WO2006110954A1 - Process of and apparatus for counting - Google Patents
Process of and apparatus for counting Download PDFInfo
- Publication number
- WO2006110954A1 WO2006110954A1 PCT/AU2006/000527 AU2006000527W WO2006110954A1 WO 2006110954 A1 WO2006110954 A1 WO 2006110954A1 AU 2006000527 W AU2006000527 W AU 2006000527W WO 2006110954 A1 WO2006110954 A1 WO 2006110954A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- finite state
- counter
- state machine
- output
- period
- Prior art date
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/065—Encryption by serially and continuously modifying data stream elements, e.g. stream cipher systems, RC4, SEAL or A5/3
- H04L9/0656—Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher
- H04L9/0662—Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher with particular pseudorandom sequence generator
Definitions
- the present invention relates to cryptographic primitives.
- the term 'counter' is used to mean a set of bits, the set being of a fixed size b.
- the ⁇ -bits represent a number which in turn is the value of the counter. That value increments in a deterministic manner by the operation of a defined process on the bits. Irrespective of the initial state of the set of bits, the counter will eventually reach a value to which, after further incrementing, it will eventually return.
- Counters for the purpose of generating spreading sequences are used extensively in communications applications.
- Counters for the purpose of ensuring the minimal period length to be of a certain value are used extensively in cryptographic stream cipher constructions.
- Counters are known to serve as the entire internal state of a cipher, to be used in conjunction with a symmetric key or to be used in conjunction with the internal state of a stream cipher that is continuously updated by a nonlinear function or 'hashed'.
- the counters ensure a minimal period length, while the nonlinear combiners or filters obfuscate the relation between the output bits and the counter state.
- the paper 'Guaranteeing the Diversity of Number Generators' by Adi Shamir and Boaz Tsaban published in 2001 discloses that simple counters ensuring a certain minimal period length when combined with iterative number generators produce pseudo-random sequences with guaranteed period lengths.
- the number systems used to store the state of a counter module may be implemented in a wide and varied ways including but not limited to:
- - Weighted binary systems o one's complement representation; o one's complement representation modulo 2 n ; o two's complement representation; o two' s complement representation modulo 2 n ; o n-residue; o binary coded decimal; o reflective codes; o sequential codes; o one-hot encoding;
- Non- weighted binary systems o minimum change codes (gray codes); o linear feedback shift registers; o small nonlinear feedback shift registers; o excess-3 codes; o one-hot encoding; ' - Hybrid (combined weighted/non- weighted) systems: o remainder number system (RNS);
- Counters in cryptographic implementations are typically restricted to one's complement representation, two's complement representation, one-hot encoding, and linear feedback shift registers.
- Counters in general can be implemented using operations such as multiplication by an odd constant modulo a prime, addition or subtraction by a constant modulo 2 n or sequential transitions over a finite state machine.
- m-LFSR maximal length linear feedback shift registers
- a useful property of m-LFSR constructions is that they generate a single bit output binary sequence of 2" '1 length enabling the single bit output of several independent m-LFSR of independent lengths to be combined in a nonlinear fashion with a larger period length as disclosed in US patent 4,797,922 (Massey, et al.) published 10 January 1989.
- the entire m-LFSR state can be fed into the cipher state as disclosed in the above-referenced US patent 4,202,051.
- Counters based on nonlinear feedback shift registers have not been used in cryptographic applications to ensure a guaranteed minimal period length. As of the date of filing of this patent application it is computationally feasible to find strong NLFSRs with period lengths approaching about 2 40 in a compact polynomial feedback size. Guaranteed period lengths of at least 2 64 are generally required for modern cryptographic applications, and testing for such loops is considered technically prohibitive.
- DeBruijn sequences are «-bit wide nonlinear feedback shift registers with a period 2 n .
- DeBraijn sequences are not used as counters for achieving guaranteed minimal period length. Finding such sequences for large n (80 bits or more) by brute force is computationally infeasible and constructing them remains an open problem. Also, even if construction of such a large DeBruijn generator was possible, all 80 bits of the counter state would have to be used as inputs into the feedback function and such a wide function would most probably be unable to compete in performance with the modern stream ciphers.
- Grey codes minimum change codes
- Many grey codes require a complex nonlinear function to calculate state transitions.
- Grey codes ensure that the hamming weight distance between any two consecutive integers in such codes is always a distance of one. Such insignificant changes between rounds are usually ignored or easily brute-forced by the attacker.
- Counters based on iterative multiplication by a constant modulo a prime are well known by the mathematical community to generate prime periods. Counters based on modular multiplication have not been used in cryptographic applications to guarantee a minimal period length. Distribution of the bits of the output of such counters differs significantly depending on the prime modulus chosen. The run-time calculation of multiplication modulo a prime is considered an expensive cryptographic operation.
- Counters based on addition by 1 modulo 2" are generally implemented in two's complement encoding and employ ripple-carry logic.
- the RNS is defined by a set of relatively prime integers ⁇ mi, ni 2 , ..., mi) called moduli.
- the dynamic range of the RNS system is M, which is the product of ⁇ mi, m2, ..., mi ⁇ .
- Addition over RNS systems requires each of the remainders to transition to the next sequential state. Such counters normally include the entire state as their output for further transformation operations.
- RNS remainders are represented in one-hot encoding, two's complement encoding, and as m-LFSR over prime feedback polynomials respectively in the above-referenced US patent 3,038,028, US patent 3,170,033 (Vasseur) published 16 February 1965 and the above- referenced US patent 4,058,673.
- Performing addition over RNS remainders represented in two's complement representation exhibits highly regular periods in many of the bit positions of the remainders as previously discussed as a characteristic of the incrementing modulo 2 n .
- Addition modulo 2" implemented in two's complement for each of the remainder can be easily approximated as a linear function, and thus the unknown state of the counter implemented in two's complement does not significantly contribute to the strength of a cipher.
- various embodiments of the present invention provide a process of counting for the purpose of guaranteeing a minimal period length. It will be also seen that various embodiments of the present invention provide a process of counting to generate spreading sequences used in encoding communication signals.
- the total period of a counter based on the set of such co-prime moduli is calculated as their product. For example an incremental counter based on the set of moduli ⁇ 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61 ⁇ generates a loop with a guaranteed period/? of ⁇ 2 81 54 . Generally speaking, if some of the moduli have common divisors, then the total period of such a counter would be calculated as the least common multiple of all the moduli.
