WO2005081934A2

WO2005081934A2 - Computer-implemented methods and systems for generating elastic block ciphers for encryption and decryption

Info

Publication number: WO2005081934A2
Application number: PCT/US2005/005615
Authority: WO
Inventors: Debra L. Cook; Marcel Mordechay Yung; Angelos D. Keromytis
Original assignee: The Trustees Of Columbia University In The City Of New York
Priority date: 2004-02-23
Filing date: 2005-02-23
Publication date: 2005-09-09
Also published as: WO2005081934A3

Abstract

In accordance with the present invention, computer implemented methods and systems are provided for converting an elastic block cipher from an original block cipher. The elastic block cipher accepts variable length inputs where the computation workload increases in proportion to the block size. To generate the elastic block cipher, the number of rounds in the block cipher is increased such that the round function is applied to each bit position at least the same number of times as the original block cipher. In addition, bits that are beyond the normal block size are left out of the round function and XORed and swapped with bits output from the round function to become part of the input to the next round.

Description

COMPUTER-IMPLEMENTED METHODS AND SYSTEMS FOR GENERATING ELASTIC BLOCK CIPHERS FOR ENCRYPTION AND DECRYPTION

Cross Reference to Related Application

[0001] This application claims the benefit under 35 U.S.C. § 119(e) of United States Provisional Patent Application Nos. 60/546,808, filed February 23, 2004 and 60/587,442, filed July 13, 2004, which are both hereby incorporated by reference herein in their entireties.

Field of the Invention

[0002] The present invention generally relates to cryptography. More particularly, the present invention relates to computer-implemented methods and systems for generating elastic block ciphers that may be used in various applications of encryption and decryption.

Background of the Invention

[0003] Computer viruses, worms, trojans, hackers, key recovery attacks, malicious executables, probes, etc. are a constant menace to all users of computers connected to public computer networks (such as the Internet) and/or private networks (such as corporate computer networks). Because of these threats, many computers are protected by antivirus software. In addition to installing antivirus software, encryption schemes may be used to further secure data that is transferred between these computers.

[0004] One conventional approach for encrypting data is known as symmetric-key encryption. In symmetric-key encryption schemes, a single key that is agreed upon by both the sender and receiver is used to both encrypt and decrypt data. Symmetric-key encryption schemes often use block ciphers, which are algorithms that transforms a fixed length block of plain text data (i.e., unencrypted text) into a block of ciphertext data (i.e., encrypted text) of the same length. This transformation takes place under the action of receiving a user-provided secret key. Decryption is performed by applying the reverse transformation to the ciphertext block using the same secret key.

[0005] Block ciphers usually support one block size (e.g., 128 bits). However, because the length of the data to be encrypted is often not a multiple of the supported block size, plaintext- padding approaches are required. Although widely used, padding imposes additional computational and space overheads to the encryption process. For example, most data fields in a database do not interact well with the typical block sizes as integers are often 32 bits long, doubles are 80 bits, and strings are of arbitrary length. Thus, the amount of space that is consumed due to encryption may be significant in a large database. Similar issues arise when considering network traffic protection. [0006] Furthermore, certain applications require that the length of the encrypted data remain the same. One solution that is proposed is the use of a stream cipher, which generates a keystream (i.e., a sequence of bits used as a key) that is combined with the plaintext. A problem with stream ciphers, however, is that they sacrifice data and key diffusion, and also require synchrony between the sender and the receiver, which is an unsuitable assumption for many applications. [0007] A few attempts have been made to generate variable-length pseudo-random functions (PRFs). The focus has generally been on variable-length inputs with fixed-length outputs as applicable to message authentication codes (MACs) and hash functions and, more recently, on modes that work on multiples of the original block length. However, these solutions all require creating a new cipher rather than an approach for converting existing block ciphers into variable- length block ciphers.

[0008] Another solution has been proposed that creates variable-length block ciphers by converting any existing block cipher into one that accepts variable size block lengths (See, e.g., Bellare et al., "On the Construction of Variable Length-Input Ciphers," Proceedings of Fast Software Encryption (FSE), LNCS 1636, Sptinger-Verlag, 1999). However, the proposed solution involves two applications of the cipher for block lengths between the original length and less than twice that length. Thus, the resulting cipher requires twice the work of the original block cipher per block, regardless of the block size. Moreover, this proposed solution treats the original cipher as a pseudo-random permutation (PRP) and analyzes it as a "black box" (i.e., an idea cipher or a PRP as is used in constructing modes of encryption).

[0009] Therefore, there is a need in the art for computer-implemented methods and systems for providing a more flexible and improved block cipher.

[0010] Accordingly, it is desirable to provide computer-implemented methods and systems that overcome these and other deficiencies of the prior art. Summary of the Invention [0011] In accordance with the present invention, computer implemented methods and systems are provided for converting an elastic block cipher from an original block cipher. The elastic block cipher accepts variable length inputs where the computation workload increases in proportion to the block size.

[0012] Generally speaking, to generate the elastic block cipher, the number of rounds in the round function of the block cipher are increased such that the round function is applied to each bit position the same number of times as the original block cipher. In addition, bits that are beyond the normal block size are left out of the round function and XORed and swapped with bits output from the round function to become part of the input to the next round. [0013] In some embodiments, an original block cipher that is based on a round function, where the original block cipher is configured to receive an input of a first block size, is provided. In order for the block cipher to receive data strings having a second block size different than the first block size, the original block cipher may be converted to an elastic block cipher. The number of rounds of the original block cipher may be expanded to a second number of rounds that is based at least in part on the first and second block sizes. An exclusive OR operation may be performed on a received data string with a first subkey. The bits of the data string may then be divided into a first subset and a second subset, wherein the bits of the first subset fit within the first block size and the second subset is the remainder of the data string that is beyond the first block size.

[0014] The first and second subsets are then input into the round function. The round function is iteratively performed. The round function of the block cipher may perform any suitable transformation on the first subset to create a transformed first subset. A second exclusive OR operation is performed on the transformed first subset and the second subset with a second subkey. A third exclusive OR operation is performed on the second subset with the transformed first subset to create a transformed second subset, which is then swapped with the transformed first subset.

[0015] After performing the last round of the round function on the transformed first subset, a fourth exclusive OR operation is performed on the transformed first subset and the trans ormed second subset with a third subkey resulting in the elastic block cipher. [0016] There has thus been outlined, rather broadly, the more important features of the invention in order that the detailed description thereof that follows may be better understood, and in order that the present contribution to the art may be better appreciated. There are, of course, additional features of the invention that will be described hereinafter and which will form the subject matter of the claims appended hereto. [0017] In this respect, before explaining at least one embodiment of the invention in detail, it is to be understood that the invention is not limited in its application to the details of construction and to the arrangements of the components set forth in the following description or illustrated in the drawings. The invention is capable of other embodiments and of being practiced and carried out in various ways. Also, it is to be understood that the phraseology and terminology employed herein are for the purpose of description and should not be regarded as limiting. [0018] As such, those skilled in the art will appreciate that the conception, upon which this disclosure is based, may readily be utilized as a basis for the designing of other structures, methods and systems for carrying out the several purposes of the present invention. It is important, therefore, that the claims be regarded as including such equivalent constructions insofar as they do not depart from the spirit and scope of the present invention. [0019] These together with other objects of the invention, along with the various features of novelty which characterize the invention, are pointed out with particularity in the claims annexed to and forming a part of this disclosure. For a better understanding of the invention, its operating advantages and the specific objects attained by its uses, reference should be had to the accompanying drawings and descriptive matter in which there is illustrated preferred embodiments of the invention.

Brief Description of the Drawings

[0020] Various objects, features, and advantages of the present invention can be more fully appreciated with reference to the following detailed description of the invention when considered in connection with the following drawings, in which like reference numerals identify like elements.

[0021] FIG. 1 is a schematic diagram of an illustrative system suitable for implementation of an application that converts an original block cipher to an elastic block cipher in accordance with some embodiments of the present invention. [0022] FIG. 2 is a-detailed example of the server and one of the workstations of FIG.1 that may be used in accordance with some embodiments of the present invention. [0023] FIGS. 3 A and 3B show a simplified flowchart illustrating the steps performed in generating an elastic block cipher from an original block cipher in accordance with some embodiments of the present invention [0024] FIG. 4 shows at least a portion of the original cipher embedded within the elastic block cipher in accordance with some embodiments of the present invention. [0025] FIG. 5 shows how the converted key is unchanged in the left b bits in accordance with some embodiments of the present invention. [0026] FIG. 6 shows a simplified illustration of how S 'md q and { (P,U)_md q-i } are created in accordance with some embodiments of the present invention. [0027] FIG. 7 shows a simplified illustration of the general structure of the MISTY 1 block cipher in accordance with some embodiments of the present invention.

[0028] FIG. 8 shows a simplified illustration of the swapping step and whitening step added after every two rounds in elastic MISTY1 block cipher so that each bit participates in the round function and is acted upon at least the same number of times as in the original version of the

MISTY 1 block cipher in accordance with some embodiments of the present invention.

[0029] FIG. 9 shows a simplified illustration of the round function in the elastic version of

MISTY 1 in accordance with some embodiments of the present invention.

Detailed Description of the Preferred Embodiments

[0030] The following description includes many specific details. The inclusion of such details is for the purpose of illustration only and should not be understood to limit the invention.

Moreover, certain features which are well known in the art are not described in detail in order to avoid complication of the subject matter of the present invention. In addition, it will be understood that features in one embodiment may be combined with features in other embodiments of the invention.

[0031] FIG. 1 is a schematic diagram of an illustrative system 100 suitable for implementation of an application that generates an elastic block cipher from an original block cipher in accordance with some embodiments of the present invention. Referring to FIG. 1, an exemplary system 100 for implementing the present invention is shown. As illustrated, system 100 may include one or more workstations 102. Workstations 102 may be local to each other or remote from each other, and are connected by one or more communications links 104 to a communications network 106 that is linked via a communications link 108 to a server 110. [0032] In system 100, server 110 may be any suitable server for providing access to the application, such as a processor, a computer, a data processing device, or a combination of such devices. Communications network 106 may be any suitable computer network including the Internet, an intranet, a wide-area network (WAN), a local-area network (LAN), a wireless network, a digital subscriber line (DSL) network, a frame relay network, an asynchronous transfer mode (ATM) network, a virtual private network (VPN), or any combination of any of the same. Communications links 104 and 108 may be any communications links suitable for communicating data between workstations 102 and server 110, such as network links, dial-up links, wireless links, hard-wired links, etc. Workstations 102 enable a user to access features using the contextual ontology. Workstations 102 may be personal computers, laptop computers, mainframe computers, dumb terminals, data displays, Internet browsers, personal digital assistants (PDAs), two-way pagers, wireless terminals, portable telephones, etc., or any combination of the same. Workstations 102 and server 110 may be located at any suitable location. In one embodiment, workstations 102 and server 110 may be located within an organization. Alternatively, workstations 102 and server 110 may be distributed between multiple organizations.

[0033] The server and one of the workstations, which are depicted in FIG. 1, are illustrated in more detail in FIG. 2. Referring to FIG. 2, workstation 102 may include processor 202, display 204, input device 206, and memory 208, which may be interconnected. In a preferred embodiment, memory 208 contains a storage device for storing a workstation program for controlling processor 202. Memory 208 also preferably contains the application according to the invention.

[0034] In some embodiments, the application may include an application program interface (not shown), or alternatively, as described above, the application may be resident in the memory of workstation 102 or server 110. In another suitable embodiment, the only distribution to the user may be a Graphical User Interface which allows the user to interact with the application resident at, for example, server 110. [0035] In one particular embodiment, the application may include client-side software, hardware, or both. For example, the application may encompass one or more Web-pages or Web-page portions (e.g., via any suitable encoding, such as HyperText Markup Language (HTML), Dynamic HyperText Markup Language (DHTML), Extensible Markup Language (XML), JavaServer Pages (JSP), Active Server Pages (ASP), Cold Fusion, or any other suitable approaches). [0036] Although the application is described herein as being implemented on a workstation, this is only illustrative. The application may be implemented on any suitable platform (e.g., a personal computer (PC), a mainframe computer, a dumb terminal, a data display, a two-way pager, a wireless terminal, a portable telephone, a portable computer, a palmtop computer, a H/PC, an automobile PC, a laptop computer, a personal digital assistant (PDA), a combined cellular phone and PDA, etc.) to provide such features.

[0037] Processor 202 may use the workstation program to present on display 204 the application and the data received through communication link 104 and commands and values transmitted by a user of workstation 102. It should also be noted that data received through communication link 104 or any other communications links may be received from any suitable source, such as web services. Input device 206 may be a computer keyboard, a cursor-controller, a dial, a switchbank, lever, or any other suitable input device as would be used by a designer of input systems or process control systems.

[0038] Server 210 may include processor 320, display 322, input device 324, and memory 326, which may be interconnected. In a preferred embodiment, memory 326 contains a storage device for storing data received through communication link 108 or through other links, and also receives commands and values transmitted by one or more users. The storage device further contains a server program for controlling processor 320.

[0039] In accordance with the present invention, computer implemented methods and systems are provided for generating elastic block ciphers. These elastic block ciphers stretch the support block size of a block cipher up to a length that is at least double the original block size, while increasing the computational load proportionally to the stretched block size. This, together with modes of operation, permits block sizes to be set based on an application's requirements without requiring padding to an integral block length. The elastic block cipher allows, for example, a non-traditional block size to be used for all blocks, or a traditional block size to be used for all but the last block in a given mode of operation. Such a cipher may be useful in applications, such as, for example, database and network traffic encryption, as well as other applications of encryption. [0040] Turning to FIGS. 3A and 3B, simplified flowcharts illustrating the steps performed in generating an elastic block cipher from an original block cipher in accordance with some embodiments of the present invention. These are generalized flow charts. It will be understood that the steps shown in FIGS. 3 A and 3B may be performed in any suitable order, some may be deleted, and others added. [0041] Generally, process 300 begins by modifying the encryption and decryption functions of the original block cipher to accept blocks of size b to 2b-l bits, where b is the block size of the original block cipher. Without modifying the round function of the original block cipher or decreasing the number of rounds applied to each bit, process 300 interleaves bits beyond the supported block size with bits in the supported block size.

