WO2006040682A2 - Process of and apparatus for encoding a digital input - Google Patents

Process of and apparatus for encoding a digital input

Info

Publication number
WO2006040682A2
Authority
WO
WIPO (PCT)
Prior art keywords
type
chosen
group
cryptographic
logical
Prior art date
Application number
PCT/IB2005/003371
Other languages
French (fr)
Other versions
WO2006040682A9 (en)
WO2006040682A3 (en)
Inventor
Sean O'Neil
Original Assignee
Synaptic Laboratories Limited
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from AU2004905897A external-priority patent/AU2004905897A0/en
Application filed by Synaptic Laboratories Limited filed Critical Synaptic Laboratories Limited
Publication of WO2006040682A2 publication Critical patent/WO2006040682A2/en
Publication of WO2006040682A9 publication Critical patent/WO2006040682A9/en
Publication of WO2006040682A3 publication Critical patent/WO2006040682A3/en


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation


Abstract

A cryptographic process (10) that receives input (11) and produces output (2). The cryptographic process (10) produces each block of output (20) by performing on a block of input (11), in any order, at least one operation (15) of a first type; at least one operation (19) of a second type; at least one operation (13, 17) of a third type; and at least one operation (12) of a fourth type. The operations of the first type (15) are swapping (SWAP) and bit order reversal. The operations of the second type (19) are bitwise rotation to the left (ROTL) and bitwise rotation to the right (ROTR). The operations of the third type (13, 17) are addition (ADD), subtraction (SUB) and negation (NEG). The operations of the fourth type (12) are exclusive-or (XOR), inverse exclusive-or (XNOR), logical AND, inverse logical AND (NAND), logical OR, inverse logical OR (NOR) and logical inverse (NOT). When both the first operation and the last operation in the cryptographic process (10) are swap operations (15), the cryptographic process includes a further swap operation (15).

Description

Title
Process of and apparatus for encoding a digital input
Field of the invention
The present invention relates to cryptographic primitives.
Background of the invention
Throughout this specification, including the claims, we use the terms 'comprises' and 'comprising' to specify the presence of stated features, integers, steps or components but without precluding the presence or addition of one or more other features, integers, steps, components or groups.
In the cryptographic art, crypto-systems can be implemented in dedicated hardware or general-purpose processors. It is desirable that the software-implementation of cryptographic processes on general-purpose processors can efficiently exploit the instruction sets and execution profiles provided on general-purpose hardware.
Summary of the invention
Accordingly, in one aspect we provide a cryptographic process that receives at least one block of input and produces an output block from the at least one block of input, the process comprising: the performance, in any order, of: at least one operation of a first type; at least one operation of a second type; at least one operation of a third type; and at least one operation of a fourth type; each operation of the first type being chosen from the group consisting of: swapping (SWAP) and bit order reversal, each operation of the second type being chosen from the group consisting of: bitwise rotation to the left (ROTL) and bitwise rotation to the right (ROTR); each operation of the third type being chosen from the group consisting of: addition (ADD), subtraction (SUB) and negation (NEG); and each operation of the fourth type being chosen from the group consisting of: exclusive-or (XOR), inverse exclusive-or (XNOR), logical AND, inverse logical AND (NAND), logical OR, inverse logical OR (NOR) and logical inverse (NOT), and in which, when both the first operation and the last operation in the cryptographic process are swap operations, the cryptographic process further comprises a swap operation.
It is preferred that at least one operation of the second type uses at least one input chosen from the group consisting of: key material, data material and counter material.
It is preferred that at least one operation of the third type uses at least one input chosen from the group consisting of: key material, data material and counter material.
It is preferred that at least one operation of the fourth type uses at least one input chosen from the group consisting of: key material, data material and counter material.
It is preferred that at least one operation of the first type: is immediately preceded by an operation chosen from the group consisting of: an operation of the third type; and an operation of the fourth type, and is immediately followed by an operation which is also chosen from that group. In this case, it is preferred that the immediately following operation is of a different type from the type of the immediately preceding operation.
It is preferred that at least one operation of the second type: is immediately preceded by an operation chosen from the group consisting of: an operation of the third type; and an operation of the fourth type, and is immediately followed by an operation which is also chosen from that group. In this case it is preferred that the immediately following operation is of a different type from the type of the immediately preceding operation.
It is preferred that: at least one fixed N-bit constant is used in at least one operation of the third type or of the fourth type; and that N-bit constant is chosen as a balanced non-linear Boolean function with log(N) inputs.
It is preferred that all operations of the third type and of the fourth type use an N-bit constant which is chosen as a balanced non-linear Boolean function with log(N) inputs.
In other aspects, we provide apparatus, machine readable substrates, data and signals as summarized in the claims at the end of this specification.
It will be seen that these processes and apparatus provide arithmetic operations, which achieve fast balancing of the distribution of monomials of all possible algebraic degrees in the polynomial relationships between all the bits of input, be it data, key or counter material.
We achieve this while maintaining fast execution on modern high-performance general-purpose processors such as the Pentium and PowerPC architectures.
Due to the unbalanced nature of operations with carry, the polynomial relationship between different bits of output and the input bits to operations with carry will have a different number of monomials and a different algebraic degree for different bit positions.
We correct this imbalance by using two different classes of transposition operations to achieve faster balancing of monomials and algebraic degrees of each of the bits than either class of transposition operations can achieve on their own. Combining two different classes of transposition operations allows widening the range of different bit permutations occurring in the encryption process.
Brief description of the drawings
In the drawings, figures 1, 2 and 3 illustrate preferred embodiments of the invention.
Description of embodiments of the invention
There are three basic transposition operations available in most modern processors that can be used to compensate for the algebraic imbalances: fixed constant rotation, variable rotation and byte order reversal operations.
The byte-swap operation on a 32-bit word is the fastest balancing function as it transposes the order of 4 groups of 8 bits. The byte-swap operation is readily available for 16-bit, 32-bit, 64-bit words such as found on Sparc, MMX and 3DNow! instruction sets and 128-bit words as found on SSE instruction sets.
In figure 1, reference number 10 indicates a process according to a preferred embodiment of the invention.
Reference number 11 indicates a 32-bit wide word. The least significant bit of the 32-bit word 11 is illustrated as the rightmost bit.
The exclusive or (XOR) operation 12 has the word 11 as input and performs a 32-bit wide XOR operation with a second 32-bit value. The second 32-bit value is not illustrated.
The addition operation 13 has the word 12 as input and performs an addition with the constant hexadecimal value 0x00000001 to generate output 13. The cross-hatched boxes in word 13 visually illustrate the probability of each bit generating a carry overflow as a result of the addition operation 13.
During encryption where all variable input values can be usually seen as pseudo-random, the difference between algebraic addition operation (ADD) and a bitwise addition (XOR) has on average more than 75% zeroes and less than 25% ones representing the carry overflow bits: each bit in the addition operation 13 has a 25% probability of generating a carry overflow in the next bit. Once a carry overflow is produced, the probability of its reversal in the following bits is 25% for the immediately following bit decreasing exponentially by 75% with every bit. Thus in order to construct a cryptographically secure cipher, the highly localised small influence of carry overflow bits that also leave less significant bits unaffected needs to be diffused to all other bits with carefully chosen transposition operations.
Byte-swap operation 15 has the word 14 as input and performs a byte-swap operation to produce the output word 16. In the illustration of word 16 in the drawing, it can be seen that the cross-hatching that appeared on the right of the figure in word 14 now appears transposed towards the more significant bits of word 16 as a result of the byte-swap.
The order reversal operation acts as a form of corrective balancing, compensating the dependency bias found in the lowest and the highest bits of the output across the entire word width.
Addition operation 17 has the word 16 as input and performs an addition with the constant hexadecimal value 0x00000001 to generate output 18. The cross-hatched boxes in word 18 visually illustrate the probability of each bit generating a carry overflow as a result of the first addition operation 13 and the second arithmetic operation 17.
It is clear that a byte swap operation of word 18 would result in a redundant transposition.
The rotation operation is a slower compensating construction than is the byte-swap operation, only permuting two contiguous sequences of bits and also not changing their order.
The static rotation operation 19 has the word 18 as input and performs a static rotation left by 17 bits to generate output word 20. Output word 20 visually illustrates the distribution of influence of a carry bit after a byte-swap operation followed by a left 17-bit rotation.
Figure 2 illustrates a portion of the loop of iteratively applied byte-swap and 17-bit rotation operations showing each bit's position after every transposition operation. In figure 2, word 31 illustrates a 32-bit word with a label for each bit position. In figure 2, byte-swap operation 32 has the word 31 as input and generates word 33 as output.
Rotation operation 34 has the word 33 as input and performs a 32-bit wide rotation by 17 bits left to generate word 35 as output.
Words 36, 38, 40, 42 are the results of a byte-swap operation performed on words 35, 37, 39 and 41.
Words 37, 39, 41, 43 are the results of a 32-bit wide rotation by 17 bits left performed on words 36, 38, 40, 42.
Visually inspecting figure 2 it is clear that not only each of the 32 bits of word 31 is cycled into a unique position, but also in such a way, that the biased influence of all carry bits in arithmetic operations is quickly balanced. It can also be visually seen that such combination has advantages of both rotation and byte swapping operations and does not have their disadvantages: byte-swapping operations may get canceled out in subsequent iterations, and rotation operations offer less balancing of the biased carry overflow influence and maintain the same order of bits throughout the entire cipher operation.
Interleaving byte-swapping with any rotation other than by a number of bits divisible by 8 (including 0) results in a transposition that ensures the influence of carry-bits is not cancelled out in a later operation. Interleaving byte-swapping and rotation operations between arithmetic and logical operations also introduces a new effect of continuously changing the order of bits in the word.
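The loop of figure 2 can be reproduced by pushing single-bit words through the two transposition operations and reading off the cycle structure of the resulting bit permutation. This is an added example, not part of the patent text; it goes slightly beyond the figure by surveying every rotation amount on a 32-bit word. The function names are chosen here, and "byte-swap" is assumed to mean full byte-order reversal of the word.

```python
"""Bit-position cycles of byte-swap interleaved with a static left rotation
on a 32-bit word (the loop drawn in figure 2). Added illustration only."""

WIDTH = 32
MASK = (1 << WIDTH) - 1


def bswap32(x):
    """Reverse the byte order of a 32-bit word (operation of the first type)."""
    return int.from_bytes((x & MASK).to_bytes(4, "big"), "little")


def rotl32(x, r):
    """Rotate a 32-bit word left by r bits (operation of the second type)."""
    r %= WIDTH
    return ((x << r) | (x >> (WIDTH - r))) & MASK


def transpose(x, r):
    """One iteration of the figure 2 loop: byte-swap, then rotate left by r."""
    return rotl32(bswap32(x), r)


def bit_permutation(r):
    """perm[p] is the position that bit p occupies after one iteration.

    Derived from the word operations themselves by sending each
    single-bit word 1 << p through transpose().
    """
    return [transpose(1 << p, r).bit_length() - 1 for p in range(WIDTH)]


def cycle_lengths(perm):
    """Sorted cycle lengths of a permutation given as a list."""
    seen, lengths = set(), []
    for start in range(len(perm)):
        if start in seen:
            continue
        n, p = 0, start
        while p not in seen:
            seen.add(p)
            p = perm[p]
            n += 1
        lengths.append(n)
    return sorted(lengths)


def trace_bit(p, r, steps):
    """Positions visited by bit p over the given number of iterations."""
    perm = bit_permutation(r)
    path = []
    for _ in range(steps):
        p = perm[p]
        path.append(p)
    return path


def survey():
    """Map every rotation amount 0..31 to the cycle lengths it produces."""
    return {r: cycle_lengths(bit_permutation(r)) for r in range(WIDTH)}


if __name__ == "__main__":
    for r, lengths in survey().items():
        print(f"byte-swap + rotl {r:2d}: cycle lengths {lengths}")
    # Bit 0 is where the carry of "+ 0x00000001" starts; follow it around.
    print("bit 0 under rotl 17:", trace_bit(0, 17, 8))
```

With a rotation by 17 the 32 bit positions form one cycle of length 32, whereas rotations by 0, 8, 16 or 24 give only fixed points and 2-cycles, so two iterations restore the original bit order.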
The byte-swap operation combined with rotation operations plays the role of a cryptographic transposition operation. This is fundamentally different from performing byte order conversions to ensure compatibility between big-endian and little-endian architectures, which can be achieved by performing a byte-swap as the first operation when receiving a block of data to encode and as the last operation before returning the encoded block of output.
According to further preferred embodiments of the invention, the reiterated sequence of a static rotation followed by a byte-swap operation over 32-bit, 64-bit, 128-bit or 256-bit word lengths achieves a maximal distance permutation of bits if one or two static rotations by an odd constant are performed between each byte-swap operation. The direction of the static rotation is irrelevant to achieving the desired output distribution; however, single rotations between byte-swaps do not result in maximal length loops for 64-bit or wider words. If such a property is desired, multiple rotation operations should be performed before executing the next byte-swap.
Figure 3 illustrates a process according to a further preferred embodiment of the invention.
Word 51 is an input to a cryptographic process 52. Process 52 illustrates a cryptographic process such as a round function. The process 52 comprises at least one arithmetic operation 53 selected from the set of: addition (ADD), subtraction (SUB) and negation (NEG). The process 52 further comprises at least one rotation operation 54 selected from the set of: rotation left (ROL) and rotation right (ROR). Process 52 further comprises at least one byte-swap operation 55. Process 52 further comprises at least one operation 56 selected from the set of Boolean operators: exclusive-or (XOR), inverse exclusive-or (XNOR), logical AND, inverse logical AND (NAND), logical OR, inverse logical OR (NOR) and logical inverse (NOT).
Various further preferred embodiments of the invention (which are not illustrated in the drawings) use plaintext, key material and counter values as input parameters into any of the abovementioned operations, for example allowing use of data-dependent or key-dependent operations and s-boxes implemented either as look-up tables or using bit-slicing techniques.
The output 58 thus depends on at least one operation of each of the four classes of operation 53, 54, 55 and 56. The order of operations 53, 54, 55 and 56 is arbitrary.
Many modern processor architectures such as PowerPC and Pentium families optimize the performance of instruction sequences that match common application execution profiles. The arbitrary execution of operations selected from 53, 54, 55 and 56 achieves high performance on the above processors because they match common application execution profiles. Multiplication operations are not recommended due to the poor performance when executed in close proximity with byte-swap or rotation operations on the above processors.
Process 52 further comprises at least 1 s-box look-up operation 57 from a precomputed table of values stored in memory.
In a further preferred embodiment of the invention, arithmetic operations such as illustrated as 53 in figure 3 are interleaved with Boolean logic operations such as represented as 56 in figure 3, to ensure their non-associative and non-commutative behaviour.
In yet further preferred embodiments of the invention, for every three consecutive occurrences of sequences of contiguous transposition operations from the class 54 and 55, the third sequence of transposition operations is not the inverse of the first sequence of transposition operations.
In yet further preferred embodiments of the invention, for every two consecutive occurrences of sequences of contiguous transposition operations from the class 54 and 55, the second sequence of transposition operations is not the inverse of the first sequence of transposition operations.

Claims

Claims:
1. A cryptographic process that receives at least one block of input and produces an output block from the at least one block of input, the process comprising: the performance, in any order, of: at least one operation of a first type; at least one operation of a second type; at least one operation of a third type; and at least one operation of a fourth type; each operation of the first type being chosen from the group consisting of: swapping (SWAP) and bit order reversal, each operation of the second type being chosen from the group consisting of: bitwise rotation to the left (ROTL) and bitwise rotation to the right (ROTR); each operation of the third type being chosen from the group consisting of: addition (ADD), subtraction (SUB) and negation (NEG); and each operation of the fourth type being chosen from the group consisting of: exclusive-or (XOR), inverse exclusive-or (XNOR), logical AND, inverse logical AND (NAND), logical OR, inverse logical OR (NOR) and logical inverse (NOT), and in which, when both the first operation and the last operation in the cryptographic process are swap operations, the cryptographic process further comprises a swap operation.
2. A cryptographic process as claimed in claim 1, in which at least one operation of the second type uses at least one input chosen from the group consisting of: key material, data material and counter material.
3. A cryptographic process as claimed in claim 1 or claim 2, in which at least one operation of the third type uses at least one input chosen from the group consisting of: key material, data material and counter material.
4. A cryptographic process as claimed in any one of the preceding claims, in which at least one operation of the fourth type uses at least one input chosen from the group consisting of: key material, data material and counter material.
5. A cryptographic process as claimed in any one of the preceding claims, in which at least one operation of the first type: is immediately preceded by an operation chosen from the group consisting of: an operation of the third type; and an operation of the fourth type, and is immediately followed by an operation which is also chosen from that group.
6. A cryptographic process as claimed in claim 5, in which the immediately following operation is of a different type from the type of the immediately preceding operation.
7. A cryptographic process as claimed in any one of the preceding claims, in which at least one operation of the second type: is immediately preceded by an operation chosen from the group consisting of: an operation of the third type; and an operation of the fourth type, and is immediately followed by an operation which is also chosen from that group.
8. A cryptographic process as claimed in claim 7, in which the immediately following operation is of a different type from the type of the immediately preceding operation.
9. A cryptographic process as claimed in any one of the preceding claims, in which: at least one fixed N-bit constant is used in at least one operation of the third type or of the fourth type; and that N-bit constant is chosen as a balanced non-linear Boolean function with log(N) inputs.
10. A cryptographic process as claimed in claim 9, in which all operations of the third type and of the fourth type use an N-bit constant which is chosen as a balanced non-linear Boolean function with log(N) inputs.
11. Cryptographic apparatus that receives at least one block of input and produces an output block from the at least one block of input by performing on the block of input the cryptographic process comprising: the performance, in any order, of: at least one operation of a first type; at least one operation of a second type; at least one operation of a third type; and at least one operation of a fourth type; each operation of the first type being chosen from the group consisting of: swapping (SWAP) and bit order reversal, each operation of the second type being chosen from the group consisting of: bitwise rotation to the left (ROTL) and bitwise rotation to the right (ROTR); each operation of the third type being chosen from the group consisting of: addition (ADD), subtraction (SUB) and negation (NEG); and each operation of the fourth type being chosen from the group consisting of: exclusive-or (XOR), inverse exclusive-or (XNOR), logical AND, inverse logical AND (NAND), logical OR, inverse logical OR (NOR) and logical inverse (NOT), and in which, when both the first operation and the last operation in the cryptographic process are swap operations, the cryptographic process further comprises a swap operation.
12. Cryptographic apparatus as claimed in claim 11, in which at least one operation of the second type uses at least one input chosen from the group consisting of: key material, data material and counter material.
13. Cryptographic apparatus as claimed in claim 11 or claim 12, in which at least one operation of the third type uses at least one input chosen from the group consisting of: key material, data material and counter material.
14. Cryptographic apparatus as claimed in any one of claims 11 to 13, in which at least one operation of the fourth type uses at least one input chosen from the group consisting of: key material, data material and counter material.
15. Cryptographic apparatus as claimed in any one of claims 11 to 14, in which at least one operation of the first type: is immediately preceded by an operation chosen from the group consisting of: an operation of the third type; and an operation of the fourth type, and is immediately followed by an operation which is also chosen from that group.
16. Cryptographic apparatus as claimed in claim 15, in which the immediately following operation is of a different type from the type of the immediately preceding operation.
17. Cryptographic apparatus as claimed in any one of the claims 11 to 16, in which at least one operation of the second type: is immediately preceded by an operation chosen from the group consisting of: an operation of the third type; and an operation of the fourth type, and is immediately followed by an operation which is also chosen from that group.
18. Cryptographic apparatus as claimed in claim 17, in which the immediately following operation is of a different type from the type of the immediately preceding operation.
19. A cryptographic process as claimed in any one of claims 11 to 18, in which: at least one fixed N-bit constant is used in at least one operation of the third type or of the fourth type; and that N-bit constant is chosen as a balanced non-linear Boolean function with log(N) inputs.
20. Cryptographic apparatus as claimed in claim 19, in which all operations of the third type and of the fourth type use an N-bit constant which is chosen as a balanced non-linear Boolean function with log(N) inputs.
21. Data which has been generated by the process of any one of claims 1 to 10.
22. A machine readable substrate carrying data which has been generated according to the process of any one of claims 1 to 10.
23. A signal carrying data which has been generated according to the process of any one of claims 1 to 10.
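Claims 19 and 20 require each fixed N-bit constant to be a balanced non-linear Boolean function with log(N) inputs. The C check below is an added example, not part of the patent text: it assumes N = 32 with the logarithm taken base 2 (5 inputs), reads bit x of the constant as the function's output for input x, and takes "non-linear" to mean a non-zero Hamming distance from every affine function; the function names and sample constants are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define N_BITS 32u /* N: constant width (assumed 32-bit words) */

/* Bit x of the constant is read as f(x), x = 0..N-1 (assumed encoding). */
static int truth_bit(uint32_t c, unsigned x) { return (int)((c >> x) & 1u); }

/* Balanced: exactly N/2 of the N inputs map to 1. */
int is_balanced(uint32_t c) {
    unsigned ones = 0;
    for (unsigned x = 0; x < N_BITS; x++) ones += (unsigned)truth_bit(c, x);
    return ones == N_BITS / 2;
}

/* Hamming distance to the nearest affine function, computed from the
 * Walsh-Hadamard spectrum: NL = (N - max|W|) / 2. Zero means affine. */
int nonlinearity(uint32_t c) {
    int w[N_BITS], max_abs = 0;
    for (unsigned x = 0; x < N_BITS; x++) w[x] = truth_bit(c, x) ? -1 : 1;
    for (unsigned len = 1; len < N_BITS; len <<= 1) /* fast WHT butterflies */
        for (unsigned i = 0; i < N_BITS; i += 2 * len)
            for (unsigned j = i; j < i + len; j++) {
                int a = w[j], b = w[j + len];
                w[j] = a + b;
                w[j + len] = a - b;
            }
    for (unsigned x = 0; x < N_BITS; x++)
        if (abs(w[x]) > max_abs) max_abs = abs(w[x]);
    return ((int)N_BITS - max_abs) / 2;
}

/* The claim 19 property under the assumptions stated above. */
int is_balanced_nonlinear(uint32_t c) {
    return is_balanced(c) && nonlinearity(c) > 0;
}

int main(void) {
    /* Constructed sample constants, not values from the patent. */
    const uint32_t samples[] = { 0xAAAAAAAAu, 0x88888888u, 0x78787878u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%08X balanced=%d nonlinearity=%d accepted=%d\n",
               (unsigned)samples[i], is_balanced(samples[i]),
               nonlinearity(samples[i]), is_balanced_nonlinear(samples[i]));
    return 0;
}
```

Of the constructed samples, 0xAAAAAAAA is balanced but affine, 0x88888888 is non-linear but unbalanced, and only 0x78787878 satisfies both conditions.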
PCT/IB2005/003371 2004-10-13 2005-10-12 Process of and apparatus for encoding a digital input WO2006040682A2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
AU2004905897A AU2004905897A0 (en) 2004-10-13 Process of and apparatus for encoding a digital input
AU2004905897 2004-10-13

Publications (3)

Publication Number Publication Date
WO2006040682A2 WO2006040682A2 (en) 2006-04-20
WO2006040682A9 WO2006040682A9 (en) 2006-06-08
WO2006040682A3 WO2006040682A3 (en) 2006-07-27

Family

ID=36118193

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2005/003371 WO2006040682A2 (en) 2004-10-13 2005-10-12 Process of and apparatus for encoding a digital input

Country Status (2)

Country Link
TW (1) TW200637317A (en)
WO (1) WO2006040682A2 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1999066669A2 (en) * 1998-06-15 1999-12-23 Rsa Security, Inc. Block ciphers with integer multiplication, data-dependent and fixed number of rotations in each round
WO2000075750A2 (en) * 1999-06-09 2000-12-14 Microsoft Corporation Parameter generation using elementary register operations
US6199162B1 (en) * 1997-09-17 2001-03-06 Frank C. Luyster Block cipher method
US20020114451A1 (en) * 2000-07-06 2002-08-22 Richard Satterfield Variable width block cipher

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
VERBAUWHEDE I ET AL: "SECURITY AND PERFORMANCE OPTIMIZATION OF A NEW DES DATA ENCRYPTION CHIP" IEEE JOURNAL OF SOLID-STATE CIRCUITS, IEEE SERVICE CENTER, PISCATAWAY, NJ, US, vol. 23, no. 3, 1 June 1988 (1988-06-01), pages 647-656, XP000112776 ISSN: 0018-9200 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108563465A (en) * 2012-09-28 2018-09-21 英特尔公司 Systems, devices and methods for executing cycle and exclusive or in response to single instruction
CN108563465B (en) * 2012-09-28 2022-09-20 元平台公司 Systems, apparatuses, and methods for performing a loop and an XOR in response to a single instruction

Also Published As

Publication number Publication date
WO2006040682A9 (en) 2006-06-08
TW200637317A (en) 2006-10-16
WO2006040682A3 (en) 2006-07-27

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KM KP KR KZ LC LK LR LS LT LU LV LY MA MD MG MK MN MW MX MZ NA NG NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU LV MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

COP Corrected version of pamphlet

Free format text: PAGES 1/3, 2/3, DRAWINGS, REPLACED BY NEW PAGES 1/3, 2/3

NENP Non-entry into the national phase in:

Ref country code: DE

122 Ep: pct application non-entry in european phase