- each remainder is a finite state machine labelled ⁇ rj, r 2 , ... , r ⁇ .
- Each remainder from the set ⁇ ri, r ⁇ , ..., ri) has a respective period length equal to its respective modulus labelled mi, ni 2 , ..., mi.
- Each remainder from the set ⁇ r ⁇ , r%, ..., r ⁇ is also respectively assigned a bit width labelled W 1 , W 2 , ..., W L , with w being the total width of the finite state machine r in bits.
- Each remainder r is respectively assigned a W j bit wide binary state r ⁇ i, ⁇ s 2 , ..., r j S p .
- the RNS binary state rs is the static but arbitrarily ordered sequence of all the bits of the remainder bit states ris, r ⁇ s, ..., ri ⁇ such that the size of the RNS binary state is the sum of W 1 , W 2 , ..., WL in length.
- the p states of the finite state machine r are called rs ⁇ , rsi, ..., rs p .
- moduli with the largest p for the given set of moduli widths W j which is found by choosing moduli with the smallest number of common factors.
- Each modulus m is then multiplied by an arbitrary small number increasing it to the largest number divisible by m that is no wider than W j bits.
- selecting moduli with 6-bit lengths allows for an efficient hardware implementation in a wide range of hardware architectures.
- the prime numbers less than 64 as well as the number 64 are present in the 16 moduli guaranteeing the minimal period p to be ⁇ 2 81 63 .
- the minimal period of any of the 16 moduli is now 37 ensuring that at least 37 rounds must pass before any of the remainders repeats.
- n-bit finite state machines as the remainders of an RNS counter implementing fixed pseudo-random permutations of all their 2" states with their respective periods matching the required moduli.
- label 100 illustrates an array of all the possible eight states for a 3-bit number enumerated from zero to seven.
- Label 110 illustrates a random permutation of the original eight states found in 100.
- the first state 151 of 120 is copied into 130.
- the eight-item array 140 is initialized with all states unknown, labelled with a question mark.
- the first item of state 152 selects the third index location in the array 140; assigning the cyclic next value of state 152, '5'.
- the second item of state 153 selects the fifth index location in the array 140; assigning the cyclic next value of state 152, '1'.
- the following items 154, 155, 156 select the index locations 1, 7 and 2; the values being assigned to state 140 being ⁇ 7', '2' and '3' respectively.
- This process creates a loop with a period of five in a state of 8 items in 140. The remaining 3 states in 140 remain unassigned at this time.
- region 150 illustrates the sequential output of the finite state machine execution.
- the initial state of the finite state machine is selected by 130 as index '3'.
- the value '5' stored in index 3 of 140 is released as the first value in region 150 and the binary value 161.
- the finite state machine transitions to the state '5' stored in index 3.
- the value ' 1 ' stored in index 5 of 140 is released as the second value in region 150 and the binary value 162.
- the finite state machine transitions to the state ' 1 ' stored in index 5.
- the value '7' stored in index 1 of 140 is released as the third value in region 150 and the binary value 163.
- the finite state machine transitions to the state '7' stored in index 1.
- the value '2' stored in index 7 of 140 is released as the fourth value in region 150 and the binary value 164.
- the finite state machine transitions to the state '2' stored in index 7.
- the value '3' stored in index 2 of 140 is released as the fifth value in region 150 and the binary value 165.
- the finite state machine transitions back to the first state
- the value '5' stored in index 3 of 140 is released as the sixth value in region 150 and the binary value 166.
- the current state of the finite state machine is released as output and is used to select the next state.
- the finite state machine has a period of five, which is also a prime number.
- the binary values of the sequential output can be seen in 161 thorough 165.
- the output 166 is the original starting state of the finite state machine.
- a heuristic process is used to select the best one judging by the quality of the output.
- the quality of the finite state machine is given a value based upon a heuristic fitness criterion.
- the first finite state machine is rated as the current best finite state machine. Additional finite state machines are generated as previously described and a value is established for each new finite state machine measuring its heuristic fitness criterion. If a finite state machine receives a high score it replaces the previous best finite state machine as the best finite state machine and the process continues.
- the process can also include refining (assessment of quality of each pseudo-randomly generated finite state machine with all possible minor modifications to it in case such modifications lead to an improvement in the output quality on subsequent iterations).
- refining assessment of quality of each pseudo-randomly generated finite state machine with all possible minor modifications to it in case such modifications lead to an improvement in the output quality on subsequent iterations.
- the search/refinement process is iterated indefinitely and can be stopped based on user intervention, a time limit, based upon the inability to generate a better finite state machine after a predetermined number of rounds, or based on other search termination methods used for heuristic algorithms.
- One of the improvements to the search is temporary minor randomisation of the search criteria on initial or final or all iterations allowing initially imperfect choices to be considered and allowing temporary descent from local maximums, which can result in further improvements on subsequent iterations due to the probabilistic nature of heuristic search algorithms.
- Other well known heuristic algorithms and optimisations can be applied if necessary..
- finite sate machines are selected based on more than one heuristic criterion.
- nil consecutive runs should be of length 1
- nlA consecutive runs should be of length 2
- n/8 consecutive runs decreasing by half for each additional run length.
- Another heuristic criterion useful in assessing finite state machines is to ensure that each of the bit columns 171, 172 and 173 have approximately 50% ones and 50% zeroes. Additionally the total bias for each of the column positions should be roughly +/-1.
- Another heuristic criterion is to assessing a finite state machine on the hamming weight distance between each sequential output.
- the hamming weight for the first state 161 transitioning to the second state 162 is calculated by counting the number of ones after calculating the bitwise sum of state 161 and 162.
- the hamming weight counts how many binary state transitions have taken place over n bits. Selection may be based upon a finite state machine with the highest total number of hamming weight transitions, alternatively preference may be given to finite state machines with the most uniform hamming weight distribution averaging to nil.
- the unassigned positions must be assigned a random permutation of remaining numbers with the last position pointing to an arbitrary position in the main loop.