[0042] As shown in FIG. 3 A, process 300 begins with an existing block cipher that is structured as a sequence of rounds and P, a plaintext, where the length is b+y bits, b is the block length of the input to G in bits, and y is an integer in the range of 0 to b-1. It should be noted that process 300 sets the number of rounds, r', such that each of the b+y bits is input to and active in the same number of rounds in G', the resulting elastic block cipher, as each of the b bits is in G. Accordingly: r' = r + [yr/b] Each bit position of the input is required to be active in the same number of rounds in G' as the number of rounds in which each bit is active in G. This requirement allows the computational workload to increase proportionately to the block size of the resulting cipher while avoiding a reduced round attack on G from being applied to G'. For example, if y=b-l and no rounds were added to G when generating G': b-1 bits would be active in only half of the rounds in which a bit is normally active in G. As y increases, the number of rounds increases gradually from r + 1 when 0 < [ry/b] < 1 to 2r when r-1 < [ry/b] < r.

[0043] As used herein, a bit (position) input to a block cipher is "active" in a round if the bit in input to the round function. For example, in a DES block cipher, half of the bits are active in each round, while in an AES block cipher, all of the bits are active in each round. The round functions refers to one entire round of G, the original block cipher. For example, if G is a Feistel network, the round function of G consists of one entire round of the Feistel network as opposed to only the function used within the Feistel network. [0044] At step 301, an exclusive OR operation (sometimes referred to herein as an "XOR" operation) is performed on all b+y bits with key material (sometimes referred to herein as a "round key" or a "subkey"). That is, plaintext and a subkey are input into the XOR operation. It should be noted that this generally prevents an adversary from learning the y input bits to the second round in a plaintext attack. [0045] In some embodiments, process 300 may include a key-dependent mixing function that permutes or mixes the bits in such a manner that any individual bit is not guaranteed to be in the rightmost y bits with a probability of y (step 302). In some embodiments, a key-dependent mixing function may also be performed at the end of the last round of the block cipher (step 308). Applying a key-dependent mixing function of bytes prior to the first round increases the extent to which the first round contributes to preventing a differential attack. If the time to perform the key-dependent mixing function is more than the time it takes to perform a single round, an additional round may be added to decrease the probability of a specific differential attack from occurring. A trivial mixing that prevents an attacker from knowing with probability 1 which y bits are excluded from the first round is a key-dependent rotation. This assures that any particular bit is within the y bits with a probability of less than one-half. Similarly, a key- dependent mixing step performed after the last round may prevent a single round differential from occurring with a probability of 1 in the first round of decryption.

[0046] At step 303, the leftmost b-bits that are output from the mixing step are input into the round function of the original block cipher. The round function may includes performing any suitable transformation or any other suitable operation. For example, when the original block cipher is an AES block cipher, the S-Box, Shiftrows, and MixColumns transformations may be performed. [0047] At step 304, if the round function includes performing an exclusive OR function with key material at the end of the round and or as a final step in the algorithm, the whitening step, as described above, may be performed on all b+y bits (inner block as well as side whitening). If the block cipher does not contain end-of -round whitening and/or whitening as the last step in the algorithm, these whitening steps may be added and applied to all y+b bits. In either case, additional bits of expanded key material are required beyond the amount required by the block cipher. [0048] By including all b+y bits in the whitening performed at the end of the round prevents an adversary from learning any of the output bits of the next-to-last round. For example, suppose the additional y bits were not included in the whitening, then the ciphertext, C, for the block would include the y bits that were excluded from the last round. Since no bit is excluded from two consecutive rounds, an adversary would be provided with y bits of output from the next to last round, potentially aiding in cryptanalysis. [0049] At step 305, process 300 performs a swap function, where it alternates which y bits are left out of the round by XORing the y bits left out of the previous round with the y bits from the round's output and swaps the results with the y bits left out of the previous round. For example: (a) Let Y denote the y bits that were left out of the round; (b) Let X denote some subset of y bits from the round's output of b bits. A different set of X bits (in terms of position) is selected in each round. It should be noted that how to best select X is dependent on the specific block cipher. (c) Set Y <- X θ Y (see step 306) (d) Swap X and Y to form the input to the next round (see step 307).

[0050] The exclusive OR function is performed on X and Y instead of merely swapping X and Y in order to increase the rate of diffusion. Ji G does not have complete diffusion in one round, then at the end of the first round there is some subset S of bits output from the round that have not been impacted by some of the bits in X. While the bits in Y may impact the subset S in the second round, swapping X and Y would result in the bits in X having no impact in the second round; whereas, swapping X with X θ Y allows the bits in X to impact the second round. The selection of X depends on the round function of the specific block cipher. The bit positions selected for X may vary amongst the rounds to ensure that all bit positions are involved in both the b-bit and y-bit components, as opposed to always selecting the same y positions for use in X. If all input bits to the round are utilized in the same manner, the bit positions chosen for X may be rotated across the rounds.

[0051] In some embodiments, the original block cipher may be an Advanced Encryption Standard (AES) cipher that accepts 128-bit inputs. FIG. 3B is a simplified flowchart illustrating the steps performed in generating an elastic block cipher from an Advanced Encryption Standard (AES) cipher that accepts 128-bit inputs. It should be noted that although FIG. 3B and the following embodiments of the present invention generally relate to generating an elastic block cipher from an AES cipher, these embodiments are not limited only to converting AES ciphers. Rather, the invention may also be applied to any suitable block cipher or encryption algorithm, such as, for example, the Data Encryption Standard (DES), the International Data Encryption Algorithm (IDEA), the Secure and Fast Encryption Routine (SAFER), the Fast Data Encipherment Algorithm (FEAL), Skipjack, Blowfish, CAST-128, RC6, or MISTY1. [0052] It should also be noted that AES specifies a Federal Information Processing Standard (FJPS)-approved cryptographic algorithm that may be used to protect electronic data. The AES algorithm is a symmetric block cipher that can encrypt and decrypt data. The AES was issued as FTPS PUB 197 by the National Institute of Standards and Technology (NIST), which is incorporated by reference herein in its entirety.

[0053] Generally speaking, the AES block cipher encrypts a block of data by repeatedly performing a set of transformations, sometimes referred to herein as round transformations. The number of the rounds, r, depends on the key length. For example, the number of rounds for the key length of 128 and 256 are 10 and 14, respectively. In particular, for a key length of 128, the AES block cipher encrypts the block of data by performing 9 complete round transformations followed by 1 incomplete or final round transformation. The incomplete round transformation generally includes one less step than a complete round transformation. [0054] The set of transformations involved in the AES block cipher includes, in the following order: ByteSub, ShiftRow, MixColumn, and AddRoundKey. The incomplete round transformation does not include the MixColumn transformation.

[0055] At step 310, and as described previously in step 301, an exclusive OR operation is performed on all b+y bits with key material. In accordance with the AES specification, the plaintext and a subkey are input into the XOR operation to perform an AddRoundKey transformation. It should be noted that when the exclusive OR operation is performed on all b+y bits with key material, it requires including y extra bits in AES's AddRoundKey step. [0056] In some embodiments, before applying the exclusive OR operation of step 310, an additional whitening step (not shown) may be included. Generally, the whitening step performs a mathematical operation, such as an exclusive OR operation, to combine a whitening key with the original block cipher, G, to further strengthen the key material. It should be noted that the whitening step may be performed on an encrypted block and the corresponding decrypted block. If G includes such a whitening step, the exclusive OR operation is applied on the original b-bits "inner block" whitening for the leftmost bits, as well as "side whitening" of the extra y bits. [0057] Alternatively, if the additional whitening step is not performed, the output from step 310 is inputted into the AES block cipher. In either case, additional bits of expanded key material are required beyond the amount needed for the original block cipher (for the side whitening and, in some embodiments, the added inner block whitening). [0058] In some embodiments, a key-dependent mixing function that permutes or mixes the bits in such a manner that any individual bit is not guaranteed to be in the rightmost y bits with a probability of y (step 320) may be included. In some embodiments, a key-dependent mixing function may also be performed at the end of the last round of the block cipher. Applying a key- dependent mixing function of bytes prior to the first round increases the extent to which the first round contributes to preventing a differential attack. If the time to perform the key-dependent mixing function is more than the time it takes to perform a single round, an additional round may be added to decrease the probability of a specific differential attack from occurring. A trivial mixing that prevents an attacker from knowing with probability 1 which y bits are excluded from the first round is a key-dependent rotation. This assures that any particular bit is within the y bits with a probability of less than one-half. Similarly, a key-dependent mixing step performed after the last round may prevent a single round differential from occurring with a probability of 1 in the first round of decryption.

[0059] At step 330, the leftmost b-bits that are output from the mixing step are input into the round function of the AES block cipher. The round function includes performing at least the S- Box, Shiftrows, and MixColumns transformations. Using the S-Box transformation, the individual bytes are substituted according to values given in a substitution-box, or S-Box. The S-Box formula is further described in the above-referenced FIPS PUB 197 specification. During the Shiftrows transformation, individual rows (e.g., the last three rows of the state) are shifted over different numbers of bytes. For example, row 0 may not be shifted, while row 1 is offset by 4 bytes, row 2 offset by 6 bytes, and row 3 offset by 8 bytes.

[0060] After the Shiftrows transformation, the MixColumns transformation is performed on the state column-by-column, where each column of an input data code obtained from the output of the Shiftrows transformation is transformed into the corresponding column of the output data code by multiplying each column with a given polynomial. [0061] At step 340, if the round function includes performing an exclusive OR function with key material at the end of the round and/or as a final step in the algorithm, the whitening step, as described above, may be performed on all b+y bits (inner block as well as side whitening). If G does not contain end-of-round whitening and/or whitening as the last step in the algorithm, these whitening steps may be added and applied to all y+b bits. In either case, additional bits of expanded key material are required beyond the amount required by G. Because this is an AES block cipher, this requires including the extra y bits in the AddRoundKey step after each round. [0062] By including all b+y bits in the whitening performed at the end of the round prevents an adversary from learning any of the output bits of the next-to-last round. For example, suppose the additional y bits were not included in the whitening, then the ciphertext, C, for the block would include the y bits that were excluded from the last round. Since no bit is excluded from two consecutive rounds, an adversary would be provided with y bits of output from the next to last round, potentially aiding in cryptanalysis.

[0063] At step 350 and as described in steps 305-307, a swap function is performed, where it alternates which y bits are left out of the round by XORing the y bits left out of the previous round with the y bits from the round's output and swaps the results with the y bits left out of the previous round. For example: (a) Let Y denote the y bits that were left out of the round; (b) Let X denote some subset of y bits from the round's output of b bits. A different set of X bits (in terms of position) is selected in each round. It should be noted that how to best select X is dependent on the specific block cipher. (c) Set Y «- X θ Y (d) Swap X and Y to form the input to the next round.

[0064] The exclusive OR function is performed on X and Y instead of merely swapping X and Y in order to increase the rate of diffusion. If G does not have complete diffusion in one round, then at the end of the first round there is some subset S of bits output from the round that have not been impacted by some of the bits in X. While the bits in Y may impact the subset S in the second round, swapping X and Y would result in the bits in X having no impact in the second round; whereas, swapping X with X θ Y allows the bits in X to impact the second round. The selection of X depends on the round function of the specific block cipher. The bit positions selected for X may vary amongst the rounds to ensure that all bit positions are involved in both the b-bit and y-bit components, as opposed to always selecting the same y positions for use in X. If all input bits to the round are utilized in the same manner, the bit positions chosen for X may be rotated across the rounds. For example, in AES, all bytes are processed by the same functions within the round. In that case, it is sufficient to select X to be consecutive bits starting a position &ι + a₂ * i (mod b) in round i for some constants &ι and a₂. If the input bits are treated differently in the round (for example, in RC6 the input consists of four words of which one pair is operated- on differently than the other pair), then swap the bits such that each bit participates in each pair the same number of times. Another benefit of the exclusive OR is a reduction in the ability to specify a y-bit differential in the input to the second round.

[0065] In some embodiments, if the key-dependent mixing function is not performed, then without the exclusive OR function, a differential in the second round's input of y bits can be obtained with probability 100% regardless of the round function, by choosing the rightmost y bits of the original input appropriately.

[0066] The resulting elastic AES block cipher, G', is a permutation on b+y bits. A copy of G, the original block cipher, is embedded inside a prefix of G', the elastic block cipher, where the round key bits used outside the embedded G are independent of the round key bits used inside the embedded G.

[0067] An example of C programming code that converts the original block cipher, G, that is based on a round function to an elastic block cipher is shown in Appendix A, which is hereby incorporated by reference herein in its entirety.

[0068] Its inverse, the decryption function, consists of the same steps with the round keys applied in the reverse order and the round function replaced by its inverse. It should be noted that it is not possible to perform decryption by simply running the ciphertext through the encryption function of G' with the round keys used in the reverse order. Designing the elastic block cipher in this manner increases the diffusion rate compared to that of, for example, an unbalanced Feistel network. The Security of the Elastic Block Cipher [0069] In general, block ciphers used in practice (and not treated as a pseudorandom permutation or a member of a family of functions) generally cannot be proven secure in a theoretical sense but rather is proven secure against known types of attacks, such as key-recovery attacks. The following is a security analysis of the elastic version to that of the original block cipher, showing that a security weakness in the elastic block ciphers (G') implies a weakness in the original block cipher (G). In particular, the security analysis of G' exploits the relationship between G' and G and the proper expansion assumption on the key schedule. [0070] More particularly, security against key-recovery attacks does not by itself imply security (e.g., the identity function which ignores the key is insecure while key recovery is impossible). However, it should be noted that all concrete attacks against block cipher (e.g., differential, linear, etc.) attempt key recovery, and thus, block ciphers should be secure against such attacks.

