WO2006085283A1 - High speed encryption and decryption - Google Patents


Info

Publication number: WO2006085283A1
Authority: WO (WIPO (PCT))
Prior art keywords: cipher, encryptor, output, encryption key, input
Application number: PCT/IB2006/050436
Other languages: French (fr)
Inventors: Raymond Krasinski, Michael A. Epstein, Marc Vauclair, Martin Rosner
Original assignee: Koninklijke Philips Electronics N.V.
Application filed by: Koninklijke Philips Electronics N.V.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols; the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/065 Encryption by serially and continuously modifying data stream elements, e.g. stream cipher systems, RC4, SEAL or A5/3
    • H04L9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0631 Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • H04N PICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00 Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/20 Servers specifically adapted for the distribution of content, e.g. VOD servers; Operations thereof
    • H04N21/23 Processing of content or additional data; Elementary server operations; Server middleware
    • H04N21/234 Processing of video elementary streams, e.g. splicing of video streams, manipulating MPEG-4 scene graphs
    • H04N21/2347 Processing of video elementary streams involving video stream encryption
    • H04N21/25 Management operations performed by the server for facilitating the content distribution or administrating data related to end-users or client devices, e.g. end-user or client device authentication, learning user preferences for recommending movies
    • H04N21/266 Channel or content management, e.g. generation and management of keys and entitlement messages in a conditional access system, merging a VOD unicast channel into a multicast channel
    • H04N21/26613 Channel or content management for generating or managing keys in general

Definitions

  • a stream cipher is a cipher in which the input stream is encrypted sequentially, generally one data unit (word/byte/bit) at a time, and in which the transformation of subsequent data units varies during the encryption.
  • a block cipher is a cipher that operates on large blocks of data with a fixed, unvarying transformation. That is, a block cipher of a given block of data and a given encryption key will always produce the same encrypted output block.
  • a stream cipher's output is dependent upon the state of the cipher system at the time that the data unit is being encrypted.
  • a stream cipher combines the input stream with a generated keystream, the keystream being pseudorandomly generated based on a given encryption key, or set of keys. Because the sequential generation of a keystream is generally a less complex operation than the block-encryption of a data block, stream ciphers are typically substantially faster than block ciphers, and require substantially fewer hardware components.
  • Stream ciphers are particularly well suited for the high-speed encryption/decryption of streams of data of unknown length, such as telephone conversations, streaming video, and so on.
  • when block ciphers are used on such data, the design must include provisions for padding input streams that terminate prior to filling a block.
  • stream ciphers are less secure than block ciphers, in that they are all susceptible to distinguishing attacks that use less than an exhaustive search. Further, all stream ciphers are vulnerable to attack if the keystream is repeated.
  • the keystream's repeat-length is 2^128 bits, which is acceptable in most applications, but at an encryption rate of 100Mb per second, the recycle time of such a cipher amounts to under 25 minutes, which renders the cipher unsuitable for long-running applications, such as streaming video.
  • the complexity of block ciphers renders them either too costly or too slow for such consumer applications.
  • the "Common Scrambling Algorithm” has been used extensively for encrypting digital television channels.
  • the algorithm has not been published by the originators, but reverse-engineering of a software embodiment of the algorithm reveals that it uses a combination of a stream and block cipher.
  • Each of the ciphers receives the same key, which is configured to change regularly, presumably to avoid a repetition of the keystream.
  • An input packet is divided into blocks, and each block is encrypted, in reverse order, using the block cipher with an initialization vector of zero.
  • the last output block of the block cipher is used as a nonce to the stream cipher, and the bits of each encrypted block are XOR'd with the output bits of the stream cipher to produce a stream-and-block encrypted output. Because both ciphers are applied to the data, the speed of encryption or decryption is limited to the slower of the two ciphers, which is generally the block cipher. Additionally, because the same key is used in both the stream and block ciphers, an attack on either cipher to determine the key will defeat the system ("Fault attack on the DVB Common Scrambling Algorithm", Kai Wirt, November 2003, Cryptology ePrint Archive: Report 2004/289).
  • a block cipher is used to generate a sequence of seeds that is used to repeatedly re-seed a stream cipher.
  • the vulnerability of the stream cipher to attacks is substantially reduced. Because the block cipher is used to generate the seeds, and not to encrypt the input data, the speed of encryption of the input data is virtually independent of the speed of the block cipher.
  • An AES block cipher can be used to generate the seeds for the stream cipher, by encrypting a changing input value, such as a counter input, using a given encryption key.
  • the AES seed-generator periodically provides an initial/re-initial state value and working key value to a Helix stream cipher or a SNOW cipher.
  • FIGs. 1A and 1B illustrate example block diagrams of an encryption system and a decryption system in accordance with this invention.
  • FIGs. 2A and 2B illustrate example flow diagrams of an encryption system and a decryption system in accordance with this invention.
  • FIG. 3 illustrates an example block diagram of an embodiment of an encryption system in accordance with this invention, including an AES reseed-generator and a Helix stream cipher.
  • FIG. 1A illustrates an example encryption system, and FIG. 1B illustrates an example decryption system.
  • a first encryptor 110 receives plain input P_in 101, and produces therefrom encrypted output E_out 111.
  • a first decryptor 160 receives encrypted input E_in 151, and produces therefrom plain output P_out 161. If the encrypted input E_in 151 corresponds to the encrypted output E_out 111, and the decryptor 160 uses the appropriate decryption parameters, the plain output P_out 161 will correspond to the plain input P_in 101.
  • a second encryptor 120 and a second decryptor 170 are used to provide the encrypting and decrypting parameters to the first encryptor 110 and first decryptor 160, respectively.
  • the invention is presented herein using the paradigm of a stream cipher being employed in the first encryptor 110 and first decryptor 160, and a block cipher being employed in the second encryptor 120 and second decryptor 170, because such a combination provides advantages that are particularly well suited for high-speed encryption of streaming data.
  • One of ordinary skill in the art will recognize, however, that the invention is not limited to this particular configuration.
  • the first encryptor/decryptor pair 110/160 could use a stream or a block cipher
  • the second encryptor/decryptor pair 120/170 could use a stream or a block cipher; or, either of the pairs could include a hybrid cipher that includes elements of a stream and a block cipher.
  • encryptors and decryptors are virtually identical, with minor changes typically associated with the first or last stages, as defined for the particular cipher.
  • the term "encrypt" is used hereinafter for convenience to refer to either the processing of plaintext input to produce encrypted output, or the processing of encrypted input to produce plaintext output.
  • the term "encryptor" is used hereinafter for convenience to refer to either the encryptor blocks 110-120, or the decryptor blocks 160-170, and the following description will address FIG. 1A.
  • references to elements 101, 110, 111, 120, 121, 130, and 140 in FIG. 1A correspond to elements 151, 160, 161, 170, 171, 180, and 190 in FIG. 1B, respectively.
  • the encryption parameters that are provided to the first encryptor 110 are termed "seeds", corresponding to the stream cipher paradigm, wherein the seed values determine a starting state of the encryptor 110, from which subsequent states are developed.
  • the seed may also include an initial working key value, which is typically a set of bits that are derived from a secret input key and a selected (public) nonce. The use of a nonce allows the same secret key to be used for encrypting different messages, or the same message, by effectively forming a unique key for the particular stream being produced. If the first encryptor 110 uses a block cipher, which is state independent, the "seed" in this example would correspond to the working key value.
  • a reseed controller 140 is configured to periodically or aperiodically cause the first encryptor 110 to use a new seed that includes at least one cryptographic parameter that is substantially independent of the prior seed, and/or substantially independent of any prior state of the first encryptor 110.
  • the second encryptor 120 provides the entire seed, thereby simplifying the user's interaction with the system by having the user merely provide the cryptographic parameters required for the second encryptor 120.
  • the second encryptor 120 may provide a subset of the seed values, such as all or part of the state value, or all or part of the working key value.
  • a counter 130 provides a new input to the second encryptor 120 each time a new seed is required.
  • the new seed is a cryptographic encoding of the input from the counter 130, based on a secret key 121.
  • the second encryptor 120 uses an AES block cipher to produce the new seed, because of the high security level provided by AES, although any other encryption technique may be used.
  • the reseed controller 140 preferably controls the content of the counter 130, so that the use of the same algorithm in each of the controllers 140/190 (FIGs. 1A and 1B) assures that each of the second encryptors 120/170 receives the same input. In this way, if each of the keys 121/171 is the same, each of the first encryptors 110/160 will receive equivalent seeds at each re-seed event.
  • FIGs. 2A and 2B illustrate example flow diagrams for the encryption and decryption of data in an embodiment of this invention.
  • the flow diagram of FIG. 2A is detailed below.
  • references to elements 210, 220, 225, 230, 240, and encryptors E1, E2, in FIG. 2A correspond to elements 260, 270, 275, 280, 290, and decryptors D1, D2, respectively, in FIG. 2B.
  • this initialization includes initializing the counter 130, generating a seed value via the second encryptor 120, based on the input key 121, and, optionally, the counter 130, and initializing the first encryptor 110 based on this seed value.
  • the second encryptor 120 preferably provides the entire seed; if not, the initialization 210 includes obtaining the remainder of the seed for the first encryptor 110, using conventional techniques.
  • the next/first input is encrypted by the encryptor E1.
  • the encryptor E1 will typically use a stream cipher, for speed and hardware efficiency, although any other cipher process may be used.
  • the reseed interval "N" can be a variable that is generated by the second encryptor E2 when the previous seed is produced, or based on a previous encrypted output of the first encryptor E1, or based on any of a variety of techniques commonly used in the art of cryptography for generating a varying parameter. If the first encryptor E1 uses a stream cipher, the value of "N" is preferably constrained to be substantially less than the repeat-length of the keystream.
  • the next input is processed, at 220. Otherwise, a new seed is obtained from the second encryptor E2, at 230, and the first encryptor is reseeded with this seed, at 240. As noted above, this new seed preferably affects all of the cryptographic parameters of the encryptor E1, although it is typically only necessary to affect one of these parameters to introduce an "unpredictable" change to the conventional behavior of the encryptor E1, thereby substantially enhancing the security of the encrypted output from the encryptor E1. After reseeding, at 240, the next input is processed, at 220.
  • the reseed value is preferably pre-generated after each seeding of the encryptor El, in parallel with the processing of the input at 220, to minimize the delay incurred at each occurrence of a reseed operation.
  • the generation of a new seed value via a block cipher may be a time consuming process, compared to a stream cipher process, this time-consuming process need only occur once per "N" processings of the input stream.
  • a stream cipher is used in the first encryptor/decryptor pair 110/160
  • a block cipher is used in the second encryptor/ decryptor pair 120/170
  • the embodiments of FIGs. 1A-1B and 2A-2B achieve the speed advantage attributable to stream ciphers, while achieving the security advantage attributable to block ciphers.
  • Other cipher combinations will achieve other sets of advantages.
  • FIG. 3 illustrates an example block diagram of an example encryption system wherein an AES-based reseed generator 350 provides a periodic or aperiodic seed to a Helix stream cipher engine 310, so that a plain input P_i 301 is encrypted to an encrypted output E_i 331, with the speed of a Helix engine 310, but, when appropriately configured, provided with the security of at least the AES-based generator 350.
  • this description refers to the encryption of plain input to encrypted output, and applies equally to an encryption (decryption) of encrypted input to plain output.
  • the modification required for decryption is that the "plain input" to the Helix engine 310 is provided from the encrypted output of an identical engine. It is well known that if one encrypts by an XOR of a plain input with an unknown stream, the plain input can be restored by an XOR of the encrypted stream with the identical unknown stream.
  • the Helix engine 310 accepts as input two keywords X_{i,0} 322 and X_{i,1} 224 and plaintext P_i 301, the term "plaintext" being used in the general sense, meaning the input that is to be encrypted, regardless of whether it is "text" or "plain", to facilitate the generation of a keystream S_i 315 for combining with the plaintext P_i 301 at the XOR gate.
  • the Helix engine 310 provides an output keystream 315 based on a current state Z_0^i-Z_4^i 311, and generates a next state Z_0^{i+1}-Z_4^{i+1} 312 that replaces the current state 311 for each subsequent keystream generation.
  • a conventional Helix algorithm includes a keyword generator that generates the two keywords X_{i,0} 322 and X_{i,1} 224 based on a working key K_0-K_7 352 according to the following equations:
  • the seed that is provided from the AES reseed generator provides the working key K_0-K_7 352, and the need for the nonce, N, is eliminated, so that the keyword generator 320 in a preferred embodiment provides:
  • the reseed generator 350 also provides a new state Z_0^i-Z_4^i 311. As noted above, the reseed operation need only provide a single cryptographic parameter that affects the subsequent encodings, but in this example application, the reseed generator 350 provides both new working keys K_0-K_7 352 and a new initial state Z_0^i-Z_4^i 311.
  • This complete reseed operation, wherein the state 311 is set to a determined value, provides for an automatic re-sync capability, wherein any loss of synchronization between the encrypting/decrypting stream ciphers is automatically restored via the resynchronization to the reseeded initial state Z_0^i-Z_4^i 311.
  • the block size of an AES cipher is 16 bytes.
  • the working key K_0-K_7 of the Helix cipher requires 32 bytes, and the state Z_0^i-Z_4^i 311 requires 20 bytes.
  • To create the seed, four blocks (64 bytes) are encrypted by the AES cipher, using either the contents of a counter, or a sample of the input stream 301. That is, for example, four blocks from a prior segment of the input stream 301 can be used as the input that produces the seed for a subsequent segment of the input stream, with a known initialization vector being used to create the seed for the first segment.
  • a reseed operation is performed for each 1024 byte segment of the input stream 301. That is, a new seed (64 bytes) is produced by the AES cipher for each 1024 byte segment of the input stream, thereby allowing the AES cipher to be sixteen times slower than the Helix cipher.
  • multiple Helix cipher engines 310 can be arranged in parallel, each processing a portion of the input data stream, and a single AES reseed generator 350 can be used to provide each of these cipher engines 310 with periodic or aperiodic reseedings.
  • the time required for the AES block to create a seed can be compared to the number of seeds required for the multiple cipher engines to determine how frequently the seeds can be updated.

Abstract

A system and method that combine the speed of a stream cipher with the security of a block cipher. A block cipher is used to generate a sequence of seeds that is used to repeatedly re-seed a stream cipher. By re-seeding the stream cipher at intervals that are less than the cipher's keystream repeat period, the vulnerability of the stream cipher to attacks is substantially reduced. An AES block cipher can be used to generate the seeds for the stream cipher, by encrypting a changing input value, such as a counter input, using a given encryption key. In a preferred embodiment, the AES seed-generator periodically provides an initial/re-initial state value and working key value to a Helix stream cipher.

Description

HIGH SPEED ENCRYPTION AND DECRYPTION
This invention relates to the field of cryptographic systems, and in particular to a high speed stream cipher system with enhanced security. A stream cipher is a cipher in which the input stream is encrypted sequentially, generally one data unit (word/byte/bit) at a time, and in which the transformation of subsequent data units varies during the encryption. A block cipher, on the other hand, is a cipher that operates on large blocks of data with a fixed, unvarying transformation. That is, a block cipher of a given block of data and a given encryption key will always produce the same encrypted output block. A stream cipher's output, on the other hand, is dependent upon the state of the cipher system at the time that the data unit is being encrypted.
Generally, a stream cipher combines the input stream with a generated keystream, the keystream being pseudorandomly generated based on a given encryption key, or set of keys. Because the sequential generation of a keystream is generally a less complex operation than the block-encryption of a data block, stream ciphers are typically substantially faster than block ciphers, and require substantially fewer hardware components.
Stream ciphers are particularly well suited for the high-speed encryption/decryption of streams of data of unknown length, such as telephone conversations, streaming video, and so on. When block ciphers are used on such data, the design must include provisions for padding input streams that terminate prior to filling a block.
It is generally known, however, that stream ciphers are less secure than block ciphers, in that they are all susceptible to distinguishing attacks that use less than an exhaustive search. Further, all stream ciphers are vulnerable to attack if the keystream is repeated. Ideally, with a 128-bit key, the keystream's repeat-length is 2^128 bits, which is acceptable in most applications, but at an encryption rate of 100Mb per second, the recycle time of such a cipher amounts to under 25 minutes, which renders the cipher unsuitable for long-running applications, such as streaming video. On the other hand, the complexity of block ciphers renders them either too costly or too slow for such consumer applications. The "Common Scrambling Algorithm" (CSA) has been used extensively for encrypting digital television channels. The algorithm has not been published by the originators, but reverse-engineering of a software embodiment of the algorithm reveals that it uses a combination of a stream and block cipher. Each of the ciphers receives the same key, which is configured to change regularly, presumably to avoid a repetition of the keystream. An input packet is divided into blocks, and each block is encrypted, in reverse order, using the block cipher with an initialization vector of zero. The last output block of the block cipher is used as a nonce to the stream cipher, and the bits of each encrypted block are XOR'd with the output bits of the stream cipher to produce a stream-and-block encrypted output. Because both ciphers are applied to the data, the speed of encryption or decryption is limited to the slower of the two ciphers, which is generally the block cipher. Additionally, because the same key is used in both the stream and block ciphers, an attack on either cipher to determine the key will defeat the system ("Fault attack on the DVB Common Scrambling Algorithm", Kai Wirt, November 2003, Cryptology ePrint Archive: Report 2004/289).
It is an object of this invention to provide a stream cipher with enhanced security. It is a further object of this invention to provide a high-speed stream cipher that incorporates the security provided by a block cipher. It is a further object of this invention to provide a stream cipher with a virtually non-repeating keystream.
These objects and others are achieved by a system and method that combine the speed of a stream cipher with the security of a block cipher. A block cipher is used to generate a sequence of seeds that is used to repeatedly re-seed a stream cipher. By re-seeding the stream cipher at intervals that are less than the cipher's keystream repeat period, the vulnerability of the stream cipher to attacks is substantially reduced. Because the block cipher is used to generate the seeds, and not to encrypt the input data, the speed of encryption of the input data is virtually independent of the speed of the block cipher. An AES block cipher can be used to generate the seeds for the stream cipher, by encrypting a changing input value, such as a counter input, using a given encryption key. In a preferred embodiment, the AES seed-generator periodically provides an initial/re-initial state value and working key value to a Helix stream cipher or a SNOW cipher.
The invention is explained in further detail, and by way of example, with reference to the accompanying drawings wherein: FIGs. 1A and 1B illustrate example block diagrams of an encryption system and a decryption system in accordance with this invention.
FIGs. 2A and 2B illustrate example flow diagrams of an encryption system and a decryption system in accordance with this invention. FIG. 3 illustrates an example block diagram of an embodiment of an encryption system in accordance with this invention, including an AES reseed-generator and a Helix stream cipher.
Throughout the drawings, the same reference numeral refers to the same element, or an element that performs substantially the same function. The drawings are included for illustrative purposes and are not intended to limit the scope of the invention.
In the following description, for purposes of explanation rather than limitation, specific details are set forth such as the particular architecture, interfaces, techniques, etc., in order to provide a thorough understanding of the present invention. However, it will be apparent to those skilled in the art that the present invention may be practiced in other embodiments, which depart from these specific details. For purposes of simplicity and clarity, detailed descriptions of well-known devices, circuits, and methods are omitted so as not to obscure the description of the present invention with unnecessary detail.
FIG. 1A illustrates an example encryption system, and FIG. 1B illustrates an example decryption system. In FIG. 1A, a first encryptor 110 receives plain input P_in 101, and produces therefrom encrypted output E_out 111. In FIG. 1B, a first decryptor 160 receives encrypted input E_in 151, and produces therefrom plain output P_out 161. If the encrypted input E_in 151 corresponds to the encrypted output E_out 111, and the decryptor 160 uses the appropriate decryption parameters, the plain output P_out 161 will correspond to the plain input P_in 101.
A second encryptor 120 and a second decryptor 170 are used to provide the encrypting and decrypting parameters to the first encryptor 110 and first decryptor 160, respectively. For ease of explanation and understanding, the invention is presented herein using the paradigm of a stream cipher being employed in the first encryptor 110 and first decryptor 160, and a block cipher being employed in the second encryptor 120 and second decryptor 170, because such a combination provides advantages that are particularly well suited for high-speed encryption of streaming data. One of ordinary skill in the art will recognize, however, that the invention is not limited to this particular configuration. That is, for example, the first encryptor/decryptor pair 110/160 could use a stream or a block cipher, and/or the second encryptor/decryptor pair 120/170 could use a stream or a block cipher; or, either of the pairs could include a hybrid cipher that includes elements of a stream and a block cipher. In most cryptographic embodiments, encryptors and decryptors are virtually identical, with minor changes typically associated with the first or last stages, as defined for the particular cipher. For ease of reference and understanding, the term "encrypt" is used hereinafter for convenience to refer to either the processing of plaintext input to produce encrypted output, or the processing of encrypted input to produce plaintext output. Similarly, the term "encryptor" is used hereinafter for convenience to refer to either the encryptor blocks 110-120, or the decryptor blocks 160-170, and the following description will address FIG. 1A. One of ordinary skill in the art will recognize that references to elements 101, 110, 111, 120, 121, 130, and 140 in FIG. 1A correspond to elements 151, 160, 161, 170, 171, 180, and 190 in FIG. 1B, respectively.
The encryption parameters that are provided to the first encryptor 110 are termed "seeds", corresponding to the stream cipher paradigm, wherein the seed values determine a starting state of the encryptor 110, from which subsequent states are developed. In a typical stream cipher encryptor, the seed may also include an initial working key value, which is typically a set of bits that are derived from a secret input key and a selected (public) nonce. The use of a nonce allows the same secret key to be used for encrypting different messages, or the same message, by effectively forming a unique key for the particular stream being produced. If the first encryptor 110 uses a block cipher, which is state independent, the "seed" in this example would correspond to the working key value. A reseed controller 140 is configured to periodically or aperiodically cause the first encryptor 110 to use a new seed that includes at least one cryptographic parameter that is substantially independent of the prior seed, and/or substantially independent of any prior state of the first encryptor 110. In a preferred embodiment, the second encryptor 120 provides the entire seed, thereby simplifying the user's interaction with the system by having the user merely provide the cryptographic parameters required for the second encryptor 120. However, in an alternative embodiment, the second encryptor 120 may provide a subset of the seed values, such as all or part of the state value, or all or part of the working key value.
In a straightforward embodiment, a counter 130 provides a new input to the second encryptor 120 each time a new seed is required. The new seed is a cryptographic encoding of the input from the counter 130, based on a secret key 121. In a preferred embodiment, the second encryptor 120 uses an AES block cipher to produce the new seed, because of the high security level provided by AES, although any other encryption technique may be used.
The reseed controller 140 preferably controls the content of the counter 130, so that the use of the same algorithm in each of the controllers 140/190 (FIGs. IA and IB) assures that each of the second encryptors 120/170 receives the same input. In this way, if each of the keys 121/171 is the same, each of the first encryptors 110/160 will receive equivalent seeds at each re-seed event.
FIGs. 2A and 2B illustrate example flow diagrams for the encryption and decryption of data in an embodiment of this invention. For ease of reference, the flow diagram of FIG. 2A is detailed below. One of ordinary skill in the art will recognize that references to elements 210, 220, 225, 230, 240, and encryptors E1, E2, in FIG. 2A correspond to elements 260, 270, 275, 280, 290, and decryptors D1, D2, respectively, in FIG. 2B.
At 210, the first and second encryptors E1, E2, are initialized. With regard to the example embodiment of FIG. 1A, this initialization includes initializing the counter 130, generating a seed value via the second encryptor 120, based on the input key 121, and, optionally, the counter 130, and initializing the first encryptor 110 based on this seed value.
As noted above, the second encryptor 120 preferably provides the entire seed; if not, the initialization 210 includes obtaining the remainder of the seed for the first encryptor 110, using conventional techniques.
At 220, the next/first input is encrypted by the encryptor E1. As noted above, the encryptor E1 will typically use a stream cipher, for speed and hardware efficiency, although any other cipher process may be used.
At 225, a determination is made whether a reseed operation is required. As noted above, this determination may be based on periodic or aperiodic criteria. In a straightforward embodiment, for example, a reseed operation may be scheduled to occur after "N" data units (blocks/words/bytes/bits) are processed at 220. Optionally, to introduce some variability, the reseed interval "N" can be a variable that is generated by the second encryptor E2 when the previous seed is produced, or based on a previous encrypted output of the first encryptor E1, or based on any of a variety of techniques commonly used in the art of cryptography for generating a varying parameter. If the first encryptor E1 uses a stream cipher, the value of "N" is preferably constrained to be substantially less than the repeat-length of the keystream.
If, at 225, a reseed operation is not scheduled to occur, the next input is processed, at 220. Otherwise, a new seed is obtained from the second encryptor E2, at 230, and the first encryptor is reseeded with this seed, at 240. As noted above, this new seed preferably affects all of the cryptographic parameters of the encryptor E1, although it is typically only necessary to affect one of these parameters to introduce an "unpredictable" change to the conventional behavior of the encryptor E1, thereby substantially enhancing the security of the encrypted output from the encryptor E1. After reseeding, at 240, the next input is processed, at 220.
Not illustrated in FIG. 2A, the reseed value is preferably pre-generated after each seeding of the encryptor E1, in parallel with the processing of the input at 220, to minimize the delay incurred at each occurrence of a reseed operation. Note that although the generation of a new seed value via a block cipher may be a time consuming process, compared to a stream cipher process, this time-consuming process need only occur once per "N" processings of the input stream. Thus, if a stream cipher is used in the first encryptor/decryptor pair 110/160, and a block cipher is used in the second encryptor/decryptor pair 120/170, the embodiments of FIGs. 1A-1B and 2A-2B achieve the speed advantage attributable to stream ciphers, while achieving the security advantage attributable to block ciphers. Other cipher combinations will achieve other sets of advantages.
FIG. 3 illustrates an example block diagram of an example encryption system wherein an AES-based reseed generator 350 provides a periodic or aperiodic seed to a Helix stream cipher engine 310, so that a plain input $P_i$ 301 is encrypted to an encrypted output $E_i$ 331, with the speed of a Helix engine 310, but, when appropriately configured, provided with the security of at least the AES-based generator 350. As in the prior examples, this description refers to the encryption of plain input to encrypted output, and applies equally to the decryption of encrypted input to plain output. In the example of FIG. 3, the modification required for decryption is that the "plain input" to the Helix engine 310 is provided from the encrypted output of an identical engine. It is well known that if one encrypts by an XOR of a plain input with an unknown stream, the plain input can be restored by an XOR of the encrypted stream with the identical unknown stream.
The Helix engine 310 accepts as input two keywords $X_{i,0}$ 322 and $X_{i,1}$ 224 and plaintext $P_i$ 301, the term "plaintext" being used in the general sense, meaning the input that is to be encrypted, regardless of whether it is "text" or "plain", to facilitate the generation of a keystream $S_i$ 315 for combining with the plaintext $P_i$ 301 at the XOR gate 330, to produce an encrypted output $E_i$ 331. The Helix algorithm is disclosed in detail in "Helix: Fast Encryption and Authentication in a Single Cryptographic Primitive", by Niels Ferguson et al., published in Fast Software Encryption, 2003. Of particular note, the Helix engine 310 provides an output keystream 315 based on a current state $Z_0^i$-$Z_4^i$ 311, and generates a next state $Z_0^{i+1}$-$Z_4^{i+1}$ 312 that replaces the current state 311 for each subsequent keystream generation.
A conventional Helix algorithm includes a keyword generator that generates the two keywords $X_{i,0}$ 322 and $X_{i,1}$ 224 based on a working key $K_0$-$K_7$ 352 according to the following equations:

$X_{i,0} = K_{i \bmod 8}$;

$X_{i,1} = K_{(i+4) \bmod 8} + N_{i \bmod 8} + X'_i + i + 8$;

where $K$ is the working key, $N$ is the selected nonce, all additions are taken modulo $2^{32}$ (the Helix word size), and

$X'_i = \lfloor (i+8)/2^{31} \rfloor$ if $i \bmod 4 = 3$; $4L$ if $i \bmod 4 = 1$; $0$ otherwise,

where $L$ is the key length. In a preferred embodiment, the seed that is provided from the AES reseed generator provides the working key $K_0$-$K_7$ 352, and the need for the nonce, $N$, is eliminated, so that the keyword generator 320 in a preferred embodiment provides:

$X_{i,1} = K_{(i+4) \bmod 8} + X'_i + i + 8$,

where $X'_i$ is as defined above, with $L$ set to a constant integer in the range of 0-32. By providing the working key directly, the conventional generation of the working key for the Helix cipher is also eliminated. Additionally, in a preferred embodiment, the reseed generator 350 also provides a new state $Z_0^i$-$Z_4^i$ 311. As noted above, the reseed operation need only provide a single cryptographic parameter that affects the subsequent encodings, but in this example application, the reseed generator 350 provides both new working keys $K_0$-$K_7$ 352 and a new initial state $Z_0^i$-$Z_4^i$ 311. This complete reseed operation, wherein the state 311 is set to a determined value, provides for an automatic re-sync capability, wherein any loss of synchronization between the encrypting/decrypting stream ciphers is automatically restored via the resynchronization to the reseeded initial state $Z_0^i$-$Z_4^i$ 311, provided that both sides perform the reseed at the same position in the stream.
The block size of an AES cipher is 16 bytes. The working key $K_0$-$K_7$ of the Helix cipher requires 32 bytes, and the state $Z_0^i$-$Z_4^i$ 311 requires 20 bytes. To create the seed, four blocks (64 bytes) are encrypted by the AES cipher, using either the contents of a counter, or a sample of the input stream 301. That is, for example, four blocks from a prior segment of the input stream 301 can be used as the input that produces the seed for a subsequent segment of the input stream, with a known initialization vector being used to create the seed for the first segment. Whichever source is used, the encrypting and decrypting sides must present identical AES inputs at each reseed (the counter value, or a sample that both sides hold in the same form at that point), since any difference yields different seeds and loses synchronization for the following segment.
In a preferred embodiment, a reseed operation is performed for each 1024 byte segment of the input stream 301. That is, a new seed (64 bytes) is produced by the AES cipher for each 1024 byte segment of the input stream, thereby allowing the AES cipher to be sixteen times slower than the Helix cipher.
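The flow of FIGs. 2A and 2B (initialization 210, encryption 220, reseed check 225, new seed 230 and reseed 240, with the next seed pre-generated during the current segment) and the FIG. 3 sizing above (a 64-byte seed from four AES blocks carrying the 32-byte working key and the 20-byte state, one reseed per 1024-byte segment) are exercised together in the following added example, which is not code from the patent or from Philips. It is written in Go because the standard library supplies AES for the second encryptor; the first encryptor is a throwaway ARX keystream that stands in for the Helix engine 310 and carries no security claim, since a faithful Helix implementation is outside this page, but it takes its key words from the nonce-free keyword generator given above. The layout of the seed within the 64 bytes, the 16-byte demo key, the sample input and the corrupted-state scenario are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
	"math/bits"
)

// Assumed seed layout (this example's choice): the 64-byte AES output carries the 32-byte
// working key K0..K7, then the 20-byte state Z0..Z4 (12 bytes unused); keyLenL is the constant "L".
const seedBytes, reseedEvery, keyLenL = 64, 1024, 32
// KeyWords is the nonce-free keyword generator of the text: X_{i,0} = K_{i mod 8} and
// X_{i,1} = K_{(i+4) mod 8} + X'_i + i + 8, X'_i = (i+8)/2^31 if i mod 4 = 3, 4L if i mod 4 = 1, else 0.
func KeyWords(k [8]uint32, i uint32) (x0, x1 uint32) {
	xp := map[uint32]uint32{3: (i + 8) >> 31, 1: 4 * keyLenL}[i%4] // X'_i; all arithmetic mod 2^32
	return k[i%8], k[(i+4)%8] + xp + i + 8
}

// Engine is one encryptor/decryptor: E2 is AES under secret key 121 driven by counter 130, E1 a toy
// ARX keystream standing in for the Helix engine 310 (NOT Helix, no security claim), controller 140.
type Engine struct {
	block   cipher.Block
	counter uint64
	k       [8]uint32 // working key K0..K7
	z       [5]uint32 // state Z0..Z4
	next    []byte    // seed pre-generated for the next segment
	pos     int       // bytes processed in the current segment; also the keystream index i
}

func NewEngine(key []byte) *Engine {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // demo only: the AES key must be 16, 24 or 32 bytes
	}
	e := &Engine{block: b}
	e.next = e.nextSeed() // first seed
	e.reseed()            // initialization 210; also pre-generates the second seed
	return e
}
// nextSeed is E2: seed n = AES_K(4n) || ... || AES_K(4n+3), independent of E1's prior state.
func (e *Engine) nextSeed() []byte {
	seed := make([]byte, seedBytes)
	var in [aes.BlockSize]byte
	for j := 0; j < seedBytes; j += aes.BlockSize {
		binary.BigEndian.PutUint64(in[8:], e.counter)
		e.block.Encrypt(seed[j:], in[:])
		e.counter++
	}
	return seed
}
// reseed (240) loads K and Z from the pre-generated seed, then pre-generates the next one.
func (e *Engine) reseed() {
	for w := range e.k {
		e.k[w] = binary.LittleEndian.Uint32(e.next[4*w:])
	}
	for w := range e.z {
		e.z[w] = binary.LittleEndian.Uint32(e.next[32+4*w:])
	}
	e.next, e.pos = e.nextSeed(), 0
}
// step emits keystream word S_i and replaces state Z^i by Z^{i+1} (toy round, not Helix).
func (e *Engine) step() uint32 {
	x0, x1 := KeyWords(e.k, uint32(e.pos))
	e.z[0] += e.z[3] ^ x0
	e.z[1] = bits.RotateLeft32(e.z[1]^e.z[0], 7) + x1
	e.z[2] ^= bits.RotateLeft32(e.z[2]+e.z[1], 13)
	e.z[3], e.z[4] = e.z[4]^e.z[2], bits.RotateLeft32(e.z[3]+e.z[0], 20)
	return e.z[4] + e.z[1]
}
// Process encrypts or decrypts (XOR with the keystream, 220); the reseed check 225 runs per byte.
func (e *Engine) Process(in []byte) []byte {
	out := make([]byte, len(in))
	for n, b := range in {
		if e.pos == reseedEvery {
			e.reseed()
		}
		out[n] = b ^ byte(e.step()) // one keystream word spent per byte, for brevity
		e.pos++
	}
	return out
}

// Demo returns (round trip ok, segment 0 damaged after state corruption, later segments recovered).
func Demo() (ok, damaged, recovered bool) {
	key := []byte("0123456789abcdef")                        // constructed demo key 121
	plain := bytes.Repeat([]byte("video frame data "), 200) // constructed 3400-byte input
	enc, dec, lost := NewEngine(key), NewEngine(key), NewEngine(key)
	ct := enc.Process(plain)
	ok = bytes.Equal(dec.Process(ct), plain)
	lost.z[0] ^= 0xdeadbeef // simulated loss of synchronization inside segment 0
	pt := lost.Process(ct)
	damaged = !bytes.Equal(pt[:reseedEvery], plain[:reseedEvery])
	return ok, damaged, bytes.Equal(pt[reseedEvery:], plain[reseedEvery:])
}

func main() { fmt.Println(Demo()) } // prints: true true true
```

Running the block prints true true true: two engines under the same key 121 and the same counter sequence produce identical seeds and round-trip the data; a decryptor whose state 311 drifts inside a segment loses the rest of that segment; and the next full-state reseed restores synchronization with no explicit resynchronization message, which is the automatic re-sync property described for the state 311. Because the example counts bytes to find the reseed boundary, a byte dropped or inserted in transit shifts the decryptor's boundaries and is not repaired by this mechanism; only corruption of the engine's internal state at an aligned position is.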
To provide even higher speed encryption/decryption, multiple Helix cipher engines 310 can be arranged in parallel, each processing a portion of the input data stream, and a single AES reseed generator 350 can be used to provide each of these cipher engines 310 with periodic or aperiodic reseedings. As in the single engine embodiment, the time required for the AES block to create a seed can be compared to the number of seeds required for the multiple cipher engines to determine how frequently the seeds can be updated.
The foregoing merely illustrates the principles of the invention. It will thus be appreciated that those skilled in the art will be able to devise various arrangements which, although not explicitly described or shown herein, embody the principles of the invention and are thus within the spirit and scope of the following claims.
In interpreting these claims, it should be understood that: a) the word "comprising" does not exclude the presence of other elements or acts than those listed in a given claim; b) the word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements; c) any reference signs in the claims do not limit their scope; d) several "means" may be represented by the same item or hardware or software implemented structure or function; e) each of the disclosed elements may be comprised of hardware portions (e.g., including discrete and integrated electronic circuitry), software portions (e.g., computer programming), and any combination thereof; f) hardware portions may be comprised of one or both of analog and digital portions; g) any of the disclosed devices or portions thereof may be combined together or separated into further portions unless specifically stated otherwise; h) no specific sequence of acts is intended to be required unless specifically indicated; and i) the term "plurality of" an element includes two or more of the claimed element, and does not imply any particular range of number of elements; that is, a plurality of elements can be as few as two elements.

Claims

CLAIMS:
1. A system comprising: a first encryptor that is configured to apply a first cipher to input data of an input data set and produce therefrom output data, based on a value of a first encryption key, a second encryptor that is configured to provide the value of the first encryption key, based on a value of a second encryption key, and a controller that is configured to cause the second encryptor to provide at least an other value of the first encryption key, and wherein the first encryptor applies the first cipher to subsequent input data of the first data set based on this other value of the first encryption key.
2. The system of claim 1, wherein the first cipher includes a stream cipher.
3. The system of claim 2, wherein the second encryptor is configured to apply a block cipher to provide the values of the first encryption key.
4. The system of claim 3, wherein the second encryptor is further configured to provide a state of the stream cipher.
5. The system of claim 3, wherein the first cipher includes at least one of a Helix cipher and a SNOW cipher.
6. The system of claim 3, wherein the block cipher includes an AES cipher.
7. The system of claim 2, wherein the first cipher includes at least one of a Helix cipher and a SNOW cipher.
8. The system of claim 2, wherein the controller is configured to repeatedly cause the second encryptor to provide additional values of the first encryption key to the first encryptor at one or more intervals that are substantially less than a repeat-length of a keystream of the stream cipher.
9. The system of claim 8, wherein the one or more intervals are determined based at least in part on at least one of: an amount of input data processed; an output of the first encryptor; and an output of the second encryptor.
10. The system of claim 1, wherein the second encryptor is configured to apply a block cipher to provide the other value of the first encryption key.
11. The system of claim 1, wherein the second encryptor is configured to provide the other value of the first encryption key based on a value of an input to the second encryptor, and the value of the input to the second encryptor is based on at least one of: a portion of the input data set; an output of a counter; an output of the first encryptor; and an output of the second encryptor.
12. The system of claim 1, wherein the input data is one of plain data and encrypted data, and the output data is, correspondingly, one of encrypted data and plain data.
13. The system of claim 1, wherein one of the input data and output data corresponds to video data.
14. A method comprising: applying a first cipher to first input data of an input data set and producing therefrom first output data, based on a first value of a first encryption key, applying a second cipher to an input item to provide a second value of the first encryption key, based on an input key, and applying the first cipher to second input data of the input data set and producing therefrom second output data, based on the second value of the first encryption key.
15. The method of claim 14, wherein the first cipher includes a stream cipher.
16. The method of claim 15, wherein the second cipher includes a block cipher.
17. The method of claim 16, further including providing a state of the stream cipher via the second cipher.
18. The method of claim 16, wherein the first cipher includes at least one of a Helix cipher and a SNOW cipher.
19. The method of claim 16, wherein the block cipher includes an AES cipher.
20. The method of claim 15, further including providing a state of the stream cipher via the second cipher.
21. The method of claim 15, wherein the first cipher includes at least one of a Helix cipher and a SNOW cipher.
22. The method of claim 15, further including repeatedly applying the second cipher to additional input items to provide additional values of the first encryption key at one or more intervals, and applying the first cipher to subsequent input data of the input data set and producing therefrom subsequent output data, based on the additional values of the first encryption key, wherein the one or more intervals are each less than a repeat-length associated with the stream cipher.
23. The method of claim 14, further including repeatedly applying the second cipher to additional input items to provide additional values of the first encryption key at one or more intervals, and applying the first cipher to subsequent input data of the input data set and producing therefrom subsequent output data, based on the additional values of the first encryption key.
24. The method of claim 23, wherein the one or more intervals are based on at least one of: an amount of the input data processed, an output of the first cipher, and an output of the second cipher.
25. The method of claim 14, wherein the input item to the second cipher is based on at least one of: an output of a counter, an output of the first cipher, an output of the second cipher, and a portion of the input data set.
26. The method of claim 14, wherein the second cipher includes a block cipher.
PCT/IB2006/050436 2005-02-09 2006-02-09 High speed encryption and decryption WO2006085283A1 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US65130305P 2005-02-09 2005-02-09
US60/651,303 2005-02-09
US72522205P 2005-10-11 2005-10-11
US60/725,222 2005-10-11

Publications (1)

Publication Number Publication Date
WO2006085283A1 true WO2006085283A1 (en) 2006-08-17

Family

ID=36570387

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2006/050436 WO2006085283A1 (en) 2005-02-09 2006-02-09 High speed encryption and decryption

Country Status (1)

Country Link
WO (1) WO2006085283A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007043002A2 (en) * 2005-10-14 2007-04-19 Koninklijke Philips Electronics N.V. Improved security system
WO2007060587A1 (en) * 2005-11-23 2007-05-31 Koninklijke Philips Electronics, N.V. Mutli-lane high-speed encryption and decryption
FR2941114A1 (en) * 2009-01-13 2010-07-16 Viaccess Sa METHOD AND MODULE FOR RENEWING THE CODE OF A CRYPTOGRAPHIC ALGORITHM, METHOD AND MODULE FOR GENERATING A SEED, SECURITY PROCESSOR, AND ENERGY SUPPORT FOR THESE METHODS

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1063811A1 (en) * 1999-06-22 2000-12-27 Hitachi Europe Limited Cryptographic apparatus and method
US20040202321A1 (en) * 1999-08-29 2004-10-14 Graunke Gary L. Digital video content transmission ciphering and deciphering method and apparatus

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
MITSUYAMA Y ET AL: "VLSI implementation of high performance burst mode for 128-bit block ciphers", ASIC/SOC CONFERENCE, 2001. PROCEEDINGS. 14TH ANNUAL IEEE INTERNATIONAL SEPT. 12-15, 2001, PISCATAWAY, NJ, USA,IEEE, 12 September 2001 (2001-09-12), pages 3 - 7, XP010560746, ISBN: 0-7803-6741-3 *
YA-PING ZHANG ET AL: "A stream cipher algorithm based on conventional encryption techniques", ELECTRICAL AND COMPUTER ENGINEERING, 2004. CANADIAN CONFERENCE ON NIAGARA FALLS, ONT., CANADA 2-5 MAY 2004, PISCATAWAY, NJ, USA,IEEE, US, 2 May 2004 (2004-05-02), pages 649 - 652Vol2, XP010733530, ISBN: 0-7803-8253-6 *

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007043002A2 (en) * 2005-10-14 2007-04-19 Koninklijke Philips Electronics N.V. Improved security system
WO2007043002A3 (en) * 2005-10-14 2007-08-16 Koninkl Philips Electronics Nv Improved security system
WO2007060587A1 (en) * 2005-11-23 2007-05-31 Koninklijke Philips Electronics, N.V. Mutli-lane high-speed encryption and decryption
FR2941114A1 (en) * 2009-01-13 2010-07-16 Viaccess Sa METHOD AND MODULE FOR RENEWING THE CODE OF A CRYPTOGRAPHIC ALGORITHM, METHOD AND MODULE FOR GENERATING A SEED, SECURITY PROCESSOR, AND ENERGY SUPPORT FOR THESE METHODS
WO2010081631A1 (en) * 2009-01-13 2010-07-22 Viaccess Method and module for renewing the code of a cryptographic algorithm, method and module for generating a seed, security processor and recording medium for these methods
CN102282797A (en) * 2009-01-13 2011-12-14 维亚塞斯公司 Method and module for renewing the code of a cryptographic algorithm, method and module for generating a seed, security processor and recording medium for these methods
TWI410104B (en) * 2009-01-13 2013-09-21 Viaccess Sa Method and module for renewing the code of a cryptographic algorithm, method and module for generating a seed, security processor and recording carrier for these methods
US8542822B2 (en) 2009-01-13 2013-09-24 Viaccess Method and module for renewing the code of a cryptographic algorithm, method and module for generating a seed, security processor and recording carrier for these methods
CN102282797B (en) * 2009-01-13 2015-09-16 维亚塞斯公司 The update method of cryptographic algorithm code and device, and safe processor

Similar Documents

Publication Publication Date Title
EP0615361B1 (en) System and method for high speed encryption using multiple keystream generator
US8942371B2 (en) Method and system for a symmetric block cipher using a plurality of symmetric algorithms
US10320554B1 (en) Differential power analysis resistant encryption and decryption functions
US5745577A (en) Symmetric cryptographic system for data encryption
AU2008258582B2 (en) Cryptographic methods and devices for pseudo-random generation, encrypting data, and cryptographically hashing a message
EP2197144A1 (en) Methods and devices for a chained encryption mode
US7110539B1 (en) Method and apparatus for encrypting and decrypting data
CN109861810B (en) Data encryption method and decryption method based on chaotic block encryption algorithm
EP0681768A1 (en) A method and apparatus for generating a cipher stream
EP1281254A1 (en) Cryptographic system for data encryption standard
CA2414261A1 (en) Method of encryption using multi-key process to create a variable-length key
WO2019225735A1 (en) Data processing device, method, and computer program
CN109714154B (en) Implementation method of white-box cryptographic algorithm under white-box security model with difficult code volume
JP4399602B2 (en) Random number generation, encryption and decryption apparatus, method, program, and recording medium
WO2006085283A1 (en) High speed encryption and decryption
Patil et al. An enhancement in international data encryption algorithm for increasing security
WO2000056004A1 (en) Method and apparatus for encoding and decoding information
Shimal et al. Extended of TEA: A 256 bits block cipher algorithm for image encryption
TWI728933B (en) Hybrid multistage algorithm encryption and decryption system, transmitting device thereof, and receiving device thereof
EP3996321A1 (en) Method for processing encrypted data
Searan et al. Modification of RC4 algorithm by using two state tables and initial state factorial
Ali et al. Modified Advanced Encryption Standard algorithm for fast transmitted data protection
Tun et al. Message Security using One Time Pad and AES Hybrid Cryptography
Khalil et al. Round S-Boxes Development for Present-80 Lightweight Block Cipher Encryption Algorithm
Hassan et al. NETWORK SECURITY BY BLOCK CIPHERS

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
WWE Wipo information: entry into national phase (Ref document number: 2006710871; Country of ref document: EP)
NENP Non-entry into the national phase (Ref country code: DE)
WWW Wipo information: withdrawn in national office (Ref document number: 2006710871; Country of ref document: EP)
122 Ep: pct application non-entry in european phase (Ref document number: 06710871; Country of ref document: EP; Kind code of ref document: A1)
WWW Wipo information: withdrawn in national office (Ref document number: 6710871; Country of ref document: EP)