- Figure 5 shows the final selected finite state machine represented as an array of eight items. Two of the remaining three positions (4 and 6) are assigned two values from a random permutation of the remaining three numbers: (6 and 8), and the last position (8) is assigned an item pointing inside the loop (3), thus resulting in a finite state machine ⁇ 7,3,5,6,1,8,2,3 ⁇ . The indexes four, six and eight in 180 are assigned the states six, eight and three respectively.
- This process can be used to select complete finite state machines for each of the moduli.
- each column of output bits of each remainder should approximate to a binomial distribution.
- a minimum of one bit of output from each modulus is required for the entire RNS counter to have its guaranteed long period.
- the output bits may be further transformed through a bijective mapping or linearly combined, maintaining the required period length.
- the number of independent loops of the finite state machine can be chosen at will.
- the process used to generate a finite state machine with one loop of a predetermined length is trivially adapted to generate a finite state machine with two independent loops of two periods respectively and such that any state (if such state exists) not found on the two independent loops converges to a state in one of the two loops. That is, a single remainder is selected to result in two or more independent prime loops, for example five and seven respectively, such that all states converge to either the loop of five or the loop of seven outputs.
- Other preferred embodiments have finite state machines with three or more independent loops.
- any single-bit LFSR counter can be directly replaced with a finite state machine counter described above combining all the output bits from each modulus into a single bit of counter output that can be used for cryptographic purposes or for the purpose of generating spreading sequences.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Feedback Control In General (AREA)
- Storage Device Security (AREA)
Abstract
A cryptographic process receives initialization material and generates an output. The cryptographic process comprises the incrementing of a counter. The process of incrementing of the counter comprises incrementing the value of the counter cyclically through a loop of values, one value at a time. The values in the loop of values are chosen in accordance with a modified remainder number system comprising at least two remainders. Each of the at least two remainders is assigned a modulus of a fixed period. The period of at least one modulus of n-bits is selected by the equation period = floor(2' / p)*p where p is a prime number and floor(2'/p) > 1. The output of the counter is utilized in the course of generating the output of the cryptographic process.
Description
Title
Process of and apparatus for counting
Field of the invention The present invention relates to cryptographic primitives.
Background of the invention
The present application is related to our co-pending Australian provisional patent applications numbers 2005901988 and 2005902030, both entitled Process of and Apparatus for Counting, the contents of each of which are incorporated herein by reference.
The symbol '*' when used in this specification indicates multiplication so that, for example, a* a = a2.
Throughout this specification, including the claims, the term 'counter' is used to mean a set of bits, the set being of a fixed size b. The έ-bits represent a number which in turn is the value of the counter. That value increments in a deterministic manner by the operation of a defined process on the bits. Irrespective of the initial state of the set of bits, the counter will eventually reach a value to which, after further incrementing, it will eventually return. One of the simplest examples of a counter is counter = (counter + 1) modulo 2" and such a counter is also considered to be a finite state machine with 2" states.
Counters for the purpose of generating spreading sequences are used extensively in communications applications.
Counters for the purpose of ensuring the minimal period length to be of a certain value are used extensively in cryptographic stream cipher constructions.
Counters are known to serve as the entire internal state of a cipher, to be used in conjunction with a symmetric key or to be used in conjunction with the internal state of a stream cipher that is continuously updated by a nonlinear function or 'hashed'.
Counters serving the entire internal state of a stream cipher, as used in nonlinear combination generators of the form x, = F(z) are disclosed in US patent 3,038,028 (Henze) published 5 June 1962 and US patent 4,202,051 (Davida , et al.) published 6 May 1980. In stream ciphers, the counters ensure a minimal period length, while the nonlinear combiners or filters obfuscate the relation between the output bits and the counter state. A modern construction of this type is described in the paper 'Luby-Rackoff Backwards: Increasing security by Making Block Ciphers Non-Invertible' by Mihir Bellare, Ted Krovetz and Phillip Rogaway published 17 October 1998. (Advances in Cryptology- Eurocrypt 98 Proceedings, Lecture Notes in Computer Science Vol. 1403, K. Nyberg ed, Springer- Verlag, 1998.)
Counters that can be used to ensure a minimal period length in conjunction with a symmetric key also include the counter mode of operation of block ciphers x, = E(k, i).
Counters are also used to ensure a guaranteed minimal period length for dedicated stream cipher constructions. Iterative number generators of the form X1 = F(x;-1) with arbitrarily selected nonlinear functions F have no guaranteed minimal period length and calculation of the minimal period length of any given F remains an open problem, as does construction of F with predictable periods. The paper 'Guaranteeing the Diversity of Number Generators' by Adi Shamir and Boaz Tsaban published in 2001 (Inf. Comput. Vol. 171 n. 2, 2001) discloses that simple counters ensuring a certain minimal period length when combined with iterative number generators produce pseudo-random sequences with guaranteed period lengths. The simplest adaptation ensuring a large minimal loop length of an iterative black-box number generator is of the form: x, = F(x;-1) + i.
In all cases, a counter is used to ensure a guaranteed minimal period length.
The number systems used to store the state of a counter module may be implemented in a wide and varied ways including but not limited to:
- Base 16 - Hexadecimal;
- Base 10 - Decimal;
- Base 8 - Octal;
Base 3;
- Weighted binary systems: o one's complement representation; o one's complement representation modulo 2n; o two's complement representation; o two' s complement representation modulo 2n; o n-residue; o binary coded decimal; o reflective codes; o sequential codes; o one-hot encoding; Non- weighted binary systems: o minimum change codes (gray codes); o linear feedback shift registers; o small nonlinear feedback shift registers; o excess-3 codes; o one-hot encoding; ' - Hybrid (combined weighted/non- weighted) systems: o remainder number system (RNS);
Counters in cryptographic implementations are typically restricted to one's complement representation, two's complement representation, one-hot encoding, and linear feedback shift registers.
Counters in general can be implemented using operations such as multiplication by an odd constant modulo a prime, addition or subtraction by a constant modulo 2n or sequential transitions over a finite state machine.
Counters based on maximal length linear feedback shift registers (m-LFSR) generate 2""1 periods for feedback polynomials of n. A useful property of m-LFSR constructions is that they generate a single bit output binary sequence of 2"'1 length enabling the single bit output of several independent m-LFSR of independent lengths to be combined in a nonlinear fashion with a larger period length as disclosed in US patent 4,797,922 (Massey,
et al.) published 10 January 1989. Alternatively the entire m-LFSR state can be fed into the cipher state as disclosed in the above-referenced US patent 4,202,051.