1. Round Key Recovery Attack

[0071] As described above and shown in FIG. 4, it should be noted that an instance of G, the original block cipher, is embedded in G', the elastic block cipher, thereby creating a reduction from G' to G. As a result of this reduction, an attack against G' that allows an attacker to determine some of the round keys implies an attack against G itself which is a polynomially related (with a given polynomial) in resources to the attack on G' . Assuming that G itself is resistant to such attacks, G' also does not reveal round-key bits to the attacker. The reduction requires a set of (plaintext,ciphertext) pairs. This is not considered a limiting factor because in most types of attacks, whether they are known plaintext, chosen plaintext, adaptive plaintext, chosen ciphertext, etc., the attacker usually acquires a set of such pairs. It is also assumed that G, the original block cipher, has end-of-round whitening and that they key scheduling and expansion method is input-dependent. These assumptions generally apply to many block ciphers, or versions of cipher that contain whitening and expand the key. [0072] Referring to FIG. 4, the operations performed in G' in its prefix until the leftmost b bit positions go through as many rounds as in G may be shown to be an application of G. This relationship between G and G' may be used to convert an attack which finds the round keys for G' to an attack which finds the round keys for G. For example, if G_rk denotes G using round keys, rk, and if G_k'(p || x) = c || z, a set of round keys, rk, for G such that G_rk(p) = c may be formed from the round keys and the round outputs in G' by collapsing the end-of-round whitening and swapping steps in G' into a whitening step. The leftmost b bits of the round key for the initial whitening are unchanged, and the rightmost y bits are dropped. While the resulting round keys provide good whitening to the rounds of the copy of G (due to the proper expansion property), the round keys may vary in rounds 1 to r per (plaintext, ciphertext) pair due to the previous round's output impacting the end-of-round whitening step. However, as shown below, it may be possible to use they keys to solve for the round keys of G. [0073] Theorem I: Jf there exists an attack on G' that allows the round keys to be determined for the first r rounds, then there exists a polynomially related attack on G with r rounds, assuming: G contains end-of-round whitening; there are no message-related round keys (if there are expanded key bits utilized in G aside from the initial and end-of-round whitening steps, these expanded key bits depend only from the key and do not vary across inputs); and the expanded key bits are done via proper expansion. [0074] The condition that G contains end-of-round whitening may be removed if the attack on G' involves solving for the round-key bits directly and allows the bits to be used in the whitening steps to be set to 0 for bit positions not swapped and to 0 or 1, as necessary, for bit positions swapped, to ensure the whitening on the leftmost b bits is equivalent to XORing with 0, which is the same as having no whitening in G. If the attack on G' finds all possible keys or sets of round keys, the attack must find the key or keys and set or sets of round keys corresponding to the round keys that are equivalent to XORing with 0.

[0075] It should be noted that for any set of (plaintext, ciphertext) pairs for G, where the round keys used in G' for the round function and the leftmost b bits of each whitening steps are the same as those used in G, the plaintexts used in G are the leftmost b bits of the plaintexts used in G' and the ciphertexts for G are the same as the leftmost b bits of output of the r^th round of G' prior to the swapping step.

[0076] Claim I: Let {(pi, ci)} denote a set of n (plaintext, ciphertext) pairs and let |w| = |vi| = y. If G_k (pi) = ci, then there exists n sets of round keys for the first r rounds of G' that are consistent with inputs pi || w producing ci || vi as the output of the r^th round prior to the swap at the end of the r round, for i= 1 to n, such that the leftmost b bits used for whitening in each round are identical across the n sets and any bits used internal to the round function are identical across the n sets. Further, let rk = {rkj for j = 0 to r} be the set of round keys corresponding to key k for G. rko denotes the key bits used for initial whitening. For (pi, ci), form a set of the first r round keys for G' as follows: Pick a constant string, w, of y bits, such as a string of 0's. Let pi || w be the input to G' . Let rki' = {rki'j for j = 0 to r} denote the round keys for G' through the r* round for the pair (pi, ci). Set any bits in rki'j used internal to the round function to be the same as the corresponding bits in rk_j. Set the rightmost y bits used for whitening in rki'j to be the same as the y bits left out of the round function in round j of G'. This is illustrated in FIG. 5. It should be noted that the leftmost b bits used for whitening in each round are identical across the n sets and any bits used internal to the round function are identical across the n sets. In particular, they correspond to rk in each case, and the rightmost y bits used in each whitening step differ based on (pi, ci) across the n sets. [0077] The operations of G' on the leftmost bits through round r, prior to the last swap, are identical to the operations in G (pi) because the swap step in G' results in XORing y bits of a round function's output with y 0's. Therefore, the leftmost b bits output from the I^th round prior to the swap in the r^th round is ci. For i=l to n, there exists a set of round keys rki' for G'_rkr such that G'(pi) produces ci as the leftmost b bits in the r* round prior to the swap step. [0078] The following attacks are described in terms of solving for the round keys from round 0 to r, but may also be performed by working from round r back to the initial whitening. [0079] Attack 1: The first method's efficiency is dependent on y, |k|, and r. This first method produces an attack on G that runs in time polynomial in the attack on G' and r. It may be more efficient than an exhaustive key search when y < |k|/(r-2). The attack may be performed as follows: Assume there exists a known (plaintext, ciphertext) pair attack on G' which produces the round keys either by finding the original key and then expanding it, or by finding the round keys directly. Using round keys for G one round at a time. For each round, extract the largest set of (plaintext, ciphertext) pairs used in the attack on G' that have the same converted round key. Each round may reduce the size of the set of pairs by 2^y. The end result is a set of round keys for G that are consistent with a set of n/2^y(r"2) b bit (plaintext, ciphertext) pairs for G. [0080] To convert a set of (plaintext, ciphertext) pairs for G into a set of (plaintext, ciphertext) pairs for G\ let {(P,C)} = {(pi || xi, ci || zi)} (for i = 1 to n) denote a set of n known b+y bit (plaintext, ciphertext) pairs for G', where |pi| = |ci| = b and |xi| = |zi| = y. Assume the existence of an algorithm A_G> that finds all possible keys, {k_j}, corresponding to {(P,C)} in time less than an exhaustive search for the key. Let m denote the number of keys found. Without loss of generality, it is assumed the keys are available in expanded form. The key bits for the initial whitening may be referred to as "round key 0." [0081] Let S = {ek_j } for j = 1 to m be the set of expanded keys used for whitening for which ekj is from the expansion of key kj and G'_kj (pi || xi) = ci || zi for i = 1 to n. [0082] Let Ri_nt denote any key material utilized within the round function. The values found for such key bits are the same for the solutions derived by the attack for G' and G. [0083] Let { (P,U) } = { (ρi||xi,ui||vi) } such that ui||vi is the output of the r^ft round of G' , where juib and |vi|=y. [0084] Let S' = {ek'j | ek'_j = bits of ek_j e S corresponding to rounds 0 to r used for whitening} be the set of expanded key bits used for whitening in rounds 0 to r of G' . [0085] For each ek_j e S' and each (pi || xi, ui || vi) e {(P,U)}, convert the round keys to round keys for G. Let ek'y be the converted key corresponding to the i th element of {(P,U)} and the j^th element of S'. The part of ek'y corresponding to round 0 is identical across all elements. When the round keys are converted, at most y bits change in the leftmost b bits. Thus, the resulting round keys for round q, 0 < q < r may be divided for each of the y impacted bits into those that have a 0 in the affected bit and those that have a 1 in the affected bit. For q=l to r, define Smdw ^{as me} maximum-sized set of ek'ys from S_{m q}-ι that have identical round keys for round q, where S'_mdo = S\ Let {(P,U)md_q} be the corresponding elements of {(P,U)}. When forming { { P,U)_ma _q } , at least 2^~y | { (P,U)_{md q-1} } | of the elements from { (P,U)_md _q.ι } are included. [0086] FIG. 6 shows a simplified illustration of how S'_{m q} and {(P,U)_{m q}-ι} are created. In FIG. 6, b = 4, y = 2, and the leftmost 2 bits are swapped with the y bits in the swapping step. The round number is q and {(P,U)_md_q-ι} contains three (plaintext, ciphertext) pairs. Suppose the outputs of the round function in the q^ft of G' are 100101, 110011, and 111111 and the whitening bits in the q^th round are 011010. The converted round keys corresponding to the three cases are 0110, 1110, and 1110. Since 1110 occurs in the majority of the cases, set the q^Λ round key of G to 1110. S'_{md q} contains the round keys for rounds 0 to q-1 from S'_{m q}-ι and 0010, and {(P,U)_mdq} contains the second and third (plaintext, ciphertext) pairs from {(P.U^_dq-i}. [0087] Let {(P,C)_G} = {(pi,ci)|(pi || yi, ui || vi) e {(P,U)_{md r}} }. |{(P,C)_σ}| > n/2^yr. {(P,C)_G} is a set of (plaintext, ciphertext) pairs for which G_rk(pi) = ci V (pi, ci) e {(P,C)_G} with the whitening round keys of rk e S'_{md q} and any additional key material utilized by the rounds is the same as that for G', namely Ri_nt- It should be noted that in order to produce the largest set of (plaintext, ciphertext) pairs with a common key, every possible S'_md_q may be formed for each round, and the iteration for the q + 1^st round applied to each, thereby creating a tree of dept r with at most 2^y children of each node. [0088] Let t_r denote the time to run r rounds of G' , and tA denote the time to run AQ- . In the case of obtaining at least one set {(P,U)_{md r}} of size > n^⁵*, the time required beyond t_A consist of: nmt_r time to obtain the outputs of the first r rounds for each { (P,U) } , O(nmr) time to perform the conversion of the round keys from G' to round keys for G and O(nmr) time to form the S'_{m r} sets. Thus, the additional time required to attack G (beyond the time required to attack G'_b+y) is nmt_r + O(nmr). The only unknown value is m, the number of keys produced by the attack on G'_b+1. If m is large enough, to the extent that it approaches the average number of keys to test in a brute force attack on G', then this contradicts the assumption that an efficient attack exists on G' because the attacker is left with a large set of potential keys for decrypting additional ciphertexts. [0089] To perform an attack on G when given a set of (plaintext, ciphertext) pairs for G, convert the pairs into a set of (plaintext, ciphertext) pairs for G' and find the round keys for G' then for G as follows: Let rk_r+ι, where 1 < 1 < r'-r, denote a set of randomly chosen round keys for rounds r+1 to the last round of G' that will be held constant, and let RF_end denote the last r'-r rounds of G' using these round keys. Given a set {(P*,C*)} = {(pi*, ci*)} for i=l to n known (plaintext, ciphertext) pairs for G, create the set {(P,C)} of (plaintext, ciphertext) pairs to use in the attack on G' by setting pi || xi = pi* || 0 and ci || zi = RF_end (ci* || 0) for i=l to n. This choice of ci || zi corresponds to an output of ci* || 0 in the r^th round of G' . For the set of (P,C) pairs are created, {(P,U)} = {(pi* || 0, ci* || 0)}. Apply the attack on G' to solve for the round keys of G' then produce the sets { (P,U)_{md r}} and S_md r- The sets of round keys in S_{md r} are consistent with the (plaintext, ciphertext) pairs in {(P,U)_mdr}-

[0090] The number of (plaintext, ciphertext) pairs required (i.e., the number of encryptions required) also differs to that of an exhaustive key search. Recall that the size of resulting set of (plaintext, ciphertext) pairs which are consistent with the round keys is > n/2^yr. When y > |k|/r the number of plaintexts encrypted, n, must be greater than 2' ' to guarantee at least one (plaintext, ciphertext) pair is in {(P,C)_GL which is more encryptions than required by an exhaustive key search. Without«changing either r or the length of k, this bound on y may be slightly increased to y > |k|/(r-2) by using b+y bit plaintexts that are the same in the rightmost y bits, and by defining the ui values representing the ciphertext output of G in the r* round prior to the swapping step. This results in |S'_md ι| = n and |S'mdr| = |S'π.dr-ι|, thus in the first andr^ώ rounds the set of (plaintext, ciphertext) pairs is not reduced. The number of (plaintext, ciphertext) produced for G that are consistent with the round keys for G is greater than or equal to n/(2^y(r"2)). It should be noted that increasing the number of rounds in G increases the number of (plaintext, ciphertext) pairs required to guarantee {(P,C)G} is non-empty and will prevent the attack from being more efficient than an exhaustive key search. The efficiency of the attack being based on the number of rounds is useful when setting G=GV_y in which case the rounds of G'b₊y may be adjusted, thereby creating a G' for the new G.

[0091] A direct attack on G'_b+y is generally an attack that finds the key or round keys for G'b₊y without attacking G'b₊y*, for y' > y and converting the round keys from G'b_+y> to the round keys for G'b_+y. Alternatively, an indirect attack on G y is generally an attack that finds the round keys for G'b_+y> for some y' > y, and uses them to find the round keys for G'b_+y, and y' - y < |k|/(r*-2), where r* is the number of rounds in G'_b+y. The foregoing analysis implies that if a direct attack exists on G'b_+y for y < |k|/(r-2), then an attack requiring less time than an exhaustive key search exists on G.. However, it does not imply that G'_b+y is secure for all y < |k|/(r-2) because there may be a direct attack on G'b₊y- for some y' such that y'-y < |k|/(r*-2), thereby implying an indirect attack on G'b₊ . In the worst case scenario, y'=y+l and r* must be increased to |k|+2 for the attack to be more inefficient than an exhaustive key search. If the length of k may be changed (as part of the design of G'), setting |k| to 2b(r-2) results in the bound being y < 2b, thereby allowing all y e [0,b-l].

