tested coordinate is added to the cache, for further comparisons.
  • the cache consists of a number of levels, each containing a coordinate of age growing by level. After each test or after a number of tests, the tested coordinate is inserted at level 0. Every second time (or any other time) a coordinate is inserted into level 0, the old value is inserted into level 1 before it is overwritten.
  • the method for inserting coordinates at the other levels is similar; every second time a value is inserted at any level, the old value is transported to the next level before it is overwritten at the current level.
  • This method results in a coordinate cache containing coordinates with an exponentially growing age.
  • Level 0 stores coordinates with an age of 1 or 2 (the prior checked coordinate or the one before the prior checked coordinate)
  • level 1 stores coordinates with an age of 3 - 6 (3 at the test after the coordinate has been inserted, and then growing to 6 before the next coordinate is inserted)
  • level 2 stores coordinates with an age of 7 - 14, and so on.
  • the pseudo program code in Example I shows how the cache may be implemented.
  • a periodic solution having a period length of 11 tests will be detected at level 2 of the cache, because the age of the data at level 2 is between 7 and 14. However, the test will not detect the periodic solution before the coordinate is exactly 11 tests old. Therefore up to 12 tests may be performed before the periodic behavior is detected. In this case, it means that the system may pass through up to 12/11 of a period before it is detected.
  • a possible expansion to the algorithm described above is a varying TransportAge, cf. the pseudo code program in Example I. If some coordinates can be identified as more likely to take part in a periodic solution than others, the InsertCoordinate procedure, cf. the pseudo code program in Example I, may recognize them and use a reduced value of TransportAge for those. This will favor the critical coordinates in the cache, and make the data in the cache younger if many critical coordinates are stored. The younger age of data in the cache makes a periodic solution detectable after fewer iterations within the periodic solution.
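The coordinate cache with exponentially growing age, as an added C example; it is not the patent's Example I (which is not reproduced on this page) and not Cryptico's code. Level 0 is overwritten every second test, and every level hands its old coordinate to the next level before overwriting it, which yields the ages 1-2, 3-6, 7-14, ... stated above. The names coord_cache_t, CheckPeriodic, first_detection and the sample sequences are mine; TransportAge is fixed at 2 and the cache depth at 12 levels.

```c
#include <stdint.h>
#include <string.h>

#define LEVELS 12          /* level L holds a coordinate aged 2^(L+1)-1 .. 2^(L+2)-2 tests */
#define TRANSPORT_AGE 2    /* a level keeps its coordinate for this many insert attempts */

typedef struct { int32_t x, y, z; } coord_t;

typedef struct {
    coord_t c[LEVELS];
    int     valid[LEVELS];   /* whether the level holds a coordinate yet */
    int     age[LEVELS];     /* insert attempts since the level was last overwritten */
} coord_cache_t;

void cache_init(coord_cache_t *cc) { memset(cc, 0, sizeof *cc); }

static int coord_equal(coord_t a, coord_t b) { return a.x == b.x && a.y == b.y && a.z == b.z; }

/* InsertCoordinate: a level accepts a new coordinate only every TRANSPORT_AGE-th attempt;
   before the old coordinate is overwritten it is handed to the next level. */
void InsertCoordinate(coord_cache_t *cc, coord_t c, int level) {
    if (level >= LEVELS) return;                  /* the oldest level simply drops its value */
    cc->age[level]++;
    if (cc->valid[level] && cc->age[level] < TRANSPORT_AGE) return;   /* not yet: discard */
    if (cc->valid[level]) InsertCoordinate(cc, cc->c[level], level + 1);
    cc->c[level] = c;
    cc->valid[level] = 1;
    cc->age[level] = 0;
}

/* Compare the freshly computed coordinate set with every cached one.
   Returns the matching level + 1 (periodic solution) or 0 (no match). */
int CheckPeriodic(const coord_cache_t *cc, coord_t c) {
    for (int l = 0; l < LEVELS; l++)
        if (cc->valid[l] && coord_equal(cc->c[l], c)) return l + 1;
    return 0;
}

/* Run the check over a sequence of coordinate sets, one test per coordinate.
   Returns the index of the test that first detected a periodic solution, or -1. */
int first_detection(const coord_t *seq, int n) {
    coord_cache_t cc;
    cache_init(&cc);
    for (int t = 0; t < n; t++) {
        if (CheckPeriodic(&cc, seq[t])) return t;
        InsertCoordinate(&cc, seq[t], 0);
    }
    return -1;
}

/* Constructed example: a solution that repeats with period 11 from the start.
   The coordinate of test 0 sits at level 2 from test 6 to test 14, so it is
   found when it is exactly 11 tests old, i.e. at test index 11. */
int demo_period_11(void) {
    coord_t seq[64];
    for (int t = 0; t < 64; t++) {
        int k = t % 11;                                  /* 11 distinct points */
        seq[t].x = 100 + k;  seq[t].y = 200 - k;  seq[t].z = k * k;
    }
    return first_detection(seq, 64);
}

/* Constructed example: a sequence that never revisits a point is never flagged. */
int demo_no_period(void) {
    coord_t seq[500];
    for (int t = 0; t < 500; t++) { seq[t].x = t;  seq[t].y = 2 * t + 1;  seq[t].z = -t; }
    return first_detection(seq, 500);
}
```

The cache holds only LEVELS coordinates, so each test costs a fixed number of comparisons regardless of how long the cipher has run; the price is that a period is recognised only once a cached coordinate happens to be exactly one period old, which is why detection can lag by up to one extra test as the text notes.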
  • the test may be performed after each iteration, that is, every time a new coordinate set of the solution has been calculated. However, to save processor resources, the test should instead be performed at a periodic interval. In order to make the test work, the test must be performed when the solution is at a recognizable position. One way to make sure the test is performed at the same position each time is to find a recognizable point in the graphical plot of the solution. To do so, the system has to be analyzed for its characteristic behavior, and a criterion has to be chosen. For the above shown non-linear system, the examples of criteria illustrated in Figs. 16-18 are usable.
  • A first possible criterion, as illustrated in Fig. 16, is a change of sign of x from minus to plus. That is, when the sign of x changes from minus to plus, the test is performed.
  • the second criterion is change of sign of dx from plus to minus, as illustrated in Fig. 17.
  • the third criterion is change of dy from plus to minus, as illustrated in Fig. 18.
  • the following pseudo code program shows an example of a program for encrypting and decrypting data which encrypts one byte at a time.
  • the program works in accordance with the flow charts of Figs. 20-27.
  • the program works with 32-bit registers.
  • Fig. 20 illustrates a method which encrypts a file containing data.
  • Figs. 21-27 correspond to those functions shown in the pseudo-code below which relate to the check for periodic solutions and to a stream cipher using the Lorenz system.
  • FloatToFixedPoint Converts a floating-point number, X, into a fixed-point number.
  • the result of the function has the format S(a.b) or U(a.b): fixedpoint FloatToFixedPoint(float X) { return X*2^b; } // b is the number of bits after the decimal separator
  • FixedPointToFloat Converts a fixed-point number, X, having the format S(a.b) or U(a.b), into a floating-point number.
  • ConvertFixedPoint Converts an input fixed-point number, X, having the format S(a.b) or U(a.b), into the requested format, S(c.d) or U(c.d). The result is signed if the argument, X, is signed, and vice versa.
  • fixedpoint ConvertFixedPoint (fixedpoint X)
  • MulFixedPoint Multiply two fixed-point numbers, X and Y.
  • X has the format S(a.b) or U(a.b) and Y has the format S(c.d) or U(c.d).
  • the resulting fixed-point number has the format S(e.f) or U(e.f).
  • the result as well as X and Y must all be either signed or unsigned values and stored in 32-bit registers. ">>" is the arithmetic shift right for signed multiplication and logical shift right for unsigned multiplication.
  • fixedpoint MulFixedPoint (fixedpoint X, fixedpoint Y)
  • Temp = X*Y; // Two 32-bit values X and Y are multiplied into the 64-bit intermediate result. return Temp >> (b+d-f); // b and d are the number of bits after the decimal separator in X and Y
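The fixed-point helpers described above (FloatToFixedPoint, FixedPointToFloat, ConvertFixedPoint, MulFixedPoint) together with the S(7.24) → S(8.23) → S(10.21) addition example given earlier on this page, as an added C example that is not the patent's pseudo code or Cryptico's code. The format parameters are passed explicitly as the number of fraction bits (b, d, f); the page's versions take them as fixed constants. AddS7_24_ToS10_21 and the worked values are mine.

```c
#include <stdint.h>

typedef int32_t fixedpoint;   /* a fixed-point number lives in a 32-bit register */

/* FloatToFixedPoint: scale by 2^b, b being the number of bits after the
   imaginary decimal separator. The caller keeps the value within S(a.b) range. */
fixedpoint FloatToFixedPoint(double x, int b) {
    return (fixedpoint)(int64_t)(x * (double)((int64_t)1 << b));
}

double FixedPointToFloat(fixedpoint x, int b) {
    return (double)x / (double)((int64_t)1 << b);
}

/* ConvertFixedPoint: S(a.b) -> S(c.d). More fraction bits: shift left (high bits
   may be lost). Fewer fraction bits: arithmetic shift right (low bits dropped). */
fixedpoint ConvertFixedPoint(fixedpoint x, int b, int d) {
    if (d >= b) return (fixedpoint)((uint32_t)x << (d - b));
    return x >> (b - d);   /* arithmetic shift on two's complement compilers */
}

/* MulFixedPoint: S(a.b) * S(c.d) -> S(e.f). The 64-bit product carries b+d fraction
   bits; shifting right by b+d-f leaves f of them. Keeping only the low 32 bits is
   the deliberate overflow the page describes: integer bits above e are discarded. */
fixedpoint MulFixedPoint(fixedpoint x, int b, fixedpoint y, int d, int f) {
    int64_t temp = (int64_t)x * (int64_t)y;
    return (fixedpoint)(uint32_t)(temp >> (b + d - f));
}

/* The page's addition example: two S(7.24) numbers are added in S(8.23), where the
   extra integer bit absorbs the carry, and the sum is converted to S(10.21). */
fixedpoint AddS7_24_ToS10_21(fixedpoint x, fixedpoint y) {
    fixedpoint sum = ConvertFixedPoint(x, 24, 23) + ConvertFixedPoint(y, 24, 23);  /* S(8.23) */
    return ConvertFixedPoint(sum, 23, 21);                                         /* S(10.21) */
}

/* Worked values in S(7.24): 1.5 * -2.0 = -3.0, while 100 * 100 = 10000 needs more
   than 7 integer bits and wraps to 10000 mod 256 = 16.0. Returns 1 if both hold. */
int demo_s7_24(void) {
    fixedpoint a = MulFixedPoint(FloatToFixedPoint(1.5, 24), 24, FloatToFixedPoint(-2.0, 24), 24, 24);
    fixedpoint w = MulFixedPoint(FloatToFixedPoint(100.0, 24), 24, FloatToFixedPoint(100.0, 24), 24, 24);
    return a == FloatToFixedPoint(-3.0, 24) && w == FloatToFixedPoint(16.0, 24);
}
```

The wraparound in MulFixedPoint is exactly what a pseudo-random generator can tolerate and a numerical solver cannot: the page's point is that the generator needs a reproducible integer result, not a numerically correct one, so no overflow check is made.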
  • Global constants in the sub-system for checking for periodic solutions.
  • the sub-system for checking for periodic solutions has a number of global variables e.g. to store the cache of old coordinates and the spare key to be loaded if a periodic solutions is found.
  • InsertCoordinate Inserts a coordinate at a certain level of the coordinate cache if the age of the previous value stored at that level has passed a certain threshold value. Before the old coordinate at that certain level is overwritten, it is inserted at the next level.
  • InsertCoordinate(x, y, z, 0); // Insert the coordinate into the coordinate cache
  • a modulus function which takes an argument, q, and returns a positive value in the range [0;q[.
  • Crypt Encryption, decryption and PRNG function.
  • Arguments are PData (pointer to the first byte to encrypt/decrypt) and PEnd (pointer to the last byte to encrypt/decrypt). If the function is intended to generate pseudo-random numbers, the function should be given an amount of data to encrypt (e.g. zeroes) of the same size as the requested pseudo-random data.
  • PData = PData + 1; // Increase the pointer to data to encrypt
  • Init192 Load a 192-bit seed (pointed to by the PSeed pointer) into the state of the system.
  • Init128 Load a 128-bit seed (or key) (pointed to by the PSeed pointer) into the state of the system performing the key setup procedure.
  • Init192(Seed192); // Load the pseudo-random data into the state
  • the statistical properties of the output of the system may be tested according to the NIST (National Institute of Standards and Technology) Test Suite, cf. 'A statistical test suite for random and pseudo-random number generators for cryptographic applications', NIST Special Publication 800-22. See also http://csrc.nist.gov/rng/rng2.html.
  • the NIST Test Suite comprises sixteen different tests, which are briefly summarized below. The tests may for example be performed on a program similar to the above pseudo-code for a stream cipher using the Lorenz system.
  • Frequency monobit test This test determines the proportion of zeroes and ones for the entire keystream sequence. For a truly random keystream sequence, the number of ones is expected to be about the same as the number of zeros. During the test, it is investigated whether this property holds for the keystream sequence in question.
  • Frequency block test In this test, the keystream sequence is divided into M-bit blocks. In a truly random keystream sequence, the number of ones in each block is approximately M/2. If this also characterizes the tested keystream sequence, the test is regarded as successful.
  • Runs test A run within the keystream sequence is defined as a sub-sequence of identical bits. The test checks for runs of different lengths, where a run of length k is constituted by k identical bits bounded by bits of a value opposite to the bits in the run. The occurrence of runs of different lengths is compared to what is expected for a truly random sequence.
  • Longest run of zeroes In this test, the sequence is divided into blocks of M bits each, and the longest run of ones within each block is found. The distribution of the lengths of runs for the blocks is compared to the distribution for blocks in a random sequence. An irregularity in the expected length of the longest run of ones indicates that there is also an irregularity in the expected length of the longest run of zeroes.
  • Binary matrix rank test In this test, fixed-length sub-sequences of the keystream sequence are used to form a number of matrices by collecting M·Q-bit segments into M by Q matrices. By calculating the rank of these matrices, the test checks for linear dependence among the sub-sequences.
  • Discrete Fourier transform test By applying the discrete Fourier transform, this test checks for periodic characteristics of the keystream sequence. The heights of the resulting frequency components are compared to a threshold defined from a truly random sequence.
  • Non-overlapping template matching test When performing this test, a number of non-periodic m-bit patterns are defined, and the occurrences of the particular patterns are counted.
  • Overlapping template matching test This test is very similar to the non-overlapping template matching test, the only differences being the structure of the pattern of m bits, and the way the search for the pattern is performed.
  • the pattern of m bits is now a sequence of m ones.
  • Maurer's universal statistical test This test calculates the distance between matching patterns in the keystream sequence. By doing so, a measure of the compressibility of the keystream sequence is obtained. A significantly compressible keystream sequence is considered to be non-random.
  • Lempel-Ziv compression test In this test, the number of cumulatively distinct patterns is calculated, thus providing a measure of the compressibility of the keystream sequence. The result is compared to a random sequence, which has a characteristic number of distinct patterns.
  • Linear complexity test This test calculates the length of a linear feedback shift register in order to determine whether or not the sequence is complex enough to be considered random.
  • Serial test This test calculates the frequency of all possible overlapping m-bit patterns across the entire sequence. For a truly random keystream sequence, all of the 2^m possible m-bit patterns occur with the same probability. The deviation from this probability is calculated for the keystream sequence in question.
  • Approximate entropy test This test has the same focus as the serial test, but with the added feature that the frequencies of m- and (m+1)-bit patterns are calculated. The results obtained for the patterns of different length are compared and used to characterize the sequence as either random or non-random.
  • Cumulative sums test In this test, the sequence is used to define a random walk with ones and zeroes corresponding to +1 and -1, respectively. It is determined whether the amplitudes of the cumulative sums of the partial keystream sequences are too large or too small relative to what is expected for a truly random keystream sequence.
  • Random excursions test In this test, the sequence is, similarly to the cumulative sums test, transformed into a random walk. The number of visits to certain states (values the cumulative sum can hold), which the random walk potentially passes through, is used to characterize the sequence as either random or non-random. The considered states are -4, -3, -2, -1, 1, 2, 3, 4.
  • P_val For each test, a P-value, P_val, is calculated, which provides a quantitative comparison of the actual sequence and an assumed truly random sequence. The definitions of the P-values depend on the actual test (see the NIST documentation). Values of P_val > α indicate randomness, where α is a value in the interval 0.001 ≤ α ≤ 0.01, the exact value of α being defined for each test. Otherwise, non-randomness is declared.
  • the NIST Test Suite defines, for each test, the proportion of samples whose P-value should pass the criterion P_val > α. In all of the above tests, except the Random excursions test, the proportion of samples whose respective P-values, P_val, pass the appropriate criteria should be at least 0.972766. For the Random excursions test, the proportion given by NIST is at least 0.967813.
  • the following proportions are preferably achieved, as an average of at least 10^4 samples obtained by use of randomly chosen keys: at least 0.975, such as at least 0.98, such as at least 0.985, such as at least 0.99, such as at least 0.995, such as at least 0.998.
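Two of the tests listed above, the frequency (monobit) test and the runs test, as an added C example that is not code from the patent, from Cryptico or from the NIST suite. SP 800-22 defines both P-values through erfc of a standard-normal statistic z; for a single degree of freedom, P-value < 0.01 is equivalent to z² > 6.635 (the 0.99 quantile of the χ² distribution with one degree of freedom), so the example makes the α = 0.01 decision without evaluating erfc. The ten-bit inputs 1011010101 and 1001101011 are the worked examples in SP 800-22 (P-values 0.527089 and 0.147232, both passing); the longer inputs are constructed, and monobit_pass, runs_pass and the demo function are my names.

```c
#include <stddef.h>
#include <string.h>

/* 0.99 quantile of chi-square with one degree of freedom: z^2 above this value
   corresponds to a two-sided normal P-value below alpha = 0.01. */
#define CHI2_1DF_099 6.6349

static size_t count_ones(const char *bits, size_t n) {
    size_t ones = 0;
    for (size_t i = 0; i < n; i++) ones += (bits[i] == '1');
    return ones;
}

/* Frequency (monobit) test: S_n = #ones - #zeros, s_obs = |S_n| / sqrt(n),
   P = erfc(s_obs / sqrt 2). Passes at alpha = 0.01 iff S_n^2 <= 6.635 n. */
int monobit_pass(const char *bits) {
    size_t n = strlen(bits);
    double s = 2.0 * (double)count_ones(bits, n) - (double)n;
    return s * s <= CHI2_1DF_099 * (double)n;
}

/* Runs test: V_n = number of runs, pi = proportion of ones,
   P = erfc(|V_n - 2 n pi (1 - pi)| / (2 sqrt(2 n) pi (1 - pi))).
   SP 800-22 requires |pi - 1/2| < 2 / sqrt(n) first; a sequence that fails that
   prerequisite is counted as failing the runs test here. */
int runs_pass(const char *bits) {
    size_t n = strlen(bits);
    if (n < 2) return 0;
    double pi = (double)count_ones(bits, n) / (double)n;
    if ((pi - 0.5) * (pi - 0.5) >= 4.0 / (double)n) return 0;
    double runs = 1.0;
    for (size_t i = 1; i < n; i++) runs += (bits[i] != bits[i - 1]);
    double expect = 2.0 * (double)n * pi * (1.0 - pi);
    double denom  = 2.0 * (double)n * pi * pi * (1.0 - pi) * (1.0 - pi);  /* z^2 denominator */
    return (runs - expect) * (runs - expect) <= CHI2_1DF_099 * denom;
}

/* Turn keystream bytes into the '0'/'1' string the tests consume; out needs 8*len+1 bytes. */
void bytes_to_bits(const unsigned char *in, size_t len, char *out) {
    for (size_t i = 0; i < len; i++)
        for (int b = 7; b >= 0; b--) *out++ = ((in[i] >> b) & 1) ? '1' : '0';
    *out = '\0';
}

/* Constructed 128-bit alternating sequence 0101...: balanced, so the monobit test
   passes, but it has 128 runs where about 64 are expected, so the runs test fails.
   Returns 1 when both outcomes are as described. */
int demo_alternating(void) {
    char bits[129];
    for (int i = 0; i < 128; i++) bits[i] = (i & 1) ? '1' : '0';
    bits[128] = '\0';
    return monobit_pass(bits) && !runs_pass(bits);
}
```

The alternating example is the reason the suite runs many tests rather than one: a sequence can be perfectly balanced and still be entirely predictable, and only the runs, serial or compression-type tests expose that.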
  • Kazumaro Aoki et al. Fast Implementation of AES Candidates (128 bit keys, 128 bit blocks, Pentium II).
  • speed and memory can be traded for many of the implementations, e.g. by using lookup tables which require more memory but may save processing time.
  • may be disregarded (which may be the case in a pseudo-random number generator, where what is needed is not the true result of the computations but merely a pseudo-random number), the least and/or most significant bits of the resulting number need not be computed.
  • a method for performing mathematical operations on integer numbers of a certain bit width which is larger than the register width of the processing unit on which the computations are performed is disclosed.
  • Mathematical operations or computations on fixed-point numbers are performed as integer operations, whereby the integer numbers are expressed as binary numbers.
  • the binary representation of integer numbers requires a certain register width, e.g. 32 bit.
  • the binary numbers may be split into a plurality of binary sub-numbers, each represented by a width equal to or smaller than the register width of the processing unit.
  • two 32 bit numbers may be split into two sets of four 8 bit sub-numbers, and multiplication or addition may be performed on the 8 bit sub-numbers by means of an 8 bit processing unit.
  • Each of the numbers A and B is split into four sub-numbers, A1, A2, A3, A4, and B1, B2, B3, and B4.
  • A1 represents the 8 most significant bits of the number A
  • A4 represents the 8 least significant bits of the number A, etc.
  • the sub-numbers are:
  • the number resulting from the addition of A and B is stored as four sub-numbers, R1, R2, R3 and R4, and/or represented by a 32-bit wide string built from the sub-numbers R1, R2, R3, and R4.
  • D1 represents the 8 most significant bits of D
  • D2 represents the 8 least significant bits of D
  • the sub-numbers are:
  • D1 is multiplied with E1 to achieve a 16-bit number expressed as two 8-bit numbers, G1 and G2.
  • D1 is multiplied with E2 to achieve a 16-bit number expressed as two 8-bit numbers, H1 and H2.
  • D2 is multiplied with E1 to achieve a 16-bit number expressed as two 8-bit numbers, I1 and I2.
  • D2 is multiplied with E2 to achieve a 16-bit number expressed as two 8-bit numbers, J1 and J2.
  • the resulting 32-bit number F is expressed as four 8-bit numbers, F1, F2, F3, and F4, wherein:
  • F3 = H2+I2+J1
  • F2 = G2+H1+I1+[any carry resulting from the calculation of F3]
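The sub-number scheme described above, 32-bit addition as four 8-bit additions with carry and 16×16-bit multiplication as four 8×8-bit partial products, as an added C example that is not code from the patent or from Cryptico (the page's Fig. 19 is not reproduced here). Partial products are held in 16-bit variables exactly as an 8-bit unit with an 8×8→16 multiply would hold them; add32_on_8bit, mul16_on_8bit and the packing helpers used for checking are my names.

```c
#include <stdint.h>

/* 32-bit addition on an 8-bit unit: A and B are four 8-bit sub-numbers each, index 0
   being the most significant (A1) and index 3 the least significant (A4).
   The carry out of R1 is dropped, so the result is taken modulo 2^32. */
void add32_on_8bit(const uint8_t a[4], const uint8_t b[4], uint8_t r[4]) {
    uint8_t carry = 0;
    for (int i = 3; i >= 0; i--) {
        uint16_t t = (uint16_t)a[i] + (uint16_t)b[i] + carry;   /* at most 255 + 255 + 1 */
        r[i]  = (uint8_t)t;
        carry = (uint8_t)(t >> 8);
    }
}

/* 16x16 -> 32-bit multiplication from 8x8 -> 16-bit partial products:
   D = (D1,D2), E = (E1,E2), result F = (F1,F2,F3,F4), F1 most significant. */
void mul16_on_8bit(uint8_t d1, uint8_t d2, uint8_t e1, uint8_t e2, uint8_t f[4]) {
    uint16_t g = (uint16_t)d1 * e1;   /* G = D1*E1 -> (G1,G2) */
    uint16_t h = (uint16_t)d1 * e2;   /* H = D1*E2 -> (H1,H2) */
    uint16_t i = (uint16_t)d2 * e1;   /* I = D2*E1 -> (I1,I2) */
    uint16_t j = (uint16_t)d2 * e2;   /* J = D2*E2 -> (J1,J2) */
    uint8_t g1 = (uint8_t)(g >> 8), g2 = (uint8_t)g;
    uint8_t h1 = (uint8_t)(h >> 8), h2 = (uint8_t)h;
    uint8_t i1 = (uint8_t)(i >> 8), i2 = (uint8_t)i;
    uint8_t j1 = (uint8_t)(j >> 8), j2 = (uint8_t)j;
    uint16_t t;
    f[3] = j2;                                   /* F4 = J2 */
    t = (uint16_t)h2 + i2 + j1;                  /* F3 = H2 + I2 + J1, carry <= 2 */
    f[2] = (uint8_t)t;
    t = (uint16_t)g2 + h1 + i1 + (t >> 8);       /* F2 = G2 + H1 + I1 + carry from F3 */
    f[1] = (uint8_t)t;
    f[0] = (uint8_t)(g1 + (t >> 8));             /* F1 = G1 + carry from F2 */
}

/* Packing helpers so the 8-bit results can be checked against native 32-bit arithmetic. */
uint32_t add32_check(uint32_t a, uint32_t b) {
    uint8_t as[4], bs[4], rs[4];
    for (int k = 0; k < 4; k++) {
        as[k] = (uint8_t)(a >> (24 - 8 * k));
        bs[k] = (uint8_t)(b >> (24 - 8 * k));
    }
    add32_on_8bit(as, bs, rs);
    return ((uint32_t)rs[0] << 24) | ((uint32_t)rs[1] << 16) | ((uint32_t)rs[2] << 8) | rs[3];
}

uint32_t mul16_check(uint16_t d, uint16_t e) {
    uint8_t f[4];
    mul16_on_8bit((uint8_t)(d >> 8), (uint8_t)d, (uint8_t)(e >> 8), (uint8_t)e, f);
    return ((uint32_t)f[0] << 24) | ((uint32_t)f[1] << 16) | ((uint32_t)f[2] << 8) | f[3];
}
```

The sums for F3 and F2 can each exceed one byte by a carry of at most 2, which is why they are accumulated in 16-bit temporaries before being split; the 32-bit product of two 16-bit numbers always fits, so the final F1 addition cannot overflow.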
  • There is further provided a method of performing multiplication operations on a first binary number and a second binary number.
  • the method comprises summing a number of intermediate results, whereby the sum of the intermediate results is equal to the product of the two numbers.
  • the intermediate number is shifted a number of positions to the left, the number of positions corresponding to the position of the bit of the first number from which that particular intermediate number is calculated.
  • either the second number or the particular bit of the first number is shifted to the left.
  • the step of multiplying one bit of a first one of the two numbers is repeated for each bit of the first number.
  • the product of a first number, 0110, and a second number 1010 is computed as follows: the least significant bit of the first number, 0, is multiplied with the second number 1010 to obtain a first intermediate number, 0000.
  • the second least significant bit of the first number, 1, is multiplied with the second number and shifted one position to the left to obtain a second intermediate number, 10100.
  • the third least significant bit of the first number, 1, is multiplied with the second number and shifted two positions to the left to obtain a third intermediate number, 101000.
  • the most significant bit of the first number, 0, is multiplied with the second number and shifted three positions to the left to obtain a fourth intermediate number, 0000000.
  • the resulting number is obtained as a sum of the four intermediate numbers, as illustrated below, the underlinings indicating which bits are being multiplied in the individual steps:
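As an added example (not part of the patent text), the following C code implements both multiplication schemes described above: the 16x16 bit product assembled from 8 bit sub-numbers G, H, I, J with column carries, and the bit-level shift-and-add walk-through for 0110 x 1010. The page only states F3 and F2; the code fills in F4 (= J2) and F1 (= G1 plus carry) by the same column-sum rule, which is my completion of the scheme, and cross-checks every result against the native multiplier.

```c
#include <stdint.h>
#include <stdio.h>

/* Split a 16-bit value into its two 8-bit sub-numbers, index 1 = most significant. */
static void split16(uint16_t v, uint8_t *x1, uint8_t *x2) {
    *x1 = (uint8_t)(v >> 8);
    *x2 = (uint8_t)v;
}

/* 16x16 -> 32 bit product built only from 8x8 -> 16 bit products and byte
 * additions with carries. D = D1:D2 and E = E1:E2 as in the text; the result
 * is returned packed as F1:F2:F3:F4 (F1 most significant). */
uint32_t mul16_by_bytes(uint16_t D, uint16_t E) {
    uint8_t D1, D2, E1, E2, G1, G2, H1, H2, I1, I2, J1, J2;
    split16(D, &D1, &D2);
    split16(E, &E1, &E2);
    split16((uint16_t)(D1 * E1), &G1, &G2);   /* G = D1*E1, weight 2^16 */
    split16((uint16_t)(D1 * E2), &H1, &H2);   /* H = D1*E2, weight 2^8  */
    split16((uint16_t)(D2 * E1), &I1, &I2);   /* I = D2*E1, weight 2^8  */
    split16((uint16_t)(D2 * E2), &J1, &J2);   /* J = D2*E2, weight 2^0  */

    /* Add the byte columns from least to most significant. A column sum may
     * exceed 255; the bits above the low byte are the carry into the next column. */
    uint16_t col4 = J2;                                       /* F4 = J2 (my completion, not stated on the page) */
    uint16_t col3 = (uint16_t)(H2 + I2 + J1) + (col4 >> 8);   /* F3 = H2 + I2 + J1 */
    uint16_t col2 = (uint16_t)(G2 + H1 + I1) + (col3 >> 8);   /* F2 = G2 + H1 + I1 + carry from F3 */
    uint16_t col1 = (uint16_t)G1 + (col2 >> 8);               /* F1 = G1 + carry from F2 (my completion) */
    return ((uint32_t)(uint8_t)col1 << 24) | ((uint32_t)(uint8_t)col2 << 16) |
           ((uint32_t)(uint8_t)col3 << 8)  | (uint8_t)col4;
}

/* Bit-level shift-and-add multiplication, as in the 0110 x 1010 walk-through:
 * bit i of `first` decides whether `second`, shifted i positions left, is added. */
uint32_t mul_shift_add(uint16_t first, uint16_t second) {
    uint32_t result = 0;
    for (unsigned i = 0; i < 16; i++) {
        uint32_t intermediate = ((first >> i) & 1u) ? ((uint32_t)second << i) : 0u;
        result += intermediate;
    }
    return result;
}

/* Cross-check both schemes against the native multiplier on a constructed sweep
 * of operands, including the all-ones corner case; returns 1 when all agree. */
int verify_multipliers(void) {
    uint16_t samples[] = { 0x0000, 0x0001, 0x0006, 0x000A, 0x00FF,
                           0x0100, 0x1234, 0xABCD, 0x8000, 0xFFFF };
    size_t n = sizeof samples / sizeof samples[0];
    for (size_t a = 0; a < n; a++) {
        for (size_t b = 0; b < n; b++) {
            uint32_t expected = (uint32_t)samples[a] * (uint32_t)samples[b];
            if (mul16_by_bytes(samples[a], samples[b]) != expected) return 0;
            if (mul_shift_add(samples[a], samples[b]) != expected) return 0;
        }
    }
    return 1;
}

int main(void) {
    uint32_t F = mul16_by_bytes(0x1234, 0xABCD);
    printf("F1..F4 = %02X %02X %02X %02X\n", (unsigned)(F >> 24), (unsigned)((F >> 16) & 0xFF),
           (unsigned)((F >> 8) & 0xFF), (unsigned)(F & 0xFF));
    printf("0110 x 1010 = %u (binary 111100)\n", (unsigned)mul_shift_add(0x6, 0xA));
    printf("cross-check: %s\n", verify_multipliers() ? "all agree" : "MISMATCH");
    return 0;
}
```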
  • Fig. 28 illustrates a further mathematical system which may be employed in the methods of the present invention.
  • a set of five coupled subsystems is provided, wherein the subsystems are one-dimensional maps. Three of the maps contain static parameters and two of the maps are influenced by a counter. The system configuration is illustrated in Fig. 28.
  • a first one of the counters is only incremented when a second one of the counters reaches a certain value.
  • a first one of the counters may be incremented in each iteration, whereas a second one of the counters may be incremented only when the first one reaches its maximum.
  • both counters may be incremented in each iteration, or they may be incremented in an alternating way, so that the first counter is incremented in every second iteration and the second counter is incremented in those iterations where the first counter is not incremented.

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • General Engineering & Computer Science (AREA)
  • Computational Mathematics (AREA)
  • Pure & Applied Mathematics (AREA)
  • Mathematical Optimization (AREA)
  • Nonlinear Science (AREA)
  • Mathematical Analysis (AREA)
  • Evolutionary Computation (AREA)
  • Data Mining & Analysis (AREA)
  • Computing Systems (AREA)
  • Artificial Intelligence (AREA)
  • Mathematical Physics (AREA)
  • Software Systems (AREA)
  • Algebra (AREA)
  • Storage Device Security (AREA)
  • Complex Calculations (AREA)

Abstract

The invention concerns a method of performing computations in a mathematical system which exhibits a Lyapunov exponent, or which exhibits chaotic behaviour, the method comprising varying a parameter of the system. When this method is used in cryptography, in particular in a pseudo-random number generator of a stream cipher algorithm, in a block cipher system or in a digital digest (HASH/MAC) system, unpredictability can be increased. In a similar system, a method of computation comprises multiplying two numbers and manipulating at least one of the most significant bits of the number resulting from the multiplication to produce an output. A number derived from a division of two numbers may be used to derive an output. In a system for generating a sequence of numbers, an array of counters is updated at each computation step, a carry value being added to each counter. Fixed-point arithmetic may be used. The invention also concerns a method for determining an identification value, and simultaneous encryption and/or simultaneous decryption of a set of data.
PCT/DK2003/000375 2002-06-06 2003-06-06 Procedes permettant d'ameliorer l'imprevisibilite d'une sortie de generateurs de nombres pseudo aleatoires WO2003104969A2 (fr)

Priority Applications (4)

Application Number Priority Date Filing Date Title
AU2003232162A AU2003232162A1 (en) 2002-06-06 2003-06-06 Computations in a mathematical system
JP2004511973A JP2005529364A (ja) 2002-06-06 2003-06-06 擬似乱数生成器の出力の予測不可能性を向上させる方法
EP03756974A EP1532515A2 (fr) 2002-06-06 2003-06-06 Procedes permettant d'ameliorer l'imprevisibilite d'une sortie de generateurs de nombres pseudo aleatoires
CA002488514A CA2488514A1 (fr) 2002-06-06 2003-06-06 Procedes permettant d'ameliorer l'imprevisibilite d'une sortie de generateurs de nombres pseudo aleatoires

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
DKPA200200864 2002-06-06
DKPA200200864 2002-06-06
DKPA200300211 2003-02-12
DKPA200300211 2003-02-12

Publications (2)

Publication Number Publication Date
WO2003104969A2 true WO2003104969A2 (fr) 2003-12-18
WO2003104969A3 WO2003104969A3 (fr) 2005-03-24

Family

ID=29737849

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/DK2003/000375 WO2003104969A2 (fr) 2002-06-06 2003-06-06 Procedes permettant d'ameliorer l'imprevisibilite d'une sortie de generateurs de nombres pseudo aleatoires

Country Status (6)

Country Link
EP (1) EP1532515A2 (fr)
JP (1) JP2005529364A (fr)
CN (1) CN1668995A (fr)
AU (1) AU2003232162A1 (fr)
CA (1) CA2488514A1 (fr)
WO (1) WO2003104969A2 (fr)

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009015979A2 (fr) * 2007-08-02 2009-02-05 International Business Machines Corporation Procédé, dispositif informatisé et programme informatique pour crypter ou décrypter des données de manière efficace et avec une faible consommation de puissance
CN102082668A (zh) * 2010-07-16 2011-06-01 北京邮电大学 一种基于耦合混沌映射的消息完整性认证方法
CN102546603A (zh) * 2011-12-22 2012-07-04 洛阳元煜自控工程有限公司 一种远程路灯控制系统通信协议动态加密方法
US8589460B2 (en) 2007-11-20 2013-11-19 Jiguo Dong Random number generator and random number generating method thereof
CN103490876A (zh) * 2013-10-18 2014-01-01 重庆科技学院 基于超混沌Lorenz系统构建Hash函数的数据加密方法
CN104954117A (zh) * 2015-06-29 2015-09-30 宋煜 基于Logistic混沌映射转移轨道判决的序列密码生成系统
WO2017185412A1 (fr) * 2016-04-29 2017-11-02 北京中科寒武纪科技有限公司 Dispositif et procédé pour opérations de réseau neuronal prenant en charge des nombres à virgule fixe à petit nombre de bits
CN112272091A (zh) * 2020-09-24 2021-01-26 北京石油化工学院 一种具有均匀分布特征的多维整数混沌伪随机序列的生成方法
EP3771978A1 (fr) * 2019-07-31 2021-02-03 Denso Ten Limited Appareil de traitement d'informations
WO2021076518A1 (fr) * 2019-10-15 2021-04-22 Onenav, Inc. Récepteurs de système de satellites de navigation mondiaux modernisés
CN113407900A (zh) * 2021-01-26 2021-09-17 南京信息职业技术学院 Lorenz振子的快速求解方法
CN113965315A (zh) * 2021-10-15 2022-01-21 华东师范大学 一种轻量级密码学安全伪随机数生成器及伪随机数生成方法
US11288663B1 (en) 2021-06-25 2022-03-29 Arri E. Manuel Blockring service, system, and method thereof
CN113407900B (zh) * 2021-01-26 2024-06-04 南京信息职业技术学院 Lorenz振子的快速求解方法

Families Citing this family (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102323476B (zh) * 2011-06-08 2013-09-18 山东电力研究院 采用谱估计和混沌理论的电力系统谐波和间谐波测量方法
CN103135961A (zh) * 2011-11-28 2013-06-05 中泽宏 基于具有两个奇素因子的模数生成乘同余随机数的方法
CN102520908B (zh) * 2011-12-20 2015-04-29 大唐微电子技术有限公司 一种伪随机数生成器及伪随机数生成方法
EP2667537A1 (fr) * 2012-05-24 2013-11-27 Enigmedia SLL Procédé de codage et de décodage d'un flux de données
US8861725B2 (en) * 2012-07-10 2014-10-14 Infineon Technologies Ag Random bit stream generator with enhanced backward secrecy
DE102013205168A1 (de) * 2013-03-22 2014-09-25 Robert Bosch Gmbh Verfahren zum Erzeugen einer zufälligen Ausgangsbitfolge
CN104426651A (zh) * 2013-08-30 2015-03-18 上海复旦微电子集团股份有限公司 数据处理方法和装置
BR112017003063A2 (pt) * 2014-08-19 2018-02-27 Ericsson Telefon Ab L M métodos para gerar uma soma de verificação criptográfica e para autenticar uma mensagem, programa de computador, produto de programa de computador, gerador de soma de verificação, dispositivos emissor e receptor, terminal móvel, e, nó de acesso de rádio.
JP2016178574A (ja) * 2015-03-23 2016-10-06 日本電気株式会社 復号装置、受信装置、送受信システムおよび復号方法
US10209957B2 (en) * 2015-05-04 2019-02-19 Samsung Electronics Co., Ltd. Partial remainder/divisor table split implementation
US10142103B2 (en) * 2015-12-07 2018-11-27 The Boeing Company Hardware assisted fast pseudorandom number generation
CN107301454B (zh) * 2016-04-15 2021-01-22 中科寒武纪科技股份有限公司 支持离散数据表示的人工神经网络反向训练装置和方法
CN109039579A (zh) * 2016-04-28 2018-12-18 王志 一种Lorenz型吸引子的简单混沌系统电路
GB2551787A (en) * 2016-06-30 2018-01-03 Ipco 2012 Ltd Generating a plurality of one time tokens
US10078493B2 (en) 2016-10-10 2018-09-18 International Business Machines Corporation Secured pseudo-random number generator
CN107193530B (zh) * 2017-04-28 2020-04-24 广州酷狗计算机科技有限公司 一种生成随机数的方法和装置
CN107181566A (zh) * 2017-05-10 2017-09-19 桂林电子科技大学 一种面向高速移动通信的混沌交织算法
CN110110318B (zh) * 2019-01-22 2021-02-05 清华大学 基于循环神经网络的文本隐写检测方法及系统
CN110851112A (zh) * 2019-11-06 2020-02-28 成都卫士通信息产业股份有限公司 一种随机比特生成方法、装置及电子设备和存储介质
CN111723542A (zh) * 2020-07-07 2020-09-29 南京晓庄学院 一种四维无平衡点超混沌系统自适应同步方法及电路
CN112632558B (zh) * 2020-12-23 2021-08-10 工业信息安全(四川)创新中心有限公司 一种工控安全设备的分块中最长的零行程测试方法及装置
CN112861121B (zh) * 2020-12-23 2023-04-07 工业信息安全(四川)创新中心有限公司 一种块内最大1、0游程检测合并优化实现方法及装置
CN112764713B (zh) * 2021-01-25 2024-04-26 北京信而泰科技股份有限公司 随机数的生成方法和装置
CN113343609B (zh) * 2021-06-21 2023-07-07 中国人民解放军陆军炮兵防空兵学院 基于可公开的混沌流密码加密的通信保密电路设计方法

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4719592A (en) * 1982-11-20 1988-01-12 International Computers Limited Sequence generator
US4755969A (en) * 1986-11-07 1988-07-05 Digital Electronic Communications Equipment (Dece Corp.) Pseudo random sequence generation
US4780840A (en) * 1982-06-23 1988-10-25 U.S. Philips Corp. Method of generating a pseudo-random sequence of signs of a large sequence length
US5007087A (en) * 1990-04-16 1991-04-09 Loral Aerospace Corp. Method and apparatus for generating secure random numbers using chaos
EP0536905A2 (fr) * 1991-10-07 1993-04-14 International Business Machines Corporation Générateur de nombres aléatoires
EP0949563A2 (fr) * 1998-03-04 1999-10-13 Lucent Technologies Inc. Méthode de génération de nombres pseudo-aléatoires
WO2002009030A1 (fr) * 2000-07-11 2002-01-31 Schlumberger Systemes Systeme de traitement informatique comprenant des donnees confidentielles
US20020064279A1 (en) * 2000-11-29 2002-05-30 Uner Eric R. Method and apparatus for generating a group of character sets that are both never repeating within certain period of time and difficult to guess
WO2002047272A2 (fr) * 2000-12-07 2002-06-13 Cryptico A/S Procede permettant d'effectuer des operations mathematiques dans un dispositif electronique, procede permettant de generer des nombres pseudo-aleatoires dans un dispositif electronique et procede permettant de crypter et de decrypter des donnees electroniques

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH1153173A (ja) * 1997-08-07 1999-02-26 Nec Corp 擬似乱数発生方法及び装置

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4780840A (en) * 1982-06-23 1988-10-25 U.S. Philips Corp. Method of generating a pseudo-random sequence of signs of a large sequence length
US4719592A (en) * 1982-11-20 1988-01-12 International Computers Limited Sequence generator
US4755969A (en) * 1986-11-07 1988-07-05 Digital Electronic Communications Equipment (Dece Corp.) Pseudo random sequence generation
US5007087A (en) * 1990-04-16 1991-04-09 Loral Aerospace Corp. Method and apparatus for generating secure random numbers using chaos
EP0536905A2 (fr) * 1991-10-07 1993-04-14 International Business Machines Corporation Générateur de nombres aléatoires
EP0949563A2 (fr) * 1998-03-04 1999-10-13 Lucent Technologies Inc. Méthode de génération de nombres pseudo-aléatoires
WO2002009030A1 (fr) * 2000-07-11 2002-01-31 Schlumberger Systemes Systeme de traitement informatique comprenant des donnees confidentielles
US20020064279A1 (en) * 2000-11-29 2002-05-30 Uner Eric R. Method and apparatus for generating a group of character sets that are both never repeating within certain period of time and difficult to guess
WO2002047272A2 (fr) * 2000-12-07 2002-06-13 Cryptico A/S Procede permettant d'effectuer des operations mathematiques dans un dispositif electronique, procede permettant de generer des nombres pseudo-aleatoires dans un dispositif electronique et procede permettant de crypter et de decrypter des donnees electroniques

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
BERNSTEINM G.M. ET AL: "Secure random number generation using chaotic circuits" CIRCUITS AND SYSTEMS, IEEE TRANSACTIONS ON, vol. 37, no. 9, September 1990 (1990-09), pages 1157-1164, XP002269576 *
BULS, J.: "Contruction of pseudo-random sequences from chaos" CONTROL OF OSCILLATIONS AND CHAOS, 2000. PROCEEDINGS. 2000 2ND INTERNATIONAL CONFERENCE, vol. 3, 5 - 7 July 2000, pages 558-560, XP002269575 *
JESSA, M.: "Chaotic numbers" SINGAPORE ICCS/ISITA '92'. 'COMMUNICATIONS ON THE MOVE', vol. 1, 16 - 20 November 1992, pages 50-52, XP002269577 *
See also references of EP1532515A2 *

Cited By (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009015979A2 (fr) * 2007-08-02 2009-02-05 International Business Machines Corporation Procédé, dispositif informatisé et programme informatique pour crypter ou décrypter des données de manière efficace et avec une faible consommation de puissance
WO2009015979A3 (fr) * 2007-08-02 2009-04-02 Ibm Procédé, dispositif informatisé et programme informatique pour crypter ou décrypter des données de manière efficace et avec une faible consommation de puissance
US8130956B2 (en) 2007-08-02 2012-03-06 International Business Machines Corporation Efficient and low power encrypting and decrypting of data
US8589460B2 (en) 2007-11-20 2013-11-19 Jiguo Dong Random number generator and random number generating method thereof
CN102082668A (zh) * 2010-07-16 2011-06-01 北京邮电大学 一种基于耦合混沌映射的消息完整性认证方法
CN102546603A (zh) * 2011-12-22 2012-07-04 洛阳元煜自控工程有限公司 一种远程路灯控制系统通信协议动态加密方法
CN103490876A (zh) * 2013-10-18 2014-01-01 重庆科技学院 基于超混沌Lorenz系统构建Hash函数的数据加密方法
CN103490876B (zh) * 2013-10-18 2016-05-18 重庆科技学院 基于超混沌Lorenz系统构建Hash函数的数据加密方法
CN104954117A (zh) * 2015-06-29 2015-09-30 宋煜 基于Logistic混沌映射转移轨道判决的序列密码生成系统
WO2017185412A1 (fr) * 2016-04-29 2017-11-02 北京中科寒武纪科技有限公司 Dispositif et procédé pour opérations de réseau neuronal prenant en charge des nombres à virgule fixe à petit nombre de bits
US11537717B2 (en) 2019-07-31 2022-12-27 Denso Ten Limited Information processing apparatus
EP3771978A1 (fr) * 2019-07-31 2021-02-03 Denso Ten Limited Appareil de traitement d'informations
WO2021076518A1 (fr) * 2019-10-15 2021-04-22 Onenav, Inc. Récepteurs de système de satellites de navigation mondiaux modernisés
EP3997562A4 (fr) * 2019-10-15 2023-08-02 Onenav, Inc. Récepteurs de système de satellites de navigation mondiaux modernisés
US11686855B2 (en) 2019-10-15 2023-06-27 Onenav, Inc. Modernized global navigation satellite system (GNSS) receivers and commercially viable consumer grade GNSS receivers
CN112272091A (zh) * 2020-09-24 2021-01-26 北京石油化工学院 一种具有均匀分布特征的多维整数混沌伪随机序列的生成方法
CN112272091B (zh) * 2020-09-24 2023-06-20 北京石油化工学院 一种具有均匀分布特征的多维整数混沌伪随机序列的生成方法
CN113407900A (zh) * 2021-01-26 2021-09-17 南京信息职业技术学院 Lorenz振子的快速求解方法
CN113407900B (zh) * 2021-01-26 2024-06-04 南京信息职业技术学院 Lorenz振子的快速求解方法
US11288663B1 (en) 2021-06-25 2022-03-29 Arri E. Manuel Blockring service, system, and method thereof
CN113965315A (zh) * 2021-10-15 2022-01-21 华东师范大学 一种轻量级密码学安全伪随机数生成器及伪随机数生成方法
CN113965315B (zh) * 2021-10-15 2023-12-01 华东师范大学 一种轻量级密码学安全伪随机数生成器及伪随机数生成方法

Also Published As

Publication number Publication date
CA2488514A1 (fr) 2003-12-18
JP2005529364A (ja) 2005-09-29
CN1668995A (zh) 2005-09-14
AU2003232162A1 (en) 2003-12-22
EP1532515A2 (fr) 2005-05-25
WO2003104969A3 (fr) 2005-03-24

Similar Documents

Publication Publication Date Title
US7170997B2 (en) Method of generating pseudo-random numbers in an electronic device, and a method of encrypting and decrypting electronic data
US20040086117A1 (en) Methods for improving unpredictability of output of pseudo-random number generators
WO2003104969A2 (fr) Procedes permettant d'ameliorer l'imprevisibilite d'une sortie de generateurs de nombres pseudo aleatoires
CN110363030B (zh) 用于执行基于格的密码操作的方法和处理设备
EP1583278B1 (fr) Conception d'un chiffrage par flux utilisant des mémoires tampon tournantes
US20210165633A1 (en) Protection system and method
Arnaud et al. Timing attack against protected RSA-CRT implementation used in PolarSSL
Kundu et al. Higher-order masked saber
Boesgaard et al. The stream cipher rabbit
Coron et al. Fast evaluation of polynomials over binary finite fields and application to side-channel countermeasures
Braeken et al. SFINKS: A synchronous stream cipher for restricted hardware environments
AU2002220534A1 (en) A method of performing mathematical operations in an electronic device, a method of generating pseudo-random numbers in an electronic device, and a method of encrypting and decrypting electronic data
Anashin et al. ABC: A new fast flexible stream cipher
Kanso et al. Irregularly decimated chaotic map (s) for binary digits generations
JP2004530919A5 (fr)
Rose KISS: A bit too simple
Younes et al. CeTrivium: A Stream Cipher Based on Cellular Automata for Securing Real-TimeMultimedia Transmission.
Kundu et al. On the Masking-Friendly Designs for Post-quantum Cryptography
US20230195943A1 (en) Processor architecture and related techniques
Kanso An efficient cryptosystem Delta for stream cipher applications
Svensson et al. A simple secure communications system utilizing chaotic functions to control the encryption and decryption of messages
Abhishek On Random Number Generation for Kernel Applications
Santoro et al. Arithmetic operators for on-the-fly evaluation of TRNGs
Howgrave-Graham et al. Pseudo-random number generation on the IBM 4758 Secure Crypto Coprocessor
Bucerzan A cryptographic algorithm based on a pseudorandom number generator

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NI NO NZ OM PH PL PT RO RU SC SD SE SG SK SL TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
WWE Wipo information: entry into national phase

Ref document number: 2003232162

Country of ref document: AU

Ref document number: 2488514

Country of ref document: CA

WWE Wipo information: entry into national phase

Ref document number: 2004511973

Country of ref document: JP

WWE Wipo information: entry into national phase

Ref document number: 2003756974

Country of ref document: EP

WWE Wipo information: entry into national phase

Ref document number: 1904/KOLNP/2004

Country of ref document: IN

WWE Wipo information: entry into national phase

Ref document number: 20038173212

Country of ref document: CN

WWP Wipo information: published in national office

Ref document number: 2003756974

Country of ref document: EP