Counters based on m-LFSR must be carefully selected. The paper 'Decimation Attack of Stream Ciphers' by Eric Filiol published 22 September 2000 ('Ciphers' Proceedings of the First International Conference on Progress in Cryptology, 2000, Springer- Verlag.) describes how the m-LFSR generators with sizes other than prime can be readily attacked as disclosed in US patent 4,202,922 (Osment) published 13 May 1980.
The paper 'Algebraic Attacks on Stream Ciphers with Linear Feedback' by Nicolas T. Courtois and Will Meir published in Eurocrypt 2003 (Eurocrypt 2003, Lecture Notes in Computer Science, Vol. 2656, pp. 345-359, Springer.) outlines significant cryptographic weaknesses in linear feedback systems. The bits of unknown state of counters based on m-LFSR do not significantly contribute to the security of a cipher.
Counting based on nonlinear feedback shift registers is described in the paper 'Counting with nonlinear binary feedback shift registers,' IEEE Trans. Electron. Comput., vol. EC- 13, pp. 357-361, Aug, 1963. Counters based on nonlinear feedback shift registers have not been used in cryptographic applications to ensure a guaranteed minimal period length. As of the date of filing of this patent application it is computationally feasible to find strong NLFSRs with period lengths approaching about 240 in a compact polynomial feedback size. Guaranteed period lengths of at least 264 are generally required for modern cryptographic applications, and testing for such loops is considered technically prohibitive. Even after identifying a single long enough loop in an NLFSR of a sufficient size, it is still not possible to ensure for an arbitrary starting point to be in the loop or to produce a loop of a sufficient length. For these reasons NLFSR counters have not previously been used in cryptographic applications to guarantee a minimal period length. Our co-pending Australian provisional patent application number 2005902030 discloses a methodology using a specific class of NLFSRs for this purpose.
DeBruijn sequences are «-bit wide nonlinear feedback shift registers with a period 2n. DeBraijn sequences are not used as counters for achieving guaranteed minimal period length. Finding such sequences for large n (80 bits or more) by brute force is
computationally infeasible and constructing them remains an open problem. Also, even if construction of such a large DeBruijn generator was possible, all 80 bits of the counter state would have to be used as inputs into the feedback function and such a wide function would most probably be unable to compete in performance with the modern stream ciphers.
Counters based on minimum change codes (grey codes) have not been used in cryptographic applications to guarantee a minimal period length. Many grey codes require a complex nonlinear function to calculate state transitions. Grey codes ensure that the hamming weight distance between any two consecutive integers in such codes is always a distance of one. Such insignificant changes between rounds are usually ignored or easily brute-forced by the attacker.
Counters based on iterative multiplication by a constant modulo a prime are well known by the mathematical community to generate prime periods. Counters based on modular multiplication have not been used in cryptographic applications to guarantee a minimal period length. Distribution of the bits of the output of such counters differs significantly depending on the prime modulus chosen. The run-time calculation of multiplication modulo a prime is considered an expensive cryptographic operation.
Counters based on addition by 1 modulo 2" (or subtraction by 1 modulo 2n) are generally implemented in two's complement encoding and employ ripple-carry logic.
The problem with counters incremented by one is clearly described in international patent application WO 2003/104,969 A2 (Cryptico A/S) published 18 December 2003 as follows. In the case where the counter c is incremented by 1 until it reaches the value
and in the following iteration the value restarts from zero. The least significant bit, c[0], is successively added the value 1, and will thereby repeatedly obtain the values 0 and 1, that is, have a period of 2. For every second increment by one this will give rise to a carry being added to the next bit in the register, c[1], which thereby will have a period of 4. For bits at position/, the period will be give by 2/n.
Such a system suffers from the disadvantage that all the bits, except for the most
significant bit have periods smaller than the total period 2n. Another disadvantage is that the dynamic behaviour of the bits is rather predictable. For instance, the value of the least significant bit flips on each step. Thereby, even though the value at a given iteration is not known, the value will be the opposite in the following iteration. Also, the value of the most significant bit will change only when half of the period 2" has passed. This means that the value of the most significant bit is constant for a long time. Such predictability of the behaviour of the counter bits allows the attackers to ignore the counter state in many attacks.
The above-referenced international patent application WO 2003/104,969 A2 (Cryptico AJS), describes incrementing a 256-bit number by an odd constant with a recurring binary pattern starting from the least significant bit '001101 ' such that the final overflow bit is carried into the least significant bit for the purpose of counting.
In normal 256-bit addition operation the final overflow bit is not fed back into the least significant bit. This feedback is claimed to disrupt the otherwise regular periods of the counters. Further analysis determines that the single bit carry overflow into the least significant bit has insignificant impact on the periodic behaviour of the most significant bits for non-negligible sequences of time. After 224 operations the bits in positions eight and higher exhibit increasingly similar run characteristics when compared to the non-carry overflow adders.
Of much greater significance is the addition by a balanced constant with approximately 50% ones. Unfortunately, the distribution of consecutive runs of binary ones or binary zeros for each bit is still heavily biased towards run lengths of one and two or run lengths of two and three. Individual bits in the sequential output of addition with a constant, with or without the most significant bit carry overflow into the least significant bit, do not resemble a binomial distribution and can be often ignored by the attacker as providing highly predictable changes.
Pseudo-random sequences leveraging counters based on the remainder number system (RNS) can be found described in the above-referenced US patent 3,038,028, US patent 3,170,033 (Vasseur) published 16 February 1965, US patent 4,058,673 (Johansson)
published 15 November 1977 and US patent 4,797,922 (Massey, et al.) published 10
January 1989.
The RNS is defined by a set of relatively prime integers {mi, ni2, ..., mi) called moduli. The dynamic range of the RNS system is M, which is the product of {mi, m2, ..., mi}. Any integer X e [0, M-I] is represented by the Z-tuple {xi, %2, ..., xι} of its remainders, where Xj =Xmod mt for i = 1, 2, ..., L. Addition over RNS systems requires each of the remainders to transition to the next sequential state. Such counters normally include the entire state as their output for further transformation operations.