[0092] Attack 2: In another method of attacking the block cipher, an attack may run in quadratic time in the n umber of rounds of G and avoids the decrease in the number of (plaintext, ciphertext) pairs that occurs in the first approach for attack. The attack on G' is used to solve for round keys 0 and 1 for G, then repeatedly solves for one round key of G at a time, using the output of one round of G as partial input to a reduced round version of G', running the attack on G' and converting the 1^st round key of G' to the round key for the next round of G. This is assuming that if an attack on G' with r rounds exists, then a reduced round attack on G' exists for any number of rounds < r'. [0093] Given a set { (P*,C*) } = { (pi*, ci*) } of n (plaintext, ciphertext) pairs for G, create a set {(P,C)} = {(pi* || 0, ci ]| vi)} of n (plaintext, ciphertext) pairs for an r round version of G\ It should be noted that the y bits appended to each pi* when forming {(P,C)} is assumed to be constant, such as 0. The vi values appended to the ci's are arbitrary and may not be identical. Solve G' for round keys 0 and 1. By the pseudo-randomness of the round keys, sets of round keys exist that correspond to {(P,C)} and which are identical in all but the last round. Denote the first two rounds as rk'o and rk' i and use the leftmost b bits of rk'o as round key 0, rko, for G. Since the rightmost y bits are identical across all inputs to G', when rk'i is converted to a round key for G, the result is the same across all n elements of {(P,C)}. Use the converted round key as round key 1, rki, for G. For each pi*, apply the initial whitening and first round of G using the two converted round keys. Let pli denote the output of the first round of G for i =1 to n. Using a reduced round version of G' with r-1 rounds and the initial whitening period removed, set {(P,C)} = {(pli || 0, ci || vi)} and solve for the first round key of G' . As described above, convert the resulting round keys to a round key for G. Again, the converted round keys for G will be identical across all n values. Use the converted round key as the second round key for G. Repeat the process for the remaining rounds of G, each time using the outputs of the last round of G for which the round key has been determined as the inputs to G' and reducing the number of rounds in G' by 1, to sequentially find the round keys for G. This attack requires work equivalent of applying n rounds of G when deriving the outputs of the n inputs to each round of G, n(r+l)r/2 rounds of G' in the worse case if A'_G' requires knowing the output of each round of G' to find the first round key and r applications of A'c on n(r+l)r/2 rounds of G' when solving for the round keys of G.

[0094] In summary, the attack on G described in this second approach may be written as: Input {(P*,C*)} = {(pi*, ci*) for i = 1 to n} Create {(P,C)} = {(pi* || 0, ci* || vi) for i = 1 to n} for a r round version of G', where the vi's are arbitrary. Using Ac solve a r reduced round version of G' for rk'o and rk' i. Convert rk'o to rk₀ and rk' i to rki. Set pli = first round output of G using rko and rki, for i = 1 to n. Forj = 1 to r - 1 { {(P,C)} = {(pli || 0, ci* || vi) for i = 1 to n}. Solve a r-j reduced round version of G' for the first round key, ϊk'i. Convert rk'i to form rkj₊i. p(j+l)i = output of round j+1 on G on pji using rk_j+i for i = 1 to n. } [0095] In accordance with the present invention, computer-implemented methods and systems for converting an original block cipher that is based on a round function into an elastic block cipher are provided. In the elastic block cipher, the support block size of the original block cipher is stretched to support a block size up to twice the original length while increasing computational load proportionally to block size. The elastic block cipher does not increase the size of the cleartext since no padding techniques are needed. Such an elastic block cipher may be used in, for example, database and network traffic encryption. [0096] In one embodiment, the present invention may be applied to an AES cipher. For example, the present invention may be applied to AES to create an elastic version of the AES block cipher that accepts block sizes of 128 to 255 bits.

Performance of the Elastic AES

[0097] As shown in Appendix A, the elastic version of AES in the C programming language is provided. To compare the performance of the elastic AES to that of the original AES, AES will range from 10 when y = 0 to 20 when y > 116. The modifications to the encryption and decryption process consists of an additional y bits in the initial whitening and per-round whitening, key dependent mixing steps, and the XORing and swapping of y bits between each round. The elastic AES increases the number of operations beyond the 128 bit version of AES due to the swapping step and the two key dependent rotations. However, by avoiding the need to pad the data to two full blocks, the elastic AES saves processing time in those cases where padding would normally be required for most or all data blocks.

[0098] Both the elastic AES and the original 128 bit version of AES were run on several processors in Linux and Windows environments to compare their performance. In the tests, the data to be encrypted was viewed as individual b+y bit blocks. The elastic AES encrypted each block individually with no padding. To encrypt the data with the original AES block cipher, the b+y bits were padded to 2b bits and encrypted as two b bit blocks. When measuring encryption performance (in terms of blocks per second), AES's performance for a single block was based on the time to encrypt 32 bytes, to represent the padding required when using AES for b+y bit blocks. The time to encrypt one million 128+y bit blocks (for all values of y from 0 to 127) was measured using the elastic AES, while the time to encrypt two million 128 bit blocks was measured using the original AES. It should be noted that when measuring the time for the original version of AES, the time to pad the b+y bits to 2b bits is excluded. The performance ratios of the two algorithms were similar for each platform tested. As shown below, Table 1 shows the results from a C implementation compiled with Nisual C++ 6.0 on a 1.3 GHz Pentium 4 processor running Windows XP. In particular, Table 1 shows how the elastic version compares to the original version for 8 bit intervals of b+y.

TWile 1. normalizes- Number βf Blocks Encrypted toy Elastic AES in Unit Time (Regular AES = 108}

The number of b+y bit blocks the elastic version encrypts per second ranges from 190% of the number of 2b blocks that AES encrypts per second when y = 1 to 100% when y=97. Accordingly, the elastic AES algorithm may double performance for application that require significant data padding.

Elastic Block Cipher from Feistel Ciphers and MISTY1

[0099] In some embodiments, an elastic block cipher may be generated from block ciphers having a round function that processes subsets of bits from the data block differently, such as in a Feistel network or MISTY 1. In the elastic block cipher described above, bits beyond the normal block size are left out of the round function then XORed and swapped with bits output from the round function in order to become part of the input to the next round. The bits output from the round function involved in the XOR become the set left out in the next round. The number of rounds are increased such that the round function is applied to each bit position the same number of times as in the original block cipher. In general, care must be taken in selecting the bits to be swapped when the round function processes subsets of the bits differently. Initial and end-of- round whitening may also be added. [0100] An example of code in the C programming language that converts the original MISTY Feistel cipher to an elastic block cipher is shown in Appendix B, which is hereby incorporated by reference herein in its entirety. [0101] FIG. 7 shows a simplified illustration of the general structure of MISTY1. MISTY1 is a Feistel cipher with the addition of a function applied to each half of the data at the start of the odd numbered rounds. Thus, the round function differs between even and odd numbered rounds. As shown in FIG. 7, Lj and Ri denote the left and right halves of output, respectively, of the i round after the halves are switched with i=0 denoting the input to round 1. FL(x,FL) and F0(x,K0,KI) are functions taking bit string x and key material KL, K0, KI. FLj and FO_f denote the i^th occurrence of FL and FO, respectively. KL, KI, and K0 denote subkeys from the expanded key material, with a subscript of I denoting the 1^th component. The output of odd numbered rounds is defined by: Ri = FLi (Li-ι, KLi) Li = FLi₊i (Ri-i, KL₊ θ F0i (R_i5 K0_i; KI). The output of the even numbered rounds is defined by: Ri = Li-i Li = Ri-i Φ FOj (Ri, K0i, Kli). [0102] As described previously, the round function of AES is applied to every bit input to the round function. In particular, all of the 128 bit input to the round function have SubBytes, Shiftrows, and MixColumns operations applied. In ciphers where all input bits are equally impacted by the round function in each round, the swap step may be implemented by selecting a consecutive sequence of bits from the round function's output to swap with the y bits left out of the round, with the starting position rotating amongst the byte positions in the leftmost b bits. [0103] However, when input bits to the round function are treated differently, the swap step is also modified. It should be noted that, regardless of where the swap step is added, the bit positions from being involved in multiple swaps while others are involved in no swaps and to maintain some sense of equality amongst bit position. The term half refers to b/2 of the input bits to the round function as opposed to half of the entire b+y bit data block in the elastic version. In a Feistel network, only half of the input bits to the round are fed into the function, with the output being XORed with the bits left out of the function. If the swap step is added after every round, the bits swapped out would have to be swapped back into the same half that they were in when swapped out. If the starting bit position within the b bits for the swap varies and if y > b/2 then some bits end up in the wrong half compared to where they would be in the original cipher. This results in some bits participating in the left half or right half more than required and not participating in the other half the required amount of times. [0104] As shown in FIG. 8, so that each bit participates in the round function and acted upon at least the same number of times as in the regular version of the block cipher, the swap step and whitening step is added after every two rounds. Note that FIG. 8 does not show the initial and final key dependent mixing step. When the swap occurs after every two rounds, each of the leftmost b bits participates in the actions applied to each half once prior to potentially being swapped out. When computing the number of rounds for the elastic version, at most one additional round may be needed when inserting the swap after each pair of rounds compared to when inserting it after every single round. For example, when y=l, one additional round is required if the swap was added after single rounds; whereas, one additional pair of rounds is now needed.

[0105] In accordance with the present invention, a swap function and an end of round whitening function are added to create an elastic version of MISTY1. MISTY 1 does not use the same round function in every round, instead alternating between round functions by including FL only in odd number rounds and F0 in every round. The term original round generally refers to the round function as defined in the regular version of MISTY1. By defining a round to consist of a pair of original rounds, a round is viewed as consisting of the application of FL followed by two applications of F0. In the elastic version of a cipher, every bit position must pass through the round function at least the same number of times as a bit in the regular version of the cipher. Regardless of whether MISTYl's round function is viewed according to its original definition or as otherwise defined, the same number of F0 and FL applications are added. Furthermore, each bit position passes through the FL and F0 functions in the same order as in regular MISTY 1, meaning a bit output from FL applied to the right half of the round function input is XORed with the output of F0 to form the input to the second occurrence of F0. A bit swapped out of one half of the round function's output may be swapped back into the half where it would normally not be in regular MISTYl, thereby resulting in some bits serving as the left half of input to the round function more than the right half or vice versa. [0106] By viewing a round as two original rounds and positioning the swap step after each such round, every bit ends up in the left half and right half of input to the round function at least the same number of times as occurs in regular MISTYl. Therefore, elastic MISTYl is created by adding the swap step and whitening after every two original rounds. FIG. 9 shows a simplified illustration of the round function in the elastic version of MISTYl in accordance with some embodiments of the present invention. It should be noted that MISTYl's round function is not modified, but where a round begins and ends is redefined. The bit positions from a round's output that are involved in the swap step varies across each round to avoid some bit positions from being swapped every round while others are never involved in the swap. [0107] The starting position for the swap between the left and right halves of the round' s output are alternated and, within each halve, the starting position one byte each time is rotated. The bit positions swapped are chosen sequentially from the entire 64 bit round output from the starting position. Since the round function is two original rounds, regardless of where a bit was positioned when swapped out and where it is when it is swapped back in, the bit ends up in the left and right halves of the original round function the same number of times as in regular MISTYl. Furthermore, since the swap XORs the bits being swapped out with those being swapped in, the bits swapped out continue to influence the next round in the same positions they would have influence had they not been swapped out.

[0108] In some embodiments, a key dependent mixing step after the initial whitening and prior to the final whitening may be added when generating an elastic block cipher. These steps may prevent a first round differential from occurring with a probability of 1. For example, let B = leftmost b bits of data, and Y = rightmost y bits. In the elastic version of a block cipher, the exclusion of Y from the first round allows for a first round differential that occurs with probability one by using inputs with ΔB = 0 and ΔY ≠ 0. That is, the first round does not contribute to preventing a differential attack. The existence of such a differential is due entirely to the fact that the adversary knows what bits are excluded from the first round. Mixing the input bits such that the adversary no longer knows with a probability of 1 where the non-zero Δ occurs eliminates such a problem. Any key dependent mixing step may take less time than the round function; otherwise another round may be added if needed to further decrease the probability of a differential since all bits influence the output of the second round due to the XOR in the swap step. [0109] a key dependent permutation is performed prior to the first round, the probability of a single byte Δ in B || Y ending up in any specific byte position is l/((b+y)/8) or 8/(b+y) and the probability of it being in Y is proportional to y/(b+y). Therefore, a key dependent permutation assists most in preventing a ΔB=0 input to the first round when y is small. If y=b-l, the probability of the single byte Δ remaining in ΔY and not be in ΔB after the permutation is approximately Vz. [0110] In addition, to ensure a zero differential in B occurs with probability strictly less than Vz in the input to the first round, y bits in B are replaced with their XOR in Y. For example, consider the case where there is a single byte with a non-zero Δ in the input. After the permutation, if the byte with the non-zero Δ was in B, it will still be in B after the XOR. If it was in Y, it will remain in Y and result in ΔB≠O. While there still exists the potential for ΔB=0 in the input to round 1 (e.g., if the original data contains some single byte Δz that occurs twice), the probability a Δz is in any byte in B equals 2b/(b+y) and the probability of other Δz ends up in a specific byte in Y equals 8/(b+y). Thus, the probability ΔB=0 after the mixing is less than or equal to 16b/(b+y)². Any inputs that differ in more than two bytes have a lower chance of creating a zeroΔ in the leftmost bits input to the first round function.

[0111] In summary, the permutation combined with the XOR eliminates the ability of an attacker to set the differential in round 1 with probability 1. The key dependent permutation and XOR may collectively be used as the key dependent mixing step. When the mixing step is present, a single byte non-zero differential in the original input result in a non-zero Δ in the input to the first round function with probability 1. Any non-zero differential involving more than one byte in the original input produces a zero Δ in the input to the first round function with probability ≤ 16b/(b+y)². For the same reason a key dependent mixing step is needed prior to the first round, a key dependent mixing step may be added after the last round prior to the final whitening step. This generally prevents a differential which occurs with probability of 1 in the last round of encryption (first round of decryption), which is useful for a differential attack which starts with the ciphertexts and works towards the plaintexts. These key dependent mixing steps may be used when there is a need to decrease the probability an attacker knows the exact positions used in the first rounds of encryption and decryption. [0112] Alternatively, adding rounds may also lower the differential probability and may be an alternative if the round function may be performed faster than a key dependent permutation and XOR function. Performance of Elastic MISTYl [0113] The elastic version, with and without the key dependent permutations, and the regular version of MISTYl was implemented in the C programming language. An example of the elastic version of MISTYl in the C programming language is shown in Appendix B. The elastic version accommodates block sizes of 64 to 127 bits. RC4 with the first 512 bytes discarded was used for the key schedule instead of modifying MISTYl's key schedule to provide the additional expanded key bits required by the elastic version. This implementation determines the impact on the encryption and decryption rates due to the addition of whitening, key dependent permutations and swap steps performed by the elastic version of MISTYl. It should be noted that the key schedule may be replaced with another stream cipher, a modification of MISTYl's key schedule, a combination of MISTYl's key schedule to provide key material for the round function and a stream cipher to provide key material for whitening, or any other suitable key schedule. In accordance with the present invention, the swap step was added after every two rounds. Both the elastic and regular versions of MISTYl were tested in Redhat Linux 9 and Windows XP environments with Intel Centrino, Pentium 3 and Pentium 4 processors varying from lGhz to 2Ghz to compare their encryption and decryption rates. The results in terms of how large the block size can be in the elastic version while remaining more efficient than padding a second block and encrypting two blocks in MISTYl are consistent across the environments. The elastic versions increased the number of operations beyond the 64 bit version of MISTYl due to the whitening and the swapping steps, and the key dependent permutations in one version.