RNS remainders are represented in one-hot encoding, two's complement encoding, and as m-LFSR over prime feedback polynomials respectively in the above-referenced US patent 3,038,028, US patent 3,170,033 (Vasseur) published 16 February 1965 and the above- referenced US patent 4,058,673.
Addition over RNS represented in two's complement representation results in each remainder transformed as xi+i = x,+l modulo mt. Performing addition over RNS remainders represented in two's complement representation exhibits highly regular periods in many of the bit positions of the remainders as previously discussed as a characteristic of the incrementing modulo 2n. Addition modulo 2" implemented in two's complement for each of the remainder can be easily approximated as a linear function, and thus the unknown state of the counter implemented in two's complement does not significantly contribute to the strength of a cipher.
Addition over RNS represented in m-LFSR representation results in each m-LFSR moduli sequentially transitioning by one state. The use of m-LFSR remainder is disclosed in the above-referenced US patent 4,058,673. The linear nature of the feedback function for each of the remainders results in the unknown state not significantly contributing to the strength of a cipher.
Addition over RNS represented in one-hot encoding results in the singular active bit cycling to the next bit location. The use of one-hot encoding remainders is disclosed in the above-referenced US patent 3,038,028. The linear nature of the feedback function for
each of the moduli results in the unknown state not significantly contributing to the strength of a cipher.
The remainders of an RNS have also been used to control 3 independent indexes to a singular memory module as disclosed in US patent 4,776,011 (Busby) published 4 October 1988.
Summary of the invention In contrast, the present invention provides a cryptographic process which receives initialization material and which generates an output, the cryptographic process comprising: a process of incrementing a counter, the process of incrementing the counter comprising: incrementing the value of the counter cyclically through a loop of values one value at a time; so that: the values in the loop of values are chosen in accordance with a modified remainder number system comprising at least two remainders; each of the at least two remainders is assigned a modulus of a fixed period; and the period of at least one modulus of «-bits is selected by the equation period = fioor(2" I p)*p where p is a prime number and floor(2» > l, and utilizing the output of the counter in the course of generating the output of the cryptographic process.
It will be seen that various embodiments of the present invention provide a process of counting for the purpose of guaranteeing a minimal period length. It will be also seen that various embodiments of the present invention provide a process of counting to generate spreading sequences used in encoding communication signals.
Brief description of the drawings
In order that the present invention may be more readily understood, preferred embodiments of it are described by reference to figures 1 to 5 of the drawings.
Description of preferred embodiments of the invention
In most applications only relatively prime numbers are used as the RNS moduli. The total period of a counter based on the set of such co-prime moduli is calculated as their product. For example an incremental counter based on the set of moduli {3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61} generates a loop with a guaranteed period/? of ~281 54. Generally speaking, if some of the moduli have common divisors, then the total period of such a counter would be calculated as the least common multiple of all the moduli.
For the purpose of describing embodiments of our invention we will consider each remainder to be a finite state machine labelled {rj, r2, ... , rι} . Each remainder from the set {ri, r∑, ..., ri) has a respective period length equal to its respective modulus labelled mi, ni2, ..., mi. The total period length of the finite state machine r isp which is the least common multiple of the period lengths of all moduli : j>=LCM(m i,m2,...,mi). In case where all nij are relatively prime, p is a product of all moduli: p = nti*m2*-- -*mι. Each remainder from the set {r\ , r%, ..., rϊ\ is also respectively assigned a bit width labelled W1, W2, ..., WL, with w being the total width of the finite state machine r in bits. Each remainder r,is respectively assigned a Wj bit wide binary state rβi, ηs2, ..., rjSp.
The RNS binary state rs is the static but arbitrarily ordered sequence of all the bits of the remainder bit states ris, r^s, ..., riβ such that the size of the RNS binary state is the sum of W1, W2, ..., WL in length. The p states of the finite state machine r are called rs\ ,rsi, ..., rsp.
As previously described, the simplest adaptation ensuring a guaranteed minimal period length of a black box iterative number generator is of the form: xt - F(x(-1) + i.
We adapt the formula x,- = F(Xz-1) + rsi for the purpose of elucidation.
According to a preferred embodiment of the current invention, we select moduli with the largest p for the given set of moduli widths Wj, which is found by choosing moduli with
the smallest number of common factors. Each modulus m is then multiplied by an arbitrary small number increasing it to the largest number divisible by m that is no wider than Wj bits.
In a preferred embodiment, selecting moduli with 6-bit lengths allows for an efficient hardware implementation in a wide range of hardware architectures. We select the largest primes under 26 and calculate floor(26/prime) * prime for each prime larger than 2 not used as one of the factors in previous moduli. We also include 26 as one of the moduli.
With a limit of six-bit inputs for Boolean functions, we choose the primes:
{61,59,53,47,43,41,37,31,29,23,19,17,13,11,7,5,3} Thus the moduli to choose from are:
{64,61,59,53,47,43,41,37,(31*2),(29*2),(23!!:2),(19H:3),(17*3),(13*4),(11*5),(7*9)
} Sorted in the descending order as:
{64,63,62,61,59,58,57,55,53,52,51,47,46,43,41,37}.
AU the prime numbers less than 64 as well as the number 64 are present in the 16 moduli guaranteeing the minimal period p to be ~281 63. The minimal period of any of the 16 moduli is now 37 ensuring that at least 37 rounds must pass before any of the remainders repeats.
LFSR, one-hot-encoding and incremental counters have linear components and low- quality distributions at a bit level, which are considered to be weaknesses potentially exploitable by the attackers. The RNS finite state machines implemented using linear or algebraic feedback functions will demonstrate the same weaknesses.
According to a preferred embodiment of the current invention, we select n-bit finite state machines as the remainders of an RNS counter implementing fixed pseudo-random permutations of all their 2" states with their respective periods matching the required moduli. The finite state machines are initialized with an initial position xo and the sequential state transitions are achieved by x,- = FSM[x,./]. The feedback functions are chosen such that for each remainder in the RNS finite state machine there exists only one
loop with the required period length. This allows the finite state machine to be initialized with any xo=F(key) guaranteeing that the minimal period of the cipher relying on such RNS finite state machine is no less than/? (greater than 280), while also ensuring maximum difference between the output bits on every round as well as the highest nonlinearity of their relationships by choosing the right feedback functions for each modulus.