[0114] The data to be encrypted was viewed as individual b+y bit blocks. The elastic version of MISTYl encrypted each block individually with no padding. To encrypt the data with regular MISTYl, the b+y bits were padded to 2b bits and encrypted as two bit blocks. Table 2 show the results from a C implementation compiled with Nisual C++ 6.0 on a 1.8Ghz Pentium 4 processor running Windows XP. When measuring the encryption rate in terms of blocks per second, MISTYl's rate for a single block was based on the time to encrypt 16 bytes to represent the padding required when using MISTYl for b+y bit blocks. The rates are determined by the time to encrypt one million 64+y bit blocks using the elastic version and two million 64 bit blocks using the original version of MISTYl. The times for the original version of MISTYl exclude the time to pad the b+y bits to 2b bits. Table 3 shows how elastic versions with and without key dependent permutations compare to the original version of MISTYl for 8 bit intervals of b+y. Without the key dependent permutations, the elastic version's rate for encrypting b+y bit blocks ranges from 121% of MISTYl's rate when y = 1 to 55% of MISTYl's rate when y=63. By adding the two key dependent permutations, the elastic version of MISTYl's rate decreased slightly compared to the version without the permutations, ranging from 110% of the original MISTYl's rate when y=l to 51% of MISTY's rate when y =63. For each value of b+y, the decryption rates in terms of MB/sec are substantially identical to the encryption rates and thus the ratios between the encryption rates of the elastic and original versions of MISTYl also represent their decryption ratios.

Table 2 shows a comparison of the elastic versions of MISTYl with and without the key dependent permutation to the original version of MISTY

[0115] In accordance with the present invention, an elastic block cipher that is converted from a block cipher based on a Feistel network is provided.

[0116] It will also be understood that the detailed description herein may be presented in terms of program procedures executed on a computer or network of computers. These procedural descriptions and representations are the means used by those skilled in the art to most effectively convey the substance of their work to others skilled in the art. [0117] A procedure is here, and generally, conceived to be a self-consistent sequence of steps leading to a desired result. These steps are those requiring physical manipulations of physical quantities. Usually, though not necessarily, these quantities take the form of electrical or magnetic signals capable of being stored, transferred, combined, compared and otherwise manipulated. It proves convenient at times, principally for reasons of common usage, to refer to these signals as bits, values, elements, symbols, characters, terms, numbers, or the like. It should be noted, however, that all of these and similar terms are to be associated with the appropriate physical quantities and are merely convenient labels applied to these quantities. [0118] Further, the manipulations performed are often referred to in terms, such as adding or comparing, which are commonly associated with mental operations performed by a human operator. No such capability of a human operator is necessary, or desirable in most cases, in any of the operations described herein which form part of the present invention; the operations are machine operations. Useful machines for performing the operation of the present invention include general purpose digital computers or similar devices. [0119] The present invention also relates to apparatus for performing these operations. This apparatus may be specially constructed for the required purpose or it may comprise a general purpose computer as selectively activated or reconfigured by a computer program stored in the computer. The procedures presented herein are not inherently related to a particular computer or other apparatus. Various general purpose machines may be used with programs written in accordance with the teachings herein, or it may prove more convenient to construct more specialized apparatus to perform the required method steps. The required structure for a variety of these machines will appear from the description given.

[0120] The system according to the invention may include a general purpose computer, or a specially programmed special purpose computer. The user may interact with the system via e.g., a personal computer or over PDA, e.g., the Internet an Intranet, etc. Either of these may be implemented as a distributed computer system rather than a single computer. Similarly, the communications link may be a dedicated link, a modem over a POTS line, the Internet and/or any other method of communicating between computers and/or users. Moreover, the processing could be controlled by a software program on one or more computer systems or processors, or could even be partially or wholly implemented in hardware. [0121] Although a single computer may be used, the system according to one or more embodiments of the invention is optionally suitably equipped with a multitude or combination of processors or storage devices. For example, the computer may be replaced by, or combined with, any suitable processing system operative in accordance with the concepts of embodiments of the present invention, including sophisticated calculators, hand held, laptop/notebook, mini, mainframe and super computers, as well as processing system network combinations of the same. Further, portions of the system may be provided in any appropriate electronic format, including, for example, provided over a communication line as electronic signals, provided on CD and/or DND, provided on optical disk memory, etc. [0122] Any presently available or future developed computer software language and/or hardware components can be employed in such embodiments of the present invention. For example, at least some of the functionality mentioned above could be implemented using Nisual Basic, C, C++ or any assembly language appropriate in view of the processor being used. It could also be written in an object oriented and/or interpretive environment such as Java and transported to multiple destinations to various users.

[0123] It is to be understood that the invention is not limited in its application to the details of construction and to the arrangements of the components set forth in the following description or illustrated in the drawings. The invention is capable of other embodiments and of being practiced and carried out in various ways. Also, it is to be understood that the phraseology and terminology employed herein are for the purpose of description and should not be regarded as limiting.

[0124] As such, those skilled in the art will appreciate that the conception, upon which this disclosure is based, may readily be utilized as a basis for the designing of other structures, methods and systems for carrying out the several purposes of the present invention. It is important, therefore, that the claims be regarded as including such equivalent constructions insofar as they do not depart from the spirit and scope of the present invention. [0125] Although the present invention has been described and illustrated in the foregoing exemplary embodiments, it is understood that the present disclosure has been made only by way of example, and that numerous changes in the details of implementation of the invention may be made without departing from the spirit and scope of the invention, which is limited only by the claims which follow. [0126] The following references are incorporated by reference herein in their entireties: FTPS 46-2, Data Encryption Standard (DES), 1993. FJPS 197, Advanced Encryption Standard (AES), 2001. J. An and M. Bellare, Constructing VlL-MACs from FIL-MACs: Message Authentication Under Weakened Assumptions, Proceedings of Advances in Cryptology - Crypto '99, LΝCS 1666, Springer-Nerlag, 1999. M. Bellare, R. Canetti, and H. Krawczyk, Pseudorandom Functions Re-Nisited: The Cascade Construction and its Concrete Security. In Proceedings of Foundations of Computer Science, IEEE, 1996. M. Bellare and P. Rogaway, On the Construction of Variable Length-Input Ciphers. Proceedings of Fast Software Encryption (FSE), LΝCS 1636, Springer-Nerlag, 1999. D. Bernstein, How to Stretch Random Functions: The Security of Protected Counter Sums, Journal of Cryptology, Nol. 12(3), Springer-Nerlag, pp. 185-192, 1999. E. Biham, New Types of Cryptanalytic Attacks Using Related Keys, Proceedings of Advances in Cryptology - Eurocrypt '93, LNCS 0765, Springer-Nerlag, 1993. E. Biham and A. Shamir, Differential Cryptanalysis of the Data Encryption Standard. Springer-Nerlag, New York, 1993. J. Black and P. Rogaway, CBC MACs for Arbitrary-Length: The Three-Key Constructions, Proceedings of Advances in Cryptology - Crypto 2000, LNCS 1880, Springer- Nerlag, 2000. K. Claffy, G. Miller, and K. Thompson, The nature of the beast: Recent traffic measurements from an Internet backbone, Proceedings of the ISOC IΝET Conference, July 1998. J. Daemon and N. Rijmen, The Design of Rijndael: AES the Advanced Encryption Standard, Springer-Nerlag, Berlin, 2002. S. Halevi and P. Rogaway, A Tweakable Enciphering Mode, Proceedings of Advances in Cryptology - Crypto 2003, LΝCS 2729, Springer-Nerlag, 2003. S. Halevi and P. Rogaway, A parallelizable enciphering mode, Cryptology ePrint Archive, Report 2003/147, 2003. A. Joux, G. Martinet, and F. Valette, Blockwise-Adaptive Attackers: Revisiting the (In)Security of Some Provably Secure Encryption Models, Proceedings of Advances in Cryptology - Crypto 2002, LNCS 2442, Springer-Verlag, 2002. S. Kent and R. Atkinson, IP Encapsulating Security Payload (ESP), RFC 2406, Nov. 1998. S. Kent and R. Atkinson, Security Architecture for the Internet Protocol, Request for Comments (Proposed Standard) 2401, Internet Engineering Task Force, Nov. 1998. Matsui, Linear Cryptanalysis Method for DES Cipher, Proceedings of Advances in Cryptology - Eurocrypt '93, LNCS 0765, Springer-Verlag, 1993. M. Matsui, Specification of MISTYl - a 64-bit Block Cipher, September 18, 2000. I. Mironov. (Not So) Random Shuffles of RC4, Proceedings of Advances in Cryptology - Crypto 2002, LNCS 2442, Springer-Verlag, 2002. Rivest, Robshaw, Sidney, and Yin, RC6 Block Cipher, http://www.rsa.security.com/ rsalabs/rc6, 1998. Schneier and Kelsey, Unbalanced Feistel Networks and Block Cipher Design, Proceedings of Fast Software Encryption (FSE), LNCS 1039, Springer-Verlag, 1996. B. Schneier, Applied Cryptography, John Wiley and Sons, New York, 1996. R. Schroeppel, Hasty Pudding Cipher, http://www.cs.arizona.edu/rcs/hpc, 1998. NESSIE Security Report, Version 2, https://www.cosic.esat.kuleuven.ac.be/ nessie, February 2003. M. Matsui, New Structure of Block Ciphers with Provable Security Against Differential and Linear Cryptanalysis, Workshop on Fast Software Encryption - FSE '96, Lecture Notes in Computer Science 1039, Springer-Verlag, pages 205-218, 1996. M. Matsui, New Block Encryption Algorithm MISTY, Workshop on Fast Software Encryption - FSE '97, Lecture Notes in Computer Science 1267, Springer-Verlag, pp. 54-68, 1997.

APPENDIX A

eaes_0701.c /* Elastic Version of AES opyright 2003 Debra cook Department of computer science, Columbia university Compiles in Visual C++ 6.0 or later and linux. 256 bit test block of data is hardcoded in main Encrypts and decrypts b+y bits where b = 128 and 0 <= y < 128 main set to encrypt and decrypt every block size from 128 to 256 bits The variables for timing the encryption/decryption rates were left in, but comment. out or set to have no impact. If timing encryption, decryption rates: Visual C++: unco ment time variables with "_" and #include<time.h> linux: uncomment variables with no "_" and comment out #include<time.h> change cnt variable in prp function from 1 to the # of times to encrypt/decrypt the block Uses standard representation of AES: subβytes shift ows Mixcolumns Cas opposed to the version of table lookups and XORs) NOTE: When the block size is not an integral number of bits, the remaining bits are

#define BYTE unsigned char

#define MAX_KS 676 /* # of expanded key bytes: max 32 bytes per round, 20 rounds + initial whitening + 4 bytes for key dependent permutations */

#define MAX_B OCK 32 // maximum block size in bytes /* tables for aes Logtable and Alogtable are used to perform multiplication. */ BYTE Logtable[256] = { 0, 0, 25, 1, 50, 2, 26, 198, 75, 199, 27, 104, 51, 238, 223, 3,

100, 4, 224, 14, 52, 141, 129, 239, 76, 113, 8, 200, 248, 105, 28, 193,

125, 194, 29, 181, 249, 185, 39, 106, 77, 228, 166, 114, 154, 201, 9, 120,

101, 47, 138, 5, 33, 15, 225, 36, 18, 240, 130, 69, 53, 147, 218, 142,

150, 143, 219, 189, 54, 208, 206, 148, 19, 92, 210, 241, 64, 70, 131, 56,

102, 221, 253, 48, 191, 6, 139, 98, 179, 37, 226, 152, 34, 136, 145, 16,

126, 110, 72, 195, 163, 182, 30, 66, 58, 107, 40, 84, 250, 133, 61, 186, 43, 121, 10, 21, 155, 159, 94, 202, 78, 212, 172, 229, 243, 115, 167, 87, 175, 88, 168, 80, 244, 234, 214, 116, 79, 174, 233, 213, 231, 230, 173, 232, 44, 215, 117, 122, 235, 22, 11, 245, 89, 203, 95, 176, 156, 169, 81, 160,

127, 12, 246, 111, 23, 196, 73, 236, 216, 67, 31, 45, 164, 118, 123, 183, 204, 187, 62, 90, 251, 96, 177, 134, 59, 82, 161, 108, 170, 85, 41, 157,

151, 178, 135, 144, 97, 190, 220, 252, 188, 149, 207, 205, 55, 63, 91, 209, 83, 57, 132, 60, 65, 162, 109, 71, 20, 42, 158, 93, 86, 242, 211, 171, 68, 17, 146, 217, 35, 32, 46, 137, 180, 124, 184, 38, 119, 153, 227, 165,