According to a preferred embodiment of the current invention, we select the state transition model for each modular finite state machine through a heuristic pseudo-random process. We will describe selecting a random 3-bit finite state machine with a prime period of five states .
In figure 1, label 100 illustrates an array of all the possible eight states for a 3-bit number enumerated from zero to seven. Label 110 illustrates a random permutation of the original eight states found in 100.
In figure 2, the first 5 states of 110 are copied into a new 5-item array 120.
In figure 3, the first state 151 of 120 is copied into 130. The eight-item array 140 is initialized with all states unknown, labelled with a question mark.
The first item of state 152 selects the third index location in the array 140; assigning the cyclic next value of state 152, '5'. The second item of state 153 selects the fifth index location in the array 140; assigning the cyclic next value of state 152, '1'. The following items 154, 155, 156 select the index locations 1, 7 and 2; the values being assigned to state 140 being ς7', '2' and '3' respectively.
This process creates a loop with a period of five in a state of 8 items in 140. The remaining 3 states in 140 remain unassigned at this time.
In figure 4: region 150 illustrates the sequential output of the finite state machine execution.
The initial state of the finite state machine is selected by 130 as index '3'.
The value '5' stored in index 3 of 140 is released as the first value in region 150 and the binary value 161. The finite state machine transitions to the state '5' stored in index 3. The value ' 1 ' stored in index 5 of 140 is released as the second value in region 150 and the binary value 162. The finite state machine transitions to the state ' 1 ' stored in index 5.
The value '7' stored in index 1 of 140 is released as the third value in region 150 and the binary value 163. The finite state machine transitions to the state '7' stored in index 1.
The value '2' stored in index 7 of 140 is released as the fourth value in region 150 and the binary value 164. The finite state machine transitions to the state '2' stored in index 7.
The value '3' stored in index 2 of 140 is released as the fifth value in region 150 and the binary value 165. The finite state machine transitions back to the first state
'5' stored in index 3.
The value '5' stored in index 3 of 140 is released as the sixth value in region 150 and the binary value 166.
The current state of the finite state machine is released as output and is used to select the next state. The finite state machine has a period of five, which is also a prime number. The binary values of the sequential output can be seen in 161 thorough 165. The output 166 is the original starting state of the finite state machine.
Having pseudo-randomly created a finite state machine with a selected period of five, a heuristic process is used to select the best one judging by the quality of the output. The quality of the finite state machine is given a value based upon a heuristic fitness criterion. The first finite state machine is rated as the current best finite state machine. Additional finite state machines are generated as previously described and a value is established for each new finite state machine measuring its heuristic fitness criterion. If a finite state machine receives a high score it replaces the previous best finite state machine as the best finite state machine and the process continues. The process can also include refining (assessment of quality of each pseudo-randomly generated finite state machine with all
possible minor modifications to it in case such modifications lead to an improvement in the output quality on subsequent iterations). As any heuristic algorithm, the search/refinement process is iterated indefinitely and can be stopped based on user intervention, a time limit, based upon the inability to generate a better finite state machine after a predetermined number of rounds, or based on other search termination methods used for heuristic algorithms. One of the improvements to the search is temporary minor randomisation of the search criteria on initial or final or all iterations allowing initially imperfect choices to be considered and allowing temporary descent from local maximums, which can result in further improvements on subsequent iterations due to the probabilistic nature of heuristic search algorithms. Other well known heuristic algorithms and optimisations can be applied if necessary..
According to other preferred embodiments of the current invention, finite sate machines are selected based on more than one heuristic criterion.
One such criterion the finite state machine may be evaluated upon is how close the bit positions 171, 172 and 173 are to a binomial distribution. This can be calculated by determining the number of each run of consecutive binary values for each sequential column of bit position. For a period of n5 roughly nil consecutive runs should be of length 1 , nlA consecutive runs should be of length 2, and n/8 consecutive runs of length 3, decreasing by half for each additional run length.
Another heuristic criterion useful in assessing finite state machines is to ensure that each of the bit columns 171, 172 and 173 have approximately 50% ones and 50% zeroes. Additionally the total bias for each of the column positions should be roughly +/-1.
Another heuristic criterion is to assessing a finite state machine on the hamming weight distance between each sequential output. The hamming weight for the first state 161 transitioning to the second state 162 is calculated by counting the number of ones after calculating the bitwise sum of state 161 and 162. The hamming weight counts how many binary state transitions have taken place over n bits. Selection may be based upon a finite state machine with the highest total number of hamming weight transitions, alternatively preference may be given to finite state machines with the most uniform hamming weight
distribution averaging to nil.
Additional heuristic criteria will select finite state machines with expected results.
Once a suitable finite state machine has been selected for a given period length, the unassigned positions must be assigned a random permutation of remaining numbers with the last position pointing to an arbitrary position in the main loop.
Figure 5 shows the final selected finite state machine represented as an array of eight items. Two of the remaining three positions (4 and 6) are assigned two values from a random permutation of the remaining three numbers: (6 and 8), and the last position (8) is assigned an item pointing inside the loop (3), thus resulting in a finite state machine {7,3,5,6,1,8,2,3}. The indexes four, six and eight in 180 are assigned the states six, eight and three respectively.
The finite state machine with a period of 5 is now complete.
This process can be used to select complete finite state machines for each of the moduli.
If the binomial heuristic criterion is used to select each modular finite state machine, each column of output bits of each remainder should approximate to a binomial distribution. In this case, a minimum of one bit of output from each modulus is required for the entire RNS counter to have its guaranteed long period. The output bits may be further transformed through a bijective mapping or linearly combined, maintaining the required period length.
The number of independent loops of the finite state machine can be chosen at will. In a preferred embodiment the process used to generate a finite state machine with one loop of a predetermined length is trivially adapted to generate a finite state machine with two independent loops of two periods respectively and such that any state (if such state exists) not found on the two independent loops converges to a state in one of the two loops. That is, a single remainder is selected to result in two or more independent prime loops, for example five and seven respectively, such that all states converge to either the loop of five
or the loop of seven outputs. Other preferred embodiments have finite state machines with three or more independent loops.
Although detailed embodiments, with a number of variations, which incorporates the teachings of the present invention, have been shown and described in detail herein, those skilled in the art can readily devise many other embodiments and applications of the present invention that still utilize these teachings. In particular, those skilled in the art can readily adapt the finite state machine as described herein as a one-to-one replacement in the existing cipher designs. For example, in other preferred embodiments of the current invention, any single-bit LFSR counter can be directly replaced with a finite state machine counter described above combining all the output bits from each modulus into a single bit of counter output that can be used for cryptographic purposes or for the purpose of generating spreading sequences.
'Comprises/comprising' when used in this specification is taken to specify the presence of stated features, integers, steps or components but does not preclude the presence or addition of one or more other features, integers, steps, components or groups thereof.
Claims
1. A cryptographic process which receives initialization material and which generates an output, the cryptographic process comprising: a process of incrementing a counter, the process of incrementing the counter comprising: incrementing the value of the counter cyclically through a loop of values one value at a time; so that: the values in the loop of values are chosen in accordance with a modified remainder number system comprising at least two remainders; each of the at least two remainders is assigned a modulus of a fixed period; and the period of at least one modulus of «-bits is selected by the equation period = floor(2" / p)*p where p is a prime number and floor(2>) > l, and utilizing the output of the counter in the course of generating the output of the cryptographic process.
2. A process as claimed in claim 1 , in which the number b is at least equal to the sum of the number of bits which comprise each of the at least two remainders.
3 A process as claimed in any one of the preceding claims in which the initialization material comprises one of: a fixed constant; a random number; a data input; a counter value; and a secret key.
4. A process as claimed in any one of the preceding claims, in which the w-bits of at least one of the at least two remainders depends on the initialization material.
5. A process as claimed in any one of the preceding claims, in which at least one of the at least two remainders is implemented as a nonlinear finite state machine such that: the finite state machine comprises at least one and no more than four loops, each of which loops has a respective predetermined period; any states of the finite state machine that are not on a loop of a respective predetermined period converge over one or more state transitions to a state that is on one of the loops of a respective predetermined period; and the finite state machine releases at least a part of its current binary state as output.
6. A process as claimed in any one of the preceding claims, in which the transitions between states within each nonlinear finite state machine are selected to improve the randomness of the distribution of the subsequent output of the nonlinear finite state machine.
7. A process as claimed in claim 2 or claim 3, in which at least one of the finite state machines contains a singular loop of a predetermined period.
8. A process as claimed in any one of the preceding claims, in which at least one finite state machine is heuristically refined to ensure that the sequential state transitions for each predetermined loop are such that the value of the sequential states of the counter satisfies at least one fitness criterion.
9. A process as claimed in claim 8 in which the at least one fitness criterion is a randomness test.
10. A process as claimed in any one of the preceding claims, in which the output is used as input to a further cryptographic process.
11. Data which has been generated by encryption according to the process of any one of the preceding claims.
12. Data which has been generated by decryption according to the process of any one of claims 1 to 10.
13. Pseudo-random sequences which have been generated according to the process of any one of claims 1 to 10.
14. Spreading sequences which have been generated according to the process of any one of the claims 1 to 10.
15. A machine readable substrate carrying data which has been generated according to the process of any one of claims 1 to 10.
16. A signal carrying data which has been generated according to the process of any one of claims 1 to 10.
17. Apparatus for encoding a digital input, which apparatus performs a process according to any one of claims 1 to 10.
18. Apparatus for decoding a digital input, which apparatus performs a process according to any one of claims 1 to 10.
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
AU2005901987 | 2005-04-20 | ||
AU2005901987A AU2005901987A0 (en) | 2005-04-20 | Process of and Apparatus for Counting | |
AU2005902019A AU2005902019A0 (en) | 2005-04-22 | Process of and Apparatus for Counting | |
AU2005902019 | 2005-04-22 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2006110954A1 true WO2006110954A1 (en) | 2006-10-26 |
Family
ID=37114632
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/AU2006/000527 WO2006110954A1 (en) | 2005-04-20 | 2006-04-20 | Process of and apparatus for counting |
Country Status (2)
Country | Link |
---|---|
TW (1) | TW200707277A (en) |
WO (1) | WO2006110954A1 (en) |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP2000900A2 (en) | 2007-05-22 | 2008-12-10 | Harris Corporation | Extending a repetition period of a random sequence |
EP2056519A1 (en) * | 2007-10-30 | 2009-05-06 | Harris Corporation | Cryptographic system configured for extending a repetition period of a random sequence |
US7937427B2 (en) | 2007-04-19 | 2011-05-03 | Harris Corporation | Digital generation of a chaotic numerical sequence |
US8005221B2 (en) | 2007-08-01 | 2011-08-23 | Harris Corporation | Chaotic spread spectrum communications system receiver |
US8200728B2 (en) | 2008-05-29 | 2012-06-12 | Harris Corporation | Sine/cosine generator |
US8345725B2 (en) | 2010-03-11 | 2013-01-01 | Harris Corporation | Hidden Markov Model detection for spread spectrum waveforms |
US8848909B2 (en) | 2009-07-22 | 2014-09-30 | Harris Corporation | Permission-based TDMA chaotic communication systems |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5077793A (en) * | 1989-09-29 | 1991-12-31 | The Boeing Company | Residue number encryption and decryption system |
US5166978A (en) * | 1990-02-23 | 1992-11-24 | U.S. Philips Corp. | Encoding system according to the so-called rsa method, by means of a microcontroller and arrangement implementing this system |