103, 74, 237, 222, 197, 49, 254, 24, 13, 99, 140, 128, 192, 247, 112, 7,

}; eaes_0701.c BYTE Alogtable[256] = { 1, 3, 5, 15, 17, 51, 85, 255, 26, 46, 114, 150, 161, 248, 19, 53, 95, 225, 56, 72, 216, 115, 149, 164, 247, 2, 6, 10, 30, 34, 102, 170, 229, 52, 92, 228, 55, 89, 235, 38, 106, 190, 217, 112, 144, 171, 230, 49, 83, 245, 4, 12, 20, 60, 68, 204, 79, 209, 104, 184, 211, 110, 178, 205, 76, 212, 103, 169, 224, 59, 77, 215, 98, 166, 241, 8, 24, 40, 120, 136, 131, 158, 185, 208, 107, 189, 220, 127, 129, 152, 179, 206, 73, 219, 118, 154, 181, 196, 87, 249, 16, 48, 80, 240, 11, 29, 39, 105, 187, 214, 97, 163, 254, 25, 43, 125, 135, 146, 173, 236, 47, 113, 147, 174, 233, 32, 96, 160, 251, 22, 58, 78, 210, 109, 183, 194, 93, 231, 50, 86, 250, 21, 63, 65, 195, 94, 226, 61, 71, 201, 64, 192, 91, 237, 44, 116, 156, 191, 218, 117, 159, 186, 213, 100, 172, 239, 42, 126, 130, 157, 188, 223, 122, 142, 137, 128, 155, 182, 193, 88, 232, 35, 101, 175, 234, 37, 111, 177, 200, 67, 197, 84, 252, 31, 33, 99, 165, 244, 7, 9, 27, 45, 119, 153, 176, 203, 70, 202, 69, 207, 74, 222, 121, 139, 134, 145, 168, 227, 62, 66, 198, 81, 243, 14, 18, 54, 90, 238, 41, 123, 141, 140, 143, 138, 133, 148, 167, 242, 13, 23, 57, 75, 221, 124, 132, 151, 162, 253, 28, 36, 108, 180, 199, 82, 246, 1, }; /* SBox */ BYTE S[256] = { 99, 124, 119, 123, 242, 107, 111, 197, 48, 1, 103, 43, 254, 215, 171, 118, 202, 130, 201, 125, 250, 89, 71, 240, 173, 212, 162, 175, 156, 164, 114, 192, 183, 253, 147, 38, 54, 63, 247, 204, 52, 165, 229, 241, 113, 216, 49, 21, 4, 199, 35, 195, 24, 150, 5, 154, 7, 18, 128, 226, 235, 39, 178, 117, 9, 131, 44, 26, 27, 110, 90, 160, 82, 59, 214, 179, 41, 227, 47, 132, 83, 209, 0, 237, 32, 252, 177, 91, 106, 203, 190, 57, 74, 76, 88, 207, 208, 239, 170, 251, 67, 77, 51, 133, 69, 249, 2, 127, 80, 60, 159, 168, 81, 163, 64, 143, 146, 157, 56, 245, 188, 182, 218, 33, 16, 255, 243, 210, 205, 12, 19, 236, 95, 151, 68, 23, 196, 167, 126, 61, 100, 93, 25, 115, 96, 129, 79, 220, 34, 42, 144, 136, 70, 238, 184, 20, 222, 94, 11, 219,

224, 50, 58, 10, 73, 6, 36, 92, 194, 211, 172, 98, 145, 149, 228, 121, 231, 200, 55, 109, 141, 213, 78, 169, 108, 86, 244, 234, 101, 122, 174, 8, 186, 120, 37, 46, 28, 166, 180, 198, 232, 221, 116, 31, 75, 189, 139, 138, 112, 62, 181, 102, 72, 3, 246, 14, 97, 53, 87, 185, 134, 193, 29, 158,

225, 248, 152, 17, 105, 217, 142, 148, 155, 30, 135, 233, 206, 85, 40, 223, 140, 161, 137, 13, 191, 230, 66, 104, 65, 153, 45, 15, 176, 84, 187, 22,

};

•/* inverse of SBox */ BYTE Si [256] = { 82, 9, 106, 213, 48, 54, 165, 56, 191, 64, 163, 158, 129, 243, 215, 251, 124, 227, 57, 130, 155, 47, 255, 135, 52, 142, 67, 68, 196, 222, 233, 203, 84, 123, 148, 50, 166, 194, 35, 61, 238, 76, 149, 11, 66, 250, 195, 78, 8, 46, 161, 102, 40, 217, 36, 178, 118, 91, 162, 73, 109, 139, 209, 37,

114, 248, 246, 100, 134, 104, 152, 22, 212, 164, 92, 204, 93, 101, 182, 146,

108, 112, 72, 80, 253, 237, 185, 218, 94, 21, 70, 87, 167, 141, 157, 132,

144, 216, 171, 0, 140, 188, 211, 10, 247, 228, 88, 5, 184, 179, 69, 6,

208, 44, 30, 143, 202, 63, 15, 2, 193, 175, 189, 3, 1, 19, 138, 107, 58, 145, 17, 65, 79, 103, 220, 234, 151, 242, 207, 206, 240, 180, 230, 115,

150, 172, 116, 34, 231, 173, 53, 133, 226, 249, 55, 232, 28, 117, 223, 110, 71, 241, 26, 113, 29, 41, 197, 137, 111, 183, 98, 14, 170, 24, 190, 27,

252, 86, 62, 75, 198, 210, 121, 32, 154, 219, 192, 254, 120, 205, 90, 244, 31, 221, 168, 51, 136, 7, 199, 49, 177, 18, 16, 89, 39, 128, 236, 95, 96, 81, 127, 169, 25, 181, 74, 13, 45, 229, 122, 159, 147, 201, 156, 239,

160, 224, 59, 77, 174, 42, 245, 176, 200, 235, 187, 60, 131, 83, 153, 97, 23, 43, 4, 126, 186, 119, 214, 38, 225, 105, 20, 99, 85, 33, 12, 125,

}; static BYTE shifts [4] = {0,1,2,3}; /* eaes_0701.c mul : helper function: multiply two elements of GF256 */ BYTE mul (BYTE a, BYTE b) { if (a && b) return Alogtable[(Logtable[a] + Logtable[b])%255] ; else return 0; } /* end of mul */

;}

/* decryption case */ ; ;}

/* create and store results in temp matrix */

/* copy the temp matrix to a */ for (i=0; i < 16; ++i) { a[i] = tmp_a[i] ; } } /* end of MixColumns */

/* invMixColumns : i nverse of MixCol umns operation eaes_0701.c */ void invMixCol umns(BYTE* a) { BYTE tmp_a[16] ; int i, ; /* create and store results in temp matrix b */

/* copy the temp matrix to the original */ for (i=0; i < 16; ++i) { a[i] = tmp_a[i] ; } } /* end of invMixcolumns */ /* aes_encrypt : encrypti on function for al l but last round */ void aes_encrypt (BYTE* a) { subBytes(a,s); shiftRows(a,0); MixColumns(a); } /* end of aes_encrypt */ /* aes_encrypt_last: encryption function for last round void aes_encrypt_last (BYTE*a) { subBytes(a,s); ShiftRows(a,0); } /* end of aes_encrypt_last */ /* aes_decrypt: decryption function for all but last round */ void aes_decrypt (BYTE* a) { invMixcol umns(a) ; SubBytes(a.si); ShiftRows(a,1); } /* end of aes_decrypt */

/* aes_decrypt_l ast : decryption functi on for fi rst round of decryption - undo last round of encrypti on */ void aes_decrypt_las (BYTE *a) { SubBytes(a,si); shiftRows(a,1); } /* end of aes_decrypt_last */ /* , */

/* functions for key expansion */

/* repeat supplied key until 256 bytes are filled */

key until expkey is filled with 256 entries

} /

} // end of create_s

eaes_0701. c } /* end of keystream */

/* zero out array which holds keystream */ for (i=0; i < (int) MAX_KS; ++i) {κs[i] = 0x00;} /* fill in 256 bytes of key material */ key_bytes (key, expkey, 16) ; /* create sbox for RC4 */ Sbox(s,expkey); /* generate RC4 key stream */ keystream(s , KS, 1 en >V

_/ /_** end of key stream generator functions _V*/

{

// last bits to swap may be less than full byte tmp = data[i]; // need to save all of data[ij data[i] = tmpΛ(data[j] & rem_mask) ; // make sure only use lower bits in j // & not needed if handle by key xor data[j] = tmp & renunask; // only swap lower bits } // end of if right_sz } /* end of swap bytes */ int right_sz, BYTE renunask)

tmp = data[j] & rem_mask; data[ι] = tmpΛ(data[i ] & rem_mask) ; // make sure only use lower bits i n j data[ι ] = (data[i] & (Oxffff A rem_mask)) A tmp; // only swap lower bits } // end i f right_sz } /* end of rev_swap_bytes */

/* if last byte contains < 8 bits of data, leave out of rotation */ if (rem_mask = Oxff) {sz2 = sz;} else {sz2 = sz-1;} j = indl % sz2; /* rotate bytes */ for (i=0; i < sz2; ++i) { temp[i] = data[j]; j = (++j)%sz2;

/* if last byte contained < 8 bits of data, swap with bits from byte at ind2 position in rotated array */ if (sz2 != sz) { tmp = temp[ind2] ; temp i nd2] = (temp[ind2] & (Oxff - rem_mask)) A (data[sz-l] & rem_mask) temp sz-1] = tmp & renoiask;

/* copy rotated array back to data */ for (i=0; i < sz; ++i) {data[i ] = temp[i ] ; }

/* end of perm */

rem_mask) {

eaes_0701.c /* if last byte contains < 8 bits of data, leave out of rotation */ if (rem_mask == Oxff) {sz2 = sz;} else {sz2 = sz-1;} j = indl % sz2; for (i=0; i < sz; ++i) {temp[i] = data[i];} /* if last byte contained < 8 bits of data, swap with bits from ;

/* rotate bytes */ for (i=0; i < sz2; ++i) { temp[j] = data[i]; j = (++j)%sz2;

/* copy rotated array back to data */ for (i=0; i < sz; ++i) {data[i] = temp[i];}

/* end of rev_perm */

/* encrypt: encrypts a block of data returns 0 ekey contains the expanded key bytes data contains the data to be encrypted and will be populated with the ciphertext nun lb = # of bytes normally in the algorithms' block of b bits num_rb = # of bytes needed for the "y" bits numjob = # of bytes in the variable length block of b+y bits rem_mask is the mask for the last byte of the y bits (i.e. y may not be integral number of bytes)

Note: rightmost bits of y bits are rightmost bits of last byte. rnds = # of rounds in variable length version

*/ int encrypt (BYTE* ekey, BYTE* data, int num_lb,int num_rb,int num_bb,BYTE rem_mask,ιnt rnds, int pi, int p2, int p3, int p4) {

/* initial whitening */ for ( =0; j < num_bb; ++j) { data[j] = data[j] A ekey[ki]; ++ki;}

/* initial permutation */ perm(data , pi , p2 , num_bb , rem_mask) ;

/* for all but last round ... */ for (i=0; i < cnt; ++i) { /* for now use AES, need to modify to determine function - maybe pass pointer to algorithm in ? */ aes-_encrypt (data) ; eaes_0701.c /* swap right and left parts */ swap_bytes (data , di , num_l b , num_rb , rem_mask) ; /* increment index */ di = (di+l)%num_lb; /* end of round whitening */ for Gj=0; j < num_bb; ++3) { data[j] = data[j] A ekey[ki]; ++ki;} } /* end of for i */ /* last round, aes encryption excludes multiplication */ aes_encrypt_l ast (data) ; swap_bytes (data , di , num_l b , num_rb , rem_mask) ;

/* end of round whitening */ for (j=0; j < num_bb; ++3) { data[j] = data[j] A ekey[ki]; ++ki;}

/* final permutation */ perm(data , p3 , p4 , num_bb , rem_mask) ; return 0;

} /* end of encrypt */

int num_bb, BYTE rem_mask,ιnt

int i, ; int ki = num_bb * (rnds+1) - 1; / index of first key byte to use int di = ind; // start swapping with this byte int cnt = rnds-1; /* undo final permutation */ rev_perm(data , p3 , p4 , num_bb , ren mask) ; /* last round, aes decryption excludes multiplication¹ */ /* undo end of round whitening */ for (j=num_bb-l; j >=0; — j) { data[j] = data[j] A ekey[ki]; — ki;} /* undo swap right and left parts */ rev_swap_bytes (data , di , num_l b , num_rb , rem_mask) ; aes_decrypt_l ast (data) ; /* update indices */ if (di == 0) {di = num_lb-l;} else { — di;}

/* remaining rounds ... */ for (i=0; i < cnt; ++i) { /* undo end of round whitening */ for (j=num_bb-l; j >=0; --j) { data[j] = data[j] A ekey[ki]; --ki;} /* undo swap right and left parts */ rev_swap_bytes (data , di , num_l b , num_rb , rem_mask) ; /* 1 round of decryption */ aes_decrypt(data) ; eaes_0701.c /* update indices */ if (di == 0) {di = num_lb-l;} else {--di;} } /* end of for i */ /* undo initial permutation */ rev_perm(data , pi , p2 , num_bb , rem_mask) ; /* undo initial whitening */ for (j=nunt_bb-l; j >=0; — j) { data[j] = data[j] A ekey[ki]; --ki;} return 0; } /* end of decrypt */

struct _t me tl,t2;

renumask = mask_list[num_rem_bits] ;

// printf ("parameters: rnds %d num_.lb %d num_rb %d num_bb %d num_rem_bits %d ekey„len %d \n",rnds, num_lb, num_rb, num_bb, num_rem_bits,ekey_len) ; // printf("rem_mask %u \n",rem_mask) ; // ftime(&tl); // _ftime(&tl);

// printf("start time = %ld.%d

if (action == 0) { for (cl=0; cl < cnt; ++cl) { eaes_0701.c stat = encrypt(ekey,data,num_lb,num_rb, num_bb, em_mask, rnds,pi,p2 ,p3,p4) ; else if (action ==1) { for (cl=0; cl < cnt; ++cl) { stat = decrypt(ekey,data,num_lb, num_rb,num_bb, rem_mask, rnds , ind, pi,p2,p3,p4) ;

// ftime(&t2) ; // _ftime(&t2) ; // printfC'stop time = %ld .%d \n" ,t2.time,t2.millitm) ; return stat; } /* end of prp */'