US6125182A (en) * | 1994-11-09 | 2000-09-26 | Channel One Communications, Inc. | Cryptographic engine using logic and base conversions |
WO2001022653A2 (en) * | 1999-09-22 | 2001-03-29 | Raytheon Company | Key escrow systems |
US20030140077A1 (en) * | 2001-12-18 | 2003-07-24 | Oleg Zaboronski | Logic circuits for performing modular multiplication and exponentiation |
US20040039922A1 (en) * | 2002-08-26 | 2004-02-26 | Mosaid Technologies, Inc. | Method and apparatus for processing arbitrary key bit length encryption operations with similar efficiencies |
US20040148325A1 (en) * | 2003-01-23 | 2004-07-29 | Takashi Endo | Information processing means |
-
2006
- 2006-04-20 TW TW095114208A patent/TW200707277A/en unknown
- 2006-04-20 WO PCT/AU2006/000527 patent/WO2006110954A1/en not_active Application Discontinuation
Patent Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5077793A (en) * | 1989-09-29 | 1991-12-31 | The Boeing Company | Residue number encryption and decryption system |
US5166978A (en) * | 1990-02-23 | 1992-11-24 | U.S. Philips Corp. | Encoding system according to the so-called rsa method, by means of a microcontroller and arrangement implementing this system |
US6125182A (en) * | 1994-11-09 | 2000-09-26 | Channel One Communications, Inc. | Cryptographic engine using logic and base conversions |
WO2000070819A1 (en) * | 1998-02-07 | 2000-11-23 | Satterfield Richard C | Cryptographic engine using base conversion, logic operations and prng in data arrays to increase dispersion in ciphertext |
WO2001022653A2 (en) * | 1999-09-22 | 2001-03-29 | Raytheon Company | Key escrow systems |
US20030140077A1 (en) * | 2001-12-18 | 2003-07-24 | Oleg Zaboronski | Logic circuits for performing modular multiplication and exponentiation |
US20040039922A1 (en) * | 2002-08-26 | 2004-02-26 | Mosaid Technologies, Inc. | Method and apparatus for processing arbitrary key bit length encryption operations with similar efficiencies |
US20040148325A1 (en) * | 2003-01-23 | 2004-07-29 | Takashi Endo | Information processing means |
Non-Patent Citations (3)
Title |
---|
BAJARD J.C. ET AL.: "An RNS Montgomery Modular Multiplication Algorithm", IEEE TRANSACTIONS ON COMPUTERS, vol. 47, no. 7, July 1998 (1998-07-01) * |
RAY G.A.: "Systolic RNS arithmetic using feedback shift logic", 8TH ANNUAL CONFERENCE ON COMPUTERS AND COMMUNICATIONS, 1989 * |
YANG L-L. ET AL.: "A rsidue number system based parallel communication scheme using orthogonal signalling: Part I-System Outline", IEEE TRANSACTIONS ON VEHICULAR TECHNOLOGY, vol. 51, no. 6, 25 July 2002 (2002-07-25) * |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7937427B2 (en) | 2007-04-19 | 2011-05-03 | Harris Corporation | Digital generation of a chaotic numerical sequence |
EP2000900A2 (en) | 2007-05-22 | 2008-12-10 | Harris Corporation | Extending a repetition period of a random sequence |
JP2009003925A (en) * | 2007-05-22 | 2009-01-08 | Harris Corp | Extension of repetition period of random sequence |
EP2000900A3 (en) * | 2007-05-22 | 2009-03-11 | Harris Corporation | Extending a repetition period of a random sequence |
US7921145B2 (en) | 2007-05-22 | 2011-04-05 | Harris Corporation | Extending a repetition period of a random sequence |
US8005221B2 (en) | 2007-08-01 | 2011-08-23 | Harris Corporation | Chaotic spread spectrum communications system receiver |
EP2056519A1 (en) * | 2007-10-30 | 2009-05-06 | Harris Corporation | Cryptographic system configured for extending a repetition period of a random sequence |
JP2009110002A (en) * | 2007-10-30 | 2009-05-21 | Harris Corp | Cryptographic system configured for extending repetition period of random sequence |
US8200728B2 (en) | 2008-05-29 | 2012-06-12 | Harris Corporation | Sine/cosine generator |
US8848909B2 (en) | 2009-07-22 | 2014-09-30 | Harris Corporation | Permission-based TDMA chaotic communication systems |
US8345725B2 (en) | 2010-03-11 | 2013-01-01 | Harris Corporation | Hidden Markov Model detection for spread spectrum waveforms |
Also Published As
Publication number | Publication date |
---|---|
TW200707277A (en) | 2007-02-16 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Canteaut | Open problems related to algebraic attacks on stream ciphers | |
AU729638B2 (en) | A non-deterministic public key encryption system | |
Sen et al. | Cellular automata based cryptosystem (CAC) | |
EP1820295A2 (en) | Substitution boxes | |
WO2006110954A1 (en) | Process of and apparatus for counting | |
Deepthi et al. | Design, implementation and analysis of hardware efficient stream ciphers using LFSR based hash functions | |
Helleseth et al. | Simplifying algebraic attacks with univariate analysis | |
Mandal et al. | Probabilistic generation of good span n sequences from nonlinear feedback shift registers | |
Berbain et al. | Decim–a new stream cipher for hardware applications | |
Jamil et al. | A new cryptographic hash function based on cellular automata rules 30, 134 and omega-flip network | |
WO2006116801A1 (en) | Process of and apparatus for hashing | |
Klapper | On the existence of secure feedback registers | |
Pandian et al. | Five decade evolution of feedback shift register: algorithms, architectures and applications | |
Spencer | Pseudorandom Bit Generators from Enhanced Cellular Automata. | |
Younes et al. | CeTrivium: A Stream Cipher Based on Cellular Automata for Securing Real-TimeMultimedia Transmission. | |
Deepthi et al. | Hardware stream cipher based on LFSR and modular division circuit | |
Tasheva et al. | Self-shrinking p-adic cryptographic generator | |
Banerjee et al. | NCASH: nonlinear cellular automata-based hash function | |
Arnault et al. | Design of new pseudo random generators based on a filtered FCSR automaton | |
Tian et al. | Linearity properties of binary FCSR sequences | |
Jiao | Specifications and improvements of LPN solving algorithms | |
Klapper | On the existence of secure keystream generators | |
Soriano | Stream ciphers based on NLFSR | |
Li et al. | Construction of De Bruijn Sequences from l-sequences | |
Constantinescu | Combining Linear Feedback Shift Registers |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | ||
NENP | Non-entry into the national phase |
Ref country code: DE |
|
WWW | Wipo information: withdrawn in national office |
Country of ref document: DE |
|
NENP | Non-entry into the national phase |
Ref country code: RU |
|
WWW | Wipo information: withdrawn in national office |
Country of ref document: RU |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 06721407 Country of ref document: EP Kind code of ref document: A1 |
|
WWW | Wipo information: withdrawn in national office |
Ref document number: 6721407 Country of ref document: EP |