,0x14,0x15 ,0x16} ;

printf("data: ") ; for (i=0; i < 32; ++i) {printf("%x " ,data_orig[i]) ;} // prp function call : key, data, 0/l=encrypt/decrypt,# bits in variabl e size block, # bits in normal AES block, // # rnds in normal AES // The following prints all 256 bits stored in data. Fewer bits may have been // encrypted, when comparing the decryption result to the original data, the the original data

APPENDIX B

e i sty0104. c /* 12/28/03 version Elastic MISTY Copyright 2003 Debra cook Computer science Department, Columbia university Elastic ersion of Misty with initial key dependent permutation change "cnt" variable in prp function (default is 1) to indicate # of blocks to encrypt 128 bit block of data is hardcoded in main main set to encrypt and decrypt all block sizes of b+y bits where b = 64 and 0 <= < 64 Compi les in Visual C++ 6.0 and later and l inux. Need to comment/unco ment appropriate time variables and <time. h>. NOTE: when block size i s not an integral number of bits , remaining bi ts are stored as rightmost bits in rigtmost byte of the input. For effi ciency, whiteni ng bits are computed i n one byte i ncrements and whitening is appl i ed to enti re rightmost byte even if < 8 bits are data. */ #include <stdlib.h> ^include <stdio.h> #include <math.h> / #include <time.h> #inelude <sys/timeb.h> #include <sys/types . h> , typedef unsigned long BITS32; typedef unsigned short int BITS16; typedef unsigned char BYTE; #define MAX_KW_SZ 160 // 10 * 16 bytes: 8 rounds, initial and final whitening #define MAX_KS 660 // larger than needed - 296 + 160 ? #define AX_BLOCK 16 // maximum block size static unsigned char s7[] = 0x54, 0x5b, Oxla, 0x72, 0x73, 0x6b, 0x4a, 0x5d, OxOf, 0x40, 0x56, 0x25, 0x42, 0x2b, Oxle, 0x41, 0x14, 0x4b, 0x53, 0x28, 0x0a, 0x7e, 0x38, 0x02, 0x68, 0x5f, 0x78, 0x2a, 0x4c, 0x64, 0x3c, Oxld, 0x21, 0x5e, 0x27, 0x6a, 0x05, 0x26, 0x76, 0x00, 0x31, 0x2d, 0x4e, 0x71, 0x3e, 0x69, 0x43, 0x34,

OxOfb, 0x035, 0x181, 0x0b9, 0x117, 0x193, Oxldδ , 0x0a3, Oxlle, 0x055,

emisty0104.c 0x14b, 0x152, 0xld2, OxOOf, 0x02b, 0x030, 0x13a, 0x0e5, 0x111, 0x138, Oxlδe, 0x063, 0x0e3, OxOcδ, 0xlf4, 0x01b, 0x001, 0x09d, OxOfδ, OxlaO, 0xl6d, Oxlf3, 0x01c, 0x146, 0x07d, OxOdl, 0x082, Oxlea, 0x183, 0xl2d, 0x0f4, 0xl9e, 0xld3, OxOdd, Oxle2, 0x128, OxleO, OxOec, 0x059, 0x091, 0x011, 0xl2f, 0x026, OxOdc, OxObO, 0x18c, OxlOf, Oxlf7, 0x0e7, 0x16c, 0x0b6, 0x0f9, 0x0d8, 0x151, 0x101, 0x14c, 0x103, OxObδ, 0x154, 0x12b, Oxlae, 0x017, 0x071, OxOOc, 0x047, 0x058, Ox07f, 0xla4, 0x134, 0x129, 0x084, Oxl5d, 0xl9d, 0xlb2, Oxla3, 0x048, 0x07c, 0x051, Oxlca, 0x023, 0x13d, Oxla7, 0x165, 0x03b, 0x042, OxOda, 0x192, OxOce, OxOcl, 0x06b, 0x09f, Oxlfl, 0x12c, 0x184, OxOfa, 0x196, Oxlel, 0x169, 0xl7d, 0x031, 0x180, 0x10a, 0x094, Oxlda, 0x186, Oxl3e, Oxllc, 0x060, 0x175, Oxlcf, 0x067, 0x119, 0x065, 0x068, 0x099, 0x150, 0x008, 0x007, 0x17c, 0x0b7, 0x024, 0x019, OxOde, 0x127, OxOdb, 0x0e4, Oxla9, 0x052, 0x109, 0x090, 0x19c, Oxlcl, 0x028, Oxlb3, 0x135, 0x16a, 0x176, OxOdf, Oxle5, 0x188, OxOc5, 0xl6e, Oxide, Oxlbl, OxOc3, Oxldf, 0x036, OxOee, Oxlee, OxOfO, 0x093, 0x049, 0x09a, 0xlb6, 0x069, 0x081, 0x125, OxOOb, Ox05e, 0x0b4, 0x149, 0xlc7, 0x174, 0x03e, 0x13b, Oxlb7, OxOδe, 0xlc6, OxOae, 0x010, 0x095, Oxlef, 0x04e, OxOf2, Oxlfd, 0x085, OxOfd, 0x0f6, OxOaO, 0xl6f, 0x083, 0x08a, 0x156, 0x09b, 0x13c, 0x107, 0x167, 0x098, OxldO, 0xle9, 0x003, Oxlfe, OxObd, 0x122, 0x089, 0x0d2, Oxlδf, 0x012, 0x033, 0x06a, 0x142, OxOed, 0x170, Oxllb, OxOe2, Oxl4f, 0x158, 0x131, 0x147, Ox05d, 0x113, Oxlcd, 0x079, 0x161, Oxla5, 0x179, Ox09e, 0xlb4, OxOce, 0x022, 0x132, 0x01a, OxOeδ, 0x004, 0xlδ7, Oxled, 0x197, 0x039, Oxlbf, Oxld7, 0x027, 0x18b, 0x0c6, 0x09c, OxOdO, 0xl4e, 0x06c, 0x034, 0xlf2, Ox06e, OxOca, 0x025, OxOba, 0x191, OxOfe, 0x013, 0x106, Ox02f, Oxlad, 0x172, Oxldb, OxOcO, 0x10b, 0xld6, OxOf5, Oxlec, OxlOd, 0x076, 0x114, Oxlab, 0x075, 0x10c, 0xle4, 0x159, 0x054, Oxllf, 0x04b, 0x0c4, Oxlbe, OxOf7, 0x029, 0x0a4, OxOOe, OxlfO, 0x077, 0x04d, 0x17a, 0x086, 0x08b, OxOb3, 0x171, OxObf, OxlOe, 0x104, 0x097, 0x15b, 0x160, 0x168, 0x0d7, OxObb, 0x066, Oxlce, OxOfc, 0x092, 0xlc5, Ox06f, 0x016, 0x04a, OxOal, 0x139, OxOaf, OxOfl, 0x190, OxOOa, Oxlaa, 0x143, 0x17b, 0x056, 0xl8d, 0x166, 0x0d4, Oxlfb, 0xl4d, 0x194, 0x19a, 0x0δ7, Oxlfδ, 0x123, 0x0a7, Oxlbδ, 0x141, 0x03c, 0xlf9, 0x140, 0x02a, 0x155, Oxlla, Oxlal, 0x198, OxOd5, 0x126, Oxlaf, 0x061, Oxl2e, 0x157, Oxide, 0x072, Oxlδa, OxOaa, 0x096, 0x115, OxOef, 0x045, 0x07b, OxOδd, 0x145, 0x053, Ox05f, 0xl7δ, 0x0b2, Ox02e, 0x020, Oxld5, Ox03f, 0xlc9, 0xle7, Oxlac, 0x044, 0x038, 0x014, OxObl, 0x16b, OxOab, OxOb5, 0x05a, Oxlδ2, Oxlcδ, 0xld4, 0x018, 0x177, 0x064, OxOcf, 0x06d, 0x100, 0x199, 0x130, 0x15a, 0x005, 0x120, Oxlbb, Oxlbd, OxOeO, 0x04f, 0x0d6, Oxl3f, 0xlc4, 0x12a, 0x015, 0x006, OxOff, 0x19b, 0x0a6, 0x043, 0x088, 0x050, Oxl5f, Oxleδ, 0x121, 0x073, Oxl7e, OxObc, 0x0c2, 0x0c9, 0x173, 0x189, Oxlf5, 0x074, Oxlcc, 0xle6, 0xla8, 0x195, OxOlf, 0x041, OxOOd, Oxlba, 0x032, 0x03d, Oxldl, 0x080, 0x0a8, 0x057, Oxlb9, 0x162, 0x148, 0x0d9, 0x105, 0x062, 0x07a, 0x021, Oxlff, 0x112, 0x108, OxleO, 0x0a9, Oxlld, OxlbO, Oxla6, OxOcd, OxOf3, 0x05c, 0x102, 0x05b, 0xld9, 0x144, 0xlf6, OxOad, OxOa5, 0x03a, Oxlcb, 0x136, 0xl7f, 0x046, OxOel, OxOle, Oxldd, 0x0e6, 0x137, Oxlfa, 0x185, 0x08c, 0x08f, 0x040, Oxlb5, OxObe, 0x078, 0x000, OxOac, 0x110, Oxl5e, 0x124, 0x002, Oxlbc, OxOa2, OxOea, 0x070, Oxlfc, 0x116, 0x15c, 0x04c, 0xlc2 };

/* */ emi sty0104. c /* functions for key expansion */ /* keystream generator rc4 is used to generate the expanded key. The fi rst 512 bytes are discarded. */

/* repeat supplied key until 256 bytes are filled */ void key_bytes(BYTE* key,BYTE* expkey, int len) { i nt i ; int j = len; for (i=0; i < len; ++i) {expkey [i] = key[i] ; } for (i=len ; i < 256; ++i) {expkey [i] = 0;} ey until expkey is filled with 256 entries

void {

emisty0104.c κs[cnt] = s[t]; } /* end of keystream */ /* key is 16 byte seed expanded key is placed in KS */ void expand_key(BYTE* key, BYTE* KS.int len){ BYTE expkey[256]; BYTE S[256j; int i ; /* zero out array which holds keystream */ for (i=0; i < (int) MAX_KS; ++i) {κs[i] = 0x00;} /* fill in 256 bytes of key material */ key_bytes(key, expkey,16) ; /* create sbox for RC4 */ Sbox(S, expkey) ; /* generate RC4 key stream */ keystream(S, KS , 1 en) ;

/* end of generic key stream generator functions */

/* need max of 32 KO's, each stored as 2 BITS16 since used in 16 bit parts */ for (i=0; j < 64; ++i) { // uses 128 bytes K0[j] = (((BITS16) KS[i]) « 8) I ((BITS16) KS[i+l]); i = i+2; ored as 3 BITS16 since used in 16 bit parts bytes ((BITS16) KS[i+l]);

rounds (2 per round) then 2 for final FL application) used in 16 bit parts */ uses 72 bytes « 8) I ((BITS16) KS[i+l]) ;

/* whitening bytes */

emi sty0104. c /* key bytes For key j ddeeopeennddeenntt ppeermutation */ KPERMLO] = KS len-2] KPERMΪlj = KS [len-1]; } /* end of create_subkeys */ /* */ nt permutation indl, int ind2,int sz.BYTE rem_mask) {

/* if last byte contains < 8 bits of data, leave out of rotation */ if (rem_mask = Oxff) {sz2 = sz;} else {sz2 = sz-1;} j = indl % sz2; /* rotate bytes */ for (i=0; i < sz2; ++i) { temp[i] = datat ]; j = (++ )%sz2;

/* if last byte contained < 8 bits of data, swap with bits from byte at ind2 position in rotated array */ if (sz2 != sz) { tmp = temp[ind2]; temp[ind2j = (temp[ind2] & (Oxff - renunask)) A (data[sz-l] & rem_mask); temp[sz-l] = tmp & rem_mask;

/* end of perm */

/re*v_perm: reverse initial key dependent permutation

*/ void rev_perm(BYTE* data, int indl, int ind2,int sz.BYTE rem_mask) { BYTE temp[MAX_BLOCK]; BYTE tmp; int i ,j; int sz2; /* if last byte contains < 8 bits of data, leave out of rotation */ if (renunask == Oxff) {sz2 = sz;} else {sz2 = sz-1;} j = indl % sz2; for (i=0; i < sz; ++i) {temp[i] = data[i];} /* if last byte contained < 8 bits of data, swap w h bits from

emi sty0104. c data[sz-l] = temp[sz-ll ; data[ind2] = temρ[ind2j ; /* rotate bytes */ for (i=0; i < sz2: ++i) { temp[j] = datati]; 3 = (++3^')%sz2;

/* copy rotated array back to data */ for (i=0; i < sz; ++i) {data[i] = temp[i] ;} /* end of rev_perm */

// last bits to swap may be less than full byte tmp - data[i]; // need to save all of data[i] data[i] = tmpA(data[j] & renunask); // make sure only use lower bits in j // & not needed if handle by key xor data[j] = tmp & renunask; // only swap lower bits } // end of if right_sz } /* end of swap bytes */ , int left_sz, int right_sz, BYTE renunask) {

e i sty0104. c tmp = data[j] & renunask; data[ ] = tmpΛ(data[i] & renunask); // make sure only use lower bits in j data[ι] = (data[i] & (Oxffff A renunask)) A tmp; // only swap lower bits } // end of if rignt_sz } /* end of rev_swap_bytes */ /* FI function from Misty Note: data is really 16 bits stored in BITS32 to avoid casting */ BITS32 Flfunc(BITS32 indata, BITS16 k) { BITS32 L09 , R07 , L17 , L29 , L3 ,R19 , 27 ,R39; BITS32 k7,k9; k7 = (k » 9) & 0x7f; // left 7 key bits k9 = k & Oxlff; // right 9 key bits L09 = (indata » 7) & Oxlff; // left 9 bits R07 = indata & 0x7f; // right 7 bits L17 = R07; R19 = s9[L09] A (R07 & 0x7f) ; L29 = Rl9 A i9" R27 = S7[L17] A (Rig & 0x7f) A k7; L37 = R27; R39 = s9[L29] A (R27 & 0x7f) ; return ((L37«9) I R39);

/*

FO function from Misty

*/

BITS32 F0func(BITS32 indata, BITS16 k01,Blτsl6 k02,BITSl6 k03,BiTSl6 k04,Biτsl6 kil,BlTSl6 ki2,BlTSl6 k 3) { BITS32 Li,Ri,L ,RJ; Li = (indata » 16); // left half Ri = indata & OxFFFF; // right half // 3 iterations Rj = Flfunc((Li'Λ ((BITS32) k01)),kil) A Ri; Li = Ri ; Ri = Flfunc((LjΛ ((BITS32) k02)),ki2) A R ; Li = Rj; Ri = Flfunc((Ll'Λ ((BITS32) k03)),ki3) Λ Ri ; 3 = Ri; Li = Lj A k04; return ((Li«16)| Rj );

/*

FL function from Misty

*/

BITS32 FL(BITS32 indata, BITS16 KL, BITS16 KR) { BITS32 XL,XR,YL,YR; XL = (indata » 16); // left half XR = indata & Oxffff; // right half YR = (XL & KL) A XR; YL a (YR I KR) A XL; e i sty0104. c return ((YL«16) | YR) ;

/* FL i nverse function from Mi sty */ BITS32 FLINV(BITS32 i ndata , BITS16 KL , BITS16 KR) { BITS32 XL,XR,YL,YR; YL = (indata » 16) ; // left half YR = indata & Oxffff ; // right hal XL = (YR I KR) A YL ; XR = (XL & KL) A YR; return ((XL«16) j XR); into byte array

/* whitening: XORS data with whitening key bytes from KW ind = first index to use in KW array num_bb = number of bytes in data

*/ void whitening (BYTE* data, BYTE* KW.i nt ind, i nt num_bb) { i nt i ; for (ι=0 ; i < num_bb; ++i) {data[i ] = data[i ] A κw[ind] ; ++i nd ; }

/* encrypt: encrypts 1 block of data

KL,KI,K0 are Misty round keys. They are passed in as arrays of 16 bit elements since they are divided into 16 bit segments within the round function. num_lb = # of bytes used in round function ("b bits of the b+y bits") num_rb = # of bytes left out of round function ("y bits of the b+y bits") num_bb = number of bytes in data renunask = mask to use for rightmost byte ("b+y" may not be integral # of bytes)

*/ void encrypt(B!TSl6* KL,BITS16* KI,BITS16* K0,BYTE* KW,BYTE* data, int num_lb,int emi sty0104. c num_rb,int num_bb,BYTE renunask, int rnds, int pi, int p2) {

/* initial whitening */ whitening(data,κw,wι ,num_bb); wi = i+num_bb; /* initial permutation */ perm(data , pi , p2 , num_bb , renunask) ; /* convert leftmost 64 bits of data to 32 bit LEFT, RIGHT segments for Misty's round function */ data_to_ r(data,iNLEFT,iNRiGHT,0) ; i=0; for (cnt=0; cnt < rnds; ++cnt) { /* apply first part of round: FL and FO function */ OUTLEFT[i] = FL(lNLEFT[i],KL[kl],KL[kl+l]); OUTRIGHT[i] = FL(lNRIGHT[i],KL[kl+2],KL[kl+3]) A F0func(OUTLEFT[i] ,K0[k2] ,K0[k2+l] ,K0[k2+2] ,K0[k2+3] ,Kl[k3] ,Kl[k3+l] ,KI[k3+2]);

count /* apply second part of round function - second FO - Note: Misty's swap occurs here */ OUTLEFT[i] = OUTRIGHT[i-l]; OUTRIGHT[i] = OUTLEFT[l^'-l] A FOfunc(OUTRIGHT[i -1] , KO[k2] ,KO[k2+l] , O [k2+2] ,KO[k2+3] , I[k3] , KI [k3+l] , KI[k3+2] ) ; /* convert left and right halves to bytes - needed for whitening and swap steps

*/ lr_to_data(data,ouτLEFT[i] ,0UTRiGHT[i]) ; /* end of round whitening */ whitening (data, KW,wi ,num_bb) ; /* update key indices */ wi = wi+num_bb; k2 = k2+4; k3 = k3+3; ++i ; // update half round count /* end of round swap */ swap_bytes (data, swap_start_i nd [di ] , num_l b , nunurb, renunask) ; ++di ; /* convert 64 bytes of data left and right halves - Note: Misty's swap included here */ emi sty0104. c data_to_lr(data,iNRlGHT,iNLEFT,i); } /* final FL */ OUTRlGHT[i] = FL(lNLEFT[i],KL[kl],KL[kl+l]): // Note: Misty's swap included here OUTLEFT[i] = FL(lNRIGHT[i],KL[kl+2],KL[kl+3j); /* convert left and right halves back to bytes */ lr_to_data(data,0UTLEFT[i] ,OUTRlGHT[i]) ; /* final whitening */ whitening (data, κw,wi ,num_bb); } /* end of encrypt */ void decrypt (BITS16* KL.BITS16* KI.BITS16* KO.BYTE* KW.int wh_ind,BYTE* data, int num_lb,int num_rb,int num_bb,BYTE rem_mask,int rnds, int ind, int pi, int p2) { BITS32 INLEFT[17],INRIGHT[17] _jOUTLEFT[17],OUTRIGHT[17] .TMPRIGHT; /* max size */ int wi = wh_ind; // starting index of whitening keys int di = ind; /* index into swap_start_i nd */ int i; /* index of half round */ int cnt =0; int kl = 4*(rnds+l) - 1; /* 4 BITS16 each application, number rnds + final applications */ int k2 = 8* rnds - 1; /* 2 applications per round, 4 BITS16 in each application */ int k3 = 6*rnds - 1; /* 2 applications per round, 3 BITS16 in each application */ int swap_start_i nd [] = {0,4,1,5,2,6,3,7}; /* swap starting position alternates between left and right half */ // undo final whitening whitening(data,κw,wi ,num_bb); wi = wi-num_bb; i=2*rnds; /* 2*rnds is index corresponding to final FL application */ /* undo final FL */ data_to_l r (data, OUTLEFT, OUTRIGHT, i) ; INRlGHT[i] = FLiNV(OUTLEFT[i],KL[kl-l],KL[kl]); // Note: Misty's swap included here INLEFT[i] = FLINV(OUTRIGHT[i],KL[kl-3],KL[kl-2]); kl = kl-4; for (cnt=0; cnt < rnds; ++cnt) { /* convert left and right halves to bytes - Note: Misty's swap included here

V lr_to_data(data,iNRiGHT[i],iNLEFT[i]); /* undo end of round swap */ rev_swap_bytes (data , swap_start_i nd [di ] , numjl b , num_rb , renunask) ; /* undo end of round whitening */ whitening(data,κw,wi ,num_bb) ; wi = wi-num_bb; — i; - i; /* convert data bytes to left and right halves needed for Misty's round functions */ data_to_l r(data, OUTLEFT, OUTRIGHT, i ) ; /* undo second F0 part of round function */ emi sty0104. c INRIGHT[i] = OUTRIGHT[i] A F0func(OUTLEFT[i] ,K0[k2-3] ,K0[k2-2] ,K0[k2-l] ,K0[k2] ,Kl[k3-2] ,KI[k3-l] ,Kl[k3]) ; INLEFT[i] = OUTLEFT[l]; k2 = k2-4; k3 = k3-3; /* undo first FL, FO part of round function */ TMPRIGHT = INLEFT[i] A FOfunc(lNRlGHT[i] ,K0[k2-3] ,κθ[k2-2] ,K0[k2-l] ,K0[k2] ,κi[k3-2] ,Kl[k3-l] ,Kl[k3]) ; —i ; INRIGHT[i] = FLINV(TMPRIGHT, KL[kl-l],KL[kl]); INLEFT[i] = FLINV(INRIGHT[l'+l],KL[kl-3],KL[kl-2]); /* update key indices */ kl = kl-4; k2 = k2-4; k3 = k3-3; } // end for loop /* convert left and right halves to bytes */ 1 r_to_data(data,lNLEFT[0] ,INRIGHT[0]) ; /* undo initial permutation */ rev_perm(data , pi , p2 , num_bb , renunask) ; /* undo initial whitening */ whitening(data,κw,wi ,num_bb) } /* end of decrypt */

struct timeb tl,t2; // struct _timeb tl,t2; char* ti l; char* tim2; rnds = (int) ceil( (float) (alg_rnds * block_sz) / (float) alg_block_sz) ; ind = ((rnds-1) % num- b); // index of first swap byte for decryption emisty0104.c /* whitening needed for each round + initial + final whitening */ ekey_len = (num_bb * (rnds+2)) + 298; /* 296+2 (2 needed for perm) */ wh_len = ekey_len - 298; /* bytes needed for whitening */ // use rnds+1 instead of rnds+2 because index to index+num_bb-l used in each whitening step wh_i nd = (num_bb * (rnds+1)) ; expand_key (mi stykey , ekey , ekey_l en) ; create_subkeys(ekey , KW, KO , Ki , L , PERM, ekey_l en) ; pi = ((int) KPERM [0]) % nunu b; p2 = ((int) KPERM[1]) % (num_bb-l) ; /* if block_sz i s not an i ntegral # of bits , create a mask for last byte in data[] */ renunask = mask_l ist [num_rem__bits] ; ftime(&tl) ; // _ftitne(&tl) ; timl = ctime(&(tl.time)) ; printfC'start time %.19s .%hu %s" ,timl, tl.mi ll itm,&timl[20]) ; if (action == 0) { for (cl=0; cl < cnt; ++cl) { encrypt (KL , Ki , KO , KW , data , num_l b , num_rb , nunubb , renunask , rnds , pi , p2) ; } else if (action ==1) { for (cl=0; cl < cnt; ++cl) { rnds , i nd , pi , p2) ;

/* test data is hardcoded encrypts and decrypts blocks of every size from 64 to 127 bits

*/ main(){

e i sty0104. printf("%d plaintext: ", »blk_ .s Zz); stat = prp(mistykey₎data,l,blk_sz,alg_bs,alg_rnds); for (i=0; i < 16; ++i) { printf("%x ^.dataH]);} printf("\n"); } /* end of for blk_sz */ return (0) ;

Claims

What is claimed is: 1. A method for converting an elastic block cipher from an original block cipher based on a round function, wherein the original block cipher is configured to receive an input of a first block size, the method comprising: receiving a data string having a second block size, wherein the second block size and the first block size are not equivalent and wherein the difference between the second block size and the first block size is a remainder; expanding the first number of rounds of the original block cipher to a second number of rounds that is based at least in part on the first block size and the second block size, wherein the second number of rounds is less than two times the first number of rounds; performing a first exclusive OR operation on the data string with a first subkey; dividing the bits of the data string into a first subset and a second subset, wherein the bits in the first subset fit in the first block size and the second subset is the remainder of the data string that would not fit in the first block size; inputting the first and second subsets into the round function that is iteratively performed for each round that is less than the second number of rounds, wherein the round function comprises: performing an S-Box transformation function, a Shiftrows transformation function, and a MixColumns transformation function on the first subset to create a transformed first subset; performing a second exclusive OR operation on the transformed first subset and the second subset with a second subkey; performing a third exclusive OR operation on the second subset with the transformed first subset to create a transformed second subset; and swapping the transformed first subset and the transformed second subset for subsequent iteration; performing the S-Box transformation function and the Shiftrows transformation function on the transformed first subset; and performing a fourth exclusive OR operation on the transformed first subset and the transformed second subset with a third subkey resulting in the elastic block cipher.

2. The method of claim 1 , further comprising generating a plurality of subkeys for each of the second number of rounds.

3. The method of claim 1, further comprising performing a whitening operation that combines a whitening key with the original block cipher.

4. The method of claim 1 , further comprising performing a first key dependent mixing operation that mixes the bits of the data string before performing the round function.

5. The method of claim 1 , further comprising performing a second key dependent mixing operation that mixes the transformed first and second subsets after performing the round function.

6. The method of claim 1, further comprising swapping the first and second subsets after the round function has been performed.

7. The method of claim 1, further comprising interleaving the bits of the second subset within the bits of the first subset.

8. A method for converting an elastic block cipher from an original block cipher based on a round function, wherein the original block cipher is configured to receive an input of a first block size, the method comprising: receiving a data string having a second block size, wherein the second block size and the first block size are not equivalent; expanding the first number of rounds of the original block cipher to a second number of rounds that is based at least in part on the first block size and the second block size, wherein the second number of rounds is less than two times the first number of rounds; modifying the original block cipher, wherein the step of modifying comprises: dividing the bits of the data string into a first subset and a second subset, wherein the block length of the first subset is equivalent to the first block size; performing the round function of the original block cipher on the first subset; performing an exclusive OR operation on the second subset with the first subset; and iteratively swapping the second subset within the bits of the first subset by swapping the first subset with the second subset; and using the modified original block cipher to encrypt the data string.

9. A method for converting an elastic block cipher from an original block cipher based on a round function, wherein the original block cipher is configured to receive an input of a first block size, the method comprising: receiving a data string having a second block size, wherein the second block size and the first block size are not equivalent; expanding the first number of rounds of the original block cipher to a second number of rounds that is based at least in part on the first block size and the second block size, wherein the second number of rounds is less than two times the first number of rounds; dividing the bits of the data string into a first subset and a second subset, wherein the block length of the first subset is equivalent to the first block size; and inputting the first and second subsets into the round function that is iteratively performed for each round, wherein the round function comprises: performing the round function of the original block cipher on the first subset; performing an exclusive OR operation on the second subset with the first subset; and swapping the second subset with the first subset.

10. The method of claim 9, further comprising performing an exclusive OR operation on the bits of the data string with at least one subkey.

11. The method of claim 9, further comprising generating a plurality of subkeys for each of the second number of rounds.

12. The method of claim 9, further comprising performing a whitening operation that combines a whitening key with the original block cipher.

13. The method of claim 9, further comprising performing a key dependent mixing operation that mixes the bits of the data string before performing the round function.

14. The method of claim 9, further comprising performing a key dependent mixing operation that mixes the transformed first and second subsets after performing the round function.

15. The method of claim 9, further comprising interleaving the bits of the second subset within the bits of the first subset.